Merge r1575400 from trunk:

CVE-2014-0098 (reported by Rainer Canavan <rainer-apache 7val com>)
Segfaults w/ truncated cookie logging.

Clean up the cookie logging parser to recognize only the cookie=value pairs,
not valueless cookies.  This refactors multiple passes over the same string
buffer into a single pass parser.

Submitted by: wrowe
Reviewed by: rpluem, jim

Submitted by: wrowe
Reviewed/backported by: jim

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1575904 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/CHANGES b/CHANGES
index 64fe91d62d837ec647600fafee5cbeff99eff2b8..6175ad40c8beaaf2e997e35610b942c8d068e2f4 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -2,6 +2,10 @@
 
 Changes with Apache 2.4.8
 
+  *) Clean up cookie logging with fewer redundant string parsing passes.
+     Log only cookies with a value assignment.
+     [William Rowe, Ruediger Pluem, Jim Jagielski]
+
   *) mod_dir: Add DirectoryCheckHandler to allow a 2.2-like behavior, skipping 
      execution when a handler is already set. PR53929. [Eric Covener]
 

diff --git a/STATUS b/STATUS
index 4c8fb581af214b01ba79c8c1f4bde360600d67e8..853d5f2040847b82468b8168d55cb38080d87a53 100644 (file)
--- a/STATUS
+++ b/STATUS
@@ -98,12 +98,6 @@ RELEASE SHOWSTOPPERS:
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
   [ start all new proposals below, under PATCHES PROPOSED. ]
 
-  *) mod_log_config: Clean up cookie logging with fewer redundant
-     string parsing passes.  Log only cookies with a value assignment.
-     [William Rowe, Ruediger Pluem, Jim Jagielski]
-     trunk patch: http://svn.apache.org/r1575400
-     2.4.x patch: trunk works
-     +1: wrowe, jim, ylavic
 
 
 PATCHES PROPOSED TO BACKPORT FROM TRUNK:

diff --git a/modules/loggers/mod_log_config.c b/modules/loggers/mod_log_config.c
index f17e1641561b38283bf6defbe385a75fc3711247..792756db07b3e5d280eb9d1105493ae4f0d4d4d7 100644 (file)
--- a/modules/loggers/mod_log_config.c
+++ b/modules/loggers/mod_log_config.c
@@ -543,14 +543,24 @@ static const char *log_cookie(request_rec *r, char *a)
 
         while ((cookie = apr_strtok(cookies, ";", &last1))) {
             char *name = apr_strtok(cookie, "=", &last2);
-            if (name) {
-                char *value = name + strlen(name) + 1;
-                apr_collapse_spaces(name, name);
+            /* last2 points to the next char following an '=' delim,
+               or the trailing NUL char of the string */
+            char *value = last2;
+            if (name && *name &&  value && *value) {
+                char *last = value - 2;
+                /* Move past leading WS */
+                name += strspn(name, " \t");
+                while (last >= name && apr_isspace(*last)) {
+                    *last = '\0';
+                    --last;
+                }
 
                 if (!strcasecmp(name, a)) {
-                    char *last;
-                    value += strspn(value, " \t");  /* Move past leading WS */
-                    last = value + strlen(value) - 1;
+                    /* last1 points to the next char following the ';' delim,
+                       or the trailing NUL char of the string */
+                    last = last1 - (*last1 ? 2 : 1);
+                    /* Move past leading WS */
+                    value += strspn(value, " \t");
                     while (last >= value && apr_isspace(*last)) {
                        *last = '\0';
                        --last;
@@ -559,6 +569,7 @@ static const char *log_cookie(request_rec *r, char *a)
                     return ap_escape_logitem(r->pool, value);
                 }
             }
+            /* Iterate the remaining tokens using apr_strtok(NULL, ...) */
             cookies = NULL;
         }
     }