authorYann Ylavic <ylavic@apache.org>2021-12-13 19:55:18 +0100
committerYann Ylavic <ylavic@apache.org>2021-12-13 19:55:18 +0100
commit3ec0ffb9e1ac05622b97a7afd6992dd2bd41ce38 (patch)
tree507e70b7677f204290b5a8c176159ede06ba7a63 /server/protocol.c
parentmod_proxy: Detect unix: scheme syntax errors at load time. (diff)
http: Enforce that fully qualified uri-paths not to be forward-proxied
have an http(s) scheme, and that the ones to be forward proxied have a hostname, per HTTP specifications. The early checks avoid failing the request later on and thus save cycles for those invalid cases. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1895921 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'server/protocol.c')
-rw-r--r--server/protocol.c23
1 files changed, 22 insertions, 1 deletions
diff --git a/server/protocol.c b/server/protocol.c
index c4dc7b5763..0c3b770ad5 100644
--- a/server/protocol.c
+++ b/server/protocol.c
@@ -1595,7 +1595,7 @@ request_rec *ap_read_request(conn_rec *conn)
/* we may have switched to another server */
apply_server_config(r);
- if ((access_status = ap_run_post_read_request(r))) {
+ if ((access_status = ap_post_read_request(r))) {
goto die;
}
@@ -1650,6 +1650,27 @@ ignore:
return NULL;
}
+AP_DECLARE(int) ap_post_read_request(request_rec *r)
+{
+ int status;
+
+ if ((status = ap_run_post_read_request(r))) {
+ return status;
+ }
+
+ /* Enforce http(s) only scheme for non-forward-proxy requests */
+ if (!r->proxyreq
+ && r->parsed_uri.scheme
+ && (ap_cstr_casecmpn(r->parsed_uri.scheme, "http", 4) != 0
+ || (r->parsed_uri.scheme[4] != '\0'
+ && (apr_tolower(r->parsed_uri.scheme[4]) != 's'
+ || r->parsed_uri.scheme[5] != '\0')))) {
+ return HTTP_BAD_REQUEST;
+ }
+
+ return OK;
+}
+
/* if a request with a body creates a subrequest, remove original request's
* input headers which pertain to the body which has already been read.
* out-of-line helper function for ap_set_sub_req_protocol.
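Review bot: The scheme test in the new ap_post_read_request() (the `ap_cstr_casecmpn(..., "http", 4)` / `scheme[4]` / `scheme[5]` chain) is correct but hard to audit; it accepts exactly the case-insensitive strings "http" and "https", which reads far more plainly as `ap_cstr_casecmp(r->parsed_uri.scheme, "http") != 0 && ap_cstr_casecmp(r->parsed_uri.scheme, "https") != 0`. The check is only meaningful because ap_run_post_read_request() runs first and that is where a forward proxy module is expected to set r->proxyreq, so the ordering deserves a comment such as `/* post_read_request hooks must run first: they decide r->proxyreq */` rather than being implicit; any such hook still sees an unvalidated scheme, which is presumably acceptable but worth stating. The commit message also promises that forward-proxied requests carry a hostname, and nothing in this file enforces that, so that check presumably lives in another file of the commit; a reader of protocol.c cannot tell. Since ap_post_read_request is a new AP_DECLARE'd public function, its header declaration (not shown here) should document that it runs the post_read_request hooks and then rejects absolute-form targets with a non-http(s) scheme with HTTP_BAD_REQUEST.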