author | Jeff Trawick <trawick@apache.org> | 2013-06-26 16:09:35 +0000 |
---|---|---|
committer | Jeff Trawick <trawick@apache.org> | 2013-06-26 16:09:35 +0000 |
commit | b0f63ef04a245161a7c57e716bf1f54d68a1e85a (patch) | |
tree | 3fc0bbf5426ad9a3fc32407d55e7df2a72cb75b9 | |
parent | bd7472686fb20d968a13c9be1268d4de13d9c112 (diff) | |
download | httpd-b0f63ef04a245161a7c57e716bf1f54d68a1e85a.tar.gz |
The merge of AllowAnyURI to 2.0.x (r1489910) included the changes I
wanted, and 2.0.x-HEAD passes my 3368/4317 testcases with HTTP 0.9
and 1.0, so I have no remaining concerns. (Thanks rjung+covener.)
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@1496984 13f79535-47bb-0310-9956-ffa450edef68
-rw-r--r-- | STATUS | 49 |
1 files changed, 0 insertions, 49 deletions
@@ -114,55 +114,6 @@ CURRENT RELEASE NOTES: RELEASE SHOWSTOPPERS: - *) SECURITY: CVE-2011-4317 (cve.mitre.org) - Resolve additional cases of URL rewriting with ProxyPassMatch or - RewriteRule, where particular request-URIs could result in undesired - backend network exposure in some configurations. - [Joe Orton] - - trawick: Applying the existing 2.0.x patch for CVE-2011-3368 to - 2.0.64, the three well-known testcases work for HTTP 1.0 - but fail with HTTP 0.9; after applying r1235443 (backing - out the server/protocol.c change and fixing rewrite and - proxy), the three well-known testcases work for me with - both HTTP 1.0 and HTTP 0.9. - - The reason is that ap_read_request() looks for a bad - status only for HTTP >= 1.0; processing proceeds for - HTTP/0.9 even after going through the error path in the - existing CVE-2011-3368 patch. - - The CVE-2011-3368 solution for 2.0 could be modified, - but I prefer going with the current CVE-2011-4317 - solution since it handles everything. - - While 2.2 also skips checking r->status for HTTP 0.9 - in the obvious place, this logic in ap_read_request() - finally catches the problem before proceeding too far - with the request: - -1052 * status codes that do not cause the connection to be dropped and -1053 * in situations where the connection should be kept alive. -1054 */ -1055 -1056 ap_add_input_filter_handle(ap_http_input_filter_handle, -1057 NULL, r, r->connection); -1058 -1059 if (r->status != HTTP_OK) { -1060 ap_send_error_response(r, 0); -1061 ap_update_child_status(conn->sbh, SERVER_BUSY_LOG, r); - - From 2.2.x: http://svn.apache.org/viewvc?view=revision&revision=1235443 - Individual patches apply with offsets; here's a clean all-in-one: - http://people.apache.org/~trawick/2.0-CVE-2011-4317-r1235443.patch - +1: jim, wrowe (as incorporated by rjung below) - trawick: 2.2/2.4 now have a different solution (AllowAnyURI). - rjung: I added the AllowAnyURI patch below. 
Version 2 of the patch - integrates your 2.0-CVE-2011-4317-r1235443.patch. - covener: this is no longer needed after rjungs AllowAnyURI which is now - backported, right? - http://svn.apache.org/viewvc?view=revision&revision=r1489910 - PATCHES ACCEPTED TO BACKPORT FROM TRUNK: [ start all new proposals below, under PATCHES PROPOSED. ] |
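Review bot: trawick's removed note on ap_read_request() records why the existing 2.0.x CVE-2011-3368 patch passes the three testcases for HTTP 1.0 but fails for HTTP 0.9 (the bad-status check is made only for HTTP >= 1.0, so processing continues after the error path), and that reasoning disappears from STATUS with this deletion. Dropping the showstopper is consistent with the commit message, which says the r1489910 AllowAnyURI merge included the wanted changes and that 2.0.x-HEAD passes the 3368/4317 testcases with HTTP 0.9 and 1.0, but consider carrying the HTTP 0.9 rationale into the commit message or a comment near the r->status check so the need to test both protocol versions stays documented. The same lines also remove covener's question ("this is no longer needed after rjungs AllowAnyURI which is now backported, right?") without a recorded answer; the commit message would be clearer if it said outright that the r1235443 backport proposal is superseded by r1489910 rather than applied.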