From: William A. Rowe Jr Date: Mon, 8 Aug 2005 17:52:01 +0000 (+0000) Subject: Backport the 2.x C-L/T-E core protocol patch; X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e0ede4df5abe884d6c12c5ade48ecb9e8eb2cf9c;p=thirdparty%2Fapache%2Fhttpd.git Backport the 2.x C-L/T-E core protocol patch; Reviewed for 1.3 by: wrowe, jimj, graham git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/1.3.x@230826 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/src/CHANGES b/src/CHANGES index 2c8e5c9b3e9..1eaaf15e318 100644 --- a/src/CHANGES +++ b/src/CHANGES @@ -1,5 +1,12 @@ Changes with Apache 1.3.34 + *) SECURITY: core: If a request contains both Transfer-Encoding and + Content-Length headers, remove the Content-Length, mitigating some + HTTP Request Splitting/Spoofing attacks. This has no impact on + mod_proxy_http, yet affects any module which supports chunked + encoding yet fails to prefer T-E: chunked over the Content-Length + purported value. [Paul Querna, Joe Orton] + *) Added TraceEnable [on|off|extended] per-server directive to alter the behavior of the TRACE method. This addresses a flaw in proxy conformance to RFC 2616 - previously the proxy server would accept diff --git a/src/main/http_protocol.c b/src/main/http_protocol.c index 8899b7f8dc9..7ecba30edf3 100644 --- a/src/main/http_protocol.c +++ b/src/main/http_protocol.c @@ -1214,6 +1214,14 @@ API_EXPORT(request_rec *) ap_read_request(conn_rec *conn) ap_log_transaction(r); return r; } + if (ap_table_get(r->headers_in, "Transfer-Encoding") + && ap_table_get(r->headers_in, "Content-Length")) { + /* 2616 section 4.4, point 3: "if both Transfer-Encoding + * and Content-Length are received, the latter MUST be + * ignored"; so unset it here to prevent any confusion + * later. */ + ap_table_unset(r->headers_in, "Content-Length"); + } } else { ap_kill_timeout(r);
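Review bot: In the src/CHANGES hunk, the sentence "This has no impact on mod_proxy_http, yet affects any module which supports chunked encoding yet fails to prefer T-E: chunked" is ambiguous about the direction of the effect, and can be read as saying those modules are harmed rather than protected. Suggest stating directly that a module reading the request body no longer sees a Content-Length when Transfer-Encoding is also present. Since the commit message describes this as a backport of the 2.x patch, also confirm that mod_proxy_http is the right module name for a 1.3 CHANGES entry.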
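Review bot: In the src/main/http_protocol.c hunk, the new block in ap_read_request() removes Content-Length silently: nothing is logged when a request arrives carrying both Transfer-Encoding and Content-Length. The CHANGES entry ties that combination to request splitting/spoofing, so consider an ap_log_rerror() call inside the `if`, just before `ap_table_unset(r->headers_in, "Content-Length");`, so operators can see which clients or front-end proxies send such requests. The test is true for any Transfer-Encoding value, not only chunked; that matches the RFC sentence quoted in the comment, but it is worth saying so in the comment, since the CHANGES entry speaks only of "T-E: chunked". Minor: the comment would read better as "RFC 2616 section 4.4" than as a bare "2616".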