Hello Eric,
Okay. Thanks.
I must have missed that discussion.
I just now compared ap_make_content_type in both 2.2 and 2.4.
It looks like you are correct.
Some code to return NULL was added in 2.4.
So there is no need to check the return from ap_make_content_type for NULL.
Sorry for the noise.
Take care,
Mike
On 10/14/2014 10:03 AM, Eric Covener wrote:
I thought at the time, the discussion was that ap_make_content_type
in those releases never returned NULL.
On Tue, Oct 14, 2014 at 1:01 PM, Mike Rumph <[email protected]> wrote:
In 2.2 code, this problem is actually in two places.
It is also in the store_headers function in
modules/cache/mod_mem_cache.c.
On 10/14/2014 8:40 AM, Mike Rumph wrote:
Hello Jim and Jan,
I am considering a proposal of backporting this fix to the 2.2
branch.
At first look, this fix doesn't apply to 2.2 code.
But I noticed that the pertinent code has been refactored
between 2.2 and 2.4.
The same problem exists in 2.2, but just in a different location.
In 2.2, the problem is in the store_headers function in
modules/cache/mod_disk_cache.c.
Are either of you interested in working a patch for this?
Otherwise, I will look at it myself in a few days.
Thanks,
Mike Rumph
On 9/26/2014 4:00 AM, [email protected] wrote:
Author: jim
Date: Fri Sep 26 11:00:14 2014
New Revision: 1627749
URL: http://svn.apache.org/r1627749
Log:
Merge r1624234 from trunk:
SECURITY (CVE-2014-3581): Fix a mod_cache NULL pointer
dereference in Content-Type handling.
mod_cache: Avoid a crash when Content-Type has an empty
value. PR56924.
Submitted By: Mark Montague <mark catseye.org>
Reviewed By: Jan Kaluza
Submitted by: jkaluza
Reviewed/backported by: jim
Modified:
httpd/httpd/branches/2.4.x/ (props changed)
httpd/httpd/branches/2.4.x/CHANGES
httpd/httpd/branches/2.4.x/STATUS
httpd/httpd/branches/2.4.x/modules/cache/cache_util.c
Propchange: httpd/httpd/branches/2.4.x/
------------------------------------------------------------------------------
Merged /httpd/httpd/trunk:r1624234
Modified: httpd/httpd/branches/2.4.x/CHANGES
URL:
http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/CHANGES?rev=1627749&r1=1627748&r2=1627749&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.4.x/CHANGES [utf-8] Fri Sep 26
11:00:14 2014
@@ -2,6 +2,10 @@
Changes with Apache 2.4.11
+ *) SECURITY: CVE-2014-3581 (cve.mitre.org
<http://cve.mitre.org>)
+ mod_cache: Avoid a crash when Content-Type has an
empty value.
+ PR 56924. [Mark Montague <mark catseye.org
<http://catseye.org>>, Jan Kaluza]
+
*) mod_cache: Avoid sending 304 responses during
failed revalidations
PR56881. [Eric Covener]
Modified: httpd/httpd/branches/2.4.x/STATUS
URL:
http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/STATUS?rev=1627749&r1=1627748&r2=1627749&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/STATUS (original)
+++ httpd/httpd/branches/2.4.x/STATUS Fri Sep 26 11:00:14 2014
@@ -102,11 +102,6 @@ RELEASE SHOWSTOPPERS:
PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
[ start all new proposals below, under PATCHES PROPOSED. ]
- * mod_cache: CVE-2014-3581 - Avoid a crash when
Content-Type has an empty
- value. PR56924.
- trunk patch: http://svn.apache.org/r1624234
- 2.4.x patch: trunk works (modulo CHANGES)
- +1: jkaluza, jim, ylavic
PATCHES PROPOSED TO BACKPORT FROM TRUNK:
Modified:
httpd/httpd/branches/2.4.x/modules/cache/cache_util.c
URL:
http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/cache/cache_util.c?rev=1627749&r1=1627748&r2=1627749&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/modules/cache/cache_util.c
(original)
+++ httpd/httpd/branches/2.4.x/modules/cache/cache_util.c
Fri Sep 26 11:00:14 2014
@@ -1258,8 +1258,10 @@ apr_table_t
*cache_merge_headers_out(req
if (r->content_type
&& !apr_table_get(headers_out,
"Content-Type")) {
- apr_table_setn(headers_out, "Content-Type",
- ap_make_content_type(r,
r->content_type));
+ const char *ctype = ap_make_content_type(r,
r->content_type);
+ if (ctype) {
+ apr_table_setn(headers_out, "Content-Type",
ctype);
+ }
}
if (r->content_encoding
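Review bot: the `if (ctype)` guard added in cache_merge_headers_out silently skips setting Content-Type in headers_out when ap_make_content_type returns NULL, and nothing in the code says when that happens or that dropping the header is intended. Add a short comment above the guard naming the case from the log message (an empty Content-Type value, PR56924), and consider a debug-level log line on the NULL path so a response cached without a Content-Type can be traced. The outer test `r->content_type` only checks for a non-NULL pointer, so an empty string still reaches ap_make_content_type; a regression test with an empty Content-Type value would pin this behaviour down.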
--
Eric Covener
[email protected]