components/apache2/patches/bug52774.patch
author Petr Sumbera <petr.sumbera@oracle.com>
Mon, 03 Dec 2012 05:38:16 -0800
branchs11u1-sru
changeset 2436 d83dc24582fe
parent 795 6344ba200d21
child 4696 96b9957387bf
permissions -rw-r--r--
15819621 SUNBT7202142 Upgrade Apache Web Server to version 2.2.23 15816381 problem in UTILITY/APACHE
6344ba200d21 7157313 Apache ignores RewriteRule directives for proxied requests
https://issues.apache.org/bugzilla/show_bug.cgi?id=52774
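--- a/modules/mappers/mod_rewrite.c
+++ b/modules/mappers/mod_rewrite.c
@@ -4302,14 +4302,29 @@
     /* Unless the anyuri option is set, ensure that the input to the
      * first rule really is a URL-path, avoiding security issues with
      * poorly configured rules.  See CVE-2011-3368, CVE-2011-4317. */
+    /*
+     * We believe that URI starting with "http://" is valid and thus we fork
+     * here little bit from upstream. I'm intentionally not optimizing
+     * following if statement to keep changes against upstream clear.
+     * See also: https://issues.apache.org/bugzilla/show_bug.cgi?id=52774
+     */
     if ((dconf->options & OPTION_ANYURI) == 0
         && ((r->unparsed_uri[0] == '*' && r->unparsed_uri[1] == '\0')
-            || !r->uri || r->uri[0] != '/')) {
+            || !r->uri)) {
         rewritelog((r, 8, NULL, "Declining, request-URI '%s' is not a URL-path. "
                     "Consult the manual entry for the RewriteOptions directive "
                     "for options and caveats about matching other strings.",
                     r->uri));
         return DECLINED;
+    } else if ((dconf->options & OPTION_ANYURI) == 0 && r->uri[0] != '/') {
+        if (strncmp(r->uri, "http://" , 7) != 0 && 
+            strncmp(r->uri, "https://", 8 )!= 0) {
+              rewritelog((r, 8, NULL, "Declining, request-URI '%s' is not a URL-path. "
+                          "Consult the manual entry for the RewriteOptions directive "
+                          "for options and caveats about matching other strings.",
+                          r->uri));
+             return DECLINED;
+        }
     }
 
     /*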
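Review bot: The new `else if` branch lets any `r->uri` beginning with `http://` or `https://` through, so the guard added for CVE-2011-3368 and CVE-2011-4317 now checks only the scheme prefix, and the rules receive the whole absolute URI, authority part included. Rule sets written on the assumption that the input starts with `/` are then matched against strings they were not designed for, which is the situation the upstream check exists to prevent. If the intent is only to let forward-proxy requests reach the rules, the exception could be tied to that state, for example `if (r->proxyreq != PROXYREQ_PROXY || (strncmp(r->uri, "http://", 7) != 0 && strncmp(r->uri, "https://", 8) != 0)) {`. The added comment should also say that patterns must not rely on a leading slash once this branch is taken. The enclosing function starts and ends outside this hunk, so whether `r->proxyreq` is already set at this point needs confirming.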