*) SECURITY: CVE-2015-0253 (cve.mitre.org)

core: Fix a crash introduced in with ErrorDocument 400 pointing to a local URL-path with the INCLUDES filter active, introduced in 2.4.11. PR 57531. [Yann Ylavic] Submitted By: ylavic Committed By: covener git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1664205 13f79535-47bb-0310-9956-ffa450edef68
apache · Mar 5, 2015 · 6a97405 · 6a97405
1 parent 1fd42eb
commit 6a97405
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 2 deletions.
diff --git a/CHANGES b/CHANGES
@@ -1,6 +1,11 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.5.0
 
+  *) SECURITY: CVE-2015-0253 (cve.mitre.org)
+     core: Fix a crash introduced in with ErrorDocument 400 pointing
+     to a local URL-path with the INCLUDES filter active, introduced
+     in 2.4.11. PR 57531. [Yann Ylavic]
+
   *) core: If explicitly configured, use the KeepaliveTimeout value of the
      virtual host which handled the latest request on the connection, or by
      default the one of the first virtual host bound to the same IP:port.

diff --git a/server/protocol.c b/server/protocol.c
@@ -606,15 +606,15 @@ static int read_request_line(request_rec *r, apr_bucket_brigade *bb)
              */
             if (APR_STATUS_IS_ENOSPC(rv)) {
                 r->status    = HTTP_REQUEST_URI_TOO_LARGE;
-                r->proto_num = HTTP_VERSION(1,0);
-                r->protocol  = apr_pstrdup(r->pool, "HTTP/1.0");
             }
             else if (APR_STATUS_IS_TIMEUP(rv)) {
                 r->status = HTTP_REQUEST_TIME_OUT;
             }
             else if (APR_STATUS_IS_EINVAL(rv)) {
                 r->status = HTTP_BAD_REQUEST;
             }
+            r->proto_num = HTTP_VERSION(1,0);
+            r->protocol  = apr_pstrdup(r->pool, "HTTP/1.0");
             return 0;
         }
     } while ((len <= 0) && (++num_blank_lines < max_blank_lines));