From: Jeff Trawick Date: Tue, 24 Jan 2012 19:39:31 +0000 (+0000) Subject: Backport trunk revisions 1209432 and 1233604: X-Git-Tag: 2.2.22~9 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6627c80356324786fca40c51afb24fc799803f81;p=thirdparty%2Fapache%2Fhttpd.git Backport trunk revisions 1209432 and 1233604: SECURITY: CVE-2011-4317 (cve.mitre.org) Resolve additional cases of URL rewriting with ProxyPassMatch or RewriteRule, where particular request-URIs could result in undesired backend network exposure in some configurations. Submitted by: jorton Reviewed by: trawick, covener, gregames git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1235443 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 38a1a9ad407..e57cd06b6a2 100644 --- a/CHANGES +++ b/CHANGES @@ -6,6 +6,12 @@ Changes with Apache 2.2.22 could cause the parent to crash at shutdown rather than terminate cleanly. [Joe Orton] + *) SECURITY: CVE-2011-4317 (cve.mitre.org) + Resolve additional cases of URL rewriting with ProxyPassMatch or + RewriteRule, where particular request-URIs could result in undesired + backend network exposure in some configurations. + [Joe Orton] + *) SECURITY: CVE-2011-3368 (cve.mitre.org) Reject requests where the request-URI does not match the HTTP specification, preventing unexpected expansion of target URLs in diff --git a/STATUS b/STATUS index 1339dc986cb..9b4ab1180dd 100644 --- a/STATUS +++ b/STATUS 
@@ -138,25 +138,6 @@ PATCHES PROPOSED TO BACKPORT FROM TRUNK: 2.2.x patch: https://issues.apache.org/bugzilla/attachment.cgi?id=27976 +1: igalic, jim - * mod_rewrite, mod_proxy: Fix CVE-2011-4317 - Trunk patch: http://svn.apache.org/viewvc?rev=1209432&view=rev - 2.2.x patch: trunk patch works - +1: jorton - trawick: http://mail-archives.apache.org/mod_mbox/httpd-dev/201112.mbox/%3CCAKUrXK4uwT%3DP1KtEziNqFdxXs%2BtyWvggzpL8x2u-Bbq8tZ-Zsw%40mail.gmail.com%3E - wrowe: Prefer Jeff's premise (a) to reject all non-resource URIs from httpd - rather than a module-by-module test. In particular, '*' should just - work and bypass most hook phases. In any case, in the revised - patch of 12/16, (r->unparsed_uri[0] == '*' && !r->unparsed_uri[1]) - should be much faster than a callout to strcmp. - wrowe: Shouldn't this all simply be handled with an error result from - apr_uri_parse? - trawick: valid URIs can be used to exploit this, so apr_uri_parse() won't help - - Plan (b) from mail discussion above - Adds trunk revision 1233604 - 2.2.x patch: http://people.apache.org/~trawick/CVE-2011-4317-2.2.x.txt - +1: trawick, covener, gregames - * mod_proxy: cure size_t abuse part 1, backport relevant bits of r1227856, Specifically normalizes ap_proxy_string_read so that the prototype agrees with the actual implementation, which I believe is a bug fix diff --git a/modules/mappers/mod_rewrite.c b/modules/mappers/mod_rewrite.c index 8887bea53a3..89b5af55bf3 100644 --- a/modules/mappers/mod_rewrite.c +++ b/modules/mappers/mod_rewrite.c @@ -4266,6 +4266,11 @@ static int hook_uri2file(request_rec *r) return DECLINED; } + if ((r->unparsed_uri[0] == '*' && r->unparsed_uri[1] == '\0') + || !r->uri || r->uri[0] != '/') { + return DECLINED; + } + /* * add the SCRIPT_URL variable to the env. this is a bit complicated * due to the fact that apache uses subrequests and internal redirects diff --git a/modules/proxy/mod_proxy.c b/modules/proxy/mod_proxy.c index 1efe95ce4d0..fb9ff39dd32 100644 
--- a/modules/proxy/mod_proxy.c +++ b/modules/proxy/mod_proxy.c @@ -566,6 +566,11 @@ static int proxy_trans(request_rec *r) return OK; } + if ((r->unparsed_uri[0] == '*' && r->unparsed_uri[1] == '\0') + || !r->uri || r->uri[0] != '/') { + return DECLINED; + } + /* XXX: since r->uri has been manipulated already we're not really * compliant with RFC1945 at this point. But this probably isn't * an issue because this is a hybrid proxy/origin server. diff --git a/server/protocol.c b/server/protocol.c index d0180962e44..2e3ce935a4b 100644 --- a/server/protocol.c +++ b/server/protocol.c @@ -640,25 +640,6 @@ static int read_request_line(request_rec *r, apr_bucket_brigade *bb) ap_parse_uri(r, uri); - /* RFC 2616: - * Request-URI = "*" | absoluteURI | abs_path | authority - * - * authority is a special case for CONNECT. If the request is not - * using CONNECT, and the parsed URI does not have scheme, and - * it does not begin with '/', and it is not '*', then, fail - * and give a 400 response. */ - if (r->method_number != M_CONNECT - && !r->parsed_uri.scheme - && uri[0] != '/' - && !(uri[0] == '*' && uri[1] == '\0')) { - ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, - "invalid request-URI %s", uri); - r->args = NULL; - r->hostname = NULL; - r->status = HTTP_BAD_REQUEST; - r->uri = apr_pstrdup(r->pool, uri); - } - if (ll[0]) { r->assbackwards = 0; pro = ll;
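Review bot: the new CHANGES entry for CVE-2011-4317 does not say that this same commit removes the 400 rejection of non-conforming request-URIs from read_request_line in server/protocol.c, which is exactly the protection the CVE-2011-3368 entry directly below it describes ("Reject requests where the request-URI does not match the HTTP specification"). A reader of CHANGES would assume both protections are in force. Add a sentence to the 4317 entry along the lines of "The parse-time request-URI rejection added for CVE-2011-3368 is replaced by per-module checks in mod_proxy and mod_rewrite" so the behavioural change (malformed request-URIs are no longer answered with 400 at parse time) is on record.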
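Review bot: in the hook_uri2file hunk, r->unparsed_uri is dereferenced unconditionally while r->uri gets a NULL guard in the same condition; either both pointers are guaranteed non-NULL at this point (in which case the `!r->uri` test is dead) or the unparsed_uri access needs the same guard. Also confirm the intended scope of `r->uri[0] != '/'`: a forward-proxy request carries its absolute URI in r->uri, so unless an earlier early-return in hook_uri2file already excludes r->proxyreq requests (the `return DECLINED;` visible above the hunk does not show which test it belongs to), this condition also stops RewriteRule from seeing those requests. If that is intended it should be noted in CHANGES; if not, qualify the condition with `!r->proxyreq`. A rewritelog() call before the return would help administrators see why rules did not fire for a `*` or non-'/' request-URI.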
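Review bot: the proxy_trans hunk duplicates, character for character, the condition added to mod_rewrite's hook_uri2file, and the STATUS text removed in this same commit records wrowe's preference for rejecting non-resource URIs once in the core rather than module by module; with the protocol.c check gone, every other module that reads r->uri now has to repeat this test. A shared helper in the core (or the core-level reject originally proposed) would keep the copies from drifting. Placement after the early `return OK;` shown in context is correct only if that return is the r->proxyreq short-circuit, so forward-proxy requests are unaffected; please confirm. As in mod_rewrite, r->unparsed_uri is dereferenced while r->uri is NULL-checked, and the silent DECLINED deserves a debug-level log line so a `GET * HTTP/1.1` that no longer matches ProxyPassMatch remains traceable.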
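Review bot: the read_request_line hunk drops the check that returned 400 for a non-CONNECT request-URI that is neither `*`, an absoluteURI, nor an abs_path (the CVE-2011-3368 fix) and puts nothing in its place, so such a request now reaches every translate-name hook with r->uri not beginning with '/'. The removed STATUS discussion (trawick: "valid URIs can be used to exploit this, so apr_uri_parse() won't help") explains why parsing alone is insufficient, but it does not argue for removing the rejection, and removing it re-exposes any module other than mod_proxy and mod_rewrite that assumes r->uri[0] == '/'. Keep the rejection and add the per-module declines on top; if the removal is deliberate, record the reason in CHANGES and keep at least the "invalid request-URI %s" log line (at debug level) so the traffic stays visible in logs.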