Add three patches to resolve security issue:

SECURITY [CAN-2003-0020]: escape arbitrary data before writing into the errorlog

The three patches are from Apache cvs.
http://cvs.apache.org/viewcvs.cgi/apache-1.3/src/

Also bump PKGREVISION.
reed 2004-04-07 19:53:27 +00:00
parent 9e3b9ebea0
commit 9e1d8c8a1c
4 changed files with 121 additions and 1 deletions


@ -1,10 +1,11 @@
# $NetBSD: Makefile,v 1.139 2004/02/28 22:18:35 snj Exp $
# $NetBSD: Makefile,v 1.140 2004/04/07 19:53:27 reed Exp $
#
# This pkg does not compile in mod_ssl, only the `mod_ssl EAPI' (a set of
# code hooks that allow mod_ssl to be compiled separately later, if desired).
DISTNAME= apache_${APACHE_VERSION}
PKGNAME= apache-${APACHE_VERSION}
PKGREVISION= 1
APACHE_VERSION= 1.3.29
CATEGORIES= www
MASTER_SITES= ${MASTER_SITE_APACHE:=httpd/} \


@ -0,0 +1,30 @@
$NetBSD: patch-ap,v 1.3 2004/04/07 19:53:27 reed Exp $
SECURITY [CAN-2003-0020]: escape arbitrary data before writing into the errorlog
--- src/main/http_log.c.orig 2003-02-03 09:13:21.000000000 -0800
+++ src/main/http_log.c
@@ -314,6 +314,9 @@ static void log_error_core(const char *f
const char *fmt, va_list args)
{
char errstr[MAX_STRING_LEN];
+#ifndef AP_UNSAFE_ERROR_LOG_UNESCAPED
+ char scratch[MAX_STRING_LEN];
+#endif
size_t len;
int save_errno = errno;
FILE *logf;
@@ -445,7 +448,14 @@ static void log_error_core(const char *f
}
#endif
+#ifndef AP_UNSAFE_ERROR_LOG_UNESCAPED
+ if (ap_vsnprintf(scratch, sizeof(scratch) - len, fmt, args)) {
+ len += ap_escape_errorlog_item(errstr + len, scratch,
+ sizeof(errstr) - len);
+ }
+#else
len += ap_vsnprintf(errstr + len, sizeof(errstr) - len, fmt, args);
+#endif
/* NULL if we are logging to syslog */
if (logf) {
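Review bot: The `#else` branch at the end of the second hunk still formats straight into `errstr` whenever `AP_UNSAFE_ERROR_LOG_UNESCAPED` is defined, and nothing at the site says that defining the macro switches the escaping off. I would add a comment above the `#ifndef`, for example `/* Defining AP_UNSAFE_ERROR_LOG_UNESCAPED writes arbitrary data to the error log unescaped; leave it undefined in packaged builds. */`, and confirm that the package's build flags never set it. The size `sizeof(scratch) - len` also deserves a short remark: it caps the raw message to the room left in `errstr`, but escaping can expand one byte into as many as four, so the escaped text can still be cut off at `sizeof(errstr) - len` with no marker in the log line. log_error_core begins and ends outside both hunks, so how `len` is bounded before this point cannot be checked from here.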


@ -0,0 +1,14 @@
$NetBSD: patch-aq,v 1.3 2004/04/07 19:53:27 reed Exp $
SECURITY [CAN-2003-0020]: escape arbitrary data before writing into the errorlog
--- src/include/httpd.h.orig 2004-04-07 12:24:10.967724616 -0700
+++ src/include/httpd.h
@@ -1072,6 +1072,8 @@ API_EXPORT(char *) ap_escape_html(pool *
API_EXPORT(char *) ap_construct_server(pool *p, const char *hostname,
unsigned port, const request_rec *r);
API_EXPORT(char *) ap_escape_logitem(pool *p, const char *str);
+API_EXPORT(size_t) ap_escape_errorlog_item(char *dest, const char *source,
+ size_t buflen);
API_EXPORT(char *) ap_escape_shell_cmd(pool *p, const char *s);
API_EXPORT(int) ap_count_dirs(const char *path);


@ -0,0 +1,75 @@
$NetBSD: patch-ar,v 1.3 2004/04/07 19:53:27 reed Exp $
SECURITY [CAN-2003-0020]: escape arbitrary data before writing into the errorlog
--- src/main/util.c.orig 2003-02-03 09:13:23.000000000 -0800
+++ src/main/util.c
@@ -1520,6 +1520,69 @@ API_EXPORT(char *) ap_escape_logitem(poo
return ret;
}
+API_EXPORT(size_t) ap_escape_errorlog_item(char *dest, const char *source,
+ size_t buflen)
+{
+ unsigned char *d, *ep;
+ const unsigned char *s;
+
+ if (!source || !buflen) { /* be safe */
+ return 0;
+ }
+
+ d = (unsigned char *)dest;
+ s = (const unsigned char *)source;
+ ep = d + buflen - 1;
+
+ for (; d < ep && *s; ++s) {
+
+ if (TEST_CHAR(*s, T_ESCAPE_LOGITEM)) {
+ *d++ = '\\';
+ if (d >= ep) {
+ --d;
+ break;
+ }
+
+ switch(*s) {
+ case '\b':
+ *d++ = 'b';
+ break;
+ case '\n':
+ *d++ = 'n';
+ break;
+ case '\r':
+ *d++ = 'r';
+ break;
+ case '\t':
+ *d++ = 't';
+ break;
+ case '\v':
+ *d++ = 'v';
+ break;
+ case '\\':
+ *d++ = *s;
+ break;
+ case '"': /* no need for this in error log */
+ d[-1] = *s;
+ break;
+ default:
+ if (d >= ep - 2) {
+ ep = --d; /* break the for loop as well */
+ break;
+ }
+ c2x(*s, d);
+ *d = 'x';
+ d += 3;
+ }
+ }
+ else {
+ *d++ = *s;
+ }
+ }
+ *d = '\0';
+
+ return (d - (unsigned char *)dest);
+}
API_EXPORT(char *) ap_escape_shell_cmd(pool *p, const char *str)
{
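Review bot: The guard at the top of ap_escape_errorlog_item returns 0 for a NULL `source` without writing to `dest`, so a caller passing a non-zero `buflen` gets back a buffer this function has not terminated. Since the function is exported, I would split the check into `if (!buflen) return 0;` followed by `if (!source) { *dest = '\0'; return 0; }`. The function also has no header comment. It should state that `buflen` includes the terminating NUL, that the return value is the number of bytes written excluding it, and that an escape sequence which does not fit is dropped whole rather than split (the `--d` and `ep = --d` paths). In the `default:` case, a comment such as `/* overwrite the first byte c2x stored so the output reads \xXX */` would explain the `*d = 'x'` store; c2x is defined outside the hunk, so its exact output is inferred from the `d += 3` that follows.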