HttpProtocolOptions Apache 2.2


Rashmi Srinivasan
Hi Yann/Eric,
We have ported the changes for CVE-2016-8743 into Apache 2.2 on HP-UX.
But while testing we find that HttpProtocolOptions Unsafe, tested with GET /HTTP 1.0/\n\n, responds with Bad Request when it is supposed to succeed.

However, after making the changes mentioned in
https://bz.apache.org/bugzilla/show_bug.cgi?id=60704, the Unsafe option responds with a success.

Is the below change valid for 2.2?

in 2.2.32:
static void *merge_core_server_configs(apr_pool_t *p, void *basev, void *virtv)
{
    core_server_config *base = (core_server_config *)basev;
    core_server_config *virt = (core_server_config *)virtv;
    core_server_config *conf;

    conf = (core_server_config *)apr_pmemdup(p, base, sizeof(core_server_config));

in 2.4.25:
static void *merge_core_server_configs(apr_pool_t *p, void *basev, void *virtv)
{
    core_server_config *base = (core_server_config *)basev;
    core_server_config *virt = (core_server_config *)virtv;
    core_server_config *conf = (core_server_config *)
                               apr_pmemdup(p, base, sizeof(core_server_config));

Please advise.

Thanks
Rashmi

Re: HttpProtocolOptions Apache 2.2

Eric Covener
http://svn.apache.org/viewvc?view=revision&revision=1783440


On Tue, Jun 13, 2017 at 2:19 PM, Rashmi Srinivasan
<[hidden email]> wrote:

> Hi Yann/Eric,
> We have ported the changes for CVE-2016-8743 into Apache 2.2 on
> HP-UX.
> But while testing we find that HttpProtocolOptions Unsafe, tested
> with GET /HTTP 1.0/\n\n, responds with Bad Request when it is supposed to
> succeed.
>
> However, after making the changes mentioned in
> https://bz.apache.org/bugzilla/show_bug.cgi?id=60704, the Unsafe
> option responds with a success.
>
> Is the below change valid for 2.2?
>
> in 2.2.32:
> static void *merge_core_server_configs(apr_pool_t *p, void *basev, void
> *virtv)
> {
>     core_server_config *base = (core_server_config *)basev;
>     core_server_config *virt = (core_server_config *)virtv;
>     core_server_config *conf;
>
>     conf = (core_server_config *)apr_pmemdup(p, base,
> sizeof(core_server_config));
>
> in 2.4.25:
> static void *merge_core_server_configs(apr_pool_t *p, void *basev, void
> *virtv)
> {
>     core_server_config *base = (core_server_config *)basev;
>     core_server_config *virt = (core_server_config *)virtv;
>     core_server_config *conf = (core_server_config *)
>                                apr_pmemdup(p, base,
> sizeof(core_server_config));
>
>
> Please advise.
>
> Thanks
> Rashmi



--
Eric Covener
[hidden email]

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]


Re: HttpProtocolOptions Apache 2.2

Rashmi Srinivasan
Thanks for your response Eric.
Porting the changes from http://svn.apache.org/viewvc?view=revision&revision=1783440 also didn't help.

However, making a single change as below got the Unsafe option to work:
conf = (core_server_config *)apr_pmemdup(p, virt, sizeof(core_server_config));
to
conf = (core_server_config *)apr_pmemdup(p, base, sizeof(core_server_config));
Also, when both the changes exist, the Unsafe option doesn't seem to work.

Is this change valid? Should we commit this to 2.2? Or is the Unsafe option supposed to report with a "Bad Request" response?
Please advise.

regards,
Rashmi







Re: HttpProtocolOptions Apache 2.2

Rashmi Srinivasan
Thanks Eric, please ignore my previous message.

Porting from the above, HttpProtocolOptions works as expected.

Thanks,
Rashmi





Re: HttpProtocolOptions Apache 2.2

Eric Covener
On Tue, Jun 13, 2017 at 11:55 PM, Rashmi Srinivasan
<[hidden email]> wrote:
> However, making a single change as below got the Unsafe option to work.


I think that is wrong for the rest of the merge function.

--
Eric Covener
[hidden email]
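To make Eric's point concrete, here is an added example (not Apache's code, not part of this thread) modelling the shape of a per-server config merge: the merged struct starts as a copy of the main server's config (base) and only the fields the virtual host explicitly set are overlaid, which is why the extra HttpProtocolOptions field needs its own merge line rather than a swap of base for virt in the copy. The field names, the UNSET sentinel and the sample configs are assumptions constructed for the example.

```c
/* Added example (not Apache's code): a simplified model of httpd's
 * per-server config merge. It shows why the merge starts from a copy of
 * the main server (base) and why the HttpProtocolOptions field needs its
 * own merge line. Field names and UNSET values are assumptions. */
#include <stdlib.h>
#include <string.h>

#define CONFORMANCE_UNSET  0   /* vhost did not set HttpProtocolOptions */
#define CONFORMANCE_UNSAFE 1
#define CONFORMANCE_STRICT 2

typedef struct {
    const char *server_admin;     /* NULL means "not set in this vhost" */
    int         limit_set;        /* 1 if the vhost set LimitRequestBody */
    long        limit_req_body;
    int         http_conformance; /* HttpProtocolOptions Strict/Unsafe */
} server_cfg;

/* Copy base, then overlay only what virt explicitly set. Starting from a
 * copy of virt instead (the one-line change tried in this thread) would
 * drop every inherited field the vhost left unset, e.g. server_admin. */
static server_cfg *merge_server_cfg(const server_cfg *base, const server_cfg *virt)
{
    server_cfg *conf = malloc(sizeof(*conf));
    if (!conf)
        return NULL;
    memcpy(conf, base, sizeof(*conf));       /* ~ apr_pmemdup(p, base, ...) */

    if (virt->server_admin)
        conf->server_admin = virt->server_admin;
    if (virt->limit_set) {
        conf->limit_req_body = virt->limit_req_body;
        conf->limit_set = 1;
    }
    /* The line the backport has to add: without it a per-vhost
     * "HttpProtocolOptions Unsafe" never reaches the merged config. */
    if (virt->http_conformance != CONFORMANCE_UNSET)
        conf->http_conformance = virt->http_conformance;
    return conf;
}

/* Constructed scenarios: main server is Strict; one vhost says Unsafe,
 * the other says nothing and must inherit Strict. */
static const server_cfg MAIN_SERVER  = { "admin@example.test", 1, 1048576, CONFORMANCE_STRICT };
static const server_cfg VHOST_UNSAFE = { NULL, 0, 0, CONFORMANCE_UNSAFE };
static const server_cfg VHOST_UNSET  = { NULL, 0, 0, CONFORMANCE_UNSET };
```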
