path: root/debian/tests/CVE-2023-25690
#!/bin/bash

# Regression test for CVE-2023-25690.
#
# The script configures Apache with a front-end vhost on port 80 that rewrites
# and proxies /here/ to a backend vhost on port 8080, sends one request whose
# URL carries percent-encoded CR/LF followed by a second request line, and then
# checks that the front end answers 4xx and that the backend access log holds
# no "GET /BAD.html" entry.
#
# Requires AUTOPKGTEST_ARTIFACTS to point at a writable artifacts directory.

# -e: stop at the first failing command; -u: an unset variable is an error;
# -x: trace every command into the test log.
# pipefail is not enabled, so a pipeline's status is that of its last command.
set -eux

# Failure flag written by fail().
# NOTE(review): nothing visible in this script calls fail() or reads RC; the
# script ends through explicit exit codes instead. Confirm whether that is
# intended.
RC=0
# Report a test failure on stderr and record it in the global RC flag.
# Globals:   RC (written)
# Arguments: message words, joined with single spaces
# Outputs:   "FAIL: <message>" on stderr
fail() {
  printf 'FAIL: %s\n' "$*" >&2
  RC=1
}


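# EXIT-trap handler: print service state and every Apache log into the test
# output, and stop the service, whatever the exit path was. Each step is
# best-effort (|| true) so one missing log does not hide the others.
# Globals:   AUTOPKGTEST_ARTIFACTS (read)
# Outputs:   systemctl status and the four log files on stdout
exit_handler() {
    # Every expansion is quoted so an artifacts path containing whitespace or
    # glob characters still resolves to the intended files.
    local log_dir="$AUTOPKGTEST_ARTIFACTS/apache2"
    local log_name

    # fix cp: cannot access '/tmp/autopkgtest-lxc.x06nhp9r/downtmp/CVE-2023-25690-artifacts/apache2': Permission denied
    chmod -R a+rwX "$log_dir" || true
    systemctl status apache2.service || true
    systemctl stop apache2 || true

    # Front-end logs first, then the port 8080 backend logs.
    for log_name in error.log access.log error.8080.log access.8080.log; do
        cat -- "$log_dir/$log_name" || true
    done
}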
# Dump the logs and stop the service on every exit path, including an abort
# caused by set -e.
trap exit_handler EXIT


# The test needs mod_rewrite handing requests to mod_proxy over HTTP.
for module in proxy proxy_http rewrite; do
  a2enmod "$module"
done

# Keep a copy of the existing logs in the artifacts directory, empty the live
# log directory, then bind-mount the artifacts copy over it so everything
# Apache writes during the test lands in the artifacts.
rsync -a /var/log/apache2 "$AUTOPKGTEST_ARTIFACTS"
rm /var/log/apache2/*
mount -o bind "$AUTOPKGTEST_ARTIFACTS/apache2" /var/log/apache2

# Make Apache listen on two ports: 80 for the proxying front-end vhost and
# 8080 for the backend vhost. tee writes the file and also echoes it into the
# test log; the quoted 'EOF' delimiter keeps the body literal.
tee /etc/apache2/ports.conf <<'EOF'
Listen 80
Listen 8080
EOF


# Replace the default site with the two vhosts the test needs. The quoted
# 'EOF' delimiter means ${APACHE_LOG_DIR} and $1 are written literally, for
# Apache to expand rather than the shell.
#
# *:8080 is the backend: it serves /var/www/html and logs to
# access.8080.log, the file the final check inspects.
#
# *:80 is the front end: the RewriteRule captures everything after /here/ and
# substitutes it into the query string of the backend URL, and [P] hands the
# result to mod_proxy. Re-inserting client-supplied request data into the
# proxied target is the configuration pattern this CVE test exercises.
# rewrite:trace6 and proxy:trace6 make the error log show how the request was
# rewritten and proxied.
tee /etc/apache2/sites-available/000-default.conf <<'EOF'
<VirtualHost *:8080>
	# The ServerName directive sets the request scheme, hostname and port that
	# the server uses to identify itself. This is used when creating
	# redirection URLs. In the context of virtual hosts, the ServerName
	# specifies what hostname must appear in the request's Host: header to
	# match this virtual host. For the default virtual host (this file) this
	# value is not decisive as it is used as a last resort host regardless.
	# However, you must set it for any further virtual host explicitly.
	#ServerName www.example.com

	ServerAdmin webmaster@localhost
	DocumentRoot /var/www/html

	# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
	# error, crit, alert, emerg.
	# It is also possible to configure the loglevel for particular
	# modules, e.g.
	#LogLevel info ssl:warn

	ErrorLog ${APACHE_LOG_DIR}/error.8080.log
	CustomLog ${APACHE_LOG_DIR}/access.8080.log combined

	# For most configuration files from conf-available/, which are
	# enabled or disabled at a global level, it is possible to
	# include a line for only one particular virtual host. For example the
	# following line enables the CGI configuration for this host only
	# after it has been globally disabled with "a2disconf".
	#Include conf-available/serve-cgi-bin.conf
</VirtualHost>
<VirtualHost *:80>
	# The ServerName directive sets the request scheme, hostname and port that
	# the server uses to identify itself. This is used when creating
	# redirection URLs. In the context of virtual hosts, the ServerName
	# specifies what hostname must appear in the request's Host: header to
	# match this virtual host. For the default virtual host (this file) this
	# value is not decisive as it is used as a last resort host regardless.
	# However, you must set it for any further virtual host explicitly.
	#ServerName www.example.com

	ServerAdmin webmaster@localhost
	DocumentRoot /var/www/html

	# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
	# error, crit, alert, emerg.
	# It is also possible to configure the loglevel for particular
	# modules, e.g.
	#LogLevel info ssl:warn
	LogLevel alert rewrite:trace6
	LogLevel error proxy:trace6
	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

	RewriteEngine on
	RewriteRule "^/here/(.*)" "http://localhost:8080/index.html?$1" [P]
	ProxyPassReverse "/here/"  "http://localhost:8080/"
</VirtualHost>
EOF

# Restart so the new ports, modules and vhosts take effect before the probe.
# Under set -e a configuration error aborts the test here.
systemctl restart apache2

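# Request target sent to the front-end vhost. The percent-encoded CR/LF pairs
# (%0d%0a) place a second request line, "GET /BAD.html", inside the part of
# the path that the RewriteRule captures and re-inserts into the proxied URL.
CHOKEURL="http://localhost/here/index.html%20HTTP/1.1%0d%0aHost:%20localhost%0d%0aConnection:%20keep-alive%0d%0a%0d%0aGET%20/BAD.html%20HTTP/1.1%0d%0aFoo:%20bar HTTP/1.1"

# Diagnostic runs only: show the body and the response headers in the test
# log. wget is expected to fail on a 4xx answer, hence "|| true".
wget -S -q --output-document - "$CHOKEURL" || true
(wget -S -q --output-document /dev/null "$CHOKEURL" 2>&1 || true)

# Check 1: the front end must reject the request with a 4xx status.
# wget -S prints the response headers on stderr, so they are merged into the
# pipe; with set -e and no pipefail, a grep miss aborts the test.
(wget -S -q --output-document /dev/null "$CHOKEURL" 2>&1 || true) | grep -e '^[[:space:]]*HTTP/1.1 4[[:digit:]][[:digit:]] '

# Check 2: the backend must never have received the embedded second request.
backend_log="$AUTOPKGTEST_ARTIFACTS/apache2/access.8080.log"

# Fail closed: without a readable backend log, "no match" would only mean
# "nothing was inspected", and the test would pass without checking anything.
if [[ ! -r "$backend_log" ]]; then
  echo "FAIL: backend access log $backend_log is missing or unreadable" >&2
  exit 1
fi

# -F matches the request line literally; the exit status separates
# "found" (0) and "not found" (1) from a grep error (anything else).
grep_rc=0
grep -F -- '] "GET /BAD.html HTTP/1.1"' "$backend_log" || grep_rc=$?
case "$grep_rc" in
  0)
    echo "FAIL: backend logged the embedded GET /BAD.html request" >&2
    exit 1
    ;;
  1) ;;
  *)
    echo "FAIL: could not search $backend_log (grep status $grep_rc)" >&2
    exit 1
    ;;
esac

exit 0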