author | Stefan Fritsch <sf@debian.org> | 2009-07-30 11:48:42 +0000 |
---|---|---|
committer | Stefan Fritsch <sf@sfritsch.de> | 2012-01-02 10:37:03 +0100 |
commit | 385d9c94b3dfc568e0f6a08334372bbfed9b10eb (patch) | |
tree | 5ee1ecd1ec94900ef40cb4669781ea23a214260d | |
parent | 538918bc60965c5593f5f0c9d84ec5c53b3ee482 (diff) | |
download | apache2-385d9c94b3dfc568e0f6a08334372bbfed9b10eb.tar.gz |
Make mod_deflate not compress the content for HEAD requests
git-svn-id: svn+ssh://svn.debian.org/svn/pkg-apache/trunk/apache2@1012 01b336ce-410b-0410-9a02-a0e7f243c266
-rw-r--r-- | debian/changelog | 2 | ||||
-rw-r--r-- | debian/patches/00list | 1 | ||||
-rw-r--r-- | debian/patches/069_no_deflate_for_HEAD.dpatch | 30 |
3 files changed, 33 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
index abef55af..a096566f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -5,6 +5,8 @@ apache2 (2.2.12-1) UNRELEASED; urgency=low - Fixes timefmt config in SSI (closes: #363964). - mod_ssl: Adds SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN directives to enable stricter checking of remote server certificates.
+ * Make mod_deflate not compress the content for HEAD requests. This is a
+ similar issue as CVE-2009-1891.
* Enable hardening compile options.
* Switch default LogFormat from %b (size of file sent) to %O (bytes actually sent) (closes: #272476 LP: #255124)
diff --git a/debian/patches/00list b/debian/patches/00list
index 80896524..06acfd28 100644
--- a/debian/patches/00list
+++ b/debian/patches/00list
@@ -18,6 +18,7 @@
058_suexec-CVE-2007-1742.dpatch
067_fix_segfault_in_ab.dpatch
068_mod_dav_detect_EOF.dpatch
+069_no_deflate_for_HEAD.dpatch
099_config_guess_sub_update
200_cp_suexec.dpatch
201_build_suexec-custom.dpatch
diff --git a/debian/patches/069_no_deflate_for_HEAD.dpatch b/debian/patches/069_no_deflate_for_HEAD.dpatch
new file mode 100644
index 00000000..ba1c8997
--- /dev/null
+++ b/debian/patches/069_no_deflate_for_HEAD.dpatch
@@ -0,0 +1,30 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: mod_deflate DoS
+## DP: This should switch off deflate for HEAD requests
+## DP: Patch by Ruediger Pluem
+
+@DPATCH@
+--- a/modules/filters/mod_deflate.c (revision 793927)
++++ a/modules/filters/mod_deflate.c (working copy)
+@@ -629,6 +629,19 @@
+ apr_bucket *b;
+ apr_size_t len;
+
++ /*
++ * Optimization: If we are a HEAD request and bytes_sent is not zero
++ * it means that we have passed the content-length filter once and
++ * have more data to sent. This means that the content-length filter
++ * could not determine our content-length for the response to the
++ * HEAD request anyway (the associated GET request would deliver the
++ * body in chunked encoding) and we can stop compressing.
++ */
++ if (r->header_only && r->bytes_sent) {
++ ap_remove_output_filter(f);
++ return ap_pass_brigade(f->next, bb);
++ }
++
+ e = APR_BRIGADE_FIRST(bb);
+
+ if (APR_BUCKET_IS_EOS(e)) { |
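Review bot: The early return under `if (r->header_only && r->bytes_sent)` only fires on a pass after bytes have already gone out, so by then an earlier pass has presumably opened the zlib stream in the filter context, and the added comment explains why compression can stop but not how that stream is finalized once the normal EOS path (where deflateEnd would presumably run) is skipped. If a pool cleanup releases it, a line such as `/* The zlib stream opened on an earlier pass is released by the pool cleanup, not here. */` would make that explicit; if nothing does, this path leaks one stream per HEAD request that reaches it, which undercuts a change whose stated purpose (the changelog likens it to CVE-2009-1891) is to bound the resources spent on HEAD requests. The comment also has a typo: `have more data to sent` should read `have more data to send`. The enclosing output filter function begins and ends outside the hunk, so whether the context is already initialized at this point cannot be confirmed from the hunk alone.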