*) SECURITY: CVE-2012-0053 (cve.mitre.org)
authorJim Jagielski <jim@apache.org>
Sun, 30 Sep 2012 15:50:21 +0000 (15:50 +0000)
committerJim Jagielski <jim@apache.org>
Sun, 30 Sep 2012 15:50:21 +0000 (15:50 +0000)
       Fix an issue in error responses that could expose "httpOnly" cookies
            when no custom ErrorDocument is specified for status code 400.
                 [Eric Covener]

                      r1234837 on 2.0.x:
                             http://people.apache.org/~trawick/2.0-CVE-2012-0053-r1234837.patch
                                  +1: trawick, rjung, jim

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@1392050 13f79535-47bb-0310-9956-ffa450edef68

CHANGES
STATUS
server/protocol.c

diff --git a/CHANGES b/CHANGES
index 282ad34130865c73f953406192aef712a9ddfc59..0baf09574f0f00453c2cd763304d31d986ec63cd 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,11 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.0.65
 
+  *) SECURITY: CVE-2012-0053 (cve.mitre.org)
+     Fix an issue in error responses that could expose "httpOnly" cookies
+     when no custom ErrorDocument is specified for status code 400.
+     [Eric Covener]
+
   *) SECURITY: CVE-2012-0031 (cve.mitre.org)
      Fix scoreboard issue which could allow an unprivileged child process 
      could cause the parent to crash at shutdown rather than terminate 
diff --git a/STATUS b/STATUS
index 182015df05d35e2a53deb87f8549029c8daf8e83..afb31f4e56653820e5611380000d2cc19261a352 100644 (file)
--- a/STATUS
+++ b/STATUS
@@ -171,14 +171,6 @@ RELEASE SHOWSTOPPERS:
         http://people.apache.org/~trawick/2.0-CVE-2011-4317-r1235443.patch
        +1: trawick
 
-  *) SECURITY: CVE-2012-0053 (cve.mitre.org)
-     Fix an issue in error responses that could expose "httpOnly" cookies
-     when no custom ErrorDocument is specified for status code 400.
-     [Eric Covener]
-
-     r1234837 on 2.0.x:
-       http://people.apache.org/~trawick/2.0-CVE-2012-0053-r1234837.patch
-     +1: trawick, rjung
 
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
   [ start all new proposals below, under PATCHES PROPOSED. ]
index 918555b0245cf4e1a8210327ad15fc55d7f61e53..9b05c6539f3485daee48e9e91e318000f28c16bd 100644 (file)
@@ -677,6 +677,16 @@ static int read_request_line(request_rec *r, apr_bucket_brigade *bb)
     return 1;
 }
 
+/* get the length of the field name for logging, but no more than 80 bytes */
+#define LOG_NAME_MAX_LEN 80
+static int field_name_len(const char *field)
+{
+    const char *end = ap_strchr_c(field, ':');
+    if (end == NULL || end - field > LOG_NAME_MAX_LEN)
+        return LOG_NAME_MAX_LEN;
+    return end - field;
+}
+
 AP_DECLARE(void) ap_get_mime_headers_core(request_rec *r, apr_bucket_brigade *bb)
 {
     char *last_field = NULL;
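Review bot: field_name_len() counts bytes of the raw header line, but the callers added further down in this commit pass it as the `%.*s` precision for the output of ap_escape_html(). That output is longer than the raw text whenever the name contains a character that is expanded to an entity, so the printed name can be cut short or end in the middle of an entity. Truncating first and escaping afterwards avoids this, e.g. `ap_escape_html(r->pool, apr_pstrndup(r->pool, field, field_name_len(field)))` with a plain `%s`. The comment above the helper should also say that it returns LOG_NAME_MAX_LEN when there is no ':' even if the string is shorter, and that it is used for the error-notes body as well as for logging: `/* upper bound for %.*s on a NUL-terminated field; not a copy length */`.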
@@ -709,12 +719,15 @@ AP_DECLARE(void) ap_get_mime_headers_core(request_rec *r, apr_bucket_brigade *bb
             /* insure ap_escape_html will terminate correctly */
             field[len - 1] = '\0';
             apr_table_setn(r->notes, "error-notes",
-                           apr_pstrcat(r->pool,
+                           apr_psprintf(r->pool,
                                        "Size of a request header field "
                                        "exceeds server limit.<br />\n"
-                                       "<pre>\n",
-                                       ap_escape_html(r->pool, field),
-                                       "</pre>\n", NULL));
+                                        "<pre>\n%.*s\n</pre>/n",
+                                        field_name_len(field), 
+                                        ap_escape_html(r->pool, field)));
+            ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, 
+                          "Request header exceeds LimitRequestFieldSize: "
+                          "%.*s", field_name_len(field), field);
             return;
         }
 
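Review bot: The new format string ends in `</pre>/n`, so the default 400 page gets a literal `/n` after the closing tag instead of a newline. It should read `"<pre>\n%.*s\n</pre>\n"`, as in the folding branch further down. The added lines `field_name_len(field), ` and `ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, ` also carry trailing whitespace. ap_get_mime_headers_core starts before this hunk and continues after it.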
@@ -739,13 +752,17 @@ AP_DECLARE(void) ap_get_mime_headers_core(request_rec *r, apr_bucket_brigade *bb
                      * overflow (last_field) as the field with the problem
                      */
                     apr_table_setn(r->notes, "error-notes",
-                                   apr_pstrcat(r->pool,
+                                   apr_psprintf(r->pool,
                                                "Size of a request header field " 
                                                "after folding "
                                                "exceeds server limit.<br />\n"
-                                               "<pre>\n",
-                                               ap_escape_html(r->pool, last_field),
-                                               "</pre>\n", NULL));
+                                                "<pre>\n%.*s\n</pre>\n",
+                                                field_name_len(last_field),
+                                                ap_escape_html(r->pool, last_field)));
+                    ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
+                                  "Request header exceeds LimitRequestFieldSize "
+                                  "after folding: %.*s",
+                                  field_name_len(last_field), last_field);
                     return;
                 }
 
@@ -777,13 +794,17 @@ AP_DECLARE(void) ap_get_mime_headers_core(request_rec *r, apr_bucket_brigade *bb
                 if (!(value = strchr(last_field, ':'))) { /* Find ':' or    */
                     r->status = HTTP_BAD_REQUEST;      /* abort bad request */
                     apr_table_setn(r->notes, "error-notes",
-                                   apr_pstrcat(r->pool,
+                                   apr_psprintf(r->pool,
                                                "Request header field is "
                                                "missing ':' separator.<br />\n"
-                                               "<pre>\n",
-                                               ap_escape_html(r->pool,
-                                                              last_field),
-                                               "</pre>\n", NULL));
+                                                "<pre>\n%.*s</pre>\n",
+                                                (int)LOG_NAME_MAX_LEN,
+                                                ap_escape_html(r->pool,
+                                                               last_field)));
+                    ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+                                  "Request header field is missing ':' "
+                                  "separator: %.*s", (int)LOG_NAME_MAX_LEN,
+                                  last_field);
                     return;
                 }