* mod_rewrite: Ensure that client data written to the RewriteLog is

  escaped to prevent terminal escape sequences from entering the
  log file. (CVE-2013-1862 (cve.mitre.org))

Submitted by: jorton
Reviewed by: jorton, covener, rpluem

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1482349 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/CHANGES b/CHANGES
index 910d9cd2d61b528d465a39da2702b6d06651cc15..8a50c66e8504fbcc1fe5a09a744cc60dc79a09cf 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,11 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.2.25
 
+  *) SECURITY: CVE-2013-1862 (cve.mitre.org)
+     mod_rewrite: Ensure that client data written to the RewriteLog is
+     escaped to prevent terminal escape sequences from entering the
+     log file.  [Joe Orton]
+
   *) htdigest: Fix buffer overflow when reading digest password file
      with very long lines. PR 54893. [Rainer Jung]
 

diff --git a/STATUS b/STATUS
index 023abe62eabc8a9571add3a65b200e821cb20ec0..3cc3179c995b27f596be3b23bf4f190467bb264b 100644 (file)
--- a/STATUS
+++ b/STATUS
@@ -103,12 +103,6 @@ PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
     2.2.x patch: http://people.apache.org/~wrowe/httpd-2.2-quiet-fips.patch
     +1: wrowe, druggeri, kbrand
 
-  * mod_rewrite: fix CVE-2013-1862, escape log file output
-     (not needed for trunk/2.4)
-    2.2.x patch:
-      http://people.apache.org/~jorton/mod_rewrite-CVE-2013-1862.patch
-   +1: jorton, covener, rpluem
-
 PATCHES PROPOSED TO BACKPORT FROM TRUNK:
   [ New proposals should be added at the end of the list ]
 

diff --git a/modules/mappers/mod_rewrite.c b/modules/mappers/mod_rewrite.c
index b68650b7644c2db4c49c05aaf9b9c8e28899b19a..081c7b5948a8201db1a625a488e75939f97d87f8 100644 (file)
--- a/modules/mappers/mod_rewrite.c
+++ b/modules/mappers/mod_rewrite.c
@@ -500,11 +500,11 @@ static void do_rewritelog(request_rec *r, int level, char *perdir,
 
     logline = apr_psprintf(r->pool, "%s %s %s %s [%s/sid#%pp][rid#%pp/%s%s%s] "
                                     "(%d) %s%s%s%s" APR_EOL_STR,
-                           rhost ? rhost : "UNKNOWN-HOST",
-                           rname ? rname : "-",
-                           r->user ? (*r->user ? r->user : "\"\"") : "-",
+                           rhost ? ap_escape_logitem(r->pool, rhost) : "UNKNOWN-HOST",
+                           rname ? ap_escape_logitem(r->pool, rname) : "-",
+                           r->user ? (*r->user ? ap_escape_logitem(r->pool, r->user) : "\"\"") : "-",
                            current_logtime(r),
-                           ap_get_server_name(r),
+                           ap_escape_logitem(r->pool, ap_get_server_name(r)),
                            (void *)(r->server),
                            (void *)r,
                            r->main ? "subreq" : "initial",
@@ -514,7 +514,7 @@ static void do_rewritelog(request_rec *r, int level, char *perdir,
                            perdir ? "[perdir " : "",
                            perdir ? perdir : "",
                            perdir ? "] ": "",
-                           text);
+                           ap_escape_logitem(r->pool, text));
 
     nbytes = strlen(logline);
     apr_file_write(conf->rewritelogfp, logline, &nbytes);