From: Jeff Trawick <trawick@apache.org>
Date: Thu, 23 Jun 2005 19:20:29 +0000 (+0000)
Subject: proxy HTTP: If a response contains both Transfer-Encoding and a
X-Git-Tag: 2.1.6~5
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=f5cd1725712a2720836cfb0d6c93ad4241af4809;p=apache

proxy HTTP: If a response contains both Transfer-Encoding and a
Content-Length, remove the Content-Length and don't reuse the
connection, stopping some HTTP Request smuggling attacks.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@193205 13f79535-47bb-0310-9956-ffa450edef68
---

diff --git a/CHANGES b/CHANGES
index 1bd701c957..c0a1eb2b54 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,12 @@
 Changes with Apache 2.1.6
   [Remove entries to the current 2.0 section below, when backported]
 
+  *) SECURITY: 
+     proxy HTTP: If a response contains both Transfer-Encoding and a 
+     Content-Length, remove the Content-Length and don't reuse the
+     connection, stopping some HTTP Request smuggling attacks.
+     [Jeff Trawick]
+
   *) mod_cgid: Fix buffer overflow processing ScriptSock directive.
      [Steve Kemp <steve steve.org.uk>]
 
diff --git a/modules/proxy/mod_proxy_http.c b/modules/proxy/mod_proxy_http.c
index 24ad9ced99..19c7550238 100644
--- a/modules/proxy/mod_proxy_http.c
+++ b/modules/proxy/mod_proxy_http.c
@@ -1128,7 +1128,22 @@ apr_status_t ap_proxy_http_process_response(apr_pool_t * p, request_rec *r,
                                                        r->headers_out,
                                                        save_table);
                 }
-                
+
+                /* can't have both Content-Length and Transfer-Encoding */
+                if (apr_table_get(r->headers_out, "Transfer-Encoding")
+                    && apr_table_get(r->headers_out, "Content-Length")) {
+                    /* 2616 section 4.4, point 3: "if both Transfer-Encoding
+                     * and Content-Length are received, the latter MUST be
+                     * ignored"; so unset it here to prevent any confusion
+                     * later. */
+                    apr_table_unset(r->headers_out, "Content-Length");
+                    ap_log_error(APLOG_MARK, APLOG_DEBUG, 0,
+                                 r->server,
+                                 "proxy: server %s returned Transfer-Encoding and Content-Length",
+                                 backend->hostname);
+                    backend->close += 1;
+                }
+
                 /* strip connection listed hop-by-hop headers from response */
                 backend->close += ap_proxy_liststr(apr_table_get(r->headers_out,
                                                                  "Connection"),