Posted to dev@httpd.apache.org by Jeff Trawick <tr...@gmail.com> on 2012/01/18 17:16:18 UTC

[PATCH] CVE-2011-3368, CVE-2011-4317, trunk

Following the thread
http://mail-archives.apache.org/mod_mbox/httpd-dev/201112.mbox/%3CCAKUrXK4uwT%3DP1KtEziNqFdxXs%2BtyWvggzpL8x2u-Bbq8tZ-Zsw%40mail.gmail.com%3E
and the related discussion in 2.2.x/STATUS, attached is a patch for
trunk that implements the checking according to the following
criteria:

* modules can handle whatever valid URIs they want in the translate_name phase
* our modules (rewrite, proxy, alias, whatever) decline URIs they can't handle
* core's translate_name enforces HTTP constraints on the URI,
returning 400 otherwise

(This patch is based on a 2.2.x patch from jorton with a tweak
suggested by wrowe, with the necessary reverts to fit it on trunk.)

The obvious alternative is to reverse the long-standing design and

* remove the check in core's translate name that currently returns
400, and implement it before calling translate name
* remove the check in alias, rewrite, proxy, whatever that currently declines

(That long-standing design was missing checks in rewrite and proxy,
and changing the design would resolve the same issue in third-party
modules while yanking the right of some module to implement other URI
forms.)
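
As an added illustration (not code from the attached patch or from httpd), this self-contained C model shows the three criteria from the message above working together in a translate_name-style hook chain. The module names, the `/app/` and `custom:` prefixes and the sample URIs are constructed, and the core check is simplified to "starts with `/` or is `*`"; only the `OK`, `DECLINED` and 400 return values follow httpd.

```c
#include <stdio.h>
#include <string.h>

/* Return codes carry the values httpd uses; everything else is a model. */
#define OK 0
#define DECLINED (-1)
#define HTTP_BAD_REQUEST 400
typedef int (*translate_hook)(const char *uri);

/* Hypothetical proxy-style module: it only understands absolute paths,
 * so it declines any other form instead of trying to map it. */
static int proxy_translate(const char *uri) {
    if (uri == NULL || uri[0] != '/')
        return DECLINED;
    return strncmp(uri, "/app/", 5) == 0 ? OK : DECLINED;
}

/* Hypothetical third-party module that handles another URI form. */
static int custom_translate(const char *uri) {
    return (uri != NULL && strncmp(uri, "custom:", 7) == 0) ? OK : DECLINED;
}

/* Core runs last and enforces the HTTP constraint (simplified here):
 * anything no module claimed that is not a path or "*" gets 400. */
static int core_translate(const char *uri) {
    if (uri == NULL || (uri[0] != '/' && strcmp(uri, "*") != 0))
        return HTTP_BAD_REQUEST;
    return OK;
}

/* Run the hooks in order; the first answer other than DECLINED wins. */
int run_translate_name(const char *uri) {
    translate_hook hooks[] = { custom_translate, proxy_translate, core_translate };
    for (size_t i = 0; i < sizeof hooks / sizeof hooks[0]; i++) {
        int rv = hooks[i](uri);
        if (rv != DECLINED)
            return rv;
    }
    return DECLINED;
}

int main(void) {
    const char *samples[] = { "/app/x", "/index.html", "custom:item", "*", "no-leading-slash" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-18s -> %d\n", samples[i], run_translate_name(samples[i]));
    return 0;
}
```

In this model the proxy-style hook never sees a chance to act on a URI without a leading slash; it declines, and the request falls through to the core check, which answers 400.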

Re: [PATCH] CVE-2011-3368, CVE-2011-4317, trunk

Posted by Jeff Trawick <tr...@gmail.com>.
On Thu, Jan 19, 2012 at 6:15 AM, Joe Orton <jo...@redhat.com> wrote:
> On Wed, Jan 18, 2012 at 11:16:18AM -0500, Jeff Trawick wrote:
>> Following the thread
>> http://mail-archives.apache.org/mod_mbox/httpd-dev/201112.mbox/%3CCAKUrXK4uwT%3DP1KtEziNqFdxXs%2BtyWvggzpL8x2u-Bbq8tZ-Zsw%40mail.gmail.com%3E
>> and the related discussion in 2.2.x/STATUS, attached is a patch for
>> trunk that implements the checking according to the following
>> criteria:
>>
>> * modules can handle whatever valid URIs they want in the translate_name phase
>> * our modules (rewrite, proxy, alias, whatever) decline URIs they can't handle
>> * core's translate_name enforces HTTP constraints on the URI,
>> returning 400 otherwise
>
> +1 to that patch, thanks a lot Jeff for following through on this.

Thanks for looking, Joe and Rüdiger!

Unless I get contradictory conflicts in the short term, I'll commit to
trunk and 2.4.x, and update 2.2.x STATUS.

Re: [PATCH] CVE-2011-3368, CVE-2011-4317, trunk

Posted by Joe Orton <jo...@redhat.com>.
On Wed, Jan 18, 2012 at 11:16:18AM -0500, Jeff Trawick wrote:
> Following the thread
> http://mail-archives.apache.org/mod_mbox/httpd-dev/201112.mbox/%3CCAKUrXK4uwT%3DP1KtEziNqFdxXs%2BtyWvggzpL8x2u-Bbq8tZ-Zsw%40mail.gmail.com%3E
> and the related discussion in 2.2.x/STATUS, attached is a patch for
> trunk that implements the checking according to the following
> criteria:
> 
> * modules can handle whatever valid URIs they want in the translate_name phase
> * our modules (rewrite, proxy, alias, whatever) decline URIs they can't handle
> * core's translate_name enforces HTTP constraints on the URI,
> returning 400 otherwise

+1 to that patch, thanks a lot Jeff for following through on this.

Regards, Joe

Re: [PATCH] CVE-2011-3368, CVE-2011-4317, trunk

Posted by Ruediger Pluem <rp...@apache.org>.

Jeff Trawick wrote:
> Following the thread
> http://mail-archives.apache.org/mod_mbox/httpd-dev/201112.mbox/%3CCAKUrXK4uwT%3DP1KtEziNqFdxXs%2BtyWvggzpL8x2u-Bbq8tZ-Zsw%40mail.gmail.com%3E
> and the related discussion in 2.2.x/STATUS, attached is a patch for
> trunk that implements the checking according to the following
> criteria:
> 
> * modules can handle whatever valid URIs they want in the translate_name phase
> * our modules (rewrite, proxy, alias, whatever) decline URIs they can't handle
> * core's translate_name enforces HTTP constraints on the URI,
> returning 400 otherwise

Sounds sensible. Looking forward to other comments :-)

Regards

Rüdiger

Re: [PATCH] CVE-2011-3368, CVE-2011-4317, trunk

Posted by Jeff Trawick <tr...@gmail.com>.
On Wed, Jan 18, 2012 at 11:16 AM, Jeff Trawick <tr...@gmail.com> wrote:
> Following the thread
> http://mail-archives.apache.org/mod_mbox/httpd-dev/201112.mbox/%3CCAKUrXK4uwT%3DP1KtEziNqFdxXs%2BtyWvggzpL8x2u-Bbq8tZ-Zsw%40mail.gmail.com%3E
> and the related discussion in 2.2.x/STATUS, attached is a patch for
> trunk that implements the checking according to the following
> criteria:

attached is the 2.2.x version