From: Joe Orton Date: Fri, 7 Oct 2011 13:15:01 +0000 (+0000) Subject: Merge r1179239 from trunk: X-Git-Tag: 2.0.65~105 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c06546422ff2c5c0bb3709a1c4577537d70b6f7b;p=thirdparty%2Fapache%2Fhttpd.git Merge r1179239 from trunk: SECURITY (CVE-2011-3368): Prevent unintended pattern expansion in some reverse proxy configurations by strictly validating the request-URI: * server/protocol.c (read_request_line): Send a 400 response if the request-URI does not match the grammar from RFC 2616. This ensures the input string for RewriteRule et al really is an absolute path. Reviewed by: jim, rjung, jorton git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@1180030 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 0321a4c4dac..16f01d45be3 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,11 @@ - -*- coding: utf-8 -*- + -*- coding: utf-8 -*- Changes with Apache 2.0.65 + *) SECURITY: CVE-2011-3368 (cve.mitre.org) + Reject requests where the request-URI does not match the HTTP + specification, preventing unexpected expansion of target URLs in + some reverse proxy configurations. [Joe Orton] + *) SECURITY: CVE-2011-3192 (cve.mitre.org) core: Fix handling of byte-range requests to use less memory, to avoid denial of service. If the sum of all ranges in a request is larger than @@ -8,7 +13,6 @@ Changes with Apache 2.0.65 PR 51714. [Jeff Trawick, Stefan Fritsch, Jim Jagielski, Ruediger Pluem, Eric Covener, ] - Changes with Apache 2.0.64 *) SECURITY: CVE-2010-1452 (cve.mitre.org) diff --git a/server/protocol.c b/server/protocol.c index 1e624f3d8bc..918555b0245 100644 --- a/server/protocol.c +++ b/server/protocol.c 
@@ -628,6 +628,25 @@ static int read_request_line(request_rec *r, apr_bucket_brigade *bb) ap_parse_uri(r, uri); + /* RFC 2616: + * Request-URI = "*" | absoluteURI | abs_path | authority + * + * authority is a special case for CONNECT. If the request is not + * using CONNECT, and the parsed URI does not have scheme, and + * it does not begin with '/', and it is not '*', then, fail + * and give a 400 response. */ + if (r->method_number != M_CONNECT + && !r->parsed_uri.scheme + && uri[0] != '/' + && !(uri[0] == '*' && uri[1] == '\0')) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "invalid request-URI %s", uri); + r->args = NULL; + r->hostname = NULL; + r->status = HTTP_BAD_REQUEST; + r->uri = apr_pstrdup(r->pool, uri); + } + if (ll[0]) { r->assbackwards = 0; pro = ll;
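Review bot: In the first CHANGES hunk, the `-*- coding: utf-8 -*-` line is removed and re-added in a form that is identical as rendered, so this looks like a whitespace-only change unrelated to CVE-2011-3368; a security backport is easier to audit if it carries only the fix, so either drop that pair of lines or mention the whitespace cleanup in the commit message. The new CVE-2011-3368 entry itself reads well and correctly places the new item above the existing CVE-2011-3192 entry for 2.0.65.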
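Review bot: The second CHANGES hunk only deletes the blank line ahead of "Changes with Apache 2.0.64" and touches nothing related to the fix; as with the coding-line churn above, unrelated whitespace edits are best kept out of a security merge, or called out explicitly so the merged revision stays a clean record of what the CVE fix changed.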
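Review bot: In the server/protocol.c hunk, the new block sets r->status = HTTP_BAD_REQUEST but does not return from read_request_line, so the function falls through into `if (ll[0]) { r->assbackwards = 0; pro = ll;` and the rest of request-line processing; the rejection therefore relies on the caller checking r->status before the request is dispatched to handlers, and a one-line comment naming where that check happens (or an explicit early return if the surrounding code allows it) would make the control flow obvious to the next person touching this path. Two details worth confirming in review: the check is placed after ap_parse_uri(r, uri) because it depends on r->parsed_uri.scheme being populated, which is the right order; and on failure the code clears r->args and r->hostname and resets r->uri to a copy of the raw string, which correctly prevents downstream code such as RewriteRule from operating on a partially parsed URI, matching the commit message's goal of guaranteeing an absolute path. The grammar comment is accurate to RFC 2616 and the `uri[0] == '*' && uri[1] == '\0'` test correctly accepts only a bare "*".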