2 *) SECURITY [CAN-2003-0020]: Escape arbitrary data before writing
3 into the errorlog. [André Malo]
5 --- httpd-2.0.48/server/log.c.can0020 2003-06-23 14:03:59.000000000 +0100
6 +++ httpd-2.0.48/server/log.c 2004-01-19 14:14:42.000000000 +0000
8 const request_rec *r, apr_pool_t *pool,
9 const char *fmt, va_list args)
11 - char errstr[MAX_STRING_LEN];
12 + char errstr[MAX_STRING_LEN], scratch[MAX_STRING_LEN];
13 apr_size_t len, errstrlen;
14 apr_file_t *logf = NULL;
22 - len += apr_vsnprintf(errstr + len, MAX_STRING_LEN - len, fmt, args);
23 + if (apr_vsnprintf(scratch, MAX_STRING_LEN - len, fmt, args)) {
24 + len += ap_escape_errorlog_item(errstr + len, scratch,
25 + MAX_STRING_LEN - len);
28 - if (r && (referer = apr_table_get(r->headers_in, "Referer"))) {
29 + if ( r && (referer = apr_table_get(r->headers_in, "Referer"))
30 + && ap_escape_errorlog_item(scratch, referer, MAX_STRING_LEN - len)) {
31 len += apr_snprintf(errstr + len, MAX_STRING_LEN - len,
32 - ", referer: %s", referer);
33 + ", referer: %s", scratch);
36 /* NULL if we are logging to syslog */
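Review bot: In the Referer branch, `scratch` can hold up to `MAX_STRING_LEN - len - 1` escaped bytes, but the following `apr_snprintf(errstr + len, MAX_STRING_LEN - len, ", referer: %s", scratch)` must also fit the `", referer: "` prefix. A long header is therefore cut a second time, and the cut can land inside an escape sequence. The line still contains no raw control characters, so this affects log fidelity rather than opening an injection path. A comment such as `/* Referer is client-supplied: escaped into scratch first; the tail may be truncated mid-escape */` would tell anyone parsing these logs what to expect. The enclosing function starts and ends outside the visible lines.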
37 --- httpd-2.0.48/server/util.c.can0020 2003-06-17 18:39:10.000000000 +0100
38 +++ httpd-2.0.48/server/util.c 2004-01-19 14:14:42.000000000 +0000
39 @@ -1837,6 +1837,70 @@
43 +AP_DECLARE(apr_size_t) ap_escape_errorlog_item(char *dest, const char *source,
46 + unsigned char *d, *ep;
47 + const unsigned char *s;
49 + if (!source || !buflen) { /* be safe */
53 + d = (unsigned char *)dest;
54 + s = (const unsigned char *)source;
55 + ep = d + buflen - 1;
57 + for (; d < ep && *s; ++s) {
59 + if (TEST_CHAR(*s, T_ESCAPE_LOGITEM)) {
85 + case '"': /* no need for this in error log */
90 + ep = --d; /* break the for loop as well */
104 + return (d - (unsigned char *)dest);
107 AP_DECLARE(int) ap_is_directory(apr_pool_t *p, const char *path)
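Review bot: The guard `if (!source || !buflen)` in `ap_escape_errorlog_item` does not cover a NULL `dest`, and its body is not visible here. If it simply returns 0, `dest` is left unterminated whenever `source` is NULL and `buflen` is non-zero. The log.c callers in this patch test the return value before reading the buffer, but the function is exported, so a module that ignores the return value could write stale buffer contents to the log. Consider `if (!dest || !buflen) return 0;` followed by `if (!source) { *dest = '\0'; return 0; }`. Most of the function body lies outside the visible lines, so check this against the full hunk.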
110 --- httpd-2.0.48/include/ap_mmn.h.can0020 2003-07-07 01:45:23.000000000 +0100
111 +++ httpd-2.0.48/include/ap_mmn.h 2004-01-19 14:14:42.000000000 +0000
113 * 20020903.2 (2.0.46-dev) add ap_escape_logitem
114 * 20020903.3 (2.0.46-dev) allow_encoded_slashes added to core_dir_config
115 * 20020903.4 (2.0.47-dev) add ap_is_recursion_limit_exceeded()
116 + * 20020903.5 (2.0.49-dev) add ap_escape_errorlog_item()
119 #define MODULE_MAGIC_COOKIE 0x41503230UL /* "AP20" */
121 #ifndef MODULE_MAGIC_NUMBER_MAJOR
122 #define MODULE_MAGIC_NUMBER_MAJOR 20020903
124 -#define MODULE_MAGIC_NUMBER_MINOR 4 /* 0...n */
125 +#define MODULE_MAGIC_NUMBER_MINOR 5 /* 0...n */
128 * Determine if the server's current MODULE_MAGIC_NUMBER is at least a
129 --- httpd-2.0.48/include/httpd.h.can0020 2004-01-19 14:14:41.000000000 +0000
130 +++ httpd-2.0.48/include/httpd.h 2004-01-19 14:14:42.000000000 +0000
131 @@ -1370,12 +1370,22 @@
133 * Escape a string for logging
134 * @param p The pool to allocate from
135 - * @param s The string to escape
136 + * @param str The string to escape
137 * @return The escaped string
139 AP_DECLARE(char *) ap_escape_logitem(apr_pool_t *p, const char *str);
142 + * Escape a string for logging into the error log (without a pool)
143 + * @param dest The buffer to write to
144 + * @param source The string to escape
145 + * @param buflen The buffer size for the escaped string (including \0)
146 + * @return The len of the escaped string (always < maxlen)
148 +AP_DECLARE(apr_size_t) ap_escape_errorlog_item(char *dest, const char *source,
149 + apr_size_t buflen);
152 * Construct a full hostname
153 * @param p The pool to allocate from
154 * @param hostname The hostname of the server
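Review bot: The new doc comment for `ap_escape_errorlog_item` says the return value is `always < maxlen`, but the prototype names that parameter `buflen`. `* @return The len of the escaped string (always < buflen)` would match the declaration. Since this becomes a public API for modules, the comment could also state that output which does not fit in `buflen` is silently truncated. If the early-exit path for a NULL `source` or zero `buflen` returns 0 without writing to `dest`, that should be documented too, so callers know to test the return value before reading the buffer.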