From: Joe Orton Date: Mon, 2 Jul 2012 08:51:01 +0000 (+0000) Subject: * modules/mappers/mod_rewrite.c (cmd_rewriteoptions, hook_uri2file): X-Git-Tag: 2.5.0-alpha~6683 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=83acd755ee086266e9fa1c85bddadf6b14ad5c1e;p=thirdparty%2Fapache%2Fhttpd.git * modules/mappers/mod_rewrite.c (cmd_rewriteoptions, hook_uri2file): Add "AllowAnyURI" flag which disables the strict URL-path input string check introduced to fix CVE-2011-3368/CVE-2011-4317. * docs/manual: Update docs. Inspired by: covener git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1356115 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 706120633f8..e153e7eb647 100644 --- a/CHANGES +++ b/CHANGES @@ -6,6 +6,8 @@ Changes with Apache 2.5.0 possible XSS for a site where untrusted users can upload files to a location with MultiViews enabled. [Niels Heinen ] + *) mod_rewrite: Add "AllowAnyURI" option. PR 52774. [Joe Orton] + *) mod_ssl: Add RFC 5878 support. [Ben Laurie] *) mod_authz_core: If an expression in "Require expr" returns denied and diff --git a/docs/manual/mod/mod_rewrite.xml b/docs/manual/mod/mod_rewrite.xml index 7ba1eddd3f5..ae2b9acc6a1 100644 --- a/docs/manual/mod/mod_rewrite.xml +++ b/docs/manual/mod/mod_rewrite.xml @@ -188,6 +188,38 @@ later later.

+
AllowAnyURI
+
+ +

When RewriteRule + is used in VirtualHost or server context with + version 2.2.22 or later of httpd, mod_rewrite + will only process the rewrite rules if the request URI is a URL-path. This avoids + some security issues where particular rules could allow + "surprising" pattern expansions (see CVE-2011-3368 + and CVE-2011-4317). + To lift the restriction on matching a URL-path, the + AllowAnyURI option can be enabled, and + mod_rewrite will apply the rule set to any + request URI string, regardless of whether that string matches + the URL-path grammar required by the HTTP specification.

+ + + Security Warning + +

Enabling this option will make the server vulnerable to + security issues if used with rewrite rules which are not + carefully authored. It is strongly recommended + that this option is not used. In particular, beware of input + strings containing the '@' character which could + change the interpretation of the transformed URI, as per the + above CVE names.

+
+
+ diff --git a/modules/mappers/mod_rewrite.c b/modules/mappers/mod_rewrite.c index 314b48a1e51..7024eae7d4e 100644 --- a/modules/mappers/mod_rewrite.c +++ b/modules/mappers/mod_rewrite.c @@ -190,6 +190,7 @@ static const char* really_last_key = "rewrite_really_last"; #define OPTION_INHERIT 1<<1 #define OPTION_INHERIT_BEFORE 1<<2 #define OPTION_NOSLASH 1<<3 +#define OPTION_ANYURI 1<<4 #ifndef RAND_MAX #define RAND_MAX 32767 @@ -2895,6 +2896,9 @@ static const char *cmd_rewriteoptions(cmd_parms *cmd, "LimitInternalRecursion directive and will be " "ignored."); } + else if (!strcasecmp(w, "allowanyuri")) { + options |= OPTION_ANYURI; + } else { return apr_pstrcat(cmd->pool, "RewriteOptions: unknown option '", w, "'", NULL); @@ -4443,8 +4447,14 @@ static int hook_uri2file(request_rec *r) return DECLINED; } - if ((r->unparsed_uri[0] == '*' && r->unparsed_uri[1] == '\0') - || !r->uri || r->uri[0] != '/') { + /* Unless the anyuri option is set, ensure that the input to the + * first rule really is a URL-path, avoiding security issues with + * poorly configured rules. See CVE-2011-3368, CVE-2011-4317. */ + if ((dconf->options & OPTION_ANYURI) == 0 + && ((r->unparsed_uri[0] == '*' && r->unparsed_uri[1] == '\0') + || !r->uri || r->uri[0] != '/')) { + rewritelog((r, 8, NULL, "Declining, request-URI '%s' is not a URL-path", + r->uri)); return DECLINED; }
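Review bot: In the docs/manual/mod/mod_rewrite.xml hunk, the Security Warning tells the reader to beware of input containing '@' but gives no guidance on what a carefully authored rule looks like once AllowAnyURI is on. With the option set, hook_uri2file no longer guarantees that the input starts with '/', so the docs should say that every pattern and substitution must be written for input that need not start with '/', for example by anchoring patterns with "^/" so non-path request-URIs do not match. The visible text also does not state which httpd version first accepts AllowAnyURI; it mentions only 2.2.22 for the restriction itself.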
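Review bot: The new "#define OPTION_ANYURI 1<<4" in the @@ -190,6 +190,7 @@ hunk is unparenthesized. The test "(dconf->options & OPTION_ANYURI) == 0" in hook_uri2file is correct only because << binds tighter than &, and the same macro would misbehave next to an operator that binds tighter than <<, such as + or *. This follows the neighbouring OPTION_* defines, but since the flag now gates a security check it would be safer to write it as (1<<4), ideally parenthesizing the other OPTION_* values in the same change.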
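Review bot: In the hook_uri2file hunk, setting OPTION_ANYURI skips the entire guard, so the "!r->uri" NULL test and the "*" request-URI test are bypassed along with the leading-'/' test. The option is documented as lifting only the URL-path restriction, so the NULL check should stay unconditional (for example "if (!r->uri) return DECLINED;" ahead of the option test), and it is worth deciding explicitly whether "*" should reach the rule set at all. The added rewritelog call also passes r->uri to '%s' on a branch that can be entered because r->uri is NULL; logging r->unparsed_uri there, or guarding the argument, avoids depending on how the formatter treats a NULL string. Finally, the docs describe the restriction as applying in VirtualHost or server context while the check reads dconf->options; please confirm that a RewriteOptions AllowAnyURI given at server or virtual-host scope is actually reflected in dconf here, since the cmd_rewriteoptions hunk only shows "options |= OPTION_ANYURI".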