From: William A. Rowe Jr Date: Thu, 7 Oct 2010 22:24:15 +0000 (+0000) Subject: SECURITY: CVE-2010-1452 (cve.mitre.org) X-Git-Tag: 2.0.64~5 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c9d1a5c95308d796798c512fa88e750d605bf14b;p=thirdparty%2Fapache%2Fhttpd.git SECURITY: CVE-2010-1452 (cve.mitre.org) mod_dav: Fix Handling of requests without a path segment. (mod_cache and mod_session portions don't apply to 2.0.x) PR: 49246 Backports: r966348 Submitted by: Mark Drayton, trawick Reviewed by: wrowe, rjung git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@1005655 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index d59dc5d4097..f2d557f4c61 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,10 @@ - -*- coding: utf-8 -*- + -*- coding: utf-8 -*- Changes with Apache 2.0.64 + *) SECURITY: CVE-2010-1452 (cve.mitre.org) + mod_dav: Fix Handling of requests without a path segment. + PR: 49246 [Mark Drayton, Jeff Trawick] + *) SECURITY: CVE-2009-1891 (cve.mitre.org) Fix a potential Denial-of-Service attack against mod_deflate or other modules, by forcing the server to consume CPU time in compressing a diff --git a/STATUS b/STATUS index abdc65a83de..131088e60e7 100644 --- a/STATUS +++ b/STATUS @@ -113,12 +113,6 @@ CURRENT RELEASE NOTES: RELEASE SHOWSTOPPERS: - * CVE-2010-1452 fix for mod_dav - Trunk patch: http://svn.apache.org/viewvc?view=revision&revision=966348 - (mod_cache and mod_session portions don't apply to 2.0.x) - 2.0.x patch: http://archive.apache.org/dist/httpd/patches/apply_to_2.0.63/CVE-2010-1452-patch-2.0.txt - +1: wrowe, trawick, rjung - * Backport 354118: Fix recursive ErrorDocument handling [when r->status isn't HTTP_OK upon first pass through ap_die()]. PR #36090 Trunk version of patch: diff --git a/include/httpd.h b/include/httpd.h index 9ee682c25fd..4ad2df2213c 100644 --- a/include/httpd.h +++ b/include/httpd.h 
@@ -866,7 +866,7 @@ struct request_rec { /** The URI without any parsing performed */ char *unparsed_uri; - /** The path portion of the URI */ + /** The path portion of the URI, or "/" if no path provided */ char *uri; /** The filename on disk corresponding to this response */ char *filename; diff --git a/modules/dav/main/util.c b/modules/dav/main/util.c index 242d79101d9..3ff3a19f6c9 100644 --- a/modules/dav/main/util.c +++ b/modules/dav/main/util.c @@ -624,7 +624,8 @@ static dav_error * dav_process_if_header(request_rec *r, dav_if_header **p_ih) /* 2518 specifies this must be an absolute URI; just take the * relative part for later comparison against r->uri */ - if (apr_uri_parse(r->pool, uri, &parsed_uri) != APR_SUCCESS) { + if (apr_uri_parse(r->pool, uri, &parsed_uri) != APR_SUCCESS + || !parsed_uri.path) { return dav_new_error(r->pool, HTTP_BAD_REQUEST, DAV_ERR_IF_TAGGED, "Invalid URI in tagged If-header.");
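Review bot: In the CHANGES hunk, the first line (`-*- coding: utf-8 -*-`) is removed and re-added with no visible difference, so this security backport also carries a whitespace or invisible-byte change unrelated to the fix. Drop that line from the patch or commit it separately. A smaller point in the same hunk: "Fix Handling of requests" should read "Fix handling of requests" in the new entry.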
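Review bot: In the include/httpd.h hunk, the new comment on `char *uri` promises that the field is `"/"` when the request has no path, but nothing in this diff sets or enforces that value. The only code change tests `parsed_uri.path` from the If-header in util.c, not `r->uri`. Either point the comment at the place where the request URI is normalized, or confirm that the normalization already exists on the 2.0.x branch, so that callers reading this header can rely on `r->uri` being non-NULL.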
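Review bot: In the modules/dav/main/util.c hunk, the added `|| !parsed_uri.path` condition has no comment explaining why a successful `apr_uri_parse()` still needs a NULL check. The existing comment only says the relative part is kept "for later comparison against r->uri". Add a line noting that a tagged If-header URI with no path segment parses successfully with `path` left NULL, and that it is rejected here so the later comparison never sees a NULL pointer. Reusing the "Invalid URI in tagged If-header." message for this case is fine.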