From: Yann Ylavic Date: Thu, 21 May 2015 16:47:38 +0000 (+0000) Subject: Merge r1664205 from trunk. X-Git-Tag: 2.2.30~83 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=29f446a64288844f23d8952cf1162dffa00f5a65;p=thirdparty%2Fapache%2Fhttpd.git Merge r1664205 from trunk. Preventive backport, 2.2.x not concerned by CVE-2015-0253. r1664205 | covener | 2015-03-05 03:33:16 +0100 (Thu, 05 Mar 2015) | 12 lines *) SECURITY: CVE-2015-0253 (cve.mitre.org) core: Fix a crash introduced in with ErrorDocument 400 pointing to a local URL-path with the INCLUDES filter active, introduced in 2.4.11. PR 57531. [Yann Ylavic] Submitted By: ylavic Committed By: covener Reviewed by: ylavic, wrowe, rjung Backported by: ylavic git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1680927 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 08f97ed1f8c..02c6ed3e4c9 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,9 @@ -*- coding: utf-8 -*- Changes with Apache 2.2.30 + *) core: Avoid potential use of uninitialized (NULL) request data in + request line error path. [Yann Ylavic] + *) mod_proxy_http: Use the "Connection: close" header for requests to backends not recycling connections (disablereuse), including the default reverse and forward proxies. [Yann Ylavic] diff --git a/STATUS b/STATUS index 7d5645b2f6a..f90f7abf88b 100644 --- a/STATUS +++ b/STATUS 
@@ -108,16 +108,6 @@ PATCHES ACCEPTED TO BACKPORT FROM TRUNK: 2.2.x patch: http://people.apache.org/~wrowe/httpd-2.2-default-httpd-ssl.conf.in.patch +1: wrowe, ylavic, rjung - * core: Avoid potential use of uninitialized (NULL) request data in - request line error path. - trunk patch: http://svn.apache.org/r1664205 - 2.2.x patch: http://people.apache.org/~ylavic/httpd-2.2.x-read_request_line.patch - (trunk works but CHANGES entry does not need to refer to CVE-2015-0253) - +1: ylavic, wrowe, rjung - ylavic: this is CVE-2015-0253 wrt 2.4.13, although 2.2.x is not - vulnerable per se (no ErrorDocument handling from early - request line parser), better be safe than sorry. - PATCHES PROPOSED TO BACKPORT FROM TRUNK: [ New proposals should be added at the end of the list ] diff --git a/server/protocol.c b/server/protocol.c index 579fbcad798..f078b2f2e44 100644 --- a/server/protocol.c +++ b/server/protocol.c @@ -605,12 +605,12 @@ static int read_request_line(request_rec *r, apr_bucket_brigade *bb) */ if (rv == APR_ENOSPC) { r->status = HTTP_REQUEST_URI_TOO_LARGE; - r->proto_num = HTTP_VERSION(1,0); - r->protocol = apr_pstrdup(r->pool, "HTTP/1.0"); } else if (APR_STATUS_IS_TIMEUP(rv)) { r->status = HTTP_REQUEST_TIME_OUT; } + r->proto_num = HTTP_VERSION(1,0); + r->protocol = apr_pstrdup(r->pool, "HTTP/1.0"); return 0; } } while ((len <= 0) && (++num_blank_lines < max_blank_lines));
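Review bot: The entry added at the top of the 2.2.30 list in CHANGES names neither the function nor the fields involved, so a reader cannot tell which error path is meant. Consider wording it along the lines of "core: Always set the default protocol (HTTP/1.0) in the read_request_line() error path, to avoid potential use of uninitialized (NULL) request data", which matches what the server/protocol.c hunk does.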
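Review bot: In the server/protocol.c hunk, the two assignments moved below the if/else-if chain in read_request_line() now run for every failing rv before `return 0;`, but no comment says why HTTP/1.0 is forced there. Add a short comment above `r->proto_num = HTTP_VERSION(1,0);` stating that these fields are given defaults so they are never left uninitialized on this error path, which is the reason the CHANGES entry gives. Also, an rv that is neither APR_ENOSPC nor a timeout leaves r->status untouched in these lines; if that is intended, say so in the same comment.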