1 files changed, 75 insertions, 0 deletions

diff --git a/debian/patches/0009-CVE-2024-38474-regression-mod_rewrite-Improve-safe-q.patch b/debian/patches/0009-CVE-2024-38474-regression-mod_rewrite-Improve-safe-q.patch
new file mode 100644
index 0000000..4c5ff8c
--- /dev/null
+++ b/debian/patches/0009-CVE-2024-38474-regression-mod_rewrite-Improve-safe-q.patch
@@ -0,0 +1,75 @@
+From: Eric Covener <covener@apache.org>
+Date: Fri, 27 Sep 2024 13:11:05 +0000
+Subject: CVE-2024-38474 regression mod_rewrite: Improve safe question mark
+ detection
+
+     Trunk version of patch:
+        https://svn.apache.org/r1920566
+     Backport version for 2.4.x of patch:
+      Trunk version of patch works
+      svn merge -c 1920566 ^/httpd/httpd/trunk .
+     +1: rpluem, covener, jorton
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1920982 13f79535-47bb-0310-9956-ffa450edef68
+origin: https://github.com/apache/httpd/commit/c91445b7f905587aa86ad552f4a1a3f29345e695
+---
+ modules/mappers/mod_rewrite.c | 32 ++++++++++++++------------------
+ 1 file changed, 14 insertions(+), 18 deletions(-)
+
+diff --git a/modules/mappers/mod_rewrite.c b/modules/mappers/mod_rewrite.c
+index 53fb1e9..c8c5dbd 100644
+--- a/modules/mappers/mod_rewrite.c
++++ b/modules/mappers/mod_rewrite.c
+@@ -2404,21 +2404,19 @@ static char *do_expand(char *input, rewrite_ctx *ctx, rewriterule_entry *entry,
+             *unsafe_qmark = 0;
+ 
+             /* keep tracking only if interested in the last qmark */
+-            if (entry && (entry->flags & RULEFLAG_QSLAST)) {
+-                do {
+-                    span++;
+-                    span += strcspn(input + span, EXPAND_SPECIALS "?");
+-                } while (input[span] == '?');
+-            }
+-            else {
++            if (!entry || !(entry->flags & RULEFLAG_QSLAST)) {
+                 unsafe_qmark = NULL;
+-                span += strcspn(input + span, EXPAND_SPECIALS);
+             }
++
++            /* find the next real special char, any (last) qmark up to
++             * there is safe too
++             */
++            span += strcspn(input + span, EXPAND_SPECIALS);
+         }
+     }
+ 
+-    /* fast exit */
+-    if (inputlen == span) {
++    /* fast path (no specials) */
++    if (span >= inputlen) {
+         return apr_pstrmemdup(pool, input, inputlen);
+     }
+ 
+@@ -2599,16 +2597,14 @@ static char *do_expand(char *input, rewrite_ctx *ctx, rewriterule_entry *entry,
+                 *unsafe_qmark = 0;
+ 
+                 /* keep tracking only if interested in the last qmark */
+-                if (entry && (entry->flags & RULEFLAG_QSLAST)) {
+-                    do {
+-                        span++;
+-                        span += strcspn(p + span, EXPAND_SPECIALS "?");
+-                    } while (p[span] == '?');
+-                }
+-                else {
++                if (!entry || !(entry->flags & RULEFLAG_QSLAST)) {
+                     unsafe_qmark = NULL;
+-                    span += strcspn(p + span, EXPAND_SPECIALS);
+                 }
++
++                /* find the next real special char, any (last) qmark up to
++                 * there is safe too
++                 */
++                span += strcspn(p + span, EXPAND_SPECIALS);
+             }
+         }
+         if (span > 0) {