[Pkg-apache-commits] [SCM] Debian packaging for apache2 (Apache HTTPD 2.x) branch, squeeze, updated. a40771997c44c700df5a3baf73d15af08b31aa9f
Stefan Fritsch
sf at sfritsch.de
Sun Feb 5 20:35:44 UTC 2012
The following commit has been merged in the squeeze branch:
commit 1b4fbe5605e0b0f91893ac5b6ab5f350bb9fef87
Author: Stefan Fritsch <sf at sfritsch.de>
Date: Sat Feb 4 17:36:58 2012 +0100
update fix for CVE-2011-4317
diff --git a/debian/patches/090_CVE-2011-4317.dpatch b/debian/patches/090_CVE-2011-4317.dpatch
index 18f69a2..7e9a54b 100755
--- a/debian/patches/090_CVE-2011-4317.dpatch
+++ b/debian/patches/090_CVE-2011-4317.dpatch
@@ -1,70 +1,85 @@
#! /bin/sh /usr/share/dpatch/dpatch-run
##
## All lines beginning with `## DP:' are a description of the patch.
-## DP: Upstream r1209432
+## DP: Upstream r1235443
@DPATCH@
-commit 318b86756de2049f652561e1a66420b4a92d4a7e
-Author: Joe Orton <jorton at apache.org>
-Date: Fri Dec 2 12:04:20 2011 +0000
+commit 99f9da5c79bc0de71f0982ac1c47a615d86b8b62
+Author: Jeff Trawick <trawick at apache.org>
+Date: Tue Jan 24 19:39:31 2012 +0000
- Fix for additional cases of URL rewriting with ProxyPassMatch or
- RewriteRule, where particular request-URIs could result in undesired
- backend network exposure in some configurations. (CVE-2011-4317)
-
- Thanks to Prutha Parikh from Qualys for reporting this issue.
+ Backport trunk revisions 1209432 and 1233604:
- * modules/proxy/mod_proxy.c (proxy_trans): Decline to handle the "*"
- request-URI. Fail for cases where r->uri does not begin with a "/".
+ SECURITY: CVE-2011-4317 (cve.mitre.org)
+ Resolve additional cases of URL rewriting with ProxyPassMatch or
+ RewriteRule, where particular request-URIs could result in undesired
+ backend network exposure in some configurations.
- * modules/mappers/mod_rewrite.c (hook_uri2file): Likewise.
+ Submitted by: jorton
+ Reviewed by: trawick, covener, gregames
- git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1209432 13f79535-47bb-0310-9956-ffa450edef68
+ git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1235443 13f79535-47bb-0310-9956-ffa450edef68
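Review bot: The `## DP:` description at the top of the dpatch now names only `Upstream r1235443`; the CVE id and the fact that this is a backport of trunk revisions 1209432 and 1233604 appear only in the embedded commit message. A second `## DP:` line naming CVE-2011-4317 and stating that the patch now also changes server/protocol.c would let someone scanning the patch series see the scope without reading the hunks. The updated message also drops the reporter credit that the previous one carried; consider keeping it.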
diff --git a/modules/mappers/mod_rewrite.c b/modules/mappers/mod_rewrite.c
-index 470e01c..d29cb45 100644
+index 8887bea..89b5af5 100644
--- a/modules/mappers/mod_rewrite.c
+++ b/modules/mappers/mod_rewrite.c
-@@ -4419,6 +4419,18 @@ static int hook_uri2file(request_rec *r)
+@@ -4266,6 +4266,11 @@ static int hook_uri2file(request_rec *r)
return DECLINED;
}
-+ if (strcmp(r->unparsed_uri, "*") == 0) {
-+ /* Don't apply rewrite rules to "*". */
++ if ((r->unparsed_uri[0] == '*' && r->unparsed_uri[1] == '\0')
++ || !r->uri || r->uri[0] != '/') {
+ return DECLINED;
+ }
+
-+ /* Check that the URI is valid. */
-+ if (!r->uri || r->uri[0] != '/') {
-+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-+ "Invalid URI in request %s", r->the_request);
-+ return HTTP_BAD_REQUEST;
-+ }
-+
/*
* add the SCRIPT_URL variable to the env. this is a bit complicated
* due to the fact that apache uses subrequests and internal redirects
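Review bot: In hook_uri2file the combined check now returns DECLINED for a URI that does not begin with "/", where the lines it replaces logged "Invalid URI in request" at APLOG_ERR and returned HTTP_BAD_REQUEST. A malformed request-URI is therefore no longer rejected or recorded at this point; it only skips rewriting and carries on through the later hooks. Both explanatory comments were removed as well, so please add a comment saying why declining is sufficient here, and consider keeping a log line so these requests remain visible in the error log.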
diff --git a/modules/proxy/mod_proxy.c b/modules/proxy/mod_proxy.c
-index 35195f8..8e90c9e 100644
+index 1efe95c..fb9ff39 100644
--- a/modules/proxy/mod_proxy.c
+++ b/modules/proxy/mod_proxy.c
-@@ -655,6 +655,18 @@ static int proxy_trans(request_rec *r)
+@@ -566,6 +566,11 @@ static int proxy_trans(request_rec *r)
return OK;
}
-+ if (strcmp(r->unparsed_uri, "*") == 0) {
-+ /* "*" cannot be proxied. */
++ if ((r->unparsed_uri[0] == '*' && r->unparsed_uri[1] == '\0')
++ || !r->uri || r->uri[0] != '/') {
+ return DECLINED;
+ }
+
-+ /* Check that the URI is valid. */
-+ if (!r->uri || r->uri[0] != '/') {
-+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-+ "Invalid URI in request %s", r->the_request);
-+ return HTTP_BAD_REQUEST;
-+ }
-+
/* XXX: since r->uri has been manipulated already we're not really
* compliant with RFC1945 at this point. But this probably isn't
* an issue because this is a hybrid proxy/origin server.
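Review bot: The condition in proxy_trans is a copy of the one added to hook_uri2file, and it reads `r->unparsed_uri[0]` without a NULL test while guarding `r->uri` with `!r->uri` in the same expression. Either state in a comment that unparsed_uri is always set by the time this hook runs, or test it too; moving the check into one shared helper would keep the two modules from drifting apart. The dropped comment noting that "*" cannot be proxied was useful and could stay.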
+diff --git a/server/protocol.c b/server/protocol.c
+index d018096..2e3ce93 100644
+--- a/server/protocol.c
++++ b/server/protocol.c
+@@ -640,25 +640,6 @@ static int read_request_line(request_rec *r, apr_bucket_brigade *bb)
+
+ ap_parse_uri(r, uri);
+
+- /* RFC 2616:
+- * Request-URI = "*" | absoluteURI | abs_path | authority
+- *
+- * authority is a special case for CONNECT. If the request is not
+- * using CONNECT, and the parsed URI does not have scheme, and
+- * it does not begin with '/', and it is not '*', then, fail
+- * and give a 400 response. */
+- if (r->method_number != M_CONNECT
+- && !r->parsed_uri.scheme
+- && uri[0] != '/'
+- && !(uri[0] == '*' && uri[1] == '\0')) {
+- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+- "invalid request-URI %s", uri);
+- r->args = NULL;
+- r->hostname = NULL;
+- r->status = HTTP_BAD_REQUEST;
+- r->uri = apr_pstrdup(r->pool, uri);
+- }
+-
+ if (ll[0]) {
+ r->assbackwards = 0;
+ pro = ll;
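Review bot: This newly added part removes from read_request_line the only check in the patch that answered 400 for a non-CONNECT request-URI with no scheme, no leading "/" and not equal to "*". With it gone, the protection visible here is the pair of DECLINED checks in hook_uri2file and proxy_trans, so any other consumer of r->uri sees such a URI unfiltered. The embedded commit message does not explain the removal; please document the reason in the patch description, and confirm that the removed block is present in the tree at the point this dpatch is applied, since the hunk cannot apply otherwise.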
--
Debian packaging for apache2 (Apache HTTPD 2.x)