Date: Wed, 23 Nov 2011 14:23:21 +0000
From: Joe Orton
To: dev@httpd.apache.org
Subject: [RFC] further proxy/rewrite URL validation security issue (CVE-2011-4317)
Message-ID: <20111123142321.GB22547@redhat.com>

Prutha Parikh from Qualys reported a variant on the CVE-2011-3368 attack against certain mod_proxy/mod_rewrite configurations. A new CVE name, CVE-2011-4317, has been assigned to this variant.

The configurations in question are the same as affected by -3368, e.g.:

  RewriteRule ^(.*) http://www.example.com$1 [P]

and the equivalent ProxyPassMatch. Request examples are:

  GET @localhost::8880 HTTP/1.0\r\n\r\n
  GET qualys:@qqq.qq.qualys.com HTTP/1.0\r\n\r\n

These unfortunately do not get trapped in the request parsing trap added in r1179239, so result in an input to rewrite rule processing which does not match the URL-path grammar (i.e. does not start with "/"). We could try to improve that fix, but I think it would be simpler to change the translate_name hooks in mod_proxy and mod_rewrite to enforce the requirement in the "right" place. Other translate_name hooks do this already.

I propose the patch below. Any comments?

Index: modules/proxy/mod_proxy.c
===================================================================
--- modules/proxy/mod_proxy.c (revision 1179633)
+++ modules/proxy/mod_proxy.c (working copy)
@@ -566,6 +566,13 @@ return OK; } + /* Check that the URI is valid. */ + if (!r->uri || r->uri[0] != '/') { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "Invalid URI in request %s", r->the_request); + return HTTP_BAD_REQUEST; + } + /* XXX: since r->uri has been manipulated already we're not really * compliant with RFC1945 at this point. But this probably isn't * an issue because this is a hybrid proxy/origin server. Index: modules/mappers/mod_rewrite.c =================================================================== --- modules/mappers/mod_rewrite.c (revision 1179633) +++ modules/mappers/mod_rewrite.c (working copy) @@ -4266,6 +4266,13 @@ return DECLINED; } + /* Check that the URI is valid. */ + if (!r->uri || r->uri[0] != '/') { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "Invalid URI in request %s", r->the_request); + return HTTP_BAD_REQUEST; + } + /* * add the SCRIPT_URL variable to the env. this is a bit complicated * due to the fact that apache uses subrequests and internal redirects
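Review bot: on the mod_proxy.c hunk, the new `r->uri[0] != '/'` test also rejects `OPTIONS *`, whose request-URI is the literal `*` rather than a path, so that request now gets a 400 from proxy_trans on any server with mod_proxy loaded; consider exempting `*` (e.g. `&& strcmp(r->uri, "*") != 0`) or returning DECLINED instead of HTTP_BAD_REQUEST so the proxy module does not fail requests it is not going to handle. The check only works because it sits after the visible `return OK;` for requests that already have r->proxyreq set (forward-proxy requests carry an absolute URI that would otherwise trip it); a line in the new comment stating that ordering dependency would help the next person who reorders this function.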
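Review bot: the mod_rewrite.c hunk has the same `*` problem as the mod_proxy one: `OPTIONS *` reaches hook_uri2file with r->uri equal to `*` and is turned into a 400 wherever mod_rewrite is active for the request, so either exempt `*` or return DECLINED here as the surrounding code does for the other early exits. The log message is also word-for-word the same in both modules, so an error.log entry will not say which module rejected the request; prefixing it with the module name (or otherwise distinguishing the two strings) makes it much easier to attribute a rejected request of the kind shown in the mail when reviewing logs.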