authorArno Töll <arno@debian.org>2012-10-20 02:58:14 +0200
committerArno Töll <arno@debian.org>2012-10-20 02:58:14 +0200
commit5c4fba3ffbe778bdffe10a93d04821579601a020 (patch)
tree91be9a7f99d3988ba48b0a619479aa46a3234191 /modules/proxy/proxy_util.c
parent8f9c15530d0bc387af114619b3ff3f930eb23d3c (diff)
Imported Upstream version 2.4.3upstream/2.4.3
Diffstat (limited to 'modules/proxy/proxy_util.c')
-rw-r--r--modules/proxy/proxy_util.c66
1 files changed, 41 insertions, 25 deletions
diff --git a/modules/proxy/proxy_util.c b/modules/proxy/proxy_util.c
index fe2ac43e..4aaaf9bc 100644
--- a/modules/proxy/proxy_util.c
+++ b/modules/proxy/proxy_util.c
@@ -373,7 +373,7 @@ PROXY_DECLARE(int) ap_proxyerror(request_rec *r, int statuscode, const char *mes
NULL));
/* Allow "error-notes" string to be printed by ap_send_error_response() */
- apr_table_setn(r->notes, "verbose-error-to", apr_pstrdup(r->pool, "*"));
+ apr_table_setn(r->notes, "verbose-error-to", "*");
r->status_line = apr_psprintf(r->pool, "%3.3u Proxy Error", statuscode);
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(00898) "%s returned by %s", message,
@@ -759,48 +759,63 @@ static int proxy_match_word(struct dirconn_entry *This, request_rec *r)
return host != NULL && ap_strstr_c(host, This->name) != NULL;
}
-/* checks whether a host in uri_addr matches proxyblock */
+/* Backwards-compatible interface. */
PROXY_DECLARE(int) ap_proxy_checkproxyblock(request_rec *r, proxy_server_conf *conf,
apr_sockaddr_t *uri_addr)
{
+ return ap_proxy_checkproxyblock2(r, conf, uri_addr->hostname, uri_addr);
+}
+
+#define MAX_IP_STR_LEN (46)
+
+PROXY_DECLARE(int) ap_proxy_checkproxyblock2(request_rec *r, proxy_server_conf *conf,
+ const char *hostname, apr_sockaddr_t *addr)
+{
int j;
- apr_sockaddr_t * src_uri_addr = uri_addr;
+
/* XXX FIXME: conf->noproxies->elts is part of an opaque structure */
for (j = 0; j < conf->noproxies->nelts; j++) {
struct noproxy_entry *npent = (struct noproxy_entry *) conf->noproxies->elts;
- struct apr_sockaddr_t *conf_addr = npent[j].addr;
- uri_addr = src_uri_addr;
+ struct apr_sockaddr_t *conf_addr;
+
ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r,
"checking remote machine [%s] against [%s]",
- uri_addr->hostname, npent[j].name);
- if (ap_strstr_c(uri_addr->hostname, npent[j].name)
- || npent[j].name[0] == '*') {
+ hostname, npent[j].name);
+ if (ap_strstr_c(hostname, npent[j].name) || npent[j].name[0] == '*') {
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(00916)
"connect to remote machine %s blocked: name %s "
- "matched", uri_addr->hostname, npent[j].name);
+ "matched", hostname, npent[j].name);
return HTTP_FORBIDDEN;
}
- while (conf_addr) {
- uri_addr = src_uri_addr;
- while (uri_addr) {
- char *conf_ip;
- char *uri_ip;
- apr_sockaddr_ip_get(&conf_ip, conf_addr);
- apr_sockaddr_ip_get(&uri_ip, uri_addr);
+
+ /* No IP address checks if no IP address was passed in,
+ * i.e. the forward address proxy case, where this server does
+ * not resolve the hostname. */
+ if (!addr)
+ continue;
+
+ for (conf_addr = npent[j].addr; conf_addr; conf_addr = conf_addr->next) {
+ char caddr[MAX_IP_STR_LEN], uaddr[MAX_IP_STR_LEN];
+ apr_sockaddr_t *uri_addr;
+
+ if (apr_sockaddr_ip_getbuf(caddr, sizeof caddr, conf_addr))
+ continue;
+
+ for (uri_addr = addr; uri_addr; uri_addr = uri_addr->next) {
+ if (apr_sockaddr_ip_getbuf(uaddr, sizeof uaddr, uri_addr))
+ continue;
ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r,
- "ProxyBlock comparing %s and %s", conf_ip,
- uri_ip);
- if (!apr_strnatcasecmp(conf_ip, uri_ip)) {
+ "ProxyBlock comparing %s and %s", caddr, uaddr);
+ if (!strcmp(caddr, uaddr)) {
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(00917)
- "connect to remote machine %s blocked: "
- "IP %s matched", uri_addr->hostname, conf_ip);
+ "connect to remote machine %s blocked: "
+ "IP %s matched", hostname, caddr);
return HTTP_FORBIDDEN;
}
- uri_addr = uri_addr->next;
}
- conf_addr = conf_addr->next;
}
}
+
return OK;
}
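Review bot: Both `apr_sockaddr_ip_getbuf` failure paths in ap_proxy_checkproxyblock2 (`if (apr_sockaddr_ip_getbuf(caddr, sizeof caddr, conf_addr)) continue;` and the matching one for `uaddr`) skip the comparison silently, so an address that cannot be rendered into the 46-byte buffer is never matched and the ProxyBlock check fails open for it. For a deny rule I would at least log the skipped entry, e.g. `ap_log_rerror(APLOG_MARK, APLOG_WARNING, rv, r, "ProxyBlock: cannot format address for %s, IP check skipped", npent[j].name);` with `rv` holding the returned status. The new public function also has no header comment; it should state that it returns HTTP_FORBIDDEN on a substring match of `hostname` against a configured name (or a name starting with `*`) or on a textual IP match, and that a NULL `addr` disables the IP comparison entirely.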
@@ -852,7 +867,7 @@ PROXY_DECLARE(const char *) ap_proxy_location_reverse_map(request_rec *r,
(balancer = ap_proxy_get_balancer(r->pool, sconf, real, 1))) {
int n, l3 = 0;
proxy_worker **worker = (proxy_worker **)balancer->workers->elts;
- const char *urlpart = ap_strchr_c(real, '/');
+ const char *urlpart = ap_strchr_c(real + sizeof(BALANCER_PREFIX) - 1, '/');
if (urlpart) {
if (!urlpart[1])
urlpart = NULL;
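Review bot: `real + sizeof(BALANCER_PREFIX) - 1` is only safe if `real` is known to begin with BALANCER_PREFIX, and the part of the `if` condition that would establish this starts above the hunk, so it cannot be confirmed from here. If the only guard is the successful `ap_proxy_get_balancer()` lookup shown on the first context line, a shorter `real` would put the search start past the string's terminator. A comment on the new line would record the dependency, e.g. `/* real starts with BALANCER_PREFIX (checked above); skip it so '/' is the path separator, not part of "://" */`. The enclosing function ap_proxy_location_reverse_map begins and ends outside the hunk.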
@@ -2128,7 +2143,8 @@ ap_proxy_determine_connection(apr_pool_t *p, request_rec *r,
}
}
/* check if ProxyBlock directive on this host */
- if (OK != ap_proxy_checkproxyblock(r, conf, conn->addr)) {
+ if (OK != ap_proxy_checkproxyblock2(r, conf, uri->hostname,
+ proxyname ? NULL : conn->addr)) {
return ap_proxyerror(r, HTTP_FORBIDDEN,
"Connect to remote machine blocked");
}