From: Jim Jagielski Date: Sun, 30 Sep 2012 15:50:21 +0000 (+0000) Subject: *) SECURITY: CVE-2012-0053 (cve.mitre.org) X-Git-Tag: 2.0.65~58 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e1a98f84a5e8d0b9eca50f9a59cfd6304d3020a1;p=thirdparty%2Fapache%2Fhttpd.git *) SECURITY: CVE-2012-0053 (cve.mitre.org) Fix an issue in error responses that could expose "httpOnly" cookies when no custom ErrorDocument is specified for status code 400. [Eric Covener] r1234837 on 2.0.x: http://people.apache.org/~trawick/2.0-CVE-2012-0053-r1234837.patch +1: trawick, rjung, jim git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@1392050 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 282ad341308..0baf09574f0 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,11 @@ -*- coding: utf-8 -*- Changes with Apache 2.0.65 + *) SECURITY: CVE-2012-0053 (cve.mitre.org) + Fix an issue in error responses that could expose "httpOnly" cookies + when no custom ErrorDocument is specified for status code 400. + [Eric Covener] + *) SECURITY: CVE-2012-0031 (cve.mitre.org) Fix scoreboard issue which could allow an unprivileged child process could cause the parent to crash at shutdown rather than terminate diff --git a/STATUS b/STATUS index 182015df05d..afb31f4e566 100644 --- a/STATUS +++ b/STATUS @@ -171,14 +171,6 @@ RELEASE SHOWSTOPPERS: http://people.apache.org/~trawick/2.0-CVE-2011-4317-r1235443.patch +1: trawick - *) SECURITY: CVE-2012-0053 (cve.mitre.org) - Fix an issue in error responses that could expose "httpOnly" cookies - when no custom ErrorDocument is specified for status code 400. - [Eric Covener] - - r1234837 on 2.0.x: - http://people.apache.org/~trawick/2.0-CVE-2012-0053-r1234837.patch - +1: trawick, rjung PATCHES ACCEPTED TO BACKPORT FROM TRUNK: [ start all new proposals below, under PATCHES PROPOSED. ] diff --git a/server/protocol.c b/server/protocol.c index 918555b0245..9b05c6539f3 100644 --- a/server/protocol.c 
+++ b/server/protocol.c @@ -677,6 +677,16 @@ static int read_request_line(request_rec *r, apr_bucket_brigade *bb) return 1; } +/* get the length of the field name for logging, but no more than 80 bytes */ +#define LOG_NAME_MAX_LEN 80 +static int field_name_len(const char *field) +{ + const char *end = ap_strchr_c(field, ':'); + if (end == NULL || end - field > LOG_NAME_MAX_LEN) + return LOG_NAME_MAX_LEN; + return end - field; +} + AP_DECLARE(void) ap_get_mime_headers_core(request_rec *r, apr_bucket_brigade *bb) { char *last_field = NULL; @@ -709,12 +719,15 @@ AP_DECLARE(void) ap_get_mime_headers_core(request_rec *r, apr_bucket_brigade *bb /* insure ap_escape_html will terminate correctly */ field[len - 1] = '\0'; apr_table_setn(r->notes, "error-notes", - apr_pstrcat(r->pool, + apr_psprintf(r->pool, "Size of a request header field " "exceeds server limit.
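Review bot: The comment above `field_name_len` says what the cap is but not why only the name portion is returned, which is the whole point of this fix; I would extend it to `/* Length of the field name only (up to ':'), capped at LOG_NAME_MAX_LEN. Only this prefix is echoed into the error page and the log, so the value of an oversized header (e.g. a Cookie) never reaches the response body. */`. The function also returns the pointer difference `end - field` (a ptrdiff_t) as int; that is safe only because of the cap just above it, and an explicit `return (int)(end - field);` would make the intent visible and keep -Wconversion quiet. The body of ap_get_mime_headers_core that follows runs past the end of this hunk.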
\n" - "
\n",
-                                       ap_escape_html(r->pool, field),
-                                       "
\n", NULL)); + "
\n%.*s\n
/n", + field_name_len(field), + ap_escape_html(r->pool, field))); + ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, + "Request header exceeds LimitRequestFieldSize: " + "%.*s", field_name_len(field), field); return; } @@ -739,13 +752,17 @@ AP_DECLARE(void) ap_get_mime_headers_core(request_rec *r, apr_bucket_brigade *bb * overflow (last_field) as the field with the problem */ apr_table_setn(r->notes, "error-notes", - apr_pstrcat(r->pool, + apr_psprintf(r->pool, "Size of a request header field " "after folding " "exceeds server limit.
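Review bot: The format string of the first `apr_psprintf` call ends in `/n"` where the two later hunks (the "after folding" and "missing ':'" cases) end in `\n"`, so the literal characters "/n" are emitted after the closing tag in the error-notes HTML; it should read `\n"` like the others. Separately, the `%.*s` precision comes from `field_name_len(field)` measured on the raw header but is applied to the output of `ap_escape_html(r->pool, field)`, which is longer whenever the name contains `&`, `<`, `>` or `"`, so the cut can land inside an entity; the "after folding" and "missing ':'" hunks repeat the pattern. This never exposes more than the name, but escaping only the name removes the mismatch: use `"%s\n"` in the format and pass `ap_escape_html(r->pool, apr_pstrndup(r->pool, field, field_name_len(field)))`.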
\n" - "
\n",
-                                               ap_escape_html(r->pool, last_field),
-                                               "
\n", NULL)); + "
\n%.*s\n
\n", + field_name_len(last_field), + ap_escape_html(r->pool, last_field))); + ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, + "Request header exceeds LimitRequestFieldSize " + "after folding: %.*s", + field_name_len(last_field), last_field); return; } @@ -777,13 +794,17 @@ AP_DECLARE(void) ap_get_mime_headers_core(request_rec *r, apr_bucket_brigade *bb if (!(value = strchr(last_field, ':'))) { /* Find ':' or */ r->status = HTTP_BAD_REQUEST; /* abort bad request */ apr_table_setn(r->notes, "error-notes", - apr_pstrcat(r->pool, + apr_psprintf(r->pool, "Request header field is " "missing ':' separator.
\n" - "
\n",
-                                               ap_escape_html(r->pool,
-                                                              last_field),
-                                               "
\n", NULL)); + "
\n%.*s
\n", + (int)LOG_NAME_MAX_LEN, + ap_escape_html(r->pool, + last_field))); + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "Request header field is missing ':' " + "separator: %.*s", (int)LOG_NAME_MAX_LEN, + last_field); return; }
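Review bot: The new `ap_log_rerror` call writes up to `LOG_NAME_MAX_LEN` raw bytes of `last_field` to the error log, and a line that reaches this branch has already failed the only structural check applied to it (no ':'), so those bytes are arbitrary client input. If `ap_log_rerror` on this branch does not escape control characters — I cannot confirm that from the hunk — the logged text should go through `ap_escape_logitem(r->pool, ...)` before the `%.*s`, or the log should name only the field, as the error-notes copy does via `ap_escape_html`. The oversized-field hunk has the same exposure when the field contains no ':' and `field_name_len` falls back to the 80-byte cap.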