httpd-cvs mailing list archives

From traw...@apache.org
Subject svn commit: r1235443 - in /httpd/httpd/branches/2.2.x: CHANGES STATUS modules/mappers/mod_rewrite.c modules/proxy/mod_proxy.c server/protocol.c
Date Tue, 24 Jan 2012 19:39:32 GMT
Author: trawick
Date: Tue Jan 24 19:39:31 2012
New Revision: 1235443

URL: http://svn.apache.org/viewvc?rev=1235443&view=rev
Log:
Backport trunk revisions 1209432 and 1233604:

SECURITY: CVE-2011-4317 (cve.mitre.org)
Resolve additional cases of URL rewriting with ProxyPassMatch or
RewriteRule, where particular request-URIs could result in undesired
backend network exposure in some configurations.

Submitted by: jorton
Reviewed by: trawick, covener, gregames

Modified:
    httpd/httpd/branches/2.2.x/CHANGES
    httpd/httpd/branches/2.2.x/STATUS
    httpd/httpd/branches/2.2.x/modules/mappers/mod_rewrite.c
    httpd/httpd/branches/2.2.x/modules/proxy/mod_proxy.c
    httpd/httpd/branches/2.2.x/server/protocol.c

Modified: httpd/httpd/branches/2.2.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/CHANGES?rev=1235443&r1=1235442&r2=1235443&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.2.x/CHANGES [utf-8] Tue Jan 24 19:39:31 2012
@@ -6,6 +6,12 @@ Changes with Apache 2.2.22
      could cause the parent to crash at shutdown rather than terminate 
      cleanly.  [Joe Orton]
 
+  *) SECURITY: CVE-2011-4317 (cve.mitre.org)
+     Resolve additional cases of URL rewriting with ProxyPassMatch or
+     RewriteRule, where particular request-URIs could result in undesired
+     backend network exposure in some configurations.
+     [Joe Orton]
+
   *) SECURITY: CVE-2011-3368 (cve.mitre.org)
      Reject requests where the request-URI does not match the HTTP
      specification, preventing unexpected expansion of target URLs in
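Review bot: the new CHANGES entry does not tell administrators that this fix changes behaviour for the request forms covered by the CVE-2011-3368 entry directly below it: the protocol.c hunk in this commit removes the parse-time 400 rejection, so a request-URI that is not "*", not absolute and does not begin with "/" is no longer refused by the core but is instead declined by mod_rewrite and mod_proxy and falls through to whatever handler remains. Suggest adding one sentence to the entry, e.g. "The core no longer rejects such requests with 400; mod_proxy and mod_rewrite now decline them instead.", so that anyone relying on the 2.2.21 rejection (including third-party translate_name modules) knows the contract moved.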

Modified: httpd/httpd/branches/2.2.x/STATUS
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/STATUS?rev=1235443&r1=1235442&r2=1235443&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/STATUS (original)
+++ httpd/httpd/branches/2.2.x/STATUS Tue Jan 24 19:39:31 2012
@@ -138,25 +138,6 @@ PATCHES PROPOSED TO BACKPORT FROM TRUNK:
 	2.2.x patch: https://issues.apache.org/bugzilla/attachment.cgi?id=27976
 	+1: igalic, jim
 
-  * mod_rewrite, mod_proxy: Fix CVE-2011-4317
-      Trunk patch: http://svn.apache.org/viewvc?rev=1209432&view=rev
-      2.2.x patch: trunk patch works
-    +1: jorton
-    trawick: http://mail-archives.apache.org/mod_mbox/httpd-dev/201112.mbox/%3CCAKUrXK4uwT%3DP1KtEziNqFdxXs%2BtyWvggzpL8x2u-Bbq8tZ-Zsw%40mail.gmail.com%3E
-    wrowe: Prefer Jeff's premise (a) to reject all non-resource URIs from httpd
-           rather than a module-by-module test.  In particular, '*' should just
-           work and bypass most hook phases.  In any case, in the revised
-           patch of 12/16, (r->unparsed_uri[0] == '*' && !r->unparsed_uri[1])
-           should be much faster than a callout to strcmp.
-    wrowe: Shouldn't this all simply be handled with an error result from
-           apr_uri_parse?
-    trawick: valid URIs can be used to exploit this, so apr_uri_parse() won't help
-
-    Plan (b) from mail discussion above
-      Adds trunk revision 1233604
-      2.2.x patch: http://people.apache.org/~trawick/CVE-2011-4317-2.2.x.txt
-    +1: trawick, covener, gregames
-
   * mod_proxy: cure size_t abuse part 1, backport relevant bits of r1227856,
     Specifically normalizes ap_proxy_string_read so that the prototype
     agrees with the actual implementation, which I believe is a bug fix

Modified: httpd/httpd/branches/2.2.x/modules/mappers/mod_rewrite.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/mappers/mod_rewrite.c?rev=1235443&r1=1235442&r2=1235443&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/modules/mappers/mod_rewrite.c (original)
+++ httpd/httpd/branches/2.2.x/modules/mappers/mod_rewrite.c Tue Jan 24 19:39:31 2012
@@ -4266,6 +4266,11 @@ static int hook_uri2file(request_rec *r)
         return DECLINED;
     }
 
+    if ((r->unparsed_uri[0] == '*' && r->unparsed_uri[1] == '\0')
+        || !r->uri || r->uri[0] != '/') {
+        return DECLINED;
+    }
+
     /*
      *  add the SCRIPT_URL variable to the env. this is a bit complicated
      *  due to the fact that apache uses subrequests and internal redirects
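Review bot: the added block carries no comment explaining why hook_uri2file declines for "*", a NULL r->uri, or a URI that does not start with "/"; a later cleanup could easily read it as dead code given that protocol.c used to reject these before any hook ran. Suggest a short comment above the condition referencing CVE-2011-4317 and the rationale that per-server RewriteRules must only see abs_path request-URIs. The identical five lines appear again in the mod_proxy.c hunk of this commit; a single predicate in the core (or at least an identical comment in both places) would keep the two copies from drifting apart on a future backport.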

Modified: httpd/httpd/branches/2.2.x/modules/proxy/mod_proxy.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/proxy/mod_proxy.c?rev=1235443&r1=1235442&r2=1235443&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/modules/proxy/mod_proxy.c (original)
+++ httpd/httpd/branches/2.2.x/modules/proxy/mod_proxy.c Tue Jan 24 19:39:31 2012
@@ -566,6 +566,11 @@ static int proxy_trans(request_rec *r)
         return OK;
     }
 
+    if ((r->unparsed_uri[0] == '*' && r->unparsed_uri[1] == '\0')
+        || !r->uri || r->uri[0] != '/') {
+        return DECLINED;
+    }
+
     /* XXX: since r->uri has been manipulated already we're not really
      * compliant with RFC1945 at this point.  But this probably isn't
      * an issue because this is a hybrid proxy/origin server.
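Review bot: the new check returns DECLINED for every request whose r->uri does not begin with "/", which includes the absoluteURI form used by forward-proxy clients; it is placed after the `return OK;` immediately above, so please confirm in the commit log or a comment that the ProxyRequests path is fully handled before this point and that only the ProxyPass/ProxyPassMatch mapping below is being skipped. Note also that r->unparsed_uri is dereferenced without a NULL test while r->uri is tested; if r->unparsed_uri is guaranteed non-NULL by read_request_line a one-line comment saying so would save the next reader the same question.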

Modified: httpd/httpd/branches/2.2.x/server/protocol.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/server/protocol.c?rev=1235443&r1=1235442&r2=1235443&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/server/protocol.c (original)
+++ httpd/httpd/branches/2.2.x/server/protocol.c Tue Jan 24 19:39:31 2012
@@ -640,25 +640,6 @@ static int read_request_line(request_rec
 
     ap_parse_uri(r, uri);
 
-    /* RFC 2616:
-     *   Request-URI    = "*" | absoluteURI | abs_path | authority
-     *
-     * authority is a special case for CONNECT.  If the request is not
-     * using CONNECT, and the parsed URI does not have scheme, and
-     * it does not begin with '/', and it is not '*', then, fail
-     * and give a 400 response. */
-    if (r->method_number != M_CONNECT 
-        && !r->parsed_uri.scheme 
-        && uri[0] != '/'
-        && !(uri[0] == '*' && uri[1] == '\0')) {
-        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-                      "invalid request-URI %s", uri);
-        r->args = NULL;
-        r->hostname = NULL;
-        r->status = HTTP_BAD_REQUEST;
-        r->uri = apr_pstrdup(r->pool, uri);
-    }
-
     if (ll[0]) {
         r->assbackwards = 0;
         pro = ll;
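Review bot: removing this block drops the only place where the core itself refuses a request-URI that is neither "*", nor absolute, nor abs_path (the CVE-2011-3368 defence), so the security property now rests on each URI-mapping module declining such requests individually, as mod_rewrite and mod_proxy do elsewhere in this commit. That is the plan (b) outcome, but the trade-off deserves a comment here or in the log: any other module hooking translate_name or fixups in 2.2.x no longer gets the parse-time rejection and must apply the same test. Suggest at minimum retaining the RFC 2616 Request-URI grammar comment (lines 128 to 134 of the original) next to ap_parse_uri, since it documents what r->uri may contain after this call.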


