[Pkg-apache-commits] r1012 - in /trunk/apache2: changelog patches/00list patches/069_no_deflate_for_HEAD.dpatch
sf at alioth.debian.org
Thu Jul 30 11:48:42 UTC 2009
Author: sf
Date: Thu Jul 30 11:48:42 2009
New Revision: 1012
URL: http://svn.debian.org/wsvn/pkg-apache/?sc=1&rev=1012
Log:
Make mod_deflate not compress the content for HEAD requests
Added:
trunk/apache2/patches/069_no_deflate_for_HEAD.dpatch
Modified:
trunk/apache2/changelog
trunk/apache2/patches/00list
Modified: trunk/apache2/changelog
URL: http://svn.debian.org/wsvn/pkg-apache/trunk/apache2/changelog?rev=1012&op=diff
==============================================================================
--- trunk/apache2/changelog (original)
+++ trunk/apache2/changelog Thu Jul 30 11:48:42 2009
@@ -5,6 +5,8 @@
- Fixes timefmt config in SSI (closes: #363964).
- mod_ssl: Adds SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN directives
to enable stricter checking of remote server certificates.
+ * Make mod_deflate not compress the content for HEAD requests. This is a
+ similar issue as CVE-2009-1891.
* Enable hardening compile options.
* Switch default LogFormat from %b (size of file sent) to %O (bytes actually
sent) (closes: #272476 LP: #255124)
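Review bot: The changelog entry overstates what 069_no_deflate_for_HEAD.dpatch does: the filter is only removed when `r->header_only && r->bytes_sent` holds, so the first brigade of a HEAD response is still deflated and only the remainder is passed through uncompressed. Suggest wording it as "Make mod_deflate stop compressing HEAD responses once the first brigade has passed the content-length filter" so the entry matches the code, and "a similar issue to CVE-2009-1891" rather than "as".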
Modified: trunk/apache2/patches/00list
URL: http://svn.debian.org/wsvn/pkg-apache/trunk/apache2/patches/00list?rev=1012&op=diff
==============================================================================
--- trunk/apache2/patches/00list (original)
+++ trunk/apache2/patches/00list Thu Jul 30 11:48:42 2009
@@ -18,6 +18,7 @@
058_suexec-CVE-2007-1742.dpatch
067_fix_segfault_in_ab.dpatch
068_mod_dav_detect_EOF.dpatch
+069_no_deflate_for_HEAD.dpatch
099_config_guess_sub_update
200_cp_suexec.dpatch
201_build_suexec-custom.dpatch
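Review bot: Naming is a style point only. The existing list tags security patches with their identifier (058_suexec-CVE-2007-1742.dpatch) while 069_no_deflate_for_HEAD.dpatch carries no hint that it is a DoS fix; since the changelog says the issue is only "similar" to CVE-2009-1891 and no identifier is assigned, the name is acceptable, but the DP: header in the dpatch should then carry the upstream origin so the link is recorded somewhere.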
Added: trunk/apache2/patches/069_no_deflate_for_HEAD.dpatch
URL: http://svn.debian.org/wsvn/pkg-apache/trunk/apache2/patches/069_no_deflate_for_HEAD.dpatch?rev=1012&op=file
==============================================================================
--- trunk/apache2/patches/069_no_deflate_for_HEAD.dpatch (added)
+++ trunk/apache2/patches/069_no_deflate_for_HEAD.dpatch Thu Jul 30 11:48:42 2009
@@ -1,0 +1,30 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: mod_deflate DoS
+## DP: This should switch off deflate for HEAD requests
+## DP: Patch by Ruediger Pluem
+
+ at DPATCH@
+--- a/modules/filters/mod_deflate.c (revision 793927)
++++ a/modules/filters/mod_deflate.c (working copy)
+@@ -629,6 +629,19 @@
+ apr_bucket *b;
+ apr_size_t len;
+
++ /*
++ * Optimization: If we are a HEAD request and bytes_sent is not zero
++ * it means that we have passed the content-length filter once and
++ * have more data to sent. This means that the content-length filter
++ * could not determine our content-length for the response to the
++ * HEAD request anyway (the associated GET request would deliver the
++ * body in chunked encoding) and we can stop compressing.
++ */
++ if (r->header_only && r->bytes_sent) {
++ ap_remove_output_filter(f);
++ return ap_pass_brigade(f->next, bb);
++ }
++
+ e = APR_BRIGADE_FIRST(bb);
+
+ if (APR_BUCKET_IS_EOS(e)) {
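Review bot: The DP: description ("This should switch off deflate for HEAD requests") and the in-code comment do not agree with the condition on the added line `if (r->header_only && r->bytes_sent)`. Compression is not switched off for HEAD requests as such; it continues for the first brigade and is only abandoned on later calls, when bytes_sent is already non-zero. Suggest rewording the DP: line to "stop compressing a HEAD response once it has passed the content-length filter" and dropping the word "Optimization" from the comment, since the header above calls this a DoS fix and the comment should state that rationale (a HEAD request otherwise makes the server deflate the whole body it will never send). Two smaller points in the same hunk: "more data to sent" should read "more data to send", and both file headers use the `a/` prefix (`--- a/modules/filters/mod_deflate.c` / `+++ a/modules/filters/mod_deflate.c`); `b/` on the `+++` line is the usual convention and avoids confusion about which side is the working copy. One thing to confirm rather than change: after `ap_remove_output_filter(f)` the hunk does not touch the deflate context in `f->ctx`, so the zlib stream is left to whatever cleanup is registered on the request pool; that is not visible here and should be checked before this goes in.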