diff options
author | William A. Rowe Jr <wrowe@apache.org> | 2016-12-22 20:50:05 +0000 |
---|---|---|
committer | William A. Rowe Jr <wrowe@apache.org> | 2016-12-22 20:50:05 +0000 |
commit | 5258ca6220ed403b0b42f237c35893b918cd6c37 (patch) | |
tree | bfc947550f5e18b303153b004b471e74061e248c | |
parent | 859fd740f1ba9a88a82429592b96b2d80a0d0a89 (diff) | |
download | httpd-5258ca6220ed403b0b42f237c35893b918cd6c37.tar.gz |
Backports: r892678
Submitted by: niq
Reject requests containing (invalid) NULL characters in request line
or request headers.
PR 43039
Backports: r892808
Submitted by: rpluem
Fix up r892678
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x-merge-http-strict@1775731 13f79535-47bb-0310-9956-ffa450edef68
-rw-r--r-- | CHANGES | 3 | ||||
-rw-r--r-- | server/protocol.c | 23 |
2 files changed, 22 insertions, 4 deletions
@@ -11,6 +11,9 @@ Changes with Apache 2.2.31 *) core: Do not over allocate memory within 'ap_rgetline_core' for the common case. [Christophe Jaillet] + *) Core: reject NULLs in request line or request headers. + PR 43039 [Nick Kew] + Changes with Apache 2.2.30 (not released) *) SECURITY: CVE-2015-3183 (cve.mitre.org) diff --git a/server/protocol.c b/server/protocol.c index 614d501a0b..660f5148db 100644 --- a/server/protocol.c +++ b/server/protocol.c @@ -426,8 +426,13 @@ AP_DECLARE(apr_status_t) ap_rgetline_core(char **s, apr_size_t n, } } } - *read = bytes_handled; + + /* PR#43039: We shouldn't accept NULL bytes within the line */ + if (strlen(*s) < bytes_handled) { + return APR_EINVAL; + } + return APR_SUCCESS; } @@ -602,6 +607,9 @@ static int read_request_line(request_rec *r, apr_bucket_brigade *bb) else if (APR_STATUS_IS_TIMEUP(rv)) { r->status = HTTP_REQUEST_TIME_OUT; } + else if (rv == APR_EINVAL) { + r->status = HTTP_BAD_REQUEST; + } r->proto_num = HTTP_VERSION(1,0); r->protocol = apr_pstrdup(r->pool, "HTTP/1.0"); return 0; @@ -916,9 +924,16 @@ request_rec *ap_read_request(conn_rec *conn) /* Get the request... */ if (!read_request_line(r, tmp_bb)) { - if (r->status == HTTP_REQUEST_URI_TOO_LARGE) { - ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, - "request failed: URI too long (longer than %d)", r->server->limit_req_line); + if (r->status == HTTP_REQUEST_URI_TOO_LARGE + || r->status == HTTP_BAD_REQUEST) { + if (r->status == HTTP_BAD_REQUEST) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "request failed: invalid characters in URI"); + } + else { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "request failed: URI too long (longer than %d)", r->server->limit_req_line); + } ap_send_error_response(r, 0); ap_update_child_status(conn->sbh, SERVER_BUSY_LOG, r); ap_run_log_transaction(r); |