File apache2-CVE-2021-44224.patch of Package apache2.24654

Index: httpd-2.4.51/include/http_protocol.h
===================================================================
--- httpd-2.4.51.orig/include/http_protocol.h	2021-05-27 15:08:21.000000000 +0200
+++ httpd-2.4.51/include/http_protocol.h	2021-12-22 11:05:06.714950531 +0100
@@ -96,6 +96,13 @@ AP_DECLARE(void) ap_get_mime_headers(req
 AP_DECLARE(void) ap_get_mime_headers_core(request_rec *r,
                                           apr_bucket_brigade *bb);
 
+/**
+ * Run post_read_request hook and validate.
+ * @param r The current request
+ * @return OK or HTTP_...
+ */
+AP_DECLARE(int) ap_post_read_request(request_rec *r);
+
 /* Finish up stuff after a request */
 
 /**
Index: httpd-2.4.51/modules/http/http_request.c
===================================================================
--- httpd-2.4.51.orig/modules/http/http_request.c	2020-01-02 00:14:08.000000000 +0100
+++ httpd-2.4.51/modules/http/http_request.c	2021-12-22 11:05:06.714950531 +0100
@@ -680,7 +680,7 @@ static request_rec *internal_internal_re
      * to do their thing on internal redirects as well.  Perhaps this is a
      * misnamed function.
      */
-    if ((access_status = ap_run_post_read_request(new))) {
+    if ((access_status = ap_post_read_request(new))) {
         ap_die(access_status, new);
         return NULL;
     }
Index: httpd-2.4.51/modules/http2/h2_request.c
===================================================================
--- httpd-2.4.51.orig/modules/http2/h2_request.c	2021-09-26 16:30:51.000000000 +0200
+++ httpd-2.4.51/modules/http2/h2_request.c	2021-12-22 11:05:06.714950531 +0100
@@ -370,7 +370,7 @@ request_rec *h2_request_create_rec(const
     ap_add_input_filter_handle(ap_http_input_filter_handle,
                                NULL, r, r->connection);
     
-    if ((access_status = ap_run_post_read_request(r))) {
+    if ((access_status = ap_post_read_request(r))) {
         /* Request check post hooks failed. An example of this would be a
          * request for a vhost where h2 is disabled --> 421.
          */
Index: httpd-2.4.51/modules/proxy/mod_proxy.c
===================================================================
--- httpd-2.4.51.orig/modules/proxy/mod_proxy.c	2021-09-09 17:22:23.000000000 +0200
+++ httpd-2.4.51/modules/proxy/mod_proxy.c	2021-12-22 11:05:06.714950531 +0100
@@ -2007,6 +2008,7 @@ static const char *
     struct proxy_alias *new;
     char *f = cmd->path;
     char *r = NULL;
+    const char *real;
     char *word;
     apr_table_t *params = apr_table_make(cmd->pool, 5);
     const apr_array_header_t *arr;
@@ -2093,6 +2095,10 @@ static const char *
     if (r == NULL) {
         return "ProxyPass|ProxyPassMatch needs a path when not defined in a location";
     }
+    if (!(real = ap_proxy_de_socketfy(cmd->temp_pool, r))) {
+        return "ProxyPass|ProxyPassMatch uses an invalid \"unix:\" URL";
+    }
+
 
     /* if per directory, save away the single alias */
     if (cmd->path) {
@@ -2109,7 +2115,7 @@ static const char *
     }
 
     new->fake = apr_pstrdup(cmd->pool, f);
-    new->real = apr_pstrdup(cmd->pool, ap_proxy_de_socketfy(cmd->pool, r));
+    new->real = apr_pstrdup(cmd->pool, real);
     new->flags = flags;
     if (worker_type & AP_PROXY_WORKER_IS_MATCH) {
         new->regex = ap_pregcomp(cmd->pool, f, AP_REG_EXTENDED);
@@ -2635,6 +2641,7 @@ static const char *add_member(cmd_parms
     proxy_worker *worker;
     char *path = cmd->path;
     char *name = NULL;
+    const char *real;
     char *word;
     apr_table_t *params = apr_table_make(cmd->pool, 5);
     const apr_array_header_t *arr;
@@ -2675,6 +2682,9 @@ static const char *add_member(cmd_parms
         return "BalancerMember must define balancer name when outside <Proxy > section";
     if (!name)
         return "BalancerMember must define remote proxy server";
+    if (!(real = ap_proxy_de_socketfy(cmd->temp_pool, name))) {
+        return "BalancerMember uses an invalid \"unix:\" URL";
+    }
 
     ap_str_tolower(path);   /* lowercase scheme://hostname */
 
@@ -2687,8 +2697,7 @@ static const char *add_member(cmd_parms
     }
 
     /* Try to find existing worker */
-    worker = ap_proxy_get_worker(cmd->temp_pool, balancer, conf,
-                                 ap_proxy_de_socketfy(cmd->temp_pool, name));
+    worker = ap_proxy_get_worker(cmd->temp_pool, balancer, conf, real);
     if (!worker) {
         ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, cmd->server, APLOGNO(01147)
                      "Defining worker '%s' for balancer '%s'",
@@ -2785,9 +2794,14 @@ static const char *
         }
     }
     else {
+        const char *real;
+
+        if (!(real = ap_proxy_de_socketfy(cmd->temp_pool, name))) {
+            return "ProxySet uses an invalid \"unix:\" URL";
+        }
+
         worker = ap_proxy_get_worker_ex(cmd->temp_pool, NULL, conf,
-                                        ap_proxy_de_socketfy(cmd->temp_pool, name),
-                                        worker_type);
+                                        real, worker_type);
         if (!worker) {
             if (in_proxy_section) {
                 err = ap_proxy_define_worker_ex(cmd->pool, &worker, NULL,
@@ -2930,9 +2944,14 @@ static const char *proxysection(cmd_parm
             }
         }
         else {
+            const char *real;
+
+            if (!(real = ap_proxy_de_socketfy(cmd->temp_pool, conf->p))) {
+                return "<Proxy/ProxyMatch > uses an invalid \"unix:\" URL";
+            }
+
             worker = ap_proxy_get_worker_ex(cmd->temp_pool, NULL, sconf,
-                                            ap_proxy_de_socketfy(cmd->temp_pool, conf->p),
-                                            worker_type);
+                                            real, worker_type);
             if (!worker) {
                 err = ap_proxy_define_worker_ex(cmd->pool, &worker, NULL, sconf,
                                                 conf->p, worker_type);
Index: httpd-2.4.51/modules/proxy/proxy_util.c
===================================================================
--- httpd-2.4.51.orig/modules/proxy/proxy_util.c	2021-09-23 14:31:53.000000000 +0200
+++ httpd-2.4.51/modules/proxy/proxy_util.c	2021-12-22 11:05:06.714950531 +0100
@@ -1741,7 +1741,12 @@ PROXY_DECLARE(proxy_worker *) ap_proxy_g
         return NULL;
     }
 
-    url = ap_proxy_de_socketfy(p, url);
+    if (!(mask & AP_PROXY_WORKER_NO_UDS)) {
+        url = ap_proxy_de_socketfy(p, url);
+        if (!url) {
+            return NULL;
+        }
+    }
 
     c = ap_strchr_c(url, ':');
     if (c == NULL || c[1] != '/' || c[2] != '/' || c[3] == '\0') {
@@ -2323,22 +2328,22 @@ PROXY_DECLARE(int) ap_proxy_pre_request(
 
     access_status = proxy_run_pre_request(worker, balancer, r, conf, url);
     if (access_status == DECLINED && *balancer == NULL) {
-        *worker = ap_proxy_get_worker(r->pool, NULL, conf, *url);
+        const int forward = (r->proxyreq == PROXYREQ_PROXY);
+        *worker = ap_proxy_get_worker_ex(r->pool, NULL, conf, *url,
+                                         forward ? AP_PROXY_WORKER_NO_UDS : 0);
         if (*worker) {
             ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r,
                           "%s: found worker %s for %s",
                           (*worker)->s->scheme, (*worker)->s->name, *url);
-            *balancer = NULL;
-            if (!fix_uds_filename(r, url)) {
+            if (!forward && !fix_uds_filename(r, url)) {
                 return HTTP_INTERNAL_SERVER_ERROR;
             }
             access_status = OK;
         }
-        else if (r->proxyreq == PROXYREQ_PROXY) {
+        else if (forward) {
             if (conf->forward) {
                 ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r,
                               "*: found forward proxy worker for %s", *url);
-                *balancer = NULL;
                 *worker = conf->forward;
                 access_status = OK;
                 /*
@@ -2352,8 +2357,8 @@ PROXY_DECLARE(int) ap_proxy_pre_request(
         else if (r->proxyreq == PROXYREQ_REVERSE) {
             if (conf->reverse) {
                 ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r,
-                              "*: using default reverse proxy worker for %s (no keepalive)", *url);
-                *balancer = NULL;
+                              "*: using default reverse proxy worker for %s "
+                              "(no keepalive)", *url);
                 *worker = conf->reverse;
                 access_status = OK;
                 /*
Index: httpd-2.4.51/server/protocol.c
===================================================================
--- httpd-2.4.51.orig/server/protocol.c	2021-12-22 11:05:06.702950468 +0100
+++ httpd-2.4.51/server/protocol.c	2021-12-22 11:05:06.714950531 +0100
@@ -1553,7 +1553,7 @@ request_rec *ap_read_request(conn_rec *c
     /* we may have switched to another server */
     apply_server_config(r);
 
-    if ((access_status = ap_run_post_read_request(r))) {
+    if ((access_status = ap_post_read_request(r))) {
         goto die;
     }
 
@@ -1608,6 +1608,27 @@ ignore:
     return NULL;
 }
 
+AP_DECLARE(int) ap_post_read_request(request_rec *r)
+{
+    int status;
+
+    if ((status = ap_run_post_read_request(r))) {
+        return status;
+    }
+
+    /* Enforce http(s) only scheme for non-forward-proxy requests */
+    if (!r->proxyreq
+            && r->parsed_uri.scheme
+            && (ap_cstr_casecmpn(r->parsed_uri.scheme, "http", 4) != 0
+                || (r->parsed_uri.scheme[4] != '\0'
+                    && (apr_tolower(r->parsed_uri.scheme[4]) != 's'
+                        || r->parsed_uri.scheme[5] != '\0')))) {
+        return HTTP_BAD_REQUEST;
+    }
+
+    return OK;
+}
+
 /* if a request with a body creates a subrequest, remove original request's
  * input headers which pertain to the body which has already been read.
  * out-of-line helper function for ap_set_sub_req_protocol.
Index: httpd-2.4.51/modules/proxy/mod_proxy.h
===================================================================
--- httpd-2.4.51.orig/modules/proxy/mod_proxy.h	2021-12-22 11:05:06.690950404 +0100
+++ httpd-2.4.51/modules/proxy/mod_proxy.h	2021-12-22 11:07:55.599846497 +0100
@@ -750,6 +750,7 @@ PROXY_DECLARE(int) ap_proxy_worker_can_u
 #define AP_PROXY_WORKER_IS_PREFIX   (1u << 0)
 #define AP_PROXY_WORKER_IS_MATCH    (1u << 1)
 #define AP_PROXY_WORKER_IS_MALLOCED (1u << 2)
+#define AP_PROXY_WORKER_NO_UDS      (1u << 3)
 
 /**
  * Get the worker from proxy configuration, looking for either PREFIXED or
openSUSE Build Service is sponsored by