Commit 7014ef83 authored by Jeff Trawick

The merge of AllowAnyURI to 2.0.x (r1489910) included the changes I
wanted, and 2.0.x-HEAD passes my 3368/4317 testcases with HTTP 0.9
and 1.0, so I have no remaining concerns.  (Thanks rjung+covener.)


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@1496984 13f79535-47bb-0310-9956-ffa450edef68
parent c7efd2a0
+0 −49
@@ -114,55 +114,6 @@ CURRENT RELEASE NOTES:

RELEASE SHOWSTOPPERS:

  *) SECURITY: CVE-2011-4317 (cve.mitre.org)
     Resolve additional cases of URL rewriting with ProxyPassMatch or
     RewriteRule, where particular request-URIs could result in undesired
     backend network exposure in some configurations.
     [Joe Orton]

     trawick: Applying the existing 2.0.x patch for CVE-2011-3368 to
              2.0.64, the three well-known testcases work for HTTP 1.0
              but fail with HTTP 0.9; after applying r1235443 (backing
              out the server/protocol.c change and fixing rewrite and
              proxy), the three well-known testcases work for me with
              both HTTP 1.0 and HTTP 0.9.

              The reason is that ap_read_request() looks for a bad
              status only for HTTP >= 1.0; processing proceeds for
              HTTP/0.9 even after going through the error path in the 
              existing CVE-2011-3368 patch.

              The CVE-2011-3368 solution for 2.0 could be modified,
              but I prefer going with the current CVE-2011-4317
              solution since it handles everything.

              While 2.2 also skips checking r->status for HTTP 0.9
              in the obvious place, this logic in ap_read_request()
              finally catches the problem before proceeding too far 
              with the request:

1052	     * status codes that do not cause the connection to be dropped and
1053	     * in situations where the connection should be kept alive.
1054	     */
1055	
1056	    ap_add_input_filter_handle(ap_http_input_filter_handle,
1057	                               NULL, r, r->connection);
1058	
1059	    if (r->status != HTTP_OK) {
1060	        ap_send_error_response(r, 0);
1061	        ap_update_child_status(conn->sbh, SERVER_BUSY_LOG, r);

     From 2.2.x: http://svn.apache.org/viewvc?view=revision&revision=1235443
        Individual patches apply with offsets; here's a clean all-in-one:
        http://people.apache.org/~trawick/2.0-CVE-2011-4317-r1235443.patch
       +1: jim, wrowe (as incorporated by rjung below)
       trawick: 2.2/2.4 now have a different solution (AllowAnyURI).
       rjung: I added the AllowAnyURI patch below. Version 2 of the patch
              integrates your 2.0-CVE-2011-4317-r1235443.patch.
       covener: this is no longer needed after rjungs AllowAnyURI which is now 
                backported, right?
                http://svn.apache.org/viewvc?view=revision&revision=r1489910


PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
  [ start all new proposals below, under PATCHES PROPOSED. ]
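Review bot: Deleting this STATUS entry removes the only written record on the 2.0.x branch of why the earlier CVE-2011-3368 patch was insufficient for HTTP/0.9 (the trawick note: ap_read_request() checks for a bad status only for HTTP >= 1.0, so processing continued past the patch's error path for 0.9 requests, whereas 2.2's `if (r->status != HTTP_OK)` block catches it). Before landing, consider carrying that one-paragraph rationale into the CHANGES entry for the AllowAnyURI backport (r1489910) or a short comment at the HTTP/0.9 handling in server/protocol.c, so the next change to the rewrite/proxy path does not rediscover the 0.9 gap; the removal itself is the expected outcome of covener's question once the backport landed, and the 55-to-6 line hunk matches the +0 −49 summary.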