Merge r1664205 from trunk.
authorYann Ylavic <ylavic@apache.org>
Thu, 21 May 2015 16:47:38 +0000 (16:47 +0000)
committerYann Ylavic <ylavic@apache.org>
Thu, 21 May 2015 16:47:38 +0000 (16:47 +0000)
Preventive backport, 2.2.x not concerned by CVE-2015-0253.

r1664205 | covener | 2015-03-05 03:33:16 +0100 (Thu, 05 Mar 2015) | 12 lines

  *) SECURITY: CVE-2015-0253 (cve.mitre.org)
     core: Fix a crash with ErrorDocument 400 pointing
     to a local URL-path with the INCLUDES filter active, introduced
     in 2.4.11. PR 57531. [Yann Ylavic]

Submitted By: ylavic
Committed By: covener

Reviewed by: ylavic, wrowe, rjung
Backported by: ylavic

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1680927 13f79535-47bb-0310-9956-ffa450edef68

CHANGES
STATUS
server/protocol.c

diff --git a/CHANGES b/CHANGES
index 08f97ed1f8ceb785aed30602fcb80fe23c11861c..02c6ed3e4c9e01694a02c08fc7b9010a7866dcd3 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,9 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.2.30
 
+  *) core: Avoid potential use of uninitialized (NULL) request data in
+     request line error path. [Yann Ylavic]
   *) mod_proxy_http: Use the "Connection: close" header for requests to
      backends not recycling connections (disablereuse), including the default
      reverse and forward proxies.  [Yann Ylavic]
diff --git a/STATUS b/STATUS
index 7d5645b2f6a096c72aae23c322ca43eb9fd9837e..f90f7abf88b871437a685ccf93ae121f7b3b8dde 100644 (file)
--- a/STATUS
+++ b/STATUS
@@ -108,16 +108,6 @@ PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
      2.2.x patch: http://people.apache.org/~wrowe/httpd-2.2-default-httpd-ssl.conf.in.patch
      +1: wrowe, ylavic, rjung
 
-   * core: Avoid potential use of uninitialized (NULL) request data in
-     request line error path.
-     trunk patch: http://svn.apache.org/r1664205
-     2.2.x patch: http://people.apache.org/~ylavic/httpd-2.2.x-read_request_line.patch
-                  (trunk works but CHANGES entry does not need to refer to CVE-2015-0253)
-     +1: ylavic, wrowe, rjung
-     ylavic: this is CVE-2015-0253 wrt 2.4.13, although 2.2.x is not
-             vulnerable per se (no ErrorDocument handling from early
-             request line parser), better be safe than sorry.
-
 
 PATCHES PROPOSED TO BACKPORT FROM TRUNK:
   [ New proposals should be added at the end of the list ]
index 579fbcad798ba991c32f1be381080c00ad794c22..f078b2f2e442dfb76c2053162c4f143346ca318e 100644 (file)
@@ -605,12 +605,12 @@ static int read_request_line(request_rec *r, apr_bucket_brigade *bb)
              */
             if (rv == APR_ENOSPC) {
                 r->status    = HTTP_REQUEST_URI_TOO_LARGE;
-                r->proto_num = HTTP_VERSION(1,0);
-                r->protocol  = apr_pstrdup(r->pool, "HTTP/1.0");
             }
             else if (APR_STATUS_IS_TIMEUP(rv)) {
                 r->status = HTTP_REQUEST_TIME_OUT;
             }
+            r->proto_num = HTTP_VERSION(1,0);
+            r->protocol  = apr_pstrdup(r->pool, "HTTP/1.0");
             return 0;
         }
     } while ((len <= 0) && (++num_blank_lines < max_blank_lines));
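Review bot: The two assignments moved below the `if`/`else if` chain carry no comment saying why they must run for every failing `rv`, so a later cleanup could fold them back into a single branch and bring back a NULL `r->protocol` on the other error paths. I would add `/* Set for every error, not only APR_ENOSPC: error handling after this return may read r->protocol and r->proto_num. */` directly above `r->proto_num = HTTP_VERSION(1,0);`. Separately, in the visible lines an `rv` that is neither `APR_ENOSPC` nor a timeout leaves `r->status` untouched before `return 0;`, so it is worth confirming that the caller still treats that case as a failed request. read_request_line starts and ends outside this hunk, so that case may already be handled there.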