SECURITY: CVE-2012-0053 (cve.mitre.org) Fix an issue in error responses that

author Eric Covener <covener@apache.org>

Mon, 23 Jan 2012 15:05:08 +0000 (15:05 +0000)

committer Eric Covener <covener@apache.org>

Mon, 23 Jan 2012 15:05:08 +0000 (15:05 +0000)
author Eric Covener <covener@apache.org>
Mon, 23 Jan 2012 15:05:08 +0000 (15:05 +0000)
committer Eric Covener <covener@apache.org>
Mon, 23 Jan 2012 15:05:08 +0000 (15:05 +0000)
diff --git a/CHANGES b/CHANGES

index 85ff373283bbcdb365d6628e9720628031673cbd..4ceb1e4e20a8999b158fa0b35adac4b02c27d61f 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,11 @@
                                                           -*- coding: utf-8 -*-
  Changes with Apache 2.4.1
  
+  *) SECURITY: CVE-2012-0053 (cve.mitre.org)
+     Fix an issue in error responses that could expose "httpOnly" cookies
+     when no custom ErrorDocument is specified for status code 400.  
+     [Eric Covener]
+
    *) configure: Disable modules at configure time if a prerequisite module
       is not enabled. PR 52487. [Stefan Fritsch]
  
diff --git a/server/protocol.c b/server/protocol.c

index 11a82e1acb7251571ad28ce28adb1973bbee5d28..3635ce049fba76ac05235864740be43ece227732 100644 (file)
--- a/server/protocol.c
+++ b/server/protocol.c
@@ -753,12 +753,12 @@ AP_DECLARE(void) ap_get_mime_headers_core(request_rec *r, apr_bucket_brigade *bb
                  /* insure ap_escape_html will terminate correctly */
                  field[len - 1] = '\0';
                  apr_table_setn(r->notes, "error-notes",
-                               apr_pstrcat(r->pool,
+                               apr_psprintf(r->pool,
                                             "Size of a request header field "
                                             "exceeds server limit.<br />\n"
-                                           "<pre>\n",
-                                           ap_escape_html(r->pool, field),
-                                           "</pre>\n", NULL));
+                                           "<pre>\n%.*s\n</pre>\n", 
+                                           field_name_len(field), 
+                                           ap_escape_html(r->pool, field)));
                  ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(00561)
                                "Request header exceeds LimitRequestFieldSize: "
                                "%.*s", field_name_len(field), field);
@@ -782,13 +782,13 @@ AP_DECLARE(void) ap_get_mime_headers_core(request_rec *r, apr_bucket_brigade *bb
                       * overflow (last_field) as the field with the problem
                       */
                      apr_table_setn(r->notes, "error-notes",
-                                   apr_pstrcat(r->pool,
+                                   apr_psprintf(r->pool,
                                                 "Size of a request header field "
                                                 "after folding "
                                                 "exceeds server limit.<br />\n"
-                                               "<pre>\n",
-                                               ap_escape_html(r->pool, last_field),
-                                               "</pre>\n", NULL));
+                                               "<pre>\n%.*s\n</pre>\n", 
+                                               field_name_len(last_field), 
+                                               ap_escape_html(r->pool, last_field)));
                      ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(00562)
                                    "Request header exceeds LimitRequestFieldSize "
                                    "after folding: %.*s",
@@ -827,13 +827,13 @@ AP_DECLARE(void) ap_get_mime_headers_core(request_rec *r, apr_bucket_brigade *bb
                  if (!(value = strchr(last_field, ':'))) { /* Find ':' or    */
                      r->status = HTTP_BAD_REQUEST;      /* abort bad request */
                      apr_table_setn(r->notes, "error-notes",
-                                   apr_pstrcat(r->pool,
+                                   apr_psprintf(r->pool,
                                                 "Request header field is "
                                                 "missing ':' separator.<br />\n"
-                                               "<pre>\n",
+                                               "<pre>\n%.*s</pre>\n", 
+                                               (int)LOG_NAME_MAX_LEN,
                                                 ap_escape_html(r->pool,
-                                                              last_field),
-                                               "</pre>\n", NULL));
+                                                              last_field)));
                      ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(00564)
                                    "Request header field is missing ':' "
                                    "separator: %.*s", (int)LOG_NAME_MAX_LEN,
author	Eric Covener <covener@apache.org>
	Mon, 23 Jan 2012 15:05:08 +0000 (15:05 +0000)
committer	Eric Covener <covener@apache.org>
	Mon, 23 Jan 2012 15:05:08 +0000 (15:05 +0000)
CHANGES		patch \| blob \| history
server/protocol.c		patch \| blob \| history