mod_lua: Prevent HTTP Response Splitting by not allowing tables in the request_rec...

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1582264 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/CHANGES b/CHANGES
index 410cc75f4d3d1e414302732bd1edd6ec77c24ae1..e15c142da42a699e81ec4ae87a8e708c4549804c 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -12,6 +12,10 @@ Changes with Apache 2.4.10
      from causing response splitting.
      [Daniel Gruno, Felipe Daragon <filipe syhunt com>]
 
+  *) mod_lua: Disallow newlines in table values inside the request_rec, 
+     to prevent HTTP Response Splitting via tainted headers.
+     [Daniel Gruno, Felipe Daragon <filipe syhunt com>]
+
 Changes with Apache 2.4.9
 
   *) mod_ssl: Work around a bug in some older versions of OpenSSL that

diff --git a/modules/lua/lua_apr.c b/modules/lua/lua_apr.c
index 8a1dcf6811e51775a5a07fd64a5cbbfa64252c0a..d8c59d0e16d41b0552a889104bce1ff2c0d23fbd 100644 (file)
--- a/modules/lua/lua_apr.c
+++ b/modules/lua/lua_apr.c
@@ -40,6 +40,13 @@ static int lua_table_set(lua_State *L)
     const char     *key = luaL_checkstring(L, 2);
     const char     *val = luaL_checkstring(L, 3);
 
+    /* Prevent response/header splitting by not allowing newlines in tables.
+     * At this stage, we don't have the request_rec handy, and we can't change
+     * a const char*, so we'll redirect to a standard error value instead.
+     */
+    if (ap_strchr_c(val, '\n')) {
+        val = "[ERROR: Value contains newline, ignored.]";
+    }
     apr_table_set(t, key, val);
     return 0;
 }