Bug#316173: apache2: Security issues in HTTP proxy responses with both Transfer-Encoding and Content-Length headers
I hope this will be of some help.
If it's OK, someone tag this bug with PATCH or whatever is appropriate:
Sorry about the long URL:
http://svn.apache.org/viewcvs.cgi/httpd/httpd/branches/2.0.x/STATUS?rev=208744&view=diff&r1=208744&r2=208743&p1=httpd/httpd/branches/2.0.x/STATUS&p2=/httpd/httpd/branches/2.0.x/STATUS
and from there:
http://people.apache.org/~jorton/ap_tevscl.diff
Pasting in case that URL goes 404:
Index: server/protocol.c
===================================================================
--- server/protocol.c (revision 208743)
+++ server/protocol.c (working copy)
@@ -885,6 +885,15 @@
apr_brigade_destroy(tmp_bb);
return r;
}
+
+ if (apr_table_get(r->headers_in, "Transfer-Encoding")
+ && apr_table_get(r->headers_in, "Content-Length")) {
+ /* 2616 section 4.4, point 3: "if both Transfer-Encoding
+ * and Content-Length are received, the latter MUST be
+ * ignored"; so unset it here to prevent any confusion
+ * later. */
+ apr_table_unset(r->headers_in, "Content-Length");
+ }
}
else {
if (r->header_only) {
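Review bot: the new apr_table_unset() path in server/protocol.c logs nothing, so a request that arrives with both Transfer-Encoding and Content-Length has the latter dropped without leaving any trace. Consider an ap_log_rerror() call at a low log level just before the unset, so operators can see when such requests show up. Separately, the check only looks at r->headers_in (the request headers), while the bug title is about proxy responses; the response side is not covered by this hunk, so it is worth confirming that the rest of the patch handles it before tagging the bug. Minor style point: the comment would be easier to search for if it said "RFC 2616 section 4.4" rather than "2616 section 4.4".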
It seems this is the vulnerability-specific part of the patch.