Posted to cvs@httpd.apache.org by wr...@apache.org on 2005/08/08 19:52:06 UTC
svn commit: r230826 - in /httpd/httpd/branches/1.3.x/src: CHANGES main/http_protocol.c
Author: wrowe
Date: Mon Aug 8 10:52:01 2005
New Revision: 230826
URL: http://svn.apache.org/viewcvs?rev=230826&view=rev
Log:
Backport the 2.x C-L/T-E core protocol patch;
Reviewed for 1.3 by: wrowe, jimj, graham
Modified:
httpd/httpd/branches/1.3.x/src/CHANGES
httpd/httpd/branches/1.3.x/src/main/http_protocol.c
Modified: httpd/httpd/branches/1.3.x/src/CHANGES
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/1.3.x/src/CHANGES?rev=230826&r1=230825&r2=230826&view=diff
==============================================================================
--- httpd/httpd/branches/1.3.x/src/CHANGES (original)
+++ httpd/httpd/branches/1.3.x/src/CHANGES Mon Aug 8 10:52:01 2005
@@ -1,5 +1,12 @@
Changes with Apache 1.3.34
+ *) SECURITY: core: If a request contains both Transfer-Encoding and
+ Content-Length headers, remove the Content-Length, mitigating some
+ HTTP Request Splitting/Spoofing attacks. This has no impact on
+ mod_proxy_http, yet affects any module which supports chunked
+ encoding yet fails to prefer T-E: chunked over the Content-Length
+ purported value. [Paul Querna, Joe Orton]
+
*) Added TraceEnable [on|off|extended] per-server directive to alter
the behavior of the TRACE method. This addresses a flaw in proxy
conformance to RFC 2616 - previously the proxy server would accept
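Review bot: the second sentence of the new CHANGES entry names only "T-E: chunked", while the first sentence says Content-Length is removed whenever both headers are present. State explicitly that the removal applies for any Transfer-Encoding value, so module authors do not read it as limited to chunked requests. The doubled "yet ... yet" in that sentence is also hard to parse; "but affects any module which supports chunked encoding and fails to prefer T-E: chunked" reads more clearly. A pointer to RFC 2616 section 4.4, which the code comment already cites, would help readers of CHANGES find the rule.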
Modified: httpd/httpd/branches/1.3.x/src/main/http_protocol.c
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/1.3.x/src/main/http_protocol.c?rev=230826&r1=230825&r2=230826&view=diff
==============================================================================
--- httpd/httpd/branches/1.3.x/src/main/http_protocol.c (original)
+++ httpd/httpd/branches/1.3.x/src/main/http_protocol.c Mon Aug 8 10:52:01 2005
@@ -1214,6 +1214,14 @@
ap_log_transaction(r);
return r;
}
+ if (ap_table_get(r->headers_in, "Transfer-Encoding")
+ && ap_table_get(r->headers_in, "Content-Length")) {
+ /* 2616 section 4.4, point 3: "if both Transfer-Encoding
+ * and Content-Length are received, the latter MUST be
+ * ignored"; so unset it here to prevent any confusion
+ * later. */
+ ap_table_unset(r->headers_in, "Content-Length");
+ }
}
else {
ap_kill_timeout(r);
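Review bot: the added block in http_protocol.c unsets Content-Length silently. A request carrying both Transfer-Encoding and Content-Length is unusual, and the CHANGES entry ties it to request splitting, so consider logging it (for example with ap_log_rerror) just before the ap_table_unset call, giving operators a record of such requests. The condition tests only for the presence of Transfer-Encoding, which matches the quoted RFC text, but the comment should say that the header's value is deliberately not inspected. Minor: the comment cites "2616 section 4.4"; write "RFC 2616" so the reference is unambiguous.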