Posted to cvs@httpd.apache.org by yl...@apache.org on 2015/06/24 20:04:49 UTC
svn commit: r1687339 - in /httpd/httpd/branches/2.2.x: ./ CHANGES STATUS
modules/http/http_filters.c
Author: ylavic
Date: Wed Jun 24 18:04:49 2015
New Revision: 1687339
URL: http://svn.apache.org/r1687339
Log:
Merge r1685345, r1685347, r1685349 and r1685350 from trunk.
core: Allow spaces after chunk-size for compatibility with implementations
using a pre-filled buffer.
Proposed by: ylavic, trawick
Reviewed by: ylavic, wrowe, minfrin
Modified:
httpd/httpd/branches/2.2.x/ (props changed)
httpd/httpd/branches/2.2.x/CHANGES
httpd/httpd/branches/2.2.x/STATUS
httpd/httpd/branches/2.2.x/modules/http/http_filters.c
Propchange: httpd/httpd/branches/2.2.x/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Wed Jun 24 18:04:49 2015
@@ -1,2 +1,2 @@
/httpd/httpd/branches/2.4.x:1555538,1555559,1648845,1649003,1681034,1682929,1682939
-/httpd/httpd/trunk:290940,395552,417988,451572,501364,583817,583830,611483,630858,639005,639010,647395,657354,657459,660461,660566,664330,678761,680082,681190,682369,683626,685112,686805,686809,687099,687754,693120,693392,693727-693728,696006,697093,706318,707163,708902,711421,713575,719357,720250,729316-729317,729586,732414,732504,732816,732832,733127,733134,733218-733219,734710,743589,755190,756671,756675,756678,756683,757741,761329,763394,764239,768535,769809,771587,771610,776325,777042,777091,778438-778439,778531,778942,780648,780655,780692,780697,780699,785457,785661,790587,803704,819480,823536,823563,834378,835046,891282,900022,932791,942209,952823,953311,955966,979120,981084,992625,1026743,1031551,1040304,1040373,1058192,1070096,1082189,1082196,1090645,1172732,1200040,1200372,1200374,1213380,1222335,1223048,1231446,1244211,1294306,1299738,1300171,1301111,1308862,1327036,1327080,1328133,1328325-1328326,1345319,1348656,1349905,1352912,1363183,1363186,1366344,1367778,1368131,136
8396,1369568,1395225,1398066,1400700,1408402,1410681,1413732,1414094,1416889,1418752,1422234,1422253,1435178,1447426,1470940,1475878,1476604,1476621,1476642,1476644-1476645,1477530,1484852,1485409,1485668,1490994,1493330,1496429,1500323,1504276,1506714,1509872,1509875,1524192,1524770,1526168,1526189,1527291,1527295,1527925,1528718,1529559,1529988,1529991,1531505,1532816,1551685,1551714,1552227,1553204,1554276,1554281,1555240,1555555,1556428,1563420,1572092,1572198,1572543,1572611,1572630,1572655,1572663,1572668-1572671,1572896,1572911,1572967,1573224,1573229,1575400,1585090,1586745,1587594,1587639,1588851,1590509,1603156,1604353,1610207,1610311,1610491,1610501,1611165,1611169,1620932,1621453,1643537,1643543,1648840,1649001,1649043,1650310,1650320,1652929,1653997,1657897,1658765,1663647,1664205,1665215,1665218,1665625,1665721,1666363,1674056,1675533,1676654,1677462,1679182,1679470,1680895,1680900,1680942,1681037,1682923,1682937,1684513
+/httpd/httpd/trunk:290940,395552,417988,451572,501364,583817,583830,611483,630858,639005,639010,647395,657354,657459,660461,660566,664330,678761,680082,681190,682369,683626,685112,686805,686809,687099,687754,693120,693392,693727-693728,696006,697093,706318,707163,708902,711421,713575,719357,720250,729316-729317,729586,732414,732504,732816,732832,733127,733134,733218-733219,734710,743589,755190,756671,756675,756678,756683,757741,761329,763394,764239,768535,769809,771587,771610,776325,777042,777091,778438-778439,778531,778942,780648,780655,780692,780697,780699,785457,785661,790587,803704,819480,823536,823563,834378,835046,891282,900022,932791,942209,952823,953311,955966,979120,981084,992625,1026743,1031551,1040304,1040373,1058192,1070096,1082189,1082196,1090645,1172732,1200040,1200372,1200374,1213380,1222335,1223048,1231446,1244211,1294306,1299738,1300171,1301111,1308862,1327036,1327080,1328133,1328325-1328326,1345319,1348656,1349905,1352912,1363183,1363186,1366344,1367778,1368131,136
8396,1369568,1395225,1398066,1400700,1408402,1410681,1413732,1414094,1416889,1418752,1422234,1422253,1435178,1447426,1470940,1475878,1476604,1476621,1476642,1476644-1476645,1477530,1484852,1485409,1485668,1490994,1493330,1496429,1500323,1504276,1506714,1509872,1509875,1524192,1524770,1526168,1526189,1527291,1527295,1527925,1528718,1529559,1529988,1529991,1531505,1532816,1551685,1551714,1552227,1553204,1554276,1554281,1555240,1555555,1556428,1563420,1572092,1572198,1572543,1572611,1572630,1572655,1572663,1572668-1572671,1572896,1572911,1572967,1573224,1573229,1575400,1585090,1586745,1587594,1587639,1588851,1590509,1603156,1604353,1610207,1610311,1610491,1610501,1611165,1611169,1620932,1621453,1643537,1643543,1648840,1649001,1649043,1650310,1650320,1652929,1653997,1657897,1658765,1663647,1664205,1665215,1665218,1665625,1665721,1666363,1674056,1675533,1676654,1677462,1679182,1679470,1680895,1680900,1680942,1681037,1682923,1682937,1684513,1685345,1685347,1685349-1685350
Modified: httpd/httpd/branches/2.2.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/CHANGES?rev=1687339&r1=1687338&r2=1687339&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.2.x/CHANGES [utf-8] Wed Jun 24 18:04:49 2015
@@ -8,6 +8,9 @@ Changes with Apache 2.2.30
Limit accepted chunk-size to 2^63-1 and be strict about chunk-ext
authorized characters. [Graham Leggett, Yann Ylavic]
+ *) core: Allow spaces after chunk-size for compatibility with implementations
+ using a pre-filled buffer. [Yann Ylavic, Jeff Trawick]
+
*) mod_ssl: bring SNI behavior into better conformance with RFC 6066:
no longer send warning-level unrecognized_name(112) alerts. PR 56241.
[Kaspar Brand]
Modified: httpd/httpd/branches/2.2.x/STATUS
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/STATUS?rev=1687339&r1=1687338&r2=1687339&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/STATUS (original)
+++ httpd/httpd/branches/2.2.x/STATUS Wed Jun 24 18:04:49 2015
@@ -101,42 +101,6 @@ RELEASE SHOWSTOPPERS:
PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
[ start all new proposals below, under PATCHES PROPOSED. ]
- *) SECURITY: CVE-2015-3183 (cve.mitre.org)
- core: Fix chunk header parsing defect.
- Remove apr_brigade_flatten(), buffering and duplicated code from
- the HTTP_IN filter, parse chunks in a single pass with zero copy.
- Limit accepted chunk-size to 2^63-1 and be strict about chunk-ext
- authorized characters. [Graham Leggett, Yann Ylavic]
- Submitted by: minfrin, ylavic
- Reviewed by: ylavic, wrowe,
- Backports: 1484852, 1684513
- Reported by: regilero <regis.leroy makina-corpus.com>
-
- trunk
- http://svn.apache.org/r1484852
- http://svn.apache.org/r1684513
- 2.4.x branch
- http://svn.apache.org/r1684515
- 2.2.x branch
- http://people.apache.org/~wrowe/httpd-2.2.x-ap_http_filter-chunked-v6.patch
- +1: ylavic, wrowe, minfrin
- jim notes: test framework errors due to 413->400 error change [test adjusted]
- wrowe notes: r1684513 was not neglected in this patch, already included
-
- *) core: Allow spaces after chunk-size for compatibility with implementations
- using a pre-filled buffer.
- trunk patch: http://svn.apache.org/r1685345
- http://svn.apache.org/r1685347
- http://svn.apache.org/r1685349
- http://svn.apache.org/r1685350
- 2.[24].x patch: http://people.apache.org/~ylavic/httpd-2.4.x-ap_http_filter_chunked-v3.patch
- (trunk works but CHANGES entry in the above patch is
- better since the APLOG_INFO part is already included
- in the CVE-2015-3183 patch)
- +1: ylavic, wrowe, minfrin
- ylavic: CVE-2015-3183 patch httpd-2.2.x-ap_http_filter-chunked-v6.patch
- above must be applied first.
-
PATCHES PROPOSED TO BACKPORT FROM TRUNK:
[ New proposals should be added at the end of the list ]
Modified: httpd/httpd/branches/2.2.x/modules/http/http_filters.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/http/http_filters.c?rev=1687339&r1=1687338&r2=1687339&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/modules/http/http_filters.c (original)
+++ httpd/httpd/branches/2.2.x/modules/http/http_filters.c Wed Jun 24 18:04:49 2015
@@ -70,10 +70,11 @@ typedef struct http_filter_ctx
BODY_CHUNK, /* chunk expected */
BODY_CHUNK_PART, /* chunk digits */
BODY_CHUNK_EXT, /* chunk extension */
- BODY_CHUNK_LF, /* got CR, expect LF after digits/extension */
+ BODY_CHUNK_CR, /* got space(s) after digits, expect [CR]LF or ext */
+ BODY_CHUNK_LF, /* got CR after digits or ext, expect LF */
BODY_CHUNK_DATA, /* data constrained by chunked encoding */
BODY_CHUNK_END, /* chunked data terminating CRLF */
- BODY_CHUNK_END_LF, /* got CR, expect LF after data */
+ BODY_CHUNK_END_LF, /* got CR after data, expect LF */
BODY_CHUNK_TRAILER /* trailers */
} state;
unsigned int eos_sent :1;
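Review bot: The comment on the new `BODY_CHUNK_CR` state says "space(s)", but the transition added in the `parse_chunk_size` hunk that follows enters this state on either `' '` or `'\t'`, so the enum documentation understates what the parser tolerates. Chunk-size parsing decides where a request body ends, and the STATUS entry removed in this commit ties the preceding rework of this parser to CVE-2015-3183, so the accepted bytes are worth spelling out exactly, e.g. `BODY_CHUNK_CR, /* got SP/HTAB after chunk-size (lenient), expect ';', CR or LF */`. Nothing in the visible lines bounds how many such characters are accepted; if a limit is enforced elsewhere in `parse_chunk_size`, naming it in the same comment would help anyone comparing this parser's framing rules with those of a front-end proxy. The enclosing `http_filter_ctx` struct starts before this hunk and continues past it.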
@@ -203,6 +204,15 @@ static apr_status_t parse_chunk_size(htt
return APR_EINVAL;
}
}
+ else if (c == ' ' || c == '\t') {
+ ctx->state = BODY_CHUNK_CR;
+ }
+ else if (ctx->state == BODY_CHUNK_CR) {
+ /*
+ * ';', CR or LF expected.
+ */
+ return APR_EINVAL;
+ }
else if (ctx->state == BODY_CHUNK_PART) {
int xvalue;