Diffstat (limited to '2.2/patches/26_httpd-2.2.27-CVE-2014-0118.patch')
-rw-r--r-- | 2.2/patches/26_httpd-2.2.27-CVE-2014-0118.patch | 309 |
1 files changed, 0 insertions, 309 deletions
diff --git a/2.2/patches/26_httpd-2.2.27-CVE-2014-0118.patch b/2.2/patches/26_httpd-2.2.27-CVE-2014-0118.patch
deleted file mode 100644
index 6db06ba..0000000
--- a/2.2/patches/26_httpd-2.2.27-CVE-2014-0118.patch
+++ /dev/null
@@ -1,309 +0,0 @@
-Author: jim
-Date: Thu Jul 17 18:20:46 2014
-New Revision: 1611426
-
-URL: http://svn.apache.org/r1611426
-Log:
-Merge r1610501 from trunk:
-
- *) SECURITY: CVE-2014-0118 (cve.mitre.org)
- mod_deflate: The DEFLATE input filter (inflates request bodies) now
- limits the length and compression ratio of inflated request bodies to avoid
- denial of sevice via highly compressed bodies. See directives
- DeflateInflateLimitRequestBody, DeflateInflateRatioLimit,
- and DeflateInflateRatioBurst.
-
-Thanks to Giancarlo Pellegrino and Davide Balzarotti for reporting the issue.
-
-Submitted By: ylavic, covener
-Reviewed By: jorton, covener, jim
-
-
-
-Submitted by: covener
-Reviewed/backported by: jim
-
-Modified:
- httpd/httpd/branches/2.2.x/ (props changed)
- httpd/httpd/branches/2.2.x/modules/filters/mod_deflate.c
-
-Propchange: httpd/httpd/branches/2.2.x/
-------------------------------------------------------------------------------
- Merged /httpd/httpd/trunk:r1610501
-
-Modified: httpd/httpd/branches/2.2.x/modules/filters/mod_deflate.c
-URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/filters/mod_deflate.c?rev=1611426&r1=1611425&r2=1611426&view=diff
-==============================================================================
---- httpd/httpd/branches/2.2.x/modules/filters/mod_deflate.c (original)
-+++ httpd/httpd/branches/2.2.x/modules/filters/mod_deflate.c Thu Jul 17 18:20:46 2014
-@@ -37,6 +37,7 @@
- #include "httpd.h"
- #include "http_config.h"
- #include "http_log.h"
-+#include "http_core.h"
- #include "apr_lib.h"
- #include "apr_strings.h"
- #include "apr_general.h"
-@@ -51,6 +52,9 @@
- static const char deflateFilterName[] = "DEFLATE";
- module AP_MODULE_DECLARE_DATA deflate_module;
-
-+#define AP_INFLATE_RATIO_LIMIT 200
-+#define AP_INFLATE_RATIO_BURST 3
-+
- typedef struct deflate_filter_config_t
- {
- int windowSize;
-@@ -62,6 +66,12 @@ typedef struct deflate_filter_config_t
- char *note_output_name;
- } deflate_filter_config;
-
-+typedef struct deflate_dirconf_t {
-+ apr_off_t inflate_limit;
-+ int ratio_limit,
-+ ratio_burst;
-+} deflate_dirconf_t;
-+
- /* RFC 1952 Section 2.3 defines the gzip header:
- *
- * +---+---+---+---+---+---+---+---+---+---+
-@@ -193,6 +203,14 @@ static void *create_deflate_server_confi
- return c;
- }
-
-+static void *create_deflate_dirconf(apr_pool_t *p, char *dummy)
-+{
-+ deflate_dirconf_t *dc = apr_pcalloc(p, sizeof(*dc));
-+ dc->ratio_limit = AP_INFLATE_RATIO_LIMIT;
-+ dc->ratio_burst = AP_INFLATE_RATIO_BURST;
-+ return dc;
-+}
-+
- static const char *deflate_set_window_size(cmd_parms *cmd, void *dummy,
- const char *arg)
- {
-@@ -284,6 +302,55 @@ static const char *deflate_set_compressi
- return NULL;
- }
-
-+
-+static const char *deflate_set_inflate_limit(cmd_parms *cmd, void *dirconf,
-+ const char *arg)
-+{
-+ deflate_dirconf_t *dc = (deflate_dirconf_t*) dirconf;
-+ char *errp;
-+
-+ if (APR_SUCCESS != apr_strtoff(&dc->inflate_limit, arg, &errp, 10)) {
-+ return "DeflateInflateLimitRequestBody is not parsable.";
-+ }
-+ if (*errp || dc->inflate_limit < 0) {
-+ return "DeflateInflateLimitRequestBody requires a non-negative integer.";
-+ }
-+
-+ return NULL;
-+}
-+
-+static const char *deflate_set_inflate_ratio_limit(cmd_parms *cmd,
-+ void *dirconf,
-+ const char *arg)
-+{
-+ deflate_dirconf_t *dc = (deflate_dirconf_t*) dirconf;
-+ int i;
-+
-+ i = atoi(arg);
-+ if (i <= 0)
-+ return "DeflateInflateRatioLimit must be positive";
-+
-+ dc->ratio_limit = i;
-+
-+ return NULL;
-+}
-+
-+static const char *deflate_set_inflate_ratio_burst(cmd_parms *cmd,
-+ void *dirconf,
-+ const char *arg)
-+{
-+ deflate_dirconf_t *dc = (deflate_dirconf_t*) dirconf;
-+ int i;
-+
-+ i = atoi(arg);
-+ if (i <= 0)
-+ return "DeflateInflateRatioBurst must be positive";
-+
-+ dc->ratio_burst = i;
-+
-+ return NULL;
-+}
-+
- typedef struct deflate_ctx_t
- {
- z_stream stream;
-@@ -294,8 +361,26 @@ typedef struct deflate_ctx_t
- unsigned char *validation_buffer;
- apr_size_t validation_buffer_length;
- int inflate_init;
-+ int ratio_hits;
-+ apr_off_t inflate_total;
- } deflate_ctx;
-
-+/* Check whether the (inflate) ratio exceeds the configured limit/burst. */
-+static int check_ratio(request_rec *r, deflate_ctx *ctx,
-+ const deflate_dirconf_t *dc)
-+{
-+ if (ctx->stream.total_in) {
-+ int ratio = ctx->stream.total_out / ctx->stream.total_in;
-+ if (ratio < dc->ratio_limit) {
-+ ctx->ratio_hits = 0;
-+ }
-+ else if (++ctx->ratio_hits > dc->ratio_burst) {
-+ return 0;
-+ }
-+ }
-+ return 1;
-+}
-+
- /* Number of validation bytes (CRC and length) after the compressed data */
- #define VALIDATION_SIZE 8
- /* Do not update ctx->crc, see comment in flush_libz_buffer */
-@@ -744,6 +829,8 @@ static apr_status_t deflate_in_filter(ap
- int zRC;
- apr_status_t rv;
- deflate_filter_config *c;
-+ deflate_dirconf_t *dc;
-+ apr_off_t inflate_limit;
-
- /* just get out of the way of things we don't want. */
- if (mode != AP_MODE_READBYTES) {
-@@ -751,6 +838,7 @@ static apr_status_t deflate_in_filter(ap
- }
-
- c = ap_get_module_config(r->server->module_config, &deflate_module);
-+ dc = ap_get_module_config(r->per_dir_config, &deflate_module);
-
- if (!ctx) {
- char deflate_hdr[10];
-@@ -803,11 +891,13 @@ static apr_status_t deflate_in_filter(ap
- if (len != 10 ||
- deflate_hdr[0] != deflate_magic[0] ||
- deflate_hdr[1] != deflate_magic[1]) {
-+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "Failed to inflate input: wrong/partial magic bytes");
- return APR_EGENERAL;
- }
-
- /* We can't handle flags for now. */
- if (deflate_hdr[3] != 0) {
-+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "Failed to inflate input: cannot handle deflate flags");
- return APR_EGENERAL;
- }
-
-@@ -831,6 +921,12 @@ static apr_status_t deflate_in_filter(ap
- apr_brigade_cleanup(ctx->bb);
- }
-
-+ inflate_limit = dc->inflate_limit;
-+ if (inflate_limit == 0) {
-+ /* The core is checking the deflated body, we'll check the inflated */
-+ inflate_limit = ap_get_limit_req_body(f->r);
-+ }
-+
- if (APR_BRIGADE_EMPTY(ctx->proc_bb)) {
- rv = ap_get_brigade(f->next, ctx->bb, mode, block, readbytes);
-
-@@ -863,6 +959,17 @@ static apr_status_t deflate_in_filter(ap
-
- ctx->stream.next_out = ctx->buffer;
- len = c->bufferSize - ctx->stream.avail_out;
-+
-+ ctx->inflate_total += len;
-+ if (inflate_limit && ctx->inflate_total > inflate_limit) {
-+ inflateEnd(&ctx->stream);
-+ ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
-+ "Inflated content length of %" APR_OFF_T_FMT
-+ " is larger than the configured limit"
-+ " of %" APR_OFF_T_FMT,
-+ ctx->inflate_total, inflate_limit);
-+ return APR_ENOSPC;
-+ }
-
- ctx->crc = crc32(ctx->crc, (const Bytef *)ctx->buffer, len);
- tmp_heap = apr_bucket_heap_create((char *)ctx->buffer, len,
-@@ -891,6 +998,26 @@ static apr_status_t deflate_in_filter(ap
- ctx->stream.next_out = ctx->buffer;
- len = c->bufferSize - ctx->stream.avail_out;
-
-+ ctx->inflate_total += len;
-+ if (inflate_limit && ctx->inflate_total > inflate_limit) {
-+ inflateEnd(&ctx->stream);
-+ ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
-+ "Inflated content length of %" APR_OFF_T_FMT
-+ " is larger than the configured limit"
-+ " of %" APR_OFF_T_FMT,
-+ ctx->inflate_total, inflate_limit);
-+ return APR_ENOSPC;
-+ }
-+
-+ if (!check_ratio(r, ctx, dc)) {
-+ inflateEnd(&ctx->stream);
-+ ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
-+ "Inflated content ratio is larger than the "
-+ "configured limit %i by %i time(s)",
-+ dc->ratio_limit, dc->ratio_burst);
-+ return APR_EINVAL;
-+ }
-+
- ctx->crc = crc32(ctx->crc, (const Bytef *)ctx->buffer, len);
- tmp_heap = apr_bucket_heap_create((char *)ctx->buffer, len,
- NULL, f->c->bucket_alloc);
-@@ -1003,6 +1130,7 @@ static apr_status_t inflate_out_filter(a
- int zRC;
- apr_status_t rv;
- deflate_filter_config *c;
-+ deflate_dirconf_t *dc;
-
- /* Do nothing if asked to filter nothing. */
- if (APR_BRIGADE_EMPTY(bb)) {
-@@ -1010,6 +1138,7 @@ static apr_status_t inflate_out_filter(a
- }
-
- c = ap_get_module_config(r->server->module_config, &deflate_module);
-+ dc = ap_get_module_config(r->per_dir_config, &deflate_module);
-
- if (!ctx) {
-
-@@ -1272,6 +1401,14 @@ static apr_status_t inflate_out_filter(a
- while (ctx->stream.avail_in != 0) {
- if (ctx->stream.avail_out == 0) {
-
-+ if (!check_ratio(r, ctx, dc)) {
-+ ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
-+ "Inflated content ratio is larger than the "
-+ "configured limit %i by %i time(s)",
-+ dc->ratio_limit, dc->ratio_burst);
-+ return APR_EINVAL;
-+ }
-+
- ctx->stream.next_out = ctx->buffer;
- len = c->bufferSize - ctx->stream.avail_out;
-
-@@ -1346,12 +1483,20 @@ static const command_rec deflate_filter_
- "Set the Deflate Memory Level (1-9)"),
- AP_INIT_TAKE1("DeflateCompressionLevel", deflate_set_compressionlevel, NULL, RSRC_CONF,
- "Set the Deflate Compression Level (1-9)"),
-+ AP_INIT_TAKE1("DeflateInflateLimitRequestBody", deflate_set_inflate_limit, NULL, OR_ALL,
-+ "Set a limit on size of inflated input"),
-+ AP_INIT_TAKE1("DeflateInflateRatioLimit", deflate_set_inflate_ratio_limit, NULL, OR_ALL,
-+ "Set the inflate ratio limit above which inflation is "
-+ "aborted (default: " APR_STRINGIFY(AP_INFLATE_RATIO_LIMIT) ")"),
-+ AP_INIT_TAKE1("DeflateInflateRatioBurst", deflate_set_inflate_ratio_burst, NULL, OR_ALL,
-+ "Set the maximum number of following inflate ratios above limit "
-+ "(default: " APR_STRINGIFY(AP_INFLATE_RATIO_BURST) ")"),
- {NULL}
- };
-
- module AP_MODULE_DECLARE_DATA deflate_module = {
- STANDARD20_MODULE_STUFF,
-- NULL, /* dir config creater */
-+ create_deflate_dirconf, /* dir config creater */
- NULL, /* dir merger --- default is to override */
- create_deflate_server_config, /* server config */
- NULL, /* merge server config */ |