At 03:03 PM 7/14/2005, William A. Rowe, Jr. wrote:
>To simplify - Jeff, Joe and I reviewed two of the patches, and they
>are committed.  Two patches are available for comment;
changelog;

  *) Added TraceEnable [on|off|extended] per-server directive to alter
     the behavior of the TRACE method.  This addresses a flaw in proxy
     conformance to RFC 2616 - previously the proxy server would accept
     a TRACE request body although the RFC prohibited it.  The default
     remains 'TraceEnable on'.  [William Rowe]

>http://people.apache.org/~wrowe/httpd-2.0-trace.patch

and changelog;

  *) SECURITY: CAN-2005-2088 proxy: Correctly handle the Transfer-Encoding
     and Content-Length headers.  Discard the request Content-Length
     whenever T-E: chunked is used, always passing one of either C-L or
     T-E: chunked whenever the request includes a request body.  Resolves
     an entire class of proxy HTTP Request Splitting/Spoofing attacks.
     [William Rowe]

The newest flavor based on my most recent commits from Roy and Jeff's
feedback is available at;

  http://people.apache.org/~wrowe/httpd-2.0-proxy-request-2.patch

and 2.0 STATUS is updated accordingly.  Votes/Comments please?

>Although proxy-request.patch will evolve as this discussion
>continues; Jeff caused me to look, again, at the code and
>recognize another edge case already committed to trunk
>(and also in the patch.)  proxy-request.patch will ultimately
>mirror what we agree to on trunk.
>
>And FYI, revert r219061 (below) from 2.1 or 2.0 to see the
>continued misbehavior of proxy without the proxy-request.patch.
>
>Bill
>
>--- httpd/httpd/branches/2.0.x/server/protocol.c (original) >+++ httpd/httpd/branches/2.0.x/server/protocol.c Thu Jul 14 09:51:55 2005 >@@ -885,6 +885,15 @@ > apr_brigade_destroy(tmp_bb); > return r; > } >+ >+ if (apr_table_get(r->headers_in, "Transfer-Encoding") >+ && apr_table_get(r->headers_in, "Content-Length")) { >+ /* 2616 section 4.4, point 3: "if both Transfer-Encoding >+ * and Content-Length are received, the latter MUST be >+ * ignored"; so unset it here to prevent any confusion >+ * later. */ >+ apr_table_unset(r->headers_in, "Content-Length"); >+ } > } > else { > if (r->header_only) {
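Review bot: the new check in the protocol.c hunk unsets Content-Length whenever any Transfer-Encoding header is present, not only when the coding is chunked, so a request that carries `Transfer-Encoding: identity` (or a coding the server does not implement) together with a Content-Length loses its only usable body delimiter and is then treated as if it had no body at all. Either narrow the condition to a Transfer-Encoding whose final coding is chunked, or reject a request with a non-chunked Transfer-Encoding outright; RFC 2616 section 3.6 says a server receiving a transfer-coding it does not understand SHOULD return 501 and close the connection. It is also worth logging the discarded Content-Length at debug level from the same block, since a request carrying both headers is exactly the signature of the request-splitting probes this change is meant to defeat and operators will want to see it in the error log.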
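To make the "class of proxy HTTP Request Splitting attacks" in the changelog concrete, here is an added example (not code from this mail or from httpd) that frames one constructed TCP stream two ways: once as a parser that trusts Content-Length, once applying the RFC 2616 section 4.4 rule the protocol.c hunk implements, where Transfer-Encoding wins and Content-Length is dropped. The request lines, Host value and byte counts are made up for the demonstration; `normalize_framing` and `outbound_framing` are hypothetical helper names standing in for the two halves of the changelog entry.

```python
# Added example: CL/TE request splitting and the RFC 2616 4.4 fix.
# Illustrative code only; the wire bytes below are constructed.


def parse_head(raw):
    """Split raw bytes into (request_line, headers, rest).
    Header names are lower-cased: HTTP header names are case-insensitive."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header block")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, rest


def read_chunked(data):
    """Decode a chunked body; return (body, bytes after the terminator)."""
    body, pos = b"", 0
    while True:
        end = data.index(b"\r\n", pos)
        size = int(data[pos:end].split(b";")[0], 16)  # drop chunk extensions
        pos = end + 2
        if size == 0:
            # last chunk: skip optional trailers up to the empty line
            while True:
                end = data.index(b"\r\n", pos)
                line, pos = data[pos:end], end + 2
                if not line:
                    return body, data[pos:]
        body += data[pos:pos + size]
        pos += size
        if data[pos:pos + 2] != b"\r\n":
            raise ValueError("malformed chunk")
        pos += 2


def normalize_framing(headers):
    """RFC 2616 section 4.4 point 3, the rule the protocol.c hunk applies:
    when both Transfer-Encoding and Content-Length are received, the
    latter MUST be ignored.  Returns a new dict."""
    h = dict(headers)
    if b"transfer-encoding" in h and b"content-length" in h:
        del h[b"content-length"]
    return h


def read_body(headers, data, content_length_wins):
    """Return (body, remaining).  content_length_wins=True models a hop
    that prefers Content-Length; False applies the RFC precedence."""
    te = headers.get(b"transfer-encoding", b"").lower()
    cl = headers.get(b"content-length")
    if content_length_wins and cl is not None:
        n = int(cl)
        return data[:n], data[n:]
    if b"chunked" in te:
        return read_chunked(data)
    if cl is not None:
        n = int(cl)
        return data[:n], data[n:]
    return b"", data  # no framing header: no body


def split_stream(stream, content_length_wins):
    """Request lines in the order a hop with the given policy sees them."""
    seen = []
    while stream:
        request_line, headers, rest = parse_head(stream)
        seen.append(request_line)
        _, stream = read_body(headers, rest, content_length_wins)
    return seen


def outbound_framing(headers, body):
    """Second half of the changelog entry: a proxy sends upstream exactly
    one of Content-Length or Transfer-Encoding: chunked when a body exists."""
    h = normalize_framing(headers)
    if b"chunked" in h.get(b"transfer-encoding", b"").lower():
        h.pop(b"content-length", None)
    elif body or b"content-length" in h:
        h[b"content-length"] = str(len(body)).encode()
    return h


# Constructed stream: Content-Length covers the zero chunk plus the whole
# smuggled GET /admin (54 bytes), so a CL-first hop treats GET /admin as
# body data while a TE-first hop sees it as a second request.
SMUGGLED_STREAM = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: proxy.example.test\r\n"
    b"Content-Length: 54\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"0\r\n"
    b"\r\n"
    b"GET /admin HTTP/1.1\r\n"
    b"Host: proxy.example.test\r\n"
    b"\r\n"
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: proxy.example.test\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print("CL-first hop sees:", split_stream(SMUGGLED_STREAM, True))
    print("RFC 2616 hop sees:", split_stream(SMUGGLED_STREAM, False))
```

The two hops disagree on where the first request ends: the Content-Length reader swallows `GET /admin` as body, the RFC reader delivers it as a separate request. A proxy that normalizes with `normalize_framing` before deciding what to forward, and emits only one framing header with `outbound_framing`, removes the ambiguity the downstream server would otherwise resolve on its own.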