Posted to cvs@httpd.apache.org by wr...@apache.org on 2005/07/14 18:51:56 UTC
svn commit: r219061 - in /httpd/httpd/branches/2.0.x: CHANGES STATUS server/protocol.c
Author: wrowe
Date: Thu Jul 14 09:51:55 2005
New Revision: 219061
URL: http://svn.apache.org/viewcvs?rev=219061&view=rev
Log:
core: strip C-L from any request with a T-E header
resolves external origin CAN-2005-2088 issues, does not
address internal origin C-L/T-E discrepancies within proxy_http
Security: CVE CAN-2005-2088
Submitted by: Joe Orton
Reviewed by: Jeff Trawick, Will Rowe
Modified:
httpd/httpd/branches/2.0.x/CHANGES
httpd/httpd/branches/2.0.x/STATUS
httpd/httpd/branches/2.0.x/server/protocol.c
Modified: httpd/httpd/branches/2.0.x/CHANGES
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/2.0.x/CHANGES?rev=219061&r1=219060&r2=219061&view=diff
==============================================================================
--- httpd/httpd/branches/2.0.x/CHANGES (original)
+++ httpd/httpd/branches/2.0.x/CHANGES Thu Jul 14 09:51:55 2005
@@ -1,5 +1,10 @@
Changes with Apache 2.0.55
+ *) SECURITY: CAN-2005-2088
+ core: If a request contains both Transfer-Encoding and Content-Length
+ headers, remove the Content-Length, mitigating some HTTP Request
+ Splitting/Spoofing attacks. [Paul Querna, Joe Orton]
+
*) proxy HTTP: If a response contains both Transfer-Encoding and a
Content-Length, remove the Content-Length and don't reuse the
connection, mitigating some HTTP Response Splitting attacks.
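Review bot: The new CAN-2005-2088 entry says "mitigating some HTTP Request Splitting/Spoofing attacks" without stating what is left open. The commit log is explicit that internal origin C-L/T-E discrepancies within proxy_http are not addressed, and repeating that scope limit in the entry would keep operators from reading it as a complete fix. The credit line also lists [Paul Querna, Joe Orton] while the log names only Joe Orton as submitter, so the attribution is worth confirming.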
Modified: httpd/httpd/branches/2.0.x/STATUS
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/2.0.x/STATUS?rev=219061&r1=219060&r2=219061&view=diff
==============================================================================
--- httpd/httpd/branches/2.0.x/STATUS (original)
+++ httpd/httpd/branches/2.0.x/STATUS Thu Jul 14 09:51:55 2005
@@ -111,10 +111,7 @@
* Various fixes to T-E and C-L processing from trunk
- + core: strip C-L from any request with a T-E header
- http://people.apache.org/~jorton/ap_tevscl.diff
- (CVE CAN-2005-2088)
- +1: jorton, trawick
+
PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
[ please append new backports at the end of this list not the top. ]
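Review bot: Removing the voted entry leaves the "* Various fixes to T-E and C-L processing from trunk" heading in place with only a blank line added beneath it. If no other sub-items remain under that heading, remove the heading as well so STATUS does not carry an empty section.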
Modified: httpd/httpd/branches/2.0.x/server/protocol.c
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/2.0.x/server/protocol.c?rev=219061&r1=219060&r2=219061&view=diff
==============================================================================
--- httpd/httpd/branches/2.0.x/server/protocol.c (original)
+++ httpd/httpd/branches/2.0.x/server/protocol.c Thu Jul 14 09:51:55 2005
@@ -885,6 +885,15 @@
apr_brigade_destroy(tmp_bb);
return r;
}
+
+ if (apr_table_get(r->headers_in, "Transfer-Encoding")
+ && apr_table_get(r->headers_in, "Content-Length")) {
+ /* 2616 section 4.4, point 3: "if both Transfer-Encoding
+ * and Content-Length are received, the latter MUST be
+ * ignored"; so unset it here to prevent any confusion
+ * later. */
+ apr_table_unset(r->headers_in, "Content-Length");
+ }
}
else {
if (r->header_only) {
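Review bot: The added block unsets Content-Length silently, so a request that arrives with both framing headers leaves no trace for whoever later investigates a suspected splitting attempt. Consider an ap_log_rerror call at a low level (debug or info) just before apr_table_unset(r->headers_in, "Content-Length"). Two smaller points on the same block: the condition tests only for the presence of Transfer-Encoding, whatever its value, which matches the quoted sentence but deserves a word in the comment; and the comment should read "RFC 2616 section 4.4" instead of the bare "2616 section 4.4".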