Diffstat (limited to '')
-rw-r--r--debian/tests/CVE-2023-25690110
1 files changed, 110 insertions, 0 deletions
diff --git a/debian/tests/CVE-2023-25690 b/debian/tests/CVE-2023-25690
new file mode 100644
index 0000000..2aa916f
--- /dev/null
+++ b/debian/tests/CVE-2023-25690
@@ -0,0 +1,110 @@
+#!/bin/bash
+
+# test CVE-2023-25690
+set -eux
+
+RC=0
+fail () {
+ echo "FAIL: $@" >&2
+ RC=1
+}
+
+
+function exit_handler()
+{
+ # fix cp: cannot access '/tmp/autopkgtest-lxc.x06nhp9r/downtmp/CVE-2023-25690-artifacts/apache2': Permission denied
+ chmod -R a+rwX "$AUTOPKGTEST_ARTIFACTS/apache2" || true
+ systemctl status apache2.service || true
+ systemctl stop apache2 || true
+ cat $AUTOPKGTEST_ARTIFACTS/apache2/error.log || true
+ cat $AUTOPKGTEST_ARTIFACTS/apache2/access.log || true
+ cat $AUTOPKGTEST_ARTIFACTS/apache2/error.8080.log || true
+ cat $AUTOPKGTEST_ARTIFACTS/apache2/access.8080.log || true
+}
+trap exit_handler EXIT
+
+
+a2enmod proxy
+a2enmod proxy_http
+a2enmod rewrite
+
+rsync -a /var/log/apache2 "$AUTOPKGTEST_ARTIFACTS"
+rm /var/log/apache2/*
+mount -o bind "$AUTOPKGTEST_ARTIFACTS/apache2" /var/log/apache2
+
+tee /etc/apache2/ports.conf <<'EOF'
+Listen 80
+Listen 8080
+EOF
+
+
+tee /etc/apache2/sites-available/000-default.conf <<'EOF'
+<VirtualHost *:8080>
+ # The ServerName directive sets the request scheme, hostname and port that
+ # the server uses to identify itself. This is used when creating
+ # redirection URLs. In the context of virtual hosts, the ServerName
+ # specifies what hostname must appear in the request's Host: header to
+ # match this virtual host. For the default virtual host (this file) this
+ # value is not decisive as it is used as a last resort host regardless.
+ # However, you must set it for any further virtual host explicitly.
+ #ServerName www.example.com
+
+ ServerAdmin webmaster@localhost
+ DocumentRoot /var/www/html
+
+ # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
+ # error, crit, alert, emerg.
+ # It is also possible to configure the loglevel for particular
+ # modules, e.g.
+ #LogLevel info ssl:warn
+
+ ErrorLog ${APACHE_LOG_DIR}/error.8080.log
+ CustomLog ${APACHE_LOG_DIR}/access.8080.log combined
+
+ # For most configuration files from conf-available/, which are
+ # enabled or disabled at a global level, it is possible to
+ # include a line for only one particular virtual host. For example the
+ # following line enables the CGI configuration for this host only
+ # after it has been globally disabled with "a2disconf".
+ #Include conf-available/serve-cgi-bin.conf
+</VirtualHost>
+<VirtualHost *:80>
+ # The ServerName directive sets the request scheme, hostname and port that
+ # the server uses to identify itself. This is used when creating
+ # redirection URLs. In the context of virtual hosts, the ServerName
+ # specifies what hostname must appear in the request's Host: header to
+ # match this virtual host. For the default virtual host (this file) this
+ # value is not decisive as it is used as a last resort host regardless.
+ # However, you must set it for any further virtual host explicitly.
+ #ServerName www.example.com
+
+ ServerAdmin webmaster@localhost
+ DocumentRoot /var/www/html
+
+ # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
+ # error, crit, alert, emerg.
+ # It is also possible to configure the loglevel for particular
+ # modules, e.g.
+ #LogLevel info ssl:warn
+ LogLevel alert rewrite:trace6
+ LogLevel error proxy:trace6
+ ErrorLog ${APACHE_LOG_DIR}/error.log
+ CustomLog ${APACHE_LOG_DIR}/access.log combined
+
+ RewriteEngine on
+ RewriteRule "^/here/(.*)" "http://localhost:8080/index.html?$1" [P]
+ ProxyPassReverse "/here/" "http://localhost:8080/"
+</VirtualHost>
+EOF
+
+systemctl restart apache2
+
+CHOKEURL="http://localhost/here/index.html%20HTTP/1.1%0d%0aHost:%20localhost%0d%0aConnection:%20keep-alive%0d%0a%0d%0aGET%20/BAD.html%20HTTP/1.1%0d%0aFoo:%20bar HTTP/1.1"
+wget -S -q --output-document - "$CHOKEURL" || true
+(wget -S -q --output-document /dev/null "$CHOKEURL" 2>&1 || true)
+(wget -S -q --output-document /dev/null "$CHOKEURL" 2>&1 || true) | grep -e '^[[:space:]]*HTTP/1.1 4[[:digit:]][[:digit:]] '
+
+cat $AUTOPKGTEST_ARTIFACTS/apache2/access.8080.log | grep '] "GET /BAD.html HTTP/1.1"' && exit 1
+
+exit 0
+
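Review bot: The final check `cat $AUTOPKGTEST_ARTIFACTS/apache2/access.8080.log | grep '] "GET /BAD.html HTTP/1.1"' && exit 1` can pass vacuously: if the rewrite/proxy path to the 8080 vhost is not working, or the log file is missing (the `cat` failure is ignored because `pipefail` is not set), nothing matches and the script reaches `exit 0`. The 4xx `grep` just above it does not separate a rejected smuggling attempt from an unrelated client error, so it does not close that gap. A positive control before the crafted request would make the absence of `/BAD.html` meaningful, for example `wget -q --output-document /dev/null "http://localhost/here/control"` followed by `grep -F -q 'GET /index.html?control ' "$AUTOPKGTEST_ARTIFACTS/apache2/access.8080.log"` (the expected log form is inferred from the RewriteRule and should be confirmed). The last check could then run `grep -F` directly on the quoted log path inside an `if`, without the `cat`. Separately, `fail` and `RC` are defined at the top but never used, so either wire them into the checks or drop them.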