You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by yl...@apache.org on 2016/08/31 19:49:25 UTC
svn commit: r1758671 - in /httpd/httpd/branches/2.2.x: ./ CHANGES STATUS
server/protocol.c
Author: ylavic
Date: Wed Aug 31 19:49:25 2016
New Revision: 1758671
URL: http://svn.apache.org/viewvc?rev=1758671&view=rev
Log:
Merge r892678, r1100511, r1102124 from trunk:
Reject requests containing (invalid) NULL characters in request line
or request headers.
PR 43039
use APR_STATUS_IS_TIMEUP() instead of direct comparison with APR_TIMEUP.
Use APR_STATUS_IS_... in some more cases.
While this is not strictly necessary everywhere, it makes it much easier
to find the problematic cases.
Submitted by: niq, covener, sf
Reviewed by: wrowe, covener, ylavic
Modified:
httpd/httpd/branches/2.2.x/ (props changed)
httpd/httpd/branches/2.2.x/CHANGES
httpd/httpd/branches/2.2.x/STATUS
httpd/httpd/branches/2.2.x/server/protocol.c
Propchange: httpd/httpd/branches/2.2.x/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Wed Aug 31 19:49:25 2016
@@ -1,2 +1,2 @@
/httpd/httpd/branches/2.4.x:1555538,1555559,1648845,1649003,1681034,1682929,1682939,1707123,1722573,1726087
-/httpd/httpd/trunk:290940,395552,417988,451572,501364,583817,583830,611483,630858,639005,639010,647395,657354,657459,660461,660566,664330,678761,680082,681190,682369,683626,685112,686805,686809,687099,687754,693120,693392,693727-693728,696006,697093,706318,707163,708902,711421,713575,719357,720250,729316-729317,729586,732414,732504,732816,732832,733127,733134,733218-733219,734710,743589,755190,756671,756675,756678,756683,757741,761329,763394,764239,768535,769809,771587,771610,776325,777042,777091,778438-778439,778531,778942,780648,780655,780692,780697,780699,785457,785661,790587,803704,819480,823536,823563,834378,835046,891282,900022,932791,942209,952823,953311,955966,979120,981084,992625,1026743,1031551,1040304,1040373,1058192,1070096,1082189,1082196,1090645,1172732,1200040,1200372,1200374,1213380,1213391,1222335,1223048,1231446,1244211,1294306,1299738,1300171,1301111,1308862,1327036,1327080,1328133,1328325-1328326,1345319,1348656,1349905,1352912,1363183,1363186,1366344,1367778,136
8131,1368396,1369568,1395225,1398066,1400700,1407004,1407088,1407528,1408402,1410681,1413732,1414094,1416889,1418752,1422234,1422253,1435178,1447426,1470940,1475878,1476604,1476621,1476642,1476644-1476645,1477530,1484852,1485409,1485668,1490994,1493330,1496429,1500323,1504276,1506714,1509872,1509875,1514215,1524192,1524770,1526168,1526189,1527291,1527295,1527925,1528718,1529559,1529988,1529991,1531505,1532816,1551685,1551714,1552227,1553204,1554276,1554281,1555240,1555555,1556428,1563420,1572092,1572198,1572543,1572611,1572630,1572655,1572663,1572668-1572671,1572896,1572911,1572967,1573224,1573229,1575400,1585090,1586745,1587594,1587639,1588851,1590509,1597352,1603156,1604353,1610207,1610311,1610491,1610501,1611165,1611169,1620932,1621419,1621453,1643537,1643543,1648840,1649001,1649043,1650310,1650320,1652929,1653997,1657897,1658765,1663647,1664205,1665215,1665218,1665625,1665721,1666363,1674056,1675533,1676654,1677462,1679182,1679470,1680895,1680900,1680942,1681037,1682923,1682937,
1684513,1684900,1685345,1685347,1685349-1685350,1687539,1687680,1688274,1688331,1688339-1688340,1688343,1688536,1688538,1697013,1697015,1706989,1722572,1723567,1726086,1745767,1748448,1753228
+/httpd/httpd/trunk:290940,395552,417988,451572,501364,583817,583830,611483,630858,639005,639010,647395,657354,657459,660461,660566,664330,678761,680082,681190,682369,683626,685112,686805,686809,687099,687754,693120,693392,693727-693728,696006,697093,706318,707163,708902,711421,713575,719357,720250,729316-729317,729586,732414,732504,732816,732832,733127,733134,733218-733219,734710,743589,755190,756671,756675,756678,756683,757741,761329,763394,764239,768535,769809,771587,771610,776325,777042,777091,778438-778439,778531,778942,780648,780655,780692,780697,780699,785457,785661,790587,803704,819480,823536,823563,834378,835046,891282,892678,900022,932791,942209,952823,953311,955966,979120,981084,992625,1026743,1031551,1040304,1040373,1058192,1070096,1082189,1082196,1090645,1100511,1102124,1172732,1200040,1200372,1200374,1213380,1213391,1222335,1223048,1231446,1244211,1294306,1299738,1300171,1301111,1308862,1327036,1327080,1328133,1328325-1328326,1345319,1348656,1349905,1352912,1363183,1363
186,1366344,1367778,1368131,1368396,1369568,1395225,1398066,1400700,1407004,1407088,1407528,1408402,1410681,1413732,1414094,1416889,1418752,1422234,1422253,1435178,1447426,1470940,1475878,1476604,1476621,1476642,1476644-1476645,1477530,1484852,1485409,1485668,1490994,1493330,1496429,1500323,1504276,1506714,1509872,1509875,1514215,1524192,1524770,1526168,1526189,1527291,1527295,1527925,1528718,1529559,1529988,1529991,1531505,1532816,1551685,1551714,1552227,1553204,1554276,1554281,1555240,1555555,1556428,1563420,1572092,1572198,1572543,1572611,1572630,1572655,1572663,1572668-1572671,1572896,1572911,1572967,1573224,1573229,1575400,1585090,1586745,1587594,1587639,1588851,1590509,1597352,1603156,1604353,1610207,1610311,1610491,1610501,1611165,1611169,1620932,1621419,1621453,1643537,1643543,1648840,1649001,1649043,1650310,1650320,1652929,1653997,1657897,1658765,1663647,1664205,1665215,1665218,1665625,1665721,1666363,1674056,1675533,1676654,1677462,1679182,1679470,1680895,1680900,1680942,1
681037,1682923,1682937,1684513,1684900,1685345,1685347,1685349-1685350,1687539,1687680,1688274,1688331,1688339-1688340,1688343,1688536,1688538,1697013,1697015,1706989,1722572,1723567,1726086,1745767,1748448,1753228
Modified: httpd/httpd/branches/2.2.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/CHANGES?rev=1758671&r1=1758670&r2=1758671&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.2.x/CHANGES [utf-8] Wed Aug 31 19:49:25 2016
@@ -4,6 +4,9 @@ Changes with Apache 2.2.32
*) core: CVE-2016-5387: Mitigate [f]cgi "httpoxy" issues.
[Dominic Scheirlinck <dominic vendhq.com>, Yann Ylavic]
+ *) Core: reject NULLs in request line or request headers.
+ PR 43039 [Nick Kew]
+
*) mod_ssl: Fix a possible memory leak on restart for custom [EC]DH params.
[Jan Kaluza, Yann Ylavic]
Modified: httpd/httpd/branches/2.2.x/STATUS
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/STATUS?rev=1758671&r1=1758670&r2=1758671&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/STATUS (original)
+++ httpd/httpd/branches/2.2.x/STATUS Wed Aug 31 19:49:25 2016
@@ -103,19 +103,6 @@ RELEASE SHOWSTOPPERS:
PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
[ start all new proposals below, under PATCHES PROPOSED. ]
- *) core: Reject requests containing (invalid) NULL characters in request line
- or request headers. (Including embedded %00 in URL).
- (Use APR_STATUS_IS_... in some more cases.)
- Trunk version of patch
- http://svn.apache.org/r892678
- http://svn.apache.org/r1100511
- http://svn.apache.org/r1102124
- Backport: (trunk works as well)
- https://raw.githubusercontent.com/wrowe/patches/master/backport-2.2.x-r892678.patch
- Submitted by niq, status legibility fixes by covener, sf
- PR: 43039
- +1: wrowe, covener, ylavic
-
*) core: Limit to ten the number of tolerated empty lines between request.
Before this commit, the maximum number of empty lines was the same as
configured LimitRequestFields, defaulting to 100, which was way too much.
Modified: httpd/httpd/branches/2.2.x/server/protocol.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/server/protocol.c?rev=1758671&r1=1758670&r2=1758671&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/server/protocol.c (original)
+++ httpd/httpd/branches/2.2.x/server/protocol.c Wed Aug 31 19:49:25 2016
@@ -433,8 +433,13 @@ AP_DECLARE(apr_status_t) ap_rgetline_cor
}
}
}
-
*read = bytes_handled;
+
+ /* PR#43039: We shouldn't accept NULL bytes within the line */
+ if (strlen(*s) < bytes_handled - 1) {
+ return APR_EINVAL;
+ }
+
return APR_SUCCESS;
}
@@ -597,12 +602,15 @@ static int read_request_line(request_rec
* buffer before finding the end-of-line. This is only going to
* happen if it exceeds the configured limit for a request-line.
*/
- if (rv == APR_ENOSPC) {
+ if (APR_STATUS_IS_ENOSPC(rv)) {
r->status = HTTP_REQUEST_URI_TOO_LARGE;
}
else if (APR_STATUS_IS_TIMEUP(rv)) {
r->status = HTTP_REQUEST_TIME_OUT;
}
+ else if (APR_STATUS_IS_EINVAL(rv)) {
+ r->status = HTTP_BAD_REQUEST;
+ }
r->proto_num = HTTP_VERSION(1,0);
r->protocol = apr_pstrdup(r->pool, "HTTP/1.0");
return 0;
@@ -908,9 +916,16 @@ request_rec *ap_read_request(conn_rec *c
/* Get the request... */
if (!read_request_line(r, tmp_bb)) {
- if (r->status == HTTP_REQUEST_URI_TOO_LARGE) {
- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
- "request failed: URI too long (longer than %d)", r->server->limit_req_line);
+ if (r->status == HTTP_REQUEST_URI_TOO_LARGE
+ || r->status == HTTP_BAD_REQUEST) {
+ if (r->status == HTTP_BAD_REQUEST) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+ "request failed: invalid characters in URI");
+ }
+ else {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+ "request failed: URI too long (longer than %d)", r->server->limit_req_line);
+ }
ap_send_error_response(r, 0);
ap_update_child_status(conn->sbh, SERVER_BUSY_LOG, r);
ap_run_log_transaction(r);