You are viewing a plain text version of this content. The canonical link for it is here.

Posted to bugs@httpd.apache.org by bu...@apache.org on 2014/05/18 22:37:03 UTC

[Bug 56542] New: 2.4.x mod_rewrite writes data to a log file without sanitizing

https://issues.apache.org/bugzilla/show_bug.cgi?id=56542

            Bug ID: 56542
           Summary: 2.4.x mod_rewrite writes data to a log file without
                    sanitizing
           Product: Apache httpd-2
           Version: 2.4.9
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_rewrite
          Assignee: bugs@httpd.apache.org
          Reporter: max@cert.cx

comparing do_rewritelog() in line 2.2 and 2.4 I've found missing inheritance
for CVE-2013-1862 what may provide to writes data to a log file without
sanitizing

2.2
   logline = apr_psprintf(r->pool, "%s %s %s %s [%s/sid#%pp][rid#%pp/%s%s%s] "
                                    "(%d) %s%s%s%s" APR_EOL_STR,
                           rhost ? ap_escape_logitem(r->pool, rhost) :
"UNKNOWN-HOST",
                           rname ? ap_escape_logitem(r->pool, rname) : "-",


and 

2.4
    logline = apr_psprintf(r->pool, "%s %s %s [%s/sid#%pp][rid#%pp/%s%s%s] "
                                    "%s%s%s%s",
                           rhost ? rhost : "UNKNOWN-HOST",
                           rname ? rname : "-",


Why this is not patched since 2013 in 2.4? What is the reason for such a
difference?

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org

[Bug 56542] 2.4.x mod_rewrite writes data to a log file without sanitizing

Posted by bu...@apache.org.

https://issues.apache.org/bugzilla/show_bug.cgi?id=56542

Ruediger Pluem <rp...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #1 from Ruediger Pluem <rp...@apache.org> ---
This patch is not needed for 2.4.x as the rewrite loging in in 2.4.x uses the
standard httpd logging API which does the escaping later on before printing it
to the file.

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org

[Bug 56542] 2.4.x mod_rewrite writes data to a log file without sanitizing

Posted by bu...@apache.org.

https://issues.apache.org/bugzilla/show_bug.cgi?id=56542

Max <ma...@cert.cx> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |max@cert.cx

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org