--- httpd-2.2.22.orig/modules/mappers/mod_rewrite.c 2012-01-24 19:39:31.000000000 +0000 +++ httpd-2.2.22/modules/mappers/mod_rewrite.c 2012-05-28 16:52:38.790119737 +0100 @@ -155,6 +155,7 @@ #define ACTION_NORMAL 1<<0 #define ACTION_NOESCAPE 1<<1 #define ACTION_STATUS 1<<2 +#define ACTION_FORBIDDEN 1<<3 #define MAPTYPE_TXT 1<<0 @@ -4079,6 +4080,22 @@ static int apply_rewrite_list(request_re * last-rule and new-round flags. */ if (p->flags & (RULEFLAG_PROXY | RULEFLAG_LASTRULE)) { + /* If the rewrite involved PROXY, and the URI seems to risk + * causing an issue mentioned in CVE-2011-4317, then + * FORBID the request. Just disabling the related [P] + * rewriterule could cause a later rule to run with unexpected + * results. + * Only do the blocking if the executed last rule was PROXY + */ + if (p->flags & RULEFLAG_PROXY && + r->uri[0] != '/' && + strncmp(r->uri, "http://" , 7) != 0 && + strncmp(r->uri, "https://", 8 )!= 0) { + rewritelog((r, 2, NULL, + "uri %s is considered a proxy security risk", + r->uri ? r->uri : "")); + return ACTION_FORBIDDEN; + } break; } @@ -4267,7 +4284,9 @@ static int hook_uri2file(request_rec *r) } if ((r->unparsed_uri[0] == '*' && r->unparsed_uri[1] == '\0') - || !r->uri || r->uri[0] != '/') { + || !r->uri ) { + rewritelog((r, 2, NULL, "uri %s is considered a security risk", + r->uri ? r->uri : "")); return DECLINED; } @@ -4342,6 +4361,10 @@ static int hook_uri2file(request_rec *r) unsigned skip; apr_size_t flen; + if (rulestatus == ACTION_FORBIDDEN) { + return HTTP_FORBIDDEN; + } + if (ACTION_STATUS == rulestatus) { int n = r->status; @@ -4522,6 +4545,7 @@ static int hook_fixup(request_rec *r) char *ofilename; int is_proxyreq; + dconf = (rewrite_perdir_conf *)ap_get_module_config(r->per_dir_config, &rewrite_module); @@ -4599,6 +4623,10 @@ static int hook_fixup(request_rec *r) if (rulestatus) { unsigned skip; + if (rulestatus == ACTION_FORBIDDEN) { + return HTTP_FORBIDDEN; + } + if (ACTION_STATUS == rulestatus) { int n = r->status;
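Review bot: In the proxy check added to apply_rewrite_list, `r->uri[0]` and both `strncmp` calls dereference `r->uri` before the `r->uri ? r->uri : ""` guard in the rewritelog call, so that guard is either unnecessary or comes too late. The callers are outside this hunk; if a NULL uri can reach this point, test it first and fail closed: `if ((p->flags & RULEFLAG_PROXY) && (!r->uri || (r->uri[0] != '/' && strncasecmp(r->uri, "http://", 7) != 0 && strncasecmp(r->uri, "https://", 8) != 0))) {`. The original scheme comparison is case-sensitive, so a target spelled `HTTP://` is forbidden rather than allowed. That fails closed, so it is a compatibility issue rather than a safety one, and `strncasecmp` as quoted above fixes it. The function body starts and ends outside the hunk.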
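Review bot: Dropping `r->uri[0] != '/'` from the early DECLINED test in hook_uri2file means the rule list is now evaluated against request-targets that do not start with '/', and the compensating check added in apply_rewrite_list only fires when the terminating rule carries RULEFLAG_PROXY. As far as these hunks show, non-proxy rules that assume a leading slash lose the protection the removed test gave them. If that is intended, a comment should state the constraint, e.g. `/* non-'/' URIs pass through for proxy rewrites; guarded by the RULEFLAG_PROXY check in apply_rewrite_list */`. Separately, the new rewritelog message says "security risk" although the remaining conditions are a bare `*` request-target or a NULL uri. It also prints `r->uri` rather than `r->unparsed_uri`, so the logged value does not show what triggered the decline.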
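Review bot: The 403 returned for `ACTION_FORBIDDEN` in hook_uri2file (and again in the hook_fixup hunk at -4599) is recorded only by the level-2 rewritelog call in apply_rewrite_list, which is written only when a RewriteLog is configured at that level. A request rejected for a security reason should reach the error log so operators can see it, e.g. `ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "mod_rewrite: proxy rewrite rejected for uri %s", r->uri ? r->uri : "");` before each `return HTTP_FORBIDDEN;`. As a style point, the new test is written `rulestatus == ACTION_FORBIDDEN` while the line after it uses `ACTION_STATUS == rulestatus`; matching the existing operand order keeps the block uniform. Both functions continue outside their hunks.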