author | Petr Sumbera <petr.sumbera@oracle.com> |
Wed, 16 Sep 2015 01:25:52 -0700 | |
branch | s11u3-sru |
changeset 4883 | cd5ceed10e53 |
parent 2428 | 77b26ec5be97 |
permissions | -rw-r--r-- |
7157313 Apache ignores RewriteRule directives for proxied requests
https://issues.apache.org/bugzilla/show_bug.cgi?id=52774 |
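--- a/modules/mappers/mod_rewrite.c
+++ b/modules/mappers/mod_rewrite.c
@@ -4319,14 +4319,29 @@
 /* Unless the anyuri option is set, ensure that the input to the
 * first rule really is a URL-path, avoiding security issues with
 * poorly configured rules. See CVE-2011-3368, CVE-2011-4317. */
+ /*
+ * We believe that URI starting with "http://" is valid and thus we fork
+ * here little bit from upstream. I'm intentionally not optimizing
+ * following if statement to keep changes against upstream clear.
+ * See also: https://issues.apache.org/bugzilla/show_bug.cgi?id=52774
+ */
 if ((dconf->options & OPTION_ANYURI) == 0
 && ((r->unparsed_uri[0] == '*' && r->unparsed_uri[1] == '\0')
- || !r->uri || r->uri[0] != '/')) {
+ || !r->uri)) {
 rewritelog((r, 8, NULL, "Declining, request-URI '%s' is not a URL-path. "
 "Consult the manual entry for the RewriteOptions directive "
 "for options and caveats about matching other strings.",
 r->uri));
 return DECLINED;
+ } else if ((dconf->options & OPTION_ANYURI) == 0 && r->uri[0] != '/') {
+ if (strncmp(r->uri, "http://" , 7) != 0 &&
+ strncmp(r->uri, "https://", 8 )!= 0) {
+ rewritelog((r, 8, NULL, "Declining, request-URI '%s' is not a URL-path. "
+ "Consult the manual entry for the RewriteOptions directive "
+ "for options and caveats about matching other strings.",
+ r->uri));
+ return DECLINED;
+ }
 }
 
 /*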
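Review bot: The new `else if` branch lets any request whose `r->uri` begins with `http://` or `https://` through to the rewrite rules, which narrows the URL-path guard that the comment above ties to CVE-2011-3368 and CVE-2011-4317. Nothing in the hunk limits the exception to proxied requests, although that is the case the change title describes. If forward-proxy requests are the only intended case, the inner test could say so, e.g. `if (r->proxyreq != PROXYREQ_PROXY || (strncmp(r->uri, "http://", 7) != 0 && strncmp(r->uri, "https://", 8) != 0)) {`, but whether `r->proxyreq` is already set when this hook runs should be confirmed against mod_proxy. The added comment should also tell administrators that rules written on the assumption that the input starts with `/` will now see absolute URIs, so patterns feeding a proxy substitution need to be anchored. It should also mention that the scheme comparison is case-sensitive, so `HTTP://` is still declined (fail-safe). The enclosing function starts and ends outside the hunk.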