cvs commit: apache-site/contributors index.html
lars98/10/29 18:16:09 Modified:contributors index.html Log: little update Revision ChangesPath 1.53 +2 -2 apache-site/contributors/index.html Index: index.html === RCS file: /home/cvs/apache-site/contributors/index.html,v retrieving revision 1.52 retrieving revision 1.53 diff -u -r1.52 -r1.53 --- index.html1998/09/24 10:11:00 1.52 +++ index.html1998/10/30 02:16:08 1.53 @@ -195,8 +195,8 @@ STRONGName:/STRONG A NAME=larsLars Eilebrecht/ABR STRONGEmail:/STRONG A HREF=mailto:[EMAIL PROTECTED][EMAIL PROTECTED]/ABR STRONGURL:/STRONG A HREF=http://www.home.unix-ag.org/sfx/;http://www.home.unix-ag.org/sfx//ABR -STRONGOrganization:/STRONG German Unix-AG Association; University of Siegen, GermanyBR -STRONGOccupation:/STRONG Studying computer science and electronics; writing Apache booksBR +STRONGOrganization:/STRONG German Unix-AG AssociationBR +STRONGOccupation:/STRONG Freelance consultant; writing Apache booksBR STRONGLocation:/STRONG Kreuztal, GermanyBR STRONGComments:/STRONG To err is human, but I can EMreally/EM foul things up.BR STRONGOS Expertise:/STRONG Linux, Solaris, (Digital Unix, AIX, FreeBSD) and AmigaOSBR
cvs commit: apache-1.3/src/main http_core.c
fielding98/10/29 19:08:56 Modified:src CHANGES src/include http_log.h src/main http_core.c Log: Eliminate DoS attack when a bad URI path contains what looks like a printf format escape. This was caused by allowing tainted data from the network to be placed within the format string of a call to ap_log_rerror. PR: Reported by Remco van de Meent [EMAIL PROTECTED], Studenten Net Twente Submitted by: Marc Slemko Reviewed by: Roy Fielding Revision ChangesPath 1.1129+3 -0 apache-1.3/src/CHANGES Index: CHANGES === RCS file: /home/cvs/apache-1.3/src/CHANGES,v retrieving revision 1.1128 retrieving revision 1.1129 diff -u -r1.1128 -r1.1129 --- CHANGES 1998/10/28 19:33:52 1.1128 +++ CHANGES 1998/10/30 03:08:52 1.1129 @@ -1,5 +1,8 @@ Changes with Apache 1.3.4 + *) SECURITY: Eliminate DoS attack when a bad URI path contains what + looks like a printf format escape. [Marc Slemko, Studenten Net Twente] + *) Fix in mod_autoindex: for files where the last modified time stamp was unavailable, an empty string was printed which was 2 bytes short. The size and description columns were therefore not aligned correctly. 1.32 +9 -0 apache-1.3/src/include/http_log.h Index: http_log.h === RCS file: /home/cvs/apache-1.3/src/include/http_log.h,v retrieving revision 1.31 retrieving revision 1.32 diff -u -r1.31 -r1.32 --- http_log.h1998/08/06 17:30:24 1.31 +++ http_log.h1998/10/30 03:08:55 1.32 
@@ -105,6 +105,15 @@ #define APLOG_MARK __FILE__,__LINE__ void ap_open_logs (server_rec *, pool *p); + +/* The two primary logging functions, ap_log_error and ap_log_rerror, + * use a printf style format string to build the log message. It is + * VERY IMPORTANT that you not include any raw data from the network, + * such as the request-URI or request header fields, within the format + * string. Doing so makes the server vulnerable to a denial-of-service + * attack and other messy behavior. Instead, use a simple format string + * like %s, followed by the string containing the untrusted data. + */ API_EXPORT(void) ap_log_error(const char *file, int line, int level, const server_rec *s, const char *fmt, ...) __attribute__((format(printf,5,6))); 1.238 +1 -1 apache-1.3/src/main/http_core.c Index: http_core.c === RCS file: /home/cvs/apache-1.3/src/main/http_core.c,v retrieving revision 1.237 retrieving revision 1.238 diff -u -r1.237 -r1.238 --- http_core.c 1998/10/23 20:07:39 1.237 +++ http_core.c 1998/10/30 03:08:55 1.238 @@ -2783,7 +2783,7 @@ else { emsg = ap_pstrcat(r-pool, emsg, r-filename, r-path_info, NULL); } - ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, r, emsg); + ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, r, %s, emsg); return HTTP_NOT_FOUND; } if (r-method_number != M_GET) {
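Review bot: The new header comment frames the risk as a denial of service only, but a format string chosen by the client can select conversions (`%s`, `%x`, and `%n` if the underlying formatter honours it, which is not visible here) that read or write through whatever is on the stack, so the outcome can be memory disclosure or corruption as well as a crash. I would widen the sentence to `* Doing so is a format-string vulnerability: a client can crash the server, leak memory contents, or worse.` The comment also gives no mechanical way to catch the next violation; since ap_log_error already carries `__attribute__((format(printf,5,6)))`, the hunk should say that ap_log_rerror (declared past the end of this hunk) carries the same attribute, so that `-Wformat`/`-Wformat-security` flags any call passing a non-literal format with no arguments, exactly the shape of the http_core.c call fixed in this commit.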
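Review bot: Switching to `"%s", emsg` closes this call site, but `emsg` is concatenated from r->filename and r->path_info, both request-derived, and the commit gives no sign that the other ap_log_error/ap_log_rerror callers were audited for the same non-literal-format pattern; that audit (or a build with the format attribute on both functions and `-Wformat`) belongs with this change. A one-line comment at the call would also stop the regression from being reintroduced by someone "simplifying" it: `/* emsg is request-derived: it must never be the format argument */`. The enclosing function starts and ends outside the hunk, and the arrow operators and quotes appear to have been stripped from the hunk text in this archive.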
cvs commit: apache-1.3/src/modules/proxy mod_proxy.c
fielding98/10/30 14:41:28 Modified:src CHANGES src/main http_config.c http_protocol.c src/modules/proxy mod_proxy.c Log: Disable sending of error-notes on a 500 (Internal Server Error) response since it often includes file path info. Enable sending of error-notes on a 501 (Method Not Implemented). http_config.c would respond with 501 (Method Not Implemented) if a content type handler was specified but could not be found, which should have been a 500 response. Likewise, mod_proxy.c would responsd with a 501 if the URI scheme is unrecognized instead of the correct response of 403 (Forbidden). PR: 3173 Revision ChangesPath 1.1130+10 -0 apache-1.3/src/CHANGES Index: CHANGES === RCS file: /home/cvs/apache-1.3/src/CHANGES,v retrieving revision 1.1129 retrieving revision 1.1130 diff -u -r1.1129 -r1.1130 --- CHANGES 1998/10/30 03:08:52 1.1129 +++ CHANGES 1998/10/30 22:41:21 1.1130 @@ -1,5 +1,15 @@ Changes with Apache 1.3.4 + *) Disable sending of error-notes on a 500 (Internal Server Error) response + since it often includes file path info. Enable sending of error-notes + on a 501 (Method Not Implemented). [Roy Fielding] PR#3173 + + *) http_config.c would respond with 501 (Method Not Implemented) if a + content type handler was specified but could not be found, which + should have been a 500 response. Likewise, mod_proxy.c would responsd + with a 501 if the URI scheme is unrecognized instead of the correct + response of 403 (Forbidden). [Roy Fielding] + *) SECURITY: Eliminate DoS attack when a bad URI path contains what looks like a printf format escape. [Marc Slemko, Studenten Net Twente] 1.135 +3 -3 apache-1.3/src/main/http_config.c Index: http_config.c === RCS file: /home/cvs/apache-1.3/src/main/http_config.c,v retrieving revision 1.134 retrieving revision 1.135 diff -u -r1.134 -r1.135 --- http_config.c 1998/09/26 00:07:08 1.134 +++ http_config.c 1998/10/30 22:41:24 1.135 
@@ -479,7 +479,7 @@ const char *handler; char *p; size_t handler_len; -int result = NOT_IMPLEMENTED; +int result = HTTP_INTERNAL_SERVER_ERROR; if (r-handler) { handler = r-handler; @@ -509,7 +509,7 @@ } } -if (result == NOT_IMPLEMENTED r-handler) { +if (result == HTTP_INTERNAL_SERVER_ERROR r-handler) { ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_WARNING, r, handler \%s\ not found for: %s, r-handler, r-filename); } @@ -526,7 +526,7 @@ } } -return NOT_IMPLEMENTED; +return HTTP_INTERNAL_SERVER_ERROR; } /* One-time setup for precompiled modules --- NOT to be done on restart */ 1.247 +17 -4 apache-1.3/src/main/http_protocol.c Index: http_protocol.c === RCS file: /home/cvs/apache-1.3/src/main/http_protocol.c,v retrieving revision 1.246 retrieving revision 1.247 diff -u -r1.246 -r1.247 --- http_protocol.c 1998/10/19 05:59:35 1.246 +++ http_protocol.c 1998/10/30 22:41:24 1.247 @@ -2297,10 +2297,13 @@ ap_escape_html(r-pool, r-uri), evaluated to false.P\n, NULL); break; - case NOT_IMPLEMENTED: + case HTTP_NOT_IMPLEMENTED: ap_bvputs(fd, ap_escape_html(r-pool, r-method), to , ap_escape_html(r-pool, r-uri), not supported.P\n, NULL); + if ((error_notes = ap_table_get(r-notes, error-notes)) != NULL) { + ap_bvputs(fd, error_notes, P\n, NULL); + } break; case BAD_GATEWAY: ap_bputs(The proxy server received an invalid\015\012, fd); 
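Review bot: Reusing HTTP_INTERNAL_SERVER_ERROR as the "no handler claimed the request" sentinel makes the `result == HTTP_INTERNAL_SERVER_ERROR && r->handler` test ambiguous: a handler that was found and itself returned 500 now also triggers the `handler "%s" not found` warning, which sends whoever reads error_log after the wrong problem, unless the loop between these hunks (not shown) never lets a module's return value reach this comparison. The old sentinel had the same flaw in principle, but handlers rarely return 501 whereas 500 is common. I would keep the new return value and decide the log message from a dedicated flag instead, e.g. `int found = 0;` beside the `result` declaration, set where a handler name matches, and `if (!found && r->handler)` here. The enclosing function starts and ends outside the hunks.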
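Review bot: The new 501 branch writes `error_notes` into the response body with ap_bvputs as-is, while the two lines just above it pass r->method and r->uri through ap_escape_html; if any module composes error-notes from request data (the method name is the natural candidate for a 501), that text is reflected into the HTML unescaped. The commit does not say where 501 error-notes originate, so either escape here if the notes are plain text, `ap_bvputs(fd, ap_escape_html(r->pool, error_notes), "<P>\n", NULL);`, or document at the point where the table key is set that error-notes must already be HTML-safe and must not contain request-derived or filesystem text. The pathname-disclosure concern that motivated dropping the 500 output applies here too if a module ever stores a path in the notes for a 501; the enclosing switch starts and ends outside the hunk.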
@@ -2387,9 +2390,19 @@ caused the error.P\n More information about this error may be available\n in the server error log.P\n, NULL); - if ((error_notes = ap_table_get(r-notes, error-notes)) != NULL) { - ap_bvputs(fd, error_notes, P\n, NULL); - } + /* + * It would be nice to give the user the information they need to + * fix the problem directly since many users don't have access to + * the error_log (think University sites) even though they can easily + * get this error by misconfiguring an htaccess file. However, the + * error notes tend to include the real file pathname in this case, + * which some people consider to be a breach of privacy. Until we + * can figure out a way to remove the pathname, leave this commented.