mod_mime can read one byte past the end of a buffer when sending a
malicious Content-Type response header.
Merge r1797550 from trunk:
mod_mime: fix quoted pair scanning
Submitted By: ylavic
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1799235 13f79535-47bb-0310-9956-ffa450edef68
authentication phase may lead to authentication requirements being
bypassed.
[Emmanuel Dreyfus <manu netbsd.org>, Jacob Champion, Eric Covener]
+
+ *) SECURITY: CVE-2017-7679 (cve.mitre.org)
+ mod_mime can read one byte past the end of a buffer when sending a
+ malicious Content-Type response header. [Yann Ylavic]
*) Fix HttpProtocolOptions to inherit from global to VirtualHost scope.
[Joe Orton]
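Review bot: The added CVE-2017-7679 entry describes only the symptom and does not name the code path that was fixed, so a reader cannot match it to the STATUS item "mod_mime: Fix scanning of quoted-pairs" it was backported from. Suggest appending that wording to the entry, for example "... malicious Content-Type response header (quoted-pair scanning)." The phrase "when sending" also leaves open which side supplies the header value; saying where the value originates would help operators judge exposure.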
PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
[ start all new proposals below, under PATCHES PROPOSED. ]
- *) mod_mime: Fix scanning of quoted-pairs.
- trunk patch: http://svn.apache.org/r1797550
- 2.4.x patch: svn merge -c 1797550 ^/httpd/httpd/trunk .
- +1: covener, ylavic, wrowe
-
PATCHES PROPOSED TO BACKPORT FROM TRUNK:
[ New proposals should be added at the end of the list ]
int res = -1;
int c;
- if (((s + 1) != NULL) && (*s == '\\')) {
+ if (*s == '\\') {
c = (int) *(s + 1);
- if (apr_isascii(c)) {
+ if (c && apr_isascii(c)) {
res = 1;
}
}
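Review bot: The new `if (*s == '\\')` line dereferences `s` with no stated precondition now that the old `(s + 1) != NULL` test is gone. That test could never be false, so removing it is correct, but the function should carry a comment saying callers must pass a non-NULL, NUL-terminated string. The `c && apr_isascii(c)` line also deserves a one-line comment explaining that the terminator is rejected explicitly because apr_isascii() accepts 0, which is what allowed a trailing backslash to count as a quoted pair and the scan to move past the end of the buffer. A regression test covering a value that ends in a lone backslash would keep this from being reintroduced.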