Commit 11070515 authored by Joe Orton

Merge r1179239 from trunk:

SECURITY (CVE-2011-3368): Prevent unintended pattern expansion in some
reverse proxy configurations by strictly validating the request-URI:

* server/protocol.c (read_request_line): Send a 400 response if the
  request-URI does not match the grammar from RFC 2616.  This ensures
  the input string for RewriteRule et al really is an absolute path.

Reviewed by: jim, rjung, jorton


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@1180030 13f79535-47bb-0310-9956-ffa450edef68
parent e838a014
+6 −2
                                                         -*- coding: utf-8 -*-
                                                         -*- coding: utf-8 -*-
Changes with Apache 2.0.65

  *) SECURITY: CVE-2011-3368 (cve.mitre.org)
     Reject requests where the request-URI does not match the HTTP
     specification, preventing unexpected expansion of target URLs in
     some reverse proxy configurations.  [Joe Orton]

  *) SECURITY: CVE-2011-3192 (cve.mitre.org)
     core: Fix handling of byte-range requests to use less memory, to avoid
     denial of service. If the sum of all ranges in a request is larger than
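Review bot: The CVE-2011-3368 entry says requests are rejected when the request-URI "does not match the HTTP specification", but it does not say what the client receives or which configurations are affected. Consider stating that a 400 response is sent and naming RewriteRule, as the commit message does, so administrators reading CHANGES can tell whether their reverse proxy setup is covered. It would also help to mention that CONNECT requests are exempt from the new check.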
@@ -8,7 +13,6 @@ Changes with Apache 2.0.65
     PR 51714. [Jeff Trawick, Stefan Fritsch, Jim Jagielski, Ruediger Pluem,
     Eric Covener, <lowprio20 gmail.com>]


Changes with Apache 2.0.64

  *) SECURITY: CVE-2010-1452 (cve.mitre.org)
+19 −0
@@ -628,6 +628,25 @@ static int read_request_line(request_rec *r, apr_bucket_brigade *bb)

    ap_parse_uri(r, uri);

    /* RFC 2616:
     *   Request-URI    = "*" | absoluteURI | abs_path | authority
     *
     * authority is a special case for CONNECT.  If the request is not
     * using CONNECT, and the parsed URI does not have scheme, and
     * it does not begin with '/', and it is not '*', then, fail
     * and give a 400 response. */
    if (r->method_number != M_CONNECT 
        && !r->parsed_uri.scheme 
        && uri[0] != '/'
        && !(uri[0] == '*' && uri[1] == '\0')) {
        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
                      "invalid request-URI %s", uri);
        r->args = NULL;
        r->hostname = NULL;
        r->status = HTTP_BAD_REQUEST;
        r->uri = apr_pstrdup(r->pool, uri);
    }

    if (ll[0]) {
        r->assbackwards = 0;
        pro = ll;
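Review bot: The new condition accepts any request-URI for which ap_parse_uri() left r->parsed_uri.scheme non-NULL, without checking that the rest of the string forms a valid absoluteURI, so the stated goal that the input for RewriteRule "really is an absolute path" is only enforced for scheme-less URIs. Consider also validating the parsed path when a scheme is present, for example requiring that r->parsed_uri.path is set and begins with '/'. Separately, the block sets r->status to HTTP_BAD_REQUEST but does not return, so it depends on the caller checking r->status after the protocol parsing that follows; a short comment saying so would make that dependency explicit. The two condition lines ending in "M_CONNECT " and "scheme " carry trailing whitespace.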