Diffstat (limited to '')
-rw-r--r-- | debian/patches/CVE-2019-10092.patch | 193 |
1 files changed, 0 insertions, 193 deletions
diff --git a/debian/patches/CVE-2019-10092.patch b/debian/patches/CVE-2019-10092.patch
deleted file mode 100644
index eb3352c..0000000
--- a/debian/patches/CVE-2019-10092.patch
+++ /dev/null
@@ -1,193 +0,0 @@
-Description: Fix for CVE-2019-10092
-Author: Stefan Eissing
-Origin: upstream, https://svn.apache.org/viewvc?view=revision&revision=1864191
-Bug: https://security-tracker.debian.org/tracker/CVE-2019-10092
-Forwarded: not-needed
-Reviewed-By: Xavier Guimard <yadd@debian.org>
-Last-Update: 2019-10-11
-[Salvatore Bonaccorso: Add additional change from https://svn.apache.org/r1864699
-to add missing APLOGNO's in mod_proxy.c and mod_proxy_ftp.c]
---- a/modules/http/http_protocol.c
-+++ b/modules/http/http_protocol.c
-@@ -1132,13 +1132,10 @@
- "\">here</a>.</p>\n",
- NULL));
- case HTTP_USE_PROXY:
-- return(apr_pstrcat(p,
-- "<p>This resource is only accessible "
-- "through the proxy\n",
-- ap_escape_html(r->pool, location),
-- "<br />\nYou will need to configure "
-- "your client to use that proxy.</p>\n",
-- NULL));
-+ return("<p>This resource is only accessible "
-+ "through the proxy\n"
-+ "<br />\nYou will need to configure "
-+ "your client to use that proxy.</p>\n");
- case HTTP_PROXY_AUTHENTICATION_REQUIRED:
- case HTTP_UNAUTHORIZED:
- return("<p>This server could not verify that you\n"
-@@ -1154,34 +1151,20 @@
- "error-notes",
- "</p>\n"));
- case HTTP_FORBIDDEN:
-- s1 = apr_pstrcat(p,
-- "<p>You don't have permission to access ",
-- ap_escape_html(r->pool, r->uri),
-- "\non this server.<br />\n",
-- NULL);
-- return(add_optional_notes(r, s1, "error-notes", "</p>\n"));
-+ return(add_optional_notes(r, "<p>You don't have permission to access this resource.", "error-notes", "</p>\n"));
- case HTTP_NOT_FOUND:
-- return(apr_pstrcat(p,
-- "<p>The requested URL ",
-- ap_escape_html(r->pool, r->uri),
-- " was not found on this server.</p>\n",
-- NULL));
-+ return("<p>The requested URL was not found on this server.</p>\n");
- case HTTP_METHOD_NOT_ALLOWED:
- return(apr_pstrcat(p,
- "<p>The requested method ",
- ap_escape_html(r->pool, r->method),
-- " is not allowed for the URL ",
-- ap_escape_html(r->pool, r->uri),
-- ".</p>\n",
-+ " is not allowed for this URL.</p>\n",
- NULL));
- case HTTP_NOT_ACCEPTABLE:
-- s1 = apr_pstrcat(p,
-- "<p>An appropriate representation of the "
-- "requested resource ",
-- ap_escape_html(r->pool, r->uri),
-- " could not be found on this server.</p>\n",
-- NULL);
-- return(add_optional_notes(r, s1, "variant-list", ""));
-+ return(add_optional_notes(r,
-+ "<p>An appropriate representation of the requested resource "
-+ "could not be found on this server.</p>\n",
-+ "variant-list", ""));
- case HTTP_MULTIPLE_CHOICES:
- return(add_optional_notes(r, "", "variant-list", ""));
- case HTTP_LENGTH_REQUIRED:
-@@ -1192,18 +1175,13 @@
- NULL);
- return(add_optional_notes(r, s1, "error-notes", "</p>\n"));
- case HTTP_PRECONDITION_FAILED:
-- return(apr_pstrcat(p,
-- "<p>The precondition on the request "
-- "for the URL ",
-- ap_escape_html(r->pool, r->uri),
-- " evaluated to false.</p>\n",
-- NULL));
-+ return("<p>The precondition on the request "
-+ "for this URL evaluated to false.</p>\n");
- case HTTP_NOT_IMPLEMENTED:
- s1 = apr_pstrcat(p,
- "<p>",
-- ap_escape_html(r->pool, r->method), " to ",
-- ap_escape_html(r->pool, r->uri),
-- " not supported.<br />\n",
-+ ap_escape_html(r->pool, r->method), " ",
-+ " not supported for current URL.<br />\n",
- NULL);
- return(add_optional_notes(r, s1, "error-notes", "</p>\n"));
- case HTTP_BAD_GATEWAY:
-@@ -1211,29 +1189,19 @@
- "response from an upstream server.<br />" CRLF;
- return(add_optional_notes(r, s1, "error-notes", "</p>\n"));
- case HTTP_VARIANT_ALSO_VARIES:
-- return(apr_pstrcat(p,
-- "<p>A variant for the requested "
-- "resource\n<pre>\n",
-- ap_escape_html(r->pool, r->uri),
-- "\n</pre>\nis itself a negotiable resource. "
-- "This indicates a configuration error.</p>\n",
-- NULL));
-+ return("<p>A variant for the requested "
-+ "resource\n<pre>\n"
-+ "\n</pre>\nis itself a negotiable resource. "
-+ "This indicates a configuration error.</p>\n");
- case HTTP_REQUEST_TIME_OUT:
- return("<p>Server timeout waiting for the HTTP request from the client.</p>\n");
- case HTTP_GONE:
-- return(apr_pstrcat(p,
-- "<p>The requested resource<br />",
-- ap_escape_html(r->pool, r->uri),
-- "<br />\nis no longer available on this server "
-- "and there is no forwarding address.\n"
-- "Please remove all references to this "
-- "resource.</p>\n",
-- NULL));
-+ return("<p>The requested resource is no longer available on this server"
-+ " and there is no forwarding address.\n"
-+ "Please remove all references to this resource.</p>\n");
- case HTTP_REQUEST_ENTITY_TOO_LARGE:
- return(apr_pstrcat(p,
-- "The requested resource<br />",
-- ap_escape_html(r->pool, r->uri), "<br />\n",
-- "does not allow request data with ",
-+ "The requested resource does not allow request data with ",
- ap_escape_html(r->pool, r->method),
- " requests, or the amount of data provided in\n"
- "the request exceeds the capacity limit.\n",
-@@ -1317,11 +1285,9 @@
- "the Server Name Indication (SNI) in use for this\n"
- "connection.</p>\n");
- case HTTP_UNAVAILABLE_FOR_LEGAL_REASONS:
-- s1 = apr_pstrcat(p,
-- "<p>Access to ", ap_escape_html(r->pool, r->uri),
-- "\nhas been denied for legal reasons.<br />\n",
-- NULL);
-- return(add_optional_notes(r, s1, "error-notes", "</p>\n"));
-+ return(add_optional_notes(r,
-+ "<p>Access to this URL has been denied for legal reasons.<br />\n",
-+ "error-notes", "</p>\n"));
- default: /* HTTP_INTERNAL_SERVER_ERROR */
- /*
- * This comparison to expose error-notes could be modified to
---- a/modules/proxy/mod_proxy.c
-+++ b/modules/proxy/mod_proxy.c
-@@ -1049,9 +1049,10 @@
- char *end;
- maxfwd = apr_strtoi64(str, &end, 10);
- if (maxfwd < 0 || maxfwd == APR_INT64_MAX || *end) {
-- return ap_proxyerror(r, HTTP_BAD_REQUEST,
-- apr_psprintf(r->pool,
-- "Max-Forwards value '%s' could not be parsed", str));
-+ ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(10188)
-+ "Max-Forwards value '%s' could not be parsed", str);
-+ return ap_proxyerror(r, HTTP_BAD_REQUEST,
-+ "Max-Forwards request header could not be parsed");
- }
- else if (maxfwd == 0) {
- switch (r->method_number) {
---- a/modules/proxy/mod_proxy_ftp.c
-+++ b/modules/proxy/mod_proxy_ftp.c
-@@ -1024,8 +1024,9 @@
- /* We break the URL into host, port, path-search */
- if (r->parsed_uri.hostname == NULL) {
- if (APR_SUCCESS != apr_uri_parse(p, url, &uri)) {
-- return ap_proxyerror(r, HTTP_BAD_REQUEST,
-- apr_psprintf(p, "URI cannot be parsed: %s", url));
-+ ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(10189)
-+ "URI cannot be parsed: %s", url);
-+ return ap_proxyerror(r, HTTP_BAD_REQUEST, "URI cannot be parsed");
- }
- connectname = uri.hostname;
- connectport = uri.port;
---- a/modules/proxy/proxy_util.c
-+++ b/modules/proxy/proxy_util.c
-@@ -368,12 +368,9 @@
- 
- PROXY_DECLARE(int) ap_proxyerror(request_rec *r, int statuscode, const char *message)
- {
-- const char *uri = ap_escape_html(r->pool, r->uri);
- apr_table_setn(r->notes, "error-notes",
- apr_pstrcat(r->pool,
-- "The proxy server could not handle the request <em><a href=\"",
-- uri, "\">", ap_escape_html(r->pool, r->method), " ", uri,
-- "</a></em>.<p>\n"
-+ "The proxy server could not handle the request<p>"
- "Reason: <strong>", ap_escape_html(r->pool, message),
- "</strong></p>",
- NULL)); |