Posted to cvs@httpd.apache.org by ji...@apache.org on 2012/09/30 17:50:21 UTC
svn commit: r1392050 - in /httpd/httpd/branches/2.0.x: CHANGES STATUS
server/protocol.c
Author: jim
Date: Sun Sep 30 15:50:21 2012
New Revision: 1392050
URL: http://svn.apache.org/viewvc?rev=1392050&view=rev
Log:
*) SECURITY: CVE-2012-0053 (cve.mitre.org)
Fix an issue in error responses that could expose "httpOnly" cookies
when no custom ErrorDocument is specified for status code 400.
[Eric Covener]
r1234837 on 2.0.x:
http://people.apache.org/~trawick/2.0-CVE-2012-0053-r1234837.patch
+1: trawick, rjung, jim
Modified:
httpd/httpd/branches/2.0.x/CHANGES
httpd/httpd/branches/2.0.x/STATUS
httpd/httpd/branches/2.0.x/server/protocol.c
Modified: httpd/httpd/branches/2.0.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/CHANGES?rev=1392050&r1=1392049&r2=1392050&view=diff
==============================================================================
--- httpd/httpd/branches/2.0.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.0.x/CHANGES [utf-8] Sun Sep 30 15:50:21 2012
@@ -1,6 +1,11 @@
-*- coding: utf-8 -*-
Changes with Apache 2.0.65
+ *) SECURITY: CVE-2012-0053 (cve.mitre.org)
+ Fix an issue in error responses that could expose "httpOnly" cookies
+ when no custom ErrorDocument is specified for status code 400.
+ [Eric Covener]
+
*) SECURITY: CVE-2012-0031 (cve.mitre.org)
Fix scoreboard issue which could allow an unprivileged child process
could cause the parent to crash at shutdown rather than terminate
Modified: httpd/httpd/branches/2.0.x/STATUS
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/STATUS?rev=1392050&r1=1392049&r2=1392050&view=diff
==============================================================================
--- httpd/httpd/branches/2.0.x/STATUS (original)
+++ httpd/httpd/branches/2.0.x/STATUS Sun Sep 30 15:50:21 2012
@@ -171,14 +171,6 @@ RELEASE SHOWSTOPPERS:
http://people.apache.org/~trawick/2.0-CVE-2011-4317-r1235443.patch
+1: trawick
- *) SECURITY: CVE-2012-0053 (cve.mitre.org)
- Fix an issue in error responses that could expose "httpOnly" cookies
- when no custom ErrorDocument is specified for status code 400.
- [Eric Covener]
-
- r1234837 on 2.0.x:
- http://people.apache.org/~trawick/2.0-CVE-2012-0053-r1234837.patch
- +1: trawick, rjung
PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
[ start all new proposals below, under PATCHES PROPOSED. ]
Modified: httpd/httpd/branches/2.0.x/server/protocol.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/server/protocol.c?rev=1392050&r1=1392049&r2=1392050&view=diff
==============================================================================
--- httpd/httpd/branches/2.0.x/server/protocol.c (original)
+++ httpd/httpd/branches/2.0.x/server/protocol.c Sun Sep 30 15:50:21 2012
@@ -677,6 +677,16 @@ static int read_request_line(request_rec
return 1;
}
+/* get the length of the field name for logging, but no more than 80 bytes */
+#define LOG_NAME_MAX_LEN 80
+static int field_name_len(const char *field)
+{
+ const char *end = ap_strchr_c(field, ':');
+ if (end == NULL || end - field > LOG_NAME_MAX_LEN)
+ return LOG_NAME_MAX_LEN;
+ return end - field;
+}
+
AP_DECLARE(void) ap_get_mime_headers_core(request_rec *r, apr_bucket_brigade *bb)
{
char *last_field = NULL;
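Review bot: field_name_len() measures the raw header line, but the two oversize-field hunks below pass its result as the `%.*s` precision for the output of `ap_escape_html()`, so the cut is taken on the escaped text rather than on the name. Any character that escaping expands (for example `<` becoming `&lt;`) moves the end of the name, and the precision can then stop inside an entity and print less than the field name. Truncating first and escaping afterwards avoids that: `ap_escape_html(r->pool, apr_pstrndup(r->pool, field, field_name_len(field)))` with a plain `%s`. The comment above the macro says "for logging" although the helper also bounds the response text; `/* length of the field name to echo in logs and error notes, capped at LOG_NAME_MAX_LEN bytes */` would describe it more accurately.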
@@ -709,12 +719,15 @@ AP_DECLARE(void) ap_get_mime_headers_cor
/* insure ap_escape_html will terminate correctly */
field[len - 1] = '\0';
apr_table_setn(r->notes, "error-notes",
- apr_pstrcat(r->pool,
+ apr_psprintf(r->pool,
"Size of a request header field "
"exceeds server limit.<br />\n"
- "<pre>\n",
- ap_escape_html(r->pool, field),
- "</pre>\n", NULL));
+ "<pre>\n%.*s\n</pre>/n",
+ field_name_len(field),
+ ap_escape_html(r->pool, field)));
+ ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
+ "Request header exceeds LimitRequestFieldSize: "
+ "%.*s", field_name_len(field), field);
return;
}
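Review bot: The new format string ends in `</pre>/n`, with a forward slash where the other two messages have `\n`, so the default 400 page will carry a literal "/n" after the closing tag. The line should read `"<pre>\n%.*s\n</pre>\n",`. ap_get_mime_headers_core starts and ends outside this hunk.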
@@ -739,13 +752,17 @@ AP_DECLARE(void) ap_get_mime_headers_cor
* overflow (last_field) as the field with the problem
*/
apr_table_setn(r->notes, "error-notes",
- apr_pstrcat(r->pool,
+ apr_psprintf(r->pool,
"Size of a request header field "
"after folding "
"exceeds server limit.<br />\n"
- "<pre>\n",
- ap_escape_html(r->pool, last_field),
- "</pre>\n", NULL));
+ "<pre>\n%.*s\n</pre>\n",
+ field_name_len(last_field),
+ ap_escape_html(r->pool, last_field)));
+ ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
+ "Request header exceeds LimitRequestFieldSize "
+ "after folding: %.*s",
+ field_name_len(last_field), last_field);
return;
}
@@ -777,13 +794,17 @@ AP_DECLARE(void) ap_get_mime_headers_cor
if (!(value = strchr(last_field, ':'))) { /* Find ':' or */
r->status = HTTP_BAD_REQUEST; /* abort bad request */
apr_table_setn(r->notes, "error-notes",
- apr_pstrcat(r->pool,
+ apr_psprintf(r->pool,
"Request header field is "
"missing ':' separator.<br />\n"
- "<pre>\n",
- ap_escape_html(r->pool,
- last_field),
- "</pre>\n", NULL));
+ "<pre>\n%.*s</pre>\n",
+ (int)LOG_NAME_MAX_LEN,
+ ap_escape_html(r->pool,
+ last_field)));
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+ "Request header field is missing ':' "
+ "separator: %.*s", (int)LOG_NAME_MAX_LEN,
+ last_field);
return;
}
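Review bot: This branch logs the rejection at `APLOG_DEBUG` while the two oversize-field branches use `APLOG_INFO`, so a LogLevel of info surfaces only part of the malformed-header rejections; unless the difference is intended, `ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,` would keep the three paths visible together. The format string here is `"<pre>\n%.*s</pre>\n"`, without the newline before `</pre>` that the other two messages have. Because no ':' was found, the cap is the full LOG_NAME_MAX_LEN and is again applied to the escaped string, so the output can end inside an HTML entity. The enclosing function continues outside the hunk.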