[Pkg-apache-commits] [SCM] Debian packaging for apache2 (Apache HTTPD 2.x) branch, squeeze, updated. a40771997c44c700df5a3baf73d15af08b31aa9f

Stefan Fritsch sf at sfritsch.de
Sun Feb 5 20:35:44 UTC 2012


The following commit has been merged in the squeeze branch:
commit 1b4fbe5605e0b0f91893ac5b6ab5f350bb9fef87
Author: Stefan Fritsch <sf at sfritsch.de>
Date:   Sat Feb 4 17:36:58 2012 +0100

    update fix for CVE-2011-4317

diff --git a/debian/patches/090_CVE-2011-4317.dpatch b/debian/patches/090_CVE-2011-4317.dpatch
index 18f69a2..7e9a54b 100755
--- a/debian/patches/090_CVE-2011-4317.dpatch
+++ b/debian/patches/090_CVE-2011-4317.dpatch
@@ -1,70 +1,85 @@
 #! /bin/sh /usr/share/dpatch/dpatch-run
 ##
 ## All lines beginning with `## DP:' are a description of the patch.
-## DP: Upstream r1209432
+## DP: Upstream r1235443
 
 @DPATCH@
-commit 318b86756de2049f652561e1a66420b4a92d4a7e
-Author: Joe Orton <jorton at apache.org>
-Date:   Fri Dec 2 12:04:20 2011 +0000
+commit 99f9da5c79bc0de71f0982ac1c47a615d86b8b62
+Author: Jeff Trawick <trawick at apache.org>
+Date:   Tue Jan 24 19:39:31 2012 +0000
 
-    Fix for additional cases of URL rewriting with ProxyPassMatch or
-    RewriteRule, where particular request-URIs could result in undesired
-    backend network exposure in some configurations. (CVE-2011-4317)
-    
-    Thanks to Prutha Parikh from Qualys for reporting this issue.
+    Backport trunk revisions 1209432 and 1233604:
     
-    * modules/proxy/mod_proxy.c (proxy_trans): Decline to handle the "*"
-      request-URI.  Fail for cases where r->uri does not begin with a "/".
+    SECURITY: CVE-2011-4317 (cve.mitre.org)
+    Resolve additional cases of URL rewriting with ProxyPassMatch or
+    RewriteRule, where particular request-URIs could result in undesired
+    backend network exposure in some configurations.
     
-    * modules/mappers/mod_rewrite.c (hook_uri2file): Likewise.
+    Submitted by: jorton
+    Reviewed by: trawick, covener, gregames
     
     
-    git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1209432 13f79535-47bb-0310-9956-ffa450edef68
+    git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1235443 13f79535-47bb-0310-9956-ffa450edef68
 
 diff --git a/modules/mappers/mod_rewrite.c b/modules/mappers/mod_rewrite.c
-index 470e01c..d29cb45 100644
+index 8887bea..89b5af5 100644
 --- a/modules/mappers/mod_rewrite.c
 +++ b/modules/mappers/mod_rewrite.c
-@@ -4419,6 +4419,18 @@ static int hook_uri2file(request_rec *r)
+@@ -4266,6 +4266,11 @@ static int hook_uri2file(request_rec *r)
          return DECLINED;
      }
  
-+    if (strcmp(r->unparsed_uri, "*") == 0) {
-+        /* Don't apply rewrite rules to "*". */
++    if ((r->unparsed_uri[0] == '*' && r->unparsed_uri[1] == '\0')
++        || !r->uri || r->uri[0] != '/') {
 +        return DECLINED;
 +    }
 +
-+    /* Check that the URI is valid. */
-+    if (!r->uri || r->uri[0] != '/') {
-+        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-+                     "Invalid URI in request %s", r->the_request);
-+        return HTTP_BAD_REQUEST;
-+    }
-+    
      /*
       *  add the SCRIPT_URL variable to the env. this is a bit complicated
       *  due to the fact that apache uses subrequests and internal redirects
 diff --git a/modules/proxy/mod_proxy.c b/modules/proxy/mod_proxy.c
-index 35195f8..8e90c9e 100644
+index 1efe95c..fb9ff39 100644
 --- a/modules/proxy/mod_proxy.c
 +++ b/modules/proxy/mod_proxy.c
-@@ -655,6 +655,18 @@ static int proxy_trans(request_rec *r)
+@@ -566,6 +566,11 @@ static int proxy_trans(request_rec *r)
          return OK;
      }
  
-+    if (strcmp(r->unparsed_uri, "*") == 0) {
-+        /* "*" cannot be proxied. */
++    if ((r->unparsed_uri[0] == '*' && r->unparsed_uri[1] == '\0')
++        || !r->uri || r->uri[0] != '/') {
 +        return DECLINED;
 +    }
 +
-+    /* Check that the URI is valid. */
-+    if (!r->uri || r->uri[0] != '/') {
-+        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-+                     "Invalid URI in request %s", r->the_request);
-+        return HTTP_BAD_REQUEST;
-+    }
-+
      /* XXX: since r->uri has been manipulated already we're not really
       * compliant with RFC1945 at this point.  But this probably isn't
       * an issue because this is a hybrid proxy/origin server.
+diff --git a/server/protocol.c b/server/protocol.c
+index d018096..2e3ce93 100644
+--- a/server/protocol.c
++++ b/server/protocol.c
+@@ -640,25 +640,6 @@ static int read_request_line(request_rec *r, apr_bucket_brigade *bb)
+ 
+     ap_parse_uri(r, uri);
+ 
+-    /* RFC 2616:
+-     *   Request-URI    = "*" | absoluteURI | abs_path | authority
+-     *
+-     * authority is a special case for CONNECT.  If the request is not
+-     * using CONNECT, and the parsed URI does not have scheme, and
+-     * it does not begin with '/', and it is not '*', then, fail
+-     * and give a 400 response. */
+-    if (r->method_number != M_CONNECT 
+-        && !r->parsed_uri.scheme 
+-        && uri[0] != '/'
+-        && !(uri[0] == '*' && uri[1] == '\0')) {
+-        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+-                      "invalid request-URI %s", uri);
+-        r->args = NULL;
+-        r->hostname = NULL;
+-        r->status = HTTP_BAD_REQUEST;
+-        r->uri = apr_pstrdup(r->pool, uri);
+-    }
+-
+     if (ll[0]) {
+         r->assbackwards = 0;
+         pro = ll;
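Review bot: The merged guard added to hook_uri2file and proxy_trans in the embedded patch returns DECLINED silently for a request-URI that does not begin with '/', where the previous revision logged "Invalid URI in request" and returned HTTP_BAD_REQUEST; the same update also deletes the 400 check from read_request_line. Nothing visible in this patch rejects such a request any more, so the fix presumably depends on a later translate_name hook to answer 400. That dependency should be written down at both sites, for example `/* "*" or a URI without a leading '/': not ours to map; decline and leave rejection to a later translate_name hook */`. With the protocol.c check gone, any other module that maps r->uri during translate_name or earlier needs its own leading-'/' test, and it is worth confirming that the remaining patches in the series do not assume the removed check. The guard also NULL-checks r->uri but indexes r->unparsed_uri unconditionally; both functions continue outside the hunk, so whether that is safe cannot be confirmed from here.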

-- 
Debian packaging for apache2 (Apache HTTPD 2.x)


