# CVE-2012-0053: Error response issue that could expose "httpOnly"
# cookies
#
# Further details organized by httpd release may be available from:
#
# http://httpd.apache.org/security_report.html
#
Index: server/protocol.c
===================================================================
--- server/protocol.c (revision 1237150)
+++ server/protocol.c (working copy)
@@ -677,6 +677,16 @@
return 1;
}
+/* get the length of the field name for logging, but no more than 80 bytes */
+#define LOG_NAME_MAX_LEN 80
+static int field_name_len(const char *field)
+{
+ const char *end = ap_strchr_c(field, ':');
+ if (end == NULL || end - field > LOG_NAME_MAX_LEN)
+ return LOG_NAME_MAX_LEN;
+ return end - field;
+}
+
AP_DECLARE(void) ap_get_mime_headers_core(request_rec *r, apr_bucket_brigade *bb)
{
char *last_field = NULL;
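Review bot: The comment on `field_name_len()` calls the result the length of the field name, but when no ':' is found the function returns `LOG_NAME_MAX_LEN` even if `field` is shorter than 80 bytes. The value is therefore only safe as a `%.*s` precision, and would over-read if a later caller used it as a byte count for a copy. I would state that in the comment, for example `/* upper bound for a "%.*s" precision: bytes before ':' capped at LOG_NAME_MAX_LEN; may exceed strlen(field) when there is no ':' */`. `ap_get_mime_headers_core()` begins in this hunk and continues outside it.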
@@ -709,12 +719,15 @@
/* insure ap_escape_html will terminate correctly */
field[len - 1] = '\0';
apr_table_setn(r->notes, "error-notes",
- apr_pstrcat(r->pool,
+ apr_psprintf(r->pool,
"Size of a request header field "
"exceeds server limit.
\n"
- "
\n", - ap_escape_html(r->pool, field), - "\n", NULL)); + "
\n%.*s\n/n", + field_name_len(field), + ap_escape_html(r->pool, field))); + ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, + "Request header exceeds LimitRequestFieldSize: " + "%.*s", field_name_len(field), field); return; } @@ -739,13 +752,17 @@ * overflow (last_field) as the field with the problem */ apr_table_setn(r->notes, "error-notes", - apr_pstrcat(r->pool, + apr_psprintf(r->pool, "Size of a request header field " "after folding " "exceeds server limit.
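Review bot: The `%.*s` precision is computed from the raw `field` but applied to the output of `ap_escape_html(r->pool, field)`, so a name containing `<`, `>` or `&` is cut before its raw length is reached and the output can end in the middle of an entity. The same pattern is in the after-folding hunk (`last_field`) and, with the fixed `(int)LOG_NAME_MAX_LEN`, in the missing-separator hunk. Truncating before escaping avoids it: pass `ap_escape_html(r->pool, apr_pstrndup(r->pool, field, field_name_len(field)))` with a plain `%s`. Separately, the new format string here ends in `/n"` where the after-folding hunk ends in `\n"`, which looks like a typo for `\n`. The enclosing function continues outside the hunk.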
\n", - ap_escape_html(r->pool, last_field), - "\n", NULL)); + "
\n%.*s\n\n", + field_name_len(last_field), + ap_escape_html(r->pool, last_field))); + ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, + "Request header exceeds LimitRequestFieldSize " + "after folding: %.*s", + field_name_len(last_field), last_field); return; } @@ -777,13 +794,17 @@ if (!(value = strchr(last_field, ':'))) { /* Find ':' or */ r->status = HTTP_BAD_REQUEST; /* abort bad request */ apr_table_setn(r->notes, "error-notes", - apr_pstrcat(r->pool, + apr_psprintf(r->pool, "Request header field is " "missing ':' separator.
\n", - ap_escape_html(r->pool, - last_field), - "\n", NULL)); + "
\n%.*s\n", + (int)LOG_NAME_MAX_LEN, + ap_escape_html(r->pool, + last_field))); + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "Request header field is missing ':' " + "separator: %.*s", (int)LOG_NAME_MAX_LEN, + last_field); return; }
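Review bot: The missing-separator branch logs at `APLOG_DEBUG`, while the two oversize-field branches added by this patch log at `APLOG_INFO`, and nothing in the hunk says why this rejection is quieter. If the difference is not intentional, use `ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,` here as well so all three 400 paths appear at the same LogLevel; otherwise a one-line comment giving the reason would help whoever tunes logging for malformed-request detection. The `(int)` cast on `LOG_NAME_MAX_LEN` is also redundant, since the first hunk defines the macro as the plain constant `80`. The enclosing function starts and ends outside the hunk.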