[interchange/STABLE_5_6-branch] Fix "HTTP Response Splitting" security exploit
David Christensen
interchange-cvs at icdevgroup.org
Thu Mar 25 04:44:08 UTC 2010
commit f8d6a56957a873f50512f730fd39966d67ee0fa5
Author: David Christensen <david at endpoint.com>
Date: Mon Mar 22 17:29:22 2010 -0500
Fix "HTTP Response Splitting" security exploit
Discovery and patch from Justin Otten <justin.otten at gmail.com>:
Added new method to Util.pm for scrubbing newlines from header data.
Updated all discovered instances of the use of the "Location" header
to run the URL through the routine.
code/SystemTag/deliver.coretag | 4 ++++
lib/Vend/Dispatch.pm | 1 +
lib/Vend/Error.pm | 2 ++
lib/Vend/Parse.pm | 3 +++
lib/Vend/Util.pm | 11 +++++++++++
5 files changed, 21 insertions(+), 0 deletions(-)
---
diff --git a/code/SystemTag/deliver.coretag b/code/SystemTag/deliver.coretag
index 08b4955..3cbd226 100644
--- a/code/SystemTag/deliver.coretag
+++ b/code/SystemTag/deliver.coretag
@@ -32,6 +32,10 @@ sub {
## This is a bounce, returns
if($opt->{location}) {
+ $type = Vend::Util::header_data_scrub($type);
+ $opt->{status} = Vend::Util::header_data_scrub($opt->{status});
+ $opt->{location} = Vend::Util::header_data_scrub($opt->{location});
+
$type and $Tag->tag( {
op => 'header',
name => 'Content-Type',
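Review bot: The three scrub calls are placed inside the `if($opt->{location})` bounce branch only, so `$type` (and `$opt->{status}`) reach the non-bounce path unscrubbed; that path lies outside the hunk, and if it also emits `$type` as a Content-Type header it needs the same treatment, e.g. hoisting `$type = Vend::Util::header_data_scrub($type);` above the `if`. A one-line comment on the first added line would help the next reader, since nothing here says why a Content-Type value is being scrubbed: `## strip CR/LF (raw and %-encoded) before these values become response headers`. The enclosing anonymous sub starts and ends outside the hunk.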
diff --git a/lib/Vend/Dispatch.pm b/lib/Vend/Dispatch.pm
index 0db15cc..f268cbd 100644
--- a/lib/Vend/Dispatch.pm
+++ b/lib/Vend/Dispatch.pm
@@ -1456,6 +1456,7 @@ EOF
grep !/^mv_(?:pc|source)$/,
sort keys %CGI::values;
my $url = vendUrl($path eq '' ? $Vend::Cfg->{DirectoryIndex} : $path, undef, undef, { form => $form, match_security => 1 });
+ $url = header_data_scrub($url);
my $msg = get_locale_message(
301,
"Redirected to %s.",
diff --git a/lib/Vend/Error.pm b/lib/Vend/Error.pm
index 4a1f352..f399dd2 100644
--- a/lib/Vend/Error.pm
+++ b/lib/Vend/Error.pm
@@ -56,6 +56,8 @@ sub get_locale_message {
}
if($message !~ /\s/) {
if($message =~ /^http:/) {
+ $message = header_data_scrub($message);
+
$Vend::StatusLine =~ s/([^\r\n])$/$1\r\n/;
$Vend::StatusLine .= "Status: 302 Moved\r\nLocation: $message\r\n";
$message = "Redirected to $message.";
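Review bot: The added scrub reads as redundant next to the `$message !~ /\s/` guard two lines above, which already rules out raw CR and LF; what it actually adds here is removal of the URL-encoded forms `%0d`/`%0a`, which are not whitespace. A comment on the added line makes that intent explicit: `## no raw CR/LF can be here (no whitespace above); this also strips the %0d/%0a encodings before $message is written into Location`. The enclosing `get_locale_message` sub starts and ends outside the hunk.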
diff --git a/lib/Vend/Parse.pm b/lib/Vend/Parse.pm
index 96536a2..328e080 100644
--- a/lib/Vend/Parse.pm
+++ b/lib/Vend/Parse.pm
@@ -751,6 +751,9 @@ sub start {
if(! $attr->{href} and $attr->{page}) {
$attr->{href} = Vend::Interpolate::tag_area($attr->{page});
}
+
+ $attr->{href} = header_data_scrub($attr->{href});
+
$Vend::StatusLine = '' if ! $Vend::StatusLine;
$Vend::StatusLine .= "\n" if $Vend::StatusLine !~ /\n$/;
$Vend::StatusLine .= <<EOF if $attr->{target};
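Review bot: Only `$attr->{href}` is scrubbed, yet the last line of the hunk appends a heredoc to `$Vend::StatusLine` conditioned on `$attr->{target}`; the heredoc body is outside the hunk, so if it interpolates `$attr->{target}` into a header line, that value is a second injection point that this change leaves open. The same one-liner covers it: `$attr->{target} = header_data_scrub($attr->{target}) if defined $attr->{target};`. The enclosing `start` sub starts and continues outside the hunk.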
diff --git a/lib/Vend/Util.pm b/lib/Vend/Util.pm
index 866aa4f..54e303d 100644
--- a/lib/Vend/Util.pm
+++ b/lib/Vend/Util.pm
@@ -44,6 +44,7 @@ require Exporter;
generate_key
get_option_hash
hash_string
+ header_data_scrub
hexify
is_hash
is_no
@@ -2295,6 +2296,16 @@ sub backtrace {
undef;
}
+sub header_data_scrub {
+ my ($head_data) = @_;
+
+ ## "HTTP Response Splitting" Exploit Fix
+ ## http://www.securiteam.com/securityreviews/5WP0E2KFGK.html
+ $head_data =~ s/(?:%0[da]|[\r\n]+)+//ig;
+
+ return $head_data;
+}
+
### Provide stubs for former Vend::Util functions relocated to Vend::File
*canonpath = \&Vend::File::canonpath;
*catdir = \&Vend::File::catdir;
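Review bot: header_data_scrub runs `s///` on `$head_data` unconditionally, so callers that hand it a possibly absent value — `$opt->{status}` in the deliver.coretag hunk and `$attr->{href}` in the Parse.pm hunk — produce an uninitialized-value warning wherever warnings are enabled; a guard as the first statement, `return $head_data unless defined $head_data;`, keeps undef in as undef out and lets every caller stay as written. The routine also removes rather than rejects: only CR, LF and their `%0d`/`%0a` encodings are stripped and nothing is logged, so an attempted injection leaves no trace unless a caller compares input and output. The header comment should state the contract rather than only cite the advisory: `## Strip raw and %-encoded CR/LF from a value about to be emitted as an HTTP header (Location, Status, Content-Type); returns the scrubbed copy, never the original.`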