Hi everybody,

can someone please have a look at the diff for passenger=2.2.11debian-2 in Squeeze that should solve CVE-2015-7519[1] and nod?

Thanks!
 Thorsten


[1] https://security-tracker.debian.org/tracker/CVE-2015-7519



diff -Nru passenger-2.2.11debian/ext/apache2/Hooks.cpp 
passenger-2.2.11debian/ext/apache2/Hooks.cpp
--- passenger-2.2.11debian/ext/apache2/Hooks.cpp        2010-03-05 
10:35:16.000000000 +0100
+++ passenger-2.2.11debian/ext/apache2/Hooks.cpp        2015-12-28 
20:04:14.000000000 +0100
@@ -779,9 +779,33 @@
        char *lookupEnv(request_rec *r, const char *name) {
                return lookupName(r->subprocess_env, name);
        }
+
+       static bool
+       isAlphaNum(char ch) {
+               return (ch >= '0' && ch <= '9') || (ch >= 'a' && ch <= 'z') || (ch >= 'A' 
&& ch <= 'Z');
+       }
+
+       /**
+        * For CGI, alphanum headers with optional dashes are mapped to 
UPP3R_CAS3. This
+        * function can be used to reject non-alphanum/dash headers that would 
end up with
+        * the same mapping (e.g. upp3r_cas3 and upp3r-cas3 would end up the 
same, and
+        * potentially collide each other in the receiving application). This is
+        * used to fix CVE-2015-7519.
+        */
+       static bool
+       containsNonAlphaNumDash(const char *s) {
+               size_t len = strlen(s);
+               for (size_t i = 0; i < len; i++) {
+                       const char start = s[i];
+                       if (start != '-' && !isAlphaNum(start)) {
+                               return true;
+                       }
+               }
+               return false;
+       }

        void inline addHeader(apr_table_t *table, const char *name, const char 
*value) {
-               if (name != NULL && value != NULL) {
+               if ((name != NULL && value != NULL) || 
containsNonAlphaNumDash(name)) {
                        apr_table_addn(table, name, value);
                }
        }
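
Review bot: The new condition in addHeader, `(name != NULL && value != NULL) || containsNonAlphaNumDash(name)`, never rejects a header. Any header with a non-NULL name and value satisfies the left side of the `||` and is still added, including names with underscores that the comment above says must be filtered. When name is NULL, the left side is false, so containsNonAlphaNumDash(NULL) is evaluated and calls strlen on a NULL pointer. When value is NULL and the name contains a rejected character, apr_table_addn is called with a NULL value. The check should be negated and joined with `&&`, for example `name != NULL && value != NULL && !containsNonAlphaNumDash(name)`, so that the NULL tests run first and only alphanumeric/dash names are passed on.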

