apache-2.2.17-5.6.mga1.src.rpm


http://www.apache.org/dist/httpd/patches/apply_to_2.2.21/CVE-2011-3368.patch

SECURITY (CVE-2011-3368): Prevent unintended pattern expansion in some
reverse proxy configurations by strictly validating the request-URI.

http://svn.apache.org/viewvc?rev=1179239&view=rev

--- server/protocol.c	2011-05-07 11:39:29.000000000 +0000
+++ server/protocol.c.oden	2011-10-08 08:50:09.000000000 +0000
@@ -640,6 +640,25 @@ static int read_request_line(request_rec
 
     ap_parse_uri(r, uri);
 
+    /* RFC 2616:
+     *   Request-URI    = "*" | absoluteURI | abs_path | authority
+     *
+     * authority is a special case for CONNECT.  If the request is not
+     * using CONNECT, and the parsed URI does not have scheme, and
+     * it does not begin with '/', and it is not '*', then, fail
+     * and give a 400 response. */
+    if (r->method_number != M_CONNECT 
+        && !r->parsed_uri.scheme 
+        && uri[0] != '/'
+        && !(uri[0] == '*' && uri[1] == '\0')) {
+        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+                      "invalid request-URI %s", uri);
+        r->args = NULL;
+        r->hostname = NULL;
+        r->status = HTTP_BAD_REQUEST;
+        r->uri = apr_pstrdup(r->pool, uri);
+    }
+
     if (ll[0]) {
         r->assbackwards = 0;
         pro = ll;
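
Review bot: the new block at `ap_parse_uri(r, uri);` sets `r->status = HTTP_BAD_REQUEST` but does not return, so execution continues into the `if (ll[0])` protocol parsing and the rejection only takes effect if a later check on `r->status` stops the request. A short comment naming where that status is checked would make the fall-through clearly intentional. The comment also describes authority as the CONNECT special case, yet the condition only exempts `M_CONNECT` and never verifies that a CONNECT request-URI is in authority form; either note that this is validated elsewhere or say it is out of scope for this fix. Style nit: the lines `if (r->method_number != M_CONNECT ` and `&& !r->parsed_uri.scheme ` end in trailing whitespace.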