Bug#316173: apache2: Security issues in HTTP proxy responses with both Transfer-Encoding and Content-Length headers
Package apache2
Tags 316173 +patch
thanks
Borut Mrak wrote on 08/07/2005 17:25:
> I hope this will be of some help.
Me too ;-)
> If it's OK, someone tag this bug with PATCH or whatever is appropriate:
>
> sorry about the long URL:
>
> http://svn.apache.org/viewcvs.cgi/httpd/httpd/branches/2.0.x/STATUS?rev=208744&view=diff&r1=208744&r2=208743&p1=httpd/httpd/branches/2.0.x/STATUS&p2=/httpd/httpd/branches/2.0.x/STATUS
>
> and from there:
>
> http://people.apache.org/~jorton/ap_tevscl.diff
>
> Pasting in case that URL goes 404:
>
> Index: server/protocol.c
> ===================================================================
> --- server/protocol.c (revision 208743)
> +++ server/protocol.c (working copy)
[...]
> It seems this is the vulnerability-specific part of the patch.
To me, this seems to be a similar patch, but unrelated to the proxy
issue this bug is about. In my opinion,
http://svn.apache.org/viewcvs.cgi/httpd/httpd/branches/2.0.x/modules/proxy/proxy_http.c?rev=219059&view=diff&r1=219059&r2=219058&p1=httpd/httpd/branches/2.0.x/modules/proxy/proxy_http.c&p2=/httpd/httpd/branches/2.0.x/modules/proxy/proxy_http.c
or http://people.apache.org/~trawick/20.te-cl.txt
looks more like it. That changeset (attached below) also contains an
entry in CHANGES which reads:
*) proxy HTTP: If a response contains both Transfer-Encoding and a
Content-Length, remove the Content-Length and don't reuse the
connection, mitigating some HTTP Response Splitting attacks.
[Jeff Trawick]
So in my opinion, this would be the real fix to this bug. But given that
the issue is so similar, I would suggest to also incorporate the fix to
server/protocol.c mentioned above.
cu,
sven
--- /httpd/httpd/branches/2.0.x/CHANGES 2005/07/14 16:29:27 219058
+++ httpd/httpd/branches/2.0.x/CHANGES 2005/07/14 16:47:30 219059
@@ -1,5 +1,10 @@
Changes with Apache 2.0.55
+ *) proxy HTTP: If a response contains both Transfer-Encoding and a
+ Content-Length, remove the Content-Length and don't reuse the
+ connection, mitigating some HTTP Response Splitting attacks.
+ [Jeff Trawick]
+
*) Prevent hangs of child processes when writing to piped loggers at
the time of graceful restart. PR 26467. [Jeff Trawick]
--- /httpd/httpd/branches/2.0.x/STATUS 2005/07/14 16:29:27 219058
+++ httpd/httpd/branches/2.0.x/STATUS 2005/07/14 16:47:30 219059
@@ -111,10 +111,6 @@
* Various fixes to T-E and C-L processing from trunk
- + proxy HTTP - ignore C-L and disable keepalive to origin server
- http://people.apache.org/~trawick/20.te-cl.txt
- +1: trawick, jorton
-
+ core: strip C-L from any request with a T-E header
http://people.apache.org/~jorton/ap_tevscl.diff
(CVE CAN-2005-2088)
--- /httpd/httpd/branches/2.0.x/modules/proxy/proxy_http.c 2005/07/14 16:29:27 219058
+++ httpd/httpd/branches/2.0.x/modules/proxy/proxy_http.c 2005/07/14 16:47:30 219059
@@ -1201,8 +1201,24 @@
return r->status;
} else {
- /* strip connection listed hop-by-hop headers from response */
const char *buf;
+
+ /* can't have both Content-Length and Transfer-Encoding */
+ if (apr_table_get(r->headers_out, "Transfer-Encoding")
+ && apr_table_get(r->headers_out, "Content-Length")) {
+ /* 2616 section 4.4, point 3: "if both Transfer-Encoding
+ * and Content-Length are received, the latter MUST be
+ * ignored"; so unset it here to prevent any confusion
+ * later. */
+ apr_table_unset(r->headers_out, "Content-Length");
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0,
+ r->server,
+ "proxy: server %s returned Transfer-Encoding and Content-Length",
+ p_conn->name);
+ p_conn->close += 1;
+ }
+
+ /* strip connection listed hop-by-hop headers from response */
p_conn->close += ap_proxy_liststr(apr_table_get(r->headers_out,
"Connection"),
"close");
Reply to: