Tue Dec 13 15:37:57 2011 UTC ()

add revision 1209432 from http://svn.apache.org/ as patches:
fix for CVE-2011-4317


(spz)

diff -r1.75 -r1.76 pkgsrc/www/apache22/Makefile
diff -r1.46 -r1.47 pkgsrc/www/apache22/distinfo
diff -r0 -r1.1 pkgsrc/www/apache22/patches/patch-modules_mappers_mod_rewrite.c
diff -r0 -r1.1 pkgsrc/www/apache22/patches/patch-modules_proxy_mod_proxy.c

--- pkgsrc/www/apache22/Attic/Makefile 2011/12/07 22:58:12 1.75
+++ pkgsrc/www/apache22/Attic/Makefile 2011/12/13 15:37:56 1.76

 @@ -1,19 +1,19 @@
-# $NetBSD: Makefile,v 1.75 2011/12/07 22:58:12 tron Exp $
+# $NetBSD: Makefile,v 1.76 2011/12/13 15:37:56 spz Exp $
 DISTNAME=	httpd-2.2.21
 PKGNAME=	${DISTNAME:S/httpd/apache/}
-PKGREVISION=	4
+PKGREVISION=	5
 CATEGORIES=	www
 MASTER_SITES=	${MASTER_SITE_APACHE:=httpd/} \
 		http://archive.apache.org/dist/httpd/ \
 		http://archive.eu.apache.org/dist/httpd/
 EXTRACT_SUFX=	.tar.bz2
 MAINTAINER=	tron@NetBSD.org
 HOMEPAGE=	http://httpd.apache.org/
 COMMENT=	Apache HTTP (Web) server, version 2.2
 LICENSE=	apache-2.0
 PKG_DESTDIR_SUPPORT=	user-destdir

--- pkgsrc/www/apache22/Attic/distinfo 2011/12/12 18:43:14 1.46
+++ pkgsrc/www/apache22/Attic/distinfo 2011/12/13 15:37:56 1.47

 @@ -1,20 +1,22 @@
-$NetBSD: distinfo,v 1.46 2011/12/12 18:43:14 tron Exp $
+$NetBSD: distinfo,v 1.47 2011/12/13 15:37:56 spz Exp $
 SHA1 (httpd-2.2.21.tar.bz2) = c02f9b05da9a7e316ff37d9053dc76a57ba51cb4
 RMD160 (httpd-2.2.21.tar.bz2) = 6464a03d78ab858b1288ea9eef4cd5f73b60a9f1
 Size (httpd-2.2.21.tar.bz2) = 5324905 bytes
 SHA1 (patch-aa) = e0bfdf6bc9cb034bea46a390a12a5508e363c9a7
 SHA1 (patch-ab) = 365cc3b0ac2d9d68ccb94f5699fe168a1c9b0150
 SHA1 (patch-ac) = 515043b5c215d49fe8f6d3191b502c978e2a2dad
 SHA1 (patch-ad) = 088d6ff0e7a8acfe70b4f85a6ce58d42c935fd13
 SHA1 (patch-ae) = 86b307d6eefef232b6223afc3f69e64be40bd913
 SHA1 (patch-af) = 312d3bce5e1bf6e747b5f0f313d89bf5b4636392
 SHA1 (patch-ag) = 78dcb023f524ef65928b529320932c9664ec0d01
 SHA1 (patch-ai) = 4ebc3bd580a298973928eb6d13d2ce745eac0312
 SHA1 (patch-al) = 56b9f5c2f6fd01fe5067f9210e328cbf674c68f1
 SHA1 (patch-am) = ab4a2f7e5a1a3064e908b61157e7fd349c0b0c08
 SHA1 (patch-aw) = ca53d67beeb2c2c4d9adb04d3d79e24a8c427fd4
 SHA1 (patch-lock.c) = 770ca03f1cb4421879bd5baa5a7c30cc91acb6e1
 SHA1 (patch-modules_mappers_mod_rewrite.c) = de7bbdf02dda38e2542e4967ee6f22745ec0f118
 SHA1 (patch-modules_proxy_mod_proxy.c) = bab58b70eee22d7c08be9a4a9ada3fad886fa796
 SHA1 (patch-repos.c) = 0e0361b91d4b0fe6c7c55a12fdfd2e6aacc710e1
 SHA1 (patch-server_protocol.c) = 2be3e4fc08da717fa55b058eb32e398f6546d457
 SHA1 (patch-server_util.c) = b63f73e2a482facd188eecb0864fc612d1b7b3a5

$NetBSD: patch-modules_mappers_mod_rewrite.c,v 1.1 2011/12/13 15:37:56 spz Exp $

revision 1209432 from http://svn.apache.org/:
	Fix for additional cases of URL rewriting with ProxyPassMatch or
	RewriteRule, where particular request-URIs could result in undesired
	backend network exposure in some configurations. (CVE-2011-4317)

	Thanks to Prutha Parikh from Qualys for reporting this issue.

	* modules/proxy/mod_proxy.c (proxy_trans): Decline to handle the "*"
	  request-URI.  Fail for cases where r->uri does not begin with a "/".

	* modules/mappers/mod_rewrite.c (hook_uri2file): Likewise.

--- modules/mappers/mod_rewrite.c.orig	2011-09-03 22:54:25.000000000 +0000
+++ modules/mappers/mod_rewrite.c
@@ -4266,6 +4266,18 @@ static int hook_uri2file(request_rec *r)
         return DECLINED;
     }
 
+    if (strcmp(r->unparsed_uri, "*") == 0) {
+        /* Don't apply rewrite rules to "*". */
+        return DECLINED;
+    }
+
+    /* Check that the URI is valid. */
+    if (!r->uri || r->uri[0] != '/') {
+        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+                     "Invalid URI in request %s", r->the_request);
+        return HTTP_BAD_REQUEST;
+    }
+
     /*
      *  add the SCRIPT_URL variable to the env. this is a bit complicated
      *  due to the fact that apache uses subrequests and internal redirects

$NetBSD: patch-modules_proxy_mod_proxy.c,v 1.1 2011/12/13 15:37:57 spz Exp $

revision 1209432 from http://svn.apache.org/:
        Fix for additional cases of URL rewriting with ProxyPassMatch or
        RewriteRule, where particular request-URIs could result in undesired
        backend network exposure in some configurations. (CVE-2011-4317)

        Thanks to Prutha Parikh from Qualys for reporting this issue.

        * modules/proxy/mod_proxy.c (proxy_trans): Decline to handle the "*"
          request-URI.  Fail for cases where r->uri does not begin with a "/".

        * modules/mappers/mod_rewrite.c (hook_uri2file): Likewise.

--- modules/proxy/mod_proxy.c.orig	2010-10-07 18:51:18.000000000 +0000
+++ modules/proxy/mod_proxy.c
@@ -566,6 +566,18 @@ static int proxy_trans(request_rec *r)
         return OK;
     }
 
+    if (strcmp(r->unparsed_uri, "*") == 0) {
+        /* "*" cannot be proxied. */
+        return DECLINED;
+    }
+
+    /* Check that the URI is valid. */
+    if (!r->uri || r->uri[0] != '/') {
+        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+                     "Invalid URI in request %s", r->the_request);
+        return HTTP_BAD_REQUEST;
+    }
+
     /* XXX: since r->uri has been manipulated already we're not really
      * compliant with RFC1945 at this point.  But this probably isn't
      * an issue because this is a hybrid proxy/origin server.