You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by hu...@apache.org on 2014/03/27 12:00:35 UTC
svn commit: r1582255 - in /httpd/httpd/branches/2.4.x: CHANGES
modules/lua/lua_request.c
Author: humbedooh
Date: Thu Mar 27 11:00:34 2014
New Revision: 1582255
URL: http://svn.apache.org/r1582255
Log:
mod_lua: escape key/value pairs when setting cookies to prevent header splitting with tainted cookies.
Modified:
httpd/httpd/branches/2.4.x/CHANGES
httpd/httpd/branches/2.4.x/modules/lua/lua_request.c
Modified: httpd/httpd/branches/2.4.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/CHANGES?rev=1582255&r1=1582254&r2=1582255&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.4.x/CHANGES [utf-8] Thu Mar 27 11:00:34 2014
@@ -8,6 +8,10 @@ Changes with Apache 2.4.10
*) mod_lua: Reformat and escape script error output.
[Daniel Gruno, Felipe Daragon <filipe syhunt com>]
+ *) mod_lua: URL-escape cookie keys/values to prevent tainted cookie data
+ from causing response splitting.
+ [Daniel Gruno, Felipe Daragon <filipe syhunt com>]
+
Changes with Apache 2.4.9
*) mod_ssl: Work around a bug in some older versions of OpenSSL that
Modified: httpd/httpd/branches/2.4.x/modules/lua/lua_request.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/lua/lua_request.c?rev=1582255&r1=1582254&r2=1582255&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/modules/lua/lua_request.c (original)
+++ httpd/httpd/branches/2.4.x/modules/lua/lua_request.c Thu Mar 27 11:00:34 2014
@@ -2048,6 +2048,10 @@ static int lua_set_cookie(lua_State *L)
/* Domain does NOT like quotes in most browsers, so let's avoid that */
strdomain = apr_psprintf(r->pool, "Domain=%s;", domain);
}
+
+ /* URL-encode key/value */
+ value = ap_escape_urlencoded(r->pool, value);
+ key = ap_escape_urlencoded(r->pool, key);
/* Create the header */
out = apr_psprintf(r->pool, "%s=%s; %s %s %s %s %s", key, value,