You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by wr...@apache.org on 2014/07/16 22:56:51 UTC
svn commit: r1611185 - in /httpd/httpd/branches/2.2.x: CHANGES STATUS
docs/manual/mod/mod_cgid.xml modules/generators/mod_cgid.c
Author: wrowe
Date: Wed Jul 16 20:56:51 2014
New Revision: 1611185
URL: http://svn.apache.org/r1611185
Log:
SECURITY: CVE-2014-0231
mod_cgid: Fix a denial of service against CGI scripts that do
not consume stdin that could lead to lingering HTTPD child processes
filling up the scoreboard and eventually hanging the server.
Submitted by: Rainer Jung, Eric Covener, Yann Ylavic
Backports: r1610509, r1535125
Reviewed by: covener, trawick, ylavic
Modified:
httpd/httpd/branches/2.2.x/CHANGES
httpd/httpd/branches/2.2.x/STATUS
httpd/httpd/branches/2.2.x/docs/manual/mod/mod_cgid.xml
httpd/httpd/branches/2.2.x/modules/generators/mod_cgid.c
Modified: httpd/httpd/branches/2.2.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/CHANGES?rev=1611185&r1=1611184&r2=1611185&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.2.x/CHANGES [utf-8] Wed Jul 16 20:56:51 2014
@@ -1,6 +1,15 @@
-*- coding: utf-8 -*-
Changes with Apache 2.2.28
+ *) SECURITY: CVE-2014-0231 (cve.mitre.org)
+ mod_cgid: Fix a denial of service against CGI scripts that do
+ not consume stdin that could lead to lingering HTTPD child processes
+ filling up the scoreboard and eventually hanging the server. By
+ default, the client I/O timeout (Timeout directive) now applies to
+ communication with scripts. The CGIDScriptTimeout directive can be
+ used to set a different timeout for communication with scripts.
+ [Rainer Jung, Eric Covener, Yann Ylavic]
+
*) SECURITY: CVE-2014-0226 (cve.mitre.org)
Fix a race condition in scoreboard handling, which could lead to
a heap buffer overflow. [Joe Orton, Eric Covener, Jeff Trawick]
Modified: httpd/httpd/branches/2.2.x/STATUS
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/STATUS?rev=1611185&r1=1611184&r2=1611185&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/STATUS (original)
+++ httpd/httpd/branches/2.2.x/STATUS Wed Jul 16 20:56:51 2014
@@ -110,17 +110,6 @@ PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
*) mod_dav: Fix improper encoding in PROPFIND responses. PR 56480.
+1: breser, rpluem, ylavic
- * SECURITY: CVE-2014-0231
- mod_cgid: Fix a denial of service against CGI scripts that do
- not consume stdin that could lead to lingering HTTPD child processes
- filling up the scoreboard and eventually hanging the server.
- [Rainer Jung, Eric Covener, Yann Ylavic]
-
- trunk patch: http://svn.apache.org/r1610509
- http://svn.apache.org/r1535125
- 2.2.x patch: http://people.apache.org/~covener/patches/httpd-2.2.x-cgid-script_timeout.diff
- +1: covener, trawick, ylavic
-
PATCHES PROPOSED TO BACKPORT FROM TRUNK:
[ New proposals should be added at the end of the list ]
Modified: httpd/httpd/branches/2.2.x/docs/manual/mod/mod_cgid.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/docs/manual/mod/mod_cgid.xml?rev=1611185&r1=1611184&r2=1611185&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/docs/manual/mod/mod_cgid.xml (original)
+++ httpd/httpd/branches/2.2.x/docs/manual/mod/mod_cgid.xml Wed Jul 16 20:56:51 2014
@@ -96,5 +96,32 @@ the cgi daemon</description>
</usage>
</directivesynopsis>
+<directivesynopsis>
+<name>CGIDScriptTimeout</name>
+<description>The length of time to wait for more output from the
+CGI program</description>
+<syntax>CGIDScriptTimeout <var>time</var>[s|ms]</syntax>
+<default>value of <directive module="core">Timeout</directive> directive when
+unset</default>
+<contextlist><context>server config</context>
+<context>virtual host</context><context>directory</context>
+<context>.htaccess</context></contextlist>
+<compatibility>CGIDScriptTimeout defaults to zero in releases 2.4 and earlier
+</compatibility>
+
+<usage>
+ <p>This directive limits the length of time to wait for more output from
+ the CGI program. If the time is exceeded, the request and CGI are
+ terminated.</p>
+
+ <example><title>Example</title>
+ <highlight language="config">
+ CGIDScriptTimeout 20
+ </highlight>
+ </example>
+
+</usage>
+</directivesynopsis>
+
</modulesynopsis>
Modified: httpd/httpd/branches/2.2.x/modules/generators/mod_cgid.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/generators/mod_cgid.c?rev=1611185&r1=1611184&r2=1611185&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/modules/generators/mod_cgid.c (original)
+++ httpd/httpd/branches/2.2.x/modules/generators/mod_cgid.c Wed Jul 16 20:56:51 2014
@@ -93,6 +93,10 @@ static const char *sockname;
static pid_t parent_pid;
static ap_unix_identity_t empty_ugid = { (uid_t)-1, (gid_t)-1, -1 };
+typedef struct {
+ apr_interval_time_t timeout;
+} cgid_dirconf;
+
/* The APR other-child API doesn't tell us how the daemon exited
* (SIGSEGV vs. exit(1)). The other-child maintenance function
* needs to decide whether to restart the daemon after a failure
@@ -934,7 +938,14 @@ static void *merge_cgid_config(apr_pool_
return overrides->logname ? overrides : base;
}
+static void *create_cgid_dirconf(apr_pool_t *p, char *dummy)
+{
+ cgid_dirconf *c = (cgid_dirconf *) apr_pcalloc(p, sizeof(cgid_dirconf));
+ return c;
+}
+
static const char *set_scriptlog(cmd_parms *cmd, void *dummy, const char *arg)
+
{
server_rec *s = cmd->server;
cgid_server_conf *conf = ap_get_module_config(s->module_config,
@@ -987,7 +998,16 @@ static const char *set_script_socket(cmd
return NULL;
}
+static const char *set_script_timeout(cmd_parms *cmd, void *dummy, const char *arg)
+{
+ cgid_dirconf *dc = dummy;
+ if (ap_timeout_parameter_parse(arg, &dc->timeout, "s") != APR_SUCCESS) {
+ return "CGIDScriptTimeout has wrong format";
+ }
+
+ return NULL;
+}
static const command_rec cgid_cmds[] =
{
AP_INIT_TAKE1("ScriptLog", set_scriptlog, NULL, RSRC_CONF,
@@ -999,6 +1019,10 @@ static const command_rec cgid_cmds[] =
AP_INIT_TAKE1("ScriptSock", set_script_socket, NULL, RSRC_CONF,
"the name of the socket to use for communication with "
"the cgi daemon."),
+ AP_INIT_TAKE1("CGIDScriptTimeout", set_script_timeout, NULL, RSRC_CONF | ACCESS_CONF,
+ "The amount of time to wait between successful reads from "
+ "the CGI script, in seconds."),
+
{NULL}
};
@@ -1335,11 +1359,15 @@ static int cgid_handler(request_rec *r)
apr_file_t *tempsock;
struct cleanup_script_info *info;
apr_status_t rv;
+ cgid_dirconf *dc;
if (strcmp(r->handler,CGI_MAGIC_TYPE) && strcmp(r->handler,"cgi-script"))
return DECLINED;
conf = ap_get_module_config(r->server->module_config, &cgid_module);
+ dc = ap_get_module_config(r->per_dir_config, &cgid_module);
+
+
is_included = !strcmp(r->protocol, "INCLUDED");
if ((argv0 = strrchr(r->filename, '/')) != NULL)
@@ -1412,6 +1440,12 @@ static int cgid_handler(request_rec *r)
*/
apr_os_pipe_put_ex(&tempsock, &sd, 1, r->pool);
+ if (dc->timeout > 0) {
+ apr_file_pipe_timeout_set(tempsock, dc->timeout);
+ }
+ else {
+ apr_file_pipe_timeout_set(tempsock, r->server->timeout);
+ }
apr_pool_cleanup_kill(r->pool, (void *)((long)sd), close_unix_socket);
if ((argv0 = strrchr(r->filename, '/')) != NULL)
@@ -1487,6 +1521,10 @@ static int cgid_handler(request_rec *r)
if (rv != APR_SUCCESS) {
/* silly script stopped reading, soak up remaining message */
child_stopped_reading = 1;
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r,
+ "Error writing request body to script %s",
+ r->filename);
+
}
}
apr_brigade_cleanup(bb);
@@ -1577,7 +1615,13 @@ static int cgid_handler(request_rec *r)
return HTTP_MOVED_TEMPORARILY;
}
- ap_pass_brigade(r->output_filters, bb);
+ rv = ap_pass_brigade(r->output_filters, bb);
+ if (rv != APR_SUCCESS) {
+ /* APLOG_ERR because the core output filter message is at error,
+ * but doesn't know it's passing CGI output
+ */
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, "Failed to flush CGI output to client");
+ }
}
if (nph) {
@@ -1707,6 +1751,8 @@ static int include_cmd(include_ctx_t *ct
request_rec *r = f->r;
cgid_server_conf *conf = ap_get_module_config(r->server->module_config,
&cgid_module);
+ cgid_dirconf *dc = ap_get_module_config(r->per_dir_config, &cgid_module);
+
struct cleanup_script_info *info;
add_ssi_vars(r);
@@ -1736,6 +1782,13 @@ static int include_cmd(include_ctx_t *ct
* get rid of the cleanup we registered when we created the socket.
*/
apr_os_pipe_put_ex(&tempsock, &sd, 1, r->pool);
+ if (dc->timeout > 0) {
+ apr_file_pipe_timeout_set(tempsock, dc->timeout);
+ }
+ else {
+ apr_file_pipe_timeout_set(tempsock, r->server->timeout);
+ }
+
apr_pool_cleanup_kill(r->pool, (void *)((long)sd), close_unix_socket);
APR_BRIGADE_INSERT_TAIL(bb, apr_bucket_pipe_create(tempsock,
@@ -1841,7 +1894,7 @@ static void register_hook(apr_pool_t *p)
module AP_MODULE_DECLARE_DATA cgid_module = {
STANDARD20_MODULE_STUFF,
- NULL, /* dir config creater */
+ create_cgid_dirconf, /* dir config creater */
NULL, /* dir merger --- default is to override */
create_cgid_config, /* server config */
merge_cgid_config, /* merge server config */