httpd/httpd-2.4.37-r1919325.patch

diff --git a/modules/mappers/mod_rewrite.c b/modules/mappers/mod_rewrite.c
index 114b126..a25c7ae 100644
--- a/modules/mappers/mod_rewrite.c
+++ b/modules/mappers/mod_rewrite.c
@@ -2343,9 +2343,16 @@ static APR_INLINE char *find_char_in_curlies(char *s, int c)
  * of an earlier expansion to include expansion specifiers that
  * are interpreted by a later expansion, producing results that
  * were not intended by the administrator.
+ *
+ * unsafe_qmark if not NULL will be set to 1 or 0 if a question mark
+ * is found respectively in a literal or in a lookup/expansion (whether
+ * it's the first or last qmark depends on [QSL]). Should be initialized
+ * to -1 and remains so if no qmark is found.
  */
-static char *do_expand(char *input, rewrite_ctx *ctx, rewriterule_entry *entry)
+static char *do_expand(char *input, rewrite_ctx *ctx, rewriterule_entry *entry,
+                       int *unsafe_qmark)
 {
+#define EXPAND_SPECIALS "\\$%"
     result_list *result, *current;
     result_list sresult[SMALL_EXPANSION];
     unsigned spc = 0;
@@ -2353,8 +2360,29 @@ static char *do_expand(char *input, rewrite_ctx *ctx, rewriterule_entry *entry)
     char *p, *c;
     apr_pool_t *pool = ctx->r->pool;
 
-    span = strcspn(input, "\\$%");
     inputlen = strlen(input);
+    if (!unsafe_qmark) {
+        span = strcspn(input, EXPAND_SPECIALS);
+    }
+    else {
+        span = strcspn(input, EXPAND_SPECIALS "?");
+        if (input[span] == '?') {
+            /* this qmark is not from an expansion thus safe */
+            *unsafe_qmark = 0;
+
+            /* keep tracking only if interested in the last qmark */
+            if (entry && (entry->flags & RULEFLAG_QSLAST)) {
+                do {
+                    span++;
+                    span += strcspn(input + span, EXPAND_SPECIALS "?");
+                } while (input[span] == '?');
+            }
+            else {
+                unsafe_qmark = NULL;
+                span += strcspn(input + span, EXPAND_SPECIALS);
+            }
+        }
+    }
 
     /* fast exit */
     if (inputlen == span) {
@@ -2372,6 +2400,8 @@ static char *do_expand(char *input, rewrite_ctx *ctx, rewriterule_entry *entry)
 
     /* loop for specials */
     do {
+        int expanded = 0;
+
         /* prepare next entry */
         if (current->len) {
             current->next = (spc < SMALL_EXPANSION)
@@ -2417,6 +2447,8 @@ static char *do_expand(char *input, rewrite_ctx *ctx, rewriterule_entry *entry)
                 current->len = span;
                 current->string = p;
                 outlen += span;
+
+                expanded = 1;
                 p = endp + 1;
             }
 
@@ -2456,19 +2488,18 @@ static char *do_expand(char *input, rewrite_ctx *ctx, rewriterule_entry *entry)
                     }
 
                     /* reuse of key variable as result */
-                    key = lookup_map(ctx->r, map, do_expand(key, ctx, entry));
-
+                    key = lookup_map(ctx->r, map, do_expand(key, ctx, entry, NULL));
                     if (!key && dflt && *dflt) {
-                        key = do_expand(dflt, ctx, entry);
+                        key = do_expand(dflt, ctx, entry, NULL);
                     }
-
-                    if (key) {
+                    if (key && *key) {
                         span = strlen(key);
                         current->len = span;
                         current->string = key;
                         outlen += span;
                     }
 
+                    expanded = 1;
                     p = endp + 1;
                 }
             }
@@ -2498,8 +2529,9 @@ static char *do_expand(char *input, rewrite_ctx *ctx, rewriterule_entry *entry)
                     current->len = span;
                     current->string = bri->source + bri->regmatch[n].rm_so;
                 }
-
                 outlen += span;
+
+                expanded = 1;
             }
 
             p += 2;
@@ -2512,8 +2544,41 @@ static char *do_expand(char *input, rewrite_ctx *ctx, rewriterule_entry *entry)
             ++outlen;
         }
 
+        if (unsafe_qmark && expanded && current->len
+            && memchr(current->string, '?', current->len)) {
+            /* this qmark is from an expansion thus unsafe */
+            *unsafe_qmark = 1;
+
+            /* keep tracking only if interested in the last qmark */
+            if (!entry || !(entry->flags & RULEFLAG_QSLAST)) {
+                unsafe_qmark = NULL;
+            }
+        }
+
         /* check the remainder */
-        if (*p && (span = strcspn(p, "\\$%")) > 0) {
+        if (!unsafe_qmark) {
+            span = strcspn(p, EXPAND_SPECIALS);
+        }
+        else {
+            span = strcspn(p, EXPAND_SPECIALS "?");
+            if (p[span] == '?') {
+                /* this qmark is not from an expansion thus safe */
+                *unsafe_qmark = 0;
+
+                /* keep tracking only if interested in the last qmark */
+                if (entry && (entry->flags & RULEFLAG_QSLAST)) {
+                    do {
+                        span++;
+                        span += strcspn(p + span, EXPAND_SPECIALS "?");
+                    } while (p[span] == '?');
+                }
+                else {
+                    unsafe_qmark = NULL;
+                    span += strcspn(p + span, EXPAND_SPECIALS);
+                }
+            }
+        }
+        if (span > 0) {
             if (current->len) {
                 current->next = (spc < SMALL_EXPANSION)
                                 ? &(sresult[spc++])
@@ -2558,7 +2623,7 @@ static void do_expand_env(data_item *env, rewrite_ctx *ctx)
     char *name, *val;
 
     while (env) {
-        name = do_expand(env->data, ctx, NULL);
+        name = do_expand(env->data, ctx, NULL, NULL);
         if (*name == '!') {
             name++;
             apr_table_unset(ctx->r->subprocess_env, name);
@@ -2685,7 +2750,7 @@ static void add_cookie(request_rec *r, char *s)
 static void do_expand_cookie(data_item *cookie, rewrite_ctx *ctx)
 {
     while (cookie) {
-        add_cookie(ctx->r, do_expand(cookie->data, ctx, NULL));
+        add_cookie(ctx->r, do_expand(cookie->data, ctx, NULL, NULL));
         cookie = cookie->next;
     }
 
@@ -3964,7 +4029,7 @@ static int apply_rewrite_cond(rewritecond_entry *p, rewrite_ctx *ctx)
     int basis;
 
     if (p->ptype != CONDPAT_AP_EXPR)
-        input = do_expand(p->input, ctx, NULL);
+        input = do_expand(p->input, ctx, NULL, NULL);
 
     switch (p->ptype) {
     case CONDPAT_FILE_EXISTS:
@@ -4128,7 +4193,7 @@ static APR_INLINE void force_type_handler(rewriterule_entry *p,
     char *expanded;
 
     if (p->forced_mimetype) {
-        expanded = do_expand(p->forced_mimetype, ctx, p);
+        expanded = do_expand(p->forced_mimetype, ctx, p, NULL);
 
         if (*expanded) {
             ap_str_tolower(expanded);
@@ -4142,7 +4207,7 @@ static APR_INLINE void force_type_handler(rewriterule_entry *p,
     }
 
     if (p->forced_handler) {
-        expanded = do_expand(p->forced_handler, ctx, p);
+        expanded = do_expand(p->forced_handler, ctx, p, NULL);
 
         if (*expanded) {
             ap_str_tolower(expanded);
@@ -4279,12 +4344,18 @@ static rule_return_type apply_rewrite_rule(rewriterule_entry *p,
 
     /* expand the result */
     if (!(p->flags & RULEFLAG_NOSUB)) {
-        newuri = do_expand(p->output, ctx, p);
+        int unsafe_qmark = -1;
+
+        if (p->flags & RULEFLAG_UNSAFE_ALLOW3F) {
+            newuri = do_expand(p->output, ctx, p, NULL);
+        }
+        else {
+            newuri = do_expand(p->output, ctx, p, &unsafe_qmark);
+        }
         rewritelog((r, 2, ctx->perdir, "rewrite '%s' -> '%s'", ctx->uri,
                     newuri));
-        if (!(p->flags & RULEFLAG_UNSAFE_ALLOW3F) &&
-            ap_strcasestr(r->unparsed_uri, "%3f") &&
-            ap_strchr_c(newuri, '?')) {
+
+        if (unsafe_qmark > 0) {
             ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO()
                     "Unsafe URL with %%3f URL rewritten without "
                     "UnsafeAllow3F");
Resolves: RHEL-46040 - httpd:2.4/httpd: Security issues via backend applications whose response headers are malicious or exploitable (CVE-2024-38476) Resolves: RHEL-53022 - Regression introduced by CVE-2024-38474 fix 2024-08-06 15:17:15 +00:00			`diff --git a/modules/mappers/mod_rewrite.c b/modules/mappers/mod_rewrite.c`
			`index 114b126..a25c7ae 100644`
			`--- a/modules/mappers/mod_rewrite.c`
			`+++ b/modules/mappers/mod_rewrite.c`
			`@@ -2343,9 +2343,16 @@ static APR_INLINE char find_char_in_curlies(char s, int c)`
			`* of an earlier expansion to include expansion specifiers that`
			`* are interpreted by a later expansion, producing results that`
			`* were not intended by the administrator.`
			`+ *`
			`+ * unsafe_qmark if not NULL will be set to 1 or 0 if a question mark`
			`+ * is found respectively in a literal or in a lookup/expansion (whether`
			`+ * it's the first or last qmark depends on [QSL]). Should be initialized`
			`+ * to -1 and remains so if no qmark is found.`
			`*/`
			`-static char do_expand(char input, rewrite_ctx ctx, rewriterule_entry entry)`
			`+static char do_expand(char input, rewrite_ctx ctx, rewriterule_entry entry,`
			`+ int *unsafe_qmark)`
			`{`
			`+#define EXPAND_SPECIALS "\\$%"`
			`result_list result, current;`
			`result_list sresult[SMALL_EXPANSION];`
			`unsigned spc = 0;`
			`@@ -2353,8 +2360,29 @@ static char do_expand(char input, rewrite_ctx ctx, rewriterule_entry entry)`
			`char p, c;`
			`apr_pool_t *pool = ctx->r->pool;`

			`- span = strcspn(input, "\\$%");`
			`inputlen = strlen(input);`
			`+ if (!unsafe_qmark) {`
			`+ span = strcspn(input, EXPAND_SPECIALS);`
			`+ }`
			`+ else {`
			`+ span = strcspn(input, EXPAND_SPECIALS "?");`
			`+ if (input[span] == '?') {`
			`+ /* this qmark is not from an expansion thus safe */`
			`+ *unsafe_qmark = 0;`
			`+`
			`+ /* keep tracking only if interested in the last qmark */`
			`+ if (entry && (entry->flags & RULEFLAG_QSLAST)) {`
			`+ do {`
			`+ span++;`
			`+ span += strcspn(input + span, EXPAND_SPECIALS "?");`
			`+ } while (input[span] == '?');`
			`+ }`
			`+ else {`
			`+ unsafe_qmark = NULL;`
			`+ span += strcspn(input + span, EXPAND_SPECIALS);`
			`+ }`
			`+ }`
			`+ }`

			`/* fast exit */`
			`if (inputlen == span) {`
			`@@ -2372,6 +2400,8 @@ static char do_expand(char input, rewrite_ctx ctx, rewriterule_entry entry)`

			`/* loop for specials */`
			`do {`
			`+ int expanded = 0;`
			`+`
			`/* prepare next entry */`
			`if (current->len) {`
			`current->next = (spc < SMALL_EXPANSION)`
			`@@ -2417,6 +2447,8 @@ static char do_expand(char input, rewrite_ctx ctx, rewriterule_entry entry)`
			`current->len = span;`
			`current->string = p;`
			`outlen += span;`
			`+`
			`+ expanded = 1;`
			`p = endp + 1;`
			`}`

			`@@ -2456,19 +2488,18 @@ static char do_expand(char input, rewrite_ctx ctx, rewriterule_entry entry)`
			`}`

			`/* reuse of key variable as result */`
			`- key = lookup_map(ctx->r, map, do_expand(key, ctx, entry));`
			`-`
			`+ key = lookup_map(ctx->r, map, do_expand(key, ctx, entry, NULL));`
			`if (!key && dflt && *dflt) {`
			`- key = do_expand(dflt, ctx, entry);`
			`+ key = do_expand(dflt, ctx, entry, NULL);`
			`}`
			`-`
			`- if (key) {`
			`+ if (key && *key) {`
			`span = strlen(key);`
			`current->len = span;`
			`current->string = key;`
			`outlen += span;`
			`}`

			`+ expanded = 1;`
			`p = endp + 1;`
			`}`
			`}`
			`@@ -2498,8 +2529,9 @@ static char do_expand(char input, rewrite_ctx ctx, rewriterule_entry entry)`
			`current->len = span;`
			`current->string = bri->source + bri->regmatch[n].rm_so;`
			`}`
			`-`
			`outlen += span;`
			`+`
			`+ expanded = 1;`
			`}`

			`p += 2;`
			`@@ -2512,8 +2544,41 @@ static char do_expand(char input, rewrite_ctx ctx, rewriterule_entry entry)`
			`++outlen;`
			`}`

			`+ if (unsafe_qmark && expanded && current->len`
			`+ && memchr(current->string, '?', current->len)) {`
			`+ /* this qmark is from an expansion thus unsafe */`
			`+ *unsafe_qmark = 1;`
			`+`
			`+ /* keep tracking only if interested in the last qmark */`
			`+ if (!entry \|\| !(entry->flags & RULEFLAG_QSLAST)) {`
			`+ unsafe_qmark = NULL;`
			`+ }`
			`+ }`
			`+`
			`/* check the remainder */`
			`- if (*p && (span = strcspn(p, "\\$%")) > 0) {`
			`+ if (!unsafe_qmark) {`
			`+ span = strcspn(p, EXPAND_SPECIALS);`
			`+ }`
			`+ else {`
			`+ span = strcspn(p, EXPAND_SPECIALS "?");`
			`+ if (p[span] == '?') {`
			`+ /* this qmark is not from an expansion thus safe */`
			`+ *unsafe_qmark = 0;`
			`+`
			`+ /* keep tracking only if interested in the last qmark */`
			`+ if (entry && (entry->flags & RULEFLAG_QSLAST)) {`
			`+ do {`
			`+ span++;`
			`+ span += strcspn(p + span, EXPAND_SPECIALS "?");`
			`+ } while (p[span] == '?');`
			`+ }`
			`+ else {`
			`+ unsafe_qmark = NULL;`
			`+ span += strcspn(p + span, EXPAND_SPECIALS);`
			`+ }`
			`+ }`
			`+ }`
			`+ if (span > 0) {`
			`if (current->len) {`
			`current->next = (spc < SMALL_EXPANSION)`
			`? &(sresult[spc++])`
			`@@ -2558,7 +2623,7 @@ static void do_expand_env(data_item env, rewrite_ctx ctx)`
			`char name, val;`

			`while (env) {`
			`- name = do_expand(env->data, ctx, NULL);`
			`+ name = do_expand(env->data, ctx, NULL, NULL);`
			`if (*name == '!') {`
			`name++;`
			`apr_table_unset(ctx->r->subprocess_env, name);`
			`@@ -2685,7 +2750,7 @@ static void add_cookie(request_rec r, char s)`
			`static void do_expand_cookie(data_item cookie, rewrite_ctx ctx)`
			`{`
			`while (cookie) {`
			`- add_cookie(ctx->r, do_expand(cookie->data, ctx, NULL));`
			`+ add_cookie(ctx->r, do_expand(cookie->data, ctx, NULL, NULL));`
			`cookie = cookie->next;`
			`}`

			`@@ -3964,7 +4029,7 @@ static int apply_rewrite_cond(rewritecond_entry p, rewrite_ctx ctx)`
			`int basis;`

			`if (p->ptype != CONDPAT_AP_EXPR)`
			`- input = do_expand(p->input, ctx, NULL);`
			`+ input = do_expand(p->input, ctx, NULL, NULL);`

			`switch (p->ptype) {`
			`case CONDPAT_FILE_EXISTS:`
			`@@ -4128,7 +4193,7 @@ static APR_INLINE void force_type_handler(rewriterule_entry *p,`
			`char *expanded;`

			`if (p->forced_mimetype) {`
			`- expanded = do_expand(p->forced_mimetype, ctx, p);`
			`+ expanded = do_expand(p->forced_mimetype, ctx, p, NULL);`

			`if (*expanded) {`
			`ap_str_tolower(expanded);`
			`@@ -4142,7 +4207,7 @@ static APR_INLINE void force_type_handler(rewriterule_entry *p,`
			`}`

			`if (p->forced_handler) {`
			`- expanded = do_expand(p->forced_handler, ctx, p);`
			`+ expanded = do_expand(p->forced_handler, ctx, p, NULL);`

			`if (*expanded) {`
			`ap_str_tolower(expanded);`
			`@@ -4279,12 +4344,18 @@ static rule_return_type apply_rewrite_rule(rewriterule_entry *p,`

			`/* expand the result */`
			`if (!(p->flags & RULEFLAG_NOSUB)) {`
			`- newuri = do_expand(p->output, ctx, p);`
			`+ int unsafe_qmark = -1;`
			`+`
			`+ if (p->flags & RULEFLAG_UNSAFE_ALLOW3F) {`
			`+ newuri = do_expand(p->output, ctx, p, NULL);`
			`+ }`
			`+ else {`
			`+ newuri = do_expand(p->output, ctx, p, &unsafe_qmark);`
			`+ }`
			`rewritelog((r, 2, ctx->perdir, "rewrite '%s' -> '%s'", ctx->uri,`
			`newuri));`
			`- if (!(p->flags & RULEFLAG_UNSAFE_ALLOW3F) &&`
			`- ap_strcasestr(r->unparsed_uri, "%3f") &&`
			`- ap_strchr_c(newuri, '?')) {`
			`+`
			`+ if (unsafe_qmark > 0) {`
			`ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO()`
			`"Unsafe URL with %%3f URL rewritten without "`
			`"UnsafeAllow3F");`