main configuration file (httpd.conf) to register HTTP methods before the
.htaccess files. [Yann Ylavic]
+ *) htdigest: prevent a buffer overflow when a string exceeds the allowed max
+ length in a password file.
+ [Luca Toscano, Hanno Böck <hanno hboeck de>]
+
*) mod_proxy_wstunnel: Allow upgrade to any protocol dynamically.
PR 61142.
PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
[ start all new proposals below, under PATCHES PROPOSED. ]
- *) htdigest: prevent a buffer overflow when a string exceeds its maximum size
- in a password file. PR: 61511
- trunk patch: http://svn.apache.org/r1808008
- http://svn.apache.org/r1808085
- 2.4.x patch: svn merge -c1808008 -c1808085 ^/httpd/httpd/trunk .
- +1: elukey, icing, ylavic
-
*) Makefile: Use different variables to track normal modules and MPMs during
build. Only the enabled MPM is uncommented in the configuration
if multiple DSOs are built, and LoadModule for MPMs will now come
#endif /* APR_CHARSET_EBCDIC */
#define MAX_STRING_LEN 256
+#define MAX_LINE_LEN 768
apr_file_t *tfp = NULL;
apr_file_t *errfile;
exit(rc);
}
-static void getword(char *word, char *line, char stop)
+static int getword(char *word, char *line, char stop)
{
int x = 0, y;
- for (x = 0; ((line[x]) && (line[x] != stop)); x++)
+ for (x = 0; ((line[x]) && (line[x] != stop)); x++) {
+ if (x == (MAX_STRING_LEN - 1)) {
+ return 1;
+ }
word[x] = line[x];
+ }
word[x] = '\0';
if (line[x])
y = 0;
while ((line[y++] = line[x++]));
+
+ return 0;
}
static int get_line(char *s, int n, apr_file_t *f)
char *pw;
apr_md5_ctx_t context;
unsigned char digest[16];
- char string[3 * MAX_STRING_LEN]; /* this includes room for 2 * ':' + '\0' */
+ char string[MAX_LINE_LEN]; /* this includes room for 2 * ':' + '\0' */
char pwin[MAX_STRING_LEN];
char pwv[MAX_STRING_LEN];
unsigned int i;
char *dirname;
char user[MAX_STRING_LEN];
char realm[MAX_STRING_LEN];
- char line[3 * MAX_STRING_LEN];
- char l[3 * MAX_STRING_LEN];
+ char line[MAX_LINE_LEN];
+ char l[MAX_LINE_LEN];
char w[MAX_STRING_LEN];
char x[MAX_STRING_LEN];
int found;
continue;
}
strcpy(l, line);
- getword(w, l, ':');
- getword(x, l, ':');
+ if (getword(w, l, ':') || getword(x, l, ':')) {
+ apr_file_printf(errfile, "The following line contains a string longer than the "
+ "allowed maximum size (%i): %s\n", MAX_STRING_LEN - 1, line);
+ cleanup_tempfile_and_exit(1);
+ }
if (strcmp(user, w) || strcmp(realm, x)) {
putline(tfp, line);
continue;