You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by wr...@apache.org on 2005/07/14 18:51:56 UTC
svn commit: r219061 - in /httpd/httpd/branches/2.0.x: CHANGES STATUS server/protocol.c

Author: wrowe
Date: Thu Jul 14 09:51:55 2005
New Revision: 219061

URL: http://svn.apache.org/viewcvs?rev=219061&view=rev
Log:

  core: strip C-L from any request with a T-E header
  resolves external origin CAN-2005-2088 issues, does not
  address internal origin C-L/T-E discrepancies within proxy_http

Security: CVE CAN-2005-2088
Submitted by: Joe Orton
Reviewed by:  Jeff Trawick, Will Rowe

Modified:
    httpd/httpd/branches/2.0.x/CHANGES
    httpd/httpd/branches/2.0.x/STATUS
    httpd/httpd/branches/2.0.x/server/protocol.c

Modified: httpd/httpd/branches/2.0.x/CHANGES
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/2.0.x/CHANGES?rev=219061&r1=219060&r2=219061&view=diff
==============================================================================
--- httpd/httpd/branches/2.0.x/CHANGES (original)
+++ httpd/httpd/branches/2.0.x/CHANGES Thu Jul 14 09:51:55 2005
@@ -1,5 +1,10 @@
 Changes with Apache 2.0.55
 
+  *) SECURITY: CAN-2005-2088
+     core: If a request contains both Transfer-Encoding and Content-Length
+     headers, remove the Content-Length, mitigating some HTTP Request 
+     Splitting/Spoofing attacks.  [Paul Querna, Joe Orton]
+
   *) proxy HTTP: If a response contains both Transfer-Encoding and a 
      Content-Length, remove the Content-Length and don't reuse the
      connection, mitigating some HTTP Response Splitting attacks.

Modified: httpd/httpd/branches/2.0.x/STATUS
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/2.0.x/STATUS?rev=219061&r1=219060&r2=219061&view=diff
==============================================================================
--- httpd/httpd/branches/2.0.x/STATUS (original)
+++ httpd/httpd/branches/2.0.x/STATUS Thu Jul 14 09:51:55 2005
@@ -111,10 +111,7 @@
 
     * Various fixes to T-E and C-L processing from trunk
 
-      + core: strip C-L from any request with a T-E header
-          http://people.apache.org/~jorton/ap_tevscl.diff
-          (CVE CAN-2005-2088)
-        +1: jorton, trawick
+
 
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
   [ please append new backports at the end of this list not the top. ]

Modified: httpd/httpd/branches/2.0.x/server/protocol.c
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/2.0.x/server/protocol.c?rev=219061&r1=219060&r2=219061&view=diff
==============================================================================
--- httpd/httpd/branches/2.0.x/server/protocol.c (original)
+++ httpd/httpd/branches/2.0.x/server/protocol.c Thu Jul 14 09:51:55 2005
@@ -885,6 +885,15 @@
             apr_brigade_destroy(tmp_bb);
             return r;
         }
+
+        if (apr_table_get(r->headers_in, "Transfer-Encoding")
+            && apr_table_get(r->headers_in, "Content-Length")) {
+            /* 2616 section 4.4, point 3: "if both Transfer-Encoding
+             * and Content-Length are received, the latter MUST be
+             * ignored"; so unset it here to prevent any confusion
+             * later. */
+            apr_table_unset(r->headers_in, "Content-Length");
+        }
     }
     else {
         if (r->header_only) {