You are viewing a plain text version of this content. The canonical link for it is here.

Posted to cvs@httpd.apache.org by wr...@apache.org on 2005/09/20 20:34:36 UTC

svn commit: r290517 - in /httpd/httpd/branches/2.0.x: CHANGES STATUS modules/proxy/proxy_http.c

Author: wrowe
Date: Tue Sep 20 11:34:33 2005
New Revision: 290517

URL: http://svn.apache.org/viewcvs?rev=290517&view=rev
Log:

  Backport trunk changes as recorded in branches/proxy-reqbody-2.0.x,
  refactoring http_proxy.c request body handling.  This correction
  satisfies the vetoed issues in the originally backported proxy
  request body handling from trunk/ in 171205.

Reviewed by: jim, minfrin

Added:
    httpd/httpd/branches/2.0.x/modules/proxy/proxy_http.c
      - copied unchanged from r290514, httpd/httpd/branches/proxy-reqbody-2.0.x/modules/proxy/proxy_http.c
Modified:
    httpd/httpd/branches/2.0.x/CHANGES
    httpd/httpd/branches/2.0.x/STATUS

Modified: httpd/httpd/branches/2.0.x/CHANGES
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/2.0.x/CHANGES?rev=290517&r1=290516&r2=290517&view=diff
==============================================================================
--- httpd/httpd/branches/2.0.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.0.x/CHANGES [utf-8] Tue Sep 20 11:34:33 2005
@@ -1,6 +1,13 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.0.55
 
+  *) SECURITY: CAN-2005-2088 (cve.mitre.org)
+     proxy: Correctly handle the Transfer-Encoding and Content-Length
+     headers.  Discard the request Content-Length whenever T-E: chunked
+     is used, always passing one of either C-L or T-E: chunked whenever 
+     the request includes a request body.  Resolves an entire class of
+     proxy HTTP Request Splitting/Spoofing attacks.  [William Rowe]
+
   *) Added TraceEnable [on|off|extended] per-server directive to alter
      the behavior of the TRACE method.  This addresses a flaw in proxy
      conformance to RFC 2616 - previously the proxy server would accept

Modified: httpd/httpd/branches/2.0.x/STATUS
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/2.0.x/STATUS?rev=290517&r1=290516&r2=290517&view=diff
==============================================================================
--- httpd/httpd/branches/2.0.x/STATUS (original)
+++ httpd/httpd/branches/2.0.x/STATUS Tue Sep 20 11:34:33 2005
@@ -104,29 +104,6 @@
 
 RELEASE SHOWSTOPPERS:
 
-    * Copy the backport branch of all of the mod_proxy_http.c's request body 
-      handling security, protocol and bug fixes; by svn copy'ing the file
-      httpd/httpd/branches/proxy-reqbody-2.0.x/modules/proxy/proxy_http.c back to
-      httpd/branches/2.0.x/... preserving the detail of all of the individually
-      backported changes.
-
-       +1: wrowe, jim, minfrin
-       -1:
-
-      For a complete history of individual unit changes, see r230703 - r230744 in
-      http://svn.apache.org/viewcvs.cgi/httpd/httpd/branches/proxy-reqbody-2.0.x/
-      [...]  modules/proxy/proxy_http.c?&view=log
-      Cite the specific patch with justification for each specific objection.
-
-      Suggested; revert r219061 to thoroughly test this patch, as r219061 masks 
-      some underlying bugs (although it is a -good- patch in and of itself and
-      provides additional protection to other content-handling modules).      
-
-    * TRACE must not have a request body per RFC2616; see the -trace.patch
-      below for one of two alternatives.  The other alternative; simply
-      hack mod_proxy.c to reject TRACE when a body is seen, again see that
-      -trace.patch for an illustration.
-
 
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
   [ start all new proposals below, under PATCHES PROPOSED. ]

Re: svn commit: r290517 - in /httpd/httpd/branches/2.0.x: CHANGES STATUS modules/proxy/proxy_http.c

Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.

Joe Orton wrote:
> 
> proxy_http.c: In function 'ap_proxy_http_request':
> proxy_http.c:569: warning: 'status' may be used uninitialized in this function
> http_protocol.c: In function 'ap_send_http_trace':
> http_protocol.c:1377: warning: 'bodyread' may be used uninitialized in this function

Both, as I expected, were never-encountered edge cases.  But please do
svn up and double check that our compile is clean, now, on gcc4.

Re: svn commit: r290517 - in /httpd/httpd/branches/2.0.x: CHANGES STATUS modules/proxy/proxy_http.c

Posted by Joe Orton <jo...@redhat.com>.

On Tue, Sep 20, 2005 at 06:34:36PM -0000, William Rowe wrote:
> Author: wrowe
> Date: Tue Sep 20 11:34:33 2005
> New Revision: 290517
> 
> URL: http://svn.apache.org/viewcvs?rev=290517&view=rev

-Werror regressions with these commits (gcc 4):

proxy_http.c: In function 'ap_proxy_http_request':
proxy_http.c:569: warning: 'status' may be used uninitialized in this function
http_protocol.c: In function 'ap_send_http_trace':
http_protocol.c:1377: warning: 'bodyread' may be used uninitialized in this function