Posted to cvs@httpd.apache.org by wr...@apache.org on 2005/08/08 19:52:06 UTC

svn commit: r230826 - in /httpd/httpd/branches/1.3.x/src: CHANGES main/http_protocol.c

Author: wrowe
Date: Mon Aug  8 10:52:01 2005
New Revision: 230826

URL: http://svn.apache.org/viewcvs?rev=230826&view=rev
Log:

  Backport the 2.x C-L/T-E core protocol patch;

Reviewed for 1.3 by: wrowe, jimj, graham

Modified:
    httpd/httpd/branches/1.3.x/src/CHANGES
    httpd/httpd/branches/1.3.x/src/main/http_protocol.c

Modified: httpd/httpd/branches/1.3.x/src/CHANGES
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/1.3.x/src/CHANGES?rev=230826&r1=230825&r2=230826&view=diff
==============================================================================
--- httpd/httpd/branches/1.3.x/src/CHANGES (original)
+++ httpd/httpd/branches/1.3.x/src/CHANGES Mon Aug  8 10:52:01 2005
@@ -1,5 +1,12 @@
 Changes with Apache 1.3.34
 
+  *) SECURITY: core: If a request contains both Transfer-Encoding and 
+     Content-Length headers, remove the Content-Length, mitigating some 
+     HTTP Request Splitting/Spoofing attacks.  This has no impact on
+     mod_proxy_http, yet affects any module which supports chunked
+     encoding yet fails to prefer T-E: chunked over the Content-Length
+     purported value.  [Paul Querna, Joe Orton]
+
   *) Added TraceEnable [on|off|extended] per-server directive to alter
      the behavior of the TRACE method.  This addresses a flaw in proxy
      conformance to RFC 2616 - previously the proxy server would accept
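
Review bot: The second sentence of the new CHANGES entry is hard to parse because it chains two "yet" clauses ("This has no impact on mod_proxy_http, yet affects any module which supports chunked encoding yet fails to prefer T-E: chunked ..."). Suggest splitting it, for example: "mod_proxy_http is not affected; modules which support chunked encoding but do not prefer T-E: chunked over the Content-Length value are." The log message says this is a backport of the 2.x patch, so please also confirm that mod_proxy_http is the right module name to cite on the 1.3.x branch. The entry could cite RFC 2616 section 4.4, as the code comment in http_protocol.c does, and the first two added lines end in trailing whitespace.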

Modified: httpd/httpd/branches/1.3.x/src/main/http_protocol.c
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/1.3.x/src/main/http_protocol.c?rev=230826&r1=230825&r2=230826&view=diff
==============================================================================
--- httpd/httpd/branches/1.3.x/src/main/http_protocol.c (original)
+++ httpd/httpd/branches/1.3.x/src/main/http_protocol.c Mon Aug  8 10:52:01 2005
@@ -1214,6 +1214,14 @@
             ap_log_transaction(r);
             return r;
         }
+        if (ap_table_get(r->headers_in, "Transfer-Encoding")
+            && ap_table_get(r->headers_in, "Content-Length")) {
+            /* 2616 section 4.4, point 3: "if both Transfer-Encoding
+             * and Content-Length are received, the latter MUST be
+             * ignored"; so unset it here to prevent any confusion
+             * later. */
+            ap_table_unset(r->headers_in, "Content-Length");
+        }
     }
     else {
         ap_kill_timeout(r);
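
Review bot: The added block discards Content-Length silently; there is no log call before ap_table_unset(r->headers_in, "Content-Length"). A request carrying both headers is the input the CHANGES entry ties to request splitting/spoofing, so an ap_log_rerror() line at a low level, recording that the header was dropped, would give operators something to detect on. The condition also fires for any Transfer-Encoding value, not only chunked. That matches the RFC text quoted in the comment, but the comment could say so explicitly and write "RFC 2616" rather than the bare "2616".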