You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by pq...@apache.org on 2005/06/16 23:34:10 UTC
svn commit: r191005 - in /httpd/httpd/trunk: CHANGES server/protocol.c
Author: pquerna
Date: Thu Jun 16 14:34:08 2005
New Revision: 191005
URL: http://svn.apache.org/viewcvs?rev=191005&view=rev
Log:
If a request contains both a T-E and C-L, remove the C-L, stopping some HTTP Request Smuggling attacks exploited when using HTTPD as a forward or reverse proxy.
Modified:
httpd/httpd/trunk/CHANGES
httpd/httpd/trunk/server/protocol.c
Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewcvs/httpd/httpd/trunk/CHANGES?rev=191005&r1=191004&r2=191005&view=diff
==============================================================================
--- httpd/httpd/trunk/CHANGES (original)
+++ httpd/httpd/trunk/CHANGES Thu Jun 16 14:34:08 2005
@@ -2,6 +2,11 @@
[Remove entries to the current 2.0 section below, when backported]
+ *) SECURITY:
+ core: If a request contains both Transfer-Encoding and a Content-Length,
+ remove the Content-Length, stopping some HTTP Request smuggling attacks.
+ [Paul Querna]
+
*) mod_ssl: Setting the Protocol to 'https' can replace the use of the
'SSLEngine on' command. [Paul Querna]
Modified: httpd/httpd/trunk/server/protocol.c
URL: http://svn.apache.org/viewcvs/httpd/httpd/trunk/server/protocol.c?rev=191005&r1=191004&r2=191005&view=diff
==============================================================================
--- httpd/httpd/trunk/server/protocol.c (original)
+++ httpd/httpd/trunk/server/protocol.c Thu Jun 16 14:34:08 2005
@@ -898,6 +898,18 @@
apr_brigade_destroy(tmp_bb);
return r;
}
+
+ if (apr_table_get(r->headers_in, "Content-Length")) {
+ const char* te = apr_table_get(r->headers_in, "Transfer-Encoding");
+ /*
+ * If the client sent any Transfer-Encoding besides "identity",
+ * the RFC says we MUST ignore the C-L header. We kill it here
+ * to prevent more work later on in modules like mod_proxy.
+ */
+ if (te && !strcasecmp("identity", te)) {
+ apr_table_unset(r->headers_in, "Content-Length");
+ }
+ }
}
else {
if (r->header_only) {