You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by pq...@apache.org on 2005/06/16 23:34:10 UTC

svn commit: r191005 - in /httpd/httpd/trunk: CHANGES server/protocol.c

Author: pquerna
Date: Thu Jun 16 14:34:08 2005
New Revision: 191005

URL: http://svn.apache.org/viewcvs?rev=191005&view=rev
Log:
If a request contains both a T-E and C-L, remove the C-L, stopping some HTTP Request Smuggling attacks exploited when using HTTPD as a forward or reverse proxy.

Modified:
    httpd/httpd/trunk/CHANGES
    httpd/httpd/trunk/server/protocol.c

Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewcvs/httpd/httpd/trunk/CHANGES?rev=191005&r1=191004&r2=191005&view=diff
==============================================================================
--- httpd/httpd/trunk/CHANGES (original)
+++ httpd/httpd/trunk/CHANGES Thu Jun 16 14:34:08 2005
@@ -2,6 +2,11 @@
 
   [Remove entries to the current 2.0 section below, when backported]
 
+  *) SECURITY: 
+     core: If a request contains both Transfer-Encoding and a Content-Length,
+     remove the Content-Length, stopping some HTTP Request smuggling attacks.
+     [Paul Querna]
+
   *) mod_ssl: Setting the Protocol to 'https' can replace the use of the 
      'SSLEngine on' command. [Paul Querna]
 

Modified: httpd/httpd/trunk/server/protocol.c
URL: http://svn.apache.org/viewcvs/httpd/httpd/trunk/server/protocol.c?rev=191005&r1=191004&r2=191005&view=diff
==============================================================================
--- httpd/httpd/trunk/server/protocol.c (original)
+++ httpd/httpd/trunk/server/protocol.c Thu Jun 16 14:34:08 2005
@@ -898,6 +898,18 @@
             apr_brigade_destroy(tmp_bb);
             return r;
         }
+
+        if (apr_table_get(r->headers_in, "Content-Length")) {
+            const char* te = apr_table_get(r->headers_in, "Transfer-Encoding");
+            /*
+             * If the client sent any Transfer-Encoding besides "identity",
+             * the RFC says we MUST ignore the C-L header.  We kill it here
+             * to prevent more work later on in modules like mod_proxy.
+             */
+            if (te && !strcasecmp("identity", te)) {
+                apr_table_unset(r->headers_in, "Content-Length");
+            }
+        }
     }
     else {
         if (r->header_only) {