Re: svn commit: r1639814 - /httpd/httpd/trunk/modules/aaa/mod_authnz_fcgi.c
On Fri, Nov 14, 2014 at 7:37 PM, yla...@apache.org wrote: Author: ylavic Date: Sat Nov 15 00:37:13 2014 New Revision: 1639814 URL: http://svn.apache.org/r1639814 Log: mod_authnz_fcgi: follow up to r1639717. Let ap_scan_script_header*() validate the headers. Modified: httpd/httpd/trunk/modules/aaa/mod_authnz_fcgi.c Modified: httpd/httpd/trunk/modules/aaa/mod_authnz_fcgi.c URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/aaa/mod_authnz_fcgi.c?rev=1639814r1=1639813r2=1639814view=diff == --- httpd/httpd/trunk/modules/aaa/mod_authnz_fcgi.c (original) +++ httpd/httpd/trunk/modules/aaa/mod_authnz_fcgi.c Sat Nov 15 00:37:13 2014 @@ -442,11 +442,8 @@ static int handle_headers(request_rec *r break; } } -else if (*itr == '\t' || !apr_iscntrl(*itr)) { -*state = HDR_STATE_READING_HEADERS; -} else { -return -1; +*state = HDR_STATE_READING_HEADERS; } if (*state == HDR_STATE_DONE_WITH_HEADERS) I was looking at the diffs for 2.4 and noticed some vestigial code from the first revision; please check the attached patch to see if you agree with some additional removals. Also, my understanding is that * some of the code in your first revision of both modules catches potential errors that should have been caught before, so that's an additional issue that could be mentioned in CHANGES. * the one CVE should apply to both modules, and the CHANGES entry can be grouped together. (It could in fact be the same affected application, which supports both authentication|authorization and response generation, using the two modules) Agreed? Thanks! -- Born in Roswell... married an alien... http://emptyhammock.com/ Index: modules/proxy/mod_proxy_fcgi.c === --- modules/proxy/mod_proxy_fcgi.c (revision 1639871) +++ modules/proxy/mod_proxy_fcgi.c (working copy) @@ -18,8 +18,6 @@ #include util_fcgi.h #include util_script.h -#include apr_lib.h /* for apr_iscntrl() */ - module AP_MODULE_DECLARE_DATA proxy_fcgi_module; /* 
@@ -568,12 +566,6 @@ int st = handle_headers(r, header_state, iobuf, readbuflen); -if (st == -1) { -*err = parsing response headers; -rv = APR_EINVAL; -break; -} - if (st == 1) { int status; seen_end_of_headers = 1; Index: modules/aaa/mod_authnz_fcgi.c === --- modules/aaa/mod_authnz_fcgi.c (revision 1639871) +++ modules/aaa/mod_authnz_fcgi.c (working copy) @@ -558,15 +558,6 @@ int st = handle_headers(r, header_state, readbuf, readbuflen); -if (st == -1) { -ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, - APLOGNO(02821) %s: error reading - headers from %s, - fn, conf-backend); -rv = APR_EINVAL; -break; -} - if (st == 1) { int status;
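Review bot: With the `else if (*itr == '\t' || !apr_iscntrl(*itr))` branch dropped in the handle_headers hunk at @@ -442 of r1639814, a control character in a header line no longer makes handle_headers() return -1, so the only remaining validation is whatever ap_scan_script_header*() does on the buffered headers. Worth confirming in review that every path consuming those headers goes through that function and that its rejection of a malformed header is propagated to the caller as an error, rather than the response being accepted; the log line "Let ap_scan_script_header*() validate the headers" states the intent, but the hunk itself only removes the check.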
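Review bot: Dropping `#include apr_lib.h /* for apr_iscntrl() */` at @@ -18 of mod_proxy_fcgi.c is only safe if apr_iscntrl() was the sole apr_lib.h user in that file; please check the file for the other apr_is*/apr_to* ctype macros before committing, since a transitive include may be masking a remaining dependency that would only break on another platform.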
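Review bot: Removing the `if (st == -1)` branches at @@ -568 (mod_proxy_fcgi.c) and @@ -558 (mod_authnz_fcgi.c) assumes handle_headers() can no longer return -1 in either module. The r1639814 hunk quoted above shows that for mod_authnz_fcgi.c, but the mod_proxy_fcgi.c handle_headers() is not part of this patch; please confirm its -1 return was removed in r1639717 as well, otherwise that module would fall through to `if (st == 1)` on a parse error and keep reading the backend response. Also, the second hunk retires APLOGNO(02821); httpd's convention is that log tag numbers are not reused, so leave 02821 unassigned rather than recycling it for a new message.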
Re: svn commit: r1638879 - /httpd/httpd/trunk/server/mpm/event/event.c
Done in r1639960. CJ On 15/11/2014 08:32, Marion Christophe JAILLET wrote: Hi, the same pattern exists in eventopt. CJ On 12/11/2014 18:32, cove...@apache.org wrote: Author: covener Date: Wed Nov 12 17:32:24 2014 New Revision: 1638879 URL: http://svn.apache.org/r1638879 Log: avoid dereferencing a recently apr_pool_clear()'ed event_conn_state_t *cs in several paths where ptrans is being recycled at the end of a request. Modified: httpd/httpd/trunk/server/mpm/event/event.c Modified: httpd/httpd/trunk/server/mpm/event/event.c URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/server/mpm/event/event.c?rev=1638879r1=1638878r2=1638879view=diff == --- httpd/httpd/trunk/server/mpm/event/event.c (original) +++ httpd/httpd/trunk/server/mpm/event/event.c Wed Nov 12 17:32:24 2014 @@ -852,6 +852,7 @@ static int start_lingering_close_common( rv = apr_pollset_add(event_pollset, cs-pfd); apr_thread_mutex_unlock(timeout_mutex); if (rv != APR_SUCCESS !APR_STATUS_IS_EEXIST(rv)) { +apr_pool_t *p = cs-p; ap_log_error(APLOG_MARK, APLOG_ERR, rv, ap_server_conf, start_lingering_close: apr_pollset_add failure); apr_thread_mutex_lock(timeout_mutex); @@ -859,7 +860,7 @@ static int start_lingering_close_common( apr_thread_mutex_unlock(timeout_mutex); apr_socket_close(cs-pfd.desc.s); apr_pool_clear(cs-p); -ap_push_pool(worker_queue_info, cs-p); +ap_push_pool(worker_queue_info, p); return 0; } return 1; [...]
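Review bot: The new `apr_pool_t *p = cs-p;` at @@ -852 deserves a one-line comment saying why the pool pointer is saved: cs itself is allocated from that pool, so reading cs-p after the `apr_pool_clear(cs-p)` in the @@ -859 hunk is a use of cleared memory. Without the comment, the `ap_push_pool(worker_queue_info, p)` change reads like a cosmetic rename and is likely to be folded back into cs-p by a later cleanup; the same applies to the eventopt copy of this pattern mentioned in the reply.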
Bug report for Apache httpd-2 [2014/11/16]
Columns: Bugzilla Bug ID | Status | Severity | Date Posted | Description
Status: UNC=Unconfirmed NEW=New ASS=Assigned OPN=Reopened VER=Verified (Skipped Closed/Resolved)
Severity: BLK=Blocker CRI=Critical REG=Regression MAJ=Major MIN=Minor NOR=Normal ENH=Enhancement TRV=Trivial

| 7483|Ass|Enh|2002-03-26|Add FileAction directive to assign a cgi interpret|
| 8713|Inf|Min|2002-05-01|No Errorlog on PROPFIND/Depth:Infinity|
| 8867|Opn|Cri|2002-05-07|exports.c generation fails when using a symlink to|
|10747|New|Maj|2002-07-12|ftp SIZE command and 'smart' ftp servers results i|
|11294|New|Enh|2002-07-30|desired vhost_alias option|
|11580|Opn|Enh|2002-08-09|generate Content-Location headers|
|12033|Opn|Nor|2002-08-26|Graceful restart immidiately result in [warn] long|
|12680|New|Enh|2002-09-16|Digest authentication with integrity protection|
|13599|Inf|Nor|2002-10-14|autoindex formating broken for multibyte sequences|
|13661|Ass|Enh|2002-10-15|Apache cannot not handle dynamic IP reallocation|
|14104|Opn|Enh|2002-10-30|not documented: must restart server to load new CR|
|14496|New|Enh|2002-11-13|Cannot upgrade any version on Windows. Must uninst|
|14922|Inf|Enh|2002-11-28|target is currently hardcoded to 'apache2'|
|15719|Inf|Nor|2002-12-30|WebDAV MOVE to destination URI which is content-ne|
|16761|Inf|Nor|2003-02-04|CustomLog with pipe spawns process during config|
|16802|New|Enh|2003-02-05|Additional AllowOverride directive Restrict|
|16811|Ass|Maj|2003-02-05|mod_autoindex always return webpages in UTF-8.|
|17107|New|Min|2003-02-16|Windows should not install printenv|
|17114|New|Enh|2003-02-17|Please add strip and install-strip targets to Make|
|17244|Ass|Nor|2003-02-20|./configure --help gives false information regardi|
|17497|Opn|Nor|2003-02-27|mod_mime_magic generates incorrect response header|
|18325|New|Enh|2003-03-25|PAM support for suEXEC|
|18334|Inf|Cri|2003-03-25|Server crashes when authenticating users against L|
|18497|New|Min|2003-03-30|configure --help gives wrong default for sysconfdi|
|19043|New|Min|2003-04-15|Interesting interaction between cern_meta module a|
|19670|New|Enh|2003-05-05|content type header supplied upon PUT is thrown aw|
|20036|Ass|Nor|2003-05-19|Trailing Dots stripped from PATH_INFO environment|
|21253|New|Nor|2003-07-01|Mime magic doesn't continue if type is specifed fo|
|21260|New|Nor|2003-07-02|CacheMaxExpire directive not enforced !|
|21533|Ass|Cri|2003-07-11|Multiple levels of htacces files can cause mod_aut|
|22005|Ver|Nor|2003-07-30|Win32: Help I'm Stuck! menu item leads to dead e|
|22138|Inf|Cri|2003-08-05|Webdav is not preccessing special chars right.|
|22237|New|Enh|2003-08-08|option to disable ServerSignature on index pages|
|22484|Opn|Maj|2003-08-16|semaphore problem takes httpd down|
|22686|Opn|Nor|2003-08-25|ab: apr_poll: The timeout specified has expired (7|
|22898|Opn|Nor|2003-09-02|nph scripts with two HTTP header|
|23167|Inf|Cri|2003-09-14|--enable-layout never goes to apr apr-util|
|23181|New|Nor|2003-09-15|Status 304 (Not modified) and chunking leads to an|
|23238|New|Cri|2003-09-18|non-async-signal-safe operations from signal handl|
|23330|New|Enh|2003-09-22|Enhance ApacheMonitor to view and control Tomcat s|
|23911|Opn|Cri|2003-10-18|CGI processes left defunct/zombie under 2.0.54|
|24031|New|Enh|2003-10-23|Passphrase protected private key in SSLProxyMachin|
|24095|Opn|Cri|2003-10-24|ERROR Parent: child process exited with status 32|
|24243|New|Enh|2003-10-30|mod_autoindex enhancement ('IndexIgnoreRemove' opt|
|24890|Opn|Nor|2003-11-21|Apache config parser should not be local aware ( g|
|25014|New|Enh|2003-11-26|A flexible interface for mod_log_config|
|25201|New|Enh|2003-12-04|Provide Cache Purge operation|
|25240|Inf|Enh|2003-12-05|SSL Library Error: 336105671 logged as information|
|25435|New|Enh|2003-12-11|sethandler and directoryindex not playing nice|
|25469|Opn|Enh|2003-12-12|create AuthRoot for defining paths to auth files|
|25484|Ass|Nor|2003-12-12|Non-service Apache cannot be stopped in WinXP|