From 357706a8704d64e69064c2606d47f8dfcd076524 Mon Sep 17 00:00:00 2001
From: Paul Querna
Date: Thu, 16 Jun 2005 21:34:08 +0000
Subject: [PATCH] If a request contains both a T-E and C-L, remove the C-L, stopping some HTTP Request Smuggling attacks exploited when using HTTPD as a forward or reverse proxy.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@191005 13f79535-47bb-0310-9956-ffa450edef68
---
 CHANGES | 5 +++++
 server/protocol.c | 12 ++++++++++++
 2 files changed, 17 insertions(+)

diff --git a/CHANGES b/CHANGES
index 672b804caaa..519a79f6398 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2,6 +2,11 @@ Changes with Apache 2.1.5
 [Remove entries to the current 2.0 section below, when backported]
+ *) SECURITY:
+ core: If a request contains both Transfer-Encoding and a Content-Length,
+ remove the Content-Length, stopping some HTTP Request smuggling attacks.
+ [Paul Querna]
+
 *) mod_ssl: Setting the Protocol to 'https' can replace the use of the 'SSLEngine on' command. [Paul Querna]
diff --git a/server/protocol.c b/server/protocol.c
index 8fa995d59a0..7b0d15ff0f4 100644
--- a/server/protocol.c
+++ b/server/protocol.c
@@ -898,6 +898,18 @@ request_rec *ap_read_request(conn_rec *conn)
 apr_brigade_destroy(tmp_bb);
 return r;
 }
+
+ if (apr_table_get(r->headers_in, "Content-Length")) {
+ const char* te = apr_table_get(r->headers_in, "Transfer-Encoding");
+ /*
+ * If the client sent any Transfer-Encoding besides "identity",
+ * the RFC says we MUST ignore the C-L header. We kill it here
+ * to prevent more work later on in modules like mod_proxy.
+ */
+ if (te && !strcasecmp("identity", te)) {
+ apr_table_unset(r->headers_in, "Content-Length");
+ }
+ }
 }
 else {
 if (r->header_only) {
-- 
2.47.2
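Review bot: The condition on the new `if (te && !strcasecmp("identity", te))` line in server/protocol.c is inverted relative to the comment above it: `strcasecmp` returns 0 on a match, so `!strcasecmp(...)` is true only when Transfer-Encoding is exactly "identity", which is the one case the comment says Content-Length should survive, while a chunked request keeps both headers and the ambiguity the commit sets out to remove. It should read `if (te && strcasecmp("identity", te)) {`. Transfer-Encoding is a comma-separated list, so a whole-value comparison is a coarse check; the comment should say that any value other than a bare "identity" token is treated as non-identity so the next reader does not tighten it by accident. The enclosing ap_read_request() starts and ends outside the hunk.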