Diffstat (limited to 'debian/patches/CVE-2021-44224-1.patch')
-rw-r--r-- | debian/patches/CVE-2021-44224-1.patch | 206 |
1 files changed, 206 insertions, 0 deletions
diff --git a/debian/patches/CVE-2021-44224-1.patch b/debian/patches/CVE-2021-44224-1.patch
new file mode 100644
index 0000000..0f540c8
--- /dev/null
+++ b/debian/patches/CVE-2021-44224-1.patch
@@ -0,0 +1,206 @@
+Description: CVE-2021-44224
+Author: Yann Ylavic <ylavic@apache.org>
+Origin: upstream, https://github.com/apache/httpd/commit/a962ba73
+Bug: https://security-tracker.debian.org/tracker/CVE-2021-44224
+Forwarded: not-needed
+Reviewed-By: Yadd <yadd@debian.org>
+Last-Update: 2021-12-21
+
+--- a/include/http_protocol.h
++++ b/include/http_protocol.h
+@@ -75,6 +75,13 @@
+ AP_DECLARE(void) ap_get_mime_headers_core(request_rec *r,
+ apr_bucket_brigade *bb);
+
++/**
++ * Run post_read_request hook and validate.
++ * @param r The current request
++ * @return OK or HTTP_...
++ */
++AP_DECLARE(int) ap_post_read_request(request_rec *r);
++
+ /* Finish up stuff after a request */
+
+ /**
+--- a/modules/http/http_request.c
++++ b/modules/http/http_request.c
+@@ -681,7 +681,7 @@
+ * to do their thing on internal redirects as well. Perhaps this is a
+ * misnamed function.
+ */
+- if ((access_status = ap_run_post_read_request(new))) {
++ if ((access_status = ap_post_read_request(new))) {
+ ap_die(access_status, new);
+ return NULL;
+ }
+--- a/modules/http2/h2_request.c
++++ b/modules/http2/h2_request.c
+@@ -337,7 +337,7 @@
+ NULL, r, r->connection);
+
+ if (access_status != HTTP_OK
+- || (access_status = ap_run_post_read_request(r))) {
++ || (access_status = ap_post_read_request(r))) {
+ /* Request check post hooks failed. An example of this would be a
+ * request for a vhost where h2 is disabled --> 421.
+ */
+--- a/modules/proxy/mod_proxy.c
++++ b/modules/proxy/mod_proxy.c
+@@ -576,13 +576,13 @@
+
+ /* Ick... msvc (perhaps others) promotes ternary short results to int */
+
+- if (conf->req && r->parsed_uri.scheme) {
++ if (conf->req && r->parsed_uri.scheme && r->parsed_uri.hostname) {
+ /* but it might be something vhosted */
+- if (!(r->parsed_uri.hostname
+- && !strcasecmp(r->parsed_uri.scheme, ap_http_scheme(r))
+- && ap_matches_request_vhost(r, r->parsed_uri.hostname,
+- (apr_port_t)(r->parsed_uri.port_str ? r->parsed_uri.port
+- : ap_default_port(r))))) {
++ if (strcasecmp(r->parsed_uri.scheme, ap_http_scheme(r)) != 0
++ || !ap_matches_request_vhost(r, r->parsed_uri.hostname,
++ (apr_port_t)(r->parsed_uri.port_str
++ ? r->parsed_uri.port
++ : ap_default_port(r)))) {
+ r->proxyreq = PROXYREQ_PROXY;
+ r->uri = r->unparsed_uri;
+ r->filename = apr_pstrcat(r->pool, "proxy:", r->uri, NULL);
+@@ -1722,6 +1722,7 @@
+ struct proxy_alias *new;
+ char *f = cmd->path;
+ char *r = NULL;
++ const char *real;
+ char *word;
+ apr_table_t *params = apr_table_make(cmd->pool, 5);
+ const apr_array_header_t *arr;
+@@ -1787,6 +1788,10 @@
+ if (r == NULL) {
+ return "ProxyPass|ProxyPassMatch needs a path when not defined in a location";
+ }
++ if (!(real = ap_proxy_de_socketfy(cmd->temp_pool, r))) {
++ return "ProxyPass|ProxyPassMatch uses an invalid \"unix:\" URL";
++ }
++
+
+ /* if per directory, save away the single alias */
+ if (cmd->path) {
+@@ -1803,7 +1808,7 @@
+ }
+
+ new->fake = apr_pstrdup(cmd->pool, f);
+- new->real = apr_pstrdup(cmd->pool, ap_proxy_de_socketfy(cmd->pool, r));
++ new->real = apr_pstrdup(cmd->pool, real);
+ new->flags = flags;
+ if (use_regex) {
+ new->regex = ap_pregcomp(cmd->pool, f, AP_REG_EXTENDED);
+@@ -2280,6 +2285,7 @@
+ proxy_worker *worker;
+ char *path = cmd->path;
+ char *name = NULL;
++ const char *real;
+ char *word;
+ apr_table_t *params = apr_table_make(cmd->pool, 5);
+ const apr_array_header_t *arr;
+@@ -2320,6 +2326,9 @@
+ return "BalancerMember must define balancer name when outside <Proxy > section";
+ if (!name)
+ return "BalancerMember must define remote proxy server";
++ if (!(real = ap_proxy_de_socketfy(cmd->temp_pool, name))) {
++ return "BalancerMember uses an invalid \"unix:\" URL";
++ }
+
+ ap_str_tolower(path); /* lowercase scheme://hostname */
+
+@@ -2332,7 +2341,7 @@
+ }
+
+ /* Try to find existing worker */
+- worker = ap_proxy_get_worker(cmd->temp_pool, balancer, conf, ap_proxy_de_socketfy(cmd->temp_pool, name));
++ worker = ap_proxy_get_worker(cmd->temp_pool, balancer, conf, real);
+ if (!worker) {
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, cmd->server, APLOGNO(01147)
+ "Defining worker '%s' for balancer '%s'",
+@@ -2421,7 +2430,14 @@
+ }
+ }
+ else {
+- worker = ap_proxy_get_worker(cmd->temp_pool, NULL, conf, ap_proxy_de_socketfy(cmd->temp_pool, name));
++ const char *real;
++
++ if (!(real = ap_proxy_de_socketfy(cmd->temp_pool, name))) {
++ return "ProxySet uses an invalid \"unix:\" URL";
++ }
++
++ worker = ap_proxy_get_worker(cmd->temp_pool, NULL, conf,
++ real);
+ if (!worker) {
+ if (in_proxy_section) {
+ err = ap_proxy_define_worker(cmd->pool, &worker, NULL,
+@@ -2563,8 +2579,14 @@
+ }
+ }
+ else {
++ const char *real;
++
++ if (!(real = ap_proxy_de_socketfy(cmd->temp_pool, conf->p))) {
++ return "<Proxy/ProxyMatch > uses an invalid \"unix:\" URL";
++ }
++
+ worker = ap_proxy_get_worker(cmd->temp_pool, NULL, sconf,
+- ap_proxy_de_socketfy(cmd->temp_pool, (char*)conf->p));
++ real);
+ if (!worker) {
+ err = ap_proxy_define_worker(cmd->pool, &worker, NULL,
+ sconf, conf->p, 0);
+--- a/modules/proxy/proxy_util.c
++++ b/modules/proxy/proxy_util.c
+@@ -1662,6 +1662,9 @@
+ }
+
+ url = ap_proxy_de_socketfy(p, url);
++ if (!url) {
++ return NULL;
++ }
+
+ c = ap_strchr_c(url, ':');
+ if (c == NULL || c[1] != '/' || c[2] != '/' || c[3] == '\0') {
+--- a/server/protocol.c
++++ b/server/protocol.c
+@@ -1465,7 +1465,7 @@
+ NULL, r, r->connection);
+
+ if (access_status != HTTP_OK
+- || (access_status = ap_run_post_read_request(r))) {
++ || (access_status = ap_post_read_request(r))) {
+ ap_die(access_status, r);
+ ap_update_child_status(conn->sbh, SERVER_BUSY_LOG, r);
+ ap_run_log_transaction(r);
+@@ -1503,6 +1503,27 @@
+ return r;
+ }
+
++AP_DECLARE(int) ap_post_read_request(request_rec *r)
++{
++ int status;
++
++ if ((status = ap_run_post_read_request(r))) {
++ return status;
++ }
++
++ /* Enforce http(s) only scheme for non-forward-proxy requests */
++ if (!r->proxyreq
++ && r->parsed_uri.scheme
++ && (ap_cstr_casecmpn(r->parsed_uri.scheme, "http", 4) != 0
++ || (r->parsed_uri.scheme[4] != '\0'
++ && (apr_tolower(r->parsed_uri.scheme[4]) != 's'
++ || r->parsed_uri.scheme[5] != '\0')))) {
++ return HTTP_BAD_REQUEST;
++ }
++
++ return OK;
++}
++
+ /* if a request with a body creates a subrequest, remove original request's
+ * input headers which pertain to the body which has already been read.
+ * out-of-line helper function for ap_set_sub_req_protocol. |
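Review bot: The http(s)-only scheme check sits in the new wrapper `ap_post_read_request()` in server/protocol.c, not in the hook, so it covers only the call sites this patch switches (http_request.c, h2_request.c, protocol.c). Any other caller of `ap_run_post_read_request()` in the packaged tree or in an out-of-tree module would presumably still bypass it, so a search for remaining direct callers is worth doing before upload. The doc comment added in include/http_protocol.h does not state this contract; I would extend it to something like `@return OK, or an HTTP_ status; HTTP_BAD_REQUEST when a non-proxy request carries a URI scheme other than http or https` and note that request-creating code should call this wrapper instead of running the hook directly. The rejection path at `return HTTP_BAD_REQUEST;` also has no log line in the visible code, so operators get no dedicated trace of such requests beyond the access log status.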