List:       apache-httpd-dev
Subject:    CVE-2013-5704, mod_headers and chunked trailer fields
From:       Joe Orton <jorton () redhat ! com>
Date:       2014-04-01 14:37:39
Message-ID: 20140401143739.GA18783 () redhat ! com

For context: http://martin.swende.se/blog/HTTPChunked.html

This was discussed a little on the security@ list last year but it's a 
difficult issue and there was not any consensus beyond the fact that the 
current behaviour is wrong, and "punt to dev@".  There is a separate 
thread about how to fix this, which Eric just re-started, but it would 
be good to discuss/find consensus on the security impact.

The API for handling trailer fields is unspecified, which is really why 
this bug exists; modules don't really expect those trailers to get 
merged into r->headers_in at a "surprising" time during request 
processing.

I'd argue that gateway modules can/should handle this case correctly, 
regardless of the httpd API; hence this is not a security issue in httpd 
as such.  For example, with mod_proxy acting as a reverse proxy, no 
headers can get "accidentally" passed through, since mod_proxy captures 
the request headers before processing the request body.

Regards, Joe
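
Added example, not part of the original message and not httpd code: a simplified Python model of the timing described above, where a header lookup made before the chunked body is read differs from the same lookup made after trailers are merged, while a copy of the headers captured before the body stays unchanged. The request bytes, the field name x-example-flag and the merge_trailers switch (with trailers kept in a separate table when it is off) are assumptions made for illustration.

```python
# Simplified model, not httpd code. RAW is a constructed request; the field
# name x-example-flag is a made-up placeholder.
RAW = (b"POST /app HTTP/1.1\r\n"
       b"Host: example.test\r\n"
       b"Transfer-Encoding: chunked\r\n"
       b"\r\n"
       b"5\r\nhello\r\n"
       b"0\r\n"
       b"X-Example-Flag: from-trailer\r\n"
       b"\r\n")

def parse_fields(block):
    """Parse 'Name: value' lines into a dict keyed by lower-cased name."""
    fields = {}
    for line in block.split(b"\r\n"):
        if b":" in line:
            name, _, value = line.partition(b":")
            fields[name.strip().lower().decode()] = value.strip().decode()
    return fields

def read_head(raw):
    """Return (header fields, bytes following the blank line)."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    return parse_fields(head.partition(b"\r\n")[2]), rest

def read_chunked(rest):
    """Decode a chunked body; return (body, trailer fields)."""
    body = b""
    while True:
        size_line, _, rest = rest.partition(b"\r\n")
        size = int(size_line.split(b";")[0], 16)  # drop chunk extensions
        if size == 0:
            break
        body, rest = body + rest[:size], rest[size + 2:]  # skip chunk CRLF
    return body, parse_fields(rest.partition(b"\r\n\r\n")[0])

def process(raw, merge_trailers):
    headers_in, rest = read_head(raw)
    snapshot = dict(headers_in)                # captured before the body is read
    early = headers_in.get("x-example-flag")   # header check before the body
    body, trailers = read_chunked(rest)
    if merge_trailers:
        headers_in.update(trailers)            # merge described in the message
    late = headers_in.get("x-example-flag")    # same lookup after the body
    return {"early": early, "late": late, "body": body,
            "forwarded": snapshot.get("x-example-flag"), "trailers": trailers}

if __name__ == "__main__":
    for merge in (True, False):
        print(merge, process(RAW, merge))
```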