fielding 98/10/29 19:08:56
Modified: src CHANGES
src/include http_log.h
src/main http_core.c
Log:
Eliminate DoS attack when a bad URI path contains what
looks like a printf format escape. This was caused by allowing
tainted data from the network to be placed within the format string
of a call to ap_log_rerror.
PR: Reported by Remco van de Meent <[EMAIL PROTECTED]>, Studenten Net Twente
Submitted by: Marc Slemko
Reviewed by: Roy Fielding
Revision Changes Path
1.1129 +3 -0 apache-1.3/src/CHANGES
Index: CHANGES
===================================================================
RCS file: /home/cvs/apache-1.3/src/CHANGES,v
retrieving revision 1.1128
retrieving revision 1.1129
diff -u -r1.1128 -r1.1129
--- CHANGES 1998/10/28 19:33:52 1.1128
+++ CHANGES 1998/10/30 03:08:52 1.1129
@@ -1,5 +1,8 @@
Changes with Apache 1.3.4
+ *) SECURITY: Eliminate DoS attack when a bad URI path contains what
+ looks like a printf format escape. [Marc Slemko, Studenten Net Twente]
+
*) Fix in mod_autoindex: for files where the last modified time stamp was
unavailable, an empty string was printed which was 2 bytes short.
The size and description columns were therefore not aligned correctly.
1.32 +9 -0 apache-1.3/src/include/http_log.h
Index: http_log.h
===================================================================
RCS file: /home/cvs/apache-1.3/src/include/http_log.h,v
retrieving revision 1.31
retrieving revision 1.32
diff -u -r1.31 -r1.32
--- http_log.h 1998/08/06 17:30:24 1.31
+++ http_log.h 1998/10/30 03:08:55 1.32
@@ -105,6 +105,15 @@
#define APLOG_MARK __FILE__,__LINE__
void ap_open_logs (server_rec *, pool *p);
+
+/* The two primary logging functions, ap_log_error and ap_log_rerror,
+ * use a printf style format string to build the log message. It is
+ * VERY IMPORTANT that you not include any raw data from the network,
+ * such as the request-URI or request header fields, within the format
+ * string. Doing so makes the server vulnerable to a denial-of-service
+ * attack and other messy behavior. Instead, use a simple format string
+ * like "%s", followed by the string containing the untrusted data.
+ */
API_EXPORT(void) ap_log_error(const char *file, int line, int level,
const server_rec *s, const char *fmt, ...)
__attribute__((format(printf,5,6)));
1.238 +1 -1 apache-1.3/src/main/http_core.c
Index: http_core.c
===================================================================
RCS file: /home/cvs/apache-1.3/src/main/http_core.c,v
retrieving revision 1.237
retrieving revision 1.238
diff -u -r1.237 -r1.238
--- http_core.c 1998/10/23 20:07:39 1.237
+++ http_core.c 1998/10/30 03:08:55 1.238
@@ -2783,7 +2783,7 @@
else {
emsg = ap_pstrcat(r->pool, emsg, r->filename, r->path_info, NULL);
}
- ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, r, emsg);
+ ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, r, "%s", emsg);
return HTTP_NOT_FOUND;
}
if (r->method_number != M_GET) {
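Review bot: Only this one ap_log_rerror call site gets the `"%s"` guard, and nothing in the hunk shows whether other ap_log_error/ap_log_rerror calls in the tree still pass a pool-built string (here emsg, assembled from r->filename and r->path_info) as fmt. Since http_log.h declares ap_log_error with `__attribute__((format(printf,5,6)))`, compiling with `-Wformat -Wformat-nonliteral` (or `-Wformat-security`) makes the compiler report every remaining non-literal fmt argument, which is the sweep I would run alongside this fix; whether ap_log_rerror carries the same format attribute is outside the shown header hunk and should be confirmed. The enclosing function in http_core.c starts before this hunk.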