Description: CVE-2021-44224 Author: Yann Ylavic Origin: upstream, https://github.com/apache/httpd/commit/a962ba73 Bug: https://security-tracker.debian.org/tracker/CVE-2021-44224 Forwarded: not-needed Reviewed-By: Yadd Last-Update: 2021-12-21 --- a/include/http_protocol.h +++ b/include/http_protocol.h @@ -75,6 +75,13 @@ AP_DECLARE(void) ap_get_mime_headers_core(request_rec *r, apr_bucket_brigade *bb); +/** + * Run post_read_request hook and validate. + * @param r The current request + * @return OK or HTTP_... + */ +AP_DECLARE(int) ap_post_read_request(request_rec *r); + /* Finish up stuff after a request */ /** --- a/modules/http/http_request.c +++ b/modules/http/http_request.c @@ -681,7 +681,7 @@ * to do their thing on internal redirects as well. Perhaps this is a * misnamed function. */ - if ((access_status = ap_run_post_read_request(new))) { + if ((access_status = ap_post_read_request(new))) { ap_die(access_status, new); return NULL; } --- a/modules/http2/h2_request.c +++ b/modules/http2/h2_request.c @@ -337,7 +337,7 @@ NULL, r, r->connection); if (access_status != HTTP_OK - || (access_status = ap_run_post_read_request(r))) { + || (access_status = ap_post_read_request(r))) { /* Request check post hooks failed. An example of this would be a * request for a vhost where h2 is disabled --> 421. */ --- a/modules/proxy/mod_proxy.c +++ b/modules/proxy/mod_proxy.c @@ -576,13 +576,13 @@ /* Ick... msvc (perhaps others) promotes ternary short results to int */ - if (conf->req && r->parsed_uri.scheme) { + if (conf->req && r->parsed_uri.scheme && r->parsed_uri.hostname) { /* but it might be something vhosted */ - if (!(r->parsed_uri.hostname - && !strcasecmp(r->parsed_uri.scheme, ap_http_scheme(r)) - && ap_matches_request_vhost(r, r->parsed_uri.hostname, - (apr_port_t)(r->parsed_uri.port_str ? r->parsed_uri.port - : ap_default_port(r))))) { + if (strcasecmp(r->parsed_uri.scheme, ap_http_scheme(r)) != 0 + || !ap_matches_request_vhost(r, r->parsed_uri.hostname, + (apr_port_t)(r->parsed_uri.port_str + ? r->parsed_uri.port + : ap_default_port(r)))) { r->proxyreq = PROXYREQ_PROXY; r->uri = r->unparsed_uri; r->filename = apr_pstrcat(r->pool, "proxy:", r->uri, NULL); @@ -1722,6 +1722,7 @@ struct proxy_alias *new; char *f = cmd->path; char *r = NULL; + const char *real; char *word; apr_table_t *params = apr_table_make(cmd->pool, 5); const apr_array_header_t *arr; @@ -1787,6 +1788,10 @@ if (r == NULL) { return "ProxyPass|ProxyPassMatch needs a path when not defined in a location"; } + if (!(real = ap_proxy_de_socketfy(cmd->temp_pool, r))) { + return "ProxyPass|ProxyPassMatch uses an invalid \"unix:\" URL"; + } + /* if per directory, save away the single alias */ if (cmd->path) { @@ -1803,7 +1808,7 @@ } new->fake = apr_pstrdup(cmd->pool, f); - new->real = apr_pstrdup(cmd->pool, ap_proxy_de_socketfy(cmd->pool, r)); + new->real = apr_pstrdup(cmd->pool, real); new->flags = flags; if (use_regex) { new->regex = ap_pregcomp(cmd->pool, f, AP_REG_EXTENDED); @@ -2280,6 +2285,7 @@ proxy_worker *worker; char *path = cmd->path; char *name = NULL; + const char *real; char *word; apr_table_t *params = apr_table_make(cmd->pool, 5); const apr_array_header_t *arr; @@ -2320,6 +2326,9 @@ return "BalancerMember must define balancer name when outside section"; if (!name) return "BalancerMember must define remote proxy server"; + if (!(real = ap_proxy_de_socketfy(cmd->temp_pool, name))) { + return "BalancerMember uses an invalid \"unix:\" URL"; + } ap_str_tolower(path); /* lowercase scheme://hostname */ @@ -2332,7 +2341,7 @@ } /* Try to find existing worker */ - worker = ap_proxy_get_worker(cmd->temp_pool, balancer, conf, ap_proxy_de_socketfy(cmd->temp_pool, name)); + worker = ap_proxy_get_worker(cmd->temp_pool, balancer, conf, real); if (!worker) { ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, cmd->server, APLOGNO(01147) "Defining worker '%s' for balancer '%s'", @@ -2421,7 +2430,14 @@ } } else { - worker = ap_proxy_get_worker(cmd->temp_pool, NULL, conf, ap_proxy_de_socketfy(cmd->temp_pool, name)); + const char *real; + + if (!(real = ap_proxy_de_socketfy(cmd->temp_pool, name))) { + return "ProxySet uses an invalid \"unix:\" URL"; + } + + worker = ap_proxy_get_worker(cmd->temp_pool, NULL, conf, + real); if (!worker) { if (in_proxy_section) { err = ap_proxy_define_worker(cmd->pool, &worker, NULL, @@ -2563,8 +2579,14 @@ } } else { + const char *real; + + if (!(real = ap_proxy_de_socketfy(cmd->temp_pool, conf->p))) { + return " uses an invalid \"unix:\" URL"; + } + worker = ap_proxy_get_worker(cmd->temp_pool, NULL, sconf, - ap_proxy_de_socketfy(cmd->temp_pool, (char*)conf->p)); + real); if (!worker) { err = ap_proxy_define_worker(cmd->pool, &worker, NULL, sconf, conf->p, 0); --- a/modules/proxy/proxy_util.c +++ b/modules/proxy/proxy_util.c @@ -1662,6 +1662,9 @@ } url = ap_proxy_de_socketfy(p, url); + if (!url) { + return NULL; + } c = ap_strchr_c(url, ':'); if (c == NULL || c[1] != '/' || c[2] != '/' || c[3] == '\0') { --- a/server/protocol.c +++ b/server/protocol.c @@ -1465,7 +1465,7 @@ NULL, r, r->connection); if (access_status != HTTP_OK - || (access_status = ap_run_post_read_request(r))) { + || (access_status = ap_post_read_request(r))) { ap_die(access_status, r); ap_update_child_status(conn->sbh, SERVER_BUSY_LOG, r); ap_run_log_transaction(r); @@ -1503,6 +1503,27 @@ return r; } +AP_DECLARE(int) ap_post_read_request(request_rec *r) +{ + int status; + + if ((status = ap_run_post_read_request(r))) { + return status; + } + + /* Enforce http(s) only scheme for non-forward-proxy requests */ + if (!r->proxyreq + && r->parsed_uri.scheme + && (ap_cstr_casecmpn(r->parsed_uri.scheme, "http", 4) != 0 + || (r->parsed_uri.scheme[4] != '\0' + && (apr_tolower(r->parsed_uri.scheme[4]) != 's' + || r->parsed_uri.scheme[5] != '\0')))) { + return HTTP_BAD_REQUEST; + } + + return OK; +} + /* if a request with a body creates a subrequest, remove original request's * input headers which pertain to the body which has already been read. * out-of-line helper function for ap_set_sub_req_protocol.