>Number:         1305
>Category:       general
>Synopsis:       Apache is *very* unprotected against characters with 8bit set
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    apache
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Wed Oct 22 22:50:01 PDT 1997
>Last-Modified:
>Originator:     [EMAIL PROTECTED]
>Organization:   apache
>Release:        1.3b2
>Environment:    FreeBSD
>Description:
According to both the POSIX and ANSI specs, the valid argument range for the ctype macros is EOF and 0..255 (for 8-bit chars). This means that a call like isupper(-179) is illegal and may address beyond the bounds of the ctype table, causing a page fault, or random bits may be picked up from that memory region. A call with a negative argument can happen with any "signed char" value, making ctype_macro((char)) illegal for all characters with the 8th bit set, due to sign extension in the char -> int promotion.

There are two ways to fix it: the first is to add an isascii() check before any ctype macro, including tolower and toupper (assuming you want to deal with ASCII data only); the second is to add an "(unsigned char)" cast directly to the ctype macro argument. The second way is faster. BTW, it can't be solved at the OS level, since recognition of EOF (-1) is still wanted (and EOF is indistinguishable from '\377' after sign extension), so it is the application's task to pass a correct argument.

A second problem is that you indirectly assume that the default system ctype table is ASCII. Expanding the default system table from ASCII to a superset charset does not violate POSIX, so the system default ctype table can be iso-8859-1, for example. You can force ASCII by calling setlocale() with an ASCII locale name as the argument, but the name differs between platforms and setlocale() itself is not always available. The alternative method is to check isascii() before things like isalpha(), isalnum(), etc. in all cases where you assume ASCII only.
>How-To-Repeat:
>Fix:
I made a mega-patch trying to fix all incorrect ctype macro usage in Apache. Since the patch is over 50K I can't cut&paste it here, but I have made it available at http://www.nagual.pp.ru/~ache/apache_ctype.patch
Surprisingly, I found that the new mod_mime_magic provides a few examples of the same ctype macro usage as I recommend, but I think they come from 3rd party code.
>Audit-Trail:
>Unformatted:
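The following is an added example illustrating the two fixes described in the report; it is not part of the report or of the linked apache_ctype.patch. The function names (ctype_arg_is_valid, safe_isupper, ascii_only_alpha, lower_ascii, byte_ff_looks_like_eof) and the sample header string are assumptions made for the example. It shows how a high-bit byte sign-extends into an out-of-range ctype argument on a signed-char platform, the "(unsigned char)" cast that makes the argument legal, the isascii-style 7-bit check that keeps classification independent of the locale's ctype table, and why '\377' collides with EOF.

```c
#include <ctype.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the Apache report or its patch; the names
 * below are hypothetical. */

/* Returns 1 when the int obtained by promoting a plain "char" is a legal
 * ctype argument (EOF or 0..255), 0 when it is not. Where char is signed,
 * any byte with the 8th bit set promotes to a negative value other than
 * EOF and is rejected, which is exactly the bug the report describes. */
int ctype_arg_is_valid(char c)
{
    int as_int = c;                 /* implicit char -> int promotion */
    return as_int == EOF || (as_int >= 0 && as_int <= 255);
}

/* The recommended fix: cast to unsigned char first, so the promoted
 * value is always 0..255 and never indexes outside the ctype table. */
int safe_isupper(char c)
{
    return isupper((unsigned char)c) != 0;
}

/* ASCII-only classification independent of the process locale: a byte
 * is accepted only if it is 7-bit (the isascii() condition) and the
 * ctype macro, fed a legal argument, agrees. */
int ascii_only_alpha(char c)
{
    unsigned char uc = (unsigned char)c;
    return uc < 0x80 && isalpha(uc) != 0;
}

/* In-place lowercasing of ASCII letters only; bytes with the 8th bit set
 * are never passed to the ctype macros and are left untouched.
 * Returns the number of bytes changed. */
size_t lower_ascii(char *s)
{
    size_t changed = 0;
    for (; *s; s++) {
        unsigned char uc = (unsigned char)*s;
        if (uc < 0x80 && isupper(uc)) {
            *s = (char)tolower(uc);
            changed++;
        }
    }
    return changed;
}

/* Why the library cannot fix this for you: on a signed-char platform the
 * byte '\377' promotes to -1, which is indistinguishable from EOF.
 * Returns 1 where char is signed, 0 where it is unsigned. */
int byte_ff_looks_like_eof(void)
{
    char c = '\377';
    return (int)c == EOF;
}

int main(void)
{
    /* Constructed sample input: 0xC9 is a byte with the 8th bit set. */
    char buf[] = "Host: Caf\xC9 ABC";

    printf("char is %s\n", CHAR_MIN < 0 ? "signed" : "unsigned");
    printf("0xC9 legal ctype arg via plain char: %d\n",
           ctype_arg_is_valid('\xC9'));
    printf("safe_isupper(0xC9): %d\n", safe_isupper('\xC9'));
    printf("ascii_only_alpha(0xC9): %d\n", ascii_only_alpha('\xC9'));
    printf("'\\377' == EOF: %d\n", byte_ff_looks_like_eof());
    printf("lower_ascii changed %zu bytes -> %s\n", lower_ascii(buf), buf);
    return 0;
}
```

Compile with -fsigned-char or -funsigned-char to see the first and last printed lines flip while the casted and 7-bit-checked helpers behave the same either way; that is the point of the cast.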
