[Pkg-apache-commits] r1372 - in /trunk/apache2: changelog patches/00list patches/084_CVE-2011-4317.dpatch
sf at alioth.debian.org
sf at alioth.debian.org
Sat Dec 3 17:14:39 UTC 2011
Author: sf
Date: Sat Dec 3 17:14:38 2011
New Revision: 1372
URL: http://svn.debian.org/wsvn/pkg-apache/?sc=1&rev=1372
Log:
Fix CVE-2011-4317
Added:
trunk/apache2/patches/084_CVE-2011-4317.dpatch
Modified:
trunk/apache2/changelog
trunk/apache2/patches/00list
Modified: trunk/apache2/changelog
URL: http://svn.debian.org/wsvn/pkg-apache/trunk/apache2/changelog?rev=1372&op=diff
==============================================================================
--- trunk/apache2/changelog (original)
+++ trunk/apache2/changelog Sat Dec 3 17:14:38 2011
@@ -1,5 +1,8 @@
apache2 (2.2.21-3) UNRELEASED; urgency=low
+ * Fix CVE-2011-4317: Prevent unintended pattern expansion in some
+ reverse proxy configurations. (Similar to CVE-2011-3368, but different
+ attack vector.)
* Fix broken link in docs. Closes: #650528
* Remove Tollef Fog Heen, Thom May, and Peter Samuelson from uploaders.
Thanks for your work in the past.
Modified: trunk/apache2/patches/00list
URL: http://svn.debian.org/wsvn/pkg-apache/trunk/apache2/patches/00list?rev=1372&op=diff
==============================================================================
--- trunk/apache2/patches/00list (original)
+++ trunk/apache2/patches/00list Sat Dec 3 17:14:38 2011
@@ -23,6 +23,7 @@
079_polish_translation.dpatch
082_ab_num_requests
083_CVE-2011-3368.dpatch
+084_CVE-2011-4317.dpatch
099_config_guess_sub_update
200_cp_suexec.dpatch
201_build_suexec-custom.dpatch
Added: trunk/apache2/patches/084_CVE-2011-4317.dpatch
URL: http://svn.debian.org/wsvn/pkg-apache/trunk/apache2/patches/084_CVE-2011-4317.dpatch?rev=1372&op=file
==============================================================================
--- trunk/apache2/patches/084_CVE-2011-4317.dpatch (added)
+++ trunk/apache2/patches/084_CVE-2011-4317.dpatch Sat Dec 3 17:14:38 2011
@@ -1,0 +1,70 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Upstream r1209432
+
+ at DPATCH@
+commit 318b86756de2049f652561e1a66420b4a92d4a7e
+Author: Joe Orton <jorton at apache.org>
+Date: Fri Dec 2 12:04:20 2011 +0000
+
+ Fix for additional cases of URL rewriting with ProxyPassMatch or
+ RewriteRule, where particular request-URIs could result in undesired
+ backend network exposure in some configurations. (CVE-2011-4317)
+
+ Thanks to Prutha Parikh from Qualys for reporting this issue.
+
+ * modules/proxy/mod_proxy.c (proxy_trans): Decline to handle the "*"
+ request-URI. Fail for cases where r->uri does not begin with a "/".
+
+ * modules/mappers/mod_rewrite.c (hook_uri2file): Likewise.
+
+
+ git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1209432 13f79535-47bb-0310-9956-ffa450edef68
+
+diff --git a/modules/mappers/mod_rewrite.c b/modules/mappers/mod_rewrite.c
+index 470e01c..d29cb45 100644
+--- a/modules/mappers/mod_rewrite.c
++++ b/modules/mappers/mod_rewrite.c
+@@ -4419,6 +4419,18 @@ static int hook_uri2file(request_rec *r)
+ return DECLINED;
+ }
+
++ if (strcmp(r->unparsed_uri, "*") == 0) {
++ /* Don't apply rewrite rules to "*". */
++ return DECLINED;
++ }
++
++ /* Check that the URI is valid. */
++ if (!r->uri || r->uri[0] != '/') {
++ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
++ "Invalid URI in request %s", r->the_request);
++ return HTTP_BAD_REQUEST;
++ }
++
+ /*
+ * add the SCRIPT_URL variable to the env. this is a bit complicated
+ * due to the fact that apache uses subrequests and internal redirects
+diff --git a/modules/proxy/mod_proxy.c b/modules/proxy/mod_proxy.c
+index 35195f8..8e90c9e 100644
+--- a/modules/proxy/mod_proxy.c
++++ b/modules/proxy/mod_proxy.c
+@@ -655,6 +655,18 @@ static int proxy_trans(request_rec *r)
+ return OK;
+ }
+
++ if (strcmp(r->unparsed_uri, "*") == 0) {
++ /* "*" cannot be proxied. */
++ return DECLINED;
++ }
++
++ /* Check that the URI is valid. */
++ if (!r->uri || r->uri[0] != '/') {
++ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
++ "Invalid URI in request %s", r->the_request);
++ return HTTP_BAD_REQUEST;
++ }
++
+ /* XXX: since r->uri has been manipulated already we're not really
+ * compliant with RFC1945 at this point. But this probably isn't
+ * an issue because this is a hybrid proxy/origin server.
More information about the Pkg-apache-commits
mailing list