summaryrefslogtreecommitdiffstats
path: root/debian/patches/0009-CVE-2024-38474-regression-mod_rewrite-Improve-safe-q.patch
diff options
context:
space:
mode:
Diffstat (limited to 'debian/patches/0009-CVE-2024-38474-regression-mod_rewrite-Improve-safe-q.patch')
-rw-r--r--debian/patches/0009-CVE-2024-38474-regression-mod_rewrite-Improve-safe-q.patch75
1 files changed, 75 insertions, 0 deletions
diff --git a/debian/patches/0009-CVE-2024-38474-regression-mod_rewrite-Improve-safe-q.patch b/debian/patches/0009-CVE-2024-38474-regression-mod_rewrite-Improve-safe-q.patch
new file mode 100644
index 0000000..4c5ff8c
--- /dev/null
+++ b/debian/patches/0009-CVE-2024-38474-regression-mod_rewrite-Improve-safe-q.patch
@@ -0,0 +1,75 @@
+From: Eric Covener <covener@apache.org>
+Date: Fri, 27 Sep 2024 13:11:05 +0000
+Subject: CVE-2024-38474 regression mod_rewrite: Improve safe question mark
+ detection
+
+ Trunk version of patch:
+ https://svn.apache.org/r1920566
+ Backport version for 2.4.x of patch:
+ Trunk version of patch works
+ svn merge -c 1920566 ^/httpd/httpd/trunk .
+ +1: rpluem, covener, jorton
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1920982 13f79535-47bb-0310-9956-ffa450edef68
+origin: https://github.com/apache/httpd/commit/c91445b7f905587aa86ad552f4a1a3f29345e695
+---
+ modules/mappers/mod_rewrite.c | 32 ++++++++++++++------------------
+ 1 file changed, 14 insertions(+), 18 deletions(-)
+
+diff --git a/modules/mappers/mod_rewrite.c b/modules/mappers/mod_rewrite.c
+index 53fb1e9..c8c5dbd 100644
+--- a/modules/mappers/mod_rewrite.c
++++ b/modules/mappers/mod_rewrite.c
+@@ -2404,21 +2404,19 @@ static char *do_expand(char *input, rewrite_ctx *ctx, rewriterule_entry *entry,
+ *unsafe_qmark = 0;
+
+ /* keep tracking only if interested in the last qmark */
+- if (entry && (entry->flags & RULEFLAG_QSLAST)) {
+- do {
+- span++;
+- span += strcspn(input + span, EXPAND_SPECIALS "?");
+- } while (input[span] == '?');
+- }
+- else {
++ if (!entry || !(entry->flags & RULEFLAG_QSLAST)) {
+ unsafe_qmark = NULL;
+- span += strcspn(input + span, EXPAND_SPECIALS);
+ }
++
++ /* find the next real special char, any (last) qmark up to
++ * there is safe too
++ */
++ span += strcspn(input + span, EXPAND_SPECIALS);
+ }
+ }
+
+- /* fast exit */
+- if (inputlen == span) {
++ /* fast path (no specials) */
++ if (span >= inputlen) {
+ return apr_pstrmemdup(pool, input, inputlen);
+ }
+
+@@ -2599,16 +2597,14 @@ static char *do_expand(char *input, rewrite_ctx *ctx, rewriterule_entry *entry,
+ *unsafe_qmark = 0;
+
+ /* keep tracking only if interested in the last qmark */
+- if (entry && (entry->flags & RULEFLAG_QSLAST)) {
+- do {
+- span++;
+- span += strcspn(p + span, EXPAND_SPECIALS "?");
+- } while (p[span] == '?');
+- }
+- else {
++ if (!entry || !(entry->flags & RULEFLAG_QSLAST)) {
+ unsafe_qmark = NULL;
+- span += strcspn(p + span, EXPAND_SPECIALS);
+ }
++
++ /* find the next real special char, any (last) qmark up to
++ * there is safe too
++ */
++ span += strcspn(p + span, EXPAND_SPECIALS);
+ }
+ }
+ if (span > 0) {