diff options
| author | Chad Loder <cloder@cvs.openbsd.org> | 2003-02-15 18:04:39 +0000 |
|---|---|---|
| committer | Chad Loder <cloder@cvs.openbsd.org> | 2003-02-15 18:04:39 +0000 |
| commit | 58a8a0ab9b8e8b4ab947c9442c8cc73da2cf0995 (patch) | |
| tree | f28d615bf0e0ddd9797cac256ab5cd993f7e69f0 /usr.sbin/httpd | |
| parent | 1ee8c29679cdb7a167f0e6d5c0400027d1240245 (diff) | |
Don't leak httpd child PIDs via multipart MIME boundary separators.
Instead, generate a random MIME boundary separator that is also
much longer, which makes it less likely to occur in the data.
Before:
HTTP/1.1 206 Partial Content
Server: Apache/1.3.27 (Unix) mod_ssl/2.8.12 OpenSSL/0.9.7-beta3
Content-Type: multipart/byteranges; boundary=3e4e7d648e6
where the first 6 hex digits of the boundary is the request
time and the last 4 hex digits of the boundary (48e6) is the PID
of the httpd process that served the request.
After:
HTTP/1.1 206 Partial Content
Server: Apache/1.3.27 (Unix) mod_ssl/2.8.12 OpenSSL/0.9.7-beta3
Content-Type: multipart/byteranges; boundary=lqmQDSxeaFSosnx+R46M94slY7G5BKGVPIhCc4ffoW852Vz0RbOaLJfMCAHHTfvR
The boundary now consists of 48 pseudorandom bytes encoded into 64
base64 characters. This is in accordance with RFC 1341 section 7.2.1.
Based on conversations with deraadt@. OK deraadt@
Diffstat (limited to 'usr.sbin/httpd')
| -rw-r--r-- | usr.sbin/httpd/src/main/http_protocol.c | 12 |
1 files changed, 10 insertions, 2 deletions
diff --git a/usr.sbin/httpd/src/main/http_protocol.c b/usr.sbin/httpd/src/main/http_protocol.c index 80fcf8b558c..12793195e1d 100644 --- a/usr.sbin/httpd/src/main/http_protocol.c +++ b/usr.sbin/httpd/src/main/http_protocol.c @@ -284,7 +284,10 @@ static int byterange_boundary(request_rec *r, long start, long end, int output) API_EXPORT(int) ap_set_byterange(request_rec *r) { const char *range, *if_range, *match; + char *bbuf; + u_int32_t rbuf[12]; /* 48 bytes yields 64 base64 chars */ long length, start, end, one_start = 0, one_end = 0; + size_t u; int ranges, empty; if (!r->clength || r->assbackwards) @@ -330,8 +333,13 @@ API_EXPORT(int) ap_set_byterange(request_rec *r) * caller will perform if we return 1. */ r->range = range; - r->boundary = ap_psprintf(r->pool, "%lx%lx", - r->request_time, (long) getpid()); + for (u = 0; u < sizeof(rbuf)/sizeof(rbuf[0]); u++) + rbuf[u] = htonl(arc4random()); + + bbuf = ap_palloc(r->pool, ap_base64encode_len(sizeof(rbuf))); + ap_base64encode(bbuf, (const unsigned char *)rbuf, sizeof(rbuf)); + r->boundary = bbuf; + length = 0; ranges = 0; empty = 1; |