httpd/httpd-2.4.37-CVE-2024-39573.patch
Luboš Uhliarik 51b23565c0 Resolves: RHEL-45812 - httpd:2.4/httpd: Substitution encoding issue
in mod_rewrite (CVE-2024-38474)
Resolves: RHEL-45785 - httpd:2.4/httpd: Encoding problem in
  mod_proxy (CVE-2024-38473)
Resolves: RHEL-45777 - httpd:2.4/httpd: Improper escaping of output
  in mod_rewrite (CVE-2024-38475)
Resolves: RHEL-45758 - httpd:2.4/httpd: null pointer dereference
  in mod_proxy (CVE-2024-38477)
Resolves: RHEL-45743 - httpd:2.4/httpd: Potential SSRF
  in mod_rewrite (CVE-2024-39573)
2024-07-12 00:55:48 +02:00

57 lines
2.4 KiB
Diff

diff --git a/modules/mappers/mod_rewrite.c b/modules/mappers/mod_rewrite.c
index 797f093..114b126 100644
--- a/modules/mappers/mod_rewrite.c
+++ b/modules/mappers/mod_rewrite.c
@@ -4311,6 +4311,32 @@ static rule_return_type apply_rewrite_rule(rewriterule_entry *p,
return RULE_RC_NOSUB;
}
+ /* Add the previously stripped per-directory location prefix, unless
+ * (1) it's an absolute URL path and
+ * (2) it's a full qualified URL
+ */
+ if (!is_proxyreq && *newuri != '/' && !is_absolute_uri(newuri, NULL)) {
+ if (ctx->perdir) {
+ rewritelog((r, 3, ctx->perdir, "add per-dir prefix: %s -> %s%s",
+ newuri, ctx->perdir, newuri));
+
+ newuri = apr_pstrcat(r->pool, ctx->perdir, newuri, NULL);
+ }
+ else if (!(p->flags & (RULEFLAG_PROXY | RULEFLAG_FORCEREDIRECT))) {
+ /* Not an absolute URI-path and the scheme (if any) is unknown,
+ * and it won't be passed to fully_qualify_uri() below either,
+ * so add an implicit '/' prefix. This avoids potentially a common
+ * rule like "RewriteRule ^/some/path(.*) $1" that is given a path
+ * like "/some/pathscheme:..." to produce the fully qualified URL
+ * "scheme:..." which could be misinterpreted later.
+ */
+ rewritelog((r, 3, ctx->perdir, "add root prefix: %s -> /%s",
+ newuri, newuri));
+
+ newuri = apr_pstrcat(r->pool, "/", newuri, NULL);
+ }
+ }
+
/* Now adjust API's knowledge about r->filename and r->args */
r->filename = newuri;
@@ -4320,18 +4346,6 @@ static rule_return_type apply_rewrite_rule(rewriterule_entry *p,
splitout_queryargs(r, p->flags);
- /* Add the previously stripped per-directory location prefix, unless
- * (1) it's an absolute URL path and
- * (2) it's a full qualified URL
- */
- if ( ctx->perdir && !is_proxyreq && *r->filename != '/'
- && !is_absolute_uri(r->filename, NULL)) {
- rewritelog((r, 3, ctx->perdir, "add per-dir prefix: %s -> %s%s",
- r->filename, ctx->perdir, r->filename));
-
- r->filename = apr_pstrcat(r->pool, ctx->perdir, r->filename, NULL);
- }
-
/* If this rule is forced for proxy throughput
* (`RewriteRule ... ... [P]') then emulate mod_proxy's
* URL-to-filename handler to be sure mod_proxy is triggered