fielding 98/10/29 19:08:56
Modified: src CHANGES src/include http_log.h src/main http_core.c Log: Eliminate DoS attack when a bad URI path contains what looks like a printf format escape. This was caused by allowing tainted data from the network to be placed within the format string of a call to ap_log_rerror. PR: Reported by Remco van de Meent <[EMAIL PROTECTED]>, Studenten Net Twente Submitted by: Marc Slemko Reviewed by: Roy Fielding Revision Changes Path 1.1129 +3 -0 apache-1.3/src/CHANGES Index: CHANGES =================================================================== RCS file: /home/cvs/apache-1.3/src/CHANGES,v retrieving revision 1.1128 retrieving revision 1.1129 diff -u -r1.1128 -r1.1129 --- CHANGES 1998/10/28 19:33:52 1.1128 +++ CHANGES 1998/10/30 03:08:52 1.1129 @@ -1,5 +1,8 @@ Changes with Apache 1.3.4 + *) SECURITY: Eliminate DoS attack when a bad URI path contains what + looks like a printf format escape. [Marc Slemko, Studenten Net Twente] + *) Fix in mod_autoindex: for files where the last modified time stamp was unavailable, an empty string was printed which was 2 bytes short. The size and description columns were therefore not aligned correctly. 1.32 +9 -0 apache-1.3/src/include/http_log.h Index: http_log.h =================================================================== RCS file: /home/cvs/apache-1.3/src/include/http_log.h,v retrieving revision 1.31 retrieving revision 1.32 diff -u -r1.31 -r1.32 --- http_log.h 1998/08/06 17:30:24 1.31 +++ http_log.h 1998/10/30 03:08:55 1.32 
@@ -105,6 +105,15 @@ #define APLOG_MARK __FILE__,__LINE__ void ap_open_logs (server_rec *, pool *p); + +/* The two primary logging functions, ap_log_error and ap_log_rerror, + * use a printf style format string to build the log message. It is + * VERY IMPORTANT that you not include any raw data from the network, + * such as the request-URI or request header fields, within the format + * string. Doing so makes the server vulnerable to a denial-of-service + * attack and other messy behavior. Instead, use a simple format string + * like "%s", followed by the string containing the untrusted data. + */ API_EXPORT(void) ap_log_error(const char *file, int line, int level, const server_rec *s, const char *fmt, ...) __attribute__((format(printf,5,6))); 1.238 +1 -1 apache-1.3/src/main/http_core.c Index: http_core.c =================================================================== RCS file: /home/cvs/apache-1.3/src/main/http_core.c,v retrieving revision 1.237 retrieving revision 1.238 diff -u -r1.237 -r1.238 --- http_core.c 1998/10/23 20:07:39 1.237 +++ http_core.c 1998/10/30 03:08:55 1.238 @@ -2783,7 +2783,7 @@ else { emsg = ap_pstrcat(r->pool, emsg, r->filename, r->path_info, NULL); } - ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, r, emsg); + ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, r, "%s", emsg); return HTTP_NOT_FOUND; } if (r->method_number != M_GET) {
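Review bot: the CHANGES entry states only the symptom (a DoS when a bad URI path looks like a printf escape) and not the root cause that the Log message names, namely tainted data used as the format string of ap_log_rerror. Naming the cause in the entry, e.g. "caused by passing the request path as the format string to ap_log_rerror", tells module authors which pattern to look for in their own logging calls.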
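Review bot: the new comment block is placed directly above the ap_log_error prototype but describes ap_log_rerror as well, whose declaration is outside this hunk; either place the comment where both prototypes are visible or add a one-line pointer above ap_log_rerror so a reader of the second prototype does not miss it. It would also help to say in the comment that the __attribute__((format(printf,5,6))) visible on ap_log_error only lets the compiler check argument types against a literal format string and gives no protection when the format is a runtime string, so the "%s" rule is the actual safeguard.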
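Review bot: the one-line change is correct for this call site: emsg is assembled with ap_pstrcat from r->filename and r->path_info, so it belongs as the argument of a "%s" format rather than as the format itself. Since the Log message attributes the defect to tainted data reaching the format string, this fix should be accompanied by an audit of the remaining ap_log_error and ap_log_rerror call sites for any call whose fmt argument is not a string literal; otherwise the same class of bug can persist elsewhere in the tree.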