https://bz.apache.org/bugzilla/show_bug.cgi?id=65616
Bug ID: 65616
Summary: CVE-2021-36160 regression
Product: Apache httpd-2
Version: 2.4.49
Hardware: PC
OS: Linux
Status: NEW
Severity: regression
Priority: P2
Component: mod_proxy_uwsgi
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: ---
Hi,
2.4.49 introduces a regression in mod_proxy_uwsgi where PATH_INFO may be
prepended with an extra slash '/'.
This causes applications such as Django to reject the request and breaks
existing setups (we've got a couple reports at Debian).
How to reproduce:
- httpd.conf:
LoadModule proxy_module modules/mod_proxy.so
LoadModule alias_module modules/mod_alias.so
LoadModule authz_core_module modules/mod_authz_core.so
LoadModule proxy_uwsgi_module modules/mod_proxy_uwsgi.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule unixd_module modules/mod_unixd.so
Listen 8050
<VirtualHost *:8050>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ErrorLog logs/error.log
CustomLog logs/access.log combined
ProxyPass /uwsgi-pp uwsgi://localhost:8001/
ProxyPass /uwsgi-pps/ uwsgi://localhost:8001/
ProxyPassMatch ^/admin uwsgi://localhost:8001/
Alias /static
/usr/lib/python3/dist-packages/django/contrib/admin/static/
<Directory /usr/lib/python3/dist-packages/django/contrib/admin/static/>
Require all granted
</Directory>
</VirtualHost>
- test.py:
def application(env, start_response):
start_response('200 OK', [('Content-Type','text/plain')])
return [(
('REQUEST_URI: ' + env['REQUEST_URI'] + '\n') +
('PATH_INFO: ' + env['PATH_INFO'] + '\n') +
('SCRIPT_FILENAME: ' + env['SCRIPT_FILENAME'] + '\n')
).encode('UTF-8')
]
$ uwsgi_python3 --socket :8001 --module mysite.wsgi
- 2.4.46 (valid):
http://127.0.1.1:8046/uwsgi-pp/1/2
REQUEST_URI: /uwsgi-pp/1/2
PATH_INFO: /1/2
SCRIPT_FILENAME: proxy:uwsgi://localhost:8001//1/2
http://127.0.1.1:8046/uwsgi-pps/1/2
REQUEST_URI: /uwsgi-pps/1/2
PATH_INFO: /1/2
SCRIPT_FILENAME: proxy:uwsgi://localhost:8001/1/2
http://127.0.1.1:8046/admin/1/2
REQUEST_URI: /admin/1/2
PATH_INFO: /admin/1/2
SCRIPT_FILENAME: proxy:uwsgi://localhost:8001//admin/1/2
- 2.4.49-2.4.50 (regression):
http://127.0.1.1:8050/uwsgi-pp/1/2
REQUEST_URI: /uwsgi-pp/1/2
PATH_INFO: //1/2
SCRIPT_FILENAME: proxy:uwsgi://localhost:8001//1/2
http://127.0.1.1:8050/uwsgi-pps/1/2
REQUEST_URI: /uwsgi-pps/1/2
PATH_INFO: /1/2
SCRIPT_FILENAME: proxy:uwsgi://localhost:8001/1/2
http://127.0.1.1:8050/admin/1/2
REQUEST_URI: /admin/1/2
PATH_INFO: //admin/1/2
SCRIPT_FILENAME: proxy:uwsgi://localhost:8001//admin/1/2
I can dedicate time to work on a patch, if you have a test case for
CVE-2021-36160 (to ensure the vulnerability stay fixed).
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
