Commit 90a8bc7f authored by William A. Rowe Jr's avatar William A. Rowe Jr
Browse files

mod_rewrite: (CVE-2013-1862 (cve.mitre.org)) Ensure that client data 

written to the RewriteLog is escaped to prevent terminal escape sequences
from entering the log file.

Backports: r1482349
Submitted by: jorton
Reviewed by: wrowe, covener, trawick



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@1497018 13f79535-47bb-0310-9956-ffa450edef68
parent a199d5cb

CHANGES

+5 −0
Original line number Diff line number Diff line 
                                                         -*- coding: utf-8 -*-

Changes with Apache 2.0.65



  *) SECURITY: CVE-2013-1862 (cve.mitre.org)

     mod_rewrite: Ensure that client data written to the RewriteLog is

     escaped to prevent terminal escape sequences from entering the

     log file.  [Joe Orton]



  *) SECURITY: CVE-2012-0053 (cve.mitre.org)

     Fix an issue in error responses that could expose "httpOnly" cookies

     when no custom ErrorDocument is specified for status code 400.

STATUS

+0 −6
Original line number Diff line number Diff line
@@ -118,12 +118,6 @@ RELEASE SHOWSTOPPERS: 
PATCHES ACCEPTED TO BACKPORT FROM TRUNK:

  [ start all new proposals below, under PATCHES PROPOSED. ]



   * mod_rewrite: (CVE-2013-1862 (cve.mitre.org)) Ensure that client data

     written to the RewriteLog is escaped to prevent terminal escape sequences

     from entering the log file. [Joe Orton]

     http://svn.apache.org/viewvc?view=revision&revision=1482349

     2.0.x: http://people.apache.org/~covener/patches/2.0.x-rewritelog.diff 

     +1: wrowe, covener, trawick



PATCHES PROPOSED TO BACKPORT FROM TRUNK:

  [ please place SVN revisions from trunk here, so it is easy to

modules/mappers/mod_rewrite.c

+8 −6
Original line number Diff line number Diff line
@@ -3599,10 +3599,11 @@ static void rewritelog(request_rec *r, int level, const char *text, ...) 
        rhost = "UNKNOWN-HOST";

    }



    str1 = apr_pstrcat(r->pool, rhost, " ",

                      (conn->remote_logname != NULL ?

                      conn->remote_logname : "-"), " ",

                      ruser, NULL);

    str1 = apr_pstrcat(r->pool, ap_escape_logitem(r->pool, rhost), " ",

                       (conn->remote_logname != NULL

                            ? ap_escape_logitem(r->pool, conn->remote_logname)

                            : "-"),

                       " ", ap_escape_logitem(r->pool, ruser), NULL);

    apr_vsnprintf(str2, sizeof(str2), text, ap);



    if (r->main == NULL) {
@@ -3624,9 +3625,10 @@ static void rewritelog(request_rec *r, int level, const char *text, ...) 


    apr_snprintf(str3, sizeof(str3),

                "%s %s [%s/sid#%lx][rid#%lx/%s%s] (%d) %s" APR_EOL_STR, str1,

                current_logtime(r), ap_get_server_name(r),

                current_logtime(r),

                ap_escape_logitem(r->pool, ap_get_server_name(r)),

                (unsigned long)(r->server), (unsigned long)r,

                type, redir, level, str2);

                type, redir, level, ap_escape_logitem(r->pool, str2));



    rv = apr_global_mutex_lock(rewrite_log_lock);

    if (rv != APR_SUCCESS) {