Changes with Apache 1.3.34
+ *) SECURITY: core: If a request contains both Transfer-Encoding and
+ Content-Length headers, remove the Content-Length, mitigating some
+ HTTP Request Splitting/Spoofing attacks. This has no impact on
+ mod_proxy_http, yet affects any module which supports chunked
+ encoding yet fails to prefer T-E: chunked over the Content-Length
+ purported value. [Paul Querna, Joe Orton]
+
*) Added TraceEnable [on|off|extended] per-server directive to alter
the behavior of the TRACE method. This addresses a flaw in proxy
conformance to RFC 2616 - previously the proxy server would accept
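Review bot: the SECURITY entry names no advisory or CVE identifier and uses "HTTP Request Splitting/Spoofing", while the class of attack the fix addresses (a proxy and an origin server disagreeing on where one request ends because Content-Length and Transfer-Encoding conflict) is normally called HTTP request smuggling; consider citing the advisory and using that term so the entry can be found by people searching for it. The "no impact on mod_proxy_http" remark also uses the 2.x module name; the 1.3 tree ships the proxy as mod_proxy (proxy_http.c), so say "mod_proxy" here. Finally, the entry says the change affects modules that fail to "prefer T-E: chunked", but the code it describes removes Content-Length whenever any Transfer-Encoding value is present, not only "chunked"; the entry should state that so module authors know what they will and will not see in headers_in.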
ap_log_transaction(r);
return r;
}
+ if (ap_table_get(r->headers_in, "Transfer-Encoding")
+ && ap_table_get(r->headers_in, "Content-Length")) {
+ /* 2616 section 4.4, point 3: "if both Transfer-Encoding
+ * and Content-Length are received, the latter MUST be
+ * ignored"; so unset it here to prevent any confusion
+ * later. */
+ ap_table_unset(r->headers_in, "Content-Length");
+ }
}
else {
ap_kill_timeout(r);
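Review bot: the removal in the new block is silent; a request carrying both Transfer-Encoding and Content-Length is exactly the signature of the splitting attempts this fix targets, so an ap_log_rerror() call (at debug or notice level, including the two header values) immediately before ap_table_unset(r->headers_in, "Content-Length") would let operators see probing in the error log instead of having it vanish. The test `ap_table_get(r->headers_in, "Transfer-Encoding")` also fires on any value, including "identity", which RFC 2616 section 4.4 point 2 treats as "no transfer-coding applied"; the comment quotes point 3 and so the unconditional drop is defensible, but state in the comment that non-chunked values are intentionally covered (and rely on the body-reading code to reject values it does not implement), or tighten the condition to values other than identity, so a later reader does not "fix" it in either direction.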