From 7ed8b01180841317aeb20298e8dd6f61d4a2d0ce Mon Sep 17 00:00:00 2001 From: Daniel Gruno Date: Thu, 27 Mar 2014 11:00:34 +0000 Subject: [PATCH] mod_lua: escape key/value pairs when setting cookies to prevent header splitting with tainted cookies. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1582255 13f79535-47bb-0310-9956-ffa450edef68 --- CHANGES | 4 ++++ modules/lua/lua_request.c | 4 ++++ 2 files changed, 8 insertions(+) diff --git a/CHANGES b/CHANGES index 36af84a928..410cc75f4d 100644 --- a/CHANGES +++ b/CHANGES @@ -8,6 +8,10 @@ Changes with Apache 2.4.10 *) mod_lua: Reformat and escape script error output. [Daniel Gruno, Felipe Daragon ] + *) mod_lua: URL-escape cookie keys/values to prevent tainted cookie data + from causing response splitting. + [Daniel Gruno, Felipe Daragon ] + Changes with Apache 2.4.9 *) mod_ssl: Work around a bug in some older versions of OpenSSL that diff --git a/modules/lua/lua_request.c b/modules/lua/lua_request.c index 609b01673c..f3217f38d8 100644 --- a/modules/lua/lua_request.c +++ b/modules/lua/lua_request.c @@ -2048,6 +2048,10 @@ static int lua_set_cookie(lua_State *L) /* Domain does NOT like quotes in most browsers, so let's avoid that */ strdomain = apr_psprintf(r->pool, "Domain=%s;", domain); } + + /* URL-encode key/value */ + value = ap_escape_urlencoded(r->pool, value); + key = ap_escape_urlencoded(r->pool, key); /* Create the header */ out = apr_psprintf(r->pool, "%s=%s; %s %s %s %s %s", key, value, -- 2.50.1