SECURITY: Eliminated leaks of several file descriptors to child

  processes, such as CGI scripts.

PR: 17206
Submitted by:	Christian Kratzer <ck@cksoft.de>, Bjoern A. Zeeb <bz@zabbadoz.net>
Reviewed by:	Joe Orton, Will Rowe

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@99032 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/CHANGES b/CHANGES
index 4c06afa698cd300e3b03cca07a7227bc7719fe96..db848cef4b9c1caba4528c415029991210f946f7 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -156,6 +156,12 @@ Changes with Apache 2.1.0-dev
 
 Changes with Apache 2.0.45
 
+  *) SECURITY:  Eliminated leaks of several file descriptors to child
+     processes, such as CGI scripts.  This fix depends on the latest
+     APR library release 0.9.2, which is distributed with the httpd 
+     source tarball for Apache 2.0.45.  PR 17206
+     [Christian Kratzer <ck@cksoft.de>, Bjoern A. Zeeb <bz@zabbadoz.net>]
+
   *) Prevent endless loops of internal redirects in mod_rewrite by
      aborting after exceeding a limit of internal redirects. The
      limit defaults to 10 and can be changed using the RewriteOptions

diff --git a/modules/loggers/mod_log_config.c b/modules/loggers/mod_log_config.c
index 032b806d9b40e51d56dd2bba103864e94fdb64bb..0e28ac5f99ffbc866b7a8f61d15f42890eb97450 100644 (file)
--- a/modules/loggers/mod_log_config.c
+++ b/modules/loggers/mod_log_config.c
@@ -1300,7 +1300,6 @@ static void *ap_default_log_writer_init(apr_pool_t *p, server_rec *s,
                             "could not open transfer log file %s.", fname);
             return NULL;
         }
-        apr_file_inherit_set(fd);
         return fd;
     }
 }

diff --git a/modules/mappers/mod_rewrite.c b/modules/mappers/mod_rewrite.c
index a5b8fdc7ef184fb4102cba1c54f572bf7b92c6e0..d95249b215343c4d9188a58b74bba24dbc34425d 100644 (file)
--- a/modules/mappers/mod_rewrite.c
+++ b/modules/mappers/mod_rewrite.c
@@ -3429,7 +3429,6 @@ static void open_rewritelog(server_rec *s, apr_pool_t *p)
                          "file %s", fname);
             exit(1);
         }
-        apr_file_inherit_set(conf->rewritelogfp);
     }
     return;
 }

diff --git a/server/log.c b/server/log.c
index ec7c44acfd85d72f9d05c11c7a6f255e486e1924..95ab4aa2e8edda408f041616cc88362754594ac6 100644 (file)
--- a/server/log.c
+++ b/server/log.c
@@ -320,8 +320,6 @@ static int open_error_log(server_rec *s, apr_pool_t *p)
                          ap_server_argv0, fname);
             return DONE;
         }
-
-        apr_file_inherit_set(s->error_log);
     }
 
     return OK;

diff --git a/server/mpm/worker/pod.c b/server/mpm/worker/pod.c
index e568d229f040f8e81ae87d57192d4cc549aa18f3..072777c9c7887e6c2b4c30dc54d7126e2b3a27c7 100644 (file)
--- a/server/mpm/worker/pod.c
+++ b/server/mpm/worker/pod.c
@@ -76,6 +76,10 @@ AP_DECLARE(apr_status_t) ap_mpm_pod_open(apr_pool_t *p, ap_pod_t **pod)
 */
     (*pod)->p = p;
     
+    /* close these before exec. */
+    apr_file_unset_inherit((*pod)->pod_in);
+    apr_file_unset_inherit((*pod)->pod_out);
+
     return APR_SUCCESS;
 }
 

diff --git a/server/mpm_common.c b/server/mpm_common.c
index 86e8ceba853f9f53580eab9a518e52cdcafd1ac4..0632ed63ba0b75dac6fc9622a35bf12c8ad370fc 100644 (file)
--- a/server/mpm_common.c
+++ b/server/mpm_common.c
@@ -410,6 +410,10 @@ AP_DECLARE(apr_status_t) ap_mpm_pod_open(apr_pool_t *p, ap_pod_t **pod)
     apr_sockaddr_info_get(&(*pod)->sa, ap_listeners->bind_addr->hostname,
                           APR_UNSPEC, ap_listeners->bind_addr->port, 0, p);
 
+    /* close these before exec. */
+    apr_file_unset_inherit((*pod)->pod_in);
+    apr_file_unset_inherit((*pod)->pod_out);
+
     return APR_SUCCESS;
 }