author | Petr Sumbera <petr.sumbera@oracle.com> |
Mon, 03 Dec 2012 05:38:16 -0800 | |
branch | s11u1-sru |
changeset 2436 | d83dc24582fe |
parent 795 | 6344ba200d21 |
child 4696 | 96b9957387bf |
permissions | -rw-r--r-- |
795
6344ba200d21
7157313 Apache ignores RewriteRule directives for proxied requests
Petr Sumbera <petr.sumbera@oracle.com>
https://issues.apache.org/bugzilla/show_bug.cgi?id=52774 |
2436
d83dc24582fe
15819621 SUNBT7202142 Upgrade Apache Web Server to version 2.2.23
Petr Sumbera <petr.sumbera@oracle.com>
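--- a/modules/mappers/mod_rewrite.c
+++ b/modules/mappers/mod_rewrite.c
@@ -4302,14 +4302,29 @@
  /* Unless the anyuri option is set, ensure that the input to the
  * first rule really is a URL-path, avoiding security issues with
  * poorly configured rules. See CVE-2011-3368, CVE-2011-4317. */
+ /*
+ * We believe that URI starting with "http://" is valid and thus we fork
+ * here little bit from upstream. I'm intentionally not optimizing
+ * following if statement to keep changes against upstream clear.
+ * See also: https://issues.apache.org/bugzilla/show_bug.cgi?id=52774
+ */
  if ((dconf->options & OPTION_ANYURI) == 0
  && ((r->unparsed_uri[0] == '*' && r->unparsed_uri[1] == '\0')
- || !r->uri || r->uri[0] != '/')) {
+ || !r->uri)) {
  rewritelog((r, 8, NULL, "Declining, request-URI '%s' is not a URL-path. "
  "Consult the manual entry for the RewriteOptions directive "
  "for options and caveats about matching other strings.",
  r->uri));
  return DECLINED;
+ } else if ((dconf->options & OPTION_ANYURI) == 0 && r->uri[0] != '/') {
+ if (strncmp(r->uri, "http://" , 7) != 0 &&
+ strncmp(r->uri, "https://", 8 )!= 0) {
+ rewritelog((r, 8, NULL, "Declining, request-URI '%s' is not a URL-path. "
+ "Consult the manual entry for the RewriteOptions directive "
+ "for options and caveats about matching other strings.",
+ r->uri));
+ return DECLINED;
+ }
  }
 
  /*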
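Review bot: The new `else if` branch exempts every request whose `r->uri` starts with `http://` or `https://` from the URL-path check, so with `OPTION_ANYURI` unset the rules again receive input that is not a URL-path, which is the case the comment above ties to CVE-2011-3368 and CVE-2011-4317. The changeset title says the goal is proxied requests, so the exemption would be narrower if it also required the request to be marked as a proxy request, for example `if (r->proxyreq == PROXYREQ_NONE || (strncmp(r->uri, "http://", 7) != 0 && strncmp(r->uri, "https://", 8) != 0)) {`. Whether `r->proxyreq` is already set when this code runs depends on hook ordering that is not visible in the hunk, so that needs confirming. The added comment should also state which rule configurations remain safe with absolute-URI input, since "We believe that URI starting with "http://" is valid" does not tell an administrator what to check. Separately, `strncmp` is case-sensitive, so a scheme written as `HTTP://` is still declined and `strncasecmp` would make the behaviour consistent; the enclosing function begins and ends outside the hunk.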