authorPaul Querna <pquerna@apache.org>2010-07-21 20:25:01 +0200
committerPaul Querna <pquerna@apache.org>2010-07-21 20:25:01 +0200
commitad53d4dcbdacc1e9bd35f0348d20416d08e18566 (patch)
treeb6726c35ef9a72b1883725c9bfb343eed9f6de29
parentRebuild new example. (diff)
downloadapache2-ad53d4dcbdacc1e9bd35f0348d20416d08e18566.tar.xz
apache2-ad53d4dcbdacc1e9bd35f0348d20416d08e18566.zip
CVE-2010-1452: Fix handling of missing path segments in the parsed URI structure.
A specially crafted request could crash mod_dav, mod_cache or mod_session, because they accessed a field that the URI parser sets to NULL while assuming it always held a valid string. PR: 49246 Submitted by: Mark Drayton Patch by: Jeff Trawick git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@966348 13f79535-47bb-0310-9956-ffa450edef68
-rw-r--r--CHANGES4
-rw-r--r--include/httpd.h2
-rw-r--r--modules/cache/cache_storage.c4
-rw-r--r--modules/dav/main/util.c3
-rw-r--r--modules/session/mod_session.c4
5 files changed, 11 insertions, 6 deletions
diff --git a/CHANGES b/CHANGES
index 8cf626986b..96d99b42d5 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2,6 +2,10 @@
Changes with Apache 2.3.7
+ *) SECURITY: CVE-2010-1452 (cve.mitre.org)
+ mod_dav, mod_cache, mod_session: Fix Handling of requests without a path
+ segment. PR: 49246 [Mark Drayton, Jeff Trawick]
+
*) core/mod_authz_core: Introduce new access_checker_ex hook that enables
mod_authz_core to bypass authentication if access should be allowed by
IP address/env var/... [Stefan Fritsch]
diff --git a/include/httpd.h b/include/httpd.h
index 492755c28f..c74a38e98c 100644
--- a/include/httpd.h
+++ b/include/httpd.h
@@ -922,7 +922,7 @@ struct request_rec {
/** The URI without any parsing performed */
char *unparsed_uri;
- /** The path portion of the URI */
+ /** The path portion of the URI, or "/" if no path provided */
char *uri;
/** The filename on disk corresponding to this response */
char *filename;
diff --git a/modules/cache/cache_storage.c b/modules/cache/cache_storage.c
index 606beb876e..0e2a698f53 100644
--- a/modules/cache/cache_storage.c
+++ b/modules/cache/cache_storage.c
@@ -479,7 +479,7 @@ apr_status_t cache_generate_key_default(request_rec *r, apr_pool_t* p,
* Check if we need to ignore session identifiers in the URL and do so
* if needed.
*/
- path = r->parsed_uri.path;
+ path = r->uri;
querystring = r->parsed_uri.query;
if (conf->ignore_session_id->nelts) {
int i;
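Review bot: The assignment `path = r->uri;` deserves a comment saying why the key no longer reads `r->parsed_uri.path`, for example `/* r->uri is "/" when the request has no path; parsed_uri.path may be NULL */`, so a later cleanup does not revert it. The next line still takes `querystring` from `r->parsed_uri.query`, which is presumably NULL when the request carries no query string. The code that consumes it lies outside this hunk and should be confirmed to check for NULL; the same value is also passed to `%s` in the debug log in the second hunk of this file. cache_generate_key_default continues beyond both hunks.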
@@ -578,7 +578,7 @@ apr_status_t cache_generate_key_default(request_rec *r, apr_pool_t* p,
*/
cache->key = apr_pstrdup(r->pool, *key);
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, NULL,
- "cache: Key for entity %s?%s is %s", r->parsed_uri.path,
+ "cache: Key for entity %s?%s is %s", r->uri,
r->parsed_uri.query, *key);
return APR_SUCCESS;
diff --git a/modules/dav/main/util.c b/modules/dav/main/util.c
index 3af8ecb78e..7659b721da 100644
--- a/modules/dav/main/util.c
+++ b/modules/dav/main/util.c
@@ -625,7 +625,8 @@ static dav_error * dav_process_if_header(request_rec *r, dav_if_header **p_ih)
/* 2518 specifies this must be an absolute URI; just take the
* relative part for later comparison against r->uri */
- if ((rv = apr_uri_parse(r->pool, uri, &parsed_uri)) != APR_SUCCESS) {
+ if ((rv = apr_uri_parse(r->pool, uri, &parsed_uri)) != APR_SUCCESS
+ || !parsed_uri.path) {
return dav_new_error(r->pool, HTTP_BAD_REQUEST,
DAV_ERR_IF_TAGGED, rv,
"Invalid URI in tagged If-header.");
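Review bot: When `apr_uri_parse` succeeds but `parsed_uri.path` is NULL, the added `|| !parsed_uri.path` branch passes `rv`, which is then `APR_SUCCESS`, to `dav_new_error` as the underlying status, so the 400 error is recorded with a success code. Passing a failure value in that case, e.g. `rv != APR_SUCCESS ? rv : APR_EGENERAL`, or at least adding a comment such as `/* rv may be APR_SUCCESS here: URI parsed but has no path */`, would keep the error record from misleading whoever triages it. The body of the `if` and the rest of dav_process_if_header are outside the hunk.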
diff --git a/modules/session/mod_session.c b/modules/session/mod_session.c
index 2c08f86096..2775ad0329 100644
--- a/modules/session/mod_session.c
+++ b/modules/session/mod_session.c
@@ -63,7 +63,7 @@ static int session_included(request_rec * r, session_dir_conf * conf)
included = 0;
for (i = 0; !included && i < conf->includes->nelts; i++) {
const char *include = includes[i];
- if (strncmp(r->parsed_uri.path, include, strlen(include))) {
+ if (strncmp(r->uri, include, strlen(include))) {
included = 1;
}
}
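Review bot: `strncmp` returns 0 on a match, so `if (strncmp(r->uri, include, strlen(include)))` sets `included = 1` when the URI does not start with the include prefix, which looks inverted; the test should presumably be `if (!strncmp(r->uri, include, strlen(include)))`. The exclude loop in the next hunk has the same form and would clear `included` for non-matching prefixes. The commit only swaps the field being compared, so session handling may still be applied to, or withheld from, the wrong paths. session_included starts and ends outside these hunks.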
@@ -72,7 +72,7 @@ static int session_included(request_rec * r, session_dir_conf * conf)
if (conf->excludes->nelts) {
for (i = 0; included && i < conf->includes->nelts; i++) {
const char *exclude = excludes[i];
- if (strncmp(r->parsed_uri.path, exclude, strlen(exclude))) {
+ if (strncmp(r->uri, exclude, strlen(exclude))) {
included = 0;
}
}
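Review bot: The exclude loop is bounded by `conf->includes->nelts` while it indexes `excludes[i]`, so it reads past the excludes array when there are more includes than excludes and skips entries in the opposite case; the condition should be `i < conf->excludes->nelts`. The declaration of `excludes` is outside the hunk, so confirm it points at `conf->excludes->elts` before changing the bound.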