author: Andrey A. Chernov <ache@FreeBSD.org> 2005-08-11 12:34:43 +0000
committer: Andrey A. Chernov <ache@FreeBSD.org> 2005-08-11 12:34:43 +0000
commit: a07d258ebadafe919e19988a08bf78f7483560a7 (patch)
tree: 6c329093d70322cea8395af299aa1e449d74e849 /www/apache13
parent: 992437d83f8c35c23535b94ad15b3834456e8986 (diff)
download: ports-a07d258ebadafe919e19988a08bf78f7483560a7.tar.gz
ports-a07d258ebadafe919e19988a08bf78f7483560a7.zip
2 files changed, 88 insertions, 1 deletions
diff --git a/www/apache13/Makefile b/www/apache13/Makefile
index 220a9cc808f7..4786ab67f8f4 100644
--- a/www/apache13/Makefile
+++ b/www/apache13/Makefile
@@ -7,7 +7,7 @@
 
 PORTNAME=	apache
 PORTVERSION=	1.3.33
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	www
 MASTER_SITES=   ${MASTER_SITE_APACHE_HTTPD}
 DISTNAME=	apache_${PORTVERSION}
diff --git a/www/apache13/files/patch-secfix-CAN-2005-2088 b/www/apache13/files/patch-secfix-CAN-2005-2088
new file mode 100644
index 000000000000..c4315400577e
--- /dev/null
+++ b/www/apache13/files/patch-secfix-CAN-2005-2088
@@ -0,0 +1,87 @@
+--- src/modules/proxy/proxy_http.c	2005/07/14 05:09:17	218987
++++ src/modules/proxy/proxy_http.c	2005/07/14 05:19:15	218988
+@@ -121,7 +121,7 @@
+     char portstr[32];
+     pool *p = r->pool;
+     int destport = 0;
+-    int chunked = 0;
++    const char *chunked = NULL;
+     char *destportstr = NULL;
+     const char *urlptr = NULL;
+     const char *datestr, *urlstr;
+@@ -338,7 +338,12 @@
+         ap_table_mergen(req_hdrs, "X-Forwarded-Server", r->server->server_hostname);
+     } 
+ 
+-    /* we don't yet support keepalives - but we will soon, I promise! */
++    /* we don't yet support keepalives - but we will soon, I promise! 
++     * XXX: This introduces various HTTP Request vulnerabilies if not
++     * properly implemented.  Before changing this .. be certain to
++     * add a hard-close of the connection if the T-E and C-L headers
++     * are both present, or the C-L header is malformed.
++     */
+     ap_table_set(req_hdrs, "Connection", "close");
+ 
+     reqhdrs_arr = ap_table_elts(req_hdrs);
+@@ -475,25 +480,40 @@
+         }
+ 
+         /* is this content chunked? */
+-        chunked = ap_find_last_token(r->pool,
+-                                     ap_table_get(resp_hdrs, "Transfer-Encoding"),
+-                                     "chunked");
++        chunked = ap_table_get(resp_hdrs, "Transfer-Encoding");
++        if (chunked && (strcasecmp(chunked, "chunked") != 0)) {
++            ap_kill_timeout(r);
++            return ap_proxyerror(r, HTTP_BAD_GATEWAY, ap_pstrcat(r->pool,
++                                 "Unsupported Transfer-Encoding ", chunked,
++                                 " from remote server", NULL));
++        }
+ 
+         /* strip hop-by-hop headers defined by Connection and RFC2616 */
+         ap_proxy_clear_connection(p, resp_hdrs);
+ 
+         content_length = ap_table_get(resp_hdrs, "Content-Length");
+         if (content_length != NULL) {
+-            c->len = ap_strtol(content_length, NULL, 10);
+-
+-	    if (c->len < 0) {
+-		ap_kill_timeout(r);
+-		return ap_proxyerror(r, HTTP_BAD_GATEWAY, ap_pstrcat(r->pool,
+-				     "Invalid Content-Length from remote server",
+-                                      NULL));
++            if (chunked) {
++                /* XXX: We would unset keep-alive here, to the proxy
++                 * origin server, for safety's sake but we aren't using
++                 * keep-alives (we force Connection: close  above)
++                 */
++                nocache = 1;        /* do not cache this suspect file */
++                ap_table_unset(resp_hdrs, "Content-Length");
++            }
++            else {
++                char *len_end;
++                errno = 0;
++                c->len = ap_strtol(content_length, &len_end, 10);
++
++                if (errno || (c->len < 0) || (len_end && *len_end)) {
++                    ap_kill_timeout(r);
++                    return ap_proxyerror(r, HTTP_BAD_GATEWAY, 
++                                         "Invalid Content-Length from remote"
++                                         " server");
++                }
+ 	    }
+         }
+-
+     }
+     else {
+         /* an http/0.9 response */
+@@ -612,7 +632,8 @@
+  * content length is not known. We need to make 100% sure c->len is always
+  * set correctly before we get here to correctly do keepalive.
+  */
+-        ap_proxy_send_fb(f, r, c, c->len, 0, chunked, conf->io_buffer_size);
++        ap_proxy_send_fb(f, r, c, c->len, 0, chunked != NULL, 
++                         conf->io_buffer_size);
+     }
+ 
+     /* ap_proxy_send_fb() closes the socket f for us */
author	Andrey A. Chernov <ache@FreeBSD.org>	2005-08-11 12:34:43 +0000
committer	Andrey A. Chernov <ache@FreeBSD.org>	2005-08-11 12:34:43 +0000
commit	a07d258ebadafe919e19988a08bf78f7483560a7 (patch)
tree	6c329093d70322cea8395af299aa1e449d74e849 /www/apache13
parent	992437d83f8c35c23535b94ad15b3834456e8986 (diff)
download	ports-a07d258ebadafe919e19988a08bf78f7483560a7.tar.gz ports-a07d258ebadafe919e19988a08bf78f7483560a7.zip