On Tue, Feb 2, 2021 at 11:32 AM Ruediger Pluem <rpl...@apache.org> wrote: > > On 1/7/21 2:19 PM, yla...@apache.org wrote: > > Author: ylavic > > Date: Thu Jan 7 13:19:08 2021 > > New Revision: 1885239 [] > > > > - /* find the scheme */ > > - u = strchr(url, ':'); > > - if (u == NULL || u[1] != '/' || u[2] != '/' || u[3] == '\0') > > + scheme = get_url_scheme(&u, &is_ssl); > > + if (!scheme && proxyname && strncasecmp(url, "ftp:", 4) == 0) { > > + u = url + 4; > > + scheme = "ftp"; > > + is_ssl = 0; > > + } > > + if (!scheme || u[0] != '/' || u[1] != '/' || u[2] == '\0') { > > + if (!scheme && (u = strchr(url, ':')) && (u - url) > 14) { > > + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10262) > > + "overlong proxy URL scheme in %s", url); > > + return HTTP_BAD_REQUEST; > > + } > > This breaks forward proxies with the CONNECT method. > For CONNECT somwhere123456789.com:443 schema is NULL and u[0] is 's' and > hence != /.
Yes, sorry about that. > > The following patches fixes this: > > Index: mod_proxy_http.c > =================================================================== > --- mod_proxy_http.c (revision 1886120) > +++ mod_proxy_http.c (working copy) > @@ -1903,15 +1903,15 @@ > is_ssl = 0; > } > if (!scheme || u[0] != '/' || u[1] != '/' || u[2] == '\0') { > - if (!scheme && (u = strchr(url, ':')) && (u - url) > 14) { > - ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10262) > - "overlong proxy URL scheme in %s", url); > - return HTTP_BAD_REQUEST; > - } > ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01113) > "HTTP: declining URL %s", url); > return DECLINED; /* only interested in HTTP, WS or FTP via proxy */ > } > + if (!scheme && (u = strchr(url, ':')) && (u - url) > 14) { > + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10262) > + "overlong proxy URL scheme in %s", url); > + return HTTP_BAD_REQUEST; > + } > if (is_ssl && !ap_proxy_ssl_enable(NULL)) { > ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01112) > "HTTP: declining URL %s (mod_ssl not configured?)", > url); +1 > > Unfortunately this has been already backported in r1885605 and hence 2.4.x is > now broken as well. Will you commit the above patch (or should I)? Then I could propose it for backport with the other needed core_output_filter() change. Thanks for the review (again and again :). Regards; Yann.