From: Joe Orton Date: Fri, 2 Dec 2011 12:04:20 +0000 (+0000) Subject: Fix for additional cases of URL rewriting with ProxyPassMatch or X-Git-Tag: 2.5.0-alpha~7759 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=14fef5ae8528914791df2dd5041cb804c1c7b793;p=apache Fix for additional cases of URL rewriting with ProxyPassMatch or RewriteRule, where particular request-URIs could result in undesired backend network exposure in some configurations. (CVE-2011-4317) Thanks to Prutha Parikh from Qualys for reporting this issue. * modules/proxy/mod_proxy.c (proxy_trans): Decline to handle the "*" request-URI. Fail for cases where r->uri does not begin with a "/". * modules/mappers/mod_rewrite.c (hook_uri2file): Likewise. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1209432 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/modules/mappers/mod_rewrite.c b/modules/mappers/mod_rewrite.c index 470e01cdd3..d29cb454ef 100644 --- a/modules/mappers/mod_rewrite.c +++ b/modules/mappers/mod_rewrite.c @@ -4419,6 +4419,18 @@ static int hook_uri2file(request_rec *r) return DECLINED; } + if (strcmp(r->unparsed_uri, "*") == 0) { + /* Don't apply rewrite rules to "*". */ + return DECLINED; + } + + /* Check that the URI is valid. */ + if (!r->uri || r->uri[0] != '/') { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "Invalid URI in request %s", r->the_request); + return HTTP_BAD_REQUEST; + } + /* * add the SCRIPT_URL variable to the env. this is a bit complicated * due to the fact that apache uses subrequests and internal redirects diff --git a/modules/proxy/mod_proxy.c b/modules/proxy/mod_proxy.c index 35195f8cce..8e90c9e340 100644 --- a/modules/proxy/mod_proxy.c +++ b/modules/proxy/mod_proxy.c @@ -655,6 +655,18 @@ static int proxy_trans(request_rec *r) return OK; } + if (strcmp(r->unparsed_uri, "*") == 0) { + /* "*" cannot be proxied. */ + return DECLINED; + } + + /* Check that the URI is valid. */ + if (!r->uri || r->uri[0] != '/') { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "Invalid URI in request %s", r->the_request); + return HTTP_BAD_REQUEST; + } + /* XXX: since r->uri has been manipulated already we're not really * compliant with RFC1945 at this point. But this probably isn't * an issue because this is a hybrid proxy/origin server.