mod_lua: escape key/value pairs when setting cookies to prevent header splitting...

author Daniel Gruno <humbedooh@apache.org>

Thu, 27 Mar 2014 11:00:34 +0000 (11:00 +0000)

committer Daniel Gruno <humbedooh@apache.org>

Thu, 27 Mar 2014 11:00:34 +0000 (11:00 +0000)
author Daniel Gruno <humbedooh@apache.org>
Thu, 27 Mar 2014 11:00:34 +0000 (11:00 +0000)
committer Daniel Gruno <humbedooh@apache.org>
Thu, 27 Mar 2014 11:00:34 +0000 (11:00 +0000)
diff --git a/CHANGES b/CHANGES

index 36af84a928dd6036a6a8ef87f6b6e2eb7f7ef015..410cc75f4d3d1e414302732bd1edd6ec77c24ae1 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -8,6 +8,10 @@ Changes with Apache 2.4.10
    *) mod_lua: Reformat and escape script error output.
       [Daniel Gruno, Felipe Daragon <filipe syhunt com>]
  
+  *) mod_lua: URL-escape cookie keys/values to prevent tainted cookie data
+     from causing response splitting.
+     [Daniel Gruno, Felipe Daragon <filipe syhunt com>]
+
  Changes with Apache 2.4.9
  
    *) mod_ssl: Work around a bug in some older versions of OpenSSL that
diff --git a/modules/lua/lua_request.c b/modules/lua/lua_request.c

index 609b01673c59c2cc9bc945ae633b7a97902a59c4..f3217f38d84e36789b7cc24b4aca07a1230bc979 100644 (file)
--- a/modules/lua/lua_request.c
+++ b/modules/lua/lua_request.c
@@ -2048,6 +2048,10 @@ static int lua_set_cookie(lua_State *L)
          /* Domain does NOT like quotes in most browsers, so let's avoid that */
          strdomain = apr_psprintf(r->pool, "Domain=%s;", domain);
      }
+
+    /* URL-encode key/value */
+    value = ap_escape_urlencoded(r->pool, value);
+    key = ap_escape_urlencoded(r->pool, key);
      
      /* Create the header */
      out = apr_psprintf(r->pool, "%s=%s; %s %s %s %s %s", key, value,
author	Daniel Gruno <humbedooh@apache.org>
	Thu, 27 Mar 2014 11:00:34 +0000 (11:00 +0000)
committer	Daniel Gruno <humbedooh@apache.org>
	Thu, 27 Mar 2014 11:00:34 +0000 (11:00 +0000)
CHANGES		patch \| blob \| history
modules/lua/lua_request.c		patch \| blob \| history