blob: cad5774d75004b5f7da21f9b3013e8e1ed66393c (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
|
Description: mod_proxy_uwsgi: Remove duplicate slashes at the beginning of PATH_INFO.
Relaxes the behaviour introduced by the CVE-2021-36160 fix
Author: Stefan Eissing <icing@apache.org>
Origin: upstream, https://github.com/apache/httpd/commit/8966e290a
Forwarded: not-needed
Reviewed-By: Yadd <yadd@debian.org>
Last-Update: 2021-12-21
--- a/modules/proxy/mod_proxy_uwsgi.c
+++ b/modules/proxy/mod_proxy_uwsgi.c
@@ -467,11 +467,20 @@
/* ADD PATH_INFO (unescaped) */
u_path_info = ap_strchr(url + sizeof(UWSGI_SCHEME) + 2, '/');
- if (!u_path_info || ap_unescape_url(u_path_info) != OK) {
+ if (!u_path_info) {
+ u_path_info = apr_pstrdup(r->pool, "/");
+ }
+ else if (ap_unescape_url(u_path_info) != OK) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10100)
"unable to decode uwsgi uri: %s", url);
return HTTP_INTERNAL_SERVER_ERROR;
}
+ else {
+ /* Remove duplicate slashes at the beginning of PATH_INFO */
+ while (u_path_info[1] == '/') {
+ u_path_info++;
+ }
+ }
apr_table_add(r->subprocess_env, "PATH_INFO", u_path_info);
|
