Changes with Apache 2.3.0
[Remove entries to the current 2.0 and 2.2 section below, when backported]
+ *) SECURITY: CVE-2007-1862 (cve.mitre.org)
+ mod_mem_cache: Copy headers into longer lived storage; header names and
+ values could previously point to cleaned up storage
+ PR 41551 [Davi Arnaut <davi haxent.com.br>]
+
*) mod_cache: Do not set Date or Expires when they are missing from
the original response or are invalid. [Justin Erenkrantz]
return OK;
}
+static apr_table_t *deep_table_copy(apr_pool_t *p, const apr_table_t *table)
+{
+ const apr_array_header_t *array = apr_table_elts(table);
+ apr_table_entry_t *elts = (apr_table_entry_t *) array->elts;
+ apr_table_t *copy = apr_table_make(p, array->nelts);
+ int i;
+
+ for (i = 0; i < array->nelts; i++) {
+ if (elts[i].key) {
+ apr_table_add(copy, elts[i].key, elts[i].val);
+ }
+ }
+
+ return copy;
+}
+
static apr_status_t recall_headers(cache_handle_t *h, request_rec *r)
{
mem_cache_object_t *mobj = (mem_cache_object_t*) h->cache_obj->vobj;
- h->req_hdrs = apr_table_copy(r->pool, mobj->req_hdrs);
- h->resp_hdrs = apr_table_copy(r->pool, mobj->header_out);
+ h->req_hdrs = deep_table_copy(r->pool, mobj->req_hdrs);
+ h->resp_hdrs = deep_table_copy(r->pool, mobj->header_out);
return OK;
}
* - The original response headers (for returning with a cached response)
* - The body of the message
*/
- mobj->req_hdrs = apr_table_copy(mobj->pool, r->headers_in);
+ mobj->req_hdrs = deep_table_copy(mobj->pool, r->headers_in);
/* Precompute how much storage we need to hold the headers */
headers_out = ap_cache_cacheable_hdrs_out(r->pool, r->headers_out,
}
headers_out = apr_table_overlay(r->pool, headers_out, r->err_headers_out);
- mobj->header_out = apr_table_copy(mobj->pool, headers_out);
+ mobj->header_out = deep_table_copy(mobj->pool, headers_out);
/* Init the info struct */
obj->info.status = info->status;
projects / apache / commitdiff