path: root/debian/patches/0054-CVE-2023-25690-2.patch
blob: 978be7865898e870843e15a4c36287eab0ef721f (plain)
From 8b93a6512f14f5f68887ddfe677e91233ed79fb0 Mon Sep 17 00:00:00 2001
From: Ruediger Pluem <rpluem@apache.org>
Date: Mon, 6 Mar 2023 10:00:09 +0000
Subject: [PATCH] [2/2] Fix CVE-2023-25690: HTTP Request Smuggling in mod_proxy*

* modules/http2/mod_proxy_http2.c: Fix missing APLOGNO.

Submitted by: jorton
Reviewed by: rpluem

Note: mod_proxy_http2 is CTR on 2.4.x.

bug: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2023-25690
bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1032476
bug-debian-security: https://security-tracker.debian.org/tracker/CVE-2023-25690
origin: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1908118 13f79535-47bb-0310-9956-ffa450edef68
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1908118 13f79535-47bb-0310-9956-ffa450edef68
---
 modules/http2/mod_proxy_http2.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/http2/mod_proxy_http2.c b/modules/http2/mod_proxy_http2.c
index aa299b937a5..2a9967e5d57 100644
--- a/modules/http2/mod_proxy_http2.c
+++ b/modules/http2/mod_proxy_http2.c
@@ -163,7 +163,7 @@ static int proxy_http2_canon(request_rec *r, char *url)
                  * We have a raw control character or a ' ' in r->args.
                  * Correct encoding was missed.
                  */
-                ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO()
+                ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10412)
                               "To be forwarded query string contains control "
                               "characters or spaces");
                 return HTTP_FORBIDDEN;
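Review bot: The comment above this ap_log_rerror() call says only that "correct encoding was missed"; it does not say why the request is refused with HTTP_FORBIDDEN instead of being re-encoded and forwarded. Going by the commit subject, this branch is part of the CVE-2023-25690 request-smuggling fix, so I would record that in the comment to keep the rejection from being relaxed later, e.g. `* Refuse instead of re-encoding: see CVE-2023-25690 (request smuggling).` With the number filled in, the message is emitted with the AH10412 tag, which gives operators a stable string to alert on. proxy_http2_canon starts and ends outside this hunk, so the check that leads into this branch is not visible here.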