Hi Martin,

Martin Kraemer wrote:
Hi.

While looking at ajp_header.c, I realized that its method of parsing
the header line tokens is flakey: it uses memcmp() to check, e.g.,
whether the header token is "Accept-Charset:", by uppercasing the
token name (-> "ACCEPT-CHARSET"), then compares the initial "ACCEPT-"
prefix, and then tests:
        if (memcmp(p, "CHARSET", 7) == 0) return SC_ACCEPT_CHARSET;
but does not verify that the end of the token has been reached.

Thus, a header
  Accept-CharsetXXX-Blah: utf-8
would be mistaken for an "Accept-Charset: utf-8".

Same goes for a couple of other header names.
The patch replaces the memcmp by a strcmp to check for the trailing
NIL character, too.

For mod_jk the problem you found here is the same. Thanks for finding it!

We finally applied a slightly different patch, by keeping the memcmp, but simply incrementing the number of bytes to compare by one. This should work for mod_proxy also.

Why is it OK?

- the variable header name is inside an array of length 16, which is big enough to hold the longest string we want to compare to

- the variable header names are \0-terminated

- the string constants we compare to are always \0-terminated

- so increasing the number of bytes to do memcmp() on by one will correctly include a compare on the terminating \0.

Our variant of the patch is at

http://marc.info/?l=tomcat-dev&m=118849057126771&w=2

Regards,

Rainer
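An added example modelling the comparison discussed in this thread (not code from ajp_header.c or mod_jk): the prefix-only memcmp() beside the variant that compares one byte more. The result codes and the 15-byte name limit are constructed assumptions.

```c
/* Added example, not code from ajp_header.c or mod_jk. Names longer than
 * 15 bytes are rejected so they always fit the 16-byte array (assumption). */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum { SC_UNKNOWN = 0, SC_ACCEPT_CHARSET, SC_ACCEPT_ENCODING }; /* placeholders */

/* Uppercase name into a zero-filled 16-byte array; 0 if it does not fit. */
static int upper_copy(const char *name, char out[16])
{
    size_t len = strlen(name);
    memset(out, 0, 16);
    if (len == 0 || len > 15)
        return 0;
    for (size_t i = 0; i < len; i++)
        out[i] = (char)toupper((unsigned char)name[i]);
    return 1;
}

/* Original behaviour: the memcmp() length excludes the terminator, so any
 * name that merely starts with "ACCEPT-CHARSET" is accepted. */
int sc_for_header_buggy(const char *name)
{
    char h[16];
    if (!upper_copy(name, h) || memcmp(h, "ACCEPT-", 7) != 0)
        return SC_UNKNOWN;
    const char *p = h + 7;
    if (memcmp(p, "CHARSET", 7) == 0)  return SC_ACCEPT_CHARSET;
    if (memcmp(p, "ENCODING", 8) == 0) return SC_ACCEPT_ENCODING;
    return SC_UNKNOWN;
}

/* Fixed behaviour: sizeof "CHARSET" is 8, so the '\0' ending the literal must
 * also match the '\0' ending the name. The zeroed 16-byte array guarantees
 * that extra byte is readable (h + 7 + 9 == 16 at most). */
int sc_for_header_fixed(const char *name)
{
    char h[16];
    if (!upper_copy(name, h) || memcmp(h, "ACCEPT-", 7) != 0)
        return SC_UNKNOWN;
    const char *p = h + 7;
    if (memcmp(p, "CHARSET", sizeof "CHARSET") == 0)   return SC_ACCEPT_CHARSET;
    if (memcmp(p, "ENCODING", sizeof "ENCODING") == 0) return SC_ACCEPT_ENCODING;
    return SC_UNKNOWN;
}

int main(void)
{
    const char *names[] = { "Accept-Charset", "Accept-CharsetX", "Accept-Encoding" };
    for (size_t i = 0; i < 3; i++)  /* constructed sample header names */
        printf("%-16s buggy=%d fixed=%d\n", names[i],
               sc_for_header_buggy(names[i]), sc_for_header_fixed(names[i]));
    return 0;
}
```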
