-rw-r--r-- | CHANGES | 6 | ||||
-rw-r--r-- | STATUS | 13 | ||||
-rw-r--r-- | docs/manual/howto/access.html.en | 8 | ||||
-rw-r--r-- | include/ap_release.h | 2 | ||||
-rw-r--r-- | modules/proxy/mod_proxy_http.c | 35 |
5 files changed, 38 insertions, 26 deletions
@@ -1,6 +1,12 @@ -*- coding: utf-8 -*- Changes with Apache 2.2.9 + *) SECURITY: CVE-2008-2364 (cve.mitre.org) + mod_proxy_http: Better handling of excessive interim responses + from origin server to prevent potential denial of service and high + memory usage. Reported by Ryujiro Shibuya. [Ruediger Pluem, + Joe Orton, Jim Jagielski] + *) SECURITY: CVE-2007-6420 (cve.mitre.org) mod_proxy_balancer: Prevent CSRF attacks against the balancer-manager interface. [Joe Orton] @@ -26,8 +26,7 @@ Release history: [NOTE that x.{odd}.z versions are strictly Alpha/Beta releases, while x.{even}.z versions are Stable/GA releases.] - 2.2.9 : In development. Jim would like to do a release early - June and offers to RM. + 2.2.9 : Tagged June 10, 2008. 2.2.8 : Released January 19, 2008. 2.2.7 : Tagged January 4, 2008. Not released. 2.2.6 : Released September 7, 2007. @@ -130,16 +129,6 @@ PATCHES PROPOSED TO BACKPORT FROM TRUNK: -1: niq - strcasecmp(NULL, ...) when secure is not set rpluem: Good catch. Should be fixed by r660461. - * mod_proxy_http: Handle interim responses better to avoid - excessive memory usage and potential denial of service - CVE-2008-2364 - Trunk version of patch: - http://svn.apache.org/viewvc?view=rev&revision=666154 - http://svn.apache.org/viewvc?view=rev&revision=666180 - Backport version for 2.2.x of patch: - Trunk version of patch works - +1: jim - * mod_proxy_http: Do not forward an Expect: 100-continue to an HTTP/1.0 server Trunk version of patch: diff --git a/docs/manual/howto/access.html.en b/docs/manual/howto/access.html.en index 010a40c187..e7755ed88a 100644 --- a/docs/manual/howto/access.html.en +++ b/docs/manual/howto/access.html.en 
@@ -138,14 +138,6 @@ discussed in this document include <code class="module"><a href="../mod/mod_sete this variable is set. This blocks that particular user agent from the site. </p> - - <p>An environment variable test can be negated using the <code>=!</code> - syntax:</p> - - <div class="example"><p> - Allow from env=!GoAway - </p></div> - </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> <div class="section"> <h2><a name="rewrite" id="rewrite">Access control with mod_rewrite</a></h2> diff --git a/include/ap_release.h b/include/ap_release.h index 7e5f20699b..af9b32332d 100644 --- a/include/ap_release.h +++ b/include/ap_release.h @@ -46,7 +46,7 @@ #define AP_SERVER_MAJORVERSION_NUMBER 2 #define AP_SERVER_MINORVERSION_NUMBER 2 #define AP_SERVER_PATCHLEVEL_NUMBER 9 -#define AP_SERVER_DEVBUILD_BOOLEAN 1 +#define AP_SERVER_DEVBUILD_BOOLEAN 0 #if AP_SERVER_DEVBUILD_BOOLEAN #define AP_SERVER_ADD_STRING "-dev" diff --git a/modules/proxy/mod_proxy_http.c b/modules/proxy/mod_proxy_http.c index b2c87b80d5..3ca21895f7 100644 --- a/modules/proxy/mod_proxy_http.c +++ b/modules/proxy/mod_proxy_http.c @@ -1307,6 +1307,16 @@ apr_status_t ap_proxygetline(apr_bucket_brigade *bb, char *s, int n, request_rec return rv; } +/* + * Limit the number of interim respones we sent back to the client. Otherwise + * we suffer from a memory build up. Besides there is NO sense in sending back + * an unlimited number of interim responses to the client. Thus if we cross + * this limit send back a 502 (Bad Gateway). + */ +#ifndef AP_MAX_INTERIM_RESPONSES +#define AP_MAX_INTERIM_RESPONSES 10 +#endif + static apr_status_t ap_proxy_http_process_response(apr_pool_t * p, request_rec *r, proxy_conn_rec *backend, 
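Review bot: The comment above the new AP_MAX_INTERIM_RESPONSES define in the mod_proxy_http.c hunk misspells "responses" as "respones", and the `#ifndef` override has no sanity check: a build that defines the limit as 0 or a negative value makes the loop condition added in the later hunk fail on the first iteration and the post-loop check return 502 for every proxied response. Suggest fixing the spelling and adding `#if AP_MAX_INTERIM_RESPONSES < 1` / `#error "AP_MAX_INTERIM_RESPONSES must be at least 1"` / `#endif` directly after the define. The comment could also state that the value is a per-request count of interim responses (not a byte bound) and that it can only be changed at build time, so whoever tunes it knows what the number means.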
@@ -1321,8 +1331,8 @@ apr_status_t ap_proxy_http_process_response(apr_pool_t * p, request_rec *r, apr_bucket *e; apr_bucket_brigade *bb, *tmp_bb; int len, backasswards; - int interim_response; /* non-zero whilst interim 1xx responses - * are being read. */ + int interim_response = 0; /* non-zero whilst interim 1xx responses + * are being read. */ int pread_len = 0; apr_table_t *save_table; int backend_broke = 0; @@ -1523,7 +1533,9 @@ apr_status_t ap_proxy_http_process_response(apr_pool_t * p, request_rec *r, if ((buf = apr_table_get(r->headers_out, "Content-Type"))) { ap_set_content_type(r, apr_pstrdup(p, buf)); } - ap_proxy_pre_http_request(origin,rp); + if (!ap_is_HTTP_INFO(r->status)) { + ap_proxy_pre_http_request(origin, rp); + } /* Clear hop-by-hop headers */ for (i=0; hop_by_hop_hdrs[i]; ++i) { @@ -1572,7 +1584,12 @@ apr_status_t ap_proxy_http_process_response(apr_pool_t * p, request_rec *r, backend->close += 1; } - interim_response = ap_is_HTTP_INFO(r->status); + if (ap_is_HTTP_INFO(r->status)) { + interim_response++; + } + else { + interim_response = 0; + } if (interim_response) { /* RFC2616 tells us to forward this. * @@ -1773,7 +1790,15 @@ apr_status_t ap_proxy_http_process_response(apr_pool_t * p, request_rec *r, apr_brigade_cleanup(bb); } - } while (interim_response); + } while (interim_response && (interim_response < AP_MAX_INTERIM_RESPONSES)); + + /* See define of AP_MAX_INTERIM_RESPONSES for why */ + if (interim_response >= AP_MAX_INTERIM_RESPONSES) { + return ap_proxyerror(r, HTTP_BAD_GATEWAY, + apr_psprintf(p, + "Too many (%d) interim responses from origin server", + interim_response)); + } /* If our connection with the client is to be aborted, return DONE. */ if (c->aborted || backend_broke) { |
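Review bot: In the last hunk, the new 502 path returns from ap_proxy_http_process_response while the origin connection may still hold unread data (the loop stops right after the limit-th 1xx response, so whatever the origin sends next has not been consumed), and nothing in the hunk marks the backend connection for closure. The surrounding code uses `backend->close += 1;` for that (visible as context in the third hunk); if the caller's cleanup hands an unclosed connection back to the pool, a later request on the same backend could read a stale response, so unless that cleanup path already forces a close, add `backend->close++;` before the `return ap_proxyerror(...)`. The function starts outside these hunks and the caller that decides what happens to the connection on a non-OK return is not in view, so this is worth confirming rather than assuming.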