www/apache
1
0
Fork 0
mirror of https://github.com/apache/httpd.git synced 2025-08-07 04:02:58 +03:00
Code Activity

http: Enforce that fully qualified uri-paths not to be forward-proxied

Browse Source 
have an http(s) scheme, and that the ones to be forward proxied have a
      hostname, per HTTP specifications.

The early checks avoid failing the request later on and thus save cycles
for those invalid cases.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1895921 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Yann Ylavic
2021-12-13 18:55:18 +00:00
parent 5c49a85c12
commit 3ec0ffb9e1
7 changed files with 42 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
changes-entries/http_enforcements.txt Normal file
View File

@@ -0,0 +1,3 @@
*) http: Enforce that fully qualified uri-paths not to be forward-proxied
have an http(s) scheme, and that the ones to be forward proxied have a
hostname, per HTTP specifications. [Yann Ylavic]

3
include/ap_mmn.h
View File

@@ -695,6 +695,7 @@
* 20210926.0 (2.5.1-dev) Add dav_get_liveprop_element(), remove DAV_PROP_ELEMENT. * 20210926.0 (2.5.1-dev) Add dav_get_liveprop_element(), remove DAV_PROP_ELEMENT.
* 20210926.1 (2.5.1-dev) Add ap_unescape_url_ex() and deprecate * 20210926.1 (2.5.1-dev) Add ap_unescape_url_ex() and deprecate
* AP_NORMALIZE_DROP_PARAMETERS * AP_NORMALIZE_DROP_PARAMETERS
* 20210926.2 (2.5.1-dev) Add ap_post_read_request()
* *
*/ */
@@ -703,7 +704,7 @@
#ifndef MODULE_MAGIC_NUMBER_MAJOR #ifndef MODULE_MAGIC_NUMBER_MAJOR
#define MODULE_MAGIC_NUMBER_MAJOR 20210926 #define MODULE_MAGIC_NUMBER_MAJOR 20210926
#endif #endif
#define MODULE_MAGIC_NUMBER_MINOR 1 /* 0...n */ #define MODULE_MAGIC_NUMBER_MINOR 2 /* 0...n */
/** /**
* Determine if the server's current MODULE_MAGIC_NUMBER is at least a * Determine if the server's current MODULE_MAGIC_NUMBER is at least a

7
include/http_protocol.h
View File

@@ -96,6 +96,13 @@ AP_DECLARE(void) ap_get_mime_headers(request_rec *r);
AP_DECLARE(void) ap_get_mime_headers_core(request_rec *r, AP_DECLARE(void) ap_get_mime_headers_core(request_rec *r,
apr_bucket_brigade *bb); apr_bucket_brigade *bb);
/**
* Run post_read_request hook and validate.
* @param r The current request
* @return OK or HTTP_...
*/
AP_DECLARE(int) ap_post_read_request(request_rec *r);
/* Finish up stuff after a request */ /* Finish up stuff after a request */
/** /**

2
modules/http/http_request.c
View File

@@ -690,7 +690,7 @@ static request_rec *internal_internal_redirect(const char *new_uri,
* to do their thing on internal redirects as well. Perhaps this is a * to do their thing on internal redirects as well. Perhaps this is a
* misnamed function. * misnamed function.
*/ */
if ((access_status = ap_run_post_read_request(new))) { if ((access_status = ap_post_read_request(new))) {
ap_die(access_status, new); ap_die(access_status, new);
return NULL; return NULL;
} }

2
modules/http2/h2_request.c
View File

@@ -383,7 +383,7 @@ request_rec *h2_create_request_rec(const h2_request *req, conn_rec *c)
ap_add_input_filter_handle(ap_http_input_filter_handle, ap_add_input_filter_handle(ap_http_input_filter_handle,
NULL, r, r->connection); NULL, r, r->connection);
if ((access_status = ap_run_post_read_request(r))) { if ((access_status = ap_post_read_request(r))) {
/* Request check post hooks failed. An example of this would be a /* Request check post hooks failed. An example of this would be a
* request for a vhost where h2 is disabled --> 421. * request for a vhost where h2 is disabled --> 421.
*/ */

12
modules/proxy/mod_proxy.c
View File

@@ -781,13 +781,13 @@ static int proxy_detect(request_rec *r)
/* Ick... msvc (perhaps others) promotes ternary short results to int */ /* Ick... msvc (perhaps others) promotes ternary short results to int */
if (conf->req && r->parsed_uri.scheme) { if (conf->req && r->parsed_uri.scheme && r->parsed_uri.hostname) {
/* but it might be something vhosted */ /* but it might be something vhosted */
if (!(r->parsed_uri.hostname if (ap_cstr_casecmp(r->parsed_uri.scheme, ap_http_scheme(r)) != 0
&& !ap_cstr_casecmp(r->parsed_uri.scheme, ap_http_scheme(r)) || !ap_matches_request_vhost(r, r->parsed_uri.hostname,
&& ap_matches_request_vhost(r, r->parsed_uri.hostname, (apr_port_t)(r->parsed_uri.port_str
(apr_port_t)(r->parsed_uri.port_str ? r->parsed_uri.port ? r->parsed_uri.port
: ap_default_port(r))))) { : ap_default_port(r)))) {
r->proxyreq = PROXYREQ_PROXY; r->proxyreq = PROXYREQ_PROXY;
r->uri = r->unparsed_uri; r->uri = r->unparsed_uri;
r->filename = apr_pstrcat(r->pool, "proxy:", r->uri, NULL); r->filename = apr_pstrcat(r->pool, "proxy:", r->uri, NULL);

23
server/protocol.c
View File

@@ -1595,7 +1595,7 @@ request_rec *ap_read_request(conn_rec *conn)
/* we may have switched to another server */ /* we may have switched to another server */
apply_server_config(r); apply_server_config(r);
if ((access_status = ap_run_post_read_request(r))) { if ((access_status = ap_post_read_request(r))) {
goto die; goto die;
} }
@@ -1650,6 +1650,27 @@ ignore:
return NULL; return NULL;
} }
AP_DECLARE(int) ap_post_read_request(request_rec *r)
{
int status;
if ((status = ap_run_post_read_request(r))) {
return status;
}
/* Enforce http(s) only scheme for non-forward-proxy requests */
if (!r->proxyreq
&& r->parsed_uri.scheme
&& (ap_cstr_casecmpn(r->parsed_uri.scheme, "http", 4) != 0
|| (r->parsed_uri.scheme[4] != '\0'
&& (apr_tolower(r->parsed_uri.scheme[4]) != 's'
|| r->parsed_uri.scheme[5] != '\0')))) {
return HTTP_BAD_REQUEST;
}
return OK;
}
/* if a request with a body creates a subrequest, remove original request's /* if a request with a body creates a subrequest, remove original request's
* input headers which pertain to the body which has already been read. * input headers which pertain to the body which has already been read.
* out-of-line helper function for ap_set_sub_req_protocol. * out-of-line helper function for ap_set_sub_req_protocol.