File httpd-2.2.x-CVE-2011-3368_CVE-2011-4317-bnc722545.diff of Package apache2.openSUSE_12.1
diff -rNU 20 ../httpd-2.2.12-o/modules/mappers/mod_rewrite.c ./modules/mappers/mod_rewrite.c
--- ../httpd-2.2.12-o/modules/mappers/mod_rewrite.c 2009-07-10 14:20:45.000000000 +0200
+++ ./modules/mappers/mod_rewrite.c 2011-11-24 04:08:35.000000000 +0100
@@ -4230,40 +4230,47 @@
/*
* only do something under runtime if the engine is really enabled,
* else return immediately!
*/
if (conf->state == ENGINE_DISABLED) {
return DECLINED;
}
/*
* check for the ugly API case of a virtual host section where no
* mod_rewrite directives exists. In this situation we became no chance
* by the API to setup our default per-server config so we have to
* on-the-fly assume we have the default config. But because the default
* config has a disabled rewriting engine we are lucky because can
* just stop operating now.
*/
if (conf->server != r->server) {
return DECLINED;
}
+ /* Check that the URI is valid. */
+ if (!r->uri || r->uri[0] != '/') {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+ "Invalid URI in request %s", r->the_request);
+ return HTTP_BAD_REQUEST;
+ }
+
/*
* add the SCRIPT_URL variable to the env. this is a bit complicated
* due to the fact that apache uses subrequests and internal redirects
*/
if (r->main == NULL) {
var = apr_table_get(r->subprocess_env, REDIRECT_ENVVAR_SCRIPT_URL);
if (var == NULL) {
apr_table_setn(r->subprocess_env, ENVVAR_SCRIPT_URL, r->uri);
}
else {
apr_table_setn(r->subprocess_env, ENVVAR_SCRIPT_URL, var);
}
}
else {
var = apr_table_get(r->main->subprocess_env, ENVVAR_SCRIPT_URL);
apr_table_setn(r->subprocess_env, ENVVAR_SCRIPT_URL, var);
}
/*
diff -rNU 20 ../httpd-2.2.12-o/modules/proxy/mod_proxy.c ./modules/proxy/mod_proxy.c
--- ../httpd-2.2.12-o/modules/proxy/mod_proxy.c 2009-01-31 21:58:07.000000000 +0100
+++ ./modules/proxy/mod_proxy.c 2011-11-24 04:08:35.000000000 +0100
@@ -527,40 +527,47 @@
proxy_server_conf *conf =
(proxy_server_conf *) ap_get_module_config(sconf, &proxy_module);
int i, len;
struct proxy_alias *ent = (struct proxy_alias *) conf->aliases->elts;
proxy_dir_conf *dconf = ap_get_module_config(r->per_dir_config,
&proxy_module);
const char *fake;
const char *real;
ap_regmatch_t regm[AP_MAX_REG_MATCH];
ap_regmatch_t reg1[AP_MAX_REG_MATCH];
char *found = NULL;
int mismatch = 0;
if (r->proxyreq) {
/* someone has already set up the proxy, it was possibly ourselves
* in proxy_detect
*/
return OK;
}
+ /* Check that the URI is valid. */
+ if (!r->uri || r->uri[0] != '/') {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+ "Invalid URI in request %s", r->the_request);
+ return HTTP_BAD_REQUEST;
+ }
+
/* XXX: since r->uri has been manipulated already we're not really
* compliant with RFC1945 at this point. But this probably isn't
* an issue because this is a hybrid proxy/origin server.
*/
for (i = 0; i < conf->aliases->nelts; i++) {
unsigned int nocanon = ent[i].flags & PROXYPASS_NOCANON;
const char *use_uri = nocanon ? r->unparsed_uri : r->uri;
if ((dconf->interpolate_env == 1)
&& (ent[i].flags & PROXYPASS_INTERPOLATE)) {
fake = proxy_interpolate(r, ent[i].fake);
real = proxy_interpolate(r, ent[i].real);
}
else {
fake = ent[i].fake;
real = ent[i].real;
}
if (ent[i].regex) {
if (!ap_regexec(ent[i].regex, r->uri, AP_MAX_REG_MATCH, regm, 0)) {
if ((real[0] == '!') && (real[1] == '\0')) {
