]> git.ipfire.org Git - thirdparty/apache/httpd.git/commitdiff
Merge r1610501 from trunk:
authorJim Jagielski <jim@apache.org>
Thu, 17 Jul 2014 18:20:46 +0000 (18:20 +0000)
committerJim Jagielski <jim@apache.org>
Thu, 17 Jul 2014 18:20:46 +0000 (18:20 +0000)
  *) SECURITY: CVE-2014-0118 (cve.mitre.org)
     mod_deflate: The DEFLATE input filter (inflates request bodies) now
     limits the length and compression ratio of inflated request bodies to avoid
     denial of sevice via highly compressed bodies.  See directives
     DeflateInflateLimitRequestBody, DeflateInflateRatioLimit,
     and DeflateInflateRatioBurst.

Thanks to Giancarlo Pellegrino and Davide Balzarotti for reporting the issue.

Submitted By: ylavic, covener
Reviewed By: jorton, covener, jim

Submitted by: covener
Reviewed/backported by: jim

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1611426 13f79535-47bb-0310-9956-ffa450edef68

CHANGES
STATUS
docs/manual/mod/mod_deflate.xml
modules/filters/mod_deflate.c

diff --git a/CHANGES b/CHANGES
index dbd55b8d4832b6fabf0e2fbe2a226b516da941a8..c480c9cd4ca3e6bed41ad4c0022cbbf35fc39a33 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,13 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.2.28
 
+  *) SECURITY: CVE-2014-0118 (cve.mitre.org)
+     mod_deflate: The DEFLATE input filter (inflates request bodies) now
+     limits the length and compression ratio of inflated request bodies to avoid
+     denial of sevice via highly compressed bodies.  See directives
+     DeflateInflateLimitRequestBody, DeflateInflateRatioLimit,
+     and DeflateInflateRatioBurst. [Yann Ylavic, Eric Covener]
+
   *) SECURITY: CVE-2014-0231 (cve.mitre.org)
      mod_cgid: Fix a denial of service against CGI scripts that do
      not consume stdin that could lead to lingering HTTPD child processes
diff --git a/STATUS b/STATUS
index fcfc357bd701eb9e59be5402bc11940df31386c8..6ab876f8826bf82f41e16cb1cd1aa7bbd887aa6f 100644 (file)
--- a/STATUS
+++ b/STATUS
@@ -99,16 +99,6 @@ RELEASE SHOWSTOPPERS:
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
   [ start all new proposals below, under PATCHES PROPOSED. ]
 
-   * SECURITY: CVE-2014-0118 (cve.mitre.org)
-     mod_deflate: The DEFLATE input filter (inflates request bodies) now
-     limits the length and compression ratio of inflated request bodies to avoid
-     denial of sevice via highly compressed bodies.  See directives
-     DeflateInflateLimitRequestBody, DeflateInflateRatioLimit,
-     and DeflateInflateRatioBurst. [Yann Ylavic, Eric Covener]
-     trunk patch: http://svn.apache.org/r1610501
-     2.2.x patch: http://people.apache.org/~covener/patches/httpd-2.2.x-deflate_limitrequestbody.diff
-     +1: covener, ylavic, jorton
 
    * mod_deflate: Don't fail when asked to flush inflated data to the user-agent
                   and that coincides with the end of stream ("Zlib error flushing
index c3f79f2981c7c95332f8a47d94d6554ccc541a04..bfbd48cb571d8364871d991e38c2cb7a439fdb97 100644 (file)
@@ -332,5 +332,58 @@ client</description>
 </directivesynopsis>
 
 
+<directivesynopsis>
+<name>DeflateInflateLimitRequestBody</name>
+<description>Maximum size of inflated request bodies</description>
+<syntax>DeflateInflateLimitRequestBody<var>value</var></syntax>
+<default>None, but LimitRequestBody applies after deflation</default>
+<contextlist><context>server config</context><context>virtual host</context>
+<context>directory</context><context>.htaccess</context></contextlist>
+<compatibility>2.2.28 and later</compatibility>
+
+<usage>
+    <p>The <directive>DeflateInflateLimitRequestBody</directive> directive 
+        specifies the maximum size of an inflated request body. If it is unset,
+        <directive module="core">LimitRequestBody</directive> is applied to the
+        inflated body.</p>
+</usage>
+</directivesynopsis>
+
+<directivesynopsis>
+<name>DeflateInflateRatioLimit</name>
+<description>Maximum inflation ratio for request bodies</description>
+<syntax>DeflateInflateRatioLimit <var>value</var></syntax>
+<default>200</default>
+<contextlist><context>server config</context><context>virtual host</context>
+<context>directory</context><context>.htaccess</context></contextlist>
+<compatibility>2.2.28 and later</compatibility>
+
+<usage>
+    <p>The <directive>DeflateInflateRatioLimit</directive> directive 
+        specifies the maximum ratio of deflated to inflated size of an 
+        inflated request body. This ratio is checked as the body is
+        streamed in, and if crossed more than 
+        <directive>DeflateInflateRatioBurst</directive> times the request
+        will be terminated.</p>
+</usage>
+</directivesynopsis>
+
+<directivesynopsis>
+<name>DeflateInflateRatioBurst</name>
+<description>Maximum number of times the inflation ratio for request bodies 
+             can be crossed</description>
+<syntax>DeflateInflateRatioBurst <var>value</var></syntax>
+<default>3</default>
+<contextlist><context>server config</context><context>virtual host</context>
+<context>directory</context><context>.htaccess</context></contextlist>
+<compatibility>2.2.28 and later</compatibility>
+
+<usage>
+    <p>The <directive>DeflateInflateRatioBurst</directive> directive 
+       specifies the maximum number of times the 
+       <directive>DeflateInflateRatioLimit</directive> cab be crossed before 
+       terminating the request.</p>
+</usage>
+</directivesynopsis>
 </modulesynopsis>
 
index 7856e35fa8776c4b10ce4f9eac668c1cc2f0a078..bd68812bca6557e668c7031fc29860db26b88f04 100644 (file)
@@ -37,6 +37,7 @@
 #include "httpd.h"
 #include "http_config.h"
 #include "http_log.h"
+#include "http_core.h"
 #include "apr_lib.h"
 #include "apr_strings.h"
 #include "apr_general.h"
@@ -51,6 +52,9 @@
 static const char deflateFilterName[] = "DEFLATE";
 module AP_MODULE_DECLARE_DATA deflate_module;
 
+#define AP_INFLATE_RATIO_LIMIT 200
+#define AP_INFLATE_RATIO_BURST 3
+
 typedef struct deflate_filter_config_t
 {
     int windowSize;
@@ -62,6 +66,12 @@ typedef struct deflate_filter_config_t
     char *note_output_name;
 } deflate_filter_config;
 
+typedef struct deflate_dirconf_t {
+    apr_off_t inflate_limit;
+    int ratio_limit,
+        ratio_burst;
+} deflate_dirconf_t;
+
 /* RFC 1952 Section 2.3 defines the gzip header:
  *
  * +---+---+---+---+---+---+---+---+---+---+
@@ -193,6 +203,14 @@ static void *create_deflate_server_config(apr_pool_t *p, server_rec *s)
     return c;
 }
 
+static void *create_deflate_dirconf(apr_pool_t *p, char *dummy)
+{
+    deflate_dirconf_t *dc = apr_pcalloc(p, sizeof(*dc));
+    dc->ratio_limit = AP_INFLATE_RATIO_LIMIT;
+    dc->ratio_burst = AP_INFLATE_RATIO_BURST;
+    return dc;
+}
+
 static const char *deflate_set_window_size(cmd_parms *cmd, void *dummy,
                                            const char *arg)
 {
@@ -284,6 +302,55 @@ static const char *deflate_set_compressionlevel(cmd_parms *cmd, void *dummy,
     return NULL;
 }
 
+
+static const char *deflate_set_inflate_limit(cmd_parms *cmd, void *dirconf,
+                                      const char *arg)
+{
+    deflate_dirconf_t *dc = (deflate_dirconf_t*) dirconf;
+    char *errp;
+
+    if (APR_SUCCESS != apr_strtoff(&dc->inflate_limit, arg, &errp, 10)) {
+        return "DeflateInflateLimitRequestBody is not parsable.";
+    }
+    if (*errp || dc->inflate_limit < 0) {
+        return "DeflateInflateLimitRequestBody requires a non-negative integer.";
+    }
+
+    return NULL;
+}
+
+static const char *deflate_set_inflate_ratio_limit(cmd_parms *cmd,
+                                                   void *dirconf,
+                                                   const char *arg)
+{
+    deflate_dirconf_t *dc = (deflate_dirconf_t*) dirconf;
+    int i;
+
+    i = atoi(arg);
+    if (i <= 0)
+        return "DeflateInflateRatioLimit must be positive";
+
+    dc->ratio_limit = i;
+
+    return NULL;
+}
+
+static const char *deflate_set_inflate_ratio_burst(cmd_parms *cmd,
+                                                   void *dirconf,
+                                                   const char *arg)
+{
+    deflate_dirconf_t *dc = (deflate_dirconf_t*) dirconf;
+    int i;
+
+    i = atoi(arg);
+    if (i <= 0)
+        return "DeflateInflateRatioBurst must be positive";
+
+    dc->ratio_burst = i;
+
+    return NULL;
+}
+
 typedef struct deflate_ctx_t
 {
     z_stream stream;
@@ -294,8 +361,26 @@ typedef struct deflate_ctx_t
     unsigned char *validation_buffer;
     apr_size_t validation_buffer_length;
     int inflate_init;
+    int ratio_hits;
+    apr_off_t inflate_total;
 } deflate_ctx;
 
+/* Check whether the (inflate) ratio exceeds the configured limit/burst. */
+static int check_ratio(request_rec *r, deflate_ctx *ctx,
+                       const deflate_dirconf_t *dc)
+{
+    if (ctx->stream.total_in) {
+        int ratio = ctx->stream.total_out / ctx->stream.total_in;
+        if (ratio < dc->ratio_limit) {
+            ctx->ratio_hits = 0;
+        }
+        else if (++ctx->ratio_hits > dc->ratio_burst) {
+            return 0;
+        }
+    }
+    return 1;
+}
+
 /* Number of validation bytes (CRC and length) after the compressed data */
 #define VALIDATION_SIZE 8
 /* Do not update ctx->crc, see comment in flush_libz_buffer */
@@ -744,6 +829,8 @@ static apr_status_t deflate_in_filter(ap_filter_t *f,
     int zRC;
     apr_status_t rv;
     deflate_filter_config *c;
+    deflate_dirconf_t *dc;
+    apr_off_t inflate_limit;
 
     /* just get out of the way of things we don't want. */
     if (mode != AP_MODE_READBYTES) {
@@ -751,6 +838,7 @@ static apr_status_t deflate_in_filter(ap_filter_t *f,
     }
 
     c = ap_get_module_config(r->server->module_config, &deflate_module);
+    dc = ap_get_module_config(r->per_dir_config, &deflate_module);
 
     if (!ctx) {
         char deflate_hdr[10];
@@ -803,11 +891,13 @@ static apr_status_t deflate_in_filter(ap_filter_t *f,
         if (len != 10 ||
             deflate_hdr[0] != deflate_magic[0] ||
             deflate_hdr[1] != deflate_magic[1]) {
+            ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "Failed to inflate input: wrong/partial magic bytes");
             return APR_EGENERAL;
         }
 
         /* We can't handle flags for now. */
         if (deflate_hdr[3] != 0) {
+            ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "Failed to inflate input: cannot handle deflate flags");
             return APR_EGENERAL;
         }
 
@@ -831,6 +921,12 @@ static apr_status_t deflate_in_filter(ap_filter_t *f,
         apr_brigade_cleanup(ctx->bb);
     }
 
+    inflate_limit = dc->inflate_limit; 
+    if (inflate_limit == 0) { 
+        /* The core is checking the deflated body, we'll check the inflated */
+        inflate_limit = ap_get_limit_req_body(f->r);
+    }
+
     if (APR_BRIGADE_EMPTY(ctx->proc_bb)) {
         rv = ap_get_brigade(f->next, ctx->bb, mode, block, readbytes);
 
@@ -863,6 +959,17 @@ static apr_status_t deflate_in_filter(ap_filter_t *f,
 
                 ctx->stream.next_out = ctx->buffer;
                 len = c->bufferSize - ctx->stream.avail_out;
+                ctx->inflate_total += len;
+                if (inflate_limit && ctx->inflate_total > inflate_limit) { 
+                    inflateEnd(&ctx->stream);
+                    ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, 
+                            "Inflated content length of %" APR_OFF_T_FMT
+                            " is larger than the configured limit"
+                            " of %" APR_OFF_T_FMT, 
+                            ctx->inflate_total, inflate_limit);
+                    return APR_ENOSPC;
+                }
 
                 ctx->crc = crc32(ctx->crc, (const Bytef *)ctx->buffer, len);
                 tmp_heap = apr_bucket_heap_create((char *)ctx->buffer, len,
@@ -891,6 +998,26 @@ static apr_status_t deflate_in_filter(ap_filter_t *f,
                     ctx->stream.next_out = ctx->buffer;
                     len = c->bufferSize - ctx->stream.avail_out;
 
+                      ctx->inflate_total += len;
+                      if (inflate_limit && ctx->inflate_total > inflate_limit) { 
+                          inflateEnd(&ctx->stream);
+                          ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
+                                  "Inflated content length of %" APR_OFF_T_FMT
+                                  " is larger than the configured limit"
+                                  " of %" APR_OFF_T_FMT, 
+                                  ctx->inflate_total, inflate_limit);
+                          return APR_ENOSPC;
+                      }
+
+                      if (!check_ratio(r, ctx, dc)) {
+                          inflateEnd(&ctx->stream);
+                          ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, 
+                                  "Inflated content ratio is larger than the "
+                                  "configured limit %i by %i time(s)",
+                                  dc->ratio_limit, dc->ratio_burst);
+                          return APR_EINVAL;
+                      }
+
                     ctx->crc = crc32(ctx->crc, (const Bytef *)ctx->buffer, len);
                     tmp_heap = apr_bucket_heap_create((char *)ctx->buffer, len,
                                                       NULL, f->c->bucket_alloc);
@@ -1003,6 +1130,7 @@ static apr_status_t inflate_out_filter(ap_filter_t *f,
     int zRC;
     apr_status_t rv;
     deflate_filter_config *c;
+    deflate_dirconf_t *dc;
 
     /* Do nothing if asked to filter nothing. */
     if (APR_BRIGADE_EMPTY(bb)) {
@@ -1010,6 +1138,7 @@ static apr_status_t inflate_out_filter(ap_filter_t *f,
     }
 
     c = ap_get_module_config(r->server->module_config, &deflate_module);
+    dc = ap_get_module_config(r->per_dir_config, &deflate_module);
 
     if (!ctx) {
 
@@ -1272,6 +1401,14 @@ static apr_status_t inflate_out_filter(ap_filter_t *f,
         while (ctx->stream.avail_in != 0) {
             if (ctx->stream.avail_out == 0) {
 
+                if (!check_ratio(r, ctx, dc)) {
+                    ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, 
+                            "Inflated content ratio is larger than the "
+                            "configured limit %i by %i time(s)",
+                            dc->ratio_limit, dc->ratio_burst);
+                    return APR_EINVAL;
+                }
+
                 ctx->stream.next_out = ctx->buffer;
                 len = c->bufferSize - ctx->stream.avail_out;
 
@@ -1346,12 +1483,20 @@ static const command_rec deflate_filter_cmds[] = {
                   "Set the Deflate Memory Level (1-9)"),
     AP_INIT_TAKE1("DeflateCompressionLevel", deflate_set_compressionlevel, NULL, RSRC_CONF,
                   "Set the Deflate Compression Level (1-9)"),
+    AP_INIT_TAKE1("DeflateInflateLimitRequestBody", deflate_set_inflate_limit, NULL, OR_ALL,
+                  "Set a limit on size of inflated input"),
+    AP_INIT_TAKE1("DeflateInflateRatioLimit", deflate_set_inflate_ratio_limit, NULL, OR_ALL,
+                  "Set the inflate ratio limit above which inflation is "
+                  "aborted (default: " APR_STRINGIFY(AP_INFLATE_RATIO_LIMIT) ")"),
+    AP_INIT_TAKE1("DeflateInflateRatioBurst", deflate_set_inflate_ratio_burst, NULL, OR_ALL,
+                  "Set the maximum number of following inflate ratios above limit "
+                  "(default: " APR_STRINGIFY(AP_INFLATE_RATIO_BURST) ")"),
     {NULL}
 };
 
 module AP_MODULE_DECLARE_DATA deflate_module = {
     STANDARD20_MODULE_STUFF,
-    NULL,                         /* dir config creater */
+    create_deflate_dirconf,       /* dir config creater */
     NULL,                         /* dir merger --- default is to override */
     create_deflate_server_config, /* server config */
     NULL,                         /* merge server config */