Tagging httpd-2.2 as 2.2.9
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/tags/2.2.9@666274 13f79535-47bb-0310-9956-ffa450edef68
diff --git a/CHANGES b/CHANGES
index e9e3b3e..591a8fb 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,12 @@
-*- coding: utf-8 -*-
Changes with Apache 2.2.9
+ *) SECURITY: CVE-2008-2364 (cve.mitre.org)
+ mod_proxy_http: Better handling of excessive interim responses
+ from origin server to prevent potential denial of service and high
+ memory usage. Reported by Ryujiro Shibuya. [Ruediger Pluem,
+ Joe Orton, Jim Jagielski]
+
*) SECURITY: CVE-2007-6420 (cve.mitre.org)
mod_proxy_balancer: Prevent CSRF attacks against the balancer-manager
interface. [Joe Orton]
diff --git a/STATUS b/STATUS
index bd298de..bb3a13d 100644
--- a/STATUS
+++ b/STATUS
@@ -26,8 +26,7 @@
[NOTE that x.{odd}.z versions are strictly Alpha/Beta releases,
while x.{even}.z versions are Stable/GA releases.]
- 2.2.9 : In development. Jim would like to do a release early
- June and offers to RM.
+ 2.2.9 : Tagged June 10, 2008.
2.2.8 : Released January 19, 2008.
2.2.7 : Tagged January 4, 2008. Not released.
2.2.6 : Released September 7, 2007.
@@ -130,16 +129,6 @@
-1: niq - strcasecmp(NULL, ...) when secure is not set
rpluem: Good catch. Should be fixed by r660461.
- * mod_proxy_http: Handle interim responses better to avoid
- excessive memory usage and potential denial of service
- CVE-2008-2364
- Trunk version of patch:
- http://svn.apache.org/viewvc?view=rev&revision=666154
- http://svn.apache.org/viewvc?view=rev&revision=666180
- Backport version for 2.2.x of patch:
- Trunk version of patch works
- +1: jim
-
* mod_proxy_http: Do not forward an Expect: 100-continue to
an HTTP/1.0 server
Trunk version of patch:
diff --git a/docs/manual/howto/access.html.en b/docs/manual/howto/access.html.en
index 010a40c..e7755ed 100644
--- a/docs/manual/howto/access.html.en
+++ b/docs/manual/howto/access.html.en
@@ -138,14 +138,6 @@
this variable is set. This blocks that particular user agent from
the site.
</p>
-
- <p>An environment variable test can be negated using the <code>=!</code>
- syntax:</p>
-
- <div class="example"><p>
- Allow from env=!GoAway
- </p></div>
-
</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="section">
<h2><a name="rewrite" id="rewrite">Access control with mod_rewrite</a></h2>
diff --git a/include/ap_release.h b/include/ap_release.h
index 7e5f206..af9b323 100644
--- a/include/ap_release.h
+++ b/include/ap_release.h
@@ -46,7 +46,7 @@
#define AP_SERVER_MAJORVERSION_NUMBER 2
#define AP_SERVER_MINORVERSION_NUMBER 2
#define AP_SERVER_PATCHLEVEL_NUMBER 9
-#define AP_SERVER_DEVBUILD_BOOLEAN 1
+#define AP_SERVER_DEVBUILD_BOOLEAN 0
#if AP_SERVER_DEVBUILD_BOOLEAN
#define AP_SERVER_ADD_STRING "-dev"
diff --git a/modules/proxy/mod_proxy_http.c b/modules/proxy/mod_proxy_http.c
index b2c87b8..3ca2189 100644
--- a/modules/proxy/mod_proxy_http.c
+++ b/modules/proxy/mod_proxy_http.c
@@ -1307,6 +1307,16 @@
return rv;
}
+/*
+ * Limit the number of interim respones we sent back to the client. Otherwise
+ * we suffer from a memory build up. Besides there is NO sense in sending back
+ * an unlimited number of interim responses to the client. Thus if we cross
+ * this limit send back a 502 (Bad Gateway).
+ */
+#ifndef AP_MAX_INTERIM_RESPONSES
+#define AP_MAX_INTERIM_RESPONSES 10
+#endif
+
static
apr_status_t ap_proxy_http_process_response(apr_pool_t * p, request_rec *r,
proxy_conn_rec *backend,
@@ -1321,8 +1331,8 @@
apr_bucket *e;
apr_bucket_brigade *bb, *tmp_bb;
int len, backasswards;
- int interim_response; /* non-zero whilst interim 1xx responses
- * are being read. */
+ int interim_response = 0; /* non-zero whilst interim 1xx responses
+ * are being read. */
int pread_len = 0;
apr_table_t *save_table;
int backend_broke = 0;
@@ -1523,7 +1533,9 @@
if ((buf = apr_table_get(r->headers_out, "Content-Type"))) {
ap_set_content_type(r, apr_pstrdup(p, buf));
}
- ap_proxy_pre_http_request(origin,rp);
+ if (!ap_is_HTTP_INFO(r->status)) {
+ ap_proxy_pre_http_request(origin, rp);
+ }
/* Clear hop-by-hop headers */
for (i=0; hop_by_hop_hdrs[i]; ++i) {
@@ -1572,7 +1584,12 @@
backend->close += 1;
}
- interim_response = ap_is_HTTP_INFO(r->status);
+ if (ap_is_HTTP_INFO(r->status)) {
+ interim_response++;
+ }
+ else {
+ interim_response = 0;
+ }
if (interim_response) {
/* RFC2616 tells us to forward this.
*
@@ -1773,7 +1790,15 @@
apr_brigade_cleanup(bb);
}
- } while (interim_response);
+ } while (interim_response && (interim_response < AP_MAX_INTERIM_RESPONSES));
+
+ /* See define of AP_MAX_INTERIM_RESPONSES for why */
+ if (interim_response >= AP_MAX_INTERIM_RESPONSES) {
+ return ap_proxyerror(r, HTTP_BAD_GATEWAY,
+ apr_psprintf(p,
+ "Too many (%d) interim responses from origin server",
+ interim_response));
+ }
/* If our connection with the client is to be aborted, return DONE. */
if (c->aborted || backend_broke) {