You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by yl...@apache.org on 2015/06/24 20:04:49 UTC

svn commit: r1687339 - in /httpd/httpd/branches/2.2.x: ./ CHANGES STATUS modules/http/http_filters.c

Author: ylavic
Date: Wed Jun 24 18:04:49 2015
New Revision: 1687339

URL: http://svn.apache.org/r1687339
Log:
Merge r1685345, r1685347, r1685349 and r1685350 from trunk.

core: Allow spaces after chunk-size for compatibility with implementations
using a pre-filled buffer.

Proposed by: ylavic, trawick
Reviewed by: ylavic, wrowe, minfrin

Modified:
    httpd/httpd/branches/2.2.x/   (props changed)
    httpd/httpd/branches/2.2.x/CHANGES
    httpd/httpd/branches/2.2.x/STATUS
    httpd/httpd/branches/2.2.x/modules/http/http_filters.c

Propchange: httpd/httpd/branches/2.2.x/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Wed Jun 24 18:04:49 2015
@@ -1,2 +1,2 @@
 /httpd/httpd/branches/2.4.x:1555538,1555559,1648845,1649003,1681034,1682929,1682939
-/httpd/httpd/trunk:290940,395552,417988,451572,501364,583817,583830,611483,630858,639005,639010,647395,657354,657459,660461,660566,664330,678761,680082,681190,682369,683626,685112,686805,686809,687099,687754,693120,693392,693727-693728,696006,697093,706318,707163,708902,711421,713575,719357,720250,729316-729317,729586,732414,732504,732816,732832,733127,733134,733218-733219,734710,743589,755190,756671,756675,756678,756683,757741,761329,763394,764239,768535,769809,771587,771610,776325,777042,777091,778438-778439,778531,778942,780648,780655,780692,780697,780699,785457,785661,790587,803704,819480,823536,823563,834378,835046,891282,900022,932791,942209,952823,953311,955966,979120,981084,992625,1026743,1031551,1040304,1040373,1058192,1070096,1082189,1082196,1090645,1172732,1200040,1200372,1200374,1213380,1222335,1223048,1231446,1244211,1294306,1299738,1300171,1301111,1308862,1327036,1327080,1328133,1328325-1328326,1345319,1348656,1349905,1352912,1363183,1363186,1366344,1367778,1368131,136
 8396,1369568,1395225,1398066,1400700,1408402,1410681,1413732,1414094,1416889,1418752,1422234,1422253,1435178,1447426,1470940,1475878,1476604,1476621,1476642,1476644-1476645,1477530,1484852,1485409,1485668,1490994,1493330,1496429,1500323,1504276,1506714,1509872,1509875,1524192,1524770,1526168,1526189,1527291,1527295,1527925,1528718,1529559,1529988,1529991,1531505,1532816,1551685,1551714,1552227,1553204,1554276,1554281,1555240,1555555,1556428,1563420,1572092,1572198,1572543,1572611,1572630,1572655,1572663,1572668-1572671,1572896,1572911,1572967,1573224,1573229,1575400,1585090,1586745,1587594,1587639,1588851,1590509,1603156,1604353,1610207,1610311,1610491,1610501,1611165,1611169,1620932,1621453,1643537,1643543,1648840,1649001,1649043,1650310,1650320,1652929,1653997,1657897,1658765,1663647,1664205,1665215,1665218,1665625,1665721,1666363,1674056,1675533,1676654,1677462,1679182,1679470,1680895,1680900,1680942,1681037,1682923,1682937,1684513
+/httpd/httpd/trunk:290940,395552,417988,451572,501364,583817,583830,611483,630858,639005,639010,647395,657354,657459,660461,660566,664330,678761,680082,681190,682369,683626,685112,686805,686809,687099,687754,693120,693392,693727-693728,696006,697093,706318,707163,708902,711421,713575,719357,720250,729316-729317,729586,732414,732504,732816,732832,733127,733134,733218-733219,734710,743589,755190,756671,756675,756678,756683,757741,761329,763394,764239,768535,769809,771587,771610,776325,777042,777091,778438-778439,778531,778942,780648,780655,780692,780697,780699,785457,785661,790587,803704,819480,823536,823563,834378,835046,891282,900022,932791,942209,952823,953311,955966,979120,981084,992625,1026743,1031551,1040304,1040373,1058192,1070096,1082189,1082196,1090645,1172732,1200040,1200372,1200374,1213380,1222335,1223048,1231446,1244211,1294306,1299738,1300171,1301111,1308862,1327036,1327080,1328133,1328325-1328326,1345319,1348656,1349905,1352912,1363183,1363186,1366344,1367778,1368131,136
 8396,1369568,1395225,1398066,1400700,1408402,1410681,1413732,1414094,1416889,1418752,1422234,1422253,1435178,1447426,1470940,1475878,1476604,1476621,1476642,1476644-1476645,1477530,1484852,1485409,1485668,1490994,1493330,1496429,1500323,1504276,1506714,1509872,1509875,1524192,1524770,1526168,1526189,1527291,1527295,1527925,1528718,1529559,1529988,1529991,1531505,1532816,1551685,1551714,1552227,1553204,1554276,1554281,1555240,1555555,1556428,1563420,1572092,1572198,1572543,1572611,1572630,1572655,1572663,1572668-1572671,1572896,1572911,1572967,1573224,1573229,1575400,1585090,1586745,1587594,1587639,1588851,1590509,1603156,1604353,1610207,1610311,1610491,1610501,1611165,1611169,1620932,1621453,1643537,1643543,1648840,1649001,1649043,1650310,1650320,1652929,1653997,1657897,1658765,1663647,1664205,1665215,1665218,1665625,1665721,1666363,1674056,1675533,1676654,1677462,1679182,1679470,1680895,1680900,1680942,1681037,1682923,1682937,1684513,1685345,1685347,1685349-1685350

Modified: httpd/httpd/branches/2.2.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/CHANGES?rev=1687339&r1=1687338&r2=1687339&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.2.x/CHANGES [utf-8] Wed Jun 24 18:04:49 2015
@@ -8,6 +8,9 @@ Changes with Apache 2.2.30
      Limit accepted chunk-size to 2^63-1 and be strict about chunk-ext
      authorized characters.  [Graham Leggett, Yann Ylavic]
 
+  *) core: Allow spaces after chunk-size for compatibility with implementations
+     using a pre-filled buffer.  [Yann Ylavic, Jeff Trawick]
+
   *) mod_ssl: bring SNI behavior into better conformance with RFC 6066:
      no longer send warning-level unrecognized_name(112) alerts. PR 56241.
      [Kaspar Brand]

Modified: httpd/httpd/branches/2.2.x/STATUS
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/STATUS?rev=1687339&r1=1687338&r2=1687339&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/STATUS (original)
+++ httpd/httpd/branches/2.2.x/STATUS Wed Jun 24 18:04:49 2015
@@ -101,42 +101,6 @@ RELEASE SHOWSTOPPERS:
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
   [ start all new proposals below, under PATCHES PROPOSED. ]
 
-  *) SECURITY: CVE-2015-3183 (cve.mitre.org)
-     core: Fix chunk header parsing defect.
-     Remove apr_brigade_flatten(), buffering and duplicated code from
-     the HTTP_IN filter, parse chunks in a single pass with zero copy.
-     Limit accepted chunk-size to 2^63-1 and be strict about chunk-ext
-     authorized characters.  [Graham Leggett, Yann Ylavic]
-  Submitted by: minfrin, ylavic
-  Reviewed by: ylavic, wrowe,
-  Backports: 1484852, 1684513
-  Reported by: regilero <regis.leroy makina-corpus.com>
-
-  trunk
-    http://svn.apache.org/r1484852
-    http://svn.apache.org/r1684513
-  2.4.x branch
-    http://svn.apache.org/r1684515
-  2.2.x branch
-    http://people.apache.org/~wrowe/httpd-2.2.x-ap_http_filter-chunked-v6.patch
-  +1: ylavic, wrowe, minfrin
-  jim notes: test framework errors due to 413->400 error change [test adjusted]
-  wrowe notes: r1684513 was not neglected in this patch, already included
-
-  *) core: Allow spaces after chunk-size for compatibility with implementations
-     using a pre-filled buffer.
-     trunk patch: http://svn.apache.org/r1685345
-                  http://svn.apache.org/r1685347
-                  http://svn.apache.org/r1685349
-                  http://svn.apache.org/r1685350
-     2.[24].x patch: http://people.apache.org/~ylavic/httpd-2.4.x-ap_http_filter_chunked-v3.patch
-                     (trunk works but CHANGES entry in the above patch is
-                      better since the APLOG_INFO part is already included
-                      in the CVE-2015-3183 patch)
-     +1: ylavic, wrowe, minfrin
-     ylavic: CVE-2015-3183 patch httpd-2.2.x-ap_http_filter-chunked-v6.patch
-             above must be applied first.
-
 
 PATCHES PROPOSED TO BACKPORT FROM TRUNK:
   [ New proposals should be added at the end of the list ]

Modified: httpd/httpd/branches/2.2.x/modules/http/http_filters.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/http/http_filters.c?rev=1687339&r1=1687338&r2=1687339&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/modules/http/http_filters.c (original)
+++ httpd/httpd/branches/2.2.x/modules/http/http_filters.c Wed Jun 24 18:04:49 2015
@@ -70,10 +70,11 @@ typedef struct http_filter_ctx
         BODY_CHUNK, /* chunk expected */
         BODY_CHUNK_PART, /* chunk digits */
         BODY_CHUNK_EXT, /* chunk extension */
-        BODY_CHUNK_LF, /* got CR, expect LF after digits/extension */
+        BODY_CHUNK_CR, /* got space(s) after digits, expect [CR]LF or ext */
+        BODY_CHUNK_LF, /* got CR after digits or ext, expect LF */
         BODY_CHUNK_DATA, /* data constrained by chunked encoding */
         BODY_CHUNK_END, /* chunked data terminating CRLF */
-        BODY_CHUNK_END_LF, /* got CR, expect LF after data */
+        BODY_CHUNK_END_LF, /* got CR after data, expect LF */
         BODY_CHUNK_TRAILER /* trailers */
     } state;
     unsigned int eos_sent :1;
@@ -203,6 +204,15 @@ static apr_status_t parse_chunk_size(htt
                 return APR_EINVAL;
             }
         }
+        else if (c == ' ' || c == '\t') {
+            ctx->state = BODY_CHUNK_CR;
+        }
+        else if (ctx->state == BODY_CHUNK_CR) {
+            /*
+             * ';', CR or LF expected.
+             */
+            return APR_EINVAL;
+        }
         else if (ctx->state == BODY_CHUNK_PART) {
             int xvalue;