author | Paul Querna <pquerna@apache.org> | 2010-07-21 20:25:01 +0200 |
---|---|---|
committer | Paul Querna <pquerna@apache.org> | 2010-07-21 20:25:01 +0200 |
commit | ad53d4dcbdacc1e9bd35f0348d20416d08e18566 (patch) | |
tree | b6726c35ef9a72b1883725c9bfb343eed9f6de29 | |
parent | Rebuild new example. (diff) | |
CVE-2010-1452: Fix handling of missing path segments in the parsed URI structure.
If a specially crafted request was sent, it was possible to crash mod_dav,
mod_cache or mod_session, as they accessed a field that the URI parser
sets to NULL, assuming that it always held a valid string.
PR: 49246
Submitted by: Mark Drayton
Patch by: Jeff Trawick
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@966348 13f79535-47bb-0310-9956-ffa450edef68
-rw-r--r-- | CHANGES | 4 | ||||
-rw-r--r-- | include/httpd.h | 2 | ||||
-rw-r--r-- | modules/cache/cache_storage.c | 4 | ||||
-rw-r--r-- | modules/dav/main/util.c | 3 | ||||
-rw-r--r-- | modules/session/mod_session.c | 4 |
5 files changed, 11 insertions, 6 deletions
@@ -2,6 +2,10 @@ Changes with Apache 2.3.7 + *) SECURITY: CVE-2010-1452 (cve.mitre.org) + mod_dav, mod_cache, mod_session: Fix Handling of requests without a path + segment. PR: 49246 [Mark Drayton, Jeff Trawick] + *) core/mod_authz_core: Introduce new access_checker_ex hook that enables mod_authz_core to bypass authentication if access should be allowed by IP address/env var/... [Stefan Fritsch]
diff --git a/include/httpd.h b/include/httpd.h
index 492755c28f..c74a38e98c 100644
--- a/include/httpd.h
+++ b/include/httpd.h
@@ -922,7 +922,7 @@ struct request_rec { /** The URI without any parsing performed */ char *unparsed_uri; - /** The path portion of the URI */ + /** The path portion of the URI, or "/" if no path provided */ char *uri; /** The filename on disk corresponding to this response */ char *filename;
diff --git a/modules/cache/cache_storage.c b/modules/cache/cache_storage.c
index 606beb876e..0e2a698f53 100644
--- a/modules/cache/cache_storage.c
+++ b/modules/cache/cache_storage.c
@@ -479,7 +479,7 @@ apr_status_t cache_generate_key_default(request_rec *r, apr_pool_t* p, * Check if we need to ignore session identifiers in the URL and do so * if needed. */ - path = r->parsed_uri.path; + path = r->uri; querystring = r->parsed_uri.query; if (conf->ignore_session_id->nelts) { int i;
@@ -578,7 +578,7 @@ apr_status_t cache_generate_key_default(request_rec *r, apr_pool_t* p, */ cache->key = apr_pstrdup(r->pool, *key); ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, NULL, - "cache: Key for entity %s?%s is %s", r->parsed_uri.path, + "cache: Key for entity %s?%s is %s", r->uri, r->parsed_uri.query, *key); return APR_SUCCESS;
diff --git a/modules/dav/main/util.c b/modules/dav/main/util.c
index 3af8ecb78e..7659b721da 100644
--- a/modules/dav/main/util.c
+++ b/modules/dav/main/util.c
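Review bot: In modules/cache/cache_storage.c the assignment `path = r->uri;` changes which string the cache key is built from, and nothing at that line records that `r->uri` and `r->parsed_uri.path` can differ in more than NULL-ness. As far as I know `r->uri` is the path after URL-unescaping while `parsed_uri.path` is the raw request path, so differently encoded request paths may now map to the same key; the key assembly is outside this hunk, so whether a decoded `?` inside the path can be confused with the `?` separator needs to be checked there. I would add a comment at the assignment such as `/* r->uri is never NULL ("/" when the request has no path), unlike r->parsed_uri.path; it is the decoded path */`. `r->parsed_uri.query` is still read without a guard here and in the debug log call of the @@ -578 hunk, so it is worth confirming that a NULL query is handled wherever `querystring` is used.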
@@ -625,7 +625,8 @@ static dav_error * dav_process_if_header(request_rec *r, dav_if_header **p_ih) /* 2518 specifies this must be an absolute URI; just take the * relative part for later comparison against r->uri */ - if ((rv = apr_uri_parse(r->pool, uri, &parsed_uri)) != APR_SUCCESS) { + if ((rv = apr_uri_parse(r->pool, uri, &parsed_uri)) != APR_SUCCESS + || !parsed_uri.path) { return dav_new_error(r->pool, HTTP_BAD_REQUEST, DAV_ERR_IF_TAGGED, rv, "Invalid URI in tagged If-header.");
diff --git a/modules/session/mod_session.c b/modules/session/mod_session.c
index 2c08f86096..2775ad0329 100644
--- a/modules/session/mod_session.c
+++ b/modules/session/mod_session.c
@@ -63,7 +63,7 @@ static int session_included(request_rec * r, session_dir_conf * conf) included = 0; for (i = 0; !included && i < conf->includes->nelts; i++) { const char *include = includes[i]; - if (strncmp(r->parsed_uri.path, include, strlen(include))) { + if (strncmp(r->uri, include, strlen(include))) { included = 1; } } }
@@ -72,7 +72,7 @@ static int session_included(request_rec * r, session_dir_conf * conf) if (conf->excludes->nelts) { for (i = 0; included && i < conf->includes->nelts; i++) { const char *exclude = excludes[i]; - if (strncmp(r->parsed_uri.path, exclude, strlen(exclude))) { + if (strncmp(r->uri, exclude, strlen(exclude))) { included = 0; } } } |
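Review bot: When `apr_uri_parse()` succeeds but leaves `parsed_uri.path` NULL, the new `|| !parsed_uri.path` branch in dav_process_if_header still hands `rv` to `dav_new_error()`, and `rv` is `APR_SUCCESS` at that point. Rejecting the request with HTTP_BAD_REQUEST is the right outcome, but the error record then carries a success status, which presumably makes the logged cause misleading. Consider testing the two conditions separately, or at least add a comment above the check such as `/* a URI with no path segment parses successfully but leaves parsed_uri.path NULL */`. The function continues outside this hunk, so the later use of `parsed_uri.path` that the check protects is not visible here.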
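Review bot: The prefix test in the include loop of session_included (modules/session/mod_session.c, @@ -63 hunk) is inverted: `strncmp()` returns 0 on a match, so `if (strncmp(r->uri, include, strlen(include)))` sets `included = 1` when the URI does not start with the configured prefix. The exclude loop in the @@ -72 hunk has the same test and clears `included` for URIs that do not match the exclude prefix. This commit only swaps the first argument, so assuming the lists are meant as path prefixes to match, sessions can still be applied to, or withheld from, paths other than the configured ones. The tests should read `if (strncmp(r->uri, include, strlen(include)) == 0) {` and `if (strncmp(r->uri, exclude, strlen(exclude)) == 0) {`. The function starts and ends outside both hunks.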
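Review bot: The exclude loop in the @@ -72 hunk of modules/session/mod_session.c is bounded by `conf->includes->nelts` while it indexes `excludes[i]`, so with more include entries than exclude entries it reads past the end of the exclude array, and with fewer it never looks at the remaining excludes. The guard directly above tests `conf->excludes->nelts`, which suggests the loop was meant to be `for (i = 0; included && i < conf->excludes->nelts; i++) {`. The declaration of `excludes` is outside the hunk; I am assuming it points at `conf->excludes->elts`.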