From: Eric Covener Date: Sun, 5 Mar 2023 20:27:11 +0000 (+0000) Subject: don't forward invalid query strings X-Git-Tag: 2.5.0-alpha2-ci-test-only~78 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d78a166fedd9d02c23e4b71d5f53bd9b2c4b9a51;p=thirdparty%2Fapache%2Fhttpd.git don't forward invalid query strings Submitted by: rpluem git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1908095 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/docs/log-message-tags/next-number b/docs/log-message-tags/next-number index d422fc6c8e7..6325971b95a 100644 --- a/docs/log-message-tags/next-number +++ b/docs/log-message-tags/next-number @@ -1 +1 @@ -10406 +10412 diff --git a/modules/http2/mod_proxy_http2.c b/modules/http2/mod_proxy_http2.c index 11d2c785c51..b316aa885ab 100644 --- a/modules/http2/mod_proxy_http2.c +++ b/modules/http2/mod_proxy_http2.c @@ -162,6 +162,16 @@ static int proxy_http2_canon(request_rec *r, char *url) path = ap_proxy_canonenc(r->pool, url, (int)strlen(url), enc_path, 0, r->proxyreq); search = r->args; + if (search && *(ap_scan_vchar_obstext(search))) { + /* + * We have a raw control character or a ' ' in r->args. + * Correct encoding was missed. + */ + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO() + "To be forwarded query string contains control " + "characters or spaces"); + return HTTP_FORBIDDEN; + } } break; case PROXYREQ_PROXY: diff --git a/modules/mappers/mod_rewrite.c b/modules/mappers/mod_rewrite.c index 94aefc9c20c..a315b84b32e 100644 --- a/modules/mappers/mod_rewrite.c +++ b/modules/mappers/mod_rewrite.c @@ -4794,6 +4794,17 @@ static int hook_uri2file(request_rec *r) apr_size_t flen; int to_proxyreq; + if (r->args && *(ap_scan_vchar_obstext(r->args))) { + /* + * We have a raw control character or a ' ' in r->args. + * Correct encoding was missed. + */ + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10410) + "Rewritten query string contains control " + "characters or spaces"); + return HTTP_FORBIDDEN; + } + if (ACTION_STATUS == rulestatus) { int n = r->status; @@ -5092,6 +5103,17 @@ static int hook_fixup(request_rec *r) if (rulestatus) { unsigned skip; + if (r->args && *(ap_scan_vchar_obstext(r->args))) { + /* + * We have a raw control character or a ' ' in r->args. + * Correct encoding was missed. + */ + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10411) + "Rewritten query string contains control " + "characters or spaces"); + return HTTP_FORBIDDEN; + } + if (ACTION_STATUS == rulestatus) { int n = r->status; diff --git a/modules/proxy/mod_proxy_ajp.c b/modules/proxy/mod_proxy_ajp.c index 4ca436188e4..ddbb098f12b 100644 --- a/modules/proxy/mod_proxy_ajp.c +++ b/modules/proxy/mod_proxy_ajp.c @@ -73,6 +73,16 @@ static int proxy_ajp_canon(request_rec *r, char *url) path = ap_proxy_canonenc(r->pool, url, strlen(url), enc_path, 0, r->proxyreq); search = r->args; + if (search && *(ap_scan_vchar_obstext(search))) { + /* + * We have a raw control character or a ' ' in r->args. + * Correct encoding was missed. + */ + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10406) + "To be forwarded query string contains control " + "characters or spaces"); + return HTTP_FORBIDDEN; + } } if (path == NULL) return HTTP_BAD_REQUEST; diff --git a/modules/proxy/mod_proxy_balancer.c b/modules/proxy/mod_proxy_balancer.c index c5f60f673c6..5d77d23429c 100644 --- a/modules/proxy/mod_proxy_balancer.c +++ b/modules/proxy/mod_proxy_balancer.c @@ -110,6 +110,16 @@ static int proxy_balancer_canon(request_rec *r, char *url) path = ap_proxy_canonenc(r->pool, url, strlen(url), enc_path, 0, r->proxyreq); search = r->args; + if (search && *(ap_scan_vchar_obstext(search))) { + /* + * We have a raw control character or a ' ' in r->args. + * Correct encoding was missed. + */ + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10407) + "To be forwarded query string contains control " + "characters or spaces"); + return HTTP_FORBIDDEN; + } } if (path == NULL) return HTTP_BAD_REQUEST; diff --git a/modules/proxy/mod_proxy_http.c b/modules/proxy/mod_proxy_http.c index 8789dcae29e..5d2826a14bd 100644 --- a/modules/proxy/mod_proxy_http.c +++ b/modules/proxy/mod_proxy_http.c @@ -126,6 +126,16 @@ static int proxy_http_canon(request_rec *r, char *url) path = ap_proxy_canonenc(r->pool, url, strlen(url), enc_path, 0, r->proxyreq); search = r->args; + if (search && *(ap_scan_vchar_obstext(search))) { + /* + * We have a raw control character or a ' ' in r->args. + * Correct encoding was missed. + */ + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10408) + "To be forwarded query string contains control " + "characters or spaces"); + return HTTP_FORBIDDEN; + } } break; case PROXYREQ_PROXY: diff --git a/modules/proxy/mod_proxy_wstunnel.c b/modules/proxy/mod_proxy_wstunnel.c index 8a7d21c8676..b2349d4a24b 100644 --- a/modules/proxy/mod_proxy_wstunnel.c +++ b/modules/proxy/mod_proxy_wstunnel.c @@ -203,6 +203,16 @@ static int proxy_wstunnel_canon(request_rec *r, char *url) path = ap_proxy_canonenc(r->pool, url, strlen(url), enc_path, 0, r->proxyreq); search = r->args; + if (search && *(ap_scan_vchar_obstext(search))) { + /* + * We have a raw control character or a ' ' in r->args. + * Correct encoding was missed. + */ + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10409) + "To be forwarded query string contains control " + "characters or spaces"); + return HTTP_FORBIDDEN; + } } if (path == NULL) return HTTP_BAD_REQUEST;