resolves external origin CAN-2005-2088 issues, does not
address internal origin C-L/T-E discrepancies within proxy_http
Security: CVE CAN-2005-2088
Submitted by: Joe Orton
Reviewed by: Jeff Trawick, Will Rowe
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@219061 13f79535-47bb-0310-9956-ffa450edef68
Changes with Apache 2.0.55
+ *) SECURITY: CAN-2005-2088
+ core: If a request contains both Transfer-Encoding and Content-Length
+ headers, remove the Content-Length, mitigating some HTTP Request
+ Splitting/Spoofing attacks. [Paul Querna, Joe Orton]
+
*) proxy HTTP: If a response contains both Transfer-Encoding and a
Content-Length, remove the Content-Length and don't reuse the
connection, mitigating some HTTP Response Splitting attacks.
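Review bot: The new core entry says only "mitigating some" attacks and does not say what remains uncovered. The commit message states that internal origin C-L/T-E discrepancies within proxy_http are not addressed; a short clause to that effect in this entry would tell readers of CHANGES that the fix covers requests arriving from outside only.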
* Various fixes to T-E and C-L processing from trunk
- + core: strip C-L from any request with a T-E header
- http://people.apache.org/~jorton/ap_tevscl.diff
- (CVE CAN-2005-2088)
- +1: jorton, trawick
+
PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
[ please append new backports at the end of this list not the top. ]
apr_brigade_destroy(tmp_bb);
return r;
}
+
+ if (apr_table_get(r->headers_in, "Transfer-Encoding")
+ && apr_table_get(r->headers_in, "Content-Length")) {
+ /* 2616 section 4.4, point 3: "if both Transfer-Encoding
+ * and Content-Length are received, the latter MUST be
+ * ignored"; so unset it here to prevent any confusion
+ * later. */
+ apr_table_unset(r->headers_in, "Content-Length");
+ }
}
else {
if (r->header_only) {
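Review bot: The added if block calls apr_table_unset(r->headers_in, "Content-Length") without writing anything to the log, so a request that arrives with both Transfer-Encoding and Content-Length leaves no record for anyone investigating request splitting attempts later. Consider an ap_log_rerror() call at a low level (debug or info) inside the block, before the unset. As a smaller point, the comment cites "2616 section 4.4" without the RFC prefix; "RFC 2616" is easier to search for.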