From: Eric Covener Date: Tue, 24 Mar 2015 13:08:44 +0000 (+0000) Subject: Merge r1664205 from trunk: X-Git-Tag: 2.4.13~326 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=47cb2e45958b4058bb81fa9c7b810758927d7a09;p=thirdparty%2Fapache%2Fhttpd.git Merge r1664205 from trunk: *) SECURITY: CVE-2015-0253 (cve.mitre.org) core: Fix a crash introduced in with ErrorDocument 400 pointing to a local URL-path with the INCLUDES filter active, introduced in 2.4.11. PR 57531. [Yann Ylavic] Submitted By: ylavic Committed By: covener git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1668879 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 3c0a569ce84..12e5ab2fe10 100644 --- a/CHANGES +++ b/CHANGES @@ -2,6 +2,11 @@ Changes with Apache 2.4.13 + *) SECURITY: CVE-2015-0253 (cve.mitre.org) + core: Fix a crash introduced in with ErrorDocument 400 pointing + to a local URL-path with the INCLUDES filter active, introduced + in 2.4.11. PR 57531. [Yann Ylavic] + *) SECURITY: CVE-2015-0228 (cve.mitre.org) mod_lua: A maliciously crafted websockets PING after a script calls r:wsupgrade() can cause a child process crash. diff --git a/STATUS b/STATUS index 08c268508e6..5443295c9d1 100644 --- a/STATUS +++ b/STATUS @@ -106,16 +106,6 @@ RELEASE SHOWSTOPPERS: PATCHES ACCEPTED TO BACKPORT FROM TRUNK: [ start all new proposals below, under PATCHES PROPOSED. ] - *) SECURITY: CVE-2015-0253 (cve.mitre.org) - core: Fix a crash introduced in with ErrorDocument 400 pointing - to a local URL-path with the INCLUDES filter active, introduced - in 2.4.11. PR 57531. [Yann Ylavic] - trunk patch: http://svn.apache.org/r1664205 - 2.4.x patch: trunk works - +1 covener, jim, ylavic - - - PATCHES PROPOSED TO BACKPORT FROM TRUNK: [ New proposals should be added at the end of the list ] diff --git a/server/protocol.c b/server/protocol.c index 499be515e82..a8c1d6829b0 100644 --- a/server/protocol.c +++ b/server/protocol.c @@ -599,8 +599,6 @@ static int read_request_line(request_rec *r, apr_bucket_brigade *bb) */ if (APR_STATUS_IS_ENOSPC(rv)) { r->status = HTTP_REQUEST_URI_TOO_LARGE; - r->proto_num = HTTP_VERSION(1,0); - r->protocol = apr_pstrdup(r->pool, "HTTP/1.0"); } else if (APR_STATUS_IS_TIMEUP(rv)) { r->status = HTTP_REQUEST_TIME_OUT; @@ -608,6 +606,8 @@ static int read_request_line(request_rec *r, apr_bucket_brigade *bb) else if (APR_STATUS_IS_EINVAL(rv)) { r->status = HTTP_BAD_REQUEST; } + r->proto_num = HTTP_VERSION(1,0); + r->protocol = apr_pstrdup(r->pool, "HTTP/1.0"); return 0; } } while ((len <= 0) && (++num_blank_lines < max_blank_lines));