diff options
author | Eric Covener <covener@apache.org> | 2016-12-14 22:27:25 +0000 |
---|---|---|
committer | Eric Covener <covener@apache.org> | 2016-12-14 22:27:25 +0000 |
commit | 48100751013bf08880bbe0c97cc99bae55b4d952 (patch) | |
tree | 4100b27efad88d376e4c1272d74d83fcd59a3f6d | |
parent | 077e0042efd456f003ac103ef8207f82346257a3 (diff) | |
download | httpd-48100751013bf08880bbe0c97cc99bae55b4d952.tar.gz |
Merge r1774288 from trunk:
short-circuit some kinds of looping in RewriteRule.
PR60478
Submitted By: Jeff Wheelouse <apache wheelhouse.org>
Committed By: covener
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1774352 13f79535-47bb-0310-9956-ffa450edef68
-rw-r--r-- | CHANGES | 6 | ||||
-rw-r--r-- | STATUS | 6 | ||||
-rw-r--r-- | modules/mappers/mod_rewrite.c | 11 |
3 files changed, 16 insertions, 7 deletions
@@ -1,7 +1,7 @@ -*- coding: utf-8 -*- Changes with Apache 2.4.24 - + *) SECURITY: CVE-2016-8740 (cve.mitre.org) mod_http2: Mitigate DoS memory exhaustion via endless CONTINUATION frames. @@ -33,6 +33,10 @@ Changes with Apache 2.4.24 pollution by malicious clients, upstream servers or faulty modules. [Stefan Fritsch, Eric Covener, Yann Ylavic] + *) mod_rewrite: Limit runaway memory use by short circuiting some kinds of + looping RewriteRules when the local path significantly exceeds + LimitRequestLine. PR 60478. [Jeff Wheelhouse <apache wheelhouse.org>] + *) mod_ratelimit: Allow for initial "burst" amount at full speed before throttling: PR 60145 [Andy Valencia <ajv-etradanalhos vsta.org>, Jim Jagielski] @@ -118,12 +118,6 @@ RELEASE SHOWSTOPPERS: PATCHES ACCEPTED TO BACKPORT FROM TRUNK: [ start all new proposals below, under PATCHES PROPOSED. ] - - *) Limit some kinds of rewrite looping. PR60478 - trunk patch: http://svn.apache.org/r1774288. - 2.4.x patch: trunk works - +1: covener, ylavic, jchampion - PATCHES PROPOSED TO BACKPORT FROM TRUNK: [ New proposals should be added at the end of the list ] diff --git a/modules/mappers/mod_rewrite.c b/modules/mappers/mod_rewrite.c index 56957c904a..dcf7988ed0 100644 --- a/modules/mappers/mod_rewrite.c +++ b/modules/mappers/mod_rewrite.c @@ -4295,6 +4295,17 @@ static int apply_rewrite_list(request_rec *r, apr_array_header_t *rewriterules, rc = apply_rewrite_rule(p, ctx); if (rc) { + + /* Catch looping rules with pathinfo growing unbounded */ + if ( strlen( r->filename ) > 2*r->server->limit_req_line ) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "RewriteRule '%s' and URI '%s' " + "exceeded maximum length (%d)", + p->pattern, r->uri, 2*r->server->limit_req_line ); + r->status = HTTP_INTERNAL_SERVER_ERROR; + return ACTION_STATUS; + } + /* Regardless of what we do next, we've found a match. Check to see * if any of the request header fields were involved, and add them * to the Vary field of the response. |