Merge r1774288 from trunk:

short-circuit some kinds of looping in RewriteRule. PR60478 Submitted By: Jeff Wheelouse <apache wheelhouse.org> Committed By: covener git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1774352 13f79535-47bb-0310-9956-ffa450edef68
author: Eric Covener <covener@apache.org> 2016-12-14 22:27:25 +0000
committer: Eric Covener <covener@apache.org> 2016-12-14 22:27:25 +0000
commit: 48100751013bf08880bbe0c97cc99bae55b4d952 (patch)
tree: 4100b27efad88d376e4c1272d74d83fcd59a3f6d
parent: 077e0042efd456f003ac103ef8207f82346257a3 (diff)
download: httpd-48100751013bf08880bbe0c97cc99bae55b4d952.tar.gz
3 files changed, 16 insertions, 7 deletions
diff --git a/CHANGES b/CHANGES
index 964c51c55a..11152777d0 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,7 +1,7 @@
                                                          -*- coding: utf-8 -*-
 
 Changes with Apache 2.4.24
- 
+
   *) SECURITY: CVE-2016-8740 (cve.mitre.org)
      mod_http2: Mitigate DoS memory exhaustion via endless
      CONTINUATION frames.
@@ -33,6 +33,10 @@ Changes with Apache 2.4.24
      pollution by malicious clients, upstream servers or faulty modules.
      [Stefan Fritsch, Eric Covener, Yann Ylavic]
 
+  *) mod_rewrite: Limit runaway memory use by short circuiting some kinds of
+     looping RewriteRules when the local path significantly exceeds 
+     LimitRequestLine.  PR 60478. [Jeff Wheelhouse <apache wheelhouse.org>]
+
   *) mod_ratelimit: Allow for initial "burst" amount at full speed before
      throttling: PR 60145 [Andy Valencia <ajv-etradanalhos vsta.org>,
      Jim Jagielski]
diff --git a/STATUS b/STATUS
index c166c7816d..71752d5fb9 100644
--- a/STATUS
+++ b/STATUS
@@ -118,12 +118,6 @@ RELEASE SHOWSTOPPERS:
 
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
   [ start all new proposals below, under PATCHES PROPOSED. ]
- 
-  *) Limit some kinds of rewrite looping. PR60478
-     trunk patch: http://svn.apache.org/r1774288.
-     2.4.x patch: trunk works
-     +1: covener, ylavic, jchampion
-
 
 PATCHES PROPOSED TO BACKPORT FROM TRUNK:
   [ New proposals should be added at the end of the list ]
diff --git a/modules/mappers/mod_rewrite.c b/modules/mappers/mod_rewrite.c
index 56957c904a..dcf7988ed0 100644
--- a/modules/mappers/mod_rewrite.c
+++ b/modules/mappers/mod_rewrite.c
@@ -4295,6 +4295,17 @@ static int apply_rewrite_list(request_rec *r, apr_array_header_t *rewriterules,
         rc = apply_rewrite_rule(p, ctx);
 
         if (rc) {
+
+            /* Catch looping rules with pathinfo growing unbounded */
+            if ( strlen( r->filename ) > 2*r->server->limit_req_line ) {
+                ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+                              "RewriteRule '%s' and URI '%s' "
+                              "exceeded maximum length (%d)", 
+                              p->pattern, r->uri, 2*r->server->limit_req_line );
+                r->status = HTTP_INTERNAL_SERVER_ERROR;
+                return ACTION_STATUS;
+            }
+
             /* Regardless of what we do next, we've found a match. Check to see
              * if any of the request header fields were involved, and add them
              * to the Vary field of the response.
author	Eric Covener <covener@apache.org>	2016-12-14 22:27:25 +0000
committer	Eric Covener <covener@apache.org>	2016-12-14 22:27:25 +0000
commit	48100751013bf08880bbe0c97cc99bae55b4d952 (patch)
tree	4100b27efad88d376e4c1272d74d83fcd59a3f6d
parent	077e0042efd456f003ac103ef8207f82346257a3 (diff)
download	httpd-48100751013bf08880bbe0c97cc99bae55b4d952.tar.gz