Apache Source Defense Patch Brian Shire & Facebook Inc. Provides some protection from revealing source code when Apache is misconfigured. Tested against Apache-1.3.37 To use: Apply the patch with the following commands: cd apache-1.3.x patch -p1 -i ap_source_defense.patch Edit the src/main/http_core.c file and modify the following lines: --------------------------------------------------------------------------------------------------------------------------- /**** BEGIN PATCH: "source defense", (c)2007 Brian Shire & Facbeook Inc, Licensed under MIT License ***/ /* Don't allow source files to be displayed! (final line of defense) */ { /*** Set the default redirect location URL and extensions to filter here: ***/ char *source_defense_deflocation = "/"; char *source_defense_exts[] = { "php", NULL }; int i; --------------------------------------------------------------------------------------------------------------------------- Set this to the URL that you would like to redirect to in cases where source would have displayed: --------------------------------------------------------------------------------------------------------------------------- char *source_defense_deflocation = "/"; --------------------------------------------------------------------------------------------------------------------------- A list of extensions (without '.') that should never be displayed to the user in their original source format. aka: php, py, cgi, pl Be sure to leave in the last 'NULL'! --------------------------------------------------------------------------------------------------------------------------- char *source_defense_exts[] = { "php", "py", "cgi", "pl", NULL }; --------------------------------------------------------------------------------------------------------------------------- Provide feedback to
diff --git a/src/include/http_core.h b/src/include/http_core.h
index bbe2bb6..1ae3846 100644
--- a/src/include/http_core.h
+++ b/src/include/http_core.h
@@ -319,6 +319,11 @@ typedef struct { /* Digest auth. */ char *ap_auth_nonce; + + /**** BEGIN PATCH: "source defense", (c)2007 Brian Shire & Facbeook Inc, Licensed under MIT License ***/ + char *source_defense_location; + /*** END PATCH: "source defense" ***/ + } core_dir_config; /* Per-server core configuration */ diff --git a/src/main/http_core.c b/src/main/http_core.c index c29dc87..b9cc04e 100644 --- a/src/main/http_core.c +++ b/src/main/http_core.c @@ -1464,6 +1464,13 @@ static const char *satisfy(cmd_parms *cmd, core_dir_config *c, char *arg) return NULL; } +/**** BEGIN PATCH: "source defense", (c)2007 Brian Shire & Facbeook Inc, Licensed under MIT License ***/ +static const char *set_source_defense_location(cmd_parms *cmd, core_dir_config *c, char *arg) { + c->source_defense_location = arg; + return NULL; +} +/*** END PACH: source defense ***/ + static const char *require(cmd_parms *cmd, core_dir_config *c, char *arg) { require_line *r; @@ -3531,6 +3538,10 @@ static const command_rec core_cmds[] = { "Selects which authenticated users or groups may access a protected space" }, { "Satisfy", satisfy, NULL, OR_AUTHCFG, TAKE1, "access policy if both allow and require used ('all' or 'any')" }, +/**** BEGIN PATCH: "source defense", (c)2007 Brian Shire & Facbeook Inc, Licensed under MIT License ***/ +{ "SourceDefenseLocation", set_source_defense_location, NULL, OR_ALL, TAKE1, + "Source defense, redirect here in case the handler isn't available." }, +/**** END PATCH: "source defense" ***/ #ifdef GPROF { "GprofDir", set_gprof_dir, NULL, RSRC_CONF, TAKE1, "Directory to plop gmon.out files" }, 
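Review bot: `set_source_defense_location` only stores into the config of the scope where the directive appears; nothing in this diff touches `merge_core_dir_configs`, so whether a `SourceDefenseLocation` set in a parent `<Directory>` reaches a child's merged config, or a child's value overrides the parent's, depends on that merge function (not visible here) — if it does not handle the new field, add `if (new->source_defense_location) conf->source_defense_location = new->source_defense_location;` alongside the other per-field merges. Keeping `arg` by pointer is consistent with how other core directives retain their pool-allocated argument, so no copy is needed. The closing marker reads `END PACH: source defense` where the other hunks use `END PATCH: "source defense"`.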
@@ -4169,6 +4180,45 @@ static int default_handler(request_rec *r) return errstatus; } + /**** BEGIN PATCH: "source defense", (c)2007 Brian Shire & Facbeook Inc, Licensed under MIT License ***/ + /* Don't allow source files to be displayed! (final line of defense) */ + { + + /*** Set the default redirect location URL and extensions to filter here: ***/ + char *source_defense_deflocation = "/"; + char *source_defense_exts[] = { "php", + NULL + }; + int i; + + // drop leading */ element (taken from mod_mime.c) + char *fn; + char *ext; + char *filename = ap_pstrdup(r->pool, r->filename); + core_dir_config *conf = (core_dir_config *)ap_get_module_config(r->per_dir_config, &core_module); + fn = strrchr(filename, '/'); + if(fn == NULL) + fn = filename; + else + ++fn; + ap_getword(r->pool, (const char**)&filename, '.'); // part of . + ext = ap_getword(r->pool, (const char**)&filename, '.'); + + for(i=0; source_defense_exts[i]; i++) { + if(!strcasecmp(ext, source_defense_exts[i])) { + ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r, "Server misconfigured and attempting to display source code! Redirecting request. (%s)", r->filename); + if(conf->source_defense_location) { + ap_table_setn(r->headers_out, "Location", conf->source_defense_location); + } else { + ap_table_setn(r->headers_out, "Location", source_defense_deflocation); + } + return REDIRECT; + } + } + + } + /**** END PATCH: "source defense" ***/ + #ifdef USE_MMAP_FILES ap_block_alarms(); if ((r->finfo.st_size >= MMAP_THRESHOLD)
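Review bot: The extension check walks `filename` (the full `r->filename` path) rather than the basename pointer `fn` computed two lines earlier and never used, so the two `ap_getword` calls split on the first two dots of the whole path; a DocumentRoot whose directory names contain a '.' (constructed example: `/var/www/example.com/index.php` yields `ext` = `com/index`) defeats the test and the file is served as source, and since only one segment is compared, `foo.inc.php` is missed as well. Walk `fn` and compare every segment after the first '.', as mod_mime's loop does; the rewrite below also drops the `ap_pstrdup` copy, since `ap_getword` only advances the cursor and never writes to the string. The `//` comments are C99 while the surrounding 1.3 tree is written as C89, so `/* */` is safer, and `conf` looks like a duplicate of the per-dir core config that default_handler already fetches near its top (outside the hunk) — confirm and reuse it if so. default_handler starts and ends outside this hunk.
```c
        /* … unchanged: source_defense_deflocation, source_defense_exts, i, conf … */
        const char *fn = strrchr(r->filename, '/');
        fn = fn ? fn + 1 : r->filename;   /* basename only: dots in directory names must not count */
        ap_getword(r->pool, &fn, '.');    /* skip the part before the first '.' */
        while (*fn) {                     /* test every remaining segment, as mod_mime does */
            const char *ext = ap_getword(r->pool, &fn, '.');
            for (i = 0; source_defense_exts[i]; i++) {
                if (*ext && !strcasecmp(ext, source_defense_exts[i])) {
                    /* … unchanged: ap_log_rerror, Location header, return REDIRECT … */
                }
            }
        }
```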