From 41488e891d12eddcf21bb435d90ae71eda8d218a Mon Sep 17 00:00:00 2001 From: Eric Covener Date: Wed, 23 Oct 2013 19:26:08 +0000 Subject: [PATCH] SECURITY (CVE-2014-0231): Fix for DoS due to hang waiting for CGI script. Patch one of two. Permit a read timeout to be used in mod_cgid to give up on a slow CGI script. In trunk, it defaults to the servers Timeout. PR43494 Submitted By: Eric Covener, Toshikuni Fukaya Reviewed By: Eric Covener git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1535125 13f79535-47bb-0310-9956-ffa450edef68 --- CHANGES | 7 +++++ docs/log-message-tags/next-number | 2 +- docs/manual/mod/core.xml | 4 +-- docs/manual/mod/mod_cgid.xml | 27 +++++++++++++++++++ docs/manual/upgrading.xml | 6 +++++ modules/generators/mod_cgid.c | 44 +++++++++++++++++++++++++++++-- 6 files changed, 85 insertions(+), 5 deletions(-) diff --git a/CHANGES b/CHANGES index d77d03ef09..43aae40368 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,13 @@ -*- coding: utf-8 -*- Changes with Apache 2.5.0 + *) mod_cgid: Use the servers Timeout for each read from a CGI script, + allow override with new CGIDRequestTimeout directive. PR43494 + [Eric Covener, Toshikuni Fukaya ] + + *) core: Add missing Reason-Phrase in HTTP response headers. + PR 54946. [Rainer Jung] + *) core: ensure any abnormal exit is reported to stderr if it's a tty. PR 55670 [Nick Kew] diff --git a/docs/log-message-tags/next-number b/docs/log-message-tags/next-number index 5cf23a56c5..668cebd7cd 100644 --- a/docs/log-message-tags/next-number +++ b/docs/log-message-tags/next-number @@ -1 +1 @@ -2548 +2551 diff --git a/docs/manual/mod/core.xml b/docs/manual/mod/core.xml index ecd588653d..ef194c6a19 100644 --- a/docs/manual/mod/core.xml +++ b/docs/manual/mod/core.xml @@ -4164,8 +4164,8 @@ certain events before failing a request for an acknowledgement of a packet if the send buffer is full. -
  • In mod_cgi, the length of time to wait for - output from a CGI script.
  • +
  • In mod_cgi and mod_cgid, + the length of time to wait for output from a CGI script.
  • In mod_ext_filter, the length of time to wait for output from a filtering process.
  • diff --git a/docs/manual/mod/mod_cgid.xml b/docs/manual/mod/mod_cgid.xml index d49bcc2a72..a901ebb5d0 100644 --- a/docs/manual/mod/mod_cgid.xml +++ b/docs/manual/mod/mod_cgid.xml @@ -102,5 +102,32 @@ the cgi daemon + +CGIDScriptTimeout +The length of time to wait for more output from the +CGI program +CGIDScriptTimeout time[s|ms] +value of Timeout directive when +unset +server config +virtual hostdirectory +.htaccess +CGIDScriptTimeout defaults to zero in releases 2.4 and earlier + + + +

    This directive limits the length of time to wait for more output from + the CGI program. If the time is exceeded, the request and CGI are + terminated.

    + + Example + + CGIDScriptTimeout 20 + + + +
    +
    + diff --git a/docs/manual/upgrading.xml b/docs/manual/upgrading.xml index 936d61800c..e2653e410a 100644 --- a/docs/manual/upgrading.xml +++ b/docs/manual/upgrading.xml @@ -360,6 +360,12 @@ Allow from example.org has been moved into mod_authn_core. +
  • mod_cgid uses the servers Timeout to limit the length of time to wait for CGI output. + This timeout can be overridden with + CGIDScriptTImeout. +
  • + diff --git a/modules/generators/mod_cgid.c b/modules/generators/mod_cgid.c index 07c31930e5..71e2b32eb1 100644 --- a/modules/generators/mod_cgid.c +++ b/modules/generators/mod_cgid.c @@ -98,6 +98,10 @@ static apr_socklen_t server_addr_len; static pid_t parent_pid; static ap_unix_identity_t empty_ugid = { (uid_t)-1, (gid_t)-1, -1 }; +typedef struct { + apr_interval_time_t timeout; +} cgid_dirconf; + /* The APR other-child API doesn't tell us how the daemon exited * (SIGSEGV vs. exit(1)). The other-child maintenance function * needs to decide whether to restart the daemon after a failure @@ -973,7 +977,14 @@ static void *merge_cgid_config(apr_pool_t *p, void *basev, void *overridesv) return overrides->logname ? overrides : base; } +static void *create_cgid_dirconf(apr_pool_t *p, char *dummy) +{ + cgid_dirconf *c = (cgid_dirconf *) apr_pcalloc(p, sizeof(cgid_dirconf)); + return c; +} + static const char *set_scriptlog(cmd_parms *cmd, void *dummy, const char *arg) + { server_rec *s = cmd->server; cgid_server_conf *conf = ap_get_module_config(s->module_config, @@ -1026,7 +1037,16 @@ static const char *set_script_socket(cmd_parms *cmd, void *dummy, const char *ar return NULL; } +static const char *set_script_timeout(cmd_parms *cmd, void *dummy, const char *arg) +{ + cgid_dirconf *dc = dummy; + if (ap_timeout_parameter_parse(arg, &dc->timeout, "s") != APR_SUCCESS) { + return "CGIDScriptTimeout has wrong format"; + } + + return NULL; +} static const command_rec cgid_cmds[] = { AP_INIT_TAKE1("ScriptLog", set_scriptlog, NULL, RSRC_CONF, @@ -1038,6 +1058,10 @@ static const command_rec cgid_cmds[] = AP_INIT_TAKE1("ScriptSock", set_script_socket, NULL, RSRC_CONF, "the name of the socket to use for communication with " "the cgi daemon."), + AP_INIT_TAKE1("CGIDScriptTimeout", set_script_timeout, NULL, RSRC_CONF | ACCESS_CONF, + "The amount of time to wait between successful reads from " + "the CGI script, in seconds."), + {NULL} }; 
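Review bot: The new cgid_dirconf typedef at the top of the @@ -98 hunk carries no comment on what timeout holds or what its zero value means, even though the handler later treats 0 as "use r->server->timeout". I would put above the typedef: `/* Per-directory config: read timeout for the CGI socket; 0 (the pcalloc default) means fall back to server->timeout */`. Stating the sentinel where the field is declared keeps that contract in one place for whoever adds a merge function or a second field later.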
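Review bot: create_cgid_dirconf is added without a companion merge function (the merger slot in the @@ -1880 hunk stays NULL, which the existing comment says means override), so a nested Directory or .htaccess section that does not set CGIDScriptTimeout gets a fresh pcalloc'd struct with timeout 0 and silently drops the enclosing section's value back to the server Timeout. If inheritance is intended, a small merge function as sketched below should be registered in the merger slot; if override-only is intended, the directive documentation should say so. The apr_pcalloc cast is unnecessary in C: `cgid_dirconf *c = apr_pcalloc(p, sizeof *c);`. Separately, this hunk adds a stray blank line between the set_scriptlog signature and its opening brace, and the @@ -1361 hunk adds two consecutive blank lines before is_included; both look accidental. set_scriptlog's body continues past the end of this hunk.
```c
static void *merge_cgid_dirconf(apr_pool_t *p, void *basev, void *overridesv)
{
    cgid_dirconf *base = basev, *overrides = overridesv;
    cgid_dirconf *c = apr_pcalloc(p, sizeof *c);

    /* 0 means "not set in this section": inherit the enclosing value */
    c->timeout = overrides->timeout ? overrides->timeout : base->timeout;
    return c;
}
/* … unchanged: create_cgid_dirconf, set_scriptlog …; the AP_DECLARE_MODULE merger slot takes merge_cgid_dirconf instead of NULL */
```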
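Review bot: set_script_timeout stores whatever ap_timeout_parameter_parse produces without a range check, so `CGIDScriptTimeout 0` (and, if the parser accepts a sign, a negative value) is accepted and then treated by the handler's `dc->timeout > 0` test as "unset", silently falling back to the server Timeout instead of being reported. If 0 is meant as an explicit "reset to Timeout" knob, the directive documentation should say so; otherwise adding after the parse `if (dc->timeout <= 0) { return "CGIDScriptTimeout must be a positive interval"; }` surfaces the mistake at config-check time. Either way the error string `"CGIDScriptTimeout has wrong format"` could name the accepted syntax, e.g. `"CGIDScriptTimeout has wrong format (expected a number with optional s or ms suffix)"`.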
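Review bot: The CGIDScriptTimeout entry is declared with `RSRC_CONF | ACCESS_CONF` only, which as far as I can tell from httpd's override checking makes the directive an error inside .htaccess, yet the mod_cgid.xml hunk on this page lists .htaccess as a valid context. Either add an OR_* override bit to the command's req_override or drop .htaccess from the documented contexts, so the docs and the command table agree. The help string also says "in seconds" while set_script_timeout accepts ap_timeout_parameter_parse's unit suffixes and the docs give the syntax as time[s|ms]; `"the CGI script, in seconds (or with a ms suffix)."` would match.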
@@ -1361,12 +1385,16 @@ static int cgid_handler(request_rec *r) apr_file_t *tempsock; struct cleanup_script_info *info; apr_status_t rv; + cgid_dirconf *dc; if (strcmp(r->handler, CGI_MAGIC_TYPE) && strcmp(r->handler, "cgi-script")) { return DECLINED; } conf = ap_get_module_config(r->server->module_config, &cgid_module); + dc = ap_get_module_config(r->per_dir_config, &cgid_module); + + is_included = !strcmp(r->protocol, "INCLUDED"); if ((argv0 = strrchr(r->filename, '/')) != NULL) { @@ -1446,6 +1474,12 @@ static int cgid_handler(request_rec *r) */ apr_os_pipe_put_ex(&tempsock, &sd, 1, r->pool); + if (dc->timeout > 0) { + apr_file_pipe_timeout_set(tempsock, dc->timeout); + } + else { + apr_file_pipe_timeout_set(tempsock, r->server->timeout); + } apr_pool_cleanup_kill(r->pool, (void *)((long)sd), close_unix_socket); /* Transfer any put/post args, CERN style... @@ -1615,7 +1649,13 @@ static int cgid_handler(request_rec *r) return HTTP_MOVED_TEMPORARILY; } - ap_pass_brigade(r->output_filters, bb); + rv = ap_pass_brigade(r->output_filters, bb); + if (rv != APR_SUCCESS) { + /* APLOG_ERR because the core output filter message is at error, + * but doesn't know it's passing CGI output + */ + ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, APLOGNO(02550) "Failed to flush CGI output to client"); + } } if (nph) { @@ -1880,7 +1920,7 @@ static void register_hook(apr_pool_t *p) AP_DECLARE_MODULE(cgid) = { STANDARD20_MODULE_STUFF, - NULL, /* dir config creater */ + create_cgid_dirconf, /* dir config creater */ NULL, /* dir merger --- default is to override */ create_cgid_config, /* server config */ merge_cgid_config, /* merge server config */ -- 2.40.0
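Review bot: The return value of apr_file_pipe_timeout_set is discarded in both branches of the @@ -1446 hunk, so if setting the timeout on tempsock fails the socket stays blocking and the hang this patch exists to prevent comes back silently. Checking it and logging keeps the failure observable, and collapsing the two calls into one removes the duplication; a sketch is below (the APLOGNO value is a placeholder to be allocated from docs/log-message-tags/next-number). The timeout is installed before the POST body is written to the same socket on the lines that follow, so it presumably bounds that write as well — worth confirming and noting in a comment, since that is part of the DoS story. cgid_handler starts and ends outside this hunk.
```c
    apr_os_pipe_put_ex(&tempsock, &sd, 1, r->pool);
    /* Bound every read (and, presumably, write) on the CGI socket; 0 in the
     * per-dir config means "use the server Timeout". */
    rv = apr_file_pipe_timeout_set(tempsock,
                                   dc->timeout > 0 ? dc->timeout
                                                   : r->server->timeout);
    if (rv != APR_SUCCESS) {
        ap_log_rerror(APLOG_MARK, APLOG_WARNING, rv, r, APLOGNO(XXXXX) /* placeholder */
                      "could not set timeout on CGI socket");
    }
    /* … unchanged: apr_pool_cleanup_kill, POST body transfer … */
```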
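Review bot: After ap_pass_brigade fails in the @@ -1615 hunk the handler only logs and then continues into the nph and cleanup logic that follows as though the output had been delivered; that may well be the intent (drain the script and clean up), but a one-line comment such as `/* keep going: the script still has to be reaped even if the client is gone */` would stop the next reader from "fixing" it. The message text also attributes every failure to the client side, whereas with the new socket timeout the brigade read can presumably fail with APR_TIMEUP from the script side; rv is already passed to ap_log_rerror, but `"Failed to deliver CGI output to client (or the script timed out)"` is less misleading when an operator greps for the hang. The ap_log_rerror call runs well past 80 columns; splitting the string onto a continuation line, as the AP_INIT_TAKE1 entries do, would match the file. cgid_handler continues outside this hunk.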
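Review bot: The replaced line in the @@ -1880 hunk keeps the typo "creater" in its trailing comment; `create_cgid_dirconf, /* dir config creator */`. The merger slot on the next line is left as NULL, which is what makes the per-directory timeout replace rather than inherit across nested sections (raised on the create_cgid_dirconf hunk).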