File apache2-CVE-2023-25690.patch of Package apache2.27904
From d78a166fedd9d02c23e4b71d5f53bd9b2c4b9a51 Mon Sep 17 00:00:00 2001
From: Eric Covener <covener@apache.org>
Date: Sun, 5 Mar 2023 20:27:11 +0000
Subject: [PATCH] don't forward invalid query strings
Submitted by: rpluem
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1908095 13f79535-47bb-0310-9956-ffa450edef68
---
docs/log-message-tags/next-number | 2 +-
modules/http2/mod_proxy_http2.c | 10 ++++++++++
modules/mappers/mod_rewrite.c | 22 ++++++++++++++++++++++
modules/proxy/mod_proxy_ajp.c | 10 ++++++++++
modules/proxy/mod_proxy_balancer.c | 10 ++++++++++
modules/proxy/mod_proxy_http.c | 10 ++++++++++
modules/proxy/mod_proxy_wstunnel.c | 10 ++++++++++
7 files changed, 73 insertions(+), 1 deletion(-)
Index: httpd-2.4.51/modules/http2/mod_proxy_http2.c
===================================================================
--- httpd-2.4.51.orig/modules/http2/mod_proxy_http2.c
+++ httpd-2.4.51/modules/http2/mod_proxy_http2.c
@@ -158,6 +158,16 @@ static int proxy_http2_canon(request_rec
path = ap_proxy_canonenc(r->pool, url, (int)strlen(url),
enc_path, 0, r->proxyreq);
search = r->args;
+ if (search && *(ap_scan_vchar_obstext(search))) {
+ /*
+ * We have a raw control character or a ' ' in r->args.
+ * Correct encoding was missed.
+ */
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO()
+ "To be forwarded query string contains control "
+ "characters or spaces");
+ return HTTP_FORBIDDEN;
+ }
}
break;
case PROXYREQ_PROXY:
Index: httpd-2.4.51/modules/mappers/mod_rewrite.c
===================================================================
--- httpd-2.4.51.orig/modules/mappers/mod_rewrite.c
+++ httpd-2.4.51/modules/mappers/mod_rewrite.c
@@ -4703,6 +4703,17 @@ static int hook_uri2file(request_rec *r)
unsigned skip;
apr_size_t flen;
+ if (r->args && *(ap_scan_vchar_obstext(r->args))) {
+ /*
+ * We have a raw control character or a ' ' in r->args.
+ * Correct encoding was missed.
+ */
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10410)
+ "Rewritten query string contains control "
+ "characters or spaces");
+ return HTTP_FORBIDDEN;
+ }
+
if (ACTION_STATUS == rulestatus) {
int n = r->status;
@@ -4987,6 +4998,17 @@ static int hook_fixup(request_rec *r)
if (rulestatus) {
unsigned skip;
+ if (r->args && *(ap_scan_vchar_obstext(r->args))) {
+ /*
+ * We have a raw control character or a ' ' in r->args.
+ * Correct encoding was missed.
+ */
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10411)
+ "Rewritten query string contains control "
+ "characters or spaces");
+ return HTTP_FORBIDDEN;
+ }
+
if (ACTION_STATUS == rulestatus) {
int n = r->status;
Index: httpd-2.4.51/modules/proxy/mod_proxy_ajp.c
===================================================================
--- httpd-2.4.51.orig/modules/proxy/mod_proxy_ajp.c
+++ httpd-2.4.51/modules/proxy/mod_proxy_ajp.c
@@ -69,6 +69,16 @@ static int proxy_ajp_canon(request_rec *
path = ap_proxy_canonenc(r->pool, url, strlen(url), enc_path, 0,
r->proxyreq);
search = r->args;
+ if (search && *(ap_scan_vchar_obstext(search))) {
+ /*
+ * We have a raw control character or a ' ' in r->args.
+ * Correct encoding was missed.
+ */
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10406)
+ "To be forwarded query string contains control "
+ "characters or spaces");
+ return HTTP_FORBIDDEN;
+ }
}
if (path == NULL)
return HTTP_BAD_REQUEST;
Index: httpd-2.4.51/modules/proxy/mod_proxy_balancer.c
===================================================================
--- httpd-2.4.51.orig/modules/proxy/mod_proxy_balancer.c
+++ httpd-2.4.51/modules/proxy/mod_proxy_balancer.c
@@ -106,6 +106,16 @@ static int proxy_balancer_canon(request_
path = ap_proxy_canonenc(r->pool, url, strlen(url), enc_path, 0,
r->proxyreq);
search = r->args;
+ if (search && *(ap_scan_vchar_obstext(search))) {
+ /*
+ * We have a raw control character or a ' ' in r->args.
+ * Correct encoding was missed.
+ */
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10407)
+ "To be forwarded query string contains control "
+ "characters or spaces");
+ return HTTP_FORBIDDEN;
+ }
}
if (path == NULL)
return HTTP_BAD_REQUEST;
Index: httpd-2.4.51/modules/proxy/mod_proxy_http.c
===================================================================
--- httpd-2.4.51.orig/modules/proxy/mod_proxy_http.c
+++ httpd-2.4.51/modules/proxy/mod_proxy_http.c
@@ -125,6 +125,16 @@ static int proxy_http_canon(request_rec
path = ap_proxy_canonenc(r->pool, url, strlen(url),
enc_path, 0, r->proxyreq);
search = r->args;
+ if (search && *(ap_scan_vchar_obstext(search))) {
+ /*
+ * We have a raw control character or a ' ' in r->args.
+ * Correct encoding was missed.
+ */
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10408)
+ "To be forwarded query string contains control "
+ "characters or spaces");
+ return HTTP_FORBIDDEN;
+ }
}
break;
case PROXYREQ_PROXY:
Index: httpd-2.4.51/modules/proxy/mod_proxy_wstunnel.c
===================================================================
--- httpd-2.4.51.orig/modules/proxy/mod_proxy_wstunnel.c
+++ httpd-2.4.51/modules/proxy/mod_proxy_wstunnel.c
@@ -114,6 +114,16 @@ static int proxy_wstunnel_canon(request_
path = ap_proxy_canonenc(r->pool, url, strlen(url), enc_path, 0,
r->proxyreq);
search = r->args;
+ if (search && *(ap_scan_vchar_obstext(search))) {
+ /*
+ * We have a raw control character or a ' ' in r->args.
+ * Correct encoding was missed.
+ */
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10409)
+ "To be forwarded query string contains control "
+ "characters or spaces");
+ return HTTP_FORBIDDEN;
+ }
}
if (path == NULL)
return HTTP_BAD_REQUEST;