From: Ruediger Pluem Date: Tue, 14 May 2013 14:41:30 +0000 (+0000) Subject: * mod_rewrite: Ensure that client data written to the RewriteLog is X-Git-Tag: 2.2.25~63 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c0eb0397499044a0fc365a279d06d6bfe71ad646;p=thirdparty%2Fapache%2Fhttpd.git * mod_rewrite: Ensure that client data written to the RewriteLog is escaped to prevent terminal escape sequences from entering the log file. (CVE-2013-1862 (cve.mitre.org)) Submitted by: jorton Reviewed by: jorton, covener, rpluem git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1482349 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 910d9cd2d61..8a50c66e850 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,11 @@ -*- coding: utf-8 -*- Changes with Apache 2.2.25 + *) SECURITY: CVE-2013-1862 (cve.mitre.org) + mod_rewrite: Ensure that client data written to the RewriteLog is + escaped to prevent terminal escape sequences from entering the + log file. [Joe Orton] + *) htdigest: Fix buffer overflow when reading digest password file with very long lines. PR 54893. [Rainer Jung] diff --git a/STATUS b/STATUS index 023abe62eab..3cc3179c995 100644 --- a/STATUS +++ b/STATUS @@ -103,12 +103,6 @@ PATCHES ACCEPTED TO BACKPORT FROM TRUNK: 2.2.x patch: http://people.apache.org/~wrowe/httpd-2.2-quiet-fips.patch +1: wrowe, druggeri, kbrand - * mod_rewrite: fix CVE-2013-1862, escape log file output - (not needed for trunk/2.4) - 2.2.x patch: - http://people.apache.org/~jorton/mod_rewrite-CVE-2013-1862.patch - +1: jorton, covener, rpluem - PATCHES PROPOSED TO BACKPORT FROM TRUNK: [ New proposals should be added at the end of the list ] diff --git a/modules/mappers/mod_rewrite.c b/modules/mappers/mod_rewrite.c index b68650b7644..081c7b5948a 100644 --- a/modules/mappers/mod_rewrite.c +++ b/modules/mappers/mod_rewrite.c 
@@ -500,11 +500,11 @@ static void do_rewritelog(request_rec *r, int level, char *perdir, logline = apr_psprintf(r->pool, "%s %s %s %s [%s/sid#%pp][rid#%pp/%s%s%s] " "(%d) %s%s%s%s" APR_EOL_STR, - rhost ? rhost : "UNKNOWN-HOST", - rname ? rname : "-", - r->user ? (*r->user ? r->user : "\"\"") : "-", + rhost ? ap_escape_logitem(r->pool, rhost) : "UNKNOWN-HOST", + rname ? ap_escape_logitem(r->pool, rname) : "-", + r->user ? (*r->user ? ap_escape_logitem(r->pool, r->user) : "\"\"") : "-", current_logtime(r), - ap_get_server_name(r), + ap_escape_logitem(r->pool, ap_get_server_name(r)), (void *)(r->server), (void *)r, r->main ? "subreq" : "initial", @@ -514,7 +514,7 @@ static void do_rewritelog(request_rec *r, int level, char *perdir, perdir ? "[perdir " : "", perdir ? perdir : "", perdir ? "] ": "", - text); + ap_escape_logitem(r->pool, text)); nbytes = strlen(logline); apr_file_write(conf->rewritelogfp, logline, &nbytes);
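Review bot: the STATUS hunk deletes the only line that recorded "(not needed for trunk/2.4)", and neither the commit message nor the new CHANGES entry carries that scope over. Suggest adding a sentence to the commit log or the CHANGES entry saying this is a 2.2.x-only change, so that someone auditing trunk for CVE-2013-1862 later does not go looking for a missing forward port.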
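Review bot: in the first mod_rewrite.c hunk (@@ -500,11 +500,11 @@), nothing in the code says why these four arguments are wrapped, and ap_get_server_name(r) in particular is treated as client data alongside rhost, rname and r->user without explanation. Suggest a short comment above the apr_psprintf call stating that every request-derived string passed to the RewriteLog format must go through ap_escape_logitem(r->pool, ...), so that a field added to the format string later follows the same rule instead of reintroducing the problem.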
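Review bot: in the second mod_rewrite.c hunk (@@ -514,7 +514,7 @@), the context line `perdir ? perdir : "",` leaves perdir as the one caller-supplied string in this hunk that still reaches apr_psprintf without ap_escape_logitem, while text on the next changed line is now escaped. Either wrap it the same way, `perdir ? ap_escape_logitem(r->pool, perdir) : "",`, or add a comment stating that perdir can never carry request-derived bytes, so the omission reads as deliberate rather than as a missed field.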