Patch to fix Reverse Proxy Mode Security Bypass (CVE-2011-3368).

1 files changed, 34 insertions, 0 deletions

diff --git a/2.2/patches/25_all-apply_to_2.2.21-CVE-2011-3368.patch b/2.2/patches/25_all-apply_to_2.2.21-CVE-2011-3368.patch
new file mode 100644
index 0000000..e8125d9
--- /dev/null
+++ b/2.2/patches/25_all-apply_to_2.2.21-CVE-2011-3368.patch
@@ -0,0 +1,34 @@
+
+SECURITY (CVE-2011-3368): Prevent unintended pattern expansion in some
+reverse proxy configurations by strictly validating the request-URI.
+
+http://svn.apache.org/viewvc?rev=1179239&view=rev
+
+--- httpd-2.2.21/server/protocol.c
++++ httpd-2.2.21/server/protocol.c
+@@ -640,6 +640,25 @@
+ 
+     ap_parse_uri(r, uri);
+ 
++    /* RFC 2616:
++     *   Request-URI    = "*" | absoluteURI | abs_path | authority
++     *
++     * authority is a special case for CONNECT.  If the request is not
++     * using CONNECT, and the parsed URI does not have scheme, and
++     * it does not begin with '/', and it is not '*', then, fail
++     * and give a 400 response. */
++    if (r->method_number != M_CONNECT 
++        && !r->parsed_uri.scheme 
++        && uri[0] != '/'
++        && !(uri[0] == '*' && uri[1] == '\0')) {
++        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
++                      "invalid request-URI %s", uri);
++        r->args = NULL;
++        r->hostname = NULL;
++        r->status = HTTP_BAD_REQUEST;
++        r->uri = apr_pstrdup(r->pool, uri);
++    }
++
+     if (ll[0]) {
+         r->assbackwards = 0;
+         pro = ll;