diff options
| author | tron <tron@pkgsrc.org> | 2011-12-12 18:43:14 +0000 |
|---|---|---|
| committer | tron <tron@pkgsrc.org> | 2011-12-12 18:43:14 +0000 |
| commit | dbb45bcd9887990ca9146a5c7938735a5549cfce (patch) | |
| tree | fa6a49fbf6cebb2e9264b62350647815eaf50d37 /www/apache22 | |
| parent | 4180943f28faab66f6732bc3e62737fb03449c3a (diff) | |
| download | pkgsrc-dbb45bcd9887990ca9146a5c7938735a5549cfce.tar.gz | |
Remove duplicate error check from security patch. No revision bump as
there is no functional change.
Problem pointed out by S.P. Zeidler.
Diffstat (limited to 'www/apache22')
| -rw-r--r-- | www/apache22/distinfo | 4 | ||||
| -rw-r--r-- | www/apache22/patches/patch-server_protocol.c | 25 |
2 files changed, 5 insertions, 24 deletions
diff --git a/www/apache22/distinfo b/www/apache22/distinfo index 7ae2d811917..35c9cebfda7 100644 --- a/www/apache22/distinfo +++ b/www/apache22/distinfo @@ -1,4 +1,4 @@ -$NetBSD: distinfo,v 1.45 2011/12/07 22:58:12 tron Exp $ +$NetBSD: distinfo,v 1.46 2011/12/12 18:43:14 tron Exp $ SHA1 (httpd-2.2.21.tar.bz2) = c02f9b05da9a7e316ff37d9053dc76a57ba51cb4 RMD160 (httpd-2.2.21.tar.bz2) = 6464a03d78ab858b1288ea9eef4cd5f73b60a9f1 @@ -16,5 +16,5 @@ SHA1 (patch-am) = ab4a2f7e5a1a3064e908b61157e7fd349c0b0c08 SHA1 (patch-aw) = ca53d67beeb2c2c4d9adb04d3d79e24a8c427fd4 SHA1 (patch-lock.c) = 770ca03f1cb4421879bd5baa5a7c30cc91acb6e1 SHA1 (patch-repos.c) = 0e0361b91d4b0fe6c7c55a12fdfd2e6aacc710e1 -SHA1 (patch-server_protocol.c) = fc77c3293f6f2f73a40e88098ba1483d3e605b66 +SHA1 (patch-server_protocol.c) = 2be3e4fc08da717fa55b058eb32e398f6546d457 SHA1 (patch-server_util.c) = b63f73e2a482facd188eecb0864fc612d1b7b3a5 diff --git a/www/apache22/patches/patch-server_protocol.c b/www/apache22/patches/patch-server_protocol.c index 72efabef372..336edb08fc1 100644 --- a/www/apache22/patches/patch-server_protocol.c +++ b/www/apache22/patches/patch-server_protocol.c @@ -1,4 +1,4 @@ -$NetBSD: patch-server_protocol.c,v 1.2 2011/12/07 22:58:12 tron Exp $ +$NetBSD: patch-server_protocol.c,v 1.3 2011/12/12 18:43:14 tron Exp $ revision 1179239 from http://svn.apache.org/: SECURITY (CVE-2011-3368): Prevent unintended pattern expansion @@ -13,8 +13,8 @@ revision 1179525 from http://svn.apache.org/: the input string for RewriteRule et al really is an absolute path. --- server/protocol.c.orig 2011-05-07 12:39:29.000000000 +0100 -+++ server/protocol.c 2011-12-07 22:48:17.000000000 +0000 -@@ -640,6 +640,44 @@ ++++ server/protocol.c 2011-12-12 18:37:04.000000000 +0000 +@@ -640,6 +640,25 @@ ap_parse_uri(r, uri); @@ -37,25 +37,6 @@ revision 1179525 from http://svn.apache.org/: + r->uri = apr_pstrdup(r->pool, uri); + } + -+ /* RFC 2616: -+ * Request-URI = "*" | absoluteURI | abs_path | authority -+ * -+ * authority is a special case for CONNECT. If the request is not -+ * using CONNECT, and the parsed URI does not have scheme, and -+ * it does not begin with '/', and it is not '*', then, fail -+ * and give a 400 response. */ -+ if (r->method_number != M_CONNECT -+ && !r->parsed_uri.scheme -+ && uri[0] != '/' -+ && !(uri[0] == '*' && uri[1] == '\0')) { -+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, -+ "invalid request-URI %s", uri); -+ r->args = NULL; -+ r->hostname = NULL; -+ r->status = HTTP_BAD_REQUEST; -+ r->uri = apr_pstrdup(r->pool, uri); -+ } -+ if (ll[0]) { r->assbackwards = 0; pro = ll; |