httpd/httpd-2.4.63-CVE-2026-24072.patch
2026-07-01 07:22:56 -04:00

81 lines
3.4 KiB
Diff

diff --git a/modules/mappers/mod_rewrite.c b/modules/mappers/mod_rewrite.c
index 93430e5..c718f6f 100644
--- a/modules/mappers/mod_rewrite.c
+++ b/modules/mappers/mod_rewrite.c
@@ -3673,12 +3673,17 @@ static const char *cmd_rewritecond(cmd_parms *cmd, void *in_dconf,
newcond->regexp = regexp;
}
else if (newcond->ptype == CONDPAT_AP_EXPR) {
+ int in_htaccess = cmd->pool == cmd->temp_pool;
unsigned int flags = newcond->flags & CONDFLAG_NOVARY ?
AP_EXPR_FLAG_DONT_VARY : 0;
+ /* Use restricted ap_expr() parser in htaccess context. */
+ if (in_htaccess) flags |= AP_EXPR_FLAG_RESTRICTED;
newcond->expr = ap_expr_parse_cmd(cmd, a2, flags, &err, NULL);
if (err)
return apr_psprintf(cmd->pool, "RewriteCond: cannot compile "
- "expression \"%s\": %s", a2, err);
+ "expression%s \"%s\" %s",
+ in_htaccess ? " in htaccess context" : "",
+ a2, err);
}
return NULL;
diff --git a/modules/metadata/mod_setenvif.c b/modules/metadata/mod_setenvif.c
index 23d60cd..b74c9c0 100644
--- a/modules/metadata/mod_setenvif.c
+++ b/modules/metadata/mod_setenvif.c
@@ -422,6 +422,12 @@ static const char *add_setenvifexpr(cmd_parms *cmd, void *mconfig,
sei_cfg_rec *sconf;
sei_entry *new;
const char *err;
+ unsigned int flags = 0;
+
+ /* Use restricted ap_expr() parser in htaccess context. */
+ if (cmd->pool == cmd->temp_pool) {
+ flags |= AP_EXPR_FLAG_RESTRICTED;
+ }
/*
* Determine from our context into which record to put the entry.
@@ -445,7 +451,7 @@ static const char *add_setenvifexpr(cmd_parms *cmd, void *mconfig,
new->regex = NULL;
new->pattern = NULL;
new->preg = NULL;
- new->expr = ap_expr_parse_cmd(cmd, expr, 0, &err, NULL);
+ new->expr = ap_expr_parse_cmd(cmd, expr, flags, &err, NULL);
if (err)
return apr_psprintf(cmd->pool, "Could not parse expression \"%s\": %s",
expr, err);
diff --git a/modules/proxy/mod_proxy_fcgi.c b/modules/proxy/mod_proxy_fcgi.c
index 128cf1e..ef090dd 100644
--- a/modules/proxy/mod_proxy_fcgi.c
+++ b/modules/proxy/mod_proxy_fcgi.c
@@ -1338,9 +1338,15 @@ static const char *cmd_setenv(cmd_parms *cmd, void *in_dconf,
const char *err;
sei_entry *new;
const char *envvar = arg2;
+ unsigned int flags = 0;
+
+ /* Use restricted ap_expr() parser in htaccess context. */
+ if (cmd->pool == cmd->temp_pool) {
+ flags |= AP_EXPR_FLAG_RESTRICTED;
+ }
new = apr_array_push(dconf->env_fixups);
- new->cond = ap_expr_parse_cmd(cmd, arg1, 0, &err, NULL);
+ new->cond = ap_expr_parse_cmd(cmd, arg1, flags, &err, NULL);
if (err) {
return apr_psprintf(cmd->pool, "Could not parse expression \"%s\": %s",
arg1, err);
@@ -1367,7 +1373,8 @@ static const char *cmd_setenv(cmd_parms *cmd, void *in_dconf,
arg3 = "";
}
- new->subst = ap_expr_parse_cmd(cmd, arg3, AP_EXPR_FLAG_STRING_RESULT, &err, NULL);
+ flags |= AP_EXPR_FLAG_STRING_RESULT;
+ new->subst = ap_expr_parse_cmd(cmd, arg3, flags, &err, NULL);
if (err) {
return apr_psprintf(cmd->pool, "Could not parse expression \"%s\": %s",
arg3, err);