From: Daniel Gruno Date: Thu, 27 Mar 2014 11:00:34 +0000 (+0000) Subject: mod_lua: escape key/value pairs when setting cookies to prevent header splitting... X-Git-Tag: 2.4.10~401 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=7ed8b01180841317aeb20298e8dd6f61d4a2d0ce;p=apache mod_lua: escape key/value pairs when setting cookies to prevent header splitting with tainted cookies. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1582255 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 36af84a928..410cc75f4d 100644 --- a/CHANGES +++ b/CHANGES @@ -8,6 +8,10 @@ Changes with Apache 2.4.10 *) mod_lua: Reformat and escape script error output. [Daniel Gruno, Felipe Daragon ] + *) mod_lua: URL-escape cookie keys/values to prevent tainted cookie data + from causing response splitting. + [Daniel Gruno, Felipe Daragon ] + Changes with Apache 2.4.9 *) mod_ssl: Work around a bug in some older versions of OpenSSL that diff --git a/modules/lua/lua_request.c b/modules/lua/lua_request.c index 609b01673c..f3217f38d8 100644 --- a/modules/lua/lua_request.c +++ b/modules/lua/lua_request.c @@ -2048,6 +2048,10 @@ static int lua_set_cookie(lua_State *L) /* Domain does NOT like quotes in most browsers, so let's avoid that */ strdomain = apr_psprintf(r->pool, "Domain=%s;", domain); } + + /* URL-encode key/value */ + value = ap_escape_urlencoded(r->pool, value); + key = ap_escape_urlencoded(r->pool, key); /* Create the header */ out = apr_psprintf(r->pool, "%s=%s; %s %s %s %s %s", key, value,