From 7aca5f86c580b5764da06ca04402ebb31c47ed8d Mon Sep 17 00:00:00 2001 From: Jim Jagielski Date: Fri, 26 Sep 2014 11:00:14 +0000 Subject: [PATCH] Merge r1624234 from trunk: SECURITY (CVE-2014-3581): Fix a mod_cache NULL pointer deference in Content-Type handling. mod_cache: Avoid a crash when Content-Type has an empty value. PR56924. Submitted By: Mark Montague Reviewed By: Jan Kaluza Submitted by: jkaluza Reviewed/backported by: jim git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1627749 13f79535-47bb-0310-9956-ffa450edef68 --- CHANGES | 4 ++++ STATUS | 5 ----- modules/cache/cache_util.c | 6 ++++-- 3 files changed, 8 insertions(+), 7 deletions(-) diff --git a/CHANGES b/CHANGES index 9970e0256b..57afe6612d 100644 --- a/CHANGES +++ b/CHANGES @@ -2,6 +2,10 @@ Changes with Apache 2.4.11 + *) SECURITY: CVE-2014-3581 (cve.mitre.org) + mod_cache: Avoid a crash when Content-Type has an empty value. + PR 56924. [Mark Montague , Jan Kaluza] + *) mod_cache: Avoid sending 304 responses during failed revalidations PR56881. [Eric Covener] diff --git a/STATUS b/STATUS index 477c0511dd..e758c22a12 100644 --- a/STATUS +++ b/STATUS @@ -102,11 +102,6 @@ RELEASE SHOWSTOPPERS: PATCHES ACCEPTED TO BACKPORT FROM TRUNK: [ start all new proposals below, under PATCHES PROPOSED. ] - * mod_cache: CVE-2014-3581 - Avoid a crash when Content-Type has an empty - value. PR56924. - trunk patch: http://svn.apache.org/r1624234 - 2.4.x patch: trunk works (modulo CHANGES) - +1: jkaluza, jim, ylavic PATCHES PROPOSED TO BACKPORT FROM TRUNK: diff --git a/modules/cache/cache_util.c b/modules/cache/cache_util.c index 6368af0968..b7454ad6a1 100644 --- a/modules/cache/cache_util.c +++ b/modules/cache/cache_util.c 
@@ -1258,8 +1258,10 @@ apr_table_t *cache_merge_headers_out(request_rec *r) if (r->content_type && !apr_table_get(headers_out, "Content-Type")) { - apr_table_setn(headers_out, "Content-Type", - ap_make_content_type(r, r->content_type)); + const char *ctype = ap_make_content_type(r, r->content_type); + if (ctype) { + apr_table_setn(headers_out, "Content-Type", ctype); + } } if (r->content_encoding -- 2.40.0
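Review bot: The new `if (ctype)` guard in cache_merge_headers_out() carries no comment explaining why a non-NULL `r->content_type` can still yield a NULL `ctype`, so it reads as redundant beside the outer `r->content_type` test and could be simplified away in a later cleanup. Going by the commit message, the triggering case is an empty Content-Type value; I would add `/* ap_make_content_type() can return NULL (e.g. empty r->content_type); never store a NULL value in headers_out */` directly above the `if (ctype)` line. When `ctype` is NULL the merged table is left with no Content-Type entry at all, which looks like the intended outcome but should be stated in that same comment. The patch adds no regression test for a response with an empty Content-Type, and any other call sites that pass ap_make_content_type() straight into apr_table_setn() are not visible here and may need the same check. The body of cache_merge_headers_out() starts and ends outside this hunk.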