diff --git a/backport-001-CVE-2021-44224.patch b/backport-001-CVE-2021-44224.patch deleted file mode 100644 index 65c1e92..0000000 --- a/backport-001-CVE-2021-44224.patch +++ /dev/null @@ -1,275 +0,0 @@ -From a962ba73047b5478d702c8ad09fd1a167e1d3736 Mon Sep 17 00:00:00 2001 -From: Yann Ylavic -Date: Tue, 14 Dec 2021 15:35:56 +0000 -Subject: [PATCH] Merge r1895914, r1895921 from trunk: - - *) http: Enforce that fully qualified uri-paths not to be forward-proxied - have an http(s) scheme, and that the ones to be forward proxied have a - hostname, per HTTP specifications. - trunk patch: http://svn.apache.org/r1895914 - http://svn.apache.org/r1895921 - 2.4.x patch: https://patch-diff.githubusercontent.com/raw/apache/httpd/pull/286.patch - backport PR: https://github.com/apache/httpd/pull/286 - +1: ylavic, minfrin, gbechis - - -mod_proxy: Detect unix: scheme syntax errors at load time. - -* modules/proxy/mod_proxy.c(add_pass, add_member, set_proxy_param, - proxysection): - Check return value of ap_proxy_de_socketfy(). - -* modules/proxy/proxy_util.c(ap_proxy_get_worker_ex): - Check return value of ap_proxy_de_socketfy(). - - - -http: Enforce that fully qualified uri-paths not to be forward-proxied - have an http(s) scheme, and that the ones to be forward proxied have a - hostname, per HTTP specifications. - -The early checks avoid failing the request later on and thus save cycles -for those invalid cases. - - -Submitted by: ylavic -Reviewed by: ylavic, minfrin, gbechis -Closes #286 - - -git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1895955 13f79535-47bb-0310-9956-ffa450edef68 ---- - include/ap_mmn.h | 3 ++- - include/http_protocol.h | 7 ++++++ - modules/http/http_request.c | 2 +- - modules/http2/h2_request.c | 2 +- - modules/proxy/mod_proxy.c | 44 ++++++++++++++++++++++++++----------- - modules/proxy/proxy_util.c | 3 +++ - server/protocol.c | 23 ++++++++++++++++++- - 7 files changed, 71 insertions(+), 17 deletions(-) - -diff --git a/include/ap_mmn.h b/include/ap_mmn.h -index fe24261ee87..90ff1a86a6f 100644 ---- a/include/ap_mmn.h -+++ b/include/ap_mmn.h -@@ -586,6 +586,7 @@ - * 20120211.117 (2.4.50-dev) Add ap_pre_connection - * 20120211.118 (2.4.51-dev) Add ap_unescape_url_ex() and deprecate - * AP_NORMALIZE_DROP_PARAMETERS -+ * 20120211.121 (2.4.51-dev) Add ap_post_read_request() - * - */ - -diff --git a/include/http_protocol.h b/include/http_protocol.h -index 9ccac893fcb..20bd2022266 100644 ---- a/include/http_protocol.h -+++ b/include/http_protocol.h -@@ -96,6 +96,13 @@ AP_DECLARE(void) ap_get_mime_headers(request_rec *r); - AP_DECLARE(void) ap_get_mime_headers_core(request_rec *r, - apr_bucket_brigade *bb); - -+/** -+ * Run post_read_request hook and validate. -+ * @param r The current request -+ * @return OK or HTTP_... -+ */ -+AP_DECLARE(int) ap_post_read_request(request_rec *r); -+ - /* Finish up stuff after a request */ - - /** -diff --git a/modules/http/http_request.c b/modules/http/http_request.c -index c9ae5af2864..d59cfe25999 100644 ---- a/modules/http/http_request.c -+++ b/modules/http/http_request.c -@@ -680,7 +680,7 @@ static request_rec *internal_internal_redirect(const char *new_uri, - * to do their thing on internal redirects as well. Perhaps this is a - * misnamed function. - */ -- if ((access_status = ap_run_post_read_request(new))) { -+ if ((access_status = ap_post_read_request(new))) { - ap_die(access_status, new); - return NULL; - } -diff --git a/modules/http2/h2_request.c b/modules/http2/h2_request.c -index 7c4fb95ea48..9ff6feb675f 100644 ---- a/modules/http2/h2_request.c -+++ b/modules/http2/h2_request.c -@@ -370,7 +370,7 @@ request_rec *h2_request_create_rec(const h2_request *req, conn_rec *c) - ap_add_input_filter_handle(ap_http_input_filter_handle, - NULL, r, r->connection); - -- if ((access_status = ap_run_post_read_request(r))) { -+ if ((access_status = ap_post_read_request(r))) { - /* Request check post hooks failed. An example of this would be a - * request for a vhost where h2 is disabled --> 421. - */ -diff --git a/modules/proxy/mod_proxy.c b/modules/proxy/mod_proxy.c -index 3fb84c85935..85d7ce2e6c1 100644 ---- a/modules/proxy/mod_proxy.c -+++ b/modules/proxy/mod_proxy.c -@@ -775,13 +775,13 @@ static int proxy_detect(request_rec *r) - - /* Ick... msvc (perhaps others) promotes ternary short results to int */ - -- if (conf->req && r->parsed_uri.scheme) { -+ if (conf->req && r->parsed_uri.scheme && r->parsed_uri.hostname) { - /* but it might be something vhosted */ -- if (!(r->parsed_uri.hostname -- && !ap_cstr_casecmp(r->parsed_uri.scheme, ap_http_scheme(r)) -- && ap_matches_request_vhost(r, r->parsed_uri.hostname, -- (apr_port_t)(r->parsed_uri.port_str ? r->parsed_uri.port -- : ap_default_port(r))))) { -+ if (ap_cstr_casecmp(r->parsed_uri.scheme, ap_http_scheme(r)) != 0 -+ || !ap_matches_request_vhost(r, r->parsed_uri.hostname, -+ (apr_port_t)(r->parsed_uri.port_str -+ ? r->parsed_uri.port -+ : ap_default_port(r)))) { - r->proxyreq = PROXYREQ_PROXY; - r->uri = r->unparsed_uri; - r->filename = apr_pstrcat(r->pool, "proxy:", r->uri, NULL); -@@ -2007,6 +2007,7 @@ static const char * - struct proxy_alias *new; - char *f = cmd->path; - char *r = NULL; -+ const char *real; - char *word; - apr_table_t *params = apr_table_make(cmd->pool, 5); - const apr_array_header_t *arr; -@@ -2093,6 +2094,10 @@ static const char * - if (r == NULL) { - return "ProxyPass|ProxyPassMatch needs a path when not defined in a location"; - } -+ if (!(real = ap_proxy_de_socketfy(cmd->temp_pool, r))) { -+ return "ProxyPass|ProxyPassMatch uses an invalid \"unix:\" URL"; -+ } -+ - - /* if per directory, save away the single alias */ - if (cmd->path) { -@@ -2109,7 +2114,7 @@ static const char * - } - - new->fake = apr_pstrdup(cmd->pool, f); -- new->real = apr_pstrdup(cmd->pool, ap_proxy_de_socketfy(cmd->pool, r)); -+ new->real = apr_pstrdup(cmd->pool, real); - new->flags = flags; - if (worker_type & AP_PROXY_WORKER_IS_MATCH) { - new->regex = ap_pregcomp(cmd->pool, f, AP_REG_EXTENDED); -@@ -2635,6 +2640,7 @@ static const char *add_member(cmd_parms *cmd, void *dummy, const char *arg) - proxy_worker *worker; - char *path = cmd->path; - char *name = NULL; -+ const char *real; - char *word; - apr_table_t *params = apr_table_make(cmd->pool, 5); - const apr_array_header_t *arr; -@@ -2675,6 +2681,9 @@ static const char *add_member(cmd_parms *cmd, void *dummy, const char *arg) - return "BalancerMember must define balancer name when outside section"; - if (!name) - return "BalancerMember must define remote proxy server"; -+ if (!(real = ap_proxy_de_socketfy(cmd->temp_pool, name))) { -+ return "BalancerMember uses an invalid \"unix:\" URL"; -+ } - - ap_str_tolower(path); /* lowercase scheme://hostname */ - -@@ -2687,8 +2696,7 @@ static const char *add_member(cmd_parms *cmd, void *dummy, const char *arg) - } - - /* Try to find existing worker */ -- worker = ap_proxy_get_worker(cmd->temp_pool, balancer, conf, -- ap_proxy_de_socketfy(cmd->temp_pool, name)); -+ worker = ap_proxy_get_worker(cmd->temp_pool, balancer, conf, real); - if (!worker) { - ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, cmd->server, APLOGNO(01147) - "Defining worker '%s' for balancer '%s'", -@@ -2785,9 +2793,14 @@ static const char * - } - } - else { -+ const char *real; -+ -+ if (!(real = ap_proxy_de_socketfy(cmd->temp_pool, name))) { -+ return "ProxySet uses an invalid \"unix:\" URL"; -+ } -+ - worker = ap_proxy_get_worker_ex(cmd->temp_pool, NULL, conf, -- ap_proxy_de_socketfy(cmd->temp_pool, name), -- worker_type); -+ real, worker_type); - if (!worker) { - if (in_proxy_section) { - err = ap_proxy_define_worker_ex(cmd->pool, &worker, NULL, -@@ -2930,9 +2943,14 @@ static const char *proxysection(cmd_parms *cmd, void *mconfig, const char *arg) - } - } - else { -+ const char *real; -+ -+ if (!(real = ap_proxy_de_socketfy(cmd->temp_pool, conf->p))) { -+ return " uses an invalid \"unix:\" URL"; -+ } -+ - worker = ap_proxy_get_worker_ex(cmd->temp_pool, NULL, sconf, -- ap_proxy_de_socketfy(cmd->temp_pool, conf->p), -- worker_type); -+ real, worker_type); - if (!worker) { - err = ap_proxy_define_worker_ex(cmd->pool, &worker, NULL, sconf, - conf->p, worker_type); -diff --git a/modules/proxy/proxy_util.c b/modules/proxy/proxy_util.c -index a3cf5460487..b4f6dcfadc6 100644 ---- a/modules/proxy/proxy_util.c -+++ b/modules/proxy/proxy_util.c -@@ -1742,6 +1742,9 @@ PROXY_DECLARE(proxy_worker *) ap_proxy_get_worker_ex(apr_pool_t *p, - } - - url = ap_proxy_de_socketfy(p, url); -+ if (!url) { -+ return NULL; -+ } - - c = ap_strchr_c(url, ':'); - if (c == NULL || c[1] != '/' || c[2] != '/' || c[3] == '\0') { -diff --git a/server/protocol.c b/server/protocol.c -index 3d74c5b3058..2214f72b5a4 100644 ---- a/server/protocol.c -+++ b/server/protocol.c -@@ -1548,7 +1548,7 @@ request_rec *ap_read_request(conn_rec *conn) - /* we may have switched to another server */ - apply_server_config(r); - -- if ((access_status = ap_run_post_read_request(r))) { -+ if ((access_status = ap_post_read_request(r))) { - goto die; - } - -@@ -1603,6 +1603,27 @@ request_rec *ap_read_request(conn_rec *conn) - return NULL; - } - -+AP_DECLARE(int) ap_post_read_request(request_rec *r) -+{ -+ int status; -+ -+ if ((status = ap_run_post_read_request(r))) { -+ return status; -+ } -+ -+ /* Enforce http(s) only scheme for non-forward-proxy requests */ -+ if (!r->proxyreq -+ && r->parsed_uri.scheme -+ && (ap_cstr_casecmpn(r->parsed_uri.scheme, "http", 4) != 0 -+ || (r->parsed_uri.scheme[4] != '\0' -+ && (apr_tolower(r->parsed_uri.scheme[4]) != 's' -+ || r->parsed_uri.scheme[5] != '\0')))) { -+ return HTTP_BAD_REQUEST; -+ } -+ -+ return OK; -+} -+ - /* if a request with a body creates a subrequest, remove original request's - * input headers which pertain to the body which has already been read. - * out-of-line helper function for ap_set_sub_req_protocol. diff --git a/backport-001-CVE-2022-23943.patch b/backport-001-CVE-2022-23943.patch deleted file mode 100644 index 5556e8b..0000000 --- a/backport-001-CVE-2022-23943.patch +++ /dev/null @@ -1,358 +0,0 @@ -From 943f57b336f264d77e5b780c82ab73daf3d14deb Mon Sep 17 00:00:00 2001 -From: Yann Ylavic -Date: Mon, 7 Mar 2022 14:52:42 +0000 -Subject: [PATCH] mod_sed: use size_t to allow for larger buffer sizes and - unsigned arithmetics. - -Let's switch to apr_size_t buffers and get rid of the ints. - - -Merge r1898690 from trunk. -Submitted by: rpluem -Reviewed by: rpluem, covener, ylavic - - -git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1898695 13f79535-47bb-0310-9956-ffa450edef68 ---- - modules/filters/libsed.h | 12 +++--- - modules/filters/mod_sed.c | 10 ++--- - modules/filters/sed1.c | 79 +++++++++++++++++++++++---------------- - 3 files changed, 58 insertions(+), 43 deletions(-) - -diff --git a/modules/filters/libsed.h b/modules/filters/libsed.h -index 76cbc0ce8ad..0256b1ea831 100644 ---- a/modules/filters/libsed.h -+++ b/modules/filters/libsed.h -@@ -60,7 +60,7 @@ struct sed_label_s { - }; - - typedef apr_status_t (sed_err_fn_t)(void *data, const char *error); --typedef apr_status_t (sed_write_fn_t)(void *ctx, char *buf, int sz); -+typedef apr_status_t (sed_write_fn_t)(void *ctx, char *buf, apr_size_t sz); - - typedef struct sed_commands_s sed_commands_t; - #define NWFILES 11 /* 10 plus one for standard output */ -@@ -69,7 +69,7 @@ struct sed_commands_s { - sed_err_fn_t *errfn; - void *data; - -- unsigned lsize; -+ apr_size_t lsize; - char *linebuf; - char *lbend; - const char *saveq; -@@ -116,15 +116,15 @@ struct sed_eval_s { - apr_int64_t lnum; - void *fout; - -- unsigned lsize; -+ apr_size_t lsize; - char *linebuf; - char *lspend; - -- unsigned hsize; -+ apr_size_t hsize; - char *holdbuf; - char *hspend; - -- unsigned gsize; -+ apr_size_t gsize; - char *genbuf; - char *lcomend; - -@@ -160,7 +160,7 @@ apr_status_t sed_init_eval(sed_eval_t *eval, sed_commands_t *commands, - sed_err_fn_t *errfn, void *data, - sed_write_fn_t *writefn, apr_pool_t *p); - apr_status_t sed_reset_eval(sed_eval_t *eval, sed_commands_t *commands, sed_err_fn_t *errfn, void *data); --apr_status_t sed_eval_buffer(sed_eval_t *eval, const char *buf, int bufsz, void *fout); -+apr_status_t sed_eval_buffer(sed_eval_t *eval, const char *buf, apr_size_t bufsz, void *fout); - apr_status_t sed_eval_file(sed_eval_t *eval, apr_file_t *fin, void *fout); - apr_status_t sed_finalize_eval(sed_eval_t *eval, void *f); - void sed_destroy_eval(sed_eval_t *eval); -diff --git a/modules/filters/mod_sed.c b/modules/filters/mod_sed.c -index 9b408029a86..7092dd5e7f1 100644 ---- a/modules/filters/mod_sed.c -+++ b/modules/filters/mod_sed.c -@@ -51,7 +51,7 @@ typedef struct sed_filter_ctxt - apr_bucket_brigade *bbinp; - char *outbuf; - char *curoutbuf; -- int bufsize; -+ apr_size_t bufsize; - apr_pool_t *tpool; - int numbuckets; - } sed_filter_ctxt; -@@ -100,7 +100,7 @@ static void alloc_outbuf(sed_filter_ctxt* ctx) - /* append_bucket - * Allocate a new bucket from buf and sz and append to ctx->bb - */ --static apr_status_t append_bucket(sed_filter_ctxt* ctx, char* buf, int sz) -+static apr_status_t append_bucket(sed_filter_ctxt* ctx, char* buf, apr_size_t sz) - { - apr_status_t status = APR_SUCCESS; - apr_bucket *b; -@@ -133,7 +133,7 @@ static apr_status_t append_bucket(sed_filter_ctxt* ctx, char* buf, int sz) - */ - static apr_status_t flush_output_buffer(sed_filter_ctxt *ctx) - { -- int size = ctx->curoutbuf - ctx->outbuf; -+ apr_size_t size = ctx->curoutbuf - ctx->outbuf; - char *out; - apr_status_t status = APR_SUCCESS; - if ((ctx->outbuf == NULL) || (size <=0)) -@@ -147,12 +147,12 @@ static apr_status_t flush_output_buffer(sed_filter_ctxt *ctx) - /* This is a call back function. When libsed wants to generate the output, - * this function will be invoked. - */ --static apr_status_t sed_write_output(void *dummy, char *buf, int sz) -+static apr_status_t sed_write_output(void *dummy, char *buf, apr_size_t sz) - { - /* dummy is basically filter context. Context is passed during invocation - * of sed_eval_buffer - */ -- int remainbytes = 0; -+ apr_size_t remainbytes = 0; - apr_status_t status = APR_SUCCESS; - sed_filter_ctxt *ctx = (sed_filter_ctxt *) dummy; - if (ctx->outbuf == NULL) { -diff --git a/modules/filters/sed1.c b/modules/filters/sed1.c -index be035067885..67a8d06515e 100644 ---- a/modules/filters/sed1.c -+++ b/modules/filters/sed1.c -@@ -71,7 +71,7 @@ static apr_status_t dosub(sed_eval_t *eval, char *rhsbuf, int n, - static char *place(sed_eval_t *eval, char *asp, char *al1, char *al2); - static apr_status_t command(sed_eval_t *eval, sed_reptr_t *ipc, - step_vars_storage *step_vars); --static apr_status_t wline(sed_eval_t *eval, char *buf, int sz); -+static apr_status_t wline(sed_eval_t *eval, char *buf, apr_size_t sz); - static apr_status_t arout(sed_eval_t *eval); - - static void eval_errf(sed_eval_t *eval, const char *fmt, ...) -@@ -92,11 +92,11 @@ static void eval_errf(sed_eval_t *eval, const char *fmt, ...) - * grow_buffer - */ - static void grow_buffer(apr_pool_t *pool, char **buffer, -- char **spend, unsigned int *cursize, -- unsigned int newsize) -+ char **spend, apr_size_t *cursize, -+ apr_size_t newsize) - { - char* newbuffer = NULL; -- int spendsize = 0; -+ apr_size_t spendsize = 0; - if (*cursize >= newsize) - return; - /* Avoid number of times realloc is called. It could cause huge memory -@@ -124,7 +124,7 @@ static void grow_buffer(apr_pool_t *pool, char **buffer, - /* - * grow_line_buffer - */ --static void grow_line_buffer(sed_eval_t *eval, int newsize) -+static void grow_line_buffer(sed_eval_t *eval, apr_size_t newsize) - { - grow_buffer(eval->pool, &eval->linebuf, &eval->lspend, - &eval->lsize, newsize); -@@ -133,7 +133,7 @@ static void grow_line_buffer(sed_eval_t *eval, int newsize) - /* - * grow_hold_buffer - */ --static void grow_hold_buffer(sed_eval_t *eval, int newsize) -+static void grow_hold_buffer(sed_eval_t *eval, apr_size_t newsize) - { - grow_buffer(eval->pool, &eval->holdbuf, &eval->hspend, - &eval->hsize, newsize); -@@ -142,7 +142,7 @@ static void grow_hold_buffer(sed_eval_t *eval, int newsize) - /* - * grow_gen_buffer - */ --static void grow_gen_buffer(sed_eval_t *eval, int newsize, -+static void grow_gen_buffer(sed_eval_t *eval, apr_size_t newsize, - char **gspend) - { - if (gspend == NULL) { -@@ -156,9 +156,9 @@ static void grow_gen_buffer(sed_eval_t *eval, int newsize, - /* - * appendmem_to_linebuf - */ --static void appendmem_to_linebuf(sed_eval_t *eval, const char* sz, int len) -+static void appendmem_to_linebuf(sed_eval_t *eval, const char* sz, apr_size_t len) - { -- unsigned int reqsize = (eval->lspend - eval->linebuf) + len; -+ apr_size_t reqsize = (eval->lspend - eval->linebuf) + len; - if (eval->lsize < reqsize) { - grow_line_buffer(eval, reqsize); - } -@@ -169,21 +169,36 @@ static void appendmem_to_linebuf(sed_eval_t *eval, const char* sz, int len) - /* - * append_to_linebuf - */ --static void append_to_linebuf(sed_eval_t *eval, const char* sz) -+static void append_to_linebuf(sed_eval_t *eval, const char* sz, -+ step_vars_storage *step_vars) - { -- int len = strlen(sz); -+ apr_size_t len = strlen(sz); -+ char *old_linebuf = eval->linebuf; - /* Copy string including null character */ - appendmem_to_linebuf(eval, sz, len + 1); - --eval->lspend; /* lspend will now point to NULL character */ -+ /* Sync step_vars after a possible linebuf expansion */ -+ if (step_vars && old_linebuf != eval->linebuf) { -+ if (step_vars->loc1) { -+ step_vars->loc1 = step_vars->loc1 - old_linebuf + eval->linebuf; -+ } -+ if (step_vars->loc2) { -+ step_vars->loc2 = step_vars->loc2 - old_linebuf + eval->linebuf; -+ } -+ if (step_vars->locs) { -+ step_vars->locs = step_vars->locs - old_linebuf + eval->linebuf; -+ } -+ } - } - - /* - * copy_to_linebuf - */ --static void copy_to_linebuf(sed_eval_t *eval, const char* sz) -+static void copy_to_linebuf(sed_eval_t *eval, const char* sz, -+ step_vars_storage *step_vars) - { - eval->lspend = eval->linebuf; -- append_to_linebuf(eval, sz); -+ append_to_linebuf(eval, sz, step_vars); - } - - /* -@@ -191,8 +206,8 @@ static void copy_to_linebuf(sed_eval_t *eval, const char* sz) - */ - static void append_to_holdbuf(sed_eval_t *eval, const char* sz) - { -- int len = strlen(sz); -- unsigned int reqsize = (eval->hspend - eval->holdbuf) + len + 1; -+ apr_size_t len = strlen(sz); -+ apr_size_t reqsize = (eval->hspend - eval->holdbuf) + len + 1; - if (eval->hsize <= reqsize) { - grow_hold_buffer(eval, reqsize); - } -@@ -215,8 +230,8 @@ static void copy_to_holdbuf(sed_eval_t *eval, const char* sz) - */ - static void append_to_genbuf(sed_eval_t *eval, const char* sz, char **gspend) - { -- int len = strlen(sz); -- unsigned int reqsize = (*gspend - eval->genbuf) + len + 1; -+ apr_size_t len = strlen(sz); -+ apr_size_t reqsize = (*gspend - eval->genbuf) + len + 1; - if (eval->gsize < reqsize) { - grow_gen_buffer(eval, reqsize, gspend); - } -@@ -230,8 +245,8 @@ static void append_to_genbuf(sed_eval_t *eval, const char* sz, char **gspend) - */ - static void copy_to_genbuf(sed_eval_t *eval, const char* sz) - { -- int len = strlen(sz); -- unsigned int reqsize = len + 1; -+ apr_size_t len = strlen(sz); -+ apr_size_t reqsize = len + 1; - if (eval->gsize < reqsize) { - grow_gen_buffer(eval, reqsize, NULL); - } -@@ -353,7 +368,7 @@ apr_status_t sed_eval_file(sed_eval_t *eval, apr_file_t *fin, void *fout) - /* - * sed_eval_buffer - */ --apr_status_t sed_eval_buffer(sed_eval_t *eval, const char *buf, int bufsz, void *fout) -+apr_status_t sed_eval_buffer(sed_eval_t *eval, const char *buf, apr_size_t bufsz, void *fout) - { - apr_status_t rv; - -@@ -383,7 +398,7 @@ apr_status_t sed_eval_buffer(sed_eval_t *eval, const char *buf, int bufsz, void - - while (bufsz) { - char *n; -- int llen; -+ apr_size_t llen; - - n = memchr(buf, '\n', bufsz); - if (n == NULL) -@@ -442,7 +457,7 @@ apr_status_t sed_finalize_eval(sed_eval_t *eval, void *fout) - * buffer is not a newline. - */ - /* Assure space for NULL */ -- append_to_linebuf(eval, ""); -+ append_to_linebuf(eval, "", NULL); - } - - *eval->lspend = '\0'; -@@ -666,7 +681,7 @@ static apr_status_t dosub(sed_eval_t *eval, char *rhsbuf, int n, - lp = step_vars->loc2; - step_vars->loc2 = sp - eval->genbuf + eval->linebuf; - append_to_genbuf(eval, lp, &sp); -- copy_to_linebuf(eval, eval->genbuf); -+ copy_to_linebuf(eval, eval->genbuf, step_vars); - return rv; - } - -@@ -676,8 +691,8 @@ static apr_status_t dosub(sed_eval_t *eval, char *rhsbuf, int n, - static char *place(sed_eval_t *eval, char *asp, char *al1, char *al2) - { - char *sp = asp; -- int n = al2 - al1; -- unsigned int reqsize = (sp - eval->genbuf) + n + 1; -+ apr_size_t n = al2 - al1; -+ apr_size_t reqsize = (sp - eval->genbuf) + n + 1; - - if (eval->gsize < reqsize) { - grow_gen_buffer(eval, reqsize, &sp); -@@ -735,7 +750,7 @@ static apr_status_t command(sed_eval_t *eval, sed_reptr_t *ipc, - } - - p1++; -- copy_to_linebuf(eval, p1); -+ copy_to_linebuf(eval, p1, step_vars); - eval->jflag++; - break; - -@@ -745,12 +760,12 @@ static apr_status_t command(sed_eval_t *eval, sed_reptr_t *ipc, - break; - - case GCOM: -- copy_to_linebuf(eval, eval->holdbuf); -+ copy_to_linebuf(eval, eval->holdbuf, step_vars); - break; - - case CGCOM: -- append_to_linebuf(eval, "\n"); -- append_to_linebuf(eval, eval->holdbuf); -+ append_to_linebuf(eval, "\n", step_vars); -+ append_to_linebuf(eval, eval->holdbuf, step_vars); - break; - - case HCOM: -@@ -881,7 +896,7 @@ static apr_status_t command(sed_eval_t *eval, sed_reptr_t *ipc, - if (rv != APR_SUCCESS) - return rv; - } -- append_to_linebuf(eval, "\n"); -+ append_to_linebuf(eval, "\n", step_vars); - eval->pending = ipc->next; - break; - -@@ -956,7 +971,7 @@ static apr_status_t command(sed_eval_t *eval, sed_reptr_t *ipc, - - case XCOM: - copy_to_genbuf(eval, eval->linebuf); -- copy_to_linebuf(eval, eval->holdbuf); -+ copy_to_linebuf(eval, eval->holdbuf, step_vars); - copy_to_holdbuf(eval, eval->genbuf); - break; - -@@ -1013,7 +1028,7 @@ static apr_status_t arout(sed_eval_t *eval) - /* - * wline - */ --static apr_status_t wline(sed_eval_t *eval, char *buf, int sz) -+static apr_status_t wline(sed_eval_t *eval, char *buf, apr_size_t sz) - { - apr_status_t rv = APR_SUCCESS; - rv = eval->writefn(eval->fout, buf, sz); - diff --git a/backport-002-CVE-2021-44224.patch b/backport-002-CVE-2021-44224.patch deleted file mode 100644 index e815bbb..0000000 --- a/backport-002-CVE-2021-44224.patch +++ /dev/null @@ -1,104 +0,0 @@ -From a0521d289ae14e4ac004811dc1ef91b3e118a2f6 Mon Sep 17 00:00:00 2001 -From: Stefan Eissing -Date: Thu, 16 Dec 2021 11:23:49 +0000 -Subject: [PATCH] Merge of r1895981,r1895986 from trunk: - - *) mod_proxy: Don't prevent forwarding URIs w/ no hostname. - (fix for r1895955 already in 2.4.x) - - - -git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1896044 13f79535-47bb-0310-9956-ffa450edef68 ---- - modules/proxy/mod_proxy.c | 5 +++-- - modules/proxy/mod_proxy.h | 1 + - modules/proxy/proxy_util.c | 22 ++++++++++++---------- - 3 files changed, 16 insertions(+), 12 deletions(-) - -diff --git a/modules/proxy/mod_proxy.c b/modules/proxy/mod_proxy.c -index 85d7ce2e6c1..f8a4db68892 100644 ---- a/modules/proxy/mod_proxy.c -+++ b/modules/proxy/mod_proxy.c -@@ -775,9 +775,10 @@ static int proxy_detect(request_rec *r) - - /* Ick... msvc (perhaps others) promotes ternary short results to int */ - -- if (conf->req && r->parsed_uri.scheme && r->parsed_uri.hostname) { -+ if (conf->req && r->parsed_uri.scheme) { - /* but it might be something vhosted */ -- if (ap_cstr_casecmp(r->parsed_uri.scheme, ap_http_scheme(r)) != 0 -+ if (!r->parsed_uri.hostname -+ || ap_cstr_casecmp(r->parsed_uri.scheme, ap_http_scheme(r)) != 0 - || !ap_matches_request_vhost(r, r->parsed_uri.hostname, - (apr_port_t)(r->parsed_uri.port_str - ? r->parsed_uri.port -diff --git a/modules/proxy/mod_proxy.h b/modules/proxy/mod_proxy.h -index 35acc49a4a3..be5b3a85394 100644 ---- a/modules/proxy/mod_proxy.h -+++ b/modules/proxy/mod_proxy.h -@@ -750,6 +750,7 @@ PROXY_DECLARE(int) ap_proxy_worker_can_upgrade(apr_pool_t *p, - #define AP_PROXY_WORKER_IS_PREFIX (1u << 0) - #define AP_PROXY_WORKER_IS_MATCH (1u << 1) - #define AP_PROXY_WORKER_IS_MALLOCED (1u << 2) -+#define AP_PROXY_WORKER_NO_UDS (1u << 3) - - /** - * Get the worker from proxy configuration, looking for either PREFIXED or -diff --git a/modules/proxy/proxy_util.c b/modules/proxy/proxy_util.c -index b4f6dcfadc6..8cb315d9103 100644 ---- a/modules/proxy/proxy_util.c -+++ b/modules/proxy/proxy_util.c -@@ -1741,9 +1741,11 @@ PROXY_DECLARE(proxy_worker *) ap_proxy_get_worker_ex(apr_pool_t *p, - return NULL; - } - -- url = ap_proxy_de_socketfy(p, url); -- if (!url) { -- return NULL; -+ if (!(mask & AP_PROXY_WORKER_NO_UDS)) { -+ url = ap_proxy_de_socketfy(p, url); -+ if (!url) { -+ return NULL; -+ } - } - - c = ap_strchr_c(url, ':'); -@@ -2326,22 +2328,22 @@ PROXY_DECLARE(int) ap_proxy_pre_request(proxy_worker **worker, - - access_status = proxy_run_pre_request(worker, balancer, r, conf, url); - if (access_status == DECLINED && *balancer == NULL) { -- *worker = ap_proxy_get_worker(r->pool, NULL, conf, *url); -+ const int forward = (r->proxyreq == PROXYREQ_PROXY); -+ *worker = ap_proxy_get_worker_ex(r->pool, NULL, conf, *url, -+ forward ? AP_PROXY_WORKER_NO_UDS : 0); - if (*worker) { - ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r, - "%s: found worker %s for %s", - (*worker)->s->scheme, (*worker)->s->name, *url); -- *balancer = NULL; -- if (!fix_uds_filename(r, url)) { -+ if (!forward && !fix_uds_filename(r, url)) { - return HTTP_INTERNAL_SERVER_ERROR; - } - access_status = OK; - } -- else if (r->proxyreq == PROXYREQ_PROXY) { -+ else if (forward) { - if (conf->forward) { - ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r, - "*: found forward proxy worker for %s", *url); -- *balancer = NULL; - *worker = conf->forward; - access_status = OK; - /* -@@ -2355,8 +2357,8 @@ PROXY_DECLARE(int) ap_proxy_pre_request(proxy_worker **worker, - else if (r->proxyreq == PROXYREQ_REVERSE) { - if (conf->reverse) { - ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r, -- "*: using default reverse proxy worker for %s (no keepalive)", *url); -- *balancer = NULL; -+ "*: using default reverse proxy worker for %s " -+ "(no keepalive)", *url); - *worker = conf->reverse; - access_status = OK; - /* diff --git a/backport-002-CVE-2022-23943.patch b/backport-002-CVE-2022-23943.patch deleted file mode 100644 index 3f4fa11..0000000 --- a/backport-002-CVE-2022-23943.patch +++ /dev/null @@ -1,61 +0,0 @@ -From e266bd09c313a668d7cca17a8b096d189148be49 Mon Sep 17 00:00:00 2001 -From: Ruediger Pluem -Date: Wed, 9 Mar 2022 07:41:40 +0000 -Subject: [PATCH] Merge r1898735 from trunk: - -* Improve the logic flow - -Reviewed by: rpluem, covener, ylavic - - -git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1898772 13f79535-47bb-0310-9956-ffa450edef68 ---- - modules/filters/mod_sed.c | 30 +++++++++++++++++++----------- - 1 file changed, 19 insertions(+), 11 deletions(-) - -diff --git a/modules/filters/mod_sed.c b/modules/filters/mod_sed.c -index 7092dd5e7f1..4bdb4ce33ae 100644 ---- a/modules/filters/mod_sed.c -+++ b/modules/filters/mod_sed.c -@@ -168,21 +168,29 @@ static apr_status_t sed_write_output(void *dummy, char *buf, apr_size_t sz) - } - /* buffer is now full */ - status = append_bucket(ctx, ctx->outbuf, ctx->bufsize); -- /* old buffer is now used so allocate new buffer */ -- alloc_outbuf(ctx); -- /* if size is bigger than the allocated buffer directly add to output -- * brigade */ -- if ((status == APR_SUCCESS) && (sz >= ctx->bufsize)) { -- char* newbuf = apr_pmemdup(ctx->tpool, buf, sz); -- status = append_bucket(ctx, newbuf, sz); -- /* pool might get clear after append_bucket */ -- if (ctx->outbuf == NULL) { -+ if (status == APR_SUCCESS) { -+ /* if size is bigger than the allocated buffer directly add to output -+ * brigade */ -+ if (sz >= ctx->bufsize) { -+ char* newbuf = apr_pmemdup(ctx->tpool, buf, sz); -+ status = append_bucket(ctx, newbuf, sz); -+ if (status == APR_SUCCESS) { -+ /* old buffer is now used so allocate new buffer */ -+ alloc_outbuf(ctx); -+ } -+ else { -+ clear_ctxpool(ctx); -+ } -+ } -+ else { -+ /* old buffer is now used so allocate new buffer */ - alloc_outbuf(ctx); -+ memcpy(ctx->curoutbuf, buf, sz); -+ ctx->curoutbuf += sz; - } - } - else { -- memcpy(ctx->curoutbuf, buf, sz); -- ctx->curoutbuf += sz; -+ clear_ctxpool(ctx); - } - } - else { - diff --git a/backport-CVE-2021-44790.patch b/backport-CVE-2021-44790.patch deleted file mode 100644 index 46f715c..0000000 --- a/backport-CVE-2021-44790.patch +++ /dev/null @@ -1,26 +0,0 @@ -From 07b9768cef6a224d256358c404c6ed5622d8acce Mon Sep 17 00:00:00 2001 -From: Stefan Eissing -Date: Thu, 16 Dec 2021 11:15:47 +0000 -Subject: [PATCH] Merge r1895970 from trunk: - - *) mod_lua: Improve error handling - - - -git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1896039 13f79535-47bb-0310-9956-ffa450edef68 ---- - modules/lua/lua_request.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/modules/lua/lua_request.c b/modules/lua/lua_request.c -index 67ff432e51f..493b2bb431c 100644 ---- a/modules/lua/lua_request.c -+++ b/modules/lua/lua_request.c -@@ -410,6 +410,7 @@ static int req_parsebody(lua_State *L) - if (end == NULL) break; - key = (char *) apr_pcalloc(r->pool, 256); - filename = (char *) apr_pcalloc(r->pool, 256); -+ if (end - crlf <= 8) break; - vlen = end - crlf - 8; - buffer = (char *) apr_pcalloc(r->pool, vlen+1); - memcpy(buffer, crlf + 4, vlen); diff --git a/backport-CVE-2022-22719.patch b/backport-CVE-2022-22719.patch deleted file mode 100644 index 4e71022..0000000 --- a/backport-CVE-2022-22719.patch +++ /dev/null @@ -1,93 +0,0 @@ -From 1b96582269d9ec7c82ee0fea1f67934e4b8176ad Mon Sep 17 00:00:00 2001 -From: Yann Ylavic -Date: Mon, 7 Mar 2022 14:51:19 +0000 -Subject: [PATCH] mod_lua: Error out if lua_read_body() or lua_write_body() - fail. - -Otherwise r:requestbody() or r:parsebody() failures might go unnoticed for -the user. - - -Merge r1898689 from trunk. -Submitted by: rpluem -Reviewed by: rpluem, covener, ylavic - - -git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1898694 13f79535-47bb-0310-9956-ffa450edef68 ---- - modules/lua/lua_request.c | 33 ++++++++++++++++++++------------- - 1 file changed, 20 insertions(+), 13 deletions(-) - -diff --git a/modules/lua/lua_request.c b/modules/lua/lua_request.c -index 493b2bb431c..1eab7b6a47b 100644 ---- a/modules/lua/lua_request.c -+++ b/modules/lua/lua_request.c -@@ -235,14 +235,16 @@ static int lua_read_body(request_rec *r, const char **rbuf, apr_off_t *size, - { - int rc = OK; - -+ *rbuf = NULL; -+ *size = 0; -+ - if ((rc = ap_setup_client_block(r, REQUEST_CHUNKED_ERROR))) { - return (rc); - } - if (ap_should_client_block(r)) { - - /*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~*/ -- char argsbuffer[HUGE_STRING_LEN]; -- apr_off_t rsize, len_read, rpos = 0; -+ apr_off_t len_read, rpos = 0; - apr_off_t length = r->remaining; - /*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~*/ - -@@ -250,18 +252,18 @@ static int lua_read_body(request_rec *r, const char **rbuf, apr_off_t *size, - return APR_EINCOMPLETE; /* Only room for incomplete data chunk :( */ - } - *rbuf = (const char *) apr_pcalloc(r->pool, (apr_size_t) (length + 1)); -- *size = length; -- while ((len_read = ap_get_client_block(r, argsbuffer, sizeof(argsbuffer))) > 0) { -- if ((rpos + len_read) > length) { -- rsize = length - rpos; -- } -- else { -- rsize = len_read; -- } -- -- memcpy((char *) *rbuf + rpos, argsbuffer, (size_t) rsize); -- rpos += rsize; -+ while ((rpos < length) -+ && (len_read = ap_get_client_block(r, (char *) *rbuf + rpos, -+ length - rpos)) > 0) { -+ rpos += len_read; -+ } -+ if (len_read < 0) { -+ return APR_EINCOMPLETE; - } -+ *size = rpos; -+ } -+ else { -+ rc = DONE; - } - - return (rc); -@@ -278,6 +280,8 @@ static apr_status_t lua_write_body(request_rec *r, apr_file_t *file, apr_off_t * - { - apr_status_t rc = OK; - -+ *size = 0; -+ - if ((rc = ap_setup_client_block(r, REQUEST_CHUNKED_ERROR))) - return rc; - if (ap_should_client_block(r)) { -@@ -303,6 +307,9 @@ static apr_status_t lua_write_body(request_rec *r, apr_file_t *file, apr_off_t * - rpos += rsize; - } - } -+ else { -+ rc = DONE; -+ } - - return rc; - } - diff --git a/backport-CVE-2022-22720.patch b/backport-CVE-2022-22720.patch deleted file mode 100644 index 3035110..0000000 --- a/backport-CVE-2022-22720.patch +++ /dev/null @@ -1,187 +0,0 @@ -From 19aa2d83b379719420f3a178413325156d7a62f3 Mon Sep 17 00:00:00 2001 -From: Yann Ylavic -Date: Mon, 7 Mar 2022 14:46:08 +0000 -Subject: [PATCH] core: Simpler connection close logic if discarding the - request body fails. - -If ap_discard_request_body() sets AP_CONN_CLOSE by itself it simplifies and -allows to consolidate end_output_stream() and error_output_stream(). - - -Merge r1898683 from trunk. -Submitted by: ylavic, rpluem -Reviewed by: ylavic, rpluem, covener - - -git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1898692 13f79535-47bb-0310-9956-ffa450edef68 ---- - changes-entries/discard_body.diff | 2 + - modules/http/http_filters.c | 69 ++++++++++++++++--------------- - server/protocol.c | 14 +++++-- - 3 files changed, 48 insertions(+), 37 deletions(-) - create mode 100644 changes-entries/discard_body.diff - -diff --git a/changes-entries/discard_body.diff b/changes-entries/discard_body.diff -new file mode 100644 -index 00000000000..6b467ac5ee3 ---- /dev/null -+++ b/changes-entries/discard_body.diff -@@ -0,0 +1,2 @@ -+ *) core: Simpler connection close logic if discarding the request body fails. -+ [Yann Ylavic, Ruediger Pluem] -\ No newline at end of file -diff --git a/modules/http/http_filters.c b/modules/http/http_filters.c -index d9b36212155..43e8c6dd5d5 100644 ---- a/modules/http/http_filters.c -+++ b/modules/http/http_filters.c -@@ -1598,9 +1598,9 @@ AP_DECLARE(int) ap_map_http_request_error(apr_status_t rv, int status) - */ - AP_DECLARE(int) ap_discard_request_body(request_rec *r) - { -+ int rc = OK; -+ conn_rec *c = r->connection; - apr_bucket_brigade *bb; -- int seen_eos; -- apr_status_t rv; - - /* Sometimes we'll get in a state where the input handling has - * detected an error where we want to drop the connection, so if -@@ -1609,54 +1609,57 @@ AP_DECLARE(int) ap_discard_request_body(request_rec *r) - * - * This function is also a no-op on a subrequest. - */ -- if (r->main || r->connection->keepalive == AP_CONN_CLOSE || -- ap_status_drops_connection(r->status)) { -+ if (r->main || c->keepalive == AP_CONN_CLOSE) { -+ return OK; -+ } -+ if (ap_status_drops_connection(r->status)) { -+ c->keepalive = AP_CONN_CLOSE; - return OK; - } - - bb = apr_brigade_create(r->pool, r->connection->bucket_alloc); -- seen_eos = 0; -- do { -- apr_bucket *bucket; -+ for (;;) { -+ apr_status_t rv; - - rv = ap_get_brigade(r->input_filters, bb, AP_MODE_READBYTES, - APR_BLOCK_READ, HUGE_STRING_LEN); -- - if (rv != APR_SUCCESS) { -- apr_brigade_destroy(bb); -- return ap_map_http_request_error(rv, HTTP_BAD_REQUEST); -+ rc = ap_map_http_request_error(rv, HTTP_BAD_REQUEST); -+ goto cleanup; - } - -- for (bucket = APR_BRIGADE_FIRST(bb); -- bucket != APR_BRIGADE_SENTINEL(bb); -- bucket = APR_BUCKET_NEXT(bucket)) -- { -- const char *data; -- apr_size_t len; -+ while (!APR_BRIGADE_EMPTY(bb)) { -+ apr_bucket *b = APR_BRIGADE_FIRST(bb); - -- if (APR_BUCKET_IS_EOS(bucket)) { -- seen_eos = 1; -- break; -- } -- -- /* These are metadata buckets. */ -- if (bucket->length == 0) { -- continue; -+ if (APR_BUCKET_IS_EOS(b)) { -+ goto cleanup; - } - -- /* We MUST read because in case we have an unknown-length -- * bucket or one that morphs, we want to exhaust it. -+ /* There is no need to read empty or metadata buckets or -+ * buckets of known length, but we MUST read buckets of -+ * unknown length in order to exhaust them. - */ -- rv = apr_bucket_read(bucket, &data, &len, APR_BLOCK_READ); -- if (rv != APR_SUCCESS) { -- apr_brigade_destroy(bb); -- return HTTP_BAD_REQUEST; -+ if (b->length == (apr_size_t)-1) { -+ apr_size_t len; -+ const char *data; -+ -+ rv = apr_bucket_read(b, &data, &len, APR_BLOCK_READ); -+ if (rv != APR_SUCCESS) { -+ rc = HTTP_BAD_REQUEST; -+ goto cleanup; -+ } - } -+ -+ apr_bucket_delete(b); - } -- apr_brigade_cleanup(bb); -- } while (!seen_eos); -+ } - -- return OK; -+cleanup: -+ apr_brigade_cleanup(bb); -+ if (rc != OK) { -+ c->keepalive = AP_CONN_CLOSE; -+ } -+ return rc; - } - - /* Here we deal with getting the request message body from the client. -diff --git a/server/protocol.c b/server/protocol.c -index 2214f72b5a4..298f61e1fb8 100644 ---- a/server/protocol.c -+++ b/server/protocol.c -@@ -1687,23 +1687,29 @@ AP_DECLARE(void) ap_set_sub_req_protocol(request_rec *rnew, - rnew->main = (request_rec *) r; - } - --static void end_output_stream(request_rec *r) -+static void end_output_stream(request_rec *r, int status) - { - conn_rec *c = r->connection; - apr_bucket_brigade *bb; - apr_bucket *b; - - bb = apr_brigade_create(r->pool, c->bucket_alloc); -+ if (status != OK) { -+ b = ap_bucket_error_create(status, NULL, r->pool, c->bucket_alloc); -+ APR_BRIGADE_INSERT_TAIL(bb, b); -+ } - b = apr_bucket_eos_create(c->bucket_alloc); - APR_BRIGADE_INSERT_TAIL(bb, b); -+ - ap_pass_brigade(r->output_filters, bb); -+ apr_brigade_cleanup(bb); - } - - AP_DECLARE(void) ap_finalize_sub_req_protocol(request_rec *sub) - { - /* tell the filter chain there is no more content coming */ - if (!sub->eos_sent) { -- end_output_stream(sub); -+ end_output_stream(sub, OK); - } - } - -@@ -1714,11 +1720,11 @@ AP_DECLARE(void) ap_finalize_sub_req_protocol(request_rec *sub) - */ - AP_DECLARE(void) ap_finalize_request_protocol(request_rec *r) - { -- (void) ap_discard_request_body(r); -+ int status = ap_discard_request_body(r); - - /* tell the filter chain there is no more content coming */ - if (!r->eos_sent) { -- end_output_stream(r); -+ end_output_stream(r, status); - } - } - \ No newline at end of file diff --git a/backport-CVE-2022-22721.patch b/backport-CVE-2022-22721.patch deleted file mode 100644 index df904a2..0000000 --- a/backport-CVE-2022-22721.patch +++ /dev/null @@ -1,113 +0,0 @@ -From 5a72f0fe6f2f8ce35c45242e99a421dc19251ab5 Mon Sep 17 00:00:00 2001 -From: Yann Ylavic -Date: Mon, 7 Mar 2022 14:48:54 +0000 -Subject: [PATCH] core: Make sure and check that LimitXMLRequestBody fits in - system memory. - -LimitXMLRequestBody can not exceed the size needed to ap_escape_html2() the -body without failing to allocate memory, so enforce this at load time based -on APR_SIZE_MAX, and make sure that ap_escape_html2() is within the bounds. - -Document the limits for LimitXMLRequestBody in our docs. - - -Merge r1898686 from trunk. -Submitted by: ylavic, rpluem -Reviewed by: ylavic, covener, rpluem - - -git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1898693 13f79535-47bb-0310-9956-ffa450edef68 ---- - changes-entries/AP_MAX_LIMIT_XML_BODY.diff | 2 ++ - server/core.c | 9 +++++++++ - server/util.c | 8 ++++++-- - server/util_xml.c | 2 +- - 4 files changed, 27 insertions(+), 6 deletions(-) - create mode 100644 changes-entries/AP_MAX_LIMIT_XML_BODY.diff - -diff --git a/changes-entries/AP_MAX_LIMIT_XML_BODY.diff b/changes-entries/AP_MAX_LIMIT_XML_BODY.diff -new file mode 100644 -index 00000000000..07fef3c624c ---- /dev/null -+++ b/changes-entries/AP_MAX_LIMIT_XML_BODY.diff -@@ -0,0 +1,2 @@ -+ *) core: Make sure and check that LimitXMLRequestBody fits in system memory. -+ [Ruediger Pluem, Yann Ylavic] -\ No newline at end of file -diff --git a/server/core.c b/server/core.c -index 798212b4808..090e3976421 100644 ---- a/server/core.c -+++ b/server/core.c -@@ -72,6 +72,8 @@ - /* LimitXMLRequestBody handling */ - #define AP_LIMIT_UNSET ((long) -1) - #define AP_DEFAULT_LIMIT_XML_BODY ((apr_size_t)1000000) -+/* Hard limit for ap_escape_html2() */ -+#define AP_MAX_LIMIT_XML_BODY ((apr_size_t)(APR_SIZE_MAX / 6 - 1)) - - #define AP_MIN_SENDFILE_BYTES (256) - -@@ -3761,6 +3763,11 @@ static const char *set_limit_xml_req_body(cmd_parms *cmd, void *conf_, - if (conf->limit_xml_body < 0) - return "LimitXMLRequestBody requires a non-negative integer."; - -+ /* zero is AP_MAX_LIMIT_XML_BODY (implicitly) */ -+ if ((apr_size_t)conf->limit_xml_body > AP_MAX_LIMIT_XML_BODY) -+ return apr_psprintf(cmd->pool, "LimitXMLRequestBody must not exceed " -+ "%" APR_SIZE_T_FMT, AP_MAX_LIMIT_XML_BODY); -+ - return NULL; - } - -@@ -3849,6 +3856,8 @@ AP_DECLARE(apr_size_t) ap_get_limit_xml_body(const request_rec *r) - conf = ap_get_core_module_config(r->per_dir_config); - if (conf->limit_xml_body == AP_LIMIT_UNSET) - return AP_DEFAULT_LIMIT_XML_BODY; -+ if (conf->limit_xml_body == 0) -+ return AP_MAX_LIMIT_XML_BODY; - - return (apr_size_t)conf->limit_xml_body; - } -diff --git a/server/util.c b/server/util.c -index 6cfe0035c49..604be1a1ce3 100644 ---- a/server/util.c -+++ b/server/util.c -@@ -2142,11 +2142,14 @@ AP_DECLARE(char *) ap_escape_urlencoded(apr_pool_t *p, const char *buffer) - - AP_DECLARE(char *) ap_escape_html2(apr_pool_t *p, const char *s, int toasc) - { -- int i, j; -+ apr_size_t i, j; - char *x; - - /* first, count the number of extra characters */ -- for (i = 0, j = 0; s[i] != '\0'; i++) -+ for (i = 0, j = 0; s[i] != '\0'; i++) { -+ if (i + j > APR_SIZE_MAX - 6) { -+ abort(); -+ } - if (s[i] == '<' || s[i] == '>') - j += 3; - else if (s[i] == '&') -@@ -2155,6 +2158,7 @@ AP_DECLARE(char *) ap_escape_html2(apr_pool_t *p, const char *s, int toasc) - j += 5; - else if (toasc && !apr_isascii(s[i])) - j += 5; -+ } - - if (j == 0) - return apr_pstrmemdup(p, s, i); -diff --git a/server/util_xml.c b/server/util_xml.c -index 4845194656e..22806fa8a40 100644 ---- a/server/util_xml.c -+++ b/server/util_xml.c -@@ -85,7 +85,7 @@ AP_DECLARE(int) ap_xml_parse_input(request_rec * r, apr_xml_doc **pdoc) - } - - total_read += len; -- if (limit_xml_body && total_read > limit_xml_body) { -+ if (total_read > limit_xml_body) { - ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(00539) - "XML request body is larger than the configured " - "limit of %lu", (unsigned long)limit_xml_body); - diff --git a/backport-CVE-2022-26377.patch b/backport-CVE-2022-26377.patch deleted file mode 100644 index 5bebf98..0000000 --- a/backport-CVE-2022-26377.patch +++ /dev/null @@ -1,38 +0,0 @@ -From f7f15f3d8bfe3032926c8c39eb8434529f680bd4 Mon Sep 17 00:00:00 2001 -From: ylavic -Date: Wed Jun 1 13:48:21 2022 UTC -Subject: [PATCH] mod_proxy_ajp: T-E has precedence over C-L. - ---- - modules/proxy/mod_proxy_ajp.c | 15 ++++++++++++--- - 1 file changed, 12 insertions(+), 3 deletions(-) - -diff --git a/modules/proxy/mod_proxy_ajp.c b/modules/proxy/mod_proxy_ajp.c -index e2992fc..a77a86b 100644 ---- a/modules/proxy/mod_proxy_ajp.c -+++ b/modules/proxy/mod_proxy_ajp.c -@@ -246,9 +246,18 @@ static int ap_proxy_ajp_request(apr_pool_t *p, request_rec *r, - /* read the first block of data */ - input_brigade = apr_brigade_create(p, r->connection->bucket_alloc); - tenc = apr_table_get(r->headers_in, "Transfer-Encoding"); -- if (tenc && (ap_cstr_casecmp(tenc, "chunked") == 0)) { -- /* The AJP protocol does not want body data yet */ -- ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(00870) "request is chunked"); -+ if (tenc) { -+ if (ap_cstr_casecmp(tenc, "chunked") == 0) { -+ /* The AJP protocol does not want body data yet */ -+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(00870) -+ "request is chunked"); -+ } -+ else { -+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10396) -+ "%s Transfer-Encoding is not supported", -+ tenc); -+ return HTTP_INTERNAL_SERVER_ERROR; -+ } - } else { - /* Get client provided Content-Length header */ - content_length = get_content_length(r); --- -1.8.3.1 - diff --git a/backport-CVE-2022-28330.patch b/backport-CVE-2022-28330.patch deleted file mode 100644 index d944fa2..0000000 --- a/backport-CVE-2022-28330.patch +++ /dev/null @@ -1,33 +0,0 @@ -From 258698607821acfda8f90d9d17e44d18c30f8d77 Mon Sep 17 00:00:00 2001 -From: covener -Date: Wed, 1 Ju0 2022 12:37:44 UTC -Subject: [PATCH] mod_isapi:use consistent filename - -Conflict:NA -Reference:https://github.com/apache/httpd/commit/258698607821acfda8f90d9d17e44d18c30f8d77 - ---- - modules/arch/win32/mod_isapi.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/modules/arch/win32/mod_isapi.c b/modules/arch/win32/mod_isapi.c -index 5592a57..a9816e5 100644 ---- a/modules/arch/win32/mod_isapi.c -+++ b/modules/arch/win32/mod_isapi.c -@@ -976,11 +976,11 @@ static int APR_THREAD_FUNC regfnServerSupportFunction(isapi_cid *cid, - return 0; - } - -- len = (apr_uint32_t)strlen(r->filename); -+ len = (apr_uint32_t)strlen(subreq->filename); - - if ((subreq->finfo.filetype == APR_DIR) - && (!subreq->path_info) -- && (file[len - 1] != '/')) -+ && (subreq->filename[len - 1] != '/')) - file = apr_pstrcat(cid->r->pool, subreq->filename, "/", NULL); - else - file = apr_pstrcat(cid->r->pool, subreq->filename, --- -2.23.0 - diff --git a/backport-CVE-2022-28614.patch b/backport-CVE-2022-28614.patch deleted file mode 100644 index 3f782ce..0000000 --- a/backport-CVE-2022-28614.patch +++ /dev/null @@ -1,60 +0,0 @@ -From 8c14927162cf3b4f810683e1c5505e9ef9e1f123 Mon Sep 17 00:00:00 2001 -From: covener -Date: Wed Jun 1 07:51:04 2022 UTC -Subject: [PATCH] handle large writes in ap_rputs - ---- - include/http_protocol.h | 22 +++++++++++++++++++++- - server/protocol.c | 3 +++ - 2 files changed, 24 insertions(+), 1 deletion(-) - -diff --git a/include/http_protocol.h b/include/http_protocol.h -index 20bd202..94c481e 100644 ---- a/include/http_protocol.h -+++ b/include/http_protocol.h -@@ -475,7 +475,27 @@ AP_DECLARE(int) ap_rwrite(const void *buf, int nbyte, request_rec *r); - */ - static APR_INLINE int ap_rputs(const char *str, request_rec *r) - { -- return ap_rwrite(str, (int)strlen(str), r); -+ apr_size_t len; -+ -+ len = strlen(str); -+ -+ for (;;) { -+ if (len <= INT_MAX) { -+ return ap_rwrite(str, (int)len, r); -+ } -+ else { -+ int rc; -+ -+ rc = ap_rwrite(str, INT_MAX, r); -+ if (rc < 0) { -+ return rc; -+ } -+ else { -+ str += INT_MAX; -+ len -= INT_MAX; -+ } -+ } -+ } - } - - /** -diff --git a/server/protocol.c b/server/protocol.c -index 298f61e..7adc7f7 100644 ---- a/server/protocol.c -+++ b/server/protocol.c -@@ -2128,6 +2128,9 @@ AP_DECLARE(int) ap_rputc(int c, request_rec *r) - - AP_DECLARE(int) ap_rwrite(const void *buf, int nbyte, request_rec *r) - { -+ if (nbyte < 0) -+ return -1; -+ - if (r->connection->aborted) - return -1; - --- -1.8.3.1 - diff --git a/backport-CVE-2022-28615.patch b/backport-CVE-2022-28615.patch deleted file mode 100644 index cf371ad..0000000 --- a/backport-CVE-2022-28615.patch +++ /dev/null @@ -1,34 +0,0 @@ -From 929c7156cefdd2f74f83dcab2b15b2d09e80ec82 Mon Sep 17 00:00:00 2001 -From: covener -Date: Wed Jun 1 12:20:56 2022 UTC -Subject: [PATCH] ap_strcasecmp_match/ap_strcmp_match:fix types - ---- - server/util.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/server/util.c b/server/util.c -index 633648c..09ac0c5 100644 ---- a/server/util.c -+++ b/server/util.c -@@ -185,7 +185,7 @@ AP_DECLARE(char *) ap_ht_time(apr_pool_t *p, apr_time_t t, const char *fmt, - */ - AP_DECLARE(int) ap_strcmp_match(const char *str, const char *expected) - { -- int x, y; -+ apr_size_t x, y; - - for (x = 0, y = 0; expected[y]; ++y, ++x) { - if (expected[y] == '*') { -@@ -209,7 +209,7 @@ AP_DECLARE(int) ap_strcmp_match(const char *str, const char *expected) - - AP_DECLARE(int) ap_strcasecmp_match(const char *str, const char *expected) - { -- int x, y; -+ apr_size_t x, y; - - for (x = 0, y = 0; expected[y]; ++y, ++x) { - if (!str[x] && expected[y] != '*') --- -1.8.3.1 - diff --git a/backport-CVE-2022-29404.patch b/backport-CVE-2022-29404.patch deleted file mode 100644 index 33633d4..0000000 --- a/backport-CVE-2022-29404.patch +++ /dev/null @@ -1,88 +0,0 @@ -From 92499e20034485c5e2d29cb85940e309573d976e Mon Sep 17 00:00:00 2001 -From: covener -Date: Wed Jun 1 12:30:46 2022 UTC -Subject: [PATCH] use a liberal default limit for LimitRequestBody of 1GB - ---- - modules/http/http_filters.c | 8 +++++++- - modules/proxy/proxy_util.c | 13 ------------- - server/core.c | 2 +- - 3 files changed, 8 insertions(+), 15 deletions(-) - -diff --git a/modules/http/http_filters.c b/modules/http/http_filters.c -index 3e02da8..c3eab95 100644 ---- a/modules/http/http_filters.c -+++ b/modules/http/http_filters.c -@@ -1700,7 +1700,8 @@ AP_DECLARE(int) ap_setup_client_block(request_rec *r, int read_policy) - { - const char *tenc = apr_table_get(r->headers_in, "Transfer-Encoding"); - const char *lenp = apr_table_get(r->headers_in, "Content-Length"); -- -+ apr_off_t limit_req_body = ap_get_limit_req_body(r); -+ - r->read_body = read_policy; - r->read_chunked = 0; - r->remaining = 0; -@@ -1735,6 +1736,11 @@ AP_DECLARE(int) ap_setup_client_block(request_rec *r, int read_policy) - return HTTP_REQUEST_ENTITY_TOO_LARGE; - } - -+ if (limit_req_body > 0 && (r->remaining > limit_req_body)) { -+ /* will be logged when the body is discarded */ -+ return HTTP_REQUEST_ENTITY_TOO_LARGE; -+ } -+ - #ifdef AP_DEBUG - { - /* Make sure ap_getline() didn't leave any droppings. */ -diff --git a/modules/proxy/proxy_util.c b/modules/proxy/proxy_util.c -index 4f1610f..04733f2 100644 ---- a/modules/proxy/proxy_util.c -+++ b/modules/proxy/proxy_util.c -@@ -4249,12 +4249,10 @@ PROXY_DECLARE(int) ap_proxy_spool_input(request_rec *r, - apr_bucket *e; - apr_off_t bytes, fsize = 0; - apr_file_t *tmpfile = NULL; -- apr_off_t limit; - - *bytes_spooled = 0; - body_brigade = apr_brigade_create(p, bucket_alloc); - -- limit = ap_get_limit_req_body(r); - - do { - if (APR_BRIGADE_EMPTY(input_brigade)) { -@@ -4273,17 +4271,6 @@ PROXY_DECLARE(int) ap_proxy_spool_input(request_rec *r, - apr_brigade_length(input_brigade, 1, &bytes); - - if (*bytes_spooled + bytes > max_mem_spool) { -- /* -- * LimitRequestBody does not affect Proxy requests (Should it?). -- * Let it take effect if we decide to store the body in a -- * temporary file on disk. -- */ -- if (limit && (*bytes_spooled + bytes > limit)) { -- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01088) -- "Request body is larger than the configured " -- "limit of %" APR_OFF_T_FMT, limit); -- return HTTP_REQUEST_ENTITY_TOO_LARGE; -- } - /* can't spool any more in memory; write latest brigade to disk */ - if (tmpfile == NULL) { - const char *temp_dir; -diff --git a/server/core.c b/server/core.c -index 957eeff..515047b 100644 ---- a/server/core.c -+++ b/server/core.c -@@ -71,7 +71,7 @@ - - /* LimitRequestBody handling */ - #define AP_LIMIT_REQ_BODY_UNSET ((apr_off_t) -1) --#define AP_DEFAULT_LIMIT_REQ_BODY ((apr_off_t) 0) -+#define AP_DEFAULT_LIMIT_REQ_BODY ((apr_off_t) 1<<30) /* 1GB */ - - /* LimitXMLRequestBody handling */ - #define AP_LIMIT_UNSET ((long) -1) --- -1.8.3.1 - diff --git a/backport-CVE-2022-30522.patch b/backport-CVE-2022-30522.patch deleted file mode 100644 index b5f4c3a..0000000 --- a/backport-CVE-2022-30522.patch +++ /dev/null @@ -1,408 +0,0 @@ -From 65b8fb947b144556c7ad1cf7ddc3941010ad77ba Mon Sep 17 00:00:00 2001 -From: covener -Date: Wed Jun 1 12:40:09 2022 UTC -Subject: [PATCH] limit mod_sed memory use - ---- - modules/filters/sed1.c | 156 +++++++++++++++++++++++++++++++++++-------------- - 1 file changed, 113 insertions(+), 43 deletions(-) - -diff --git a/modules/filters/sed1.c b/modules/filters/sed1.c -index 67a8d06..a08068e 100644 ---- a/modules/filters/sed1.c -+++ b/modules/filters/sed1.c -@@ -87,18 +87,20 @@ static void eval_errf(sed_eval_t *eval, const char *fmt, ...) - } - - #define INIT_BUF_SIZE 1024 -+#define MAX_BUF_SIZE 1024*8192 - - /* - * grow_buffer - */ --static void grow_buffer(apr_pool_t *pool, char **buffer, -+static apr_status_t grow_buffer(apr_pool_t *pool, char **buffer, - char **spend, apr_size_t *cursize, - apr_size_t newsize) - { - char* newbuffer = NULL; - apr_size_t spendsize = 0; -- if (*cursize >= newsize) -- return; -+ if (*cursize >= newsize) { -+ return APR_SUCCESS; -+ } - /* Avoid number of times realloc is called. It could cause huge memory - * requirement if line size is huge e.g 2 MB */ - if (newsize < *cursize * 2) { -@@ -107,6 +109,9 @@ static void grow_buffer(apr_pool_t *pool, char **buffer, - - /* Align it to 4 KB boundary */ - newsize = (newsize + ((1 << 12) - 1)) & ~((1 << 12) - 1); -+ if (newsize > MAX_BUF_SIZE) { -+ return APR_ENOMEM; -+ } - newbuffer = apr_pcalloc(pool, newsize); - if (*spend && *buffer && (*cursize > 0)) { - spendsize = *spend - *buffer; -@@ -119,63 +124,77 @@ static void grow_buffer(apr_pool_t *pool, char **buffer, - if (spend != buffer) { - *spend = *buffer + spendsize; - } -+ return APR_SUCCESS; - } - - /* - * grow_line_buffer - */ --static void grow_line_buffer(sed_eval_t *eval, apr_size_t newsize) -+static apr_status_t grow_line_buffer(sed_eval_t *eval, apr_size_t newsize) - { -- grow_buffer(eval->pool, &eval->linebuf, &eval->lspend, -+ return grow_buffer(eval->pool, &eval->linebuf, &eval->lspend, - &eval->lsize, newsize); - } - - /* - * grow_hold_buffer - */ --static void grow_hold_buffer(sed_eval_t *eval, apr_size_t newsize) -+static apr_status_t grow_hold_buffer(sed_eval_t *eval, apr_size_t newsize) - { -- grow_buffer(eval->pool, &eval->holdbuf, &eval->hspend, -+ return grow_buffer(eval->pool, &eval->holdbuf, &eval->hspend, - &eval->hsize, newsize); - } - - /* - * grow_gen_buffer - */ --static void grow_gen_buffer(sed_eval_t *eval, apr_size_t newsize, -+static apr_status_t grow_gen_buffer(sed_eval_t *eval, apr_size_t newsize, - char **gspend) - { -+ apr_status_t rc = 0; - if (gspend == NULL) { - gspend = &eval->genbuf; - } -- grow_buffer(eval->pool, &eval->genbuf, gspend, -+ rc = grow_buffer(eval->pool, &eval->genbuf, gspend, - &eval->gsize, newsize); -- eval->lcomend = &eval->genbuf[71]; -+ if (rc == APR_SUCCESS) { -+ eval->lcomend = &eval->genbuf[71]; -+ } -+ return rc; - } - - /* - * appendmem_to_linebuf - */ --static void appendmem_to_linebuf(sed_eval_t *eval, const char* sz, apr_size_t len) -+static apr_status_t appendmem_to_linebuf(sed_eval_t *eval, const char* sz, apr_size_t len) - { -+ apr_status_t rc = 0; - apr_size_t reqsize = (eval->lspend - eval->linebuf) + len; - if (eval->lsize < reqsize) { -- grow_line_buffer(eval, reqsize); -+ rc = grow_line_buffer(eval, reqsize); -+ if (rc != APR_SUCCESS) { -+ return rc; -+ } - } - memcpy(eval->lspend, sz, len); - eval->lspend += len; -+ return APR_SUCCESS; - } - - /* - * append_to_linebuf - */ --static void append_to_linebuf(sed_eval_t *eval, const char* sz, -+static apr_status_t append_to_linebuf(sed_eval_t *eval, const char* sz, - step_vars_storage *step_vars) - { - apr_size_t len = strlen(sz); - char *old_linebuf = eval->linebuf; -+ apr_status_t rc = 0; - /* Copy string including null character */ -- appendmem_to_linebuf(eval, sz, len + 1); -+ rc = appendmem_to_linebuf(eval, sz, len + 1); -+ if (rc != APR_SUCCESS) { -+ return rc; -+ } - --eval->lspend; /* lspend will now point to NULL character */ - /* Sync step_vars after a possible linebuf expansion */ - if (step_vars && old_linebuf != eval->linebuf) { -@@ -189,68 +208,84 @@ static void append_to_linebuf(sed_eval_t *eval, const char* sz, - step_vars->locs = step_vars->locs - old_linebuf + eval->linebuf; - } - } -+ return APR_SUCCESS; - } - - /* - * copy_to_linebuf - */ --static void copy_to_linebuf(sed_eval_t *eval, const char* sz, -+static apr_status_t copy_to_linebuf(sed_eval_t *eval, const char* sz, - step_vars_storage *step_vars) - { - eval->lspend = eval->linebuf; -- append_to_linebuf(eval, sz, step_vars); -+ return append_to_linebuf(eval, sz, step_vars); - } - - /* - * append_to_holdbuf - */ --static void append_to_holdbuf(sed_eval_t *eval, const char* sz) -+static apr_status_t append_to_holdbuf(sed_eval_t *eval, const char* sz) - { - apr_size_t len = strlen(sz); - apr_size_t reqsize = (eval->hspend - eval->holdbuf) + len + 1; -+ apr_status_t rc = 0; - if (eval->hsize <= reqsize) { -- grow_hold_buffer(eval, reqsize); -+ rc = grow_hold_buffer(eval, reqsize); -+ if (rc != APR_SUCCESS) { -+ return rc; -+ } - } - memcpy(eval->hspend, sz, len + 1); - /* hspend will now point to NULL character */ - eval->hspend += len; -+ return APR_SUCCESS; - } - - /* - * copy_to_holdbuf - */ --static void copy_to_holdbuf(sed_eval_t *eval, const char* sz) -+static apr_status_t copy_to_holdbuf(sed_eval_t *eval, const char* sz) - { - eval->hspend = eval->holdbuf; -- append_to_holdbuf(eval, sz); -+ return append_to_holdbuf(eval, sz); - } - - /* - * append_to_genbuf - */ --static void append_to_genbuf(sed_eval_t *eval, const char* sz, char **gspend) -+static apr_status_t append_to_genbuf(sed_eval_t *eval, const char* sz, char **gspend) - { - apr_size_t len = strlen(sz); - apr_size_t reqsize = (*gspend - eval->genbuf) + len + 1; -+ apr_status_t rc = 0; - if (eval->gsize < reqsize) { -- grow_gen_buffer(eval, reqsize, gspend); -+ rc = grow_gen_buffer(eval, reqsize, gspend); -+ if (rc != APR_SUCCESS) { -+ return rc; -+ } - } - memcpy(*gspend, sz, len + 1); - /* *gspend will now point to NULL character */ - *gspend += len; -+ return APR_SUCCESS; - } - - /* - * copy_to_genbuf - */ --static void copy_to_genbuf(sed_eval_t *eval, const char* sz) -+static apr_status_t copy_to_genbuf(sed_eval_t *eval, const char* sz) - { - apr_size_t len = strlen(sz); - apr_size_t reqsize = len + 1; -+ apr_status_t rc = APR_SUCCESS; - if (eval->gsize < reqsize) { -- grow_gen_buffer(eval, reqsize, NULL); -+ rc = grow_gen_buffer(eval, reqsize, NULL); -+ if (rc != APR_SUCCESS) { -+ return rc; -+ } - } - memcpy(eval->genbuf, sz, len + 1); -+ return rc; - } - - /* -@@ -397,6 +432,7 @@ apr_status_t sed_eval_buffer(sed_eval_t *eval, const char *buf, apr_size_t bufsz - } - - while (bufsz) { -+ apr_status_t rc = 0; - char *n; - apr_size_t llen; - -@@ -411,7 +447,10 @@ apr_status_t sed_eval_buffer(sed_eval_t *eval, const char *buf, apr_size_t bufsz - break; - } - -- appendmem_to_linebuf(eval, buf, llen + 1); -+ rc = appendmem_to_linebuf(eval, buf, llen + 1); -+ if (rc != APR_SUCCESS) { -+ return rc; -+ } - --eval->lspend; - /* replace new line character with NULL */ - *eval->lspend = '\0'; -@@ -426,7 +465,10 @@ apr_status_t sed_eval_buffer(sed_eval_t *eval, const char *buf, apr_size_t bufsz - - /* Save the leftovers for later */ - if (bufsz) { -- appendmem_to_linebuf(eval, buf, bufsz); -+ apr_status_t rc = appendmem_to_linebuf(eval, buf, bufsz); -+ if (rc != APR_SUCCESS) { -+ return rc; -+ } - } - - return APR_SUCCESS; -@@ -448,6 +490,7 @@ apr_status_t sed_finalize_eval(sed_eval_t *eval, void *fout) - /* Process leftovers */ - if (eval->lspend > eval->linebuf) { - apr_status_t rv; -+ apr_status_t rc = 0; - - if (eval->lreadyflag) { - eval->lreadyflag = 0; -@@ -457,7 +500,10 @@ apr_status_t sed_finalize_eval(sed_eval_t *eval, void *fout) - * buffer is not a newline. - */ - /* Assure space for NULL */ -- append_to_linebuf(eval, "", NULL); -+ rc = append_to_linebuf(eval, "", NULL); -+ if (rc != APR_SUCCESS) { -+ return rc; -+ } - } - - *eval->lspend = '\0'; -@@ -655,11 +701,15 @@ static apr_status_t dosub(sed_eval_t *eval, char *rhsbuf, int n, - sp = eval->genbuf; - rp = rhsbuf; - sp = place(eval, sp, lp, step_vars->loc1); -+ if (sp == NULL) { -+ return APR_EGENERAL; -+ } - while ((c = *rp++) != 0) { - if (c == '&') { - sp = place(eval, sp, step_vars->loc1, step_vars->loc2); -- if (sp == NULL) -+ if (sp == NULL) { - return APR_EGENERAL; -+ } - } - else if (c == '\\') { - c = *rp++; -@@ -675,13 +725,19 @@ static apr_status_t dosub(sed_eval_t *eval, char *rhsbuf, int n, - *sp++ = c; - if (sp >= eval->genbuf + eval->gsize) { - /* expand genbuf and set the sp appropriately */ -- grow_gen_buffer(eval, eval->gsize + 1024, &sp); -+ rv = grow_gen_buffer(eval, eval->gsize + 1024, &sp); -+ if (rv != APR_SUCCESS) { -+ return rv; -+ } - } - } - lp = step_vars->loc2; - step_vars->loc2 = sp - eval->genbuf + eval->linebuf; -- append_to_genbuf(eval, lp, &sp); -- copy_to_linebuf(eval, eval->genbuf, step_vars); -+ rv = append_to_genbuf(eval, lp, &sp); -+ if (rv != APR_SUCCESS) { -+ return rv; -+ } -+ rv = copy_to_linebuf(eval, eval->genbuf, step_vars); - return rv; - } - -@@ -695,7 +751,10 @@ static char *place(sed_eval_t *eval, char *asp, char *al1, char *al2) - apr_size_t reqsize = (sp - eval->genbuf) + n + 1; - - if (eval->gsize < reqsize) { -- grow_gen_buffer(eval, reqsize, &sp); -+ apr_status_t rc = grow_gen_buffer(eval, reqsize, &sp); -+ if (rc != APR_SUCCESS) { -+ return NULL; -+ } - } - memcpy(sp, al1, n); - return sp + n; -@@ -750,7 +809,8 @@ static apr_status_t command(sed_eval_t *eval, sed_reptr_t *ipc, - } - - p1++; -- copy_to_linebuf(eval, p1, step_vars); -+ rv = copy_to_linebuf(eval, p1, step_vars); -+ if (rv != APR_SUCCESS) return rv; - eval->jflag++; - break; - -@@ -760,21 +820,27 @@ static apr_status_t command(sed_eval_t *eval, sed_reptr_t *ipc, - break; - - case GCOM: -- copy_to_linebuf(eval, eval->holdbuf, step_vars); -+ rv = copy_to_linebuf(eval, eval->holdbuf, step_vars); -+ if (rv != APR_SUCCESS) return rv; - break; - - case CGCOM: -- append_to_linebuf(eval, "\n", step_vars); -- append_to_linebuf(eval, eval->holdbuf, step_vars); -+ rv = append_to_linebuf(eval, "\n", step_vars); -+ if (rv != APR_SUCCESS) return rv; -+ rv = append_to_linebuf(eval, eval->holdbuf, step_vars); -+ if (rv != APR_SUCCESS) return rv; - break; - - case HCOM: -- copy_to_holdbuf(eval, eval->linebuf); -+ rv = copy_to_holdbuf(eval, eval->linebuf); -+ if (rv != APR_SUCCESS) return rv; - break; - - case CHCOM: -- append_to_holdbuf(eval, "\n"); -- append_to_holdbuf(eval, eval->linebuf); -+ rv = append_to_holdbuf(eval, "\n"); -+ if (rv != APR_SUCCESS) return rv; -+ rv = append_to_holdbuf(eval, eval->linebuf); -+ if (rv != APR_SUCCESS) return rv; - break; - - case ICOM: -@@ -896,7 +962,8 @@ static apr_status_t command(sed_eval_t *eval, sed_reptr_t *ipc, - if (rv != APR_SUCCESS) - return rv; - } -- append_to_linebuf(eval, "\n", step_vars); -+ rv = append_to_linebuf(eval, "\n", step_vars); -+ if (rv != APR_SUCCESS) return rv; - eval->pending = ipc->next; - break; - -@@ -970,9 +1037,12 @@ static apr_status_t command(sed_eval_t *eval, sed_reptr_t *ipc, - break; - - case XCOM: -- copy_to_genbuf(eval, eval->linebuf); -- copy_to_linebuf(eval, eval->holdbuf, step_vars); -- copy_to_holdbuf(eval, eval->genbuf); -+ rv = copy_to_genbuf(eval, eval->linebuf); -+ if (rv != APR_SUCCESS) return rv; -+ rv = copy_to_linebuf(eval, eval->holdbuf, step_vars); -+ if (rv != APR_SUCCESS) return rv; -+ rv = copy_to_holdbuf(eval, eval->genbuf); -+ if (rv != APR_SUCCESS) return rv; - break; - - case YCOM: --- -1.8.3.1 - diff --git a/backport-CVE-2022-30556.patch b/backport-CVE-2022-30556.patch deleted file mode 100644 index 4d54d14..0000000 --- a/backport-CVE-2022-30556.patch +++ /dev/null @@ -1,246 +0,0 @@ -From 11a3fcbf9e64239d8fe8402d941bbdcbc4532c88 Mon Sep 17 00:00:00 2001 -From: covener -Date: Wed Jun 1 12:36:13 2022 UTC -Subject: [PATCH] use filters consistently - ---- - modules/lua/lua_request.c | 145 +++++++++++++++++----------------------------- - 1 file changed, 54 insertions(+), 91 deletions(-) - -diff --git a/modules/lua/lua_request.c b/modules/lua/lua_request.c -index 1eab7b6..a7e501b 100644 ---- a/modules/lua/lua_request.c -+++ b/modules/lua/lua_request.c -@@ -2227,23 +2227,20 @@ static int lua_websocket_greet(lua_State *L) - return 0; - } - --static apr_status_t lua_websocket_readbytes(conn_rec* c, char* buffer, -- apr_off_t len) -+static apr_status_t lua_websocket_readbytes(conn_rec* c, -+ apr_bucket_brigade *brigade, -+ char* buffer, apr_off_t len) - { -- apr_bucket_brigade *brigade = apr_brigade_create(c->pool, c->bucket_alloc); -+ apr_size_t delivered; - apr_status_t rv; -+ - rv = ap_get_brigade(c->input_filters, brigade, AP_MODE_READBYTES, - APR_BLOCK_READ, len); - if (rv == APR_SUCCESS) { -- if (!APR_BRIGADE_EMPTY(brigade)) { -- apr_bucket* bucket = APR_BRIGADE_FIRST(brigade); -- const char* data = NULL; -- apr_size_t data_length = 0; -- rv = apr_bucket_read(bucket, &data, &data_length, APR_BLOCK_READ); -- if (rv == APR_SUCCESS) { -- memcpy(buffer, data, len); -- } -- apr_bucket_delete(bucket); -+ delivered = len; -+ rv = apr_brigade_flatten(brigade, buffer, &delivered); -+ if ((rv == APR_SUCCESS) && (delivered < len)) { -+ rv = APR_INCOMPLETE; - } - } - apr_brigade_cleanup(brigade); -@@ -2273,35 +2270,29 @@ static int lua_websocket_peek(lua_State *L) - - static int lua_websocket_read(lua_State *L) - { -- apr_socket_t *sock; - apr_status_t rv; - int do_read = 1; - int n = 0; -- apr_size_t len = 1; - apr_size_t plen = 0; - unsigned short payload_short = 0; - apr_uint64_t payload_long = 0; - unsigned char *mask_bytes; - char byte; -- int plaintext; -- - -- request_rec *r = ap_lua_check_request_rec(L, 1); -- plaintext = ap_lua_ssl_is_https(r->connection) ? 0 : 1; -+ apr_bucket_brigade *brigade; -+ conn_rec* c; - -+ request_rec *r = ap_lua_check_request_rec(L, 1); -+ c = r->connection; - - mask_bytes = apr_pcalloc(r->pool, 4); -- sock = ap_get_conn_socket(r->connection); -+ -+ brigade = apr_brigade_create(r->pool, c->bucket_alloc); - - while (do_read) { - do_read = 0; - /* Get opcode and FIN bit */ -- if (plaintext) { -- rv = apr_socket_recv(sock, &byte, &len); -- } -- else { -- rv = lua_websocket_readbytes(r->connection, &byte, 1); -- } -+ rv = lua_websocket_readbytes(c, brigade, &byte, 1); - if (rv == APR_SUCCESS) { - unsigned char ubyte, fin, opcode, mask, payload; - ubyte = (unsigned char)byte; -@@ -2311,12 +2302,7 @@ static int lua_websocket_read(lua_State *L) - opcode = ubyte & 0xf; - - /* Get the payload length and mask bit */ -- if (plaintext) { -- rv = apr_socket_recv(sock, &byte, &len); -- } -- else { -- rv = lua_websocket_readbytes(r->connection, &byte, 1); -- } -+ rv = lua_websocket_readbytes(c, brigade, &byte, 1); - if (rv == APR_SUCCESS) { - ubyte = (unsigned char)byte; - /* Mask is the first bit */ -@@ -2327,40 +2313,25 @@ static int lua_websocket_read(lua_State *L) - - /* Extended payload? */ - if (payload == 126) { -- len = 2; -- if (plaintext) { -- /* XXX: apr_socket_recv does not receive len bits, only up to len bits! */ -- rv = apr_socket_recv(sock, (char*) &payload_short, &len); -- } -- else { -- rv = lua_websocket_readbytes(r->connection, -- (char*) &payload_short, 2); -- } -- payload_short = ntohs(payload_short); -- -- if (rv == APR_SUCCESS) { -- plen = payload_short; -- } -- else { -+ rv = lua_websocket_readbytes(c, brigade, -+ (char*) &payload_short, 2); -+ -+ if (rv != APR_SUCCESS) { - return 0; - } -+ -+ plen = ntohs(payload_short); - } - /* Super duper extended payload? */ - if (payload == 127) { -- len = 8; -- if (plaintext) { -- rv = apr_socket_recv(sock, (char*) &payload_long, &len); -- } -- else { -- rv = lua_websocket_readbytes(r->connection, -- (char*) &payload_long, 8); -- } -- if (rv == APR_SUCCESS) { -- plen = ap_ntoh64(&payload_long); -- } -- else { -+ rv = lua_websocket_readbytes(c, brigade, -+ (char*) &payload_long, 8); -+ -+ if (rv != APR_SUCCESS) { - return 0; - } -+ -+ plen = ap_ntoh64(&payload_long); - } - ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(03210) - "Websocket: Reading %" APR_SIZE_T_FMT " (%s) bytes, masking is %s. %s", -@@ -2369,46 +2340,27 @@ static int lua_websocket_read(lua_State *L) - mask ? "on" : "off", - fin ? "This is a final frame" : "more to follow"); - if (mask) { -- len = 4; -- if (plaintext) { -- rv = apr_socket_recv(sock, (char*) mask_bytes, &len); -- } -- else { -- rv = lua_websocket_readbytes(r->connection, -- (char*) mask_bytes, 4); -- } -+ rv = lua_websocket_readbytes(c, brigade, -+ (char*) mask_bytes, 4); -+ - if (rv != APR_SUCCESS) { - return 0; - } - } - if (plen < (HUGE_STRING_LEN*1024) && plen > 0) { - apr_size_t remaining = plen; -- apr_size_t received; -- apr_off_t at = 0; - char *buffer = apr_palloc(r->pool, plen+1); - buffer[plen] = 0; - -- if (plaintext) { -- while (remaining > 0) { -- received = remaining; -- rv = apr_socket_recv(sock, buffer+at, &received); -- if (received > 0 ) { -- remaining -= received; -- at += received; -- } -- } -- ap_log_rerror(APLOG_MARK, APLOG_TRACE1, 0, r, -- "Websocket: Frame contained %" APR_OFF_T_FMT " bytes, pushed to Lua stack", -- at); -- } -- else { -- rv = lua_websocket_readbytes(r->connection, buffer, -- remaining); -- ap_log_rerror(APLOG_MARK, APLOG_TRACE1, 0, r, -- "Websocket: SSL Frame contained %" APR_SIZE_T_FMT " bytes, "\ -- "pushed to Lua stack", -- remaining); -+ rv = lua_websocket_readbytes(c, brigade, buffer, remaining); -+ -+ if (rv != APR_SUCCESS) { -+ return 0; - } -+ -+ ap_log_rerror(APLOG_MARK, APLOG_TRACE1, 0, r, -+ "Websocket: Frame contained %" APR_SIZE_T_FMT \ -+ " bytes, pushed to Lua stack", remaining); - if (mask) { - for (n = 0; n < plen; n++) { - buffer[n] ^= mask_bytes[n%4]; -@@ -2420,14 +2372,25 @@ static int lua_websocket_read(lua_State *L) - return 2; - } - -- - /* Decide if we need to react to the opcode or not */ - if (opcode == 0x09) { /* ping */ - char frame[2]; -- plen = 2; -+ apr_bucket *b; -+ - frame[0] = 0x8A; - frame[1] = 0; -- apr_socket_send(sock, frame, &plen); /* Pong! */ -+ -+ /* Pong! */ -+ b = apr_bucket_transient_create(frame, 2, c->bucket_alloc); -+ APR_BRIGADE_INSERT_TAIL(brigade, b); -+ -+ rv = ap_pass_brigade(c->output_filters, brigade); -+ apr_brigade_cleanup(brigade); -+ -+ if (rv != APR_SUCCESS) { -+ return 0; -+ } -+ - do_read = 1; - } - } --- -1.8.3.1 - diff --git a/backport-CVE-2022-31813.patch b/backport-CVE-2022-31813.patch deleted file mode 100644 index 962dd6b..0000000 --- a/backport-CVE-2022-31813.patch +++ /dev/null @@ -1,243 +0,0 @@ -From 956f708b094698ac9ad570d640d4f30eb0df7305 Mon Sep 17 00:00:00 2001 -From: icing -Date: Wed Jun 1 07:51:04 2022 UTC -Subject: [PATCH] mod_proxy: ap_proxy_create_hdrbrgd() to clear hop-by-hop first and fixup last. - ---- - modules/proxy/proxy_util.c | 155 +++++++++++++++++++++++---------------------- - 1 file changed, 78 insertions(+), 77 deletions(-) - -diff --git a/modules/proxy/proxy_util.c b/modules/proxy/proxy_util.c -index d578452..4f1610f 100644 ---- a/modules/proxy/proxy_util.c -+++ b/modules/proxy/proxy_util.c -@@ -3849,12 +3849,14 @@ PROXY_DECLARE(int) ap_proxy_create_hdrbrgd(apr_pool_t *p, - char **old_cl_val, - char **old_te_val) - { -+ int rc = OK; - conn_rec *c = r->connection; - int counter; - char *buf; -+ apr_table_t *saved_headers_in = r->headers_in; -+ const char *saved_host = apr_table_get(saved_headers_in, "Host"); - const apr_array_header_t *headers_in_array; - const apr_table_entry_t *headers_in; -- apr_table_t *saved_headers_in; - apr_bucket *e; - int do_100_continue; - conn_rec *origin = p_conn->connection; -@@ -3890,6 +3892,52 @@ PROXY_DECLARE(int) ap_proxy_create_hdrbrgd(apr_pool_t *p, - ap_xlate_proto_to_ascii(buf, strlen(buf)); - e = apr_bucket_pool_create(buf, strlen(buf), p, c->bucket_alloc); - APR_BRIGADE_INSERT_TAIL(header_brigade, e); -+ -+ /* -+ * Make a copy on r->headers_in for the request we make to the backend, -+ * modify the copy in place according to our configuration and connection -+ * handling, use it to fill in the forwarded headers' brigade, and finally -+ * restore the saved/original ones in r->headers_in. -+ * -+ * Note: We need to take r->pool for apr_table_copy as the key / value -+ * pairs in r->headers_in have been created out of r->pool and -+ * p might be (and actually is) a longer living pool. -+ * This would trigger the bad pool ancestry abort in apr_table_copy if -+ * apr is compiled with APR_POOL_DEBUG. -+ * -+ * icing: if p indeed lives longer than r->pool, we should allocate -+ * all new header values from r->pool as well and avoid leakage. -+ */ -+ r->headers_in = apr_table_copy(r->pool, saved_headers_in); -+ -+ /* Return the original Transfer-Encoding and/or Content-Length values -+ * then drop the headers, they must be set by the proxy handler based -+ * on the actual body being forwarded. -+ */ -+ if ((*old_te_val = (char *)apr_table_get(r->headers_in, -+ "Transfer-Encoding"))) { -+ apr_table_unset(r->headers_in, "Transfer-Encoding"); -+ } -+ if ((*old_cl_val = (char *)apr_table_get(r->headers_in, -+ "Content-Length"))) { -+ apr_table_unset(r->headers_in, "Content-Length"); -+ } -+ -+ /* Clear out hop-by-hop request headers not to forward */ -+ if (ap_proxy_clear_connection(r, r->headers_in) < 0) { -+ rc = HTTP_BAD_REQUEST; -+ goto cleanup; -+ } -+ -+ /* RFC2616 13.5.1 says we should strip these */ -+ apr_table_unset(r->headers_in, "Keep-Alive"); -+ apr_table_unset(r->headers_in, "Upgrade"); -+ apr_table_unset(r->headers_in, "Trailer"); -+ apr_table_unset(r->headers_in, "TE"); -+ -+ /* We used to send `Host: ` always first, so let's keep it that -+ * way. No telling which legacy backend is relying no this. -+ */ - if (dconf->preserve_host == 0) { - if (ap_strchr_c(uri->hostname, ':')) { /* if literal IPv6 address */ - if (uri->port_str && uri->port != DEFAULT_HTTP_PORT) { -@@ -3911,7 +3959,7 @@ PROXY_DECLARE(int) ap_proxy_create_hdrbrgd(apr_pool_t *p, - /* don't want to use r->hostname, as the incoming header might have a - * port attached - */ -- const char* hostname = apr_table_get(r->headers_in,"Host"); -+ const char* hostname = saved_host; - if (!hostname) { - hostname = r->server->server_hostname; - ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01092) -@@ -3925,22 +3973,8 @@ PROXY_DECLARE(int) ap_proxy_create_hdrbrgd(apr_pool_t *p, - ap_xlate_proto_to_ascii(buf, strlen(buf)); - e = apr_bucket_pool_create(buf, strlen(buf), p, c->bucket_alloc); - APR_BRIGADE_INSERT_TAIL(header_brigade, e); -- -- /* -- * Save the original headers in here and restore them when leaving, since -- * we will apply proxy purpose only modifications (eg. clearing hop-by-hop -- * headers, add Via or X-Forwarded-* or Expect...), whereas the originals -- * will be needed later to prepare the correct response and logging. -- * -- * Note: We need to take r->pool for apr_table_copy as the key / value -- * pairs in r->headers_in have been created out of r->pool and -- * p might be (and actually is) a longer living pool. -- * This would trigger the bad pool ancestry abort in apr_table_copy if -- * apr is compiled with APR_POOL_DEBUG. -- */ -- saved_headers_in = r->headers_in; -- r->headers_in = apr_table_copy(r->pool, saved_headers_in); -- -+ apr_table_unset(r->headers_in, "Host"); -+ - /* handle Via */ - if (conf->viaopt == via_block) { - /* Block all outgoing Via: headers */ -@@ -4006,8 +4040,6 @@ PROXY_DECLARE(int) ap_proxy_create_hdrbrgd(apr_pool_t *p, - */ - if (dconf->add_forwarded_headers) { - if (PROXYREQ_REVERSE == r->proxyreq) { -- const char *buf; -- - /* Add X-Forwarded-For: so that the upstream has a chance to - * determine, where the original request came from. - */ -@@ -4017,8 +4049,9 @@ PROXY_DECLARE(int) ap_proxy_create_hdrbrgd(apr_pool_t *p, - /* Add X-Forwarded-Host: so that upstream knows what the - * original request hostname was. - */ -- if ((buf = apr_table_get(r->headers_in, "Host"))) { -- apr_table_mergen(r->headers_in, "X-Forwarded-Host", buf); -+ if (saved_host) { -+ apr_table_mergen(r->headers_in, "X-Forwarded-Host", -+ saved_host); - } - - /* Add X-Forwarded-Server: so that upstream knows what the -@@ -4029,67 +4062,37 @@ PROXY_DECLARE(int) ap_proxy_create_hdrbrgd(apr_pool_t *p, - r->server->server_hostname); - } - } -+ -+ /* Do we want to strip Proxy-Authorization ? -+ * If we haven't used it, then NO -+ * If we have used it then MAYBE: RFC2616 says we MAY propagate it. -+ * So let's make it configurable by env. -+ */ -+ if (r->user != NULL /* we've authenticated */ -+ && !apr_table_get(r->subprocess_env, "Proxy-Chain-Auth")) { -+ apr_table_unset(r->headers_in, "Proxy-Authorization"); -+ } - -- proxy_run_fixups(r); -- if (ap_proxy_clear_connection(r, r->headers_in) < 0) { -- return HTTP_BAD_REQUEST; -+ /* for sub-requests, ignore freshness/expiry headers */ -+ if (r->main) { -+ apr_table_unset(r->headers_in, "If-Match"); -+ apr_table_unset(r->headers_in, "If-Modified-Since"); -+ apr_table_unset(r->headers_in, "If-Range"); -+ apr_table_unset(r->headers_in, "If-Unmodified-Since"); -+ apr_table_unset(r->headers_in, "If-None-Match"); - } -+ -+ /* run hook to fixup the request we are about to send */ -+ proxy_run_fixups(r); - - /* send request headers */ - headers_in_array = apr_table_elts(r->headers_in); - headers_in = (const apr_table_entry_t *) headers_in_array->elts; - for (counter = 0; counter < headers_in_array->nelts; counter++) { - if (headers_in[counter].key == NULL -- || headers_in[counter].val == NULL -- -- /* Already sent */ -- || !ap_cstr_casecmp(headers_in[counter].key, "Host") -- -- /* Clear out hop-by-hop request headers not to send -- * RFC2616 13.5.1 says we should strip these headers -- */ -- || !ap_cstr_casecmp(headers_in[counter].key, "Keep-Alive") -- || !ap_cstr_casecmp(headers_in[counter].key, "TE") -- || !ap_cstr_casecmp(headers_in[counter].key, "Trailer") -- || !ap_cstr_casecmp(headers_in[counter].key, "Upgrade") -- -- ) { -+ || headers_in[counter].val == NULL) { - continue; - } -- /* Do we want to strip Proxy-Authorization ? -- * If we haven't used it, then NO -- * If we have used it then MAYBE: RFC2616 says we MAY propagate it. -- * So let's make it configurable by env. -- */ -- if (!ap_cstr_casecmp(headers_in[counter].key,"Proxy-Authorization")) { -- if (r->user != NULL) { /* we've authenticated */ -- if (!apr_table_get(r->subprocess_env, "Proxy-Chain-Auth")) { -- continue; -- } -- } -- } -- -- /* Skip Transfer-Encoding and Content-Length for now. -- */ -- if (!ap_cstr_casecmp(headers_in[counter].key, "Transfer-Encoding")) { -- *old_te_val = headers_in[counter].val; -- continue; -- } -- if (!ap_cstr_casecmp(headers_in[counter].key, "Content-Length")) { -- *old_cl_val = headers_in[counter].val; -- continue; -- } -- -- /* for sub-requests, ignore freshness/expiry headers */ -- if (r->main) { -- if ( !ap_cstr_casecmp(headers_in[counter].key, "If-Match") -- || !ap_cstr_casecmp(headers_in[counter].key, "If-Modified-Since") -- || !ap_cstr_casecmp(headers_in[counter].key, "If-Range") -- || !ap_cstr_casecmp(headers_in[counter].key, "If-Unmodified-Since") -- || !ap_cstr_casecmp(headers_in[counter].key, "If-None-Match")) { -- continue; -- } -- } - - buf = apr_pstrcat(p, headers_in[counter].key, ": ", - headers_in[counter].val, CRLF, -@@ -4099,11 +4102,9 @@ PROXY_DECLARE(int) ap_proxy_create_hdrbrgd(apr_pool_t *p, - APR_BRIGADE_INSERT_TAIL(header_brigade, e); - } - -- /* Restore the original headers in (see comment above), -- * we won't modify them anymore. -- */ -+cleanup: - r->headers_in = saved_headers_in; -- return OK; -+ return rc; - } - - PROXY_DECLARE(int) ap_proxy_prefetch_input(request_rec *r, --- -1.8.3.1 - diff --git a/backport-Switch-from-PCRE-to-PCRE2.patch b/backport-Switch-from-PCRE-to-PCRE2.patch deleted file mode 100644 index 5cb4bcb..0000000 --- a/backport-Switch-from-PCRE-to-PCRE2.patch +++ /dev/null @@ -1,313 +0,0 @@ -From 12cfcf08fffc6e4ec597e0396016d09afdb89fa8 Mon Sep 17 00:00:00 2001 -From: wrowe, Petr Pisar -Date: Fri, DEC 9 19:06:06 2016 UTC -Subject: [PATCH] backport Switch from PCRE to PCRE2 - -Conflict:NA -Reference:https://github.com/apache/httpd/commit/12cfcf08fffc6e4ec597e0396016d09afdb89fa8 - ---- - configure.in | 26 +++++----- - server/util_pcre.c | 140 +++++++++++++++++++++++++++++++++++++++-------------- - 2 files changed, 118 insertions(+), 48 deletions(-) - -diff --git a/configure.in b/configure.in -index 916377b..db7edc3 100644 ---- a/configure.in -+++ b/configure.in -@@ -214,29 +214,33 @@ fi - - AC_ARG_WITH(pcre, - APACHE_HELP_STRING(--with-pcre=PATH,Use external PCRE library)) -- --AC_PATH_PROG(PCRE_CONFIG, pcre-config, false) --if test -d "$with_pcre" && test -x "$with_pcre/bin/pcre-config"; then -- PCRE_CONFIG=$with_pcre/bin/pcre-config --elif test -x "$with_pcre"; then -- PCRE_CONFIG=$with_pcre -+if test "x$with_pcre" = "x" || test "$with_pcre" = "yes"; then -+ with_pcre="$PATH" -+else if which $with_pcre 2>/dev/null; then :; else -+ with_pcre="$with_pcre/bin:$with_pcre" -+fi - fi -+AC_CHECK_TARGET_TOOLS(PCRE_CONFIG, [pcre2-config pcre-config], -+ [`which $with_pcre 2>/dev/null`], $with_pcre) - --if test "$PCRE_CONFIG" != "false"; then -+if test "x$PCRE_CONFIG" != "x"; then - if $PCRE_CONFIG --version >/dev/null 2>&1; then :; else -- AC_MSG_ERROR([Did not find pcre-config script at $PCRE_CONFIG]) -+ AC_MSG_ERROR([Did not find working script at $PCRE_CONFIG]) - fi - case `$PCRE_CONFIG --version` in -+ [1[0-9].*]) -+ AC_DEFINE(HAVE_PCRE2, 1, [Detected PCRE2]) -+ ;; - [[1-5].*]) -- AC_MSG_ERROR([Need at least pcre version 6.0]) -+ AC_MSG_ERROR([Need at least pcre version 6.7]) - ;; - esac - AC_MSG_NOTICE([Using external PCRE library from $PCRE_CONFIG]) - APR_ADDTO(PCRE_INCLUDES, [`$PCRE_CONFIG --cflags`]) -- APR_ADDTO(PCRE_LIBS, [`$PCRE_CONFIG --libs`]) -+ APR_ADDTO(PCRE_LIBS, [`$PCRE_CONFIG --libs8 2>/dev/null || $PCRE_CONFIG --libs`]) - APR_ADDTO(HTTPD_LIBS, [\$(PCRE_LIBS)]) - else -- AC_MSG_ERROR([pcre-config for libpcre not found. PCRE is required and available from http://pcre.org/]) -+ AC_MSG_ERROR([pcre(2)-config for libpcre not found. PCRE is required and available from http://pcre.org/]) - fi - APACHE_SUBST(PCRE_LIBS) - -diff --git a/server/util_pcre.c b/server/util_pcre.c -index 78fc983..0fdf5f9 100644 ---- a/server/util_pcre.c -+++ b/server/util_pcre.c -@@ -55,10 +55,18 @@ POSSIBILITY OF SUCH DAMAGE. - #include "httpd.h" - #include "apr_strings.h" - #include "apr_tables.h" -+ -+#ifdef HAVE_PCRE2 -+#define PCRE2_CODE_UNIT_WIDTH 8 -+#include "pcre2.h" -+#define PCREn(x) PCRE2_ ## x -+#else - #include "pcre.h" -+#define PCREn(x) PCRE_ ## x -+#endif - - /* PCRE_DUPNAMES is only present since version 6.7 of PCRE */ --#ifndef PCRE_DUPNAMES -+#if !defined(PCRE_DUPNAMES) && !defined(HAVE_PCRE2) - #error PCRE Version 6.7 or later required! - #else - -@@ -115,7 +123,11 @@ AP_DECLARE(apr_size_t) ap_regerror(int errcode, const ap_regex_t *preg, - - AP_DECLARE(void) ap_regfree(ap_regex_t *preg) - { -+#ifdef HAVE_PCRE2 -+ pcre2_code_free(preg->re_pcre); -+#else - (pcre_free)(preg->re_pcre); -+#endif - } - - -@@ -168,25 +180,37 @@ AP_DECLARE(int) ap_regcomp_default_cflag_by_name(const char *name) - */ - AP_DECLARE(int) ap_regcomp(ap_regex_t * preg, const char *pattern, int cflags) - { -+#ifdef HAVE_PCRE2 -+ uint32_t capcount; -+ size_t erroffset; -+#else - const char *errorptr; - int erroffset; -+#endif - int errcode = 0; -- int options = PCRE_DUPNAMES; -+ int options = PCREn(DUPNAMES); - - if ((cflags & AP_REG_NO_DEFAULT) == 0) - cflags |= default_cflags; - - if ((cflags & AP_REG_ICASE) != 0) -- options |= PCRE_CASELESS; -+ options |= PCREn(CASELESS); - if ((cflags & AP_REG_NEWLINE) != 0) -- options |= PCRE_MULTILINE; -+ options |= PCREn(MULTILINE); - if ((cflags & AP_REG_DOTALL) != 0) -- options |= PCRE_DOTALL; -+ options |= PCREn(DOTALL); - if ((cflags & AP_REG_DOLLAR_ENDONLY) != 0) -- options |= PCRE_DOLLAR_ENDONLY; -+ options |= PCREn(DOLLAR_ENDONLY); -+ -+#ifdef HAVE_PCRE2 -+ preg->re_pcre = pcre2_compile((const unsigned char *)pattern, -+ PCRE2_ZERO_TERMINATED, options, &errcode, -+ &erroffset, NULL); -+#else -+ preg->re_pcre = pcre_compile2(pattern, options, &errcode, -+ &errorptr, &erroffset, NULL); -+#endif - -- preg->re_pcre = -- pcre_compile2(pattern, options, &errcode, &errorptr, &erroffset, NULL); - preg->re_erroffset = erroffset; - - if (preg->re_pcre == NULL) { -@@ -199,8 +223,14 @@ AP_DECLARE(int) ap_regcomp(ap_regex_t * preg, const char *pattern, int cflags) - return AP_REG_INVARG; - } - -+#ifdef HAVE_PCRE2 -+ pcre2_pattern_info((const pcre2_code *)preg->re_pcre, -+ PCRE2_INFO_CAPTURECOUNT, &capcount); -+ preg->re_nsub = capcount; -+#else - pcre_fullinfo((const pcre *)preg->re_pcre, NULL, - PCRE_INFO_CAPTURECOUNT, &(preg->re_nsub)); -+#endif - return 0; - } - -@@ -232,17 +262,29 @@ AP_DECLARE(int) ap_regexec_len(const ap_regex_t *preg, const char *buff, - { - int rc; - int options = 0; -- int *ovector = NULL; -+#ifdef HAVE_PCRE2 -+ pcre2_match_data *matchdata; -+ size_t *ovector; -+#else - int small_ovector[POSIX_MALLOC_THRESHOLD * 3]; - int allocated_ovector = 0; -+ int *ovector = NULL; -+#endif - - if ((eflags & AP_REG_NOTBOL) != 0) -- options |= PCRE_NOTBOL; -+ options |= PCREn(NOTBOL); - if ((eflags & AP_REG_NOTEOL) != 0) -- options |= PCRE_NOTEOL; -- -- ((ap_regex_t *)preg)->re_erroffset = (apr_size_t)(-1); /* Only has meaning after compile */ -- -+ options |= PCREn(NOTEOL); -+ -+#ifdef HAVE_PCRE2 -+ matchdata = pcre2_match_data_create(nmatch, NULL); -+ if (matchdata == NULL) -+ return AP_REG_ESPACE; -+ ovector = pcre2_get_ovector_pointer(matchdata); -+ rc = pcre2_match((const pcre2_code *)preg->re_pcre, -+ (const unsigned char *)buff, len, -+ 0, options, matchdata, NULL); -+#else - if (nmatch > 0) { - if (nmatch <= POSIX_MALLOC_THRESHOLD) { - ovector = &(small_ovector[0]); -@@ -257,49 +299,62 @@ AP_DECLARE(int) ap_regexec_len(const ap_regex_t *preg, const char *buff, - - rc = pcre_exec((const pcre *)preg->re_pcre, NULL, buff, (int)len, - 0, options, ovector, nmatch * 3); -+#endif - - if (rc == 0) - rc = nmatch; /* All captured slots were filled in */ - - if (rc >= 0) { - apr_size_t i; -- for (i = 0; i < (apr_size_t)rc; i++) { -+ apr_size_t nlim = (apr_size_t)rc < nmatch ? (apr_size_t)rc : nmatch; -+ for (i = 0; i < nlim; i++) { - pmatch[i].rm_so = ovector[i * 2]; - pmatch[i].rm_eo = ovector[i * 2 + 1]; - } -- if (allocated_ovector) -- free(ovector); - for (; i < nmatch; i++) - pmatch[i].rm_so = pmatch[i].rm_eo = -1; -+ } -+ -+#ifdef HAVE_PCRE2 -+ pcre2_match_data_free(matchdata); -+#else -+ if (allocated_ovector) -+ free(ovector); -+#endif -+ if (rc >= 0) { - return 0; - } - - else { -- if (allocated_ovector) -- free(ovector); -+#ifdef HAVE_PCRE2 -+ if (rc <= PCRE2_ERROR_UTF8_ERR1 && rc >= PCRE2_ERROR_UTF8_ERR21) -+ return AP_REG_INVARG; -+#endif - switch (rc) { -- case PCRE_ERROR_NOMATCH: -+ case PCREn(ERROR_NOMATCH): - return AP_REG_NOMATCH; -- case PCRE_ERROR_NULL: -+ case PCREn(ERROR_NULL): - return AP_REG_INVARG; -- case PCRE_ERROR_BADOPTION: -+ case PCREn(ERROR_BADOPTION): - return AP_REG_INVARG; -- case PCRE_ERROR_BADMAGIC: -+ case PCREn(ERROR_BADMAGIC): - return AP_REG_INVARG; -- case PCRE_ERROR_UNKNOWN_NODE: -- return AP_REG_ASSERT; -- case PCRE_ERROR_NOMEMORY: -+ case PCREn(ERROR_NOMEMORY): - return AP_REG_ESPACE; --#ifdef PCRE_ERROR_MATCHLIMIT -- case PCRE_ERROR_MATCHLIMIT: -+#if defined(HAVE_PCRE2) || defined(PCRE_ERROR_MATCHLIMIT) -+ case PCREn(ERROR_MATCHLIMIT): - return AP_REG_ESPACE; - #endif --#ifdef PCRE_ERROR_BADUTF8 -- case PCRE_ERROR_BADUTF8: -+#if defined(PCRE_ERROR_UNKNOWN_NODE) -+ case PCRE_ERROR_UNKNOWN_NODE: -+ return AP_REG_ASSERT; -+#endif -+#if defined(PCRE_ERROR_BADUTF8) -+ case PCREn(ERROR_BADUTF8): - return AP_REG_INVARG; - #endif --#ifdef PCRE_ERROR_BADUTF8_OFFSET -- case PCRE_ERROR_BADUTF8_OFFSET: -+#if defined(PCRE_ERROR_BADUTF8_OFFSET) -+ case PCREn(ERROR_BADUTF8_OFFSET): - return AP_REG_INVARG; - #endif - default: -@@ -312,18 +367,29 @@ AP_DECLARE(int) ap_regname(const ap_regex_t *preg, - apr_array_header_t *names, const char *prefix, - int upper) - { -+ char *nametable; -+#ifdef HAVE_PCRE2 -+ uint32_t namecount; -+ uint32_t nameentrysize; -+ uint32_t i; -+ pcre2_pattern_info((const pcre2_code *)preg->re_pcre, -+ PCRE2_INFO_NAMECOUNT, &namecount); -+ pcre2_pattern_info((const pcre2_code *)preg->re_pcre, -+ PCRE2_INFO_NAMEENTRYSIZE, &nameentrysize); -+ pcre2_pattern_info((const pcre2_code *)preg->re_pcre, -+ PCRE2_INFO_NAMETABLE, &nametable); -+#else - int namecount; - int nameentrysize; - int i; -- char *nametable; - - pcre_fullinfo((const pcre *)preg->re_pcre, NULL, -- PCRE_INFO_NAMECOUNT, &namecount); -+ PCRE_INFO_NAMECOUNT, &namecount); - pcre_fullinfo((const pcre *)preg->re_pcre, NULL, -- PCRE_INFO_NAMEENTRYSIZE, &nameentrysize); -+ PCRE_INFO_NAMEENTRYSIZE, &nameentrysize); - pcre_fullinfo((const pcre *)preg->re_pcre, NULL, -- PCRE_INFO_NAMETABLE, &nametable); -- -+ PCRE_INFO_NAMETABLE, &nametable); -+#endif - for (i = 0; i < namecount; i++) { - const char *offset = nametable + i * nameentrysize; - int capture = ((offset[0] << 8) + offset[1]); --- -1.8.3.1 - diff --git a/backport-httpd-2.4.2-icons.patch b/backport-httpd-2.4.2-icons.patch deleted file mode 100644 index 1341999..0000000 --- a/backport-httpd-2.4.2-icons.patch +++ /dev/null @@ -1,26 +0,0 @@ - -- Fix config for /icons/ dir to allow symlink to poweredby.png. -- Avoid using coredump GIF for a directory called "core" - -Upstream-Status: vendor specific patch - ---- httpd-2.4.2/docs/conf/extra/httpd-autoindex.conf.in.icons -+++ httpd-2.4.2/docs/conf/extra/httpd-autoindex.conf.in -@@ -21,7 +21,7 @@ IndexOptions FancyIndexing HTMLTable Ver - Alias /icons/ "@exp_iconsdir@/" - - -- Options Indexes MultiViews -+ Options Indexes MultiViews FollowSymlinks - AllowOverride None - Require all granted - -@@ -53,7 +53,7 @@ AddIcon /icons/dvi.gif .dvi - AddIcon /icons/uuencoded.gif .uu - AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl - AddIcon /icons/tex.gif .tex --AddIcon /icons/bomb.gif core -+AddIcon /icons/bomb.gif core. - - AddIcon /icons/back.gif .. - AddIcon /icons/hand.right.gif README diff --git a/backport-httpd-2.4.25-selinux.patch b/backport-httpd-2.4.25-selinux.patch index fa4614a..0db1e45 100644 --- a/backport-httpd-2.4.25-selinux.patch +++ b/backport-httpd-2.4.25-selinux.patch @@ -1,11 +1,8 @@ - -Log the SELinux context at startup. - -Upstream-Status: unlikely to be any interest in this upstream - ---- httpd-2.4.1/configure.in.selinux -+++ httpd-2.4.1/configure.in -@@ -458,6 +458,11 @@ fopen64 +diff --git a/configure.in b/configure.in +index c5896c1..96cd4a6 100644 +--- a/configure.in ++++ b/configure.in +@@ -508,6 +508,11 @@ getloadavg dnl confirm that a void pointer is large enough to store a long integer APACHE_CHECK_VOID_PTR_LEN @@ -17,9 +14,11 @@ Upstream-Status: unlikely to be any interest in this upstream AC_CACHE_CHECK([for gettid()], ac_cv_gettid, [AC_TRY_RUN(#define _GNU_SOURCE #include ---- httpd-2.4.1/server/core.c.selinux -+++ httpd-2.4.1/server/core.c -@@ -58,6 +58,10 @@ +diff --git a/server/core.c b/server/core.c +index 4da7209..515047b 100644 +--- a/server/core.c ++++ b/server/core.c +@@ -65,6 +65,10 @@ #include #endif @@ -29,8 +28,8 @@ Upstream-Status: unlikely to be any interest in this upstream + /* LimitRequestBody handling */ #define AP_LIMIT_REQ_BODY_UNSET ((apr_off_t) -1) - #define AP_DEFAULT_LIMIT_REQ_BODY ((apr_off_t) 0) -@@ -4452,6 +4456,28 @@ static int core_post_config(apr_pool_t * + #define AP_DEFAULT_LIMIT_REQ_BODY ((apr_off_t) 1<<30) /* 1GB */ +@@ -5126,6 +5130,28 @@ static int core_post_config(apr_pool_t *pconf, apr_pool_t *plog, apr_pool_t *pte } #endif @@ -59,3 +58,6 @@ Upstream-Status: unlikely to be any interest in this upstream return OK; } +-- +2.27.0 + diff --git a/backport-httpd-2.4.33-export.patch b/backport-httpd-2.4.33-export.patch deleted file mode 100644 index 9adf398..0000000 --- a/backport-httpd-2.4.33-export.patch +++ /dev/null @@ -1,20 +0,0 @@ - -There is no need to "suck in" the apr/apr-util symbols when using -a shared libapr{,util}, it just bloats the symbol table; so don't. - -Upstream-HEAD: needed -Upstream-2.0: omit -Upstream-Status: EXPORT_DIRS change is conditional on using shared apr - ---- httpd-2.4.33/server/Makefile.in.export -+++ httpd-2.4.33/server/Makefile.in -@@ -60,9 +60,6 @@ - ls $$dir/*.h ; \ - done; \ - echo "$(top_srcdir)/server/mpm_fdqueue.h"; \ -- for dir in $(EXPORT_DIRS_APR); do \ -- ls $$dir/ap[ru].h $$dir/ap[ru]_*.h 2>/dev/null; \ -- done; \ - ) | sed -e s,//,/,g | sort -u > $@ - - exports.c: export_files diff --git a/backport-httpd-2.4.34-sslprotdefault.patch b/backport-httpd-2.4.34-sslprotdefault.patch deleted file mode 100644 index 65f8d40..0000000 --- a/backport-httpd-2.4.34-sslprotdefault.patch +++ /dev/null @@ -1,53 +0,0 @@ - -https://bugzilla.redhat.com/show_bug.cgi?id=1618371 - ---- httpd-2.4.34/modules/ssl/ssl_engine_config.c.sslprotdefault -+++ httpd-2.4.34/modules/ssl/ssl_engine_config.c -@@ -119,7 +119,7 @@ - mctx->ticket_key = NULL; - #endif - -- mctx->protocol = SSL_PROTOCOL_DEFAULT; -+ mctx->protocol = SSL_PROTOCOL_NONE; - mctx->protocol_set = 0; - - mctx->pphrase_dialog_type = SSL_PPTYPE_UNSET; ---- httpd-2.4.34/modules/ssl/ssl_engine_init.c.sslprotdefault -+++ httpd-2.4.34/modules/ssl/ssl_engine_init.c -@@ -555,9 +555,8 @@ - * Create the new per-server SSL context - */ - if (protocol == SSL_PROTOCOL_NONE) { -- ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02231) -- "No SSL protocols available [hint: SSLProtocol]"); -- return ssl_die(s); -+ ap_log_error(APLOG_MARK, APLOG_TRACE3, 0, s, -+ "Using OpenSSL/system default SSL/TLS protocols"); - } - - cp = apr_pstrcat(p, -@@ -673,14 +672,8 @@ - } else if (protocol & SSL_PROTOCOL_SSLV3) { - prot = SSL3_VERSION; - #endif -- } else { -- SSL_CTX_free(ctx); -- mctx->ssl_ctx = NULL; -- ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(03378) -- "No SSL protocols available [hint: SSLProtocol]"); -- return ssl_die(s); - } -- SSL_CTX_set_max_proto_version(ctx, prot); -+ if (protocol != SSL_PROTOCOL_NONE) SSL_CTX_set_max_proto_version(ctx, prot); - - /* Next we scan for the minimal protocol version we should provide, - * but we do not allow holes between max and min */ -@@ -700,7 +693,7 @@ - prot = SSL3_VERSION; - } - #endif -- SSL_CTX_set_min_proto_version(ctx, prot); -+ if (protocol != SSL_PROTOCOL_NONE) SSL_CTX_set_min_proto_version(ctx, prot); - #endif /* if OPENSSL_VERSION_NUMBER < 0x10100000L */ - - #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE diff --git a/backport-httpd-2.4.4-cachehardmax.patch b/backport-httpd-2.4.43-cachehardmax.patch similarity index 86% rename from backport-httpd-2.4.4-cachehardmax.patch rename to backport-httpd-2.4.43-cachehardmax.patch index de360ce..755f822 100644 --- a/backport-httpd-2.4.4-cachehardmax.patch +++ b/backport-httpd-2.4.43-cachehardmax.patch @@ -1,8 +1,8 @@ diff --git a/modules/cache/cache_util.h b/modules/cache/cache_util.h -index eec38f3..1a2d5ee 100644 +index 6b92151..4c42a8e 100644 --- a/modules/cache/cache_util.h +++ b/modules/cache/cache_util.h -@@ -194,6 +194,9 @@ typedef struct { +@@ -195,6 +195,9 @@ typedef struct { unsigned int store_nostore_set:1; unsigned int enable_set:1; unsigned int disable_set:1; @@ -13,10 +13,10 @@ index eec38f3..1a2d5ee 100644 /* A linked-list of authn providers. */ diff --git a/modules/cache/mod_cache.c b/modules/cache/mod_cache.c -index 4f2d3e0..30c88f4 100644 +index 3b9aa4f..8268503 100644 --- a/modules/cache/mod_cache.c +++ b/modules/cache/mod_cache.c -@@ -1299,6 +1299,11 @@ static apr_status_t cache_save_filter(ap_filter_t *f, apr_bucket_brigade *in) +@@ -1455,6 +1455,11 @@ static apr_status_t cache_save_filter(ap_filter_t *f, apr_bucket_brigade *in) exp = date + dconf->defex; } } @@ -28,7 +28,7 @@ index 4f2d3e0..30c88f4 100644 info->expire = exp; /* We found a stale entry which wasn't really stale. */ -@@ -1717,7 +1722,9 @@ static void *create_dir_config(apr_pool_t *p, char *dummy) +@@ -1954,7 +1959,9 @@ static void *create_dir_config(apr_pool_t *p, char *dummy) /* array of providers for this URL space */ dconf->cacheenable = apr_array_make(p, 10, sizeof(struct cache_enable)); @@ -39,7 +39,7 @@ index 4f2d3e0..30c88f4 100644 return dconf; } -@@ -1767,7 +1774,10 @@ static void *merge_dir_config(apr_pool_t *p, void *basev, void *addv) { +@@ -2004,7 +2011,10 @@ static void *merge_dir_config(apr_pool_t *p, void *basev, void *addv) { new->enable_set = add->enable_set || base->enable_set; new->disable = (add->disable_set == 0) ? base->disable : add->disable; new->disable_set = add->disable_set || base->disable_set; @@ -51,7 +51,7 @@ index 4f2d3e0..30c88f4 100644 return new; } -@@ -2096,12 +2106,18 @@ static const char *add_cache_disable(cmd_parms *parms, void *dummy, +@@ -2332,12 +2342,18 @@ static const char *add_cache_disable(cmd_parms *parms, void *dummy, } static const char *set_cache_maxex(cmd_parms *parms, void *dummy, @@ -71,7 +71,7 @@ index 4f2d3e0..30c88f4 100644 return NULL; } -@@ -2309,7 +2325,7 @@ static const command_rec cache_cmds[] = +@@ -2545,7 +2561,7 @@ static const command_rec cache_cmds[] = "caching is enabled"), AP_INIT_TAKE1("CacheDisable", add_cache_disable, NULL, RSRC_CONF|ACCESS_CONF, "A partial URL prefix below which caching is disabled"), diff --git a/backport-httpd-2.4.1-corelimit.patch b/backport-httpd-2.4.43-corelimit.patch similarity index 72% rename from backport-httpd-2.4.1-corelimit.patch rename to backport-httpd-2.4.43-corelimit.patch index 96f8486..48267a9 100644 --- a/backport-httpd-2.4.1-corelimit.patch +++ b/backport-httpd-2.4.43-corelimit.patch @@ -1,13 +1,8 @@ - -Bump up the core size limit if CoreDumpDirectory is -configured. - -Upstream-Status: Was discussed but there are competing desires; - there are portability oddities here too. - ---- httpd-2.4.1/server/core.c.corelimit -+++ httpd-2.4.1/server/core.c -@@ -4433,6 +4433,25 @@ static int core_post_config(apr_pool_t * +diff --git a/server/core.c b/server/core.c +index 79b2a82..dc0f17a 100644 +--- a/server/core.c ++++ b/server/core.c +@@ -4996,6 +4996,25 @@ static int core_post_config(apr_pool_t *pconf, apr_pool_t *plog, apr_pool_t *pte } apr_pool_cleanup_register(pconf, NULL, ap_mpm_end_gen_helper, apr_pool_cleanup_null); @@ -32,4 +27,3 @@ Upstream-Status: Was discussed but there are competing desires; + return OK; } - diff --git a/backport-httpd-2.4.34-enable-sslv3.patch b/backport-httpd-2.4.43-enable-sslv3.patch similarity index 87% rename from backport-httpd-2.4.34-enable-sslv3.patch rename to backport-httpd-2.4.43-enable-sslv3.patch index 6de40a5..2861605 100644 --- a/backport-httpd-2.4.34-enable-sslv3.patch +++ b/backport-httpd-2.4.43-enable-sslv3.patch @@ -1,23 +1,23 @@ diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c -index 517ce30..075f7e1 100644 +index 979489c..3d6443b 100644 --- a/modules/ssl/ssl_engine_config.c +++ b/modules/ssl/ssl_engine_config.c -@@ -1474,6 +1474,10 @@ static const char *ssl_cmd_protocol_parse(cmd_parms *parms, +@@ -1485,6 +1485,10 @@ static const char *ssl_cmd_protocol_parse(cmd_parms *parms, #endif else if (strcEQ(w, "all")) { thisopt = SSL_PROTOCOL_ALL; +#ifndef OPENSSL_NO_SSL3 -+ // by default, ALL kw doesn't turn on SSLv3 ++ /* by default, ALL kw doesn't turn on SSLv3 */ + thisopt &= ~SSL_PROTOCOL_SSLV3; +#endif } else { return apr_pstrcat(parms->temp_pool, diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c -index 60df45f..f6645c2 100644 +index b0fcf81..ab6f263 100644 --- a/modules/ssl/ssl_engine_init.c +++ b/modules/ssl/ssl_engine_init.c -@@ -537,6 +537,28 @@ static apr_status_t ssl_init_ctx_tls_extensions(server_rec *s, +@@ -568,6 +568,28 @@ static apr_status_t ssl_init_ctx_tls_extensions(server_rec *s, } #endif @@ -46,7 +46,7 @@ index 60df45f..f6645c2 100644 static apr_status_t ssl_init_ctx_protocol(server_rec *s, apr_pool_t *p, apr_pool_t *ptemp, -@@ -695,9 +719,13 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s, +@@ -735,9 +757,13 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s, } if (prot == TLS1_1_VERSION && protocol & SSL_PROTOCOL_TLSV1) { prot = TLS1_VERSION; diff --git a/backport-httpd-2.4.17-socket-activation.patch b/backport-httpd-2.4.43-socket-activation.patch similarity index 99% rename from backport-httpd-2.4.17-socket-activation.patch rename to backport-httpd-2.4.43-socket-activation.patch index dbdd80c..dd875c6 100644 --- a/backport-httpd-2.4.17-socket-activation.patch +++ b/backport-httpd-2.4.43-socket-activation.patch @@ -1,5 +1,5 @@ diff --git a/server/listen.c b/server/listen.c -index a8e9e6f..1a6c1d3 100644 +index 5242c2a..e2e028a 100644 --- a/server/listen.c +++ b/server/listen.c @@ -34,6 +34,10 @@ @@ -297,4 +297,3 @@ index a8e9e6f..1a6c1d3 100644 + return alloc_listener(cmd->server->process, host, port, proto, NULL); } - diff --git a/backport-httpd-2.4.34-sslciphdefault.patch b/backport-httpd-2.4.43-sslciphdefault.patch similarity index 75% rename from backport-httpd-2.4.34-sslciphdefault.patch rename to backport-httpd-2.4.43-sslciphdefault.patch index 6060f24..85ae568 100644 --- a/backport-httpd-2.4.34-sslciphdefault.patch +++ b/backport-httpd-2.4.43-sslciphdefault.patch @@ -1,11 +1,8 @@ - -https://bugzilla.redhat.com/show_bug.cgi?id=1109119 - -Don't prepend !aNULL etc if PROFILE= is used with SSLCipherSuite. - ---- httpd-2.4.34/modules/ssl/ssl_engine_config.c.sslciphdefault -+++ httpd-2.4.34/modules/ssl/ssl_engine_config.c -@@ -774,9 +774,11 @@ +diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c +index 97778a8..27e7a53 100644 +--- a/modules/ssl/ssl_engine_config.c ++++ b/modules/ssl/ssl_engine_config.c +@@ -778,9 +778,11 @@ const char *ssl_cmd_SSLCipherSuite(cmd_parms *cmd, } if (!strcmp("SSL", arg1)) { @@ -19,7 +16,7 @@ Don't prepend !aNULL etc if PROFILE= is used with SSLCipherSuite. dc->szCipherSuite = arg2; } else { -@@ -1540,8 +1542,10 @@ +@@ -1544,8 +1546,10 @@ const char *ssl_cmd_SSLProxyCipherSuite(cmd_parms *cmd, } if (!strcmp("SSL", arg1)) { diff --git a/backport-httpd-2.4.43-sslprotdefault.patch b/backport-httpd-2.4.43-sslprotdefault.patch new file mode 100644 index 0000000..b9ca049 --- /dev/null +++ b/backport-httpd-2.4.43-sslprotdefault.patch @@ -0,0 +1,99 @@ +diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c +index 27e7a53..b53f3f8 100644 +--- a/modules/ssl/ssl_engine_config.c ++++ b/modules/ssl/ssl_engine_config.c +@@ -119,7 +119,7 @@ static void modssl_ctx_init(modssl_ctx_t *mctx, apr_pool_t *p) + mctx->ticket_key = NULL; + #endif + +- mctx->protocol = SSL_PROTOCOL_DEFAULT; ++ mctx->protocol = SSL_PROTOCOL_NONE; + mctx->protocol_set = 0; + + mctx->pphrase_dialog_type = SSL_PPTYPE_UNSET; +@@ -263,6 +263,7 @@ static void modssl_ctx_cfg_merge(apr_pool_t *p, + if (add->protocol_set) { + mrg->protocol_set = 1; + mrg->protocol = add->protocol; ++ mrg->protocol_set = 1; + } + else { + mrg->protocol_set = base->protocol_set; + +diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c +index bfad47a..b0fcf81 100644 +--- a/modules/ssl/ssl_engine_init.c ++++ b/modules/ssl/ssl_engine_init.c +@@ -577,6 +577,7 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s, + MODSSL_SSL_METHOD_CONST SSL_METHOD *method = NULL; + char *cp; + int protocol = mctx->protocol; ++ int protocol_set = mctx->protocol_set; + SSLSrvConfigRec *sc = mySrvConfig(s); + #if OPENSSL_VERSION_NUMBER >= 0x10100000L + int prot; +@@ -586,12 +587,18 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s, + * Create the new per-server SSL context + */ + if (protocol == SSL_PROTOCOL_NONE) { +- ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02231) +- "No SSL protocols available [hint: SSLProtocol]"); +- return ssl_die(s); +- } ++ if (protocol_set) { ++ ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02231) ++ "No SSL protocols available [hint: SSLProtocol]"); ++ return ssl_die(s); ++ } + +- cp = apr_pstrcat(p, ++ ap_log_error(APLOG_MARK, APLOG_TRACE3, 0, s, ++ "Using OpenSSL/system default SSL/TLS protocols"); ++ cp = "default"; ++ } ++ else { ++ cp = apr_pstrcat(p, + #ifndef OPENSSL_NO_SSL3 + (protocol & SSL_PROTOCOL_SSLV3 ? "SSLv3, " : ""), + #endif +@@ -604,7 +611,8 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s, + #endif + #endif + NULL); +- cp[strlen(cp)-2] = NUL; ++ cp[strlen(cp)-2] = NUL; ++ } + + ap_log_error(APLOG_MARK, APLOG_TRACE3, 0, s, + "Creating new SSL context (protocols: %s)", cp); +@@ -705,13 +713,15 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s, + prot = SSL3_VERSION; + #endif + } else { +- SSL_CTX_free(ctx); +- mctx->ssl_ctx = NULL; +- ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(03378) +- "No SSL protocols available [hint: SSLProtocol]"); +- return ssl_die(s); ++ if (protocol_set) { ++ SSL_CTX_free(ctx); ++ mctx->ssl_ctx = NULL; ++ ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(03378) ++ "No SSL protocols available [hint: SSLProtocol]"); ++ return ssl_die(s); ++ } + } +- SSL_CTX_set_max_proto_version(ctx, prot); ++ if (protocol != SSL_PROTOCOL_NONE) SSL_CTX_set_max_proto_version(ctx, prot); + + /* Next we scan for the minimal protocol version we should provide, + * but we do not allow holes between max and min */ +@@ -731,7 +741,7 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s, + prot = SSL3_VERSION; + } + #endif +- SSL_CTX_set_min_proto_version(ctx, prot); ++ if (protocol != SSL_PROTOCOL_NONE) SSL_CTX_set_min_proto_version(ctx, prot); + #endif /* if OPENSSL_VERSION_NUMBER < 0x10100000L */ + + #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE diff --git a/backport-httpd-2.4.43-detect-systemd.patch b/backport-httpd-2.4.53-detect-systemd.patch similarity index 76% rename from backport-httpd-2.4.43-detect-systemd.patch rename to backport-httpd-2.4.53-detect-systemd.patch index 540687f..d501b06 100644 --- a/backport-httpd-2.4.43-detect-systemd.patch +++ b/backport-httpd-2.4.53-detect-systemd.patch @@ -1,5 +1,5 @@ diff --git a/Makefile.in b/Makefile.in -index 0b088ac..9eeb5c7 100644 +index a2e9c82..bd8045c 100644 --- a/Makefile.in +++ b/Makefile.in @@ -4,7 +4,7 @@ CLEAN_SUBDIRS = test @@ -12,10 +12,10 @@ index 0b088ac..9eeb5c7 100644 PROGRAM_DEPENDENCIES = \ server/libmain.la \ diff --git a/acinclude.m4 b/acinclude.m4 -index 2a7e5d1..eb28321 100644 +index 97484c9..05abe18 100644 --- a/acinclude.m4 +++ b/acinclude.m4 -@@ -624,6 +624,7 @@ case $host in +@@ -631,6 +631,7 @@ case $host in if test "${ac_cv_header_systemd_sd_daemon_h}" = "no" || test -z "${SYSTEMD_LIBS}"; then AC_MSG_WARN([Your system does not support systemd.]) else @@ -24,18 +24,18 @@ index 2a7e5d1..eb28321 100644 fi fi diff --git a/configure.in b/configure.in -index 3618a5a..74a782b 100644 +index cf437fe..521fc45 100644 --- a/configure.in +++ b/configure.in -@@ -234,6 +234,7 @@ if test "$PCRE_CONFIG" != "false"; then +@@ -239,6 +239,7 @@ if test "x$PCRE_CONFIG" != "x"; then AC_MSG_NOTICE([Using external PCRE library from $PCRE_CONFIG]) APR_ADDTO(PCRE_INCLUDES, [`$PCRE_CONFIG --cflags`]) - APR_ADDTO(PCRE_LIBS, [`$PCRE_CONFIG --libs`]) + APR_ADDTO(PCRE_LIBS, [`$PCRE_CONFIG --libs8 2>/dev/null || $PCRE_CONFIG --libs`]) + APR_ADDTO(HTTPD_LIBS, [\$(PCRE_LIBS)]) else - AC_MSG_ERROR([pcre-config for libpcre not found. PCRE is required and available from http://pcre.org/]) + AC_MSG_ERROR([pcre(2)-config for libpcre not found. PCRE is required and available from http://pcre.org/]) fi -@@ -710,6 +711,7 @@ APACHE_SUBST(OS_DIR) +@@ -734,6 +735,7 @@ APACHE_SUBST(OS_DIR) APACHE_SUBST(BUILTIN_LIBS) APACHE_SUBST(SHLIBPATH_VAR) APACHE_SUBST(OS_SPECIFIC_VARS) diff --git a/backport-httpd-2.4.53-export.patch b/backport-httpd-2.4.53-export.patch new file mode 100644 index 0000000..d240360 --- /dev/null +++ b/backport-httpd-2.4.53-export.patch @@ -0,0 +1,56 @@ +diff --git a/Makefile.in b/Makefile.in +index bd8045c..d6733a5 100644 +--- a/Makefile.in ++++ b/Makefile.in +@@ -4,8 +4,15 @@ CLEAN_SUBDIRS = test + + PROGRAM_NAME = $(progname) + PROGRAM_SOURCES = modules.c +-PROGRAM_LDADD = buildmark.o $(HTTPD_LDFLAGS) $(PROGRAM_DEPENDENCIES) $(HTTPD_LIBS) $(EXTRA_LIBS) $(AP_LIBS) $(LIBS) ++PROGRAM_LDADD = buildmark.o $(HTTPD_LDFLAGS) \ ++ $(PROGRAM_LDDEPS) \ ++ $(HTTPD_LIBS) $(EXTRA_LIBS) $(AP_LIBS) $(LIBS) + PROGRAM_PRELINK = $(COMPILE) -c $(top_srcdir)/server/buildmark.c ++PROGRAM_LDDEPS = \ ++ $(BUILTIN_LIBS) \ ++ $(MPM_LIB) \ ++ -Wl,--whole-archive,server/.libs/libmain.a,--no-whole-archive \ ++ os/$(OS_DIR)/libos.la + PROGRAM_DEPENDENCIES = \ + server/libmain.la \ + $(BUILTIN_LIBS) \ +diff --git a/server/Makefile.in b/server/Makefile.in +index 8111877..f00bb3f 100644 +--- a/server/Makefile.in ++++ b/server/Makefile.in +@@ -12,7 +12,7 @@ LTLIBRARY_SOURCES = \ + connection.c listen.c util_mutex.c \ + mpm_common.c mpm_unix.c mpm_fdqueue.c \ + util_charset.c util_cookies.c util_debug.c util_xml.c \ +- util_filter.c util_pcre.c util_regex.c exports.c \ ++ util_filter.c util_pcre.c util_regex.c \ + scoreboard.c error_bucket.c protocol.c core.c request.c ssl.c provider.c \ + eoc_bucket.c eor_bucket.c core_filters.c \ + util_expr_parse.c util_expr_scan.c util_expr_eval.c +diff --git a/server/main.c b/server/main.c +index 7da7aa2..e63d2eb 100644 +--- a/server/main.c ++++ b/server/main.c +@@ -857,17 +857,3 @@ int main(int argc, const char * const argv[]) + return !OK; + } + +-#ifdef AP_USING_AUTOCONF +-/* This ugly little hack pulls any function referenced in exports.c into +- * the web server. exports.c is generated during the build, and it +- * has all of the APR functions specified by the apr/apr.exports and +- * apr-util/aprutil.exports files. +- */ +-const void *ap_suck_in_APR(void); +-const void *ap_suck_in_APR(void) +-{ +- extern const void *ap_ugly_hack; +- +- return ap_ugly_hack; +-} +-#endif diff --git a/backport-httpd-2.4.54-icons.patch b/backport-httpd-2.4.54-icons.patch new file mode 100644 index 0000000..efc0c4d --- /dev/null +++ b/backport-httpd-2.4.54-icons.patch @@ -0,0 +1,49 @@ +diff --git a/docs/conf/extra/httpd-autoindex.conf.in b/docs/conf/extra/httpd-autoindex.conf.in +index 51b02ed..93a2b87 100644 +--- a/docs/conf/extra/httpd-autoindex.conf.in ++++ b/docs/conf/extra/httpd-autoindex.conf.in +@@ -21,7 +21,7 @@ IndexOptions FancyIndexing HTMLTable VersionSort + Alias /icons/ "@exp_iconsdir@/" + + +- Options Indexes MultiViews ++ Options Indexes MultiViews FollowSymlinks + AllowOverride None + Require all granted + +@@ -37,6 +37,7 @@ AddIconByType (TXT,/icons/text.gif) text/* + AddIconByType (IMG,/icons/image2.gif) image/* + AddIconByType (SND,/icons/sound2.gif) audio/* + AddIconByType (VID,/icons/movie.gif) video/* ++AddIconByType /icons/bomb.gif application/x-coredump + + AddIcon /icons/binary.gif .bin .exe + AddIcon /icons/binhex.gif .hqx +@@ -53,7 +54,6 @@ AddIcon /icons/dvi.gif .dvi + AddIcon /icons/uuencoded.gif .uu + AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl + AddIcon /icons/tex.gif .tex +-AddIcon /icons/bomb.gif core + + AddIcon /icons/back.gif .. + AddIcon /icons/hand.right.gif README +diff --git a/docs/conf/magic b/docs/conf/magic +index bc891d9..9a41b44 100644 +--- a/docs/conf/magic ++++ b/docs/conf/magic +@@ -383,3 +383,15 @@ + 4 string moov video/quicktime + 4 string mdat video/quicktime + ++ ++#------------------------------------------------------------------------------ ++# application/x-coredump for LE/BE ELF ++# ++0 string \177ELF ++>5 byte 1 ++>16 leshort 4 application/x-coredump ++ ++0 string \177ELF ++>5 byte 2 ++>16 beshort 4 application/x-coredump ++ diff --git a/httpd-2.4.51.tar.bz2 b/httpd-2.4.51.tar.bz2 deleted file mode 100644 index 352555a..0000000 Binary files a/httpd-2.4.51.tar.bz2 and /dev/null differ diff --git a/httpd-2.4.55.tar.bz2 b/httpd-2.4.55.tar.bz2 new file mode 100644 index 0000000..c4b735c Binary files /dev/null and b/httpd-2.4.55.tar.bz2 differ diff --git a/httpd.spec b/httpd.spec index 953bea4..f7ea8ff 100644 --- a/httpd.spec +++ b/httpd.spec @@ -7,8 +7,8 @@ Name: httpd Summary: Apache HTTP Server -Version: 2.4.51 -Release: 9 +Version: 2.4.55 +Release: 1 License: ASL 2.0 URL: https://httpd.apache.org/ Source0: https://archive.apache.org/dist/httpd/httpd-%{version}.tar.bz2 @@ -54,38 +54,21 @@ Patch0: backport-httpd-2.4.1-apctl.patch Patch1: backport-httpd-2.4.9-apxs.patch Patch2: backport-httpd-2.4.1-deplibs.patch Patch3: backport-httpd-2.4.3-apctl-systemd.patch -Patch4: backport-httpd-2.4.43-detect-systemd.patch -Patch5: backport-httpd-2.4.33-export.patch -Patch6: backport-httpd-2.4.1-corelimit.patch +Patch4: backport-httpd-2.4.53-detect-systemd.patch +Patch5: backport-httpd-2.4.53-export.patch +Patch6: backport-httpd-2.4.43-corelimit.patch Patch7: backport-httpd-2.4.25-selinux.patch -Patch8: backport-httpd-2.4.2-icons.patch -Patch9: backport-httpd-2.4.4-cachehardmax.patch -Patch10: backport-httpd-2.4.17-socket-activation.patch -Patch11: backport-httpd-2.4.34-sslciphdefault.patch -Patch12: backport-httpd-2.4.34-sslprotdefault.patch -Patch13: backport-httpd-2.4.34-enable-sslv3.patch +Patch8: backport-httpd-2.4.54-icons.patch +Patch9: backport-httpd-2.4.43-cachehardmax.patch +Patch10: backport-httpd-2.4.43-socket-activation.patch +Patch11: backport-httpd-2.4.43-sslciphdefault.patch +Patch12: backport-httpd-2.4.43-sslprotdefault.patch +Patch13: backport-httpd-2.4.43-enable-sslv3.patch Patch14: backport-layout_add_openEuler.patch Patch15: backport-httpd-2.4.43-gettid.patch Patch16: backport-httpd-2.4.43-r1861793+.patch Patch17: backport-httpd-2.4.48-r1828172+.patch Patch18: backport-httpd-2.4.46-htcacheclean-dont-break.patch -Patch19: backport-CVE-2022-22719.patch -Patch20: backport-CVE-2022-22720.patch -Patch21: backport-CVE-2022-22721.patch -Patch22: backport-001-CVE-2022-23943.patch -Patch23: backport-002-CVE-2022-23943.patch -Patch24: backport-CVE-2021-44790.patch -Patch25: backport-001-CVE-2021-44224.patch -Patch26: backport-002-CVE-2021-44224.patch -Patch27: backport-CVE-2022-28615.patch -Patch28: backport-CVE-2022-31813.patch -Patch29: backport-CVE-2022-28614.patch -Patch30: backport-CVE-2022-29404.patch -Patch31: backport-CVE-2022-26377.patch -Patch32: backport-CVE-2022-30522.patch -Patch33: backport-CVE-2022-30556.patch -Patch34: backport-Switch-from-PCRE-to-PCRE2.patch -Patch35: backport-CVE-2022-28330.patch BuildRequires: gcc autoconf pkgconfig findutils xmlto perl-interpreter perl-generators systemd-devel BuildRequires: zlib-devel libselinux-devel lua-devel brotli-devel @@ -518,6 +501,12 @@ exit $rv %{_rpmconfigdir}/macros.d/macros.httpd %changelog +* Wed Feb 1 2023 chengyechun - 2.4.55-1 +- Type:enhancement +- ID:NA +- SUG:restart +- DESC:update to httpd-2.4.55 + * Thu Dec 15 2022 chengyechun - 2.4.51-9 - Type:bugfix - ID: