Posted to cvs@httpd.apache.org by jo...@apache.org on 2012/07/02 10:51:03 UTC
svn commit: r1356115 - in /httpd/httpd/trunk: CHANGES docs/manual/mod/mod_rewrite.xml modules/mappers/mod_rewrite.c
Author: jorton
Date: Mon Jul 2 08:51:01 2012
New Revision: 1356115
URL: http://svn.apache.org/viewvc?rev=1356115&view=rev
Log:
* modules/mappers/mod_rewrite.c (cmd_rewriteoptions, hook_uri2file):
Add "AllowAnyURI" flag which disables the strict URL-path input
string check introduced to fix CVE-2011-3368/CVE-2011-4317.
* docs/manual: Update docs.
Inspired by: covener
Modified:
httpd/httpd/trunk/CHANGES
httpd/httpd/trunk/docs/manual/mod/mod_rewrite.xml
httpd/httpd/trunk/modules/mappers/mod_rewrite.c
Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=1356115&r1=1356114&r2=1356115&view=diff
==============================================================================
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Mon Jul 2 08:51:01 2012
@@ -6,6 +6,8 @@ Changes with Apache 2.5.0
possible XSS for a site where untrusted users can upload files to
a location with MultiViews enabled. [Niels Heinen <heinenn google.com>]
+ *) mod_rewrite: Add "AllowAnyURI" option. PR 52774. [Joe Orton]
+
*) mod_ssl: Add RFC 5878 support. [Ben Laurie]
*) mod_authz_core: If an expression in "Require expr" returns denied and
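Review bot: the CHANGES entry on the added line only says "Add "AllowAnyURI" option" without telling readers what it does; since the option disables the URL-path input check added for CVE-2011-3368/CVE-2011-4317 (as the log message and the mod_rewrite.c comment state), the entry should say so, e.g. "Add "AllowAnyURI" option to disable the URL-path input check introduced for CVE-2011-3368/CVE-2011-4317 (not recommended). PR 52774."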
Modified: httpd/httpd/trunk/docs/manual/mod/mod_rewrite.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_rewrite.xml?rev=1356115&r1=1356114&r2=1356115&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/mod_rewrite.xml (original)
+++ httpd/httpd/trunk/docs/manual/mod/mod_rewrite.xml Mon Jul 2 08:51:01 2012
@@ -188,6 +188,38 @@ later</compatibility>
later.</p>
</dd>
+ <dt><code>AllowAnyURI</code></dt>
+ <dd>
+
+ <p>When <directive module="mod_rewrite">RewriteRule</directive>
+ is used in <code>VirtualHost</code> or server context with
+ version 2.2.22 or later of httpd, <module>mod_rewrite</module>
+ will only process the rewrite rules if the request URI is a <a
+ href="./directive-dict.html#Syntax">URL-path</a>. This avoids
+ some security issues where particular rules could allow
+ "surprising" pattern expansions (see <a
+ href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3368">CVE-2011-3368</a>
+ and <a
+ href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4317">CVE-2011-4317</a>).
+ To lift the restriction on matching a URL-path, the
+ <code>AllowAnyURI</code> option can be enabled, and
+ <module>mod_rewrite</module> will apply the rule set to any
+ request URI string, regardless of whether that string matches
+ the URL-path grammar required by the HTTP specification.</p>
+
+ <note type="warning">
+ <title>Security Warning</title>
+
+ <p>Enabling this option will make the server vulnerable to
+ security issues if used with rewrite rules which are not
+ carefully authored. It is <strong>strongly recommended</strong>
+ that this option is not used. In particular, beware of input
+ strings containing the '<code>@</code>' character which could
+ change the interpretation of the transformed URI, as per the
+ above CVE names.</p>
+ </note>
+ </dd>
+
</dl>
</usage>
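Review bot: the new `<dd>` block gives no version in which `AllowAnyURI` itself became available; the only version cited (2.2.22) is the one that introduced the restriction, so a reader of this page cannot tell whether the option exists on their release. The surrounding `<compatibility>` element visible in the hunk header is the place to record that. In the warning paragraph, "beware of input strings containing the '@' character" would be clearer if it stated the consequence directly: with the check lifted, a non-URL-path request-URI (an absolute URI with userinfo, or an authority-form target) reaches the rule set unchanged and can alter how the rewritten target is interpreted, which is the behaviour the two CVEs describe.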
Modified: httpd/httpd/trunk/modules/mappers/mod_rewrite.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/mappers/mod_rewrite.c?rev=1356115&r1=1356114&r2=1356115&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/mappers/mod_rewrite.c (original)
+++ httpd/httpd/trunk/modules/mappers/mod_rewrite.c Mon Jul 2 08:51:01 2012
@@ -190,6 +190,7 @@ static const char* really_last_key = "re
#define OPTION_INHERIT 1<<1
#define OPTION_INHERIT_BEFORE 1<<2
#define OPTION_NOSLASH 1<<3
+#define OPTION_ANYURI 1<<4
#ifndef RAND_MAX
#define RAND_MAX 32767
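Review bot: `#define OPTION_ANYURI 1<<4` follows the unparenthesized style of the neighbouring `OPTION_*` macros, so it is consistent, but none of them is safe to use in an expression with a higher-precedence operator on either side; since this commit adds a new one, it is a good moment to write `(1<<4)` and leave a follow-up to parenthesize the rest.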
@@ -2895,6 +2896,9 @@ static const char *cmd_rewriteoptions(cm
"LimitInternalRecursion directive and will be "
"ignored.");
}
+ else if (!strcasecmp(w, "allowanyuri")) {
+ options |= OPTION_ANYURI;
+ }
else {
return apr_pstrcat(cmd->pool, "RewriteOptions: unknown option '",
w, "'", NULL);
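Review bot: the new `allowanyuri` branch silently sets `OPTION_ANYURI`, yet the documentation hunk in this same commit describes the option as strongly discouraged. An administrator has no signal in the error log that a CVE fix has been switched off; consider emitting a startup warning from this branch (via `ap_log_error` at the existing `cmd->server`) when the option is enabled, so the setting is visible to whoever reviews the configuration later.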
@@ -4443,8 +4447,14 @@ static int hook_uri2file(request_rec *r)
return DECLINED;
}
- if ((r->unparsed_uri[0] == '*' && r->unparsed_uri[1] == '\0')
- || !r->uri || r->uri[0] != '/') {
+ /* Unless the anyuri option is set, ensure that the input to the
+ * first rule really is a URL-path, avoiding security issues with
+ * poorly configured rules. See CVE-2011-3368, CVE-2011-4317. */
+ if ((dconf->options & OPTION_ANYURI) == 0
+ && ((r->unparsed_uri[0] == '*' && r->unparsed_uri[1] == '\0')
+ || !r->uri || r->uri[0] != '/')) {
+ rewritelog((r, 8, NULL, "Declining, request-URI '%s' is not a URL-path",
+ r->uri));
return DECLINED;
}
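Review bot: two points on the rewritten condition. First, the `OPTION_ANYURI` short-circuit now also bypasses the `r->unparsed_uri[0] == '*' && r->unparsed_uri[1] == '\0'` branch, so with the option set the rule set is applied to an `OPTIONS *` request (a request-URI of `*`, not a path); if that is intended it should be stated in the docs hunk, otherwise keep the `*` check unconditional and gate only the `r->uri[0] != '/'` part behind the option. Second, the `rewritelog` call formats `r->uri` with `%s`, but one of the conditions that reaches it is `!r->uri`; logging `r->unparsed_uri` instead both avoids the NULL argument and shows the operator the string that actually failed the check.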