From: William A. Rowe Jr Date: Sun, 28 Feb 2010 18:15:42 +0000 (+0000) Subject: This is an information revealing flaw under worker MPM. discuss X-Git-Tag: 2.2.15~27 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ff47013f2d7a394f1a23d4d3199a67e94b3a0f03;p=thirdparty%2Fapache%2Fhttpd.git This is an information revealing flaw under worker MPM. discuss git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@917234 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 6ffa7215d69..30427f245f1 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,11 @@ - -*- coding: utf-8 -*- + -*- coding: utf-8 -*- Changes with Apache 2.2.15 + *) Ensure each subrequest has a shallow copy of headers_in so that the + parent request headers are not corrupted. Elimiates a problematic + optimization in the case of no request body. PR 48359 + [Jake Scott, William Rowe, Ruediger Pluem] + *) SECURITY: CVE-2009-3555 (cve.mitre.org) A partial fix for the TLS renegotiation prefix injection attack by rejecting any client-initiated renegotiations. Forcibly disable keepalive diff --git a/STATUS b/STATUS index 4f818d9ea4d..85306f4e1bc 100644 --- a/STATUS +++ b/STATUS 
@@ -83,6 +83,23 @@ CURRENT RELEASE NOTES: RELEASE SHOWSTOPPERS: + * Ensure each subrequest has a shallow copy of headers_in so that the + parent request headers are not corrupted. Eliminates a problematic + optimization in the case of no request body. PR 48359 + [Jake Scott, William Rowe, Ruediger Pluem] + Link to discussion thread; + https://issues.apache.org/bugzilla/show_bug.cgi?id=48359 + Applied to trunk; + http://svn.apache.org/viewvc/httpd/httpd/trunk/server/protocol.c?r1=901578&r2=901577 + Ported to 2.2 (also attached to PR); + http://people.apache.org/~wrowe/protocol_headers_copy.patch + +1: wrowe + -1: niq: this risks breaking existing apps, as discussed in + comments on PR 48359. + [wrowe notes; incorrect and invalid objection, also as + identified in the comments. Legitimate API users are + presently broken by this memory scope flaw.] + PATCHES ACCEPTED TO BACKPORT FROM TRUNK: [ start all new proposals below, under PATCHES PROPOSED. ] 
@@ -101,23 +118,6 @@ PATCHES PROPOSED TO BACKPORT FROM TRUNK: sf: Couldn't the linux 2.4 bug be worked around by calling access twice? Once with R_OK and once with X_OK. - * Ensure each subrequest has a shallow copy of headers_in so that the - parent request headers are not corrupted. Eliminates a problematic - optimization in the case of no request body. PR 48359 - [Jake Scott, William Rowe, Ruediger Pluem] - Link to discussion thread; - https://issues.apache.org/bugzilla/show_bug.cgi?id=48359 - Applied to trunk; - http://svn.apache.org/viewvc/httpd/httpd/trunk/server/protocol.c?r1=901578&r2=901577 - Ported to 2.2 (also attached to PR); - http://people.apache.org/~wrowe/protocol_headers_copy.patch - +1: wrowe - -1: niq: this risks breaking existing apps, as discussed in - comments on PR 48359. - [wrowe notes; incorrect and invalid objection, also as - identified in the comments. Legitimate API users are - presently broken by this memory scope flaw.] - * core: Support wildcards in both the directory and file components of the path specified by the Include directive. Trunk patch: http://svn.apache.org/viewvc?rev=909878&view=rev diff --git a/server/protocol.c b/server/protocol.c index 23ef080f4bc..e5a3a4038b5 100644 --- a/server/protocol.c +++ b/server/protocol.c 
@@ -1041,15 +1041,13 @@ request_rec *ap_read_request(conn_rec *conn) return r; } -/* if a request with a body creates a subrequest, clone the original request's - * input headers minus any headers pertaining to the body which has already - * been read. out-of-line helper function for ap_set_sub_req_protocol. +/* if a request with a body creates a subrequest, remove original request's + * input headers which pertain to the body which has already been read. + * out-of-line helper function for ap_set_sub_req_protocol. */ -static void clone_headers_no_body(request_rec *rnew, - const request_rec *r) +static void strip_headers_request_body(request_rec *rnew) { - rnew->headers_in = apr_table_copy(rnew->pool, r->headers_in); apr_table_unset(rnew->headers_in, "Content-Encoding"); apr_table_unset(rnew->headers_in, "Content-Language"); apr_table_unset(rnew->headers_in, "Content-Length"); @@ -1083,15 +1081,14 @@ AP_DECLARE(void) ap_set_sub_req_protocol(request_rec *rnew, rnew->status = HTTP_OK; + rnew->headers_in = apr_table_copy(rnew->pool, r->headers_in); + /* did the original request have a body? (e.g. POST w/SSI tags) * if so, make sure the subrequest doesn't inherit body headers */ if (apr_table_get(r->headers_in, "Content-Length") || apr_table_get(r->headers_in, "Transfer-Encoding")) { - clone_headers_no_body(rnew, r); - } else { - /* no body (common case). clone headers the cheap way */ - rnew->headers_in = r->headers_in; + strip_headers_request_body(rnew, r); } rnew->subprocess_env = apr_table_copy(rnew->pool, r->subprocess_env); rnew->headers_out = apr_table_make(rnew->pool, 5);
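Review bot: The CHANGES entry added in the first hunk misspells "Eliminates" as "Elimiates" (the same entry in the STATUS hunk has it spelled correctly); fix the spelling before the 2.2.15 changelog ships, since this text is user-facing.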
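Review bot: The STATUS hunk promotes the PR 48359 backport to RELEASE SHOWSTOPPERS while the entry still carries an unwithdrawn "-1: niq" alongside a single "+1: wrowe", with the committer's rebuttal embedded in the vote block rather than the veto being resolved on the list; the compatibility concern should be closed out in the PR comments or on dev@ and the tally updated before this is treated as settled.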
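Review bot: The new comment in the first protocol.c hunk ("remove original request's input headers which pertain to the body") describes the wrong table: after this change the function unsets headers in rnew->headers_in, which is now the subrequest's own copy, not the parent's headers_in; reword to "remove the body-related headers from the subrequest's copy of the input headers" so nobody later "optimizes" the copy away again on the basis of that comment.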
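Review bot: The call in the second protocol.c hunk, `strip_headers_request_body(rnew, r);`, passes two arguments, but the function is declared in the previous hunk as `static void strip_headers_request_body(request_rec *rnew)`, so this will not compile; change the call to `strip_headers_request_body(rnew);`. The unconditional `rnew->headers_in = apr_table_copy(rnew->pool, r->headers_in);` above it is the actual fix here: the removed `rnew->headers_in = r->headers_in;` shortcut let a subrequest mutate the parent request's header table in place, which is the cross-request corruption the subject line refers to.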