Thanks for your response Eric.
Porting the changes from
http://svn.apache.org/viewvc?view=revision&revision=1783440 also didn't help.

However, making a single change as below got the Unsafe option to work.

conf = (core_server_config *)apr_pmemdup(p, virt, sizeof(core_server_config));

to

conf = (core_server_config *)apr_pmemdup(p, base, sizeof(core_server_config));

Also, when both the changes exist, the Unsafe option doesn't seem to work.


Is this change valid? Should we commit this to 2.2? Or is the Unsafe
option supposed to report with a "BAD Request" response?

Please advise.


regards,
Rashmi





On Tue, Jun 13, 2017 at 11:56 PM, Eric Covener <cove...@gmail.com> wrote:

> http://svn.apache.org/viewvc?view=revision&revision=1783440
>
>
> On Tue, Jun 13, 2017 at 2:19 PM, Rashmi Srinivasan
> <rashmisrinivasan2...@gmail.com> wrote:
> > Hi Yann/Eric.
> > - We have ported the changes for CVE-2016-8743 into apache 2.2 on HP-UX.
> >   But while testing we find that HTTPProtocolOption Unsafe tested
> >   with GET /HTTP 1.0/\n\n responds with BAD Request, when it is supposed to
> >   succeed.
> >
> >   However after making changes as mentioned in
> >   https://bz.apache.org/bugzilla/show_bug.cgi?id=60704, Unsafe
> >   option responds with a success.
> >
> > Is the below change valid for 2.2?
> >
> > in 2.2.32:
> > static void *merge_core_server_configs(apr_pool_t *p, void *basev, void *virtv)
> > {
> >     core_server_config *base = (core_server_config *)basev;
> >     core_server_config *virt = (core_server_config *)virtv;
> >     core_server_config *conf;
> >
> >     conf = (core_server_config *)apr_pmemdup(p, base, sizeof(core_server_config));
> >
> > in 2.4.25:
> > static void *merge_core_server_configs(apr_pool_t *p, void *basev, void *virtv)
> > {
> >     core_server_config *base = (core_server_config *)basev;
> >     core_server_config *virt = (core_server_config *)virtv;
> >     core_server_config *conf = (core_server_config *)
> >                                apr_pmemdup(p, base, sizeof(core_server_config));
> >
> >
> > Please advise.
> >
> > Thanks
> > Rashmi
>
>
>
> --
> Eric Covener
> cove...@gmail.com
>
