Posted to cvs@httpd.apache.org by jo...@apache.org on 2007/07/16 15:25:16 UTC
svn commit: r556619 - in /httpd/httpd/branches/2.0.x: CHANGES
modules/experimental/cache_util.c
Author: jorton
Date: Mon Jul 16 06:25:11 2007
New Revision: 556619
URL: http://svn.apache.org/viewvc?view=rev&rev=556619
Log:
Merge r535617 from trunk (fixing CVE-2007-1863):
* Prevent a segmentation fault if one of the Cache-Control headers
s-maxage, max-age, min-fresh, max-stale has no value assigned.
In this case ignore s-maxage, max-age, min-fresh. For max-stale
it is valid to set no value. In this case set max-stale to 1 year
to signal that the client is accepting a stale response of any age.
Submitted by: Niklas Edmundsson <nikke acc.umu.se>
Reviewed by: mjc, rpluem, jorton
Modified:
httpd/httpd/branches/2.0.x/CHANGES
httpd/httpd/branches/2.0.x/modules/experimental/cache_util.c
Modified: httpd/httpd/branches/2.0.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/CHANGES?view=diff&rev=556619&r1=556618&r2=556619
==============================================================================
--- httpd/httpd/branches/2.0.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.0.x/CHANGES [utf-8] Mon Jul 16 06:25:11 2007
@@ -1,6 +1,10 @@
-*- coding: utf-8 -*-
Changes with Apache 2.0.60
+ *) SECURITY: CVE-2007-1863 (cve.mitre.org)
+ mod_cache: Prevent segmentation fault if a Cache-Control header has
+ no value. [Niklas Edmundsson <nikke acc.umu.se>]
+
*) SECURITY: CVE-2006-5752 (cve.mitre.org)
mod_status: Fix a possible XSS attack against a site with a public
server-status page and ExtendedStatus enabled, for browsers which
Modified: httpd/httpd/branches/2.0.x/modules/experimental/cache_util.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/modules/experimental/cache_util.c?view=diff&rev=556619&r1=556618&r2=556619
==============================================================================
--- httpd/httpd/branches/2.0.x/modules/experimental/cache_util.c (original)
+++ httpd/httpd/branches/2.0.x/modules/experimental/cache_util.c Mon Jul 16 06:25:11 2007
@@ -186,7 +186,8 @@
age = ap_cache_current_age(info, age_c, r->request_time);
/* extract s-maxage */
- if (cc_cresp && ap_cache_liststr(r->pool, cc_cresp, "s-maxage", &val)) {
+ if (cc_cresp && ap_cache_liststr(r->pool, cc_cresp, "s-maxage", &val)
+ && val != NULL) {
smaxage = apr_atoi64(val);
}
else if (cc_ceresp && ap_cache_liststr(r->pool, cc_ceresp, "s-maxage", &val)) {
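Review bot: The `else if (cc_ceresp && ap_cache_liststr(r->pool, cc_ceresp, "s-maxage", &val))` fallback at the end of this hunk gets no `val != NULL` guard, although this commit makes ap_cache_liststr return 1 with `*val` set to NULL for a directive without a value. Its body lies outside the hunk, but if it mirrors the first branch and calls `apr_atoi64(val)`, a bare `s-maxage` in that header set would presumably still reach a NULL dereference. The new guard also routes a valueless cc_cresp directive into this fallback rather than stopping at the first branch. Add `&& val != NULL` to that condition; the same applies to the `cc_ceresp` `max-age` fallback that closes the response max-age hunk.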
@@ -197,7 +198,8 @@
}
/* extract max-age from request */
- if (cc_req && ap_cache_liststr(r->pool, cc_req, "max-age", &val)) {
+ if (cc_req && ap_cache_liststr(r->pool, cc_req, "max-age", &val)
+ && val != NULL) {
maxage_req = apr_atoi64(val);
}
else {
@@ -205,7 +207,8 @@
}
/* extract max-age from response */
- if (cc_cresp && ap_cache_liststr(r->pool, cc_cresp, "max-age", &val)) {
+ if (cc_cresp && ap_cache_liststr(r->pool, cc_cresp, "max-age", &val)
+ && val != NULL) {
maxage_cresp = apr_atoi64(val);
}
else if (cc_ceresp && ap_cache_liststr(r->pool, cc_ceresp, "max-age", &val)) {
@@ -231,14 +234,28 @@
/* extract max-stale */
if (cc_req && ap_cache_liststr(r->pool, cc_req, "max-stale", &val)) {
- maxstale = apr_atoi64(val);
+ if(val != NULL) {
+ maxstale = apr_atoi64(val);
+ }
+ else {
+ /*
+ * If no value is assigned to max-stale, then the client is willing
+ * to accept a stale response of any age (RFC2616 14.9.3). We will
+ * set it to one year in this case as this situation is somewhat
+ * similar to a "never expires" Expires header (RFC2616 14.21)
+ * which is set to a date one year from the time the response is
+ * sent in this case.
+ */
+ maxstale = APR_INT64_C(86400*365);
+ }
}
else {
maxstale = 0;
}
/* extract min-fresh */
- if (cc_req && ap_cache_liststr(r->pool, cc_req, "min-fresh", &val)) {
+ if (cc_req && ap_cache_liststr(r->pool, cc_req, "min-fresh", &val)
+ && val != NULL) {
minfresh = apr_atoi64(val);
}
else {
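Review bot: `maxstale = apr_atoi64(val);` and the `min-fresh` assignment below it still take whatever number the client sends, since apr_atoi64 gives the caller no parse-error or range signal. A negative or very large value therefore flows into the freshness comparison; that code is outside this hunk, so the effect is inferred rather than visible here. Consider clamping after parsing, e.g. `if (maxstale < 0) maxstale = 0;`, and likewise for `minfresh`, so a malformed request directive cannot widen or invert the freshness window.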
@@ -383,6 +400,9 @@
*val = apr_pstrmemdup(p, val_start,
next - val_start);
}
+ }
+ else {
+ *val = NULL;
}
}
return 1;
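Review bot: ap_cache_liststr can now return 1 with `*val` set to NULL, and nothing in this hunk documents that, so callers have to know that a match does not imply a value. Add a comment above the new branch such as `/* key present without "=value": report a match, no value */` and state the same contract in the function's header comment, which lies outside the hunk. Any other callers of ap_cache_liststr that pass a `val` pointer, if there are some outside this file, would need the same NULL check this commit adds in cache_util.c.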