| 1 |
pva |
239 |
|
SECURITY (CVE-2011-3368): Prevent unintended pattern expansion in some |
reverse proxy configurations by strictly validating the request-URI. |
http://svn.apache.org/viewvc?rev=1179239&view=rev |
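--- httpd-2.2.21/server/protocol.c
+++ httpd-2.2.21/server/protocol.c
@@ -640,6 +640,25 @@
 
 ap_parse_uri(r, uri);
 
+ /* RFC 2616:
+ * Request-URI = "*" | absoluteURI | abs_path | authority
+ *
+ * authority is a special case for CONNECT. If the request is not
+ * using CONNECT, and the parsed URI does not have scheme, and
+ * it does not begin with '/', and it is not '*', then, fail
+ * and give a 400 response. */
+ if (r->method_number != M_CONNECT
+ && !r->parsed_uri.scheme
+ && uri[0] != '/'
+ && !(uri[0] == '*' && uri[1] == '\0')) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+ "invalid request-URI %s", uri);
+ r->args = NULL;
+ r->hostname = NULL;
+ r->status = HTTP_BAD_REQUEST;
+ r->uri = apr_pstrdup(r->pool, uri);
+ }
+
 if (ll[0]) {
 r->assbackwards = 0;
 pro = ll;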
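Review bot: The guard's `&& !r->parsed_uri.scheme` clause accepts any request-URI for which `ap_parse_uri()` produced a non-NULL scheme, so the "strict validation" holds only if the parser never assigns a scheme to a string that is not a well-formed absoluteURI; that is not visible in this hunk and should be confirmed. If it cannot be guaranteed, code that later pattern-matches on `r->uri` for reverse proxying should also check that `r->uri` begins with '/'. I would record the assumption next to the check, e.g. `/* NOTE: a non-NULL parsed_uri.scheme is trusted as proof of an absoluteURI; r->uri may still not start with '/' */`. The rejection path only sets `r->status = HTTP_BAD_REQUEST` and falls through to `if (ll[0])`; the enclosing function starts and ends outside the hunk, so it is worth verifying that the caller acts on that status for every protocol version, including requests sent without a protocol string.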