forked from pool/apache2
7a70b52ac1
- Update to 2.4.61
*) SECURITY: CVE-2024-39884: Apache HTTP Server: source code
disclosure with handlers configured via AddType (cve.mitre.org)
[boo#1227353]
A regression in the core of Apache HTTP Server 2.4.60 ignores
some use of the legacy content-type based configuration of
handlers. "AddType" and similar configuration, under some
circumstances where files are requested indirectly, result in
source code disclosure of local content. For example, PHP
scripts may be served instead of interpreted.
Users are recommended to upgrade to version 2.4.61, which fixes
this issue.
- Update to 2.4.60
*) SECURITY: CVE-2024-39573: Apache HTTP Server: mod_rewrite proxy
handler substitution (cve.mitre.org) [boo#1227271]
Potential SSRF in mod_rewrite in Apache HTTP Server 2.4.59 and
earlier allows an attacker to cause unsafe RewriteRules to
unexpectedly setup URL's to be handled by mod_proxy.
Credits: Orange Tsai (@orange_8361) from DEVCORE
*) SECURITY: CVE-2024-38477: Apache HTTP Server: Crash resulting in
Denial of Service in mod_proxy via a malicious request
(cve.mitre.org) [boo#1227270]
null pointer dereference in mod_proxy in Apache HTTP Server
2.4.59 and earlier allows an attacker to crash the server via a
malicious request.
Credits: Orange Tsai (@orange_8361) from DEVCORE
*) SECURITY: CVE-2024-38476: Apache HTTP Server may use
exploitable/malicious backend application output to run local
handlers via internal redirect (cve.mitre.org) [boo#1227269]
Vulnerability in core of Apache HTTP Server 2.4.59 and earlier
are vulnerably to information disclosure, SSRF or local script
execution via backend applications whose response headers are
malicious or exploitable.
Note: Some legacy uses of the 'AddType' directive to connect a
request to a handler must be ported to 'AddHandler' after this fix.
Credits: Orange Tsai (@orange_8361) from DEVCORE
*) SECURITY: CVE-2024-38475: Apache HTTP Server weakness in
mod_rewrite when first segment of substitution matches
filesystem path. (cve.mitre.org) [boo#1227268]
Improper escaping of output in mod_rewrite in Apache HTTP Server
2.4.59 and earlier allows an attacker to map URLs to filesystem
locations that are permitted to be served by the server but are
not intentionally/directly reachable by any URL, resulting in
code execution or source code disclosure.
Substitutions in server context that use a backreferences or
variables as the first segment of the substitution are affected.
Some unsafe RewiteRules will be broken by this change and the
rewrite flag "UnsafePrefixStat" can be used to opt back in once
ensuring the substitution is appropriately constrained.
Credits: Orange Tsai (@orange_8361) from DEVCORE
*) SECURITY: CVE-2024-38474: Apache HTTP Server weakness with
encoded question marks in backreferences (cve.mitre.org)
[boo#1227278]
Substitution encoding issue in mod_rewrite in Apache HTTP Server
2.4.59 and earlier allows attacker to execute scripts in
directories permitted by the configuration but not directly
reachable by any URL or source disclosure of scripts meant to
only to be executed as CGI.
Note: Some RewriteRules that capture and substitute unsafely will now
fail unless rewrite flag "UnsafeAllow3F" is specified.
Credits: Orange Tsai (@orange_8361) from DEVCORE
*) SECURITY: CVE-2024-38473: Apache HTTP Server proxy encoding
problem (cve.mitre.org) [boo#1227276]
Encoding problem in mod_proxy in Apache HTTP Server 2.4.59 and
earlier allows request URLs with incorrect encoding to be sent
to backend services, potentially bypassing authentication via
crafted requests.
Credits: Orange Tsai (@orange_8361) from DEVCORE
*) SECURITY: CVE-2024-38472: Apache HTTP Server on WIndows UNC SSRF
(cve.mitre.org) [boo#1227267]
SSRF in Apache HTTP Server on Windows allows to potentially leak
NTML hashes to a malicious server via SSRF and malicious
requests or content
Note: Existing configurations that access UNC paths
will have to configure new directive "UNCList" to allow access
during request processing.
Credits: Orange Tsai (@orange_8361) from DEVCORE
*) SECURITY: CVE-2024-36387: Apache HTTP Server: DoS by Null
pointer in websocket over HTTP/2 (cve.mitre.org) [boo#1227272]
Serving WebSocket protocol upgrades over a HTTP/2 connection
could result in a Null Pointer dereference, leading to a crash
of the server process, degrading performance.
Credits: Marc Stern (<marc.stern AT approach-cyber.com>)
OBS-URL: https://build.opensuse.org/request/show/1185778
OBS-URL: https://build.opensuse.org/package/show/Apache/apache2?expand=0&rev=704
174 lines
7.2 KiB
Diff
174 lines
7.2 KiB
Diff
From 530b5797af919d6d7ab7d6418d9feeb1abb914ae Mon Sep 17 00:00:00 2001
|
|
From: Justin Erenkrantz <jerenkrantz@apache.org>
|
|
Date: Mon, 30 Dec 2013 20:01:14 +0000
|
|
Subject: [PATCH] Add directives to control two protocol options:
|
|
|
|
HttpContentLengthHeadZero - allow Content-Length of 0 to be returned on HEAD
|
|
HttpExpectStrict - allow admin to control whether we must see "100-continue"
|
|
|
|
This is helpful when using Ceph's radosgw and httpd.
|
|
|
|
Inspired by: Yehuda Sadeh <yehuda@inktank.com>
|
|
See https://github.com/ceph/apache2/commits/precise
|
|
|
|
* include/http_core.h
|
|
(core_server_config): Add http_cl_head_zero and http_expect_strict fields.
|
|
* modules/http/http_filters.c
|
|
(ap_http_header_filter): Only clear out the C-L if http_cl_head_zero is not
|
|
explictly set.
|
|
* server/core.c
|
|
(merge_core_server_configs): Add new fields.
|
|
(set_cl_head_zero, set_expect_strict): New config helpers.
|
|
(HttpContentLengthHeadZero, HttpExpectStrict): Declare new directives.
|
|
* server/protocol.c
|
|
(ap_read_request): Allow http_expect_strict to control if we return 417.
|
|
* include/ap_mmn.h
|
|
(MODULE_MAGIC_NUMBER_MAJOR, MODULE_MAGIC_NUMBER_MINOR): Bump.
|
|
* CHANGES: Add a brief description.
|
|
|
|
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1554303 13f79535-47bb-0310-9956-ffa450edef68
|
|
|
|
Conflicts:
|
|
CHANGES
|
|
include/ap_mmn.h
|
|
include/http_core.h
|
|
server/core.c
|
|
---
|
|
CHANGES | 3 +++
|
|
include/ap_mmn.h | 4 +++-
|
|
include/http_core.h | 9 +++++++++
|
|
modules/http/http_filters.c | 10 +++++++++-
|
|
server/core.c | 36 ++++++++++++++++++++++++++++++++++++
|
|
server/protocol.c | 25 +++++++++++++++++--------
|
|
6 files changed, 77 insertions(+), 10 deletions(-)
|
|
|
|
Index: httpd-2.4.49/modules/http/http_filters.c
|
|
===================================================================
|
|
--- httpd-2.4.49.orig/modules/http/http_filters.c 2021-05-11 17:21:43.000000000 +0200
|
|
+++ httpd-2.4.49/modules/http/http_filters.c 2021-09-17 09:33:49.496853894 +0200
|
|
@@ -1488,10 +1488,17 @@ AP_CORE_DECLARE_NONSTD(apr_status_t) ap_
|
|
* zero C-L to the client. We can't just remove the C-L filter,
|
|
* because well behaved 2.0 handlers will send their data down the stack,
|
|
* and we will compute a real C-L for the head request. RBB
|
|
+ *
|
|
+ * Allow modification of this behavior through the
|
|
+ * HttpContentLengthHeadZero directive.
|
|
+ *
|
|
+ * The default (unset) behavior is to squelch the C-L in this case.
|
|
*/
|
|
+ core_server_config *conf = ap_get_core_module_config(r->server->module_config);
|
|
if (r->header_only
|
|
&& (clheader = apr_table_get(r->headers_out, "Content-Length"))
|
|
- && !strcmp(clheader, "0")) {
|
|
+ && !strcmp(clheader, "0")
|
|
+ && conf->http_cl_head_zero != AP_HTTP_CL_HEAD_ZERO_ENABLE) {
|
|
apr_table_unset(r->headers_out, "Content-Length");
|
|
}
|
|
|
|
Index: httpd-2.4.49/server/core.c
|
|
===================================================================
|
|
--- httpd-2.4.49.orig/server/core.c 2021-05-27 15:08:21.000000000 +0200
|
|
+++ httpd-2.4.49/server/core.c 2021-09-17 09:33:49.496853894 +0200
|
|
@@ -551,6 +551,12 @@ static void *merge_core_server_configs(a
|
|
if (virt->http_methods != AP_HTTP_METHODS_UNSET)
|
|
conf->http_methods = virt->http_methods;
|
|
|
|
+ if (virt->http_cl_head_zero != AP_HTTP_CL_HEAD_ZERO_UNSET)
|
|
+ conf->http_cl_head_zero = virt->http_cl_head_zero;
|
|
+
|
|
+ if (virt->http_expect_strict != AP_HTTP_EXPECT_STRICT_UNSET)
|
|
+ conf->http_expect_strict = virt->http_expect_strict;
|
|
+
|
|
/* no action for virt->accf_map, not allowed per-vhost */
|
|
|
|
if (virt->protocol)
|
|
@@ -4142,6 +4148,32 @@ static const char *set_http_method(cmd_p
|
|
return NULL;
|
|
}
|
|
|
|
+static const char *set_cl_head_zero(cmd_parms *cmd, void *dummy, int arg)
|
|
+{
|
|
+ core_server_config *conf =
|
|
+ ap_get_core_module_config(cmd->server->module_config);
|
|
+
|
|
+ if (arg) {
|
|
+ conf->http_cl_head_zero = AP_HTTP_CL_HEAD_ZERO_ENABLE;
|
|
+ } else {
|
|
+ conf->http_cl_head_zero = AP_HTTP_CL_HEAD_ZERO_DISABLE;
|
|
+ }
|
|
+ return NULL;
|
|
+}
|
|
+
|
|
+static const char *set_expect_strict(cmd_parms *cmd, void *dummy, int arg)
|
|
+{
|
|
+ core_server_config *conf =
|
|
+ ap_get_core_module_config(cmd->server->module_config);
|
|
+
|
|
+ if (arg) {
|
|
+ conf->http_expect_strict = AP_HTTP_EXPECT_STRICT_ENABLE;
|
|
+ } else {
|
|
+ conf->http_expect_strict = AP_HTTP_EXPECT_STRICT_DISABLE;
|
|
+ }
|
|
+ return NULL;
|
|
+}
|
|
+
|
|
static apr_hash_t *errorlog_hash;
|
|
|
|
static int log_constant_item(const ap_errorlog_info *info, const char *arg,
|
|
@@ -4685,6 +4717,10 @@ AP_INIT_TAKE1("TraceEnable", set_trace_e
|
|
"'on' (default), 'off' or 'extended' to trace request body content"),
|
|
AP_INIT_FLAG("MergeTrailers", set_merge_trailers, NULL, RSRC_CONF,
|
|
"merge request trailers into request headers or not"),
|
|
+AP_INIT_FLAG("HttpContentLengthHeadZero", set_cl_head_zero, NULL, OR_OPTIONS,
|
|
+ "whether to permit Content-Length of 0 responses to HEAD requests"),
|
|
+AP_INIT_FLAG("HttpExpectStrict", set_expect_strict, NULL, OR_OPTIONS,
|
|
+ "whether to return a 417 if a client doesn't send 100-Continue"),
|
|
AP_INIT_ITERATE("Protocols", set_protocols, NULL, RSRC_CONF,
|
|
"Controls which protocols are allowed"),
|
|
AP_INIT_TAKE1("ProtocolsHonorOrder", set_protocols_honor_order, NULL, RSRC_CONF,
|
|
Index: httpd-2.4.49/server/protocol.c
|
|
===================================================================
|
|
--- httpd-2.4.49.orig/server/protocol.c 2021-09-17 09:33:49.496853894 +0200
|
|
+++ httpd-2.4.49/server/protocol.c 2021-09-17 10:15:28.643596021 +0200
|
|
@@ -1056,6 +1056,11 @@ AP_DECLARE(int) ap_check_request_header(
|
|
if (ap_cstr_casecmp(expect, "100-continue") == 0) {
|
|
r->expecting_100 = 1;
|
|
}
|
|
+ else if (conf->http_expect_strict == AP_HTTP_EXPECT_STRICT_DISABLE) {
|
|
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(02595)
|
|
+ "client sent an unrecognized expectation value "
|
|
+ "of Expect (not fatal): %s", expect);
|
|
+ }
|
|
else {
|
|
ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(00570)
|
|
"client sent an unrecognized expectation value "
|
|
Index: httpd-2.4.49/include/http_core.h
|
|
===================================================================
|
|
--- httpd-2.4.49.orig/include/http_core.h 2021-05-27 15:08:21.000000000 +0200
|
|
+++ httpd-2.4.49/include/http_core.h 2021-09-17 09:33:49.496853894 +0200
|
|
@@ -733,6 +733,16 @@ typedef struct {
|
|
#define AP_MERGE_TRAILERS_DISABLE 2
|
|
int merge_trailers;
|
|
|
|
+#define AP_HTTP_CL_HEAD_ZERO_UNSET 0
|
|
+#define AP_HTTP_CL_HEAD_ZERO_ENABLE 1
|
|
+#define AP_HTTP_CL_HEAD_ZERO_DISABLE 2
|
|
+ int http_cl_head_zero;
|
|
+
|
|
+#define AP_HTTP_EXPECT_STRICT_UNSET 0
|
|
+#define AP_HTTP_EXPECT_STRICT_ENABLE 1
|
|
+#define AP_HTTP_EXPECT_STRICT_DISABLE 2
|
|
+ int http_expect_strict;
|
|
+
|
|
apr_array_header_t *protocols;
|
|
int protocols_honor_order;
|
|
|
|
@@ -776,7 +786,6 @@ apr_status_t ap_core_input_filter(ap_fil
|
|
apr_off_t readbytes);
|
|
apr_status_t ap_core_output_filter(ap_filter_t *f, apr_bucket_brigade *b);
|
|
|
|
-
|
|
AP_DECLARE(const char*) ap_get_server_protocol(server_rec* s);
|
|
AP_DECLARE(void) ap_set_server_protocol(server_rec* s, const char* proto);
|
|
|