summaryrefslogtreecommitdiffstats
path: root/debian/patches/CVE-2021-44224-1.patch
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-05-07 02:04:07 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-05-07 02:04:07 +0000
commit1221c736f9a90756d47ea6d28320b6b83602dd2a (patch)
treeb453ba7b1393205258c9b098a773b4330984672f /debian/patches/CVE-2021-44224-1.patch
parentAdding upstream version 2.4.38. (diff)
downloadapache2-debian/2.4.38-3+deb10u8.tar.xz
apache2-debian/2.4.38-3+deb10u8.zip
Adding debian version 2.4.38-3+deb10u8.debian/2.4.38-3+deb10u8debian
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'debian/patches/CVE-2021-44224-1.patch')
-rw-r--r--debian/patches/CVE-2021-44224-1.patch206
1 files changed, 206 insertions, 0 deletions
diff --git a/debian/patches/CVE-2021-44224-1.patch b/debian/patches/CVE-2021-44224-1.patch
new file mode 100644
index 0000000..0f540c8
--- /dev/null
+++ b/debian/patches/CVE-2021-44224-1.patch
@@ -0,0 +1,206 @@
+Description: CVE-2021-44224
+Author: Yann Ylavic <ylavic@apache.org>
+Origin: upstream, https://github.com/apache/httpd/commit/a962ba73
+Bug: https://security-tracker.debian.org/tracker/CVE-2021-44224
+Forwarded: not-needed
+Reviewed-By: Yadd <yadd@debian.org>
+Last-Update: 2021-12-21
+
+--- a/include/http_protocol.h
++++ b/include/http_protocol.h
+@@ -75,6 +75,13 @@
+ AP_DECLARE(void) ap_get_mime_headers_core(request_rec *r,
+ apr_bucket_brigade *bb);
+
++/**
++ * Run post_read_request hook and validate.
++ * @param r The current request
++ * @return OK or HTTP_...
++ */
++AP_DECLARE(int) ap_post_read_request(request_rec *r);
++
+ /* Finish up stuff after a request */
+
+ /**
+--- a/modules/http/http_request.c
++++ b/modules/http/http_request.c
+@@ -681,7 +681,7 @@
+ * to do their thing on internal redirects as well. Perhaps this is a
+ * misnamed function.
+ */
+- if ((access_status = ap_run_post_read_request(new))) {
++ if ((access_status = ap_post_read_request(new))) {
+ ap_die(access_status, new);
+ return NULL;
+ }
+--- a/modules/http2/h2_request.c
++++ b/modules/http2/h2_request.c
+@@ -337,7 +337,7 @@
+ NULL, r, r->connection);
+
+ if (access_status != HTTP_OK
+- || (access_status = ap_run_post_read_request(r))) {
++ || (access_status = ap_post_read_request(r))) {
+ /* Request check post hooks failed. An example of this would be a
+ * request for a vhost where h2 is disabled --> 421.
+ */
+--- a/modules/proxy/mod_proxy.c
++++ b/modules/proxy/mod_proxy.c
+@@ -576,13 +576,13 @@
+
+ /* Ick... msvc (perhaps others) promotes ternary short results to int */
+
+- if (conf->req && r->parsed_uri.scheme) {
++ if (conf->req && r->parsed_uri.scheme && r->parsed_uri.hostname) {
+ /* but it might be something vhosted */
+- if (!(r->parsed_uri.hostname
+- && !strcasecmp(r->parsed_uri.scheme, ap_http_scheme(r))
+- && ap_matches_request_vhost(r, r->parsed_uri.hostname,
+- (apr_port_t)(r->parsed_uri.port_str ? r->parsed_uri.port
+- : ap_default_port(r))))) {
++ if (strcasecmp(r->parsed_uri.scheme, ap_http_scheme(r)) != 0
++ || !ap_matches_request_vhost(r, r->parsed_uri.hostname,
++ (apr_port_t)(r->parsed_uri.port_str
++ ? r->parsed_uri.port
++ : ap_default_port(r)))) {
+ r->proxyreq = PROXYREQ_PROXY;
+ r->uri = r->unparsed_uri;
+ r->filename = apr_pstrcat(r->pool, "proxy:", r->uri, NULL);
+@@ -1722,6 +1722,7 @@
+ struct proxy_alias *new;
+ char *f = cmd->path;
+ char *r = NULL;
++ const char *real;
+ char *word;
+ apr_table_t *params = apr_table_make(cmd->pool, 5);
+ const apr_array_header_t *arr;
+@@ -1787,6 +1788,10 @@
+ if (r == NULL) {
+ return "ProxyPass|ProxyPassMatch needs a path when not defined in a location";
+ }
++ if (!(real = ap_proxy_de_socketfy(cmd->temp_pool, r))) {
++ return "ProxyPass|ProxyPassMatch uses an invalid \"unix:\" URL";
++ }
++
+
+ /* if per directory, save away the single alias */
+ if (cmd->path) {
+@@ -1803,7 +1808,7 @@
+ }
+
+ new->fake = apr_pstrdup(cmd->pool, f);
+- new->real = apr_pstrdup(cmd->pool, ap_proxy_de_socketfy(cmd->pool, r));
++ new->real = apr_pstrdup(cmd->pool, real);
+ new->flags = flags;
+ if (use_regex) {
+ new->regex = ap_pregcomp(cmd->pool, f, AP_REG_EXTENDED);
+@@ -2280,6 +2285,7 @@
+ proxy_worker *worker;
+ char *path = cmd->path;
+ char *name = NULL;
++ const char *real;
+ char *word;
+ apr_table_t *params = apr_table_make(cmd->pool, 5);
+ const apr_array_header_t *arr;
+@@ -2320,6 +2326,9 @@
+ return "BalancerMember must define balancer name when outside <Proxy > section";
+ if (!name)
+ return "BalancerMember must define remote proxy server";
++ if (!(real = ap_proxy_de_socketfy(cmd->temp_pool, name))) {
++ return "BalancerMember uses an invalid \"unix:\" URL";
++ }
+
+ ap_str_tolower(path); /* lowercase scheme://hostname */
+
+@@ -2332,7 +2341,7 @@
+ }
+
+ /* Try to find existing worker */
+- worker = ap_proxy_get_worker(cmd->temp_pool, balancer, conf, ap_proxy_de_socketfy(cmd->temp_pool, name));
++ worker = ap_proxy_get_worker(cmd->temp_pool, balancer, conf, real);
+ if (!worker) {
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, cmd->server, APLOGNO(01147)
+ "Defining worker '%s' for balancer '%s'",
+@@ -2421,7 +2430,14 @@
+ }
+ }
+ else {
+- worker = ap_proxy_get_worker(cmd->temp_pool, NULL, conf, ap_proxy_de_socketfy(cmd->temp_pool, name));
++ const char *real;
++
++ if (!(real = ap_proxy_de_socketfy(cmd->temp_pool, name))) {
++ return "ProxySet uses an invalid \"unix:\" URL";
++ }
++
++ worker = ap_proxy_get_worker(cmd->temp_pool, NULL, conf,
++ real);
+ if (!worker) {
+ if (in_proxy_section) {
+ err = ap_proxy_define_worker(cmd->pool, &worker, NULL,
+@@ -2563,8 +2579,14 @@
+ }
+ }
+ else {
++ const char *real;
++
++ if (!(real = ap_proxy_de_socketfy(cmd->temp_pool, conf->p))) {
++ return "<Proxy/ProxyMatch > uses an invalid \"unix:\" URL";
++ }
++
+ worker = ap_proxy_get_worker(cmd->temp_pool, NULL, sconf,
+- ap_proxy_de_socketfy(cmd->temp_pool, (char*)conf->p));
++ real);
+ if (!worker) {
+ err = ap_proxy_define_worker(cmd->pool, &worker, NULL,
+ sconf, conf->p, 0);
+--- a/modules/proxy/proxy_util.c
++++ b/modules/proxy/proxy_util.c
+@@ -1662,6 +1662,9 @@
+ }
+
+ url = ap_proxy_de_socketfy(p, url);
++ if (!url) {
++ return NULL;
++ }
+
+ c = ap_strchr_c(url, ':');
+ if (c == NULL || c[1] != '/' || c[2] != '/' || c[3] == '\0') {
+--- a/server/protocol.c
++++ b/server/protocol.c
+@@ -1465,7 +1465,7 @@
+ NULL, r, r->connection);
+
+ if (access_status != HTTP_OK
+- || (access_status = ap_run_post_read_request(r))) {
++ || (access_status = ap_post_read_request(r))) {
+ ap_die(access_status, r);
+ ap_update_child_status(conn->sbh, SERVER_BUSY_LOG, r);
+ ap_run_log_transaction(r);
+@@ -1503,6 +1503,27 @@
+ return r;
+ }
+
++AP_DECLARE(int) ap_post_read_request(request_rec *r)
++{
++ int status;
++
++ if ((status = ap_run_post_read_request(r))) {
++ return status;
++ }
++
++ /* Enforce http(s) only scheme for non-forward-proxy requests */
++ if (!r->proxyreq
++ && r->parsed_uri.scheme
++ && (ap_cstr_casecmpn(r->parsed_uri.scheme, "http", 4) != 0
++ || (r->parsed_uri.scheme[4] != '\0'
++ && (apr_tolower(r->parsed_uri.scheme[4]) != 's'
++ || r->parsed_uri.scheme[5] != '\0')))) {
++ return HTTP_BAD_REQUEST;
++ }
++
++ return OK;
++}
++
+ /* if a request with a body creates a subrequest, remove original request's
+ * input headers which pertain to the body which has already been read.
+ * out-of-line helper function for ap_set_sub_req_protocol.