On Thu, 1 Sep 2011 14:39:11 +0200
Marcus Meissner <[email protected]> wrote:
> Hi,
>
> CVE-2003-1418, a minor security issue, is still affecting the current
> codebase.
>
> Someone opened a tracker bug a year ago, but it has had no feedback:
> https://issues.apache.org/bugzilla/show_bug.cgi?id=49623
I've just hacked up a simple candidate patch. Review?
(trunk patch - trivial offset when applied to 2.2.x)
--
Nick Kew
Index: modules/http/http_etag.c
===================================================================
--- modules/http/http_etag.c (revision 1164053)
+++ modules/http/http_etag.c (working copy)
@@ -26,6 +26,7 @@
#include "http_core.h"
#include "http_protocol.h" /* For index_of_response(). Grump. */
#include "http_request.h"
+#include "util_md5.h"
/* Generate the human-readable hex representation of an apr_uint64_t
* (basically a faster version of 'sprintf("%llx")')
@@ -50,6 +51,13 @@
*next++ = HEX_DIGITS[u & (apr_uint64_t)0xf];
return next;
}
+static char *etag_uint64_to_md5(char *next, apr_uint64_t u, apr_pool_t *pool)
+{
+ char *digest = ap_md5_binary(pool, (unsigned char*)&u, sizeof(u));
+ int len = strlen(digest);
+ memcpy(next, digest, len);
+ return next+len;
+}
#define ETAG_WEAK "W/"
#define CHARS_PER_UINT64 (sizeof(apr_uint64_t) * 2)
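Review bot: Hashing the inode with an unkeyed MD5 in `etag_uint64_to_md5` does not conceal it, because inode numbers are a small, enumerable space and anyone who receives the ETag can recover the value by hashing candidates until one matches. If the aim is to close the CVE-2003-1418 disclosure, the digest needs a per-server secret mixed in (a keyed hash), or the inode should be dropped from the default FileETag set. Two smaller points in the same function: `strlen` returns `size_t`, so `int len` should be `size_t len`, and hashing the raw bytes of `u` makes the output depend on host byte order. The copy length is taken from the returned string rather than bounded by the caller's buffer, so it relies on `ap_md5_binary` always returning exactly `2 * APR_MD5_DIGESTSIZE` characters.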
@@ -114,7 +122,7 @@
* FileETag keywords.
*/
etag = apr_palloc(r->pool, weak_len + sizeof("\"--\"") +
- 3 * CHARS_PER_UINT64 + 1);
+ 2 * CHARS_PER_UINT64 + 2 * APR_MD5_DIGESTSIZE + 1);
next = etag;
if (weak) {
while (*weak) {
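Review bot: The new size expression has no comment saying which term belongs to which field. The `2 * APR_MD5_DIGESTSIZE` term only matches what `etag_uint64_to_md5` writes as long as the digest is emitted as hex. A comment above the `apr_palloc` call would keep the two in step, for example `/* inode: 2 * APR_MD5_DIGESTSIZE hex chars of MD5; size and mtime: CHARS_PER_UINT64 hex chars each */`. The enclosing function starts and ends outside the hunk.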
@@ -124,7 +132,7 @@
*next++ = '"';
bits_added = 0;
if (etag_bits & ETAG_INODE) {
- next = etag_uint64_to_hex(next, r->finfo.inode);
+ next = etag_uint64_to_md5(next, r->finfo.inode, r->pool);
bits_added |= ETAG_INODE;
}
if (etag_bits & ETAG_SIZE) {
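Review bot: Switching the inode field to `etag_uint64_to_md5` changes every ETag the server emits when `ETAG_INODE` is set. Validators that clients and caches already hold will stop matching after the upgrade, and each resource will be refetched in full once. That is probably acceptable on trunk, but for the 2.2.x backport mentioned in the mail it is a visible behaviour change that deserves an entry in CHANGES and a note in the FileETag documentation. The enclosing function starts and ends outside the hunk.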