On Wed, Jan 18, 2012 at 11:16 AM, Jeff Trawick <[email protected]> wrote:
> Following the thread
> http://mail-archives.apache.org/mod_mbox/httpd-dev/201112.mbox/%3CCAKUrXK4uwT%3DP1KtEziNqFdxXs%2BtyWvggzpL8x2u-Bbq8tZ-Zsw%40mail.gmail.com%3E
> and the related discussion in 2.2.x/STATUS, attached is a patch for
> trunk that implements the checking according to the following
> criteria:
Attached is the 2.2.x version.
Index: server/protocol.c
===================================================================
--- server/protocol.c (revision 1232983)
+++ server/protocol.c (working copy)
@@ -640,25 +640,6 @@
ap_parse_uri(r, uri);
- /* RFC 2616:
- * Request-URI = "*" | absoluteURI | abs_path | authority
- *
- * authority is a special case for CONNECT. If the request is not
- * using CONNECT, and the parsed URI does not have scheme, and
- * it does not begin with '/', and it is not '*', then, fail
- * and give a 400 response. */
- if (r->method_number != M_CONNECT
- && !r->parsed_uri.scheme
- && uri[0] != '/'
- && !(uri[0] == '*' && uri[1] == '\0')) {
- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
- "invalid request-URI %s", uri);
- r->args = NULL;
- r->hostname = NULL;
- r->status = HTTP_BAD_REQUEST;
- r->uri = apr_pstrdup(r->pool, uri);
- }
-
if (ll[0]) {
r->assbackwards = 0;
pro = ll;
Index: modules/proxy/mod_proxy.c
===================================================================
--- modules/proxy/mod_proxy.c (revision 1232983)
+++ modules/proxy/mod_proxy.c (working copy)
@@ -566,6 +566,11 @@
return OK;
}
+ if ((r->unparsed_uri[0] == '*' && r->unparsed_uri[1] == '\0')
+ || !r->uri || r->uri[0] != '/') {
+ return DECLINED;
+ }
+
/* XXX: since r->uri has been manipulated already we're not really
* compliant with RFC1945 at this point. But this probably isn't
* an issue because this is a hybrid proxy/origin server.
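Review bot: The guard added at the top of this hunk declines silently, whereas the check this patch deletes from server/protocol.c logged `invalid request-URI %s` at APLOG_ERR and set HTTP_BAD_REQUEST, so a malformed request-URI no longer leaves any trace in the error log from these lines; the identical guard in the modules/mappers/mod_rewrite.c hunk has the same gap. Consider logging before the return, e.g. `ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "declining: request-URI is not an abs_path");`, and adding a comment such as `/* "*" and URIs that do not start with '/' are not paths; do not map them here */`. The condition also reads `r->unparsed_uri[0]` without the NULL test that `r->uri` gets; if unparsed_uri can be NULL at this point (not visible in the hunk), put `!r->uri || r->uri[0] != '/'` first or add `!r->unparsed_uri ||`. The enclosing function starts and ends outside the hunk.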
Index: modules/mappers/mod_rewrite.c
===================================================================
--- modules/mappers/mod_rewrite.c (revision 1232983)
+++ modules/mappers/mod_rewrite.c (working copy)
@@ -4266,6 +4266,11 @@
return DECLINED;
}
+ if ((r->unparsed_uri[0] == '*' && r->unparsed_uri[1] == '\0')
+ || !r->uri || r->uri[0] != '/') {
+ return DECLINED;
+ }
+
/*
* add the SCRIPT_URL variable to the env. this is a bit complicated
* due to the fact that apache uses subrequests and internal redirects
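Review bot: This guard covers only the one entry point shown, just ahead of the SCRIPT_URL setup, and the hunk does not show whether mod_rewrite's other hooks (for example per-directory rewriting) can now see `*` or non-`/` URIs that server/protocol.c used to reject with 400. If they can, they need the same test. Since the condition `(r->unparsed_uri[0] == '*' && r->unparsed_uri[1] == '\0') || !r->uri || r->uri[0] != '/'` is copied verbatim from the mod_proxy.c hunk, a single shared predicate would keep the two modules from drifting apart. The enclosing function starts and ends outside the hunk.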