proxy HTTP: If a response contains both Transfer-Encoding and a

author Jeff Trawick <trawick@apache.org>

Thu, 23 Jun 2005 19:20:29 +0000 (19:20 +0000)

committer Jeff Trawick <trawick@apache.org>

Thu, 23 Jun 2005 19:20:29 +0000 (19:20 +0000)
author Jeff Trawick <trawick@apache.org>
Thu, 23 Jun 2005 19:20:29 +0000 (19:20 +0000)
committer Jeff Trawick <trawick@apache.org>
Thu, 23 Jun 2005 19:20:29 +0000 (19:20 +0000)
diff --git a/CHANGES b/CHANGES

index 1bd701c9578718eebaf5c0724fe0af901eee9fd9..c0a1eb2b54a6f5ed7541a3c545acdb86e15397a8 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,12 @@
  Changes with Apache 2.1.6
    [Remove entries to the current 2.0 section below, when backported]
  
+  *) SECURITY: 
+     proxy HTTP: If a response contains both Transfer-Encoding and a 
+     Content-Length, remove the Content-Length and don't reuse the
+     connection, stopping some HTTP Request smuggling attacks.
+     [Jeff Trawick]
+
    *) mod_cgid: Fix buffer overflow processing ScriptSock directive.
       [Steve Kemp <steve steve.org.uk>]
  
diff --git a/modules/proxy/mod_proxy_http.c b/modules/proxy/mod_proxy_http.c

index 24ad9ced9984bb13b2cbb3dde595397f8df8d3b8..19c7550238bd8510e1d5dbd23a5d941e15277d65 100644 (file)
--- a/modules/proxy/mod_proxy_http.c
+++ b/modules/proxy/mod_proxy_http.c
@@ -1128,7 +1128,22 @@ apr_status_t ap_proxy_http_process_response(apr_pool_t * p, request_rec *r,
                                                         r->headers_out,
                                                         save_table);
                  }
-                
+
+                /* can't have both Content-Length and Transfer-Encoding */
+                if (apr_table_get(r->headers_out, "Transfer-Encoding")
+                    && apr_table_get(r->headers_out, "Content-Length")) {
+                    /* 2616 section 4.4, point 3: "if both Transfer-Encoding
+                     * and Content-Length are received, the latter MUST be
+                     * ignored"; so unset it here to prevent any confusion
+                     * later. */
+                    apr_table_unset(r->headers_out, "Content-Length");
+                    ap_log_error(APLOG_MARK, APLOG_DEBUG, 0,
+                                 r->server,
+                                 "proxy: server %s returned Transfer-Encoding and Content-Length",
+                                 backend->hostname);
+                    backend->close += 1;
+                }
+
                  /* strip connection listed hop-by-hop headers from response */
                  backend->close += ap_proxy_liststr(apr_table_get(r->headers_out,
                                                                   "Connection"),
author	Jeff Trawick <trawick@apache.org>
	Thu, 23 Jun 2005 19:20:29 +0000 (19:20 +0000)
committer	Jeff Trawick <trawick@apache.org>
	Thu, 23 Jun 2005 19:20:29 +0000 (19:20 +0000)
CHANGES		patch \| blob \| history
modules/proxy/mod_proxy_http.c		patch \| blob \| history