From: Eric Covener
Date: Mon, 23 Jan 2012 15:04:09 +0000 (+0000)
Subject: CVE-2012-0053: Fix an issue in error responses that could expose
X-Git-Tag: 2.5.0-alpha~7550
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=76aa41352dca4c8b6a6ae4c5f2efa451f6a99779;p=thirdparty%2Fapache%2Fhttpd.git
CVE-2012-0053: Fix an issue in error responses that could expose "httpOnly" cookies when no custom ErrorDocument is specified for status code 400.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1234837 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/server/protocol.c b/server/protocol.c
index 73889ca7ed5..0781b26e44a 100644
--- a/server/protocol.c
+++ b/server/protocol.c
@@ -750,12 +750,12 @@ AP_DECLARE(void) ap_get_mime_headers_core(request_rec *r, apr_bucket_brigade *bb
 /* insure ap_escape_html will terminate correctly */
 field[len - 1] = '\0';
 apr_table_setn(r->notes, "error-notes",
- apr_pstrcat(r->pool,
+ apr_psprintf(r->pool,
 "Size of a request header field "
 "exceeds server limit.
\n"
- "
\n",
-                                           ap_escape_html(r->pool, field),
-                                           "
\n", NULL));
+ "
\n%.*s\n
\n",
+ field_name_len(field),
+ ap_escape_html(r->pool, field)));
 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(00561)
 "Request header exceeds LimitRequestFieldSize: "
 "%.*s", field_name_len(field), field);
@@ -779,13 +779,13 @@ AP_DECLARE(void) ap_get_mime_headers_core(request_rec *r, apr_bucket_brigade *bb
 * overflow (last_field) as the field with the problem
 */
 apr_table_setn(r->notes, "error-notes",
- apr_pstrcat(r->pool,
+ apr_psprintf(r->pool,
 "Size of a request header field "
 "after folding "
 "exceeds server limit.
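Review bot: The `%.*s` precision in the new `apr_psprintf` call is computed on the raw header (`field_name_len(field)`) but applied to the string returned by `ap_escape_html(r->pool, field)`, so the cut is made in escaped text. If the name part contains `<`, `>` or `&`, the entities count against the limit and the note can end in a partial entity, and the whole oversized field is escaped only to print a short prefix. Truncating before escaping keeps the bound exact: `ap_escape_html(r->pool, apr_pstrmemdup(r->pool, field, field_name_len(field)))` with a plain `%s`. The same pattern appears in the -779 hunk with `last_field` and in the -824 hunk with `(int)LOG_NAME_MAX_LEN`. `field_name_len` is defined outside these hunks, so its return value is assumed here to be a non-negative length, as its use in the adjacent log call suggests.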
\n"
- "
\n",
-                                               ap_escape_html(r->pool, last_field),
-                                               "
\n", NULL));
+ "
\n%.*s\n
\n",
+ field_name_len(last_field),
+ ap_escape_html(r->pool, last_field)));
 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(00562)
 "Request header exceeds LimitRequestFieldSize "
 "after folding: %.*s",
@@ -824,13 +824,13 @@ AP_DECLARE(void) ap_get_mime_headers_core(request_rec *r, apr_bucket_brigade *bb
 if (!(value = strchr(last_field, ':'))) { /* Find ':' or */
 r->status = HTTP_BAD_REQUEST; /* abort bad request */
 apr_table_setn(r->notes, "error-notes",
- apr_pstrcat(r->pool,
+ apr_psprintf(r->pool,
 "Request header field is "
 "missing ':' separator.
\n"
- "
\n",
+                                               "
\n%.*s
\n",
+ (int)LOG_NAME_MAX_LEN,
 ap_escape_html(r->pool,
- last_field),
- "
\n", NULL));
+ last_field)));
 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(00564)
 "Request header field is missing ':' "
 "separator: %.*s", (int)LOG_NAME_MAX_LEN,
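Review bot: Nothing in the new code records why only a bounded prefix of the offending line is echoed into `error-notes`, so a later cleanup could restore the full echo that this commit removes; a comment above the call such as `/* Echo only a bounded prefix: the full line may carry cookie values (CVE-2012-0053) */` would pin the intent. As rendered on this page, the format string here also has no `\n` between `%.*s` and the closing markup, whereas the two earlier hunks use `%.*s\n`; if that difference is not intentional, use the same form in all three. The markup inside the literals is not visible on this page, so the second point should be checked against the file.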