diff options
Diffstat (limited to 'debian/patches/0009-CVE-2024-38474-regression-mod_rewrite-Improve-safe-q.patch')
-rw-r--r-- | debian/patches/0009-CVE-2024-38474-regression-mod_rewrite-Improve-safe-q.patch | 75 |
1 files changed, 75 insertions, 0 deletions
diff --git a/debian/patches/0009-CVE-2024-38474-regression-mod_rewrite-Improve-safe-q.patch b/debian/patches/0009-CVE-2024-38474-regression-mod_rewrite-Improve-safe-q.patch new file mode 100644 index 0000000..4c5ff8c --- /dev/null +++ b/debian/patches/0009-CVE-2024-38474-regression-mod_rewrite-Improve-safe-q.patch @@ -0,0 +1,75 @@ +From: Eric Covener <covener@apache.org> +Date: Fri, 27 Sep 2024 13:11:05 +0000 +Subject: CVE-2024-38474 regression mod_rewrite: Improve safe question mark + detection + + Trunk version of patch: + https://svn.apache.org/r1920566 + Backport version for 2.4.x of patch: + Trunk version of patch works + svn merge -c 1920566 ^/httpd/httpd/trunk . + +1: rpluem, covener, jorton + +git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1920982 13f79535-47bb-0310-9956-ffa450edef68 +origin: https://github.com/apache/httpd/commit/c91445b7f905587aa86ad552f4a1a3f29345e695 +--- + modules/mappers/mod_rewrite.c | 32 ++++++++++++++------------------ + 1 file changed, 14 insertions(+), 18 deletions(-) + +diff --git a/modules/mappers/mod_rewrite.c b/modules/mappers/mod_rewrite.c +index 53fb1e9..c8c5dbd 100644 +--- a/modules/mappers/mod_rewrite.c ++++ b/modules/mappers/mod_rewrite.c +@@ -2404,21 +2404,19 @@ static char *do_expand(char *input, rewrite_ctx *ctx, rewriterule_entry *entry, + *unsafe_qmark = 0; + + /* keep tracking only if interested in the last qmark */ +- if (entry && (entry->flags & RULEFLAG_QSLAST)) { +- do { +- span++; +- span += strcspn(input + span, EXPAND_SPECIALS "?"); +- } while (input[span] == '?'); +- } +- else { ++ if (!entry || !(entry->flags & RULEFLAG_QSLAST)) { + unsafe_qmark = NULL; +- span += strcspn(input + span, EXPAND_SPECIALS); + } ++ ++ /* find the next real special char, any (last) qmark up to ++ * there is safe too ++ */ ++ span += strcspn(input + span, EXPAND_SPECIALS); + } + } + +- /* fast exit */ +- if (inputlen == span) { ++ /* fast path (no specials) */ ++ if (span >= inputlen) { + return apr_pstrmemdup(pool, input, inputlen); + } + +@@ -2599,16 +2597,14 @@ static char *do_expand(char *input, rewrite_ctx *ctx, rewriterule_entry *entry, + *unsafe_qmark = 0; + + /* keep tracking only if interested in the last qmark */ +- if (entry && (entry->flags & RULEFLAG_QSLAST)) { +- do { +- span++; +- span += strcspn(p + span, EXPAND_SPECIALS "?"); +- } while (p[span] == '?'); +- } +- else { ++ if (!entry || !(entry->flags & RULEFLAG_QSLAST)) { + unsafe_qmark = NULL; +- span += strcspn(p + span, EXPAND_SPECIALS); + } ++ ++ /* find the next real special char, any (last) qmark up to ++ * there is safe too ++ */ ++ span += strcspn(p + span, EXPAND_SPECIALS); + } + } + if (span > 0) { |