mod_proxy: Check for space/ctrls in nocanon path/urls before forwarding.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1908827 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/modules/http2/mod_proxy_http2.c b/modules/http2/mod_proxy_http2.c
index 8af0a34165dc53d695aaac7fdcdbce49952fba32..5abccab09729deeb0f901c6429aee5e45d2cf163 100644 (file)
--- a/modules/http2/mod_proxy_http2.c
+++ b/modules/http2/mod_proxy_http2.c
@@ -164,26 +164,31 @@ static int proxy_http2_canon(request_rec *r, char *url)
 
             path = ap_proxy_canonenc_ex(r->pool, url, (int)strlen(url),
                                         enc_path, flags, r->proxyreq);
+            if (!path) {
+                return HTTP_BAD_REQUEST;
+            }
             search = r->args;
         }
-        if (search && *ap_scan_vchar_obstext(search)) {
-            /*
-             * We have a raw control character or a ' ' in r->args.
-             * Correct encoding was missed.
-             */
-            ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10412)
-                          "To be forwarded query string contains control "
-                          "characters or spaces");
-            return HTTP_FORBIDDEN;
-        }
         break;
     case PROXYREQ_PROXY:
         path = url;
         break;
     }
-
-    if (path == NULL) {
-        return HTTP_BAD_REQUEST;
+    /*
+     * If we have a raw control character or a ' ' in nocanon path or
+     * r->args, correct encoding was missed.
+     */
+    if (path == url && *ap_scan_vchar_obstext(path)) {
+        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10420)
+                      "To be forwarded path contains control "
+                      "characters or spaces");
+        return HTTP_FORBIDDEN;
+    }
+    if (search && *ap_scan_vchar_obstext(search)) {
+        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10412)
+                      "To be forwarded query string contains control "
+                      "characters or spaces");
+        return HTTP_FORBIDDEN;
     }
 
     if (port != def_port) {

diff --git a/modules/proxy/mod_proxy_ajp.c b/modules/proxy/mod_proxy_ajp.c
index 6ccc66de4a0a71cf8d84174fc17c5bcb47cf7f1b..cedf71379c1588b953b2de2552def7c96bc96126 100644 (file)
--- a/modules/proxy/mod_proxy_ajp.c
+++ b/modules/proxy/mod_proxy_ajp.c
@@ -75,20 +75,27 @@ static int proxy_ajp_canon(request_rec *r, char *url)
 
         path = ap_proxy_canonenc_ex(r->pool, url, strlen(url), enc_path, flags,
                                     r->proxyreq);
+        if (!path) {
+            return HTTP_BAD_REQUEST;
+        }
         search = r->args;
     }
+    /*
+     * If we have a raw control character or a ' ' in nocanon path or
+     * r->args, correct encoding was missed.
+     */
+    if (path == url && *ap_scan_vchar_obstext(path)) {
+        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10418)
+                      "To be forwarded path contains control "
+                      "characters or spaces");
+        return HTTP_FORBIDDEN;
+    }
     if (search && *ap_scan_vchar_obstext(search)) {
-        /*
-         * We have a raw control character or a ' ' in r->args.
-         * Correct encoding was missed.
-         */
          ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10406)
                        "To be forwarded query string contains control "
                        "characters or spaces");
          return HTTP_FORBIDDEN;
     }
-    if (path == NULL)
-        return HTTP_BAD_REQUEST;
 
     if (port != def_port)
          apr_snprintf(sport, sizeof(sport), ":%d", port);

diff --git a/modules/proxy/mod_proxy_balancer.c b/modules/proxy/mod_proxy_balancer.c
index 123eba7300abf7ff67d050025eb501b8bae999cd..0bf4e9db15b0e4bae2c3b4ff1bbd4114f769c215 100644 (file)
--- a/modules/proxy/mod_proxy_balancer.c
+++ b/modules/proxy/mod_proxy_balancer.c
@@ -112,20 +112,27 @@ static int proxy_balancer_canon(request_rec *r, char *url)
 
         path = ap_proxy_canonenc_ex(r->pool, url, strlen(url), enc_path, flags,
                                     r->proxyreq);
+        if (!path) {
+            return HTTP_BAD_REQUEST;
+        }
         search = r->args;
     }
+    /*
+     * If we have a raw control character or a ' ' in nocanon path or
+     * r->args, correct encoding was missed.
+     */
+    if (path == url && *ap_scan_vchar_obstext(path)) {
+        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10416)
+                      "To be forwarded path contains control "
+                      "characters or spaces");
+        return HTTP_FORBIDDEN;
+    }
     if (search && *ap_scan_vchar_obstext(search)) {
-        /*
-         * We have a raw control character or a ' ' in r->args.
-         * Correct encoding was missed.
-         */
          ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10407)
                        "To be forwarded query string contains control "
                        "characters or spaces");
          return HTTP_FORBIDDEN;
     }
-    if (path == NULL)
-        return HTTP_BAD_REQUEST;
 
     r->filename = apr_pstrcat(r->pool, "proxy:" BALANCER_PREFIX, host,
             "/", path, (search) ? "?" : "", (search) ? search : "", NULL);

diff --git a/modules/proxy/mod_proxy_fcgi.c b/modules/proxy/mod_proxy_fcgi.c
index a422b4e20c57ba768c1669066812e094ecec0d7a..831bd15ae9d48019b355779291ccb9755473e8e4 100644 (file)
--- a/modules/proxy/mod_proxy_fcgi.c
+++ b/modules/proxy/mod_proxy_fcgi.c
@@ -102,9 +102,20 @@ static int proxy_fcgi_canon(request_rec *r, char *url)
 
         path = ap_proxy_canonenc_ex(r->pool, url, strlen(url), enc_path, flags,
                                     r->proxyreq);
+        if (!path) {
+            return HTTP_BAD_REQUEST;
+        }
+    }
+    /*
+     * If we have a raw control character or a ' ' in nocanon path,
+     * correct encoding was missed.
+     */
+    if (path == url && *ap_scan_vchar_obstext(path)) {
+        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10414)
+                      "To be forwarded path contains control "
+                      "characters or spaces");
+        return HTTP_FORBIDDEN;
     }
-    if (path == NULL)
-        return HTTP_BAD_REQUEST;
 
     r->filename = apr_pstrcat(r->pool, "proxy:fcgi://", host, sport, "/",
                               path, NULL);

diff --git a/modules/proxy/mod_proxy_http.c b/modules/proxy/mod_proxy_http.c
index dfa68d86b193d297ad80a8e556887ab092a44559..4a8bab1bd67267209c3ae8486ee920d3cd270e23 100644 (file)
--- a/modules/proxy/mod_proxy_http.c
+++ b/modules/proxy/mod_proxy_http.c
@@ -128,26 +128,32 @@ static int proxy_http_canon(request_rec *r, char *url)
 
             path = ap_proxy_canonenc_ex(r->pool, url, strlen(url), enc_path,
                                         flags, r->proxyreq);
+            if (!path) {
+                return HTTP_BAD_REQUEST;
+            }
             search = r->args;
         }
-        if (search && *ap_scan_vchar_obstext(search)) {
-            /*
-             * We have a raw control character or a ' ' in r->args.
-             * Correct encoding was missed.
-             */
-            ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10408)
-                          "To be forwarded query string contains control "
-                          "characters or spaces");
-            return HTTP_FORBIDDEN;
-        }
         break;
     case PROXYREQ_PROXY:
         path = url;
         break;
     }
-
-    if (path == NULL)
-        return HTTP_BAD_REQUEST;
+    /*
+     * If we have a raw control character or a ' ' in nocanon path or
+     * r->args, correct encoding was missed.
+     */
+    if (path == url && *ap_scan_vchar_obstext(path)) {
+        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10415)
+                      "To be forwarded path contains control "
+                      "characters or spaces");
+        return HTTP_FORBIDDEN;
+    }
+    if (search && *ap_scan_vchar_obstext(search)) {
+        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10408)
+                      "To be forwarded query string contains control "
+                      "characters or spaces");
+        return HTTP_FORBIDDEN;
+    }
 
     if (port != def_port)
         apr_snprintf(sport, sizeof(sport), ":%d", port);

diff --git a/modules/proxy/mod_proxy_uwsgi.c b/modules/proxy/mod_proxy_uwsgi.c
index 5eee84f65ec3f3a4765eb1172455e14d3382ae11..8232633ce3aeca0bc541926e7502c2202be95ad0 100644 (file)
--- a/modules/proxy/mod_proxy_uwsgi.c
+++ b/modules/proxy/mod_proxy_uwsgi.c
@@ -94,9 +94,19 @@ static int uwsgi_canon(request_rec *r, char *url)
 
         path = ap_proxy_canonenc_ex(r->pool, url, strlen(url), enc_path, flags,
                                     r->proxyreq);
+        if (!path) {
+            return HTTP_BAD_REQUEST;
+        }
     }
-    if (!path) {
-        return HTTP_BAD_REQUEST;
+    /*
+     * If we have a raw control character or a ' ' in nocanon path,
+     * correct encoding was missed.
+     */
+    if (path == url && *ap_scan_vchar_obstext(path)) {
+        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10417)
+                      "To be forwarded path contains control "
+                      "characters or spaces");
+        return HTTP_FORBIDDEN;
     }
 
     r->filename =

diff --git a/modules/proxy/mod_proxy_wstunnel.c b/modules/proxy/mod_proxy_wstunnel.c
index 54f1dc896798ab99ddec73c9e10af36a859ed025..0e5e6cb812805c886980c130622f67253e9f452a 100644 (file)
--- a/modules/proxy/mod_proxy_wstunnel.c
+++ b/modules/proxy/mod_proxy_wstunnel.c
@@ -205,20 +205,27 @@ static int proxy_wstunnel_canon(request_rec *r, char *url)
 
         path = ap_proxy_canonenc_ex(r->pool, url, strlen(url), enc_path, flags,
                                     r->proxyreq);
+        if (!path) {
+            return HTTP_BAD_REQUEST;
+        }
         search = r->args;
     }
+    /*
+     * If we have a raw control character or a ' ' in nocanon path or
+     * r->args, correct encoding was missed.
+     */
+    if (path == url && *ap_scan_vchar_obstext(path)) {
+        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10419)
+                      "To be forwarded path contains control "
+                      "characters or spaces");
+        return HTTP_FORBIDDEN;
+    }
     if (search && *ap_scan_vchar_obstext(search)) {
-        /*
-         * We have a raw control character or a ' ' in r->args.
-         * Correct encoding was missed.
-         */
         ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10409)
                       "To be forwarded query string contains control "
                       "characters or spaces");
         return HTTP_FORBIDDEN;
     }
-    if (path == NULL)
-        return HTTP_BAD_REQUEST;
 
     if (port != def_port)
         apr_snprintf(sport, sizeof(sport), ":%d", port);