authorStefan Fritsch <sf@sfritsch.de>2012-02-04 17:53:57 +0100
committerStefan Fritsch <sf@sfritsch.de>2012-02-04 17:53:57 +0100
commit9469afe8b83dc37895f32abb7b26d827be0c71ee (patch)
treee9ba3a6ace8f545737ab27ef16984f000be94c79
parent1f504ab2026b915f946dab744782397de652c2bd (diff)
downloadapache2-9469afe8b83dc37895f32abb7b26d827be0c71ee.tar.gz
CVE-2012-0053: Fix an issue in code 400 error responses that could
expose "httpOnly" cookies.
-rw-r--r--debian/changelog2
-rw-r--r--debian/patches/00list1
-rw-r--r--debian/patches/094_CVE-2012-0053.dpatch105
3 files changed, 108 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
index 04322c70..640690b2 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -7,6 +7,8 @@ apache2 (2.2.16-6+squeeze5) UNRELEASED; urgency=high
privilege escalation.
* CVE-2012-0031: Fix client process being able to crash parent process
during shutdown.
+ * CVE-2012-0053: Fix an issue in code 400 error responses that could expose
+ "httpOnly" cookies.
-- Stefan Fritsch <sf@debian.org> Sat, 03 Dec 2011 18:38:51 +0100
diff --git a/debian/patches/00list b/debian/patches/00list
index 32b1e0c5..94c19d77 100644
--- a/debian/patches/00list
+++ b/debian/patches/00list
@@ -35,6 +35,7 @@
091_CVE-2011-3639.dpatch
092_CVE-2011-3607.dpatch
093_CVE-2012-0031.dpatch
+094_CVE-2012-0053.dpatch
099_config_guess_sub_update
200_cp_suexec.dpatch
201_build_suexec-custom.dpatch
diff --git a/debian/patches/094_CVE-2012-0053.dpatch b/debian/patches/094_CVE-2012-0053.dpatch
new file mode 100644
index 00000000..23b49aee
--- /dev/null
+++ b/debian/patches/094_CVE-2012-0053.dpatch
@@ -0,0 +1,105 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: backport of upstream r1235454
+commit 2bb066730e059da7127804a2dd9c999b50934a67
+Author: Eric Covener <covener@apache.org>
+Date: Tue Jan 24 20:02:19 2012 +0000
+
+ backport r1234837 from trunk:
+
+ CVE-2012-0053: Fix an issue in error responses that could expose
+ "httpOnly" cookies when no custom ErrorDocument is specified for
+ status code 400.
+
+ Reviewed By: covener, trawick, gregames
+
+
+
+ git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1235454 13f79535-47bb-0310-9956-ffa450edef68
+
+diff --git a/server/protocol.c b/server/protocol.c
+index 2e3ce93..796ae58 100644
+--- a/server/protocol.c
++++ b/server/protocol.c
+@@ -670,6 +670,16 @@ static int read_request_line(request_rec *r, apr_bucket_brigade *bb)
+ return 1;
+ }
+
++/* get the length of the field name for logging, but no more than 80 bytes */
++#define LOG_NAME_MAX_LEN 80
++static int field_name_len(const char *field)
++{
++ const char *end = ap_strchr_c(field, ':');
++ if (end == NULL || end - field > LOG_NAME_MAX_LEN)
++ return LOG_NAME_MAX_LEN;
++ return end - field;
++}
++
+ AP_DECLARE(void) ap_get_mime_headers_core(request_rec *r, apr_bucket_brigade *bb)
+ {
+ char *last_field = NULL;
+@@ -709,12 +719,15 @@ AP_DECLARE(void) ap_get_mime_headers_core(request_rec *r, apr_bucket_brigade *bb
+ /* insure ap_escape_html will terminate correctly */
+ field[len - 1] = '\0';
+ apr_table_setn(r->notes, "error-notes",
+- apr_pstrcat(r->pool,
++ apr_psprintf(r->pool,
+ "Size of a request header field "
+ "exceeds server limit.<br />\n"
+- "<pre>\n",
+- ap_escape_html(r->pool, field),
+- "</pre>\n", NULL));
++ "<pre>\n%.*s\n</pre>/n",
++ field_name_len(field),
++ ap_escape_html(r->pool, field)));
++ ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
++ "Request header exceeds LimitRequestFieldSize: "
++ "%.*s", field_name_len(field), field);
+ }
+ return;
+ }
+@@ -735,13 +748,17 @@ AP_DECLARE(void) ap_get_mime_headers_core(request_rec *r, apr_bucket_brigade *bb
+ * overflow (last_field) as the field with the problem
+ */
+ apr_table_setn(r->notes, "error-notes",
+- apr_pstrcat(r->pool,
++ apr_psprintf(r->pool,
+ "Size of a request header field "
+ "after folding "
+ "exceeds server limit.<br />\n"
+- "<pre>\n",
+- ap_escape_html(r->pool, last_field),
+- "</pre>\n", NULL));
++ "<pre>\n%.*s\n</pre>\n",
++ field_name_len(last_field),
++ ap_escape_html(r->pool, last_field)));
++ ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
++ "Request header exceeds LimitRequestFieldSize "
++ "after folding: %.*s",
++ field_name_len(last_field), last_field);
+ return;
+ }
+
+@@ -773,13 +790,18 @@ AP_DECLARE(void) ap_get_mime_headers_core(request_rec *r, apr_bucket_brigade *bb
+ if (!(value = strchr(last_field, ':'))) { /* Find ':' or */
+ r->status = HTTP_BAD_REQUEST; /* abort bad request */
+ apr_table_setn(r->notes, "error-notes",
+- apr_pstrcat(r->pool,
++ apr_psprintf(r->pool,
+ "Request header field is "
+ "missing ':' separator.<br />\n"
+- "<pre>\n",
++ "<pre>\n%.*s</pre>\n",
++ (int)LOG_NAME_MAX_LEN,
+ ap_escape_html(r->pool,
+- last_field),
+- "</pre>\n", NULL));
++ last_field)));
++ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
++ "Request header field is missing ':' "
++ "separator: %.*s", (int)LOG_NAME_MAX_LEN,
++ last_field);
++
+ return;
+ }
+
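Review bot: The format string in the first rewritten error-notes call, `"<pre>\n%.*s\n</pre>/n",`, has a `/n` where the two later hunks write `\n`, so the error-notes value for the LimitRequestFieldSize case ends in a literal `</pre>/n` in the 400 response body; it should read `"<pre>\n%.*s\n</pre>\n",`. A second point on the same three call sites: the `%.*s` precision from `field_name_len()` (or the bare `LOG_NAME_MAX_LEN`) is measured on the raw field but applied to the `ap_escape_html()` output, so when the header name contains characters that escape to entities the cut can land inside an entity, giving malformed HTML, although it can never show more of the field than the truncated name, so the fix's intent of keeping the cookie value out of the response still holds. The three protocol.c hunks inside the dpatch are excerpts of `ap_get_mime_headers_core`, whose body begins and ends outside them.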