FYI, I have implemented some restrictions and alterations to mod_lua, to
prevent HTTP Response Splitting in cases where users fail to properly
check their output or think mod_lua takes care of everything all by itself.

This is not a security flaw in mod_lua itself, but rather a scripting
accident waiting to happen, that I think is best handled by making
mod_lua take some extra precautions, much like we have and recommend
using prepared statements with our database API, to prevent SQL
injection attacks, instead of the users having to escape values themselves.

If anyone thinks this is a more serious matter (and requires a CVE
or..?), please let me/us know.

With regards,
Daniel.

On 03/27/2014 12:22 PM, humbed...@apache.org wrote:
> Author: humbedooh
> Date: Thu Mar 27 11:22:33 2014
> New Revision: 1582264
> 
> URL: http://svn.apache.org/r1582264
> Log:
> mod_lua: Prevent HTTP Response Splitting by not allowing tables in the 
> request_rec to be set with values containing newlines. 
> 
> Modified:
>     httpd/httpd/branches/2.4.x/CHANGES
>     httpd/httpd/branches/2.4.x/modules/lua/lua_apr.c
> 
> Modified: httpd/httpd/branches/2.4.x/CHANGES
> URL: 
> http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/CHANGES?rev=1582264&r1=1582263&r2=1582264&view=diff
> ==============================================================================
> --- httpd/httpd/branches/2.4.x/CHANGES [utf-8] (original)
> +++ httpd/httpd/branches/2.4.x/CHANGES [utf-8] Thu Mar 27 11:22:33 2014
> @@ -12,6 +12,10 @@ Changes with Apache 2.4.10
>       from causing response splitting.
>       [Daniel Gruno, Felipe Daragon <filipe syhunt com>]
>  
> +  *) mod_lua: Disallow newlines in table values inside the request_rec, 
> +     to prevent HTTP Response Splitting via tainted headers.
> +     [Daniel Gruno, Felipe Daragon <filipe syhunt com>]
> +
>  Changes with Apache 2.4.9
>  
>    *) mod_ssl: Work around a bug in some older versions of OpenSSL that
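Review bot: the CHANGES entry says newlines are "disallowed", but the lua_apr.c hunk further down does not drop the set; it substitutes the fixed string "[ERROR: Value contains newline, ignored.]" and still stores that via apr_table_set, so a script author will see that text turn up as the header value. The entry should describe that behaviour (value replaced with a fixed error marker, not rejected), and "newlines" should match exactly what the code checks, which is LF only.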
> 
> Modified: httpd/httpd/branches/2.4.x/modules/lua/lua_apr.c
> URL: 
> http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/lua/lua_apr.c?rev=1582264&r1=1582263&r2=1582264&view=diff
> ==============================================================================
> --- httpd/httpd/branches/2.4.x/modules/lua/lua_apr.c (original)
> +++ httpd/httpd/branches/2.4.x/modules/lua/lua_apr.c Thu Mar 27 11:22:33 2014
> @@ -40,6 +40,13 @@ static int lua_table_set(lua_State *L)
>      const char     *key = luaL_checkstring(L, 2);
>      const char     *val = luaL_checkstring(L, 3);
>  
> +    /* Prevent response/header splitting by not allowing newlines in tables.
> +     * At this stage, we don't have the request_rec handy, and we can't 
> change
> +     * a const char*, so we'll redirect to a standard error value instead.
> +     */
> +    if (ap_strchr_c(val, '\n')) {
> +        val = "[ERROR: Value contains newline, ignored.]";
> +    }
>      apr_table_set(t, key, val);
>      return 0;
>  }
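Review bot: the check `if (ap_strchr_c(val, '\n'))` only catches LF; a bare CR is not caught, and some HTTP parsers treat a lone '\r' as a line terminator as well, so a value like "foo\rX-Injected: 1" still passes. Suggest testing for both, e.g. `if (ap_strchr_c(val, '\n') || ap_strchr_c(val, '\r'))`. Secondly, the comment says the value is "ignored", but the code then calls `apr_table_set(t, key, val)` with the error string, so "[ERROR: Value contains newline, ignored.]" becomes the stored (and, for headers_out, the emitted) value; either return before the apr_table_set, or raise a Lua error with luaL_error so the script author notices during development rather than discovering it in a client's response.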
> 
> 
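As an added example, not code from mod_lua or the patch above: the kind of check Daniel's note argues for, done in plain C so it can be run stand-alone. It validates a header value the way the patch does for tables in the request_rec, but rejects both CR and LF (the patch only tests for LF), refuses to emit the header instead of substituting an error string, and includes a small helper that counts how many extra lines an unchecked value would split into. The function names, the `tainted` sample value and the fixed-size buffer are all constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Returns 1 if val can be used as a single HTTP header value, 0 otherwise.
 * Any CR or LF would terminate the header line, letting the remainder be
 * parsed as further headers or as the start of the body (response splitting).
 * Checking only '\n' is not enough: a bare '\r' ends a line for some parsers. */
int header_value_is_safe(const char *val)
{
    return strpbrk(val, "\r\n") == NULL;
}

/* Counts how many line breaks an unchecked value would inject, treating a
 * bare CR, a bare LF and a CRLF pair each as one break. Used here only to
 * make the split visible; a real server never gets this far. */
int line_breaks(const char *val)
{
    int n = 0;
    for (; *val; val++) {
        if (*val == '\r') {
            n++;
            if (val[1] == '\n')
                val++;          /* CRLF is one break, not two */
        } else if (*val == '\n') {
            n++;
        }
    }
    return n;
}

/* Writes "Name: value\r\n" into buf. Returns 0 on success, -1 if the value
 * was rejected or does not fit; on -1 nothing is sent (no error marker is
 * substituted into the response). */
int format_header(char *buf, size_t buflen, const char *name, const char *val)
{
    if (!header_value_is_safe(val))
        return -1;
    int n = snprintf(buf, buflen, "%s: %s\r\n", name, val);
    return (n < 0 || (size_t)n >= buflen) ? -1 : 0;
}

/* Constructed sample: a redirect target copied verbatim from a query string,
 * carrying an injected cookie header and a fake body after a blank line. */
static const char *tainted =
    "/home\r\nSet-Cookie: admin=1\r\n\r\n<html>evil</html>";

int main(void)
{
    char buf[256];

    printf("tainted value would add %d line breaks\n", line_breaks(tainted));
    if (format_header(buf, sizeof buf, "Location", tainted) == 0)
        printf("accepted:\n%s", buf);
    else
        printf("rejected tainted Location value\n");

    if (format_header(buf, sizeof buf, "Location", "/home") == 0)
        printf("accepted:\n%s", buf);
    return 0;
}
```

The difference from the patch is in what happens on rejection: here the header is simply not emitted and the caller gets -1, so nothing attacker-influenced, and no error marker either, reaches the client; in a scripting layer the equivalent is to raise an error the script author sees.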
