Security fix for CVE-2009-2855

ok brad (MAINTAINER)
This commit is contained in:
jasper 2009-08-30 21:52:44 +00:00
parent 8be8b697a1
commit 34c1f307c2
2 changed files with 42 additions and 2 deletions

View File

@ -1,10 +1,11 @@
# $OpenBSD: Makefile,v 1.98 2009/02/08 15:04:33 sthen Exp $
# $OpenBSD: Makefile,v 1.99 2009/08/30 21:52:44 jasper Exp $
COMMENT= WWW and FTP proxy cache and accelerator
DISTNAME= squid-2.7.STABLE6
PKGNAME= ${DISTNAME}p0
CATEGORIES= www
MASTER_SITES= ${HOMEPAGE}Versions/v2/2.7/
MASTER_SITES= ${HOMEPAGE}/Versions/v2/2.7/
DIST_SUBDIR= squid
HOMEPAGE= http://www.squid-cache.org/

View File

@ -0,0 +1,39 @@
$OpenBSD: patch-src_HttpHeaderTools_c,v 1.1 2009/08/30 21:52:44 jasper Exp $
Security fix for CVE-2009-2855.
Patch from upstream repository:
http://www.squid-cache.org/Versions/v2/HEAD/changesets/12541.patch
--- src/HttpHeaderTools.c.orig Sun Aug 30 20:43:57 2009
+++ src/HttpHeaderTools.c Sun Aug 30 20:44:54 2009
@@ -239,6 +239,10 @@ int
strListGetItem(const String * str, char del, const char **item, int *ilen, const char **pos)
{
size_t len;
+ /* ',' is always enabled as field delimiter as this is required for
+ * processing merged header values properly, even if Cookie normally
+ * uses ';' as delimiter.
+ */
static char delim[3][8] =
{
"\"?,",
@@ -261,16 +265,15 @@ strListGetItem(const String * str, char del, const cha
/* find next delimiter */
do {
*pos += strcspn(*pos, delim[quoted]);
- if (**pos == del)
- break;
if (**pos == '"') {
quoted = !quoted;
*pos += 1;
- }
- if (quoted && **pos == '\\') {
+ } else if (quoted && **pos == '\\') {
*pos += 1;
if (**pos)
*pos += 1;
+ } else {
+ break; /* Delimiter found, marking the end of this value */
}
} while (**pos);
len = *pos - *item; /* *pos points to del or '\0' */