File httpd-2.4.x-bnc869106-CVE-2014-0098-log_cookie_c.diff of Package apache2.openSUSE_13.1_Update
diff -rNU 30 ../httpd-2.4.6-o/modules/loggers/mod_log_config.c ./modules/loggers/mod_log_config.c
--- ../httpd-2.4.6-o/modules/loggers/mod_log_config.c 2013-04-15 14:42:29.000000000 +0200
+++ ./modules/loggers/mod_log_config.c 2014-07-29 18:42:12.000000000 +0200
@@ -516,76 +516,87 @@
static const char *log_note(request_rec *r, char *a)
{
return ap_escape_logitem(r->pool, apr_table_get(r->notes, a));
}
static const char *log_env_var(request_rec *r, char *a)
{
return ap_escape_logitem(r->pool, apr_table_get(r->subprocess_env, a));
}
static const char *log_cookie(request_rec *r, char *a)
{
const char *cookies_entry;
/*
* This supports Netscape version 0 cookies while being tolerant to
* some properties of RFC2109/2965 version 1 cookies:
* - case-insensitive match of cookie names
* - white space between the tokens
* It does not support the following version 1 features:
* - quoted strings as cookie values
* - commas to separate cookies
*/
if ((cookies_entry = apr_table_get(r->headers_in, "Cookie"))) {
char *cookie, *last1, *last2;
char *cookies = apr_pstrdup(r->pool, cookies_entry);
while ((cookie = apr_strtok(cookies, ";", &last1))) {
char *name = apr_strtok(cookie, "=", &last2);
- if (name) {
- char *value = name + strlen(name) + 1;
- apr_collapse_spaces(name, name);
+ /* last2 points to the next char following an '=' delim,
+ or the trailing NUL char of the string */
+ char *value = last2;
+ if (name && *name && value && *value) {
+ char *last = value - 2;
+ /* Move past leading WS */
+ name += strspn(name, " \t");
+ while (last >= name && apr_isspace(*last)) {
+ *last = '\0';
+ --last;
+ }
if (!strcasecmp(name, a)) {
- char *last;
- value += strspn(value, " \t"); /* Move past leading WS */
- last = value + strlen(value) - 1;
+ /* last1 points to the next char following the ';' delim,
+ or the trailing NUL char of the string */
+ last = last1 - (*last1 ? 2 : 1);
+ /* Move past leading WS */
+ value += strspn(value, " \t");
while (last >= value && apr_isspace(*last)) {
*last = '\0';
--last;
}
return ap_escape_logitem(r->pool, value);
}
}
+ /* Iterate the remaining tokens using apr_strtok(NULL, ...) */
cookies = NULL;
}
}
return NULL;
}
static const char *log_request_time_custom(request_rec *r, char *a,
apr_time_exp_t *xt)
{
apr_size_t retcode;
char tstr[MAX_STRING_LEN];
apr_strftime(tstr, &retcode, sizeof(tstr), a, xt);
return apr_pstrdup(r->pool, tstr);
}
#define DEFAULT_REQUEST_TIME_SIZE 32
typedef struct {
unsigned t;
char timestr[DEFAULT_REQUEST_TIME_SIZE];
unsigned t_validate;
} cached_request_time;
#define TIME_FMT_CUSTOM 0
#define TIME_FMT_CLF 1
#define TIME_FMT_ABS_SEC 2
#define TIME_FMT_ABS_MSEC 3
#define TIME_FMT_ABS_USEC 4
#define TIME_FMT_ABS_MSEC_FRAC 5
#define TIME_FMT_ABS_USEC_FRAC 6
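Review bot: In log_cookie, `char *value = last2;` is evaluated before `name` is tested, so when apr_strtok() returns NULL for a cookie segment (for example one made up only of `=`), `last2` is read even though that call may not have stored to it. apr_strtok's body is not shown here, but if it returns early without writing the save pointer, the first iteration copies an uninitialised pointer and later ones a stale pointer. The `name &&` short-circuit keeps it from being dereferenced, yet the read is avoidable with `char *value = name ? last2 : NULL;`. Separately, `last = last1 - (*last1 ? 2 : 1);` cannot tell "no `;` left" from "`;` was the final character of the header"; in the second case `last` lands on the NUL that replaced the `;`, so trailing whitespace in the value is not trimmed before it is logged. That stays in bounds, but a short comment stating the apr_strtok save-pointer contract these offsets rely on, plus a regression test covering `name`, `name=`, `=value` and `name=value ;` headers, would make the fix easier to verify.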