From: William A. Rowe Jr Date: Tue, 2 Mar 2010 04:01:29 +0000 (+0000) Subject: Ensure each subrequest has a shallow copy of headers_in so that the X-Git-Tag: 2.2.15~4 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2bb56790c0fb4520b878efe03aa56443a5f8b047;p=thirdparty%2Fapache%2Fhttpd.git Ensure each subrequest has a shallow copy of headers_in so that the parent request headers are not corrupted. Eliminates a problematic optimization in the case of no request body. Mitre: CVE-2010-0434 PR: 48359 Submitted by: Jake Scott, wrowe, rpluem Backports: server/protocol.c r901578 Reviewed by: minfrin git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@917867 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 379de076d7c..46cdb47c713 100644 --- a/CHANGES +++ b/CHANGES @@ -9,6 +9,11 @@ Changes with Apache 2.2.15 access control is still vulnerable, unless using OpenSSL >= 0.9.8l. [Joe Orton, Ruediger Pluem, Hartmut Keil ] + *) Ensure each subrequest has a shallow copy of headers_in so that the + parent request headers are not corrupted. Elimiates a problematic + optimization in the case of no request body. PR 48359 + [Jake Scott, William Rowe, Ruediger Pluem] + *) mod_reqtimeout: New module to set timeouts and minimum data rates for receiving requests from the client. [Stefan Fritsch] diff --git a/STATUS b/STATUS index d2dda72cd90..7534c8b5e9d 100644 --- a/STATUS +++ b/STATUS 
@@ -83,18 +83,6 @@ CURRENT RELEASE NOTES: RELEASE SHOWSTOPPERS: - * Ensure each subrequest has a shallow copy of headers_in so that the - parent request headers are not corrupted. Eliminates a problematic - optimization in the case of no request body. PR 48359 - [Jake Scott, William Rowe, Ruediger Pluem] - Link to discussion thread (please review before voting); - https://issues.apache.org/bugzilla/show_bug.cgi?id=48359 - Applied to trunk; - http://svn.apache.org/viewvc/httpd/httpd/trunk/server/protocol.c?r1=901578&r2=901577 - Ported to 2.2 (also attached to PR); - http://people.apache.org/~wrowe/httpd-headers-in-fix.patch - +1: wrowe, minfrin, rpluem - PATCHES ACCEPTED TO BACKPORT FROM TRUNK: [ start all new proposals below, under PATCHES PROPOSED. ] diff --git a/server/protocol.c b/server/protocol.c index 9d37f1ceeb5..570ec2e0329 100644 --- a/server/protocol.c +++ b/server/protocol.c @@ -1041,15 +1041,13 @@ request_rec *ap_read_request(conn_rec *conn) return r; } -/* if a request with a body creates a subrequest, clone the original request's - * input headers minus any headers pertaining to the body which has already - * been read. out-of-line helper function for ap_set_sub_req_protocol. +/* if a request with a body creates a subrequest, remove original request's + * input headers which pertain to the body which has already been read. + * out-of-line helper function for ap_set_sub_req_protocol. */ -static void clone_headers_no_body(request_rec *rnew, - const request_rec *r) +static void strip_headers_request_body(request_rec *rnew) { - rnew->headers_in = apr_table_copy(rnew->pool, r->headers_in); apr_table_unset(rnew->headers_in, "Content-Encoding"); apr_table_unset(rnew->headers_in, "Content-Language"); apr_table_unset(rnew->headers_in, "Content-Length"); 
@@ -1083,15 +1081,14 @@ AP_DECLARE(void) ap_set_sub_req_protocol(request_rec *rnew, rnew->status = HTTP_OK; + rnew->headers_in = apr_table_copy(rnew->pool, r->headers_in); + /* did the original request have a body? (e.g. POST w/SSI tags) * if so, make sure the subrequest doesn't inherit body headers */ if (apr_table_get(r->headers_in, "Content-Length") || apr_table_get(r->headers_in, "Transfer-Encoding")) { - clone_headers_no_body(rnew, r); - } else { - /* no body (common case). clone headers the cheap way */ - rnew->headers_in = r->headers_in; + strip_headers_request_body(rnew); } rnew->subprocess_env = apr_table_copy(rnew->pool, r->subprocess_env); rnew->headers_out = apr_table_make(rnew->pool, 5);
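
Review bot: In the CHANGES hunk, the new entry misspells "Eliminates" as "Elimiates", and it cites only PR 48359 although the commit message also carries "Mitre: CVE-2010-0434". Fix the spelling and add the CVE identifier to the entry, so that someone reading the release notes can tell this is a security fix and not a routine bug fix.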
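
Review bot: In the first server/protocol.c hunk, the rewritten comment above strip_headers_request_body() says it removes the "original request's input headers", but the function only touches rnew->headers_in. With the apr_table_copy() call moved out of the helper, it is correct only when the caller has already given rnew its own table, since the apr_table_unset() calls act on whatever rnew->headers_in points to at that moment. Reword the comment to say that it strips body-related headers from the subrequest's copy, and state that precondition explicitly.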
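
Review bot: In the ap_set_sub_req_protocol() hunk, the new unconditional "rnew->headers_in = apr_table_copy(rnew->pool, r->headers_in);" carries no comment, whereas the removed else branch documented the aliasing as "clone headers the cheap way". Add a short comment at the copy saying that the subrequest must never share the parent's headers_in table, because changes made through the subrequest would corrupt the parent request's headers. Without it, the no-body shortcut looks like a harmless optimization that a later cleanup could reintroduce.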