diff options
| author | Eric Covener <covener@apache.org> | 2023-03-05 20:22:52 +0000 |
|---|---|---|
| committer | Eric Covener <covener@apache.org> | 2023-03-05 20:22:52 +0000 |
| commit | d753ea76b5972a85349b68c31b59d04c60014f2d (patch) | |
| tree | f9d0b969a22d2a65d1ff7124cf9ad450e8fa4ff9 | |
| parent | 935c2db17770271845dc2666d83f589bb501fef3 (diff) | |
| download | httpd-d753ea76b5972a85349b68c31b59d04c60014f2d.tar.gz | |
Merge r1907980 from trunk:
mod_proxy_uwsgi: Stricter backend HTTP response parsing/validation
Reviewed By: ylavic, covener, gbechis, rpluem
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1908094 13f79535-47bb-0310-9956-ffa450edef68
| -rw-r--r-- | changes-entries/proxy_uwsgi_response_validation.txt | 2 | ||||
| -rw-r--r-- | modules/proxy/mod_proxy_uwsgi.c | 49 |
2 files changed, 37 insertions, 14 deletions
diff --git a/changes-entries/proxy_uwsgi_response_validation.txt b/changes-entries/proxy_uwsgi_response_validation.txt new file mode 100644 index 0000000000..2cdb6c6300 --- /dev/null +++ b/changes-entries/proxy_uwsgi_response_validation.txt @@ -0,0 +1,2 @@ + *) mod_proxy_uwsgi: Stricter backend HTTP response parsing/validation. + [Yann Ylavic] diff --git a/modules/proxy/mod_proxy_uwsgi.c b/modules/proxy/mod_proxy_uwsgi.c index e02450ef06..92e153cc24 100644 --- a/modules/proxy/mod_proxy_uwsgi.c +++ b/modules/proxy/mod_proxy_uwsgi.c @@ -307,18 +307,16 @@ static int uwsgi_response(request_rec *r, proxy_conn_rec * backend, pass_bb = apr_brigade_create(r->pool, c->bucket_alloc); len = ap_getline(buffer, sizeof(buffer), rp, 1); - if (len <= 0) { - /* oops */ + /* invalid or empty */ return HTTP_INTERNAL_SERVER_ERROR; } - backend->worker->s->read += len; - - if (len >= sizeof(buffer) - 1) { - /* oops */ + if ((apr_size_t)len >= sizeof(buffer)) { + /* too long */ return HTTP_INTERNAL_SERVER_ERROR; } + /* Position of http status code */ if (apr_date_checkmask(buffer, "HTTP/#.# ###*")) { status_start = 9; @@ -327,8 +325,8 @@ static int uwsgi_response(request_rec *r, proxy_conn_rec * backend, status_start = 7; } else { - /* oops */ - return HTTP_INTERNAL_SERVER_ERROR; + /* not HTTP */ + return HTTP_BAD_GATEWAY; } status_end = status_start + 3; @@ -348,21 +346,44 @@ static int uwsgi_response(request_rec *r, proxy_conn_rec * backend, } r->status_line = apr_pstrdup(r->pool, &buffer[status_start]); - /* start parsing headers */ + /* parse headers */ while ((len = ap_getline(buffer, sizeof(buffer), rp, 1)) > 0) { + if ((apr_size_t)len >= sizeof(buffer)) { + /* too long */ + len = -1; + break; + } value = strchr(buffer, ':'); - /* invalid header skip */ - if (!value) - continue; - *value = '\0'; - ++value; + if (!value) { + /* invalid header */ + len = -1; + break; + } + *value++ = '\0'; + if (*ap_scan_http_token(buffer)) { + /* invalid name */ + len = -1; + break; + } while (apr_isspace(*value)) ++value; for (end = &value[strlen(value) - 1]; end > value && apr_isspace(*end); --end) *end = '\0'; + if (*ap_scan_http_field_content(value)) { + /* invalid value */ + len = -1; + break; + } apr_table_add(r->headers_out, buffer, value); } + if (len < 0) { + /* Reset headers, but not to NULL because things below the chain expect + * this to be non NULL e.g. the ap_content_length_filter. + */ + r->headers_out = apr_table_make(r->pool, 1); + return HTTP_BAD_GATEWAY; + } if ((buf = apr_table_get(r->headers_out, "Content-Type"))) { ap_set_content_type(r, apr_pstrdup(r->pool, buf)); |