From 64b94b8a987536adcf219b8694d674a3a26b2b21 Mon Sep 17 00:00:00 2001
From: Jim Jagielski <jim@apache.org>
Date: Tue, 10 Jul 2012 14:10:40 +0000
Subject: [PATCH]    * mod_rewrite: add "AllowAnyURI" option.      trunk patch:
 http://svn.apache.org/viewvc?rev=1356115&view=rev                  
 http://svn.apache.org/viewvc?view=revision&revision=1356813      2.4.x patch:
 http://people.apache.org/~jorton/httpd-pr52774.patch      +1: jorton,
 covener, druggeri, jim

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1359687 13f79535-47bb-0310-9956-ffa450edef68
---
 CHANGES                         |  2 ++
 STATUS                          |  6 ------
 docs/manual/mod/mod_rewrite.xml | 32 ++++++++++++++++++++++++++++++++
 modules/mappers/mod_rewrite.c   | 16 ++++++++++++++--
 4 files changed, 48 insertions(+), 8 deletions(-)

diff --git a/CHANGES b/CHANGES
index 94df531e82..c39538d992 100644
--- a/CHANGES
+++ b/CHANGES
@@ -8,6 +8,8 @@ Changes with Apache 2.4.3
      possible XSS for a site where untrusted users can upload files to
      a location with MultiViews enabled. [Niels Heinen <heinenn google.com>]
 
+  *) mod_rewrite: Add "AllowAnyURI" option. PR 52774. [Joe Orton]
+
   *) htdbm, htpasswd: Don't crash if crypt() fails (e.g. with FIPS enabled). 
      [Paul Wouters <pwouters redhat.com>, Joe Orton]
 
diff --git a/STATUS b/STATUS
index 1071a75e73..0dfe3e6fa2 100644
--- a/STATUS
+++ b/STATUS
@@ -109,12 +109,6 @@ PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
      2.4.x patch: trunk patch works
      +1: jorton, covener, jim
 
-   * mod_rewrite: add "AllowAnyURI" option.
-     trunk patch: http://svn.apache.org/viewvc?rev=1356115&view=rev
-                  http://svn.apache.org/viewvc?view=revision&revision=1356813
-     2.4.x patch: http://people.apache.org/~jorton/httpd-pr52774.patch
-     +1: jorton, covener, druggeri, jim
-
 
 PATCHES PROPOSED TO BACKPORT FROM TRUNK:
   [ New proposals should be added at the end of the list ]
diff --git a/docs/manual/mod/mod_rewrite.xml b/docs/manual/mod/mod_rewrite.xml
index 7ba1eddd3f..ae2b9acc6a 100644
--- a/docs/manual/mod/mod_rewrite.xml
+++ b/docs/manual/mod/mod_rewrite.xml
@@ -188,6 +188,38 @@ later</compatibility>
       later.</p>
       </dd>
 
+      <dt><code>AllowAnyURI</code></dt>
+      <dd>
+
+      <p>When <directive module="mod_rewrite">RewriteRule</directive>
+      is used in <code>VirtualHost</code> or server context with
+      version 2.2.22 or later of httpd, <module>mod_rewrite</module>
+      will only process the rewrite rules if the request URI is a <a
+      href="./directive-dict.html#Syntax">URL-path</a>.  This avoids
+      some security issues where particular rules could allow
+      "surprising" pattern expansions (see <a
+      href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3368">CVE-2011-3368</a>
+      and <a
+      href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4317">CVE-2011-4317</a>).
+      To lift the restriction on matching a URL-path, the
+      <code>AllowAnyURI</code> option can be enabled, and
+      <module>mod_rewrite</module> will apply the rule set to any
+      request URI string, regardless of whether that string matches
+      the URL-path grammar required by the HTTP specification.</p>
+
+      <note type="warning">
+      <title>Security Warning</title> 
+
+      <p>Enabling this option will make the server vulnerable to
+      security issues if used with rewrite rules which are not
+      carefully authored.  It is <strong>strongly recommended</strong>
+      that this option is not used.  In particular, beware of input
+      strings containing the '<code>@</code>' character which could
+      change the interpretation of the transformed URI, as per the
+      above CVE names.</p>
+      </note>
+      </dd>
+
       </dl>
 
 </usage>
diff --git a/modules/mappers/mod_rewrite.c b/modules/mappers/mod_rewrite.c
index a7fb0666d3..10aec8f3af 100644
--- a/modules/mappers/mod_rewrite.c
+++ b/modules/mappers/mod_rewrite.c
@@ -190,6 +190,7 @@ static const char* really_last_key = "rewrite_really_last";
 #define OPTION_INHERIT              1<<1
 #define OPTION_INHERIT_BEFORE       1<<2
 #define OPTION_NOSLASH              1<<3
+#define OPTION_ANYURI               1<<4
 
 #ifndef RAND_MAX
 #define RAND_MAX 32767
@@ -2893,6 +2894,9 @@ static const char *cmd_rewriteoptions(cmd_parms *cmd,
                          "LimitInternalRecursion directive and will be "
                          "ignored.");
         }
+        else if (!strcasecmp(w, "allowanyuri")) {
+            options |= OPTION_ANYURI;
+        }
         else {
             return apr_pstrcat(cmd->pool, "RewriteOptions: unknown option '",
                                w, "'", NULL);
@@ -4419,8 +4423,16 @@ static int hook_uri2file(request_rec *r)
         return DECLINED;
     }
 
-    if ((r->unparsed_uri[0] == '*' && r->unparsed_uri[1] == '\0')
-        || !r->uri || r->uri[0] != '/') {
+    /* Unless the anyuri option is set, ensure that the input to the
+     * first rule really is a URL-path, avoiding security issues with
+     * poorly configured rules.  See CVE-2011-3368, CVE-2011-4317. */
+    if ((dconf->options & OPTION_ANYURI) == 0
+        && ((r->unparsed_uri[0] == '*' && r->unparsed_uri[1] == '\0')
+            || !r->uri || r->uri[0] != '/')) {
+        rewritelog((r, 8, NULL, "Declining, request-URI '%s' is not a URL-path. "
+                    "Consult the manual entry for the RewriteOptions directive "
+                    "for options and caveats about matching other strings.",
+                    r->uri));
         return DECLINED;
     }
 
-- 
2.40.0