PR47765: ProxyPass and ProxyPassReverse should not be accepted in

Directory or Files sections.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1031758 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/CHANGES b/CHANGES
index ae012392d4c1b04da56798b559ed04a9d09d53b0..db498904c1d3427302e1aa8ba44794c62ddb76a8 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -6,6 +6,9 @@ Changes with Apache 2.3.9
      Fix a denial of service attack against mod_reqtimeout.
      [Stefan Fritsch]
 
+  *) mod_proxy: Don't allow ProxyPass or ProxyPassReverse in
+     <Directory> or <Files>. PR47765 [Eric Covener]
+
   *) prefork/worker/event MPMS: default value (when no directive is present)
      of MaxConnectionsPerChild/MaxRequestsPerChild is changed to 0 from 10000 
      to match default configuration and manual. PR47782 [Eric Covener]

diff --git a/modules/proxy/mod_proxy.c b/modules/proxy/mod_proxy.c
index ac89447365b02b8e212cf4dccd241f5c6c41f355..b449d4a282a58bdd555b1f4e91bff9e9b2daa245 100644 (file)
--- a/modules/proxy/mod_proxy.c
+++ b/modules/proxy/mod_proxy.c
@@ -1337,6 +1337,12 @@ static const char *
     int i;
     int use_regex = is_regex;
     unsigned int flags = 0;
+    const char *err;
+
+    err = ap_check_cmd_context(cmd, NOT_IN_DIRECTORY|NOT_IN_FILES);
+    if (err) { 
+        return err;
+    }
 
     while (*arg) {
         word = ap_getword_conf(cmd->pool, &arg);
@@ -1490,6 +1496,12 @@ static const char * add_pass_reverse(cmd_parms *cmd, void *dconf, const char *f,
     const char *fake;
     const char *real;
     const char *interp;
+    const char *err;
+
+    err = ap_check_cmd_context(cmd, NOT_IN_DIRECTORY|NOT_IN_FILES);
+    if (err) { 
+        return err;
+    }
 
     if (cmd->path == NULL) {
         if (r == NULL || !strcasecmp(r, "interpolate")) {