7202142 Upgrade Apache Web Server to version 2.2.23
7164140 ErrorDocument can not handle 400 status properly in case of HTTP 1.1
7198847 Problem with utility/apache
https://issues.apache.org/bugzilla/show_bug.cgi?id=52774
--- modules/mappers/mod_rewrite.c Mon Aug 20 10:22:53 2012
+++ modules/mappers/mod_rewrite.c Tue Sep 18 04:02:33 2012
@@ -4302,14 +4302,29 @@
/* Unless the anyuri option is set, ensure that the input to the
* first rule really is a URL-path, avoiding security issues with
* poorly configured rules. See CVE-2011-3368, CVE-2011-4317. */
+ /*
+ * We believe that URI starting with "http://" is valid and thus we fork
+ * here little bit from upstream. I'm intentionally not optimizing
+ * following if statement to keep changes against upstream clear.
+ * See also: https://issues.apache.org/bugzilla/show_bug.cgi?id=52774
+ */
if ((dconf->options & OPTION_ANYURI) == 0
&& ((r->unparsed_uri[0] == '*' && r->unparsed_uri[1] == '\0')
- || !r->uri || r->uri[0] != '/')) {
+ || !r->uri)) {
rewritelog((r, 8, NULL, "Declining, request-URI '%s' is not a URL-path. "
"Consult the manual entry for the RewriteOptions directive "
"for options and caveats about matching other strings.",
r->uri));
return DECLINED;
+ } else if ((dconf->options & OPTION_ANYURI) == 0 && r->uri[0] != '/') {
+ if (strncmp(r->uri, "http://" , 7) != 0 &&
+ strncmp(r->uri, "https://", 8 )!= 0) {
+ rewritelog((r, 8, NULL, "Declining, request-URI '%s' is not a URL-path. "
+ "Consult the manual entry for the RewriteOptions directive "
+ "for options and caveats about matching other strings.",
+ r->uri));
+ return DECLINED;
+ }
}
/*