Mercurial Mercurial > upstream > oracle > userland-gate / diff
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | file | latest | revisions | annotate | diff | comparison | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
components/apache2/patches/CVE-2011-3368.patch
branchs11-sru
changeset 2249 9c4f7d7572dd
parent 2248 c2beb07524a9
child 2250 e145454a43d2 
--- a/components/apache2/patches/CVE-2011-3368.patch	Tue Mar 06 10:46:23 2012 -0800
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,34 +0,0 @@
-
-SECURITY (CVE-2011-3368): Prevent unintended pattern expansion in some
-reverse proxy configurations by strictly validating the request-URI.
-
-http://svn.apache.org/viewvc?rev=1179239&view=rev
-
---- server/protocol.c
-+++ server/protocol.c
-@@ -640,6 +640,25 @@
- 
-     ap_parse_uri(r, uri);
- 
-+    /* RFC 2616:
-+     *   Request-URI    = "*" | absoluteURI | abs_path | authority
-+     *
-+     * authority is a special case for CONNECT.  If the request is not
-+     * using CONNECT, and the parsed URI does not have scheme, and
-+     * it does not begin with '/', and it is not '*', then, fail
-+     * and give a 400 response. */
-+    if (r->method_number != M_CONNECT 
-+        && !r->parsed_uri.scheme 
-+        && uri[0] != '/'
-+        && !(uri[0] == '*' && uri[1] == '\0')) {
-+        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-+                      "invalid request-URI %s", uri);
-+        r->args = NULL;
-+        r->hostname = NULL;
-+        r->status = HTTP_BAD_REQUEST;
-+        r->uri = apr_pstrdup(r->pool, uri);
-+    }
-+
-     if (ll[0]) {
-         r->assbackwards = 0;
-         pro = ll;
upstream/oracle/userland-gate