author | Stefan Fritsch <sf@debian.org> | 2011-12-03 17:40:34 +0000 |
committer | Stefan Fritsch <sf@sfritsch.de> | 2012-01-02 10:37:24 +0100 |
commit | 5ed2891e662cf65477dbe06778be752145436c00 (patch) | |
tree | 2af64830b62cf5d4b4726b3e1bc14bd7b539e7c1 | |
parent | 41d6e77fc57d2ce12296ec8f6535829795af240e (diff) | |
download | apache2-5ed2891e662cf65477dbe06778be752145436c00.tar.gz |
Prevent unintended pattern expansion in some reverse proxy
configurations by strictly validating the request-URI. Fixes
CVE-2011-3368, CVE-2011-3639, CVE-2011-4317.
git-svn-id: svn+ssh://svn.debian.org/svn/pkg-apache/branches/squeeze-apache2@1375 01b336ce-410b-0410-9a02-a0e7f243c266
-rw-r--r-- | debian/changelog | 8 | ||||
-rw-r--r-- | debian/patches/00list | 3 | ||||
-rwxr-xr-x | debian/patches/089_CVE-2011-3368.dpatch | 54 | ||||
-rwxr-xr-x | debian/patches/090_CVE-2011-4317.dpatch | 70 | ||||
-rwxr-xr-x | debian/patches/091_CVE-2011-3639.dpatch | 45 |
5 files changed, 180 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
index a383ebbc..7910ed31 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+apache2 (2.2.16-6+squeeze5) UNRELEASED; urgency=high
+
+ * Prevent unintended pattern expansion in some reverse proxy
+ configurations by strictly validating the request-URI. Fixes
+ CVE-2011-3368, CVE-2011-3639, CVE-2011-4317.
+
+ -- Stefan Fritsch <sf@debian.org> Sat, 03 Dec 2011 18:38:51 +0100
+
 apache2 (2.2.16-6+squeeze4) squeeze; urgency=low
 
 * Fix CVE-2011-3348: Possible denial of service in mod_proxy_ajp
diff --git a/debian/patches/00list b/debian/patches/00list
index 6e5f37e3..e7407b98 100644
--- a/debian/patches/00list
+++ b/debian/patches/00list
@@ -30,6 +30,9 @@
 085_CVE-2011-3192.dpatch
 086_range_regressions.dpatch
 087_mod_proxy_ajp_CVE-2011-3348.dpatch
+089_CVE-2011-3368.dpatch
+090_CVE-2011-4317.dpatch
+091_CVE-2011-3639.dpatch
 099_config_guess_sub_update
 200_cp_suexec.dpatch
 201_build_suexec-custom.dpatch
diff --git a/debian/patches/089_CVE-2011-3368.dpatch b/debian/patches/089_CVE-2011-3368.dpatch
new file mode 100755
index 00000000..3b2bf8ca
--- /dev/null
+++ b/debian/patches/089_CVE-2011-3368.dpatch
@@ -0,0 +1,54 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Upstream r1179525
+
+@DPATCH@
+commit d239e98144d468928fbd2d3f519bd9265d162932
+Author: Joe Orton <jorton@apache.org>
+Date: Thu Oct 6 07:39:13 2011 +0000
+
+ Merge r1179239 from trunk:
+
+ SECURITY (CVE-2011-3368): Prevent unintended pattern expansion in some
+ reverse proxy configurations by strictly validating the request-URI:
+
+ * server/protocol.c (read_request_line): Send a 400 response if the
+ request-URI does not match the grammar from RFC 2616. This ensures
+ the input string for RewriteRule et al really is an absolute path.
+
+ Reviewed by: jim, covener, rjung
+
+
+ git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1179525 13f79535-47bb-0310-9956-ffa450edef68
+
+diff --git a/server/protocol.c b/server/protocol.c
+index 55468fc..b45851a 100644
+--- a/server/protocol.c
++++ b/server/protocol.c
+@@ -640,6 +640,25 @@ static int read_request_line(request_rec *r, apr_bucket_brigade *bb)
+
+ ap_parse_uri(r, uri);
+
++ /* RFC 2616:
++ * Request-URI = "*" | absoluteURI | abs_path | authority
++ *
++ * authority is a special case for CONNECT. If the request is not
++ * using CONNECT, and the parsed URI does not have scheme, and
++ * it does not begin with '/', and it is not '*', then, fail
++ * and give a 400 response. */
++ if (r->method_number != M_CONNECT
++ && !r->parsed_uri.scheme
++ && uri[0] != '/'
++ && !(uri[0] == '*' && uri[1] == '\0')) {
++ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
++ "invalid request-URI %s", uri);
++ r->args = NULL;
++ r->hostname = NULL;
++ r->status = HTTP_BAD_REQUEST;
++ r->uri = apr_pstrdup(r->pool, uri);
++ }
++
+ if (ll[0]) {
+ r->assbackwards = 0;
+ pro = ll;
diff --git a/debian/patches/090_CVE-2011-4317.dpatch b/debian/patches/090_CVE-2011-4317.dpatch
new file mode 100755
index 00000000..18f69a2a
--- /dev/null
+++ b/debian/patches/090_CVE-2011-4317.dpatch
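Review bot: The new guard in read_request_line is bypassed whenever ap_parse_uri reports a scheme (`!r->parsed_uri.scheme`), so the comment block above it should say that scheme-bearing request-URIs are deliberately left to later checks rather than implying every non-'/' request-URI is rejected here; the `r->uri[0] != '/'` tests that mod_proxy and mod_rewrite gain in the 090 patch of this same commit are what catch those. Adding one line to the comment, e.g. `* URIs carrying a scheme are not rejected here; mod_proxy/mod_rewrite check that r->uri starts with '/'.`, would make that division of responsibility visible to the next reader. Note also that within this patch the block only records HTTP_BAD_REQUEST and falls through to the protocol parsing; the early `return 0;` that makes the caller act on it arrives in the 091 patch below, so the two patches are only correct together and 00list must keep them ordered as they are. read_request_line starts and ends outside the hunk.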
@@ -0,0 +1,70 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Upstream r1209432
+
+@DPATCH@
+commit 318b86756de2049f652561e1a66420b4a92d4a7e
+Author: Joe Orton <jorton@apache.org>
+Date: Fri Dec 2 12:04:20 2011 +0000
+
+ Fix for additional cases of URL rewriting with ProxyPassMatch or
+ RewriteRule, where particular request-URIs could result in undesired
+ backend network exposure in some configurations. (CVE-2011-4317)
+
+ Thanks to Prutha Parikh from Qualys for reporting this issue.
+
+ * modules/proxy/mod_proxy.c (proxy_trans): Decline to handle the "*"
+ request-URI. Fail for cases where r->uri does not begin with a "/".
+
+ * modules/mappers/mod_rewrite.c (hook_uri2file): Likewise.
+
+
+ git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1209432 13f79535-47bb-0310-9956-ffa450edef68
+
+diff --git a/modules/mappers/mod_rewrite.c b/modules/mappers/mod_rewrite.c
+index 470e01c..d29cb45 100644
+--- a/modules/mappers/mod_rewrite.c
++++ b/modules/mappers/mod_rewrite.c
+@@ -4419,6 +4419,18 @@ static int hook_uri2file(request_rec *r)
+ return DECLINED;
+ }
+
++ if (strcmp(r->unparsed_uri, "*") == 0) {
++ /* Don't apply rewrite rules to "*". */
++ return DECLINED;
++ }
++
++ /* Check that the URI is valid. */
++ if (!r->uri || r->uri[0] != '/') {
++ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
++ "Invalid URI in request %s", r->the_request);
++ return HTTP_BAD_REQUEST;
++ }
++
+ /*
+ * add the SCRIPT_URL variable to the env. this is a bit complicated
+ * due to the fact that apache uses subrequests and internal redirects
+diff --git a/modules/proxy/mod_proxy.c b/modules/proxy/mod_proxy.c
+index 35195f8..8e90c9e 100644
+--- a/modules/proxy/mod_proxy.c
++++ b/modules/proxy/mod_proxy.c
+@@ -655,6 +655,18 @@ static int proxy_trans(request_rec *r)
+ return OK;
+ }
+
++ if (strcmp(r->unparsed_uri, "*") == 0) {
++ /* "*" cannot be proxied. */
++ return DECLINED;
++ }
++
++ /* Check that the URI is valid. */
++ if (!r->uri || r->uri[0] != '/') {
++ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
++ "Invalid URI in request %s", r->the_request);
++ return HTTP_BAD_REQUEST;
++ }
++
+ /* XXX: since r->uri has been manipulated already we're not really
+ * compliant with RFC1945 at this point. But this probably isn't
+ * an issue because this is a hybrid proxy/origin server.
diff --git a/debian/patches/091_CVE-2011-3639.dpatch b/debian/patches/091_CVE-2011-3639.dpatch
new file mode 100755
index 00000000..83edd5bf
--- /dev/null
+++ b/debian/patches/091_CVE-2011-3639.dpatch
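Review bot: In both hook_uri2file and proxy_trans the new code hands `r->unparsed_uri` straight to strcmp while, a few lines later, it guards `r->uri` against NULL; the asymmetry reads as an oversight rather than a decision. If unparsed_uri is guaranteed non-NULL on every path that reaches a translate_name hook (subrequests and internal redirects included), a one-line comment stating that invariant would settle it; otherwise `if (r->unparsed_uri && strcmp(r->unparsed_uri, "*") == 0) {` is the safer form, in both files. Separately, the rejection logs `r->the_request` at APLOG_ERR, so any client can write to the error log at that level with a single malformed request line; the 091 patch in this same commit logs its comparable bad-request case at APLOG_INFO, and picking one level for both would keep the error log predictable. Both enclosing functions start and end outside the hunk.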
@@ -0,0 +1,45 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 091_CVE-2011-3639.dpatch by Stefan Fritsch <sf@debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: backport of upstream r1188745
+commit daadb710ab9c207e717a6cfdd5e9cf0ed3ba4f59
+Author: Ruediger Pluem <rpluem@apache.org>
+Date: Tue Oct 25 15:56:08 2011 +0000
+
+ * Correctly return a 400 (Bad request) in case of a HTTP/0.9 request like GET @example.org/foo
+
+ git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1188745 13f79535-47bb-0310-9956-ffa450edef68
+@DPATCH@
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' squeeze-apache2~/server/protocol.c squeeze-apache2/server/protocol.c
+--- squeeze-apache2~/server/protocol.c 2011-12-03 18:28:59.000000000 +0100
++++ squeeze-apache2/server/protocol.c 2011-12-03 18:33:23.331921967 +0100
+@@ -654,6 +654,7 @@
+ r->hostname = NULL;
+ r->status = HTTP_BAD_REQUEST;
+ r->uri = apr_pstrdup(r->pool, uri);
++ return 0;
+ }
+
+ if (ll[0]) {
+@@ -908,9 +909,17 @@
+
+ /* Get the request... */
+ if (!read_request_line(r, tmp_bb)) {
+- if (r->status == HTTP_REQUEST_URI_TOO_LARGE) {
+- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+- "request failed: URI too long (longer than %d)", r->server->limit_req_line);
++ if (r->status == HTTP_REQUEST_URI_TOO_LARGE
++ || r->status == HTTP_BAD_REQUEST) {
++ if (r->status == HTTP_REQUEST_URI_TOO_LARGE) {
++ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
++ "request failed: URI too long (longer than %d)",
++ r->server->limit_req_line);
++ }
++ else if (r->method == NULL) {
++ ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
++ "request failed: invalid characters in URI");
++ }
+ ap_send_error_response(r, 0);
+ ap_update_child_status(conn->sbh, SERVER_BUSY_LOG, r);
+ ap_run_log_transaction(r);
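Review bot: The new branch in ap_read_request handles HTTP_BAD_REQUEST with a non-NULL `r->method` silently, and nothing in the hunk says why, so a reader will assume a log line was forgotten. Presumably that case is the invalid-request-URI path in read_request_line, which already logs at APLOG_ERR before setting r->status (its tail is visible as context at the first hunk), so a comment on the `else if (r->method == NULL)` line such as `/* other HTTP_BAD_REQUEST cases were already logged by read_request_line */` would make the intent explicit — confirm that r->method is set before that path is reached. The early `return 0;` added at the first hunk skips the protocol-version parsing that follows it, which matches the existing early return for the too-long-URI case, so that looks consistent. Both enclosing functions extend beyond the hunk.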