https://issues.apache.org/bugzilla/show_bug.cgi?id=52774
--- Comment #12 from Gordon <[email protected]> --- Created attachment 28842 --> https://issues.apache.org/bugzilla/attachment.cgi?id=28842&action=edit Patch for CVE-2011-4317 effecting only rewriterule proxy I had a few hours spare today and wrote a patch on 2.2.22. This would appear to allow both continued use of rewriterule in proxy and connect conditions, while enforcing a rule for [P] type modrewrite. Unfortunately I could not test the problems of CVE-2011-4317 in these changes as they seem for me to be blocked early in the process (perhaps due to me using an rpms from fedora). Could someone validate that the problem URIs are still blocked? The previous CVE-2011-4317 fix ignored modrewrite when the URI was invalid, and this caused my config to allow requests which would have otherwise been blocked (as I use [F] rewriterule for security). I think this patch is better as it make the request FORBIDDEN if a [p] rule was the one that matched and the URI is not safe. The previous rule ignored proxy in .htaccess files. I assume this was already thought through? As per the previous fix I ignore this. I had to add an extra flag to one of the functions to indicate that a proxy modrewrite was used. Just using a match on "proxy:" incorrectly trapped simple rewrite rules involving the CONNECT method. I hope this is useful to you... -- You are receiving this mail because: You are the assignee for the bug. --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
