Posted to dev@httpd.apache.org by Joe Orton <jo...@redhat.com> on 2014/04/01 16:37:39 UTC

CVE-2013-5704, mod_headers and chunked trailer fields

For context: http://martin.swende.se/blog/HTTPChunked.html

This was discussed a little on the security@ list last year but it's a 
difficult issue and there was not any consensus beyond the fact that the 
current behaviour is wrong, and "punt to dev@".  There is a separate 
thread about how to fix this, which Eric just re-started, but it would 
be good to discuss/find consensus on the security impact.

The API for handling trailer fields is unspecified, which is really why 
this bug exists; modules don't really expect those trailers to get 
merged into r->headers_in at a "surprising" time during request 
processing.

I'd argue that gateway modules can/should handle this case correctly, 
regardless of the httpd API; hence this is not a security issue in httpd 
as such.  For example, with mod_proxy acting as a reverse proxy, no 
headers can get "accidentally" passed through, since mod_proxy captures 
the request headers before processing the request body.

Regards, Joe
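
A simplified model of the ordering problem described in the message above, added here as an illustration; it is not httpd code and not from the original post. It shows a header-phase check and a gateway-style snapshot both running before the chunked body is read, and a merged header table that gains the trailer field only afterwards. The request bytes, the header name X-Example-Flag and all function names are constructed for this example.

```python
# Constructed sample: chunked request carrying one trailer field.
RAW = (b"POST /app HTTP/1.1\r\n"
       b"Host: example.test\r\n"
       b"Transfer-Encoding: chunked\r\n"
       b"Trailer: X-Example-Flag\r\n"
       b"\r\n"
       b"5\r\nhello\r\n"
       b"0\r\n"
       b"X-Example-Flag: set-in-trailer\r\n"
       b"\r\n")
FLAG = "x-example-flag"  # hypothetical field a module inspects


def parse_fields(block: bytes) -> dict:
    """Parse 'Name: value' lines into a dict keyed by lower-cased name."""
    fields = {}
    for line in block.split(b"\r\n"):
        if line:
            name, _, value = line.partition(b":")
            fields[name.strip().lower().decode()] = value.strip().decode()
    return fields


def read_chunked(data: bytes):
    """Decode a chunked body; return (body, trailer_fields)."""
    body, pos = b"", 0
    while True:
        eol = data.index(b"\r\n", pos)
        size = int(data[pos:eol].split(b";")[0], 16)  # ignore chunk extensions
        pos = eol + 2
        if size == 0:
            break
        body += data[pos:pos + size]
        pos += size + 2  # skip chunk data and its trailing CRLF
    return body, parse_fields(data[pos:])  # what follows the last chunk


def handle(raw: bytes, merge_trailers: bool):
    """Return (early_check, late_check, snapshot_has_flag, trailers)."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    headers_in = parse_fields(head.split(b"\r\n", 1)[1])  # skip request line
    snapshot = dict(headers_in)        # copy taken before the body is read
    early_check = FLAG in headers_in   # header-phase check runs here
    _, trailers = read_chunked(rest)
    if merge_trailers:
        headers_in.update(trailers)    # the merge modules do not expect
    return early_check, FLAG in headers_in, FLAG in snapshot, trailers
```

With merging enabled, the check made before the body and the check made after it disagree, while the snapshot taken before the body never contains the trailer field.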