Description: Fix for CVE-2019-10092 Author: Stefan Eissing Origin: upstream, https://svn.apache.org/viewvc?view=revision&revision=1864191 Bug: https://security-tracker.debian.org/tracker/CVE-2019-10092 Forwarded: not-needed Reviewed-By: Xavier Guimard Last-Update: 2019-10-11 [Salvatore Bonaccorso: Add additional change from https://svn.apache.org/r1864699 to add missing APLOGNO's in mod_proxy.c and mod_proxy_ftp.c] --- a/modules/http/http_protocol.c +++ b/modules/http/http_protocol.c @@ -1132,13 +1132,10 @@ "\">here.

\n", NULL)); case HTTP_USE_PROXY: - return(apr_pstrcat(p, - "

This resource is only accessible " - "through the proxy\n", - ap_escape_html(r->pool, location), - "
\nYou will need to configure " - "your client to use that proxy.

\n", - NULL)); + return("

This resource is only accessible " + "through the proxy\n" + "
\nYou will need to configure " + "your client to use that proxy.

\n"); case HTTP_PROXY_AUTHENTICATION_REQUIRED: case HTTP_UNAUTHORIZED: return("

This server could not verify that you\n" @@ -1154,34 +1151,20 @@ "error-notes", "

\n")); case HTTP_FORBIDDEN: - s1 = apr_pstrcat(p, - "

You don't have permission to access ", - ap_escape_html(r->pool, r->uri), - "\non this server.
\n", - NULL); - return(add_optional_notes(r, s1, "error-notes", "

\n")); + return(add_optional_notes(r, "

You don't have permission to access this resource.", "error-notes", "

\n")); case HTTP_NOT_FOUND: - return(apr_pstrcat(p, - "

The requested URL ", - ap_escape_html(r->pool, r->uri), - " was not found on this server.

\n", - NULL)); + return("

The requested URL was not found on this server.

\n"); case HTTP_METHOD_NOT_ALLOWED: return(apr_pstrcat(p, "

The requested method ", ap_escape_html(r->pool, r->method), - " is not allowed for the URL ", - ap_escape_html(r->pool, r->uri), - ".

\n", + " is not allowed for this URL.

\n", NULL)); case HTTP_NOT_ACCEPTABLE: - s1 = apr_pstrcat(p, - "

An appropriate representation of the " - "requested resource ", - ap_escape_html(r->pool, r->uri), - " could not be found on this server.

\n", - NULL); - return(add_optional_notes(r, s1, "variant-list", "")); + return(add_optional_notes(r, + "

An appropriate representation of the requested resource " + "could not be found on this server.

\n", + "variant-list", "")); case HTTP_MULTIPLE_CHOICES: return(add_optional_notes(r, "", "variant-list", "")); case HTTP_LENGTH_REQUIRED: @@ -1192,18 +1175,13 @@ NULL); return(add_optional_notes(r, s1, "error-notes", "

\n")); case HTTP_PRECONDITION_FAILED: - return(apr_pstrcat(p, - "

The precondition on the request " - "for the URL ", - ap_escape_html(r->pool, r->uri), - " evaluated to false.

\n", - NULL)); + return("

The precondition on the request " + "for this URL evaluated to false.

\n"); case HTTP_NOT_IMPLEMENTED: s1 = apr_pstrcat(p, "

", - ap_escape_html(r->pool, r->method), " to ", - ap_escape_html(r->pool, r->uri), - " not supported.
\n", + ap_escape_html(r->pool, r->method), " ", + " not supported for current URL.
\n", NULL); return(add_optional_notes(r, s1, "error-notes", "

\n")); case HTTP_BAD_GATEWAY: @@ -1211,29 +1189,19 @@ "response from an upstream server.
" CRLF; return(add_optional_notes(r, s1, "error-notes", "

\n")); case HTTP_VARIANT_ALSO_VARIES: - return(apr_pstrcat(p, - "

A variant for the requested " - "resource\n

\n",
-                           ap_escape_html(r->pool, r->uri),
-                           "\n
\nis itself a negotiable resource. " - "This indicates a configuration error.

\n", - NULL)); + return("

A variant for the requested " + "resource\n

\n"
+               "\n
\nis itself a negotiable resource. " + "This indicates a configuration error.

\n"); case HTTP_REQUEST_TIME_OUT: return("

Server timeout waiting for the HTTP request from the client.

\n"); case HTTP_GONE: - return(apr_pstrcat(p, - "

The requested resource
", - ap_escape_html(r->pool, r->uri), - "
\nis no longer available on this server " - "and there is no forwarding address.\n" - "Please remove all references to this " - "resource.

\n", - NULL)); + return("

The requested resource is no longer available on this server" + " and there is no forwarding address.\n" + "Please remove all references to this resource.

\n"); case HTTP_REQUEST_ENTITY_TOO_LARGE: return(apr_pstrcat(p, - "The requested resource
", - ap_escape_html(r->pool, r->uri), "
\n", - "does not allow request data with ", + "The requested resource does not allow request data with ", ap_escape_html(r->pool, r->method), " requests, or the amount of data provided in\n" "the request exceeds the capacity limit.\n", @@ -1317,11 +1285,9 @@ "the Server Name Indication (SNI) in use for this\n" "connection.

\n"); case HTTP_UNAVAILABLE_FOR_LEGAL_REASONS: - s1 = apr_pstrcat(p, - "

Access to ", ap_escape_html(r->pool, r->uri), - "\nhas been denied for legal reasons.
\n", - NULL); - return(add_optional_notes(r, s1, "error-notes", "

\n")); + return(add_optional_notes(r, + "

Access to this URL has been denied for legal reasons.
\n", + "error-notes", "

\n")); default: /* HTTP_INTERNAL_SERVER_ERROR */ /* * This comparison to expose error-notes could be modified to --- a/modules/proxy/mod_proxy.c +++ b/modules/proxy/mod_proxy.c @@ -1049,9 +1049,10 @@ char *end; maxfwd = apr_strtoi64(str, &end, 10); if (maxfwd < 0 || maxfwd == APR_INT64_MAX || *end) { - return ap_proxyerror(r, HTTP_BAD_REQUEST, - apr_psprintf(r->pool, - "Max-Forwards value '%s' could not be parsed", str)); + ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(10188) + "Max-Forwards value '%s' could not be parsed", str); + return ap_proxyerror(r, HTTP_BAD_REQUEST, + "Max-Forwards request header could not be parsed"); } else if (maxfwd == 0) { switch (r->method_number) { --- a/modules/proxy/mod_proxy_ftp.c +++ b/modules/proxy/mod_proxy_ftp.c @@ -1024,8 +1024,9 @@ /* We break the URL into host, port, path-search */ if (r->parsed_uri.hostname == NULL) { if (APR_SUCCESS != apr_uri_parse(p, url, &uri)) { - return ap_proxyerror(r, HTTP_BAD_REQUEST, - apr_psprintf(p, "URI cannot be parsed: %s", url)); + ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(10189) + "URI cannot be parsed: %s", url); + return ap_proxyerror(r, HTTP_BAD_REQUEST, "URI cannot be parsed"); } connectname = uri.hostname; connectport = uri.port; --- a/modules/proxy/proxy_util.c +++ b/modules/proxy/proxy_util.c @@ -368,12 +368,9 @@ PROXY_DECLARE(int) ap_proxyerror(request_rec *r, int statuscode, const char *message) { - const char *uri = ap_escape_html(r->pool, r->uri); apr_table_setn(r->notes, "error-notes", apr_pstrcat(r->pool, - "The proxy server could not handle the request ", ap_escape_html(r->pool, r->method), " ", uri, - ".

\n" + "The proxy server could not handle the request

" "Reason: ", ap_escape_html(r->pool, message), "

", NULL));