Posted to cvs@httpd.apache.org by hu...@apache.org on 2014/03/27 12:00:35 UTC

svn commit: r1582255 - in /httpd/httpd/branches/2.4.x: CHANGES modules/lua/lua_request.c

Author: humbedooh
Date: Thu Mar 27 11:00:34 2014
New Revision: 1582255

URL: http://svn.apache.org/r1582255
Log:
mod_lua: escape key/value pairs when setting cookies to prevent header splitting with tainted cookies.

Modified:
    httpd/httpd/branches/2.4.x/CHANGES
    httpd/httpd/branches/2.4.x/modules/lua/lua_request.c

Modified: httpd/httpd/branches/2.4.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/CHANGES?rev=1582255&r1=1582254&r2=1582255&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.4.x/CHANGES [utf-8] Thu Mar 27 11:00:34 2014
@@ -8,6 +8,10 @@ Changes with Apache 2.4.10
   *) mod_lua: Reformat and escape script error output.
      [Daniel Gruno, Felipe Daragon <filipe syhunt com>]
 
+  *) mod_lua: URL-escape cookie keys/values to prevent tainted cookie data
+     from causing response splitting.
+     [Daniel Gruno, Felipe Daragon <filipe syhunt com>]
+
 Changes with Apache 2.4.9
 
   *) mod_ssl: Work around a bug in some older versions of OpenSSL that
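Review bot: the new CHANGES entry should also mention the user-visible behaviour change, not only the security motivation: once keys and values pass through URL-escaping, any cookie value containing characters outside the unreserved set (spaces, semicolons, "=", non-ASCII) will arrive at the client in percent-encoded form, so Lua scripts or downstream consumers that read the cookie back must URL-decode it. A sentence such as "Cookie values set via r:setcookie are now URL-encoded and must be decoded by readers" would let administrators spot the change when upgrading. Minor: the log message says "header splitting" while the entry says "response splitting"; pick one term.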

Modified: httpd/httpd/branches/2.4.x/modules/lua/lua_request.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/lua/lua_request.c?rev=1582255&r1=1582254&r2=1582255&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/modules/lua/lua_request.c (original)
+++ httpd/httpd/branches/2.4.x/modules/lua/lua_request.c Thu Mar 27 11:00:34 2014
@@ -2048,6 +2048,10 @@ static int lua_set_cookie(lua_State *L) 
         /* Domain does NOT like quotes in most browsers, so let's avoid that */
         strdomain = apr_psprintf(r->pool, "Domain=%s;", domain);
     }
+
+    /* URL-encode key/value */
+    value = ap_escape_urlencoded(r->pool, value);
+    key = ap_escape_urlencoded(r->pool, key);
     
     /* Create the header */
     out = apr_psprintf(r->pool, "%s=%s; %s %s %s %s %s", key, value,
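Review bot: the escaping is applied only to key and value, but the header is assembled from several more interpolated strings; the visible context above shows `strdomain = apr_psprintf(r->pool, "Domain=%s;", domain);` with `domain` inserted unescaped, and the final format string `"%s=%s; %s %s %s %s %s"` carries further attribute fragments that this hunk does not touch. If any of those come from script-controlled input, CR/LF in them would still terminate the Set-Cookie header, so either run the same sanitisation over the attribute values or reject any attribute containing control characters before building `out`. Also worth a comment at the escape site: ap_escape_urlencoded produces form-urlencoded output, so the stored cookie value is no longer byte-identical to what the script passed in, which readers of the cookie must account for.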