Posted to cvs@httpd.apache.org by fi...@apache.org on 2023/03/07 17:37:10 UTC

svn commit: r1908165 - /httpd/httpd/branches/2.4.x/CHANGES

Author: fielding
Date: Tue Mar  7 17:37:10 2023
New Revision: 1908165

URL: http://svn.apache.org/viewvc?rev=1908165&view=rev
Log:
unmangle the example config for CVE-2023-2569

Modified:
    httpd/httpd/branches/2.4.x/CHANGES

Modified: httpd/httpd/branches/2.4.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/CHANGES?rev=1908165&r1=1908164&r2=1908165&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.4.x/CHANGES [utf-8] Tue Mar  7 17:37:10 2023
@@ -17,18 +17,13 @@ Changes with Apache 2.4.56
      Some mod_proxy configurations on Apache HTTP Server versions
      2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack.
      Configurations are affected when mod_proxy is enabled along with
-     some form of RewriteRule
-     or ProxyPassMatch in which a non-specific pattern matches
-     some portion of the user-supplied request-target (URL) data and
-     is then
-     re-inserted into the proxied request-target using variable
-     substitution. For example, something like:
-     RewriteEngine on
-     RewriteRule "^/here/(.*)" "
-     http://example.com:8080/elsewhere?$1"
-     http://example.com:8080/elsewhere ; [P]
-     ProxyPassReverse /here/  http://example.com:8080/
-     http://example.com:8080/
+     some form of RewriteRule or ProxyPassMatch in which a non-specific
+     pattern matches some portion of the user-supplied request-target (URL)
+     data and is then re-inserted into the proxied request-target
+     using variable substitution. For example, something like:
+        RewriteEngine on
+        RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1"; [P]
+        ProxyPassReverse /here/  http://example.com:8080/
      Request splitting/smuggling could result in bypass of access
      controls in the proxy server, proxying unintended URLs to
      existing origin servers, and cache poisoning.
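Review bot: the added RewriteRule line still has a stray ";" between the closing quote of the substitution and the [P] flag, which looks like residue from the mangled text being removed (the old line "http://example.com:8080/elsewhere ; [P]"). A semicolon is not part of RewriteRule syntax, so anyone copying the example to check whether their own configuration matches the affected pattern gets a directive that does not read as intended. Suggest dropping it so the line reads: RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1" [P]. The three example lines are now indented three spaces deeper than the surrounding prose, which sets them apart well; a blank line before and after the example would make that separation survive if CHANGES is reflowed again.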