summaryrefslogtreecommitdiffstats
path: root/debian/tests/CVE-2023-25690
diff options
context:
space:
mode:
Diffstat (limited to 'debian/tests/CVE-2023-25690')
-rw-r--r--debian/tests/CVE-2023-25690110
1 files changed, 110 insertions, 0 deletions
diff --git a/debian/tests/CVE-2023-25690 b/debian/tests/CVE-2023-25690
new file mode 100644
index 0000000..2aa916f
--- /dev/null
+++ b/debian/tests/CVE-2023-25690
@@ -0,0 +1,110 @@
+#!/bin/bash
+
+# test CVE-2023-25690
+set -eux
+
+RC=0
+fail () {
+ echo "FAIL: $@" >&2
+ RC=1
+}
+
+
+function exit_handler()
+{
+ # fix cp: cannot access '/tmp/autopkgtest-lxc.x06nhp9r/downtmp/CVE-2023-25690-artifacts/apache2': Permission denied
+ chmod -R a+rwX "$AUTOPKGTEST_ARTIFACTS/apache2" || true
+ systemctl status apache2.service || true
+ systemctl stop apache2 || true
+ cat $AUTOPKGTEST_ARTIFACTS/apache2/error.log || true
+ cat $AUTOPKGTEST_ARTIFACTS/apache2/access.log || true
+ cat $AUTOPKGTEST_ARTIFACTS/apache2/error.8080.log || true
+ cat $AUTOPKGTEST_ARTIFACTS/apache2/access.8080.log || true
+}
+trap exit_handler EXIT
+
+
+a2enmod proxy
+a2enmod proxy_http
+a2enmod rewrite
+
+rsync -a /var/log/apache2 "$AUTOPKGTEST_ARTIFACTS"
+rm /var/log/apache2/*
+mount -o bind "$AUTOPKGTEST_ARTIFACTS/apache2" /var/log/apache2
+
+tee /etc/apache2/ports.conf <<'EOF'
+Listen 80
+Listen 8080
+EOF
+
+
+tee /etc/apache2/sites-available/000-default.conf <<'EOF'
+<VirtualHost *:8080>
+ # The ServerName directive sets the request scheme, hostname and port that
+ # the server uses to identify itself. This is used when creating
+ # redirection URLs. In the context of virtual hosts, the ServerName
+ # specifies what hostname must appear in the request's Host: header to
+ # match this virtual host. For the default virtual host (this file) this
+ # value is not decisive as it is used as a last resort host regardless.
+ # However, you must set it for any further virtual host explicitly.
+ #ServerName www.example.com
+
+ ServerAdmin webmaster@localhost
+ DocumentRoot /var/www/html
+
+ # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
+ # error, crit, alert, emerg.
+ # It is also possible to configure the loglevel for particular
+ # modules, e.g.
+ #LogLevel info ssl:warn
+
+ ErrorLog ${APACHE_LOG_DIR}/error.8080.log
+ CustomLog ${APACHE_LOG_DIR}/access.8080.log combined
+
+ # For most configuration files from conf-available/, which are
+ # enabled or disabled at a global level, it is possible to
+ # include a line for only one particular virtual host. For example the
+ # following line enables the CGI configuration for this host only
+ # after it has been globally disabled with "a2disconf".
+ #Include conf-available/serve-cgi-bin.conf
+</VirtualHost>
+<VirtualHost *:80>
+ # The ServerName directive sets the request scheme, hostname and port that
+ # the server uses to identify itself. This is used when creating
+ # redirection URLs. In the context of virtual hosts, the ServerName
+ # specifies what hostname must appear in the request's Host: header to
+ # match this virtual host. For the default virtual host (this file) this
+ # value is not decisive as it is used as a last resort host regardless.
+ # However, you must set it for any further virtual host explicitly.
+ #ServerName www.example.com
+
+ ServerAdmin webmaster@localhost
+ DocumentRoot /var/www/html
+
+ # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
+ # error, crit, alert, emerg.
+ # It is also possible to configure the loglevel for particular
+ # modules, e.g.
+ #LogLevel info ssl:warn
+ LogLevel alert rewrite:trace6
+ LogLevel error proxy:trace6
+ ErrorLog ${APACHE_LOG_DIR}/error.log
+ CustomLog ${APACHE_LOG_DIR}/access.log combined
+
+ RewriteEngine on
+ RewriteRule "^/here/(.*)" "http://localhost:8080/index.html?$1" [P]
+ ProxyPassReverse "/here/" "http://localhost:8080/"
+</VirtualHost>
+EOF
+
+systemctl restart apache2
+
+CHOKEURL="http://localhost/here/index.html%20HTTP/1.1%0d%0aHost:%20localhost%0d%0aConnection:%20keep-alive%0d%0a%0d%0aGET%20/BAD.html%20HTTP/1.1%0d%0aFoo:%20bar HTTP/1.1"
+wget -S -q --output-document - "$CHOKEURL" || true
+(wget -S -q --output-document /dev/null "$CHOKEURL" 2>&1 || true)
+(wget -S -q --output-document /dev/null "$CHOKEURL" 2>&1 || true) | grep -e '^[[:space:]]*HTTP/1.1 4[[:digit:]][[:digit:]] '
+
+cat $AUTOPKGTEST_ARTIFACTS/apache2/access.8080.log | grep '] "GET /BAD.html HTTP/1.1"' && exit 1
+
+exit 0
+