[pkg-lighttpd] Bug#428368: lighttpd vuln patch
Pierre Habouzit
madcoder at debian.org
Fri Jul 20 09:07:33 UTC 2007
On Fri, Jul 20, 2007 at 11:02:07AM +0200, Pierre Habouzit wrote:
> attached is the patch that fixes it. I'm going to NMU lighttpd in
> unstable, please someone takes care of etch.
I obviously forgot the patch...
--
·O· Pierre Habouzit
··O madcoder at debian.org
OOO http://www.madism.org
-------------- next part --------------
#! /bin/sh /usr/share/dpatch/dpatch-run
## 04_wrapping_headers_bugfix.dpatch by Pierre Habouzit <madcoder at debian.org>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: No description.
@DPATCH@
diff -urNad lighttpd-1.4.15~/src/request.c lighttpd-1.4.15/src/request.c
--- lighttpd-1.4.15~/src/request.c 2007-04-13 17:26:31.000000000 +0200
+++ lighttpd-1.4.15/src/request.c 2007-07-20 11:03:12.000000000 +0200
@@ -284,8 +284,6 @@
int done = 0;
- data_string *ds = NULL;
-
/*
* Request: "^(GET|POST|HEAD) ([^ ]+(\\?[^ ]+|)) (HTTP/1\\.[01])$"
* Option : "^([-a-zA-Z]+): (.+)$"
@@ -715,12 +713,24 @@
switch(*cur) {
case '\r':
if (con->parse_request->ptr[i+1] == '\n') {
+ data_string *ds = NULL;
+
/* End of Headerline */
con->parse_request->ptr[i] = '\0';
con->parse_request->ptr[i+1] = '\0';
if (in_folding) {
- if (!ds) {
+ buffer *key_b;
+ /**
+ * we use a evil hack to handle the line-folding
+ *
+ * As array_insert_unique() deletes 'ds' in the case of a duplicate
+ * ds points somewhere and we get a evil crash. As a solution we keep the old
+ * "key" and get the current value from the hash and append us
+ *
+ * */
+
+ if (!key || !key_len) {
/* 400 */
if (srv->srvconf.log_request_header_on_error) {
@@ -737,7 +747,15 @@
con->response.keep_alive = 0;
return 0;
}
- buffer_append_string(ds->value, value);
+
+ key_b = buffer_init();
+ buffer_copy_string_len(key_b, key, key_len);
+
+ if (NULL != (ds = (data_string *)array_get_element(con->request.headers, key_b->ptr))) {
+ buffer_append_string(ds->value, value);
+ }
+
+ buffer_free(key_b);
} else {
int s_len;
key = con->parse_request->ptr + first;
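Review bot: When `array_get_element()` returns NULL in the folding branch, the continuation text in `value` is discarded with no log entry and no error, so the request is processed with a header value that differs from what the client sent. That can happen whenever the previous header line was not stored in `con->request.headers` under the remembered key, and the silent path makes such requests hard to spot afterwards. At minimum I would add `else if (srv->srvconf.log_request_header_on_error) log_error_write(srv, __FILE__, __LINE__, "s", "folded header line without a stored header, ignored");`, or reject the request the same way the `!key || !key_len` case does. The enclosing function starts and ends outside this hunk, so whether `buffer_init()` can return NULL here is not visible; if it can, `key_b` is dereferenced unchecked.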
@@ -969,7 +987,12 @@
first = i+1;
is_key = 1;
value = 0;
- key_len = 0;
+#if 0
+ /**
+ * for Bug 1230 keep the key_len a live
+ */
+ key_len = 0;
+#endif
in_folding = 0;
} else {
if (srv->srvconf.log_request_header_on_error) {
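Review bot: The `#if 0` block leaves a dead `key_len = 0;` in the parser, and its comment ("keep the key_len a live") does not say which code now relies on the value surviving. Because `key_len` is no longer cleared at the end of a header line, `key`/`key_len` carry over into the next line, so the `if (!key || !key_len)` guard in the folding branch can only catch a continuation that arrives before any header has been parsed (assuming both start as NULL/0; their declarations are outside the hunks). I would delete the disabled assignment and replace the block with `/* key and key_len are kept on purpose: a folded line that follows looks the header up again by this key */`. Any other place in this function that reads `key_len == 0` as "no key on this line" should be rechecked, since the function body extends beyond what the patch shows.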
diff -urNad lighttpd-1.4.15~/tests/core-request.t lighttpd-1.4.15/tests/core-request.t
--- lighttpd-1.4.15~/tests/core-request.t 2007-02-08 17:34:47.000000000 +0100
+++ lighttpd-1.4.15/tests/core-request.t 2007-07-20 11:03:12.000000000 +0200
@@ -8,7 +8,7 @@
use strict;
use IO::Socket;
-use Test::More tests => 33;
+use Test::More tests => 36;
use LightyTest;
my $tf = LightyTest->new();
@@ -273,6 +273,38 @@
$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 200 } ];
ok($tf->handle_http($t) == 0, 'uppercase filenames');
+$t->{REQUEST} = ( <<EOF
+GET / HTTP/1.0
+Location: foo
+Location: foobar
+ baz
+EOF
+ );
+$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 200 } ];
+ok($tf->handle_http($t) == 0, '#1209 - duplicate headers with line-wrapping');
+
+$t->{REQUEST} = ( <<EOF
+GET / HTTP/1.0
+Location:
+Location: foobar
+ baz
+EOF
+ );
+$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 200 } ];
+ok($tf->handle_http($t) == 0, '#1209 - duplicate headers with line-wrapping - test 2');
+
+$t->{REQUEST} = ( <<EOF
+GET / HTTP/1.0
+A:
+Location: foobar
+ baz
+EOF
+ );
+$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 200 } ];
+ok($tf->handle_http($t) == 0, '#1209 - duplicate headers with line-wrapping - test 3');
+
+
+
ok($tf->stop_proc == 0, "Stopping lighttpd");
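Review bot: The three new cases assert only `'HTTP-Status' => 200`, so they prove the server survives a folded line after a duplicate or empty header, but not that ` baz` ends up appended to the stored `Location` value. None of them reaches the new `!key || !key_len` rejection path in request.c either, so that branch ships untested. The descriptions cite `#1209` while the comment added in request.c cites "Bug 1230"; one of the two references should be corrected so the regression can be traced to a single ticket. I would put a comment above the block such as `# regression: folded continuation after duplicate/empty headers must not crash the server (status only, merged value not checked)`.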
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://lists.alioth.debian.org/pipermail/pkg-lighttpd-maintainers/attachments/20070720/d4e8c471/attachment.pgp