File apache2-CVE-2024-38473-4.patch of Package apache2.35278
From 4326d6b9041a3bcb9b529f9163d0761c2d760700 Mon Sep 17 00:00:00 2001
From: Yann Ylavic <ylavic@apache.org>
Date: Wed, 26 Jun 2024 14:56:47 +0000
Subject: [PATCH] factor out IS_SLASH, perdir fix
in per-dir, the filename will be internally redirected, so / is OK too.
don't add / to / in the non-perdir
match AP_IS_SLASH macro
followup to 1918651
Merges r1918651, r1918652, r1918663 from trunk
Reviewed by: covener, ylavic, rpluem
GH: close #458
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1918668 13f79535-47bb-0310-9956-ffa450edef68
---
include/ap_mmn.h | 3 ++-
include/httpd.h | 11 +++++++++++
modules/mappers/mod_rewrite.c | 11 ++++-------
server/util.c | 31 ++++++++++---------------------
4 files changed, 27 insertions(+), 29 deletions(-)
Index: httpd-2.4.51/include/httpd.h
===================================================================
--- httpd-2.4.51.orig/include/httpd.h
+++ httpd-2.4.51/include/httpd.h
@@ -2597,6 +2597,17 @@ AP_DECLARE(const char *)ap_dir_fnmatch(a
*/
AP_DECLARE(int) ap_is_chunked(apr_pool_t *p, const char *line);
+/* Win32/NetWare/OS2 need to check for both forward and back slashes
+ * in ap_normalize_path() and ap_escape_url().
+ */
+#ifdef CASE_BLIND_FILESYSTEM
+#define AP_IS_SLASH(s) ((s == '/') || (s == '\\'))
+#define AP_SLASHES "/\\"
+#else
+#define AP_IS_SLASH(s) (s == '/')
+#define AP_SLASHES "/"
+#endif
+
#ifdef __cplusplus
}
#endif
Index: httpd-2.4.51/modules/mappers/mod_rewrite.c
===================================================================
--- httpd-2.4.51.orig/modules/mappers/mod_rewrite.c
+++ httpd-2.4.51/modules/mappers/mod_rewrite.c
@@ -644,14 +644,11 @@ static unsigned is_absolute_uri(char *ur
static int is_absolute_path(const char *path)
{
-#ifndef WIN32
+#ifndef CASE_BLIND_FILESYSTEM
return (path[0] == '/');
#else
-#define IS_SLASH(c) ((c) == '/' || (c) == '\\')
- /* "//", "\\", "x:/" and "x:\" are absolute paths on Windows */
- return ((IS_SLASH(path[0]) && path[1] == path[0])
- || (apr_isalpha(path[0]) && path[1] == ':' && IS_SLASH(path[2])));
-#undef IS_SLASH
+ return ((AP_IS_SLASH(path[0]) && path[1] == path[0])
+ || (apr_isalpha(path[0]) && path[1] == ':' && AP_IS_SLASH(path[2])));
#endif
}
Index: httpd-2.4.51/server/util.c
===================================================================
--- httpd-2.4.51.orig/server/util.c
+++ httpd-2.4.51/server/util.c
@@ -75,17 +75,6 @@
*/
#include "test_char.h"
-/* Win32/NetWare/OS2 need to check for both forward and back slashes
- * in ap_normalize_path() and ap_escape_url().
- */
-#ifdef CASE_BLIND_FILESYSTEM
-#define IS_SLASH(s) ((s == '/') || (s == '\\'))
-#define SLASHES "/\\"
-#else
-#define IS_SLASH(s) (s == '/')
-#define SLASHES "/"
-#endif
-
/* we know core's module_index is 0 */
#undef APLOG_MODULE_INDEX
#define APLOG_MODULE_INDEX AP_CORE_MODULE_INDEX
@@ -494,7 +483,7 @@ AP_DECLARE(apr_status_t) ap_pregsub_ex(a
/* Forward declare */
static char x2c(const char *what);
-#define IS_SLASH_OR_NUL(s) (s == '\0' || IS_SLASH(s))
+#define IS_SLASH_OR_NUL(s) (s == '\0' || AP_IS_SLASH(s))
/*
* Inspired by mod_jk's jk_servlet_normalize().
@@ -505,7 +494,7 @@ AP_DECLARE(int) ap_normalize_path(char *
apr_size_t l = 1, w = 1, n;
int decode_unreserved = (flags & AP_NORMALIZE_DECODE_UNRESERVED) != 0;
- if (!IS_SLASH(path[0])) {
+ if (!AP_IS_SLASH(path[0])) {
/* Besides "OPTIONS *", a request-target should start with '/'
* per RFC 7230 section 5.3, so anything else is invalid.
*/
@@ -546,12 +535,12 @@ AP_DECLARE(int) ap_normalize_path(char *
}
}
- if (w == 0 || IS_SLASH(path[w - 1])) {
+ if (w == 0 || AP_IS_SLASH(path[w - 1])) {
/* Collapse ///// sequences to / */
- if ((flags & AP_NORMALIZE_MERGE_SLASHES) && IS_SLASH(path[l])) {
+ if ((flags & AP_NORMALIZE_MERGE_SLASHES) && AP_IS_SLASH(path[l])) {
do {
l++;
- } while (IS_SLASH(path[l]));
+ } while (AP_IS_SLASH(path[l]));
continue;
}
@@ -580,7 +569,7 @@ AP_DECLARE(int) ap_normalize_path(char *
if (w > 1) {
do {
w--;
- } while (w && !IS_SLASH(path[w - 1]));
+ } while (w && !AP_IS_SLASH(path[w - 1]));
}
else {
/* Already at root, ignore and return a failure
@@ -1916,7 +1905,7 @@ static int unescape_url(char *url, const
char decoded;
decoded = x2c(y + 1);
if ((decoded == '\0')
- || (forbid_slashes && IS_SLASH(decoded))
+ || (forbid_slashes && AP_IS_SLASH(decoded))
|| (forbid && ap_strchr_c(forbid, decoded))) {
badpath = 1;
*x = decoded;
@@ -1924,7 +1913,7 @@ static int unescape_url(char *url, const
}
else if ((keep_unreserved && TEST_CHAR(decoded,
T_URI_UNRESERVED))
- || (keep_slashes && IS_SLASH(decoded))
+ || (keep_slashes && AP_IS_SLASH(decoded))
|| (reserved && ap_strchr_c(reserved, decoded))) {
*x++ = *y++;
*x++ = *y++;
@@ -1951,7 +1940,7 @@ static int unescape_url(char *url, const
AP_DECLARE(int) ap_unescape_url(char *url)
{
/* Traditional */
- return unescape_url(url, SLASHES, NULL, 0);
+ return unescape_url(url, AP_SLASHES, NULL, 0);
}
AP_DECLARE(int) ap_unescape_url_keep2f(char *url, int decode_slashes)
{
@@ -1961,7 +1950,7 @@ AP_DECLARE(int) ap_unescape_url_keep2f(c
return unescape_url(url, NULL, NULL, 0);
} else {
/* reserve (do not decode) encoded slashes */
- return unescape_url(url, NULL, SLASHES, 0);
+ return unescape_url(url, NULL, AP_SLASHES, 0);
}
}
AP_DECLARE(int) ap_unescape_url_ex(char *url, unsigned int flags)
