From f3682c022981de6b15bc9c7023a911be7131d695 Mon Sep 17 00:00:00 2001 From: Clement Laforet Date: Tue, 26 Jul 2005 13:57:42 +0000 Subject: [PATCH] - Fix CAN-2005-2088 Obtained from: Apache repository --- www/apache13-modperl/Makefile | 2 +- .../files/patch-secfix-CAN-2005-2088 | 87 +++++++++++++++++++ www/apache13-ssl/Makefile | 1 + .../files/patch-secfix-CAN-2005-2088 | 87 +++++++++++++++++++ 4 files changed, 176 insertions(+), 1 deletion(-) create mode 100644 www/apache13-modperl/files/patch-secfix-CAN-2005-2088 create mode 100644 www/apache13-ssl/files/patch-secfix-CAN-2005-2088 diff --git a/www/apache13-modperl/Makefile b/www/apache13-modperl/Makefile index 5490452d9b05..bcab4dd3cce7 100644 --- a/www/apache13-modperl/Makefile +++ b/www/apache13-modperl/Makefile @@ -7,7 +7,7 @@ PORTNAME= apache+mod_perl PORTVERSION= ${VERSION_APACHE} -PORTREVISION= 2 +PORTREVISION= 3 CATEGORIES= www perl5 MASTER_SITES= ${MASTER_SITE_APACHE_HTTPD:S/$/:apache/} \ ${MASTER_SITE_PERL_CPAN:S/$/Apache\/:modperl/} diff --git a/www/apache13-modperl/files/patch-secfix-CAN-2005-2088 b/www/apache13-modperl/files/patch-secfix-CAN-2005-2088 new file mode 100644 index 000000000000..c4315400577e --- /dev/null +++ b/www/apache13-modperl/files/patch-secfix-CAN-2005-2088 @@ -0,0 +1,87 @@ +--- src/modules/proxy/proxy_http.c 2005/07/14 05:09:17 218987 ++++ src/modules/proxy/proxy_http.c 2005/07/14 05:19:15 218988 +@@ -121,7 +121,7 @@ + char portstr[32]; + pool *p = r->pool; + int destport = 0; +- int chunked = 0; ++ const char *chunked = NULL; + char *destportstr = NULL; + const char *urlptr = NULL; + const char *datestr, *urlstr; +@@ -338,7 +338,12 @@ + ap_table_mergen(req_hdrs, "X-Forwarded-Server", r->server->server_hostname); + } + +- /* we don't yet support keepalives - but we will soon, I promise! */ ++ /* we don't yet support keepalives - but we will soon, I promise! ++ * XXX: This introduces various HTTP Request vulnerabilies if not ++ * properly implemented. Before changing this .. be certain to ++ * add a hard-close of the connection if the T-E and C-L headers ++ * are both present, or the C-L header is malformed. ++ */ + ap_table_set(req_hdrs, "Connection", "close"); + + reqhdrs_arr = ap_table_elts(req_hdrs); +@@ -475,25 +480,40 @@ + } + + /* is this content chunked? */ +- chunked = ap_find_last_token(r->pool, +- ap_table_get(resp_hdrs, "Transfer-Encoding"), +- "chunked"); ++ chunked = ap_table_get(resp_hdrs, "Transfer-Encoding"); ++ if (chunked && (strcasecmp(chunked, "chunked") != 0)) { ++ ap_kill_timeout(r); ++ return ap_proxyerror(r, HTTP_BAD_GATEWAY, ap_pstrcat(r->pool, ++ "Unsupported Transfer-Encoding ", chunked, ++ " from remote server", NULL)); ++ } + + /* strip hop-by-hop headers defined by Connection and RFC2616 */ + ap_proxy_clear_connection(p, resp_hdrs); + + content_length = ap_table_get(resp_hdrs, "Content-Length"); + if (content_length != NULL) { +- c->len = ap_strtol(content_length, NULL, 10); +- +- if (c->len < 0) { +- ap_kill_timeout(r); +- return ap_proxyerror(r, HTTP_BAD_GATEWAY, ap_pstrcat(r->pool, +- "Invalid Content-Length from remote server", +- NULL)); ++ if (chunked) { ++ /* XXX: We would unset keep-alive here, to the proxy ++ * origin server, for safety's sake but we aren't using ++ * keep-alives (we force Connection: close above) ++ */ ++ nocache = 1; /* do not cache this suspect file */ ++ ap_table_unset(resp_hdrs, "Content-Length"); ++ } ++ else { ++ char *len_end; ++ errno = 0; ++ c->len = ap_strtol(content_length, &len_end, 10); ++ ++ if (errno || (c->len < 0) || (len_end && *len_end)) { ++ ap_kill_timeout(r); ++ return ap_proxyerror(r, HTTP_BAD_GATEWAY, ++ "Invalid Content-Length from remote" ++ " server"); ++ } + } + } +- + } + else { + /* an http/0.9 response */ +@@ -612,7 +632,8 @@ + * content length is not known. We need to make 100% sure c->len is always + * set correctly before we get here to correctly do keepalive. + */ +- ap_proxy_send_fb(f, r, c, c->len, 0, chunked, conf->io_buffer_size); ++ ap_proxy_send_fb(f, r, c, c->len, 0, chunked != NULL, ++ conf->io_buffer_size); + } + + /* ap_proxy_send_fb() closes the socket f for us */ diff --git a/www/apache13-ssl/Makefile b/www/apache13-ssl/Makefile index ad31c150c10f..017a0da88d45 100644 --- a/www/apache13-ssl/Makefile +++ b/www/apache13-ssl/Makefile @@ -9,6 +9,7 @@ PORTNAME= apache+ssl PORTVERSION= ${APACHE_VERSION}.${APACHE_SSL_VERSION} +PORTREVISION= 1 CATEGORIES= www security MASTER_SITES= ${MASTER_SITE_APACHE_HTTPD} \ ${MASTER_SITES_APACHE_SSL:S/$/:ssl/} diff --git a/www/apache13-ssl/files/patch-secfix-CAN-2005-2088 b/www/apache13-ssl/files/patch-secfix-CAN-2005-2088 new file mode 100644 index 000000000000..c4315400577e --- /dev/null +++ b/www/apache13-ssl/files/patch-secfix-CAN-2005-2088 @@ -0,0 +1,87 @@ +--- src/modules/proxy/proxy_http.c 2005/07/14 05:09:17 218987 ++++ src/modules/proxy/proxy_http.c 2005/07/14 05:19:15 218988 +@@ -121,7 +121,7 @@ + char portstr[32]; + pool *p = r->pool; + int destport = 0; +- int chunked = 0; ++ const char *chunked = NULL; + char *destportstr = NULL; + const char *urlptr = NULL; + const char *datestr, *urlstr; +@@ -338,7 +338,12 @@ + ap_table_mergen(req_hdrs, "X-Forwarded-Server", r->server->server_hostname); + } + +- /* we don't yet support keepalives - but we will soon, I promise! */ ++ /* we don't yet support keepalives - but we will soon, I promise! ++ * XXX: This introduces various HTTP Request vulnerabilies if not ++ * properly implemented. Before changing this .. be certain to ++ * add a hard-close of the connection if the T-E and C-L headers ++ * are both present, or the C-L header is malformed. ++ */ + ap_table_set(req_hdrs, "Connection", "close"); + + reqhdrs_arr = ap_table_elts(req_hdrs); +@@ -475,25 +480,40 @@ + } + + /* is this content chunked? */ +- chunked = ap_find_last_token(r->pool, +- ap_table_get(resp_hdrs, "Transfer-Encoding"), +- "chunked"); ++ chunked = ap_table_get(resp_hdrs, "Transfer-Encoding"); ++ if (chunked && (strcasecmp(chunked, "chunked") != 0)) { ++ ap_kill_timeout(r); ++ return ap_proxyerror(r, HTTP_BAD_GATEWAY, ap_pstrcat(r->pool, ++ "Unsupported Transfer-Encoding ", chunked, ++ " from remote server", NULL)); ++ } + + /* strip hop-by-hop headers defined by Connection and RFC2616 */ + ap_proxy_clear_connection(p, resp_hdrs); + + content_length = ap_table_get(resp_hdrs, "Content-Length"); + if (content_length != NULL) { +- c->len = ap_strtol(content_length, NULL, 10); +- +- if (c->len < 0) { +- ap_kill_timeout(r); +- return ap_proxyerror(r, HTTP_BAD_GATEWAY, ap_pstrcat(r->pool, +- "Invalid Content-Length from remote server", +- NULL)); ++ if (chunked) { ++ /* XXX: We would unset keep-alive here, to the proxy ++ * origin server, for safety's sake but we aren't using ++ * keep-alives (we force Connection: close above) ++ */ ++ nocache = 1; /* do not cache this suspect file */ ++ ap_table_unset(resp_hdrs, "Content-Length"); ++ } ++ else { ++ char *len_end; ++ errno = 0; ++ c->len = ap_strtol(content_length, &len_end, 10); ++ ++ if (errno || (c->len < 0) || (len_end && *len_end)) { ++ ap_kill_timeout(r); ++ return ap_proxyerror(r, HTTP_BAD_GATEWAY, ++ "Invalid Content-Length from remote" ++ " server"); ++ } + } + } +- + } + else { + /* an http/0.9 response */ +@@ -612,7 +632,8 @@ + * content length is not known. We need to make 100% sure c->len is always + * set correctly before we get here to correctly do keepalive. + */ +- ap_proxy_send_fb(f, r, c, c->len, 0, chunked, conf->io_buffer_size); ++ ap_proxy_send_fb(f, r, c, c->len, 0, chunked != NULL, ++ conf->io_buffer_size); + } + + /* ap_proxy_send_fb() closes the socket f for us */