Changes with Apache 1.3.24
+
+ *) Introduce proper escaping of command.com and cmd.exe for Win32.
+ These patches close vulnerability CAN-2002-0061, identified and
+ reported by Ory Segal <ory.segal@sanctuminc>, by which any CGI
+ invocation of .bat or .cmd files could comprimize the system
+ when the .bat or .cmd was parsed the query args as an argument
+ to either cmd.exe /c or command.com /c. [William Rowe]
+
+ *) Add % and \r [C/R] to the dangerous Win32 shell character list.
+ Retain the Unix sh escapes list for compatibility.
+ [William Rowe]
+
+ *) Pass the command line to the cmd.exe /c interpreter double quoted.
+ This fixes a bug that CGI args ending in a double-quote would
+ cause invocation to fail. Also, treat command.com as a 16-bit
+ executable. [William Rowe]
+
+ *) Win32; Never invoke cmd or bat scripts based on the registry, even
+ for 'ScriptInterpreterSource Registry' enabled. [William Rowe]
+
+ *) Provide Win32 users a log of the cgi command invoked, to assist
+ in debugging scripts at LogLevel info. Also provide env vars
+ at LogLevel debug for additional help to admins troubleshooting
+ the ever mysterious "Premature end of script headers" error.
+ [Aaron Bannert]
+
+ *) Added the 'CgiCommandArgs off' directive, to allow admins
+ to disable the query argument passing mechanism in Apache,
+ if future cgi arguments vulnerabilities should be discovered.
+ [Aaron Bannert]
+
*) When a proxied site was being served, Apache was replacing
the original site Server header with it's own, which is not
allowed by RFC2616. Fixed. [Graham Leggett]
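Review bot: the first new CHANGES entry has a spelling error and a garbled clause that should be fixed before this ships, since CHANGES is what admins read to judge whether they are exposed: "could comprimize the system" should be "could compromise the system", and "when the .bat or .cmd was parsed the query args as an argument" reads better as "when the query args were passed as an argument to either cmd.exe /c or command.com /c". Two smaller points: the fourth entry opens "Win32;" where the other entries use a colon or no punctuation, and the 'CgiCommandArgs off' entry should state the directive's default so an admin can tell whether they need to set it explicitly.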
/*
* We need to unescape any characters that are
- * in the arguments list.
+ * in the arguments list. Truncate to 4000
+ * characters for safety, being careful of the
+ * now-escaped characters.
*/
ap_unescape_url(arguments);
arguments = ap_escape_shell_cmd(r->pool, arguments);
+ if (strlen(arguments) > 4000)
+ {
+ int len = 4000;
+ while (len && arguments[len - 1] == '\\') {
+ --len;
+ }
+ arguments[len] = '\0';
+ }
+
+ /*
+ * Now that the arguments list is 'shell' escaped with
+ * backslashes, we need to make cmd.exe/command.com
+ * safe from this same set of characters.
+ */
+ if (fileType == eCommandShell32) {
+ arguments = ap_caret_escape_args(r->pool, arguments);
+ }
+ else if (fileType == eCommandShell16) {
+ arguments = ap_pstrcat(r->pool, "\"",
+ ap_double_quotes(r->pool, arguments), "\"", NULL);
+ }
}
/*
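Review bot: the 4000-character truncation is applied before the cmd.exe/command.com escaping, so the final argument string can still be well over 4000 characters after ap_caret_escape_args() or ap_double_quotes() expands it; if the bound is meant to protect the Win32 command line, it should be applied after the last escaping step, and in either case the comment should say what the limit protects. The trailing-backslash loop is the right idea (it avoids cutting off right after an escape character, which would leave a lone `\` escaping whatever follows), but note that it also drops a complete escaped pair `\\` at the cut point, which is safe but slightly more aggressive than necessary; a one-line comment saying this is intentional would help the next reader. Finally, the hunk calls ap_caret_escape_args() and ap_double_quotes() but neither is defined in the visible lines; the patch should document, next to the eCommandShell16 branch, that ap_double_quotes() handles embedded double quotes in the arguments, since wrapping the string in `"` only closes the vulnerability if an inner quote cannot terminate the quoted region early.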