From: Sander Striker Date: Fri, 24 Oct 2003 16:37:06 +0000 (+0000) Subject: SECURITY [CAN-2003-0789]: mod_cgid: Resolve some mishandling of X-Git-Tag: 2.0.48~3 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d0e11ef4bb62693eb7001bed2c49d558938ab2b1;p=thirdparty%2Fapache%2Fhttpd.git SECURITY [CAN-2003-0789]: mod_cgid: Resolve some mishandling of the AF_UNIX socket used to communicate with the cgid daemon and the CGI script. Submitted by: Jeff Trawick git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/APACHE_2_0_BRANCH@101557 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 03d30ee6619..bd113fc04ac 100644 --- a/CHANGES +++ b/CHANGES @@ -1,9 +1,12 @@ Changes with Apache 2.0.48 + + *) SECURITY [CAN-2003-0789]: mod_cgid: Resolve some mishandling of + the AF_UNIX socket used to communicate with the cgid daemon and + the CGI script. [Jeff Trawick] - *) SECURITY: CAN-2003-0542 (cve.mitre.org) - Fix buffer overflows in mod_alias and mod_rewrite which occurred if - one configured a regular expression with more than 9 captures. - [André Malo] + *) SECURITY [CAN-2003-0542]: Fix buffer overflows in mod_alias and + mod_rewrite which occurred if one configured a regular expression + with more than 9 captures. [André Malo] *) mod_include: fix segfault which occured if the filename was not set, for example, when processing some error conditions. @@ -25,6 +28,11 @@ Changes with Apache 2.0.48 *) mod_rewrite: Don't die silently when failing to open RewriteLogs. PR 23416. [André Malo] + + *) SECURITY [CAN-2003-0789]: mod_cgid: Resolve some mishandling of + the AF_UNIX socket used to communicate with the cgid daemon and + the CGI script. [Jeff Trawick] + *) mod_rewrite: Fix mod_rewrite's support of the [P] option to send rewritten request using "proxy:". The code was adding multiple "proxy:" fields in the rewritten URI. PR: 13946. 
diff --git a/modules/generators/mod_cgid.c b/modules/generators/mod_cgid.c index 289c074d8be..a6f89b7c786 100644 --- a/modules/generators/mod_cgid.c +++ b/modules/generators/mod_cgid.c @@ -1329,11 +1329,13 @@ static int cgid_handler(request_rec *r) cleanup_script, apr_pool_cleanup_null); /* We are putting the socket discriptor into an apr_file_t so that we can - * use a pipe bucket to send the data to the client. - * Note that this does not register a cleanup for the socket. We did - * that explicitly right after we created the socket. + * use a pipe bucket to send the data to the client. APR will create + * a cleanup for the apr_file_t which will close the socket, so we'll + * get rid of the cleanup we registered when we created the socket. */ - apr_os_pipe_put(&tempsock, &sd, r->pool); + + apr_os_pipe_put_ex(&tempsock, &sd, 1, r->pool); + apr_pool_cleanup_kill(r->pool, (void *)sd, close_unix_socket); if ((argv0 = strrchr(r->filename, '/')) != NULL) argv0++; @@ -1466,24 +1468,12 @@ static int cgid_handler(request_rec *r) return HTTP_MOVED_TEMPORARILY; } - /* Passing our socket down the filter chain in a pipe bucket - * gives up the responsibility of closing the socket, so - * get rid of the cleanup. - */ - apr_pool_cleanup_kill(r->pool, (void *)sd, close_unix_socket); - ap_pass_brigade(r->output_filters, bb); } if (nph) { struct ap_filter_t *cur; - /* Passing our socket down the filter chain in a pipe bucket - * gives up the responsibility of closing the socket, so - * get rid of the cleanup. - */ - apr_pool_cleanup_kill(r->pool, (void *)sd, close_unix_socket); - /* get rid of all filters up through protocol... since we * haven't parsed off the headers, there is no way they can * work 
@@ -1660,16 +1650,11 @@ static int include_cmd(include_ctx_t *ctx, apr_bucket_brigade **bb, char *comman cleanup_script, apr_pool_cleanup_null); /* We are putting the socket discriptor into an apr_file_t so that we can - * use a pipe bucket to send the data to the client. - * Note that this does not register a cleanup for the socket. We did - * that explicitly right after we created the socket. - */ - apr_os_pipe_put(&tempsock, &sd, r->pool); - - /* Passing our socket down the filter chain in a pipe bucket - * gives up the responsibility of closing the socket, so - * get rid of the cleanup. + * use a pipe bucket to send the data to the client. APR will create + * a cleanup for the apr_file_t which will close the socket, so we'll + * get rid of the cleanup we registered when we created the socket. */ + apr_os_pipe_put_ex(&tempsock, &sd, 1, r->pool); apr_pool_cleanup_kill(r->pool, (void *)sd, close_unix_socket); bcgi = apr_brigade_create(r->pool, r->connection->bucket_alloc);
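
Review bot: In the first CHANGES hunk (@@ -1,9 +1,12 @@), the existing CAN-2003-0542 entry is reworded and loses its "(cve.mitre.org)" pointer in the same commit that adds the CAN-2003-0789 entry. That formatting change is unrelated to the mod_cgid fix and makes the security commit harder to backport or audit. Move the CAN-2003-0542 rewording to its own commit.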
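
Review bot: In the second CHANGES hunk (@@ -25,6 +28,11 @@), the CAN-2003-0789 entry is added again, word for word, between the RewriteLogs entry and the mod_rewrite [P] entry, although the first hunk already adds it at the top of the same "Changes with Apache 2.0.48" section. Drop this second copy so the advisory is listed once per release section.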
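
Review bot: In the cgid_handler hunk at @@ -1329,11 +1329,13 @@, the apr_status_t returned by apr_os_pipe_put_ex(&tempsock, &sd, 1, r->pool) is discarded and apr_pool_cleanup_kill(r->pool, (void *)sd, close_unix_socket) runs unconditionally on the next line. If the put fails, the socket ends up with no cleanup at all. Check the return value and only kill close_unix_socket once the apr_file_t owns the descriptor. Two smaller points: the added blank line between the comment and the call is stray, and the bare 1 would be clearer with a short note that it is the register_cleanup argument.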
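
Review bot: In the cgid_handler hunk at @@ -1466,24 +1468,12 @@, both removed apr_pool_cleanup_kill calls sat below the early "return HTTP_MOVED_TEMPORARILY;" shown in the context, so that return ran with close_unix_socket still registered while the paths after it dropped the cleanup. The commit message and the CHANGES entry say only "some mishandling", which leaves that unstated. Name the affected exit paths in the log or in the new comment at the apr_os_pipe_put_ex call, so that a later edit does not reintroduce a per-path kill.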
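
Review bot: In the include_cmd hunk at @@ -1660,16 +1650,11 @@, the comment and the apr_os_pipe_put_ex / apr_pool_cleanup_kill pair are now a verbatim copy of the sequence added to cgid_handler, and the return value of the put is ignored here as well. Because the bug being fixed is an ownership handoff that was handled differently on different paths, put the two calls and the status check in one static helper and call it from both functions. Also confirm that the (void *)sd argument matches the data pointer used when close_unix_socket was registered; that registration is outside this hunk, and a mismatch would make the kill a silent no-op.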