On Thu, Mar 27, 2014 at 8:06 AM, Daniel Gruno <rum...@cord.dk> wrote:
> FYI, I have implemented some restrictions and alterations to mod_lua, to
> prevent HTTP Response Splitting in cases where users fail to properly
> check their output or think mod_lua takes care of everything all by itself.
>
> This is not a security flaw in mod_lua itself, but rather a scripting
> accident waiting to happen, that I think is best handled by making
> mod_lua take some extra precautions, much like we have and recommend
> using prepared statements with our database API, to prevent SQL
> injection attacks, instead of the users having to escape values themselves.
>
> If anyone thinks this is a more serious matter (and requires a CVE
> or..?), please let me/us know.
>

IMO Lua scripts would be treated similarly to C-language extensions -- code that httpd must be able to trust. As you noticed, core does not protect against a module (mod_lua or anything else) inserting broken values. A CVE would apply to a broken script or module that inserts broken values.

> With regards,
> Daniel.
>
> On 03/27/2014 12:22 PM, humbed...@apache.org wrote:
> > Author: humbedooh
> > Date: Thu Mar 27 11:22:33 2014
> > New Revision: 1582264
> >
> > URL: http://svn.apache.org/r1582264
> > Log:
> > mod_lua: Prevent HTTP Response Splitting by not allowing tables in the request_rec to be set with values containing newlines.
> >
> > Modified:
> > httpd/httpd/branches/2.4.x/CHANGES
> > httpd/httpd/branches/2.4.x/modules/lua/lua_apr.c
> >
> > Modified: httpd/httpd/branches/2.4.x/CHANGES
> > URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/CHANGES?rev=1582264&r1=1582263&r2=1582264&view=diff
> >
> > ==============================================================================
> > --- httpd/httpd/branches/2.4.x/CHANGES [utf-8] (original)
> > +++ httpd/httpd/branches/2.4.x/CHANGES [utf-8] Thu Mar 27 11:22:33 2014
> > @@ -12,6 +12,10 @@ Changes with Apache 2.4.10
> > from causing response splitting.
> > [Daniel Gruno, Felipe Daragon <filipe syhunt com>]
> >
> > + *) mod_lua: Disallow newlines in table values inside the request_rec,
> > + to prevent HTTP Response Splitting via tainted headers.
> > + [Daniel Gruno, Felipe Daragon <filipe syhunt com>]
> > +
> > Changes with Apache 2.4.9
> >
> > *) mod_ssl: Work around a bug in some older versions of OpenSSL that
> >
> > Modified: httpd/httpd/branches/2.4.x/modules/lua/lua_apr.c
> > URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/lua/lua_apr.c?rev=1582264&r1=1582263&r2=1582264&view=diff
> >
> > ==============================================================================
> > --- httpd/httpd/branches/2.4.x/modules/lua/lua_apr.c (original)
> > +++ httpd/httpd/branches/2.4.x/modules/lua/lua_apr.c Thu Mar 27 11:22:33 2014
> > @@ -40,6 +40,13 @@ static int lua_table_set(lua_State *L)
> > const char *key = luaL_checkstring(L, 2);
> > const char *val = luaL_checkstring(L, 3);
> >
> > + /* Prevent response/header splitting by not allowing newlines in
> tables.
> > + * At this stage, we don't have the request_rec handy, and we can't
> change
> > + * a const char*, so we'll redirect to a standard error value
> instead.
> > + */
> > + if (ap_strchr_c(val, '\n')) {
> > + val = "[ERROR: Value contains newline, ignored.]";
> > + }
> > apr_table_set(t, key, val);
> > return 0;
> > }
> >
> >

-- 
Born in Roswell... married an alien...
http://emptyhammock.com/
http://edjective.org/
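Review bot: in the CHANGES hunk, the wording "Disallow newlines in table values" does not match what the lua_apr.c change actually does, which is to keep the assignment and substitute a fixed error string for the value; the entry should say so (for example "replace values containing newlines with an error marker") so an administrator reading the changelog knows a buggy script still emits the header, only with different contents. It would also help to state the scope plainly: the commit log says "tables in the request_rec", which is wider than "via tainted headers" suggests.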
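Review bot: in the lua_apr.c hunk, `if (ap_strchr_c(val, '\n'))` only tests for LF, so a value containing a bare CR still reaches apr_table_set unchanged; since some HTTP parsers treat a lone CR as a line terminator, the check should also cover '\r' (a second ap_strchr_c call, or one loop over both characters). Replacing the value with "[ERROR: Value contains newline, ignored.]" also means that literal is sent to the client in the header and the script author gets no signal that anything went wrong; the lua_State is in hand here, so `return luaL_error(L, "value contains newline");` would fail the script visibly instead of silently sending a substituted header. Finally, as far as the context shows, lua_table_set is the generic setter, so the substitution applies to every apr_table reachable from the request_rec and not only to outgoing headers; if that is intended, the comment should say so.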