PR47765: ProxyPass and ProxyPassReverse should not be accepted in

Directory or Files sections.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1031758 13f79535-47bb-0310-9956-ffa450edef68

CHANGES

@@ -6,6 +6,9 @@ Changes with Apache 2.3.9
      Fix a denial of service attack against mod_reqtimeout.
      [Stefan Fritsch]
 
+  *) mod_proxy: Don't allow ProxyPass or ProxyPassReverse in
+     <Directory> or <Files>. PR47765 [Eric Covener]
+
   *) prefork/worker/event MPMS: default value (when no directive is present)
      of MaxConnectionsPerChild/MaxRequestsPerChild is changed to 0 from 10000 
      to match default configuration and manual. PR47782 [Eric Covener]

modules/proxy/mod_proxy.c

@@ -1337,6 +1337,12 @@ static const char *
     int i;
     int use_regex = is_regex;
     unsigned int flags = 0;
+    const char *err;
+
+    err = ap_check_cmd_context(cmd, NOT_IN_DIRECTORY|NOT_IN_FILES);
+    if (err) { 
+        return err;
+    }
 
     while (*arg) {
         word = ap_getword_conf(cmd->pool, &arg);
@@ -1490,6 +1496,12 @@ static const char * add_pass_reverse(cmd_parms *cmd, void *dconf, const char *f,
     const char *fake;
     const char *real;
     const char *interp;
+    const char *err;
+
+    err = ap_check_cmd_context(cmd, NOT_IN_DIRECTORY|NOT_IN_FILES);
+    if (err) { 
+        return err;
+    }
 
     if (cmd->path == NULL) {
         if (r == NULL || !strcasecmp(r, "interpolate")) {