From 031bcdc79454aca45bf1aa5d7836b59355f71453 Mon Sep 17 00:00:00 2001
From: pojunxing
Date: Sat, 22 Feb 2025 19:39:23 +0800
Subject: [PATCH] fix overlong scheme check
---
 backport-fix-overlong-scheme-check.patch | 54 ++++++++++++++++++++++++
 httpd.spec | 9 +++-
 2 files changed, 62 insertions(+), 1 deletion(-)
 create mode 100644 backport-fix-overlong-scheme-check.patch
diff --git a/backport-fix-overlong-scheme-check.patch b/backport-fix-overlong-scheme-check.patch
new file mode 100644
index 0000000..4812a0f
--- /dev/null
+++ b/backport-fix-overlong-scheme-check.patch
@@ -0,0 +1,54 @@
+From 9f7d27daddf1c1df1f6f6b56c756c04fe51470b5 Mon Sep 17 00:00:00 2001
+From: Yann Ylavic
+Date: Tue, 2 Mar 2021 20:50:40 +0000
+Subject: [PATCH] Merge r1886141, r1886151 from trunk:
+
+* We need to check for (!scheme && (u = strchr(url, ':')) && (u - url) > 14)
+ later as (!scheme || u[0] != '/' || u[1] != '/' || u[2] == '\0') is true
+ for requests with the CONNECT method which we need to decline. But in many
+ cases requests with the CONNECT method have (u - url) > 14 as in this
+ case (u - url) is the length of the FQDN the forward proxy should connect
+ to.
+
+
+mod_proxy_http: follow up to r1886141, axe overlong scheme check.
+
+Since mod_proxy can see CONNECT URIs, "hostname:port" versus "scheme:"
+is hardly distinguishable (we don't want to limit the length of hostnames),
+and we don't allocate the scheme anymore while parsing, let's simply decline
+unrecognized schemes (overlong or not) and be caught by the no-handler case
+if there really is no proxy handler interested.
+
+
+Submitted by: rpluem, ylavic
+Reviewed by: ylavic, covener, icing
+
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1887118 13f79535-47bb-0310-9956-ffa450edef68
+
+Conflict:httpd-2.4.43 don`t have should_send_brigade function
+Reference:https://github.com/apache/httpd/commit/9f7d27dad
+
+---
+ modules/proxy/mod_proxy_http.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/modules/proxy/mod_proxy_http.c b/modules/proxy/mod_proxy_http.c
+index 14f94b1..ada5ae0 100644
+--- a/modules/proxy/mod_proxy_http.c
++++ b/modules/proxy/mod_proxy_http.c
+@@ -2120,11 +2120,6 @@ static int proxy_http_handler(request_rec *r, proxy_worker *worker,
+ is_ssl = 0;
+ }
+ if (!scheme || u[0] != '/' || u[1] != '/' || u[2] == '\0') {
+- if (!scheme && (u = strchr(url, ':')) && (u - url) > 14) {
+- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10262)
+- "overlong proxy URL scheme in %s", url);
+- return HTTP_BAD_REQUEST;
+- }
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01113)
+ "HTTP: declining URL %s", url);
+ return DECLINED; /* only interested in HTTP, WS or FTP via proxy */
+-- 
+2.33.0
+
diff --git a/httpd.spec b/httpd.spec
index b0414ae..28b078f 100644
--- a/httpd.spec
+++ b/httpd.spec
@@ -8,7 +8,7 @@
 Name: httpd
 Summary: Apache HTTP Server
 Version: 2.4.43
-Release: 26
+Release: 27
 License: ASL 2.0
 URL: https://httpd.apache.org/
 Source0: https://archive.apache.org/dist/httpd/httpd-%{version}.tar.bz2
@@ -125,6 +125,7 @@ Patch71: backport-CVE-2024-38476-add-ap_set_content_type_ex-to-differen
 Patch72: backport-CVE-2024-38477-validate-hostsname.patch
 Patch73: backport-CVE-2024-39884-maintain-trusted-flag.patch
 Patch74: backport-CVE-2024-40725.patch
+Patch75: backport-fix-overlong-scheme-check.patch
 BuildRequires: gcc autoconf pkgconfig findutils xmlto perl-interpreter perl-generators systemd-devel
 BuildRequires: zlib-devel libselinux-devel lua-devel brotli-devel
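Review bot: The subject and patch name say "fix overlong scheme check", but the embedded mod_proxy_http.c hunk deletes the check outright: the five removed lines are the `(u - url) > 14` test, its `APLOG_ERR` message under `APLOGNO(10262)` and the `return HTTP_BAD_REQUEST;`. What remains in that branch is `return DECLINED;` with only the `APLOG_DEBUG` message `APLOGNO(01113)`, so monitoring that keys on the 10262 log entry or on the 400 response would presumably stop firing once this package ships. I would record that in the packaging text, for example `- DESC:remove overlong proxy scheme check; unrecognised schemes are declined instead of rejected with 400`. The `Conflict:` line could also state how the conflict was resolved, since the header names two upstream revisions while the diffstat shows a single five-line deletion. The body of proxy_http_handler starts and ends outside the embedded hunk.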
@@ -561,6 +562,12 @@ exit $rv
 %{_rpmconfigdir}/macros.d/macros.httpd
 %changelog
+* Sat Mar 01 2025 chengyechun 2.4.43-27
+- Type:bugfix
+- ID:
+- SUG:NA
+- DESC:fix overlong scheme check
+
 * Wed Aug 28 2024 Han Jinpeng - 2.4.43-26
 - Type:CVE
 - ID:CVE-2024-40725
-- 
Gitee