Package: apache2 / 2.2.22-13+deb7u6

cookie-logging-CVE-2014-0098.diff Patch series | download
#commit 57beef76acf54b147116636b98f9e0ea56ee503f
#Author: Rainer Jung <rjung@apache.org>
#Date:   Sat Aug 18 09:32:36 2012 +0000
#
#    mod_log_config: %{abc}C truncates cookies whose values contain '='.
#    PR 53104
#
#    Backport of r1328133 from trunk resp. r1359690 from 2.4.
#
#    Submitted by: gregames
#    Reviewed by: trawick, wrowe
#    Backported by: rjung
#
#
#    git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1374538 13f79535-47bb-0310-9956-ffa450edef68
#
#commit 4bab699bdccdd3f48943d6ae224a1253a9a1a0d2
#Author: Ruediger Pluem <rpluem@apache.org>
#Date:   Wed Mar 12 12:41:07 2014 +0000
#
#    Merge r1575400 from trunk:
#
#    CVE-2014-0098 (reported by Rainer Canavan <rainer-apache 7val com>)
#    Segfaults w/ truncated cookie logging.
#
#    Clean up the cookie logging parser to recognize only the cookie=value pairs,
#    not valueless cookies.  This refactors multiple passes over the same string
#    buffer into a single pass parser.
#
#    Submitted by: wrowe
#    Reviewed by: rpluem, jim
#
#    Reviewed by: wrowe, ylavic, jim
#
#
#    git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1576716 13f79535-47bb-0310-9956-ffa450edef68
#
Index: apache2/modules/loggers/mod_log_config.c
===================================================================
--- apache2.orig/modules/loggers/mod_log_config.c
+++ apache2/modules/loggers/mod_log_config.c
@@ -524,14 +524,24 @@
 
         while ((cookie = apr_strtok(cookies, ";", &last1))) {
             char *name = apr_strtok(cookie, "=", &last2);
-            if (name) {
-                char *value;
-                apr_collapse_spaces(name, name);
+            /* last2 points to the next char following an '=' delim,
+               or the trailing NUL char of the string */
+            char *value = last2;
+            if (name && *name &&  value && *value) {
+                char *last = value - 2;
+                /* Move past leading WS */
+                name += strspn(name, " \t");
+                while (last >= name && apr_isspace(*last)) {
+                    *last = '\0';
+                    --last;
+                }
 
-                if (!strcasecmp(name, a) && (value = apr_strtok(NULL, "=", &last2))) {
-                    char *last;
-                    value += strspn(value, " \t");  /* Move past leading WS */
-                    last = value + strlen(value) - 1;
+                if (!strcasecmp(name, a)) {
+                    /* last1 points to the next char following the ';' delim,
+                       or the trailing NUL char of the string */
+                    last = last1 - (*last1 ? 2 : 1);
+                    /* Move past leading WS */
+                    value += strspn(value, " \t");
                     while (last >= value && apr_isspace(*last)) {
                        *last = '\0';
                        --last;
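Review bot: `last = last1 - (*last1 ? 2 : 1);` selects the wrong end pointer when the matched cookie is the last token and the header ends with a ';': as the comment above it says, last1 then points at the trailing NUL, so `last1 - 1` is the slot where that ';' was (now '\0') rather than the final character of the value, and a value like `b ` (with a trailing blank) is logged untrimmed. The `last >= value` guard keeps the loop from touching memory outside the token, so this is a trimming miss rather than a memory-safety issue, but deriving the end from the value itself is both simpler and correct: after the `value += strspn(value, " \t");` line use `size_t len = strlen(value); while (len && apr_isspace(value[len - 1])) value[--len] = '\0';` and drop the pointer arithmetic on last1. That form also avoids forming a pointer one before the start of value when strspn consumes the whole value, which the pointer-based loop only tolerates because of the guard. The enclosing function begins above the hunk and continues into the second hunk.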
@@ -540,6 +550,7 @@
                     return ap_escape_logitem(r->pool, value);
                 }
             }
+            /* Iterate the remaining tokens using apr_strtok(NULL, ...) */
             cookies = NULL;
         }
     }