From afea2a1dc450cbd336df2a8494e87d57a2dc2b22 Mon Sep 17 00:00:00 2001 From: Stefan Fritsch Date: Tue, 28 Dec 2010 14:20:52 +0000 Subject: When exporting request headers to HTTP_* environment variables, drop variables whose names contain invalid characters. Describe in the docs how to restore the old behaviour. Submitted by: Malte S. Stretz git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1053353 13f79535-47bb-0310-9956-ffa450edef68 --- CHANGES | 4 ++++ docs/manual/env.xml | 34 ++++++++++++++++++++++++++++++++++ docs/manual/howto/cgi.xml | 20 +++++++++++++++----- docs/manual/new_features_2_4.xml | 11 ++++++++++- server/util_script.c | 11 +++++++---- 5 files changed, 70 insertions(+), 10 deletions(-) diff --git a/CHANGES b/CHANGES index b6a5f34e1d..a11a200271 100644 --- a/CHANGES +++ b/CHANGES @@ -2,6 +2,10 @@ Changes with Apache 2.3.11 + *) core: When exporting request headers to HTTP_* environment variables, + drop variables whose names contain invalid characters. Describe in the + docs how to restore the old behaviour. [Malte S. Stretz ] + *) core: When selecting an IP-based virtual host, favor an exact match for the port over a wildcard (or omitted) port instead of favoring the one that came first in the configuration file. [Eric Covener] diff --git a/docs/manual/env.xml b/docs/manual/env.xml index 055f69e7d9..1cfcb7ff44 100644 --- a/docs/manual/env.xml +++ b/docs/manual/env.xml @@ -140,6 +140,13 @@ not be a number. Characters which do not match this restriction will be replaced by an underscore when passed to CGI scripts and SSI pages. + +
  • A special case are HTTP headers which are passed to CGI + scripts and the like via environment variables (see below). + They are converted to uppercase and only dashes are replaced with + underscores; if the header contains any other (invalid) character, + the whole header is silently dropped. See + below for a workaround.
  • The SetEnv directive runs late during request processing meaning that directives such as @@ -423,6 +430,33 @@
    Examples +
    + Passing broken headers to CGI scripts + +

    Starting with version 2.4, Apache is more strict about how HTTP + headers are converted to environment variables in mod_cgi + and other modules: Previously any invalid characters + in header names were simply translated to underscores. This allowed + for some potential cross-site-scripting attacks via header injection + (see + Unusual Web Bugs, slide 19/20).

    + +

    If you have to support a client which sends broken headers and + which can't be fixed, a simple workaround involving mod_setenvif + and mod_header allows you to still accept + these headers:

    + +
    +# 
+# The following works around a client sending a broken Accept_Encoding
+# header.
+#
+SetEnvIfNoCase ^Accept.Encoding$ ^(.*)$ fix_accept_encoding=$1
+RequestHeader set Accept-Encoding %{fix_accept_encoding}e env=fix_accept_encoding
+
     + +
    +
    Changing protocol behavior with misbehaving clients diff --git a/docs/manual/howto/cgi.xml b/docs/manual/howto/cgi.xml index ca239138a4..890c6087b1 100644 --- a/docs/manual/howto/cgi.xml +++ b/docs/manual/howto/cgi.xml @@ -352,11 +352,6 @@

    Make sure that this is in fact the path to the interpreter.

    - -

    In addition, if your CGI program depends on other environment variables, you will need to - assure that those variables are passed by Apache.

    - When editing CGI scripts on Windows, end-of-line characters may be appended to the interpreter path. Ensure that files are then @@ -365,6 +360,21 @@ unrecognized end-of-line character being interpreted as a part of the interpreter filename. +
    + +
    + Missing environment variables + +

    If your CGI program depends on non-standard environment variables, you will need to + assure that those variables are passed by Apache.

    + +

    When you miss HTTP headers from the environment, make + sure they are formatted according to + RFC 2616, + section 4.2: Header names must start with a letter, + followed only by letters, numbers or hyphen. Any header + violating this rule will be dropped silently.

    diff --git a/docs/manual/new_features_2_4.xml b/docs/manual/new_features_2_4.xml index 94539bd5d9..70f7a8d7e4 100644 --- a/docs/manual/new_features_2_4.xml +++ b/docs/manual/new_features_2_4.xml @@ -109,11 +109,20 @@ authentication or authorization.
    mod_include
    -
    Support for the 'onerror' attribute within an 'include' element, allowing an error document to be served on error instead of the default error string.
    +
    mod_cgi, mod_include, + mod_isapi, ...
    +
    Translation of headers to environment variables is more strict than + before to mitigate some possible cross-site-scripting attacks via header + injection. Headers containing invalid characters (including underscores) + are now silently dropped. Environment Variables + in Apache has some pointers on how to work around broken legacy + clients which require such headers. (This affects all modules which + use these environment variables.)
    +
    diff --git a/server/util_script.c b/server/util_script.c index f5e4ef1210..2a987b1fba 100644 --- a/server/util_script.c +++ b/server/util_script.c @@ -67,11 +67,14 @@ static char *http2env(apr_pool_t *a, const char *w) *cp++ = '_'; while ((c = *w++) != 0) { - if (!apr_isalnum(c)) { + if (apr_isalnum(c)) { + *cp++ = apr_toupper(c); + } + else if (c == '-') { *cp++ = '_'; } else { - *cp++ = apr_toupper(c); + return NULL; } } *cp = 0; @@ -175,8 +178,8 @@ AP_DECLARE(void) ap_add_common_vars(request_rec *r) continue; } #endif - else { - apr_table_addn(e, http2env(r->pool, hdrs[i].key), hdrs[i].val); + else if ((env_temp = http2env(r->pool, hdrs[i].key)) != NULL) { + apr_table_addn(e, env_temp, hdrs[i].val); } } -- cgit v1.2.3