File httpd-2.2.x-CVE-2011-3368-server_protocl_c.diff of Package apache2

diff -rNU 20 ../httpd-2.2.21-o/server/protocol.c ./server/protocol.c
--- ../httpd-2.2.21-o/server/protocol.c	2011-05-07 13:39:29.000000000 +0200
+++ ./server/protocol.c	2011-10-07 17:10:46.000000000 +0200
@@ -623,40 +623,64 @@
 
 #if 0
 /* XXX If we want to keep track of the Method, the protocol module should do
  * it.  That support isn't in the scoreboard yet.  Hopefully next week
  * sometime.   rbb */
     ap_update_connection_status(AP_CHILD_THREAD_FROM_ID(conn->id), "Method",
                                 r->method);
 #endif
 
     uri = ap_getword_white(r->pool, &ll);
 
     /* Provide quick information about the request method as soon as known */
 
     r->method_number = ap_method_number_of(r->method);
     if (r->method_number == M_GET && r->method[0] == 'H') {
         r->header_only = 1;
     }
 
     ap_parse_uri(r, uri);
 
+/* 
+	https://svn.apache.org/viewvc/httpd/httpd/trunk/server/protocol.c?r1=1178566&r2=1179239&pathrev=1179239&view=patch
+	This is the fix for CVE-2011-3368; via bnc#722545.
+ */
+
+    /* RFC 2616:
+     *   Request-URI    = "*" | absoluteURI | abs_path | authority
+     *
+     * authority is a special case for CONNECT.  If the request is not
+     * using CONNECT, and the parsed URI does not have scheme, and
+     * it does not begin with '/', and it is not '*', then, fail
+     * and give a 400 response. */
+    if (r->method_number != M_CONNECT 
+        && !r->parsed_uri.scheme 
+        && uri[0] != '/'
+        && !(uri[0] == '*' && uri[1] == '\0')) {
+        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+                      "invalid request-URI %s", uri);
+        r->args = NULL;
+        r->hostname = NULL;
+        r->status = HTTP_BAD_REQUEST;
+        r->uri = apr_pstrdup(r->pool, uri);
+    }
+
     if (ll[0]) {
         r->assbackwards = 0;
         pro = ll;
         len = strlen(ll);
     } else {
         r->assbackwards = 1;
         pro = "HTTP/0.9";
         len = 8;
     }
     r->protocol = apr_pstrmemdup(r->pool, pro, len);
 
     /* XXX ap_update_connection_status(conn->id, "Protocol", r->protocol); */
 
     /* Avoid sscanf in the common case */
     if (len == 8
         && pro[0] == 'H' && pro[1] == 'T' && pro[2] == 'T' && pro[3] == 'P'
         && pro[4] == '/' && apr_isdigit(pro[5]) && pro[6] == '.'
         && apr_isdigit(pro[7])) {
         r->proto_num = HTTP_VERSION(pro[5] - '0', pro[7] - '0');
     }
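Review bot: The new guard starting at `if (r->method_number != M_CONNECT` only records `r->status = HTTP_BAD_REQUEST` and then falls through into the protocol parsing below, so the rejection depends on the caller checking `r->status` before any URI-translation or proxy hook sees `r->uri`. The enclosing function starts and ends outside this hunk, so that caller path cannot be confirmed from here. It is worth stating in the block, e.g. `/* No return here: the caller must see r->status != HTTP_OK and send the 400 before any hook runs. */`. The test is also skipped whenever `r->parsed_uri.scheme` is set, so request targets that parse with a scheme are not validated by this check. Code that builds a backend URL from the request by pattern substitution should presumably still verify the path begins with '/' on its own. The comment at column 0 above the RFC 2616 block is tab-indented and breaks the surrounding four-space style; indent it with the code it describes.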