File apache2-CVE-2024-38477.patch of Package apache2.36090

Index: httpd-2.4.51/modules/proxy/proxy_util.c
===================================================================
--- httpd-2.4.51.orig/modules/proxy/proxy_util.c
+++ httpd-2.4.51/modules/proxy/proxy_util.c
@@ -2586,6 +2586,13 @@ ap_proxy_determine_connection(apr_pool_t
                              apr_pstrcat(p,"URI cannot be parsed: ", *url,
                                          NULL));
     }
+
+    if (!uri->hostname) {
+        return ap_proxyerror(r, HTTP_BAD_REQUEST,
+                             apr_pstrcat(p,"URI has no hostname: ", *url,
+                                         NULL));
+    }
+
     if (!uri->port) {
         uri->port = ap_proxy_port_of_scheme(uri->scheme);
     }
@@ -3945,6 +3952,10 @@ PROXY_DECLARE(int) ap_proxy_create_hdrbr
      * way. No telling which legacy backend is relying no this.
      */
     if (dconf->preserve_host == 0) {
+        if (!uri->hostname) {
+            rc = HTTP_BAD_REQUEST;
+            goto cleanup;
+        }
         if (ap_strchr_c(uri->hostname, ':')) { /* if literal IPv6 address */
             if (uri->port_str && uri->port != DEFAULT_HTTP_PORT) {
                 buf = apr_pstrcat(p, "Host: [", uri->hostname, "]:",