From 0f5bd9d1714b54f3c79d8e3516e91cb5f905565f Mon Sep 17 00:00:00 2001 From: Eric Covener Date: Mon, 23 Jan 2012 15:05:08 +0000 Subject: [PATCH] SECURITY: CVE-2012-0053 (cve.mitre.org) Fix an issue in error responses that could expose "httpOnly" cookies when no custom ErrorDocument is specified for status code 400. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1234838 13f79535-47bb-0310-9956-ffa450edef68 --- CHANGES | 5 +++++ server/protocol.c | 24 ++++++++++++------------ 2 files changed, 17 insertions(+), 12 deletions(-) diff --git a/CHANGES b/CHANGES index 85ff373283..4ceb1e4e20 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,11 @@ -*- coding: utf-8 -*- Changes with Apache 2.4.1 + *) SECURITY: CVE-2012-0053 (cve.mitre.org) + Fix an issue in error responses that could expose "httpOnly" cookies + when no custom ErrorDocument is specified for status code 400. + [Eric Covener] + *) configure: Disable modules at configure time if a prerequisite module is not enabled. PR 52487. [Stefan Fritsch] diff --git a/server/protocol.c b/server/protocol.c index 11a82e1acb..3635ce049f 100644 --- a/server/protocol.c +++ b/server/protocol.c @@ -753,12 +753,12 @@ AP_DECLARE(void) ap_get_mime_headers_core(request_rec *r, apr_bucket_brigade *bb /* insure ap_escape_html will terminate correctly */ field[len - 1] = '\0'; apr_table_setn(r->notes, "error-notes", - apr_pstrcat(r->pool, + apr_psprintf(r->pool, "Size of a request header field " "exceeds server limit.
\n" - "
\n",
-                                           ap_escape_html(r->pool, field),
-                                           "
\n", NULL)); + "
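Review bot: The `%.*s` precision comes from `field_name_len(field)`, measured on the raw header, but it is applied to the output of `ap_escape_html()`, so the two lengths disagree whenever the name contains a character that expands into an entity. The output stays escaped and can only get shorter, so this does not reopen the disclosure, but the echoed name may be cut short or end in a partial entity. Truncating before escaping avoids that: `ap_escape_html(r->pool, apr_pstrndup(r->pool, field, field_name_len(field)))` with a plain `%s`. The same pattern appears in the "after folding" hunk (`last_field`) and in the missing-':' hunk, where the precision is `(int)LOG_NAME_MAX_LEN`. `field_name_len` is defined outside this hunk, so its cap for a line with no ':' should be confirmed.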
\n%.*s\n
\n", + field_name_len(field), + ap_escape_html(r->pool, field))); ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(00561) "Request header exceeds LimitRequestFieldSize: " "%.*s", field_name_len(field), field); @@ -782,13 +782,13 @@ AP_DECLARE(void) ap_get_mime_headers_core(request_rec *r, apr_bucket_brigade *bb * overflow (last_field) as the field with the problem */ apr_table_setn(r->notes, "error-notes", - apr_pstrcat(r->pool, + apr_psprintf(r->pool, "Size of a request header field " "after folding " "exceeds server limit.
\n" - "
\n",
-                                               ap_escape_html(r->pool, last_field),
-                                               "
\n", NULL)); + "
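Review bot: Nothing at this call site records that limiting the echo to the field name is the security control, so a later cleanup could restore the full-line echo without noticing. A comment above the `apr_table_setn` call would help, for example `/* Echo only the header name: the value may hold httpOnly cookie data that script must not read back from the 400 page (CVE-2012-0053). */`. The same comment fits the other two call sites changed by this patch. The enclosing function starts and ends outside the hunk.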
\n%.*s\n
\n", + field_name_len(last_field), + ap_escape_html(r->pool, last_field))); ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(00562) "Request header exceeds LimitRequestFieldSize " "after folding: %.*s", @@ -827,13 +827,13 @@ AP_DECLARE(void) ap_get_mime_headers_core(request_rec *r, apr_bucket_brigade *bb if (!(value = strchr(last_field, ':'))) { /* Find ':' or */ r->status = HTTP_BAD_REQUEST; /* abort bad request */ apr_table_setn(r->notes, "error-notes", - apr_pstrcat(r->pool, + apr_psprintf(r->pool, "Request header field is " "missing ':' separator.
\n" - "
\n",
+                                               "
\n%.*s
\n", + (int)LOG_NAME_MAX_LEN, ap_escape_html(r->pool, - last_field), - "
\n", NULL)); + last_field))); ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(00564) "Request header field is missing ':' " "separator: %.*s", (int)LOG_NAME_MAX_LEN, -- 2.40.0
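Review bot: The format string here has `%.*s` directly before the closing markup, while the two earlier hunks have `%.*s\n`. Unless the difference is intended, using the same string at all three sites keeps the error pages uniform. This branch also uses the fixed bound `(int)LOG_NAME_MAX_LEN` because the line has no ':' to delimit a name, so up to that many bytes of arbitrary request content are still echoed. A short comment such as `/* no ':' found: cap the echo at LOG_NAME_MAX_LEN */` would make that choice explicit. The function body continues outside the hunk.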