From: Ruediger Pluem
Date: Wed, 8 Apr 2009 21:06:46 +0000 (+0000)
Subject: * Avoid delivering content from a previous request which failed to send a request
X-Git-Tag: 2.3.3~729
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=b6b2ba9ef27f5695e6838cf1a901ca36ab16eb3a;p=thirdparty%2Fapache%2Fhttpd.git

* Avoid delivering content from a previous request which failed to send a request body by closing the connection to the backend in this case instead of reusing it.

CVE: CVE-2008-5519
PR: 46949
Reviewed by: jim, wrowe

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@763394 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/CHANGES b/CHANGES index 0743869bec6..2f8ffda7617 100644 --- a/CHANGES +++ b/CHANGES @@ -2,6 +2,9 @@ Changes with Apache 2.3.3 + *) mod_proxy_ajp: Avoid delivering content from a previous request which + failed to send a request body. PR 46949 [Ruediger Pluem] + *) mod_proxy_ajp: Forward remote port information by default. [Rainer Jung] diff --git a/modules/proxy/mod_proxy_ajp.c b/modules/proxy/mod_proxy_ajp.c index 7be72bfe5c8..613ec31ba1e 100644 --- a/modules/proxy/mod_proxy_ajp.c +++ b/modules/proxy/mod_proxy_ajp.c 
@@ -307,21 +307,17 @@ static int ap_proxy_ajp_request(apr_pool_t *p, request_rec *r, "proxy: read zero bytes, expecting" " %" APR_OFF_T_FMT " bytes", content_length); - status = ajp_send_data_msg(conn->sock, msg, 0); - if (status != APR_SUCCESS) { - /* We had a failure: Close connection to backend */ - conn->close++; - ap_log_error(APLOG_MARK, APLOG_ERR, status, r->server, - "proxy: send failed to %pI (%s)", - conn->worker->cp->addr, - conn->worker->hostname); - return HTTP_INTERNAL_SERVER_ERROR; - } - else { - /* Client send zero bytes with C-L > 0 - */ - return HTTP_BAD_REQUEST; - } + /* + * We can only get here if the client closed the connection + * to us without sending the body. + * Now the connection is in the wrong state on the backend. + * Sending an empty data msg doesn't help either as it does + * not move this connection to the correct state on the backend + * for later resusage by the next request again. + * Close it to clean things up. + */ + conn->close++; + return HTTP_BAD_REQUEST; } }
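Review bot: The new CHANGES entry for mod_proxy_ajp cites only "PR 46949" and leaves out the CVE id that the commit message carries (CVE-2008-5519). Please add it to the entry, next to the PR number, so that someone scanning CHANGES can tell this is a security fix and match it to the advisory.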
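Review bot: The new comment block in the mod_proxy_ajp.c hunk (ap_proxy_ajp_request, zero-byte read with a positive content length) says the backend connection is "in the wrong state" but never states the consequence that makes closing it mandatory. The commit message does: a later request reusing the connection could be served content from this failed one. Please put that sentence into the comment so nobody later reads `conn->close++` as an optimisation that can be dropped. In the same comment, "resusage" is a typo for "reuse", and the trailing "again" in "by the next request again" can go. With the send-failure branch and its ap_log_error call removed, the "read zero bytes, expecting" message visible in the context lines is the only trace left on this path, so it is worth confirming that it logs at a level operators will actually see.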