You are viewing a plain text version of this content. The canonical link for it is here.
Posted to bugs@httpd.apache.org by bu...@apache.org on 2021/10/05 21:18:11 UTC
[Bug 65616] CVE-2021-36160 regression
https://bz.apache.org/bugzilla/show_bug.cgi?id=65616
--- Comment #1 from Yann Ylavic <yl...@gmail.com> ---
>
> ProxyPass /uwsgi-pp uwsgi://localhost:8001/
The double '/' comes from the above, and could be avoided by using:
ProxyPass /uwsgi-pp uwsgi://localhost:8001
or:
ProxyPass /uwsgi-pp/ uwsgi://localhost:8001/
Using one or the other depends on whether you want e.g."/uwsgi-ppfoo" to be
passed too or not (whereas "/uwsgi-pp/foo" will be passed by both).
> ProxyPass /uwsgi-pps/ uwsgi://localhost:8001/
This one looks good.
> ProxyPassMatch ^/admin uwsgi://localhost:8001/
Same here:
ProxyPassMatch ^/admin uwsgi://localhost:8001
or:
ProxyPassMatch ^/(admin/.*) uwsgi://localhost:8001/$1
>
> I can dedicate time to work on a patch, if you have a test case for
> CVE-2021-36160 (to ensure the vulnerability stay fixed).
CVE-2021-36160 is actually fixed by r1892874, though depending on the playload
it might have crashed here (we don't disclose exploits so there is no known
test case).
Pointing u_path_info (PATH_INFO) to the right most leading '/' to fix your
issue is an option, if you want to address it at the code level (rather than in
your configuration).
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org