From: William A. Rowe Jr Date: Fri, 9 Sep 2011 13:31:06 +0000 (+0000) Subject: AJP_EBAD_METHOD is also a bad request so return HTTP_NOT_IMPLEMENTED X-Git-Tag: 2.2.21~3 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6e183825696cf9ea761559eafb08863230a03d4f;p=thirdparty%2Fapache%2Fhttpd.git AJP_EBAD_METHOD is also a bad request so return HTTP_NOT_IMPLEMENTED Submitted by: jfclere Backports: r1166551, r1166657 Reviewed by: wrowe, jorton git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1167158 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 0fe3146f0e9..13ca80ce051 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,10 @@  -*- coding: utf-8 -*- Changes with Apache 2.2.21 + *) SECURITY: CVE-2011-3348 (cve.mitre.org) + mod_proxy_ajp: Respond with HTTP_NOT_IMPLEMENTED when the method is not + recognized. [Jean-Frederic Clere] + *) Fix a regression introduced by the CVE-2011-3192 byterange fix in 2.2.20. PR 51748. [] diff --git a/STATUS b/STATUS index 0ea546884a5..625c36e320d 100644 --- a/STATUS +++ b/STATUS @@ -93,10 +93,6 @@ RELEASE SHOWSTOPPERS: PATCHES ACCEPTED TO BACKPORT FROM TRUNK: [ start all new proposals below, under PATCHES PROPOSED. ] - * mod_proxy_ajp: return HTTP_NOT_IMPLEMENTED when AJP_EBAD_METHOD - Trunk patch: http://svn.apache.org/viewvc?view=revision&revision=1166551 & - http://svn.apache.org/viewvc?view=revision&revision=1166657 - +1: jfclere, jorton, wrowe PATCHES PROPOSED TO BACKPORT FROM TRUNK: [ New proposals should be added at the end of the list ] diff --git a/modules/proxy/mod_proxy_ajp.c b/modules/proxy/mod_proxy_ajp.c index 0d8095fa598..92084e31829 100644 --- a/modules/proxy/mod_proxy_ajp.c +++ b/modules/proxy/mod_proxy_ajp.c 
@@ -214,7 +214,9 @@ static int ap_proxy_ajp_request(apr_pool_t *p, request_rec *r, conn->worker->hostname); if (status == AJP_EOVERFLOW) return HTTP_BAD_REQUEST; - else { + else if (status == AJP_EBAD_METHOD) { + return HTTP_NOT_IMPLEMENTED; + } else { /* * This is only non fatal when the method is idempotent. In this * case we can dare to retry it with a different worker if we are
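Review bot: in the CHANGES hunk, the CVE-2011-3348 entry gives the new response (HTTP_NOT_IMPLEMENTED for an unrecognized method) but not what the module did with such a request before, so an administrator reading the entry cannot judge the impact or whether their proxy setup is affected. A short clause describing the earlier behaviour or its consequence, alongside the CVE id, would make the entry usable on its own.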
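Review bot: in the mod_proxy_ajp.c hunk, the new `else if (status == AJP_EBAD_METHOD)` branch has no comment saying why it returns early, while the `else` right after it carries a comment about retrying with a different worker. A one-line comment stating that an unrecognized method is a request error, and so must return before reaching that retry handling, would keep a later edit from folding it back into the `else`. The braces on the new branch also differ from the unbraced `if (status == AJP_EOVERFLOW)` just above it; use one style for both.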