Commit 16e241ed authored by Eric Covener's avatar Eric Covener
Browse files

Merge r1610814, r1610686, r1610707 from trunk:

      *) SECURITY: CVE-2013-5704 (cve.mitre.org)
         core: HTTP trailers could be used to replace HTTP headers
         late during request processing, potentially undoing or
         otherwise confusing modules that examined or modified
         request headers earlier.  Adds "MergeTrailers" directive to restore
         legacy behavior.

    Submitted By: Edward Lu, Yann Ylavic, Joe Orton, Eric Covener
    Committed By: covener

Reviewed By:  covener, wrowe, rpluem
 


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1619489 13f79535-47bb-0310-9956-ffa450edef68
parent 877b3138
Loading
Loading
Loading
Loading
+7 −1
Original line number Diff line number Diff line
@@ -21,6 +21,13 @@ Changes with Apache 2.2.28
     Fix a race condition in scoreboard handling, which could lead to
     a heap buffer overflow.  [Joe Orton, Eric Covener, Jeff Trawick]

  *) SECURITY: CVE-2013-5704 (cve.mitre.org)
     core: HTTP trailers could be used to replace HTTP headers
     late during request processing, potentially undoing or
     otherwise confusing modules that examined or modified
     request headers earlier.  Adds "MergeTrailers" directive to restore
     legacy behavior.  [Edward Lu, Yann Ylavic, Joe Orton, Eric Covener]

  *) mod_proxy: Don't reuse a SSL backend connection whose requested SNI
     differs. PR 55782.  [Yann Ylavic]
 
@@ -630,7 +637,6 @@ Changes with Apache 2.2.16
  *) mod_rewrite: Allow to set environment variables without explicitly
     giving a value. [Rainer Jung]


Changes with Apache 2.2.15

  *) SECURITY: CVE-2009-3555 (cve.mitre.org)
+0 −16
Original line number Diff line number Diff line
@@ -99,22 +99,6 @@ RELEASE SHOWSTOPPERS:
PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
  [ start all new proposals below, under PATCHES PROPOSED. ]

  *) SECURITY: CVE-2013-5704 (cve.mitre.org)
     core: HTTP trailers could be used to replace HTTP headers
     late during request processing, potentially undoing or
     otherwise confusing modules that examined or modified
     request headers earlier.  Adds "MergeTrailers" directive to restore
     legacy behavior. 
     trunk patch: http://svn.apache.org/r1610814 
                  http://svn.apache.org/r1610686 (mod_log_config ^XX support) 
                  http://svn.apache.org/r1610707 (mod_log_cofnig ^XX support)
     2.2.x patch:  http://people.apache.org/~covener/patches/httpd-2.2.x-trailers-2.diff
     +1: covener, wrowe, rpluem
     covener: Since this was not released yet in 2.4.x, maybe it's better to cut 2.2.28 w/o it?
     mrumph:  Delaying a nonCVE fix would be reasonable to maintain backward compatibility.
              But for a CVE that has already been made public,
              wouldn't it make more sense to make the fix available as quickly as possible?
     
   * mod_deflate: Fix reentrance in output and input filters (buffering of
                  incomplete Zlib header or validation bytes). PR 46146.
     trunk patch: https://svn.apache.org/r1572655
+19 −0
Original line number Diff line number Diff line
@@ -3655,4 +3655,23 @@ hostname or IP address</description>
    different sections are combined when a request is received</seealso>
</directivesynopsis>

<directivesynopsis>
<name>MergeTrailers</name>
<description>Determins whether trailers are merged into headers</description>
<syntax>MergeTrailers [on|off]</syntax>
<default>MergeTrailers off</default>
<contextlist><context>server config</context><context>virtual host</context></contextlist>
<compatibility>2.4.10 and later</compatibility>

<usage>
    <p>This directive controls whether HTTP trailers are copied into the
    internal representation of HTTP headers. This mergeing occurs when the 
    request body has been completely consumed, long after most header 
    processing would have a chance to examine or modify request headers.</p>
    <p>This option is provided for compatibility with releases prior to 2.4.10,
    where trailers were always merged.</p>
</usage>
</directivesynopsis>


</modulesynopsis>
+9 −0
Original line number Diff line number Diff line
@@ -225,6 +225,15 @@
    <tr><td><code>%O</code></td>
        <td>Bytes sent, including headers, cannot be zero. You need to
        enable <module>mod_logio</module> to use this.</td></tr>
 
    <tr><td><code>%{<var>VARNAME</var>}^ti</code></td>
        <td>The contents of <code><var>VARNAME</var>:</code> trailer line(s)
        in the request sent to the server.  </td></tr>

    <tr><td><code>%{<var>VARNAME</var>}^to</code></td>
        <td>The contents of <code><var>VARNAME</var>:</code> trailer line(s)
        in the response sent from the server.  </td></tr>

    </table>

    <section id="modifiers"><title>Modifiers</title>
+2 −1
Original line number Diff line number Diff line
@@ -153,6 +153,7 @@
 * 20051115.33 (2.2.24) Add ap_pregsub_ex()
 * 20051115.34 (2.2.28) Add ap_copy_scoreboard_worker()
 * 20051115.35 (2.2.28) Add SSL reusable SNI to mod_proxy.h's proxy_conn_rec
 * 20051115.36 (2.2.28) Add r->trailers_{in,out}
 */

#define MODULE_MAGIC_COOKIE 0x41503232UL /* "AP22" */
@@ -160,7 +161,7 @@
#ifndef MODULE_MAGIC_NUMBER_MAJOR
#define MODULE_MAGIC_NUMBER_MAJOR 20051115
#endif
#define MODULE_MAGIC_NUMBER_MINOR 35                    /* 0...n */
#define MODULE_MAGIC_NUMBER_MINOR 36                    /* 0...n */

/**
 * Determine if the server's current MODULE_MAGIC_NUMBER is at least a
Loading