packages/httpd
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2021-44224 sync from 22.03

Browse Source
This commit is contained in:
yangl777 2022-03-30 10:44:24 +08:00
parent 2fedea6cdc
commit aa32753582
3 changed files with 388 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

275
backport-001-CVE-2021-44224.patch Normal file
View File

@ -0,0 +1,275 @@
From a962ba73047b5478d702c8ad09fd1a167e1d3736 Mon Sep 17 00:00:00 2001
From: Yann Ylavic <ylavic@apache.org>
Date: Tue, 14 Dec 2021 15:35:56 +0000
Subject: [PATCH] Merge r1895914, r1895921 from trunk:
*) http: Enforce that fully qualified uri-paths not to be forward-proxied
have an http(s) scheme, and that the ones to be forward proxied have a
hostname, per HTTP specifications.
trunk patch: http://svn.apache.org/r1895914
http://svn.apache.org/r1895921
2.4.x patch: https://patch-diff.githubusercontent.com/raw/apache/httpd/pull/286.patch
backport PR: https://github.com/apache/httpd/pull/286
+1: ylavic, minfrin, gbechis
mod_proxy: Detect unix: scheme syntax errors at load time.
* modules/proxy/mod_proxy.c(add_pass, add_member, set_proxy_param,
proxysection):
Check return value of ap_proxy_de_socketfy().
* modules/proxy/proxy_util.c(ap_proxy_get_worker_ex):
Check return value of ap_proxy_de_socketfy().
http: Enforce that fully qualified uri-paths not to be forward-proxied
have an http(s) scheme, and that the ones to be forward proxied have a
hostname, per HTTP specifications.
The early checks avoid failing the request later on and thus save cycles
for those invalid cases.
Submitted by: ylavic
Reviewed by: ylavic, minfrin, gbechis
Closes #286
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1895955 13f79535-47bb-0310-9956-ffa450edef68
---
include/ap_mmn.h | 3 ++-
include/http_protocol.h | 7 ++++++
modules/http/http_request.c | 2 +-
modules/http2/h2_request.c | 2 +-
modules/proxy/mod_proxy.c | 44 ++++++++++++++++++++++++++-----------
modules/proxy/proxy_util.c | 3 +++
server/protocol.c | 23 ++++++++++++++++++-
7 files changed, 71 insertions(+), 17 deletions(-)
diff --git a/include/ap_mmn.h b/include/ap_mmn.h
index fe24261ee87..90ff1a86a6f 100644
--- a/include/ap_mmn.h
+++ b/include/ap_mmn.h
@@ -586,6 +586,7 @@
* 20120211.117 (2.4.50-dev) Add ap_pre_connection
* 20120211.118 (2.4.51-dev) Add ap_unescape_url_ex() and deprecate
* AP_NORMALIZE_DROP_PARAMETERS
+ * 20120211.121 (2.4.51-dev) Add ap_post_read_request()
*
*/
diff --git a/include/http_protocol.h b/include/http_protocol.h
index 9ccac893fcb..20bd2022266 100644
--- a/include/http_protocol.h
+++ b/include/http_protocol.h
@@ -96,6 +96,13 @@ AP_DECLARE(void) ap_get_mime_headers(request_rec *r);
AP_DECLARE(void) ap_get_mime_headers_core(request_rec *r,
apr_bucket_brigade *bb);
+/**
+ * Run post_read_request hook and validate.
+ * @param r The current request
+ * @return OK or HTTP_...
+ */
+AP_DECLARE(int) ap_post_read_request(request_rec *r);
+
/* Finish up stuff after a request */
/**
diff --git a/modules/http/http_request.c b/modules/http/http_request.c
index c9ae5af2864..d59cfe25999 100644
--- a/modules/http/http_request.c
+++ b/modules/http/http_request.c
@@ -680,7 +680,7 @@ static request_rec *internal_internal_redirect(const char *new_uri,
* to do their thing on internal redirects as well. Perhaps this is a
* misnamed function.
*/
- if ((access_status = ap_run_post_read_request(new))) {
+ if ((access_status = ap_post_read_request(new))) {
ap_die(access_status, new);
return NULL;
}
diff --git a/modules/http2/h2_request.c b/modules/http2/h2_request.c
index 7c4fb95ea48..9ff6feb675f 100644
--- a/modules/http2/h2_request.c
+++ b/modules/http2/h2_request.c
@@ -370,7 +370,7 @@ request_rec *h2_request_create_rec(const h2_request *req, conn_rec *c)
ap_add_input_filter_handle(ap_http_input_filter_handle,
NULL, r, r->connection);
- if ((access_status = ap_run_post_read_request(r))) {
+ if ((access_status = ap_post_read_request(r))) {
/* Request check post hooks failed. An example of this would be a
* request for a vhost where h2 is disabled --> 421.
*/
diff --git a/modules/proxy/mod_proxy.c b/modules/proxy/mod_proxy.c
index 3fb84c85935..85d7ce2e6c1 100644
--- a/modules/proxy/mod_proxy.c
+++ b/modules/proxy/mod_proxy.c
@@ -775,13 +775,13 @@ static int proxy_detect(request_rec *r)
/* Ick... msvc (perhaps others) promotes ternary short results to int */
- if (conf->req && r->parsed_uri.scheme) {
+ if (conf->req && r->parsed_uri.scheme && r->parsed_uri.hostname) {
/* but it might be something vhosted */
- if (!(r->parsed_uri.hostname
- && !ap_cstr_casecmp(r->parsed_uri.scheme, ap_http_scheme(r))
- && ap_matches_request_vhost(r, r->parsed_uri.hostname,
- (apr_port_t)(r->parsed_uri.port_str ? r->parsed_uri.port
- : ap_default_port(r))))) {
+ if (ap_cstr_casecmp(r->parsed_uri.scheme, ap_http_scheme(r)) != 0
+ || !ap_matches_request_vhost(r, r->parsed_uri.hostname,
+ (apr_port_t)(r->parsed_uri.port_str
+ ? r->parsed_uri.port
+ : ap_default_port(r)))) {
r->proxyreq = PROXYREQ_PROXY;
r->uri = r->unparsed_uri;
r->filename = apr_pstrcat(r->pool, "proxy:", r->uri, NULL);
@@ -2007,6 +2007,7 @@ static const char *
struct proxy_alias *new;
char *f = cmd->path;
char *r = NULL;
+ const char *real;
char *word;
apr_table_t *params = apr_table_make(cmd->pool, 5);
const apr_array_header_t *arr;
@@ -2093,6 +2094,10 @@ static const char *
if (r == NULL) {
return "ProxyPass|ProxyPassMatch needs a path when not defined in a location";
}
+ if (!(real = ap_proxy_de_socketfy(cmd->temp_pool, r))) {
+ return "ProxyPass|ProxyPassMatch uses an invalid \"unix:\" URL";
+ }
+
/* if per directory, save away the single alias */
if (cmd->path) {
@@ -2109,7 +2114,7 @@ static const char *
}
new->fake = apr_pstrdup(cmd->pool, f);
- new->real = apr_pstrdup(cmd->pool, ap_proxy_de_socketfy(cmd->pool, r));
+ new->real = apr_pstrdup(cmd->pool, real);
new->flags = flags;
if (worker_type & AP_PROXY_WORKER_IS_MATCH) {
new->regex = ap_pregcomp(cmd->pool, f, AP_REG_EXTENDED);
@@ -2635,6 +2640,7 @@ static const char *add_member(cmd_parms *cmd, void *dummy, const char *arg)
proxy_worker *worker;
char *path = cmd->path;
char *name = NULL;
+ const char *real;
char *word;
apr_table_t *params = apr_table_make(cmd->pool, 5);
const apr_array_header_t *arr;
@@ -2675,6 +2681,9 @@ static const char *add_member(cmd_parms *cmd, void *dummy, const char *arg)
return "BalancerMember must define balancer name when outside <Proxy > section";
if (!name)
return "BalancerMember must define remote proxy server";
+ if (!(real = ap_proxy_de_socketfy(cmd->temp_pool, name))) {
+ return "BalancerMember uses an invalid \"unix:\" URL";
+ }
ap_str_tolower(path); /* lowercase scheme://hostname */
@@ -2687,8 +2696,7 @@ static const char *add_member(cmd_parms *cmd, void *dummy, const char *arg)
}
/* Try to find existing worker */
- worker = ap_proxy_get_worker(cmd->temp_pool, balancer, conf,
- ap_proxy_de_socketfy(cmd->temp_pool, name));
+ worker = ap_proxy_get_worker(cmd->temp_pool, balancer, conf, real);
if (!worker) {
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, cmd->server, APLOGNO(01147)
"Defining worker '%s' for balancer '%s'",
@@ -2785,9 +2793,14 @@ static const char *
}
}
else {
+ const char *real;
+
+ if (!(real = ap_proxy_de_socketfy(cmd->temp_pool, name))) {
+ return "ProxySet uses an invalid \"unix:\" URL";
+ }
+
worker = ap_proxy_get_worker_ex(cmd->temp_pool, NULL, conf,
- ap_proxy_de_socketfy(cmd->temp_pool, name),
- worker_type);
+ real, worker_type);
if (!worker) {
if (in_proxy_section) {
err = ap_proxy_define_worker_ex(cmd->pool, &worker, NULL,
@@ -2930,9 +2943,14 @@ static const char *proxysection(cmd_parms *cmd, void *mconfig, const char *arg)
}
}
else {
+ const char *real;
+
+ if (!(real = ap_proxy_de_socketfy(cmd->temp_pool, conf->p))) {
+ return "<Proxy/ProxyMatch > uses an invalid \"unix:\" URL";
+ }
+
worker = ap_proxy_get_worker_ex(cmd->temp_pool, NULL, sconf,
- ap_proxy_de_socketfy(cmd->temp_pool, conf->p),
- worker_type);
+ real, worker_type);
if (!worker) {
err = ap_proxy_define_worker_ex(cmd->pool, &worker, NULL, sconf,
conf->p, worker_type);
diff --git a/modules/proxy/proxy_util.c b/modules/proxy/proxy_util.c
index a3cf5460487..b4f6dcfadc6 100644
--- a/modules/proxy/proxy_util.c
+++ b/modules/proxy/proxy_util.c
@@ -1742,6 +1742,9 @@ PROXY_DECLARE(proxy_worker *) ap_proxy_get_worker_ex(apr_pool_t *p,
}
url = ap_proxy_de_socketfy(p, url);
+ if (!url) {
+ return NULL;
+ }
c = ap_strchr_c(url, ':');
if (c == NULL || c[1] != '/' || c[2] != '/' || c[3] == '\0') {
diff --git a/server/protocol.c b/server/protocol.c
index 3d74c5b3058..2214f72b5a4 100644
--- a/server/protocol.c
+++ b/server/protocol.c
@@ -1548,7 +1548,7 @@ request_rec *ap_read_request(conn_rec *conn)
/* we may have switched to another server */
apply_server_config(r);
- if ((access_status = ap_run_post_read_request(r))) {
+ if ((access_status = ap_post_read_request(r))) {
goto die;
}
@@ -1603,6 +1603,27 @@ request_rec *ap_read_request(conn_rec *conn)
return NULL;
}
+AP_DECLARE(int) ap_post_read_request(request_rec *r)
+{
+ int status;
+
+ if ((status = ap_run_post_read_request(r))) {
+ return status;
+ }
+
+ /* Enforce http(s) only scheme for non-forward-proxy requests */
+ if (!r->proxyreq
+ && r->parsed_uri.scheme
+ && (ap_cstr_casecmpn(r->parsed_uri.scheme, "http", 4) != 0
+ || (r->parsed_uri.scheme[4] != '\0'
+ && (apr_tolower(r->parsed_uri.scheme[4]) != 's'
+ || r->parsed_uri.scheme[5] != '\0')))) {
+ return HTTP_BAD_REQUEST;
+ }
+
+ return OK;
+}
+
/* if a request with a body creates a subrequest, remove original request's
* input headers which pertain to the body which has already been read.
* out-of-line helper function for ap_set_sub_req_protocol.

104
backport-002-CVE-2021-44224.patch Normal file
View File

@ -0,0 +1,104 @@
From a0521d289ae14e4ac004811dc1ef91b3e118a2f6 Mon Sep 17 00:00:00 2001
From: Stefan Eissing <icing@apache.org>
Date: Thu, 16 Dec 2021 11:23:49 +0000
Subject: [PATCH] Merge of r1895981,r1895986 from trunk:
*) mod_proxy: Don't prevent forwarding URIs w/ no hostname.
(fix for r1895955 already in 2.4.x)
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1896044 13f79535-47bb-0310-9956-ffa450edef68
---
modules/proxy/mod_proxy.c | 5 +++--
modules/proxy/mod_proxy.h | 1 +
modules/proxy/proxy_util.c | 22 ++++++++++++----------
3 files changed, 16 insertions(+), 12 deletions(-)
diff --git a/modules/proxy/mod_proxy.c b/modules/proxy/mod_proxy.c
index 85d7ce2e6c1..f8a4db68892 100644
--- a/modules/proxy/mod_proxy.c
+++ b/modules/proxy/mod_proxy.c
@@ -775,9 +775,10 @@ static int proxy_detect(request_rec *r)
/* Ick... msvc (perhaps others) promotes ternary short results to int */
- if (conf->req && r->parsed_uri.scheme && r->parsed_uri.hostname) {
+ if (conf->req && r->parsed_uri.scheme) {
/* but it might be something vhosted */
- if (ap_cstr_casecmp(r->parsed_uri.scheme, ap_http_scheme(r)) != 0
+ if (!r->parsed_uri.hostname
+ || ap_cstr_casecmp(r->parsed_uri.scheme, ap_http_scheme(r)) != 0
|| !ap_matches_request_vhost(r, r->parsed_uri.hostname,
(apr_port_t)(r->parsed_uri.port_str
? r->parsed_uri.port
diff --git a/modules/proxy/mod_proxy.h b/modules/proxy/mod_proxy.h
index 35acc49a4a3..be5b3a85394 100644
--- a/modules/proxy/mod_proxy.h
+++ b/modules/proxy/mod_proxy.h
@@ -750,6 +750,7 @@ PROXY_DECLARE(int) ap_proxy_worker_can_upgrade(apr_pool_t *p,
#define AP_PROXY_WORKER_IS_PREFIX (1u << 0)
#define AP_PROXY_WORKER_IS_MATCH (1u << 1)
#define AP_PROXY_WORKER_IS_MALLOCED (1u << 2)
+#define AP_PROXY_WORKER_NO_UDS (1u << 3)
/**
* Get the worker from proxy configuration, looking for either PREFIXED or
diff --git a/modules/proxy/proxy_util.c b/modules/proxy/proxy_util.c
index b4f6dcfadc6..8cb315d9103 100644
--- a/modules/proxy/proxy_util.c
+++ b/modules/proxy/proxy_util.c
@@ -1741,9 +1741,11 @@ PROXY_DECLARE(proxy_worker *) ap_proxy_get_worker_ex(apr_pool_t *p,
return NULL;
}
- url = ap_proxy_de_socketfy(p, url);
- if (!url) {
- return NULL;
+ if (!(mask & AP_PROXY_WORKER_NO_UDS)) {
+ url = ap_proxy_de_socketfy(p, url);
+ if (!url) {
+ return NULL;
+ }
}
c = ap_strchr_c(url, ':');
@@ -2326,22 +2328,22 @@ PROXY_DECLARE(int) ap_proxy_pre_request(proxy_worker **worker,
access_status = proxy_run_pre_request(worker, balancer, r, conf, url);
if (access_status == DECLINED && *balancer == NULL) {
- *worker = ap_proxy_get_worker(r->pool, NULL, conf, *url);
+ const int forward = (r->proxyreq == PROXYREQ_PROXY);
+ *worker = ap_proxy_get_worker_ex(r->pool, NULL, conf, *url,
+ forward ? AP_PROXY_WORKER_NO_UDS : 0);
if (*worker) {
ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r,
"%s: found worker %s for %s",
(*worker)->s->scheme, (*worker)->s->name, *url);
- *balancer = NULL;
- if (!fix_uds_filename(r, url)) {
+ if (!forward && !fix_uds_filename(r, url)) {
return HTTP_INTERNAL_SERVER_ERROR;
}
access_status = OK;
}
- else if (r->proxyreq == PROXYREQ_PROXY) {
+ else if (forward) {
if (conf->forward) {
ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r,
"*: found forward proxy worker for %s", *url);
- *balancer = NULL;
*worker = conf->forward;
access_status = OK;
/*
@@ -2355,8 +2357,8 @@ PROXY_DECLARE(int) ap_proxy_pre_request(proxy_worker **worker,
else if (r->proxyreq == PROXYREQ_REVERSE) {
if (conf->reverse) {
ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r,
- "*: using default reverse proxy worker for %s (no keepalive)", *url);
- *balancer = NULL;
+ "*: using default reverse proxy worker for %s "
+ "(no keepalive)", *url);
*worker = conf->reverse;
access_status = OK;
/*

10
httpd.spec
View File

@ -8,7 +8,7 @@
Name: httpd Name: httpd
Summary: Apache HTTP Server Summary: Apache HTTP Server
Version: 2.4.51 Version: 2.4.51
Release: 2 Release: 3
License: ASL 2.0 License: ASL 2.0
URL: https://httpd.apache.org/ URL: https://httpd.apache.org/
Source0: https://archive.apache.org/dist/httpd/httpd-%{version}.tar.bz2 Source0: https://archive.apache.org/dist/httpd/httpd-%{version}.tar.bz2
@ -75,6 +75,8 @@ Patch21: backport-CVE-2022-22721.patch
Patch22: backport-001-CVE-2022-23934.patch Patch22: backport-001-CVE-2022-23934.patch
Patch23: backport-002-CVE-2022-23934.patch Patch23: backport-002-CVE-2022-23934.patch
Patch24: backport-CVE-2021-44790.patch Patch24: backport-CVE-2021-44790.patch
Patch25: backport-001-CVE-2021-44224.patch
Patch26: backport-002-CVE-2021-44224.patch
BuildRequires: gcc autoconf pkgconfig findutils xmlto perl-interpreter perl-generators systemd-devel BuildRequires: gcc autoconf pkgconfig findutils xmlto perl-interpreter perl-generators systemd-devel
BuildRequires: zlib-devel libselinux-devel lua-devel brotli-devel BuildRequires: zlib-devel libselinux-devel lua-devel brotli-devel
@ -507,6 +509,12 @@ exit $rv
%{_rpmconfigdir}/macros.d/macros.httpd %{_rpmconfigdir}/macros.d/macros.httpd
%changelog %changelog
* Wed Mar 30 2022 yanglu <yanglu72@h-partners.com> - 2.4.51-3
- Type:cves
- ID:NA
- SUG:restart
- DESC:fix CVE-2021-44224
* Mon Mar 28 2022 yanglu <yanglu72@h-partners.com> - 2.4.51-2 * Mon Mar 28 2022 yanglu <yanglu72@h-partners.com> - 2.4.51-2
- Type:cves - Type:cves
- ID:NA - ID:NA