author | Yann Ylavic <ylavic@apache.org> | 2015-06-24 18:04:49 +0000 |
---|---|---|
committer | Yann Ylavic <ylavic@apache.org> | 2015-06-24 18:04:49 +0000 |
commit | 5ef157ba2af1efad5cf110579e339117df25135a (patch) | |
tree | 7870713d4a01ecac618b9c28c46826b85cc365d7 | |
parent | 74231d7ca3e7961d0e4f7b8e6c156f2da5388730 (diff) | |
download | httpd-5ef157ba2af1efad5cf110579e339117df25135a.tar.gz |
Merge r1685345, r1685347, r1685349 and r1685350 from trunk.
core: Allow spaces after chunk-size for compatibility with implementations
using a pre-filled buffer.
Submitted by: ylavic, trawick
Reviewed by: ylavic, wrowe, minfrin
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1687339 13f79535-47bb-0310-9956-ffa450edef68
-rw-r--r-- | CHANGES | 3 | ||||
-rw-r--r-- | STATUS | 36 | ||||
-rw-r--r-- | modules/http/http_filters.c | 14 |
3 files changed, 15 insertions, 38 deletions
@@ -8,6 +8,9 @@ Changes with Apache 2.2.30 Limit accepted chunk-size to 2^63-1 and be strict about chunk-ext authorized characters. [Graham Leggett, Yann Ylavic] + *) core: Allow spaces after chunk-size for compatibility with implementations + using a pre-filled buffer. [Yann Ylavic, Jeff Trawick] + *) mod_ssl: bring SNI behavior into better conformance with RFC 6066: no longer send warning-level unrecognized_name(112) alerts. PR 56241. [Kaspar Brand] 
@@ -101,42 +101,6 @@ RELEASE SHOWSTOPPERS: PATCHES ACCEPTED TO BACKPORT FROM TRUNK: [ start all new proposals below, under PATCHES PROPOSED. ] - *) SECURITY: CVE-2015-3183 (cve.mitre.org) - core: Fix chunk header parsing defect. - Remove apr_brigade_flatten(), buffering and duplicated code from - the HTTP_IN filter, parse chunks in a single pass with zero copy. - Limit accepted chunk-size to 2^63-1 and be strict about chunk-ext - authorized characters. [Graham Leggett, Yann Ylavic] - Submitted by: minfrin, ylavic - Reviewed by: ylavic, wrowe, - Backports: 1484852, 1684513 - Reported by: regilero <regis.leroy makina-corpus.com> - - trunk - http://svn.apache.org/r1484852 - http://svn.apache.org/r1684513 - 2.4.x branch - http://svn.apache.org/r1684515 - 2.2.x branch - http://people.apache.org/~wrowe/httpd-2.2.x-ap_http_filter-chunked-v6.patch - +1: ylavic, wrowe, minfrin - jim notes: test framework errors due to 413->400 error change [test adjusted] - wrowe notes: r1684513 was not neglected in this patch, already included - - *) core: Allow spaces after chunk-size for compatibility with implementations - using a pre-filled buffer. - trunk patch: http://svn.apache.org/r1685345 - http://svn.apache.org/r1685347 - http://svn.apache.org/r1685349 - http://svn.apache.org/r1685350 - 2.[24].x patch: http://people.apache.org/~ylavic/httpd-2.4.x-ap_http_filter_chunked-v3.patch - (trunk works but CHANGES entry in the above patch is - better since the APLOG_INFO part is already included - in the CVE-2015-3183 patch) - +1: ylavic, wrowe, minfrin - ylavic: CVE-2015-3183 patch httpd-2.2.x-ap_http_filter-chunked-v6.patch - above must be applied first. - PATCHES PROPOSED TO BACKPORT FROM TRUNK: [ New proposals should be added at the end of the list ] diff --git a/modules/http/http_filters.c b/modules/http/http_filters.c index 5e190cb5fe..94cac96f81 100644 --- a/modules/http/http_filters.c +++ b/modules/http/http_filters.c 
@@ -70,10 +70,11 @@ typedef struct http_filter_ctx
 BODY_CHUNK, /* chunk expected */
 BODY_CHUNK_PART, /* chunk digits */
 BODY_CHUNK_EXT, /* chunk extension */
- BODY_CHUNK_LF, /* got CR, expect LF after digits/extension */
+ BODY_CHUNK_CR, /* got space(s) after digits, expect [CR]LF or ext */
+ BODY_CHUNK_LF, /* got CR after digits or ext, expect LF */
 BODY_CHUNK_DATA, /* data constrained by chunked encoding */
 BODY_CHUNK_END, /* chunked data terminating CRLF */
- BODY_CHUNK_END_LF, /* got CR, expect LF after data */
+ BODY_CHUNK_END_LF, /* got CR after data, expect LF */
 BODY_CHUNK_TRAILER /* trailers */
 } state;
 unsigned int eos_sent :1;
@@ -203,6 +204,15 @@ static apr_status_t parse_chunk_size(http_ctx_t *ctx, const char *buffer,
 return APR_EINVAL;
 }
 }
+ else if (c == ' ' || c == '\t') {
+ ctx->state = BODY_CHUNK_CR;
+ }
+ else if (ctx->state == BODY_CHUNK_CR) {
+ /*
+ * ';', CR or LF expected.
+ */
+ return APR_EINVAL;
+ }
 else if (ctx->state == BODY_CHUNK_PART) {
 int xvalue;
 |
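Review bot: The new `c == ' ' || c == '\t'` branch in parse_chunk_size accepts any number of spaces or tabs after the chunk-size digits. Nothing visible in this hunk caps the run, so the leniency is open-ended unless a line-length limit is enforced in the part of the function outside the hunk. The stated goal is compatibility with senders that pad a pre-filled buffer, and a small fixed cap would cover that case while keeping the accepted grammar narrow; that matters because chunk framing which a front end and this parser read differently is the precondition for request smuggling. One way is a counter in http_ctx_t that is reset when a new chunk-size line starts, with this branch returning APR_EINVAL once the count passes the cap. I would also extend the comment in the BODY_CHUNK_CR branch to record that digits after whitespace are rejected on purpose, e.g. `/* whitespace ends the size: only ';', CR or LF may follow */`.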