git.ipfire.org Git - thirdparty/apache/httpd.git/commit

author	Joe Orton <jorton@apache.org>
	Tue, 15 Jul 2014 12:27:00 +0000 (12:27 +0000)
committer	Joe Orton <jorton@apache.org>
	Tue, 15 Jul 2014 12:27:00 +0000 (12:27 +0000)
commit	69ce95ded2b530427240fe185ae513d0b6616576
tree	e9f6d384bc7ead06d7415786e78f2f4583397914	tree
parent	6a5460f32415c2087b6dd5f67281b111a916a79b	commit \| diff

SECURITY (CVE-2014-0117): Fix a crash in mod_proxy. In a reverse
proxy configuration, a remote attacker could send a carefully crafted
request which could crash a server process, resulting in denial of
service.

Thanks to Marek Kroemeke working with HP's Zero Day Initiative for
reporting this issue.

* server/util.c (ap_parse_token_list_strict): New function.

* modules/proxy/proxy_util.c (find_conn_headers): Use it here.

* modules/proxy/mod_proxy_http.c (ap_proxy_http_process_response):
Send a 400 for a malformed Connection header.

Submitted by: Edward Lu, breser, covener

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1610674 13f79535-47bb-0310-9956-ffa450edef68

include/ap_mmn.h		diff \| blob \| blame \| history
include/httpd.h		diff \| blob \| blame \| history
modules/proxy/mod_proxy_http.c		diff \| blob \| blame \| history
modules/proxy/proxy_util.c		diff \| blob \| blame \| history
server/util.c		diff \| blob \| blame \| history