[Pkg-apache-commits] r1372 - in /trunk/apache2: changelog patches/00list patches/084_CVE-2011-4317.dpatch

sf at alioth.debian.org sf at alioth.debian.org
Sat Dec 3 17:14:39 UTC 2011


Author: sf
Date: Sat Dec  3 17:14:38 2011
New Revision: 1372

URL: http://svn.debian.org/wsvn/pkg-apache/?sc=1&rev=1372
Log:
Fix CVE-2011-4317

Added:
    trunk/apache2/patches/084_CVE-2011-4317.dpatch
Modified:
    trunk/apache2/changelog
    trunk/apache2/patches/00list

Modified: trunk/apache2/changelog
URL: http://svn.debian.org/wsvn/pkg-apache/trunk/apache2/changelog?rev=1372&op=diff
==============================================================================
--- trunk/apache2/changelog (original)
+++ trunk/apache2/changelog Sat Dec  3 17:14:38 2011
@@ -1,5 +1,8 @@
 apache2 (2.2.21-3) UNRELEASED; urgency=low
 
+  * Fix CVE-2011-4317: Prevent unintended pattern expansion in some
+    reverse proxy configurations. (Similar to CVE-2011-3368, but different
+    attack vector.)
   * Fix broken link in docs. Closes: #650528
   * Remove Tollef Fog Heen, Thom May, and Peter Samuelson from uploaders.
     Thanks for your work in the past.
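Review bot: The entry header in the context still reads urgency=low, but the added bullet is a CVE fix for a reverse proxy issue that the upstream commit describes as backend network exposure; consider raising the urgency before upload. The bullet could also name the two modules touched (mod_proxy and mod_rewrite) and the upstream revision r1209432, so the entry can be matched to the dpatch without opening it.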

Modified: trunk/apache2/patches/00list
URL: http://svn.debian.org/wsvn/pkg-apache/trunk/apache2/patches/00list?rev=1372&op=diff
==============================================================================
--- trunk/apache2/patches/00list (original)
+++ trunk/apache2/patches/00list Sat Dec  3 17:14:38 2011
@@ -23,6 +23,7 @@
 079_polish_translation.dpatch
 082_ab_num_requests
 083_CVE-2011-3368.dpatch
+084_CVE-2011-4317.dpatch
 099_config_guess_sub_update
 200_cp_suexec.dpatch
 201_build_suexec-custom.dpatch

Added: trunk/apache2/patches/084_CVE-2011-4317.dpatch
URL: http://svn.debian.org/wsvn/pkg-apache/trunk/apache2/patches/084_CVE-2011-4317.dpatch?rev=1372&op=file
==============================================================================
--- trunk/apache2/patches/084_CVE-2011-4317.dpatch (added)
+++ trunk/apache2/patches/084_CVE-2011-4317.dpatch Sat Dec  3 17:14:38 2011
@@ -1,0 +1,70 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Upstream r1209432
+
+ at DPATCH@
+commit 318b86756de2049f652561e1a66420b4a92d4a7e
+Author: Joe Orton <jorton at apache.org>
+Date:   Fri Dec 2 12:04:20 2011 +0000
+
+    Fix for additional cases of URL rewriting with ProxyPassMatch or
+    RewriteRule, where particular request-URIs could result in undesired
+    backend network exposure in some configurations. (CVE-2011-4317)
+    
+    Thanks to Prutha Parikh from Qualys for reporting this issue.
+    
+    * modules/proxy/mod_proxy.c (proxy_trans): Decline to handle the "*"
+      request-URI.  Fail for cases where r->uri does not begin with a "/".
+    
+    * modules/mappers/mod_rewrite.c (hook_uri2file): Likewise.
+    
+    
+    git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1209432 13f79535-47bb-0310-9956-ffa450edef68
+
+diff --git a/modules/mappers/mod_rewrite.c b/modules/mappers/mod_rewrite.c
+index 470e01c..d29cb45 100644
+--- a/modules/mappers/mod_rewrite.c
++++ b/modules/mappers/mod_rewrite.c
+@@ -4419,6 +4419,18 @@ static int hook_uri2file(request_rec *r)
+         return DECLINED;
+     }
+ 
++    if (strcmp(r->unparsed_uri, "*") == 0) {
++        /* Don't apply rewrite rules to "*". */
++        return DECLINED;
++    }
++
++    /* Check that the URI is valid. */
++    if (!r->uri || r->uri[0] != '/') {
++        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
++                     "Invalid URI in request %s", r->the_request);
++        return HTTP_BAD_REQUEST;
++    }
++    
+     /*
+      *  add the SCRIPT_URL variable to the env. this is a bit complicated
+      *  due to the fact that apache uses subrequests and internal redirects
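Review bot: In hook_uri2file the new strcmp(r->unparsed_uri, "*") dereferences r->unparsed_uri with no NULL guard, while the check right after it tests !r->uri before indexing r->uri[0]. Either guard both pointers the same way or add a comment saying why unparsed_uri cannot be NULL at this hook. Minor: the added separator line after the closing brace carries trailing whitespace, and the same block is repeated in proxy_trans, so a shared helper would keep the two checks from drifting apart.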
+diff --git a/modules/proxy/mod_proxy.c b/modules/proxy/mod_proxy.c
+index 35195f8..8e90c9e 100644
+--- a/modules/proxy/mod_proxy.c
++++ b/modules/proxy/mod_proxy.c
+@@ -655,6 +655,18 @@ static int proxy_trans(request_rec *r)
+         return OK;
+     }
+ 
++    if (strcmp(r->unparsed_uri, "*") == 0) {
++        /* "*" cannot be proxied. */
++        return DECLINED;
++    }
++
++    /* Check that the URI is valid. */
++    if (!r->uri || r->uri[0] != '/') {
++        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
++                     "Invalid URI in request %s", r->the_request);
++        return HTTP_BAD_REQUEST;
++    }
++
+     /* XXX: since r->uri has been manipulated already we're not really
+      * compliant with RFC1945 at this point.  But this probably isn't
+      * an issue because this is a hybrid proxy/origin server.
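Review bot: In proxy_trans the new checks sit below the early "return OK;" shown in the context, so a request that takes that exit is never tested for "*" or for a leading "/". Please confirm that path cannot reach the ProxyPassMatch substitution, or move the validation above it. Each rejected request is also logged at APLOG_ERR together with the client-supplied r->the_request; a lower log level would limit error-log growth from repeated malformed requests. Since the git-svn-id shows this is the trunk commit and the changelog targets 2.2.21, it is worth stating in the DP: header that the hunks were checked against the packaged source.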



