On 14 January 2015 at 09:10, <wr...@rowe-clan.net> wrote:

> --------- Original Message ---------
> Subject: Re: Re: CVE-2013-5704 fix breaks mod_wsgi
> From: "Graham Dumpleton" <grah...@apache.org>
> Date: 1/12/15 11:34 pm
> To: "dev@httpd.apache.org" <dev@httpd.apache.org>
>
> But the damage has been done for some months on 2.2, and we are noticing this, now?
>
> All distros still shipping Apache 2.2 still are using older mod_wsgi 3.X versions
>
> Makes sense...
>
> which I don't at this point believe are affected by this issue.
>
> And why not?
>
> https://github.com/GrahamDumpleton/mod_wsgi/blob/stable/3.X/mod_wsgi.c
>
> /* Create and populate our own request object. */
> apr_pool_create(&p, c->pool);
> r = apr_pcalloc(p, sizeof(request_rec));

Because the code which is doing this is not running inside of the normal Apache child worker processes but a separate managed process that mod_wsgi creates just to run the WSGI application. In that separate process things are much more controlled and arbitrary Apache modules don't run stuff.

The only parts of the Apache code base that touch the new structure members that I can find are the HTTP input filter, the proxy modules, sub requests and logging.

In these separate managed processes the proxy modules are never used, nor are sub requests. The log functions which use the new structure members are also not triggered as that only occurs in the Apache child worker processes.

The HTTP input filter is used, but due to the specific way that mod_wsgi transfers data from the Apache child process to the separate managed process, that request content is never chunked. As a consequence the read_chunked_trailers() function which updates the structure members is never called.

So although the request_rec size is going to be wrong, nothing ever attempts to read or write past the short memory which is created in the case of mod_wsgi <4.4.0 and so old versions aren't crashing when tested.

I agree this isn't ideal and users should update in case some other change is made to Apache down the track which may change this, but right now it at least means those older versions will not crash as mod_wsgi 4.4.0+ is.

FWIW, version 4.4.0 was only released November 28th 2014 and so not many are actually likely using it.

Graham
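
The size mismatch discussed in this message, as an added example that is not part of the original post and is not mod_wsgi or httpd code: a module allocates a request structure using the `sizeof` from the header it was built against, while the running server uses a layout with members appended. The struct layouts and the member names `extra_in`/`extra_out` are constructed stand-ins, not the real `request_rec` fields.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-ins, NOT httpd's real request_rec layout. */
struct req_old {              /* header the module was compiled against */
    void *pool;
    const char *uri;
    int status;
};

struct req_new {              /* header the running server was built from */
    void *pool;
    const char *uri;
    int status;
    void *extra_in;           /* hypothetical members appended by a fix */
    void *extra_out;
};

/* 1 if the byte range [off, off+len) lies wholly inside alloc bytes. */
static int field_in_alloc(size_t alloc, size_t off, size_t len)
{
    return off <= alloc && len <= alloc - off;
}

#define FIELD_OK(alloc, type, member) \
    field_in_alloc((alloc), offsetof(type, member), sizeof(((type *)0)->member))

/* What the module does: allocation size frozen at its own compile time. */
static size_t module_alloc_size(void) { return sizeof(struct req_old); }

/* Members common to both layouts stay inside the short block. */
static int shared_fields_safe(void)
{
    size_t n = module_alloc_size();
    return FIELD_OK(n, struct req_new, pool)
        && FIELD_OK(n, struct req_new, uri)
        && FIELD_OK(n, struct req_new, status);
}

/* Any server code path touching an appended member runs past the block. */
static int appended_fields_safe(void)
{
    size_t n = module_alloc_size();
    return FIELD_OK(n, struct req_new, extra_in)
        || FIELD_OK(n, struct req_new, extra_out);
}

int main(void)
{
    printf("shared=%d appended=%d\n", shared_fields_safe(), appended_fields_safe());
    return 0;
}
```

The short allocation is only harmless while no executed code path reaches the appended members, which is the condition the message argues holds for the separate managed process.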