diff options
author | William A. Rowe Jr <wrowe@apache.org> | 2005-07-14 16:51:55 +0000 |
---|---|---|
committer | William A. Rowe Jr <wrowe@apache.org> | 2005-07-14 16:51:55 +0000 |
commit | c8215cdc47eea36df070cd5bb42eacce17d1d741 (patch) | |
tree | f617a8fedb254d620edab9ccbefd73df42166038 | |
parent | 4599ade3eb01eccf58fc6cff2240d2632dbb2433 (diff) | |
download | httpd-c8215cdc47eea36df070cd5bb42eacce17d1d741.tar.gz |
core: strip C-L from any request with a T-E header
resolves external origin CAN-2005-2088 issues, does not
address internal origin C-L/T-E discrepancies within proxy_http
Security: CVE CAN-2005-2088
Submitted by: Joe Orton
Reviewed by: Jeff Trawick, Will Rowe
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@219061 13f79535-47bb-0310-9956-ffa450edef68
-rw-r--r-- | CHANGES | 5 | ||||
-rw-r--r-- | STATUS | 5 | ||||
-rw-r--r-- | server/protocol.c | 9 |
3 files changed, 15 insertions, 4 deletions
@@ -1,5 +1,10 @@ Changes with Apache 2.0.55 + *) SECURITY: CAN-2005-2088 + core: If a request contains both Transfer-Encoding and Content-Length + headers, remove the Content-Length, mitigating some HTTP Request + Splitting/Spoofing attacks. [Paul Querna, Joe Orton] + *) proxy HTTP: If a response contains both Transfer-Encoding and a Content-Length, remove the Content-Length and don't reuse the connection, mitigating some HTTP Response Splitting attacks. @@ -111,10 +111,7 @@ RELEASE SHOWSTOPPERS: * Various fixes to T-E and C-L processing from trunk - + core: strip C-L from any request with a T-E header - http://people.apache.org/~jorton/ap_tevscl.diff - (CVE CAN-2005-2088) - +1: jorton, trawick + PATCHES ACCEPTED TO BACKPORT FROM TRUNK: [ please append new backports at the end of this list not the top. ] diff --git a/server/protocol.c b/server/protocol.c index 59aff7fc71..a10610e01e 100644 --- a/server/protocol.c +++ b/server/protocol.c @@ -885,6 +885,15 @@ request_rec *ap_read_request(conn_rec *conn) apr_brigade_destroy(tmp_bb); return r; } + + if (apr_table_get(r->headers_in, "Transfer-Encoding") + && apr_table_get(r->headers_in, "Content-Length")) { + /* 2616 section 4.4, point 3: "if both Transfer-Encoding + * and Content-Length are received, the latter MUST be + * ignored"; so unset it here to prevent any confusion + * later. */ + apr_table_unset(r->headers_in, "Content-Length"); + } } else { if (r->header_only) { |