diff options
Diffstat (limited to 'www/apache22/patches/patch-ah')
| -rw-r--r-- | www/apache22/patches/patch-ah | 44 |
1 files changed, 44 insertions, 0 deletions
diff --git a/www/apache22/patches/patch-ah b/www/apache22/patches/patch-ah new file mode 100644 index 00000000000..f42450e7da1 --- /dev/null +++ b/www/apache22/patches/patch-ah @@ -0,0 +1,44 @@ +$NetBSD: patch-ah,v 1.1 2009/07/14 12:23:40 tron Exp $ + +Fix for CVE-2009-1890 taken from here: + +http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/proxy/mod_proxy_http.c?r1=790587&r2=790586&pathrev=790587 + +--- modules/proxy/mod_proxy_http.c.orig 2008-11-11 20:04:34.000000000 +0000 ++++ modules/proxy/mod_proxy_http.c 2009-07-14 13:03:49.000000000 +0100 +@@ -422,10 +422,16 @@ + apr_off_t bytes_streamed = 0; + + if (old_cl_val) { ++ char *endstr; ++ + add_cl(p, bucket_alloc, header_brigade, old_cl_val); +- if (APR_SUCCESS != (status = apr_strtoff(&cl_val, old_cl_val, NULL, +- 0))) { +- return HTTP_INTERNAL_SERVER_ERROR; ++ status = apr_strtoff(&cl_val, old_cl_val, &endstr, 10); ++ ++ if (status || *endstr || endstr == old_cl_val || cl_val < 0) { ++ ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r, ++ "proxy: could not parse request Content-Length (%s)", ++ old_cl_val); ++ return HTTP_BAD_REQUEST; + } + } + terminate_headers(bucket_alloc, header_brigade); +@@ -453,8 +459,13 @@ + * + * Prevents HTTP Response Splitting. + */ +- if (bytes_streamed > cl_val) +- continue; ++ if (bytes_streamed > cl_val) { ++ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, ++ "proxy: read more bytes of request body than expected " ++ "(got %" APR_OFF_T_FMT ", expected %" APR_OFF_T_FMT ")", ++ bytes_streamed, cl_val); ++ return HTTP_INTERNAL_SERVER_ERROR; ++ } + + if (header_brigade) { + /* we never sent the header brigade, so go ahead and |