From bb85ed16453629b03e478d33dbe2a2439232c9bf Mon Sep 17 00:00:00 2001 From: Jim Jagielski Date: Mon, 12 Dec 2016 15:20:04 +0000 Subject: [PATCH] Merge r1773397 from trunk: ProxyPass ! doesn't block per-directory ProxyPass *) mod_proxy: Honor a server scoped ProxyPass exception when ProxyPass is configured in , like in 2.2. PR 60458. [Eric Covener] Submitted by: covener Reviewed/backported by: jim git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1773800 13f79535-47bb-0310-9956-ffa450edef68 --- CHANGES | 6 +++++- STATUS | 5 ----- modules/proxy/mod_proxy.c | 19 +++++++++++++++---- 3 files changed, 20 insertions(+), 10 deletions(-) diff --git a/CHANGES b/CHANGES index e1568e2307..9f841a6191 100644 --- a/CHANGES +++ b/CHANGES @@ -1,7 +1,7 @@ -*- coding: utf-8 -*- Changes with Apache 2.4.24 - + *) SECURITY: CVE-2016-8740 (cve.mitre.org) mod_http2: Mitigate DoS memory exhaustion via endless CONTINUATION frames. @@ -22,6 +22,10 @@ Changes with Apache 2.4.24 MAC (SipHash) to prevent deciphering or tampering with a padding oracle attack. [Yann Ylavic, Colm MacCarthaigh] + *) mod_proxy: Honor a server scoped ProxyPass exception when ProxyPass is + configured in , like in 2.2. PR 60458. + [Eric Covener] + *) mod_lua: Fix default value of LuaInherit directive. It should be 'parent-first' instead of 'none', as per documentation. PR 60419 [Christophe Jaillet] diff --git a/STATUS b/STATUS index e7d3b381cb..4fe0e94bfd 100644 --- a/STATUS +++ b/STATUS 
@@ -117,11 +117,6 @@ RELEASE SHOWSTOPPERS: PATCHES ACCEPTED TO BACKPORT FROM TRUNK: [ start all new proposals below, under PATCHES PROPOSED. ] - *) ProxyPass ! in server scope doesn't block per-location ProxyPass. Worked in 2.2 - Trunk patch: https://svn.apache.org/r1773397 - 2.4.x patch: trunk works - +1 covener, jim, ylavic - *) Propose we apr_pstrdup constant r->protocol assignments, and always fail entirely invalid protocols (expecting these are part two of a URL with embedded raw SP characters), without considering 'strict'-ness. diff --git a/modules/proxy/mod_proxy.c b/modules/proxy/mod_proxy.c index d47127f37c..d6e65004e3 100644 --- a/modules/proxy/mod_proxy.c +++ b/modules/proxy/mod_proxy.c @@ -771,18 +771,29 @@ static int proxy_trans(request_rec *r) */ dconf = ap_get_module_config(r->per_dir_config, &proxy_module); - + conf = (proxy_server_conf *) ap_get_module_config(r->server->module_config, + &proxy_module); /* short way - this location is reverse proxied? */ if (dconf->alias) { int rv = ap_proxy_trans_match(r, dconf->alias, dconf); + if (OK == rv) { + /* Got a hit. Need to make sure it's not explicitly declined */ + if (conf->aliases->nelts) { + ent = (struct proxy_alias *) conf->aliases->elts; + for (i = 0; i < conf->aliases->nelts; i++) { + int rv = ap_proxy_trans_match(r, &ent[i], dconf); + if (DECLINED == rv) { + return DECLINED; + } + } + } + return OK; + } if (DONE != rv) { return rv; } } - conf = (proxy_server_conf *) ap_get_module_config(r->server->module_config, - &proxy_module); - /* long way - walk the list of aliases, find a match */ if (conf->aliases->nelts) { ent = (struct proxy_alias *) conf->aliases->elts; -- 2.50.1
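Review bot: Inside the new `if (OK == rv)` branch of the mod_proxy.c hunk, the exception loop calls `ap_proxy_trans_match(r, &ent[i], dconf)` for every server-scoped alias and reacts only to `DECLINED`, so an `OK` or any other status from an ordinary, non-exception alias is dropped while whatever that call did to `r` remains. ap_proxy_trans_match is defined outside this hunk, so the following is inferred: if it rewrites the request on a match, a request that hit the per-directory mapping could be left pointing at a server-scoped target, and the `return DECLINED` path would hand back a request already rewritten by the first match. Since `ProxyPass !` is commonly what keeps a path away from a backend, the loop would be safer if it tested only the exception entries, without a full translation of ordinary aliases, and carried a comment such as `/* server-scoped "!" exceptions win over a per-directory ProxyPass; other results are ignored */`. The inner `int rv` also shadows the outer one; a distinct name, `int exc_rv = ap_proxy_trans_match(r, &ent[i], dconf);` with `if (DECLINED == exc_rv) {`, avoids a -Wshadow warning. proxy_trans starts and ends outside the hunk.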