packages/httpd
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

update to httpd-2.4.55

Browse Source
This commit is contained in:
chengyechun 2023-02-01 18:04:51 +08:00
parent 7957bd91cb
commit 20b80f986a
33 changed files with 270 additions and 2864 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

275
backport-001-CVE-2021-44224.patch
View File

@ -1,275 +0,0 @@
From a962ba73047b5478d702c8ad09fd1a167e1d3736 Mon Sep 17 00:00:00 2001
From: Yann Ylavic <ylavic@apache.org>
Date: Tue, 14 Dec 2021 15:35:56 +0000
Subject: [PATCH] Merge r1895914, r1895921 from trunk:
*) http: Enforce that fully qualified uri-paths not to be forward-proxied
have an http(s) scheme, and that the ones to be forward proxied have a
hostname, per HTTP specifications.
trunk patch: http://svn.apache.org/r1895914
http://svn.apache.org/r1895921
2.4.x patch: https://patch-diff.githubusercontent.com/raw/apache/httpd/pull/286.patch
backport PR: https://github.com/apache/httpd/pull/286
+1: ylavic, minfrin, gbechis
mod_proxy: Detect unix: scheme syntax errors at load time.
* modules/proxy/mod_proxy.c(add_pass, add_member, set_proxy_param,
proxysection):
Check return value of ap_proxy_de_socketfy().
* modules/proxy/proxy_util.c(ap_proxy_get_worker_ex):
Check return value of ap_proxy_de_socketfy().
http: Enforce that fully qualified uri-paths not to be forward-proxied
have an http(s) scheme, and that the ones to be forward proxied have a
hostname, per HTTP specifications.
The early checks avoid failing the request later on and thus save cycles
for those invalid cases.
Submitted by: ylavic
Reviewed by: ylavic, minfrin, gbechis
Closes #286
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1895955 13f79535-47bb-0310-9956-ffa450edef68
---
include/ap_mmn.h | 3 ++-
include/http_protocol.h | 7 ++++++
modules/http/http_request.c | 2 +-
modules/http2/h2_request.c | 2 +-
modules/proxy/mod_proxy.c | 44 ++++++++++++++++++++++++++-----------
modules/proxy/proxy_util.c | 3 +++
server/protocol.c | 23 ++++++++++++++++++-
7 files changed, 71 insertions(+), 17 deletions(-)
diff --git a/include/ap_mmn.h b/include/ap_mmn.h
index fe24261ee87..90ff1a86a6f 100644
--- a/include/ap_mmn.h
+++ b/include/ap_mmn.h
@@ -586,6 +586,7 @@
* 20120211.117 (2.4.50-dev) Add ap_pre_connection
* 20120211.118 (2.4.51-dev) Add ap_unescape_url_ex() and deprecate
* AP_NORMALIZE_DROP_PARAMETERS
+ * 20120211.121 (2.4.51-dev) Add ap_post_read_request()
*
*/
diff --git a/include/http_protocol.h b/include/http_protocol.h
index 9ccac893fcb..20bd2022266 100644
--- a/include/http_protocol.h
+++ b/include/http_protocol.h
@@ -96,6 +96,13 @@ AP_DECLARE(void) ap_get_mime_headers(request_rec *r);
AP_DECLARE(void) ap_get_mime_headers_core(request_rec *r,
apr_bucket_brigade *bb);
+/**
+ * Run post_read_request hook and validate.
+ * @param r The current request
+ * @return OK or HTTP_...
+ */
+AP_DECLARE(int) ap_post_read_request(request_rec *r);
+
/* Finish up stuff after a request */
/**
diff --git a/modules/http/http_request.c b/modules/http/http_request.c
index c9ae5af2864..d59cfe25999 100644
--- a/modules/http/http_request.c
+++ b/modules/http/http_request.c
@@ -680,7 +680,7 @@ static request_rec *internal_internal_redirect(const char *new_uri,
* to do their thing on internal redirects as well. Perhaps this is a
* misnamed function.
*/
- if ((access_status = ap_run_post_read_request(new))) {
+ if ((access_status = ap_post_read_request(new))) {
ap_die(access_status, new);
return NULL;
}
diff --git a/modules/http2/h2_request.c b/modules/http2/h2_request.c
index 7c4fb95ea48..9ff6feb675f 100644
--- a/modules/http2/h2_request.c
+++ b/modules/http2/h2_request.c
@@ -370,7 +370,7 @@ request_rec *h2_request_create_rec(const h2_request *req, conn_rec *c)
ap_add_input_filter_handle(ap_http_input_filter_handle,
NULL, r, r->connection);
- if ((access_status = ap_run_post_read_request(r))) {
+ if ((access_status = ap_post_read_request(r))) {
/* Request check post hooks failed. An example of this would be a
* request for a vhost where h2 is disabled --> 421.
*/
diff --git a/modules/proxy/mod_proxy.c b/modules/proxy/mod_proxy.c
index 3fb84c85935..85d7ce2e6c1 100644
--- a/modules/proxy/mod_proxy.c
+++ b/modules/proxy/mod_proxy.c
@@ -775,13 +775,13 @@ static int proxy_detect(request_rec *r)
/* Ick... msvc (perhaps others) promotes ternary short results to int */
- if (conf->req && r->parsed_uri.scheme) {
+ if (conf->req && r->parsed_uri.scheme && r->parsed_uri.hostname) {
/* but it might be something vhosted */
- if (!(r->parsed_uri.hostname
- && !ap_cstr_casecmp(r->parsed_uri.scheme, ap_http_scheme(r))
- && ap_matches_request_vhost(r, r->parsed_uri.hostname,
- (apr_port_t)(r->parsed_uri.port_str ? r->parsed_uri.port
- : ap_default_port(r))))) {
+ if (ap_cstr_casecmp(r->parsed_uri.scheme, ap_http_scheme(r)) != 0
+ || !ap_matches_request_vhost(r, r->parsed_uri.hostname,
+ (apr_port_t)(r->parsed_uri.port_str
+ ? r->parsed_uri.port
+ : ap_default_port(r)))) {
r->proxyreq = PROXYREQ_PROXY;
r->uri = r->unparsed_uri;
r->filename = apr_pstrcat(r->pool, "proxy:", r->uri, NULL);
@@ -2007,6 +2007,7 @@ static const char *
struct proxy_alias *new;
char *f = cmd->path;
char *r = NULL;
+ const char *real;
char *word;
apr_table_t *params = apr_table_make(cmd->pool, 5);
const apr_array_header_t *arr;
@@ -2093,6 +2094,10 @@ static const char *
if (r == NULL) {
return "ProxyPass|ProxyPassMatch needs a path when not defined in a location";
}
+ if (!(real = ap_proxy_de_socketfy(cmd->temp_pool, r))) {
+ return "ProxyPass|ProxyPassMatch uses an invalid \"unix:\" URL";
+ }
+
/* if per directory, save away the single alias */
if (cmd->path) {
@@ -2109,7 +2114,7 @@ static const char *
}
new->fake = apr_pstrdup(cmd->pool, f);
- new->real = apr_pstrdup(cmd->pool, ap_proxy_de_socketfy(cmd->pool, r));
+ new->real = apr_pstrdup(cmd->pool, real);
new->flags = flags;
if (worker_type & AP_PROXY_WORKER_IS_MATCH) {
new->regex = ap_pregcomp(cmd->pool, f, AP_REG_EXTENDED);
@@ -2635,6 +2640,7 @@ static const char *add_member(cmd_parms *cmd, void *dummy, const char *arg)
proxy_worker *worker;
char *path = cmd->path;
char *name = NULL;
+ const char *real;
char *word;
apr_table_t *params = apr_table_make(cmd->pool, 5);
const apr_array_header_t *arr;
@@ -2675,6 +2681,9 @@ static const char *add_member(cmd_parms *cmd, void *dummy, const char *arg)
return "BalancerMember must define balancer name when outside <Proxy > section";
if (!name)
return "BalancerMember must define remote proxy server";
+ if (!(real = ap_proxy_de_socketfy(cmd->temp_pool, name))) {
+ return "BalancerMember uses an invalid \"unix:\" URL";
+ }
ap_str_tolower(path); /* lowercase scheme://hostname */
@@ -2687,8 +2696,7 @@ static const char *add_member(cmd_parms *cmd, void *dummy, const char *arg)
}
/* Try to find existing worker */
- worker = ap_proxy_get_worker(cmd->temp_pool, balancer, conf,
- ap_proxy_de_socketfy(cmd->temp_pool, name));
+ worker = ap_proxy_get_worker(cmd->temp_pool, balancer, conf, real);
if (!worker) {
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, cmd->server, APLOGNO(01147)
"Defining worker '%s' for balancer '%s'",
@@ -2785,9 +2793,14 @@ static const char *
}
}
else {
+ const char *real;
+
+ if (!(real = ap_proxy_de_socketfy(cmd->temp_pool, name))) {
+ return "ProxySet uses an invalid \"unix:\" URL";
+ }
+
worker = ap_proxy_get_worker_ex(cmd->temp_pool, NULL, conf,
- ap_proxy_de_socketfy(cmd->temp_pool, name),
- worker_type);
+ real, worker_type);
if (!worker) {
if (in_proxy_section) {
err = ap_proxy_define_worker_ex(cmd->pool, &worker, NULL,
@@ -2930,9 +2943,14 @@ static const char *proxysection(cmd_parms *cmd, void *mconfig, const char *arg)
}
}
else {
+ const char *real;
+
+ if (!(real = ap_proxy_de_socketfy(cmd->temp_pool, conf->p))) {
+ return "<Proxy/ProxyMatch > uses an invalid \"unix:\" URL";
+ }
+
worker = ap_proxy_get_worker_ex(cmd->temp_pool, NULL, sconf,
- ap_proxy_de_socketfy(cmd->temp_pool, conf->p),
- worker_type);
+ real, worker_type);
if (!worker) {
err = ap_proxy_define_worker_ex(cmd->pool, &worker, NULL, sconf,
conf->p, worker_type);
diff --git a/modules/proxy/proxy_util.c b/modules/proxy/proxy_util.c
index a3cf5460487..b4f6dcfadc6 100644
--- a/modules/proxy/proxy_util.c
+++ b/modules/proxy/proxy_util.c
@@ -1742,6 +1742,9 @@ PROXY_DECLARE(proxy_worker *) ap_proxy_get_worker_ex(apr_pool_t *p,
}
url = ap_proxy_de_socketfy(p, url);
+ if (!url) {
+ return NULL;
+ }
c = ap_strchr_c(url, ':');
if (c == NULL || c[1] != '/' || c[2] != '/' || c[3] == '\0') {
diff --git a/server/protocol.c b/server/protocol.c
index 3d74c5b3058..2214f72b5a4 100644
--- a/server/protocol.c
+++ b/server/protocol.c
@@ -1548,7 +1548,7 @@ request_rec *ap_read_request(conn_rec *conn)
/* we may have switched to another server */
apply_server_config(r);
- if ((access_status = ap_run_post_read_request(r))) {
+ if ((access_status = ap_post_read_request(r))) {
goto die;
}
@@ -1603,6 +1603,27 @@ request_rec *ap_read_request(conn_rec *conn)
return NULL;
}
+AP_DECLARE(int) ap_post_read_request(request_rec *r)
+{
+ int status;
+
+ if ((status = ap_run_post_read_request(r))) {
+ return status;
+ }
+
+ /* Enforce http(s) only scheme for non-forward-proxy requests */
+ if (!r->proxyreq
+ && r->parsed_uri.scheme
+ && (ap_cstr_casecmpn(r->parsed_uri.scheme, "http", 4) != 0
+ || (r->parsed_uri.scheme[4] != '\0'
+ && (apr_tolower(r->parsed_uri.scheme[4]) != 's'
+ || r->parsed_uri.scheme[5] != '\0')))) {
+ return HTTP_BAD_REQUEST;
+ }
+
+ return OK;
+}
+
/* if a request with a body creates a subrequest, remove original request's
* input headers which pertain to the body which has already been read.
* out-of-line helper function for ap_set_sub_req_protocol.

358
backport-001-CVE-2022-23943.patch
View File

@ -1,358 +0,0 @@
From 943f57b336f264d77e5b780c82ab73daf3d14deb Mon Sep 17 00:00:00 2001
From: Yann Ylavic <ylavic@apache.org>
Date: Mon, 7 Mar 2022 14:52:42 +0000
Subject: [PATCH] mod_sed: use size_t to allow for larger buffer sizes and
unsigned arithmetics.
Let's switch to apr_size_t buffers and get rid of the ints.
Merge r1898690 from trunk.
Submitted by: rpluem
Reviewed by: rpluem, covener, ylavic
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1898695 13f79535-47bb-0310-9956-ffa450edef68
---
modules/filters/libsed.h | 12 +++---
modules/filters/mod_sed.c | 10 ++---
modules/filters/sed1.c | 79 +++++++++++++++++++++++----------------
3 files changed, 58 insertions(+), 43 deletions(-)
diff --git a/modules/filters/libsed.h b/modules/filters/libsed.h
index 76cbc0ce8ad..0256b1ea831 100644
--- a/modules/filters/libsed.h
+++ b/modules/filters/libsed.h
@@ -60,7 +60,7 @@ struct sed_label_s {
};
typedef apr_status_t (sed_err_fn_t)(void *data, const char *error);
-typedef apr_status_t (sed_write_fn_t)(void *ctx, char *buf, int sz);
+typedef apr_status_t (sed_write_fn_t)(void *ctx, char *buf, apr_size_t sz);
typedef struct sed_commands_s sed_commands_t;
#define NWFILES 11 /* 10 plus one for standard output */
@@ -69,7 +69,7 @@ struct sed_commands_s {
sed_err_fn_t *errfn;
void *data;
- unsigned lsize;
+ apr_size_t lsize;
char *linebuf;
char *lbend;
const char *saveq;
@@ -116,15 +116,15 @@ struct sed_eval_s {
apr_int64_t lnum;
void *fout;
- unsigned lsize;
+ apr_size_t lsize;
char *linebuf;
char *lspend;
- unsigned hsize;
+ apr_size_t hsize;
char *holdbuf;
char *hspend;
- unsigned gsize;
+ apr_size_t gsize;
char *genbuf;
char *lcomend;
@@ -160,7 +160,7 @@ apr_status_t sed_init_eval(sed_eval_t *eval, sed_commands_t *commands,
sed_err_fn_t *errfn, void *data,
sed_write_fn_t *writefn, apr_pool_t *p);
apr_status_t sed_reset_eval(sed_eval_t *eval, sed_commands_t *commands, sed_err_fn_t *errfn, void *data);
-apr_status_t sed_eval_buffer(sed_eval_t *eval, const char *buf, int bufsz, void *fout);
+apr_status_t sed_eval_buffer(sed_eval_t *eval, const char *buf, apr_size_t bufsz, void *fout);
apr_status_t sed_eval_file(sed_eval_t *eval, apr_file_t *fin, void *fout);
apr_status_t sed_finalize_eval(sed_eval_t *eval, void *f);
void sed_destroy_eval(sed_eval_t *eval);
diff --git a/modules/filters/mod_sed.c b/modules/filters/mod_sed.c
index 9b408029a86..7092dd5e7f1 100644
--- a/modules/filters/mod_sed.c
+++ b/modules/filters/mod_sed.c
@@ -51,7 +51,7 @@ typedef struct sed_filter_ctxt
apr_bucket_brigade *bbinp;
char *outbuf;
char *curoutbuf;
- int bufsize;
+ apr_size_t bufsize;
apr_pool_t *tpool;
int numbuckets;
} sed_filter_ctxt;
@@ -100,7 +100,7 @@ static void alloc_outbuf(sed_filter_ctxt* ctx)
/* append_bucket
* Allocate a new bucket from buf and sz and append to ctx->bb
*/
-static apr_status_t append_bucket(sed_filter_ctxt* ctx, char* buf, int sz)
+static apr_status_t append_bucket(sed_filter_ctxt* ctx, char* buf, apr_size_t sz)
{
apr_status_t status = APR_SUCCESS;
apr_bucket *b;
@@ -133,7 +133,7 @@ static apr_status_t append_bucket(sed_filter_ctxt* ctx, char* buf, int sz)
*/
static apr_status_t flush_output_buffer(sed_filter_ctxt *ctx)
{
- int size = ctx->curoutbuf - ctx->outbuf;
+ apr_size_t size = ctx->curoutbuf - ctx->outbuf;
char *out;
apr_status_t status = APR_SUCCESS;
if ((ctx->outbuf == NULL) || (size <=0))
@@ -147,12 +147,12 @@ static apr_status_t flush_output_buffer(sed_filter_ctxt *ctx)
/* This is a call back function. When libsed wants to generate the output,
* this function will be invoked.
*/
-static apr_status_t sed_write_output(void *dummy, char *buf, int sz)
+static apr_status_t sed_write_output(void *dummy, char *buf, apr_size_t sz)
{
/* dummy is basically filter context. Context is passed during invocation
* of sed_eval_buffer
*/
- int remainbytes = 0;
+ apr_size_t remainbytes = 0;
apr_status_t status = APR_SUCCESS;
sed_filter_ctxt *ctx = (sed_filter_ctxt *) dummy;
if (ctx->outbuf == NULL) {
diff --git a/modules/filters/sed1.c b/modules/filters/sed1.c
index be035067885..67a8d06515e 100644
--- a/modules/filters/sed1.c
+++ b/modules/filters/sed1.c
@@ -71,7 +71,7 @@ static apr_status_t dosub(sed_eval_t *eval, char *rhsbuf, int n,
static char *place(sed_eval_t *eval, char *asp, char *al1, char *al2);
static apr_status_t command(sed_eval_t *eval, sed_reptr_t *ipc,
step_vars_storage *step_vars);
-static apr_status_t wline(sed_eval_t *eval, char *buf, int sz);
+static apr_status_t wline(sed_eval_t *eval, char *buf, apr_size_t sz);
static apr_status_t arout(sed_eval_t *eval);
static void eval_errf(sed_eval_t *eval, const char *fmt, ...)
@@ -92,11 +92,11 @@ static void eval_errf(sed_eval_t *eval, const char *fmt, ...)
* grow_buffer
*/
static void grow_buffer(apr_pool_t *pool, char **buffer,
- char **spend, unsigned int *cursize,
- unsigned int newsize)
+ char **spend, apr_size_t *cursize,
+ apr_size_t newsize)
{
char* newbuffer = NULL;
- int spendsize = 0;
+ apr_size_t spendsize = 0;
if (*cursize >= newsize)
return;
/* Avoid number of times realloc is called. It could cause huge memory
@@ -124,7 +124,7 @@ static void grow_buffer(apr_pool_t *pool, char **buffer,
/*
* grow_line_buffer
*/
-static void grow_line_buffer(sed_eval_t *eval, int newsize)
+static void grow_line_buffer(sed_eval_t *eval, apr_size_t newsize)
{
grow_buffer(eval->pool, &eval->linebuf, &eval->lspend,
&eval->lsize, newsize);
@@ -133,7 +133,7 @@ static void grow_line_buffer(sed_eval_t *eval, int newsize)
/*
* grow_hold_buffer
*/
-static void grow_hold_buffer(sed_eval_t *eval, int newsize)
+static void grow_hold_buffer(sed_eval_t *eval, apr_size_t newsize)
{
grow_buffer(eval->pool, &eval->holdbuf, &eval->hspend,
&eval->hsize, newsize);
@@ -142,7 +142,7 @@ static void grow_hold_buffer(sed_eval_t *eval, int newsize)
/*
* grow_gen_buffer
*/
-static void grow_gen_buffer(sed_eval_t *eval, int newsize,
+static void grow_gen_buffer(sed_eval_t *eval, apr_size_t newsize,
char **gspend)
{
if (gspend == NULL) {
@@ -156,9 +156,9 @@ static void grow_gen_buffer(sed_eval_t *eval, int newsize,
/*
* appendmem_to_linebuf
*/
-static void appendmem_to_linebuf(sed_eval_t *eval, const char* sz, int len)
+static void appendmem_to_linebuf(sed_eval_t *eval, const char* sz, apr_size_t len)
{
- unsigned int reqsize = (eval->lspend - eval->linebuf) + len;
+ apr_size_t reqsize = (eval->lspend - eval->linebuf) + len;
if (eval->lsize < reqsize) {
grow_line_buffer(eval, reqsize);
}
@@ -169,21 +169,36 @@ static void appendmem_to_linebuf(sed_eval_t *eval, const char* sz, int len)
/*
* append_to_linebuf
*/
-static void append_to_linebuf(sed_eval_t *eval, const char* sz)
+static void append_to_linebuf(sed_eval_t *eval, const char* sz,
+ step_vars_storage *step_vars)
{
- int len = strlen(sz);
+ apr_size_t len = strlen(sz);
+ char *old_linebuf = eval->linebuf;
/* Copy string including null character */
appendmem_to_linebuf(eval, sz, len + 1);
--eval->lspend; /* lspend will now point to NULL character */
+ /* Sync step_vars after a possible linebuf expansion */
+ if (step_vars && old_linebuf != eval->linebuf) {
+ if (step_vars->loc1) {
+ step_vars->loc1 = step_vars->loc1 - old_linebuf + eval->linebuf;
+ }
+ if (step_vars->loc2) {
+ step_vars->loc2 = step_vars->loc2 - old_linebuf + eval->linebuf;
+ }
+ if (step_vars->locs) {
+ step_vars->locs = step_vars->locs - old_linebuf + eval->linebuf;
+ }
+ }
}
/*
* copy_to_linebuf
*/
-static void copy_to_linebuf(sed_eval_t *eval, const char* sz)
+static void copy_to_linebuf(sed_eval_t *eval, const char* sz,
+ step_vars_storage *step_vars)
{
eval->lspend = eval->linebuf;
- append_to_linebuf(eval, sz);
+ append_to_linebuf(eval, sz, step_vars);
}
/*
@@ -191,8 +206,8 @@ static void copy_to_linebuf(sed_eval_t *eval, const char* sz)
*/
static void append_to_holdbuf(sed_eval_t *eval, const char* sz)
{
- int len = strlen(sz);
- unsigned int reqsize = (eval->hspend - eval->holdbuf) + len + 1;
+ apr_size_t len = strlen(sz);
+ apr_size_t reqsize = (eval->hspend - eval->holdbuf) + len + 1;
if (eval->hsize <= reqsize) {
grow_hold_buffer(eval, reqsize);
}
@@ -215,8 +230,8 @@ static void copy_to_holdbuf(sed_eval_t *eval, const char* sz)
*/
static void append_to_genbuf(sed_eval_t *eval, const char* sz, char **gspend)
{
- int len = strlen(sz);
- unsigned int reqsize = (*gspend - eval->genbuf) + len + 1;
+ apr_size_t len = strlen(sz);
+ apr_size_t reqsize = (*gspend - eval->genbuf) + len + 1;
if (eval->gsize < reqsize) {
grow_gen_buffer(eval, reqsize, gspend);
}
@@ -230,8 +245,8 @@ static void append_to_genbuf(sed_eval_t *eval, const char* sz, char **gspend)
*/
static void copy_to_genbuf(sed_eval_t *eval, const char* sz)
{
- int len = strlen(sz);
- unsigned int reqsize = len + 1;
+ apr_size_t len = strlen(sz);
+ apr_size_t reqsize = len + 1;
if (eval->gsize < reqsize) {
grow_gen_buffer(eval, reqsize, NULL);
}
@@ -353,7 +368,7 @@ apr_status_t sed_eval_file(sed_eval_t *eval, apr_file_t *fin, void *fout)
/*
* sed_eval_buffer
*/
-apr_status_t sed_eval_buffer(sed_eval_t *eval, const char *buf, int bufsz, void *fout)
+apr_status_t sed_eval_buffer(sed_eval_t *eval, const char *buf, apr_size_t bufsz, void *fout)
{
apr_status_t rv;
@@ -383,7 +398,7 @@ apr_status_t sed_eval_buffer(sed_eval_t *eval, const char *buf, int bufsz, void
while (bufsz) {
char *n;
- int llen;
+ apr_size_t llen;
n = memchr(buf, '\n', bufsz);
if (n == NULL)
@@ -442,7 +457,7 @@ apr_status_t sed_finalize_eval(sed_eval_t *eval, void *fout)
* buffer is not a newline.
*/
/* Assure space for NULL */
- append_to_linebuf(eval, "");
+ append_to_linebuf(eval, "", NULL);
}
*eval->lspend = '\0';
@@ -666,7 +681,7 @@ static apr_status_t dosub(sed_eval_t *eval, char *rhsbuf, int n,
lp = step_vars->loc2;
step_vars->loc2 = sp - eval->genbuf + eval->linebuf;
append_to_genbuf(eval, lp, &sp);
- copy_to_linebuf(eval, eval->genbuf);
+ copy_to_linebuf(eval, eval->genbuf, step_vars);
return rv;
}
@@ -676,8 +691,8 @@ static apr_status_t dosub(sed_eval_t *eval, char *rhsbuf, int n,
static char *place(sed_eval_t *eval, char *asp, char *al1, char *al2)
{
char *sp = asp;
- int n = al2 - al1;
- unsigned int reqsize = (sp - eval->genbuf) + n + 1;
+ apr_size_t n = al2 - al1;
+ apr_size_t reqsize = (sp - eval->genbuf) + n + 1;
if (eval->gsize < reqsize) {
grow_gen_buffer(eval, reqsize, &sp);
@@ -735,7 +750,7 @@ static apr_status_t command(sed_eval_t *eval, sed_reptr_t *ipc,
}
p1++;
- copy_to_linebuf(eval, p1);
+ copy_to_linebuf(eval, p1, step_vars);
eval->jflag++;
break;
@@ -745,12 +760,12 @@ static apr_status_t command(sed_eval_t *eval, sed_reptr_t *ipc,
break;
case GCOM:
- copy_to_linebuf(eval, eval->holdbuf);
+ copy_to_linebuf(eval, eval->holdbuf, step_vars);
break;
case CGCOM:
- append_to_linebuf(eval, "\n");
- append_to_linebuf(eval, eval->holdbuf);
+ append_to_linebuf(eval, "\n", step_vars);
+ append_to_linebuf(eval, eval->holdbuf, step_vars);
break;
case HCOM:
@@ -881,7 +896,7 @@ static apr_status_t command(sed_eval_t *eval, sed_reptr_t *ipc,
if (rv != APR_SUCCESS)
return rv;
}
- append_to_linebuf(eval, "\n");
+ append_to_linebuf(eval, "\n", step_vars);
eval->pending = ipc->next;
break;
@@ -956,7 +971,7 @@ static apr_status_t command(sed_eval_t *eval, sed_reptr_t *ipc,
case XCOM:
copy_to_genbuf(eval, eval->linebuf);
- copy_to_linebuf(eval, eval->holdbuf);
+ copy_to_linebuf(eval, eval->holdbuf, step_vars);
copy_to_holdbuf(eval, eval->genbuf);
break;
@@ -1013,7 +1028,7 @@ static apr_status_t arout(sed_eval_t *eval)
/*
* wline
*/
-static apr_status_t wline(sed_eval_t *eval, char *buf, int sz)
+static apr_status_t wline(sed_eval_t *eval, char *buf, apr_size_t sz)
{
apr_status_t rv = APR_SUCCESS;
rv = eval->writefn(eval->fout, buf, sz);

104
backport-002-CVE-2021-44224.patch
View File

@ -1,104 +0,0 @@
From a0521d289ae14e4ac004811dc1ef91b3e118a2f6 Mon Sep 17 00:00:00 2001
From: Stefan Eissing <icing@apache.org>
Date: Thu, 16 Dec 2021 11:23:49 +0000
Subject: [PATCH] Merge of r1895981,r1895986 from trunk:
*) mod_proxy: Don't prevent forwarding URIs w/ no hostname.
(fix for r1895955 already in 2.4.x)
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1896044 13f79535-47bb-0310-9956-ffa450edef68
---
modules/proxy/mod_proxy.c | 5 +++--
modules/proxy/mod_proxy.h | 1 +
modules/proxy/proxy_util.c | 22 ++++++++++++----------
3 files changed, 16 insertions(+), 12 deletions(-)
diff --git a/modules/proxy/mod_proxy.c b/modules/proxy/mod_proxy.c
index 85d7ce2e6c1..f8a4db68892 100644
--- a/modules/proxy/mod_proxy.c
+++ b/modules/proxy/mod_proxy.c
@@ -775,9 +775,10 @@ static int proxy_detect(request_rec *r)
/* Ick... msvc (perhaps others) promotes ternary short results to int */
- if (conf->req && r->parsed_uri.scheme && r->parsed_uri.hostname) {
+ if (conf->req && r->parsed_uri.scheme) {
/* but it might be something vhosted */
- if (ap_cstr_casecmp(r->parsed_uri.scheme, ap_http_scheme(r)) != 0
+ if (!r->parsed_uri.hostname
+ || ap_cstr_casecmp(r->parsed_uri.scheme, ap_http_scheme(r)) != 0
|| !ap_matches_request_vhost(r, r->parsed_uri.hostname,
(apr_port_t)(r->parsed_uri.port_str
? r->parsed_uri.port
diff --git a/modules/proxy/mod_proxy.h b/modules/proxy/mod_proxy.h
index 35acc49a4a3..be5b3a85394 100644
--- a/modules/proxy/mod_proxy.h
+++ b/modules/proxy/mod_proxy.h
@@ -750,6 +750,7 @@ PROXY_DECLARE(int) ap_proxy_worker_can_upgrade(apr_pool_t *p,
#define AP_PROXY_WORKER_IS_PREFIX (1u << 0)
#define AP_PROXY_WORKER_IS_MATCH (1u << 1)
#define AP_PROXY_WORKER_IS_MALLOCED (1u << 2)
+#define AP_PROXY_WORKER_NO_UDS (1u << 3)
/**
* Get the worker from proxy configuration, looking for either PREFIXED or
diff --git a/modules/proxy/proxy_util.c b/modules/proxy/proxy_util.c
index b4f6dcfadc6..8cb315d9103 100644
--- a/modules/proxy/proxy_util.c
+++ b/modules/proxy/proxy_util.c
@@ -1741,9 +1741,11 @@ PROXY_DECLARE(proxy_worker *) ap_proxy_get_worker_ex(apr_pool_t *p,
return NULL;
}
- url = ap_proxy_de_socketfy(p, url);
- if (!url) {
- return NULL;
+ if (!(mask & AP_PROXY_WORKER_NO_UDS)) {
+ url = ap_proxy_de_socketfy(p, url);
+ if (!url) {
+ return NULL;
+ }
}
c = ap_strchr_c(url, ':');
@@ -2326,22 +2328,22 @@ PROXY_DECLARE(int) ap_proxy_pre_request(proxy_worker **worker,
access_status = proxy_run_pre_request(worker, balancer, r, conf, url);
if (access_status == DECLINED && *balancer == NULL) {
- *worker = ap_proxy_get_worker(r->pool, NULL, conf, *url);
+ const int forward = (r->proxyreq == PROXYREQ_PROXY);
+ *worker = ap_proxy_get_worker_ex(r->pool, NULL, conf, *url,
+ forward ? AP_PROXY_WORKER_NO_UDS : 0);
if (*worker) {
ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r,
"%s: found worker %s for %s",
(*worker)->s->scheme, (*worker)->s->name, *url);
- *balancer = NULL;
- if (!fix_uds_filename(r, url)) {
+ if (!forward && !fix_uds_filename(r, url)) {
return HTTP_INTERNAL_SERVER_ERROR;
}
access_status = OK;
}
- else if (r->proxyreq == PROXYREQ_PROXY) {
+ else if (forward) {
if (conf->forward) {
ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r,
"*: found forward proxy worker for %s", *url);
- *balancer = NULL;
*worker = conf->forward;
access_status = OK;
/*
@@ -2355,8 +2357,8 @@ PROXY_DECLARE(int) ap_proxy_pre_request(proxy_worker **worker,
else if (r->proxyreq == PROXYREQ_REVERSE) {
if (conf->reverse) {
ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r,
- "*: using default reverse proxy worker for %s (no keepalive)", *url);
- *balancer = NULL;
+ "*: using default reverse proxy worker for %s "
+ "(no keepalive)", *url);
*worker = conf->reverse;
access_status = OK;
/*

61
backport-002-CVE-2022-23943.patch
View File

@ -1,61 +0,0 @@
From e266bd09c313a668d7cca17a8b096d189148be49 Mon Sep 17 00:00:00 2001
From: Ruediger Pluem <rpluem@apache.org>
Date: Wed, 9 Mar 2022 07:41:40 +0000
Subject: [PATCH] Merge r1898735 from trunk:
* Improve the logic flow
Reviewed by: rpluem, covener, ylavic
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1898772 13f79535-47bb-0310-9956-ffa450edef68
---
modules/filters/mod_sed.c | 30 +++++++++++++++++++-----------
1 file changed, 19 insertions(+), 11 deletions(-)
diff --git a/modules/filters/mod_sed.c b/modules/filters/mod_sed.c
index 7092dd5e7f1..4bdb4ce33ae 100644
--- a/modules/filters/mod_sed.c
+++ b/modules/filters/mod_sed.c
@@ -168,21 +168,29 @@ static apr_status_t sed_write_output(void *dummy, char *buf, apr_size_t sz)
}
/* buffer is now full */
status = append_bucket(ctx, ctx->outbuf, ctx->bufsize);
- /* old buffer is now used so allocate new buffer */
- alloc_outbuf(ctx);
- /* if size is bigger than the allocated buffer directly add to output
- * brigade */
- if ((status == APR_SUCCESS) && (sz >= ctx->bufsize)) {
- char* newbuf = apr_pmemdup(ctx->tpool, buf, sz);
- status = append_bucket(ctx, newbuf, sz);
- /* pool might get clear after append_bucket */
- if (ctx->outbuf == NULL) {
+ if (status == APR_SUCCESS) {
+ /* if size is bigger than the allocated buffer directly add to output
+ * brigade */
+ if (sz >= ctx->bufsize) {
+ char* newbuf = apr_pmemdup(ctx->tpool, buf, sz);
+ status = append_bucket(ctx, newbuf, sz);
+ if (status == APR_SUCCESS) {
+ /* old buffer is now used so allocate new buffer */
+ alloc_outbuf(ctx);
+ }
+ else {
+ clear_ctxpool(ctx);
+ }
+ }
+ else {
+ /* old buffer is now used so allocate new buffer */
alloc_outbuf(ctx);
+ memcpy(ctx->curoutbuf, buf, sz);
+ ctx->curoutbuf += sz;
}
}
else {
- memcpy(ctx->curoutbuf, buf, sz);
- ctx->curoutbuf += sz;
+ clear_ctxpool(ctx);
}
}
else {

26
backport-CVE-2021-44790.patch
View File

@ -1,26 +0,0 @@
From 07b9768cef6a224d256358c404c6ed5622d8acce Mon Sep 17 00:00:00 2001
From: Stefan Eissing <icing@apache.org>
Date: Thu, 16 Dec 2021 11:15:47 +0000
Subject: [PATCH] Merge r1895970 from trunk:
*) mod_lua: Improve error handling
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1896039 13f79535-47bb-0310-9956-ffa450edef68
---
modules/lua/lua_request.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/modules/lua/lua_request.c b/modules/lua/lua_request.c
index 67ff432e51f..493b2bb431c 100644
--- a/modules/lua/lua_request.c
+++ b/modules/lua/lua_request.c
@@ -410,6 +410,7 @@ static int req_parsebody(lua_State *L)
if (end == NULL) break;
key = (char *) apr_pcalloc(r->pool, 256);
filename = (char *) apr_pcalloc(r->pool, 256);
+ if (end - crlf <= 8) break;
vlen = end - crlf - 8;
buffer = (char *) apr_pcalloc(r->pool, vlen+1);
memcpy(buffer, crlf + 4, vlen);

93
backport-CVE-2022-22719.patch
View File

@ -1,93 +0,0 @@
From 1b96582269d9ec7c82ee0fea1f67934e4b8176ad Mon Sep 17 00:00:00 2001
From: Yann Ylavic <ylavic@apache.org>
Date: Mon, 7 Mar 2022 14:51:19 +0000
Subject: [PATCH] mod_lua: Error out if lua_read_body() or lua_write_body()
fail.
Otherwise r:requestbody() or r:parsebody() failures might go unnoticed for
the user.
Merge r1898689 from trunk.
Submitted by: rpluem
Reviewed by: rpluem, covener, ylavic
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1898694 13f79535-47bb-0310-9956-ffa450edef68
---
modules/lua/lua_request.c | 33 ++++++++++++++++++++-------------
1 file changed, 20 insertions(+), 13 deletions(-)
diff --git a/modules/lua/lua_request.c b/modules/lua/lua_request.c
index 493b2bb431c..1eab7b6a47b 100644
--- a/modules/lua/lua_request.c
+++ b/modules/lua/lua_request.c
@@ -235,14 +235,16 @@ static int lua_read_body(request_rec *r, const char **rbuf, apr_off_t *size,
{
int rc = OK;
+ *rbuf = NULL;
+ *size = 0;
+
if ((rc = ap_setup_client_block(r, REQUEST_CHUNKED_ERROR))) {
return (rc);
}
if (ap_should_client_block(r)) {
/*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~*/
- char argsbuffer[HUGE_STRING_LEN];
- apr_off_t rsize, len_read, rpos = 0;
+ apr_off_t len_read, rpos = 0;
apr_off_t length = r->remaining;
/*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~*/
@@ -250,18 +252,18 @@ static int lua_read_body(request_rec *r, const char **rbuf, apr_off_t *size,
return APR_EINCOMPLETE; /* Only room for incomplete data chunk :( */
}
*rbuf = (const char *) apr_pcalloc(r->pool, (apr_size_t) (length + 1));
- *size = length;
- while ((len_read = ap_get_client_block(r, argsbuffer, sizeof(argsbuffer))) > 0) {
- if ((rpos + len_read) > length) {
- rsize = length - rpos;
- }
- else {
- rsize = len_read;
- }
-
- memcpy((char *) *rbuf + rpos, argsbuffer, (size_t) rsize);
- rpos += rsize;
+ while ((rpos < length)
+ && (len_read = ap_get_client_block(r, (char *) *rbuf + rpos,
+ length - rpos)) > 0) {
+ rpos += len_read;
+ }
+ if (len_read < 0) {
+ return APR_EINCOMPLETE;
}
+ *size = rpos;
+ }
+ else {
+ rc = DONE;
}
return (rc);
@@ -278,6 +280,8 @@ static apr_status_t lua_write_body(request_rec *r, apr_file_t *file, apr_off_t *
{
apr_status_t rc = OK;
+ *size = 0;
+
if ((rc = ap_setup_client_block(r, REQUEST_CHUNKED_ERROR)))
return rc;
if (ap_should_client_block(r)) {
@@ -303,6 +307,9 @@ static apr_status_t lua_write_body(request_rec *r, apr_file_t *file, apr_off_t *
rpos += rsize;
}
}
+ else {
+ rc = DONE;
+ }
return rc;
}

187
backport-CVE-2022-22720.patch
View File

@ -1,187 +0,0 @@
From 19aa2d83b379719420f3a178413325156d7a62f3 Mon Sep 17 00:00:00 2001
From: Yann Ylavic <ylavic@apache.org>
Date: Mon, 7 Mar 2022 14:46:08 +0000
Subject: [PATCH] core: Simpler connection close logic if discarding the
request body fails.
If ap_discard_request_body() sets AP_CONN_CLOSE by itself it simplifies and
allows to consolidate end_output_stream() and error_output_stream().
Merge r1898683 from trunk.
Submitted by: ylavic, rpluem
Reviewed by: ylavic, rpluem, covener
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1898692 13f79535-47bb-0310-9956-ffa450edef68
---
changes-entries/discard_body.diff | 2 +
modules/http/http_filters.c | 69 ++++++++++++++++---------------
server/protocol.c | 14 +++++--
3 files changed, 48 insertions(+), 37 deletions(-)
create mode 100644 changes-entries/discard_body.diff
diff --git a/changes-entries/discard_body.diff b/changes-entries/discard_body.diff
new file mode 100644
index 00000000000..6b467ac5ee3
--- /dev/null
+++ b/changes-entries/discard_body.diff
@@ -0,0 +1,2 @@
+ *) core: Simpler connection close logic if discarding the request body fails.
+ [Yann Ylavic, Ruediger Pluem]
\ No newline at end of file
diff --git a/modules/http/http_filters.c b/modules/http/http_filters.c
index d9b36212155..43e8c6dd5d5 100644
--- a/modules/http/http_filters.c
+++ b/modules/http/http_filters.c
@@ -1598,9 +1598,9 @@ AP_DECLARE(int) ap_map_http_request_error(apr_status_t rv, int status)
*/
AP_DECLARE(int) ap_discard_request_body(request_rec *r)
{
+ int rc = OK;
+ conn_rec *c = r->connection;
apr_bucket_brigade *bb;
- int seen_eos;
- apr_status_t rv;
/* Sometimes we'll get in a state where the input handling has
* detected an error where we want to drop the connection, so if
@@ -1609,54 +1609,57 @@ AP_DECLARE(int) ap_discard_request_body(request_rec *r)
*
* This function is also a no-op on a subrequest.
*/
- if (r->main || r->connection->keepalive == AP_CONN_CLOSE ||
- ap_status_drops_connection(r->status)) {
+ if (r->main || c->keepalive == AP_CONN_CLOSE) {
+ return OK;
+ }
+ if (ap_status_drops_connection(r->status)) {
+ c->keepalive = AP_CONN_CLOSE;
return OK;
}
bb = apr_brigade_create(r->pool, r->connection->bucket_alloc);
- seen_eos = 0;
- do {
- apr_bucket *bucket;
+ for (;;) {
+ apr_status_t rv;
rv = ap_get_brigade(r->input_filters, bb, AP_MODE_READBYTES,
APR_BLOCK_READ, HUGE_STRING_LEN);
-
if (rv != APR_SUCCESS) {
- apr_brigade_destroy(bb);
- return ap_map_http_request_error(rv, HTTP_BAD_REQUEST);
+ rc = ap_map_http_request_error(rv, HTTP_BAD_REQUEST);
+ goto cleanup;
}
- for (bucket = APR_BRIGADE_FIRST(bb);
- bucket != APR_BRIGADE_SENTINEL(bb);
- bucket = APR_BUCKET_NEXT(bucket))
- {
- const char *data;
- apr_size_t len;
+ while (!APR_BRIGADE_EMPTY(bb)) {
+ apr_bucket *b = APR_BRIGADE_FIRST(bb);
- if (APR_BUCKET_IS_EOS(bucket)) {
- seen_eos = 1;
- break;
- }
-
- /* These are metadata buckets. */
- if (bucket->length == 0) {
- continue;
+ if (APR_BUCKET_IS_EOS(b)) {
+ goto cleanup;
}
- /* We MUST read because in case we have an unknown-length
- * bucket or one that morphs, we want to exhaust it.
+ /* There is no need to read empty or metadata buckets or
+ * buckets of known length, but we MUST read buckets of
+ * unknown length in order to exhaust them.
*/
- rv = apr_bucket_read(bucket, &data, &len, APR_BLOCK_READ);
- if (rv != APR_SUCCESS) {
- apr_brigade_destroy(bb);
- return HTTP_BAD_REQUEST;
+ if (b->length == (apr_size_t)-1) {
+ apr_size_t len;
+ const char *data;
+
+ rv = apr_bucket_read(b, &data, &len, APR_BLOCK_READ);
+ if (rv != APR_SUCCESS) {
+ rc = HTTP_BAD_REQUEST;
+ goto cleanup;
+ }
}
+
+ apr_bucket_delete(b);
}
- apr_brigade_cleanup(bb);
- } while (!seen_eos);
+ }
- return OK;
+cleanup:
+ apr_brigade_cleanup(bb);
+ if (rc != OK) {
+ c->keepalive = AP_CONN_CLOSE;
+ }
+ return rc;
}
/* Here we deal with getting the request message body from the client.
diff --git a/server/protocol.c b/server/protocol.c
index 2214f72b5a4..298f61e1fb8 100644
--- a/server/protocol.c
+++ b/server/protocol.c
@@ -1687,23 +1687,29 @@ AP_DECLARE(void) ap_set_sub_req_protocol(request_rec *rnew,
rnew->main = (request_rec *) r;
}
-static void end_output_stream(request_rec *r)
+static void end_output_stream(request_rec *r, int status)
{
conn_rec *c = r->connection;
apr_bucket_brigade *bb;
apr_bucket *b;
bb = apr_brigade_create(r->pool, c->bucket_alloc);
+ if (status != OK) {
+ b = ap_bucket_error_create(status, NULL, r->pool, c->bucket_alloc);
+ APR_BRIGADE_INSERT_TAIL(bb, b);
+ }
b = apr_bucket_eos_create(c->bucket_alloc);
APR_BRIGADE_INSERT_TAIL(bb, b);
+
ap_pass_brigade(r->output_filters, bb);
+ apr_brigade_cleanup(bb);
}
AP_DECLARE(void) ap_finalize_sub_req_protocol(request_rec *sub)
{
/* tell the filter chain there is no more content coming */
if (!sub->eos_sent) {
- end_output_stream(sub);
+ end_output_stream(sub, OK);
}
}
@@ -1714,11 +1720,11 @@ AP_DECLARE(void) ap_finalize_sub_req_protocol(request_rec *sub)
*/
AP_DECLARE(void) ap_finalize_request_protocol(request_rec *r)
{
- (void) ap_discard_request_body(r);
+ int status = ap_discard_request_body(r);
/* tell the filter chain there is no more content coming */
if (!r->eos_sent) {
- end_output_stream(r);
+ end_output_stream(r, status);
}
}

113
backport-CVE-2022-22721.patch
View File

@ -1,113 +0,0 @@
From 5a72f0fe6f2f8ce35c45242e99a421dc19251ab5 Mon Sep 17 00:00:00 2001
From: Yann Ylavic <ylavic@apache.org>
Date: Mon, 7 Mar 2022 14:48:54 +0000
Subject: [PATCH] core: Make sure and check that LimitXMLRequestBody fits in
system memory.
LimitXMLRequestBody can not exceed the size needed to ap_escape_html2() the
body without failing to allocate memory, so enforce this at load time based
on APR_SIZE_MAX, and make sure that ap_escape_html2() is within the bounds.
Document the limits for LimitXMLRequestBody in our docs.
Merge r1898686 from trunk.
Submitted by: ylavic, rpluem
Reviewed by: ylavic, covener, rpluem
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1898693 13f79535-47bb-0310-9956-ffa450edef68
---
changes-entries/AP_MAX_LIMIT_XML_BODY.diff | 2 ++
server/core.c | 9 +++++++++
server/util.c | 8 ++++++--
server/util_xml.c | 2 +-
4 files changed, 27 insertions(+), 6 deletions(-)
create mode 100644 changes-entries/AP_MAX_LIMIT_XML_BODY.diff
diff --git a/changes-entries/AP_MAX_LIMIT_XML_BODY.diff b/changes-entries/AP_MAX_LIMIT_XML_BODY.diff
new file mode 100644
index 00000000000..07fef3c624c
--- /dev/null
+++ b/changes-entries/AP_MAX_LIMIT_XML_BODY.diff
@@ -0,0 +1,2 @@
+ *) core: Make sure and check that LimitXMLRequestBody fits in system memory.
+ [Ruediger Pluem, Yann Ylavic]
\ No newline at end of file
diff --git a/server/core.c b/server/core.c
index 798212b4808..090e3976421 100644
--- a/server/core.c
+++ b/server/core.c
@@ -72,6 +72,8 @@
/* LimitXMLRequestBody handling */
#define AP_LIMIT_UNSET ((long) -1)
#define AP_DEFAULT_LIMIT_XML_BODY ((apr_size_t)1000000)
+/* Hard limit for ap_escape_html2() */
+#define AP_MAX_LIMIT_XML_BODY ((apr_size_t)(APR_SIZE_MAX / 6 - 1))
#define AP_MIN_SENDFILE_BYTES (256)
@@ -3761,6 +3763,11 @@ static const char *set_limit_xml_req_body(cmd_parms *cmd, void *conf_,
if (conf->limit_xml_body < 0)
return "LimitXMLRequestBody requires a non-negative integer.";
+ /* zero is AP_MAX_LIMIT_XML_BODY (implicitly) */
+ if ((apr_size_t)conf->limit_xml_body > AP_MAX_LIMIT_XML_BODY)
+ return apr_psprintf(cmd->pool, "LimitXMLRequestBody must not exceed "
+ "%" APR_SIZE_T_FMT, AP_MAX_LIMIT_XML_BODY);
+
return NULL;
}
@@ -3849,6 +3856,8 @@ AP_DECLARE(apr_size_t) ap_get_limit_xml_body(const request_rec *r)
conf = ap_get_core_module_config(r->per_dir_config);
if (conf->limit_xml_body == AP_LIMIT_UNSET)
return AP_DEFAULT_LIMIT_XML_BODY;
+ if (conf->limit_xml_body == 0)
+ return AP_MAX_LIMIT_XML_BODY;
return (apr_size_t)conf->limit_xml_body;
}
diff --git a/server/util.c b/server/util.c
index 6cfe0035c49..604be1a1ce3 100644
--- a/server/util.c
+++ b/server/util.c
@@ -2142,11 +2142,14 @@ AP_DECLARE(char *) ap_escape_urlencoded(apr_pool_t *p, const char *buffer)
AP_DECLARE(char *) ap_escape_html2(apr_pool_t *p, const char *s, int toasc)
{
- int i, j;
+ apr_size_t i, j;
char *x;
/* first, count the number of extra characters */
- for (i = 0, j = 0; s[i] != '\0'; i++)
+ for (i = 0, j = 0; s[i] != '\0'; i++) {
+ if (i + j > APR_SIZE_MAX - 6) {
+ abort();
+ }
if (s[i] == '<' || s[i] == '>')
j += 3;
else if (s[i] == '&')
@@ -2155,6 +2158,7 @@ AP_DECLARE(char *) ap_escape_html2(apr_pool_t *p, const char *s, int toasc)
j += 5;
else if (toasc && !apr_isascii(s[i]))
j += 5;
+ }
if (j == 0)
return apr_pstrmemdup(p, s, i);
diff --git a/server/util_xml.c b/server/util_xml.c
index 4845194656e..22806fa8a40 100644
--- a/server/util_xml.c
+++ b/server/util_xml.c
@@ -85,7 +85,7 @@ AP_DECLARE(int) ap_xml_parse_input(request_rec * r, apr_xml_doc **pdoc)
}
total_read += len;
- if (limit_xml_body && total_read > limit_xml_body) {
+ if (total_read > limit_xml_body) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(00539)
"XML request body is larger than the configured "
"limit of %lu", (unsigned long)limit_xml_body);

38
backport-CVE-2022-26377.patch
View File

@ -1,38 +0,0 @@
From f7f15f3d8bfe3032926c8c39eb8434529f680bd4 Mon Sep 17 00:00:00 2001
From: ylavic <ylavic@apache.org>
Date: Wed Jun 1 13:48:21 2022 UTC
Subject: [PATCH] mod_proxy_ajp: T-E has precedence over C-L.
---
modules/proxy/mod_proxy_ajp.c | 15 ++++++++++++---
1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/modules/proxy/mod_proxy_ajp.c b/modules/proxy/mod_proxy_ajp.c
index e2992fc..a77a86b 100644
--- a/modules/proxy/mod_proxy_ajp.c
+++ b/modules/proxy/mod_proxy_ajp.c
@@ -246,9 +246,18 @@ static int ap_proxy_ajp_request(apr_pool_t *p, request_rec *r,
/* read the first block of data */
input_brigade = apr_brigade_create(p, r->connection->bucket_alloc);
tenc = apr_table_get(r->headers_in, "Transfer-Encoding");
- if (tenc && (ap_cstr_casecmp(tenc, "chunked") == 0)) {
- /* The AJP protocol does not want body data yet */
- ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(00870) "request is chunked");
+ if (tenc) {
+ if (ap_cstr_casecmp(tenc, "chunked") == 0) {
+ /* The AJP protocol does not want body data yet */
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(00870)
+ "request is chunked");
+ }
+ else {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10396)
+ "%s Transfer-Encoding is not supported",
+ tenc);
+ return HTTP_INTERNAL_SERVER_ERROR;
+ }
} else {
/* Get client provided Content-Length header */
content_length = get_content_length(r);
--
1.8.3.1

33
backport-CVE-2022-28330.patch
View File

@ -1,33 +0,0 @@
From 258698607821acfda8f90d9d17e44d18c30f8d77 Mon Sep 17 00:00:00 2001
From: covener <covener@apache.org>
Date: Wed, 1 Ju0 2022 12:37:44 UTC
Subject: [PATCH] mod_isapi:use consistent filename
Conflict:NA
Reference:https://github.com/apache/httpd/commit/258698607821acfda8f90d9d17e44d18c30f8d77
---
modules/arch/win32/mod_isapi.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/modules/arch/win32/mod_isapi.c b/modules/arch/win32/mod_isapi.c
index 5592a57..a9816e5 100644
--- a/modules/arch/win32/mod_isapi.c
+++ b/modules/arch/win32/mod_isapi.c
@@ -976,11 +976,11 @@ static int APR_THREAD_FUNC regfnServerSupportFunction(isapi_cid *cid,
return 0;
}
- len = (apr_uint32_t)strlen(r->filename);
+ len = (apr_uint32_t)strlen(subreq->filename);
if ((subreq->finfo.filetype == APR_DIR)
&& (!subreq->path_info)
- && (file[len - 1] != '/'))
+ && (subreq->filename[len - 1] != '/'))
file = apr_pstrcat(cid->r->pool, subreq->filename, "/", NULL);
else
file = apr_pstrcat(cid->r->pool, subreq->filename,
--
2.23.0

60
backport-CVE-2022-28614.patch
View File

@ -1,60 +0,0 @@
From 8c14927162cf3b4f810683e1c5505e9ef9e1f123 Mon Sep 17 00:00:00 2001
From: covener <covener@apache.org>
Date: Wed Jun 1 07:51:04 2022 UTC
Subject: [PATCH] handle large writes in ap_rputs
---
include/http_protocol.h | 22 +++++++++++++++++++++-
server/protocol.c | 3 +++
2 files changed, 24 insertions(+), 1 deletion(-)
diff --git a/include/http_protocol.h b/include/http_protocol.h
index 20bd202..94c481e 100644
--- a/include/http_protocol.h
+++ b/include/http_protocol.h
@@ -475,7 +475,27 @@ AP_DECLARE(int) ap_rwrite(const void *buf, int nbyte, request_rec *r);
*/
static APR_INLINE int ap_rputs(const char *str, request_rec *r)
{
- return ap_rwrite(str, (int)strlen(str), r);
+ apr_size_t len;
+
+ len = strlen(str);
+
+ for (;;) {
+ if (len <= INT_MAX) {
+ return ap_rwrite(str, (int)len, r);
+ }
+ else {
+ int rc;
+
+ rc = ap_rwrite(str, INT_MAX, r);
+ if (rc < 0) {
+ return rc;
+ }
+ else {
+ str += INT_MAX;
+ len -= INT_MAX;
+ }
+ }
+ }
}
/**
diff --git a/server/protocol.c b/server/protocol.c
index 298f61e..7adc7f7 100644
--- a/server/protocol.c
+++ b/server/protocol.c
@@ -2128,6 +2128,9 @@ AP_DECLARE(int) ap_rputc(int c, request_rec *r)
AP_DECLARE(int) ap_rwrite(const void *buf, int nbyte, request_rec *r)
{
+ if (nbyte < 0)
+ return -1;
+
if (r->connection->aborted)
return -1;
--
1.8.3.1

34
backport-CVE-2022-28615.patch
View File

@ -1,34 +0,0 @@
From 929c7156cefdd2f74f83dcab2b15b2d09e80ec82 Mon Sep 17 00:00:00 2001
From: covener <covener@apache.org>
Date: Wed Jun 1 12:20:56 2022 UTC
Subject: [PATCH] ap_strcasecmp_match/ap_strcmp_match:fix types
---
server/util.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/server/util.c b/server/util.c
index 633648c..09ac0c5 100644
--- a/server/util.c
+++ b/server/util.c
@@ -185,7 +185,7 @@ AP_DECLARE(char *) ap_ht_time(apr_pool_t *p, apr_time_t t, const char *fmt,
*/
AP_DECLARE(int) ap_strcmp_match(const char *str, const char *expected)
{
- int x, y;
+ apr_size_t x, y;
for (x = 0, y = 0; expected[y]; ++y, ++x) {
if (expected[y] == '*') {
@@ -209,7 +209,7 @@ AP_DECLARE(int) ap_strcmp_match(const char *str, const char *expected)
AP_DECLARE(int) ap_strcasecmp_match(const char *str, const char *expected)
{
- int x, y;
+ apr_size_t x, y;
for (x = 0, y = 0; expected[y]; ++y, ++x) {
if (!str[x] && expected[y] != '*')
--
1.8.3.1

88
backport-CVE-2022-29404.patch
View File

@ -1,88 +0,0 @@
From 92499e20034485c5e2d29cb85940e309573d976e Mon Sep 17 00:00:00 2001
From: covener <covener@apache.org>
Date: Wed Jun 1 12:30:46 2022 UTC
Subject: [PATCH] use a liberal default limit for LimitRequestBody of 1GB
---
modules/http/http_filters.c | 8 +++++++-
modules/proxy/proxy_util.c | 13 -------------
server/core.c | 2 +-
3 files changed, 8 insertions(+), 15 deletions(-)
diff --git a/modules/http/http_filters.c b/modules/http/http_filters.c
index 3e02da8..c3eab95 100644
--- a/modules/http/http_filters.c
+++ b/modules/http/http_filters.c
@@ -1700,7 +1700,8 @@ AP_DECLARE(int) ap_setup_client_block(request_rec *r, int read_policy)
{
const char *tenc = apr_table_get(r->headers_in, "Transfer-Encoding");
const char *lenp = apr_table_get(r->headers_in, "Content-Length");
-
+ apr_off_t limit_req_body = ap_get_limit_req_body(r);
+
r->read_body = read_policy;
r->read_chunked = 0;
r->remaining = 0;
@@ -1735,6 +1736,11 @@ AP_DECLARE(int) ap_setup_client_block(request_rec *r, int read_policy)
return HTTP_REQUEST_ENTITY_TOO_LARGE;
}
+ if (limit_req_body > 0 && (r->remaining > limit_req_body)) {
+ /* will be logged when the body is discarded */
+ return HTTP_REQUEST_ENTITY_TOO_LARGE;
+ }
+
#ifdef AP_DEBUG
{
/* Make sure ap_getline() didn't leave any droppings. */
diff --git a/modules/proxy/proxy_util.c b/modules/proxy/proxy_util.c
index 4f1610f..04733f2 100644
--- a/modules/proxy/proxy_util.c
+++ b/modules/proxy/proxy_util.c
@@ -4249,12 +4249,10 @@ PROXY_DECLARE(int) ap_proxy_spool_input(request_rec *r,
apr_bucket *e;
apr_off_t bytes, fsize = 0;
apr_file_t *tmpfile = NULL;
- apr_off_t limit;
*bytes_spooled = 0;
body_brigade = apr_brigade_create(p, bucket_alloc);
- limit = ap_get_limit_req_body(r);
do {
if (APR_BRIGADE_EMPTY(input_brigade)) {
@@ -4273,17 +4271,6 @@ PROXY_DECLARE(int) ap_proxy_spool_input(request_rec *r,
apr_brigade_length(input_brigade, 1, &bytes);
if (*bytes_spooled + bytes > max_mem_spool) {
- /*
- * LimitRequestBody does not affect Proxy requests (Should it?).
- * Let it take effect if we decide to store the body in a
- * temporary file on disk.
- */
- if (limit && (*bytes_spooled + bytes > limit)) {
- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01088)
- "Request body is larger than the configured "
- "limit of %" APR_OFF_T_FMT, limit);
- return HTTP_REQUEST_ENTITY_TOO_LARGE;
- }
/* can't spool any more in memory; write latest brigade to disk */
if (tmpfile == NULL) {
const char *temp_dir;
diff --git a/server/core.c b/server/core.c
index 957eeff..515047b 100644
--- a/server/core.c
+++ b/server/core.c
@@ -71,7 +71,7 @@
/* LimitRequestBody handling */
#define AP_LIMIT_REQ_BODY_UNSET ((apr_off_t) -1)
-#define AP_DEFAULT_LIMIT_REQ_BODY ((apr_off_t) 0)
+#define AP_DEFAULT_LIMIT_REQ_BODY ((apr_off_t) 1<<30) /* 1GB */
/* LimitXMLRequestBody handling */
#define AP_LIMIT_UNSET ((long) -1)
--
1.8.3.1

408
backport-CVE-2022-30522.patch
View File

@ -1,408 +0,0 @@
From 65b8fb947b144556c7ad1cf7ddc3941010ad77ba Mon Sep 17 00:00:00 2001
From: covener <covener@apache.org>
Date: Wed Jun 1 12:40:09 2022 UTC
Subject: [PATCH] limit mod_sed memory use
---
modules/filters/sed1.c | 156 +++++++++++++++++++++++++++++++++++--------------
1 file changed, 113 insertions(+), 43 deletions(-)
diff --git a/modules/filters/sed1.c b/modules/filters/sed1.c
index 67a8d06..a08068e 100644
--- a/modules/filters/sed1.c
+++ b/modules/filters/sed1.c
@@ -87,18 +87,20 @@ static void eval_errf(sed_eval_t *eval, const char *fmt, ...)
}
#define INIT_BUF_SIZE 1024
+#define MAX_BUF_SIZE 1024*8192
/*
* grow_buffer
*/
-static void grow_buffer(apr_pool_t *pool, char **buffer,
+static apr_status_t grow_buffer(apr_pool_t *pool, char **buffer,
char **spend, apr_size_t *cursize,
apr_size_t newsize)
{
char* newbuffer = NULL;
apr_size_t spendsize = 0;
- if (*cursize >= newsize)
- return;
+ if (*cursize >= newsize) {
+ return APR_SUCCESS;
+ }
/* Avoid number of times realloc is called. It could cause huge memory
* requirement if line size is huge e.g 2 MB */
if (newsize < *cursize * 2) {
@@ -107,6 +109,9 @@ static void grow_buffer(apr_pool_t *pool, char **buffer,
/* Align it to 4 KB boundary */
newsize = (newsize + ((1 << 12) - 1)) & ~((1 << 12) - 1);
+ if (newsize > MAX_BUF_SIZE) {
+ return APR_ENOMEM;
+ }
newbuffer = apr_pcalloc(pool, newsize);
if (*spend && *buffer && (*cursize > 0)) {
spendsize = *spend - *buffer;
@@ -119,63 +124,77 @@ static void grow_buffer(apr_pool_t *pool, char **buffer,
if (spend != buffer) {
*spend = *buffer + spendsize;
}
+ return APR_SUCCESS;
}
/*
* grow_line_buffer
*/
-static void grow_line_buffer(sed_eval_t *eval, apr_size_t newsize)
+static apr_status_t grow_line_buffer(sed_eval_t *eval, apr_size_t newsize)
{
- grow_buffer(eval->pool, &eval->linebuf, &eval->lspend,
+ return grow_buffer(eval->pool, &eval->linebuf, &eval->lspend,
&eval->lsize, newsize);
}
/*
* grow_hold_buffer
*/
-static void grow_hold_buffer(sed_eval_t *eval, apr_size_t newsize)
+static apr_status_t grow_hold_buffer(sed_eval_t *eval, apr_size_t newsize)
{
- grow_buffer(eval->pool, &eval->holdbuf, &eval->hspend,
+ return grow_buffer(eval->pool, &eval->holdbuf, &eval->hspend,
&eval->hsize, newsize);
}
/*
* grow_gen_buffer
*/
-static void grow_gen_buffer(sed_eval_t *eval, apr_size_t newsize,
+static apr_status_t grow_gen_buffer(sed_eval_t *eval, apr_size_t newsize,
char **gspend)
{
+ apr_status_t rc = 0;
if (gspend == NULL) {
gspend = &eval->genbuf;
}
- grow_buffer(eval->pool, &eval->genbuf, gspend,
+ rc = grow_buffer(eval->pool, &eval->genbuf, gspend,
&eval->gsize, newsize);
- eval->lcomend = &eval->genbuf[71];
+ if (rc == APR_SUCCESS) {
+ eval->lcomend = &eval->genbuf[71];
+ }
+ return rc;
}
/*
* appendmem_to_linebuf
*/
-static void appendmem_to_linebuf(sed_eval_t *eval, const char* sz, apr_size_t len)
+static apr_status_t appendmem_to_linebuf(sed_eval_t *eval, const char* sz, apr_size_t len)
{
+ apr_status_t rc = 0;
apr_size_t reqsize = (eval->lspend - eval->linebuf) + len;
if (eval->lsize < reqsize) {
- grow_line_buffer(eval, reqsize);
+ rc = grow_line_buffer(eval, reqsize);
+ if (rc != APR_SUCCESS) {
+ return rc;
+ }
}
memcpy(eval->lspend, sz, len);
eval->lspend += len;
+ return APR_SUCCESS;
}
/*
* append_to_linebuf
*/
-static void append_to_linebuf(sed_eval_t *eval, const char* sz,
+static apr_status_t append_to_linebuf(sed_eval_t *eval, const char* sz,
step_vars_storage *step_vars)
{
apr_size_t len = strlen(sz);
char *old_linebuf = eval->linebuf;
+ apr_status_t rc = 0;
/* Copy string including null character */
- appendmem_to_linebuf(eval, sz, len + 1);
+ rc = appendmem_to_linebuf(eval, sz, len + 1);
+ if (rc != APR_SUCCESS) {
+ return rc;
+ }
--eval->lspend; /* lspend will now point to NULL character */
/* Sync step_vars after a possible linebuf expansion */
if (step_vars && old_linebuf != eval->linebuf) {
@@ -189,68 +208,84 @@ static void append_to_linebuf(sed_eval_t *eval, const char* sz,
step_vars->locs = step_vars->locs - old_linebuf + eval->linebuf;
}
}
+ return APR_SUCCESS;
}
/*
* copy_to_linebuf
*/
-static void copy_to_linebuf(sed_eval_t *eval, const char* sz,
+static apr_status_t copy_to_linebuf(sed_eval_t *eval, const char* sz,
step_vars_storage *step_vars)
{
eval->lspend = eval->linebuf;
- append_to_linebuf(eval, sz, step_vars);
+ return append_to_linebuf(eval, sz, step_vars);
}
/*
* append_to_holdbuf
*/
-static void append_to_holdbuf(sed_eval_t *eval, const char* sz)
+static apr_status_t append_to_holdbuf(sed_eval_t *eval, const char* sz)
{
apr_size_t len = strlen(sz);
apr_size_t reqsize = (eval->hspend - eval->holdbuf) + len + 1;
+ apr_status_t rc = 0;
if (eval->hsize <= reqsize) {
- grow_hold_buffer(eval, reqsize);
+ rc = grow_hold_buffer(eval, reqsize);
+ if (rc != APR_SUCCESS) {
+ return rc;
+ }
}
memcpy(eval->hspend, sz, len + 1);
/* hspend will now point to NULL character */
eval->hspend += len;
+ return APR_SUCCESS;
}
/*
* copy_to_holdbuf
*/
-static void copy_to_holdbuf(sed_eval_t *eval, const char* sz)
+static apr_status_t copy_to_holdbuf(sed_eval_t *eval, const char* sz)
{
eval->hspend = eval->holdbuf;
- append_to_holdbuf(eval, sz);
+ return append_to_holdbuf(eval, sz);
}
/*
* append_to_genbuf
*/
-static void append_to_genbuf(sed_eval_t *eval, const char* sz, char **gspend)
+static apr_status_t append_to_genbuf(sed_eval_t *eval, const char* sz, char **gspend)
{
apr_size_t len = strlen(sz);
apr_size_t reqsize = (*gspend - eval->genbuf) + len + 1;
+ apr_status_t rc = 0;
if (eval->gsize < reqsize) {
- grow_gen_buffer(eval, reqsize, gspend);
+ rc = grow_gen_buffer(eval, reqsize, gspend);
+ if (rc != APR_SUCCESS) {
+ return rc;
+ }
}
memcpy(*gspend, sz, len + 1);
/* *gspend will now point to NULL character */
*gspend += len;
+ return APR_SUCCESS;
}
/*
* copy_to_genbuf
*/
-static void copy_to_genbuf(sed_eval_t *eval, const char* sz)
+static apr_status_t copy_to_genbuf(sed_eval_t *eval, const char* sz)
{
apr_size_t len = strlen(sz);
apr_size_t reqsize = len + 1;
+ apr_status_t rc = APR_SUCCESS;
if (eval->gsize < reqsize) {
- grow_gen_buffer(eval, reqsize, NULL);
+ rc = grow_gen_buffer(eval, reqsize, NULL);
+ if (rc != APR_SUCCESS) {
+ return rc;
+ }
}
memcpy(eval->genbuf, sz, len + 1);
+ return rc;
}
/*
@@ -397,6 +432,7 @@ apr_status_t sed_eval_buffer(sed_eval_t *eval, const char *buf, apr_size_t bufsz
}
while (bufsz) {
+ apr_status_t rc = 0;
char *n;
apr_size_t llen;
@@ -411,7 +447,10 @@ apr_status_t sed_eval_buffer(sed_eval_t *eval, const char *buf, apr_size_t bufsz
break;
}
- appendmem_to_linebuf(eval, buf, llen + 1);
+ rc = appendmem_to_linebuf(eval, buf, llen + 1);
+ if (rc != APR_SUCCESS) {
+ return rc;
+ }
--eval->lspend;
/* replace new line character with NULL */
*eval->lspend = '\0';
@@ -426,7 +465,10 @@ apr_status_t sed_eval_buffer(sed_eval_t *eval, const char *buf, apr_size_t bufsz
/* Save the leftovers for later */
if (bufsz) {
- appendmem_to_linebuf(eval, buf, bufsz);
+ apr_status_t rc = appendmem_to_linebuf(eval, buf, bufsz);
+ if (rc != APR_SUCCESS) {
+ return rc;
+ }
}
return APR_SUCCESS;
@@ -448,6 +490,7 @@ apr_status_t sed_finalize_eval(sed_eval_t *eval, void *fout)
/* Process leftovers */
if (eval->lspend > eval->linebuf) {
apr_status_t rv;
+ apr_status_t rc = 0;
if (eval->lreadyflag) {
eval->lreadyflag = 0;
@@ -457,7 +500,10 @@ apr_status_t sed_finalize_eval(sed_eval_t *eval, void *fout)
* buffer is not a newline.
*/
/* Assure space for NULL */
- append_to_linebuf(eval, "", NULL);
+ rc = append_to_linebuf(eval, "", NULL);
+ if (rc != APR_SUCCESS) {
+ return rc;
+ }
}
*eval->lspend = '\0';
@@ -655,11 +701,15 @@ static apr_status_t dosub(sed_eval_t *eval, char *rhsbuf, int n,
sp = eval->genbuf;
rp = rhsbuf;
sp = place(eval, sp, lp, step_vars->loc1);
+ if (sp == NULL) {
+ return APR_EGENERAL;
+ }
while ((c = *rp++) != 0) {
if (c == '&') {
sp = place(eval, sp, step_vars->loc1, step_vars->loc2);
- if (sp == NULL)
+ if (sp == NULL) {
return APR_EGENERAL;
+ }
}
else if (c == '\\') {
c = *rp++;
@@ -675,13 +725,19 @@ static apr_status_t dosub(sed_eval_t *eval, char *rhsbuf, int n,
*sp++ = c;
if (sp >= eval->genbuf + eval->gsize) {
/* expand genbuf and set the sp appropriately */
- grow_gen_buffer(eval, eval->gsize + 1024, &sp);
+ rv = grow_gen_buffer(eval, eval->gsize + 1024, &sp);
+ if (rv != APR_SUCCESS) {
+ return rv;
+ }
}
}
lp = step_vars->loc2;
step_vars->loc2 = sp - eval->genbuf + eval->linebuf;
- append_to_genbuf(eval, lp, &sp);
- copy_to_linebuf(eval, eval->genbuf, step_vars);
+ rv = append_to_genbuf(eval, lp, &sp);
+ if (rv != APR_SUCCESS) {
+ return rv;
+ }
+ rv = copy_to_linebuf(eval, eval->genbuf, step_vars);
return rv;
}
@@ -695,7 +751,10 @@ static char *place(sed_eval_t *eval, char *asp, char *al1, char *al2)
apr_size_t reqsize = (sp - eval->genbuf) + n + 1;
if (eval->gsize < reqsize) {
- grow_gen_buffer(eval, reqsize, &sp);
+ apr_status_t rc = grow_gen_buffer(eval, reqsize, &sp);
+ if (rc != APR_SUCCESS) {
+ return NULL;
+ }
}
memcpy(sp, al1, n);
return sp + n;
@@ -750,7 +809,8 @@ static apr_status_t command(sed_eval_t *eval, sed_reptr_t *ipc,
}
p1++;
- copy_to_linebuf(eval, p1, step_vars);
+ rv = copy_to_linebuf(eval, p1, step_vars);
+ if (rv != APR_SUCCESS) return rv;
eval->jflag++;
break;
@@ -760,21 +820,27 @@ static apr_status_t command(sed_eval_t *eval, sed_reptr_t *ipc,
break;
case GCOM:
- copy_to_linebuf(eval, eval->holdbuf, step_vars);
+ rv = copy_to_linebuf(eval, eval->holdbuf, step_vars);
+ if (rv != APR_SUCCESS) return rv;
break;
case CGCOM:
- append_to_linebuf(eval, "\n", step_vars);
- append_to_linebuf(eval, eval->holdbuf, step_vars);
+ rv = append_to_linebuf(eval, "\n", step_vars);
+ if (rv != APR_SUCCESS) return rv;
+ rv = append_to_linebuf(eval, eval->holdbuf, step_vars);
+ if (rv != APR_SUCCESS) return rv;
break;
case HCOM:
- copy_to_holdbuf(eval, eval->linebuf);
+ rv = copy_to_holdbuf(eval, eval->linebuf);
+ if (rv != APR_SUCCESS) return rv;
break;
case CHCOM:
- append_to_holdbuf(eval, "\n");
- append_to_holdbuf(eval, eval->linebuf);
+ rv = append_to_holdbuf(eval, "\n");
+ if (rv != APR_SUCCESS) return rv;
+ rv = append_to_holdbuf(eval, eval->linebuf);
+ if (rv != APR_SUCCESS) return rv;
break;
case ICOM:
@@ -896,7 +962,8 @@ static apr_status_t command(sed_eval_t *eval, sed_reptr_t *ipc,
if (rv != APR_SUCCESS)
return rv;
}
- append_to_linebuf(eval, "\n", step_vars);
+ rv = append_to_linebuf(eval, "\n", step_vars);
+ if (rv != APR_SUCCESS) return rv;
eval->pending = ipc->next;
break;
@@ -970,9 +1037,12 @@ static apr_status_t command(sed_eval_t *eval, sed_reptr_t *ipc,
break;
case XCOM:
- copy_to_genbuf(eval, eval->linebuf);
- copy_to_linebuf(eval, eval->holdbuf, step_vars);
- copy_to_holdbuf(eval, eval->genbuf);
+ rv = copy_to_genbuf(eval, eval->linebuf);
+ if (rv != APR_SUCCESS) return rv;
+ rv = copy_to_linebuf(eval, eval->holdbuf, step_vars);
+ if (rv != APR_SUCCESS) return rv;
+ rv = copy_to_holdbuf(eval, eval->genbuf);
+ if (rv != APR_SUCCESS) return rv;
break;
case YCOM:
--
1.8.3.1

246
backport-CVE-2022-30556.patch
View File

@ -1,246 +0,0 @@
From 11a3fcbf9e64239d8fe8402d941bbdcbc4532c88 Mon Sep 17 00:00:00 2001
From: covener <covener@apache.org>
Date: Wed Jun 1 12:36:13 2022 UTC
Subject: [PATCH] use filters consistently
---
modules/lua/lua_request.c | 145 +++++++++++++++++-----------------------------
1 file changed, 54 insertions(+), 91 deletions(-)
diff --git a/modules/lua/lua_request.c b/modules/lua/lua_request.c
index 1eab7b6..a7e501b 100644
--- a/modules/lua/lua_request.c
+++ b/modules/lua/lua_request.c
@@ -2227,23 +2227,20 @@ static int lua_websocket_greet(lua_State *L)
return 0;
}
-static apr_status_t lua_websocket_readbytes(conn_rec* c, char* buffer,
- apr_off_t len)
+static apr_status_t lua_websocket_readbytes(conn_rec* c,
+ apr_bucket_brigade *brigade,
+ char* buffer, apr_off_t len)
{
- apr_bucket_brigade *brigade = apr_brigade_create(c->pool, c->bucket_alloc);
+ apr_size_t delivered;
apr_status_t rv;
+
rv = ap_get_brigade(c->input_filters, brigade, AP_MODE_READBYTES,
APR_BLOCK_READ, len);
if (rv == APR_SUCCESS) {
- if (!APR_BRIGADE_EMPTY(brigade)) {
- apr_bucket* bucket = APR_BRIGADE_FIRST(brigade);
- const char* data = NULL;
- apr_size_t data_length = 0;
- rv = apr_bucket_read(bucket, &data, &data_length, APR_BLOCK_READ);
- if (rv == APR_SUCCESS) {
- memcpy(buffer, data, len);
- }
- apr_bucket_delete(bucket);
+ delivered = len;
+ rv = apr_brigade_flatten(brigade, buffer, &delivered);
+ if ((rv == APR_SUCCESS) && (delivered < len)) {
+ rv = APR_INCOMPLETE;
}
}
apr_brigade_cleanup(brigade);
@@ -2273,35 +2270,29 @@ static int lua_websocket_peek(lua_State *L)
static int lua_websocket_read(lua_State *L)
{
- apr_socket_t *sock;
apr_status_t rv;
int do_read = 1;
int n = 0;
- apr_size_t len = 1;
apr_size_t plen = 0;
unsigned short payload_short = 0;
apr_uint64_t payload_long = 0;
unsigned char *mask_bytes;
char byte;
- int plaintext;
-
- request_rec *r = ap_lua_check_request_rec(L, 1);
- plaintext = ap_lua_ssl_is_https(r->connection) ? 0 : 1;
+ apr_bucket_brigade *brigade;
+ conn_rec* c;
+ request_rec *r = ap_lua_check_request_rec(L, 1);
+ c = r->connection;
mask_bytes = apr_pcalloc(r->pool, 4);
- sock = ap_get_conn_socket(r->connection);
+
+ brigade = apr_brigade_create(r->pool, c->bucket_alloc);
while (do_read) {
do_read = 0;
/* Get opcode and FIN bit */
- if (plaintext) {
- rv = apr_socket_recv(sock, &byte, &len);
- }
- else {
- rv = lua_websocket_readbytes(r->connection, &byte, 1);
- }
+ rv = lua_websocket_readbytes(c, brigade, &byte, 1);
if (rv == APR_SUCCESS) {
unsigned char ubyte, fin, opcode, mask, payload;
ubyte = (unsigned char)byte;
@@ -2311,12 +2302,7 @@ static int lua_websocket_read(lua_State *L)
opcode = ubyte & 0xf;
/* Get the payload length and mask bit */
- if (plaintext) {
- rv = apr_socket_recv(sock, &byte, &len);
- }
- else {
- rv = lua_websocket_readbytes(r->connection, &byte, 1);
- }
+ rv = lua_websocket_readbytes(c, brigade, &byte, 1);
if (rv == APR_SUCCESS) {
ubyte = (unsigned char)byte;
/* Mask is the first bit */
@@ -2327,40 +2313,25 @@ static int lua_websocket_read(lua_State *L)
/* Extended payload? */
if (payload == 126) {
- len = 2;
- if (plaintext) {
- /* XXX: apr_socket_recv does not receive len bits, only up to len bits! */
- rv = apr_socket_recv(sock, (char*) &payload_short, &len);
- }
- else {
- rv = lua_websocket_readbytes(r->connection,
- (char*) &payload_short, 2);
- }
- payload_short = ntohs(payload_short);
-
- if (rv == APR_SUCCESS) {
- plen = payload_short;
- }
- else {
+ rv = lua_websocket_readbytes(c, brigade,
+ (char*) &payload_short, 2);
+
+ if (rv != APR_SUCCESS) {
return 0;
}
+
+ plen = ntohs(payload_short);
}
/* Super duper extended payload? */
if (payload == 127) {
- len = 8;
- if (plaintext) {
- rv = apr_socket_recv(sock, (char*) &payload_long, &len);
- }
- else {
- rv = lua_websocket_readbytes(r->connection,
- (char*) &payload_long, 8);
- }
- if (rv == APR_SUCCESS) {
- plen = ap_ntoh64(&payload_long);
- }
- else {
+ rv = lua_websocket_readbytes(c, brigade,
+ (char*) &payload_long, 8);
+
+ if (rv != APR_SUCCESS) {
return 0;
}
+
+ plen = ap_ntoh64(&payload_long);
}
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(03210)
"Websocket: Reading %" APR_SIZE_T_FMT " (%s) bytes, masking is %s. %s",
@@ -2369,46 +2340,27 @@ static int lua_websocket_read(lua_State *L)
mask ? "on" : "off",
fin ? "This is a final frame" : "more to follow");
if (mask) {
- len = 4;
- if (plaintext) {
- rv = apr_socket_recv(sock, (char*) mask_bytes, &len);
- }
- else {
- rv = lua_websocket_readbytes(r->connection,
- (char*) mask_bytes, 4);
- }
+ rv = lua_websocket_readbytes(c, brigade,
+ (char*) mask_bytes, 4);
+
if (rv != APR_SUCCESS) {
return 0;
}
}
if (plen < (HUGE_STRING_LEN*1024) && plen > 0) {
apr_size_t remaining = plen;
- apr_size_t received;
- apr_off_t at = 0;
char *buffer = apr_palloc(r->pool, plen+1);
buffer[plen] = 0;
- if (plaintext) {
- while (remaining > 0) {
- received = remaining;
- rv = apr_socket_recv(sock, buffer+at, &received);
- if (received > 0 ) {
- remaining -= received;
- at += received;
- }
- }
- ap_log_rerror(APLOG_MARK, APLOG_TRACE1, 0, r,
- "Websocket: Frame contained %" APR_OFF_T_FMT " bytes, pushed to Lua stack",
- at);
- }
- else {
- rv = lua_websocket_readbytes(r->connection, buffer,
- remaining);
- ap_log_rerror(APLOG_MARK, APLOG_TRACE1, 0, r,
- "Websocket: SSL Frame contained %" APR_SIZE_T_FMT " bytes, "\
- "pushed to Lua stack",
- remaining);
+ rv = lua_websocket_readbytes(c, brigade, buffer, remaining);
+
+ if (rv != APR_SUCCESS) {
+ return 0;
}
+
+ ap_log_rerror(APLOG_MARK, APLOG_TRACE1, 0, r,
+ "Websocket: Frame contained %" APR_SIZE_T_FMT \
+ " bytes, pushed to Lua stack", remaining);
if (mask) {
for (n = 0; n < plen; n++) {
buffer[n] ^= mask_bytes[n%4];
@@ -2420,14 +2372,25 @@ static int lua_websocket_read(lua_State *L)
return 2;
}
-
/* Decide if we need to react to the opcode or not */
if (opcode == 0x09) { /* ping */
char frame[2];
- plen = 2;
+ apr_bucket *b;
+
frame[0] = 0x8A;
frame[1] = 0;
- apr_socket_send(sock, frame, &plen); /* Pong! */
+
+ /* Pong! */
+ b = apr_bucket_transient_create(frame, 2, c->bucket_alloc);
+ APR_BRIGADE_INSERT_TAIL(brigade, b);
+
+ rv = ap_pass_brigade(c->output_filters, brigade);
+ apr_brigade_cleanup(brigade);
+
+ if (rv != APR_SUCCESS) {
+ return 0;
+ }
+
do_read = 1;
}
}
--
1.8.3.1

243
backport-CVE-2022-31813.patch
View File

@ -1,243 +0,0 @@
From 956f708b094698ac9ad570d640d4f30eb0df7305 Mon Sep 17 00:00:00 2001
From: icing <icing@apache.org>
Date: Wed Jun 1 07:51:04 2022 UTC
Subject: [PATCH] mod_proxy: ap_proxy_create_hdrbrgd() to clear hop-by-hop first and fixup last.
---
modules/proxy/proxy_util.c | 155 +++++++++++++++++++++++----------------------
1 file changed, 78 insertions(+), 77 deletions(-)
diff --git a/modules/proxy/proxy_util.c b/modules/proxy/proxy_util.c
index d578452..4f1610f 100644
--- a/modules/proxy/proxy_util.c
+++ b/modules/proxy/proxy_util.c
@@ -3849,12 +3849,14 @@ PROXY_DECLARE(int) ap_proxy_create_hdrbrgd(apr_pool_t *p,
char **old_cl_val,
char **old_te_val)
{
+ int rc = OK;
conn_rec *c = r->connection;
int counter;
char *buf;
+ apr_table_t *saved_headers_in = r->headers_in;
+ const char *saved_host = apr_table_get(saved_headers_in, "Host");
const apr_array_header_t *headers_in_array;
const apr_table_entry_t *headers_in;
- apr_table_t *saved_headers_in;
apr_bucket *e;
int do_100_continue;
conn_rec *origin = p_conn->connection;
@@ -3890,6 +3892,52 @@ PROXY_DECLARE(int) ap_proxy_create_hdrbrgd(apr_pool_t *p,
ap_xlate_proto_to_ascii(buf, strlen(buf));
e = apr_bucket_pool_create(buf, strlen(buf), p, c->bucket_alloc);
APR_BRIGADE_INSERT_TAIL(header_brigade, e);
+
+ /*
+ * Make a copy on r->headers_in for the request we make to the backend,
+ * modify the copy in place according to our configuration and connection
+ * handling, use it to fill in the forwarded headers' brigade, and finally
+ * restore the saved/original ones in r->headers_in.
+ *
+ * Note: We need to take r->pool for apr_table_copy as the key / value
+ * pairs in r->headers_in have been created out of r->pool and
+ * p might be (and actually is) a longer living pool.
+ * This would trigger the bad pool ancestry abort in apr_table_copy if
+ * apr is compiled with APR_POOL_DEBUG.
+ *
+ * icing: if p indeed lives longer than r->pool, we should allocate
+ * all new header values from r->pool as well and avoid leakage.
+ */
+ r->headers_in = apr_table_copy(r->pool, saved_headers_in);
+
+ /* Return the original Transfer-Encoding and/or Content-Length values
+ * then drop the headers, they must be set by the proxy handler based
+ * on the actual body being forwarded.
+ */
+ if ((*old_te_val = (char *)apr_table_get(r->headers_in,
+ "Transfer-Encoding"))) {
+ apr_table_unset(r->headers_in, "Transfer-Encoding");
+ }
+ if ((*old_cl_val = (char *)apr_table_get(r->headers_in,
+ "Content-Length"))) {
+ apr_table_unset(r->headers_in, "Content-Length");
+ }
+
+ /* Clear out hop-by-hop request headers not to forward */
+ if (ap_proxy_clear_connection(r, r->headers_in) < 0) {
+ rc = HTTP_BAD_REQUEST;
+ goto cleanup;
+ }
+
+ /* RFC2616 13.5.1 says we should strip these */
+ apr_table_unset(r->headers_in, "Keep-Alive");
+ apr_table_unset(r->headers_in, "Upgrade");
+ apr_table_unset(r->headers_in, "Trailer");
+ apr_table_unset(r->headers_in, "TE");
+
+ /* We used to send `Host: ` always first, so let's keep it that
+ * way. No telling which legacy backend is relying no this.
+ */
if (dconf->preserve_host == 0) {
if (ap_strchr_c(uri->hostname, ':')) { /* if literal IPv6 address */
if (uri->port_str && uri->port != DEFAULT_HTTP_PORT) {
@@ -3911,7 +3959,7 @@ PROXY_DECLARE(int) ap_proxy_create_hdrbrgd(apr_pool_t *p,
/* don't want to use r->hostname, as the incoming header might have a
* port attached
*/
- const char* hostname = apr_table_get(r->headers_in,"Host");
+ const char* hostname = saved_host;
if (!hostname) {
hostname = r->server->server_hostname;
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01092)
@@ -3925,22 +3973,8 @@ PROXY_DECLARE(int) ap_proxy_create_hdrbrgd(apr_pool_t *p,
ap_xlate_proto_to_ascii(buf, strlen(buf));
e = apr_bucket_pool_create(buf, strlen(buf), p, c->bucket_alloc);
APR_BRIGADE_INSERT_TAIL(header_brigade, e);
-
- /*
- * Save the original headers in here and restore them when leaving, since
- * we will apply proxy purpose only modifications (eg. clearing hop-by-hop
- * headers, add Via or X-Forwarded-* or Expect...), whereas the originals
- * will be needed later to prepare the correct response and logging.
- *
- * Note: We need to take r->pool for apr_table_copy as the key / value
- * pairs in r->headers_in have been created out of r->pool and
- * p might be (and actually is) a longer living pool.
- * This would trigger the bad pool ancestry abort in apr_table_copy if
- * apr is compiled with APR_POOL_DEBUG.
- */
- saved_headers_in = r->headers_in;
- r->headers_in = apr_table_copy(r->pool, saved_headers_in);
-
+ apr_table_unset(r->headers_in, "Host");
+
/* handle Via */
if (conf->viaopt == via_block) {
/* Block all outgoing Via: headers */
@@ -4006,8 +4040,6 @@ PROXY_DECLARE(int) ap_proxy_create_hdrbrgd(apr_pool_t *p,
*/
if (dconf->add_forwarded_headers) {
if (PROXYREQ_REVERSE == r->proxyreq) {
- const char *buf;
-
/* Add X-Forwarded-For: so that the upstream has a chance to
* determine, where the original request came from.
*/
@@ -4017,8 +4049,9 @@ PROXY_DECLARE(int) ap_proxy_create_hdrbrgd(apr_pool_t *p,
/* Add X-Forwarded-Host: so that upstream knows what the
* original request hostname was.
*/
- if ((buf = apr_table_get(r->headers_in, "Host"))) {
- apr_table_mergen(r->headers_in, "X-Forwarded-Host", buf);
+ if (saved_host) {
+ apr_table_mergen(r->headers_in, "X-Forwarded-Host",
+ saved_host);
}
/* Add X-Forwarded-Server: so that upstream knows what the
@@ -4029,67 +4062,37 @@ PROXY_DECLARE(int) ap_proxy_create_hdrbrgd(apr_pool_t *p,
r->server->server_hostname);
}
}
+
+ /* Do we want to strip Proxy-Authorization ?
+ * If we haven't used it, then NO
+ * If we have used it then MAYBE: RFC2616 says we MAY propagate it.
+ * So let's make it configurable by env.
+ */
+ if (r->user != NULL /* we've authenticated */
+ && !apr_table_get(r->subprocess_env, "Proxy-Chain-Auth")) {
+ apr_table_unset(r->headers_in, "Proxy-Authorization");
+ }
- proxy_run_fixups(r);
- if (ap_proxy_clear_connection(r, r->headers_in) < 0) {
- return HTTP_BAD_REQUEST;
+ /* for sub-requests, ignore freshness/expiry headers */
+ if (r->main) {
+ apr_table_unset(r->headers_in, "If-Match");
+ apr_table_unset(r->headers_in, "If-Modified-Since");
+ apr_table_unset(r->headers_in, "If-Range");
+ apr_table_unset(r->headers_in, "If-Unmodified-Since");
+ apr_table_unset(r->headers_in, "If-None-Match");
}
+
+ /* run hook to fixup the request we are about to send */
+ proxy_run_fixups(r);
/* send request headers */
headers_in_array = apr_table_elts(r->headers_in);
headers_in = (const apr_table_entry_t *) headers_in_array->elts;
for (counter = 0; counter < headers_in_array->nelts; counter++) {
if (headers_in[counter].key == NULL
- || headers_in[counter].val == NULL
-
- /* Already sent */
- || !ap_cstr_casecmp(headers_in[counter].key, "Host")
-
- /* Clear out hop-by-hop request headers not to send
- * RFC2616 13.5.1 says we should strip these headers
- */
- || !ap_cstr_casecmp(headers_in[counter].key, "Keep-Alive")
- || !ap_cstr_casecmp(headers_in[counter].key, "TE")
- || !ap_cstr_casecmp(headers_in[counter].key, "Trailer")
- || !ap_cstr_casecmp(headers_in[counter].key, "Upgrade")
-
- ) {
+ || headers_in[counter].val == NULL) {
continue;
}
- /* Do we want to strip Proxy-Authorization ?
- * If we haven't used it, then NO
- * If we have used it then MAYBE: RFC2616 says we MAY propagate it.
- * So let's make it configurable by env.
- */
- if (!ap_cstr_casecmp(headers_in[counter].key,"Proxy-Authorization")) {
- if (r->user != NULL) { /* we've authenticated */
- if (!apr_table_get(r->subprocess_env, "Proxy-Chain-Auth")) {
- continue;
- }
- }
- }
-
- /* Skip Transfer-Encoding and Content-Length for now.
- */
- if (!ap_cstr_casecmp(headers_in[counter].key, "Transfer-Encoding")) {
- *old_te_val = headers_in[counter].val;
- continue;
- }
- if (!ap_cstr_casecmp(headers_in[counter].key, "Content-Length")) {
- *old_cl_val = headers_in[counter].val;
- continue;
- }
-
- /* for sub-requests, ignore freshness/expiry headers */
- if (r->main) {
- if ( !ap_cstr_casecmp(headers_in[counter].key, "If-Match")
- || !ap_cstr_casecmp(headers_in[counter].key, "If-Modified-Since")
- || !ap_cstr_casecmp(headers_in[counter].key, "If-Range")
- || !ap_cstr_casecmp(headers_in[counter].key, "If-Unmodified-Since")
- || !ap_cstr_casecmp(headers_in[counter].key, "If-None-Match")) {
- continue;
- }
- }
buf = apr_pstrcat(p, headers_in[counter].key, ": ",
headers_in[counter].val, CRLF,
@@ -4099,11 +4102,9 @@ PROXY_DECLARE(int) ap_proxy_create_hdrbrgd(apr_pool_t *p,
APR_BRIGADE_INSERT_TAIL(header_brigade, e);
}
- /* Restore the original headers in (see comment above),
- * we won't modify them anymore.
- */
+cleanup:
r->headers_in = saved_headers_in;
- return OK;
+ return rc;
}
PROXY_DECLARE(int) ap_proxy_prefetch_input(request_rec *r,
--
1.8.3.1

313
backport-Switch-from-PCRE-to-PCRE2.patch
View File

@ -1,313 +0,0 @@
From 12cfcf08fffc6e4ec597e0396016d09afdb89fa8 Mon Sep 17 00:00:00 2001
From: wrowe, Petr Pisar<ppisar@redhat.com>
Date: Fri, DEC 9 19:06:06 2016 UTC
Subject: [PATCH] backport Switch from PCRE to PCRE2
Conflict:NA
Reference:https://github.com/apache/httpd/commit/12cfcf08fffc6e4ec597e0396016d09afdb89fa8
---
configure.in | 26 +++++-----
server/util_pcre.c | 140 +++++++++++++++++++++++++++++++++++++++--------------
2 files changed, 118 insertions(+), 48 deletions(-)
diff --git a/configure.in b/configure.in
index 916377b..db7edc3 100644
--- a/configure.in
+++ b/configure.in
@@ -214,29 +214,33 @@ fi
AC_ARG_WITH(pcre,
APACHE_HELP_STRING(--with-pcre=PATH,Use external PCRE library))
-
-AC_PATH_PROG(PCRE_CONFIG, pcre-config, false)
-if test -d "$with_pcre" && test -x "$with_pcre/bin/pcre-config"; then
- PCRE_CONFIG=$with_pcre/bin/pcre-config
-elif test -x "$with_pcre"; then
- PCRE_CONFIG=$with_pcre
+if test "x$with_pcre" = "x" || test "$with_pcre" = "yes"; then
+ with_pcre="$PATH"
+else if which $with_pcre 2>/dev/null; then :; else
+ with_pcre="$with_pcre/bin:$with_pcre"
+fi
fi
+AC_CHECK_TARGET_TOOLS(PCRE_CONFIG, [pcre2-config pcre-config],
+ [`which $with_pcre 2>/dev/null`], $with_pcre)
-if test "$PCRE_CONFIG" != "false"; then
+if test "x$PCRE_CONFIG" != "x"; then
if $PCRE_CONFIG --version >/dev/null 2>&1; then :; else
- AC_MSG_ERROR([Did not find pcre-config script at $PCRE_CONFIG])
+ AC_MSG_ERROR([Did not find working script at $PCRE_CONFIG])
fi
case `$PCRE_CONFIG --version` in
+ [1[0-9].*])
+ AC_DEFINE(HAVE_PCRE2, 1, [Detected PCRE2])
+ ;;
[[1-5].*])
- AC_MSG_ERROR([Need at least pcre version 6.0])
+ AC_MSG_ERROR([Need at least pcre version 6.7])
;;
esac
AC_MSG_NOTICE([Using external PCRE library from $PCRE_CONFIG])
APR_ADDTO(PCRE_INCLUDES, [`$PCRE_CONFIG --cflags`])
- APR_ADDTO(PCRE_LIBS, [`$PCRE_CONFIG --libs`])
+ APR_ADDTO(PCRE_LIBS, [`$PCRE_CONFIG --libs8 2>/dev/null || $PCRE_CONFIG --libs`])
APR_ADDTO(HTTPD_LIBS, [\$(PCRE_LIBS)])
else
- AC_MSG_ERROR([pcre-config for libpcre not found. PCRE is required and available from http://pcre.org/])
+ AC_MSG_ERROR([pcre(2)-config for libpcre not found. PCRE is required and available from http://pcre.org/])
fi
APACHE_SUBST(PCRE_LIBS)
diff --git a/server/util_pcre.c b/server/util_pcre.c
index 78fc983..0fdf5f9 100644
--- a/server/util_pcre.c
+++ b/server/util_pcre.c
@@ -55,10 +55,18 @@ POSSIBILITY OF SUCH DAMAGE.
#include "httpd.h"
#include "apr_strings.h"
#include "apr_tables.h"
+
+#ifdef HAVE_PCRE2
+#define PCRE2_CODE_UNIT_WIDTH 8
+#include "pcre2.h"
+#define PCREn(x) PCRE2_ ## x
+#else
#include "pcre.h"
+#define PCREn(x) PCRE_ ## x
+#endif
/* PCRE_DUPNAMES is only present since version 6.7 of PCRE */
-#ifndef PCRE_DUPNAMES
+#if !defined(PCRE_DUPNAMES) && !defined(HAVE_PCRE2)
#error PCRE Version 6.7 or later required!
#else
@@ -115,7 +123,11 @@ AP_DECLARE(apr_size_t) ap_regerror(int errcode, const ap_regex_t *preg,
AP_DECLARE(void) ap_regfree(ap_regex_t *preg)
{
+#ifdef HAVE_PCRE2
+ pcre2_code_free(preg->re_pcre);
+#else
(pcre_free)(preg->re_pcre);
+#endif
}
@@ -168,25 +180,37 @@ AP_DECLARE(int) ap_regcomp_default_cflag_by_name(const char *name)
*/
AP_DECLARE(int) ap_regcomp(ap_regex_t * preg, const char *pattern, int cflags)
{
+#ifdef HAVE_PCRE2
+ uint32_t capcount;
+ size_t erroffset;
+#else
const char *errorptr;
int erroffset;
+#endif
int errcode = 0;
- int options = PCRE_DUPNAMES;
+ int options = PCREn(DUPNAMES);
if ((cflags & AP_REG_NO_DEFAULT) == 0)
cflags |= default_cflags;
if ((cflags & AP_REG_ICASE) != 0)
- options |= PCRE_CASELESS;
+ options |= PCREn(CASELESS);
if ((cflags & AP_REG_NEWLINE) != 0)
- options |= PCRE_MULTILINE;
+ options |= PCREn(MULTILINE);
if ((cflags & AP_REG_DOTALL) != 0)
- options |= PCRE_DOTALL;
+ options |= PCREn(DOTALL);
if ((cflags & AP_REG_DOLLAR_ENDONLY) != 0)
- options |= PCRE_DOLLAR_ENDONLY;
+ options |= PCREn(DOLLAR_ENDONLY);
+
+#ifdef HAVE_PCRE2
+ preg->re_pcre = pcre2_compile((const unsigned char *)pattern,
+ PCRE2_ZERO_TERMINATED, options, &errcode,
+ &erroffset, NULL);
+#else
+ preg->re_pcre = pcre_compile2(pattern, options, &errcode,
+ &errorptr, &erroffset, NULL);
+#endif
- preg->re_pcre =
- pcre_compile2(pattern, options, &errcode, &errorptr, &erroffset, NULL);
preg->re_erroffset = erroffset;
if (preg->re_pcre == NULL) {
@@ -199,8 +223,14 @@ AP_DECLARE(int) ap_regcomp(ap_regex_t * preg, const char *pattern, int cflags)
return AP_REG_INVARG;
}
+#ifdef HAVE_PCRE2
+ pcre2_pattern_info((const pcre2_code *)preg->re_pcre,
+ PCRE2_INFO_CAPTURECOUNT, &capcount);
+ preg->re_nsub = capcount;
+#else
pcre_fullinfo((const pcre *)preg->re_pcre, NULL,
PCRE_INFO_CAPTURECOUNT, &(preg->re_nsub));
+#endif
return 0;
}
@@ -232,17 +262,29 @@ AP_DECLARE(int) ap_regexec_len(const ap_regex_t *preg, const char *buff,
{
int rc;
int options = 0;
- int *ovector = NULL;
+#ifdef HAVE_PCRE2
+ pcre2_match_data *matchdata;
+ size_t *ovector;
+#else
int small_ovector[POSIX_MALLOC_THRESHOLD * 3];
int allocated_ovector = 0;
+ int *ovector = NULL;
+#endif
if ((eflags & AP_REG_NOTBOL) != 0)
- options |= PCRE_NOTBOL;
+ options |= PCREn(NOTBOL);
if ((eflags & AP_REG_NOTEOL) != 0)
- options |= PCRE_NOTEOL;
-
- ((ap_regex_t *)preg)->re_erroffset = (apr_size_t)(-1); /* Only has meaning after compile */
-
+ options |= PCREn(NOTEOL);
+
+#ifdef HAVE_PCRE2
+ matchdata = pcre2_match_data_create(nmatch, NULL);
+ if (matchdata == NULL)
+ return AP_REG_ESPACE;
+ ovector = pcre2_get_ovector_pointer(matchdata);
+ rc = pcre2_match((const pcre2_code *)preg->re_pcre,
+ (const unsigned char *)buff, len,
+ 0, options, matchdata, NULL);
+#else
if (nmatch > 0) {
if (nmatch <= POSIX_MALLOC_THRESHOLD) {
ovector = &(small_ovector[0]);
@@ -257,49 +299,62 @@ AP_DECLARE(int) ap_regexec_len(const ap_regex_t *preg, const char *buff,
rc = pcre_exec((const pcre *)preg->re_pcre, NULL, buff, (int)len,
0, options, ovector, nmatch * 3);
+#endif
if (rc == 0)
rc = nmatch; /* All captured slots were filled in */
if (rc >= 0) {
apr_size_t i;
- for (i = 0; i < (apr_size_t)rc; i++) {
+ apr_size_t nlim = (apr_size_t)rc < nmatch ? (apr_size_t)rc : nmatch;
+ for (i = 0; i < nlim; i++) {
pmatch[i].rm_so = ovector[i * 2];
pmatch[i].rm_eo = ovector[i * 2 + 1];
}
- if (allocated_ovector)
- free(ovector);
for (; i < nmatch; i++)
pmatch[i].rm_so = pmatch[i].rm_eo = -1;
+ }
+
+#ifdef HAVE_PCRE2
+ pcre2_match_data_free(matchdata);
+#else
+ if (allocated_ovector)
+ free(ovector);
+#endif
+ if (rc >= 0) {
return 0;
}
else {
- if (allocated_ovector)
- free(ovector);
+#ifdef HAVE_PCRE2
+ if (rc <= PCRE2_ERROR_UTF8_ERR1 && rc >= PCRE2_ERROR_UTF8_ERR21)
+ return AP_REG_INVARG;
+#endif
switch (rc) {
- case PCRE_ERROR_NOMATCH:
+ case PCREn(ERROR_NOMATCH):
return AP_REG_NOMATCH;
- case PCRE_ERROR_NULL:
+ case PCREn(ERROR_NULL):
return AP_REG_INVARG;
- case PCRE_ERROR_BADOPTION:
+ case PCREn(ERROR_BADOPTION):
return AP_REG_INVARG;
- case PCRE_ERROR_BADMAGIC:
+ case PCREn(ERROR_BADMAGIC):
return AP_REG_INVARG;
- case PCRE_ERROR_UNKNOWN_NODE:
- return AP_REG_ASSERT;
- case PCRE_ERROR_NOMEMORY:
+ case PCREn(ERROR_NOMEMORY):
return AP_REG_ESPACE;
-#ifdef PCRE_ERROR_MATCHLIMIT
- case PCRE_ERROR_MATCHLIMIT:
+#if defined(HAVE_PCRE2) || defined(PCRE_ERROR_MATCHLIMIT)
+ case PCREn(ERROR_MATCHLIMIT):
return AP_REG_ESPACE;
#endif
-#ifdef PCRE_ERROR_BADUTF8
- case PCRE_ERROR_BADUTF8:
+#if defined(PCRE_ERROR_UNKNOWN_NODE)
+ case PCRE_ERROR_UNKNOWN_NODE:
+ return AP_REG_ASSERT;
+#endif
+#if defined(PCRE_ERROR_BADUTF8)
+ case PCREn(ERROR_BADUTF8):
return AP_REG_INVARG;
#endif
-#ifdef PCRE_ERROR_BADUTF8_OFFSET
- case PCRE_ERROR_BADUTF8_OFFSET:
+#if defined(PCRE_ERROR_BADUTF8_OFFSET)
+ case PCREn(ERROR_BADUTF8_OFFSET):
return AP_REG_INVARG;
#endif
default:
@@ -312,18 +367,29 @@ AP_DECLARE(int) ap_regname(const ap_regex_t *preg,
apr_array_header_t *names, const char *prefix,
int upper)
{
+ char *nametable;
+#ifdef HAVE_PCRE2
+ uint32_t namecount;
+ uint32_t nameentrysize;
+ uint32_t i;
+ pcre2_pattern_info((const pcre2_code *)preg->re_pcre,
+ PCRE2_INFO_NAMECOUNT, &namecount);
+ pcre2_pattern_info((const pcre2_code *)preg->re_pcre,
+ PCRE2_INFO_NAMEENTRYSIZE, &nameentrysize);
+ pcre2_pattern_info((const pcre2_code *)preg->re_pcre,
+ PCRE2_INFO_NAMETABLE, &nametable);
+#else
int namecount;
int nameentrysize;
int i;
- char *nametable;
pcre_fullinfo((const pcre *)preg->re_pcre, NULL,
- PCRE_INFO_NAMECOUNT, &namecount);
+ PCRE_INFO_NAMECOUNT, &namecount);
pcre_fullinfo((const pcre *)preg->re_pcre, NULL,
- PCRE_INFO_NAMEENTRYSIZE, &nameentrysize);
+ PCRE_INFO_NAMEENTRYSIZE, &nameentrysize);
pcre_fullinfo((const pcre *)preg->re_pcre, NULL,
- PCRE_INFO_NAMETABLE, &nametable);
-
+ PCRE_INFO_NAMETABLE, &nametable);
+#endif
for (i = 0; i < namecount; i++) {
const char *offset = nametable + i * nameentrysize;
int capture = ((offset[0] << 8) + offset[1]);
--
1.8.3.1

26
backport-httpd-2.4.2-icons.patch
View File

@ -1,26 +0,0 @@
- Fix config for /icons/ dir to allow symlink to poweredby.png.
- Avoid using coredump GIF for a directory called "core"
Upstream-Status: vendor specific patch
--- httpd-2.4.2/docs/conf/extra/httpd-autoindex.conf.in.icons
+++ httpd-2.4.2/docs/conf/extra/httpd-autoindex.conf.in
@@ -21,7 +21,7 @@ IndexOptions FancyIndexing HTMLTable Ver
Alias /icons/ "@exp_iconsdir@/"
<Directory "@exp_iconsdir@">
- Options Indexes MultiViews
+ Options Indexes MultiViews FollowSymlinks
AllowOverride None
Require all granted
</Directory>
@@ -53,7 +53,7 @@ AddIcon /icons/dvi.gif .dvi
AddIcon /icons/uuencoded.gif .uu
AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl
AddIcon /icons/tex.gif .tex
-AddIcon /icons/bomb.gif core
+AddIcon /icons/bomb.gif core.
AddIcon /icons/back.gif ..
AddIcon /icons/hand.right.gif README

28
backport-httpd-2.4.25-selinux.patch
View File

@ -1,11 +1,8 @@
diff --git a/configure.in b/configure.in
Log the SELinux context at startup. index c5896c1..96cd4a6 100644
--- a/configure.in
Upstream-Status: unlikely to be any interest in this upstream +++ b/configure.in
@@ -508,6 +508,11 @@ getloadavg
--- httpd-2.4.1/configure.in.selinux
+++ httpd-2.4.1/configure.in
@@ -458,6 +458,11 @@ fopen64
dnl confirm that a void pointer is large enough to store a long integer dnl confirm that a void pointer is large enough to store a long integer
APACHE_CHECK_VOID_PTR_LEN APACHE_CHECK_VOID_PTR_LEN
@ -17,9 +14,11 @@ Upstream-Status: unlikely to be any interest in this upstream
AC_CACHE_CHECK([for gettid()], ac_cv_gettid, AC_CACHE_CHECK([for gettid()], ac_cv_gettid,
[AC_TRY_RUN(#define _GNU_SOURCE [AC_TRY_RUN(#define _GNU_SOURCE
#include <unistd.h> #include <unistd.h>
--- httpd-2.4.1/server/core.c.selinux diff --git a/server/core.c b/server/core.c
+++ httpd-2.4.1/server/core.c index 4da7209..515047b 100644
@@ -58,6 +58,10 @@ --- a/server/core.c
+++ b/server/core.c
@@ -65,6 +65,10 @@
#include <unistd.h> #include <unistd.h>
#endif #endif
@ -29,8 +28,8 @@ Upstream-Status: unlikely to be any interest in this upstream
+ +
/* LimitRequestBody handling */ /* LimitRequestBody handling */
#define AP_LIMIT_REQ_BODY_UNSET ((apr_off_t) -1) #define AP_LIMIT_REQ_BODY_UNSET ((apr_off_t) -1)
#define AP_DEFAULT_LIMIT_REQ_BODY ((apr_off_t) 0) #define AP_DEFAULT_LIMIT_REQ_BODY ((apr_off_t) 1<<30) /* 1GB */
@@ -4452,6 +4456,28 @@ static int core_post_config(apr_pool_t * @@ -5126,6 +5130,28 @@ static int core_post_config(apr_pool_t *pconf, apr_pool_t *plog, apr_pool_t *pte
} }
#endif #endif
@ -59,3 +58,6 @@ Upstream-Status: unlikely to be any interest in this upstream
return OK; return OK;
} }
--
2.27.0

20
backport-httpd-2.4.33-export.patch
View File

@ -1,20 +0,0 @@
There is no need to "suck in" the apr/apr-util symbols when using
a shared libapr{,util}, it just bloats the symbol table; so don't.
Upstream-HEAD: needed
Upstream-2.0: omit
Upstream-Status: EXPORT_DIRS change is conditional on using shared apr
--- httpd-2.4.33/server/Makefile.in.export
+++ httpd-2.4.33/server/Makefile.in
@@ -60,9 +60,6 @@
ls $$dir/*.h ; \
done; \
echo "$(top_srcdir)/server/mpm_fdqueue.h"; \
- for dir in $(EXPORT_DIRS_APR); do \
- ls $$dir/ap[ru].h $$dir/ap[ru]_*.h 2>/dev/null; \
- done; \
) | sed -e s,//,/,g | sort -u > $@
exports.c: export_files

53
backport-httpd-2.4.34-sslprotdefault.patch
View File

@ -1,53 +0,0 @@
https://bugzilla.redhat.com/show_bug.cgi?id=1618371
--- httpd-2.4.34/modules/ssl/ssl_engine_config.c.sslprotdefault
+++ httpd-2.4.34/modules/ssl/ssl_engine_config.c
@@ -119,7 +119,7 @@
mctx->ticket_key = NULL;
#endif
- mctx->protocol = SSL_PROTOCOL_DEFAULT;
+ mctx->protocol = SSL_PROTOCOL_NONE;
mctx->protocol_set = 0;
mctx->pphrase_dialog_type = SSL_PPTYPE_UNSET;
--- httpd-2.4.34/modules/ssl/ssl_engine_init.c.sslprotdefault
+++ httpd-2.4.34/modules/ssl/ssl_engine_init.c
@@ -555,9 +555,8 @@
* Create the new per-server SSL context
*/
if (protocol == SSL_PROTOCOL_NONE) {
- ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02231)
- "No SSL protocols available [hint: SSLProtocol]");
- return ssl_die(s);
+ ap_log_error(APLOG_MARK, APLOG_TRACE3, 0, s,
+ "Using OpenSSL/system default SSL/TLS protocols");
}
cp = apr_pstrcat(p,
@@ -673,14 +672,8 @@
} else if (protocol & SSL_PROTOCOL_SSLV3) {
prot = SSL3_VERSION;
#endif
- } else {
- SSL_CTX_free(ctx);
- mctx->ssl_ctx = NULL;
- ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(03378)
- "No SSL protocols available [hint: SSLProtocol]");
- return ssl_die(s);
}
- SSL_CTX_set_max_proto_version(ctx, prot);
+ if (protocol != SSL_PROTOCOL_NONE) SSL_CTX_set_max_proto_version(ctx, prot);
/* Next we scan for the minimal protocol version we should provide,
* but we do not allow holes between max and min */
@@ -700,7 +693,7 @@
prot = SSL3_VERSION;
}
#endif
- SSL_CTX_set_min_proto_version(ctx, prot);
+ if (protocol != SSL_PROTOCOL_NONE) SSL_CTX_set_min_proto_version(ctx, prot);
#endif /* if OPENSSL_VERSION_NUMBER < 0x10100000L */
#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE

16
backport-httpd-2.4.4-cachehardmax.patch → backport-httpd-2.4.43-cachehardmax.patch
View File

@ -1,8 +1,8 @@
diff --git a/modules/cache/cache_util.h b/modules/cache/cache_util.h diff --git a/modules/cache/cache_util.h b/modules/cache/cache_util.h
index eec38f3..1a2d5ee 100644 index 6b92151..4c42a8e 100644
--- a/modules/cache/cache_util.h --- a/modules/cache/cache_util.h
+++ b/modules/cache/cache_util.h +++ b/modules/cache/cache_util.h
@@ -194,6 +194,9 @@ typedef struct { @@ -195,6 +195,9 @@ typedef struct {
unsigned int store_nostore_set:1; unsigned int store_nostore_set:1;
unsigned int enable_set:1; unsigned int enable_set:1;
unsigned int disable_set:1; unsigned int disable_set:1;
@ -13,10 +13,10 @@ index eec38f3..1a2d5ee 100644
/* A linked-list of authn providers. */ /* A linked-list of authn providers. */
diff --git a/modules/cache/mod_cache.c b/modules/cache/mod_cache.c diff --git a/modules/cache/mod_cache.c b/modules/cache/mod_cache.c
index 4f2d3e0..30c88f4 100644 index 3b9aa4f..8268503 100644
--- a/modules/cache/mod_cache.c --- a/modules/cache/mod_cache.c
+++ b/modules/cache/mod_cache.c +++ b/modules/cache/mod_cache.c
@@ -1299,6 +1299,11 @@ static apr_status_t cache_save_filter(ap_filter_t *f, apr_bucket_brigade *in) @@ -1455,6 +1455,11 @@ static apr_status_t cache_save_filter(ap_filter_t *f, apr_bucket_brigade *in)
exp = date + dconf->defex; exp = date + dconf->defex;
} }
} }
@ -28,7 +28,7 @@ index 4f2d3e0..30c88f4 100644
info->expire = exp; info->expire = exp;
/* We found a stale entry which wasn't really stale. */ /* We found a stale entry which wasn't really stale. */
@@ -1717,7 +1722,9 @@ static void *create_dir_config(apr_pool_t *p, char *dummy) @@ -1954,7 +1959,9 @@ static void *create_dir_config(apr_pool_t *p, char *dummy)
/* array of providers for this URL space */ /* array of providers for this URL space */
dconf->cacheenable = apr_array_make(p, 10, sizeof(struct cache_enable)); dconf->cacheenable = apr_array_make(p, 10, sizeof(struct cache_enable));
@ -39,7 +39,7 @@ index 4f2d3e0..30c88f4 100644
return dconf; return dconf;
} }
@@ -1767,7 +1774,10 @@ static void *merge_dir_config(apr_pool_t *p, void *basev, void *addv) { @@ -2004,7 +2011,10 @@ static void *merge_dir_config(apr_pool_t *p, void *basev, void *addv) {
new->enable_set = add->enable_set || base->enable_set; new->enable_set = add->enable_set || base->enable_set;
new->disable = (add->disable_set == 0) ? base->disable : add->disable; new->disable = (add->disable_set == 0) ? base->disable : add->disable;
new->disable_set = add->disable_set || base->disable_set; new->disable_set = add->disable_set || base->disable_set;
@ -51,7 +51,7 @@ index 4f2d3e0..30c88f4 100644
return new; return new;
} }
@@ -2096,12 +2106,18 @@ static const char *add_cache_disable(cmd_parms *parms, void *dummy, @@ -2332,12 +2342,18 @@ static const char *add_cache_disable(cmd_parms *parms, void *dummy,
} }
static const char *set_cache_maxex(cmd_parms *parms, void *dummy, static const char *set_cache_maxex(cmd_parms *parms, void *dummy,
@ -71,7 +71,7 @@ index 4f2d3e0..30c88f4 100644
return NULL; return NULL;
} }
@@ -2309,7 +2325,7 @@ static const command_rec cache_cmds[] = @@ -2545,7 +2561,7 @@ static const command_rec cache_cmds[] =
"caching is enabled"), "caching is enabled"),
AP_INIT_TAKE1("CacheDisable", add_cache_disable, NULL, RSRC_CONF|ACCESS_CONF, AP_INIT_TAKE1("CacheDisable", add_cache_disable, NULL, RSRC_CONF|ACCESS_CONF,
"A partial URL prefix below which caching is disabled"), "A partial URL prefix below which caching is disabled"),

16
backport-httpd-2.4.1-corelimit.patch → backport-httpd-2.4.43-corelimit.patch
View File

@ -1,13 +1,8 @@
diff --git a/server/core.c b/server/core.c
Bump up the core size limit if CoreDumpDirectory is index 79b2a82..dc0f17a 100644
configured. --- a/server/core.c
+++ b/server/core.c
Upstream-Status: Was discussed but there are competing desires; @@ -4996,6 +4996,25 @@ static int core_post_config(apr_pool_t *pconf, apr_pool_t *plog, apr_pool_t *pte
there are portability oddities here too.
--- httpd-2.4.1/server/core.c.corelimit
+++ httpd-2.4.1/server/core.c
@@ -4433,6 +4433,25 @@ static int core_post_config(apr_pool_t *
} }
apr_pool_cleanup_register(pconf, NULL, ap_mpm_end_gen_helper, apr_pool_cleanup_register(pconf, NULL, ap_mpm_end_gen_helper,
apr_pool_cleanup_null); apr_pool_cleanup_null);
@ -32,4 +27,3 @@ Upstream-Status: Was discussed but there are competing desires;
+ +
return OK; return OK;
} }

12
backport-httpd-2.4.34-enable-sslv3.patch → backport-httpd-2.4.43-enable-sslv3.patch
View File

@ -1,23 +1,23 @@
diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c
index 517ce30..075f7e1 100644 index 979489c..3d6443b 100644
--- a/modules/ssl/ssl_engine_config.c --- a/modules/ssl/ssl_engine_config.c
+++ b/modules/ssl/ssl_engine_config.c +++ b/modules/ssl/ssl_engine_config.c
@@ -1474,6 +1474,10 @@ static const char *ssl_cmd_protocol_parse(cmd_parms *parms, @@ -1485,6 +1485,10 @@ static const char *ssl_cmd_protocol_parse(cmd_parms *parms,
#endif #endif
else if (strcEQ(w, "all")) { else if (strcEQ(w, "all")) {
thisopt = SSL_PROTOCOL_ALL; thisopt = SSL_PROTOCOL_ALL;
+#ifndef OPENSSL_NO_SSL3 +#ifndef OPENSSL_NO_SSL3
+ // by default, ALL kw doesn't turn on SSLv3 + /* by default, ALL kw doesn't turn on SSLv3 */
+ thisopt &= ~SSL_PROTOCOL_SSLV3; + thisopt &= ~SSL_PROTOCOL_SSLV3;
+#endif +#endif
} }
else { else {
return apr_pstrcat(parms->temp_pool, return apr_pstrcat(parms->temp_pool,
diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
index 60df45f..f6645c2 100644 index b0fcf81..ab6f263 100644
--- a/modules/ssl/ssl_engine_init.c --- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c +++ b/modules/ssl/ssl_engine_init.c
@@ -537,6 +537,28 @@ static apr_status_t ssl_init_ctx_tls_extensions(server_rec *s, @@ -568,6 +568,28 @@ static apr_status_t ssl_init_ctx_tls_extensions(server_rec *s,
} }
#endif #endif
@ -46,7 +46,7 @@ index 60df45f..f6645c2 100644
static apr_status_t ssl_init_ctx_protocol(server_rec *s, static apr_status_t ssl_init_ctx_protocol(server_rec *s,
apr_pool_t *p, apr_pool_t *p,
apr_pool_t *ptemp, apr_pool_t *ptemp,
@@ -695,9 +719,13 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s, @@ -735,9 +757,13 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
} }
if (prot == TLS1_1_VERSION && protocol & SSL_PROTOCOL_TLSV1) { if (prot == TLS1_1_VERSION && protocol & SSL_PROTOCOL_TLSV1) {
prot = TLS1_VERSION; prot = TLS1_VERSION;

3
backport-httpd-2.4.17-socket-activation.patch → backport-httpd-2.4.43-socket-activation.patch
View File

@ -1,5 +1,5 @@
diff --git a/server/listen.c b/server/listen.c diff --git a/server/listen.c b/server/listen.c
index a8e9e6f..1a6c1d3 100644 index 5242c2a..e2e028a 100644
--- a/server/listen.c --- a/server/listen.c
+++ b/server/listen.c +++ b/server/listen.c
@@ -34,6 +34,10 @@ @@ -34,6 +34,10 @@
@ -297,4 +297,3 @@ index a8e9e6f..1a6c1d3 100644
+ +
return alloc_listener(cmd->server->process, host, port, proto, NULL); return alloc_listener(cmd->server->process, host, port, proto, NULL);
} }

15
backport-httpd-2.4.34-sslciphdefault.patch → backport-httpd-2.4.43-sslciphdefault.patch
View File

@ -1,11 +1,8 @@
diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c
https://bugzilla.redhat.com/show_bug.cgi?id=1109119 index 97778a8..27e7a53 100644
--- a/modules/ssl/ssl_engine_config.c
Don't prepend !aNULL etc if PROFILE= is used with SSLCipherSuite. +++ b/modules/ssl/ssl_engine_config.c
@@ -778,9 +778,11 @@ const char *ssl_cmd_SSLCipherSuite(cmd_parms *cmd,
--- httpd-2.4.34/modules/ssl/ssl_engine_config.c.sslciphdefault
+++ httpd-2.4.34/modules/ssl/ssl_engine_config.c
@@ -774,9 +774,11 @@
} }
if (!strcmp("SSL", arg1)) { if (!strcmp("SSL", arg1)) {
@ -19,7 +16,7 @@ Don't prepend !aNULL etc if PROFILE= is used with SSLCipherSuite.
dc->szCipherSuite = arg2; dc->szCipherSuite = arg2;
} }
else { else {
@@ -1540,8 +1542,10 @@ @@ -1544,8 +1546,10 @@ const char *ssl_cmd_SSLProxyCipherSuite(cmd_parms *cmd,
} }
if (!strcmp("SSL", arg1)) { if (!strcmp("SSL", arg1)) {

99
backport-httpd-2.4.43-sslprotdefault.patch Normal file
View File

@ -0,0 +1,99 @@
diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c
index 27e7a53..b53f3f8 100644
--- a/modules/ssl/ssl_engine_config.c
+++ b/modules/ssl/ssl_engine_config.c
@@ -119,7 +119,7 @@ static void modssl_ctx_init(modssl_ctx_t *mctx, apr_pool_t *p)
mctx->ticket_key = NULL;
#endif
- mctx->protocol = SSL_PROTOCOL_DEFAULT;
+ mctx->protocol = SSL_PROTOCOL_NONE;
mctx->protocol_set = 0;
mctx->pphrase_dialog_type = SSL_PPTYPE_UNSET;
@@ -263,6 +263,7 @@ static void modssl_ctx_cfg_merge(apr_pool_t *p,
if (add->protocol_set) {
mrg->protocol_set = 1;
mrg->protocol = add->protocol;
+ mrg->protocol_set = 1;
}
else {
mrg->protocol_set = base->protocol_set;
diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
index bfad47a..b0fcf81 100644
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -577,6 +577,7 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
MODSSL_SSL_METHOD_CONST SSL_METHOD *method = NULL;
char *cp;
int protocol = mctx->protocol;
+ int protocol_set = mctx->protocol_set;
SSLSrvConfigRec *sc = mySrvConfig(s);
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
int prot;
@@ -586,12 +587,18 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
* Create the new per-server SSL context
*/
if (protocol == SSL_PROTOCOL_NONE) {
- ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02231)
- "No SSL protocols available [hint: SSLProtocol]");
- return ssl_die(s);
- }
+ if (protocol_set) {
+ ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02231)
+ "No SSL protocols available [hint: SSLProtocol]");
+ return ssl_die(s);
+ }
- cp = apr_pstrcat(p,
+ ap_log_error(APLOG_MARK, APLOG_TRACE3, 0, s,
+ "Using OpenSSL/system default SSL/TLS protocols");
+ cp = "default";
+ }
+ else {
+ cp = apr_pstrcat(p,
#ifndef OPENSSL_NO_SSL3
(protocol & SSL_PROTOCOL_SSLV3 ? "SSLv3, " : ""),
#endif
@@ -604,7 +611,8 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
#endif
#endif
NULL);
- cp[strlen(cp)-2] = NUL;
+ cp[strlen(cp)-2] = NUL;
+ }
ap_log_error(APLOG_MARK, APLOG_TRACE3, 0, s,
"Creating new SSL context (protocols: %s)", cp);
@@ -705,13 +713,15 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
prot = SSL3_VERSION;
#endif
} else {
- SSL_CTX_free(ctx);
- mctx->ssl_ctx = NULL;
- ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(03378)
- "No SSL protocols available [hint: SSLProtocol]");
- return ssl_die(s);
+ if (protocol_set) {
+ SSL_CTX_free(ctx);
+ mctx->ssl_ctx = NULL;
+ ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(03378)
+ "No SSL protocols available [hint: SSLProtocol]");
+ return ssl_die(s);
+ }
}
- SSL_CTX_set_max_proto_version(ctx, prot);
+ if (protocol != SSL_PROTOCOL_NONE) SSL_CTX_set_max_proto_version(ctx, prot);
/* Next we scan for the minimal protocol version we should provide,
* but we do not allow holes between max and min */
@@ -731,7 +741,7 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
prot = SSL3_VERSION;
}
#endif
- SSL_CTX_set_min_proto_version(ctx, prot);
+ if (protocol != SSL_PROTOCOL_NONE) SSL_CTX_set_min_proto_version(ctx, prot);
#endif /* if OPENSSL_VERSION_NUMBER < 0x10100000L */
#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE

16
backport-httpd-2.4.43-detect-systemd.patch → backport-httpd-2.4.53-detect-systemd.patch
View File

@ -1,5 +1,5 @@
diff --git a/Makefile.in b/Makefile.in diff --git a/Makefile.in b/Makefile.in
index 0b088ac..9eeb5c7 100644 index a2e9c82..bd8045c 100644
--- a/Makefile.in --- a/Makefile.in
+++ b/Makefile.in +++ b/Makefile.in
@@ -4,7 +4,7 @@ CLEAN_SUBDIRS = test @@ -4,7 +4,7 @@ CLEAN_SUBDIRS = test
@ -12,10 +12,10 @@ index 0b088ac..9eeb5c7 100644
PROGRAM_DEPENDENCIES = \ PROGRAM_DEPENDENCIES = \
server/libmain.la \ server/libmain.la \
diff --git a/acinclude.m4 b/acinclude.m4 diff --git a/acinclude.m4 b/acinclude.m4
index 2a7e5d1..eb28321 100644 index 97484c9..05abe18 100644
--- a/acinclude.m4 --- a/acinclude.m4
+++ b/acinclude.m4 +++ b/acinclude.m4
@@ -624,6 +624,7 @@ case $host in @@ -631,6 +631,7 @@ case $host in
if test "${ac_cv_header_systemd_sd_daemon_h}" = "no" || test -z "${SYSTEMD_LIBS}"; then if test "${ac_cv_header_systemd_sd_daemon_h}" = "no" || test -z "${SYSTEMD_LIBS}"; then
AC_MSG_WARN([Your system does not support systemd.]) AC_MSG_WARN([Your system does not support systemd.])
else else
@ -24,18 +24,18 @@ index 2a7e5d1..eb28321 100644
fi fi
fi fi
diff --git a/configure.in b/configure.in diff --git a/configure.in b/configure.in
index 3618a5a..74a782b 100644 index cf437fe..521fc45 100644
--- a/configure.in --- a/configure.in
+++ b/configure.in +++ b/configure.in
@@ -234,6 +234,7 @@ if test "$PCRE_CONFIG" != "false"; then @@ -239,6 +239,7 @@ if test "x$PCRE_CONFIG" != "x"; then
AC_MSG_NOTICE([Using external PCRE library from $PCRE_CONFIG]) AC_MSG_NOTICE([Using external PCRE library from $PCRE_CONFIG])
APR_ADDTO(PCRE_INCLUDES, [`$PCRE_CONFIG --cflags`]) APR_ADDTO(PCRE_INCLUDES, [`$PCRE_CONFIG --cflags`])
APR_ADDTO(PCRE_LIBS, [`$PCRE_CONFIG --libs`]) APR_ADDTO(PCRE_LIBS, [`$PCRE_CONFIG --libs8 2>/dev/null || $PCRE_CONFIG --libs`])
+ APR_ADDTO(HTTPD_LIBS, [\$(PCRE_LIBS)]) + APR_ADDTO(HTTPD_LIBS, [\$(PCRE_LIBS)])
else else
AC_MSG_ERROR([pcre-config for libpcre not found. PCRE is required and available from http://pcre.org/]) AC_MSG_ERROR([pcre(2)-config for libpcre not found. PCRE is required and available from http://pcre.org/])
fi fi
@@ -710,6 +711,7 @@ APACHE_SUBST(OS_DIR) @@ -734,6 +735,7 @@ APACHE_SUBST(OS_DIR)
APACHE_SUBST(BUILTIN_LIBS) APACHE_SUBST(BUILTIN_LIBS)
APACHE_SUBST(SHLIBPATH_VAR) APACHE_SUBST(SHLIBPATH_VAR)
APACHE_SUBST(OS_SPECIFIC_VARS) APACHE_SUBST(OS_SPECIFIC_VARS)

56
backport-httpd-2.4.53-export.patch Normal file
View File

@ -0,0 +1,56 @@
diff --git a/Makefile.in b/Makefile.in
index bd8045c..d6733a5 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -4,8 +4,15 @@ CLEAN_SUBDIRS = test
PROGRAM_NAME = $(progname)
PROGRAM_SOURCES = modules.c
-PROGRAM_LDADD = buildmark.o $(HTTPD_LDFLAGS) $(PROGRAM_DEPENDENCIES) $(HTTPD_LIBS) $(EXTRA_LIBS) $(AP_LIBS) $(LIBS)
+PROGRAM_LDADD = buildmark.o $(HTTPD_LDFLAGS) \
+ $(PROGRAM_LDDEPS) \
+ $(HTTPD_LIBS) $(EXTRA_LIBS) $(AP_LIBS) $(LIBS)
PROGRAM_PRELINK = $(COMPILE) -c $(top_srcdir)/server/buildmark.c
+PROGRAM_LDDEPS = \
+ $(BUILTIN_LIBS) \
+ $(MPM_LIB) \
+ -Wl,--whole-archive,server/.libs/libmain.a,--no-whole-archive \
+ os/$(OS_DIR)/libos.la
PROGRAM_DEPENDENCIES = \
server/libmain.la \
$(BUILTIN_LIBS) \
diff --git a/server/Makefile.in b/server/Makefile.in
index 8111877..f00bb3f 100644
--- a/server/Makefile.in
+++ b/server/Makefile.in
@@ -12,7 +12,7 @@ LTLIBRARY_SOURCES = \
connection.c listen.c util_mutex.c \
mpm_common.c mpm_unix.c mpm_fdqueue.c \
util_charset.c util_cookies.c util_debug.c util_xml.c \
- util_filter.c util_pcre.c util_regex.c exports.c \
+ util_filter.c util_pcre.c util_regex.c \
scoreboard.c error_bucket.c protocol.c core.c request.c ssl.c provider.c \
eoc_bucket.c eor_bucket.c core_filters.c \
util_expr_parse.c util_expr_scan.c util_expr_eval.c
diff --git a/server/main.c b/server/main.c
index 7da7aa2..e63d2eb 100644
--- a/server/main.c
+++ b/server/main.c
@@ -857,17 +857,3 @@ int main(int argc, const char * const argv[])
return !OK;
}
-#ifdef AP_USING_AUTOCONF
-/* This ugly little hack pulls any function referenced in exports.c into
- * the web server. exports.c is generated during the build, and it
- * has all of the APR functions specified by the apr/apr.exports and
- * apr-util/aprutil.exports files.
- */
-const void *ap_suck_in_APR(void);
-const void *ap_suck_in_APR(void)
-{
- extern const void *ap_ugly_hack;
-
- return ap_ugly_hack;
-}
-#endif

49
backport-httpd-2.4.54-icons.patch Normal file
View File

@ -0,0 +1,49 @@
diff --git a/docs/conf/extra/httpd-autoindex.conf.in b/docs/conf/extra/httpd-autoindex.conf.in
index 51b02ed..93a2b87 100644
--- a/docs/conf/extra/httpd-autoindex.conf.in
+++ b/docs/conf/extra/httpd-autoindex.conf.in
@@ -21,7 +21,7 @@ IndexOptions FancyIndexing HTMLTable VersionSort
Alias /icons/ "@exp_iconsdir@/"
<Directory "@exp_iconsdir@">
- Options Indexes MultiViews
+ Options Indexes MultiViews FollowSymlinks
AllowOverride None
Require all granted
</Directory>
@@ -37,6 +37,7 @@ AddIconByType (TXT,/icons/text.gif) text/*
AddIconByType (IMG,/icons/image2.gif) image/*
AddIconByType (SND,/icons/sound2.gif) audio/*
AddIconByType (VID,/icons/movie.gif) video/*
+AddIconByType /icons/bomb.gif application/x-coredump
AddIcon /icons/binary.gif .bin .exe
AddIcon /icons/binhex.gif .hqx
@@ -53,7 +54,6 @@ AddIcon /icons/dvi.gif .dvi
AddIcon /icons/uuencoded.gif .uu
AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl
AddIcon /icons/tex.gif .tex
-AddIcon /icons/bomb.gif core
AddIcon /icons/back.gif ..
AddIcon /icons/hand.right.gif README
diff --git a/docs/conf/magic b/docs/conf/magic
index bc891d9..9a41b44 100644
--- a/docs/conf/magic
+++ b/docs/conf/magic
@@ -383,3 +383,15 @@
4 string moov video/quicktime
4 string mdat video/quicktime
+
+#------------------------------------------------------------------------------
+# application/x-coredump for LE/BE ELF
+#
+0 string \177ELF
+>5 byte 1
+>16 leshort 4 application/x-coredump
+
+0 string \177ELF
+>5 byte 2
+>16 beshort 4 application/x-coredump
+

BIN
httpd-2.4.51.tar.bz2
View File

Binary file not shown.

BIN
httpd-2.4.55.tar.bz2 Normal file
View File

Binary file not shown.

45
httpd.spec
View File

@ -7,8 +7,8 @@
Name: httpd Name: httpd
Summary: Apache HTTP Server Summary: Apache HTTP Server
Version: 2.4.51 Version: 2.4.55
Release: 9 Release: 1
License: ASL 2.0 License: ASL 2.0
URL: https://httpd.apache.org/ URL: https://httpd.apache.org/
Source0: https://archive.apache.org/dist/httpd/httpd-%{version}.tar.bz2 Source0: https://archive.apache.org/dist/httpd/httpd-%{version}.tar.bz2
@ -54,38 +54,21 @@ Patch0: backport-httpd-2.4.1-apctl.patch
Patch1: backport-httpd-2.4.9-apxs.patch Patch1: backport-httpd-2.4.9-apxs.patch
Patch2: backport-httpd-2.4.1-deplibs.patch Patch2: backport-httpd-2.4.1-deplibs.patch
Patch3: backport-httpd-2.4.3-apctl-systemd.patch Patch3: backport-httpd-2.4.3-apctl-systemd.patch
Patch4: backport-httpd-2.4.43-detect-systemd.patch Patch4: backport-httpd-2.4.53-detect-systemd.patch
Patch5: backport-httpd-2.4.33-export.patch Patch5: backport-httpd-2.4.53-export.patch
Patch6: backport-httpd-2.4.1-corelimit.patch Patch6: backport-httpd-2.4.43-corelimit.patch
Patch7: backport-httpd-2.4.25-selinux.patch Patch7: backport-httpd-2.4.25-selinux.patch
Patch8: backport-httpd-2.4.2-icons.patch Patch8: backport-httpd-2.4.54-icons.patch
Patch9: backport-httpd-2.4.4-cachehardmax.patch Patch9: backport-httpd-2.4.43-cachehardmax.patch
Patch10: backport-httpd-2.4.17-socket-activation.patch Patch10: backport-httpd-2.4.43-socket-activation.patch
Patch11: backport-httpd-2.4.34-sslciphdefault.patch Patch11: backport-httpd-2.4.43-sslciphdefault.patch
Patch12: backport-httpd-2.4.34-sslprotdefault.patch Patch12: backport-httpd-2.4.43-sslprotdefault.patch
Patch13: backport-httpd-2.4.34-enable-sslv3.patch Patch13: backport-httpd-2.4.43-enable-sslv3.patch
Patch14: backport-layout_add_openEuler.patch Patch14: backport-layout_add_openEuler.patch
Patch15: backport-httpd-2.4.43-gettid.patch Patch15: backport-httpd-2.4.43-gettid.patch
Patch16: backport-httpd-2.4.43-r1861793+.patch Patch16: backport-httpd-2.4.43-r1861793+.patch
Patch17: backport-httpd-2.4.48-r1828172+.patch Patch17: backport-httpd-2.4.48-r1828172+.patch
Patch18: backport-httpd-2.4.46-htcacheclean-dont-break.patch Patch18: backport-httpd-2.4.46-htcacheclean-dont-break.patch
Patch19: backport-CVE-2022-22719.patch
Patch20: backport-CVE-2022-22720.patch
Patch21: backport-CVE-2022-22721.patch
Patch22: backport-001-CVE-2022-23943.patch
Patch23: backport-002-CVE-2022-23943.patch
Patch24: backport-CVE-2021-44790.patch
Patch25: backport-001-CVE-2021-44224.patch
Patch26: backport-002-CVE-2021-44224.patch
Patch27: backport-CVE-2022-28615.patch
Patch28: backport-CVE-2022-31813.patch
Patch29: backport-CVE-2022-28614.patch
Patch30: backport-CVE-2022-29404.patch
Patch31: backport-CVE-2022-26377.patch
Patch32: backport-CVE-2022-30522.patch
Patch33: backport-CVE-2022-30556.patch
Patch34: backport-Switch-from-PCRE-to-PCRE2.patch
Patch35: backport-CVE-2022-28330.patch
BuildRequires: gcc autoconf pkgconfig findutils xmlto perl-interpreter perl-generators systemd-devel BuildRequires: gcc autoconf pkgconfig findutils xmlto perl-interpreter perl-generators systemd-devel
BuildRequires: zlib-devel libselinux-devel lua-devel brotli-devel BuildRequires: zlib-devel libselinux-devel lua-devel brotli-devel
@ -518,6 +501,12 @@ exit $rv
%{_rpmconfigdir}/macros.d/macros.httpd %{_rpmconfigdir}/macros.d/macros.httpd
%changelog %changelog
* Wed Feb 1 2023 chengyechun <chengyechun1@huawei.com> - 2.4.55-1
- Type:enhancement
- ID:NA
- SUG:restart
- DESC:update to httpd-2.4.55
* Thu Dec 15 2022 chengyechun <chengyechun1@huawei.com> - 2.4.51-9 * Thu Dec 15 2022 chengyechun <chengyechun1@huawei.com> - 2.4.51-9
- Type:bugfix - Type:bugfix
- ID: - ID: