* We need to check for (!scheme && (u = strchr(url, ':')) && (u - url) > 14)

  later as (!scheme || u[0] != '/' || u[1] != '/' || u[2] == '\0') is true
  for requests with the CONNECT method which we need to decline. But in many
  cases requests with the CONNECT method have (u - url) > 14 as in this
  case (u - url) is the length of the FQDN the forward proxy should connect
  to.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1886141 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/modules/proxy/mod_proxy_http.c b/modules/proxy/mod_proxy_http.c
index f5d6fe24f29c460a08128af823c5a889297da419..637fc8760908a96d3f439d2c89f12bffc929e62b 100644 (file)
--- a/modules/proxy/mod_proxy_http.c
+++ b/modules/proxy/mod_proxy_http.c
@@ -1903,15 +1903,15 @@ static int proxy_http_handler(request_rec *r, proxy_worker *worker,
         is_ssl = 0;
     }
     if (!scheme || u[0] != '/' || u[1] != '/' || u[2] == '\0') {
-        if (!scheme && (u = strchr(url, ':')) && (u - url) > 14) {
-            ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10262)
-                          "overlong proxy URL scheme in %s", url);
-            return HTTP_BAD_REQUEST;
-        }
         ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01113)
                       "HTTP: declining URL %s", url);
         return DECLINED; /* only interested in HTTP, WS or FTP via proxy */
     }
+    if (!scheme && (u = strchr(url, ':')) && (u - url) > 14) {
+        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10262)
+                      "overlong proxy URL scheme in %s", url);
+        return HTTP_BAD_REQUEST;
+    }
     if (is_ssl && !ap_proxy_ssl_enable(NULL)) {
         ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01112)
                       "HTTP: declining URL %s (mod_ssl not configured?)", url);