Merge r1575400 from trunk:

CVE-2014-0098 (reported by Rainer Canavan <rainer-apache 7val com>)
Segfaults w/ truncated cookie logging.

Clean up the cookie logging parser to recognize only the cookie=value pairs,
not valueless cookies.  This refactors multiple passes over the same string
buffer into a single pass parser.

Submitted by: wrowe
Reviewed by: rpluem, jim

Reviewed by: wrowe, ylavic, jim

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1576716 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/CHANGES b/CHANGES
index 19f051bd695f17561f0c892d01aabc8439e7fedc..c67e8b0512ec8a144716b7037f62006fc7444e80 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,12 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.2.27
 
+  *) SECURITY: CVE-2014-0098 (cve.mitre.org)
+     Clean up cookie logging with fewer redundant string parsing passes.
+     Log only cookies with a value assignment. Prevents segfaults when
+     logging truncated cookies.
+     [William Rowe, Ruediger Pluem, Jim Jagielski]
+
   *) core: draft-ietf-httpbis-p1-messaging-23 corrections regarding
      TE/CL conflicts. [Yann Ylavic <ylavic.dev gmail com>, Jim Jagielski]
 

diff --git a/STATUS b/STATUS
index 573a146f3f6f53b1ee698052f9d7b5844ec8634d..ed27cef1272eab21115e9f4a85f8738a80914b5e 100644 (file)
--- a/STATUS
+++ b/STATUS
@@ -98,13 +98,6 @@ RELEASE SHOWSTOPPERS:
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
   [ start all new proposals below, under PATCHES PROPOSED. ]
 
-  *) mod_log_config: Clean up cookie logging with fewer redundant
-     string parsing passes.  Log only cookies with a value assignment.
-     [William Rowe, Ruediger Pluem, Jim Jagielski]
-     trunk patch: http://svn.apache.org/r1575400
-     2.4.x patch: trunk works
-     +1: wrowe, ylavic, jim
-
 PATCHES PROPOSED TO BACKPORT FROM TRUNK:
   [ New proposals should be added at the end of the list ]
 

diff --git a/modules/loggers/mod_log_config.c b/modules/loggers/mod_log_config.c
index e33ab1c5c22531b9ca252a07f1dca1dae2f602b5..a08354039533764146bcd0d4d64531aa0a865ce6 100644 (file)
--- a/modules/loggers/mod_log_config.c
+++ b/modules/loggers/mod_log_config.c
@@ -524,14 +524,24 @@ static const char *log_cookie(request_rec *r, char *a)
 
         while ((cookie = apr_strtok(cookies, ";", &last1))) {
             char *name = apr_strtok(cookie, "=", &last2);
-            if (name) {
-                char *value = name + strlen(name) + 1;
-                apr_collapse_spaces(name, name);
+            /* last2 points to the next char following an '=' delim,
+               or the trailing NUL char of the string */
+            char *value = last2;
+            if (name && *name &&  value && *value) {
+                char *last = value - 2;
+                /* Move past leading WS */
+                name += strspn(name, " \t");
+                while (last >= name && apr_isspace(*last)) {
+                    *last = '\0';
+                    --last;
+                }
 
                 if (!strcasecmp(name, a)) {
-                    char *last;
-                    value += strspn(value, " \t");  /* Move past leading WS */
-                    last = value + strlen(value) - 1;
+                    /* last1 points to the next char following the ';' delim,
+                       or the trailing NUL char of the string */
+                    last = last1 - (*last1 ? 2 : 1);
+                    /* Move past leading WS */
+                    value += strspn(value, " \t");
                     while (last >= value && apr_isspace(*last)) {
                        *last = '\0';
                        --last;
@@ -540,6 +550,7 @@ static const char *log_cookie(request_rec *r, char *a)
                     return ap_escape_logitem(r->pool, value);
                 }
             }
+            /* Iterate the remaining tokens using apr_strtok(NULL, ...) */
             cookies = NULL;
         }
     }