You are viewing a plain text version of this content. The canonical link for it is here.

Posted to bugs@httpd.apache.org by bu...@apache.org on 2021/10/05 21:18:11 UTC

[Bug 65616] CVE-2021-36160 regression

https://bz.apache.org/bugzilla/show_bug.cgi?id=65616

--- Comment #1 from Yann Ylavic <yl...@gmail.com> ---
> 
>         ProxyPass /uwsgi-pp uwsgi://localhost:8001/

The double '/' comes from the above, and could be avoided by using:
  ProxyPass /uwsgi-pp uwsgi://localhost:8001
or:
  ProxyPass /uwsgi-pp/ uwsgi://localhost:8001/

Using one or the other depends on whether you want e.g."/uwsgi-ppfoo" to be
passed too or not (whereas "/uwsgi-pp/foo" will be passed by both).

>         ProxyPass /uwsgi-pps/ uwsgi://localhost:8001/

This one looks good.

>         ProxyPassMatch ^/admin uwsgi://localhost:8001/

Same here:
  ProxyPassMatch ^/admin uwsgi://localhost:8001
or:
  ProxyPassMatch ^/(admin/.*) uwsgi://localhost:8001/$1

> 
> I can dedicate time to work on a patch, if you have a test case for
> CVE-2021-36160 (to ensure the vulnerability stay fixed).

CVE-2021-36160 is actually fixed by r1892874, though depending on the playload
it might have crashed here (we don't disclose exploits so there is no known
test case).

Pointing u_path_info (PATH_INFO) to the right most leading '/' to fix your
issue is an option, if you want to address it at the code level (rather than in
your configuration).

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org