Overview

File apache2-CVE-2024-38473-2.patch of Package apache2.35276

From 6b8e043ce4f27114e6ae1b8176b629b7cb3fbbce Mon Sep 17 00:00:00 2001
From: Yann Ylavic <ylavic@apache.org>
Date: Wed, 26 Jun 2024 14:51:32 +0000
Subject: [PATCH] mod_proxy: Fixup UDS filename for mod_proxy called through
 r->handler.

* modules/proxy/proxy_util.c:
  Export ap_proxy_fixup_uds_filename() from fix_uds_filename.
  Call it from ap_proxy_pre_request() even for rewritten balancer workers.

* modules/proxy/mod_proxy.h:
  Declare ap_proxy_fixup_uds_filename()

* modules/proxy/mod_proxy.c:
  Fixup UDS filename from r->handler in proxy_handler().

* include/ap_mmn.h:
  Bump MMN minor for ap_proxy_fixup_uds_filename()


mod_proxy: follow up to r1918626: Simplify ap_proxy_fixup_uds_filename() and callers.


Merges r1918626, r1918647 from trunk
GH: closes #457


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1918666 13f79535-47bb-0310-9956-ffa450edef68
---
 include/ap_mmn.h           |  3 ++-
 modules/proxy/mod_proxy.c  | 33 ++++++++++++++++++------------
 modules/proxy/mod_proxy.h  |  8 ++++++++
 modules/proxy/proxy_util.c | 41 ++++++++++++++++++++++----------------
 4 files changed, 54 insertions(+), 31 deletions(-)

Index: httpd-2.4.58/modules/proxy/mod_proxy.c
===================================================================
--- httpd-2.4.58.orig/modules/proxy/mod_proxy.c
+++ httpd-2.4.58/modules/proxy/mod_proxy.c
@@ -1227,6 +1227,7 @@ static int proxy_fixup(request_rec *r)
 
     return OK;      /* otherwise; we've done the best we can */
 }
+
 /* Send a redirection if the request contains a hostname which is not */
 /* fully qualified, i.e. doesn't have a domain name appended. Some proxy */
 /* servers like Netscape's allow this and access hosts from the local */
@@ -1280,7 +1281,7 @@ static int proxy_handler(request_rec *r)
         ap_get_module_config(sconf, &proxy_module);
     apr_array_header_t *proxies = conf->proxies;
     struct proxy_remote *ents = (struct proxy_remote *) proxies->elts;
-    int i, rc, access_status;
+    int rc = DECLINED, access_status, i;
     int direct_connect = 0;
     const char *str;
     apr_int64_t maxfwd;
@@ -1295,22 +1296,28 @@ static int proxy_handler(request_rec *r)
         return DECLINED;
     }
 
-    if (!r->proxyreq) {
-        rc = DECLINED;
-        /* We may have forced the proxy handler via config or .htaccess */
-        if (r->handler &&
-            strncmp(r->handler, "proxy:", 6) == 0 &&
-            strncmp(r->filename, "proxy:", 6) != 0) {
-            r->proxyreq = PROXYREQ_REVERSE;
-            r->filename = apr_pstrcat(r->pool, r->handler, r->filename, NULL);
-            /* Still need to fixup/canonicalize r->filename */
+    /* We may have forced the proxy handler via config or .htaccess */
+    if (!r->proxyreq && r->handler && strncmp(r->handler, "proxy:", 6) == 0) {
+        char *old_filename = r->filename;
+
+        r->proxyreq = PROXYREQ_REVERSE;
+        r->filename = apr_pstrcat(r->pool, r->handler, r->filename, NULL);
+
+        /* Still need to fixup/canonicalize r->filename */
+        rc = ap_proxy_fixup_uds_filename(r);
+        if (rc <= OK) {
             rc = proxy_fixup(r);
         }
         if (rc != OK) {
-            return rc;
+            r->filename = old_filename;
+            r->proxyreq = 0;
         }
-    } else if (strncmp(r->filename, "proxy:", 6) != 0) {
-        return DECLINED;
+    }
+    else if (r->proxyreq && strncmp(r->filename, "proxy:", 6) == 0) {
+        rc = OK;
+    }
+    if (rc != OK) {
+        return rc;
     }
 
     /* handle max-forwards / OPTIONS / TRACE */
Index: httpd-2.4.58/modules/proxy/mod_proxy.h
===================================================================
--- httpd-2.4.58.orig/modules/proxy/mod_proxy.h
+++ httpd-2.4.58/modules/proxy/mod_proxy.h
@@ -993,6 +993,14 @@ PROXY_DECLARE(proxy_balancer_shared *) a
                                                                  proxy_balancer *balancer,
                                                                  unsigned int *index);
 
+/*
+ * Strip the UDS part of r->filename if any, and put the UDS path in
+ * r->notes ("uds_path")
+ * @param r        current request
+ * @return         OK if fixed up, DECLINED if not UDS, or an HTTP_XXX error
+ */
+PROXY_DECLARE(int) ap_proxy_fixup_uds_filename(request_rec *r);
+
 /**
  * Get the most suitable worker and/or balancer for the request
  * @param worker   worker used for processing request
Index: httpd-2.4.58/modules/proxy/proxy_util.c
===================================================================
--- httpd-2.4.58.orig/modules/proxy/proxy_util.c
+++ httpd-2.4.58/modules/proxy/proxy_util.c
@@ -2316,7 +2316,7 @@ static int ap_proxy_retry_worker(const c
  * were passed a UDS url (eg: from mod_proxy) and adjust uds_path
  * as required.  
  */
-static int fix_uds_filename(request_rec *r, char **url) 
+PROXY_DECLARE(int) ap_proxy_fixup_uds_filename(request_rec *r) 
 {
     char *uds_url = r->filename + 6, *origin_url;
 
@@ -2324,7 +2324,6 @@ static int fix_uds_filename(request_rec
             !ap_cstr_casecmpn(uds_url, "unix:", 5) &&
             (origin_url = ap_strchr(uds_url + 5, '|'))) {
         char *uds_path = NULL;
-        apr_size_t url_len;
         apr_uri_t urisock;
         apr_status_t rv;
 
@@ -2339,20 +2338,20 @@ static int fix_uds_filename(request_rec
         if (!uds_path) {
             ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10292)
                     "Invalid proxy UDS filename (%s)", r->filename);
-            return 0;
+            return HTTP_BAD_REQUEST;
         }
         apr_table_setn(r->notes, "uds_path", uds_path);
 
-        /* Remove the UDS path from *url and r->filename */
-        url_len = strlen(origin_url);
-        *url = apr_pstrmemdup(r->pool, origin_url, url_len);
-        memcpy(uds_url, *url, url_len + 1);
-
         ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r,
-                "*: rewrite of url due to UDS(%s): %s (%s)",
-                uds_path, *url, r->filename);
+                "*: fixup UDS from %s: %s (%s)",
+                r->filename, origin_url, uds_path);
+
+        /* Overwrite the UDS part in place */
+        memmove(uds_url, origin_url, strlen(origin_url) + 1);
+        return OK;
     }
-    return 1;
+
+    return DECLINED;
 }
 
 PROXY_DECLARE(int) ap_proxy_pre_request(proxy_worker **worker,
@@ -2371,9 +2370,6 @@ PROXY_DECLARE(int) ap_proxy_pre_request(
             ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r,
                           "%s: found worker %s for %s",
                           (*worker)->s->scheme, (*worker)->s->name_ex, *url);
-            if (!forward && !fix_uds_filename(r, url)) {
-                return HTTP_INTERNAL_SERVER_ERROR;
-            }
             access_status = OK;
         }
         else if (forward) {
@@ -2403,9 +2399,6 @@ PROXY_DECLARE(int) ap_proxy_pre_request(
                  * regarding the Connection header in the request.
                  */
                 apr_table_setn(r->subprocess_env, "proxy-nokeepalive", "1");
-                if (!fix_uds_filename(r, url)) {
-                    return HTTP_INTERNAL_SERVER_ERROR;
-                }
             }
         }
     }
@@ -2415,6 +2408,20 @@ PROXY_DECLARE(int) ap_proxy_pre_request(
                       "all workers are busy.  Unable to serve %s", *url);
         access_status = HTTP_SERVICE_UNAVAILABLE;
     }
+
+    if (access_status == OK && r->proxyreq == PROXYREQ_REVERSE) {
+        int rc = ap_proxy_fixup_uds_filename(r);
+        if (ap_is_HTTP_ERROR(rc)) {
+            return rc;
+        }
+        /* If the URL has changed in r->filename, take everything after
+         * the "proxy:" prefix.
+         */
+        if (rc == OK) {
+            *url = apr_pstrdup(r->pool, r->filename + 6);
+        }
+    }
+
     return access_status;
 }
openSUSE Build Service is sponsored by
Places