File apache2-CVE-2016-8743-1.patch of Package apache2.18661
https://bugzilla.suse.com/show_bug.cgi?id=1016715#c19
Index: httpd-2.4.23/modules/http/http_filters.c
===================================================================
--- httpd-2.4.23.orig/modules/http/http_filters.c 2017-03-02 14:26:12.852522616 +0100
+++ httpd-2.4.23/modules/http/http_filters.c 2017-03-02 14:39:12.382245577 +0100
@@ -690,10 +690,11 @@ struct check_header_ctx {
};
/* check a single header, to be used with apr_table_do() */
-static int check_header(void *arg, const char *name, const char *val)
+static int check_header(struct check_header_ctx *ctx,
+ const char *name, const char **val)
{
- struct check_header_ctx *ctx = arg;
- const char *test;
+ const char *pos, *end;
+ char *dst = NULL;
if (name[0] == '\0') {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, ctx->r, APLOGNO(02428)
@@ -702,12 +703,12 @@ static int check_header(void *arg, const
}
if (ctx->strict) {
- test = ap_scan_http_token(name);
+ end = ap_scan_http_token(name);
}
else {
- test = ap_scan_vchar_obstext(name);
+ end = ap_scan_vchar_obstext(name);
}
- if (*test) {
+ if (*end) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, ctx->r, APLOGNO(02429)
"Response header name '%s' contains invalid "
"characters, aborting request",
@@ -715,23 +716,51 @@ static int check_header(void *arg, const
return 0;
}
- if (ctx->strict) {
- test = ap_scan_http_field_content(val);
+ for (pos = *val; *pos; pos = end) {
+ end = ap_scan_http_field_content(pos);
+ if (*end) {
+ if (end[0] != CR || end[1] != LF || (end[2] != ' ' &&
+ end[2] != '\t')) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, ctx->r, APLOGNO(02430)
+ "Response header '%s' value of '%s' contains "
+ "invalid characters, aborting request",
+ name, pos);
+ return 0;
+ }
+ if (!dst) {
+ *val = dst = apr_palloc(ctx->r->pool, strlen(*val) + 1);
+ }
+ }
+ if (dst) {
+ memcpy(dst, pos, end - pos);
+ dst += end - pos;
+ if (*end) {
+ /* skip folding and replace with a single space */
+ end += 3 + strspn(end + 3, "\t ");
+ *dst++ = ' ';
+ }
+ }
}
- else {
- /* Simply terminate scanning on a CTL char, allowing whitespace */
- test = val;
- do {
- while (*test == ' ' || *test == '\t') test++;
- test = ap_scan_vchar_obstext(test);
- } while (*test == ' ' || *test == '\t');
- }
- if (*test) {
- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, ctx->r, APLOGNO(02430)
- "Response header '%s' value of '%s' contains invalid "
- "characters, aborting request",
- name, val);
- return 0;
+ if (dst) {
+ *dst = '\0';
+ }
+ return 1;
+}
+
+static int check_headers_table(apr_table_t *t, struct check_header_ctx *ctx)
+{
+ const apr_array_header_t *headers = apr_table_elts(t);
+ apr_table_entry_t *header;
+ int i;
+
+ for (i = 0; i < headers->nelts; ++i) {
+ header = &APR_ARRAY_IDX(headers, i, apr_table_entry_t);
+ if (!header->key) {
+ continue;
+ }
+ if (!check_header(ctx, header->key, (const char **)&header->val)) {
+ return 0;
+ }
}
return 1;
}
@@ -748,8 +777,8 @@ static APR_INLINE int check_headers(requ
ctx.r = r;
ctx.strict = (conf->http_conformance != AP_HTTP_CONFORMANCE_UNSAFE);
- if (!apr_table_do(check_header, &ctx, r->headers_out, NULL))
- return 0; /* problem has been logged by check_header() */
+ return check_headers_table(r->headers_out, &ctx) &&
+ check_headers_table(r->err_headers_out, &ctx);
return 1;
}