On 03/05/2015 03:33 AM, [email protected] wrote: > Author: covener > Date: Thu Mar 5 02:33:16 2015 > New Revision: 1664205 > > URL: http://svn.apache.org/r1664205 > Log: > *) SECURITY: CVE-2015-0253 (cve.mitre.org) > core: Fix a crash introduced in with ErrorDocument 400 pointing > to a local URL-path with the INCLUDES filter active, introduced > in 2.4.11. PR 57531. [Yann Ylavic] > > > Submitted By: ylavic > Committed By: covener > > > > > Modified: > httpd/httpd/trunk/CHANGES > httpd/httpd/trunk/server/protocol.c >
> Modified: httpd/httpd/trunk/server/protocol.c > URL: > http://svn.apache.org/viewvc/httpd/httpd/trunk/server/protocol.c?rev=1664205&r1=1664204&r2=1664205&view=diff > ============================================================================== > --- httpd/httpd/trunk/server/protocol.c (original) > +++ httpd/httpd/trunk/server/protocol.c Thu Mar 5 02:33:16 2015 > @@ -606,8 +606,6 @@ static int read_request_line(request_rec > */ > if (APR_STATUS_IS_ENOSPC(rv)) { > r->status = HTTP_REQUEST_URI_TOO_LARGE; > - r->proto_num = HTTP_VERSION(1,0); > - r->protocol = apr_pstrdup(r->pool, "HTTP/1.0"); > } > else if (APR_STATUS_IS_TIMEUP(rv)) { > r->status = HTTP_REQUEST_TIME_OUT; > @@ -615,6 +613,8 @@ static int read_request_line(request_rec > else if (APR_STATUS_IS_EINVAL(rv)) { > r->status = HTTP_BAD_REQUEST; > } > + r->proto_num = HTTP_VERSION(1,0); > + r->protocol = apr_pstrdup(r->pool, "HTTP/1.0"); > return 0; > } > } while ((len <= 0) && (++num_blank_lines < max_blank_lines)); > > > Don't we need to have the following in addition to avoid a crash in another path? Index: protocol.c =================================================================== --- protocol.c (revision 1664261) +++ protocol.c (working copy) @@ -674,6 +674,8 @@ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(02418) "Invalid protocol '%s'", r->protocol); if (enforce_strict) { + r->protocol = apr_pstrdup(r->pool, "HTTP/1.0"); + r->proto_num = HTTP_VERSION(1,0); r->status = HTTP_BAD_REQUEST; return 0; } Regards Rüdiger
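Review bot: In the quoted r1664205 change to read_request_line(), the two lines added before `return 0;` now run for every failing `rv`, not only the ENOSPC, TIMEUP and EINVAL cases that assign `r->status`, so an `rv` matching none of the three branches returns with the HTTP/1.0 default but with no status set in these lines. A one-line comment above the moved assignments, saying that every early return must leave `r->protocol` and `r->proto_num` set for the error-response path, would document the invariant, and it is worth confirming that the unmatched case gets its status elsewhere.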
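Review bot: In the proposed hunk at line 674 of protocol.c, the added `r->protocol = apr_pstrdup(r->pool, "HTTP/1.0");` overwrites the client-supplied protocol string, whose only record is the preceding `ap_log_rerror` call at APLOG_DEBUG, so at less verbose log levels the invalid value behind the 400 is lost; consider logging it at a higher level when `enforce_strict` rejects the request. The default is also set only inside `if (enforce_strict)`, and the same two assignments now appear in a second error path, so a small shared helper, or a comment naming the invariant, would keep later early returns from missing it.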
