From 9e659703d46cfeced79cfa44917b24a95781ae8d Mon Sep 17 00:00:00 2001
From: Jim Jagielski
Date: Mon, 10 Mar 2014 11:23:47 +0000
Subject: [PATCH] Merge r1575400 from trunk: CVE-2014-0098 (reported by Rainer Canavan ) Segfaults w/ truncated cookie logging. Clean up the cookie logging parser to recognize only the cookie=value pairs, not valueless cookies. This refactors multiple passes over the same string buffer into a single pass parser. Submitted by: wrowe Reviewed by: rpluem, jim Submitted by: wrowe Reviewed/backported by: jim git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1575904 13f79535-47bb-0310-9956-ffa450edef68
---
 CHANGES | 4 ++++
 STATUS | 6 ------
 modules/loggers/mod_log_config.c | 23 +++++++++++++++++------
 3 files changed, 21 insertions(+), 12 deletions(-)
diff --git a/CHANGES b/CHANGES
index 64fe91d62d..6175ad40c8 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2,6 +2,10 @@ Changes with Apache 2.4.8
+ *) Clean up cookie logging with fewer redundant string parsing passes.
+ Log only cookies with a value assignment.
+ [William Rowe, Ruediger Pluem, Jim Jagielski]
+
 *) mod_dir: Add DirectoryCheckHandler to allow a 2.2-like behavior, skipping execution when a handler is already set. PR53929. [Eric Covener]
diff --git a/STATUS b/STATUS
index 4c8fb581af..853d5f2040 100644
--- a/STATUS
+++ b/STATUS
@@ -98,12 +98,6 @@ RELEASE SHOWSTOPPERS:
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
 [ start all new proposals below, under PATCHES PROPOSED. ]
- *) mod_log_config: Clean up cookie logging with fewer redundant
- string parsing passes. Log only cookies with a value assignment.
- [William Rowe, Ruediger Pluem, Jim Jagielski]
- trunk patch: http://svn.apache.org/r1575400
- 2.4.x patch: trunk works
- +1: wrowe, jim, ylavic
 PATCHES PROPOSED TO BACKPORT FROM TRUNK:
diff --git a/modules/loggers/mod_log_config.c b/modules/loggers/mod_log_config.c
index f17e164156..792756db07 100644
--- a/modules/loggers/mod_log_config.c
+++ b/modules/loggers/mod_log_config.c
@@ -543,14 +543,24 @@ static const char *log_cookie(request_rec *r, char *a)
 while ((cookie = apr_strtok(cookies, ";", &last1))) {
 char *name = apr_strtok(cookie, "=", &last2);
- if (name) {
- char *value = name + strlen(name) + 1;
- apr_collapse_spaces(name, name);
+ /* last2 points to the next char following an '=' delim,
+ or the trailing NUL char of the string */
+ char *value = last2;
+ if (name && *name && value && *value) {
+ char *last = value - 2;
+ /* Move past leading WS */
+ name += strspn(name, " \t");
+ while (last >= name && apr_isspace(*last)) {
+ *last = '\0';
+ --last;
+ }
 if (!strcasecmp(name, a)) {
- char *last;
- value += strspn(value, " \t"); /* Move past leading WS */
- last = value + strlen(value) - 1;
+ /* last1 points to the next char following the ';' delim,
+ or the trailing NUL char of the string */
+ last = last1 - (*last1 ? 2 : 1);
+ /* Move past leading WS */
+ value += strspn(value, " \t");
 while (last >= value && apr_isspace(*last)) {
 *last = '\0';
 --last;
@@ -559,6 +569,7 @@ static const char *log_cookie(request_rec *r, char *a)
 return ap_escape_logitem(r->pool, value);
 }
 }
+ /* Iterate the remaining tokens using apr_strtok(NULL, ...) */
 cookies = NULL;
 }
 }
-- 
2.40.0
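Review bot: The trailing-whitespace trim of the matched value in the first hunk is skipped when the matching cookie is the last one and the header ends with ';': `last = last1 - (*last1 ? 2 : 1);` then lands on the NUL that apr_strtok wrote over that ';', apr_isspace('\0') is false, and a value like `b ` is logged with its trailing space. The new comment above that line lists two cases for last1, but when the ';' is the final character both hold at once and `*last1` alone cannot tell them apart, a case the removed `value + strlen(value) - 1` did not have to distinguish. Testing the byte before last1 covers all three cases in the same single pass: `last = last1 - (last1[-1] ? 1 : 2);`. Separately, `char *value = last2;` reads last2 before `name` is checked, and apr_strtok does not set *last when it returns NULL, so on a token consisting only of '=' this copies whatever last2 held (presumably uninitialized; its declaration is outside the hunk) — the `name &&` test keeps it from being dereferenced, but `char *value = name ? last2 : NULL;` avoids the indeterminate read outright. log_cookie begins before this hunk and its closing lines lie beyond the second one.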