authorStefan Fritsch <sf@debian.org>2011-12-03 17:14:38 +0000
committerStefan Fritsch <sf@sfritsch.de>2012-01-02 10:37:15 +0100
commitb120692f5cd830a753e55bb8baa5f51fe869c1d0 (patch)
treedae963dac74cebdc23fcd07e10d9d152523c96ac /debian
parent94765f73b72d25bd84406a2001afbc14a1b46140 (diff)
downloadapache2-b120692f5cd830a753e55bb8baa5f51fe869c1d0.tar.gz
Fix CVE-2011-4317
git-svn-id: svn+ssh://svn.debian.org/svn/pkg-apache/trunk/apache2@1372 01b336ce-410b-0410-9a02-a0e7f243c266
Diffstat (limited to 'debian')
-rw-r--r--debian/changelog3
-rw-r--r--debian/patches/00list1
-rw-r--r--debian/patches/084_CVE-2011-4317.dpatch70
3 files changed, 74 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
index cad57fad..67f42828 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,5 +1,8 @@
apache2 (2.2.21-3) UNRELEASED; urgency=low
+ * Fix CVE-2011-4317: Prevent unintended pattern expansion in some
+ reverse proxy configurations. (Similar to CVE-2011-3368, but different
+ attack vector.)
* Fix broken link in docs. Closes: #650528
* Remove Tollef Fog Heen, Thom May, and Peter Samuelson from uploaders.
Thanks for your work in the past.
diff --git a/debian/patches/00list b/debian/patches/00list
index 3748fd44..0681229f 100644
--- a/debian/patches/00list
+++ b/debian/patches/00list
@@ -23,6 +23,7 @@
079_polish_translation.dpatch
082_ab_num_requests
083_CVE-2011-3368.dpatch
+084_CVE-2011-4317.dpatch
099_config_guess_sub_update
200_cp_suexec.dpatch
201_build_suexec-custom.dpatch
diff --git a/debian/patches/084_CVE-2011-4317.dpatch b/debian/patches/084_CVE-2011-4317.dpatch
new file mode 100644
index 00000000..18f69a2a
--- /dev/null
+++ b/debian/patches/084_CVE-2011-4317.dpatch
@@ -0,0 +1,70 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Upstream r1209432
+
+@DPATCH@
+commit 318b86756de2049f652561e1a66420b4a92d4a7e
+Author: Joe Orton <jorton@apache.org>
+Date: Fri Dec 2 12:04:20 2011 +0000
+
+ Fix for additional cases of URL rewriting with ProxyPassMatch or
+ RewriteRule, where particular request-URIs could result in undesired
+ backend network exposure in some configurations. (CVE-2011-4317)
+
+ Thanks to Prutha Parikh from Qualys for reporting this issue.
+
+ * modules/proxy/mod_proxy.c (proxy_trans): Decline to handle the "*"
+ request-URI. Fail for cases where r->uri does not begin with a "/".
+
+ * modules/mappers/mod_rewrite.c (hook_uri2file): Likewise.
+
+
+ git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1209432 13f79535-47bb-0310-9956-ffa450edef68
+
+diff --git a/modules/mappers/mod_rewrite.c b/modules/mappers/mod_rewrite.c
+index 470e01c..d29cb45 100644
+--- a/modules/mappers/mod_rewrite.c
++++ b/modules/mappers/mod_rewrite.c
+@@ -4419,6 +4419,18 @@ static int hook_uri2file(request_rec *r)
+ return DECLINED;
+ }
+
++ if (strcmp(r->unparsed_uri, "*") == 0) {
++ /* Don't apply rewrite rules to "*". */
++ return DECLINED;
++ }
++
++ /* Check that the URI is valid. */
++ if (!r->uri || r->uri[0] != '/') {
++ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
++ "Invalid URI in request %s", r->the_request);
++ return HTTP_BAD_REQUEST;
++ }
++
+ /*
+ * add the SCRIPT_URL variable to the env. this is a bit complicated
+ * due to the fact that apache uses subrequests and internal redirects
+diff --git a/modules/proxy/mod_proxy.c b/modules/proxy/mod_proxy.c
+index 35195f8..8e90c9e 100644
+--- a/modules/proxy/mod_proxy.c
++++ b/modules/proxy/mod_proxy.c
+@@ -655,6 +655,18 @@ static int proxy_trans(request_rec *r)
+ return OK;
+ }
+
++ if (strcmp(r->unparsed_uri, "*") == 0) {
++ /* "*" cannot be proxied. */
++ return DECLINED;
++ }
++
++ /* Check that the URI is valid. */
++ if (!r->uri || r->uri[0] != '/') {
++ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
++ "Invalid URI in request %s", r->the_request);
++ return HTTP_BAD_REQUEST;
++ }
++
+ /* XXX: since r->uri has been manipulated already we're not really
+ * compliant with RFC1945 at this point. But this probably isn't
+ * an issue because this is a hybrid proxy/origin server.
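Review bot: The dpatch description at `## DP: Upstream r1209432` is the only line a packager reads when auditing 00list, and it names neither the CVE nor what the backport changes; since the file is otherwise a verbatim upstream commit, I would expand it rather than touch the embedded diff, e.g. `## DP: CVE-2011-4317: decline to handle the "*" request-URI and reject URIs not starting with "/" in mod_proxy (proxy_trans) and mod_rewrite (hook_uri2file), upstream r1209432`. The two added blocks are identical in both modules, which is acceptable for a security backport but worth noting so that any later local change is applied to both. The new `ap_log_rerror` calls emit `r->the_request` verbatim at APLOG_ERR, so the raw request line of a rejected request lands in the error log; that is consistent with upstream and useful for detection, but log reviewers should expect attacker-controlled strings there. Both `hook_uri2file` and `proxy_trans` begin and end outside the shown hunks, so whether earlier checks already exclude `r->proxyreq` requests before the `r->uri[0] != '/'` test cannot be confirmed from this page.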