Posted to dev@httpd.apache.org by Joe Orton <jo...@redhat.com> on 2014/04/01 16:37:39 UTC
CVE-2013-5704, mod_headers and chunked trailer fields
For context: http://martin.swende.se/blog/HTTPChunked.html

This was discussed a little on the security@ list last year but it's a
difficult issue and there was not any consensus beyond the fact that the
current behaviour is wrong, and "punt to dev@". There is a separate
thread about how to fix this, which Eric just re-started, but it would
be good to discuss/find consensus on the security impact.

The API for handling trailer fields is unspecified, which is really why
this bug exists; modules don't really expect those trailers to get
merged into r->headers_in at a "surprising" time during request
processing.

I'd argue that gateway modules can/should handle this case correctly,
regardless of the httpd API; hence this is not a security issue in httpd
as such. For example, with mod_proxy acting as a reverse proxy, no
headers can get "accidentally" passed through, since mod_proxy captures
the request headers before processing the request body.
Regards, Joe
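
The ordering problem described in the message above, as an added toy model in Python. It is not part of the original post and is not httpd code. The function names, the X-Internal-Auth field and the sample request are constructed assumptions. It compares a gateway that forwards the live header table with one that snapshots the headers before the body is read.

```python
# Toy model of the request flow; none of this is httpd's API.
# parse_chunked, handle and X-Internal-Auth are hypothetical names.

def parse_chunked(body: bytes):
    """Decode a chunked body and return (payload, trailer_fields)."""
    payload, pos = b"", 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";")[0], 16)  # drop chunk extensions
        pos = eol + 2
        if size == 0:
            break
        payload += body[pos:pos + size]
        pos += size + 2  # skip the chunk data and its trailing CRLF
    trailers = {}
    for line in body[pos:].split(b"\r\n"):
        if not line:  # empty line ends the trailer section
            break
        name, _, value = line.partition(b":")
        trailers[name.decode().strip().lower()] = value.decode().strip()
    return payload, trailers


def handle(headers, body, snapshot_first):
    """Return (headers the gateway would forward, decoded payload)."""
    headers_in = {k.lower(): v for k, v in headers.items()}
    # Early header policy: strip a field the client must not control.
    headers_in.pop("x-internal-auth", None)
    # Snapshot = copy taken before the body is read; otherwise the
    # gateway keeps a reference to the live table.
    forwarded = dict(headers_in) if snapshot_first else headers_in
    payload, trailers = parse_chunked(body)
    headers_in.update(trailers)  # trailers merged after the policy ran
    return forwarded, payload


# Constructed sample request, not captured traffic.
SAMPLE_HEADERS = {"Host": "example.test", "Transfer-Encoding": "chunked",
                  "X-Internal-Auth": "1"}
SAMPLE_BODY = b"5\r\nhello\r\n0\r\nX-Internal-Auth: 1\r\n\r\n"

if __name__ == "__main__":
    for snap in (False, True):
        fwd, _ = handle(SAMPLE_HEADERS, SAMPLE_BODY, snapshot_first=snap)
        print("snapshot" if snap else "live table", sorted(fwd))
```
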