Re: HTTPProtoco Options Apache 2.2

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Thanks Eric, Please ignore my previous message.
http://svn.apache.org/viewvc?view=revision&revision=1783440

Porting from above, httpprotocoloptions works as expected.

Thanks,
Rashmi

On Wed, Jun 14, 2017 at 9:25 AM, Rashmi Srinivasan <rashmisrinivasan2007@xxxxxxxxx> wrote:
Thanks for your response Eric.
Porting the changes from http://svn.apache.org/viewvc?view=revision&revision=1783440 also didn't help.

However making a single change as bellow, got the Unsafe option to work.
conf = (core_server_config *)apr_pmemdup(p, virt, sizeof(core_server_config));
to 
conf = (core_server_config *)apr_pmemdup(p, base, sizeof(core_server_config));
Also, when both the changes exist, the Unsafe option doesn't seem to work

IS this change valid? Should we commit this to 2.2? or is Unsafe option suppose to report with a "BAD Request" response.
Please advise.

regards,
Rashmi




On Tue, Jun 13, 2017 at 11:56 PM, Eric Covener <covener@xxxxxxxxx> wrote:
http://svn.apache.org/viewvc?view=revision&revision=1783440


On Tue, Jun 13, 2017 at 2:19 PM, Rashmi Srinivasan
<rashmisrinivasan2007@xxxxxxxxm> wrote:
> Hi Yann/Eric.
> -        We have ported the changes for CVE -2016-8743. into apache 2.2 on
> HP-UX
>            But while testing we find that HTTPProtocolOption Unsafe tested
> with GET /HTTP 1.0/\n\n responds with BAD Request, when it is suppose to
> succeed.
>
>            However after making changes as mentioned in
>            https://bz.apache.org/bugzilla/show_bug.cgi?id=60704, Unsafe
> option responds with a success.
>
> Is the below change valid for 2.2?
>
> in 2.2.32:
> static void *merge_core_server_configs(apr_pool_t *p, void *basev, void
> *virtv)
> {
>     core_server_config *base = (core_server_config *)basev;
>     core_server_config *virt = (core_server_config *)virtv;
>     core_server_config *conf;
>
>     conf = (core_server_config *)apr_pmemdup(p, base,
> sizeof(core_server_config));
>
> in 2.4.25:
> static void *merge_core_server_configs(apr_pool_t *p, void *basev, void
> *virtv)
> {
>     core_server_config *base = (core_server_config *)basev;
>     core_server_config *virt = (core_server_config *)virtv;
>     core_server_config *conf = (core_server_config *)
>                                apr_pmemdup(p, base,
> sizeof(core_server_config));
>
>
> Please advise.
>
> Thanks
> Rashmi



--
Eric Covener
covener@xxxxxxxxx

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx



[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux