From 76aa41352dca4c8b6a6ae4c5f2efa451f6a99779 Mon Sep 17 00:00:00 2001
From: Eric Covener
Date: Mon, 23 Jan 2012 15:04:09 +0000
Subject: [PATCH] CVE-2012-0053: Fix an issue in error responses that could expose "httpOnly" cookies when no custom ErrorDocument is specified for status code 400.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1234837 13f79535-47bb-0310-9956-ffa450edef68
---
 server/protocol.c | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)

diff --git a/server/protocol.c b/server/protocol.c
index 73889ca7ed..0781b26e44 100644
--- a/server/protocol.c
+++ b/server/protocol.c
@@ -750,12 +750,12 @@ AP_DECLARE(void) ap_get_mime_headers_core(request_rec *r, apr_bucket_brigade *bb
 /* insure ap_escape_html will terminate correctly */
 field[len - 1] = '\0';
 apr_table_setn(r->notes, "error-notes",
- apr_pstrcat(r->pool,
+ apr_psprintf(r->pool,
 "Size of a request header field "
 "exceeds server limit.
\n"
- "
\n",
-                                           ap_escape_html(r->pool, field),
-                                           "
\n", NULL));
+ "
\n%.*s\n
\n",
+ field_name_len(field),
+ ap_escape_html(r->pool, field)));
 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(00561)
 "Request header exceeds LimitRequestFieldSize: "
 "%.*s", field_name_len(field), field);
@@ -779,13 +779,13 @@ AP_DECLARE(void) ap_get_mime_headers_core(request_rec *r, apr_bucket_brigade *bb
 * overflow (last_field) as the field with the problem
 */
 apr_table_setn(r->notes, "error-notes",
- apr_pstrcat(r->pool,
+ apr_psprintf(r->pool,
 "Size of a request header field "
 "after folding "
 "exceeds server limit.
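Review bot: The precision `field_name_len(field)` is measured on the raw header but applied to the output of `ap_escape_html(r->pool, field)`, so any character that escaping expands moves the cut point and the echoed name can end in the middle of an entity. The whole oversized field is also escaped into the pool only to print its first few bytes. Truncating before escaping keeps the bound exact and the allocation small: `ap_escape_html(r->pool, apr_pstrmemdup(r->pool, field, field_name_len(field)))` with a plain `%s`. The second hunk has the same pattern with `last_field`. `field_name_len` is defined outside this hunk, so what it returns for a line with no ':' should be confirmed; the enclosing function also starts and ends outside the hunk.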
\n"
- "
\n",
-                                               ap_escape_html(r->pool, last_field),
-                                               "
\n", NULL));
+ "
\n%.*s\n
\n",
+ field_name_len(last_field),
+ ap_escape_html(r->pool, last_field)));
 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(00562)
 "Request header exceeds LimitRequestFieldSize "
 "after folding: %.*s",
@@ -824,13 +824,13 @@ AP_DECLARE(void) ap_get_mime_headers_core(request_rec *r, apr_bucket_brigade *bb
 if (!(value = strchr(last_field, ':'))) { /* Find ':' or */
 r->status = HTTP_BAD_REQUEST; /* abort bad request */
 apr_table_setn(r->notes, "error-notes",
- apr_pstrcat(r->pool,
+ apr_psprintf(r->pool,
 "Request header field is "
 "missing ':' separator.
\n"
- "
\n",
+                                               "
\n%.*s
\n",
+ (int)LOG_NAME_MAX_LEN,
 ap_escape_html(r->pool,
- last_field),
- "
\n", NULL));
+ last_field)));
 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(00564)
 "Request header field is missing ':' "
 "separator: %.*s", (int)LOG_NAME_MAX_LEN,
-- 
2.50.1
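Review bot: In this branch no ':' was found, so there is no name/value boundary and the `(int)LOG_NAME_MAX_LEN` precision still reflects the first bytes of the escaped line into the 400 body, whatever they contain. That deserves a comment above the `apr_table_setn` call, for example `/* no ':' in last_field: echo at most LOG_NAME_MAX_LEN escaped bytes, never the full line */`, or the echo could be dropped here and left to the log entry. The format string also differs from the other two hunks, which put a `\n` after `%.*s`; using the same layout in all three keeps the error pages consistent. As in the earlier hunks, the bound is applied after escaping rather than before. The enclosing function continues outside the hunk.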