Diffstat (limited to '')
-rw-r--r--debian/patches/0053-CVE-2023-25690-1.patch170
1 files changed, 170 insertions, 0 deletions
diff --git a/debian/patches/0053-CVE-2023-25690-1.patch b/debian/patches/0053-CVE-2023-25690-1.patch
new file mode 100644
index 0000000..a7370c7
--- /dev/null
+++ b/debian/patches/0053-CVE-2023-25690-1.patch
@@ -0,0 +1,170 @@
+From 8789f6bb926fa4c33b4231a8444340515c82bdff Mon Sep 17 00:00:00 2001
+From: Eric Covener <covener@apache.org>
+Date: Sun, 5 Mar 2023 20:28:43 +0000
+Subject: [PATCH] [1/2] Fix CVE-2023-25690: HTTP Request Smuggling in mod_proxy*
+
+ don't forward invalid query strings
+
+ Submitted by: rpluem
+
+Reviewed By: covener, fielding, rpluem, gbechis
+bug: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2023-25690
+bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1032476
+bug-debian-security: https://security-tracker.debian.org/tracker/CVE-2023-25690
+origin: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1908096 13f79535-47bb-0310-9956-ffa450edef68
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1908096 13f79535-47bb-0310-9956-ffa450edef68
+---
+ modules/http2/mod_proxy_http2.c | 10 ++++++++++
+ modules/mappers/mod_rewrite.c | 22 ++++++++++++++++++++++
+ modules/proxy/mod_proxy_ajp.c | 10 ++++++++++
+ modules/proxy/mod_proxy_balancer.c | 10 ++++++++++
+ modules/proxy/mod_proxy_http.c | 10 ++++++++++
+ modules/proxy/mod_proxy_wstunnel.c | 10 ++++++++++
+ 6 files changed, 72 insertions(+)
+
+diff --git a/modules/http2/mod_proxy_http2.c b/modules/http2/mod_proxy_http2.c
+index 3faf03472bb..aa299b937a5 100644
+--- a/modules/http2/mod_proxy_http2.c
++++ b/modules/http2/mod_proxy_http2.c
+@@ -158,6 +158,16 @@ static int proxy_http2_canon(request_rec *r, char *url)
+ path = ap_proxy_canonenc(r->pool, url, (int)strlen(url),
+ enc_path, 0, r->proxyreq);
+ search = r->args;
++ if (search && *(ap_scan_vchar_obstext(search))) {
++ /*
++ * We have a raw control character or a ' ' in r->args.
++ * Correct encoding was missed.
++ */
++ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO()
++ "To be forwarded query string contains control "
++ "characters or spaces");
++ return HTTP_FORBIDDEN;
++ }
+ }
+ break;
+ case PROXYREQ_PROXY:
+diff --git a/modules/mappers/mod_rewrite.c b/modules/mappers/mod_rewrite.c
+index 943996560e5..f6398f19386 100644
+--- a/modules/mappers/mod_rewrite.c
++++ b/modules/mappers/mod_rewrite.c
+@@ -4729,6 +4729,17 @@ static int hook_uri2file(request_rec *r)
+ unsigned skip;
+ apr_size_t flen;
+
++ if (r->args && *(ap_scan_vchar_obstext(r->args))) {
++ /*
++ * We have a raw control character or a ' ' in r->args.
++ * Correct encoding was missed.
++ */
++ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10410)
++ "Rewritten query string contains control "
++ "characters or spaces");
++ return HTTP_FORBIDDEN;
++ }
++
+ if (ACTION_STATUS == rulestatus) {
+ int n = r->status;
+
+@@ -5013,6 +5024,17 @@ static int hook_fixup(request_rec *r)
+ if (rulestatus) {
+ unsigned skip;
+
++ if (r->args && *(ap_scan_vchar_obstext(r->args))) {
++ /*
++ * We have a raw control character or a ' ' in r->args.
++ * Correct encoding was missed.
++ */
++ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10411)
++ "Rewritten query string contains control "
++ "characters or spaces");
++ return HTTP_FORBIDDEN;
++ }
++
+ if (ACTION_STATUS == rulestatus) {
+ int n = r->status;
+
+diff --git a/modules/proxy/mod_proxy_ajp.c b/modules/proxy/mod_proxy_ajp.c
+index 1449acad733..e46bd903a36 100644
+--- a/modules/proxy/mod_proxy_ajp.c
++++ b/modules/proxy/mod_proxy_ajp.c
+@@ -69,6 +69,16 @@ static int proxy_ajp_canon(request_rec *r, char *url)
+ path = ap_proxy_canonenc(r->pool, url, strlen(url), enc_path, 0,
+ r->proxyreq);
+ search = r->args;
++ if (search && *(ap_scan_vchar_obstext(search))) {
++ /*
++ * We have a raw control character or a ' ' in r->args.
++ * Correct encoding was missed.
++ */
++ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10406)
++ "To be forwarded query string contains control "
++ "characters or spaces");
++ return HTTP_FORBIDDEN;
++ }
+ }
+ if (path == NULL)
+ return HTTP_BAD_REQUEST;
+diff --git a/modules/proxy/mod_proxy_balancer.c b/modules/proxy/mod_proxy_balancer.c
+index f6fb6345ae3..7f990084336 100644
+--- a/modules/proxy/mod_proxy_balancer.c
++++ b/modules/proxy/mod_proxy_balancer.c
+@@ -106,6 +106,16 @@ static int proxy_balancer_canon(request_rec *r, char *url)
+ path = ap_proxy_canonenc(r->pool, url, strlen(url), enc_path, 0,
+ r->proxyreq);
+ search = r->args;
++ if (search && *(ap_scan_vchar_obstext(search))) {
++ /*
++ * We have a raw control character or a ' ' in r->args.
++ * Correct encoding was missed.
++ */
++ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10407)
++ "To be forwarded query string contains control "
++ "characters or spaces");
++ return HTTP_FORBIDDEN;
++ }
+ }
+ if (path == NULL)
+ return HTTP_BAD_REQUEST;
+diff --git a/modules/proxy/mod_proxy_http.c b/modules/proxy/mod_proxy_http.c
+index ec4e7fb06b5..51d19a0a21b 100644
+--- a/modules/proxy/mod_proxy_http.c
++++ b/modules/proxy/mod_proxy_http.c
+@@ -125,6 +125,16 @@ static int proxy_http_canon(request_rec *r, char *url)
+ path = ap_proxy_canonenc(r->pool, url, strlen(url),
+ enc_path, 0, r->proxyreq);
+ search = r->args;
++ if (search && *(ap_scan_vchar_obstext(search))) {
++ /*
++ * We have a raw control character or a ' ' in r->args.
++ * Correct encoding was missed.
++ */
++ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10408)
++ "To be forwarded query string contains control "
++ "characters or spaces");
++ return HTTP_FORBIDDEN;
++ }
+ }
+ break;
+ case PROXYREQ_PROXY:
+diff --git a/modules/proxy/mod_proxy_wstunnel.c b/modules/proxy/mod_proxy_wstunnel.c
+index bcbba42f9a4..88f86a49dbb 100644
+--- a/modules/proxy/mod_proxy_wstunnel.c
++++ b/modules/proxy/mod_proxy_wstunnel.c
+@@ -114,6 +114,16 @@ static int proxy_wstunnel_canon(request_rec *r, char *url)
+ path = ap_proxy_canonenc(r->pool, url, strlen(url), enc_path, 0,
+ r->proxyreq);
+ search = r->args;
++ if (search && *(ap_scan_vchar_obstext(search))) {
++ /*
++ * We have a raw control character or a ' ' in r->args.
++ * Correct encoding was missed.
++ */
++ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10409)
++ "To be forwarded query string contains control "
++ "characters or spaces");
++ return HTTP_FORBIDDEN;
++ }
+ }
+ if (path == NULL)
+ return HTTP_BAD_REQUEST;
+
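Review bot: The check added to modules/http2/mod_proxy_http2.c logs with an empty `APLOGNO()`, while the six sibling checks in this patch carry 10406–10411. The HTTP/2 proxy rejection is therefore logged without a unique AH id, and log searches or alert rules keyed on those ids will miss that path. Use the id upstream allocated for this message rather than inventing one locally, e.g. `ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(<id-from-upstream>)`. The subject marks this as [1/2], so it presumably does not close CVE-2023-25690 alone and should ship with its companion patch. The enclosing canon functions and rewrite hooks start and end outside the visible context, so which request types reach each check cannot be confirmed from here.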