#! /bin/sh /usr/share/dpatch/dpatch-run
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: Upstream r1209432

@DPATCH@
commit 318b86756de2049f652561e1a66420b4a92d4a7e
Author: Joe Orton <jorton@apache.org>
Date:   Fri Dec 2 12:04:20 2011 +0000

    Fix for additional cases of URL rewriting with ProxyPassMatch or
    RewriteRule, where particular request-URIs could result in undesired
    backend network exposure in some configurations. (CVE-2011-4317)
    
    Thanks to Prutha Parikh from Qualys for reporting this issue.
    
    * modules/proxy/mod_proxy.c (proxy_trans): Decline to handle the "*"
      request-URI.  Fail for cases where r->uri does not begin with a "/".
    
    * modules/mappers/mod_rewrite.c (hook_uri2file): Likewise.
    
    
    git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1209432 13f79535-47bb-0310-9956-ffa450edef68

--- a/modules/mappers/mod_rewrite.c
+++ b/modules/mappers/mod_rewrite.c
@@ -4283,6 +4283,18 @@
         return DECLINED;
     }
 
+    if (strcmp(r->unparsed_uri, "*") == 0) {
+        /* Don't apply rewrite rules to "*". */
+        return DECLINED;
+    }
+
+    /* Check that the URI is valid. */
+    if (!r->uri || r->uri[0] != '/') {
+        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+                     "Invalid URI in request %s", r->the_request);
+        return HTTP_BAD_REQUEST;
+    }
+    
     /*
      *  add the SCRIPT_URL variable to the env. this is a bit complicated
      *  due to the fact that apache uses subrequests and internal redirects
--- a/modules/proxy/mod_proxy.c
+++ b/modules/proxy/mod_proxy.c
@@ -566,6 +566,18 @@
         return OK;
     }
 
+    if (strcmp(r->unparsed_uri, "*") == 0) {
+        /* "*" cannot be proxied. */
+        return DECLINED;
+    }
+
+    /* Check that the URI is valid. */
+    if (!r->uri || r->uri[0] != '/') {
+        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+                     "Invalid URI in request %s", r->the_request);
+        return HTTP_BAD_REQUEST;
+    }
+
     /* XXX: since r->uri has been manipulated already we're not really
      * compliant with RFC1945 at this point.  But this probably isn't
      * an issue because this is a hybrid proxy/origin server.
