don't forward invalid query strings

Submitted by: rpluem


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1908095 13f79535-47bb-0310-9956-ffa450edef68

docs/log-message-tags/next-number

@@ -1 +1 @@
-10406
+10412

modules/http2/mod_proxy_http2.c

@@ -162,6 +162,16 @@ static int proxy_http2_canon(request_rec *r, char *url)
             path = ap_proxy_canonenc(r->pool, url, (int)strlen(url),
                                      enc_path, 0, r->proxyreq);
             search = r->args;
+            if (search && *(ap_scan_vchar_obstext(search))) {
+                /*
+                 * We have a raw control character or a ' ' in r->args.
+                 * Correct encoding was missed.
+                 */
+                ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO()
+                              "To be forwarded query string contains control "
+                              "characters or spaces");
+                return HTTP_FORBIDDEN;
+            }
         }
         break;
     case PROXYREQ_PROXY:

modules/mappers/mod_rewrite.c

@@ -4794,6 +4794,17 @@ static int hook_uri2file(request_rec *r)
         apr_size_t flen;
         int to_proxyreq;
 
+        if (r->args && *(ap_scan_vchar_obstext(r->args))) {
+            /*
+             * We have a raw control character or a ' ' in r->args.
+             * Correct encoding was missed.
+             */
+            ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10410)
+                          "Rewritten query string contains control "
+                          "characters or spaces");
+            return HTTP_FORBIDDEN;
+        }
+
         if (ACTION_STATUS == rulestatus) {
             int n = r->status;
 
@@ -5092,6 +5103,17 @@ static int hook_fixup(request_rec *r)
     if (rulestatus) {
         unsigned skip;
 
+        if (r->args && *(ap_scan_vchar_obstext(r->args))) {
+            /*
+             * We have a raw control character or a ' ' in r->args.
+             * Correct encoding was missed.
+             */
+            ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10411)
+                          "Rewritten query string contains control "
+                          "characters or spaces");
+            return HTTP_FORBIDDEN;
+        }
+
         if (ACTION_STATUS == rulestatus) {
             int n = r->status;
 

modules/proxy/mod_proxy_ajp.c

@@ -73,6 +73,16 @@ static int proxy_ajp_canon(request_rec *r, char *url)
         path = ap_proxy_canonenc(r->pool, url, strlen(url), enc_path, 0,
                                  r->proxyreq);
         search = r->args;
+        if (search && *(ap_scan_vchar_obstext(search))) {
+            /*
+             * We have a raw control character or a ' ' in r->args.
+             * Correct encoding was missed.
+             */
+             ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10406)
+                           "To be forwarded query string contains control "
+                           "characters or spaces");
+             return HTTP_FORBIDDEN;
+        }
     }
     if (path == NULL)
         return HTTP_BAD_REQUEST;

modules/proxy/mod_proxy_balancer.c

@@ -110,6 +110,16 @@ static int proxy_balancer_canon(request_rec *r, char *url)
         path = ap_proxy_canonenc(r->pool, url, strlen(url), enc_path, 0,
                                  r->proxyreq);
         search = r->args;
+        if (search && *(ap_scan_vchar_obstext(search))) {
+            /*
+             * We have a raw control character or a ' ' in r->args.
+             * Correct encoding was missed.
+             */
+             ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10407)
+                           "To be forwarded query string contains control "
+                           "characters or spaces");
+             return HTTP_FORBIDDEN;
+        }
     }
     if (path == NULL)
         return HTTP_BAD_REQUEST;

modules/proxy/mod_proxy_http.c

@@ -126,6 +126,16 @@ static int proxy_http_canon(request_rec *r, char *url)
             path = ap_proxy_canonenc(r->pool, url, strlen(url),
                                      enc_path, 0, r->proxyreq);
             search = r->args;
+            if (search && *(ap_scan_vchar_obstext(search))) {
+                /*
+                 * We have a raw control character or a ' ' in r->args.
+                 * Correct encoding was missed.
+                 */
+                ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10408)
+                              "To be forwarded query string contains control "
+                              "characters or spaces");
+                return HTTP_FORBIDDEN;
+            }
         }
         break;
     case PROXYREQ_PROXY:

modules/proxy/mod_proxy_wstunnel.c

@@ -203,6 +203,16 @@ static int proxy_wstunnel_canon(request_rec *r, char *url)
         path = ap_proxy_canonenc(r->pool, url, strlen(url), enc_path, 0,
                                  r->proxyreq);
         search = r->args;
+        if (search && *(ap_scan_vchar_obstext(search))) {
+            /*
+             * We have a raw control character or a ' ' in r->args.
+             * Correct encoding was missed.
+             */
+            ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10409)
+                          "To be forwarded query string contains control "
+                          "characters or spaces");
+            return HTTP_FORBIDDEN;
+        }
     }
     if (path == NULL)
         return HTTP_BAD_REQUEST;