| Summary: | [Patch] mod_rewrite local DOS using path info | | |
|---|---|---|---|
| Product: | Apache httpd-2 | Reporter: | Jeff W <apache> |
| Component: | mod_rewrite | Assignee: | Apache HTTPD Bugs Mailing List <bugs> |
| Status: | RESOLVED FIXED | | |
| Severity: | critical | Keywords: | FixedInTrunk |
| Priority: | P2 | | |
| Version: | 2.4-HEAD | | |
| Target Milestone: | --- | | |
| Hardware: | PC | | |
| OS: | FreeBSD | | |
| Attachments: | Patch to limit expansion by looping mod_rewrite rules | | |
Description
Jeff W
2016-12-14 16:13:18 UTC
Thanks for the report and patch. I applied it but doubled LimitRequestLine just for some leeway. Will propose for 2.4.x.

Thanks Eric!

Backport is complete and should be in 2.4.24.

For posterity: We don't consider most intentional or unintentional config problems as vulnerabilities, but if there's any question about a report, it's best to start with security@httpd.apache.org so it can be reviewed.

Fixed in 2.4.25