httpd-cvs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From jor...@apache.org
Subject svn commit: r1209436 - in /httpd/httpd/branches/2.4.x/modules: mappers/mod_rewrite.c proxy/mod_proxy.c
Date Fri, 02 Dec 2011 12:12:25 GMT
Author: jorton
Date: Fri Dec  2 12:12:24 2011
New Revision: 1209436

URL: http://svn.apache.org/viewvc?rev=1209436&view=rev
Log:
Merge r1209432 from trunk:

Fix for additional cases of URL rewriting with ProxyPassMatch or
RewriteRule, where particular request-URIs could result in undesired
backend network exposure in some configurations. (CVE-2011-4317)

Thanks to Prutha Parikh from Qualys for reporting this issue.

* modules/proxy/mod_proxy.c (proxy_trans): Decline to handle the "*"
  request-URI.  Fail for cases where r->uri does not begin with a "/".

* modules/mappers/mod_rewrite.c (hook_uri2file): Likewise.


Modified:
    httpd/httpd/branches/2.4.x/modules/mappers/mod_rewrite.c
    httpd/httpd/branches/2.4.x/modules/proxy/mod_proxy.c

Modified: httpd/httpd/branches/2.4.x/modules/mappers/mod_rewrite.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/mappers/mod_rewrite.c?rev=1209436&r1=1209435&r2=1209436&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/modules/mappers/mod_rewrite.c (original)
+++ httpd/httpd/branches/2.4.x/modules/mappers/mod_rewrite.c Fri Dec  2 12:12:24 2011
@@ -4419,6 +4419,18 @@ static int hook_uri2file(request_rec *r)
         return DECLINED;
     }
 
+    if (strcmp(r->unparsed_uri, "*") == 0) {
+        /* Don't apply rewrite rules to "*". */
+        return DECLINED;
+    }
+
+    /* Check that the URI is valid. */
+    if (!r->uri || r->uri[0] != '/') {
+        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+                     "Invalid URI in request %s", r->the_request);
+        return HTTP_BAD_REQUEST;
+    }
+    
     /*
      *  add the SCRIPT_URL variable to the env. this is a bit complicated
      *  due to the fact that apache uses subrequests and internal redirects

Modified: httpd/httpd/branches/2.4.x/modules/proxy/mod_proxy.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/proxy/mod_proxy.c?rev=1209436&r1=1209435&r2=1209436&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/modules/proxy/mod_proxy.c (original)
+++ httpd/httpd/branches/2.4.x/modules/proxy/mod_proxy.c Fri Dec  2 12:12:24 2011
@@ -655,6 +655,18 @@ static int proxy_trans(request_rec *r)
         return OK;
     }
 
+    if (strcmp(r->unparsed_uri, "*") == 0) {
+        /* "*" cannot be proxied. */
+        return DECLINED;
+    }
+
+    /* Check that the URI is valid. */
+    if (!r->uri || r->uri[0] != '/') {
+        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+                     "Invalid URI in request %s", r->the_request);
+        return HTTP_BAD_REQUEST;
+    }
+
     /* XXX: since r->uri has been manipulated already we're not really
      * compliant with RFC1945 at this point.  But this probably isn't
      * an issue because this is a hybrid proxy/origin server.



Mime
View raw message