mod_proxy: Check for space/ctrls in nocanon path/urls before forwarding.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1908827 13f79535-47bb-0310-9956-ffa450edef68
2025-07-29 12:37:06 +00:00 · 2023-03-31 00:11:02 +00:00
parent 0a9193072a
commit 2eceb6a9fe
7 changed files with 101 additions and 48 deletions
--- a/modules/http2/mod_proxy_http2.c
+++ b/modules/http2/mod_proxy_http2.c
@ -164,26 +164,31 @@ static int proxy_http2_canon(request_rec *r, char *url)

            path = ap_proxy_canonenc_ex(r->pool, url, (int)strlen(url),
                                        enc_path, flags, r->proxyreq);
+            if (!path) {
+                return HTTP_BAD_REQUEST;
+            }
            search = r->args;
        }
-        if (search && *ap_scan_vchar_obstext(search)) {
-            /*
-             * We have a raw control character or a ' ' in r->args.
-             * Correct encoding was missed.
-             */
-            ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10412)
-                          "To be forwarded query string contains control "
-                          "characters or spaces");
-            return HTTP_FORBIDDEN;
-        }
        break;
    case PROXYREQ_PROXY:
        path = url;
        break;
    }
-
-    if (path == NULL) {
-        return HTTP_BAD_REQUEST;
+    /*
+     * If we have a raw control character or a ' ' in nocanon path or
+     * r->args, correct encoding was missed.
+     */
+    if (path == url && *ap_scan_vchar_obstext(path)) {
+        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10420)
+                      "To be forwarded path contains control "
+                      "characters or spaces");
+        return HTTP_FORBIDDEN;
+    }
+    if (search && *ap_scan_vchar_obstext(search)) {
+        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10412)
+                      "To be forwarded query string contains control "
+                      "characters or spaces");
+        return HTTP_FORBIDDEN;
    }

    if (port != def_port) {
--- a/modules/proxy/mod_proxy_ajp.c
+++ b/modules/proxy/mod_proxy_ajp.c
@ -75,20 +75,27 @@ static int proxy_ajp_canon(request_rec *r, char *url)

        path = ap_proxy_canonenc_ex(r->pool, url, strlen(url), enc_path, flags,
                                    r->proxyreq);
+        if (!path) {
+            return HTTP_BAD_REQUEST;
+        }
        search = r->args;
    }
+    /*
+     * If we have a raw control character or a ' ' in nocanon path or
+     * r->args, correct encoding was missed.
+     */
+    if (path == url && *ap_scan_vchar_obstext(path)) {
+        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10418)
+                      "To be forwarded path contains control "
+                      "characters or spaces");
+        return HTTP_FORBIDDEN;
+    }
    if (search && *ap_scan_vchar_obstext(search)) {
-        /*
-         * We have a raw control character or a ' ' in r->args.
-         * Correct encoding was missed.
-         */
         ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10406)
                       "To be forwarded query string contains control "
                       "characters or spaces");
         return HTTP_FORBIDDEN;
    }
-    if (path == NULL)
-        return HTTP_BAD_REQUEST;

    if (port != def_port)
         apr_snprintf(sport, sizeof(sport), ":%d", port);
--- a/modules/proxy/mod_proxy_balancer.c
+++ b/modules/proxy/mod_proxy_balancer.c
@ -112,20 +112,27 @@ static int proxy_balancer_canon(request_rec *r, char *url)

        path = ap_proxy_canonenc_ex(r->pool, url, strlen(url), enc_path, flags,
                                    r->proxyreq);
+        if (!path) {
+            return HTTP_BAD_REQUEST;
+        }
        search = r->args;
    }
+    /*
+     * If we have a raw control character or a ' ' in nocanon path or
+     * r->args, correct encoding was missed.
+     */
+    if (path == url && *ap_scan_vchar_obstext(path)) {
+        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10416)
+                      "To be forwarded path contains control "
+                      "characters or spaces");
+        return HTTP_FORBIDDEN;
+    }
    if (search && *ap_scan_vchar_obstext(search)) {
-        /*
-         * We have a raw control character or a ' ' in r->args.
-         * Correct encoding was missed.
-         */
         ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10407)
                       "To be forwarded query string contains control "
                       "characters or spaces");
         return HTTP_FORBIDDEN;
    }
-    if (path == NULL)
-        return HTTP_BAD_REQUEST;

    r->filename = apr_pstrcat(r->pool, "proxy:" BALANCER_PREFIX, host,
            "/", path, (search) ? "?" : "", (search) ? search : "", NULL);
--- a/modules/proxy/mod_proxy_fcgi.c
+++ b/modules/proxy/mod_proxy_fcgi.c
@ -102,9 +102,20 @@ static int proxy_fcgi_canon(request_rec *r, char *url)

        path = ap_proxy_canonenc_ex(r->pool, url, strlen(url), enc_path, flags,
                                    r->proxyreq);
+        if (!path) {
+            return HTTP_BAD_REQUEST;
+        }
+    }
+    /*
+     * If we have a raw control character or a ' ' in nocanon path,
+     * correct encoding was missed.
+     */
+    if (path == url && *ap_scan_vchar_obstext(path)) {
+        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10414)
+                      "To be forwarded path contains control "
+                      "characters or spaces");
+        return HTTP_FORBIDDEN;
    }
-    if (path == NULL)
-        return HTTP_BAD_REQUEST;

    r->filename = apr_pstrcat(r->pool, "proxy:fcgi://", host, sport, "/",
                              path, NULL);
--- a/modules/proxy/mod_proxy_http.c
+++ b/modules/proxy/mod_proxy_http.c
@ -128,26 +128,32 @@ static int proxy_http_canon(request_rec *r, char *url)

            path = ap_proxy_canonenc_ex(r->pool, url, strlen(url), enc_path,
                                        flags, r->proxyreq);
+            if (!path) {
+                return HTTP_BAD_REQUEST;
+            }
            search = r->args;
        }
-        if (search && *ap_scan_vchar_obstext(search)) {
-            /*
-             * We have a raw control character or a ' ' in r->args.
-             * Correct encoding was missed.
-             */
-            ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10408)
-                          "To be forwarded query string contains control "
-                          "characters or spaces");
-            return HTTP_FORBIDDEN;
-        }
        break;
    case PROXYREQ_PROXY:
        path = url;
        break;
    }
-
-    if (path == NULL)
-        return HTTP_BAD_REQUEST;
+    /*
+     * If we have a raw control character or a ' ' in nocanon path or
+     * r->args, correct encoding was missed.
+     */
+    if (path == url && *ap_scan_vchar_obstext(path)) {
+        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10415)
+                      "To be forwarded path contains control "
+                      "characters or spaces");
+        return HTTP_FORBIDDEN;
+    }
+    if (search && *ap_scan_vchar_obstext(search)) {
+        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10408)
+                      "To be forwarded query string contains control "
+                      "characters or spaces");
+        return HTTP_FORBIDDEN;
+    }

    if (port != def_port)
        apr_snprintf(sport, sizeof(sport), ":%d", port);
--- a/modules/proxy/mod_proxy_uwsgi.c
+++ b/modules/proxy/mod_proxy_uwsgi.c
@ -94,9 +94,19 @@ static int uwsgi_canon(request_rec *r, char *url)

        path = ap_proxy_canonenc_ex(r->pool, url, strlen(url), enc_path, flags,
                                    r->proxyreq);
+        if (!path) {
+            return HTTP_BAD_REQUEST;
+        }
    }
-    if (!path) {
-        return HTTP_BAD_REQUEST;
+    /*
+     * If we have a raw control character or a ' ' in nocanon path,
+     * correct encoding was missed.
+     */
+    if (path == url && *ap_scan_vchar_obstext(path)) {
+        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10417)
+                      "To be forwarded path contains control "
+                      "characters or spaces");
+        return HTTP_FORBIDDEN;
    }

    r->filename =
--- a/modules/proxy/mod_proxy_wstunnel.c
+++ b/modules/proxy/mod_proxy_wstunnel.c
@ -205,20 +205,27 @@ static int proxy_wstunnel_canon(request_rec *r, char *url)

        path = ap_proxy_canonenc_ex(r->pool, url, strlen(url), enc_path, flags,
                                    r->proxyreq);
+        if (!path) {
+            return HTTP_BAD_REQUEST;
+        }
        search = r->args;
    }
+    /*
+     * If we have a raw control character or a ' ' in nocanon path or
+     * r->args, correct encoding was missed.
+     */
+    if (path == url && *ap_scan_vchar_obstext(path)) {
+        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10419)
+                      "To be forwarded path contains control "
+                      "characters or spaces");
+        return HTTP_FORBIDDEN;
+    }
    if (search && *ap_scan_vchar_obstext(search)) {
-        /*
-         * We have a raw control character or a ' ' in r->args.
-         * Correct encoding was missed.
-         */
        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10409)
                      "To be forwarded query string contains control "
                      "characters or spaces");
        return HTTP_FORBIDDEN;
    }
-    if (path == NULL)
-        return HTTP_BAD_REQUEST;

    if (port != def_port)
        apr_snprintf(sport, sizeof(sport), ":%d", port);