fanf 99/12/21 03:33:23
Modified: src CHANGES src/main http_protocol.c http_vhost.c Log: Fix the mass vhosting security problem spotted by Lars, as in 1.3 Submitted by: Ben Hyde Reviewed by: Tony Finch Revision Changes Path 1.19 +5 -0 apache-2.0/src/CHANGES Index: CHANGES =================================================================== RCS file: /home/cvs/apache-2.0/src/CHANGES,v retrieving revision 1.18 retrieving revision 1.19 diff -u -r1.18 -r1.19 --- CHANGES 1999/12/21 07:54:07 1.18 +++ CHANGES 1999/12/21 11:33:21 1.19 @@ -1,4 +1,9 @@ Changes with Apache 2.0-dev + + *) More rigorous checking of Host: headers to fix security problems + with mass name-based virtual hosting (whether using mod_rewrite + or mod_vhost_alias). + [Ben Hyde, Tony Finch] *) Add back support for UseCanonicalName in <Directory> containers. [Manoj Kasichainula] 1.43 +3 -1 apache-2.0/src/main/http_protocol.c Index: http_protocol.c =================================================================== RCS file: /home/cvs/apache-2.0/src/main/http_protocol.c,v retrieving revision 1.42 retrieving revision 1.43 diff -u -r1.42 -r1.43 --- http_protocol.c 1999/12/20 16:38:34 1.42 +++ http_protocol.c 1999/12/21 11:33:22 1.43 @@ -1033,7 +1033,7 @@ r->status = HTTP_OK; /* Until further notice. */ /* update what we think the virtual host is based on the headers we've - * now read + * now read. may update status. */ ap_update_vhost_from_headers(r); @@ -1056,6 +1056,8 @@ ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, 0, r, "client sent HTTP/1.1 request without hostname " "(see RFC2068 section 9, and 14.23): %s", r->uri); + } + if (r->status != HTTP_OK) { ap_send_error_response(r, 0); ap_run_log_transaction(r); return r; 1.10 +41 -10 apache-2.0/src/main/http_vhost.c Index: http_vhost.c =================================================================== RCS file: /home/cvs/apache-2.0/src/main/http_vhost.c,v retrieving revision 1.9 retrieving revision 1.10 diff -u -r1.9 -r1.10 --- http_vhost.c 1999/12/15 00:59:56 1.9 +++ http_vhost.c 1999/12/21 11:33:23 1.10 @@ -658,22 +658,51 @@ * run-time vhost matching functions */ -/* Remove :port and optionally a single trailing . from the hostname, this - * canonicalizes it somewhat. +/* Lowercase and remove any trailing dot and/or :port from the hostname, + * and check that it is sane. */ static void fix_hostname(request_rec *r) { - const char *hostname = r->hostname; - char *host = ap_getword(r->pool, &hostname, ':'); /* get rid of port */ - size_t l; - - /* trim a trailing . */ - l = strlen(host); - if (l > 0 && host[l-1] == '.') { - host[l-1] = '\0'; + char *host = ap_palloc(r->pool, strlen(r->hostname) + 1); + const char *src; + char *dst; + + /* check and copy the host part */ + src = r->hostname; + dst = host; + while (*src) { + if (!isalnum(*src) && *src != '.' && *src != '-') { + if (*src == ':') + break; + else + goto bad; + } else { + *dst++ = *src++; + } + } + /* check the port part */ + if (*src++ == ':') { + while (*src) { + if (!isdigit(*src++)) { + goto bad; + } + } + } + /* strip trailing gubbins */ + if (dst > host && dst[-1] == '.') { + dst[-1] = '\0'; + } else { + dst[0] = '\0'; } r->hostname = host; + return; + +bad: + r->status = HTTP_BAD_REQUEST; + ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r, + "Client sent malformed Host header"); + return; } @@ -876,6 +905,8 @@ /* must set this for HTTP/1.1 support */ if (r->hostname || (r->hostname = ap_table_get(r->headers_in, "Host"))) { fix_hostname(r); + if (r->status != HTTP_OK) + return; } /* check if we tucked away a name_chain */ if (r->connection->vhost_lookup_data) {