mod_xml2enc: fix media type handling

vulnerability (CVE-2023-31122)

httpd-2.4.57-r1884505+.patch

@@ -0,0 +1,39 @@
+# ./pullrev.sh 1884505 1915625
+http://svn.apache.org/viewvc?view=revision&revision=1884505
+http://svn.apache.org/viewvc?view=revision&revision=1915625
+
+--- httpd-2.4.57/modules/filters/mod_xml2enc.c
++++ httpd-2.4.57/modules/filters/mod_xml2enc.c
+@@ -329,7 +329,7 @@
+     apr_bucket* bstart;
+     apr_size_t insz = 0;
+     int pending_meta = 0;
+-    char *ctype;
++    char *mtype;
+     char *p;
+ 
+     if (!ctx || !f->r->content_type) {
+@@ -338,13 +338,17 @@
+         return ap_pass_brigade(f->next, bb) ;
+     }
+ 
+-    ctype = apr_pstrdup(f->r->pool, f->r->content_type);
+-    for (p = ctype; *p; ++p)
+-        if (isupper(*p))
+-            *p = tolower(*p);
++    /* Extract the media type, ignoring parameters in content-type. */
++    mtype = apr_pstrdup(f->r->pool, f->r->content_type);
++    if ((p = ap_strchr(mtype, ';')) != NULL) *p = '\0';
++    ap_str_tolower(mtype);
+ 
+-    /* only act if starts-with "text/" or contains "xml" */
+-    if (strncmp(ctype, "text/", 5) && !strstr(ctype, "xml"))  {
++    /* Accept text/ types, plus any XML media type per RFC 7303. */
++    if (!(strncmp(mtype, "text/", 5) == 0
++          || strcmp(mtype, "application/xml") == 0
++          || (strlen(mtype) > 7 /* minimum 'a/b+xml' length */
++              && (p = strstr(mtype, "+xml")) != NULL
++              && strlen(p) == 4 /* ensures +xml is a suffix */))) {
+         ap_remove_output_filter(f);
+         return ap_pass_brigade(f->next, bb) ;
+     }

httpd.spec

@@ -13,7 +13,7 @@
 Summary: Apache HTTP Server
 Name: httpd
 Version: 2.4.57
-Release: 7%{?dist}
+Release: 8%{?dist}
 URL: https://httpd.apache.org/
 Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
 Source1: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2.asc
@@ -118,7 +118,8 @@ Patch69: httpd-2.4.57-covscan.patch
 Patch70: httpd-2.4.57-mod_status-duplicate-key.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2217726
 Patch71: httpd-2.4.57-davenoent.patch
-
+# https://issues.redhat.com/browse/RHEL-17686
+Patch72: httpd-2.4.57-r1884505+.patch
 
 # Security fixes
 # https://bugzilla.redhat.com/show_bug.cgi?id=...
@@ -295,6 +296,7 @@ written in the Lua programming language.
 %patch69 -p1 -b .covstan
 %patch70 -p1 -b .duplicate-key
 %patch71 -p1 -b .davenoent
+%patch72 -p1 -b .r1884505+
 
 %patch200 -p1 -b .CVE-2023-31122
 
@@ -857,6 +859,10 @@ exit $rv
 %{_rpmconfigdir}/macros.d/macros.httpd
 
 %changelog
+* Wed Feb  7 2024 Joe Orton <jorton@redhat.com> - 2.4.57-8
+- mod_xml2enc: fix media type handling
+  Resolves: RHEL-17686
+
 * Mon Feb 05 2024 Luboš Uhliarik <luhliari@redhat.com> - 2.4.57-7
 - Resolves: RHEL-14447 - httpd: mod_macro: out-of-bounds read
   vulnerability (CVE-2023-31122)