SUSE:SLE-12-SP4:GA
apache2.33764
apache2-CVE-2019-10092.patch
File apache2-CVE-2019-10092.patch of Package apache2.33764
Index: httpd-2.4.23/modules/proxy/mod_proxy_balancer.c =================================================================== --- httpd-2.4.23.orig/modules/proxy/mod_proxy_balancer.c 2016-05-21 17:13:48.000000000 +0200 +++ httpd-2.4.23/modules/proxy/mod_proxy_balancer.c 2021-03-04 15:17:52.434063368 +0100 @@ -981,6 +981,18 @@ static void push2table(const char *input } } +/* Returns non-zero if the Referer: header value passed matches the + * host of the request. */ +static int safe_referer(request_rec *r, const char *ref) +{ + apr_uri_t uri; + + if (apr_uri_parse(r->pool, ref, &uri) || !uri.hostname) + return 0; + + return strcmp(uri.hostname, ap_get_server_name(r)) == 0; +} + /* Manages the loadfactors and member status * The balancer, worker and nonce are obtained from * the request args (?b=...&w=...&nonce=....). @@ -999,7 +1011,7 @@ static int balancer_handler(request_rec apr_table_t *params; int i, n; int ok2change = 1; - const char *name; + const char *name, *ref; const char *action; apr_status_t rv; @@ -1055,6 +1067,16 @@ static int balancer_handler(request_rec buf[len] = '\0'; push2table(buf, params, NULL, r->pool); } + + /* Ignore parameters if this looks like XSRF */ + ref = apr_table_get(r->headers_in, "Referer"); + if (apr_table_elts(params) + && (!ref || !safe_referer(r, ref))) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10187) + "ignoring params in balancer-manager cross-site access"); + apr_table_clear(params); + } + if ((name = apr_table_get(params, "b"))) bsel = ap_proxy_get_balancer(r->pool, conf, apr_pstrcat(r->pool, BALANCER_PREFIX, name, NULL), 0); 
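Review bot: `safe_referer()` compares the Referer host with `strcmp`, which is case-sensitive, while host names are not; a Referer whose host differs only in case from `ap_get_server_name(r)` is treated as cross-site and the request's parameters are dropped. `return strcasecmp(uri.hostname, ap_get_server_name(r)) == 0;` keeps the check fail-closed without that false rejection. The comparison also covers only the host, not scheme or port, and its result depends on what `ap_get_server_name()` returns for the virtual host; the function comment could say so, since an administrator reaching the manager under an alias would presumably see edits silently ignored.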
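Review bot: The guard `apr_table_elts(params)` in the XSRF check added at -1055 does not test whether any parameters were supplied. `apr_table_elts()` returns the table's array header, which is non-NULL for any valid table, so the condition reduces to the Referer test alone. As written, every balancer-manager request without a matching Referer, including a plain page view with no arguments, logs the APLOG_ERR "cross-site access" message, which buries genuine events in noise. `if (!apr_is_empty_table(params) && (!ref || !safe_referer(r, ref))) {` expresses the intent. balancer_handler starts and ends outside this hunk.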
@@ -1319,7 +1341,7 @@ static int balancer_handler(request_rec /* Start proxy_balancer */ ap_rvputs(r, " <httpd:name>", balancer->s->name, "</httpd:name>\n", NULL); if (*balancer->s->sticky) { - ap_rvputs(r, " <httpd:stickysession>", balancer->s->sticky, + ap_rvputs(r, " <httpd:stickysession>", ap_escape_html(r->pool, balancer->s->sticky), "</httpd:stickysession>\n", NULL); ap_rprintf(r, " <httpd:nofailover>%s</httpd:nofailover>\n", @@ -1529,10 +1551,10 @@ static int balancer_handler(request_rec for (i = 0; i < conf->balancers->nelts; i++) { ap_rputs("<hr />\n<h3>LoadBalancer Status for ", r); - ap_rvputs(r, "<a href='", ap_escape_uri(r->pool, r->uri), "?b=", + ap_rvputs(r, "<a href=\"", ap_escape_uri(r->pool, r->uri), "?b=", balancer->s->name + sizeof(BALANCER_PREFIX) - 1, "&nonce=", balancer->s->nonce, - "'>", NULL); + "\">", NULL); ap_rvputs(r, balancer->s->name, "</a> [",balancer->s->sname, "]</h3>\n", NULL); ap_rputs("\n\n<table><tr>" "<th>MaxMembers</th><th>StickySession</th><th>DisableFailover</th><th>Timeout</th><th>FailoverAttempts</th><th>Method</th>" @@ -1543,11 +1565,11 @@ static int balancer_handler(request_rec balancer->max_workers - (int)storage->num_free_slots(balancer->wslot)); if (*balancer->s->sticky) { if (strcmp(balancer->s->sticky, balancer->s->sticky_path)) { - ap_rvputs(r, "<td>", balancer->s->sticky, " | ", - balancer->s->sticky_path, NULL); + ap_rvputs(r, "<td>", ap_escape_html(r->pool, balancer->s->sticky), " | ", + ap_escape_html(r->pool, balancer->s->sticky_path), NULL); } else { - ap_rvputs(r, "<td>", balancer->s->sticky, NULL); + ap_rvputs(r, "<td>", ap_escape_html(r->pool, balancer->s->sticky), NULL); } } else { 
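Review bot: Several values are still written without escaping right next to the ones this change wraps in `ap_escape_html()`. The hunk at -1319 emits `balancer->s->name` raw inside `<httpd:name>`, and the hunk at -1529 puts `balancer->s->name + sizeof(BALANCER_PREFIX) - 1` into the `href` and `balancer->s->name` / `balancer->s->sname` into the link text as-is. The hunks at -1582 and -1626 print the result of `ap_proxy_worker_name()` raw, and the one at -1609 leaves `ap_rprintf(r, "<td>%s", worker->s->hcexpr);` unescaped. These values probably originate in configuration, but so do the fields that are now escaped, so each could be treated the same way, e.g. `ap_rprintf(r, "<td>%s", ap_escape_html(r->pool, worker->s->hcexpr));`. All of these lines sit inside balancer_handler, which extends beyond the hunks.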
@@ -1582,12 +1604,12 @@ static int balancer_handler(request_rec for (n = 0; n < balancer->workers->nelts; n++) { char fbuf[50]; worker = *workers; - ap_rvputs(r, "<tr>\n<td><a href='", + ap_rvputs(r, "<tr>\n<td><a href=\"", ap_escape_uri(r->pool, r->uri), "?b=", balancer->s->name + sizeof(BALANCER_PREFIX) - 1, "&w=", ap_escape_uri(r->pool, worker->s->name), "&nonce=", balancer->s->nonce, - "'>", NULL); + "\">", NULL); ap_rvputs(r, (*worker->s->uds_path ? "<i>" : ""), ap_proxy_worker_name(r->pool, worker), (*worker->s->uds_path ? "</i>" : ""), "</a></td>", NULL); ap_rvputs(r, "<td>", ap_escape_html(r->pool, worker->s->route), @@ -1609,7 +1631,7 @@ static int balancer_handler(request_rec ap_rprintf(r, "<td>%d</td>", (int)apr_time_sec(worker->s->interval)); ap_rprintf(r, "<td>%d (%d)</td>", worker->s->passes,worker->s->pcount); ap_rprintf(r, "<td>%d (%d)</td>", worker->s->fails, worker->s->fcount); - ap_rprintf(r, "<td>%s</td>", worker->s->hcuri); + ap_rprintf(r, "<td>%s</td>", ap_escape_html(r->pool, worker->s->hcuri)); ap_rprintf(r, "<td>%s", worker->s->hcexpr); } ap_rputs("</td></tr>\n", r); 
@@ -1626,20 +1648,20 @@ static int balancer_handler(request_rec if (wsel && bsel) { ap_rputs("<h3>Edit worker settings for ", r); ap_rvputs(r, (*wsel->s->uds_path?"<i>":""), ap_proxy_worker_name(r->pool, wsel), (*wsel->s->uds_path?"</i>":""), "</h3>\n", NULL); - ap_rputs("<form method='POST' enctype='application/x-www-form-urlencoded' action='", r); - ap_rvputs(r, ap_escape_uri(r->pool, action), "'>\n", NULL); + ap_rputs("<form method='POST' enctype='application/x-www-form-urlencoded' action=\"", r); + ap_rvputs(r, ap_escape_uri(r->pool, action), "\">\n", NULL); ap_rputs("<table><tr><td>Load factor:</td><td><input name='w_lf' id='w_lf' type=text ", r); ap_rprintf(r, "value='%d'></td></tr>\n", wsel->s->lbfactor); ap_rputs("<tr><td>LB Set:</td><td><input name='w_ls' id='w_ls' type=text ", r); ap_rprintf(r, "value='%d'></td></tr>\n", wsel->s->lbset); ap_rputs("<tr><td>Route:</td><td><input name='w_wr' id='w_wr' type=text ", r); - ap_rvputs(r, "value='", ap_escape_html(r->pool, wsel->s->route), + ap_rvputs(r, "value=\"", ap_escape_html(r->pool, wsel->s->route), NULL); - ap_rputs("'></td></tr>\n", r); + ap_rputs("\"></td></tr>\n", r); ap_rputs("<tr><td>Route Redirect:</td><td><input name='w_rr' id='w_rr' type=text ", r); - ap_rvputs(r, "value='", ap_escape_html(r->pool, wsel->s->redirect), + ap_rvputs(r, "value=\"", ap_escape_html(r->pool, wsel->s->redirect), NULL); - ap_rputs("'></td></tr>\n", r); + ap_rputs("\"></td></tr>\n", r); ap_rputs("<tr><td>Status:</td>", r); ap_rputs("<td><table><tr>" "<th>Ignore Errors</th>" 
@@ -1682,15 +1704,15 @@ static int balancer_handler(request_rec ap_rprintf(r, "<tr><td>Fails trigger)</td><td><input name='w_hf' id='w_hf' type='text'" "value='%d'></td></tr>\n", wsel->s->fails); ap_rprintf(r, "<tr><td>HC uri</td><td><input name='w_hu' id='w_hu' type='text'" - "value='%s'</td></tr>\n", ap_escape_html(r->pool, wsel->s->hcuri)); + "value=\"%s\"></td></tr>\n", ap_escape_html(r->pool, wsel->s->hcuri)); ap_rputs("</table>\n</td></tr>\n", r); } ap_rputs("<tr><td colspan='2'><input type=submit value='Submit'></td></tr>\n", r); ap_rvputs(r, "</table>\n<input type=hidden name='w' id='w' ", NULL); - ap_rvputs(r, "value='", ap_escape_uri(r->pool, wsel->s->name), "'>\n", NULL); + ap_rvputs(r, "value=\"", ap_escape_uri(r->pool, wsel->s->name), "\">\n", NULL); ap_rvputs(r, "<input type=hidden name='b' id='b' ", NULL); - ap_rvputs(r, "value='", bsel->s->name + sizeof(BALANCER_PREFIX) - 1, - "'>\n", NULL); + ap_rvputs(r, "value=\"", ap_escape_html(r->pool, bsel->s->name + sizeof(BALANCER_PREFIX) - 1), + "\">\n", NULL); ap_rvputs(r, "<input type=hidden name='nonce' id='nonce' value='", bsel->s->nonce, "'>\n", NULL); ap_rputs("</form>\n", r); @@ -1700,9 +1722,9 @@ static int balancer_handler(request_rec const ap_list_provider_names_t *pname; int i; ap_rputs("<h3>Edit balancer settings for ", r); - ap_rvputs(r, bsel->s->name, "</h3>\n", NULL); - ap_rputs("<form method='POST' enctype='application/x-www-form-urlencoded' action='", r); - ap_rvputs(r, ap_escape_uri(r->pool, action), "'>\n", NULL); + ap_rvputs(r, ap_escape_html(r->pool, bsel->s->name), "</h3>\n", NULL); + ap_rputs("<form method='POST' enctype='application/x-www-form-urlencoded' action=\"", r); + ap_rvputs(r, ap_escape_uri(r->pool, action), "\">\n", NULL); ap_rputs("<table>\n", r); provs = ap_list_provider_names(r->pool, PROXY_LBMETHOD, "0"); if (provs) { 
@@ -1725,13 +1747,13 @@ static int balancer_handler(request_rec create_radio("b_sforce", bsel->s->sticky_force, r); ap_rputs("<tr><td>Sticky Session:</td><td><input name='b_ss' id='b_ss' size=64 type=text ", r); if (strcmp(bsel->s->sticky, bsel->s->sticky_path)) { - ap_rvputs(r, "value ='", bsel->s->sticky, " | ", - bsel->s->sticky_path, NULL); + ap_rvputs(r, "value =\"", ap_escape_html(r->pool, bsel->s->sticky), " | ", + ap_escape_html(r->pool, bsel->s->sticky_path), NULL); } else { - ap_rvputs(r, "value ='", bsel->s->sticky, NULL); + ap_rvputs(r, "value =\"", ap_escape_html(r->pool, bsel->s->sticky), NULL); } - ap_rputs("'> (Use '-' to delete)</td></tr>\n", r); + ap_rputs("\"> (Use '-' to delete)</td></tr>\n", r); if (storage->num_free_slots(bsel->wslot) != 0) { ap_rputs("<tr><td>Add New Worker:</td><td><input name='b_nwrkr' id='b_nwrkr' size=32 type=text>" " Are you sure? <input name='b_wyes' id='b_wyes' type=checkbox value='1'>" @@ -1739,8 +1761,8 @@ static int balancer_handler(request_rec } ap_rputs("<tr><td colspan=2><input type=submit value='Submit'></td></tr>\n", r); ap_rvputs(r, "</table>\n<input type=hidden name='b' id='b' ", NULL); - ap_rvputs(r, "value='", bsel->s->name + sizeof(BALANCER_PREFIX) - 1, - "'>\n", NULL); + ap_rvputs(r, "value=\"", ap_escape_html(r->pool, bsel->s->name + sizeof(BALANCER_PREFIX) - 1), + "\">\n", NULL); ap_rvputs(r, "<input type=hidden name='nonce' id='nonce' value='", bsel->s->nonce, "'>\n", NULL); ap_rputs("</form>\n", r); Index: httpd-2.4.23/modules/proxy/proxy_util.c =================================================================== --- httpd-2.4.23.orig/modules/proxy/proxy_util.c 2016-06-11 00:01:40.000000000 +0200 +++ httpd-2.4.23/modules/proxy/proxy_util.c 2021-03-04 15:17:52.434063368 +0100 
@@ -361,12 +361,9 @@ PROXY_DECLARE(char *) PROXY_DECLARE(int) ap_proxyerror(request_rec *r, int statuscode, const char *message) { - const char *uri = ap_escape_html(r->pool, r->uri); apr_table_setn(r->notes, "error-notes", apr_pstrcat(r->pool, - "The proxy server could not handle the request <em><a href=\"", - uri, "\">", ap_escape_html(r->pool, r->method), " ", uri, - "</a></em>.<p>\n" + "The proxy server could not handle the request<p>" "Reason: <strong>", ap_escape_html(r->pool, message), "</strong></p>", NULL)); @@ -1235,10 +1232,11 @@ PROXY_DECLARE(apr_status_t) ap_proxy_sha if (*balancer->s->nonce == PROXY_UNSET_NONCE) { char nonce[APR_UUID_FORMATTED_LENGTH + 1]; apr_uuid_t uuid; - /* Retrieve a UUID and store the nonce for the lifetime of - * the process. - */ - apr_uuid_get(&uuid); + + /* Generate a pseudo-UUID from the PRNG to use as a nonce for + * the lifetime of the process. uuid.data is a char array so + * this is an adequate substitute for apr_uuid_get(). */ + ap_random_insecure_bytes(uuid.data, sizeof uuid.data); apr_uuid_format(nonce, &uuid); rv = PROXY_STRNCPY(balancer->s->nonce, nonce); } Index: httpd-2.4.23/modules/http/http_protocol.c =================================================================== --- httpd-2.4.23.orig/modules/http/http_protocol.c 2016-06-13 15:00:34.000000000 +0200 +++ httpd-2.4.23/modules/http/http_protocol.c 2021-03-04 15:20:50.791061250 +0100 
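Review bot: In the hunk at -1235 the balancer nonce, which balancer-manager requests carry as their token, is now filled from a generator whose own name marks it as insecure, and the new comment justifies only the type of `uuid.data`, not that choice. If the nonce is meant to be unguessable, `rv = apr_generate_random_bytes(uuid.data, sizeof uuid.data);` with `rv` checked before `apr_uuid_format()` would be the stronger source where APR is built with random support; otherwise the comment should state why the cheaper PRNG is acceptable here. The nonce is kept for the lifetime of the process and the handler places it in link URLs (`"&nonce=", balancer->s->nonce`), so it is exposed for a long time. The enclosing function continues outside the hunk.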
@@ -1134,13 +1134,10 @@ static const char *get_canned_error_stri "\">here</a>.</p>\n", NULL)); case HTTP_USE_PROXY: - return(apr_pstrcat(p, - "<p>This resource is only accessible " - "through the proxy\n", - ap_escape_html(r->pool, location), - "<br />\nYou will need to configure " - "your client to use that proxy.</p>\n", - NULL)); + return("<p>This resource is only accessible " + "through the proxy\n" + "<br />\nYou will need to configure " + "your client to use that proxy.</p>\n"); case HTTP_PROXY_AUTHENTICATION_REQUIRED: case HTTP_UNAUTHORIZED: return("<p>This server could not verify that you\n" 
@@ -1156,34 +1153,20 @@ static const char *get_canned_error_stri "error-notes", "</p>\n")); case HTTP_FORBIDDEN: - s1 = apr_pstrcat(p, - "<p>You don't have permission to access ", - ap_escape_html(r->pool, r->uri), - "\non this server.<br />\n", - NULL); - return(add_optional_notes(r, s1, "error-notes", "</p>\n")); + return(add_optional_notes(r, "<p>You don't have permission to access this resource.", "error-notes", "</p>\n")); case HTTP_NOT_FOUND: - return(apr_pstrcat(p, - "<p>The requested URL ", - ap_escape_html(r->pool, r->uri), - " was not found on this server.</p>\n", - NULL)); + return("<p>The requested URL was not found on this server.</p>\n"); case HTTP_METHOD_NOT_ALLOWED: return(apr_pstrcat(p, "<p>The requested method ", ap_escape_html(r->pool, r->method), - " is not allowed for the URL ", - ap_escape_html(r->pool, r->uri), - ".</p>\n", + " is not allowed for this URL.</p>\n", NULL)); case HTTP_NOT_ACCEPTABLE: - s1 = apr_pstrcat(p, - "<p>An appropriate representation of the " - "requested resource ", - ap_escape_html(r->pool, r->uri), - " could not be found on this server.</p>\n", - NULL); - return(add_optional_notes(r, s1, "variant-list", "")); + return(add_optional_notes(r, + "<p>An appropriate representation of the requested resource " + "could not be found on this server.</p>\n", + "variant-list", "")); case HTTP_MULTIPLE_CHOICES: return(add_optional_notes(r, "", "variant-list", "")); case HTTP_LENGTH_REQUIRED: 
@@ -1194,18 +1177,13 @@ static const char *get_canned_error_stri NULL); return(add_optional_notes(r, s1, "error-notes", "</p>\n")); case HTTP_PRECONDITION_FAILED: - return(apr_pstrcat(p, - "<p>The precondition on the request " - "for the URL ", - ap_escape_html(r->pool, r->uri), - " evaluated to false.</p>\n", - NULL)); + return("<p>The precondition on the request " + "for this URL evaluated to false.</p>\n"); case HTTP_NOT_IMPLEMENTED: s1 = apr_pstrcat(p, "<p>", - ap_escape_html(r->pool, r->method), " to ", - ap_escape_html(r->pool, r->uri), - " not supported.<br />\n", + ap_escape_html(r->pool, r->method), " ", + " not supported for current URL.<br />\n", NULL); return(add_optional_notes(r, s1, "error-notes", "</p>\n")); case HTTP_BAD_GATEWAY: 
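Review bot: Removing the URI left stray formatting in two messages. In the HTTP_NOT_IMPLEMENTED case the arguments `" "` and `" not supported for current URL.<br />\n"` now follow each other, so the output has a double space after the method; drop the lone `" ",` argument. In the hunk at -1213, HTTP_VARIANT_ALSO_VARIES still emits `<pre>\n\n</pre>` with nothing inside it; the message reads better as `"<p>A variant for the requested resource is itself a negotiable resource. "` followed by the unchanged last line. Both cases sit in get_canned_error_string, whose switch runs beyond these hunks.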
@@ -1213,29 +1191,19 @@ static const char *get_canned_error_stri "response from an upstream server.<br />" CRLF; return(add_optional_notes(r, s1, "error-notes", "</p>\n")); case HTTP_VARIANT_ALSO_VARIES: - return(apr_pstrcat(p, - "<p>A variant for the requested " - "resource\n<pre>\n", - ap_escape_html(r->pool, r->uri), - "\n</pre>\nis itself a negotiable resource. " - "This indicates a configuration error.</p>\n", - NULL)); + return("<p>A variant for the requested " + "resource\n<pre>\n" + "\n</pre>\nis itself a negotiable resource. " + "This indicates a configuration error.</p>\n"); case HTTP_REQUEST_TIME_OUT: return("<p>Server timeout waiting for the HTTP request from the client.</p>\n"); case HTTP_GONE: - return(apr_pstrcat(p, - "<p>The requested resource<br />", - ap_escape_html(r->pool, r->uri), - "<br />\nis no longer available on this server " - "and there is no forwarding address.\n" - "Please remove all references to this " - "resource.</p>\n", - NULL)); + return("<p>The requested resource is no longer available on this server" + " and there is no forwarding address.\n" + "Please remove all references to this resource.</p>\n"); case HTTP_REQUEST_ENTITY_TOO_LARGE: return(apr_pstrcat(p, - "The requested resource<br />", - ap_escape_html(r->pool, r->uri), "<br />\n", - "does not allow request data with ", + "The requested resource does not allow request data with ", ap_escape_html(r->pool, r->method), " requests, or the amount of data provided in\n" "the request exceeds the capacity limit.\n", 
@@ -1319,11 +1287,9 @@ static const char *get_canned_error_stri "the Server Name Indication (SNI) in use for this\n" "connection.</p>\n"); case HTTP_UNAVAILABLE_FOR_LEGAL_REASONS: - s1 = apr_pstrcat(p, - "<p>Access to ", ap_escape_html(r->pool, r->uri), - "\nhas been denied for legal reasons.<br />\n", - NULL); - return(add_optional_notes(r, s1, "error-notes", "</p>\n")); + return(add_optional_notes(r, + "<p>Access to this URL has been denied for legal reasons.<br />\n", + "error-notes", "</p>\n")); default: /* HTTP_INTERNAL_SERVER_ERROR */ /* * This comparison to expose error-notes could be modified to Index: httpd-2.4.23/modules/proxy/mod_proxy.c =================================================================== --- httpd-2.4.23.orig/modules/proxy/mod_proxy.c 2016-05-21 17:13:48.000000000 +0200 +++ httpd-2.4.23/modules/proxy/mod_proxy.c 2021-03-04 15:20:50.795061272 +0100 @@ -1001,9 +1001,10 @@ static int proxy_handler(request_rec *r) char *end; maxfwd = apr_strtoi64(str, &end, 10); if (maxfwd < 0 || maxfwd == APR_INT64_MAX || *end) { - return ap_proxyerror(r, HTTP_BAD_REQUEST, - apr_psprintf(r->pool, - "Max-Forwards value '%s' could not be parsed", str)); + ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO() + "Max-Forwards value '%s' could not be parsed", str); + return ap_proxyerror(r, HTTP_BAD_REQUEST, + "Max-Forwards request header could not be parsed"); } else if (maxfwd == 0) { switch (r->method_number) { Index: httpd-2.4.23/modules/proxy/mod_proxy_ftp.c =================================================================== --- httpd-2.4.23.orig/modules/proxy/mod_proxy_ftp.c 2016-03-10 13:15:59.000000000 +0100 +++ httpd-2.4.23/modules/proxy/mod_proxy_ftp.c 2021-03-04 15:20:50.795061272 +0100 
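Review bot: The new `ap_log_rerror()` call in proxy_handler uses `APLOGNO()` with no number, unlike the balancer hunk, which uses `APLOGNO(10187)`; the same empty `APLOGNO()` appears in the mod_proxy_ftp.c hunk. An empty tag gives these two warnings no unique message id to search or alert on, so each should carry its own allocated number, written here as the placeholder `APLOGNO(<allocated id>)`. The logged strings now hold the client-supplied values (`str`, `url`) that no longer reach the error page. A short comment such as `/* log the raw value; do not echo it to the client */` would record why the log text and the response text differ.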
@@ -1024,8 +1024,9 @@ static int proxy_ftp_handler(request_rec /* We break the URL into host, port, path-search */ if (r->parsed_uri.hostname == NULL) { if (APR_SUCCESS != apr_uri_parse(p, url, &uri)) { - return ap_proxyerror(r, HTTP_BAD_REQUEST, - apr_psprintf(p, "URI cannot be parsed: %s", url)); + ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO() + "URI cannot be parsed: %s", url); + return ap_proxyerror(r, HTTP_BAD_REQUEST, "URI cannot be parsed"); } connectname = uri.hostname; connectport = uri.port;