File apache2-CVE-2021-44224-2.patch of Package apache2.27541
Index: httpd-2.4.33/include/http_protocol.h
===================================================================
--- httpd-2.4.33.orig/include/http_protocol.h 2017-05-30 14:27:41.000000000 +0200
+++ httpd-2.4.33/include/http_protocol.h 2022-01-05 10:34:33.100267847 +0100
@@ -75,6 +75,13 @@ AP_DECLARE(void) ap_get_mime_headers(req
AP_DECLARE(void) ap_get_mime_headers_core(request_rec *r,
apr_bucket_brigade *bb);
+/**
+ * Run post_read_request hook and validate.
+ * @param r The current request
+ * @return OK or HTTP_...
+ */
+AP_DECLARE(int) ap_post_read_request(request_rec *r);
+
/* Finish up stuff after a request */
/**
Index: httpd-2.4.33/modules/http/http_request.c
===================================================================
--- httpd-2.4.33.orig/modules/http/http_request.c 2018-03-16 00:19:12.000000000 +0100
+++ httpd-2.4.33/modules/http/http_request.c 2022-01-05 10:34:33.100267847 +0100
@@ -662,7 +662,7 @@ static request_rec *internal_internal_re
* to do their thing on internal redirects as well. Perhaps this is a
* misnamed function.
*/
- if ((access_status = ap_run_post_read_request(new))) {
+ if ((access_status = ap_post_read_request(new))) {
ap_die(access_status, new);
return NULL;
}
Index: httpd-2.4.33/modules/http2/h2_request.c
===================================================================
--- httpd-2.4.33.orig/modules/http2/h2_request.c 2022-01-05 10:34:33.100267847 +0100
+++ httpd-2.4.33/modules/http2/h2_request.c 2022-01-05 10:37:34.469281690 +0100
@@ -345,7 +345,7 @@ request_rec *h2_request_create_rec(const
NULL, r, r->connection);
if (access_status != HTTP_OK
- || (access_status = ap_run_post_read_request(r))) {
+ || (access_status = ap_post_read_request(r))) {
/* Request check post hooks failed. An example of this would be a
* request for a vhost where h2 is disabled --> 421.
*/
Index: httpd-2.4.33/modules/proxy/mod_proxy.c
===================================================================
--- httpd-2.4.33.orig/modules/proxy/mod_proxy.c 2022-01-05 10:34:33.088267779 +0100
+++ httpd-2.4.33/modules/proxy/mod_proxy.c 2022-01-05 10:40:23.114224450 +0100
@@ -573,13 +573,13 @@ static int proxy_detect(request_rec *r)
/* Ick... msvc (perhaps others) promotes ternary short results to int */
- if (conf->req && r->parsed_uri.scheme) {
+ if (conf->req && r->parsed_uri.scheme && r->parsed_uri.hostname) {
/* but it might be something vhosted */
- if (!(r->parsed_uri.hostname
- && !strcasecmp(r->parsed_uri.scheme, ap_http_scheme(r))
- && ap_matches_request_vhost(r, r->parsed_uri.hostname,
- (apr_port_t)(r->parsed_uri.port_str ? r->parsed_uri.port
- : ap_default_port(r))))) {
+ if (ap_cstr_casecmp(r->parsed_uri.scheme, ap_http_scheme(r)) != 0
+ || !ap_matches_request_vhost(r, r->parsed_uri.hostname,
+ (apr_port_t)(r->parsed_uri.port_str
+ ? r->parsed_uri.port
+ : ap_default_port(r)))) {
r->proxyreq = PROXYREQ_PROXY;
r->uri = r->unparsed_uri;
r->filename = apr_pstrcat(r->pool, "proxy:", r->uri, NULL);
@@ -1719,6 +1719,7 @@ static const char *
struct proxy_alias *new;
char *f = cmd->path;
char *r = NULL;
+ const char *real;
char *word;
apr_table_t *params = apr_table_make(cmd->pool, 5);
const apr_array_header_t *arr;
@@ -1785,6 +1786,10 @@ static const char *
if (r == NULL) {
return "ProxyPass|ProxyPassMatch needs a path when not defined in a location";
}
+ if (!(real = ap_proxy_de_socketfy(cmd->temp_pool, r))) {
+ return "ProxyPass|ProxyPassMatch uses an invalid \"unix:\" URL";
+ }
+
/* if per directory, save away the single alias */
if (cmd->path) {
@@ -1801,7 +1806,7 @@ static const char *
}
new->fake = apr_pstrdup(cmd->pool, f);
- new->real = apr_pstrdup(cmd->pool, ap_proxy_de_socketfy(cmd->pool, r));
+ new->real = apr_pstrdup(cmd->pool, real);
new->flags = flags;
if (worker_type & AP_PROXY_WORKER_IS_MATCH) {
new->regex = ap_pregcomp(cmd->pool, f, AP_REG_EXTENDED);
@@ -2281,6 +2286,7 @@ static const char *add_member(cmd_parms
proxy_worker *worker;
char *path = cmd->path;
char *name = NULL;
+ const char *real;
char *word;
apr_table_t *params = apr_table_make(cmd->pool, 5);
const apr_array_header_t *arr;
@@ -2321,6 +2327,9 @@ static const char *add_member(cmd_parms
return "BalancerMember must define balancer name when outside <Proxy > section";
if (!name)
return "BalancerMember must define remote proxy server";
+ if (!(real = ap_proxy_de_socketfy(cmd->temp_pool, name))) {
+ return "BalancerMember uses an invalid \"unix:\" URL";
+ }
ap_str_tolower(path); /* lowercase scheme://hostname */
@@ -2333,8 +2342,7 @@ static const char *add_member(cmd_parms
}
/* Try to find existing worker */
- worker = ap_proxy_get_worker(cmd->temp_pool, balancer, conf,
- ap_proxy_de_socketfy(cmd->temp_pool, name));
+ worker = ap_proxy_get_worker(cmd->temp_pool, balancer, conf, real);
if (!worker) {
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, cmd->server, APLOGNO(01147)
"Defining worker '%s' for balancer '%s'",
@@ -2431,9 +2439,14 @@ static const char *
}
}
else {
+ const char *real;
+
+ if (!(real = ap_proxy_de_socketfy(cmd->temp_pool, name))) {
+ return "ProxySet uses an invalid \"unix:\" URL";
+ }
+
worker = ap_proxy_get_worker_ex(cmd->temp_pool, NULL, conf,
- ap_proxy_de_socketfy(cmd->temp_pool, name),
- worker_type);
+ real, worker_type);
if (!worker) {
if (in_proxy_section) {
err = ap_proxy_define_worker_ex(cmd->pool, &worker, NULL,
@@ -2578,9 +2591,14 @@ static const char *proxysection(cmd_parm
}
}
else {
+ const char *real;
+
+ if (!(real = ap_proxy_de_socketfy(cmd->temp_pool, conf->p))) {
+ return "<Proxy/ProxyMatch > uses an invalid \"unix:\" URL";
+ }
+
worker = ap_proxy_get_worker_ex(cmd->temp_pool, NULL, sconf,
- ap_proxy_de_socketfy(cmd->temp_pool, conf->p),
- worker_type);
+ real, worker_type);
if (!worker) {
err = ap_proxy_define_worker_ex(cmd->pool, &worker, NULL, sconf,
conf->p, worker_type);
Index: httpd-2.4.33/modules/proxy/proxy_util.c
===================================================================
--- httpd-2.4.33.orig/modules/proxy/proxy_util.c 2022-01-05 10:34:33.088267779 +0100
+++ httpd-2.4.33/modules/proxy/proxy_util.c 2022-01-05 10:34:33.100267847 +0100
@@ -1525,6 +1525,9 @@ PROXY_DECLARE(proxy_worker *) ap_proxy_g
}
url = ap_proxy_de_socketfy(p, url);
+ if (!url) {
+ return NULL;
+ }
c = ap_strchr_c(url, ':');
if (c == NULL || c[1] != '/' || c[2] != '/' || c[3] == '\0') {
Index: httpd-2.4.33/server/protocol.c
===================================================================
--- httpd-2.4.33.orig/server/protocol.c 2022-01-05 10:34:32.772266013 +0100
+++ httpd-2.4.33/server/protocol.c 2022-01-05 10:46:31.256289079 +0100
@@ -1401,7 +1401,7 @@ request_rec *ap_read_request(conn_rec *c
NULL, r, r->connection);
if (access_status != HTTP_OK
- || (access_status = ap_run_post_read_request(r))) {
+ || (access_status = ap_post_read_request(r))) {
ap_die(access_status, r);
ap_update_child_status(conn->sbh, SERVER_BUSY_LOG, r);
ap_run_log_transaction(r);
@@ -1448,6 +1448,27 @@ request_rec *ap_read_request(conn_rec *c
return r;
}
+AP_DECLARE(int) ap_post_read_request(request_rec *r)
+{
+ int status;
+
+ if ((status = ap_run_post_read_request(r))) {
+ return status;
+ }
+
+ /* Enforce http(s) only scheme for non-forward-proxy requests */
+ if (!r->proxyreq
+ && r->parsed_uri.scheme
+ && (ap_cstr_casecmpn(r->parsed_uri.scheme, "http", 4) != 0
+ || (r->parsed_uri.scheme[4] != '\0'
+ && (apr_tolower(r->parsed_uri.scheme[4]) != 's'
+ || r->parsed_uri.scheme[5] != '\0')))) {
+ return HTTP_BAD_REQUEST;
+ }
+
+ return OK;
+}
+
/* if a request with a body creates a subrequest, remove original request's
* input headers which pertain to the body which has already been read.
* out-of-line helper function for ap_set_sub_req_protocol.