From: Paul Querna
Date: Wed, 21 Jul 2010 18:25:49 +0000 (+0000)
Subject: CVE-2010-1452: Fix handling of missing path segments in the parsed URI structure.
X-Git-Tag: 2.2.16~2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=98115eef19b4a3c1120106f1bc530b458de85860;p=thirdparty%2Fapache%2Fhttpd.git
CVE-2010-1452: Fix handling of missing path segments in the parsed URI structure.
If a specially crafted request was sent, it is possible to crash mod_dav or mod_cache, as they accessed a field that is set to NULL by the URI parser, assuming that it always put in a valid string.
PR: 49246
Submitted by: Mark Drayton
Patch by: Jeff Trawick
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@966349 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/CHANGES b/CHANGES
index 52d160c472c..a68ffc7d7de 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,10 @@
 -*- coding: utf-8 -*-
 Changes with Apache 2.2.16
+ *) SECURITY: CVE-2010-1452 (cve.mitre.org)
+ mod_dav, mod_cache: Fix Handling of requests without a path segment.
+ PR: 49246 [Mark Drayton, Jeff Trawick]
+
 *) SECURITY: CVE-2010-2068 (cve.mitre.org)
 mod_proxy_ajp, mod_proxy_http, mod_reqtimeout: Fix timeout detection for platforms Windows, Netware and OS2. PR: 49417. [Rainer Jung]
diff --git a/include/httpd.h b/include/httpd.h
index 30bdc71b7b4..40351b79c66 100644
--- a/include/httpd.h
+++ b/include/httpd.h
@@ -940,7 +940,7 @@ struct request_rec {
 /** The URI without any parsing performed */
 char *unparsed_uri;
- /** The path portion of the URI */
+ /** The path portion of the URI, or "/" if no path provided */
 char *uri;
 /** The filename on disk corresponding to this response */
 char *filename;
diff --git a/modules/cache/cache_storage.c b/modules/cache/cache_storage.c
index 2fbadc8be1e..f87f9c9ddb6 100644
--- a/modules/cache/cache_storage.c
+++ b/modules/cache/cache_storage.c
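Review bot: The reworded comment on `uri` in include/httpd.h says what the field holds when the request has no path, but not the property the rest of this commit depends on, namely that the field can be dereferenced without a NULL check. If that guarantee holds, stating it outright and contrasting it with the parsed form would keep module authors from repeating the mistake: `/** The path portion of the URI, or "/" if no path was provided; never NULL, unlike parsed_uri.path */`. The struct continues outside the hunk, so the comment on the parsed_uri member itself is not visible here and may deserve the matching caveat.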
@@ -479,7 +479,7 @@ apr_status_t cache_generate_key_default(request_rec *r, apr_pool_t* p,
 * Check if we need to ignore session identifiers in the URL and do so
 * if needed.
 */
- path = r->parsed_uri.path;
+ path = r->uri;
 querystring = r->parsed_uri.query;
 if (conf->ignore_session_id->nelts) {
 int i;
@@ -546,7 +546,7 @@ apr_status_t cache_generate_key_default(request_rec *r, apr_pool_t* p,
 */
 cache->key = apr_pstrdup(r->pool, *key);
 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, NULL,
- "cache: Key for entity %s?%s is %s", r->parsed_uri.path,
+ "cache: Key for entity %s?%s is %s", r->uri,
 r->parsed_uri.query, *key);
 return APR_SUCCESS;
diff --git a/modules/dav/main/util.c b/modules/dav/main/util.c
index 5297b908489..6ab880b426d 100644
--- a/modules/dav/main/util.c
+++ b/modules/dav/main/util.c
@@ -624,7 +624,8 @@ static dav_error * dav_process_if_header(request_rec *r, dav_if_header **p_ih)
 /* 2518 specifies this must be an absolute URI; just take the
 * relative part for later comparison against r->uri */
- if (apr_uri_parse(r->pool, uri, &parsed_uri) != APR_SUCCESS
+ if (apr_uri_parse(r->pool, uri, &parsed_uri) != APR_SUCCESS) {
+ || !parsed_uri.path) {
 return dav_new_error(r->pool, HTTP_BAD_REQUEST,
 DAV_ERR_IF_TAGGED,
 "Invalid URI in tagged If-header.");
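Review bot: In modules/cache/cache_storage.c the new assignment `path = r->uri;` carries no comment saying why the parsed field is avoided, while the next line, `querystring = r->parsed_uri.query;`, still reads from the same parsed structure with no NULL check visible in the hunk. A comment such as `/* r->uri is "/" when the request has no path; parsed_uri.path can be NULL (CVE-2010-1452) */` would keep a later cleanup from reverting the line. The switch also changes which form of the path feeds the cache key: if r->uri has been decoded or rewritten by the time this function runs, keys may no longer correspond to the raw request path, which is worth confirming against the session-identifier stripping that follows. The log call in the second hunk (line 546) has the same shape, with `r->parsed_uri.query` still passed to `%s`; both hunks sit inside cache_generate_key_default, whose body continues outside them.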
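Review bot: The added `|| !parsed_uri.path` test in modules/dav/main/util.c answers a tagged If-header URI that has no path with 400, although the comment directly above says the relative part is compared against r->uri, which this same commit documents as "/" when no path is provided. If an authority-only URI is meant to name the root resource, substituting "/" for the missing path would be the consistent choice; if rejection is intended, the code should say so, for example `/* apr_uri_parse() leaves path NULL when the URI has no path segment; reject instead of dereferencing it below */`. The uses of parsed_uri.path that follow are outside the hunk, as is the rest of dav_process_if_header.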