httpd-cvs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From jor...@apache.org
Subject svn commit: r1180030 - in /httpd/httpd/branches/2.0.x: CHANGES server/protocol.c
Date Fri, 07 Oct 2011 13:15:01 GMT
Author: jorton
Date: Fri Oct  7 13:15:01 2011
New Revision: 1180030

URL: http://svn.apache.org/viewvc?rev=1180030&view=rev
Log:
Merge r1179239 from trunk:

SECURITY (CVE-2011-3368): Prevent unintended pattern expansion in some
reverse proxy configurations by strictly validating the request-URI:

* server/protocol.c (read_request_line): Send a 400 response if the
  request-URI does not match the grammar from RFC 2616.  This ensures
  the input string for RewriteRule et al really is an absolute path.

Reviewed by: jim, rjung, jorton

Modified:
    httpd/httpd/branches/2.0.x/CHANGES
    httpd/httpd/branches/2.0.x/server/protocol.c

Modified: httpd/httpd/branches/2.0.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/CHANGES?rev=1180030&r1=1180029&r2=1180030&view=diff
==============================================================================
--- httpd/httpd/branches/2.0.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.0.x/CHANGES [utf-8] Fri Oct  7 13:15:01 2011
@@ -1,6 +1,11 @@
-                                                         -*- coding: utf-8 -*-
+                                                         -*- coding: utf-8 -*-
 Changes with Apache 2.0.65
 
+  *) SECURITY: CVE-2011-3368 (cve.mitre.org)
+     Reject requests where the request-URI does not match the HTTP
+     specification, preventing unexpected expansion of target URLs in
+     some reverse proxy configurations.  [Joe Orton]
+
   *) SECURITY: CVE-2011-3192 (cve.mitre.org)
      core: Fix handling of byte-range requests to use less memory, to avoid
      denial of service. If the sum of all ranges in a request is larger than
@@ -8,7 +13,6 @@ Changes with Apache 2.0.65
      PR 51714. [Jeff Trawick, Stefan Fritsch, Jim Jagielski, Ruediger Pluem,
      Eric Covener, <lowprio20 gmail.com>]
 
-
 Changes with Apache 2.0.64
 
   *) SECURITY: CVE-2010-1452 (cve.mitre.org)

Modified: httpd/httpd/branches/2.0.x/server/protocol.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/server/protocol.c?rev=1180030&r1=1180029&r2=1180030&view=diff
==============================================================================
--- httpd/httpd/branches/2.0.x/server/protocol.c (original)
+++ httpd/httpd/branches/2.0.x/server/protocol.c Fri Oct  7 13:15:01 2011
@@ -628,6 +628,25 @@ static int read_request_line(request_rec
 
     ap_parse_uri(r, uri);
 
+    /* RFC 2616:
+     *   Request-URI    = "*" | absoluteURI | abs_path | authority
+     *
+     * authority is a special case for CONNECT.  If the request is not
+     * using CONNECT, and the parsed URI does not have scheme, and
+     * it does not begin with '/', and it is not '*', then, fail
+     * and give a 400 response. */
+    if (r->method_number != M_CONNECT 
+        && !r->parsed_uri.scheme 
+        && uri[0] != '/'
+        && !(uri[0] == '*' && uri[1] == '\0')) {
+        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+                      "invalid request-URI %s", uri);
+        r->args = NULL;
+        r->hostname = NULL;
+        r->status = HTTP_BAD_REQUEST;
+        r->uri = apr_pstrdup(r->pool, uri);
+    }
+
     if (ll[0]) {
         r->assbackwards = 0;
         pro = ll;



Mime
View raw message