SECURITY: CVE-2014-0231
authorWilliam A. Rowe Jr <wrowe@apache.org>
Wed, 16 Jul 2014 20:56:51 +0000 (20:56 +0000)
committerWilliam A. Rowe Jr <wrowe@apache.org>
Wed, 16 Jul 2014 20:56:51 +0000 (20:56 +0000)
  mod_cgid: Fix a denial of service against CGI scripts that do
  not consume stdin that could lead to lingering HTTPD child processes
  filling up the scoreboard and eventually hanging the server.

Submitted by: Rainer Jung, Eric Covener, Yann Ylavic
Backports: r1610509, r1535125
Reviewed by: covener, trawick, ylavic

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1611185 13f79535-47bb-0310-9956-ffa450edef68

CHANGES
STATUS
docs/manual/mod/mod_cgid.xml
modules/generators/mod_cgid.c

diff --git a/CHANGES b/CHANGES
index 252f22ce23bc8088ff9ef4b6d695be8f14980868..f860266b0eb3eb04392ac4568c02640394eb9f8b 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,15 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.2.28
 
+  *) SECURITY: CVE-2014-0231 (cve.mitre.org)
+     mod_cgid: Fix a denial of service against CGI scripts that do
+     not consume stdin that could lead to lingering HTTPD child processes
+     filling up the scoreboard and eventually hanging the server.  By
+     default, the client I/O timeout (Timeout directive) now applies to
+     communication with scripts.  The CGIDScriptTimeout directive can be
+     used to set a different timeout for communication with scripts.
+     [Rainer Jung, Eric Covener, Yann Ylavic]
+
   *) SECURITY: CVE-2014-0226 (cve.mitre.org)
      Fix a race condition in scoreboard handling, which could lead to
      a heap buffer overflow.  [Joe Orton, Eric Covener, Jeff Trawick]
diff --git a/STATUS b/STATUS
index 693e52175a0500e4fec187d74e3a15726bd2db99..9d55a4e706b5d979720838120e2089c468211dd9 100644 (file)
--- a/STATUS
+++ b/STATUS
@@ -110,17 +110,6 @@ PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
      *) mod_dav: Fix improper encoding in PROPFIND responses.  PR 56480.
      +1: breser, rpluem, ylavic
 
-   * SECURITY: CVE-2014-0231 
-       mod_cgid: Fix a denial of service against CGI scripts that do
-       not consume stdin that could lead to lingering HTTPD child processes
-       filling up the scoreboard and eventually hanging the server.
-       [Rainer Jung, Eric Covener, Yann Ylavic]
-
-     trunk patch: http://svn.apache.org/r1610509 
-                  http://svn.apache.org/r1535125  
-     2.2.x patch: http://people.apache.org/~covener/patches/httpd-2.2.x-cgid-script_timeout.diff
-     +1: covener, trawick, ylavic
-
 
 PATCHES PROPOSED TO BACKPORT FROM TRUNK:
   [ New proposals should be added at the end of the list ]
index 01e660dd2ffebc951d3f8cfb209333e0416b556f..303c29dfa032dc851f37351e1c68f9ff9c209672 100644 (file)
@@ -96,5 +96,32 @@ the cgi daemon</description>
 </usage>
 </directivesynopsis>
 
+<directivesynopsis>
+<name>CGIDScriptTimeout</name>
+<description>The length of time to wait for more output from the
+CGI program</description>
+<syntax>CGIDScriptTimeout <var>time</var>[s|ms]</syntax>
+<default>value of <directive module="core">Timeout</directive> directive when 
+unset</default>
+<contextlist><context>server config</context>
+<context>virtual host</context><context>directory</context>
+<context>.htaccess</context></contextlist>
+<compatibility>CGIDScriptTimeout defaults to zero in releases 2.4 and earlier
+</compatibility>
+
+<usage>
+    <p>This directive limits the length of time to wait for more output from
+    the CGI program.  If the time is exceeded, the request and CGI are 
+    terminated.</p>
+
+    <example><title>Example</title>
+    <highlight language="config">
+      CGIDScriptTimeout 20
+    </highlight>
+    </example>
+
+</usage>
+</directivesynopsis>
+
 </modulesynopsis>
 
index 6f39ff6640e4dea16ce10e0ffa57d16e0c14e9b5..f8705e3b3d8cd4b4befef389a0798ab43493fba1 100644 (file)
@@ -93,6 +93,10 @@ static const char *sockname;
 static pid_t parent_pid;
 static ap_unix_identity_t empty_ugid = { (uid_t)-1, (gid_t)-1, -1 };
 
+typedef struct { 
+    apr_interval_time_t timeout;
+} cgid_dirconf;
+
 /* The APR other-child API doesn't tell us how the daemon exited
  * (SIGSEGV vs. exit(1)).  The other-child maintenance function
  * needs to decide whether to restart the daemon after a failure
@@ -934,7 +938,14 @@ static void *merge_cgid_config(apr_pool_t *p, void *basev, void *overridesv)
     return overrides->logname ? overrides : base;
 }
 
+static void *create_cgid_dirconf(apr_pool_t *p, char *dummy)
+{
+    cgid_dirconf *c = (cgid_dirconf *) apr_pcalloc(p, sizeof(cgid_dirconf));
+    return c;
+}
+
 static const char *set_scriptlog(cmd_parms *cmd, void *dummy, const char *arg)
+
 {
     server_rec *s = cmd->server;
     cgid_server_conf *conf = ap_get_module_config(s->module_config,
@@ -987,7 +998,16 @@ static const char *set_script_socket(cmd_parms *cmd, void *dummy, const char *ar
 
     return NULL;
 }
+static const char *set_script_timeout(cmd_parms *cmd, void *dummy, const char *arg)
+{
+    cgid_dirconf *dc = dummy;
 
+    if (ap_timeout_parameter_parse(arg, &dc->timeout, "s") != APR_SUCCESS) { 
+        return "CGIDScriptTimeout has wrong format";
+    }
+    return NULL;
+}
 static const command_rec cgid_cmds[] =
 {
     AP_INIT_TAKE1("ScriptLog", set_scriptlog, NULL, RSRC_CONF,
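Review bot: set_script_timeout accepts any value ap_timeout_parameter_parse returns, and as far as I recall that parser takes a leading minus sign, so `CGIDScriptTimeout -5` is stored as a negative interval and then silently falls into the `dc->timeout > 0` fallback in cgid_handler instead of being reported as a configuration error; reject it here with `if (dc->timeout < 0) { return "CGIDScriptTimeout must not be negative"; }` after the parse succeeds. A value of 0 is likewise accepted and means "use Timeout", which matches the documented default but is not stated in the directive's help string. Style: the function is glued to the closing brace of set_script_socket above and to the `cgid_cmds` table below; the rest of the file separates definitions with a blank line.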
@@ -999,6 +1019,10 @@ static const command_rec cgid_cmds[] =
     AP_INIT_TAKE1("ScriptSock", set_script_socket, NULL, RSRC_CONF,
                   "the name of the socket to use for communication with "
                   "the cgi daemon."),
+    AP_INIT_TAKE1("CGIDScriptTimeout", set_script_timeout, NULL, RSRC_CONF | ACCESS_CONF,
+                  "The amount of time to wait between successful reads from "
+                  "the CGI script, in seconds."),
+                  
     {NULL}
 };
 
@@ -1335,11 +1359,15 @@ static int cgid_handler(request_rec *r)
     apr_file_t *tempsock;
     struct cleanup_script_info *info;
     apr_status_t rv;
+    cgid_dirconf *dc;
 
     if (strcmp(r->handler,CGI_MAGIC_TYPE) && strcmp(r->handler,"cgi-script"))
         return DECLINED;
 
     conf = ap_get_module_config(r->server->module_config, &cgid_module);
+    dc = ap_get_module_config(r->per_dir_config, &cgid_module);
+
+    
     is_included = !strcmp(r->protocol, "INCLUDED");
 
     if ((argv0 = strrchr(r->filename, '/')) != NULL)
@@ -1412,6 +1440,12 @@ static int cgid_handler(request_rec *r)
      */
 
     apr_os_pipe_put_ex(&tempsock, &sd, 1, r->pool);
+    if (dc->timeout > 0) { 
+        apr_file_pipe_timeout_set(tempsock, dc->timeout);
+    }
+    else { 
+        apr_file_pipe_timeout_set(tempsock, r->server->timeout);
+    }
     apr_pool_cleanup_kill(r->pool, (void *)((long)sd), close_unix_socket);
 
     if ((argv0 = strrchr(r->filename, '/')) != NULL)
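Review bot: The return value of apr_file_pipe_timeout_set is discarded in both branches, so if setting the timeout on the script socket fails the request proceeds with the old unbounded blocking I/O — exactly the condition this commit is fixing — and nothing in the log says so; `rv` is already declared in cgid_handler (visible above in the earlier hunk), so the call can be checked and logged. The same unchecked pair appears in the include_cmd hunk further down, where I cannot see whether an `apr_status_t` is in scope. Folding the two branches into one call also removes the duplicated `apr_file_pipe_timeout_set` line; whether the request should be failed outright on error depends on the socket cleanup ordering just below, which I would keep as is and only log. cgid_handler starts and ends outside this hunk.
```c
    apr_os_pipe_put_ex(&tempsock, &sd, 1, r->pool);
    rv = apr_file_pipe_timeout_set(tempsock, dc->timeout > 0 ? dc->timeout
                                                            : r->server->timeout);
    if (rv != APR_SUCCESS) {
        /* without the timeout, script I/O stays unbounded; make that visible */
        ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r,
                      "Failed to set timeout on socket to script %s",
                      r->filename);
    }
    apr_pool_cleanup_kill(r->pool, (void *)((long)sd), close_unix_socket);
```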
@@ -1487,6 +1521,10 @@ static int cgid_handler(request_rec *r)
             if (rv != APR_SUCCESS) {
                 /* silly script stopped reading, soak up remaining message */
                 child_stopped_reading = 1;
+                ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, 
+                              "Error writing request body to script %s", 
+                              r->filename);
+
             }
         }
         apr_brigade_cleanup(bb);
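Review bot: The new log line reads as a fatal error, but the surrounding code sets `child_stopped_reading` and goes on to discard the rest of the request body while the script keeps running, and with the pipe timeout now in force it will fire for any script that legitimately ignores its stdin on a request with a body; say what happens next so an operator can tell the two cases apart, e.g. `"Error writing request body to script %s; discarding remaining input", r->filename`. The blank line added before the closing brace of this block looks accidental. cgid_handler starts and ends outside this hunk.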
@@ -1577,7 +1615,13 @@ static int cgid_handler(request_rec *r)
             return HTTP_MOVED_TEMPORARILY;
         }
 
-        ap_pass_brigade(r->output_filters, bb);
+        rv = ap_pass_brigade(r->output_filters, bb);
+        if (rv != APR_SUCCESS) { 
+            /* APLOG_ERR because the core output filter message is at error,
+             * but doesn't know it's passing CGI output 
+             */
+            ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, "Failed to flush CGI output to client");
+        }
     }
 
     if (nph) {
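Review bot: The added `ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, "Failed to flush CGI output to client");` runs well past 80 columns, while the other ap_log_rerror calls this commit adds wrap their arguments onto continuation lines; wrap it the same way for consistency. The `{ ` on the `if (rv != APR_SUCCESS)` line also carries trailing whitespace. cgid_handler starts and ends outside this hunk.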
@@ -1707,6 +1751,8 @@ static int include_cmd(include_ctx_t *ctx, ap_filter_t *f,
     request_rec *r = f->r;
     cgid_server_conf *conf = ap_get_module_config(r->server->module_config,
                                                   &cgid_module);
+    cgid_dirconf *dc = ap_get_module_config(r->per_dir_config, &cgid_module);
+
     struct cleanup_script_info *info;
 
     add_ssi_vars(r);
@@ -1736,6 +1782,13 @@ static int include_cmd(include_ctx_t *ctx, ap_filter_t *f,
      * get rid of the cleanup we registered when we created the socket.
      */
     apr_os_pipe_put_ex(&tempsock, &sd, 1, r->pool);
+    if (dc->timeout > 0) {
+        apr_file_pipe_timeout_set(tempsock, dc->timeout);
+    }
+    else {
+        apr_file_pipe_timeout_set(tempsock, r->server->timeout);
+    }
+
     apr_pool_cleanup_kill(r->pool, (void *)((long)sd), close_unix_socket);
 
     APR_BRIGADE_INSERT_TAIL(bb, apr_bucket_pipe_create(tempsock,
@@ -1841,7 +1894,7 @@ static void register_hook(apr_pool_t *p)
 
 module AP_MODULE_DECLARE_DATA cgid_module = {
     STANDARD20_MODULE_STUFF,
-    NULL, /* dir config creater */
+    create_cgid_dirconf, /* dir config creater */
     NULL, /* dir merger --- default is to override */
     create_cgid_config, /* server config */
     merge_cgid_config, /* merge server config */
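Review bot: With the dir merger left as `NULL` ("default is to override"), a per-directory config for an inner `<Directory>` or .htaccess section that does not set CGIDScriptTimeout replaces the enclosing one wholesale, so, if I read httpd's per-dir merging correctly, a timeout set on `/var/www` stops applying inside `/var/www/cgi-bin` as soon as that section exists for any other directive, and the request silently falls back to the server Timeout. Since `timeout == 0` already means "unset" in this commit, a small merger that inherits the base value when the override is 0 closes that gap; it would live next to create_cgid_dirconf, outside this hunk.
```c
/* next to create_cgid_dirconf: */
static void *merge_cgid_dirconf(apr_pool_t *p, void *basev, void *overridesv)
{
    cgid_dirconf *base = basev;
    cgid_dirconf *over = overridesv;
    cgid_dirconf *c = apr_pcalloc(p, sizeof(*c));

    /* 0 means "not set in this section": inherit the enclosing value */
    c->timeout = over->timeout > 0 ? over->timeout : base->timeout;
    return c;
}

/* … unchanged: STANDARD20_MODULE_STUFF, create_cgid_dirconf … */
    merge_cgid_dirconf, /* dir merger */
```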