Limit accepted chunk-size to 2^63-1 and be strict about chunk-ext
authorized characters. [Graham Leggett, Yann Ylavic]
+ *) core: Allow spaces after chunk-size for compatibility with implementations
+ using a pre-filled buffer. [Yann Ylavic, Jeff Trawick]
+
*) mod_ssl: bring SNI behavior into better conformance with RFC 6066:
no longer send warning-level unrecognized_name(112) alerts. PR 56241.
[Kaspar Brand]
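Review bot: the added CHANGES entry says "Allow spaces after chunk-size", but the accompanying filter change accepts both ' ' and '\t' (c == ' ' || c == '\t'); the entry should say "spaces or tabs" so the documented tolerance matches the code, and since RFC 7230 defines chunk-size as bare hex digits (1*HEXDIG), it is worth stating that this is a deliberate interoperability leniency rather than RFC behaviour.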
PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
[ start all new proposals below, under PATCHES PROPOSED. ]
- *) SECURITY: CVE-2015-3183 (cve.mitre.org)
- core: Fix chunk header parsing defect.
- Remove apr_brigade_flatten(), buffering and duplicated code from
- the HTTP_IN filter, parse chunks in a single pass with zero copy.
- Limit accepted chunk-size to 2^63-1 and be strict about chunk-ext
- authorized characters. [Graham Leggett, Yann Ylavic]
- Submitted by: minfrin, ylavic
- Reviewed by: ylavic, wrowe,
- Backports: 1484852, 1684513
- Reported by: regilero <regis.leroy makina-corpus.com>
-
- trunk
- http://svn.apache.org/r1484852
- http://svn.apache.org/r1684513
- 2.4.x branch
- http://svn.apache.org/r1684515
- 2.2.x branch
- http://people.apache.org/~wrowe/httpd-2.2.x-ap_http_filter-chunked-v6.patch
- +1: ylavic, wrowe, minfrin
- jim notes: test framework errors due to 413->400 error change [test adjusted]
- wrowe notes: r1684513 was not neglected in this patch, already included
-
- *) core: Allow spaces after chunk-size for compatibility with implementations
- using a pre-filled buffer.
- trunk patch: http://svn.apache.org/r1685345
- http://svn.apache.org/r1685347
- http://svn.apache.org/r1685349
- http://svn.apache.org/r1685350
- 2.[24].x patch: http://people.apache.org/~ylavic/httpd-2.4.x-ap_http_filter_chunked-v3.patch
- (trunk works but CHANGES entry in the above patch is
- better since the APLOG_INFO part is already included
- in the CVE-2015-3183 patch)
- +1: ylavic, wrowe, minfrin
- ylavic: CVE-2015-3183 patch httpd-2.2.x-ap_http_filter-chunked-v6.patch
- above must be applied first.
-
PATCHES PROPOSED TO BACKPORT FROM TRUNK:
[ New proposals should be added at the end of the list ]
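Review bot: two facts recorded in the STATUS entries removed here do not survive anywhere else in the patch: jim's note that the test framework had to be adjusted for a "413->400 error change", and ylavic's note that on 2.2.x the CVE-2015-3183 patch (httpd-2.2.x-ap_http_filter-chunked-v6.patch) must be applied before the spaces patch. The CVE-2015-3183 CHANGES entry above should mention that malformed or oversize chunk headers now produce 400 instead of 413, since that is user-visible, and the 2.2.x backport should carry the ordering constraint with it.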
BODY_CHUNK, /* chunk expected */
BODY_CHUNK_PART, /* chunk digits */
BODY_CHUNK_EXT, /* chunk extension */
- BODY_CHUNK_LF, /* got CR, expect LF after digits/extension */
+ BODY_CHUNK_CR, /* got space(s) after digits, expect [CR]LF or ext */
+ BODY_CHUNK_LF, /* got CR after digits or ext, expect LF */
BODY_CHUNK_DATA, /* data constrained by chunked encoding */
BODY_CHUNK_END, /* chunked data terminating CRLF */
- BODY_CHUNK_END_LF, /* got CR, expect LF after data */
+ BODY_CHUNK_END_LF, /* got CR after data, expect LF */
BODY_CHUNK_TRAILER /* trailers */
} state;
unsigned int eos_sent :1;
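Review bot: the new state's name does not match what it represents: BODY_CHUNK_CR is entered after whitespace ("got space(s) after digits, expect [CR]LF or ext"), while the state entered after a CR is BODY_CHUNK_LF. A name describing what was consumed (for example BODY_CHUNK_SP, suggestion only) would avoid confusion with BODY_CHUNK_END_LF / BODY_CHUNK_LF. The "[CR]LF" in the comment also implies a bare LF is tolerated after the whitespace; say so explicitly, as this is a second leniency on top of the whitespace one.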
return APR_EINVAL;
}
}
+ else if (c == ' ' || c == '\t') {
+ ctx->state = BODY_CHUNK_CR;
+ }
+ else if (ctx->state == BODY_CHUNK_CR) {
+ /*
+ * ';', CR or LF expected.
+ */
+ return APR_EINVAL;
+ }
else if (ctx->state == BODY_CHUNK_PART) {
int xvalue;
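Review bot: the whitespace branch "else if (c == ' ' || c == '\t') { ctx->state = BODY_CHUNK_CR; }" transitions without testing the current state, and the branches ordered above it are not visible in this hunk; please confirm it cannot be reached while in BODY_CHUNK (no hex digit consumed yet) or BODY_CHUNK_EXT, otherwise a chunk header consisting only of whitespace, or whitespace inside an extension, would be admitted instead of rejected with APR_EINVAL. The comment in the BODY_CHUNK_CR branch ("';', CR or LF expected") describes the accepted characters, yet that branch only rejects; a short note that ';', CR and LF are handled by the earlier branches would make the state machine easier to verify.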