mod_xml2enc: fix media type handling

This commit is contained in:
Joe Orton 2024-02-07 15:44:56 +00:00 committed by root
parent df3e6a5147
commit ff4c2c66c0
3 changed files with 50 additions and 2 deletions

3
.httpd.metadata Normal file
View File

@ -0,0 +1,3 @@
01044512374941fad939ec4b1537428cc7edc769 httpd-2.4.57.tar.bz2
5cac6152cf2f175cc35ca0cf9d00b797c949b273 httpd-2.4.57.tar.bz2.asc
b2457e3ce46a7634bf9272a92b4214974b9bc9e0 KEYS

View File

@ -0,0 +1,39 @@
# ./pullrev.sh 1884505 1915625
http://svn.apache.org/viewvc?view=revision&revision=1884505
http://svn.apache.org/viewvc?view=revision&revision=1915625
--- httpd-2.4.57/modules/filters/mod_xml2enc.c
+++ httpd-2.4.57/modules/filters/mod_xml2enc.c
@@ -329,7 +329,7 @@
apr_bucket* bstart;
apr_size_t insz = 0;
int pending_meta = 0;
- char *ctype;
+ char *mtype;
char *p;
if (!ctx || !f->r->content_type) {
@@ -338,13 +338,17 @@
return ap_pass_brigade(f->next, bb) ;
}
- ctype = apr_pstrdup(f->r->pool, f->r->content_type);
- for (p = ctype; *p; ++p)
- if (isupper(*p))
- *p = tolower(*p);
+ /* Extract the media type, ignoring parameters in content-type. */
+ mtype = apr_pstrdup(f->r->pool, f->r->content_type);
+ if ((p = ap_strchr(mtype, ';')) != NULL) *p = '\0';
+ ap_str_tolower(mtype);
- /* only act if starts-with "text/" or contains "xml" */
- if (strncmp(ctype, "text/", 5) && !strstr(ctype, "xml")) {
+ /* Accept text/ types, plus any XML media type per RFC 7303. */
+ if (!(strncmp(mtype, "text/", 5) == 0
+ || strcmp(mtype, "application/xml") == 0
+ || (strlen(mtype) > 7 /* minimum 'a/b+xml' length */
+ && (p = strstr(mtype, "+xml")) != NULL
+ && strlen(p) == 4 /* ensures +xml is a suffix */))) {
ap_remove_output_filter(f);
return ap_pass_brigade(f->next, bb) ;
}

View File

@ -13,7 +13,7 @@
Summary: Apache HTTP Server
Name: httpd
Version: 2.4.57
Release: 7%{?dist}
Release: 8%{?dist}
URL: https://httpd.apache.org/
Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
Source1: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2.asc
@ -118,7 +118,8 @@ Patch69: httpd-2.4.57-covscan.patch
Patch70: httpd-2.4.57-mod_status-duplicate-key.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2217726
Patch71: httpd-2.4.57-davenoent.patch
# https://issues.redhat.com/browse/RHEL-17686
Patch72: httpd-2.4.57-r1884505+.patch
# Security fixes
# https://bugzilla.redhat.com/show_bug.cgi?id=...
@ -295,6 +296,7 @@ written in the Lua programming language.
%patch69 -p1 -b .covstan
%patch70 -p1 -b .duplicate-key
%patch71 -p1 -b .davenoent
%patch72 -p1 -b .r1884505+
%patch200 -p1 -b .CVE-2023-31122
@ -857,6 +859,10 @@ exit $rv
%{_rpmconfigdir}/macros.d/macros.httpd
%changelog
* Wed Feb 7 2024 Joe Orton <jorton@redhat.com> - 2.4.57-8
- mod_xml2enc: fix media type handling
Resolves: RHEL-17686
* Mon Feb 05 2024 Luboš Uhliarik <luhliari@redhat.com> - 2.4.57-7
- Resolves: RHEL-14447 - httpd: mod_macro: out-of-bounds read
vulnerability (CVE-2023-31122)