File CVE-2025-65082.patch of Package apache2.42011
From e4f00c5eb71d8a7aa1f52b5279832986f669d463 Mon Sep 17 00:00:00 2001
From: Eric Covener <covener@apache.org>
Date: Mon, 1 Dec 2025 12:03:12 +0000
Subject: [PATCH] envvars from HTTP headers low precedence
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1930163 13f79535-47bb-0310-9956-ffa450edef68
---
server/util_script.c | 26 +++++++++++++++++++++++---
1 file changed, 23 insertions(+), 3 deletions(-)
Index: httpd-2.4.58/server/util_script.c
===================================================================
--- httpd-2.4.58.orig/server/util_script.c
+++ httpd-2.4.58/server/util_script.c
@@ -114,6 +114,8 @@ AP_DECLARE(char **) ap_create_environmen
}
}
for (i = 0; i < env_arr->nelts; ++i) {
+ int changed = 0;
+
if (!elts[i].key) {
continue;
}
@@ -121,18 +123,36 @@ AP_DECLARE(char **) ap_create_environmen
whack = env[j];
if (apr_isdigit(*whack)) {
*whack++ = '_';
+ changed = 1;
}
while (*whack != '=') {
#ifdef WIN32
- if (!apr_isalnum(*whack) && *whack != '(' && *whack != ')') {
+ if (!apr_isalnum(*whack) && *whack != '_' && *whack != '(' && *whack != ')') {
#else
- if (!apr_isalnum(*whack)) {
+ if (!apr_isalnum(*whack) && *whack != '_') {
#endif
*whack = '_';
+ changed = 1;
}
++whack;
}
- ++j;
+ if (changed) {
+ *whack = '\0';
+ /*
+ * If after cleaning up the key the key is identical to an existing key
+ * in the table drop this environment variable. This also prevents
+ * to override CGI reserved environment variables with variables whose
+ * names have an invalid character instead of '_', but are otherwise
+ * equal to the names CGI reserved environment variables.
+ */
+ if (!apr_table_get(t, env[j])) {
+ ++j;
+ *whack = '=';
+ }
+ }
+ else {
+ ++j;
+ }
}
env[j] = NULL;
