Merge r535617 from trunk (fixing CVE-2007-1863):

* Prevent a segmentation fault if one of the Cache-Control headers
  s-maxage, max-age, min-fresh, max-stale has no value assigned.
  In this case ignore s-maxage, max-age, min-fresh. For max-stale
  it is valid to set no value. In this case set max-stale to 1 year
  to signal that the client is accepting a stale response of any age.

Submitted by: Niklas Edmundsson <nikke acc.umu.se>
Reviewed by: mjc, rpluem, jorton

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@556619 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/CHANGES b/CHANGES
index 9197d3137e0e27febf9ba0b3bd2fef151fad2b80..805d69c35053ca6d61bb9391b38ebc6531e3c97d 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,10 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.0.60
 
+  *) SECURITY: CVE-2007-1863 (cve.mitre.org)
+     mod_cache: Prevent segmentation fault if a Cache-Control header has
+     no value.  [Niklas Edmundsson <nikke acc.umu.se>]
+
   *) SECURITY: CVE-2006-5752 (cve.mitre.org)
      mod_status: Fix a possible XSS attack against a site with a public
      server-status page and ExtendedStatus enabled, for browsers which

diff --git a/modules/experimental/cache_util.c b/modules/experimental/cache_util.c
index eaac9d533e6c07ce1dea1af87e9ab6895f37cf7a..9782cb7b5e0c1745af5f03f560c8ef30fc7427ef 100644 (file)
--- a/modules/experimental/cache_util.c
+++ b/modules/experimental/cache_util.c
@@ -186,7 +186,8 @@ CACHE_DECLARE(int) ap_cache_check_freshness(cache_handle_t *h,
     age = ap_cache_current_age(info, age_c, r->request_time);
 
     /* extract s-maxage */
-    if (cc_cresp && ap_cache_liststr(r->pool, cc_cresp, "s-maxage", &val)) {
+    if (cc_cresp && ap_cache_liststr(r->pool, cc_cresp, "s-maxage", &val)
+        && val != NULL) {
         smaxage = apr_atoi64(val);
     }
     else if (cc_ceresp && ap_cache_liststr(r->pool, cc_ceresp, "s-maxage", &val)) {
@@ -197,7 +198,8 @@ CACHE_DECLARE(int) ap_cache_check_freshness(cache_handle_t *h,
     }
 
     /* extract max-age from request */
-    if (cc_req && ap_cache_liststr(r->pool, cc_req, "max-age", &val)) {
+    if (cc_req && ap_cache_liststr(r->pool, cc_req, "max-age", &val)
+        && val != NULL) {
         maxage_req = apr_atoi64(val);
     }
     else {
@@ -205,7 +207,8 @@ CACHE_DECLARE(int) ap_cache_check_freshness(cache_handle_t *h,
     }
 
     /* extract max-age from response */
-    if (cc_cresp && ap_cache_liststr(r->pool, cc_cresp, "max-age", &val)) {
+    if (cc_cresp && ap_cache_liststr(r->pool, cc_cresp, "max-age", &val)
+        && val != NULL) {
         maxage_cresp = apr_atoi64(val);
     }
     else if (cc_ceresp && ap_cache_liststr(r->pool, cc_ceresp, "max-age", &val)) {
@@ -231,14 +234,28 @@ CACHE_DECLARE(int) ap_cache_check_freshness(cache_handle_t *h,
 
     /* extract max-stale */
     if (cc_req && ap_cache_liststr(r->pool, cc_req, "max-stale", &val)) {
-        maxstale = apr_atoi64(val);
+        if(val != NULL) {
+            maxstale = apr_atoi64(val);
+        }
+        else {
+            /*
+             * If no value is assigned to max-stale, then the client is willing
+             * to accept a stale response of any age (RFC2616 14.9.3). We will
+             * set it to one year in this case as this situation is somewhat
+             * similar to a "never expires" Expires header (RFC2616 14.21)
+             * which is set to a date one year from the time the response is
+             * sent in this case.
+             */
+            maxstale = APR_INT64_C(86400*365);
+        }
     }
     else {
         maxstale = 0;
     }
 
     /* extract min-fresh */
-    if (cc_req && ap_cache_liststr(r->pool, cc_req, "min-fresh", &val)) {
+    if (cc_req && ap_cache_liststr(r->pool, cc_req, "min-fresh", &val)
+        && val != NULL) {
         minfresh = apr_atoi64(val);
     }
     else {
@@ -384,6 +401,9 @@ CACHE_DECLARE(int) ap_cache_liststr(apr_pool_t *p, const char *list,
                                                   next - val_start);
                         }
                     }
+                    else {
+                        *val = NULL;
+                    }
                 }
                 return 1;
             }