From: William A. Rowe Jr Date: Thu, 14 Jul 2005 16:47:30 +0000 (+0000) Subject: proxy HTTP - ignore C-L and disable keepalive to origin server X-Git-Tag: 2.0.55~131 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4599ade3eb01eccf58fc6cff2240d2632dbb2433;p=thirdparty%2Fapache%2Fhttpd.git proxy HTTP - ignore C-L and disable keepalive to origin server Submitted by: trawick Reviewed by: jorton, wrowe git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@219059 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index f205ee1920a..3a6b86e5442 100644 --- a/CHANGES +++ b/CHANGES @@ -1,5 +1,10 @@ Changes with Apache 2.0.55 + *) proxy HTTP: If a response contains both Transfer-Encoding and a + Content-Length, remove the Content-Length and don't reuse the + connection, mitigating some HTTP Response Splitting attacks. + [Jeff Trawick] + *) Prevent hangs of child processes when writing to piped loggers at the time of graceful restart. PR 26467. [Jeff Trawick] diff --git a/STATUS b/STATUS index 52738632045..c0504f2e816 100644 --- a/STATUS +++ b/STATUS @@ -111,10 +111,6 @@ RELEASE SHOWSTOPPERS: * Various fixes to T-E and C-L processing from trunk - + proxy HTTP - ignore C-L and disable keepalive to origin server - http://people.apache.org/~trawick/20.te-cl.txt - +1: trawick, jorton - + core: strip C-L from any request with a T-E header http://people.apache.org/~jorton/ap_tevscl.diff (CVE CAN-2005-2088) diff --git a/modules/proxy/proxy_http.c b/modules/proxy/proxy_http.c index a26e5caca2e..57e31d99a23 100644 --- a/modules/proxy/proxy_http.c +++ b/modules/proxy/proxy_http.c 
@@ -1201,8 +1201,24 @@ apr_status_t ap_proxy_http_process_response(apr_pool_t * p, request_rec *r, return r->status; } else { - /* strip connection listed hop-by-hop headers from response */ const char *buf; + + /* can't have both Content-Length and Transfer-Encoding */ + if (apr_table_get(r->headers_out, "Transfer-Encoding") + && apr_table_get(r->headers_out, "Content-Length")) { + /* 2616 section 4.4, point 3: "if both Transfer-Encoding + * and Content-Length are received, the latter MUST be + * ignored"; so unset it here to prevent any confusion + * later. */ + apr_table_unset(r->headers_out, "Content-Length"); + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, + r->server, + "proxy: server %s returned Transfer-Encoding and Content-Length", + p_conn->name); + p_conn->close += 1; + } + + /* strip connection listed hop-by-hop headers from response */ p_conn->close += ap_proxy_liststr(apr_table_get(r->headers_out, "Connection"), "close");
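Review bot: The `ap_log_error` call added in the Transfer-Encoding/Content-Length branch logs at `APLOG_DEBUG`, so with the default `LogLevel warn` the condition that CHANGES describes as a response-splitting mitigation leaves no trace in the error log. An origin server that sends both headers is breaking the framing rule the new comment quotes, and operators will want to know which backend did it, so I would raise the level: `ap_log_error(APLOG_MARK, APLOG_WARNING, 0, r->server,` with the same message and `p_conn->name`. The branch also fires for any Transfer-Encoding value, not only `chunked`; that looks deliberate because the connection is closed either way, but a one-line comment such as `/* any T-E value counts; we close the backend connection regardless */` would make that explicit. The enclosing `ap_proxy_http_process_response` starts and ends outside this hunk, so how the body is framed after the header is removed cannot be checked from here.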