9ac936a203
*) SECURITY: CVE-2024-40898: Apache HTTP Server: SSRF with
mod_rewrite in server/vhost context on Windows (cve.mitre.org)
[boo#1228098]
SSRF in Apache HTTP Server on Windows with mod_rewrite in
server/vhost context, allows to potentially leak NTML hashes to
a malicious server via SSRF and malicious requests.
Users are recommended to upgrade to version 2.4.62 which fixes
this issue.
Credits: Smi1e (DBAPPSecurity Ltd.)
*) SECURITY: CVE-2024-40725: Apache HTTP Server: source code
disclosure with handlers configured via AddType (cve.mitre.org)
[boo#1228097]
A partial fix for CVE-2024-39884 in the core of Apache HTTP
Server 2.4.61 ignores some use of the legacy content-type based
configuration of handlers. "AddType" and similar configuration,
under some circumstances where files are requested indirectly,
result in source code disclosure of local content. For example,
PHP scripts may be served instead of interpreted.
Users are recommended to upgrade to version 2.4.62, which fixes
this issue.
*) mod_proxy: Fix canonicalisation and FCGI env (PATH_INFO, SCRIPT_NAME) for
"balancer:" URLs set via SetHandler, also allowing for "unix:" sockets
with BalancerMember(s). PR 69168. [Yann Ylavic]
*) mod_proxy: Avoid AH01059 parsing error for SetHandler "unix:" URLs.
PR 69160 [Yann Ylavic]
*) mod_ssl: Fix crashes in PKCS#11 ENGINE support with OpenSSL 3.2.
[Joe Orton]
*) mod_ssl: Add support for loading certs/keys from pkcs11: URIs
via OpenSSL 3.x providers. [Ingo Franzki <ifranzki linux.ibm.com>]
*) mod_ssl: Restore SSL dumping on trace7 loglevel with OpenSSL >= 3.0.
[Ruediger Pluem, Yann Ylavic]
*) mpm_worker: Fix possible warning (AH00045) about children processes not
terminating timely. [Yann Ylavic]
OBS-URL: https://build.opensuse.org/package/show/Apache/apache2?expand=0&rev=706
174 lines
7.2 KiB
Diff
174 lines
7.2 KiB
Diff
From 530b5797af919d6d7ab7d6418d9feeb1abb914ae Mon Sep 17 00:00:00 2001
|
|
From: Justin Erenkrantz <jerenkrantz@apache.org>
|
|
Date: Mon, 30 Dec 2013 20:01:14 +0000
|
|
Subject: [PATCH] Add directives to control two protocol options:
|
|
|
|
HttpContentLengthHeadZero - allow Content-Length of 0 to be returned on HEAD
|
|
HttpExpectStrict - allow admin to control whether we must see "100-continue"
|
|
|
|
This is helpful when using Ceph's radosgw and httpd.
|
|
|
|
Inspired by: Yehuda Sadeh <yehuda@inktank.com>
|
|
See https://github.com/ceph/apache2/commits/precise
|
|
|
|
* include/http_core.h
|
|
(core_server_config): Add http_cl_head_zero and http_expect_strict fields.
|
|
* modules/http/http_filters.c
|
|
(ap_http_header_filter): Only clear out the C-L if http_cl_head_zero is not
|
|
explictly set.
|
|
* server/core.c
|
|
(merge_core_server_configs): Add new fields.
|
|
(set_cl_head_zero, set_expect_strict): New config helpers.
|
|
(HttpContentLengthHeadZero, HttpExpectStrict): Declare new directives.
|
|
* server/protocol.c
|
|
(ap_read_request): Allow http_expect_strict to control if we return 417.
|
|
* include/ap_mmn.h
|
|
(MODULE_MAGIC_NUMBER_MAJOR, MODULE_MAGIC_NUMBER_MINOR): Bump.
|
|
* CHANGES: Add a brief description.
|
|
|
|
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1554303 13f79535-47bb-0310-9956-ffa450edef68
|
|
|
|
Conflicts:
|
|
CHANGES
|
|
include/ap_mmn.h
|
|
include/http_core.h
|
|
server/core.c
|
|
---
|
|
CHANGES | 3 +++
|
|
include/ap_mmn.h | 4 +++-
|
|
include/http_core.h | 9 +++++++++
|
|
modules/http/http_filters.c | 10 +++++++++-
|
|
server/core.c | 36 ++++++++++++++++++++++++++++++++++++
|
|
server/protocol.c | 25 +++++++++++++++++--------
|
|
6 files changed, 77 insertions(+), 10 deletions(-)
|
|
|
|
Index: httpd-2.4.49/modules/http/http_filters.c
|
|
===================================================================
|
|
--- httpd-2.4.49.orig/modules/http/http_filters.c 2021-05-11 17:21:43.000000000 +0200
|
|
+++ httpd-2.4.49/modules/http/http_filters.c 2021-09-17 09:33:49.496853894 +0200
|
|
@@ -1488,10 +1488,17 @@ AP_CORE_DECLARE_NONSTD(apr_status_t) ap_
|
|
* zero C-L to the client. We can't just remove the C-L filter,
|
|
* because well behaved 2.0 handlers will send their data down the stack,
|
|
* and we will compute a real C-L for the head request. RBB
|
|
+ *
|
|
+ * Allow modification of this behavior through the
|
|
+ * HttpContentLengthHeadZero directive.
|
|
+ *
|
|
+ * The default (unset) behavior is to squelch the C-L in this case.
|
|
*/
|
|
+ core_server_config *conf = ap_get_core_module_config(r->server->module_config);
|
|
if (r->header_only
|
|
&& (clheader = apr_table_get(r->headers_out, "Content-Length"))
|
|
- && !strcmp(clheader, "0")) {
|
|
+ && !strcmp(clheader, "0")
|
|
+ && conf->http_cl_head_zero != AP_HTTP_CL_HEAD_ZERO_ENABLE) {
|
|
apr_table_unset(r->headers_out, "Content-Length");
|
|
}
|
|
|
|
Index: httpd-2.4.49/server/core.c
|
|
===================================================================
|
|
--- httpd-2.4.49.orig/server/core.c 2021-05-27 15:08:21.000000000 +0200
|
|
+++ httpd-2.4.49/server/core.c 2021-09-17 09:33:49.496853894 +0200
|
|
@@ -551,6 +551,12 @@ static void *merge_core_server_configs(a
|
|
if (virt->http_methods != AP_HTTP_METHODS_UNSET)
|
|
conf->http_methods = virt->http_methods;
|
|
|
|
+ if (virt->http_cl_head_zero != AP_HTTP_CL_HEAD_ZERO_UNSET)
|
|
+ conf->http_cl_head_zero = virt->http_cl_head_zero;
|
|
+
|
|
+ if (virt->http_expect_strict != AP_HTTP_EXPECT_STRICT_UNSET)
|
|
+ conf->http_expect_strict = virt->http_expect_strict;
|
|
+
|
|
/* no action for virt->accf_map, not allowed per-vhost */
|
|
|
|
if (virt->protocol)
|
|
@@ -4142,6 +4148,32 @@ static const char *set_http_method(cmd_p
|
|
return NULL;
|
|
}
|
|
|
|
+static const char *set_cl_head_zero(cmd_parms *cmd, void *dummy, int arg)
|
|
+{
|
|
+ core_server_config *conf =
|
|
+ ap_get_core_module_config(cmd->server->module_config);
|
|
+
|
|
+ if (arg) {
|
|
+ conf->http_cl_head_zero = AP_HTTP_CL_HEAD_ZERO_ENABLE;
|
|
+ } else {
|
|
+ conf->http_cl_head_zero = AP_HTTP_CL_HEAD_ZERO_DISABLE;
|
|
+ }
|
|
+ return NULL;
|
|
+}
|
|
+
|
|
+static const char *set_expect_strict(cmd_parms *cmd, void *dummy, int arg)
|
|
+{
|
|
+ core_server_config *conf =
|
|
+ ap_get_core_module_config(cmd->server->module_config);
|
|
+
|
|
+ if (arg) {
|
|
+ conf->http_expect_strict = AP_HTTP_EXPECT_STRICT_ENABLE;
|
|
+ } else {
|
|
+ conf->http_expect_strict = AP_HTTP_EXPECT_STRICT_DISABLE;
|
|
+ }
|
|
+ return NULL;
|
|
+}
|
|
+
|
|
static apr_hash_t *errorlog_hash;
|
|
|
|
static int log_constant_item(const ap_errorlog_info *info, const char *arg,
|
|
@@ -4685,6 +4717,10 @@ AP_INIT_TAKE1("TraceEnable", set_trace_e
|
|
"'on' (default), 'off' or 'extended' to trace request body content"),
|
|
AP_INIT_FLAG("MergeTrailers", set_merge_trailers, NULL, RSRC_CONF,
|
|
"merge request trailers into request headers or not"),
|
|
+AP_INIT_FLAG("HttpContentLengthHeadZero", set_cl_head_zero, NULL, OR_OPTIONS,
|
|
+ "whether to permit Content-Length of 0 responses to HEAD requests"),
|
|
+AP_INIT_FLAG("HttpExpectStrict", set_expect_strict, NULL, OR_OPTIONS,
|
|
+ "whether to return a 417 if a client doesn't send 100-Continue"),
|
|
AP_INIT_ITERATE("Protocols", set_protocols, NULL, RSRC_CONF,
|
|
"Controls which protocols are allowed"),
|
|
AP_INIT_TAKE1("ProtocolsHonorOrder", set_protocols_honor_order, NULL, RSRC_CONF,
|
|
Index: httpd-2.4.49/server/protocol.c
|
|
===================================================================
|
|
--- httpd-2.4.49.orig/server/protocol.c 2021-09-17 09:33:49.496853894 +0200
|
|
+++ httpd-2.4.49/server/protocol.c 2021-09-17 10:15:28.643596021 +0200
|
|
@@ -1056,6 +1056,11 @@ AP_DECLARE(int) ap_check_request_header(
|
|
if (ap_cstr_casecmp(expect, "100-continue") == 0) {
|
|
r->expecting_100 = 1;
|
|
}
|
|
+ else if (conf->http_expect_strict == AP_HTTP_EXPECT_STRICT_DISABLE) {
|
|
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(02595)
|
|
+ "client sent an unrecognized expectation value "
|
|
+ "of Expect (not fatal): %s", expect);
|
|
+ }
|
|
else {
|
|
ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(00570)
|
|
"client sent an unrecognized expectation value "
|
|
Index: httpd-2.4.49/include/http_core.h
|
|
===================================================================
|
|
--- httpd-2.4.49.orig/include/http_core.h 2021-05-27 15:08:21.000000000 +0200
|
|
+++ httpd-2.4.49/include/http_core.h 2021-09-17 09:33:49.496853894 +0200
|
|
@@ -733,6 +733,16 @@ typedef struct {
|
|
#define AP_MERGE_TRAILERS_DISABLE 2
|
|
int merge_trailers;
|
|
|
|
+#define AP_HTTP_CL_HEAD_ZERO_UNSET 0
|
|
+#define AP_HTTP_CL_HEAD_ZERO_ENABLE 1
|
|
+#define AP_HTTP_CL_HEAD_ZERO_DISABLE 2
|
|
+ int http_cl_head_zero;
|
|
+
|
|
+#define AP_HTTP_EXPECT_STRICT_UNSET 0
|
|
+#define AP_HTTP_EXPECT_STRICT_ENABLE 1
|
|
+#define AP_HTTP_EXPECT_STRICT_DISABLE 2
|
|
+ int http_expect_strict;
|
|
+
|
|
apr_array_header_t *protocols;
|
|
int protocols_honor_order;
|
|
|
|
@@ -776,7 +786,6 @@ apr_status_t ap_core_input_filter(ap_fil
|
|
apr_off_t readbytes);
|
|
apr_status_t ap_core_output_filter(ap_filter_t *f, apr_bucket_brigade *b);
|
|
|
|
-
|
|
AP_DECLARE(const char*) ap_get_server_protocol(server_rec* s);
|
|
AP_DECLARE(void) ap_set_server_protocol(server_rec* s, const char* proto);
|
|
|