Merge r1773397 from trunk:

ProxyPass ! doesn't block per-directory ProxyPass

 *) mod_proxy: Honor a server scoped ProxyPass exception when ProxyPass is
     configured in <Location>, like in 2.2. PR 60458.
     [Eric Covener]

Submitted by: covener
Reviewed/backported by: jim

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1773800 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/CHANGES b/CHANGES
index e1568e2307a709c1f8e21851c1fe96d0168cf0ef..9f841a619145090839c30d170c04ba5b3db691bd 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,7 +1,7 @@
                                                          -*- coding: utf-8 -*-
 
 Changes with Apache 2.4.24
-
+ 
   *) SECURITY: CVE-2016-8740 (cve.mitre.org)
      mod_http2: Mitigate DoS memory exhaustion via endless
      CONTINUATION frames.
@@ -22,6 +22,10 @@ Changes with Apache 2.4.24
      MAC (SipHash) to prevent deciphering or tampering with a padding
      oracle attack.  [Yann Ylavic, Colm MacCarthaigh]
 
+ *) mod_proxy: Honor a server scoped ProxyPass exception when ProxyPass is
+     configured in <Location>, like in 2.2. PR 60458.
+     [Eric Covener]
+
   *) mod_lua: Fix default value of LuaInherit directive. It should be 
      'parent-first' instead of 'none', as per documentation.  PR 60419
      [Christophe Jaillet]

diff --git a/STATUS b/STATUS
index e7d3b381cb5384203a857aa4d55d3ce82d35f944..4fe0e94bfda05203008384b875f8c2177e73a52d 100644 (file)
--- a/STATUS
+++ b/STATUS
@@ -117,11 +117,6 @@ RELEASE SHOWSTOPPERS:
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
   [ start all new proposals below, under PATCHES PROPOSED. ]
 
-  *) ProxyPass ! in server scope doesn't block per-location ProxyPass. Worked in 2.2
-     Trunk patch: https://svn.apache.org/r1773397
-     2.4.x patch: trunk works
-     +1 covener, jim, ylavic
-
   *) Propose we apr_pstrdup constant r->protocol assignments, and always fail
      entirely invalid protocols (expecting these are part two of a URL with
      embedded raw SP characters), without considering 'strict'-ness.

diff --git a/modules/proxy/mod_proxy.c b/modules/proxy/mod_proxy.c
index d47127f37cb46714b03a32de4c84809ac34e2513..d6e65004e32ac29d9d06891e9a764685c6a50f94 100644 (file)
--- a/modules/proxy/mod_proxy.c
+++ b/modules/proxy/mod_proxy.c
@@ -771,18 +771,29 @@ static int proxy_trans(request_rec *r)
      */
 
     dconf = ap_get_module_config(r->per_dir_config, &proxy_module);
-
+    conf = (proxy_server_conf *) ap_get_module_config(r->server->module_config,
+                                                      &proxy_module);
     /* short way - this location is reverse proxied? */
     if (dconf->alias) {
         int rv = ap_proxy_trans_match(r, dconf->alias, dconf);
+        if (OK == rv) { 
+            /* Got a hit. Need to make sure it's not explicitly declined */
+            if (conf->aliases->nelts) {
+                ent = (struct proxy_alias *) conf->aliases->elts;
+                for (i = 0; i < conf->aliases->nelts; i++) {
+                    int rv = ap_proxy_trans_match(r, &ent[i], dconf);
+                    if (DECLINED == rv) { 
+                        return DECLINED;
+                    }
+                }
+            }
+            return OK; 
+        }
         if (DONE != rv) {
             return rv;
         }
     }
 
-    conf = (proxy_server_conf *) ap_get_module_config(r->server->module_config,
-                                                      &proxy_module);
-
     /* long way - walk the list of aliases, find a match */
     if (conf->aliases->nelts) {
         ent = (struct proxy_alias *) conf->aliases->elts;