Backport of upstream fix for CVE-2022-29718

0001-Disable-commands-that-can-alter-the-binary.patch

@@ -1,7 +1,7 @@
 From 7bf03a1414b1ebc1a9ef573369fe8e7ee9956a33 Mon Sep 17 00:00:00 2001
 From: Carl George <carl@george.computer>
 Date: Wed, 16 Feb 2022 11:45:03 -0600
-Subject: [PATCH] Disable commands that can alter the binary
+Subject: [PATCH 1/2] Disable commands that can alter the binary
 
 ---
  cmd/commands.go | 48 ------------------------------------------------
@@ -67,5 +67,5 @@ index 1e2c40de..cc091bce 100644
  
  // RegisterCommand registers the command cmd.
 -- 
-2.35.1
+2.39.2
 

0002-caddyhttp-Fix-MatchPath-sanitizing-4499.patch

@@ -0,0 +1,43 @@
+From 7681fd2370d3b36e2839717fce59e6e6a9d5d00a Mon Sep 17 00:00:00 2001
+From: Francis Lavoie <lavofr@gmail.com>
+Date: Thu, 30 Dec 2021 04:15:48 -0500
+Subject: [PATCH 2/2] caddyhttp: Fix `MatchPath` sanitizing (#4499)
+
+This is a followup to #4407, in response to a report on the forums: https://caddy.community/t/php-fastcgi-phishing-redirection/14542
+
+Turns out that doing `TrimRight` to remove trailing dots, _before_ cleaning the path, will cause double-dots at the end of the path to not be cleaned away as they should. We should instead remove the dots _after_ cleaning.
+---
+ modules/caddyhttp/matchers.go | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/modules/caddyhttp/matchers.go b/modules/caddyhttp/matchers.go
+index 439c4073..272c9242 100644
+--- a/modules/caddyhttp/matchers.go
++++ b/modules/caddyhttp/matchers.go
+@@ -325,6 +325,11 @@ func (m MatchPath) Match(r *http.Request) bool {
+ 
+ 	lowerPath := strings.ToLower(unescapedPath)
+ 
++	// Clean the path, merges doubled slashes, etc.
++	// This ensures maliciously crafted requests can't bypass
++	// the path matcher. See #4407
++	lowerPath = path.Clean(lowerPath)
++
+ 	// see #2917; Windows ignores trailing dots and spaces
+ 	// when accessing files (sigh), potentially causing a
+ 	// security risk (cry) if PHP files end up being served
+@@ -332,11 +337,6 @@ func (m MatchPath) Match(r *http.Request) bool {
+ 	// being matched by *.php to be treated as PHP scripts
+ 	lowerPath = strings.TrimRight(lowerPath, ". ")
+ 
+-	// Clean the path, merges doubled slashes, etc.
+-	// This ensures maliciously crafted requests can't bypass
+-	// the path matcher. See #4407
+-	lowerPath = path.Clean(lowerPath)
+-
+ 	// Cleaning may remove the trailing slash, but we want to keep it
+ 	if lowerPath != "/" && strings.HasSuffix(r.URL.Path, "/") {
+ 		lowerPath = lowerPath + "/"
+-- 
+2.39.2
+

caddy.spec

@@ -17,7 +17,7 @@ Version:                %{basever}%{?prerel:~%{prerel}%{prerelnum}}
 Caddy is the web server with automatic HTTPS.}
 
 Name:           caddy
-Release:        4%{?dist}
+Release:        6%{?dist}
 Summary:        Web server with automatic HTTPS
 %if %{with vendor}
 # github.com/caddyserver/caddy ASL 2.0
@@ -80,6 +80,9 @@ Source7:        zsh-completion
 
 # downstream only patch to disable commands that can alter the binary
 Patch:          0001-Disable-commands-that-can-alter-the-binary.patch
+# backport of upstream fix for CVE-2022-29718
+# https://github.com/caddyserver/caddy/pull/4499
+Patch:          0002-caddyhttp-Fix-MatchPath-sanitizing-4499.patch
 
 # https://github.com/caddyserver/caddy/commit/6bc87ea2ff50a962f16dfafeb125f0f947c1a885
 BuildRequires:  golang >= 1.16
@@ -295,6 +298,12 @@ fi
 
 
 %changelog
+* Wed Mar 01 2023 Carl George <carl@george.computer> - 2.4.6-6
+- Backport of upstream fix for CVE-2022-29718
+
+* Tue Jan 24 2023 Carl George <carl@george.computer> - 2.4.6-5
+- Rebuild for CVE-2022-41717 in golang
+
 * Tue Jul 19 2022 Maxwell G <gotmax@e.email> - 2.4.6-4
 - Rebuild for CVE-2022-{1705,32148,30631,30633,28131,30635,30632,30630,1962} in
   golang