From: Ruediger Pluem Date: Wed, 12 Mar 2014 12:41:07 +0000 (+0000) Subject: Merge r1575400 from trunk: X-Git-Tag: 2.2.27~4 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5abc0650d6aab5a19ea21be44788c0da7e59ed3c;p=thirdparty%2Fapache%2Fhttpd.git Merge r1575400 from trunk: CVE-2014-0098 (reported by Rainer Canavan ) Segfaults w/ truncated cookie logging. Clean up the cookie logging parser to recognize only the cookie=value pairs, not valueless cookies. This refactors multiple passes over the same string buffer into a single pass parser. Submitted by: wrowe Reviewed by: rpluem, jim Reviewed by: wrowe, ylavic, jim git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1576716 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 19f051bd695..c67e8b0512e 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,12 @@ -*- coding: utf-8 -*- Changes with Apache 2.2.27 + *) SECURITY: CVE-2014-0098 (cve.mitre.org) + Clean up cookie logging with fewer redundant string parsing passes. + Log only cookies with a value assignment. Prevents segfaults when + logging truncated cookies. + [William Rowe, Ruediger Pluem, Jim Jagielski] + *) core: draft-ietf-httpbis-p1-messaging-23 corrections regarding TE/CL conflicts. [Yann Ylavic , Jim Jagielski] diff --git a/STATUS b/STATUS index 573a146f3f6..ed27cef1272 100644 --- a/STATUS +++ b/STATUS @@ -98,13 +98,6 @@ RELEASE SHOWSTOPPERS: PATCHES ACCEPTED TO BACKPORT FROM TRUNK: [ start all new proposals below, under PATCHES PROPOSED. ] - *) mod_log_config: Clean up cookie logging with fewer redundant - string parsing passes. Log only cookies with a value assignment. - [William Rowe, Ruediger Pluem, Jim Jagielski] - trunk patch: http://svn.apache.org/r1575400 - 2.4.x patch: trunk works - +1: wrowe, ylavic, jim - PATCHES PROPOSED TO BACKPORT FROM TRUNK: [ New proposals should be added at the end of the list ] 
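Review bot: the CHANGES entry's "Log only cookies with a value assignment" describes the new behaviour a little too loosely: the condition added in log_cookie() is `name && *name && value && *value`, so a cookie sent as `name=` (an assignment with an empty value) is now skipped exactly like a bare `name`. Before this change `name=` took the `if (name)` path, `value` pointed at the empty string and ap_escape_logitem() of "" was returned; after it, log_cookie() falls through as if the cookie were absent. Suggest "Log only cookies with a non-empty value" so anyone comparing pre- and post-2.2.27 logs knows the empty-value case changed too, not just the truncated/valueless one the CVE is about.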
diff --git a/modules/loggers/mod_log_config.c b/modules/loggers/mod_log_config.c index e33ab1c5c22..a0835403953 100644 --- a/modules/loggers/mod_log_config.c +++ b/modules/loggers/mod_log_config.c @@ -524,14 +524,24 @@ static const char *log_cookie(request_rec *r, char *a) while ((cookie = apr_strtok(cookies, ";", &last1))) { char *name = apr_strtok(cookie, "=", &last2); - if (name) { - char *value = name + strlen(name) + 1; - apr_collapse_spaces(name, name); + /* last2 points to the next char following an '=' delim, + or the trailing NUL char of the string */ + char *value = last2; + if (name && *name && value && *value) { + char *last = value - 2; + /* Move past leading WS */ + name += strspn(name, " \t"); + while (last >= name && apr_isspace(*last)) { + *last = '\0'; + --last; + } if (!strcasecmp(name, a)) { - char *last; - value += strspn(value, " \t"); /* Move past leading WS */ - last = value + strlen(value) - 1; + /* last1 points to the next char following the ';' delim, + or the trailing NUL char of the string */ + last = last1 - (*last1 ? 2 : 1); + /* Move past leading WS */ + value += strspn(value, " \t"); while (last >= value && apr_isspace(*last)) { *last = '\0'; --last; @@ -540,6 +550,7 @@ static const char *log_cookie(request_rec *r, char *a) return ap_escape_logitem(r->pool, value); } } + /* Iterate the remaining tokens using apr_strtok(NULL, ...) */ cookies = NULL; } }
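Review bot: `last = last1 - (*last1 ? 2 : 1);` mis-locates the end of the value when the matched cookie is the last token and the header ends in ';' (e.g. `sid=abc  ;`). apr_strtok() overwrites that ';' with NUL and advances last1 to the string's original terminator, so `*last1` is NUL, `last` lands on the NUL that replaced the ';' instead of on the last character of the value, and the `while (last >= value && apr_isspace(*last))` loop exits at once, logging the value with its trailing blanks. The removed `last = value + strlen(value) - 1;` (placed after the `value += strspn(value, " \t");` skip) handles this, and with the new `*value` guard it is safe to keep, since an all-blank value makes `last < value` and the loop simply does not run; suggest restoring it and dropping the last1 arithmetic. The `char *last = value - 2;` for the name is fine: a non-NULL, non-empty name guarantees at least one character before the NUL written over '=', so `last >= name` holds on entry.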
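Worked example, added here and not code from the httpd commit above: the patched log_cookie() logic as a stand-alone C program. apr_strtok() is replaced by a local clone that keeps its delimiter-to-NUL and `*last` behaviour, apr_pstrdup()/apr_isspace()/strcasecmp() by portable C99 equivalents, and ap_escape_logitem() is omitted. The names cookie_value(), old_value_overrun(), strtok_apr(), dupstr(), ci_equal() and the sample Cookie headers are mine. old_value_overrun() replays the pre-patch `name + strlen(name) + 1` arithmetic for a valueless trailing cookie and reports, without dereferencing it, how far past the buffer's terminating NUL that pointer lands; cookie_value() is the single-pass parser, which skips `name` and `name=` tokens and trims the value with a strlen()-based end so a value followed by a trailing ';' is trimmed as well.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for apr_strtok(): NULs the delimiter it stops on and leaves *last
 * just past it, or on the string's terminating NUL when the token ran to the
 * end of the string. cookie_value() relies on exactly that, as log_cookie() does. */
static char *strtok_apr(char *str, const char *sep, char **last)
{
    char *token;
    if (!str)
        str = *last;
    while (*str && strchr(sep, *str))
        ++str;
    if (!*str)
        return NULL;
    token = str;
    *last = token + 1;
    while (**last && !strchr(sep, **last))
        ++*last;
    if (**last) {
        **last = '\0';
        ++*last;
    }
    return token;
}

/* Overwrite trailing whitespace in [from, last] with NULs (no-op if last < from). */
static void rtrim(char *from, char *last)
{
    while (last >= from && isspace((unsigned char)*last)) {
        *last = '\0';
        --last;
    }
}

static char *dupstr(const char *s)          /* portable stand-in for apr_pstrdup() */
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    return p ? memcpy(p, s, n) : NULL;
}

static int ci_equal(const char *a, const char *b)   /* stand-in for !strcasecmp() */
{
    for (; *a && *b; ++a, ++b)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;
}

/* Single-pass extraction of cookie `want` from a Cookie header, following the
 * patched log_cookie(): a token with no '=' or nothing after it is skipped
 * without ever forming a pointer past the token's NUL.
 * Returns a malloc'd copy of the value, or NULL if no such cookie=value exists. */
char *cookie_value(const char *header, const char *want)
{
    char *buf = dupstr(header);
    char *cookies = buf, *cookie, *name, *value, *last1, *last2, *result = NULL;

    while ((cookie = strtok_apr(cookies, ";", &last1))) {
        cookies = NULL;               /* continue from last1 on later calls */
        name = strtok_apr(cookie, "=", &last2);
        if (!name)
            continue;                 /* token was nothing but '=' characters */
        value = last2;                /* text after '=', or the token's NUL */
        if (!*value)
            continue;                 /* "name" or "name=": nothing to log */
        rtrim(name, value - 2);       /* value - 1 is the NUL written over '=' */
        name += strspn(name, " \t");
        if (!ci_equal(name, want))
            continue;
        value += strspn(value, " \t");
        /* strlen-based end: also correct when this cookie was followed by a
         * ';' at the very end of the header, where last1-based arithmetic
         * stops on the NUL that replaced that ';' and trims nothing. */
        rtrim(value, value + strlen(value) - 1);
        result = dupstr(value);
        break;
    }
    free(buf);
    return result;
}

/* Replay of the pre-patch arithmetic for the last cookie in the header:
 * value = name + strlen(name) + 1 steps over the token's NUL, which for a
 * valueless final cookie is the end of the buffer. Returns how many bytes past
 * the terminating NUL that pointer lands (0 = still inside the copy). The
 * pointer is only compared, never dereferenced. */
long old_value_overrun(const char *header)
{
    char *buf = dupstr(header), *end = buf + strlen(buf);
    char *cookies = buf, *cookie, *name = NULL, *last1, *last2;
    long overrun = 0;

    while ((cookie = strtok_apr(cookies, ";", &last1))) {
        cookies = NULL;
        name = strtok_apr(cookie, "=", &last2);
    }
    if (name) {
        char *value = name + strlen(name) + 1;   /* the old, unguarded step */
        if (value > end)
            overrun = (long)(value - end);
    }
    free(buf);
    return overrun;
}

int main(void)
{
    const char *hdr = "a=1; sid = abc123 ;";     /* constructed sample header */
    char *v = cookie_value(hdr, "sid");
    printf("sid -> [%s]\n", v ? v : "(none)");
    printf("old arithmetic overrun for \"a=1; sid\": %ld byte(s)\n",
           old_value_overrun("a=1; sid"));
    free(v);
    return 0;
}
```

Running it shows `abc123` with both the leading and trailing blanks removed, and a one-byte overrun for the truncated `a=1; sid` header: the old code would have gone on to strspn()/strlen() whatever followed the pool copy of the header.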