altarch-user / rpms / httpd

Forked from rpms/httpd 2 years ago
Clone

Blame SOURCES/httpd-2.4.6-CVE-2019-0220.patch

008793
diff --git a/docs/manual/mod/core.html.en b/docs/manual/mod/core.html.en
008793
index 86d9bee..e08034b 100644
008793
--- a/docs/manual/mod/core.html.en
008793
+++ b/docs/manual/mod/core.html.en
008793
@@ -90,6 +90,7 @@ available
008793
 
  • MaxRangeOverlaps
  • 008793
     
  • MaxRangeReversals
  • 008793
     
  • MaxRanges
  • 008793
    +
  • MergeSlashes
  • 008793
     
  • Mutex
  • 008793
     
  • NameVirtualHost
  • 008793
     
  • Options
  • 008793
    @@ -3170,6 +3171,30 @@ resource 
    008793
     
    008793
     
    008793
     
    top
    008793
    +
    008793
    +
    008793
    +Description:Controls whether the server merges consecutive slashes in URLs. 
    008793
    +Syntax:MergeSlashes ON | OFF
    008793
    +Default:MergeSlashes ON
    008793
    +Context:server config, virtual host
    008793
    +Status:Core
    008793
    +Module:core
    008793
    +Compatibility:Available in Apache HTTP Server 2.4.6 in Red Hat Enterprise Linux 7
    008793
    +
    008793
    +    

    By default, the server merges (or collapses) multiple consecutive slash

    008793
    +       ('/') characters in the path component of the request URL.

    008793
    +
    008793
    +    

    When mapping URL's to the filesystem, these multiple slashes are not

    008793
    +       significant.  However, URL's handled other ways, such as by CGI or proxy,
    008793
    +       might prefer to retain the significance of multiple consecutive slashes. 
    008793
    +       In these cases MergeSlashes can be set to 
    008793
    +       OFF to retain the multiple consecutive slashes.  In these
    008793
    +       configurations, regular expressions used in the configuration file that match
    008793
    +       the path component of the URL (LocationMatch,
    008793
    +       RewriteRule, ...) need to take into account multiple 
    008793
    +       consecutive slashes.

    008793
    +
    008793
    +
    top
    008793
     
    008793
     
    008793
     Description:Configures mutex mechanism and lock file directory for all
    008793
    diff --git a/include/http_core.h b/include/http_core.h
    008793
    index c05d06e..76bf5a4 100644
    008793
    --- a/include/http_core.h
    008793
    +++ b/include/http_core.h
    008793
    @@ -465,6 +465,17 @@ typedef unsigned long etag_components_t;
    008793
     /* This is the default value used */
    008793
     #define ETAG_BACKWARD (ETAG_MTIME | ETAG_SIZE)
    008793
     
    008793
    +/* Generic ON/OFF/UNSET for unsigned int foo :2 */
    008793
    +#define AP_CORE_CONFIG_OFF   (0)
    008793
    +#define AP_CORE_CONFIG_ON    (1)
    008793
    +#define AP_CORE_CONFIG_UNSET (2)
    008793
    +
    008793
    +/* Generic merge of flag */
    008793
    +#define AP_CORE_MERGE_FLAG(field, to, base, over) to->field = \
    008793
    +               over->field != AP_CORE_CONFIG_UNSET            \
    008793
    +               ? over->field                                  \
    008793
    +               : base->field
    008793
    +
    008793
     /**
    008793
      * @brief Server Signature Enumeration
    008793
      */
    008793
    @@ -682,7 +693,7 @@ typedef struct {
    008793
     #define AP_HTTP_METHODS_LENIENT       1
    008793
     #define AP_HTTP_METHODS_REGISTERED    2
    008793
         char http_methods;
    008793
    -
    008793
    +    unsigned int merge_slashes;
    008793
     } core_server_config;
    008793
     
    008793
     /* for AddOutputFiltersByType in core.c */
    008793
    diff --git a/include/httpd.h b/include/httpd.h
    008793
    index 176ef5e..a552358 100644
    008793
    --- a/include/httpd.h
    008793
    +++ b/include/httpd.h
    008793
    @@ -1622,11 +1622,21 @@ AP_DECLARE(int) ap_unescape_url_keep2f(char *url, int decode_slashes);
    008793
     AP_DECLARE(int) ap_unescape_urlencoded(char *query);
    008793
     
    008793
     /**
    008793
    - * Convert all double slashes to single slashes
    008793
    - * @param name The string to convert
    008793
    + * Convert all double slashes to single slashes, except where significant
    008793
    + * to the filesystem on the current platform.
    008793
    + * @param name The string to convert, assumed to be a filesystem path
    008793
      */
    008793
     AP_DECLARE(void) ap_no2slash(char *name);
    008793
     
    008793
    +/**
    008793
    + * Convert all double slashes to single slashes, except where significant
    008793
    + * to the filesystem on the current platform.
    008793
    + * @param name The string to convert
    008793
    + * @param is_fs_path if set to 0, the significance of any double-slashes is 
    008793
    + *        ignored.
    008793
    + */
    008793
    +AP_DECLARE(void) ap_no2slash_ex(char *name, int is_fs_path);
    008793
    +
    008793
     /**
    008793
      * Remove all ./ and xx/../ substrings from a file name. Also remove
    008793
      * any leading ../ or /../ substrings.
    008793
    diff --git a/server/core.c b/server/core.c
    008793
    index 0e69f8c..67efd7e 100644
    008793
    --- a/server/core.c
    008793
    +++ b/server/core.c
    008793
    @@ -476,6 +476,7 @@ static void *create_core_server_config(apr_pool_t *a, server_rec *s)
    008793
          */
    008793
     
    008793
         conf->trace_enable = AP_TRACE_UNSET;
    008793
    +    conf->merge_slashes = AP_CORE_CONFIG_UNSET;
    008793
     
    008793
         return (void *)conf;
    008793
     }
    008793
    @@ -536,6 +537,8 @@ static void *merge_core_server_configs(apr_pool_t *p, void *basev, void *virtv)
    008793
                                ? virt->merge_trailers
    008793
                                : base->merge_trailers;
    008793
     
    008793
    +    AP_CORE_MERGE_FLAG(merge_slashes, conf, base, virt);
    008793
    +
    008793
         return conf;
    008793
     }
    008793
     
    008793
    @@ -1673,6 +1676,13 @@ static const char *set_override(cmd_parms *cmd, void *d_, const char *l)
    008793
         return NULL;
    008793
     }
    008793
     
    008793
    +static const char *set_core_server_flag(cmd_parms *cmd, void *s_, int flag)
    008793
    +{
    008793
    +    core_server_config *conf =
    008793
    +        ap_get_core_module_config(cmd->server->module_config);
    008793
    +    return ap_set_flag_slot(cmd, conf, flag);
    008793
    +}
    008793
    +
    008793
     static const char *set_override_list(cmd_parms *cmd, void *d_, int argc, char *const argv[])
    008793
     {
    008793
         core_dir_config *d = d_;
    008793
    @@ -4216,6 +4226,10 @@ AP_INIT_ITERATE("HttpProtocolOptions", set_http_protocol_options, NULL, RSRC_CON
    008793
     ,
    008793
     AP_INIT_ITERATE("RegisterHttpMethod", set_http_method, NULL, RSRC_CONF,
    008793
                     "Registers non-standard HTTP methods"),
    008793
    +AP_INIT_FLAG("MergeSlashes", set_core_server_flag, 
    008793
    +             (void *)APR_OFFSETOF(core_server_config, merge_slashes),  
    008793
    +             RSRC_CONF,
    008793
    +             "Controls whether consecutive slashes in the URI path are merged"),
    008793
     { NULL }
    008793
     };
    008793
     
    008793
    diff --git a/server/request.c b/server/request.c
    008793
    index 4eef097..cba3891 100644
    008793
    --- a/server/request.c
    008793
    +++ b/server/request.c
    008793
    @@ -167,6 +167,8 @@ AP_DECLARE(int) ap_process_request_internal(request_rec *r)
    008793
         int file_req = (r->main && r->filename);
    008793
         int access_status;
    008793
         core_dir_config *d;
    008793
    +    core_server_config *sconf =
    008793
    +        ap_get_core_module_config(r->server->module_config);
    008793
     
    008793
         /* Ignore embedded %2F's in path for proxy requests */
    008793
         if (!r->proxyreq && r->parsed_uri.path) {
    008793
    @@ -191,6 +193,12 @@ AP_DECLARE(int) ap_process_request_internal(request_rec *r)
    008793
         }
    008793
     
    008793
         ap_getparents(r->uri);     /* OK --- shrinking transformations... */
    008793
    +    if (sconf->merge_slashes != AP_CORE_CONFIG_OFF) { 
    008793
    +        ap_no2slash(r->uri);
    008793
    +        if (r->parsed_uri.path) {
    008793
    +            ap_no2slash(r->parsed_uri.path);
    008793
    +        }
    008793
    +     }
    008793
     
    008793
         /* All file subrequests are a huge pain... they cannot bubble through the
    008793
          * next several steps.  Only file subrequests are allowed an empty uri,
    008793
    @@ -1383,20 +1391,7 @@ AP_DECLARE(int) ap_location_walk(request_rec *r)
    008793
     
    008793
         cache = prep_walk_cache(AP_NOTE_LOCATION_WALK, r);
    008793
         cached = (cache->cached != NULL);
    008793
    -
    008793
    -    /* Location and LocationMatch differ on their behaviour w.r.t. multiple
    008793
    -     * slashes.  Location matches multiple slashes with a single slash,
    008793
    -     * LocationMatch doesn't.  An exception, for backwards brokenness is
    008793
    -     * absoluteURIs... in which case neither match multiple slashes.
    008793
    -     */
    008793
    -    if (r->uri[0] != '/') {
    008793
    -        entry_uri = r->uri;
    008793
    -    }
    008793
    -    else {
    008793
    -        char *uri = apr_pstrdup(r->pool, r->uri);
    008793
    -        ap_no2slash(uri);
    008793
    -        entry_uri = uri;
    008793
    -    }
    008793
    +    entry_uri = r->uri;
    008793
     
    008793
         /* If we have an cache->cached location that matches r->uri,
    008793
          * and the vhost's list of locations hasn't changed, we can skip
    008793
    @@ -1449,7 +1444,7 @@ AP_DECLARE(int) ap_location_walk(request_rec *r)
    008793
                  * terminated (or at the end of the string) to match.
    008793
                  */
    008793
                 if (entry_core->r
    008793
    -                ? ap_regexec(entry_core->r, r->uri, 0, NULL, 0)
    008793
    +                ? ap_regexec(entry_core->r, entry_uri, 0, NULL, 0)
    008793
                     : (entry_core->d_is_fnmatch
    008793
                        ? apr_fnmatch(entry_core->d, cache->cached, APR_FNM_PATHNAME)
    008793
                        : (strncmp(entry_core->d, cache->cached, len)
    008793
    diff --git a/server/util.c b/server/util.c
    008793
    index f9e3b51..4eac462 100644
    008793
    --- a/server/util.c
    008793
    +++ b/server/util.c
    008793
    @@ -561,16 +561,20 @@ AP_DECLARE(void) ap_getparents(char *name)
    008793
             name[l] = '\0';
    008793
         }
    008793
     }
    008793
    -
    008793
    -AP_DECLARE(void) ap_no2slash(char *name)
    008793
    +AP_DECLARE(void) ap_no2slash_ex(char *name, int is_fs_path)
    008793
     {
    008793
    +
    008793
         char *d, *s;
    008793
     
    008793
    +    if (!*name) {
    008793
    +        return;
    008793
    +    }
    008793
    +
    008793
         s = d = name;
    008793
     
    008793
     #ifdef HAVE_UNC_PATHS
    008793
         /* Check for UNC names.  Leave leading two slashes. */
    008793
    -    if (s[0] == '/' && s[1] == '/')
    008793
    +    if (is_fs_path && s[0] == '/' && s[1] == '/')
    008793
             *d++ = *s++;
    008793
     #endif
    008793
     
    008793
    @@ -587,6 +591,10 @@ AP_DECLARE(void) ap_no2slash(char *name)
    008793
         *d = '\0';
    008793
     }
    008793
     
    008793
    +AP_DECLARE(void) ap_no2slash(char *name)
    008793
    +{
    008793
    +    ap_no2slash_ex(name, 1);
    008793
    +}
    008793
     
    008793
     /*
    008793
      * copy at most n leading directories of s into d