From: William A. Rowe Jr
Date: Thu, 21 Mar 2002 16:07:02 +0000 (+0000)
Subject: Introduce proper escaping of command.com and cmd.exe for Win32.
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=bfc917467fccbf65bf3ba87aedafe5a1062ea716;p=thirdparty%2Fapache%2Fhttpd.git

Introduce proper escaping of command.com and cmd.exe for Win32.

These patches close vulnerability CAN-2002-0061, identified and reported by Ory Segal 13 Feb 2002, by which any invocation of .bat or .cmd files permits system compromise when cmd.exe parsed the args passed from QUERY_STRING. [William Rowe]

Patches of the set reviewed by Allan Edwards and Bill Stoddard, while the security solutions were reviewed at length by the entire security community at the ASF.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/1.3.x@94092 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/src/CHANGES b/src/CHANGES index 6547ce23bf1..f8a2167772c 100644 --- a/src/CHANGES +++ b/src/CHANGES
@@ -1,5 +1,36 @@ Changes with Apache 1.3.24 + + *) Introduce proper escaping of command.com and cmd.exe for Win32. + These patches close vulnerability CAN-2002-0061, identified and + reported by Ory Segal , by which any CGI + invocation of .bat or .cmd files could comprimize the system + when the .bat or .cmd was parsed the query args as an argument + to either cmd.exe /c or command.com /c. [William Rowe] + + *) Add % and \r [C/R] to the dangerous Win32 shell character list. + Retain the Unix sh escapes list for compatibility. + [William Rowe] + + *) Pass the command line to the cmd.exe /c interpreter double quoted. + This fixes a bug that CGI args ending in a double-quote would + cause invocation to fail. Also, treat command.com as a 16-bit + executable. [William Rowe] + + *) Win32; Never invoke cmd or bat scripts based on the registry, even + for 'ScriptInterpreterSource Registry' enabled. [William Rowe] + + *) Provide Win32 users a log of the cgi command invoked, to assist + in debugging scripts at LogLevel info. Also provide env vars + at LogLevel debug for additional help to admins troubleshooting + the ever mysterious "Premature end of script headers" error. + [Aaron Bannert] + + *) Added the 'CgiCommandArgs off' directive, to allow admins + to disable the query argument passing mechanism in Apache, + if future cgi arguments vulnerabilities should be discovered. + [Aaron Bannert] + *) When a proxied site was being served, Apache was replacing the original site Server header with it's own, which is not allowed by RFC2616. Fixed. [Graham Leggett] diff --git a/src/main/util_script.c b/src/main/util_script.c index b69a03974ec..45da3d173cb 100644 --- a/src/main/util_script.c +++ b/src/main/util_script.c 
@@ -1016,10 +1016,33 @@ API_EXPORT(int) ap_call_exec(request_rec *r, child_info *pinfo, char *argv0, /* * We need to unescape any characters that are - * in the arguments list. + * in the arguments list. Truncate to 4000 + * characters for safety, being careful of the + * now-escaped characters. */ ap_unescape_url(arguments); arguments = ap_escape_shell_cmd(r->pool, arguments); + if (strlen(arguments) > 4000) + { + int len = 4000; + while (len && arguments[len - 1] == '\\') { + --len; + } + arguments[len] = '\0'; + } + + /* + * Now that the arguments list is 'shell' escaped with + * backslashes, we need to make cmd.exe/command.com + * safe from this same set of characters. + */ + if (fileType == eCommandShell32) { + arguments = ap_caret_escape_args(r->pool, arguments); + } + else if (fileType == eCommandShell16) { + arguments = ap_pstrcat(r->pool, "\"", + ap_double_quotes(r->pool, arguments), "\"", NULL); + } } /*
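Review bot: the 4000-character truncation in util_script.c runs before the caret-escaping pass for eCommandShell32 and the double-quoting pass for eCommandShell16, so the string finally handed to cmd.exe or command.com can still grow well past 4000 characters once every dangerous character gains a caret or quotes are added; if 4000 is meant as a bound on the interpreter's command line, apply the cut after the last escaping step, and replace the repeated literal `4000` with a named constant so the comment "Truncate to 4000 characters for safety" and the code cannot drift apart. The trailing-backslash loop `while (len && arguments[len - 1] == '\\')` also strips a complete escaped pair such as `\\`, not only a dangling lone escape; that is safe (it only drops more), but a short comment saying the over-stripping is intentional would save the next reader from reporting it as a bug.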