Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-15-SP7:GA
apache2.36335
apache2-CVE-2024-38475-3.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File apache2-CVE-2024-38475-3.patch of Package apache2.36335
Index: httpd-2.4.51/modules/mappers/mod_rewrite.c =================================================================== --- httpd-2.4.51.orig/modules/mappers/mod_rewrite.c +++ httpd-2.4.51/modules/mappers/mod_rewrite.c @@ -167,6 +167,10 @@ static const char* really_last_key = "re #define RULEFLAG_END (1<<17) #define RULEFLAG_ESCAPENOPLUS (1<<18) #define RULEFLAG_QSLAST (1<<19) +#define RULEFLAG_QSNONE (1<<20) /* programattic only */ +#define RULEFLAG_ESCAPECTLS (1<<21) +#define RULEFLAG_UNSAFE_PREFIX_STAT (1<<22) +#define RULEFLAG_UNSAFE_ALLOW3F (1<<23) /* return code of the rewrite rule * the result may be escaped - or not @@ -174,7 +178,7 @@ static const char* really_last_key = "re #define ACTION_NORMAL (1<<0) #define ACTION_NOESCAPE (1<<1) #define ACTION_STATUS (1<<2) - +#define ACTION_STATUS_SET (1<<3) #define MAPTYPE_TXT (1<<0) #define MAPTYPE_DBM (1<<1) @@ -198,6 +202,7 @@ static const char* really_last_key = "re #define OPTION_IGNORE_INHERIT (1<<8) #define OPTION_IGNORE_CONTEXT_INFO (1<<9) #define OPTION_LEGACY_PREFIX_DOCROOT (1<<10) +#define OPTION_UNSAFE_PREFIX_STAT (1<<12) #ifndef RAND_MAX #define RAND_MAX 32767 @@ -291,6 +296,14 @@ typedef enum { CONDPAT_AP_EXPR } pattern_type; +typedef enum { + RULE_RC_NOMATCH = 0, /* the rule didn't match */ + RULE_RC_MATCH = 1, /* a matching rule w/ substitution */ + RULE_RC_NOSUB = 2, /* a matching rule w/ no substitution */ + RULE_RC_STATUS_SET = 3 /* a matching rule that has set an HTTP error + to be returned in r->status */ +} rule_return_type; + typedef struct { char *input; /* Input string of RewriteCond */ char *pattern; /* the RegExp pattern string */ @@ -914,10 +927,15 @@ static void fully_qualify_uri(request_re return; } +static int startsWith(request_rec *r, const char *haystack, const char *needle) { + int rc = (ap_strstr_c(haystack, needle) == haystack); + rewritelog((r, 5, NULL, "prefix_stat startsWith(%s, %s) %d", haystack, needle, rc)); + return rc; +} /* - * stat() only the first segment of a path + * stat() only the first segment of a path, and only if it matches the output of the last matching rule */ -static int prefix_stat(const char *path, apr_pool_t *pool) +static int prefix_stat(request_rec *r, const char *path, apr_pool_t *pool, rewriterule_entry *lastsub) { const char *curpath = path; const char *root; @@ -951,10 +969,36 @@ static int prefix_stat(const char *path, apr_finfo_t sb; if (apr_stat(&sb, statpath, APR_FINFO_MIN, pool) == APR_SUCCESS) { - return 1; + if (!lastsub) { + rewritelog((r, 3, NULL, "prefix_stat no lastsub subst prefix %s", statpath)); + return 1; + } + + rewritelog((r, 3, NULL, "prefix_stat compare statpath %s and lastsub output %s STATOK %d ", + statpath, lastsub->output, lastsub->flags & RULEFLAG_UNSAFE_PREFIX_STAT)); + if (lastsub->flags & RULEFLAG_UNSAFE_PREFIX_STAT) { + return 1; + } + else { + const char *docroot = ap_document_root(r); + const char *context_docroot = ap_context_document_root(r); + /* + * As an example, path (r->filename) is /var/foo/bar/baz.html + * even if the flag is not set, we can accept a rule that + * began with a literal /var (stapath), or if the entire path + * starts with the docroot or context document root + */ + if (startsWith(r, lastsub->output, statpath) || + startsWith(r, path, docroot) || + ((docroot != context_docroot) && + startsWith(r, path, context_docroot))) { + return 1; + } + } } } + /* prefix will be added */ return 0; } @@ -3036,6 +3080,9 @@ static const char *cmd_rewriteoptions(cm else if (!strcasecmp(w, "legacyprefixdocroot")) { options |= OPTION_LEGACY_PREFIX_DOCROOT; } + else if (!strcasecmp(w, "UnsafePrefixStat")) { + options |= OPTION_UNSAFE_PREFIX_STAT; + } else { return apr_pstrcat(cmd->pool, "RewriteOptions: unknown option '", w, "'", NULL); @@ -3733,6 +3780,18 @@ static const char *cmd_rewriterule_setfl ++error; } break; + case 'u': + case 'U': + if (!strcasecmp(key, "nsafePrefixStat")){ + cfg->flags |= (RULEFLAG_UNSAFE_PREFIX_STAT); + } + else if(!strcasecmp(key, "nsafeAllow3F")) { + cfg->flags |= RULEFLAG_UNSAFE_ALLOW3F; + } + else { + ++error; + } + break; default: ++error; break; @@ -4070,7 +4129,8 @@ static APR_INLINE void force_type_handle /* * Apply a single RewriteRule */ -static int apply_rewrite_rule(rewriterule_entry *p, rewrite_ctx *ctx) +static rule_return_type apply_rewrite_rule(rewriterule_entry *p, + rewrite_ctx *ctx) { ap_regmatch_t regmatch[AP_MAX_REG_MATCH]; apr_array_header_t *rewriteconds; @@ -4121,7 +4181,7 @@ static int apply_rewrite_rule(rewriterul rc = !ap_regexec(p->regexp, ctx->uri, AP_MAX_REG_MATCH, regmatch, 0); if (! (( rc && !(p->flags & RULEFLAG_NOTMATCH)) || (!rc && (p->flags & RULEFLAG_NOTMATCH)) ) ) { - return 0; + return RULE_RC_NOMATCH; } /* It matched, wow! Now it's time to prepare the context structure for @@ -4172,7 +4232,7 @@ static int apply_rewrite_rule(rewriterul } } else if (!rc) { - return 0; + return RULE_RC_NOMATCH; } /* If some HTTP header was involved in the condition, remember it @@ -4192,6 +4252,15 @@ static int apply_rewrite_rule(rewriterul newuri = do_expand(p->output, ctx, p); rewritelog((r, 2, ctx->perdir, "rewrite '%s' -> '%s'", ctx->uri, newuri)); + if (!(p->flags & RULEFLAG_UNSAFE_ALLOW3F) && + ap_strcasestr(r->unparsed_uri, "%3f") && + ap_strchr_c(newuri, '?')) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO() + "Unsafe URL with %%3f URL rewritten without " + "UnsafeAllow3F"); + r->status = HTTP_FORBIDDEN; + return RULE_RC_STATUS_SET; + } } /* expand [E=var:val] and [CO=<cookie>] */ @@ -4209,7 +4278,7 @@ static int apply_rewrite_rule(rewriterul r->status = p->forced_responsecode; } - return 2; + return RULE_RC_NOSUB; } /* Add the previously stripped per-directory location prefix, unless @@ -4277,7 +4346,7 @@ static int apply_rewrite_rule(rewriterul r->filename)); r->filename = apr_pstrcat(r->pool, "proxy:", r->filename, NULL); - return 1; + return RULE_RC_MATCH; } /* If this rule is explicitly forced for HTTP redirection @@ -4292,7 +4361,7 @@ static int apply_rewrite_rule(rewriterul r->filename)); r->status = p->forced_responsecode; - return 1; + return RULE_RC_MATCH; } /* Special Rewriting Feature: Self-Reduction @@ -4314,7 +4383,7 @@ static int apply_rewrite_rule(rewriterul "with %s", p->forced_responsecode, r->filename)); r->status = p->forced_responsecode; - return 1; + return RULE_RC_MATCH; } /* Finally remember the forced mime-type */ @@ -4323,7 +4392,7 @@ static int apply_rewrite_rule(rewriterul /* Puuhhhhhhhh... WHAT COMPLICATED STUFF ;_) * But now we're done for this particular rule. */ - return 1; + return RULE_RC_MATCH; } /* @@ -4331,13 +4400,13 @@ static int apply_rewrite_rule(rewriterul * i.e. a list of rewrite rules */ static int apply_rewrite_list(request_rec *r, apr_array_header_t *rewriterules, - char *perdir) + char *perdir, rewriterule_entry **lastsub) { rewriterule_entry *entries; rewriterule_entry *p; int i; int changed; - int rc; + rule_return_type rc; int s; rewrite_ctx *ctx; int round = 1; @@ -4345,6 +4414,7 @@ static int apply_rewrite_list(request_re ctx = apr_palloc(r->pool, sizeof(*ctx)); ctx->perdir = perdir; ctx->r = r; + *lastsub = NULL; /* * Iterate over all existing rules @@ -4372,7 +4442,12 @@ static int apply_rewrite_list(request_re ctx->vary = NULL; rc = apply_rewrite_rule(p, ctx); - if (rc) { + if (rc != RULE_RC_NOMATCH) { + + if (!(p->flags & RULEFLAG_NOSUB)) { + rewritelog((r, 2, perdir, "setting lastsub to rule with output %s", p->output)); + *lastsub = p; + } /* Catch looping rules with pathinfo growing unbounded */ if ( strlen( r->filename ) > 2*r->server->limit_req_line ) { @@ -4392,6 +4467,12 @@ static int apply_rewrite_list(request_re apr_table_merge(r->headers_out, "Vary", ctx->vary); } + + /* Error while evaluating rule, r->status set */ + if (RULE_RC_STATUS_SET == rc) { + return ACTION_STATUS_SET; + } + /* * The rule sets the response code (implies match-only) */ @@ -4402,7 +4483,7 @@ static int apply_rewrite_list(request_re /* * Indicate a change if this was not a match-only rule. */ - if (rc != 2) { + if (rc != RULE_RC_NOSUB) { changed = ((p->flags & RULEFLAG_NOESCAPE) ? ACTION_NOESCAPE : ACTION_NORMAL); } @@ -4591,6 +4672,7 @@ static int hook_uri2file(request_rec *r) int rulestatus; void *skipdata; const char *oargs; + rewriterule_entry *lastsub = NULL; /* * retrieve the config structures @@ -4702,7 +4784,7 @@ static int hook_uri2file(request_rec *r) /* * now apply the rules ... */ - rulestatus = apply_rewrite_list(r, conf->rewriterules, NULL); + rulestatus = apply_rewrite_list(r, conf->rewriterules, NULL, &lastsub); apr_table_setn(r->notes, "mod_rewrite_rewritten", apr_psprintf(r->pool,"%d",rulestatus)); } @@ -4734,6 +4816,9 @@ static int hook_uri2file(request_rec *r) r->status = HTTP_OK; return n; } + else if (ACTION_STATUS_SET == rulestatus) { + return r->status; + } flen = r->filename ? strlen(r->filename) : 0; if (flen > 6 && strncmp(r->filename, "proxy:", 6) == 0) { @@ -4854,23 +4939,29 @@ static int hook_uri2file(request_rec *r) return HTTP_BAD_REQUEST; } - /* if there is no valid prefix, we call - * the translator from the core and - * prefix the filename with document_root + /* We have r->filename as a path in a server-context rewrite without + * the PT flag. The historical behavior is to treat it as a verbatim + * filesystem path iff the first component of the path exists and is + * readable by httpd. Otherwise, it is interpreted as DocumentRoot + * relative. * * NOTICE: * We cannot leave out the prefix_stat because - * - when we always prefix with document_root - * then no absolute path can be created, e.g. via - * emulating a ScriptAlias directive, etc. - * - when we always NOT prefix with document_root + * - If we always prefix with document_root + * then no absolute path can could ever be used in + * a substitution. e.g. emulating an Alias. + * - If we never prefix with document_root * then the files under document_root have to * be references directly and document_root * gets never used and will be a dummy parameter - - * this is also bad + * this is also bad. + * - Later addition: This part is questionable. + * If we had never prefixed, users would just + * need %{DOCUMENT_ROOT} in substitutions or the + * [PT] flag. * * BUT: - * Under real Unix systems this is no problem, + * Under real Unix systems this is no perf problem, * because we only do stat() on the first directory * and this gets cached by the kernel for along time! */ @@ -4879,7 +4970,9 @@ static int hook_uri2file(request_rec *r) uri_reduced = apr_table_get(r->notes, "mod_rewrite_uri_reduced"); } - if (!prefix_stat(r->filename, r->pool) || uri_reduced != NULL) { + if (!prefix_stat(r, r->filename, r->pool, + conf->options & OPTION_UNSAFE_PREFIX_STAT ? NULL : lastsub) + || uri_reduced != NULL) { int res; char *tmp = r->uri; @@ -4924,6 +5017,7 @@ static int hook_fixup(request_rec *r) char *ofilename, *oargs; int is_proxyreq; void *skipdata; + rewriterule_entry *lastsub; dconf = (rewrite_perdir_conf *)ap_get_module_config(r->per_dir_config, &rewrite_module); @@ -5008,7 +5102,7 @@ static int hook_fixup(request_rec *r) /* * now apply the rules ... */ - rulestatus = apply_rewrite_list(r, dconf->rewriterules, dconf->directory); + rulestatus = apply_rewrite_list(r, dconf->rewriterules, dconf->directory, &lastsub); if (rulestatus) { unsigned skip; @@ -5029,6 +5123,9 @@ static int hook_fixup(request_rec *r) r->status = HTTP_OK; return n; } + else if (ACTION_STATUS_SET == rulestatus) { + return r->status; + } l = strlen(r->filename); if (l > 6 && strncmp(r->filename, "proxy:", 6) == 0) {
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor