[DRE-maint] diff for passenger in Squeeze
Guido Günther
agx at sigxcpu.org
Tue Dec 29 12:36:30 UTC 2015
Hi Thorsten,
On Mon, Dec 28, 2015 at 11:13:32PM +0100, Thorsten Alteholz wrote:
> Hi everybody,
>
> can someone please have a look at the diff for passenger=2.2.11debian-2 in
> Squeeze that should solve CVE-2015-7519[1] and nod?
>
> Thanks!
> Thorsten
>
>
> [1] https://security-tracker.debian.org/tracker/CVE-2015-7519
>
>
>
> diff -Nru passenger-2.2.11debian/ext/apache2/Hooks.cpp passenger-2.2.11debian/ext/apache2/Hooks.cpp
> --- passenger-2.2.11debian/ext/apache2/Hooks.cpp 2010-03-05 10:35:16.000000000 +0100
> +++ passenger-2.2.11debian/ext/apache2/Hooks.cpp 2015-12-28 20:04:14.000000000 +0100
> @@ -779,9 +779,33 @@
> char *lookupEnv(request_rec *r, const char *name) {
> return lookupName(r->subprocess_env, name);
> }
> +
> + static bool
> + isAlphaNum(char ch) {
> + return (ch >= '0' && ch <= '9') || (ch >= 'a' && ch <= 'z') || (ch >= 'A' && ch <= 'Z');
> + }
> +
> + /**
> + * For CGI, alphanum headers with optional dashes are mapped to UPP3R_CAS3. This
> + * function can be used to reject non-alphanum/dash headers that would end up with
> + * the same mapping (e.g. upp3r_cas3 and upp3r-cas3 would end up the same, and
> + * potentially collide each other in the receiving application). This is
> + * used to fix CVE-2015-7519.
> + */
> + static bool
> + containsNonAlphaNumDash(const char *s) {
> + size_t len = strlen(s);
> + for (size_t i = 0; i < len; i++) {
> + const char start = s[i];
> + if (start != '-' && !isAlphaNum(start)) {
> + return true;
> + }
> + }
> + return false;
> + }
>
> void inline addHeader(apr_table_t *table, const char *name, const char *value) {
> - if (name != NULL && value != NULL) {
> + if ((name != NULL && value != NULL) || containsNonAlphaNumDash(name)) {
> apr_table_addn(table, name, value);
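Review bot: In addHeader, the new condition `(name != NULL && value != NULL) || containsNonAlphaNumDash(name)` evaluates containsNonAlphaNumDash(name) only when the NULL check has already failed, so a NULL name reaches strlen(s) unguarded. A name that contains a character outside alphanumerics and dash, paired with a NULL value, is also passed on to apr_table_addn. The `||` further means such names are added rather than rejected, which is the opposite of what the doc comment on containsNonAlphaNumDash says the function is for. Suggest `if (name != NULL && value != NULL && !containsNonAlphaNumDash(name))`, so the filter runs only on a non-NULL name and the headers that would collide after the CGI mapping are dropped.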
Isn't the logic reversed here? We want to _skip_ the header if it
containsNonAlphaNumDash, not add it?
Cheers,
-- Guido