From: Ruediger Pluem Date: Sat, 25 Apr 2009 09:58:52 +0000 (+0000) Subject: Merge r763394 from trunk: X-Git-Tag: 2.2.12~156 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=baa507cb25149aed51128d14336f922ec1c6960b;p=thirdparty%2Fapache%2Fhttpd.git Merge r763394 from trunk: * Avoid delivering content from a previous request which failed to send a request body by closing the connection to the backend in this case instead of reusing it. CVE: CVE-2009-1191 (cve.mitre.org) PR: 46949 Submitted by: rpluem Reviewed by: rpluem, wrowe, jfclere git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@768506 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 2697cd93441..013398d3cf0 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,10 @@ -*- coding: utf-8 -*- Changes with Apache 2.2.12 + *) SECURITY: CVE-2009-1191 (cve.mitre.org) + mod_proxy_ajp: Avoid delivering content from a previous request which + failed to send a request body. PR 46949 [Ruediger Pluem] + *) mod_ssl: Add SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN directives to enable stricter checking of remote server certificates. [Ruediger Pluem] diff --git a/STATUS b/STATUS index b3ed5a88a96..0f4d79ef9ba 100644 --- a/STATUS +++ b/STATUS @@ -87,16 +87,6 @@ RELEASE SHOWSTOPPERS: PATCHES ACCEPTED TO BACKPORT FROM TRUNK: [ start all new proposals below, under PATCHES PROPOSED. ] -* mod_proxy_ajp: Avoid delivering content from a previous request which failed - to send a request body by closing the connection to the backend in this case - instead of reusing it. - PR: 46949 - Trunk version of patch: - http://svn.apache.org/viewvc?rev=763394&view=rev - Backport version for 2.2.x of patch: - Trunk version of patch works - +1: rpluem, wrowe, jfclere - * mod_proxy_ajp: Check more strictly that the backend follows the AJP protocol. Trunk version of patch: http://svn.apache.org/viewvc?rev=764239&view=rev 
diff --git a/modules/proxy/mod_proxy_ajp.c b/modules/proxy/mod_proxy_ajp.c index c3b80e3d78a..6601cb2c886 100644 --- a/modules/proxy/mod_proxy_ajp.c +++ b/modules/proxy/mod_proxy_ajp.c @@ -307,21 +307,17 @@ static int ap_proxy_ajp_request(apr_pool_t *p, request_rec *r, "proxy: read zero bytes, expecting" " %" APR_OFF_T_FMT " bytes", content_length); - status = ajp_send_data_msg(conn->sock, msg, 0); - if (status != APR_SUCCESS) { - /* We had a failure: Close connection to backend */ - conn->close++; - ap_log_error(APLOG_MARK, APLOG_ERR, status, r->server, - "proxy: send failed to %pI (%s)", - conn->worker->cp->addr, - conn->worker->hostname); - return HTTP_INTERNAL_SERVER_ERROR; - } - else { - /* Client send zero bytes with C-L > 0 - */ - return HTTP_BAD_REQUEST; - } + /* + * We can only get here if the client closed the connection + * to us without sending the body. + * Now the connection is in the wrong state on the backend. + * Sending an empty data msg doesn't help either as it does + * not move this connection to the correct state on the backend + * for later resusage by the next request again. + * Close it to clean things up. + */ + conn->close++; + return HTTP_BAD_REQUEST; } }
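Review bot: In the modules/proxy/mod_proxy_ajp.c hunk (@@ -307,21 +307,17 @@), the new branch sets conn->close++ and returns HTTP_BAD_REQUEST without recording which backend connection was dropped; the only log line left in the visible context is "proxy: read zero bytes, expecting ... bytes", which names neither the worker nor the fact that the connection will not be reused. The removed ap_log_error call printed conn->worker->cp->addr and conn->worker->hostname, so consider adding those to the remaining message, or a separate debug-level line, so an operator can correlate aborted request bodies with backend connection churn. In the new comment, "resusage" is a typo; "for later reuse by the next request" reads more cleanly than "for later resusage by the next request again".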
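Review bot: In the CHANGES hunk (@@ -1,6 +1,10 @@), the new SECURITY entry states what is avoided but not how the behaviour changes; the commit message carries the missing half, "by closing the connection to the backend in this case instead of reusing it". Adding that clause to the mod_proxy_ajp entry would tell administrators reading CHANGES that the visible effect of the CVE-2009-1191 fix is a closed backend connection whenever a client fails to send its request body.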