SECURITY: CVE-2011-4317 (cve.mitre.org)
Resolve additional cases of URL rewriting with ProxyPassMatch or
RewriteRule, where particular request-URIs could result in undesired
backend network exposure in some configurations.
Submitted by: jorton
Reviewed by: trawick, covener, gregames
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1235443 13f79535-47bb-0310-9956-ffa450edef68
could cause the parent to crash at shutdown rather than terminate
cleanly. [Joe Orton]
+ *) SECURITY: CVE-2011-4317 (cve.mitre.org)
+ Resolve additional cases of URL rewriting with ProxyPassMatch or
+ RewriteRule, where particular request-URIs could result in undesired
+ backend network exposure in some configurations.
+ [Joe Orton]
+
*) SECURITY: CVE-2011-3368 (cve.mitre.org)
Reject requests where the request-URI does not match the HTTP
specification, preventing unexpected expansion of target URLs in
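Review bot: the new CHANGES entry should state that the core request-line check introduced for CVE-2011-3368 (the "invalid request-URI" 400 response visible in the protocol.c hunk of this same commit) is removed and replaced by per-module checks in mod_rewrite and mod_proxy, since that is a visible behaviour change for administrators and packagers who read CHANGES alone. Suggest appending a sentence such as "The generic request-URI validation added for CVE-2011-3368 is removed; mod_rewrite and mod_proxy now decline such requests instead."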
2.2.x patch: https://issues.apache.org/bugzilla/attachment.cgi?id=27976
+1: igalic, jim
- * mod_rewrite, mod_proxy: Fix CVE-2011-4317
- Trunk patch: http://svn.apache.org/viewvc?rev=1209432&view=rev
- 2.2.x patch: trunk patch works
- +1: jorton
- trawick: http://mail-archives.apache.org/mod_mbox/httpd-dev/201112.mbox/%3CCAKUrXK4uwT%3DP1KtEziNqFdxXs%2BtyWvggzpL8x2u-Bbq8tZ-Zsw%40mail.gmail.com%3E
- wrowe: Prefer Jeff's premise (a) to reject all non-resource URIs from httpd
- rather than a module-by-module test. In particular, '*' should just
- work and bypass most hook phases. In any case, in the revised
- patch of 12/16, (r->unparsed_uri[0] == '*' && !r->unparsed_uri[1])
- should be much faster than a callout to strcmp.
- wrowe: Shouldn't this all simply be handled with an error result from
- apr_uri_parse?
- trawick: valid URIs can be used to exploit this, so apr_uri_parse() won't help
-
- Plan (b) from mail discussion above
- Adds trunk revision 1233604
- 2.2.x patch: http://people.apache.org/~trawick/CVE-2011-4317-2.2.x.txt
- +1: trawick, covener, gregames
-
* mod_proxy: cure size_t abuse part 1, backport relevant bits of r1227856,
Specifically normalizes ap_proxy_string_read so that the prototype
agrees with the actual implementation, which I believe is a bug fix
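Review bot: removing this STATUS block also removes the only recorded rationale for plan (b), namely trawick's point that valid URIs can be used to exploit this so apr_uri_parse() won't help, and wrowe's note that '*' should simply bypass most hook phases. Since the committed guards carry no comment, that reasoning should be preserved somewhere durable, either as a comment beside the new checks or as a reference to the httpd-dev thread linked in the removed lines.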
return DECLINED;
}
+ if ((r->unparsed_uri[0] == '*' && r->unparsed_uri[1] == '\0')
+ || !r->uri || r->uri[0] != '/') {
+ return DECLINED;
+ }
+
/*
* add the SCRIPT_URL variable to the env. this is a bit complicated
* due to the fact that apache uses subrequests and internal redirects
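Review bot: the guard `if ((r->unparsed_uri[0] == '*' && r->unparsed_uri[1] == '\0') || !r->uri || r->uri[0] != '/')` carries no comment explaining why a request-URI other than '*' or an abs_path must not reach the rewrite engine (CVE-2011-4317, per the CHANGES entry); add one so the check is not later "simplified" away. Also note the asymmetry in the same condition: `r->uri` is NULL-checked while `r->unparsed_uri` is dereferenced unconditionally; if unparsed_uri is guaranteed non-NULL at this hook the `!r->uri` test is probably dead, and if it is not, both need guarding.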
return OK;
}
+ if ((r->unparsed_uri[0] == '*' && r->unparsed_uri[1] == '\0')
+ || !r->uri || r->uri[0] != '/') {
+ return DECLINED;
+ }
+
/* XXX: since r->uri has been manipulated already we're not really
* compliant with RFC1945 at this point. But this probably isn't
* an issue because this is a hybrid proxy/origin server.
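Review bot: this is a second verbatim copy of the four-line predicate from the mod_rewrite hunk, and the same check will be needed by any other module that derives a backend or filesystem target from r->uri, so it belongs in a shared core helper rather than being duplicated module by module; that is also closer to wrowe's preference in the STATUS discussion for rejecting non-resource URIs once instead of per-module tests. Returning DECLINED here is otherwise consistent with the XXX comment below, which already documents that r->uri has been manipulated by this point, so proxy_trans is a sensible place to refuse anything that is not '*' or an abs_path.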
ap_parse_uri(r, uri);
- /* RFC 2616:
- * Request-URI = "*" | absoluteURI | abs_path | authority
- *
- * authority is a special case for CONNECT. If the request is not
- * using CONNECT, and the parsed URI does not have scheme, and
- * it does not begin with '/', and it is not '*', then, fail
- * and give a 400 response. */
- if (r->method_number != M_CONNECT
- && !r->parsed_uri.scheme
- && uri[0] != '/'
- && !(uri[0] == '*' && uri[1] == '\0')) {
- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
- "invalid request-URI %s", uri);
- r->args = NULL;
- r->hostname = NULL;
- r->status = HTTP_BAD_REQUEST;
- r->uri = apr_pstrdup(r->pool, uri);
- }
-
if (ll[0]) {
r->assbackwards = 0;
pro = ll;
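Review bot: deleting the block after `ap_parse_uri(r, uri);` means a non-CONNECT request whose URI has no scheme, does not start with '/' and is not '*' is no longer answered with 400 in the core and now reaches every module with r->uri in that shape, yet the hunk leaves nothing at this spot to say so. Add a short comment at the ap_parse_uri call noting that request-URI validation moved to mod_proxy and mod_rewrite (CVE-2011-4317) and that modules building targets from r->uri must perform their own check; otherwise a future reader sees the RFC 2616 grammar citation gone with no trace of why.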