[Pkg-apache-commits] r1012 - in /trunk/apache2: changelog patches/00list patches/069_no_deflate_for_HEAD.dpatch

sf at alioth.debian.org sf at alioth.debian.org
Thu Jul 30 11:48:42 UTC 2009 

Author: sf
Date: Thu Jul 30 11:48:42 2009
New Revision: 1012

URL: http://svn.debian.org/wsvn/pkg-apache/?sc=1&rev=1012
Log:
Make mod_deflate not compress the content for HEAD requests

Added:
    trunk/apache2/patches/069_no_deflate_for_HEAD.dpatch
Modified:
    trunk/apache2/changelog
    trunk/apache2/patches/00list

Modified: trunk/apache2/changelog
URL: http://svn.debian.org/wsvn/pkg-apache/trunk/apache2/changelog?rev=1012&op=diff
==============================================================================
--- trunk/apache2/changelog (original)
+++ trunk/apache2/changelog Thu Jul 30 11:48:42 2009
@@ -5,6 +5,8 @@
     - Fixes timefmt config in SSI (closes: #363964).
     - mod_ssl: Adds SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN directives
       to enable stricter checking of remote server certificates.
+  * Make mod_deflate not compress the content for HEAD requests. This is a
+    similar issue as CVE-2009-1891.
   * Enable hardening compile options.
   * Switch default LogFormat from %b (size of file sent) to %O (bytes actually
     sent) (closes: #272476 LP: #255124)

Modified: trunk/apache2/patches/00list
URL: http://svn.debian.org/wsvn/pkg-apache/trunk/apache2/patches/00list?rev=1012&op=diff
==============================================================================
--- trunk/apache2/patches/00list (original)
+++ trunk/apache2/patches/00list Thu Jul 30 11:48:42 2009
@@ -18,6 +18,7 @@
 058_suexec-CVE-2007-1742.dpatch
 067_fix_segfault_in_ab.dpatch
 068_mod_dav_detect_EOF.dpatch
+069_no_deflate_for_HEAD.dpatch
 099_config_guess_sub_update
 200_cp_suexec.dpatch
 201_build_suexec-custom.dpatch

Added: trunk/apache2/patches/069_no_deflate_for_HEAD.dpatch
URL: http://svn.debian.org/wsvn/pkg-apache/trunk/apache2/patches/069_no_deflate_for_HEAD.dpatch?rev=1012&op=file
==============================================================================
--- trunk/apache2/patches/069_no_deflate_for_HEAD.dpatch (added)
+++ trunk/apache2/patches/069_no_deflate_for_HEAD.dpatch Thu Jul 30 11:48:42 2009
@@ -1,0 +1,30 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: mod_deflate DoS
+## DP: This should switch off deflate for HEAD requests
+## DP: Patch by Ruediger Pluem
+
+ at DPATCH@
+--- a/modules/filters/mod_deflate.c       (revision 793927)
++++ a/modules/filters/mod_deflate.c       (working copy)
+@@ -629,6 +629,19 @@
+         apr_bucket *b;
+         apr_size_t len;
+
++        /*
++         * Optimization: If we are a HEAD request and bytes_sent is not zero
++         * it means that we have passed the content-length filter once and
++         * have more data to sent. This means that the content-length filter
++         * could not determine our content-length for the response to the
++         * HEAD request anyway (the associated GET request would deliver the
++         * body in chunked encoding) and we can stop compressing.
++         */
++        if (r->header_only && r->bytes_sent) {
++            ap_remove_output_filter(f);
++            return ap_pass_brigade(f->next, bb);
++        }
++
+         e = APR_BRIGADE_FIRST(bb);
+
+         if (APR_BUCKET_IS_EOS(e)) {

More information about the Pkg-apache-commits mailing list