Merge r1908827, r1908838 from trunk:

mod_proxy: Check for space/ctrls in nocanon path/urls before forwarding.



Follow up to r1908827: CHANGES entry.
Submitted by: ylavic
Reviewed by: ylavic, rpluem, covener


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1908865 13f79535-47bb-0310-9956-ffa450edef68

1 files changed, 13 insertions, 6 deletions

diff --git a/modules/proxy/mod_proxy_ajp.c b/modules/proxy/mod_proxy_ajp.c
index f5b25662e1..65773ce768 100644
--- a/modules/proxy/mod_proxy_ajp.c
+++ b/modules/proxy/mod_proxy_ajp.c
@@ -75,20 +75,27 @@ static int proxy_ajp_canon(request_rec *r, char *url)
 
         path = ap_proxy_canonenc_ex(r->pool, url, strlen(url), enc_path, flags,
                                     r->proxyreq);
+        if (!path) {
+            return HTTP_BAD_REQUEST;
+        }
         search = r->args;
     }
+    /*
+     * If we have a raw control character or a ' ' in nocanon path or
+     * r->args, correct encoding was missed.
+     */
+    if (path == url && *ap_scan_vchar_obstext(path)) {
+        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10418)
+                      "To be forwarded path contains control "
+                      "characters or spaces");
+        return HTTP_FORBIDDEN;
+    }
     if (search && *ap_scan_vchar_obstext(search)) {
-        /*
-         * We have a raw control character or a ' ' in r->args.
-         * Correct encoding was missed.
-         */
          ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10406)
                        "To be forwarded query string contains control "
                        "characters or spaces");
          return HTTP_FORBIDDEN;
     }
-    if (path == NULL)
-        return HTTP_BAD_REQUEST;
 
     if (port != def_port)
          apr_snprintf(sport, sizeof(sport), ":%d", port);