httpd/httpd-2.4.37-CVE-2023-27522.patch

diff --git a/modules/proxy/mod_proxy_uwsgi.c b/modules/proxy/mod_proxy_uwsgi.c
index 9dcbed1..a1b564d 100644
--- a/modules/proxy/mod_proxy_uwsgi.c
+++ b/modules/proxy/mod_proxy_uwsgi.c
@@ -304,18 +304,16 @@ static int uwsgi_response(request_rec *r, proxy_conn_rec * backend,
     pass_bb = apr_brigade_create(r->pool, c->bucket_alloc);
 
     len = ap_getline(buffer, sizeof(buffer), rp, 1);
-
     if (len <= 0) {
-        /* oops */
+        /* invalid or empty */
         return HTTP_INTERNAL_SERVER_ERROR;
     }
-
     backend->worker->s->read += len;
-
-    if (len >= sizeof(buffer) - 1) {
-        /* oops */
+    if ((apr_size_t)len >= sizeof(buffer)) {
+        /* too long */
         return HTTP_INTERNAL_SERVER_ERROR;
     }
+
     /* Position of http status code */
     if (apr_date_checkmask(buffer, "HTTP/#.# ###*")) {
         status_start = 9;
@@ -324,8 +322,8 @@ static int uwsgi_response(request_rec *r, proxy_conn_rec * backend,
         status_start = 7;
     }
     else {
-        /* oops */
-        return HTTP_INTERNAL_SERVER_ERROR;
+        /* not HTTP */
+        return HTTP_BAD_GATEWAY;
     }
     status_end = status_start + 3;
 
@@ -345,21 +343,44 @@ static int uwsgi_response(request_rec *r, proxy_conn_rec * backend,
     }
     r->status_line = apr_pstrdup(r->pool, &buffer[status_start]);
 
-    /* start parsing headers */
+    /* parse headers */
     while ((len = ap_getline(buffer, sizeof(buffer), rp, 1)) > 0) {
+        if ((apr_size_t)len >= sizeof(buffer)) {
+            /* too long */
+            len = -1;
+            break;
+        }
         value = strchr(buffer, ':');
-        /* invalid header skip */
-        if (!value)
-            continue;
-        *value = '\0';
-        ++value;
+        if (!value) {
+            /* invalid header */
+            len = -1;
+            break;
+        }
+        *value++ = '\0';
+        if (*ap_scan_http_token(buffer)) {
+            /* invalid name */
+            len = -1;
+            break;
+        }
         while (apr_isspace(*value))
             ++value;
         for (end = &value[strlen(value) - 1];
              end > value && apr_isspace(*end); --end)
             *end = '\0';
+        if (*ap_scan_http_field_content(value)) {
+            /* invalid value */
+            len = -1;
+            break;
+        }
         apr_table_add(r->headers_out, buffer, value);
     }
+    if (len < 0) {
+        /* Reset headers, but not to NULL because things below the chain expect
+         * this to be non NULL e.g. the ap_content_length_filter.
+         */
+        r->headers_out = apr_table_make(r->pool, 1);
+        return HTTP_BAD_GATEWAY;
+    }
 
     if ((buf = apr_table_get(r->headers_out, "Content-Type"))) {
         ap_set_content_type(r, apr_pstrdup(r->pool, buf));
Resolves: #2176723 - CVE-2023-27522 httpd:2.4/httpd: mod_proxy_uwsgi HTTP response splitting 2023-05-25 16:43:02 +00:00			`diff --git a/modules/proxy/mod_proxy_uwsgi.c b/modules/proxy/mod_proxy_uwsgi.c`
			`index 9dcbed1..a1b564d 100644`
			`--- a/modules/proxy/mod_proxy_uwsgi.c`
			`+++ b/modules/proxy/mod_proxy_uwsgi.c`
			`@@ -304,18 +304,16 @@ static int uwsgi_response(request_rec r, proxy_conn_rec backend,`
			`pass_bb = apr_brigade_create(r->pool, c->bucket_alloc);`

			`len = ap_getline(buffer, sizeof(buffer), rp, 1);`
			`-`
			`if (len <= 0) {`
			`- /* oops */`
			`+ /* invalid or empty */`
			`return HTTP_INTERNAL_SERVER_ERROR;`
			`}`
			`-`
			`backend->worker->s->read += len;`
			`-`
			`- if (len >= sizeof(buffer) - 1) {`
			`- /* oops */`
			`+ if ((apr_size_t)len >= sizeof(buffer)) {`
			`+ /* too long */`
			`return HTTP_INTERNAL_SERVER_ERROR;`
			`}`
			`+`
			`/* Position of http status code */`
			`if (apr_date_checkmask(buffer, "HTTP/#.# ###*")) {`
			`status_start = 9;`
			`@@ -324,8 +322,8 @@ static int uwsgi_response(request_rec r, proxy_conn_rec backend,`
			`status_start = 7;`
			`}`
			`else {`
			`- /* oops */`
			`- return HTTP_INTERNAL_SERVER_ERROR;`
			`+ /* not HTTP */`
			`+ return HTTP_BAD_GATEWAY;`
			`}`
			`status_end = status_start + 3;`

			`@@ -345,21 +343,44 @@ static int uwsgi_response(request_rec r, proxy_conn_rec backend,`
			`}`
			`r->status_line = apr_pstrdup(r->pool, &buffer[status_start]);`

			`- /* start parsing headers */`
			`+ /* parse headers */`
			`while ((len = ap_getline(buffer, sizeof(buffer), rp, 1)) > 0) {`
			`+ if ((apr_size_t)len >= sizeof(buffer)) {`
			`+ /* too long */`
			`+ len = -1;`
			`+ break;`
			`+ }`
			`value = strchr(buffer, ':');`
			`- /* invalid header skip */`
			`- if (!value)`
			`- continue;`
			`- *value = '\0';`
			`- ++value;`
			`+ if (!value) {`
			`+ /* invalid header */`
			`+ len = -1;`
			`+ break;`
			`+ }`
			`+ *value++ = '\0';`
			`+ if (*ap_scan_http_token(buffer)) {`
			`+ /* invalid name */`
			`+ len = -1;`
			`+ break;`
			`+ }`
			`while (apr_isspace(*value))`
			`++value;`
			`for (end = &value[strlen(value) - 1];`
			`end > value && apr_isspace(*end); --end)`
			`*end = '\0';`
			`+ if (*ap_scan_http_field_content(value)) {`
			`+ /* invalid value */`
			`+ len = -1;`
			`+ break;`
			`+ }`
			`apr_table_add(r->headers_out, buffer, value);`
			`}`
			`+ if (len < 0) {`
			`+ /* Reset headers, but not to NULL because things below the chain expect`
			`+ * this to be non NULL e.g. the ap_content_length_filter.`
			`+ */`
			`+ r->headers_out = apr_table_make(r->pool, 1);`
			`+ return HTTP_BAD_GATEWAY;`
			`+ }`

			`if ((buf = apr_table_get(r->headers_out, "Content-Type"))) {`
			`ap_set_content_type(r, apr_pstrdup(r->pool, buf));`