You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by tr...@apache.org on 2010/03/11 16:57:26 UTC

svn commit: r921910 - in /httpd/httpd/branches/2.0.x: CHANGES STATUS server/protocol.c

Author: trawick
Date: Thu Mar 11 15:57:26 2010
New Revision: 921910

URL: http://svn.apache.org/viewvc?rev=921910&view=rev
Log:
merge from trunk and 2.2.x:

SECURITY: CVE-2010-0434 (cve.mitre.org)
Ensure each subrequest has a shallow copy of headers_in so that the
parent request headers are not corrupted.  Elimiates a problematic
optimization in the case of no request body.

PR: 48359
Submitted by: Jake Scott, William Rowe, Ruediger Pluem
Reviewed by: wrowe, trawick, rpluem


Modified:
    httpd/httpd/branches/2.0.x/CHANGES
    httpd/httpd/branches/2.0.x/STATUS
    httpd/httpd/branches/2.0.x/server/protocol.c

Modified: httpd/httpd/branches/2.0.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/CHANGES?rev=921910&r1=921909&r2=921910&view=diff
==============================================================================
--- httpd/httpd/branches/2.0.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.0.x/CHANGES [utf-8] Thu Mar 11 15:57:26 2010
@@ -1,6 +1,12 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.0.64
 
+  *) SECURITY: CVE-2010-0434 (cve.mitre.org)
+     Ensure each subrequest has a shallow copy of headers_in so that the
+     parent request headers are not corrupted.  Elimiates a problematic
+     optimization in the case of no request body.  PR 48359
+     [Jake Scott, William Rowe, Ruediger Pluem]
+
   *) SECURITY: CVE-2008-2364 (cve.mitre.org)
      mod_proxy_http: Better handling of excessive interim responses
      from origin server to prevent potential denial of service and high

Modified: httpd/httpd/branches/2.0.x/STATUS
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/STATUS?rev=921910&r1=921909&r2=921910&view=diff
==============================================================================
--- httpd/httpd/branches/2.0.x/STATUS (original)
+++ httpd/httpd/branches/2.0.x/STATUS Thu Mar 11 15:57:26 2010
@@ -114,11 +114,6 @@ CURRENT RELEASE NOTES:
 
 RELEASE SHOWSTOPPERS:
 
-  * Commit http://people.apache.org/~wrowe/CVE-2010-0434.patch
-    SECURITY: CVE-2010-0434 (cve.mitre.org)
-    note; simpler because we had not yet cleaned up input headers for subreq
-    +1: wrowe, trawick, rpluem
-    trawick: remember to post to apply_to_2.0.63 when approved
 
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
   [ start all new proposals below, under PATCHES PROPOSED. ]

Modified: httpd/httpd/branches/2.0.x/server/protocol.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/server/protocol.c?rev=921910&r1=921909&r2=921910&view=diff
==============================================================================
--- httpd/httpd/branches/2.0.x/server/protocol.c (original)
+++ httpd/httpd/branches/2.0.x/server/protocol.c Thu Mar 11 15:57:26 2010
@@ -1022,7 +1022,7 @@ AP_DECLARE(void) ap_set_sub_req_protocol
 
     rnew->status          = HTTP_OK;
 
-    rnew->headers_in      = r->headers_in;
+    rnew->headers_in      = apr_table_copy(rnew->pool, r->headers_in);
     rnew->subprocess_env  = apr_table_copy(rnew->pool, r->subprocess_env);
     rnew->headers_out     = apr_table_make(rnew->pool, 5);
     rnew->err_headers_out = apr_table_make(rnew->pool, 5);