登录 注册
开源 企业版 高校版 私有云 Gitee AI NEW
扫描微信二维码支付
取消
支付完成
Watch
不关注 关注所有动态 仅关注版本发行动态 关注但不提醒动态
1 Star 0 Fork 40

Jason011125 / httpd

forked from src-openEuler / httpd 
代码 Issues 0 Pull Requests 0 Wiki 统计 流水线
服务
加入 Gitee
与超过 1200万 开发者一起发现、参与优秀开源项目,私有仓库也完全免费 :)
免费加入
该仓库未声明开源许可证文件(LICENSE),使用请关注具体项目描述及其代码上游依赖。
项目仓库所选许可证以仓库主分支所使用许可证为准
克隆/下载
backport-CVE-2023-25690.patch 8.16 KB
一键复制 编辑 原始数据 按行查看 历史
pojunxing 提交于 2023-03-09 15:05 . fix CVE-2023-27522
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205
From d78a166fedd9d02c23e4b71d5f53bd9b2c4b9a51 Mon Sep 17 00:00:00 2001

From: covener <covener@apache.org>

Date: Mon, 6 Mar 2023 4:27:31 AM GMT+0800

Subject: [PATCH] don't forward invalid query strings



Conflict:NA

Reference:https://github.com/apache/httpd/commit/d78a166fedd9d02c23e4b71d5f53bd9b2c4b9a51



---

 modules/http2/mod_proxy_http2.c    | 14 ++++++++++++++

 modules/mappers/mod_rewrite.c      | 22 ++++++++++++++++++++++

 modules/proxy/mod_proxy_ajp.c      | 14 ++++++++++++++

 modules/proxy/mod_proxy_balancer.c | 14 ++++++++++++++

 modules/proxy/mod_proxy_http.c     | 14 ++++++++++++++

 modules/proxy/mod_proxy_wstunnel.c | 14 ++++++++++++++

 6 files changed, 92 insertions(+)



diff --git a/modules/http2/mod_proxy_http2.c b/modules/http2/mod_proxy_http2.c

index 3faf034..b316aa8 100644

--- a/modules/http2/mod_proxy_http2.c

+++ b/modules/http2/mod_proxy_http2.c

@@ -154,10 +154,24 @@ static int proxy_http2_canon(request_rec *r, char *url)

         if (apr_table_get(r->notes, "proxy-nocanon")) {

             path = url;   /* this is the raw path */

         }

+        else if (apr_table_get(r->notes, "proxy-noencode")) {

+            path = url;   /* this is the encoded path already */

+            search = r->args;

+        }

         else {

             path = ap_proxy_canonenc(r->pool, url, (int)strlen(url),

                                      enc_path, 0, r->proxyreq);

             search = r->args;

+            if (search && *(ap_scan_vchar_obstext(search))) {

+                /*

+                 * We have a raw control character or a ' ' in r->args.

+                 * Correct encoding was missed.

+                 */

+                ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO()

+                              "To be forwarded query string contains control "

+                              "characters or spaces");

+                return HTTP_FORBIDDEN;

+            }

         }

         break;

     case PROXYREQ_PROXY:

diff --git a/modules/mappers/mod_rewrite.c b/modules/mappers/mod_rewrite.c

index 9439965..f6398f1 100644

--- a/modules/mappers/mod_rewrite.c

+++ b/modules/mappers/mod_rewrite.c

@@ -4729,6 +4729,17 @@ static int hook_uri2file(request_rec *r)

         unsigned skip;

         apr_size_t flen;

 

+        if (r->args && *(ap_scan_vchar_obstext(r->args))) {

+            /*

+             * We have a raw control character or a ' ' in r->args.

+             * Correct encoding was missed.

+             */

+            ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10410)

+                          "Rewritten query string contains control "

+                          "characters or spaces");

+            return HTTP_FORBIDDEN;

+        }

+

         if (ACTION_STATUS == rulestatus) {

             int n = r->status;

 

@@ -5013,6 +5024,17 @@ static int hook_fixup(request_rec *r)

     if (rulestatus) {

         unsigned skip;

 

+        if (r->args && *(ap_scan_vchar_obstext(r->args))) {

+            /*

+             * We have a raw control character or a ' ' in r->args.

+             * Correct encoding was missed.

+             */

+            ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10411)

+                          "Rewritten query string contains control "

+                          "characters or spaces");

+            return HTTP_FORBIDDEN;

+        }

+

         if (ACTION_STATUS == rulestatus) {

             int n = r->status;

 

diff --git a/modules/proxy/mod_proxy_ajp.c b/modules/proxy/mod_proxy_ajp.c

index 1449aca..aa3441a 100644

--- a/modules/proxy/mod_proxy_ajp.c

+++ b/modules/proxy/mod_proxy_ajp.c

@@ -65,10 +65,24 @@ static int proxy_ajp_canon(request_rec *r, char *url)

     if (apr_table_get(r->notes, "proxy-nocanon")) {

         path = url;   /* this is the raw path */

     }

+    else if (apr_table_get(r->notes, "proxy-noencode")) {

+        path = url;   /* this is the encoded path already */

+        search = r->args;

+    }

     else {

         path = ap_proxy_canonenc(r->pool, url, strlen(url), enc_path, 0,

                                  r->proxyreq);

         search = r->args;

+        if (search && *(ap_scan_vchar_obstext(search))) {

+            /*

+             * We have a raw control character or a ' ' in r->args.

+             * Correct encoding was missed.

+             */

+             ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10406)

+                           "To be forwarded query string contains control "

+                           "characters or spaces");

+             return HTTP_FORBIDDEN;

+        }

     }

     if (path == NULL)

         return HTTP_BAD_REQUEST;

diff --git a/modules/proxy/mod_proxy_balancer.c b/modules/proxy/mod_proxy_balancer.c

index f6fb634..de5ac8a 100644

--- a/modules/proxy/mod_proxy_balancer.c

+++ b/modules/proxy/mod_proxy_balancer.c

@@ -102,10 +102,24 @@ static int proxy_balancer_canon(request_rec *r, char *url)

     if (apr_table_get(r->notes, "proxy-nocanon")) {

         path = url;   /* this is the raw path */

     }

+    else if (apr_table_get(r->notes, "proxy-noencode")) {

+        path = url;   /* this is the encoded path already */

+        search = r->args;

+    }

     else {

         path = ap_proxy_canonenc(r->pool, url, strlen(url), enc_path, 0,

                                  r->proxyreq);

         search = r->args;

+        if (search && *(ap_scan_vchar_obstext(search))) {

+            /*

+             * We have a raw control character or a ' ' in r->args.

+             * Correct encoding was missed.

+             */

+             ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10407)

+                           "To be forwarded query string contains control "

+                           "characters or spaces");

+             return HTTP_FORBIDDEN;

+        }

     }

     if (path == NULL)

         return HTTP_BAD_REQUEST;

diff --git a/modules/proxy/mod_proxy_http.c b/modules/proxy/mod_proxy_http.c

index ec4e7fb..85f16f2 100644

--- a/modules/proxy/mod_proxy_http.c

+++ b/modules/proxy/mod_proxy_http.c

@@ -121,10 +121,24 @@ static int proxy_http_canon(request_rec *r, char *url)

         if (apr_table_get(r->notes, "proxy-nocanon")) {

             path = url;   /* this is the raw path */

         }

+        else if (apr_table_get(r->notes, "proxy-noencode")) {

+            path = url;   /* this is the encoded path already */

+            search = r->args;

+        }

         else {

             path = ap_proxy_canonenc(r->pool, url, strlen(url),

                                      enc_path, 0, r->proxyreq);

             search = r->args;

+            if (search && *(ap_scan_vchar_obstext(search))) {

+                /*

+                 * We have a raw control character or a ' ' in r->args.

+                 * Correct encoding was missed.

+                 */

+                ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10408)

+                              "To be forwarded query string contains control "

+                              "characters or spaces");

+                return HTTP_FORBIDDEN;

+            }

         }

         break;

     case PROXYREQ_PROXY:

diff --git a/modules/proxy/mod_proxy_wstunnel.c b/modules/proxy/mod_proxy_wstunnel.c

index bcbba42..16502e2 100644

--- a/modules/proxy/mod_proxy_wstunnel.c

+++ b/modules/proxy/mod_proxy_wstunnel.c

@@ -110,10 +110,24 @@ static int proxy_wstunnel_canon(request_rec *r, char *url)

     if (apr_table_get(r->notes, "proxy-nocanon")) {

         path = url;   /* this is the raw path */

     }

+    else if (apr_table_get(r->notes, "proxy-noencode")) {

+        path = url;   /* this is the encoded path already */

+        search = r->args;

+    }

     else {

         path = ap_proxy_canonenc(r->pool, url, strlen(url), enc_path, 0,

                                  r->proxyreq);

         search = r->args;

+        if (search && *(ap_scan_vchar_obstext(search))) {

+            /*

+             * We have a raw control character or a ' ' in r->args.

+             * Correct encoding was missed.

+             */

+            ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10409)

+                          "To be forwarded query string contains control "

+                          "characters or spaces");

+            return HTTP_FORBIDDEN;

+        }

     }

     if (path == NULL)

         return HTTP_BAD_REQUEST;

-- 

2.27.0
1
https://gitee.com/Jason_828e/httpd.git
git@gitee.com:Jason_828e/httpd.git
Jason_828e
httpd
httpd
master
点此查找更多帮助

搜索帮助

Git 命令在线学习 如何在 Gitee 导入 GitHub 仓库
Git 仓库基础操作
企业版和社区版功能对比
SSH 公钥设置
如何处理代码冲突
仓库体积过大,如何减小?
如何找回被删除的仓库数据
Gitee 产品配额说明
GitHub仓库快速导入Gitee及同步更新
什么是 Release(发行版)
将 PHP 项目自动发布到 packagist.org
仓库举报
回到顶部