From: William A. Rowe Jr Date: Wed, 26 Jun 2013 17:36:15 +0000 (+0000) Subject: mod_rewrite: (CVE-2013-1862 (cve.mitre.org)) Ensure that client data X-Git-Tag: 2.0.65~12 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f90a7063c181e57dec59f319380642a907cc4f3c;p=thirdparty%2Fapache%2Fhttpd.git mod_rewrite: (CVE-2013-1862 (cve.mitre.org)) Ensure that client data written to the RewriteLog is escaped to prevent terminal escape sequences from entering the log file. Backports: r1482349 Submitted by: jorton Reviewed by: wrowe, covener, trawick git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@1497018 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index d4d5f3e084c..83a85e6e207 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,11 @@ -*- coding: utf-8 -*- Changes with Apache 2.0.65 + *) SECURITY: CVE-2013-1862 (cve.mitre.org) + mod_rewrite: Ensure that client data written to the RewriteLog is + escaped to prevent terminal escape sequences from entering the + log file. [Joe Orton] + *) SECURITY: CVE-2012-0053 (cve.mitre.org) Fix an issue in error responses that could expose "httpOnly" cookies when no custom ErrorDocument is specified for status code 400. diff --git a/STATUS b/STATUS index ac7a6c4a1db..abab7b5dbb5 100644 --- a/STATUS +++ b/STATUS @@ -118,12 +118,6 @@ RELEASE SHOWSTOPPERS: PATCHES ACCEPTED TO BACKPORT FROM TRUNK: [ start all new proposals below, under PATCHES PROPOSED. ] - * mod_rewrite: (CVE-2013-1862 (cve.mitre.org)) Ensure that client data - written to the RewriteLog is escaped to prevent terminal escape sequences - from entering the log file. [Joe Orton] - http://svn.apache.org/viewvc?view=revision&revision=1482349 - 2.0.x: http://people.apache.org/~covener/patches/2.0.x-rewritelog.diff - +1: wrowe, covener, trawick PATCHES PROPOSED TO BACKPORT FROM TRUNK: [ please place SVN revisions from trunk here, so it is easy to diff --git a/modules/mappers/mod_rewrite.c b/modules/mappers/mod_rewrite.c index 23c9e96813f..a48eb9d208c 100644 --- a/modules/mappers/mod_rewrite.c +++ b/modules/mappers/mod_rewrite.c @@ -3599,10 +3599,11 @@ static void rewritelog(request_rec *r, int level, const char *text, ...) rhost = "UNKNOWN-HOST"; } - str1 = apr_pstrcat(r->pool, rhost, " ", - (conn->remote_logname != NULL ? - conn->remote_logname : "-"), " ", - ruser, NULL); + str1 = apr_pstrcat(r->pool, ap_escape_logitem(r->pool, rhost), " ", + (conn->remote_logname != NULL + ? ap_escape_logitem(r->pool, conn->remote_logname) + : "-"), + " ", ap_escape_logitem(r->pool, ruser), NULL); apr_vsnprintf(str2, sizeof(str2), text, ap); if (r->main == NULL) { @@ -3624,9 +3625,10 @@ static void rewritelog(request_rec *r, int level, const char *text, ...) apr_snprintf(str3, sizeof(str3), "%s %s [%s/sid#%lx][rid#%lx/%s%s] (%d) %s" APR_EOL_STR, str1, - current_logtime(r), ap_get_server_name(r), + current_logtime(r), + ap_escape_logitem(r->pool, ap_get_server_name(r)), (unsigned long)(r->server), (unsigned long)r, - type, redir, level, str2); + type, redir, level, ap_escape_logitem(r->pool, str2)); rv = apr_global_mutex_lock(rewrite_log_lock); if (rv != APR_SUCCESS) {