Return-Path:
X-Original-To: apmail-httpd-dev-archive@www.apache.org
Delivered-To: apmail-httpd-dev-archive@www.apache.org
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
by minotaur.apache.org (Postfix) with SMTP id EA1949FCB
for ;
Fri, 8 Jun 2012 08:38:32 +0000 (UTC)
Received: (qmail 28866 invoked by uid 500); 8 Jun 2012 08:38:32 -0000
Delivered-To: apmail-httpd-dev-archive@httpd.apache.org
Received: (qmail 28753 invoked by uid 500); 8 Jun 2012 08:38:30 -0000
Mailing-List: contact dev-help@httpd.apache.org; run by ezmlm
Precedence: bulk
Reply-To: dev@httpd.apache.org
list-help:
list-unsubscribe:
List-Post:
List-Id:
Delivered-To: mailing list dev@httpd.apache.org
Received: (qmail 28081 invoked by uid 99); 8 Jun 2012 08:38:27 -0000
Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230)
by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 08 Jun 2012 08:38:27 +0000
X-ASF-Spam-Status: No, hits=-5.0 required=5.0
tests=RCVD_IN_DNSWL_HI,SPF_HELO_PASS,SPF_PASS
X-Spam-Check-By: apache.org
Received-SPF: pass (nike.apache.org: domain of jorton@redhat.com designates
209.132.183.28 as permitted sender)
Received: from [209.132.183.28] (HELO mx1.redhat.com) (209.132.183.28)
by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 08 Jun 2012 08:38:20 +0000
Received: from int-mx11.intmail.prod.int.phx2.redhat.com
(int-mx11.intmail.prod.int.phx2.redhat.com [10.5.11.24])
by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id q588bwE1013061
(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK)
for ; Fri, 8 Jun 2012 04:37:58 -0400
Received: from iberis.manyfish.co.uk (vpn-8-226.rdu.redhat.com [10.11.8.226])
by int-mx11.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id
q588bvVp018149
(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO)
for ; Fri, 8 Jun 2012 04:37:58 -0400
Received: from jorton by iberis.manyfish.co.uk with local (Exim 4.76)
(envelope-from )
id 1Scuhg-0005QG-MQ
for dev@httpd.apache.org; Fri, 08 Jun 2012 09:37:56 +0100
Date: Fri, 8 Jun 2012 09:37:56 +0100
From: Joe Orton
To: dev@httpd.apache.org
Subject: Re: post-CVE-2011-4317 (rewrite proxy unintended interpolation)
rewrite PR's
Message-ID: <20120608083756.GA20711@redhat.com>
Mail-Followup-To: dev@httpd.apache.org
References:
<4FC0D859.3010101@kippdata.de>
<20120607155510.GA27883@redhat.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To:
User-Agent: Mutt/1.5.21 (2010-09-15)
Organization: Registered in England and Wales under Company Registration No.
03798903
Directors: Michael Cunningham (USA), Mark Hegarty (Ireland),
Matt Parson (USA), Charlie Peters (USA)
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.24
On Thu, Jun 07, 2012 at 01:23:29PM -0400, Eric Covener wrote:
> e.g. RewriteOptions +"I know I'm running this regex against something
> that's not guaranteed to look like a URL-path, and I'll write a regex
> that carefully matches/captures the input"
How about this? I'm not sure how to put the right level of fear into
the name. AllowUnsafeURI? AllowInsecureURIMatch?
(This patch works for the CONNECT rewriting case; I haven't tested the
other problematic cases.)
Index: modules/mappers/mod_rewrite.c
===================================================================
--- modules/mappers/mod_rewrite.c (revision 1347667)
+++ modules/mappers/mod_rewrite.c (working copy)
@@ -190,6 +190,7 @@
#define OPTION_INHERIT 1<<1
#define OPTION_INHERIT_BEFORE 1<<2
#define OPTION_NOSLASH 1<<3
+#define OPTION_ANYURI 1<<4
#ifndef RAND_MAX
#define RAND_MAX 32767
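Review bot: OPTION_ANYURI copies the unparenthesised `1<<4` style of the neighbouring defines; that is safe in the `(dconf->options & OPTION_ANYURI) == 0` test further down only because `<<` binds tighter than `&`, so it is worth writing the new one as `#define OPTION_ANYURI (1<<4)` rather than extending the habit to a flag that now gates a security check.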
@@ -2895,6 +2896,9 @@
"LimitInternalRecursion directive and will be "
"ignored.");
}
+ else if (!strcasecmp(w, "allowanyuri")) {
+ options |= OPTION_ANYURI;
+ }
else {
return apr_pstrcat(cmd->pool, "RewriteOptions: unknown option '",
w, "'", NULL);
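Review bot: the new `allowanyuri` branch only sets the bit and stays silent, while the branch immediately above it reports (via the LimitInternalRecursion message) when an option has no effect; since the documentation hunk says the option is strongly discouraged, consider emitting a startup warning here as well so that an administrator who inherits a config with `RewriteOptions AllowAnyURI` can see in the error log that the URL-path guard is switched off.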
@@ -4443,8 +4447,14 @@
return DECLINED;
}
- if ((r->unparsed_uri[0] == '*' && r->unparsed_uri[1] == '\0')
- || !r->uri || r->uri[0] != '/') {
+ /* Unless the anyuri option is set, ensure that the input to the
+ * first rule really is a URL-path, avoiding security issues with
+ * poorly configured rules. See CVE-2011-3368, CVE-2011-4317. */
+ if ((dconf->options & OPTION_ANYURI) == 0
+ && ((r->unparsed_uri[0] == '*' && r->unparsed_uri[1] == '\0')
+ || !r->uri || r->uri[0] != '/')) {
+ rewritelog((r, 8, NULL, "Declining, request-URI '%s' is not a URL-path",
+ r->uri));
return DECLINED;
}
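Review bot: the rewritelog call passes r->uri as the '%s' argument, but the condition just above it explicitly allows r->uri to be NULL; logging r->unparsed_uri instead is both safe (the first clause already indexes it) and more useful, because for the CONNECT case it shows the host:port the client actually sent. Separately, the check consults dconf->options while the documentation hunk describes the guard as applying in VirtualHost and server context; please confirm that a server-context `RewriteOptions AllowAnyURI` is copied into the per-directory options seen here, otherwise the new option would only work in per-directory context.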
Index: docs/manual/mod/mod_rewrite.xml
===================================================================
--- docs/manual/mod/mod_rewrite.xml (revision 1347667)
+++ docs/manual/mod/mod_rewrite.xml (working copy)
@@ -188,6 +188,37 @@
later.
+ AllowAnyURI
+
+
+ When RewriteRule
+ is used in VirtualHost
or server context with
+ version 2.2.22 or later of httpd, mod_rewrite
+ will only process the rewrite rules if the request URI is a URL-path. This avoids
+ some security issues where particular rules could allow
+ "surprising" pattern expansions (see CVE-2011-3368
+ and CVE-2011-4317).
+ To lift the restriction on matching a URL-path, the
+ AllowAnyURI
option can be enabled, and
+ mod_rewrite will apply the rule set to any
+ request URI string, regardless of whether that string matches
+ the URL-path grammar required by the HTTP specification.
+
+
+ Security Warning
+
+ Enabling this option will make the server vulnerable to
+ security issues if used with rewrite rules which are not
+ carefully authored. It is strongly recommended
+ that this option is not used. In particularly, beware of input
+ strings containing the '@
' character which could
+ change the interpretation of the transformed URI.
+
+
+
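Review bot: "In particularly, beware of input strings" in the Security Warning should read "In particular"; and since the warning singles out '@', it would help to say why: when the rewritten target is a proxy URL, an '@' carried over from the request-URI turns everything before it into userinfo, so the host that follows the '@' is the one mod_proxy connects to. A one-line explanation makes the "change the interpretation of the transformed URI" phrase concrete.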
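As an added illustration, not part of Joe's mail or of the httpd code base: the URL-path guard the patch adds, the unintended interpolation it prevents, and the "write a regex that carefully matches the input" alternative from the quoted reply, modelled in Python. The backend name, the request lines and the two RewriteRule shapes are constructed for the example; `request_uri_path` is a deliberately simplified stand-in for httpd's r->uri, not a faithful port of ap_parse_uri.

```python
import re
from urllib.parse import urlsplit

# Assumed placeholder for the origin a RewriteRule proxies to (not a real host).
BACKEND = "http://backend.internal"


def request_uri_path(method: str, target: str) -> str:
    """Simplified stand-in for httpd's r->uri.  For an absolute-URI target the
    path component is used; for CONNECT the target is host:port and stays as
    is; anything else (including odd strings such as '@host/') is the path."""
    if method != "CONNECT" and "://" in target:
        return urlsplit(target).path
    return target


def is_url_path(unparsed_uri: str, uri: str) -> bool:
    """The guard from the patch: decline unless the request-URI is a URL-path.
    '*' (OPTIONS *), an empty path, or a path not starting with '/' fails."""
    if unparsed_uri == "*":
        return False
    return bool(uri) and uri.startswith("/")


def naive_proxy_rule(uri: str) -> str:
    """RewriteRule ^(.*) http://backend.internal$1 [P]
    The whole input is pasted straight after the backend host."""
    return BACKEND + uri


def careful_proxy_rule(uri: str):
    """RewriteRule ^/(.*) http://backend.internal/$1 [P]
    Anchors on the leading slash, so the captured text can never supply
    the authority part of the target URL.  Returns None when the rule does
    not match."""
    m = re.match(r"^/(.*)", uri)
    return None if m is None else BACKEND + "/" + m.group(1)


def rewrite_request(method, target, rule=naive_proxy_rule, allow_any_uri=False):
    """URL the rule would proxy to, or None when mod_rewrite declines (guard
    active and the request-URI is not a URL-path) or the rule does not match."""
    uri = request_uri_path(method, target)
    if not allow_any_uri and not is_url_path(target, uri):
        return None
    return rule(uri)


def upstream_host(url: str) -> str:
    """host[:port] a proxy actually connects to: the authority *after* any
    '@', because everything before it is userinfo."""
    return urlsplit(url).netloc.rpartition("@")[2]


if __name__ == "__main__":
    # Constructed request lines: a normal one, a CVE-2011-3368-style one whose
    # request-URI starts with '@', an OPTIONS *, and a CONNECT.
    samples = [("GET", "/index.html"),
               ("GET", "@internal-admin:8080/"),
               ("OPTIONS", "*"),
               ("CONNECT", "internal-admin:8080")]
    for method, target in samples:
        guarded = rewrite_request(method, target)
        unguarded = rewrite_request(method, target, allow_any_uri=True)
        print(f"{method} {target}")
        print(f"  with guard   : {guarded}")
        print(f"  AllowAnyURI  : {unguarded}"
              + (f"  -> connects to {upstream_host(unguarded)}" if unguarded else ""))
        print(f"  careful regex: {rewrite_request(method, target, careful_proxy_rule, True)}")
```

Run as a script it prints, for each sample, what the guarded server does (declines everything that is not a URL-path), what the same naive rule does once AllowAnyURI is set (the '@' request becomes `http://backend.internal@internal-admin:8080/`, and `upstream_host` shows the proxy would talk to internal-admin:8080, not the backend), and that a rule anchored on `^/` stays safe even with the guard off. Note that an absolute-URI request such as `GET http://example.com/x` passes the guard, because r->uri is its path `/x`.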