From: Eric Covener <covener@apache.org>
Date: Wed, 14 Dec 2016 22:27:25 +0000 (+0000)
Subject: Merge r1774288 from trunk:
X-Git-Tag: 2.4.24~17
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=48100751013bf08880bbe0c97cc99bae55b4d952;p=thirdparty%2Fapache%2Fhttpd.git

Merge r1774288 from trunk:

short-circuit some kinds of looping in RewriteRule.

PR60478

Submitted By: Jeff Wheelouse <apache wheelhouse.org>
Committed By: covener



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1774352 13f79535-47bb-0310-9956-ffa450edef68
---

diff --git a/CHANGES b/CHANGES
index 964c51c55ab..11152777d0b 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,7 +1,7 @@
                                                          -*- coding: utf-8 -*-
 
 Changes with Apache 2.4.24
- 
+
   *) SECURITY: CVE-2016-8740 (cve.mitre.org)
      mod_http2: Mitigate DoS memory exhaustion via endless
      CONTINUATION frames.
@@ -33,6 +33,10 @@ Changes with Apache 2.4.24
      pollution by malicious clients, upstream servers or faulty modules.
      [Stefan Fritsch, Eric Covener, Yann Ylavic]
 
+  *) mod_rewrite: Limit runaway memory use by short circuiting some kinds of
+     looping RewriteRules when the local path significantly exceeds 
+     LimitRequestLine.  PR 60478. [Jeff Wheelhouse <apache wheelhouse.org>]
+
   *) mod_ratelimit: Allow for initial "burst" amount at full speed before
      throttling: PR 60145 [Andy Valencia <ajv-etradanalhos vsta.org>,
      Jim Jagielski]
diff --git a/STATUS b/STATUS
index c166c7816da..71752d5fb92 100644
--- a/STATUS
+++ b/STATUS
@@ -118,12 +118,6 @@ RELEASE SHOWSTOPPERS:
 
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
   [ start all new proposals below, under PATCHES PROPOSED. ]
- 
-  *) Limit some kinds of rewrite looping. PR60478
-     trunk patch: http://svn.apache.org/r1774288.
-     2.4.x patch: trunk works
-     +1: covener, ylavic, jchampion
-
 
 PATCHES PROPOSED TO BACKPORT FROM TRUNK:
   [ New proposals should be added at the end of the list ]
diff --git a/modules/mappers/mod_rewrite.c b/modules/mappers/mod_rewrite.c
index 56957c904a3..dcf7988ed0d 100644
--- a/modules/mappers/mod_rewrite.c
+++ b/modules/mappers/mod_rewrite.c
@@ -4295,6 +4295,17 @@ static int apply_rewrite_list(request_rec *r, apr_array_header_t *rewriterules,
         rc = apply_rewrite_rule(p, ctx);
 
         if (rc) {
+
+            /* Catch looping rules with pathinfo growing unbounded */
+            if ( strlen( r->filename ) > 2*r->server->limit_req_line ) {
+                ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+                              "RewriteRule '%s' and URI '%s' "
+                              "exceeded maximum length (%d)", 
+                              p->pattern, r->uri, 2*r->server->limit_req_line );
+                r->status = HTTP_INTERNAL_SERVER_ERROR;
+                return ACTION_STATUS;
+            }
+
             /* Regardless of what we do next, we've found a match. Check to see
              * if any of the request header fields were involved, and add them
              * to the Vary field of the response.