In 2.4.26 and later, you can limit the escaping to specific characters
+-in backreferences by listing them: [B=#?;]. Note: The space
+-character can be used in the list of characters to escape, but it cannot be
+-the last character in the list.
+
+ In 2.4.26 and later, you can limit the escaping to specific characters
++in backreferences by listing them: [B=#?;]. Note: The space
++character can be used in the list of characters to escape, but you must quote
++the entire third argument of RewriteRule
++and the space must not be the last character in the list.
++
++
+
+diff --git a/modules/http2/mod_proxy_http2.c b/modules/http2/mod_proxy_http2.c
+index a7e0dcd..9aa1f89 100644
+--- a/modules/http2/mod_proxy_http2.c
++++ b/modules/http2/mod_proxy_http2.c
+@@ -178,6 +178,16 @@ static int proxy_http2_canon(request_rec *r, char *url)
+ path = ap_proxy_canonenc(r->pool, url, (int)strlen(url),
+ enc_path, 0, r->proxyreq);
+ search = r->args;
++ if (search && *(ap_scan_vchar_obstext(search))) {
++ /*
++ * We have a raw control character or a ' ' in r->args.
++ * Correct encoding was missed.
++ */
++ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10412)
++ "To be forwarded query string contains control "
++ "characters or spaces");
++ return HTTP_FORBIDDEN;
++ }
+ }
+ break;
+ case PROXYREQ_PROXY:
+diff --git a/modules/mappers/mod_rewrite.c b/modules/mappers/mod_rewrite.c
+index 38dbb24..7e2b452 100644
+--- a/modules/mappers/mod_rewrite.c
++++ b/modules/mappers/mod_rewrite.c
+@@ -168,6 +168,7 @@ static const char* really_last_key = "rewrite_really_last";
+ #define RULEFLAG_END (1<<17)
+ #define RULEFLAG_ESCAPENOPLUS (1<<18)
+ #define RULEFLAG_QSLAST (1<<19)
++#define RULEFLAG_QSNONE (1<<20) /* programattic only */
+
+ /* return code of the rewrite rule
+ * the result may be escaped - or not
+@@ -761,15 +762,24 @@ static char *escape_absolute_uri(apr_pool_t *p, char *uri, unsigned scheme)
+ ap_escape_uri(p, cp), NULL);
+ }
+
++
+ /*
+ * split out a QUERY_STRING part from
+ * the current URI string
+ */
+-static void splitout_queryargs(request_rec *r, int qsappend, int qsdiscard,
+- int qslast)
++static void splitout_queryargs(request_rec *r, int flags)
+ {
+ char *q;
+ int split;
++ int qsappend = flags & RULEFLAG_QSAPPEND;
++ int qsdiscard = flags & RULEFLAG_QSDISCARD;
++ int qslast = flags & RULEFLAG_QSLAST;
++
++ if (flags & RULEFLAG_QSNONE) {
++ rewritelog((r, 2, NULL, "discarding query string, no parse from substitution"));
++ r->args = NULL;
++ return;
++ }
+
+ /* don't touch, unless it's a scheme for which a query string makes sense.
+ * See RFC 1738 and RFC 2368.
+@@ -794,7 +804,7 @@ static void splitout_queryargs(request_rec *r, int qsappend, int qsdiscard,
+ olduri = apr_pstrdup(r->pool, r->filename);
+ *q++ = '\0';
+ if (qsappend) {
+- if (*q) {
++ if (*q) {
+ r->args = apr_pstrcat(r->pool, q, "&" , r->args, NULL);
+ }
+ }
+@@ -802,9 +812,9 @@ static void splitout_queryargs(request_rec *r, int qsappend, int qsdiscard,
+ r->args = apr_pstrdup(r->pool, q);
+ }
+
+- if (r->args) {
++ if (r->args) {
+ len = strlen(r->args);
+-
++
+ if (!len) {
+ r->args = NULL;
+ }
+@@ -2733,7 +2743,7 @@ static apr_status_t rewritelock_remove(void *data)
+ * XXX: what an inclined parser. Seems we have to leave it so
+ * for backwards compat. *sigh*
+ */
+-static int parseargline(char *str, char **a1, char **a2, char **a3)
++static int parseargline(char *str, char **a1, char **a2, char **a2_end, char **a3)
+ {
+ char quote;
+
+@@ -2784,8 +2794,10 @@ static int parseargline(char *str, char **a1, char **a2, char **a3)
+
+ if (!*str) {
+ *a3 = NULL; /* 3rd argument is optional */
++ *a2_end = str;
+ return 0;
+ }
++ *a2_end = str;
+ *str++ = '\0';
+
+ while (apr_isspace(*str)) {
+@@ -3323,7 +3335,7 @@ static const char *cmd_rewritecond(cmd_parms *cmd, void *in_dconf,
+ rewrite_server_conf *sconf;
+ rewritecond_entry *newcond;
+ ap_regex_t *regexp;
+- char *a1 = NULL, *a2 = NULL, *a3 = NULL;
++ char *a1 = NULL, *a2 = NULL, *a2_end, *a3 = NULL;
+ const char *err;
+
+ sconf = ap_get_module_config(cmd->server->module_config, &rewrite_module);
+@@ -3341,7 +3353,7 @@ static const char *cmd_rewritecond(cmd_parms *cmd, void *in_dconf,
+ * of the argument line. So we can use a1 .. a3 without
+ * copying them again.
+ */
+- if (parseargline(str, &a1, &a2, &a3)) {
++ if (parseargline(str, &a1, &a2, &a2_end, &a3)) {
+ return apr_pstrcat(cmd->pool, "RewriteCond: bad argument line '", str,
+ "'", NULL);
+ }
+@@ -3749,7 +3761,7 @@ static const char *cmd_rewriterule(cmd_parms *cmd, void *in_dconf,
+ rewrite_server_conf *sconf;
+ rewriterule_entry *newrule;
+ ap_regex_t *regexp;
+- char *a1 = NULL, *a2 = NULL, *a3 = NULL;
++ char *a1 = NULL, *a2 = NULL, *a2_end, *a3 = NULL;
+ const char *err;
+
+ sconf = ap_get_module_config(cmd->server->module_config, &rewrite_module);
+@@ -3763,7 +3775,7 @@ static const char *cmd_rewriterule(cmd_parms *cmd, void *in_dconf,
+ }
+
+ /* parse the argument line ourself */
+- if (parseargline(str, &a1, &a2, &a3)) {
++ if (parseargline(str, &a1, &a2, &a2_end, &a3)) {
+ return apr_pstrcat(cmd->pool, "RewriteRule: bad argument line '", str,
+ "'", NULL);
+ }
+@@ -3810,6 +3822,17 @@ static const char *cmd_rewriterule(cmd_parms *cmd, void *in_dconf,
+ newrule->flags |= RULEFLAG_NOSUB;
+ }
+
++ if (*(a2_end-1) == '?') {
++ /* a literal ? at the end of the unsubstituted rewrite rule */
++ newrule->flags |= RULEFLAG_QSNONE;
++ *(a2_end-1) = '\0'; /* trailing ? has done its job */
++ }
++ else if (newrule->flags & RULEFLAG_QSDISCARD) {
++ if (NULL == ap_strchr(newrule->output, '?')) {
++ newrule->flags |= RULEFLAG_QSNONE;
++ }
++ }
++
+ /* now, if the server or per-dir config holds an
+ * array of RewriteCond entries, we take it for us
+ * and clear the array
+@@ -4215,9 +4238,7 @@ static int apply_rewrite_rule(rewriterule_entry *p, rewrite_ctx *ctx)
+ r->path_info = NULL;
+ }
+
+- splitout_queryargs(r, p->flags & RULEFLAG_QSAPPEND,
+- p->flags & RULEFLAG_QSDISCARD,
+- p->flags & RULEFLAG_QSLAST);
++ splitout_queryargs(r, p->flags);
+
+ /* Add the previously stripped per-directory location prefix, unless
+ * (1) it's an absolute URL path and
+@@ -4699,6 +4720,17 @@ static int hook_uri2file(request_rec *r)
+ unsigned skip;
+ apr_size_t flen;
+
++ if (r->args && *(ap_scan_vchar_obstext(r->args))) {
++ /*
++ * We have a raw control character or a ' ' in r->args.
++ * Correct encoding was missed.
++ */
++ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10410)
++ "Rewritten query string contains control "
++ "characters or spaces");
++ return HTTP_FORBIDDEN;
++ }
++
+ if (ACTION_STATUS == rulestatus) {
+ int n = r->status;
+
+@@ -4983,6 +5015,17 @@ static int hook_fixup(request_rec *r)
+ if (rulestatus) {
+ unsigned skip;
+
++ if (r->args && *(ap_scan_vchar_obstext(r->args))) {
++ /*
++ * We have a raw control character or a ' ' in r->args.
++ * Correct encoding was missed.
++ */
++ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10411)
++ "Rewritten query string contains control "
++ "characters or spaces");
++ return HTTP_FORBIDDEN;
++ }
++
+ if (ACTION_STATUS == rulestatus) {
+ int n = r->status;
+
+diff --git a/modules/proxy/mod_proxy_ajp.c b/modules/proxy/mod_proxy_ajp.c
+index eb550e5..8b8d09e 100644
+--- a/modules/proxy/mod_proxy_ajp.c
++++ b/modules/proxy/mod_proxy_ajp.c
+@@ -69,6 +69,16 @@ static int proxy_ajp_canon(request_rec *r, char *url)
+ path = ap_proxy_canonenc(r->pool, url, strlen(url), enc_path, 0,
+ r->proxyreq);
+ search = r->args;
++ if (search && *(ap_scan_vchar_obstext(search))) {
++ /*
++ * We have a raw control character or a ' ' in r->args.
++ * Correct encoding was missed.
++ */
++ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10406)
++ "To be forwarded query string contains control "
++ "characters or spaces");
++ return HTTP_FORBIDDEN;
++ }
+ }
+ if (path == NULL)
+ return HTTP_BAD_REQUEST;
+diff --git a/modules/proxy/mod_proxy_balancer.c b/modules/proxy/mod_proxy_balancer.c
+index c6c7e89..9a5cb08 100644
+--- a/modules/proxy/mod_proxy_balancer.c
++++ b/modules/proxy/mod_proxy_balancer.c
+@@ -106,6 +106,16 @@ static int proxy_balancer_canon(request_rec *r, char *url)
+ path = ap_proxy_canonenc(r->pool, url, strlen(url), enc_path, 0,
+ r->proxyreq);
+ search = r->args;
++ if (search && *(ap_scan_vchar_obstext(search))) {
++ /*
++ * We have a raw control character or a ' ' in r->args.
++ * Correct encoding was missed.
++ */
++ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10407)
++ "To be forwarded query string contains control "
++ "characters or spaces");
++ return HTTP_FORBIDDEN;
++ }
+ }
+ if (path == NULL)
+ return HTTP_BAD_REQUEST;
+diff --git a/modules/proxy/mod_proxy_http.c b/modules/proxy/mod_proxy_http.c
+index a33b57b..f528d94 100644
+--- a/modules/proxy/mod_proxy_http.c
++++ b/modules/proxy/mod_proxy_http.c
+@@ -90,6 +90,16 @@ static int proxy_http_canon(request_rec *r, char *url)
+ path = ap_proxy_canonenc(r->pool, url, strlen(url),
+ enc_path, 0, r->proxyreq);
+ search = r->args;
++ if (search && *(ap_scan_vchar_obstext(search))) {
++ /*
++ * We have a raw control character or a ' ' in r->args.
++ * Correct encoding was missed.
++ */
++ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10408)
++ "To be forwarded query string contains control "
++ "characters or spaces");
++ return HTTP_FORBIDDEN;
++ }
+ }
+ break;
+ case PROXYREQ_PROXY:
+diff --git a/modules/proxy/mod_proxy_wstunnel.c b/modules/proxy/mod_proxy_wstunnel.c
+index 9dda010..05f5d1e 100644
+--- a/modules/proxy/mod_proxy_wstunnel.c
++++ b/modules/proxy/mod_proxy_wstunnel.c
+@@ -73,6 +73,16 @@ static int proxy_wstunnel_canon(request_rec *r, char *url)
+ path = ap_proxy_canonenc(r->pool, url, strlen(url), enc_path, 0,
+ r->proxyreq);
+ search = r->args;
++ if (search && *(ap_scan_vchar_obstext(search))) {
++ /*
++ * We have a raw control character or a ' ' in r->args.
++ * Correct encoding was missed.
++ */
++ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10409)
++ "To be forwarded query string contains control "
++ "characters or spaces");
++ return HTTP_FORBIDDEN;
++ }
+ }
+ if (path == NULL)
+ return HTTP_BAD_REQUEST;
diff --git a/SPECS/httpd.spec b/SPECS/httpd.spec
index c192171..9fdd96e 100644
--- a/SPECS/httpd.spec
+++ b/SPECS/httpd.spec
@@ -51,7 +51,7 @@
Summary: Apache HTTP Server
Name: %{?scl:%scl_prefix}httpd
Version: 2.4.34
-Release: 23%{?dist}.5
+Release: 23%{?dist}.6
URL: http://httpd.apache.org/
Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
Source1: index.html
@@ -212,6 +212,8 @@ Patch228: httpd-2.4.34-CVE-2022-30522.patch
Patch229: httpd-2.4.34-CVE-2022-30556.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2098249
Patch230: httpd-2.4.34-CVE-2022-31813.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2176209
+Patch231: httpd-2.4.34-CVE-2023-25690.patch
License: ASL 2.0
Group: System Environment/Daemons
@@ -449,6 +451,7 @@ export LD_LIBRARY_PATH=%{_libdir}:$LD_LIBRARY_PATH
%patch228 -p1 -b .CVE-2022-30522
%patch229 -p1 -b .CVE-2022-30556
%patch230 -p1 -b .CVE-2022-31813
+%patch231 -p1 -b .CVE-2023-25690
# Patch in the vendor string and the release string
sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h
@@ -1107,6 +1110,10 @@ rm -rf $RPM_BUILD_ROOT
%endif
%changelog
+* Thu Apr 13 2023 Luboš Uhliarik
- 2.4.34-23.6
+- Resolves: #2176722 - CVE-2023-25690 httpd24-httpd: httpd: HTTP request
+ splitting with mod_rewrite and mod_proxy
+
* Tue Sep 20 2022 Luboš Uhliarik - 2.4.34-23.5
- Related: #2035029 - CVE-2021-44224 httpd24-httpd: httpd: possible NULL
dereference or SSRF in forward proxy configurations
