Commit 46a23c4d authored by Yann Ylavic

Merge r1685345, r1685347, r1685349 and r1685350 from trunk.

core: Allow spaces after chunk-size for compatibility with implementations
using a pre-filled buffer.

Proposed by: ylavic, trawick
Reviewed by: ylavic, wrowe, minfrin


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1687339 13f79535-47bb-0310-9956-ffa450edef68
parent 29779fd0
+3 −0
@@ -8,6 +8,9 @@ Changes with Apache 2.2.30
     Limit accepted chunk-size to 2^63-1 and be strict about chunk-ext
     authorized characters.  [Graham Leggett, Yann Ylavic]

  *) core: Allow spaces after chunk-size for compatibility with implementations
     using a pre-filled buffer.  [Yann Ylavic, Jeff Trawick]

  *) mod_ssl: bring SNI behavior into better conformance with RFC 6066:
     no longer send warning-level unrecognized_name(112) alerts. PR 56241.
     [Kaspar Brand]
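
Review bot: The new CHANGES entry says "spaces", but the parse_chunk_size() change in this commit accepts both ' ' and '\t' after the chunk-size. Suggest wording the entry as "spaces and tabs" (or "whitespace") so the changelog matches what the parser now tolerates.
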
+0 −36
@@ -101,42 +101,6 @@ RELEASE SHOWSTOPPERS:
PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
  [ start all new proposals below, under PATCHES PROPOSED. ]

  *) SECURITY: CVE-2015-3183 (cve.mitre.org)
     core: Fix chunk header parsing defect.
     Remove apr_brigade_flatten(), buffering and duplicated code from
     the HTTP_IN filter, parse chunks in a single pass with zero copy.
     Limit accepted chunk-size to 2^63-1 and be strict about chunk-ext
     authorized characters.  [Graham Leggett, Yann Ylavic]
  Submitted by: minfrin, ylavic
  Reviewed by: ylavic, wrowe,
  Backports: 1484852, 1684513
  Reported by: regilero <regis.leroy makina-corpus.com>

  trunk
    http://svn.apache.org/r1484852
    http://svn.apache.org/r1684513
  2.4.x branch
    http://svn.apache.org/r1684515
  2.2.x branch
    http://people.apache.org/~wrowe/httpd-2.2.x-ap_http_filter-chunked-v6.patch
  +1: ylavic, wrowe, minfrin
  jim notes: test framework errors due to 413->400 error change [test adjusted]
  wrowe notes: r1684513 was not neglected in this patch, already included

  *) core: Allow spaces after chunk-size for compatibility with implementations
     using a pre-filled buffer.
     trunk patch: http://svn.apache.org/r1685345
                  http://svn.apache.org/r1685347
                  http://svn.apache.org/r1685349
                  http://svn.apache.org/r1685350
     2.[24].x patch: http://people.apache.org/~ylavic/httpd-2.4.x-ap_http_filter_chunked-v3.patch
                     (trunk works but CHANGES entry in the above patch is
                      better since the APLOG_INFO part is already included
                      in the CVE-2015-3183 patch)
     +1: ylavic, wrowe, minfrin
     ylavic: CVE-2015-3183 patch httpd-2.2.x-ap_http_filter-chunked-v6.patch
             above must be applied first.


PATCHES PROPOSED TO BACKPORT FROM TRUNK:
  [ New proposals should be added at the end of the list ]
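
Review bot: The removed block also drops the CVE-2015-3183 entry, not only the "Allow spaces after chunk-size" proposal that the log message names. If that entry is cleared here because its patch had to be applied first (per the ylavic note in the removed text), say so in the log message so the STATUS history of the security fix can be followed from the commit log alone.
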
+12 −2
@@ -70,10 +70,11 @@ typedef struct http_filter_ctx
        BODY_CHUNK, /* chunk expected */
        BODY_CHUNK_PART, /* chunk digits */
        BODY_CHUNK_EXT, /* chunk extension */
        BODY_CHUNK_LF, /* got CR, expect LF after digits/extension */
        BODY_CHUNK_CR, /* got space(s) after digits, expect [CR]LF or ext */
        BODY_CHUNK_LF, /* got CR after digits or ext, expect LF */
        BODY_CHUNK_DATA, /* data constrained by chunked encoding */
        BODY_CHUNK_END, /* chunked data terminating CRLF */
        BODY_CHUNK_END_LF, /* got CR, expect LF after data */
        BODY_CHUNK_END_LF, /* got CR after data, expect LF */
        BODY_CHUNK_TRAILER /* trailers */
    } state;
    unsigned int eos_sent :1;
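
Review bot: The name BODY_CHUNK_CR reads as "got CR" or "expect CR" next to BODY_CHUNK_LF and BODY_CHUNK_END_LF, yet its comment says it means space(s) seen after the digits, with a bare LF or a chunk extension also acceptable next. A name that reflects the whitespace (BODY_CHUNK_WS is one hypothetical option) would be less likely to mislead; failing that, extend the comment to state that no further digits are accepted once this state is entered.
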
@@ -203,6 +204,15 @@ static apr_status_t parse_chunk_size(http_ctx_t *ctx, const char *buffer,
                return APR_EINVAL;
            }
        }
        else if (c == ' ' || c == '\t') {
            ctx->state = BODY_CHUNK_CR;
        }
        else if (ctx->state == BODY_CHUNK_CR) {
            /*
             * ';', CR or LF expected.
             */
            return APR_EINVAL;
        }
        else if (ctx->state == BODY_CHUNK_PART) {
            int xvalue;
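
Review bot: The `c == ' ' || c == '\t'` branch moves to BODY_CHUNK_CR without testing the current state, so it relies on branches above this hunk to have already handled whitespace that arrives before any digit or inside a chunk extension. Suggest a short comment naming the states that can reach this branch (BODY_CHUNK_PART and BODY_CHUNK_CR, going by the enum comment), or testing them explicitly in the condition, so a later reordering of the else-if chain cannot silently widen what is accepted in the chunk-size line.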