From: Eric Covener <covener@apache.org>
Date: Fri, 1 Jun 2007 15:50:12 +0000 (+0000)
Subject: SECURITY: CVE-2007-1862 (cve.mitre.org)
X-Git-Tag: 2.3.0~1791
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9a29cd5f657671998da41c51e1933d23312ad310;p=thirdparty%2Fapache%2Fhttpd.git

SECURITY: CVE-2007-1862 (cve.mitre.org)
mod_mem_cache: Copy headers into longer lived storage; header names and
values could previously point to cleaned up storage

PR: 41551
Submitted by: Davi Arnaut <davi haxent.com.br>
Reviewed by: covener



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@543515 13f79535-47bb-0310-9956-ffa450edef68
---

diff --git a/CHANGES b/CHANGES
index 7d94981d5b0..b486adf50d9 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2,6 +2,11 @@
 Changes with Apache 2.3.0
   [Remove entries to the current 2.0 and 2.2 section below, when backported]
 
+  *) SECURITY: CVE-2007-1862 (cve.mitre.org)
+     mod_mem_cache: Copy headers into longer lived storage; header names and 
+     values could previously point to cleaned up storage
+     PR 41551 [Davi Arnaut <davi haxent.com.br>]
+
   *) mod_cache: Do not set Date or Expires when they are missing from
      the original response or are invalid.  [Justin Erenkrantz]
 
diff --git a/modules/cache/mod_mem_cache.c b/modules/cache/mod_mem_cache.c
index b963a347feb..93439c64012 100644
--- a/modules/cache/mod_mem_cache.c
+++ b/modules/cache/mod_mem_cache.c
@@ -539,12 +539,28 @@ static int remove_url(cache_handle_t *h, apr_pool_t *p)
     return OK;
 }
 
+static apr_table_t *deep_table_copy(apr_pool_t *p, const apr_table_t *table)
+{
+    const apr_array_header_t *array = apr_table_elts(table);
+    apr_table_entry_t *elts = (apr_table_entry_t *) array->elts;
+    apr_table_t *copy = apr_table_make(p, array->nelts);
+    int i;
+
+    for (i = 0; i < array->nelts; i++) {
+        if (elts[i].key) {  
+            apr_table_add(copy, elts[i].key, elts[i].val);
+        }
+    }
+
+    return copy;
+}
+
 static apr_status_t recall_headers(cache_handle_t *h, request_rec *r)
 {
     mem_cache_object_t *mobj = (mem_cache_object_t*) h->cache_obj->vobj;
 
-    h->req_hdrs = apr_table_copy(r->pool, mobj->req_hdrs);
-    h->resp_hdrs = apr_table_copy(r->pool, mobj->header_out);
+    h->req_hdrs = deep_table_copy(r->pool, mobj->req_hdrs);
+    h->resp_hdrs = deep_table_copy(r->pool, mobj->header_out);
 
     return OK;
 }
@@ -586,7 +602,7 @@ static apr_status_t store_headers(cache_handle_t *h, request_rec *r, cache_info
      * - The original response headers (for returning with a cached response)
      * - The body of the message
      */
-    mobj->req_hdrs = apr_table_copy(mobj->pool, r->headers_in);
+    mobj->req_hdrs = deep_table_copy(mobj->pool, r->headers_in);
 
     /* Precompute how much storage we need to hold the headers */
     headers_out = ap_cache_cacheable_hdrs_out(r->pool, r->headers_out,
@@ -600,7 +616,7 @@ static apr_status_t store_headers(cache_handle_t *h, request_rec *r, cache_info
     }
 
     headers_out = apr_table_overlay(r->pool, headers_out, r->err_headers_out);
-    mobj->header_out = apr_table_copy(mobj->pool, headers_out);
+    mobj->header_out = deep_table_copy(mobj->pool, headers_out);
 
     /* Init the info struct */
     obj->info.status = info->status;