From: Eric Covener Date: Tue, 24 Jan 2012 20:02:19 +0000 (+0000) Subject: backport r1234837 from trunk: X-Git-Tag: 2.2.22~8 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b465990b860c310ca85ce661623b5fb47fab11d2;p=thirdparty%2Fapache%2Fhttpd.git backport r1234837 from trunk: CVE-2012-0053: Fix an issue in error responses that could expose "httpOnly" cookies when no custom ErrorDocument is specified for status code 400. Reviewed By: covener, trawick, gregames git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1235454 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index e57cd06b6a2..efa6cd94893 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,11 @@ -*- coding: utf-8 -*- Changes with Apache 2.2.22 + *) SECURITY: CVE-2012-0053 (cve.mitre.org) + Fix an issue in error responses that could expose "httpOnly" cookies + when no custom ErrorDocument is specified for status code 400. + [Eric Covener] + *) SECURITY: CVE-2012-0031 (cve.mitre.org) Fix scoreboard issue which could allow an unprivileged child process could cause the parent to crash at shutdown rather than terminate diff --git a/STATUS b/STATUS index 9b4ab1180dd..35bfd1de912 100644 --- a/STATUS +++ b/STATUS @@ -146,15 +146,6 @@ PATCHES PROPOSED TO BACKPORT FROM TRUNK: http://svn.apache.org/viewvc?rev=1227860&view=rev +1: wrowe - * core: Fix header/cookie values echoed in default 400 error document - (CVE-2012-0053) - Trunk patch: - http://svn.apache.org/viewvc?rev=1234837&view=rev - 2.2.x patch: - http://people.apache.org/~covener/patches/httpd-2.2.x-CVE-2012-0053.diff - +1: covener, trawick, gregames - trawick: sync with 2.4.x on use of APLOG_INFO instead of APLOG_DEBUG? - PATCHES/ISSUES THAT ARE STALLED * core: Support wildcards in both the directory and file components of diff --git a/server/protocol.c b/server/protocol.c index 2e3ce935a4b..796ae587baa 100644 --- a/server/protocol.c +++ b/server/protocol.c @@ -670,6 +670,16 @@ static int read_request_line(request_rec *r, apr_bucket_brigade *bb) return 1; } +/* get the length of the field name for logging, but no more than 80 bytes */ +#define LOG_NAME_MAX_LEN 80 +static int field_name_len(const char *field) +{ + const char *end = ap_strchr_c(field, ':'); + if (end == NULL || end - field > LOG_NAME_MAX_LEN) + return LOG_NAME_MAX_LEN; + return end - field; +} + AP_DECLARE(void) ap_get_mime_headers_core(request_rec *r, apr_bucket_brigade *bb) { char *last_field = NULL; @@ -709,12 +719,15 @@ AP_DECLARE(void) ap_get_mime_headers_core(request_rec *r, apr_bucket_brigade *bb /* insure ap_escape_html will terminate correctly */ field[len - 1] = '\0'; apr_table_setn(r->notes, "error-notes", - apr_pstrcat(r->pool, + apr_psprintf(r->pool, "Size of a request header field " "exceeds server limit.
\n" - "
\n",
-                                           ap_escape_html(r->pool, field),
-                                           "
\n", NULL)); + "
\n%.*s\n
/n", + field_name_len(field), + ap_escape_html(r->pool, field))); + ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, + "Request header exceeds LimitRequestFieldSize: " + "%.*s", field_name_len(field), field); } return; } @@ -735,13 +748,17 @@ AP_DECLARE(void) ap_get_mime_headers_core(request_rec *r, apr_bucket_brigade *bb * overflow (last_field) as the field with the problem */ apr_table_setn(r->notes, "error-notes", - apr_pstrcat(r->pool, + apr_psprintf(r->pool, "Size of a request header field " "after folding " "exceeds server limit.
\n" - "
\n",
-                                               ap_escape_html(r->pool, last_field),
-                                               "
\n", NULL)); + "
\n%.*s\n
\n", + field_name_len(last_field), + ap_escape_html(r->pool, last_field))); + ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, + "Request header exceeds LimitRequestFieldSize " + "after folding: %.*s", + field_name_len(last_field), last_field); return; } @@ -773,13 +790,18 @@ AP_DECLARE(void) ap_get_mime_headers_core(request_rec *r, apr_bucket_brigade *bb if (!(value = strchr(last_field, ':'))) { /* Find ':' or */ r->status = HTTP_BAD_REQUEST; /* abort bad request */ apr_table_setn(r->notes, "error-notes", - apr_pstrcat(r->pool, + apr_psprintf(r->pool, "Request header field is " "missing ':' separator.
\n" - "
\n",
+                                               "
\n%.*s
\n",
+                                               (int)LOG_NAME_MAX_LEN,
                                                ap_escape_html(r->pool,
-                                                              last_field),
-                                               "
\n", NULL)); + last_field))); + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "Request header field is missing ':' " + "separator: %.*s", (int)LOG_NAME_MAX_LEN, + last_field); + return; }