On 2/2/21 11:32 AM, Ruediger Pluem wrote:
>
>
> On 1/7/21 2:19 PM, yla...@apache.org wrote:
>> Author: ylavic
>> Date: Thu Jan 7 13:19:08 2021
>> New Revision: 1885239
>> Modified: httpd/httpd/trunk/modules/proxy/mod_proxy_http.c
>> URL:
>> http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/proxy/mod_proxy_http.c?rev=1885239&r1=1885238&r2=1885239&view=diff
>> ==============================================================================
>> --- httpd/httpd/trunk/modules/proxy/mod_proxy_http.c (original)
>> +++ httpd/httpd/trunk/modules/proxy/mod_proxy_http.c Thu Jan 7 13:19:08 2021
>> @@ -1840,9 +1877,8 @@ static int proxy_http_handler(request_re
>> apr_port_t proxyport)
>> {
>> int status;
>> - char *scheme;
>> - const char *proxy_function;
>> - const char *u;
>> + const char *scheme;
>> + const char *u = url;
>> proxy_http_req_t *req = NULL;
>> proxy_conn_rec *backend = NULL;
>> apr_bucket_brigade *input_brigade = NULL;
>> @@ -1860,41 +1896,31 @@ static int proxy_http_handler(request_re
>> apr_pool_t *p = r->pool;
>> apr_uri_t *uri;
>>
>> - /* find the scheme */
>> - u = strchr(url, ':');
>> - if (u == NULL || u[1] != '/' || u[2] != '/' || u[3] == '\0')
>> + scheme = get_url_scheme(&u, &is_ssl);
>> + if (!scheme && proxyname && strncasecmp(url, "ftp:", 4) == 0) {
>> + u = url + 4;
>> + scheme = "ftp";
>> + is_ssl = 0;
>> + }
>> + if (!scheme || u[0] != '/' || u[1] != '/' || u[2] == '\0') {
>> + if (!scheme && (u = strchr(url, ':')) && (u - url) > 14) {
>> + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10262)
>> + "overlong proxy URL scheme in %s", url);
>> + return HTTP_BAD_REQUEST;
>> + }
>
> This breaks forward proxies with the CONNECT method.
> For CONNECT somwhere123456789.com:443 scheme is NULL and u[0] is 's' and
> hence != /.
>
> The following patch fixes this:
>
> Index: mod_proxy_http.c
> ===================================================================
> --- mod_proxy_http.c (revision 1886120)
> +++ mod_proxy_http.c (working copy)
> @@ -1903,15 +1903,15 @@
> is_ssl = 0;
> }
> if (!scheme || u[0] != '/' || u[1] != '/' || u[2] == '\0') {
> - if (!scheme && (u = strchr(url, ':')) && (u - url) > 14) {
> - ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10262)
> - "overlong proxy URL scheme in %s", url);
> - return HTTP_BAD_REQUEST;
> - }
> ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01113)
> "HTTP: declining URL %s", url);
> return DECLINED; /* only interested in HTTP, WS or FTP via proxy */
> }
> + if (!scheme && (u = strchr(url, ':')) && (u - url) > 14) {
> + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10262)
> + "overlong proxy URL scheme in %s", url);
> + return HTTP_BAD_REQUEST;
> + }
> if (is_ssl && !ap_proxy_ssl_enable(NULL)) {
> ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01112)
> "HTTP: declining URL %s (mod_ssl not configured?)",
> url);
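Review bot: The relocated `if (!scheme && (u = strchr(url, ':')) && (u - url) > 14)` block is unreachable where this patch places it, because the preceding `if (!scheme || u[0] != '/' ...)` already returns DECLINED whenever `scheme` is NULL, so `!scheme` is always false by the time control gets here. The patch therefore fixes CONNECT by silently dropping the overlong-scheme 400 (APLOGNO 10262) rather than moving it, and leaves dead code that reads as if the validation were still active. Either delete the five added lines outright, or, if the rejection is still wanted, keep it inside the decline branch and exempt authority-form targets, for example by testing `r->method_number != M_CONNECT` first (assuming the CONNECT target reaches this handler as bare `host:port`, as the report indicates). The body of proxy_http_handler starts and ends outside this hunk.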
>
> Unfortunately this has been already backported in r1885605 and hence 2.4.x is
> now broken as well.
>
And it looks like the test suite has no forward proxy tests at all, which
caused this to be missed by the test framework.
Regards
Rüdiger