# CVE-2012-0053: Error response issue that could expose "httpOnly" # cookies # # Further details organized by httpd release may be available from: # # http://httpd.apache.org/security_report.html #
Index: src/main/http_protocol.c
===================================================================
--- src/main/http_protocol.c (revision 1238011)
+++ src/main/http_protocol.c (working copy)
@@ -1076,6 +1076,16 @@
 return 1;
 }
+/* get the length of the field name for logging, but no more than 80 bytes */
+#define LOG_NAME_MAX_LEN 80
+static int field_name_len(const char *field)
+{
+ const char *end = strchr(field, ':');
+ if (end == NULL || end - field > LOG_NAME_MAX_LEN)
+ return LOG_NAME_MAX_LEN;
+ return end - field;
+}
+
 static void get_mime_headers(request_rec *r)
 {
 char field[DEFAULT_LIMIT_REQUEST_FIELDSIZE + 2]; /* ap_getline's two extra */
@@ -1109,9 +1119,14 @@
 */
 if (len > r->server->limit_req_fieldsize) {
 r->status = HTTP_BAD_REQUEST;
- ap_table_setn(r->notes, "error-notes", ap_pstrcat(r->pool,
- "Size of a request header field exceeds server limit.
\n"
- "
\n", ap_escape_html(r->pool, field), "\n", NULL));
+ ap_table_setn(r->notes, "error-notes",
+ ap_psprintf(r->pool,
+ "Size of a request header field exceeds server limit.
\n"
+ "
\n%.*s\n\n",
+ field_name_len(field), field));
+ ap_log_rerror(APLOG_MARK, APLOG_INFO|APLOG_NOERRNO, r,
+ "Request header exceeds LimitRequestFieldSize: "
+ "%.*s", field_name_len(field), field);
 return;
 }
 copy = ap_palloc(r->pool, len + 1);
@@ -1119,9 +1134,12 @@
 if (!(value = strchr(copy, ':'))) { /* Find the colon separator */
 r->status = HTTP_BAD_REQUEST; /* or abort the bad request */
- ap_table_setn(r->notes, "error-notes", ap_pstrcat(r->pool,
- "Request header field is missing colon separator.
\n"
- "
\n", ap_escape_html(r->pool, copy), "\n", NULL));
+ ap_table_setn(r->notes, "error-notes",
+ ap_psprintf(r->pool,
+ "Request header field is missing colon separator.
\n"
+ "
\n%.*s\n",
+ (int)LOG_NAME_MAX_LEN,
+ ap_escape_html(r->pool, copy)));
 return;
 }
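Review bot: The `%.*s` precision in the missing-colon branch is applied to the output of `ap_escape_html`, so the LOG_NAME_MAX_LEN cut can land inside an entity such as `&lt;` and leave a dangling `&l` in the error page. The text that survives is still escaped, so this looks cosmetic rather than injectable, but it also means the whole of `copy` is escaped just to print its first 80 bytes. Limiting the raw text to LOG_NAME_MAX_LEN bytes first and escaping that shorter copy would avoid both; failing that, a comment such as `/* precision counts escaped bytes; an entity may be cut at the limit */` would record the behaviour. The surrounding get_mime_headers body starts and ends outside the hunk.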