Re: svn commit: r1885239 - in /httpd/httpd/trunk: changes-entries/proxy_wstunnel_to_http.txt docs/log-message-tags/next-number modules/proxy/mod_proxy.h modules/proxy/mod_proxy_http.c modules/proxy/mod_proxy_wstunnel.c modules/proxy/proxy_util.c

Tue, 02 Feb 2021 06:05:23 -0800 

On Tue, Feb 2, 2021 at 11:32 AM Ruediger Pluem <rpl...@apache.org> wrote:
>
> On 1/7/21 2:19 PM, yla...@apache.org wrote:
> > Author: ylavic
> > Date: Thu Jan  7 13:19:08 2021
> > New Revision: 1885239
[]
> >
> > -    /* find the scheme */
> > -    u = strchr(url, ':');
> > -    if (u == NULL || u[1] != '/' || u[2] != '/' || u[3] == '\0')
> > +    scheme = get_url_scheme(&u, &is_ssl);
> > +    if (!scheme && proxyname && strncasecmp(url, "ftp:", 4) == 0) {
> > +        u = url + 4;
> > +        scheme = "ftp";
> > +        is_ssl = 0;
> > +    }
> > +    if (!scheme || u[0] != '/' || u[1] != '/' || u[2] == '\0') {
> > +        if (!scheme && (u = strchr(url, ':')) && (u - url) > 14) {
> > +            ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10262)
> > +                          "overlong proxy URL scheme in %s", url);
> > +            return HTTP_BAD_REQUEST;
> > +        }
>
> This breaks forward proxies with the CONNECT method.
> For CONNECT somwhere123456789.com:443 schema is NULL and u[0] is 's' and 
> hence != /.

Yes, sorry about that.

>
> The following patches fixes this:
>
> Index: mod_proxy_http.c
> ===================================================================
> --- mod_proxy_http.c    (revision 1886120)
> +++ mod_proxy_http.c    (working copy)
> @@ -1903,15 +1903,15 @@
>          is_ssl = 0;
>      }
>      if (!scheme || u[0] != '/' || u[1] != '/' || u[2] == '\0') {
> -        if (!scheme && (u = strchr(url, ':')) && (u - url) > 14) {
> -            ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10262)
> -                          "overlong proxy URL scheme in %s", url);
> -            return HTTP_BAD_REQUEST;
> -        }
>          ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01113)
>                        "HTTP: declining URL %s", url);
>          return DECLINED; /* only interested in HTTP, WS or FTP via proxy */
>      }
> +    if (!scheme && (u = strchr(url, ':')) && (u - url) > 14) {
> +        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10262)
> +                      "overlong proxy URL scheme in %s", url);
> +        return HTTP_BAD_REQUEST;
> +    }
>      if (is_ssl && !ap_proxy_ssl_enable(NULL)) {
>          ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01112)
>                        "HTTP: declining URL %s (mod_ssl not configured?)", 
> url);

+1

>
> Unfortunately this has been already backported in r1885605 and hence 2.4.x is 
> now broken as well.

Will you commit the above patch (or should I)?
Then I could propose it for backport with the other needed
core_output_filter() change.

Thanks for the review (again and again :).

Regards;
Yann.

Reply via email to