http://www.apache.org/dist/httpd/patches/apply_to_2.2.21/CVE-2011-3368.patch SECURITY (CVE-2011-3368): Prevent unintended pattern expansion in some reverse proxy configurations by strictly validating the request-URI. http://svn.apache.org/viewvc?rev=1179239&view=rev --- server/protocol.c 2011-05-07 11:39:29.000000000 +0000 +++ server/protocol.c.oden 2011-10-08 08:50:09.000000000 +0000 @@ -640,6 +640,25 @@ static int read_request_line(request_rec ap_parse_uri(r, uri); + /* RFC 2616: + * Request-URI = "*" | absoluteURI | abs_path | authority + * + * authority is a special case for CONNECT. If the request is not + * using CONNECT, and the parsed URI does not have scheme, and + * it does not begin with '/', and it is not '*', then, fail + * and give a 400 response. */ + if (r->method_number != M_CONNECT + && !r->parsed_uri.scheme + && uri[0] != '/' + && !(uri[0] == '*' && uri[1] == '\0')) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "invalid request-URI %s", uri); + r->args = NULL; + r->hostname = NULL; + r->status = HTTP_BAD_REQUEST; + r->uri = apr_pstrdup(r->pool, uri); + } + if (ll[0]) { r->assbackwards = 0; pro = ll;