#commit 57beef76acf54b147116636b98f9e0ea56ee503f
#Author: Rainer Jung <rjung@apache.org>
#Date: Sat Aug 18 09:32:36 2012 +0000
#
# mod_log_config: %{abc}C truncates cookies whose values contain '='.
# PR 53104
#
# Backport of r1328133 from trunk resp. r1359690 from 2.4.
#
# Submitted by: gregames
# Reviewed by: trawick, wrowe
# Backported by: rjung
#
#
# git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1374538 13f79535-47bb-0310-9956-ffa450edef68
#
#commit 4bab699bdccdd3f48943d6ae224a1253a9a1a0d2
#Author: Ruediger Pluem <rpluem@apache.org>
#Date: Wed Mar 12 12:41:07 2014 +0000
#
# Merge r1575400 from trunk:
#
# CVE-2014-0098 (reported by Rainer Canavan <rainer-apache 7val com>)
# Segfaults w/ truncated cookie logging.
#
# Clean up the cookie logging parser to recognize only the cookie=value pairs,
# not valueless cookies. This refactors multiple passes over the same string
# buffer into a single pass parser.
#
# Submitted by: wrowe
# Reviewed by: rpluem, jim
#
# Reviewed by: wrowe, ylavic, jim
#
#
# git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1576716 13f79535-47bb-0310-9956-ffa450edef68
#
Index: apache2/modules/loggers/mod_log_config.c
===================================================================
--- apache2.orig/modules/loggers/mod_log_config.c
+++ apache2/modules/loggers/mod_log_config.c
@@ -524,14 +524,24 @@
while ((cookie = apr_strtok(cookies, ";", &last1))) {
char *name = apr_strtok(cookie, "=", &last2);
- if (name) {
- char *value;
- apr_collapse_spaces(name, name);
+ /* last2 points to the next char following an '=' delim,
+ or the trailing NUL char of the string */
+ char *value = last2;
+ if (name && *name && value && *value) {
+ char *last = value - 2;
+ /* Move past leading WS */
+ name += strspn(name, " \t");
+ while (last >= name && apr_isspace(*last)) {
+ *last = '\0';
+ --last;
+ }
- if (!strcasecmp(name, a) && (value = apr_strtok(NULL, "=", &last2))) {
- char *last;
- value += strspn(value, " \t"); /* Move past leading WS */
- last = value + strlen(value) - 1;
+ if (!strcasecmp(name, a)) {
+ /* last1 points to the next char following the ';' delim,
+ or the trailing NUL char of the string */
+ last = last1 - (*last1 ? 2 : 1);
+ /* Move past leading WS */
+ value += strspn(value, " \t");
while (last >= value && apr_isspace(*last)) {
*last = '\0';
--last;
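Review bot: The end-of-value computation `last = last1 - (*last1 ? 2 : 1);` treats `*last1 == '\0'` as "no ';' was consumed", but the two cases named in the comment above it coincide when ';' is the final character of the Cookie header. Assuming apr_strtok then leaves last1 on the string's terminating NUL, `last` lands on the NUL that replaced ';', the trim loop exits at once, and a value such as `v ` is logged with its trailing whitespace; this is a log-fidelity issue, not an out-of-bounds access. Checking the byte itself covers all three cases: `last = last1 - 1; if (*last == '\0') --last;`. Separately, `char *value = last2;` is evaluated before `name` is tested, so if apr_strtok returns NULL without storing to last2 (its declaration is outside the hunk), a stale or uninitialised pointer is copied; it is never dereferenced because of the short-circuit, but the assignment could be moved inside the `if (name ...)` guard. The enclosing function begins before this hunk and continues after it.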
@@ -540,6 +550,7 @@
return ap_escape_logitem(r->pool, value);
}
}
+ /* Iterate the remaining tokens using apr_strtok(NULL, ...) */
cookies = NULL;
}
}