You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@httpd.apache.org by Joe Orton <jo...@redhat.com> on 2009/07/10 10:17:18 UTC
Re: svn commit: r790589 -
/httpd/test/framework/trunk/t/security/CVE-2009-1890.t
On Thu, Jul 09, 2009 at 09:48:29AM -0400, Dan Poirier wrote:
> So if the content-length was parsed correctly, but the vulnerability
> related to additional data wasn't fixed, this test would still pass?
> (Since then we're not sending any more data than expected?)
That is phrased almost as if there are two separate vulnerabilities
here, which is not known to be the case. To ensure there is no
misunderstanding here:
The root cause of CVE-2009-1890 is that stream_reqbody_cl() would
convert the Content-Length from octal rather than decimal for the case
of a C-L header with leading zeroes. Fixing that bug fixes the security
issue.
A second change was also committed, to break out from the loop in the
case of a mismatch between length of received data and expected data.
That change is a safety and correctness fix; it is not strictly
necessary to fix any security vulnerability, so far as I am aware.
The test case does not trigger the error path added in the second
change, and I know of no way to trigger that error path with the current
code. I would certainly not recommend that anybody omit the second
change if backporting the fix, however.
Hope that is precise enough ;)
Regards, Joe