arrfab / rpms / httpd

Forked from rpms/httpd 5 years ago
Clone

Blame SOURCES/httpd-2.4.6-CVE-2017-3167.patch

749353
diff --git a/include/http_protocol.h b/include/http_protocol.h
749353
index 5ac0ce3..f3a5137 100644
749353
--- a/include/http_protocol.h
749353
+++ b/include/http_protocol.h
749353
@@ -558,7 +558,11 @@ AP_DECLARE(void) ap_note_digest_auth_failure(request_rec *r);
749353
 AP_DECLARE_HOOK(int, note_auth_failure, (request_rec *r, const char *auth_type))
749353
 
749353
 /**
749353
- * Get the password from the request headers
749353
+ * Get the password from the request headers. This function has multiple side
749353
+ * effects due to its prior use in the old authentication framework.
749353
+ * ap_get_basic_auth_components() should be preferred.
749353
+ *
749353
+ * @deprecated @see ap_get_basic_auth_components
749353
  * @param r The current request
749353
  * @param pw The password as set in the headers
749353
  * @return 0 (OK) if it set the 'pw' argument (and assured
749353
@@ -571,6 +575,25 @@ AP_DECLARE_HOOK(int, note_auth_failure, (request_rec *r, const char *auth_type))
749353
  */
749353
 AP_DECLARE(int) ap_get_basic_auth_pw(request_rec *r, const char **pw);
749353
 
749353
+#define AP_GET_BASIC_AUTH_PW_NOTE "AP_GET_BASIC_AUTH_PW_NOTE"
749353
+
749353
+/**
749353
+ * Get the username and/or password from the request's Basic authentication
749353
+ * headers. Unlike ap_get_basic_auth_pw(), calling this function has no side
749353
+ * effects on the passed request_rec.
749353
+ *
749353
+ * @param r The current request
749353
+ * @param username If not NULL, set to the username sent by the client
749353
+ * @param password If not NULL, set to the password sent by the client
749353
+ * @return APR_SUCCESS if the credentials were successfully parsed and returned;
749353
+ *         APR_EINVAL if there was no authentication header sent or if the
749353
+ *         client was not using the Basic authentication scheme. username and
749353
+ *         password are unchanged on failure.
749353
+ */
749353
+AP_DECLARE(apr_status_t) ap_get_basic_auth_components(const request_rec *r,
749353
+                                                      const char **username,
749353
+                                                      const char **password);
749353
+
749353
 /**
749353
  * parse_uri: break apart the uri
749353
  * @warning Side Effects:
749353
diff --git a/include/httpd.h b/include/httpd.h
749353
index 652a212..176ef5e 100644
749353
--- a/include/httpd.h
749353
+++ b/include/httpd.h
749353
@@ -2272,6 +2272,34 @@ AP_DECLARE(char *) ap_get_exec_line(apr_pool_t *p,
749353
 
749353
 #define AP_NORESTART APR_OS_START_USEERR + 1
749353
 
749353
+/**
749353
+ * Perform a case-insensitive comparison of two strings @a atr1 and @a atr2,
749353
+ * treating upper and lower case values of the 26 standard C/POSIX alphabetic
749353
+ * characters as equivalent. Extended latin characters outside of this set
749353
+ * are treated as unique octets, irrespective of the current locale.
749353
+ *
749353
+ * Returns in integer greater than, equal to, or less than 0,
749353
+ * according to whether @a str1 is considered greater than, equal to,
749353
+ * or less than @a str2.
749353
+ *
749353
+ * @note Same code as apr_cstr_casecmp, which arrives in APR 1.6
749353
+ */
749353
+AP_DECLARE(int) ap_cstr_casecmp(const char *s1, const char *s2);
749353
+
749353
+/**
749353
+ * Perform a case-insensitive comparison of two strings @a atr1 and @a atr2,
749353
+ * treating upper and lower case values of the 26 standard C/POSIX alphabetic
749353
+ * characters as equivalent. Extended latin characters outside of this set
749353
+ * are treated as unique octets, irrespective of the current locale.
749353
+ *
749353
+ * Returns in integer greater than, equal to, or less than 0,
749353
+ * according to whether @a str1 is considered greater than, equal to,
749353
+ * or less than @a str2.
749353
+ *
749353
+ * @note Same code as apr_cstr_casecmpn, which arrives in APR 1.6
749353
+ */
749353
+AP_DECLARE(int) ap_cstr_casecmpn(const char *s1, const char *s2, apr_size_t n);
749353
+
749353
 #ifdef __cplusplus
749353
 }
749353
 #endif
749353
diff --git a/server/protocol.c b/server/protocol.c
749353
index 24355c7..868c3e3 100644
749353
--- a/server/protocol.c
749353
+++ b/server/protocol.c
749353
@@ -1567,6 +1567,7 @@ AP_DECLARE(int) ap_get_basic_auth_pw(request_rec *r, const char **pw)
749353
 
749353
     t = ap_pbase64decode(r->pool, auth_line);
749353
     r->user = ap_getword_nulls (r->pool, &t, ':');
749353
+    apr_table_setn(r->notes, AP_GET_BASIC_AUTH_PW_NOTE, "1");
749353
     r->ap_auth_type = "Basic";
749353
 
749353
     *pw = t;
749353
@@ -1574,6 +1575,53 @@ AP_DECLARE(int) ap_get_basic_auth_pw(request_rec *r, const char **pw)
749353
     return OK;
749353
 }
749353
 
749353
+AP_DECLARE(apr_status_t) ap_get_basic_auth_components(const request_rec *r,
749353
+                                                      const char **username,
749353
+                                                      const char **password)
749353
+{
749353
+    const char *auth_header;
749353
+    const char *credentials;
749353
+    const char *decoded;
749353
+    const char *user;
749353
+
749353
+    auth_header = (PROXYREQ_PROXY == r->proxyreq) ? "Proxy-Authorization"
749353
+                                                  : "Authorization";
749353
+    credentials = apr_table_get(r->headers_in, auth_header);
749353
+
749353
+    if (!credentials) {
749353
+        /* No auth header. */
749353
+        return APR_EINVAL;
749353
+    }
749353
+
749353
+    if (ap_cstr_casecmp(ap_getword(r->pool, &credentials, ' '), "Basic")) {
749353
+        /* These aren't Basic credentials. */
749353
+        return APR_EINVAL;
749353
+    }
749353
+
749353
+    while (*credentials == ' ' || *credentials == '\t') {
749353
+        credentials++;
749353
+    }
749353
+
749353
+    /* XXX Our base64 decoding functions don't actually error out if the string
749353
+     * we give it isn't base64; they'll just silently stop and hand us whatever
749353
+     * they've parsed up to that point.
749353
+     *
749353
+     * Since this function is supposed to be a drop-in replacement for the
749353
+     * deprecated ap_get_basic_auth_pw(), don't fix this for 2.4.x.
749353
+     */
749353
+    decoded = ap_pbase64decode(r->pool, credentials);
749353
+    user = ap_getword_nulls(r->pool, &decoded, ':');
749353
+
749353
+    if (username) {
749353
+        *username = user;
749353
+    }
749353
+    if (password) {
749353
+        *password = decoded;
749353
+    }
749353
+
749353
+    return APR_SUCCESS;
749353
+}
749353
+
749353
 struct content_length_ctx {
749353
     int data_sent;  /* true if the C-L filter has already sent at
749353
                      * least one bucket on to the next output filter
749353
diff --git a/server/request.c b/server/request.c
749353
index 2711bed..4eef097 100644
749353
--- a/server/request.c
749353
+++ b/server/request.c
749353
@@ -124,6 +124,8 @@ static int decl_die(int status, const char *phase, request_rec *r)
749353
 AP_DECLARE(int) ap_some_authn_required(request_rec *r)
749353
 {
749353
     int access_status;
749353
+    char *olduser = r->user;
749353
+    int rv = FALSE;
749353
 
749353
     switch (ap_satisfies(r)) {
749353
     case SATISFY_ALL:
749353
@@ -134,7 +136,7 @@ AP_DECLARE(int) ap_some_authn_required(request_rec *r)
749353
 
749353
         access_status = ap_run_access_checker_ex(r);
749353
         if (access_status == DECLINED) {
749353
-            return TRUE;
749353
+            rv = TRUE;
749353
         }
749353
 
749353
         break;
749353
@@ -145,13 +147,14 @@ AP_DECLARE(int) ap_some_authn_required(request_rec *r)
749353
 
749353
         access_status = ap_run_access_checker_ex(r);
749353
         if (access_status == DECLINED) {
749353
-            return TRUE;
749353
+            rv = TRUE;
749353
         }
749353
 
749353
         break;
749353
     }
749353
 
749353
-    return FALSE;
749353
+    r->user = olduser;
749353
+    return rv;
749353
 }
749353
 
749353
 /* This is the master logic for processing requests.  Do NOT duplicate
749353
@@ -259,6 +262,14 @@ AP_DECLARE(int) ap_process_request_internal(request_rec *r)
749353
         r->ap_auth_type = r->main->ap_auth_type;
749353
     }
749353
     else {
749353
+        /* A module using a confusing API (ap_get_basic_auth_pw) caused
749353
+        ** r->user to be filled out prior to check_authn hook. We treat
749353
+        ** it is inadvertent.
749353
+        */
749353
+        if (r->user && apr_table_get(r->notes, AP_GET_BASIC_AUTH_PW_NOTE)) { 
749353
+            r->user = NULL;
749353
+        }
749353
+
749353
         switch (ap_satisfies(r)) {
749353
         case SATISFY_ALL:
749353
         case SATISFY_NOSPEC:
749353
diff --git a/server/util.c b/server/util.c
749353
index db22b50..70fd662 100644
749353
--- a/server/util.c
749353
+++ b/server/util.c
749353
@@ -96,7 +96,6 @@
749353
 #undef APLOG_MODULE_INDEX
749353
 #define APLOG_MODULE_INDEX AP_CORE_MODULE_INDEX
749353
 
749353
-
749353
 /*
749353
  * Examine a field value (such as a media-/content-type) string and return
749353
  * it sans any parameters; e.g., strip off any ';charset=foo' and the like.
749353
@@ -3036,3 +3035,128 @@ AP_DECLARE(char *) ap_get_exec_line(apr_pool_t *p,
749353
 
749353
     return apr_pstrndup(p, buf, k);
749353
 }
749353
+
749353
+#if !APR_CHARSET_EBCDIC
749353
+/*
749353
+ * Our own known-fast translation table for casecmp by character.
749353
+ * Only ASCII alpha characters 41-5A are folded to 61-7A, other
749353
+ * octets (such as extended latin alphabetics) are never case-folded.
749353
+ * NOTE: Other than Alpha A-Z/a-z, each code point is unique!
749353
+*/
749353
+static const short ucharmap[] = {
749353
+    0x0,  0x1,  0x2,  0x3,  0x4,  0x5,  0x6,  0x7,
749353
+    0x8,  0x9,  0xa,  0xb,  0xc,  0xd,  0xe,  0xf,
749353
+    0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
749353
+    0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f,
749353
+    0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
749353
+    0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f,
749353
+    0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
749353
+    0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f,
749353
+    0x40,  'a',  'b',  'c',  'd',  'e',  'f',  'g',
749353
+     'h',  'i',  'j',  'k',  'l',  'm',  'n',  'o',
749353
+     'p',  'q',  'r',  's',  't',  'u',  'v',  'w',
749353
+     'x',  'y',  'z', 0x5b, 0x5c, 0x5d, 0x5e, 0x5f,
749353
+    0x60,  'a',  'b',  'c',  'd',  'e',  'f',  'g',
749353
+     'h',  'i',  'j',  'k',  'l',  'm',  'n',  'o',
749353
+     'p',  'q',  'r',  's',  't',  'u',  'v',  'w',
749353
+     'x',  'y',  'z', 0x7b, 0x7c, 0x7d, 0x7e, 0x7f,
749353
+    0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
749353
+    0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
749353
+    0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
749353
+    0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f,
749353
+    0xa0, 0xa1, 0xa2, 0xa3, 0xa4, 0xa5, 0xa6, 0xa7,
749353
+    0xa8, 0xa9, 0xaa, 0xab, 0xac, 0xad, 0xae, 0xaf,
749353
+    0xb0, 0xb1, 0xb2, 0xb3, 0xb4, 0xb5, 0xb6, 0xb7,
749353
+    0xb8, 0xb9, 0xba, 0xbb, 0xbc, 0xbd, 0xbe, 0xbf,
749353
+    0xc0, 0xc1, 0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7,
749353
+    0xc8, 0xc9, 0xca, 0xcb, 0xcc, 0xcd, 0xce, 0xcf,
749353
+    0xd0, 0xd1, 0xd2, 0xd3, 0xd4, 0xd5, 0xd6, 0xd7,
749353
+    0xd8, 0xd9, 0xda, 0xdb, 0xdc, 0xdd, 0xde, 0xdf,
749353
+    0xe0, 0xe1, 0xe2, 0xe3, 0xe4, 0xe5, 0xe6, 0xe7,
749353
+    0xe8, 0xe9, 0xea, 0xeb, 0xec, 0xed, 0xee, 0xef,
749353
+    0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7,
749353
+    0xf8, 0xf9, 0xfa, 0xfb, 0xfc, 0xfd, 0xfe, 0xff
749353
+};
749353
+#else /* APR_CHARSET_EBCDIC */
749353
+/*
749353
+ * Derived from apr-iconv/ccs/cp037.c for EBCDIC case comparison,
749353
+ * provides unique identity of every char value (strict ISO-646
749353
+ * conformance, arbitrary election of an ISO-8859-1 ordering, and
749353
+ * very arbitrary control code assignments into C1 to achieve
749353
+ * identity and a reversible mapping of code points),
749353
+ * then folding the equivalences of ASCII 41-5A into 61-7A, 
749353
+ * presenting comparison results in a somewhat ISO/IEC 10646
749353
+ * (ASCII-like) order, depending on the EBCDIC code page in use.
749353
+ *
749353
+ * NOTE: Other than Alpha A-Z/a-z, each code point is unique!
749353
+ */
749353
+static const short ucharmap[] = {
749353
+  0x00, 0x01, 0x02, 0x03, 0x9C, 0x09, 0x86, 0x7F,
749353
+  0x97, 0x8D, 0x8E, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
749353
+  0x10, 0x11, 0x12, 0x13, 0x9D, 0x85, 0x08, 0x87,
749353
+  0x18, 0x19, 0x92, 0x8F, 0x1C, 0x1D, 0x1E, 0x1F,
749353
+  0x80, 0x81, 0x82, 0x83, 0x84, 0x0A, 0x17, 0x1B,
749353
+  0x88, 0x89, 0x8A, 0x8B, 0x8C, 0x05, 0x06, 0x07,
749353
+  0x90, 0x91, 0x16, 0x93, 0x94, 0x95, 0x96, 0x04,
749353
+  0x98, 0x99, 0x9A, 0x9B, 0x14, 0x15, 0x9E, 0x1A,
749353
+  0x20, 0xA0, 0xE2, 0xE4, 0xE0, 0xE1, 0xE3, 0xE5,
749353
+  0xE7, 0xF1, 0xA2, 0x2E, 0x3C, 0x28, 0x2B, 0x7C,
749353
+  0x26, 0xE9, 0xEA, 0xEB, 0xE8, 0xED, 0xEE, 0xEF,
749353
+  0xEC, 0xDF, 0x21, 0x24, 0x2A, 0x29, 0x3B, 0xAC,
749353
+  0x2D, 0x2F, 0xC2, 0xC4, 0xC0, 0xC1, 0xC3, 0xC5,
749353
+  0xC7, 0xD1, 0xA6, 0x2C, 0x25, 0x5F, 0x3E, 0x3F,
749353
+  0xF8, 0xC9, 0xCA, 0xCB, 0xC8, 0xCD, 0xCE, 0xCF,
749353
+  0xCC, 0x60, 0x3A, 0x23, 0x40, 0x27, 0x3D, 0x22,
749353
+  0xD8, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67,
749353
+  0x68, 0x69, 0xAB, 0xBB, 0xF0, 0xFD, 0xFE, 0xB1,
749353
+  0xB0, 0x6A, 0x6B, 0x6C, 0x6D, 0x6E, 0x6F, 0x70,
749353
+  0x71, 0x72, 0xAA, 0xBA, 0xE6, 0xB8, 0xC6, 0xA4,
749353
+  0xB5, 0x7E, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78,
749353
+  0x79, 0x7A, 0xA1, 0xBF, 0xD0, 0xDD, 0xDE, 0xAE,
749353
+  0x5E, 0xA3, 0xA5, 0xB7, 0xA9, 0xA7, 0xB6, 0xBC,
749353
+  0xBD, 0xBE, 0x5B, 0x5D, 0xAF, 0xA8, 0xB4, 0xD7,
749353
+  0x7B, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67,
749353
+  0x68, 0x69, 0xAD, 0xF4, 0xF6, 0xF2, 0xF3, 0xF5,
749353
+  0x7D, 0x6A, 0x6B, 0x6C, 0x6D, 0x6E, 0x6F, 0x70,
749353
+  0x71, 0x72, 0xB9, 0xFB, 0xFC, 0xF9, 0xFA, 0xFF,
749353
+  0x5C, 0xF7, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78,
749353
+  0x79, 0x7A, 0xB2, 0xD4, 0xD6, 0xD2, 0xD3, 0xD5,
749353
+  0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
749353
+  0x38, 0x39, 0xB3, 0xDB, 0xDC, 0xD9, 0xDA, 0x9F
749353
+};
749353
+#endif
749353
+
749353
+AP_DECLARE(int) ap_cstr_casecmp(const char *s1, const char *s2)
749353
+{
749353
+    const unsigned char *str1 = (const unsigned char *)s1;
749353
+    const unsigned char *str2 = (const unsigned char *)s2;
749353
+    for (;;)
749353
+    {
749353
+        const int c1 = (int)(*str1);
749353
+        const int c2 = (int)(*str2);
749353
+        const int cmp = ucharmap[c1] - ucharmap[c2];
749353
+        /* Not necessary to test for !c2, this is caught by cmp */
749353
+        if (cmp || !c1)
749353
+            return cmp;
749353
+        str1++;
749353
+        str2++;
749353
+    }
749353
+}
749353
+
749353
+AP_DECLARE(int) ap_cstr_casecmpn(const char *s1, const char *s2, apr_size_t n)
749353
+{
749353
+    const unsigned char *str1 = (const unsigned char *)s1;
749353
+    const unsigned char *str2 = (const unsigned char *)s2;
749353
+    while (n--)
749353
+    {
749353
+        const int c1 = (int)(*str1);
749353
+        const int c2 = (int)(*str2);
749353
+        const int cmp = ucharmap[c1] - ucharmap[c2];
749353
+        /* Not necessary to test for !c2, this is caught by cmp */
749353
+        if (cmp || !c1)
749353
+            return cmp;
749353
+        str1++;
749353
+        str2++;
749353
+    }
749353
+    return 0;
749353
+}