[Bug 65616] CVE-2021-36160 regression

Wed, 06 Oct 2021 00:27:55 -0700 

https://bz.apache.org/bugzilla/show_bug.cgi?id=65616

--- Comment #2 from Ruediger Pluem <rpl...@apache.org> ---
I agree with Yann here. The fix to CVE-2021-36160 made a wrong configuration
visible. See also http://httpd.apache.org/docs/2.4/mod/mod_proxy.html#proxypass
and look for the warning there:

If the first argument ends with a trailing /, the second argument should also
end with a trailing /, and vice versa. Otherwise, the resulting requests to the
backend may miss some needed slashes and do not deliver the expected results. 

However, I guess the following patch would remove multiple leading slashes:

Index: modules/proxy/mod_proxy_uwsgi.c
===================================================================
--- modules/proxy/mod_proxy_uwsgi.c     (revision 1893605)
+++ modules/proxy/mod_proxy_uwsgi.c     (working copy)
@@ -481,6 +481,10 @@
                       "unable to decode uwsgi uri: %s", url);
         return HTTP_INTERNAL_SERVER_ERROR;
     }
+    /* Remove duplicate slashes at the beginning of PATH_INFO */
+    while (u_path_info[1] == '/') {
+        u_path_info++;
+    }
     apr_table_add(r->subprocess_env, "PATH_INFO", u_path_info);

The other question is if want to ensure that PATH_INFO at least consist of a
'/'.

A request to /backend could cause an internal server error with the following
configuration:

ProxyPass /backend uwsgi://localhost:8001

This would be something like this:

Index: modules/proxy/mod_proxy_uwsgi.c
===================================================================
--- modules/proxy/mod_proxy_uwsgi.c     (revision 1893605)
+++ modules/proxy/mod_proxy_uwsgi.c     (working copy)
@@ -476,11 +476,20 @@

     /* ADD PATH_INFO (unescaped) */
     u_path_info = ap_strchr(url + sizeof(UWSGI_SCHEME) + 2, '/');
-    if (!u_path_info || ap_unescape_url(u_path_info) != OK) {
+    if (!u_path_info) {
+        u_path_info = apr_pstrdup(r->pool, "/");
+    }
+    else if (ap_unescape_url(u_path_info) != OK) {
         ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10100)
                       "unable to decode uwsgi uri: %s", url);
         return HTTP_INTERNAL_SERVER_ERROR;
     }
+    else {
+        /* Remove duplicate slashes at the beginning of PATH_INFO */
+        while (u_path_info[1] == '/') {
+            u_path_info++;
+        }
+    }
     apr_table_add(r->subprocess_env, "PATH_INFO", u_path_info);

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org
For additional commands, e-mail: bugs-h...@httpd.apache.org

Reply via email to