authorWilliam A. Rowe Jr <wrowe@apache.org>2005-07-14 16:51:55 +0000
committerWilliam A. Rowe Jr <wrowe@apache.org>2005-07-14 16:51:55 +0000
commitc8215cdc47eea36df070cd5bb42eacce17d1d741 (patch)
treef617a8fedb254d620edab9ccbefd73df42166038
parent4599ade3eb01eccf58fc6cff2240d2632dbb2433 (diff)
downloadhttpd-c8215cdc47eea36df070cd5bb42eacce17d1d741.tar.gz
core: strip C-L from any request with a T-E header
Resolves the external-origin CAN-2005-2088 issues; does not address internal-origin C-L/T-E discrepancies within proxy_http. Security: CVE CAN-2005-2088. Submitted by: Joe Orton. Reviewed by: Jeff Trawick, Will Rowe. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@219061 13f79535-47bb-0310-9956-ffa450edef68
-rw-r--r--CHANGES5
-rw-r--r--STATUS5
-rw-r--r--server/protocol.c9
3 files changed, 15 insertions, 4 deletions
diff --git a/CHANGES b/CHANGES
index 3a6b86e544..a1b2f3360b 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,5 +1,10 @@
Changes with Apache 2.0.55
+ *) SECURITY: CAN-2005-2088
+ core: If a request contains both Transfer-Encoding and Content-Length
+ headers, remove the Content-Length, mitigating some HTTP Request
+ Splitting/Spoofing attacks. [Paul Querna, Joe Orton]
+
*) proxy HTTP: If a response contains both Transfer-Encoding and a
Content-Length, remove the Content-Length and don't reuse the
connection, mitigating some HTTP Response Splitting attacks.
diff --git a/STATUS b/STATUS
index c0504f2e81..f3f075b27f 100644
--- a/STATUS
+++ b/STATUS
@@ -111,10 +111,7 @@ RELEASE SHOWSTOPPERS:
* Various fixes to T-E and C-L processing from trunk
- + core: strip C-L from any request with a T-E header
- http://people.apache.org/~jorton/ap_tevscl.diff
- (CVE CAN-2005-2088)
- +1: jorton, trawick
+
PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
[ please append new backports at the end of this list not the top. ]
diff --git a/server/protocol.c b/server/protocol.c
index 59aff7fc71..a10610e01e 100644
--- a/server/protocol.c
+++ b/server/protocol.c
@@ -885,6 +885,15 @@ request_rec *ap_read_request(conn_rec *conn)
apr_brigade_destroy(tmp_bb);
return r;
}
+
+ if (apr_table_get(r->headers_in, "Transfer-Encoding")
+ && apr_table_get(r->headers_in, "Content-Length")) {
+ /* 2616 section 4.4, point 3: "if both Transfer-Encoding
+ * and Content-Length are received, the latter MUST be
+ * ignored"; so unset it here to prevent any confusion
+ * later. */
+ apr_table_unset(r->headers_in, "Content-Length");
+ }
}
else {
if (r->header_only) {
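Review bot: The new guard keys only on the presence of a Transfer-Encoding header, never on its value, so a request carrying e.g. `Transfer-Encoding: identity` together with a Content-Length loses its only usable length indicator here, while RFC 2616 4.4 point 2 defines the transfer-length as chunked only for T-E values other than "identity". How such a body is then delimited is decided by the input filter code outside this hunk, and a T-E value that is not "chunked" (or is malformed) is still passed through unchanged to it, so this remains a mitigation rather than a rejection, which is consistent with the CHANGES wording "mitigating some" attacks. I would make that reliance explicit in the comment, e.g. `/* Any T-E value, including "identity" or an unrecognised coding, triggers this; delimiting a non-chunked T-E body is left to the input filter. */`, and, if ap_read_request's error path permits it, consider answering a T-E that is neither "chunked" nor "identity" with HTTP_BAD_REQUEST rather than forwarding it. ap_read_request starts before and continues past this hunk, so I have not checked the downstream handling.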