From 115c1e496d8f7057447571534bd73bb61e99b114 Mon Sep 17 00:00:00 2001 From: "William A. Rowe Jr" Date: Thu, 21 Jan 2010 07:19:41 +0000 Subject: Correctly align the behavior of headers_in to be consistent with the treatment of headers_out, resolving PR 48359 by keeping subrequest scope changes out of the main request headers. This ensures that all requests-without-bodies behave as the requests-with-bodies code has. Mitre: CVE-2010-0434 git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@901578 13f79535-47bb-0310-9956-ffa450edef68 --- server/protocol.c | 17 +++++++---------- 1 file changed, 7 insertions(+), 10 deletions(-) (limited to 'server/protocol.c') diff --git a/server/protocol.c b/server/protocol.c index 38840f5429..8061dc7de1 100644 --- a/server/protocol.c +++ b/server/protocol.c @@ -1074,15 +1074,13 @@ request_rec *ap_read_request(conn_rec *conn) return r; } -/* if a request with a body creates a subrequest, clone the original request's - * input headers minus any headers pertaining to the body which has already - * been read. out-of-line helper function for ap_set_sub_req_protocol. +/* if a request with a body creates a subrequest, remove original request's + * input headers which pertain to the body which has already been read. + * out-of-line helper function for ap_set_sub_req_protocol. */ -static void clone_headers_no_body(request_rec *rnew, - const request_rec *r) +static void strip_headers_request_body(request_rec *rnew) { - rnew->headers_in = apr_table_copy(rnew->pool, r->headers_in); apr_table_unset(rnew->headers_in, "Content-Encoding"); apr_table_unset(rnew->headers_in, "Content-Language"); apr_table_unset(rnew->headers_in, "Content-Length"); 
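Review bot: strip_headers_request_body() now edits rnew->headers_in in place, but the rewritten comment above it does not say that the caller must already have given rnew its own table. If it were ever called while rnew->headers_in still pointed at r->headers_in, the apr_table_unset() calls would strip the Content-* headers from the parent request as well. The wording "remove original request's input headers" also reads as if the parent's table were the target. I would reword the comment to `/* drop body-related headers from the subrequest's private copy of headers_in; the caller must have copied the table into rnew->pool first. */`. The function body continues past the end of this hunk.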
@@ -1116,15 +1114,14 @@ AP_DECLARE(void) ap_set_sub_req_protocol(request_rec *rnew, rnew->status = HTTP_OK; + rnew->headers_in = apr_table_copy(rnew->pool, r->headers_in); + /* did the original request have a body? (e.g. POST w/SSI tags) * if so, make sure the subrequest doesn't inherit body headers */ if (!r->kept_body && (apr_table_get(r->headers_in, "Content-Length") || apr_table_get(r->headers_in, "Transfer-Encoding"))) { - clone_headers_no_body(rnew, r); - } else { - /* no body (common case). clone headers the cheap way */ - rnew->headers_in = r->headers_in; + strip_headers_request_body(rnew); } rnew->subprocess_env = apr_table_copy(rnew->pool, r->subprocess_env); rnew->headers_out = apr_table_make(rnew->pool, 5); -- cgit v1.2.3
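Review bot: The unconditional `rnew->headers_in = apr_table_copy(rnew->pool, r->headers_in);` added ahead of the body check has no comment saying why the copy must never be skipped. The removed else-branch ("clone headers the cheap way") shows how easily a later cleanup could bring the pointer share back. Per the commit message, this copy is what keeps subrequest-scoped header changes out of the main request, so I would add `/* always give the subrequest a private headers_in; sharing r->headers_in lets subrequest changes reach the main request */` above that line. ap_set_sub_req_protocol starts before this hunk and continues after it.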