cvs commit: apache-site/contributors index.html

1998-10-30 Thread lars
lars98/10/29 18:16:09

  Modified:contributors index.html
  Log:
  little update
  
  Revision  ChangesPath
  1.53  +2 -2  apache-site/contributors/index.html
  
  Index: index.html
  ===
  RCS file: /home/cvs/apache-site/contributors/index.html,v
  retrieving revision 1.52
  retrieving revision 1.53
  diff -u -r1.52 -r1.53
  --- index.html1998/09/24 10:11:00 1.52
  +++ index.html1998/10/30 02:16:08 1.53
  @@ -195,8 +195,8 @@
   STRONGName:/STRONG A NAME=larsLars Eilebrecht/ABR
   STRONGEmail:/STRONG A HREF=mailto:[EMAIL PROTECTED][EMAIL 
PROTECTED]/ABR
   STRONGURL:/STRONG A 
HREF=http://www.home.unix-ag.org/sfx/;http://www.home.unix-ag.org/sfx//ABR
  -STRONGOrganization:/STRONG German Unix-AG Association; University of 
Siegen, GermanyBR
  -STRONGOccupation:/STRONG Studying computer science and electronics; 
writing Apache booksBR
  +STRONGOrganization:/STRONG German Unix-AG AssociationBR
  +STRONGOccupation:/STRONG Freelance consultant; writing Apache booksBR
   STRONGLocation:/STRONG Kreuztal, GermanyBR
   STRONGComments:/STRONG To err is human, but I can EMreally/EM foul 
things up.BR
   STRONGOS Expertise:/STRONG Linux, Solaris, (Digital Unix, AIX, FreeBSD) 
and AmigaOSBR
  
  
  


cvs commit: apache-1.3/src/main http_core.c

1998-10-30 Thread fielding
fielding98/10/29 19:08:56

  Modified:src  CHANGES
   src/include http_log.h
   src/main http_core.c
  Log:
  Eliminate DoS attack when a bad URI path contains what
  looks like a printf format escape.  This was caused by allowing
  tainted data from the network to be placed within the format string
  of a call to ap_log_rerror.
  
  PR: Reported by Remco van de Meent [EMAIL PROTECTED], Studenten Net Twente
  Submitted by: Marc Slemko
  Reviewed by:  Roy Fielding
  
  Revision  ChangesPath
  1.1129+3 -0  apache-1.3/src/CHANGES
  
  Index: CHANGES
  ===
  RCS file: /home/cvs/apache-1.3/src/CHANGES,v
  retrieving revision 1.1128
  retrieving revision 1.1129
  diff -u -r1.1128 -r1.1129
  --- CHANGES   1998/10/28 19:33:52 1.1128
  +++ CHANGES   1998/10/30 03:08:52 1.1129
  @@ -1,5 +1,8 @@
   Changes with Apache 1.3.4
   
  +  *) SECURITY: Eliminate DoS attack when a bad URI path contains what
  + looks like a printf format escape.  [Marc Slemko, Studenten Net Twente]
  +
 *) Fix in mod_autoindex: for files where the last modified time stamp was
unavailable, an empty string was printed which was 2 bytes short.
The size and description columns were therefore not aligned correctly.
  
  
  
  1.32  +9 -0  apache-1.3/src/include/http_log.h
  
  Index: http_log.h
  ===
  RCS file: /home/cvs/apache-1.3/src/include/http_log.h,v
  retrieving revision 1.31
  retrieving revision 1.32
  diff -u -r1.31 -r1.32
  --- http_log.h1998/08/06 17:30:24 1.31
  +++ http_log.h1998/10/30 03:08:55 1.32
  @@ -105,6 +105,15 @@
   #define APLOG_MARK   __FILE__,__LINE__
   
   void ap_open_logs (server_rec *, pool *p);
  +
  +/* The two primary logging functions, ap_log_error and ap_log_rerror,
  + * use a printf style format string to build the log message.  It is
  + * VERY IMPORTANT that you not include any raw data from the network,
  + * such as the request-URI or request header fields, within the format
  + * string.  Doing so makes the server vulnerable to a denial-of-service
  + * attack and other messy behavior.  Instead, use a simple format string
  + * like %s, followed by the string containing the untrusted data.
  + */
   API_EXPORT(void) ap_log_error(const char *file, int line, int level,
 const server_rec *s, const char *fmt, ...)
__attribute__((format(printf,5,6)));
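Review bot: The new comment states the rule but leaves enforcement to the reader, even though the declaration directly below it already carries `__attribute__((format(printf,5,6)))`. I would add one sentence to the comment, for example `Where the compiler supports it, build with -Wformat -Wformat-security so that a call passing a non-literal format with no arguments is flagged.`, so the remaining call sites can be audited mechanically. The comment also gives the impact as denial of service and "other messy behavior", which may understate it: a format string under client control is generally treated as a memory-safety problem, not only a crash.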
  
  
  
  1.238 +1 -1  apache-1.3/src/main/http_core.c
  
  Index: http_core.c
  ===
  RCS file: /home/cvs/apache-1.3/src/main/http_core.c,v
  retrieving revision 1.237
  retrieving revision 1.238
  diff -u -r1.237 -r1.238
  --- http_core.c   1998/10/23 20:07:39 1.237
  +++ http_core.c   1998/10/30 03:08:55 1.238
  @@ -2783,7 +2783,7 @@
else {
emsg = ap_pstrcat(r-pool, emsg, r-filename, r-path_info, NULL);
}
  - ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, r, emsg);
  + ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, r, %s, emsg);
return HTTP_NOT_FOUND;
   }
   if (r-method_number != M_GET) {
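Review bot: With the format string fixed, `emsg` still carries `r->filename` and `r->path_info` into the error log verbatim, and nothing in this hunk shows whether ap_log_rerror escapes control characters. If it does not, a request path containing newlines or terminal control bytes can garble or imitate log entries, so the message should be escaped before logging or inside the logging function. I would also add a comment above the call, `/* emsg holds request-derived path data: pass it as an argument, never as the format */`, so the `%s` is not later removed as redundant. The enclosing function starts and ends outside the hunk, so how `emsg` is first built is not visible here.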
  
  
  


cvs commit: apache-1.3/src/modules/proxy mod_proxy.c

1998-10-30 Thread fielding
fielding98/10/30 14:41:28

  Modified:src  CHANGES
   src/main http_config.c http_protocol.c
   src/modules/proxy mod_proxy.c
  Log:
  Disable sending of error-notes on a 500 (Internal Server Error) response
  since it often includes file path info.  Enable sending of error-notes
  on a 501 (Method Not Implemented).
  
  http_config.c would respond with 501 (Method Not Implemented) if a
  content type handler was specified but could not be found, which
  should have been a 500 response.  Likewise, mod_proxy.c would respond
  with a 501 if the URI scheme is unrecognized instead of the correct
  response of 403 (Forbidden).
  
  PR: 3173
  
  Revision  ChangesPath
  1.1130+10 -0 apache-1.3/src/CHANGES
  
  Index: CHANGES
  ===
  RCS file: /home/cvs/apache-1.3/src/CHANGES,v
  retrieving revision 1.1129
  retrieving revision 1.1130
  diff -u -r1.1129 -r1.1130
  --- CHANGES   1998/10/30 03:08:52 1.1129
  +++ CHANGES   1998/10/30 22:41:21 1.1130
  @@ -1,5 +1,15 @@
   Changes with Apache 1.3.4
   
  +  *) Disable sending of error-notes on a 500 (Internal Server Error) response
  + since it often includes file path info.  Enable sending of error-notes
  + on a 501 (Method Not Implemented).  [Roy Fielding] PR#3173
  +
  +  *) http_config.c would respond with 501 (Method Not Implemented) if a
  + content type handler was specified but could not be found, which
  + should have been a 500 response.  Likewise, mod_proxy.c would responsd
  + with a 501 if the URI scheme is unrecognized instead of the correct
  + response of 403 (Forbidden).  [Roy Fielding]
  +
 *) SECURITY: Eliminate DoS attack when a bad URI path contains what
looks like a printf format escape.  [Marc Slemko, Studenten Net Twente]
   
  
  
  
  1.135 +3 -3  apache-1.3/src/main/http_config.c
  
  Index: http_config.c
  ===
  RCS file: /home/cvs/apache-1.3/src/main/http_config.c,v
  retrieving revision 1.134
  retrieving revision 1.135
  diff -u -r1.134 -r1.135
  --- http_config.c 1998/09/26 00:07:08 1.134
  +++ http_config.c 1998/10/30 22:41:24 1.135
  @@ -479,7 +479,7 @@
   const char *handler;
   char *p;
   size_t handler_len;
  -int result = NOT_IMPLEMENTED;
  +int result = HTTP_INTERNAL_SERVER_ERROR;
   
   if (r-handler) {
handler = r-handler;
  @@ -509,7 +509,7 @@
   }
   }
   
  -if (result == NOT_IMPLEMENTED  r-handler) {
  +if (result == HTTP_INTERNAL_SERVER_ERROR  r-handler) {
   ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_WARNING, r,
   handler \%s\ not found for: %s, r-handler, r-filename);
   }
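Review bot: The `handler ... not found` message in this hunk is still logged at `APLOG_WARNING`, although after this change the condition it reports produces a 500 response. The same commit stops sending error-notes on a 500 and the error page appears to refer the reader to the server error log, so on a server whose LogLevel is stricter than warn the administrator would have no trace of the cause. I would raise the level to match the response: `ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r,`. The same constant is also the initial sentinel for `result` in the first hunk and the final return in the third; the loop between them lies outside the hunks, so whether a handler's own 500 can reach this check cannot be confirmed from here.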
  @@ -526,7 +526,7 @@
}
   }
   
  -return NOT_IMPLEMENTED;
  +return HTTP_INTERNAL_SERVER_ERROR;
   }
   
   /* One-time setup for precompiled modules --- NOT to be done on restart */
  
  
  
  1.247 +17 -4 apache-1.3/src/main/http_protocol.c
  
  Index: http_protocol.c
  ===
  RCS file: /home/cvs/apache-1.3/src/main/http_protocol.c,v
  retrieving revision 1.246
  retrieving revision 1.247
  diff -u -r1.246 -r1.247
  --- http_protocol.c   1998/10/19 05:59:35 1.246
  +++ http_protocol.c   1998/10/30 22:41:24 1.247
  @@ -2297,10 +2297,13 @@
  ap_escape_html(r-pool, r-uri),
   evaluated to false.P\n, NULL);
break;
  - case NOT_IMPLEMENTED:
  + case HTTP_NOT_IMPLEMENTED:
ap_bvputs(fd, ap_escape_html(r-pool, r-method),  to ,
  ap_escape_html(r-pool, r-uri),
   not supported.P\n, NULL);
  + if ((error_notes = ap_table_get(r-notes, error-notes)) != NULL) {
  + ap_bvputs(fd, error_notes, P\n, NULL);
  + }
break;
case BAD_GATEWAY:
ap_bputs(The proxy server received an invalid\015\012, fd);
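Review bot: `error_notes` is written into the 501 body without `ap_escape_html`, while `r->method` and `r->uri` a few lines above are escaped. A 501 is reached with a method chosen by the client, so if any module copies request data into the `error-notes` entry, that text reaches the response page as markup. Unless the notes are documented to hold trusted HTML, I would escape on output: `ap_bvputs(fd, ap_escape_html(r->pool, error_notes), "<P>\n", NULL);`. The enclosing switch begins and ends outside the hunk, so what populates `error-notes` is not visible here.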
  @@ -2387,9 +2390,19 @@
 caused the error.P\n
 More information about this error may be available\n
 in the server error log.P\n, NULL);
  - if ((error_notes = ap_table_get(r-notes, error-notes)) != NULL) {
  - ap_bvputs(fd, error_notes, P\n, NULL);
  - }
  +  /*
  +   * It would be nice to give the user the information they need to
  +   * fix the problem directly since many users don't have access to
  +   * the error_log (think University sites) even though they can easily
  +   * get this error by misconfiguring an htaccess file.  However, the
  +   * error notes tend to include the real file pathname in this case,
  +   * which some people consider to be a breach of privacy.  Until we
  +   * can figure out a way to remove the pathname, leave this commented.