漏洞成因
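Apache HTTP Server 2.4.49 版本使用的 ap_normalize_path 函数在对路径参数进行规范化时,会先进行 URL 解码,然后判断是否存在 ../ 路径穿越符。需要注意的是,从下面的代码可以看到,解码只在设置了 AP_NORMALIZE_DECODE_UNRESERVED 标志时作用于当前读取位置 path[l] 的字符(且仅限非保留字符),而对 ../ 的判断会直接读取其后尚未解码的 path[l + 1]、path[l + 2],因此检查并不是在一份完整解码后的路径上进行的。代码如下所示: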
while (path[l] != '\0') { if ((flags & AP_NORMALIZE_DECODE_UNRESERVED) && path[l] == '%' && apr_isxdigit(path[l + 1]) && apr_isxdigit(path[l + 2])) { const char c = x2c(&path[l + 1]); if (apr_isalnum(c) || (c && strchr("-._~", c))) { /* Replace last char and fall through as the current * read position */ l += 2; path[l] = c; } } ...... if (w == 0 || IS_SLASH(path[w - 1])) { /* Collapse / sequences to / */ if ((flags & AP_NORMALIZE_MERGE_SLASHES) && IS_SLASH(path[l])) { do { l++; } while (IS_SLASH(path[l])); continue; } if (path[l] == '.') { /* Remove /./ segments */ if (IS_SLASH_OR_NUL(path[l + 1])) { l++; if (path[l]) { l++; } continue; } /* Remove /xx/../ segments */ if (path[l + 1] == '.' && IS_SLASH_OR_NUL(path[l + 2])) { /* Wind w back to remove the previous segment */ if (w > 1) { do { w--