diff options
| author | Eric Covener <covener@apache.org> | 2007-06-01 17:50:12 +0200 |
|---|---|---|
| committer | Eric Covener <covener@apache.org> | 2007-06-01 17:50:12 +0200 |
| commit | 9a29cd5f657671998da41c51e1933d23312ad310 (patch) | |
| tree | 727a9596776d7ff337a017f32fe18406a97ad1e9 /modules/cache | |
| parent | * Prevent running through the error stack by returning OK and setting r->status (diff) | |
| download | apache2-9a29cd5f657671998da41c51e1933d23312ad310.tar.xz apache2-9a29cd5f657671998da41c51e1933d23312ad310.zip | |
SECURITY: CVE-2007-1862 (cve.mitre.org)
mod_mem_cache: Copy headers into longer lived storage; header names and
values could previously point to cleaned up storage
PR: 41551
Submitted by: Davi Arnaut <davi haxent.com.br>
Reviewed by: covener
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@543515 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'modules/cache')
| -rw-r--r-- | modules/cache/mod_mem_cache.c | 24 |
1 files changed, 20 insertions, 4 deletions
diff --git a/modules/cache/mod_mem_cache.c b/modules/cache/mod_mem_cache.c index b963a347fe..93439c6401 100644 --- a/modules/cache/mod_mem_cache.c +++ b/modules/cache/mod_mem_cache.c @@ -539,12 +539,28 @@ static int remove_url(cache_handle_t *h, apr_pool_t *p) return OK; } +static apr_table_t *deep_table_copy(apr_pool_t *p, const apr_table_t *table) +{ + const apr_array_header_t *array = apr_table_elts(table); + apr_table_entry_t *elts = (apr_table_entry_t *) array->elts; + apr_table_t *copy = apr_table_make(p, array->nelts); + int i; + + for (i = 0; i < array->nelts; i++) { + if (elts[i].key) { + apr_table_add(copy, elts[i].key, elts[i].val); + } + } + + return copy; +} + static apr_status_t recall_headers(cache_handle_t *h, request_rec *r) { mem_cache_object_t *mobj = (mem_cache_object_t*) h->cache_obj->vobj; - h->req_hdrs = apr_table_copy(r->pool, mobj->req_hdrs); - h->resp_hdrs = apr_table_copy(r->pool, mobj->header_out); + h->req_hdrs = deep_table_copy(r->pool, mobj->req_hdrs); + h->resp_hdrs = deep_table_copy(r->pool, mobj->header_out); return OK; } @@ -586,7 +602,7 @@ static apr_status_t store_headers(cache_handle_t *h, request_rec *r, cache_info * - The original response headers (for returning with a cached response) * - The body of the message */ - mobj->req_hdrs = apr_table_copy(mobj->pool, r->headers_in); + mobj->req_hdrs = deep_table_copy(mobj->pool, r->headers_in); /* Precompute how much storage we need to hold the headers */ headers_out = ap_cache_cacheable_hdrs_out(r->pool, r->headers_out, @@ -600,7 +616,7 @@ static apr_status_t store_headers(cache_handle_t *h, request_rec *r, cache_info } headers_out = apr_table_overlay(r->pool, headers_out, r->err_headers_out); - mobj->header_out = apr_table_copy(mobj->pool, headers_out); + mobj->header_out = deep_table_copy(mobj->pool, headers_out); /* Init the info struct */ obj->info.status = info->status; |