File httpd-2.2.x-CVE-2011-3368_CVE-2011-4317-bnc722545.diff of Package apache2

diff -rNU 20 ../httpd-2.2.21-o/modules/mappers/mod_rewrite.c ./modules/mappers/mod_rewrite.c
--- ../httpd-2.2.21-o/modules/mappers/mod_rewrite.c	2011-09-04 00:54:25.000000000 +0200
+++ ./modules/mappers/mod_rewrite.c	2013-01-28 14:31:53.000000000 +0100
@@ -4249,40 +4249,51 @@
     /*
      *  only do something under runtime if the engine is really enabled,
      *  else return immediately!
      */
     if (conf->state == ENGINE_DISABLED) {
         return DECLINED;
     }
 
     /*
      *  check for the ugly API case of a virtual host section where no
      *  mod_rewrite directives exists. In this situation we became no chance
      *  by the API to setup our default per-server config so we have to
      *  on-the-fly assume we have the default config. But because the default
      *  config has a disabled rewriting engine we are lucky because can
      *  just stop operating now.
      */
     if (conf->server != r->server) {
         return DECLINED;
     }
 
+    /* Check that the URI is valid. CVE-2011-3368, CVE-2011-4317, bnc722545 */
+    if ( (r->unparsed_uri[0] == '*' && r->unparsed_uri[1] == '\0')
+            || !r->uri || r->uri[0] != '/') {
+       rewritelog((r, 8, NULL, "Declining, request-URI '%s' is not a URL-path. "
+                    "Consult the manual entry for the RewriteOptions directive "
+                    "for options and caveats about matching other strings.",
+                    r->uri));
+        return DECLINED;
+    }
+
+
     /*
      *  add the SCRIPT_URL variable to the env. this is a bit complicated
      *  due to the fact that apache uses subrequests and internal redirects
      */
 
     if (r->main == NULL) {
          var = apr_table_get(r->subprocess_env, REDIRECT_ENVVAR_SCRIPT_URL);
          if (var == NULL) {
              apr_table_setn(r->subprocess_env, ENVVAR_SCRIPT_URL, r->uri);
          }
          else {
              apr_table_setn(r->subprocess_env, ENVVAR_SCRIPT_URL, var);
          }
     }
     else {
          var = apr_table_get(r->main->subprocess_env, ENVVAR_SCRIPT_URL);
          apr_table_setn(r->subprocess_env, ENVVAR_SCRIPT_URL, var);
     }
 
     /*
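Review bot: The decline message in the `rewritelog` call points the administrator to the RewriteOptions directive "for options and caveats", but the guard above it is unconditional in this hunk: no option is tested before `return DECLINED`. Unless an opt-out is wired up elsewhere in this tree, the hint is misleading and should be dropped, or the option check added. The same call passes `r->uri` to `%s` on a path that is also taken when `!r->uri` is true; `r->uri ? r->uri : "(null)"` avoids relying on the formatter's handling of NULL. Because the rejection is written only at rewrite log level 8, requests hitting this guard will normally leave no trace in the rewrite log, which matters when looking for CVE-2011-3368 or CVE-2011-4317 probing. The enclosing function starts and ends outside the hunk.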
diff -rNU 20 ../httpd-2.2.21-o/modules/proxy/mod_proxy.c ./modules/proxy/mod_proxy.c
--- ../httpd-2.2.21-o/modules/proxy/mod_proxy.c	2010-10-07 20:51:18.000000000 +0200
+++ ./modules/proxy/mod_proxy.c	2013-01-28 14:33:58.000000000 +0100
@@ -549,40 +549,48 @@
     proxy_server_conf *conf =
     (proxy_server_conf *) ap_get_module_config(sconf, &proxy_module);
     int i, len;
     struct proxy_alias *ent = (struct proxy_alias *) conf->aliases->elts;
     proxy_dir_conf *dconf = ap_get_module_config(r->per_dir_config,
                                                  &proxy_module);
     const char *fake;
     const char *real;
     ap_regmatch_t regm[AP_MAX_REG_MATCH];
     ap_regmatch_t reg1[AP_MAX_REG_MATCH];
     char *found = NULL;
     int mismatch = 0;
 
     if (r->proxyreq) {
         /* someone has already set up the proxy, it was possibly ourselves
          * in proxy_detect
          */
         return OK;
     }
 
+    /* Check that the URI is valid. CVE-2011-3368, CVE-2011-4317, bnc722545 */
+    if ((r->unparsed_uri[0] == '*' && r->unparsed_uri[1] == '\0')
+        || !r->uri || r->uri[0] != '/') {
+        return DECLINED;
+    }
+
+
+
     /* XXX: since r->uri has been manipulated already we're not really
      * compliant with RFC1945 at this point.  But this probably isn't
      * an issue because this is a hybrid proxy/origin server.
      */
 
     for (i = 0; i < conf->aliases->nelts; i++) {
         unsigned int nocanon = ent[i].flags & PROXYPASS_NOCANON;
         const char *use_uri = nocanon ? r->unparsed_uri : r->uri;
         if ((dconf->interpolate_env == 1)
             && (ent[i].flags & PROXYPASS_INTERPOLATE)) {
             fake = proxy_interpolate(r, ent[i].fake);
             real = proxy_interpolate(r, ent[i].real);
         }
         else {
             fake = ent[i].fake;
             real = ent[i].real;
         }
         if (ent[i].regex) {
             if (!ap_regexec(ent[i].regex, r->uri, AP_MAX_REG_MATCH, regm, 0)) {
                 if ((real[0] == '!') && (real[1] == '\0')) {
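Review bot: The new guard returns `DECLINED` without logging, unlike the matching check in mod_rewrite.c, so a request whose target is not a URL-path is skipped by proxy translation with no record; a debug line such as `ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "proxy: declining, request-URI is not a URL-path");` before the return would make it visible. `DECLINED` only stops this module from mapping the request. The request is not rejected here, and whether it receives a 400 depends on request-line validation in the core, which this page does not show. `r->unparsed_uri` is also dereferenced before anything is NULL-checked, while `r->uri` is tested for NULL; presumably it is always set at this hook, but that asymmetry deserves a one-line comment. The function body begins and ends outside the hunk.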