diff options
Diffstat (limited to 'debian/patches/CVE-2019-0220-1.patch')
| -rw-r--r-- | debian/patches/CVE-2019-0220-1.patch | 278 |
1 files changed, 278 insertions, 0 deletions
diff --git a/debian/patches/CVE-2019-0220-1.patch b/debian/patches/CVE-2019-0220-1.patch new file mode 100644 index 0000000..021c369 --- /dev/null +++ b/debian/patches/CVE-2019-0220-1.patch @@ -0,0 +1,278 @@ +From 9bc1917a27a2323e535aadb081e38172ae0e3fc2 Mon Sep 17 00:00:00 2001 +From: Stefan Eissing <icing@apache.org> +Date: Mon, 18 Mar 2019 08:49:59 +0000 +Subject: [PATCH] Merge of r1855705 from trunk: + +core: merge consecutive slashes in the path + + + +git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1855737 13f79535-47bb-0310-9956-ffa450edef68 +--- + CHANGES | 4 ++++ + docs/manual/mod/core.xml | 26 ++++++++++++++++++++++++++ + include/ap_mmn.h | 4 +++- + include/http_core.h | 2 +- + include/httpd.h | 14 ++++++++++++-- + server/core.c | 13 +++++++++++++ + server/request.c | 25 +++++++++---------------- + server/util.c | 10 +++++++--- + 8 files changed, 75 insertions(+), 23 deletions(-) + +#diff --git a/CHANGES b/CHANGES +#index e3e8a98db24..9dd7045c232 100644 +#--- a/CHANGES +#+++ b/CHANGES +#@@ -1,6 +1,10 @@ +# -*- coding: utf-8 -*- +# Changes with Apache 2.4.39 +# +#+ *) core: new configuration option 'MergeSlashes on|off' that controls handling of +#+ multiple, consecutive slash ('/') characters in the path component of the request URL. +#+ [Eric Covener] +#+ +# *) mod_http2: when SSL renegotiation is inhibited and a 403 ErrorDocument is +# in play, the proper HTTP/2 stream reset did not trigger with H2_ERR_HTTP_1_1_REQUIRED. +# Fixed. [Michael Kaufmann] +#diff --git a/docs/manual/mod/core.xml b/docs/manual/mod/core.xml +#index fc664116727..460b4367621 100644 +#--- a/docs/manual/mod/core.xml +#+++ b/docs/manual/mod/core.xml +#@@ -5138,4 +5138,30 @@ recognized methods to modules.</p> +# <seealso><directive module="mod_allowmethods">AllowMethods</directive></seealso> +# </directivesynopsis> +# +#+<directivesynopsis> +#+<name>MergeSlashes</name> +#+<description>Controls whether the server merges consecutive slashes in URLs. +#+</description> +#+<syntax>MergeSlashes ON|OFF</syntax> +#+<default>MergeSlashes ON</default> +#+<contextlist><context>server config</context><context>virtual host</context> +#+</contextlist> +#+<compatibility>Added in 2.5.1</compatibility> +#+ +#+<usage> +#+ <p>By default, the server merges (or collapses) multiple consecutive slash +#+ ('/') characters in the path component of the request URL.</p> +#+ +#+ <p>When mapping URL's to the filesystem, these multiple slashes are not +#+ significant. However, URL's handled other ways, such as by CGI or proxy, +#+ might prefer to retain the significance of multiple consecutive slashes. +#+ In these cases <directive>MergeSlashes</directive> can be set to +#+ <em>OFF</em> to retain the multiple consecutive slashes. In these +#+ configurations, regular expressions used in the configuration file that match +#+ the path component of the URL (<directive>LocationMatch</directive>, +#+ <directive>RewriteRule</directive>, ...) need to take into account multiple +#+ consecutive slashes.</p> +#+</usage> +#+</directivesynopsis> +#+ +# </modulesynopsis> +diff --git a/include/ap_mmn.h b/include/ap_mmn.h +index 2167baa0325..4739f7f64d3 100644 +--- a/include/ap_mmn.h ++++ b/include/ap_mmn.h +@@ -523,6 +523,8 @@ + * 20120211.82 (2.4.35-dev) Add optional function declaration for + * ap_proxy_balancer_get_best_worker to mod_proxy.h. + * 20120211.83 (2.4.35-dev) Add client64 field to worker_score struct ++ * 20120211.84 (2.4.35-dev) Add ap_no2slash_ex() and merge_slashes to ++ * core_server_conf. + * + */ + +@@ -531,7 +533,7 @@ + #ifndef MODULE_MAGIC_NUMBER_MAJOR + #define MODULE_MAGIC_NUMBER_MAJOR 20120211 + #endif +-#define MODULE_MAGIC_NUMBER_MINOR 83 /* 0...n */ ++#define MODULE_MAGIC_NUMBER_MINOR 84 /* 0...n */ + + /** + * Determine if the server's current MODULE_MAGIC_NUMBER is at least a +diff --git a/include/http_core.h b/include/http_core.h +index 35df5dc9601..8e109882244 100644 +--- a/include/http_core.h ++++ b/include/http_core.h +@@ -740,7 +740,7 @@ typedef struct { + #define AP_HTTP_METHODS_LENIENT 1 + #define AP_HTTP_METHODS_REGISTERED 2 + char http_methods; +- ++ unsigned int merge_slashes; + } core_server_config; + + /* for AddOutputFiltersByType in core.c */ +diff --git a/include/httpd.h b/include/httpd.h +index 65392f83546..99f7f041aea 100644 +--- a/include/httpd.h ++++ b/include/httpd.h +@@ -1697,11 +1697,21 @@ AP_DECLARE(int) ap_unescape_url_keep2f(char *url, int decode_slashes); + AP_DECLARE(int) ap_unescape_urlencoded(char *query); + + /** +- * Convert all double slashes to single slashes +- * @param name The string to convert ++ * Convert all double slashes to single slashes, except where significant ++ * to the filesystem on the current platform. ++ * @param name The string to convert, assumed to be a filesystem path + */ + AP_DECLARE(void) ap_no2slash(char *name); + ++/** ++ * Convert all double slashes to single slashes, except where significant ++ * to the filesystem on the current platform. ++ * @param name The string to convert ++ * @param is_fs_path if set to 0, the significance of any double-slashes is ++ * ignored. ++ */ ++AP_DECLARE(void) ap_no2slash_ex(char *name, int is_fs_path); ++ + /** + * Remove all ./ and xx/../ substrings from a file name. Also remove + * any leading ../ or /../ substrings. +diff --git a/server/core.c b/server/core.c +index e2a91c7a0c6..eacb54fecec 100644 +--- a/server/core.c ++++ b/server/core.c +@@ -490,6 +490,7 @@ static void *create_core_server_config(apr_pool_t *a, server_rec *s) + + conf->protocols = apr_array_make(a, 5, sizeof(const char *)); + conf->protocols_honor_order = -1; ++ conf->merge_slashes = AP_CORE_CONFIG_UNSET; + + return (void *)conf; + } +@@ -555,6 +556,7 @@ static void *merge_core_server_configs(apr_pool_t *p, void *basev, void *virtv) + conf->protocols_honor_order = ((virt->protocols_honor_order < 0)? + base->protocols_honor_order : + virt->protocols_honor_order); ++ AP_CORE_MERGE_FLAG(merge_slashes, conf, base, virt); + + return conf; + } +@@ -1863,6 +1865,13 @@ static const char *set_qualify_redirect_url(cmd_parms *cmd, void *d_, int flag) + return NULL; + } + ++static const char *set_core_server_flag(cmd_parms *cmd, void *s_, int flag) ++{ ++ core_server_config *conf = ++ ap_get_core_module_config(cmd->server->module_config); ++ return ap_set_flag_slot(cmd, conf, flag); ++} ++ + static const char *set_override_list(cmd_parms *cmd, void *d_, int argc, char *const argv[]) + { + core_dir_config *d = d_; +@@ -4562,6 +4571,10 @@ AP_INIT_ITERATE("HttpProtocolOptions", set_http_protocol_options, NULL, RSRC_CON + "'Unsafe' or 'Strict' (default). Sets HTTP acceptance rules"), + AP_INIT_ITERATE("RegisterHttpMethod", set_http_method, NULL, RSRC_CONF, + "Registers non-standard HTTP methods"), ++AP_INIT_FLAG("MergeSlashes", set_core_server_flag, ++ (void *)APR_OFFSETOF(core_server_config, merge_slashes), ++ RSRC_CONF, ++ "Controls whether consecutive slashes in the URI path are merged"), + { NULL } + }; + +diff --git a/server/request.c b/server/request.c +index dbe3e07f150..1ce8908824b 100644 +--- a/server/request.c ++++ b/server/request.c +@@ -167,6 +167,8 @@ AP_DECLARE(int) ap_process_request_internal(request_rec *r) + int file_req = (r->main && r->filename); + int access_status; + core_dir_config *d; ++ core_server_config *sconf = ++ ap_get_core_module_config(r->server->module_config); + + /* Ignore embedded %2F's in path for proxy requests */ + if (!r->proxyreq && r->parsed_uri.path) { +@@ -191,6 +193,10 @@ AP_DECLARE(int) ap_process_request_internal(request_rec *r) + } + + ap_getparents(r->uri); /* OK --- shrinking transformations... */ ++ if (sconf->merge_slashes != AP_CORE_CONFIG_OFF) { ++ ap_no2slash(r->uri); ++ ap_no2slash(r->parsed_uri.path); ++ } + + /* All file subrequests are a huge pain... they cannot bubble through the + * next several steps. Only file subrequests are allowed an empty uri, +@@ -1411,20 +1417,7 @@ AP_DECLARE(int) ap_location_walk(request_rec *r) + + cache = prep_walk_cache(AP_NOTE_LOCATION_WALK, r); + cached = (cache->cached != NULL); +- +- /* Location and LocationMatch differ on their behaviour w.r.t. multiple +- * slashes. Location matches multiple slashes with a single slash, +- * LocationMatch doesn't. An exception, for backwards brokenness is +- * absoluteURIs... in which case neither match multiple slashes. +- */ +- if (r->uri[0] != '/') { +- entry_uri = r->uri; +- } +- else { +- char *uri = apr_pstrdup(r->pool, r->uri); +- ap_no2slash(uri); +- entry_uri = uri; +- } ++ entry_uri = r->uri; + + /* If we have an cache->cached location that matches r->uri, + * and the vhost's list of locations hasn't changed, we can skip +@@ -1491,7 +1484,7 @@ AP_DECLARE(int) ap_location_walk(request_rec *r) + pmatch = apr_palloc(rxpool, nmatch*sizeof(ap_regmatch_t)); + } + +- if (ap_regexec(entry_core->r, r->uri, nmatch, pmatch, 0)) { ++ if (ap_regexec(entry_core->r, entry_uri, nmatch, pmatch, 0)) { + continue; + } + +@@ -1501,7 +1494,7 @@ AP_DECLARE(int) ap_location_walk(request_rec *r) + apr_table_setn(r->subprocess_env, + ((const char **)entry_core->refs->elts)[i], + apr_pstrndup(r->pool, +- r->uri + pmatch[i].rm_so, ++ entry_uri + pmatch[i].rm_so, + pmatch[i].rm_eo - pmatch[i].rm_so)); + } + } +diff --git a/server/util.c b/server/util.c +index fd7a0a14763..607c4850d86 100644 +--- a/server/util.c ++++ b/server/util.c +@@ -561,16 +561,16 @@ AP_DECLARE(void) ap_getparents(char *name) + name[l] = '\0'; + } + } +- +-AP_DECLARE(void) ap_no2slash(char *name) ++AP_DECLARE(void) ap_no2slash_ex(char *name, int is_fs_path) + { ++ + char *d, *s; + + s = d = name; + + #ifdef HAVE_UNC_PATHS + /* Check for UNC names. Leave leading two slashes. */ +- if (s[0] == '/' && s[1] == '/') ++ if (is_fs_path && s[0] == '/' && s[1] == '/') + *d++ = *s++; + #endif + +@@ -587,6 +587,10 @@ AP_DECLARE(void) ap_no2slash(char *name) + *d = '\0'; + } + ++AP_DECLARE(void) ap_no2slash(char *name) ++{ ++ ap_no2slash_ex(name, 1); ++} + + /* + * copy at most n leading directories of s into d |