From: Joe Orton Date: Mon, 16 Jul 2007 13:25:11 +0000 (+0000) Subject: Merge r535617 from trunk (fixing CVE-2007-1863): X-Git-Tag: 2.0.60~20 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5cf38df49207f099940df6b2413d17f0ba7c0aad;p=thirdparty%2Fapache%2Fhttpd.git Merge r535617 from trunk (fixing CVE-2007-1863): * Prevent a segmentation fault if one of the Cache-Control headers s-maxage, max-age, min-fresh, max-stale has no value assigned. In this case ignore s-maxage, max-age, min-fresh. For max-stale it is valid to set no value. In this case set max-stale to 1 year to signal that the client is accepting a stale response of any age. Submitted by: Niklas Edmundsson Reviewed by: mjc, rpluem, jorton git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@556619 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 9197d3137e0..805d69c3505 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,10 @@ -*- coding: utf-8 -*- Changes with Apache 2.0.60 + *) SECURITY: CVE-2007-1863 (cve.mitre.org) + mod_cache: Prevent segmentation fault if a Cache-Control header has + no value. [Niklas Edmundsson ] + *) SECURITY: CVE-2006-5752 (cve.mitre.org) mod_status: Fix a possible XSS attack against a site with a public server-status page and ExtendedStatus enabled, for browsers which diff --git a/modules/experimental/cache_util.c b/modules/experimental/cache_util.c index eaac9d533e6..9782cb7b5e0 100644 --- a/modules/experimental/cache_util.c +++ b/modules/experimental/cache_util.c @@ -186,7 +186,8 @@ CACHE_DECLARE(int) ap_cache_check_freshness(cache_handle_t *h, age = ap_cache_current_age(info, age_c, r->request_time); /* extract s-maxage */ - if (cc_cresp && ap_cache_liststr(r->pool, cc_cresp, "s-maxage", &val)) { + if (cc_cresp && ap_cache_liststr(r->pool, cc_cresp, "s-maxage", &val) + && val != NULL) { smaxage = apr_atoi64(val); } else if (cc_ceresp && ap_cache_liststr(r->pool, cc_ceresp, "s-maxage", &val)) { 
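Review bot: The new `&& val != NULL` guard covers only the `cc_cresp` branch; the context line closing this hunk, `else if (cc_ceresp && ap_cache_liststr(r->pool, cc_ceresp, "s-maxage", &val)) {`, still has no guard, so a valueless `s-maxage` in the cached entity's Cache-Control reaches `apr_atoi64(val)` with `val == NULL` if that branch's body (outside the hunk) mirrors the first one. Since this commit makes `ap_cache_liststr` write `NULL` into `val` exactly for that case, the unguarded branch is now the same null-dereference path the CVE fix closes. Change the line to `else if (cc_ceresp && ap_cache_liststr(r->pool, cc_ceresp, "s-maxage", &val) && val != NULL) {`. Presumably the `cc_ceresp` headers originate from the stored upstream response rather than the current client, which would let an origin server trigger the crash; worth confirming. `ap_cache_check_freshness` starts before this hunk and continues past it.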
@@ -197,7 +198,8 @@ CACHE_DECLARE(int) ap_cache_check_freshness(cache_handle_t *h, } /* extract max-age from request */ - if (cc_req && ap_cache_liststr(r->pool, cc_req, "max-age", &val)) { + if (cc_req && ap_cache_liststr(r->pool, cc_req, "max-age", &val) + && val != NULL) { maxage_req = apr_atoi64(val); } else { @@ -205,7 +207,8 @@ CACHE_DECLARE(int) ap_cache_check_freshness(cache_handle_t *h, } /* extract max-age from response */ - if (cc_cresp && ap_cache_liststr(r->pool, cc_cresp, "max-age", &val)) { + if (cc_cresp && ap_cache_liststr(r->pool, cc_cresp, "max-age", &val) + && val != NULL) { maxage_cresp = apr_atoi64(val); } else if (cc_ceresp && ap_cache_liststr(r->pool, cc_ceresp, "max-age", &val)) { @@ -231,14 +234,28 @@ CACHE_DECLARE(int) ap_cache_check_freshness(cache_handle_t *h, /* extract max-stale */ if (cc_req && ap_cache_liststr(r->pool, cc_req, "max-stale", &val)) { - maxstale = apr_atoi64(val); + if(val != NULL) { + maxstale = apr_atoi64(val); + } + else { + /* + * If no value is assigned to max-stale, then the client is willing + * to accept a stale response of any age (RFC2616 14.9.3). We will + * set it to one year in this case as this situation is somewhat + * similar to a "never expires" Expires header (RFC2616 14.21) + * which is set to a date one year from the time the response is + * sent in this case. + */ + maxstale = APR_INT64_C(86400*365); + } } else { maxstale = 0; } /* extract min-fresh */ - if (cc_req && ap_cache_liststr(r->pool, cc_req, "min-fresh", &val)) { + if (cc_req && ap_cache_liststr(r->pool, cc_req, "min-fresh", &val) + && val != NULL) { minfresh = apr_atoi64(val); } else { @@ -384,6 +401,9 @@ CACHE_DECLARE(int) ap_cache_liststr(apr_pool_t *p, const char *list, next - val_start); } } + else { + *val = NULL; + } } return 1; }
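Review bot: In the max-age-from-response hunk the guard is again only on the `cc_cresp` branch, while the closing context line `else if (cc_ceresp && ap_cache_liststr(r->pool, cc_ceresp, "max-age", &val)) {` is left unguarded; with `ap_cache_liststr` now storing `NULL` for a bare `max-age` directive, that branch will hand a null pointer to `apr_atoi64` if its body (outside the hunk) matches the first. Apply the same fix here: `else if (cc_ceresp && ap_cache_liststr(r->pool, cc_ceresp, "max-age", &val) && val != NULL) {`. The body of `ap_cache_check_freshness` continues beyond this hunk, so the `maxage_cresp` assignment in that branch cannot be checked from here.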
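Review bot: The max-stale hunk introduces `if(val != NULL) {` without the space after `if`, unlike every other `if (` in the surrounding code; write it `if (val != NULL) {` to match the file's style. The one-year fallback `maxstale = APR_INT64_C(86400*365);` is a magic number whose rationale lives only in the comment block above it; a named constant such as `#define CACHE_MAXSTALE_ANY APR_INT64_C(86400*365)` (placed near the file's other definitions, outside this hunk) would make the assignment self-describing and reusable if the same "any age" value is needed elsewhere. The enclosing function starts before and ends after this hunk.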
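Review bot: The new `else { *val = NULL; }` in `ap_cache_liststr` changes the function's output contract — after a match, `*val` is now `NULL` when the directive carries no `=value` — but nothing documents this, and every caller that reuses a single `val` across calls now depends on it. Add to the function's header comment (outside this hunk) a line such as `/* On return 1, *val is the directive's value, or NULL if the directive had no "=value" part. */`. If the `if` this `else` pairs with is not already inside a check that `val` itself is non-NULL (not visible here), callers that pass `NULL` to test only for presence would now dereference it; that guard should be confirmed.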