rpms / httpd24-httpd

Clone
Source Code
GIT

Blame SOURCES/httpd-2.4.34-CVE-2018-17199.patch

c7
  1.   e8122d447d312afb94d4bb709eef3c0a410b1e50
  2.   SOURCES
  3.   httpd-2.4.34-CVE-2018-17199.patch
Blob History Raw
ad4e62 
From 34f58ae20d9a85f2a1508a9a732874239491d456 Mon Sep 17 00:00:00 2001
ad4e62 
From: Hank Ibell <hwibell@apache.org>
ad4e62 
Date: Tue, 15 Jan 2019 19:54:41 +0000
ad4e62 
Subject: [PATCH] mod_session: Always decode session attributes early.
ad4e62
ad4e62 
Backport r1850947 from trunk
ad4e62 
Submitted by: hwibell
ad4e62 
Reviewed by: hwibell, covener, wrowe
ad4e62
ad4e62
ad4e62 
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1851409 13f79535-47bb-0310-9956-ffa450edef68
ad4e62 
---
ad4e62 
diff --git a/modules/session/mod_session.c b/modules/session/mod_session.c
ad4e62 
index d517020d995..64e6e4a8132 100644
ad4e62 
--- a/modules/session/mod_session.c
ad4e62 
+++ b/modules/session/mod_session.c
ad4e62 
@@ -126,20 +126,23 @@ static apr_status_t ap_session_load(request_rec * r, session_rec ** z)
ad4e62
ad4e62 
     /* found a session that hasn't expired? */
ad4e62 
     now = apr_time_now();
ad4e62 
+
ad4e62 
     if (zz) {
ad4e62 
-        if (zz->expiry && zz->expiry < now) {
ad4e62 
+        /* load the session attibutes */
ad4e62 
+        rv = ap_run_session_decode(r, zz);
ad4e62 
+
ad4e62 
+        /* having a session we cannot decode is just as good as having
ad4e62 
+           none at all */
ad4e62 
+       if (OK != rv) {
ad4e62 
+            ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, APLOGNO(01817)
ad4e62 
+                    "error while decoding the session, "
ad4e62 
+                    "session not loaded: %s", r->uri);
ad4e62 
             zz = NULL;
ad4e62 
         }
ad4e62 
-        else {
ad4e62 
-            /* having a session we cannot decode is just as good as having
ad4e62 
-               none at all */
ad4e62 
-            rv = ap_run_session_decode(r, zz);
ad4e62 
-            if (OK != rv) {
ad4e62 
-                ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, APLOGNO(01817)
ad4e62 
-                              "error while decoding the session, "
ad4e62 
-                              "session not loaded: %s", r->uri);
ad4e62 
-                zz = NULL;
ad4e62 
-            }
ad4e62 
+
ad4e62 
+       /* invalidate session if session is expired */
ad4e62 
+        if (zz && zz->expiry && zz->expiry < now) {
ad4e62 
+            zz = NULL;
ad4e62 
         }
ad4e62 
     }
ad4e62

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation