short-circuit some kinds of looping in RewriteRule.
PR60478
Submitted By: Jeff Wheelouse <apache wheelhouse.org>
Committed By: covener
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@
1774352 13f79535-47bb-0310-9956-
ffa450edef68
-*- coding: utf-8 -*-
Changes with Apache 2.4.24
-
+
*) SECURITY: CVE-2016-8740 (cve.mitre.org)
mod_http2: Mitigate DoS memory exhaustion via endless
CONTINUATION frames.
pollution by malicious clients, upstream servers or faulty modules.
[Stefan Fritsch, Eric Covener, Yann Ylavic]
+ *) mod_rewrite: Limit runaway memory use by short circuiting some kinds of
+ looping RewriteRules when the local path significantly exceeds
+ LimitRequestLine. PR 60478. [Jeff Wheelhouse <apache wheelhouse.org>]
+
*) mod_ratelimit: Allow for initial "burst" amount at full speed before
throttling: PR 60145 [Andy Valencia <ajv-etradanalhos vsta.org>,
Jim Jagielski]
PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
[ start all new proposals below, under PATCHES PROPOSED. ]
-
- *) Limit some kinds of rewrite looping. PR60478
- trunk patch: http://svn.apache.org/r1774288.
- 2.4.x patch: trunk works
- +1: covener, ylavic, jchampion
-
PATCHES PROPOSED TO BACKPORT FROM TRUNK:
[ New proposals should be added at the end of the list ]
rc = apply_rewrite_rule(p, ctx);
if (rc) {
+
+ /* Catch looping rules with pathinfo growing unbounded */
+ if ( strlen( r->filename ) > 2*r->server->limit_req_line ) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+ "RewriteRule '%s' and URI '%s' "
+ "exceeded maximum length (%d)",
+ p->pattern, r->uri, 2*r->server->limit_req_line );
+ r->status = HTTP_INTERNAL_SERVER_ERROR;
+ return ACTION_STATUS;
+ }
+
/* Regardless of what we do next, we've found a match. Check to see
* if any of the request header fields were involved, and add them
* to the Vary field of the response.
projects / apache / commitdiff