diff --git a/fix-CVE-2024-42516.patch b/fix-CVE-2024-42516.patch deleted file mode 100644 index 19891cc0ea202751ced8b111825b79006dcc85df..0000000000000000000000000000000000000000 --- a/fix-CVE-2024-42516.patch +++ /dev/null @@ -1,303 +0,0 @@ -From a7a9d814c7c23e990283277230ddd5a9efec27c7 Mon Sep 17 00:00:00 2001 -From: Eric Covener -Date: Mon, 7 Jul 2025 11:59:38 +0000 -Subject: [PATCH] fix header merging - -Reviewed By: rpluem, jorton, ylavic - - - -git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1927039 13f79535-47bb-0310-9956-ffa450edef68 ---- - modules/http/http_filters.c | 248 +++++++++++++++++++----------------- - 1 file changed, 128 insertions(+), 120 deletions(-) - -diff --git a/modules/http/http_filters.c b/modules/http/http_filters.c -index 60b44d78580..732fb8eb6a7 100644 ---- a/modules/http/http_filters.c -+++ b/modules/http/http_filters.c -@@ -1300,107 +1300,10 @@ typedef struct header_filter_ctx { - int headers_sent; - } header_filter_ctx; - --AP_CORE_DECLARE_NONSTD(apr_status_t) ap_http_header_filter(ap_filter_t *f, -- apr_bucket_brigade *b) -+static void merge_response_headers(request_rec *r, const char **protocol) - { -- request_rec *r = f->r; -- conn_rec *c = r->connection; -- const char *clheader; -- int header_only = (r->header_only || AP_STATUS_IS_HEADER_ONLY(r->status)); -- const char *protocol = NULL; -- apr_bucket *e; -- apr_bucket_brigade *b2; -- header_struct h; -- header_filter_ctx *ctx = f->ctx; -- const char *ctype; -- ap_bucket_error *eb = NULL; -- apr_status_t rv = APR_SUCCESS; -- int recursive_error = 0; -- -- AP_DEBUG_ASSERT(!r->main); -- -- if (!ctx) { -- ctx = f->ctx = apr_pcalloc(r->pool, sizeof(header_filter_ctx)); -- } -- else if (ctx->headers_sent) { -- /* Eat body if response must not have one. */ -- if (header_only) { -- /* Still next filters may be waiting for EOS, so pass it (alone) -- * when encountered and be done with this filter. -- */ -- e = APR_BRIGADE_LAST(b); -- if (e != APR_BRIGADE_SENTINEL(b) && APR_BUCKET_IS_EOS(e)) { -- APR_BUCKET_REMOVE(e); -- apr_brigade_cleanup(b); -- APR_BRIGADE_INSERT_HEAD(b, e); -- ap_remove_output_filter(f); -- rv = ap_pass_brigade(f->next, b); -- } -- apr_brigade_cleanup(b); -- return rv; -- } -- } -- -- for (e = APR_BRIGADE_FIRST(b); -- e != APR_BRIGADE_SENTINEL(b); -- e = APR_BUCKET_NEXT(e)) -- { -- if (AP_BUCKET_IS_ERROR(e) && !eb) { -- eb = e->data; -- continue; -- } -- /* -- * If we see an EOC bucket it is a signal that we should get out -- * of the way doing nothing. -- */ -- if (AP_BUCKET_IS_EOC(e)) { -- ap_remove_output_filter(f); -- return ap_pass_brigade(f->next, b); -- } -- } -- -- if (!ctx->headers_sent && !check_headers(r)) { -- /* We may come back here from ap_die() below, -- * so clear anything from this response. -- */ -- apr_table_clear(r->headers_out); -- apr_table_clear(r->err_headers_out); -- r->content_type = r->content_encoding = NULL; -- r->content_languages = NULL; -- r->clength = r->chunked = 0; -- apr_brigade_cleanup(b); -- -- /* Don't recall ap_die() if we come back here (from its own internal -- * redirect or error response), otherwise we can end up in infinite -- * recursion; better fall through with 500, minimal headers and an -- * empty body (EOS only). -- */ -- if (!check_headers_recursion(r)) { -- ap_die(HTTP_INTERNAL_SERVER_ERROR, r); -- return AP_FILTER_ERROR; -- } -- r->status = HTTP_INTERNAL_SERVER_ERROR; -- e = ap_bucket_eoc_create(c->bucket_alloc); -- APR_BRIGADE_INSERT_TAIL(b, e); -- e = apr_bucket_eos_create(c->bucket_alloc); -- APR_BRIGADE_INSERT_TAIL(b, e); -- ap_set_content_length(r, 0); -- recursive_error = 1; -- } -- else if (eb) { -- int status; -- status = eb->status; -- apr_brigade_cleanup(b); -- ap_die(status, r); -- return AP_FILTER_ERROR; -- } -- -- if (r->assbackwards) { -- r->sent_bodyct = 1; -- ap_remove_output_filter(f); -- rv = ap_pass_brigade(f->next, b); -- goto out; -- } -+ const char *ctype = NULL; -+ const char *clheader = NULL; - - /* - * Now that we are ready to send a response, we need to combine the two -@@ -1430,6 +1333,9 @@ AP_CORE_DECLARE_NONSTD(apr_status_t) ap_http_header_filter(ap_filter_t *f, - fixup_vary(r); - } - -+ /* determine the protocol and whether we should use keepalives. */ -+ basic_http_header_check(r, protocol); -+ ap_set_keepalive(r); - - /* - * Control cachability for non-cacheable responses if not already set by -@@ -1449,10 +1355,6 @@ AP_CORE_DECLARE_NONSTD(apr_status_t) ap_http_header_filter(ap_filter_t *f, - apr_table_unset(r->headers_out, "ETag"); - } - -- /* determine the protocol and whether we should use keepalives. */ -- basic_http_header_check(r, &protocol); -- ap_set_keepalive(r); -- - /* 204/304 responses don't have content related headers */ - if (AP_STATUS_IS_HEADER_ONLY(r->status)) { - apr_table_unset(r->headers_out, "Transfer-Encoding"); -@@ -1513,30 +1415,136 @@ AP_CORE_DECLARE_NONSTD(apr_status_t) ap_http_header_filter(ap_filter_t *f, - && !strcmp(clheader, "0")) { - apr_table_unset(r->headers_out, "Content-Length"); - } -+} - -- b2 = apr_brigade_create(r->pool, c->bucket_alloc); -- basic_http_header(r, b2, protocol); -- -- h.pool = r->pool; -- h.bb = b2; -+AP_CORE_DECLARE_NONSTD(apr_status_t) ap_http_header_filter(ap_filter_t *f, -+ apr_bucket_brigade *b) -+{ -+ request_rec *r = f->r; -+ conn_rec *c = r->connection; -+ int header_only = (r->header_only || AP_STATUS_IS_HEADER_ONLY(r->status)); -+ apr_bucket *e; -+ apr_bucket_brigade *b2; -+ header_struct h; -+ header_filter_ctx *ctx = f->ctx; -+ ap_bucket_error *eb = NULL; -+ apr_status_t rv = APR_SUCCESS; -+ int recursive_error = 0; -+ const char *protocol; - -- send_all_header_fields(&h, r); -+ AP_DEBUG_ASSERT(!r->main); - -- terminate_header(b2); -+ if (!ctx) { -+ ctx = f->ctx = apr_pcalloc(r->pool, sizeof(header_filter_ctx)); -+ } -+ else if (ctx->headers_sent) { -+ /* Eat body if response must not have one. */ -+ if (header_only) { -+ /* Still next filters may be waiting for EOS, so pass it (alone) -+ * when encountered and be done with this filter. -+ */ -+ e = APR_BRIGADE_LAST(b); -+ if (e != APR_BRIGADE_SENTINEL(b) && APR_BUCKET_IS_EOS(e)) { -+ APR_BUCKET_REMOVE(e); -+ apr_brigade_cleanup(b); -+ APR_BRIGADE_INSERT_HEAD(b, e); -+ ap_remove_output_filter(f); -+ rv = ap_pass_brigade(f->next, b); -+ } -+ apr_brigade_cleanup(b); -+ return rv; -+ } -+ } - -- if (header_only) { -- e = APR_BRIGADE_LAST(b); -- if (e != APR_BRIGADE_SENTINEL(b) && APR_BUCKET_IS_EOS(e)) { -- APR_BUCKET_REMOVE(e); -- APR_BRIGADE_INSERT_TAIL(b2, e); -+ for (e = APR_BRIGADE_FIRST(b); -+ e != APR_BRIGADE_SENTINEL(b); -+ e = APR_BUCKET_NEXT(e)) -+ { -+ if (AP_BUCKET_IS_ERROR(e) && !eb) { -+ eb = e->data; -+ continue; -+ } -+ /* -+ * If we see an EOC bucket it is a signal that we should get out -+ * of the way doing nothing. -+ */ -+ if (AP_BUCKET_IS_EOC(e)) { - ap_remove_output_filter(f); -+ return ap_pass_brigade(f->next, b); -+ } -+ } -+ -+ if (!ctx->headers_sent) { -+ merge_response_headers(r, &protocol); -+ if (!check_headers(r)) { -+ /* We may come back here from ap_die() below, -+ * so clear anything from this response. -+ */ -+ apr_table_clear(r->headers_out); -+ apr_table_clear(r->err_headers_out); -+ r->content_type = r->content_encoding = NULL; -+ r->content_languages = NULL; -+ r->clength = r->chunked = 0; -+ apr_brigade_cleanup(b); -+ -+ /* Don't recall ap_die() if we come back here (from its own internal -+ * redirect or error response), otherwise we can end up in infinite -+ * recursion; better fall through with 500, minimal headers and an -+ * empty body (EOS only). -+ */ -+ if (!check_headers_recursion(r)) { -+ ap_die(HTTP_INTERNAL_SERVER_ERROR, r); -+ return AP_FILTER_ERROR; -+ } -+ r->status = HTTP_INTERNAL_SERVER_ERROR; -+ e = ap_bucket_eoc_create(c->bucket_alloc); -+ APR_BRIGADE_INSERT_TAIL(b, e); -+ e = apr_bucket_eos_create(c->bucket_alloc); -+ APR_BRIGADE_INSERT_TAIL(b, e); -+ ap_set_content_length(r, 0); -+ recursive_error = 1; -+ } -+ else if (eb) { -+ int status; -+ status = eb->status; -+ apr_brigade_cleanup(b); -+ ap_die(status, r); -+ return AP_FILTER_ERROR; - } -- apr_brigade_cleanup(b); - } - -- rv = ap_pass_brigade(f->next, b2); -- apr_brigade_cleanup(b2); -- ctx->headers_sent = 1; -+ if (r->assbackwards) { -+ r->sent_bodyct = 1; -+ ap_remove_output_filter(f); -+ rv = ap_pass_brigade(f->next, b); -+ goto out; -+ } -+ -+ if (!ctx->headers_sent) { -+ b2 = apr_brigade_create(r->pool, c->bucket_alloc); -+ basic_http_header(r, b2, protocol); -+ -+ h.pool = r->pool; -+ h.bb = b2; -+ -+ send_all_header_fields(&h, r); -+ -+ terminate_header(b2); -+ -+ if (header_only) { -+ e = APR_BRIGADE_LAST(b); -+ if (e != APR_BRIGADE_SENTINEL(b) && APR_BUCKET_IS_EOS(e)) { -+ APR_BUCKET_REMOVE(e); -+ APR_BRIGADE_INSERT_TAIL(b2, e); -+ ap_remove_output_filter(f); -+ } -+ apr_brigade_cleanup(b); -+ } -+ -+ rv = ap_pass_brigade(f->next, b2); -+ apr_brigade_cleanup(b2); -+ ctx->headers_sent = 1; -+ } - - if (rv != APR_SUCCESS || header_only) { - goto out; diff --git a/fix-CVE-2025-49812.patch b/fix-CVE-2025-49812.patch deleted file mode 100644 index 16bb79caea889d5fa5af71ae0a128e96dd756c0b..0000000000000000000000000000000000000000 --- a/fix-CVE-2025-49812.patch +++ /dev/null @@ -1,198 +0,0 @@ -From 87a7351c755c9ef8ab386e3090e44838c2a06d48 Mon Sep 17 00:00:00 2001 -From: Eric Covener -Date: Mon, 7 Jul 2025 12:09:30 +0000 -Subject: [PATCH] backport 1927037 from trunk - - remove antiquated 'SSLEngine optional' TLS upgrade - -Reviewed By: rpluem, jorton, covener - - - -git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1927045 13f79535-47bb-0310-9956-ffa450edef68 ---- - modules/ssl/ssl_engine_config.c | 6 ++- - modules/ssl/ssl_engine_init.c | 6 +-- - modules/ssl/ssl_engine_kernel.c | 86 --------------------------------- - modules/ssl/ssl_private.h | 1 - - 4 files changed, 7 insertions(+), 92 deletions(-) - -diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c -index 9af6f70fd03..d1f4fad8e23 100644 ---- a/modules/ssl/ssl_engine_config.c -+++ b/modules/ssl/ssl_engine_config.c -@@ -741,11 +741,13 @@ const char *ssl_cmd_SSLEngine(cmd_parms *cmd, void *dcfg, const char *arg) - return NULL; - } - else if (!strcasecmp(arg, "Optional")) { -- sc->enabled = SSL_ENABLED_OPTIONAL; -+ sc->enabled = SSL_ENABLED_FALSE; -+ ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, cmd->server, APLOGNO(10510) -+ "'SSLEngine optional' is no longer supported"); - return NULL; - } - -- return "Argument must be On, Off, or Optional"; -+ return "Argument must be On or Off"; - } - - const char *ssl_cmd_SSLFIPS(cmd_parms *cmd, void *dcfg, int flag) -diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c -index f9eca79e462..94cc2772e01 100644 ---- a/modules/ssl/ssl_engine_init.c -+++ b/modules/ssl/ssl_engine_init.c -@@ -427,7 +427,7 @@ apr_status_t ssl_init_Module(apr_pool_t *p, apr_pool_t *plog, - &ssl_module); - - sc = mySrvConfig(s); -- if (sc->enabled == SSL_ENABLED_TRUE || sc->enabled == SSL_ENABLED_OPTIONAL) { -+ if (sc->enabled == SSL_ENABLED_TRUE) { - if ((rv = ssl_run_init_server(s, p, 0, sc->server->ssl_ctx)) != APR_SUCCESS) { - return rv; - } -@@ -2126,9 +2126,9 @@ apr_status_t ssl_init_ConfigureServer(server_rec *s, - &ssl_module); - apr_status_t rv; - -- /* Initialize the server if SSL is enabled or optional. -+ /* Initialize the server if SSL is enabled. - */ -- if ((sc->enabled == SSL_ENABLED_TRUE) || (sc->enabled == SSL_ENABLED_OPTIONAL)) { -+ if (sc->enabled == SSL_ENABLED_TRUE) { - ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, APLOGNO(01914) - "Configuring server %s for SSL protocol", sc->vhost_id); - if ((rv = ssl_init_server_ctx(s, p, ptemp, sc, pphrases)) -diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c -index d912a874dd9..33aa1f71dc7 100644 ---- a/modules/ssl/ssl_engine_kernel.c -+++ b/modules/ssl/ssl_engine_kernel.c -@@ -38,59 +38,6 @@ static void ssl_configure_env(request_rec *r, SSLConnRec *sslconn); - static int ssl_find_vhost(void *servername, conn_rec *c, server_rec *s); - #endif - --#define SWITCH_STATUS_LINE "HTTP/1.1 101 Switching Protocols" --#define UPGRADE_HEADER "Upgrade: TLS/1.0, HTTP/1.1" --#define CONNECTION_HEADER "Connection: Upgrade" -- --/* Perform an upgrade-to-TLS for the given request, per RFC 2817. */ --static apr_status_t upgrade_connection(request_rec *r) --{ -- struct conn_rec *conn = r->connection; -- apr_bucket_brigade *bb; -- SSLConnRec *sslconn; -- apr_status_t rv; -- SSL *ssl; -- -- ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(02028) -- "upgrading connection to TLS"); -- -- bb = apr_brigade_create(r->pool, conn->bucket_alloc); -- -- rv = ap_fputs(conn->output_filters, bb, SWITCH_STATUS_LINE CRLF -- UPGRADE_HEADER CRLF CONNECTION_HEADER CRLF CRLF); -- if (rv == APR_SUCCESS) { -- APR_BRIGADE_INSERT_TAIL(bb, -- apr_bucket_flush_create(conn->bucket_alloc)); -- rv = ap_pass_brigade(conn->output_filters, bb); -- } -- -- if (rv) { -- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02029) -- "failed to send 101 interim response for connection " -- "upgrade"); -- return rv; -- } -- -- ssl_init_ssl_connection(conn, r); -- -- sslconn = myConnConfig(conn); -- ssl = sslconn->ssl; -- -- /* Perform initial SSL handshake. */ -- SSL_set_accept_state(ssl); -- SSL_do_handshake(ssl); -- -- if (!SSL_is_init_finished(ssl)) { -- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02030) -- "TLS upgrade handshake failed"); -- ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server); -- -- return APR_ECONNABORTED; -- } -- -- return APR_SUCCESS; --} -- - /* Perform a speculative (and non-blocking) read from the connection - * filters for the given request, to determine whether there is any - * pending data to read. Return non-zero if there is, else zero. */ -@@ -270,40 +217,17 @@ int ssl_hook_ReadReq(request_rec *r) - { - SSLSrvConfigRec *sc = mySrvConfig(r->server); - SSLConnRec *sslconn; -- const char *upgrade; - #ifdef HAVE_TLSEXT - const char *servername; - #endif - SSL *ssl; - -- /* Perform TLS upgrade here if "SSLEngine optional" is configured, -- * SSL is not already set up for this connection, and the client -- * has sent a suitable Upgrade header. */ -- if (sc->enabled == SSL_ENABLED_OPTIONAL && !myConnConfig(r->connection) -- && (upgrade = apr_table_get(r->headers_in, "Upgrade")) != NULL -- && ap_find_token(r->pool, upgrade, "TLS/1.0")) { -- if (upgrade_connection(r)) { -- return AP_FILTER_ERROR; -- } -- } -- - /* If we are on a slave connection, we do not expect to have an SSLConnRec, - * but our master connection might. */ - sslconn = myConnConfig(r->connection); - if (!(sslconn && sslconn->ssl) && r->connection->master) { - sslconn = myConnConfig(r->connection->master); - } -- -- /* If "SSLEngine optional" is configured, this is not an SSL -- * connection, and this isn't a subrequest, send an Upgrade -- * response header. Note this must happen before map_to_storage -- * and OPTIONS * request processing is completed. -- */ -- if (sc->enabled == SSL_ENABLED_OPTIONAL && !(sslconn && sslconn->ssl) -- && !r->main) { -- apr_table_setn(r->headers_out, "Upgrade", "TLS/1.0, HTTP/1.1"); -- apr_table_mergen(r->headers_out, "Connection", "upgrade"); -- } - - if (!sslconn) { - return DECLINED; -@@ -1238,16 +1162,6 @@ int ssl_hook_Access(request_rec *r) - * Support for SSLRequireSSL directive - */ - if (dc->bSSLRequired && !ssl) { -- if ((sc->enabled == SSL_ENABLED_OPTIONAL) && !r->connection->master) { -- /* This vhost was configured for optional SSL, just tell the -- * client that we need to upgrade. -- */ -- apr_table_setn(r->err_headers_out, "Upgrade", "TLS/1.0, HTTP/1.1"); -- apr_table_setn(r->err_headers_out, "Connection", "Upgrade"); -- -- return HTTP_UPGRADE_REQUIRED; -- } -- - ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02219) - "access to %s failed, reason: %s", - r->filename, "SSL connection required"); -diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h -index fb9edaa5eeb..794e51aa937 100644 ---- a/modules/ssl/ssl_private.h -+++ b/modules/ssl/ssl_private.h -@@ -526,7 +526,6 @@ typedef enum { - SSL_ENABLED_UNSET = UNSET, - SSL_ENABLED_FALSE = 0, - SSL_ENABLED_TRUE = 1, -- SSL_ENABLED_OPTIONAL = 3 - } ssl_enabled_t; - - /** diff --git a/fix-cve-2024-38472.patch b/fix-cve-2024-38472.patch deleted file mode 100644 index 0b7217644885e395f4b6011887bca5ec26ff6327..0000000000000000000000000000000000000000 --- a/fix-cve-2024-38472.patch +++ /dev/null @@ -1,175 +0,0 @@ -From 7407cc4cf2041229f1642f66855d270dd268be75 Mon Sep 17 00:00:00 2001 -From: Yang_X_Y -Date: Fri, 2 Aug 2024 10:47:20 +0800 -Subject: [PATCH] fix-cve-2024-38472 - ---- - include/http_core.h | 3 ++ - include/httpd.h | 10 +++++ - server/core.c | 101 ++++++++++++++++++++++++++++++++++++++++++++ - 3 files changed, 114 insertions(+) - -diff --git a/include/http_core.h b/include/http_core.h -index 948034f..9fb9f51 100644 ---- a/include/http_core.h -+++ b/include/http_core.h -@@ -756,6 +756,9 @@ typedef struct { - apr_size_t flush_max_threshold; - apr_int32_t flush_max_pipelined; - unsigned int strict_host_check; -+#ifdef WIN32 -+ apr_array_header_t *unc_list; -+#endif - } core_server_config; - - /* for AddOutputFiltersByType in core.c */ -diff --git a/include/httpd.h b/include/httpd.h -index 799cf97..1081846 100644 ---- a/include/httpd.h -+++ b/include/httpd.h -@@ -2656,6 +2656,16 @@ AP_DECLARE(const char *)ap_dir_fnmatch(ap_dir_match_t *w, const char *path, - */ - AP_DECLARE(int) ap_is_chunked(apr_pool_t *p, const char *line); - -+AP_DECLARE(apr_status_t) ap_filepath_merge(char **newpath, -+ const char *rootpath, -+ const char *addpath, -+ apr_int32_t flags, -+ apr_pool_t *p); -+ -+#ifdef WIN32 -+#define apr_filepath_merge ap_filepath_merge -+#endif -+ - #ifdef __cplusplus - } - #endif -diff --git a/server/core.c b/server/core.c -index f98ad9d..baadf95 100644 ---- a/server/core.c -+++ b/server/core.c -@@ -4453,6 +4453,25 @@ static const char *set_merge_trailers(cmd_parms *cmd, void *dummy, int arg) - return NULL; - } - -+#ifdef WIN32 -+static const char *set_unc_list(cmd_parms *cmd, void *d_, int argc, char *const argv[]) -+{ -+ core_server_config *sconf = ap_get_core_module_config(cmd->server->module_config); -+ int i; -+ const char *err; -+ -+ if ((err = ap_check_cmd_context(cmd, NOT_IN_VIRTUALHOST)) != NULL) -+ return err; -+ -+ sconf->unc_list = apr_array_make(cmd->pool, argc, sizeof(char *)); -+ -+ for (i = 0; i < argc; i++) { -+ *(char **)apr_array_push(sconf->unc_list) = apr_pstrdup(cmd->pool, argv[i]); -+ } -+ -+ return NULL; -+} -+#endif - /* Note --- ErrorDocument will now work from .htaccess files. - * The AllowOverride of Fileinfo allows webmasters to turn it off - */ -@@ -4554,6 +4573,10 @@ AP_INIT_TAKE1("FlushMaxThreshold", set_flush_max_threshold, NULL, RSRC_CONF, - AP_INIT_TAKE1("FlushMaxPipelined", set_flush_max_pipelined, NULL, RSRC_CONF, - "Maximum number of pipelined responses (pending) above which they are " - "flushed to the network"), -+#ifdef WIN32 -+AP_INIT_TAKE_ARGV("UNCList", set_unc_list, NULL, RSRC_CONF, -+ "Controls what UNC hosts may be looked up"), -+#endif - - /* Old server config file commands */ - -@@ -5722,6 +5745,84 @@ AP_CORE_DECLARE(apr_status_t) ap_get_pollfd_from_conn(conn_rec *c, - return ap_run_get_pollfd_from_conn(c, pfd, ptimeout); - } - -+#ifdef WIN32 -+static apr_status_t check_unc(const char *path, apr_pool_t *p) -+{ -+ int i; -+ char *s, *teststring; -+ apr_status_t rv = APR_EACCES; -+ core_server_config *sconf = NULL; -+ -+ if (!ap_server_conf) { -+ return APR_SUCCESS; /* this early, if we have a UNC, it's specified by an admin */ -+ } -+ -+ if (!path || (path != ap_strstr_c(path, "\\\\") && -+ path != ap_strstr_c(path, "//"))) { -+ return APR_SUCCESS; /* not a UNC */ -+ } -+ -+ sconf = ap_get_core_module_config(ap_server_conf->module_config); -+ s = teststring = apr_pstrdup(p, path); -+ *s++ = '/'; -+ *s++ = '/'; -+ -+ ap_log_error(APLOG_MARK, APLOG_TRACE4, 0, ap_server_conf, -+ "ap_filepath_merge: check converted path %s allowed %d", -+ teststring, -+ sconf->unc_list ? sconf->unc_list->nelts : 0); -+ -+ for (i = 0; sconf->unc_list && i < sconf->unc_list->nelts; i++) { -+ char *configured_unc = ((char **)sconf->unc_list->elts)[i]; -+ apr_uri_t uri; -+ if (APR_SUCCESS == apr_uri_parse(p, teststring, &uri) && -+ (uri.hostinfo == NULL || -+ !ap_cstr_casecmp(uri.hostinfo, configured_unc))) { -+ rv = APR_SUCCESS; -+ ap_log_error(APLOG_MARK, APLOG_TRACE4, 0, ap_server_conf, -+ "ap_filepath_merge: match %s %s", -+ uri.hostinfo, configured_unc); -+ break; -+ } -+ else { -+ ap_log_error(APLOG_MARK, APLOG_TRACE4, 0, ap_server_conf, -+ "ap_filepath_merge: no match %s %s", uri.hostinfo, -+ configured_unc); -+ } -+ } -+ if (rv != APR_SUCCESS) { -+ ap_log_error(APLOG_MARK, APLOG_ERR, rv, ap_server_conf, APLOGNO(10504) -+ "ap_filepath_merge: UNC path %s not allowed by UNCList", teststring); -+ } -+ -+ return rv; -+} -+#endif -+ -+AP_DECLARE(apr_status_t) ap_filepath_merge(char **newpath, -+ const char *rootpath, -+ const char *addpath, -+ apr_int32_t flags, -+ apr_pool_t *p) -+{ -+#ifdef WIN32 -+ apr_status_t rv; -+ -+ if (APR_SUCCESS != (rv = check_unc(rootpath, p))) { -+ return rv; -+ } -+ if (APR_SUCCESS != (rv = check_unc(addpath, p))) { -+ return rv; -+ } -+#undef apr_filepath_merge -+#endif -+ return apr_filepath_merge(newpath, rootpath, addpath, flags, p); -+#ifdef WIN32 -+#define apr_filepath_merge ap_filepath_merge -+#endif -+} -+ -+ - static void register_hooks(apr_pool_t *p) - { - errorlog_hash = apr_hash_make(p); --- -2.33.0 - diff --git a/fix-cve-2024-38475.patch b/fix-cve-2024-38475.patch deleted file mode 100644 index e5b6b1ea30ffc16cafdf1b181aca43a68e26953b..0000000000000000000000000000000000000000 --- a/fix-cve-2024-38475.patch +++ /dev/null @@ -1,353 +0,0 @@ -From f3ca642e89c355015e21275fd431ec6ab23d3cc3 Mon Sep 17 00:00:00 2001 -From: Yang_X_Y -Date: Fri, 2 Aug 2024 10:21:45 +0800 -Subject: [PATCH] fix-cve-2024-38475 - ---- - modules/mappers/mod_rewrite.c | 128 +++++++++++++++++++++++++++++----- - 1 file changed, 109 insertions(+), 19 deletions(-) - -diff --git a/modules/mappers/mod_rewrite.c b/modules/mappers/mod_rewrite.c -index bbcc11b..9c9076e 100644 ---- a/modules/mappers/mod_rewrite.c -+++ b/modules/mappers/mod_rewrite.c -@@ -177,6 +177,8 @@ static const char* really_last_key = "rewrite_really_last"; - #define RULEFLAG_QSLAST (1<<19) - #define RULEFLAG_QSNONE (1<<20) /* programattic only */ - #define RULEFLAG_ESCAPECTLS (1<<21) -+#define RULEFLAG_UNSAFE_PREFIX_STAT (1<<22) -+#define RULEFLAG_UNSAFE_ALLOW3F (1<<23) - - /* return code of the rewrite rule - * the result may be escaped - or not -@@ -184,7 +186,7 @@ static const char* really_last_key = "rewrite_really_last"; - #define ACTION_NORMAL (1<<0) - #define ACTION_NOESCAPE (1<<1) - #define ACTION_STATUS (1<<2) -- -+#define ACTION_STATUS_SET (1<<3) - - #define MAPTYPE_TXT (1<<0) - #define MAPTYPE_DBM (1<<1) -@@ -208,6 +210,7 @@ static const char* really_last_key = "rewrite_really_last"; - #define OPTION_IGNORE_INHERIT (1<<8) - #define OPTION_IGNORE_CONTEXT_INFO (1<<9) - #define OPTION_LEGACY_PREFIX_DOCROOT (1<<10) -+#define OPTION_UNSAFE_PREFIX_STAT (1<<12) - - #ifndef RAND_MAX - #define RAND_MAX 32767 -@@ -301,6 +304,14 @@ typedef enum { - CONDPAT_AP_EXPR - } pattern_type; - -+typedef enum { -+ RULE_RC_NOMATCH = 0, /* the rule didn't match */ -+ RULE_RC_MATCH = 1, /* a matching rule w/ substitution */ -+ RULE_RC_NOSUB = 2, /* a matching rule w/ no substitution */ -+ RULE_RC_STATUS_SET = 3 /* a matching rule that has set an HTTP error -+ to be returned in r->status */ -+} rule_return_type; -+ - typedef struct { - char *input; /* Input string of RewriteCond */ - char *pattern; /* the RegExp pattern string */ -@@ -927,10 +938,16 @@ static void fully_qualify_uri(request_rec *r) - return; - } - -+static int startsWith(request_rec *r, const char *haystack, const char *needle) { -+ int rc = (ap_strstr_c(haystack, needle) == haystack); -+ rewritelog((r, 5, NULL, "prefix_stat startsWith(%s, %s) %d", haystack, needle, rc)); -+ return rc; -+} -+ - /* -- * stat() only the first segment of a path -+ * stat() only the first segment of a path, and only if it matches the output of the last matching rule - */ --static int prefix_stat(const char *path, apr_pool_t *pool) -+static int prefix_stat(request_rec *r, const char *path, apr_pool_t *pool, rewriterule_entry *lastsub) - { - const char *curpath = path; - const char *root; -@@ -964,10 +981,36 @@ static int prefix_stat(const char *path, apr_pool_t *pool) - apr_finfo_t sb; - - if (apr_stat(&sb, statpath, APR_FINFO_MIN, pool) == APR_SUCCESS) { -- return 1; -+ if (!lastsub) { -+ rewritelog((r, 3, NULL, "prefix_stat no lastsub subst prefix %s", statpath)); -+ return 1; -+ } -+ -+ rewritelog((r, 3, NULL, "prefix_stat compare statpath %s and lastsub output %s STATOK %d ", -+ statpath, lastsub->output, lastsub->flags & RULEFLAG_UNSAFE_PREFIX_STAT)); -+ if (lastsub->flags & RULEFLAG_UNSAFE_PREFIX_STAT) { -+ return 1; -+ } -+ else { -+ const char *docroot = ap_document_root(r); -+ const char *context_docroot = ap_context_document_root(r); -+ /* -+ * As an example, path (r->filename) is /var/foo/bar/baz.html -+ * even if the flag is not set, we can accept a rule that -+ * began with a literal /var (stapath), or if the entire path -+ * starts with the docroot or context document root -+ */ -+ if (startsWith(r, lastsub->output, statpath) || -+ startsWith(r, path, docroot) || -+ ((docroot != context_docroot) && -+ startsWith(r, path, context_docroot))) { -+ return 1; -+ } -+ } - } - } - -+ /* prefix will be added */ - return 0; - } - -@@ -3072,6 +3115,9 @@ static const char *cmd_rewriteoptions(cmd_parms *cmd, - else if (!strcasecmp(w, "legacyprefixdocroot")) { - options |= OPTION_LEGACY_PREFIX_DOCROOT; - } -+ else if (!strcasecmp(w, "UnsafePrefixStat")) { -+ options |= OPTION_UNSAFE_PREFIX_STAT; -+ } - else { - return apr_pstrcat(cmd->pool, "RewriteOptions: unknown option '", - w, "'", NULL); -@@ -3780,6 +3826,19 @@ static const char *cmd_rewriterule_setflag(apr_pool_t *p, void *_cfg, - ++error; - } - break; -+ -+ case 'u': -+ case 'U': -+ if (!strcasecmp(key, "nsafePrefixStat")){ -+ cfg->flags |= (RULEFLAG_UNSAFE_PREFIX_STAT); -+ } -+ else if(!strcasecmp(key, "nsafeAllow3F")) { -+ cfg->flags |= RULEFLAG_UNSAFE_ALLOW3F; -+ } -+ else { -+ ++error; -+ } -+ break; - default: - ++error; - break; -@@ -4138,7 +4197,8 @@ static APR_INLINE void force_type_handler(rewriterule_entry *p, - /* - * Apply a single RewriteRule - */ --static int apply_rewrite_rule(rewriterule_entry *p, rewrite_ctx *ctx) -+static rule_return_type apply_rewrite_rule(rewriterule_entry *p, -+ rewrite_ctx *ctx) - { - ap_regmatch_t regmatch[AP_MAX_REG_MATCH]; - apr_array_header_t *rewriteconds; -@@ -4189,7 +4249,7 @@ static int apply_rewrite_rule(rewriterule_entry *p, rewrite_ctx *ctx) - rc = !ap_regexec(p->regexp, ctx->uri, AP_MAX_REG_MATCH, regmatch, 0); - if (! (( rc && !(p->flags & RULEFLAG_NOTMATCH)) || - (!rc && (p->flags & RULEFLAG_NOTMATCH)) ) ) { -- return 0; -+ return RULE_RC_NOMATCH; - } - - /* It matched, wow! Now it's time to prepare the context structure for -@@ -4240,7 +4300,7 @@ static int apply_rewrite_rule(rewriterule_entry *p, rewrite_ctx *ctx) - } - } - else if (!rc) { -- return 0; -+ return RULE_RC_NOMATCH; - } - - /* If some HTTP header was involved in the condition, remember it -@@ -4260,6 +4320,15 @@ static int apply_rewrite_rule(rewriterule_entry *p, rewrite_ctx *ctx) - newuri = do_expand(p->output, ctx, p); - rewritelog((r, 2, ctx->perdir, "rewrite '%s' -> '%s'", ctx->uri, - newuri)); -+ if (!(p->flags & RULEFLAG_UNSAFE_ALLOW3F) && -+ ap_strcasestr(r->unparsed_uri, "%3f") && -+ ap_strchr_c(newuri, '?')) { -+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO() -+ "Unsafe URL with %%3f URL rewritten without " -+ "UnsafeAllow3F"); -+ r->status = HTTP_FORBIDDEN; -+ return RULE_RC_STATUS_SET; -+ } - } - - /* expand [E=var:val] and [CO=] */ -@@ -4277,7 +4346,7 @@ static int apply_rewrite_rule(rewriterule_entry *p, rewrite_ctx *ctx) - r->status = p->forced_responsecode; - } - -- return 2; -+ return RULE_RC_NOSUB; - } - - /* Now adjust API's knowledge about r->filename and r->args */ -@@ -4329,7 +4398,7 @@ static int apply_rewrite_rule(rewriterule_entry *p, rewrite_ctx *ctx) - r->filename)); - - r->filename = apr_pstrcat(r->pool, "proxy:", r->filename, NULL); -- return 1; -+ return RULE_RC_MATCH; - } - - /* If this rule is explicitly forced for HTTP redirection -@@ -4344,7 +4413,7 @@ static int apply_rewrite_rule(rewriterule_entry *p, rewrite_ctx *ctx) - r->filename)); - - r->status = p->forced_responsecode; -- return 1; -+ return RULE_RC_MATCH; - } - - /* Special Rewriting Feature: Self-Reduction -@@ -4366,7 +4435,7 @@ static int apply_rewrite_rule(rewriterule_entry *p, rewrite_ctx *ctx) - "with %s", p->forced_responsecode, r->filename)); - - r->status = p->forced_responsecode; -- return 1; -+ return RULE_RC_MATCH; - } - - /* Finally remember the forced mime-type */ -@@ -4375,7 +4444,7 @@ static int apply_rewrite_rule(rewriterule_entry *p, rewrite_ctx *ctx) - /* Puuhhhhhhhh... WHAT COMPLICATED STUFF ;_) - * But now we're done for this particular rule. - */ -- return 1; -+ return RULE_RC_MATCH; - } - - /* -@@ -4383,13 +4452,13 @@ static int apply_rewrite_rule(rewriterule_entry *p, rewrite_ctx *ctx) - * i.e. a list of rewrite rules - */ - static int apply_rewrite_list(request_rec *r, apr_array_header_t *rewriterules, -- char *perdir) -+ char *perdir, rewriterule_entry **lastsub) - { - rewriterule_entry *entries; - rewriterule_entry *p; - int i; - int changed; -- int rc; -+ rule_return_type rc; - int s; - rewrite_ctx *ctx; - int round = 1; -@@ -4397,6 +4466,7 @@ static int apply_rewrite_list(request_rec *r, apr_array_header_t *rewriterules, - ctx = apr_palloc(r->pool, sizeof(*ctx)); - ctx->perdir = perdir; - ctx->r = r; -+ *lastsub = NULL; - - /* - * Iterate over all existing rules -@@ -4424,7 +4494,12 @@ static int apply_rewrite_list(request_rec *r, apr_array_header_t *rewriterules, - ctx->vary = NULL; - rc = apply_rewrite_rule(p, ctx); - -- if (rc) { -+ if (rc != RULE_RC_NOMATCH) { -+ -+ if (!(p->flags & RULEFLAG_NOSUB)) { -+ rewritelog((r, 2, perdir, "setting lastsub to rule with output %s", p->output)); -+ *lastsub = p; -+ } - - /* Catch looping rules with pathinfo growing unbounded */ - if ( strlen( r->filename ) > 2*r->server->limit_req_line ) { -@@ -4451,10 +4526,15 @@ static int apply_rewrite_list(request_rec *r, apr_array_header_t *rewriterules, - return ACTION_STATUS; - } - -+ /* Error while evaluating rule, r->status set */ -+ if (RULE_RC_STATUS_SET == rc) { -+ return ACTION_STATUS_SET; -+ } -+ - /* - * Indicate a change if this was not a match-only rule. - */ -- if (rc != 2) { -+ if (rc != RULE_RC_NOSUB) { - changed = ((p->flags & RULEFLAG_NOESCAPE) - ? ACTION_NOESCAPE : ACTION_NORMAL); - } -@@ -4643,6 +4723,7 @@ static int hook_uri2file(request_rec *r) - int rulestatus; - void *skipdata; - const char *oargs; -+ rewriterule_entry *lastsub = NULL; - - /* - * retrieve the config structures -@@ -4754,7 +4835,7 @@ static int hook_uri2file(request_rec *r) - /* - * now apply the rules ... - */ -- rulestatus = apply_rewrite_list(r, conf->rewriterules, NULL); -+ rulestatus = apply_rewrite_list(r, conf->rewriterules, NULL, &lastsub); - apr_table_setn(r->notes, "mod_rewrite_rewritten", - apr_psprintf(r->pool,"%d",rulestatus)); - } -@@ -4792,6 +4873,9 @@ static int hook_uri2file(request_rec *r) - r->status = HTTP_OK; - return n; - } -+ else if (ACTION_STATUS_SET == rulestatus) { -+ return r->status; -+ } - - if (to_proxyreq) { - /* it should be go on as an internal proxy request */ -@@ -4936,7 +5020,9 @@ static int hook_uri2file(request_rec *r) - uri_reduced = apr_table_get(r->notes, "mod_rewrite_uri_reduced"); - } - -- if (!prefix_stat(r->filename, r->pool) || uri_reduced != NULL) { -+ if (!prefix_stat(r, r->filename, r->pool, -+ conf->options & OPTION_UNSAFE_PREFIX_STAT ? NULL : lastsub) -+ || uri_reduced != NULL) { - int res; - char *tmp = r->uri; - -@@ -4981,6 +5067,7 @@ static int hook_fixup(request_rec *r) - char *ofilename, *oargs; - int is_proxyreq; - void *skipdata; -+ rewriterule_entry *lastsub; - - dconf = (rewrite_perdir_conf *)ap_get_module_config(r->per_dir_config, - &rewrite_module); -@@ -5065,7 +5152,7 @@ static int hook_fixup(request_rec *r) - /* - * now apply the rules ... - */ -- rulestatus = apply_rewrite_list(r, dconf->rewriterules, dconf->directory); -+ rulestatus = apply_rewrite_list(r, dconf->rewriterules, dconf->directory, &lastsub); - if (rulestatus) { - unsigned skip_absolute = is_absolute_uri(r->filename, NULL); - int to_proxyreq = 0; -@@ -5094,6 +5181,9 @@ static int hook_fixup(request_rec *r) - r->status = HTTP_OK; - return n; - } -+ else if (ACTION_STATUS_SET == rulestatus) { -+ return r->status; -+ } - - if (to_proxyreq) { - /* it should go on as an internal proxy request */ --- -2.33.0 - diff --git a/fix-cve-2024-39573.patch b/fix-cve-2024-39573.patch deleted file mode 100644 index 416dac2483863f3165060b95e3d518494ab30a68..0000000000000000000000000000000000000000 --- a/fix-cve-2024-39573.patch +++ /dev/null @@ -1,68 +0,0 @@ -From 17018252a1aab655c439d9cf6a8f7f959d183c09 Mon Sep 17 00:00:00 2001 -From: Yang_X_Y -Date: Fri, 2 Aug 2024 11:04:10 +0800 -Subject: [PATCH] fix-cve-2024-39573 - ---- - modules/mappers/mod_rewrite.c | 38 ++++++++++++++++++++++++----------- - 1 file changed, 26 insertions(+), 12 deletions(-) - -diff --git a/modules/mappers/mod_rewrite.c b/modules/mappers/mod_rewrite.c -index 9c9076e..f5d53ea 100644 ---- a/modules/mappers/mod_rewrite.c -+++ b/modules/mappers/mod_rewrite.c -@@ -4349,6 +4349,32 @@ static rule_return_type apply_rewrite_rule(rewriterule_entry *p, - return RULE_RC_NOSUB; - } - -+ /* Add the previously stripped per-directory location prefix, unless -+ * (1) it's an absolute URL path and -+ * (2) it's a full qualified URL -+ */ -+ if (!is_proxyreq && *newuri != '/' && !is_absolute_uri(newuri, NULL)) { -+ if (ctx->perdir) { -+ rewritelog((r, 3, ctx->perdir, "add per-dir prefix: %s -> %s%s", -+ newuri, ctx->perdir, newuri)); -+ -+ newuri = apr_pstrcat(r->pool, ctx->perdir, newuri, NULL); -+ } -+ else if (!(p->flags & (RULEFLAG_PROXY | RULEFLAG_FORCEREDIRECT))) { -+ /* Not an absolute URI-path and the scheme (if any) is unknown, -+ * and it won't be passed to fully_qualify_uri() below either, -+ * so add an implicit '/' prefix. This avoids potentially a common -+ * rule like "RewriteRule ^/some/path(.*) $1" that is given a path -+ * like "/some/pathscheme:..." to produce the fully qualified URL -+ * "scheme:..." which could be misinterpreted later. -+ */ -+ rewritelog((r, 3, ctx->perdir, "add root prefix: %s -> /%s", -+ newuri, newuri)); -+ -+ newuri = apr_pstrcat(r->pool, "/", newuri, NULL); -+ } -+ } -+ - /* Now adjust API's knowledge about r->filename and r->args */ - r->filename = newuri; - -@@ -4358,18 +4384,6 @@ static rule_return_type apply_rewrite_rule(rewriterule_entry *p, - - splitout_queryargs(r, p->flags); - -- /* Add the previously stripped per-directory location prefix, unless -- * (1) it's an absolute URL path and -- * (2) it's a full qualified URL -- */ -- if ( ctx->perdir && !is_proxyreq && *r->filename != '/' -- && !is_absolute_uri(r->filename, NULL)) { -- rewritelog((r, 3, ctx->perdir, "add per-dir prefix: %s -> %s%s", -- r->filename, ctx->perdir, r->filename)); -- -- r->filename = apr_pstrcat(r->pool, ctx->perdir, r->filename, NULL); -- } -- - /* If this rule is forced for proxy throughput - * (`RewriteRule ... ... [P]') then emulate mod_proxy's - * URL-to-filename handler to be sure mod_proxy is triggered --- -2.33.0 - diff --git a/httpd-2.4.43-gettid.patch b/httpd-2.4.43-gettid.patch deleted file mode 100644 index f80b3a79119d870a67d03107bf550bbb7e0a56f8..0000000000000000000000000000000000000000 --- a/httpd-2.4.43-gettid.patch +++ /dev/null @@ -1,93 +0,0 @@ -From d4e5b6e1e5585d341d1e51f1ddc637c099111076 Mon Sep 17 00:00:00 2001 -From: Joe Orton -Date: Tue, 7 Jul 2020 09:48:01 +0100 -Subject: [PATCH] Check and use gettid() directly with glibc 2.30+. - -* configure.in: Check for gettid() and define HAVE_SYS_GETTID if - gettid() is only usable via syscall(). - -* server/log.c (log_tid): Use gettid() directly if available. ---- - configure.in | 14 +++++++++----- - server/log.c | 8 ++++++-- - 2 files changed, 15 insertions(+), 7 deletions(-) - -diff --git a/configure.in b/configure.in -index 423d58d4b9a..60cbf7b7f81 100644 ---- httpd-2.4.43/configure.in.gettid -+++ httpd-2.4.43/configure.in -@@ -478,7 +500,8 @@ - timegm \ - getpgid \ - fopen64 \ --getloadavg -+getloadavg \ -+gettid - ) - - dnl confirm that a void pointer is large enough to store a long integer -@@ -489,16 +512,19 @@ - APR_ADDTO(HTTPD_LIBS, [-lselinux]) - ]) - --AC_CACHE_CHECK([for gettid()], ac_cv_gettid, -+if test $ac_cv_func_gettid = no; then -+ # On Linux before glibc 2.30, gettid() is only usable via syscall() -+ AC_CACHE_CHECK([for gettid() via syscall], ap_cv_gettid, - [AC_TRY_RUN(#define _GNU_SOURCE - #include - #include - #include - int main(int argc, char **argv) { - pid_t t = syscall(SYS_gettid); return t == -1 ? 1 : 0; }, --[ac_cv_gettid=yes], [ac_cv_gettid=no], [ac_cv_gettid=no])]) --if test "$ac_cv_gettid" = "yes"; then -- AC_DEFINE(HAVE_GETTID, 1, [Define if you have gettid()]) -+ [ap_cv_gettid=yes], [ap_cv_gettid=no], [ap_cv_gettid=no])]) -+ if test "$ap_cv_gettid" = "yes"; then -+ AC_DEFINE(HAVE_SYS_GETTID, 1, [Define if you have gettid() via syscall()]) -+ fi - fi - - dnl ## Check for the tm_gmtoff field in struct tm to get the timezone diffs ---- httpd-2.4.43/server/log.c.gettid -+++ httpd-2.4.43/server/log.c -@@ -55,7 +55,7 @@ - #include "ap_mpm.h" - #include "ap_listen.h" - --#if HAVE_GETTID -+#if HAVE_SYS_GETTID - #include - #include - #endif -@@ -625,14 +625,18 @@ - #if APR_HAS_THREADS - int result; - #endif --#if HAVE_GETTID -+#if defined(HAVE_GETTID) || defined(HAVE_SYS_GETTID) - if (arg && *arg == 'g') { -+#ifdef HAVE_GETTID -+ pid_t tid = gettid(); -+#else - pid_t tid = syscall(SYS_gettid); -+#endif - if (tid == -1) - return 0; - return apr_snprintf(buf, buflen, "%"APR_PID_T_FMT, tid); - } --#endif -+#endif /* HAVE_GETTID || HAVE_SYS_GETTID */ - #if APR_HAS_THREADS - if (ap_mpm_query(AP_MPMQ_IS_THREADED, &result) == APR_SUCCESS - && result != AP_MPMQ_NOT_SUPPORTED) -@@ -966,7 +970,7 @@ - #if APR_HAS_THREADS - field_start = len; - len += cpystrn(buf + len, ":tid ", buflen - len); -- item_len = log_tid(info, NULL, buf + len, buflen - len); -+ item_len = log_tid(info, "g", buf + len, buflen - len); - if (!item_len) - len = field_start; - else diff --git a/httpd-2.4.43-r1861793+.patch b/httpd-2.4.43-r1861793+.patch deleted file mode 100644 index 08e96cb5abaa51ead6ef4548b997ee29a400b5c9..0000000000000000000000000000000000000000 --- a/httpd-2.4.43-r1861793+.patch +++ /dev/null @@ -1,271 +0,0 @@ -diff --git a/configure.in b/configure.in -index cb43246..0bb6b0d 100644 ---- httpd-2.4.43/configure.in.r1861793+ -+++ httpd-2.4.43/configure.in -@@ -465,6 +465,28 @@ - AC_SEARCH_LIBS(crypt, crypt) - CRYPT_LIBS="$LIBS" - APACHE_SUBST(CRYPT_LIBS) -+ -+if test "$ac_cv_search_crypt" != "no"; then -+ # Test crypt() with the SHA-512 test vector from https://akkadia.org/drepper/SHA-crypt.txt -+ AC_CACHE_CHECK([whether crypt() supports SHA-2], [ap_cv_crypt_sha2], [ -+ AC_RUN_IFELSE([AC_LANG_PROGRAM([[ -+#include -+#include -+#include -+ -+#define PASSWD_0 "Hello world!" -+#define SALT_0 "\$6\$saltstring" -+#define EXPECT_0 "\$6\$saltstring\$svn8UoSVapNtMuq1ukKS4tPQd8iKwSMHWjl/O817G3uBnIFNjnQJu" \ -+ "esI68u4OTLiBFdcbYEdFCoEOfaS35inz1" -+]], [char *result = crypt(PASSWD_0, SALT_0); -+ if (!result) return 1; -+ if (strcmp(result, EXPECT_0)) return 2; -+])], [ap_cv_crypt_sha2=yes], [ap_cv_crypt_sha2=no])]) -+ if test "$ap_cv_crypt_sha2" = yes; then -+ AC_DEFINE([HAVE_CRYPT_SHA2], 1, [Define if crypt() supports SHA-2 hashes]) -+ fi -+fi -+ - LIBS="$saved_LIBS" - - dnl See Comment #Spoon ---- httpd-2.4.43/docs/man/htpasswd.1.r1861793+ -+++ httpd-2.4.43/docs/man/htpasswd.1 -@@ -27,16 +27,16 @@ - .SH "SYNOPSIS" - - .PP --\fB\fBhtpasswd\fR [ -\fBc\fR ] [ -\fBi\fR ] [ -\fBm\fR | -\fBB\fR | -\fBd\fR | -\fBs\fR | -\fBp\fR ] [ -\fBC\fR \fIcost\fR ] [ -\fBD\fR ] [ -\fBv\fR ] \fIpasswdfile\fR \fIusername\fR\fR -+\fB\fBhtpasswd\fR [ -\fBc\fR ] [ -\fBi\fR ] [ -\fBm\fR | -\fBB\fR | -\fB2\fR | -\fB5\fR | -\fBd\fR | -\fBs\fR | -\fBp\fR ] [ -\fBr\fR \fIrounds\fR ] [ -\fBC\fR \fIcost\fR ] [ -\fBD\fR ] [ -\fBv\fR ] \fIpasswdfile\fR \fIusername\fR\fR - - .PP --\fB\fBhtpasswd\fR -\fBb\fR [ -\fBc\fR ] [ -\fBm\fR | -\fBB\fR | -\fBd\fR | -\fBs\fR | -\fBp\fR ] [ -\fBC\fR \fIcost\fR ] [ -\fBD\fR ] [ -\fBv\fR ] \fIpasswdfile\fR \fIusername\fR \fIpassword\fR\fR -+\fB\fBhtpasswd\fR -\fBb\fR [ -\fBc\fR ] [ -\fBm\fR | -\fBB\fR | -\fB2\fR | -\fB5\fR | -\fBd\fR | -\fBs\fR | -\fBp\fR ] [ -\fBr\fR \fIrounds\fR ] [ -\fBC\fR \fIcost\fR ] [ -\fBD\fR ] [ -\fBv\fR ] \fIpasswdfile\fR \fIusername\fR \fIpassword\fR\fR - - .PP --\fB\fBhtpasswd\fR -\fBn\fR [ -\fBi\fR ] [ -\fBm\fR | -\fBB\fR | -\fBd\fR | -\fBs\fR | -\fBp\fR ] [ -\fBC\fR \fIcost\fR ] \fIusername\fR\fR -+\fB\fBhtpasswd\fR -\fBn\fR [ -\fBi\fR ] [ -\fBm\fR | -\fBB\fR | -\fB2\fR | -\fB5\fR | -\fBd\fR | -\fBs\fR | -\fBp\fR ] [ -\fBr\fR \fIrounds\fR ] [ -\fBC\fR \fIcost\fR ] \fIusername\fR\fR - - .PP --\fB\fBhtpasswd\fR -\fBnb\fR [ -\fBm\fR | -\fBB\fR | -\fBd\fR | -\fBs\fR | -\fBp\fR ] [ -\fBC\fR \fIcost\fR ] \fIusername\fR \fIpassword\fR\fR -+\fB\fBhtpasswd\fR -\fBnb\fR [ -\fBm\fR | -\fBB\fR | -\fB2\fR | -\fB5\fR | -\fBd\fR | -\fBs\fR | -\fBp\fR ] [ -\fBr\fR \fIrounds\fR ] [ -\fBC\fR \fIcost\fR ] \fIusername\fR \fIpassword\fR\fR - - - .SH "SUMMARY" -@@ -48,7 +48,7 @@ - Resources available from the Apache HTTP server can be restricted to just the users listed in the files created by \fBhtpasswd\fR\&. This program can only manage usernames and passwords stored in a flat-file\&. It can encrypt and display password information for use in other types of data stores, though\&. To use a DBM database see dbmmanage or htdbm\&. - - .PP --\fBhtpasswd\fR encrypts passwords using either bcrypt, a version of MD5 modified for Apache, SHA1, or the system's \fBcrypt()\fR routine\&. Files managed by \fBhtpasswd\fR may contain a mixture of different encoding types of passwords; some user records may have bcrypt or MD5-encrypted passwords while others in the same file may have passwords encrypted with \fBcrypt()\fR\&. -+\fBhtpasswd\fR encrypts passwords using either bcrypt, a version of MD5 modified for Apache, SHA-1, or the system's \fBcrypt()\fR routine\&. SHA-2-based hashes (SHA-256 and SHA-512) are supported for \fBcrypt()\fR\&. Files managed by \fBhtpasswd\fR may contain a mixture of different encoding types of passwords; some user records may have bcrypt or MD5-encrypted passwords while others in the same file may have passwords encrypted with \fBcrypt()\fR\&. - - .PP - This manual page only lists the command line arguments\&. For details of the directives necessary to configure user authentication in httpd see the Apache manual, which is part of the Apache distribution or can be found at http://httpd\&.apache\&.org/\&. -@@ -73,17 +73,26 @@ - \fB-m\fR - Use MD5 encryption for passwords\&. This is the default (since version 2\&.2\&.18)\&. - .TP -+\fB-2\fR -+Use SHA-256 \fBcrypt()\fR based hashes for passwords\&. This is supported on most Unix platforms\&. -+.TP -+\fB-5\fR -+Use SHA-512 \fBcrypt()\fR based hashes for passwords\&. This is supported on most Unix platforms\&. -+.TP - \fB-B\fR - Use bcrypt encryption for passwords\&. This is currently considered to be very secure\&. - .TP - \fB-C\fR - This flag is only allowed in combination with \fB-B\fR (bcrypt encryption)\&. It sets the computing time used for the bcrypt algorithm (higher is more secure but slower, default: 5, valid: 4 to 17)\&. - .TP -+\fB-r\fR -+This flag is only allowed in combination with \fB-2\fR or \fB-5\fR\&. It sets the number of hash rounds used for the SHA-2 algorithms (higher is more secure but slower; the default is 5,000)\&. -+.TP - \fB-d\fR - Use \fBcrypt()\fR encryption for passwords\&. This is not supported by the httpd server on Windows and Netware\&. This algorithm limits the password length to 8 characters\&. This algorithm is \fBinsecure\fR by today's standards\&. It used to be the default algorithm until version 2\&.2\&.17\&. - .TP - \fB-s\fR --Use SHA encryption for passwords\&. Facilitates migration from/to Netscape servers using the LDAP Directory Interchange Format (ldif)\&. This algorithm is \fBinsecure\fR by today's standards\&. -+Use SHA-1 (160-bit) encryption for passwords\&. Facilitates migration from/to Netscape servers using the LDAP Directory Interchange Format (ldif)\&. This algorithm is \fBinsecure\fR by today's standards\&. - .TP - \fB-p\fR - Use plaintext passwords\&. Though \fBhtpasswd\fR will support creation on all platforms, the httpd daemon will only accept plain text passwords on Windows and Netware\&. -@@ -152,10 +161,13 @@ - When using the \fBcrypt()\fR algorithm, note that only the first 8 characters of the password are used to form the password\&. If the supplied password is longer, the extra characters will be silently discarded\&. - - .PP --The SHA encryption format does not use salting: for a given password, there is only one encrypted representation\&. The \fBcrypt()\fR and MD5 formats permute the representation by prepending a random salt string, to make dictionary attacks against the passwords more difficult\&. -+The SHA-1 encryption format does not use salting: for a given password, there is only one encrypted representation\&. The \fBcrypt()\fR and MD5 formats permute the representation by prepending a random salt string, to make dictionary attacks against the passwords more difficult\&. -+ -+.PP -+The SHA-1 and \fBcrypt()\fR formats are insecure by today's standards\&. - - .PP --The SHA and \fBcrypt()\fR formats are insecure by today's standards\&. -+The SHA-2-based \fBcrypt()\fR formats (SHA-256 and SHA-512) are supported on most modern Unix systems, and follow the specification at https://www\&.akkadia\&.org/drepper/SHA-crypt\&.txt\&. - - .SH "RESTRICTIONS" - ---- httpd-2.4.43/support/htpasswd.c.r1861793+ -+++ httpd-2.4.43/support/htpasswd.c -@@ -109,17 +109,21 @@ - "for it." NL - " -i Read password from stdin without verification (for script usage)." NL - " -m Force MD5 encryption of the password (default)." NL -- " -B Force bcrypt encryption of the password (very secure)." NL -+ " -2 Force SHA-256 crypt() hash of the password (very secure)." NL -+ " -5 Force SHA-512 crypt() hash of the password (very secure)." NL -+ " -B Force bcrypt encryption of the password (very secure)." NL - " -C Set the computing time used for the bcrypt algorithm" NL - " (higher is more secure but slower, default: %d, valid: 4 to 17)." NL -+ " -r Set the number of rounds used for the SHA-256, SHA-512 algorithms" NL -+ " (higher is more secure but slower, default: 5000)." NL - " -d Force CRYPT encryption of the password (8 chars max, insecure)." NL -- " -s Force SHA encryption of the password (insecure)." NL -+ " -s Force SHA-1 encryption of the password (insecure)." NL - " -p Do not encrypt the password (plaintext, insecure)." NL - " -D Delete the specified user." NL - " -v Verify password for the specified user." NL - "On other systems than Windows and NetWare the '-p' flag will " - "probably not work." NL -- "The SHA algorithm does not use a salt and is less secure than the " -+ "The SHA-1 algorithm does not use a salt and is less secure than the " - "MD5 algorithm." NL, - BCRYPT_DEFAULT_COST - ); -@@ -178,7 +182,7 @@ - if (rv != APR_SUCCESS) - exit(ERR_SYNTAX); - -- while ((rv = apr_getopt(state, "cnmspdBbDiC:v", &opt, &opt_arg)) == APR_SUCCESS) { -+ while ((rv = apr_getopt(state, "cnmspdBbDi25C:r:v", &opt, &opt_arg)) == APR_SUCCESS) { - switch (opt) { - case 'c': - *mask |= APHTP_NEWFILE; ---- httpd-2.4.43/support/passwd_common.c.r1861793+ -+++ httpd-2.4.43/support/passwd_common.c -@@ -179,16 +179,21 @@ - int mkhash(struct passwd_ctx *ctx) - { - char *pw; -- char salt[16]; -+ char salt[17]; - apr_status_t rv; - int ret = 0; - #if CRYPT_ALGO_SUPPORTED - char *cbuf; - #endif -+#ifdef HAVE_CRYPT_SHA2 -+ const char *setting; -+ char method; -+#endif - -- if (ctx->cost != 0 && ctx->alg != ALG_BCRYPT) { -+ if (ctx->cost != 0 && ctx->alg != ALG_BCRYPT -+ && ctx->alg != ALG_CRYPT_SHA256 && ctx->alg != ALG_CRYPT_SHA512 ) { - apr_file_printf(errfile, -- "Warning: Ignoring -C argument for this algorithm." NL); -+ "Warning: Ignoring -C/-r argument for this algorithm." NL); - } - - if (ctx->passwd == NULL) { -@@ -246,6 +251,34 @@ - break; - #endif /* CRYPT_ALGO_SUPPORTED */ - -+#ifdef HAVE_CRYPT_SHA2 -+ case ALG_CRYPT_SHA256: -+ case ALG_CRYPT_SHA512: -+ ret = generate_salt(salt, 16, &ctx->errstr, ctx->pool); -+ if (ret != 0) -+ break; -+ -+ method = ctx->alg == ALG_CRYPT_SHA256 ? '5': '6'; -+ -+ if (ctx->cost) -+ setting = apr_psprintf(ctx->pool, "$%c$rounds=%d$%s", -+ method, ctx->cost, salt); -+ else -+ setting = apr_psprintf(ctx->pool, "$%c$%s", -+ method, salt); -+ -+ cbuf = crypt(pw, setting); -+ if (cbuf == NULL) { -+ rv = APR_FROM_OS_ERROR(errno); -+ ctx->errstr = apr_psprintf(ctx->pool, "crypt() failed: %pm", &rv); -+ ret = ERR_PWMISMATCH; -+ break; -+ } -+ -+ apr_cpystrn(ctx->out, cbuf, ctx->out_len - 1); -+ break; -+#endif /* HAVE_CRYPT_SHA2 */ -+ - #if BCRYPT_ALGO_SUPPORTED - case ALG_BCRYPT: - rv = apr_generate_random_bytes((unsigned char*)salt, 16); -@@ -294,6 +327,19 @@ - case 's': - ctx->alg = ALG_APSHA; - break; -+#ifdef HAVE_CRYPT_SHA2 -+ case '2': -+ ctx->alg = ALG_CRYPT_SHA256; -+ break; -+ case '5': -+ ctx->alg = ALG_CRYPT_SHA512; -+ break; -+#else -+ case '2': -+ case '5': -+ ctx->errstr = "SHA-2 crypt() algorithms are not supported on this platform."; -+ return ERR_ALG_NOT_SUPP; -+#endif - case 'p': - ctx->alg = ALG_PLAIN; - #if !PLAIN_ALGO_SUPPORTED -@@ -324,11 +370,12 @@ - return ERR_ALG_NOT_SUPP; - #endif - break; -- case 'C': { -+ case 'C': -+ case 'r': { - char *endptr; - long num = strtol(opt_arg, &endptr, 10); - if (*endptr != '\0' || num <= 0) { -- ctx->errstr = "argument to -C must be a positive integer"; -+ ctx->errstr = "argument to -C/-r must be a positive integer"; - return ERR_SYNTAX; - } - ctx->cost = num; ---- httpd-2.4.43/support/passwd_common.h.r1861793+ -+++ httpd-2.4.43/support/passwd_common.h -@@ -28,6 +28,8 @@ - #include "apu_version.h" - #endif - -+#include "ap_config_auto.h" -+ - #define MAX_STRING_LEN 256 - - #define ALG_PLAIN 0 -@@ -35,6 +37,8 @@ - #define ALG_APMD5 2 - #define ALG_APSHA 3 - #define ALG_BCRYPT 4 -+#define ALG_CRYPT_SHA256 5 -+#define ALG_CRYPT_SHA512 6 - - #define BCRYPT_DEFAULT_COST 5 - -@@ -84,7 +88,7 @@ - apr_size_t out_len; - char *passwd; - int alg; -- int cost; -+ int cost; /* cost for bcrypt, rounds for SHA-2 */ - enum { - PW_PROMPT = 0, - PW_ARG, diff --git a/httpd-2.4.43-socket-activation.patch b/httpd-2.4.43-socket-activation.patch deleted file mode 100644 index bd2b423ffa3261e06bc332d6c6e7a1a57c1246dd..0000000000000000000000000000000000000000 --- a/httpd-2.4.43-socket-activation.patch +++ /dev/null @@ -1,300 +0,0 @@ -diff --git a/server/listen.c b/server/listen.c -index 5242c2a..e2e028a 100644 ---- a/server/listen.c -+++ b/server/listen.c -@@ -34,6 +34,10 @@ - #include - #endif - -+#ifdef HAVE_SYSTEMD -+#include -+#endif -+ - /* we know core's module_index is 0 */ - #undef APLOG_MODULE_INDEX - #define APLOG_MODULE_INDEX AP_CORE_MODULE_INDEX -@@ -59,9 +63,12 @@ static int ap_listenbacklog; - static int ap_listencbratio; - static int send_buffer_size; - static int receive_buffer_size; -+#ifdef HAVE_SYSTEMD -+static int use_systemd = -1; -+#endif - - /* TODO: make_sock is just begging and screaming for APR abstraction */ --static apr_status_t make_sock(apr_pool_t *p, ap_listen_rec *server) -+static apr_status_t make_sock(apr_pool_t *p, ap_listen_rec *server, int do_bind_listen) - { - apr_socket_t *s = server->sd; - int one = 1; -@@ -94,20 +101,6 @@ static apr_status_t make_sock(apr_pool_t *p, ap_listen_rec *server) - return stat; - } - --#if APR_HAVE_IPV6 -- if (server->bind_addr->family == APR_INET6) { -- stat = apr_socket_opt_set(s, APR_IPV6_V6ONLY, v6only_setting); -- if (stat != APR_SUCCESS && stat != APR_ENOTIMPL) { -- ap_log_perror(APLOG_MARK, APLOG_CRIT, stat, p, APLOGNO(00069) -- "make_sock: for address %pI, apr_socket_opt_set: " -- "(IPV6_V6ONLY)", -- server->bind_addr); -- apr_socket_close(s); -- return stat; -- } -- } --#endif -- - /* - * To send data over high bandwidth-delay connections at full - * speed we must force the TCP window to open wide enough to keep the -@@ -169,21 +162,37 @@ static apr_status_t make_sock(apr_pool_t *p, ap_listen_rec *server) - } - #endif - -- if ((stat = apr_socket_bind(s, server->bind_addr)) != APR_SUCCESS) { -- ap_log_perror(APLOG_MARK, APLOG_STARTUP|APLOG_CRIT, stat, p, APLOGNO(00072) -- "make_sock: could not bind to address %pI", -- server->bind_addr); -- apr_socket_close(s); -- return stat; -- } -+ if (do_bind_listen) { -+#if APR_HAVE_IPV6 -+ if (server->bind_addr->family == APR_INET6) { -+ stat = apr_socket_opt_set(s, APR_IPV6_V6ONLY, v6only_setting); -+ if (stat != APR_SUCCESS && stat != APR_ENOTIMPL) { -+ ap_log_perror(APLOG_MARK, APLOG_CRIT, stat, p, APLOGNO(00069) -+ "make_sock: for address %pI, apr_socket_opt_set: " -+ "(IPV6_V6ONLY)", -+ server->bind_addr); -+ apr_socket_close(s); -+ return stat; -+ } -+ } -+#endif - -- if ((stat = apr_socket_listen(s, ap_listenbacklog)) != APR_SUCCESS) { -- ap_log_perror(APLOG_MARK, APLOG_STARTUP|APLOG_ERR, stat, p, APLOGNO(00073) -- "make_sock: unable to listen for connections " -- "on address %pI", -- server->bind_addr); -- apr_socket_close(s); -- return stat; -+ if ((stat = apr_socket_bind(s, server->bind_addr)) != APR_SUCCESS) { -+ ap_log_perror(APLOG_MARK, APLOG_STARTUP|APLOG_CRIT, stat, p, APLOGNO(00072) -+ "make_sock: could not bind to address %pI", -+ server->bind_addr); -+ apr_socket_close(s); -+ return stat; -+ } -+ -+ if ((stat = apr_socket_listen(s, ap_listenbacklog)) != APR_SUCCESS) { -+ ap_log_perror(APLOG_MARK, APLOG_STARTUP|APLOG_ERR, stat, p, APLOGNO(00073) -+ "make_sock: unable to listen for connections " -+ "on address %pI", -+ server->bind_addr); -+ apr_socket_close(s); -+ return stat; -+ } - } - - #ifdef WIN32 -@@ -315,6 +324,123 @@ static int find_listeners(ap_listen_rec **from, ap_listen_rec **to, - return found; - } - -+#ifdef HAVE_SYSTEMD -+ -+static int find_systemd_socket(process_rec * process, apr_port_t port) { -+ int fdcount, fd; -+ int sdc = sd_listen_fds(0); -+ -+ if (sdc < 0) { -+ ap_log_perror(APLOG_MARK, APLOG_CRIT, sdc, process->pool, APLOGNO(02486) -+ "find_systemd_socket: Error parsing enviroment, sd_listen_fds returned %d", -+ sdc); -+ return -1; -+ } -+ -+ if (sdc == 0) { -+ ap_log_perror(APLOG_MARK, APLOG_CRIT, sdc, process->pool, APLOGNO(02487) -+ "find_systemd_socket: At least one socket must be set."); -+ return -1; -+ } -+ -+ fdcount = atoi(getenv("LISTEN_FDS")); -+ for (fd = SD_LISTEN_FDS_START; fd < SD_LISTEN_FDS_START + fdcount; fd++) { -+ if (sd_is_socket_inet(fd, 0, 0, -1, port) > 0) { -+ return fd; -+ } -+ } -+ -+ return -1; -+} -+ -+static apr_status_t alloc_systemd_listener(process_rec * process, -+ int fd, const char *proto, -+ ap_listen_rec **out_rec) -+{ -+ apr_status_t rv; -+ struct sockaddr sa; -+ socklen_t len = sizeof(struct sockaddr); -+ apr_os_sock_info_t si; -+ ap_listen_rec *rec; -+ *out_rec = NULL; -+ -+ memset(&si, 0, sizeof(si)); -+ -+ rv = getsockname(fd, &sa, &len); -+ -+ if (rv != 0) { -+ rv = apr_get_netos_error(); -+ ap_log_perror(APLOG_MARK, APLOG_CRIT, rv, process->pool, APLOGNO(02489) -+ "getsockname on %d failed.", fd); -+ return rv; -+ } -+ -+ si.os_sock = &fd; -+ si.family = sa.sa_family; -+ si.local = &sa; -+ si.type = SOCK_STREAM; -+ si.protocol = APR_PROTO_TCP; -+ -+ rec = apr_palloc(process->pool, sizeof(ap_listen_rec)); -+ rec->active = 0; -+ rec->next = 0; -+ -+ -+ rv = apr_os_sock_make(&rec->sd, &si, process->pool); -+ if (rv != APR_SUCCESS) { -+ ap_log_perror(APLOG_MARK, APLOG_CRIT, rv, process->pool, APLOGNO(02490) -+ "apr_os_sock_make on %d failed.", fd); -+ return rv; -+ } -+ -+ rv = apr_socket_addr_get(&rec->bind_addr, APR_LOCAL, rec->sd); -+ if (rv != APR_SUCCESS) { -+ ap_log_perror(APLOG_MARK, APLOG_CRIT, rv, process->pool, APLOGNO(02491) -+ "apr_socket_addr_get on %d failed.", fd); -+ return rv; -+ } -+ -+ rec->protocol = apr_pstrdup(process->pool, proto); -+ -+ *out_rec = rec; -+ -+ return make_sock(process->pool, rec, 0); -+} -+ -+static const char *set_systemd_listener(process_rec *process, apr_port_t port, -+ const char *proto) -+{ -+ ap_listen_rec *last, *new; -+ apr_status_t rv; -+ int fd = find_systemd_socket(process, port); -+ if (fd < 0) { -+ return "Systemd socket activation is used, but this port is not " -+ "configured in systemd"; -+ } -+ -+ last = ap_listeners; -+ while (last && last->next) { -+ last = last->next; -+ } -+ -+ rv = alloc_systemd_listener(process, fd, proto, &new); -+ if (rv != APR_SUCCESS) { -+ return "Failed to setup socket passed by systemd using socket activation"; -+ } -+ -+ if (last == NULL) { -+ ap_listeners = last = new; -+ } -+ else { -+ last->next = new; -+ last = new; -+ } -+ -+ return NULL; -+} -+ -+#endif /* HAVE_SYSTEMD */ -+ - static const char *alloc_listener(process_rec *process, const char *addr, - apr_port_t port, const char* proto, - const char *scope_id, void *slave, -@@ -495,7 +621,7 @@ static int open_listeners(apr_pool_t *pool) - } - } - #endif -- if (make_sock(pool, lr) == APR_SUCCESS) { -+ if (make_sock(pool, lr, 1) == APR_SUCCESS) { - ++num_open; - } - else { -@@ -607,8 +733,28 @@ AP_DECLARE(int) ap_setup_listeners(server_rec *s) - } - } - -- if (open_listeners(s->process->pool)) { -- return 0; -+#ifdef HAVE_SYSTEMD -+ if (use_systemd) { -+ const char *userdata_key = "ap_open_systemd_listeners"; -+ void *data; -+ /* clear the enviroment on our second run -+ * so that none of our future children get confused. -+ */ -+ apr_pool_userdata_get(&data, userdata_key, s->process->pool); -+ if (!data) { -+ apr_pool_userdata_set((const void *)1, userdata_key, -+ apr_pool_cleanup_null, s->process->pool); -+ } -+ else { -+ sd_listen_fds(1); -+ } -+ } -+ else -+#endif -+ { -+ if (open_listeners(s->process->pool)) { -+ return 0; -+ } - } - - for (lr = ap_listeners; lr; lr = lr->next) { -@@ -698,7 +844,7 @@ AP_DECLARE(apr_status_t) ap_duplicate_listeners(apr_pool_t *p, server_rec *s, - duplr->bind_addr); - return stat; - } -- make_sock(p, duplr); -+ make_sock(p, duplr, 1); - #if AP_NONBLOCK_WHEN_MULTI_LISTEN - use_nonblock = (ap_listeners && ap_listeners->next); - stat = apr_socket_opt_set(duplr->sd, APR_SO_NONBLOCK, use_nonblock); -@@ -825,6 +971,11 @@ AP_DECLARE_NONSTD(const char *) ap_set_listener(cmd_parms *cmd, void *dummy, - if (argc < 1 || argc > 2) { - return "Listen requires 1 or 2 arguments."; - } -+#ifdef HAVE_SYSTEMD -+ if (use_systemd == -1) { -+ use_systemd = sd_listen_fds(0) > 0; -+ } -+#endif - - rv = apr_parse_addr_port(&host, &scope_id, &port, argv[0], cmd->pool); - if (rv != APR_SUCCESS) { -@@ -856,6 +1007,12 @@ AP_DECLARE_NONSTD(const char *) ap_set_listener(cmd_parms *cmd, void *dummy, - ap_str_tolower(proto); - } - -+#ifdef HAVE_SYSTEMD -+ if (use_systemd) { -+ return set_systemd_listener(cmd->server->process, port, proto); -+ } -+#endif -+ - return alloc_listener(cmd->server->process, host, port, proto, - scope_id, NULL, cmd->temp_pool); - } diff --git a/httpd-2.4.46-htcacheclean-dont-break.patch b/httpd-2.4.46-htcacheclean-dont-break.patch deleted file mode 100644 index e52318a7b4518e835b3807f9d1e35ba360486fa3..0000000000000000000000000000000000000000 --- a/httpd-2.4.46-htcacheclean-dont-break.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff --git a/support/htcacheclean.c b/support/htcacheclean.c -index 958ba6d..0a7fe3c 100644 ---- a/support/htcacheclean.c -+++ b/support/htcacheclean.c -@@ -557,8 +557,6 @@ static int list_urls(char *path, apr_pool_t *pool, apr_off_t round) - } - } - } -- -- break; - } - } - } diff --git a/httpd-2.4.48-r1828172+.patch b/httpd-2.4.48-r1828172+.patch deleted file mode 100644 index 37f1855bddc67a134afa26a593490d47dc1ca44d..0000000000000000000000000000000000000000 --- a/httpd-2.4.48-r1828172+.patch +++ /dev/null @@ -1,2371 +0,0 @@ - -https://github.com/apache/httpd/pull/209 - -diff --git a/modules/generators/cgi_common.h b/modules/generators/cgi_common.h -new file mode 100644 -index 0000000000..69df73ce68 ---- /dev/null -+++ b/modules/generators/cgi_common.h -@@ -0,0 +1,629 @@ -+/* Licensed to the Apache Software Foundation (ASF) under one or more -+ * contributor license agreements. See the NOTICE file distributed with -+ * this work for additional information regarding copyright ownership. -+ * The ASF licenses this file to You under the Apache License, Version 2.0 -+ * (the "License"); you may not use this file except in compliance with -+ * the License. You may obtain a copy of the License at -+ * -+ * http://www.apache.org/licenses/LICENSE-2.0 -+ * -+ * Unless required by applicable law or agreed to in writing, software -+ * distributed under the License is distributed on an "AS IS" BASIS, -+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -+ * See the License for the specific language governing permissions and -+ * limitations under the License. -+ */ -+ -+#include "apr.h" -+#include "apr_strings.h" -+#include "apr_buckets.h" -+#include "apr_lib.h" -+#include "apr_poll.h" -+ -+#define APR_WANT_STRFUNC -+#define APR_WANT_MEMFUNC -+#include "apr_want.h" -+ -+#include "httpd.h" -+#include "util_filter.h" -+ -+static APR_OPTIONAL_FN_TYPE(ap_ssi_get_tag_and_value) *cgi_pfn_gtv; -+static APR_OPTIONAL_FN_TYPE(ap_ssi_parse_string) *cgi_pfn_ps; -+ -+/* These functions provided by mod_cgi.c/mod_cgid.c still. */ -+static int log_script(request_rec *r, cgi_server_conf * conf, int ret, -+ char *dbuf, const char *sbuf, apr_bucket_brigade *bb, -+ apr_file_t *script_err); -+static apr_status_t include_cgi(include_ctx_t *ctx, ap_filter_t *f, -+ apr_bucket_brigade *bb, char *s); -+static apr_status_t include_cmd(include_ctx_t *ctx, ap_filter_t *f, -+ apr_bucket_brigade *bb, const char *command); -+ -+/* Read and discard all output from the brigade. Note that with the -+ * CGI bucket, the brigade will become empty once the script's stdout -+ * is closed (or on error/timeout), but the stderr output may not have -+ * been entirely captured at this point. */ -+static void discard_script_output(apr_bucket_brigade *bb) -+{ -+ apr_bucket *e; -+ const char *buf; -+ apr_size_t len; -+ -+ for (e = APR_BRIGADE_FIRST(bb); -+ e != APR_BRIGADE_SENTINEL(bb) && !APR_BUCKET_IS_EOS(e); -+ e = APR_BRIGADE_FIRST(bb)) -+ { -+ if (apr_bucket_read(e, &buf, &len, APR_BLOCK_READ)) { -+ break; -+ } -+ apr_bucket_delete(e); -+ } -+} -+ -+static int log_scripterror(request_rec *r, cgi_server_conf *conf, int ret, -+ apr_status_t rv, const char *logno, -+ const char *error) -+{ -+ apr_file_t *f = NULL; -+ apr_finfo_t finfo; -+ char time_str[APR_CTIME_LEN]; -+ -+ /* Intentional no APLOGNO */ -+ /* Callee provides APLOGNO in error text */ -+ ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, -+ "%sstderr from %s: %s", logno ? logno : "", r->filename, error); -+ -+ /* XXX Very expensive mainline case! Open, then getfileinfo! */ -+ if (!conf->logname || -+ ((apr_stat(&finfo, conf->logname, -+ APR_FINFO_SIZE, r->pool) == APR_SUCCESS) && -+ (finfo.size > conf->logbytes)) || -+ (apr_file_open(&f, conf->logname, -+ APR_APPEND|APR_WRITE|APR_CREATE, APR_OS_DEFAULT, -+ r->pool) != APR_SUCCESS)) { -+ return ret; -+ } -+ -+ /* "%% [Wed Jun 19 10:53:21 1996] GET /cgi-bin/printenv HTTP/1.0" */ -+ apr_ctime(time_str, apr_time_now()); -+ apr_file_printf(f, "%%%% [%s] %s %s%s%s %s\n", time_str, r->method, r->uri, -+ r->args ? "?" : "", r->args ? r->args : "", r->protocol); -+ /* "%% 500 /usr/local/apache/cgi-bin */ -+ apr_file_printf(f, "%%%% %d %s\n", ret, r->filename); -+ -+ apr_file_printf(f, "%%error\n%s\n", error); -+ -+ apr_file_close(f); -+ return ret; -+} -+ -+/* Soak up stderr from a script and redirect it to the error log. -+ */ -+static apr_status_t log_script_err(request_rec *r, apr_file_t *script_err) -+{ -+ char argsbuffer[HUGE_STRING_LEN]; -+ char *newline; -+ apr_status_t rv; -+ cgi_server_conf *conf = ap_get_module_config(r->server->module_config, &cgi_module); -+ -+ while ((rv = apr_file_gets(argsbuffer, HUGE_STRING_LEN, -+ script_err)) == APR_SUCCESS) { -+ -+ newline = strchr(argsbuffer, '\n'); -+ if (newline) { -+ char *prev = newline - 1; -+ if (prev >= argsbuffer && *prev == '\r') { -+ newline = prev; -+ } -+ -+ *newline = '\0'; -+ } -+ log_scripterror(r, conf, r->status, 0, APLOGNO(01215), argsbuffer); -+ } -+ -+ return rv; -+} -+ -+static apr_status_t cgi_handle_exec(include_ctx_t *ctx, ap_filter_t *f, -+ apr_bucket_brigade *bb) -+{ -+ char *tag = NULL; -+ char *tag_val = NULL; -+ request_rec *r = f->r; -+ char *file = r->filename; -+ char parsed_string[MAX_STRING_LEN]; -+ -+ if (!ctx->argc) { -+ ap_log_rerror(APLOG_MARK, -+ (ctx->flags & SSI_FLAG_PRINTING) -+ ? APLOG_ERR : APLOG_WARNING, -+ 0, r, APLOGNO(03195) -+ "missing argument for exec element in %s", r->filename); -+ } -+ -+ if (!(ctx->flags & SSI_FLAG_PRINTING)) { -+ return APR_SUCCESS; -+ } -+ -+ if (!ctx->argc) { -+ SSI_CREATE_ERROR_BUCKET(ctx, f, bb); -+ return APR_SUCCESS; -+ } -+ -+ if (ctx->flags & SSI_FLAG_NO_EXEC) { -+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01228) "exec used but not allowed " -+ "in %s", r->filename); -+ SSI_CREATE_ERROR_BUCKET(ctx, f, bb); -+ return APR_SUCCESS; -+ } -+ -+ while (1) { -+ cgi_pfn_gtv(ctx, &tag, &tag_val, SSI_VALUE_DECODED); -+ if (!tag || !tag_val) { -+ break; -+ } -+ -+ if (!strcmp(tag, "cmd")) { -+ apr_status_t rv; -+ -+ cgi_pfn_ps(ctx, tag_val, parsed_string, sizeof(parsed_string), -+ SSI_EXPAND_LEAVE_NAME); -+ -+ rv = include_cmd(ctx, f, bb, parsed_string); -+ if (rv != APR_SUCCESS) { -+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01229) "execution failure " -+ "for parameter \"%s\" to tag exec in file %s", -+ tag, r->filename); -+ SSI_CREATE_ERROR_BUCKET(ctx, f, bb); -+ break; -+ } -+ } -+ else if (!strcmp(tag, "cgi")) { -+ apr_status_t rv; -+ -+ cgi_pfn_ps(ctx, tag_val, parsed_string, sizeof(parsed_string), -+ SSI_EXPAND_DROP_NAME); -+ -+ rv = include_cgi(ctx, f, bb, parsed_string); -+ if (rv != APR_SUCCESS) { -+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01230) "invalid CGI ref " -+ "\"%s\" in %s", tag_val, file); -+ SSI_CREATE_ERROR_BUCKET(ctx, f, bb); -+ break; -+ } -+ } -+ else { -+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01231) "unknown parameter " -+ "\"%s\" to tag exec in %s", tag, file); -+ SSI_CREATE_ERROR_BUCKET(ctx, f, bb); -+ break; -+ } -+ } -+ -+ return APR_SUCCESS; -+} -+ -+/* Hook to register exec= handling with mod_include. */ -+static void cgi_optfns_retrieve(void) -+{ -+ APR_OPTIONAL_FN_TYPE(ap_register_include_handler) *cgi_pfn_reg_with_ssi; -+ -+ cgi_pfn_reg_with_ssi = APR_RETRIEVE_OPTIONAL_FN(ap_register_include_handler); -+ cgi_pfn_gtv = APR_RETRIEVE_OPTIONAL_FN(ap_ssi_get_tag_and_value); -+ cgi_pfn_ps = APR_RETRIEVE_OPTIONAL_FN(ap_ssi_parse_string); -+ -+ if (cgi_pfn_reg_with_ssi && cgi_pfn_gtv && cgi_pfn_ps) { -+ /* Required by mod_include filter. This is how mod_cgi registers -+ * with mod_include to provide processing of the exec directive. -+ */ -+ cgi_pfn_reg_with_ssi("exec", cgi_handle_exec); -+ } -+} -+ -+#ifdef WANT_CGI_BUCKET -+/* A CGI bucket type is needed to catch any output to stderr from the -+ * script; see PR 22030. */ -+static const apr_bucket_type_t bucket_type_cgi; -+ -+struct cgi_bucket_data { -+ apr_pollset_t *pollset; -+ request_rec *r; -+ apr_interval_time_t timeout; -+}; -+ -+/* Create a CGI bucket using pipes from script stdout 'out' -+ * and stderr 'err', for request 'r'. */ -+static apr_bucket *cgi_bucket_create(request_rec *r, -+ apr_interval_time_t timeout, -+ apr_file_t *out, apr_file_t *err, -+ apr_bucket_alloc_t *list) -+{ -+ apr_bucket *b = apr_bucket_alloc(sizeof(*b), list); -+ apr_status_t rv; -+ apr_pollfd_t fd; -+ struct cgi_bucket_data *data = apr_palloc(r->pool, sizeof *data); -+ -+ /* Disable APR timeout handling since we'll use poll() entirely. */ -+ apr_file_pipe_timeout_set(out, 0); -+ apr_file_pipe_timeout_set(err, 0); -+ -+ APR_BUCKET_INIT(b); -+ b->free = apr_bucket_free; -+ b->list = list; -+ b->type = &bucket_type_cgi; -+ b->length = (apr_size_t)(-1); -+ b->start = -1; -+ -+ /* Create the pollset */ -+ rv = apr_pollset_create(&data->pollset, 2, r->pool, 0); -+ if (rv != APR_SUCCESS) { -+ ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, APLOGNO(01217) -+ "apr_pollset_create(); check system or user limits"); -+ return NULL; -+ } -+ -+ fd.desc_type = APR_POLL_FILE; -+ fd.reqevents = APR_POLLIN; -+ fd.p = r->pool; -+ fd.desc.f = out; /* script's stdout */ -+ fd.client_data = (void *)1; -+ rv = apr_pollset_add(data->pollset, &fd); -+ if (rv != APR_SUCCESS) { -+ ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, APLOGNO(01218) -+ "apr_pollset_add(); check system or user limits"); -+ return NULL; -+ } -+ -+ fd.desc.f = err; /* script's stderr */ -+ fd.client_data = (void *)2; -+ rv = apr_pollset_add(data->pollset, &fd); -+ if (rv != APR_SUCCESS) { -+ ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, APLOGNO(01219) -+ "apr_pollset_add(); check system or user limits"); -+ return NULL; -+ } -+ -+ data->r = r; -+ data->timeout = timeout; -+ b->data = data; -+ return b; -+} -+ -+/* Create a duplicate CGI bucket using given bucket data */ -+static apr_bucket *cgi_bucket_dup(struct cgi_bucket_data *data, -+ apr_bucket_alloc_t *list) -+{ -+ apr_bucket *b = apr_bucket_alloc(sizeof(*b), list); -+ APR_BUCKET_INIT(b); -+ b->free = apr_bucket_free; -+ b->list = list; -+ b->type = &bucket_type_cgi; -+ b->length = (apr_size_t)(-1); -+ b->start = -1; -+ b->data = data; -+ return b; -+} -+ -+/* Handle stdout from CGI child. Duplicate of logic from the _read -+ * method of the real APR pipe bucket implementation. */ -+static apr_status_t cgi_read_stdout(apr_bucket *a, apr_file_t *out, -+ const char **str, apr_size_t *len) -+{ -+ char *buf; -+ apr_status_t rv; -+ -+ *str = NULL; -+ *len = APR_BUCKET_BUFF_SIZE; -+ buf = apr_bucket_alloc(*len, a->list); /* XXX: check for failure? */ -+ -+ rv = apr_file_read(out, buf, len); -+ -+ if (rv != APR_SUCCESS && rv != APR_EOF) { -+ apr_bucket_free(buf); -+ return rv; -+ } -+ -+ if (*len > 0) { -+ struct cgi_bucket_data *data = a->data; -+ apr_bucket_heap *h; -+ -+ /* Change the current bucket to refer to what we read */ -+ a = apr_bucket_heap_make(a, buf, *len, apr_bucket_free); -+ h = a->data; -+ h->alloc_len = APR_BUCKET_BUFF_SIZE; /* note the real buffer size */ -+ *str = buf; -+ APR_BUCKET_INSERT_AFTER(a, cgi_bucket_dup(data, a->list)); -+ } -+ else { -+ apr_bucket_free(buf); -+ a = apr_bucket_immortal_make(a, "", 0); -+ *str = a->data; -+ } -+ return rv; -+} -+ -+/* Read method of CGI bucket: polls on stderr and stdout of the child, -+ * sending any stderr output immediately away to the error log. */ -+static apr_status_t cgi_bucket_read(apr_bucket *b, const char **str, -+ apr_size_t *len, apr_read_type_e block) -+{ -+ struct cgi_bucket_data *data = b->data; -+ apr_interval_time_t timeout = 0; -+ apr_status_t rv; -+ int gotdata = 0; -+ -+ if (block != APR_NONBLOCK_READ) { -+ timeout = data->timeout > 0 ? data->timeout : data->r->server->timeout; -+ } -+ -+ do { -+ const apr_pollfd_t *results; -+ apr_int32_t num; -+ -+ rv = apr_pollset_poll(data->pollset, timeout, &num, &results); -+ if (APR_STATUS_IS_TIMEUP(rv)) { -+ if (timeout) { -+ ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, data->r, APLOGNO(01220) -+ "Timeout waiting for output from CGI script %s", -+ data->r->filename); -+ return rv; -+ } -+ else { -+ return APR_EAGAIN; -+ } -+ } -+ else if (APR_STATUS_IS_EINTR(rv)) { -+ continue; -+ } -+ else if (rv != APR_SUCCESS) { -+ ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, data->r, APLOGNO(01221) -+ "poll failed waiting for CGI child"); -+ return rv; -+ } -+ -+ for (; num; num--, results++) { -+ if (results[0].client_data == (void *)1) { -+ /* stdout */ -+ rv = cgi_read_stdout(b, results[0].desc.f, str, len); -+ if (APR_STATUS_IS_EOF(rv)) { -+ rv = APR_SUCCESS; -+ } -+ gotdata = 1; -+ } else { -+ /* stderr */ -+ apr_status_t rv2 = log_script_err(data->r, results[0].desc.f); -+ if (APR_STATUS_IS_EOF(rv2)) { -+ apr_pollset_remove(data->pollset, &results[0]); -+ } -+ } -+ } -+ -+ } while (!gotdata); -+ -+ return rv; -+} -+ -+static const apr_bucket_type_t bucket_type_cgi = { -+ "CGI", 5, APR_BUCKET_DATA, -+ apr_bucket_destroy_noop, -+ cgi_bucket_read, -+ apr_bucket_setaside_notimpl, -+ apr_bucket_split_notimpl, -+ apr_bucket_copy_notimpl -+}; -+ -+#endif /* WANT_CGI_BUCKET */ -+ -+/* Handle the CGI response output, having set up the brigade with the -+ * CGI or PIPE bucket as appropriate. */ -+static int cgi_handle_response(request_rec *r, int nph, apr_bucket_brigade *bb, -+ apr_interval_time_t timeout, cgi_server_conf *conf, -+ char *logdata, apr_file_t *script_err) -+{ -+ apr_status_t rv; -+ -+ /* Handle script return... */ -+ if (!nph) { -+ const char *location; -+ char sbuf[MAX_STRING_LEN]; -+ int ret; -+ -+ if ((ret = ap_scan_script_header_err_brigade_ex(r, bb, sbuf, -+ APLOG_MODULE_INDEX))) -+ { -+ /* In the case of a timeout reading script output, clear -+ * the brigade to avoid a second attempt to read the -+ * output. */ -+ if (ret == HTTP_GATEWAY_TIME_OUT) { -+ apr_brigade_cleanup(bb); -+ } -+ -+ ret = log_script(r, conf, ret, logdata, sbuf, bb, script_err); -+ -+ /* -+ * ret could be HTTP_NOT_MODIFIED in the case that the CGI script -+ * does not set an explicit status and ap_meets_conditions, which -+ * is called by ap_scan_script_header_err_brigade, detects that -+ * the conditions of the requests are met and the response is -+ * not modified. -+ * In this case set r->status and return OK in order to prevent -+ * running through the error processing stack as this would -+ * break with mod_cache, if the conditions had been set by -+ * mod_cache itself to validate a stale entity. -+ * BTW: We circumvent the error processing stack anyway if the -+ * CGI script set an explicit status code (whatever it is) and -+ * the only possible values for ret here are: -+ * -+ * HTTP_NOT_MODIFIED (set by ap_meets_conditions) -+ * HTTP_PRECONDITION_FAILED (set by ap_meets_conditions) -+ * HTTP_INTERNAL_SERVER_ERROR (if something went wrong during the -+ * processing of the response of the CGI script, e.g broken headers -+ * or a crashed CGI process). -+ */ -+ if (ret == HTTP_NOT_MODIFIED) { -+ r->status = ret; -+ return OK; -+ } -+ -+ return ret; -+ } -+ -+ location = apr_table_get(r->headers_out, "Location"); -+ -+ if (location && r->status == 200) { -+ /* For a redirect whether internal or not, discard any -+ * remaining stdout from the script, and log any remaining -+ * stderr output, as normal. */ -+ discard_script_output(bb); -+ apr_brigade_destroy(bb); -+ -+ if (script_err) { -+ apr_file_pipe_timeout_set(script_err, timeout); -+ log_script_err(r, script_err); -+ } -+ } -+ -+ if (location && location[0] == '/' && r->status == 200) { -+ /* This redirect needs to be a GET no matter what the original -+ * method was. -+ */ -+ r->method = "GET"; -+ r->method_number = M_GET; -+ -+ /* We already read the message body (if any), so don't allow -+ * the redirected request to think it has one. We can ignore -+ * Transfer-Encoding, since we used REQUEST_CHUNKED_ERROR. -+ */ -+ apr_table_unset(r->headers_in, "Content-Length"); -+ -+ ap_internal_redirect_handler(location, r); -+ return OK; -+ } -+ else if (location && r->status == 200) { -+ /* XXX: Note that if a script wants to produce its own Redirect -+ * body, it now has to explicitly *say* "Status: 302" -+ */ -+ discard_script_output(bb); -+ apr_brigade_destroy(bb); -+ return HTTP_MOVED_TEMPORARILY; -+ } -+ -+ rv = ap_pass_brigade(r->output_filters, bb); -+ } -+ else /* nph */ { -+ struct ap_filter_t *cur; -+ -+ /* get rid of all filters up through protocol... since we -+ * haven't parsed off the headers, there is no way they can -+ * work -+ */ -+ -+ cur = r->proto_output_filters; -+ while (cur && cur->frec->ftype < AP_FTYPE_CONNECTION) { -+ cur = cur->next; -+ } -+ r->output_filters = r->proto_output_filters = cur; -+ -+ rv = ap_pass_brigade(r->output_filters, bb); -+ } -+ -+ /* don't soak up script output if errors occurred writing it -+ * out... otherwise, we prolong the life of the script when the -+ * connection drops or we stopped sending output for some other -+ * reason */ -+ if (script_err && rv == APR_SUCCESS && !r->connection->aborted) { -+ apr_file_pipe_timeout_set(script_err, timeout); -+ log_script_err(r, script_err); -+ } -+ -+ if (script_err) apr_file_close(script_err); -+ -+ return OK; /* NOT r->status, even if it has changed. */ -+} -+ -+/* Read the request body and write it to fd 'script_out', using 'bb' -+ * as temporary bucket brigade. If 'logbuf' is non-NULL, the first -+ * logbufbytes of stdout are stored in logbuf. */ -+static apr_status_t cgi_handle_request(request_rec *r, apr_file_t *script_out, -+ apr_bucket_brigade *bb, -+ char *logbuf, apr_size_t logbufbytes) -+{ -+ int seen_eos = 0; -+ int child_stopped_reading = 0; -+ apr_status_t rv; -+ int dbpos = 0; -+ -+ do { -+ apr_bucket *bucket; -+ -+ rv = ap_get_brigade(r->input_filters, bb, AP_MODE_READBYTES, -+ APR_BLOCK_READ, HUGE_STRING_LEN); -+ -+ if (rv != APR_SUCCESS) { -+ return rv; -+ } -+ -+ for (bucket = APR_BRIGADE_FIRST(bb); -+ bucket != APR_BRIGADE_SENTINEL(bb); -+ bucket = APR_BUCKET_NEXT(bucket)) -+ { -+ const char *data; -+ apr_size_t len; -+ -+ if (APR_BUCKET_IS_EOS(bucket)) { -+ seen_eos = 1; -+ break; -+ } -+ -+ /* We can't do much with this. */ -+ if (APR_BUCKET_IS_FLUSH(bucket)) { -+ continue; -+ } -+ -+ /* If the child stopped, we still must read to EOS. */ -+ if (child_stopped_reading) { -+ continue; -+ } -+ -+ /* read */ -+ rv = apr_bucket_read(bucket, &data, &len, APR_BLOCK_READ); -+ if (rv) { -+ return rv; -+ } -+ -+ if (logbufbytes && dbpos < logbufbytes) { -+ int cursize; -+ -+ if ((dbpos + len) > logbufbytes) { -+ cursize = logbufbytes - dbpos; -+ } -+ else { -+ cursize = len; -+ } -+ memcpy(logbuf + dbpos, data, cursize); -+ dbpos += cursize; -+ } -+ -+ /* Keep writing data to the child until done or too much time -+ * elapses with no progress or an error occurs. -+ */ -+ rv = apr_file_write_full(script_out, data, len, NULL); -+ -+ if (rv != APR_SUCCESS) { -+ /* silly script stopped reading, soak up remaining message */ -+ child_stopped_reading = 1; -+ ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, APLOGNO(02651) -+ "Error writing request body to script %s", -+ r->filename); -+ } -+ } -+ apr_brigade_cleanup(bb); -+ } -+ while (!seen_eos); -+ -+ if (logbuf) { -+ logbuf[dbpos] = '\0'; -+ } -+ -+ return APR_SUCCESS; -+} -diff --git a/modules/generators/config5.m4 b/modules/generators/config5.m4 -index bf295217e0..086355353b 100644 ---- a/modules/generators/config5.m4 -+++ b/modules/generators/config5.m4 -@@ -78,4 +78,15 @@ fi - - APR_ADDTO(INCLUDES, [-I\$(top_srcdir)/$modpath_current]) - -+AC_ARG_ENABLE(cgid-fdpassing, -+ [APACHE_HELP_STRING(--enable-cgid-fdpassing,Enable experimental mod_cgid support for fd passing)], -+ [if test "$enableval" = "yes"; then -+ AC_CHECK_DECL(CMSG_DATA, -+ [AC_DEFINE([HAVE_CGID_FDPASSING], 1, [Enable FD passing support in mod_cgid])], -+ [AC_MSG_ERROR([cannot support mod_cgid fd-passing on this system])], [ -+#include -+#include ]) -+ fi -+]) -+ - APACHE_MODPATH_FINISH -diff --git a/modules/generators/mod_cgi.c b/modules/generators/mod_cgi.c -index 7e4b126c10..421124a0cb 100644 ---- a/modules/generators/mod_cgi.c -+++ b/modules/generators/mod_cgi.c -@@ -61,9 +61,6 @@ - - module AP_MODULE_DECLARE_DATA cgi_module; - --static APR_OPTIONAL_FN_TYPE(ap_register_include_handler) *cgi_pfn_reg_with_ssi; --static APR_OPTIONAL_FN_TYPE(ap_ssi_get_tag_and_value) *cgi_pfn_gtv; --static APR_OPTIONAL_FN_TYPE(ap_ssi_parse_string) *cgi_pfn_ps; - static APR_OPTIONAL_FN_TYPE(ap_cgi_build_command) *cgi_build_command; - - /* Read and discard the data in the brigade produced by a CGI script */ -@@ -92,6 +89,15 @@ typedef struct { - apr_size_t bufbytes; - } cgi_server_conf; - -+typedef struct { -+ apr_interval_time_t timeout; -+} cgi_dirconf; -+ -+#if APR_FILES_AS_SOCKETS -+#define WANT_CGI_BUCKET -+#endif -+#include "cgi_common.h" -+ - static void *create_cgi_config(apr_pool_t *p, server_rec *s) - { - cgi_server_conf *c = -@@ -112,6 +118,12 @@ static void *merge_cgi_config(apr_pool_t *p, void *basev, void *overridesv) - return overrides->logname ? overrides : base; - } - -+static void *create_cgi_dirconf(apr_pool_t *p, char *dummy) -+{ -+ cgi_dirconf *c = (cgi_dirconf *) apr_pcalloc(p, sizeof(cgi_dirconf)); -+ return c; -+} -+ - static const char *set_scriptlog(cmd_parms *cmd, void *dummy, const char *arg) - { - server_rec *s = cmd->server; -@@ -150,6 +162,17 @@ static const char *set_scriptlog_buffer(cmd_parms *cmd, void *dummy, - return NULL; - } - -+static const char *set_script_timeout(cmd_parms *cmd, void *dummy, const char *arg) -+{ -+ cgi_dirconf *dc = dummy; -+ -+ if (ap_timeout_parameter_parse(arg, &dc->timeout, "s") != APR_SUCCESS) { -+ return "CGIScriptTimeout has wrong format"; -+ } -+ -+ return NULL; -+} -+ - static const command_rec cgi_cmds[] = - { - AP_INIT_TAKE1("ScriptLog", set_scriptlog, NULL, RSRC_CONF, -@@ -158,67 +181,12 @@ AP_INIT_TAKE1("ScriptLogLength", set_scriptlog_length, NULL, RSRC_CONF, - "the maximum length (in bytes) of the script debug log"), - AP_INIT_TAKE1("ScriptLogBuffer", set_scriptlog_buffer, NULL, RSRC_CONF, - "the maximum size (in bytes) to record of a POST request"), -+AP_INIT_TAKE1("CGIScriptTimeout", set_script_timeout, NULL, RSRC_CONF | ACCESS_CONF, -+ "The amount of time to wait between successful reads from " -+ "the CGI script, in seconds."), - {NULL} - }; - --static int log_scripterror(request_rec *r, cgi_server_conf * conf, int ret, -- apr_status_t rv, char *logno, char *error) --{ -- apr_file_t *f = NULL; -- apr_finfo_t finfo; -- char time_str[APR_CTIME_LEN]; -- int log_flags = rv ? APLOG_ERR : APLOG_ERR; -- -- /* Intentional no APLOGNO */ -- /* Callee provides APLOGNO in error text */ -- ap_log_rerror(APLOG_MARK, log_flags, rv, r, -- "%s%s: %s", logno ? logno : "", error, r->filename); -- -- /* XXX Very expensive mainline case! Open, then getfileinfo! */ -- if (!conf->logname || -- ((apr_stat(&finfo, conf->logname, -- APR_FINFO_SIZE, r->pool) == APR_SUCCESS) && -- (finfo.size > conf->logbytes)) || -- (apr_file_open(&f, conf->logname, -- APR_APPEND|APR_WRITE|APR_CREATE, APR_OS_DEFAULT, -- r->pool) != APR_SUCCESS)) { -- return ret; -- } -- -- /* "%% [Wed Jun 19 10:53:21 1996] GET /cgi-bin/printenv HTTP/1.0" */ -- apr_ctime(time_str, apr_time_now()); -- apr_file_printf(f, "%%%% [%s] %s %s%s%s %s\n", time_str, r->method, r->uri, -- r->args ? "?" : "", r->args ? r->args : "", r->protocol); -- /* "%% 500 /usr/local/apache/cgi-bin */ -- apr_file_printf(f, "%%%% %d %s\n", ret, r->filename); -- -- apr_file_printf(f, "%%error\n%s\n", error); -- -- apr_file_close(f); -- return ret; --} -- --/* Soak up stderr from a script and redirect it to the error log. -- */ --static apr_status_t log_script_err(request_rec *r, apr_file_t *script_err) --{ -- char argsbuffer[HUGE_STRING_LEN]; -- char *newline; -- apr_status_t rv; -- cgi_server_conf *conf = ap_get_module_config(r->server->module_config, &cgi_module); -- -- while ((rv = apr_file_gets(argsbuffer, HUGE_STRING_LEN, -- script_err)) == APR_SUCCESS) { -- newline = strchr(argsbuffer, '\n'); -- if (newline) { -- *newline = '\0'; -- } -- log_scripterror(r, conf, r->status, 0, APLOGNO(01215), argsbuffer); -- } -- -- return rv; --} -- - static int log_script(request_rec *r, cgi_server_conf * conf, int ret, - char *dbuf, const char *sbuf, apr_bucket_brigade *bb, - apr_file_t *script_err) -@@ -466,23 +434,26 @@ static apr_status_t run_cgi_child(apr_file_t **script_out, - apr_filepath_name_get(r->filename)); - } - else { -+ cgi_dirconf *dc = ap_get_module_config(r->per_dir_config, &cgi_module); -+ apr_interval_time_t timeout = dc->timeout > 0 ? dc->timeout : r->server->timeout; -+ - apr_pool_note_subprocess(p, procnew, APR_KILL_AFTER_TIMEOUT); - - *script_in = procnew->out; - if (!*script_in) - return APR_EBADF; -- apr_file_pipe_timeout_set(*script_in, r->server->timeout); -+ apr_file_pipe_timeout_set(*script_in, timeout); - - if (e_info->prog_type == RUN_AS_CGI) { - *script_out = procnew->in; - if (!*script_out) - return APR_EBADF; -- apr_file_pipe_timeout_set(*script_out, r->server->timeout); -+ apr_file_pipe_timeout_set(*script_out, timeout); - - *script_err = procnew->err; - if (!*script_err) - return APR_EBADF; -- apr_file_pipe_timeout_set(*script_err, r->server->timeout); -+ apr_file_pipe_timeout_set(*script_err, timeout); - } - } - } -@@ -536,234 +507,30 @@ static apr_status_t default_build_command(const char **cmd, const char ***argv, - return APR_SUCCESS; - } - --static void discard_script_output(apr_bucket_brigade *bb) --{ -- apr_bucket *e; -- const char *buf; -- apr_size_t len; -- -- for (e = APR_BRIGADE_FIRST(bb); -- e != APR_BRIGADE_SENTINEL(bb) && !APR_BUCKET_IS_EOS(e); -- e = APR_BRIGADE_FIRST(bb)) -- { -- if (apr_bucket_read(e, &buf, &len, APR_BLOCK_READ)) { -- break; -- } -- apr_bucket_delete(e); -- } --} -- --#if APR_FILES_AS_SOCKETS -- --/* A CGI bucket type is needed to catch any output to stderr from the -- * script; see PR 22030. */ --static const apr_bucket_type_t bucket_type_cgi; -- --struct cgi_bucket_data { -- apr_pollset_t *pollset; -- request_rec *r; --}; -- --/* Create a CGI bucket using pipes from script stdout 'out' -- * and stderr 'err', for request 'r'. */ --static apr_bucket *cgi_bucket_create(request_rec *r, -- apr_file_t *out, apr_file_t *err, -- apr_bucket_alloc_t *list) --{ -- apr_bucket *b = apr_bucket_alloc(sizeof(*b), list); -- apr_status_t rv; -- apr_pollfd_t fd; -- struct cgi_bucket_data *data = apr_palloc(r->pool, sizeof *data); -- -- APR_BUCKET_INIT(b); -- b->free = apr_bucket_free; -- b->list = list; -- b->type = &bucket_type_cgi; -- b->length = (apr_size_t)(-1); -- b->start = -1; -- -- /* Create the pollset */ -- rv = apr_pollset_create(&data->pollset, 2, r->pool, 0); -- if (rv != APR_SUCCESS) { -- ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, APLOGNO(01217) -- "apr_pollset_create(); check system or user limits"); -- return NULL; -- } -- -- fd.desc_type = APR_POLL_FILE; -- fd.reqevents = APR_POLLIN; -- fd.p = r->pool; -- fd.desc.f = out; /* script's stdout */ -- fd.client_data = (void *)1; -- rv = apr_pollset_add(data->pollset, &fd); -- if (rv != APR_SUCCESS) { -- ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, APLOGNO(01218) -- "apr_pollset_add(); check system or user limits"); -- return NULL; -- } -- -- fd.desc.f = err; /* script's stderr */ -- fd.client_data = (void *)2; -- rv = apr_pollset_add(data->pollset, &fd); -- if (rv != APR_SUCCESS) { -- ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, APLOGNO(01219) -- "apr_pollset_add(); check system or user limits"); -- return NULL; -- } -- -- data->r = r; -- b->data = data; -- return b; --} -- --/* Create a duplicate CGI bucket using given bucket data */ --static apr_bucket *cgi_bucket_dup(struct cgi_bucket_data *data, -- apr_bucket_alloc_t *list) --{ -- apr_bucket *b = apr_bucket_alloc(sizeof(*b), list); -- APR_BUCKET_INIT(b); -- b->free = apr_bucket_free; -- b->list = list; -- b->type = &bucket_type_cgi; -- b->length = (apr_size_t)(-1); -- b->start = -1; -- b->data = data; -- return b; --} -- --/* Handle stdout from CGI child. Duplicate of logic from the _read -- * method of the real APR pipe bucket implementation. */ --static apr_status_t cgi_read_stdout(apr_bucket *a, apr_file_t *out, -- const char **str, apr_size_t *len) --{ -- char *buf; -- apr_status_t rv; -- -- *str = NULL; -- *len = APR_BUCKET_BUFF_SIZE; -- buf = apr_bucket_alloc(*len, a->list); /* XXX: check for failure? */ -- -- rv = apr_file_read(out, buf, len); -- -- if (rv != APR_SUCCESS && rv != APR_EOF) { -- apr_bucket_free(buf); -- return rv; -- } -- -- if (*len > 0) { -- struct cgi_bucket_data *data = a->data; -- apr_bucket_heap *h; -- -- /* Change the current bucket to refer to what we read */ -- a = apr_bucket_heap_make(a, buf, *len, apr_bucket_free); -- h = a->data; -- h->alloc_len = APR_BUCKET_BUFF_SIZE; /* note the real buffer size */ -- *str = buf; -- APR_BUCKET_INSERT_AFTER(a, cgi_bucket_dup(data, a->list)); -- } -- else { -- apr_bucket_free(buf); -- a = apr_bucket_immortal_make(a, "", 0); -- *str = a->data; -- } -- return rv; --} -- --/* Read method of CGI bucket: polls on stderr and stdout of the child, -- * sending any stderr output immediately away to the error log. */ --static apr_status_t cgi_bucket_read(apr_bucket *b, const char **str, -- apr_size_t *len, apr_read_type_e block) --{ -- struct cgi_bucket_data *data = b->data; -- apr_interval_time_t timeout; -- apr_status_t rv; -- int gotdata = 0; -- -- timeout = block == APR_NONBLOCK_READ ? 0 : data->r->server->timeout; -- -- do { -- const apr_pollfd_t *results; -- apr_int32_t num; -- -- rv = apr_pollset_poll(data->pollset, timeout, &num, &results); -- if (APR_STATUS_IS_TIMEUP(rv)) { -- if (timeout) { -- ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, data->r, APLOGNO(01220) -- "Timeout waiting for output from CGI script %s", -- data->r->filename); -- return rv; -- } -- else { -- return APR_EAGAIN; -- } -- } -- else if (APR_STATUS_IS_EINTR(rv)) { -- continue; -- } -- else if (rv != APR_SUCCESS) { -- ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, data->r, APLOGNO(01221) -- "poll failed waiting for CGI child"); -- return rv; -- } -- -- for (; num; num--, results++) { -- if (results[0].client_data == (void *)1) { -- /* stdout */ -- rv = cgi_read_stdout(b, results[0].desc.f, str, len); -- if (APR_STATUS_IS_EOF(rv)) { -- rv = APR_SUCCESS; -- } -- gotdata = 1; -- } else { -- /* stderr */ -- apr_status_t rv2 = log_script_err(data->r, results[0].desc.f); -- if (APR_STATUS_IS_EOF(rv2)) { -- apr_pollset_remove(data->pollset, &results[0]); -- } -- } -- } -- -- } while (!gotdata); -- -- return rv; --} -- --static const apr_bucket_type_t bucket_type_cgi = { -- "CGI", 5, APR_BUCKET_DATA, -- apr_bucket_destroy_noop, -- cgi_bucket_read, -- apr_bucket_setaside_notimpl, -- apr_bucket_split_notimpl, -- apr_bucket_copy_notimpl --}; -- --#endif -- - static int cgi_handler(request_rec *r) - { - int nph; -- apr_size_t dbpos = 0; -+ apr_size_t dbufsize; - const char *argv0; - const char *command; - const char **argv; - char *dbuf = NULL; - apr_file_t *script_out = NULL, *script_in = NULL, *script_err = NULL; -- apr_bucket_brigade *bb; -+ conn_rec *c = r->connection; -+ apr_bucket_brigade *bb = apr_brigade_create(r->pool, c->bucket_alloc); - apr_bucket *b; - int is_included; -- int seen_eos, child_stopped_reading; - apr_pool_t *p; - cgi_server_conf *conf; - apr_status_t rv; - cgi_exec_info_t e_info; -- conn_rec *c; -+ cgi_dirconf *dc = ap_get_module_config(r->per_dir_config, &cgi_module); -+ apr_interval_time_t timeout = dc->timeout > 0 ? dc->timeout : r->server->timeout; - - if (strcmp(r->handler, CGI_MAGIC_TYPE) && strcmp(r->handler, "cgi-script")) { - return DECLINED; - } - -- c = r->connection; -- - is_included = !strcmp(r->protocol, "INCLUDED"); - - p = r->main ? r->main->pool : r->pool; -@@ -832,83 +599,24 @@ static int cgi_handler(request_rec *r) - return HTTP_INTERNAL_SERVER_ERROR; - } - -- /* Transfer any put/post args, CERN style... -- * Note that we already ignore SIGPIPE in the core server. -- */ -- bb = apr_brigade_create(r->pool, c->bucket_alloc); -- seen_eos = 0; -- child_stopped_reading = 0; -+ /* Buffer for logging script stdout. */ - if (conf->logname) { -- dbuf = apr_palloc(r->pool, conf->bufbytes + 1); -- dbpos = 0; -+ dbufsize = conf->bufbytes; -+ dbuf = apr_palloc(r->pool, dbufsize + 1); - } -- do { -- apr_bucket *bucket; -- -- rv = ap_get_brigade(r->input_filters, bb, AP_MODE_READBYTES, -- APR_BLOCK_READ, HUGE_STRING_LEN); -- -- if (rv != APR_SUCCESS) { -- ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, APLOGNO(01225) -- "Error reading request entity data"); -- return ap_map_http_request_error(rv, HTTP_BAD_REQUEST); -- } -- -- for (bucket = APR_BRIGADE_FIRST(bb); -- bucket != APR_BRIGADE_SENTINEL(bb); -- bucket = APR_BUCKET_NEXT(bucket)) -- { -- const char *data; -- apr_size_t len; -- -- if (APR_BUCKET_IS_EOS(bucket)) { -- seen_eos = 1; -- break; -- } -- -- /* We can't do much with this. */ -- if (APR_BUCKET_IS_FLUSH(bucket)) { -- continue; -- } -- -- /* If the child stopped, we still must read to EOS. */ -- if (child_stopped_reading) { -- continue; -- } -- -- /* read */ -- apr_bucket_read(bucket, &data, &len, APR_BLOCK_READ); -- -- if (conf->logname && dbpos < conf->bufbytes) { -- int cursize; -- -- if ((dbpos + len) > conf->bufbytes) { -- cursize = conf->bufbytes - dbpos; -- } -- else { -- cursize = len; -- } -- memcpy(dbuf + dbpos, data, cursize); -- dbpos += cursize; -- } -- -- /* Keep writing data to the child until done or too much time -- * elapses with no progress or an error occurs. -- */ -- rv = apr_file_write_full(script_out, data, len, NULL); -- -- if (rv != APR_SUCCESS) { -- /* silly script stopped reading, soak up remaining message */ -- child_stopped_reading = 1; -- } -- } -- apr_brigade_cleanup(bb); -+ else { -+ dbufsize = 0; -+ dbuf = NULL; - } -- while (!seen_eos); - -- if (conf->logname) { -- dbuf[dbpos] = '\0'; -+ /* Read the request body. */ -+ rv = cgi_handle_request(r, script_out, bb, dbuf, dbufsize); -+ if (rv) { -+ ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, APLOGNO(01225) -+ "Error reading request entity data"); -+ return ap_map_http_request_error(rv, HTTP_BAD_REQUEST); - } -+ - /* Is this flush really needed? */ - apr_file_flush(script_out); - apr_file_close(script_out); -@@ -916,10 +624,7 @@ static int cgi_handler(request_rec *r) - AP_DEBUG_ASSERT(script_in != NULL); - - #if APR_FILES_AS_SOCKETS -- apr_file_pipe_timeout_set(script_in, 0); -- apr_file_pipe_timeout_set(script_err, 0); -- -- b = cgi_bucket_create(r, script_in, script_err, c->bucket_alloc); -+ b = cgi_bucket_create(r, dc->timeout, script_in, script_err, c->bucket_alloc); - if (b == NULL) - return HTTP_INTERNAL_SERVER_ERROR; - #else -@@ -929,111 +634,7 @@ static int cgi_handler(request_rec *r) - b = apr_bucket_eos_create(c->bucket_alloc); - APR_BRIGADE_INSERT_TAIL(bb, b); - -- /* Handle script return... */ -- if (!nph) { -- const char *location; -- char sbuf[MAX_STRING_LEN]; -- int ret; -- -- if ((ret = ap_scan_script_header_err_brigade_ex(r, bb, sbuf, -- APLOG_MODULE_INDEX))) -- { -- ret = log_script(r, conf, ret, dbuf, sbuf, bb, script_err); -- -- /* -- * ret could be HTTP_NOT_MODIFIED in the case that the CGI script -- * does not set an explicit status and ap_meets_conditions, which -- * is called by ap_scan_script_header_err_brigade, detects that -- * the conditions of the requests are met and the response is -- * not modified. -- * In this case set r->status and return OK in order to prevent -- * running through the error processing stack as this would -- * break with mod_cache, if the conditions had been set by -- * mod_cache itself to validate a stale entity. -- * BTW: We circumvent the error processing stack anyway if the -- * CGI script set an explicit status code (whatever it is) and -- * the only possible values for ret here are: -- * -- * HTTP_NOT_MODIFIED (set by ap_meets_conditions) -- * HTTP_PRECONDITION_FAILED (set by ap_meets_conditions) -- * HTTP_INTERNAL_SERVER_ERROR (if something went wrong during the -- * processing of the response of the CGI script, e.g broken headers -- * or a crashed CGI process). -- */ -- if (ret == HTTP_NOT_MODIFIED) { -- r->status = ret; -- return OK; -- } -- -- return ret; -- } -- -- location = apr_table_get(r->headers_out, "Location"); -- -- if (location && r->status == 200) { -- /* For a redirect whether internal or not, discard any -- * remaining stdout from the script, and log any remaining -- * stderr output, as normal. */ -- discard_script_output(bb); -- apr_brigade_destroy(bb); -- apr_file_pipe_timeout_set(script_err, r->server->timeout); -- log_script_err(r, script_err); -- } -- -- if (location && location[0] == '/' && r->status == 200) { -- /* This redirect needs to be a GET no matter what the original -- * method was. -- */ -- r->method = "GET"; -- r->method_number = M_GET; -- -- /* We already read the message body (if any), so don't allow -- * the redirected request to think it has one. We can ignore -- * Transfer-Encoding, since we used REQUEST_CHUNKED_ERROR. -- */ -- apr_table_unset(r->headers_in, "Content-Length"); -- -- ap_internal_redirect_handler(location, r); -- return OK; -- } -- else if (location && r->status == 200) { -- /* XXX: Note that if a script wants to produce its own Redirect -- * body, it now has to explicitly *say* "Status: 302" -- */ -- return HTTP_MOVED_TEMPORARILY; -- } -- -- rv = ap_pass_brigade(r->output_filters, bb); -- } -- else /* nph */ { -- struct ap_filter_t *cur; -- -- /* get rid of all filters up through protocol... since we -- * haven't parsed off the headers, there is no way they can -- * work -- */ -- -- cur = r->proto_output_filters; -- while (cur && cur->frec->ftype < AP_FTYPE_CONNECTION) { -- cur = cur->next; -- } -- r->output_filters = r->proto_output_filters = cur; -- -- rv = ap_pass_brigade(r->output_filters, bb); -- } -- -- /* don't soak up script output if errors occurred writing it -- * out... otherwise, we prolong the life of the script when the -- * connection drops or we stopped sending output for some other -- * reason */ -- if (rv == APR_SUCCESS && !r->connection->aborted) { -- apr_file_pipe_timeout_set(script_err, r->server->timeout); -- log_script_err(r, script_err); -- } -- -- apr_file_close(script_err); -- -- return OK; /* NOT r->status, even if it has changed. */ -+ return cgi_handle_response(r, nph, bb, timeout, conf, dbuf, script_err); - } - - /*============================================================================ -@@ -1147,107 +748,9 @@ static apr_status_t include_cmd(include_ctx_t *ctx, ap_filter_t *f, - return APR_SUCCESS; - } - --static apr_status_t handle_exec(include_ctx_t *ctx, ap_filter_t *f, -- apr_bucket_brigade *bb) --{ -- char *tag = NULL; -- char *tag_val = NULL; -- request_rec *r = f->r; -- char *file = r->filename; -- char parsed_string[MAX_STRING_LEN]; -- -- if (!ctx->argc) { -- ap_log_rerror(APLOG_MARK, -- (ctx->flags & SSI_FLAG_PRINTING) -- ? APLOG_ERR : APLOG_WARNING, -- 0, r, APLOGNO(03195) -- "missing argument for exec element in %s", r->filename); -- } -- -- if (!(ctx->flags & SSI_FLAG_PRINTING)) { -- return APR_SUCCESS; -- } -- -- if (!ctx->argc) { -- SSI_CREATE_ERROR_BUCKET(ctx, f, bb); -- return APR_SUCCESS; -- } -- -- if (ctx->flags & SSI_FLAG_NO_EXEC) { -- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01228) "exec used but not allowed " -- "in %s", r->filename); -- SSI_CREATE_ERROR_BUCKET(ctx, f, bb); -- return APR_SUCCESS; -- } -- -- while (1) { -- cgi_pfn_gtv(ctx, &tag, &tag_val, SSI_VALUE_DECODED); -- if (!tag || !tag_val) { -- break; -- } -- -- if (!strcmp(tag, "cmd")) { -- apr_status_t rv; -- -- cgi_pfn_ps(ctx, tag_val, parsed_string, sizeof(parsed_string), -- SSI_EXPAND_LEAVE_NAME); -- -- rv = include_cmd(ctx, f, bb, parsed_string); -- if (rv != APR_SUCCESS) { -- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01229) "execution failure " -- "for parameter \"%s\" to tag exec in file %s", -- tag, r->filename); -- SSI_CREATE_ERROR_BUCKET(ctx, f, bb); -- break; -- } -- } -- else if (!strcmp(tag, "cgi")) { -- apr_status_t rv; -- -- cgi_pfn_ps(ctx, tag_val, parsed_string, sizeof(parsed_string), -- SSI_EXPAND_DROP_NAME); -- -- rv = include_cgi(ctx, f, bb, parsed_string); -- if (rv != APR_SUCCESS) { -- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01230) "invalid CGI ref " -- "\"%s\" in %s", tag_val, file); -- SSI_CREATE_ERROR_BUCKET(ctx, f, bb); -- break; -- } -- } -- else { -- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01231) "unknown parameter " -- "\"%s\" to tag exec in %s", tag, file); -- SSI_CREATE_ERROR_BUCKET(ctx, f, bb); -- break; -- } -- } -- -- return APR_SUCCESS; --} -- -- --/*============================================================================ -- *============================================================================ -- * This is the end of the cgi filter code moved from mod_include. -- *============================================================================ -- *============================================================================*/ -- -- - static int cgi_post_config(apr_pool_t *p, apr_pool_t *plog, - apr_pool_t *ptemp, server_rec *s) - { -- cgi_pfn_reg_with_ssi = APR_RETRIEVE_OPTIONAL_FN(ap_register_include_handler); -- cgi_pfn_gtv = APR_RETRIEVE_OPTIONAL_FN(ap_ssi_get_tag_and_value); -- cgi_pfn_ps = APR_RETRIEVE_OPTIONAL_FN(ap_ssi_parse_string); -- -- if ((cgi_pfn_reg_with_ssi) && (cgi_pfn_gtv) && (cgi_pfn_ps)) { -- /* Required by mod_include filter. This is how mod_cgi registers -- * with mod_include to provide processing of the exec directive. -- */ -- cgi_pfn_reg_with_ssi("exec", handle_exec); -- } -- - /* This is the means by which unusual (non-unix) os's may find alternate - * means to run a given command (e.g. shebang/registry parsing on Win32) - */ -@@ -1263,12 +766,13 @@ static void register_hooks(apr_pool_t *p) - static const char * const aszPre[] = { "mod_include.c", NULL }; - ap_hook_handler(cgi_handler, NULL, NULL, APR_HOOK_MIDDLE); - ap_hook_post_config(cgi_post_config, aszPre, NULL, APR_HOOK_REALLY_FIRST); -+ ap_hook_optional_fn_retrieve(cgi_optfns_retrieve, NULL, NULL, APR_HOOK_MIDDLE); - } - - AP_DECLARE_MODULE(cgi) = - { - STANDARD20_MODULE_STUFF, -- NULL, /* dir config creater */ -+ create_cgi_dirconf, /* dir config creater */ - NULL, /* dir merger --- default is to override */ - create_cgi_config, /* server config */ - merge_cgi_config, /* merge server config */ -diff --git a/modules/generators/mod_cgid.c b/modules/generators/mod_cgid.c -index 2258a683b7..dddfb25254 100644 ---- a/modules/generators/mod_cgid.c -+++ b/modules/generators/mod_cgid.c -@@ -80,11 +80,6 @@ module AP_MODULE_DECLARE_DATA cgid_module; - - static int cgid_start(apr_pool_t *p, server_rec *main_server, apr_proc_t *procnew); - static int cgid_init(apr_pool_t *p, apr_pool_t *plog, apr_pool_t *ptemp, server_rec *main_server); --static int handle_exec(include_ctx_t *ctx, ap_filter_t *f, apr_bucket_brigade *bb); -- --static APR_OPTIONAL_FN_TYPE(ap_register_include_handler) *cgid_pfn_reg_with_ssi; --static APR_OPTIONAL_FN_TYPE(ap_ssi_get_tag_and_value) *cgid_pfn_gtv; --static APR_OPTIONAL_FN_TYPE(ap_ssi_parse_string) *cgid_pfn_ps; - - static apr_pool_t *pcgi = NULL; - static pid_t daemon_pid; -@@ -220,6 +215,15 @@ typedef struct { - #endif - } cgid_req_t; - -+#define cgi_server_conf cgid_server_conf -+#define cgi_module cgid_module -+ -+#ifdef HAVE_CGID_FDPASSING -+/* Pull in CGI bucket implementation. */ -+#define WANT_CGI_BUCKET -+#endif -+#include "cgi_common.h" -+ - /* This routine is called to create the argument list to be passed - * to the CGI script. When suexec is enabled, the suexec path, user, and - * group are the first three arguments to be passed; if not, all three -@@ -342,15 +346,19 @@ static apr_status_t close_unix_socket(void *thefd) - return close(fd); - } - --/* deal with incomplete reads and signals -- * assume you really have to read buf_size bytes -- */ --static apr_status_t sock_read(int fd, void *vbuf, size_t buf_size) -+/* Read from the socket dealing with incomplete messages and signals. -+ * Returns 0 on success or errno on failure. Stderr fd passed as -+ * auxiliary data from other end is written to *errfd, or else stderr -+ * fileno if not present. */ -+static apr_status_t sock_readhdr(int fd, int *errfd, void *vbuf, size_t buf_size) - { -- char *buf = vbuf; - int rc; -+#ifndef HAVE_CGID_FDPASSING -+ char *buf = vbuf; - size_t bytes_read = 0; - -+ if (errfd) *errfd = 0; -+ - do { - do { - rc = read(fd, buf + bytes_read, buf_size - bytes_read); -@@ -365,9 +373,60 @@ static apr_status_t sock_read(int fd, void *vbuf, size_t buf_size) - } - } while (bytes_read < buf_size); - -+ -+#else /* with FD passing */ -+ struct msghdr msg = {0}; -+ struct iovec vec = {vbuf, buf_size}; -+ struct cmsghdr *cmsg; -+ union { /* union to ensure alignment */ -+ struct cmsghdr cm; -+ char buf[CMSG_SPACE(sizeof(int))]; -+ } u; -+ -+ msg.msg_iov = &vec; -+ msg.msg_iovlen = 1; -+ -+ if (errfd) { -+ msg.msg_control = u.buf; -+ msg.msg_controllen = sizeof(u.buf); -+ *errfd = 0; -+ } -+ -+ /* use MSG_WAITALL to skip loop on truncated reads */ -+ do { -+ rc = recvmsg(fd, &msg, MSG_WAITALL); -+ } while (rc < 0 && errno == EINTR); -+ -+ if (rc == 0) { -+ return ECONNRESET; -+ } -+ else if (rc < 0) { -+ return errno; -+ } -+ else if (rc != buf_size) { -+ /* MSG_WAITALL should ensure the recvmsg blocks until the -+ * entire length is read, but let's be paranoid. */ -+ return APR_INCOMPLETE; -+ } -+ -+ if (errfd -+ && (cmsg = CMSG_FIRSTHDR(&msg)) != NULL -+ && cmsg->cmsg_len == CMSG_LEN(sizeof(*errfd)) -+ && cmsg->cmsg_level == SOL_SOCKET -+ && cmsg->cmsg_type == SCM_RIGHTS) { -+ *errfd = *((int *) CMSG_DATA(cmsg)); -+ } -+#endif -+ - return APR_SUCCESS; - } - -+/* As sock_readhdr but without auxiliary fd passing. */ -+static apr_status_t sock_read(int fd, void *vbuf, size_t buf_size) -+{ -+ return sock_readhdr(fd, NULL, vbuf, buf_size); -+} -+ - /* deal with signals - */ - static apr_status_t sock_write(int fd, const void *buf, size_t buf_size) -@@ -384,7 +443,7 @@ static apr_status_t sock_write(int fd, const void *buf, size_t buf_size) - return APR_SUCCESS; - } - --static apr_status_t sock_writev(int fd, request_rec *r, int count, ...) -+static apr_status_t sock_writev(int fd, int auxfd, request_rec *r, int count, ...) - { - va_list ap; - int rc; -@@ -399,9 +458,39 @@ static apr_status_t sock_writev(int fd, request_rec *r, int count, ...) - } - va_end(ap); - -+#ifndef HAVE_CGID_FDPASSING - do { - rc = writev(fd, vec, count); - } while (rc < 0 && errno == EINTR); -+#else -+ { -+ struct msghdr msg = { 0 }; -+ struct cmsghdr *cmsg; -+ union { /* union for alignment */ -+ char buf[CMSG_SPACE(sizeof(int))]; -+ struct cmsghdr align; -+ } u; -+ -+ msg.msg_iov = vec; -+ msg.msg_iovlen = count; -+ -+ if (auxfd) { -+ msg.msg_control = u.buf; -+ msg.msg_controllen = sizeof(u.buf); -+ -+ cmsg = CMSG_FIRSTHDR(&msg); -+ cmsg->cmsg_level = SOL_SOCKET; -+ cmsg->cmsg_type = SCM_RIGHTS; -+ cmsg->cmsg_len = CMSG_LEN(sizeof(int)); -+ *((int *) CMSG_DATA(cmsg)) = auxfd; -+ } -+ -+ do { -+ rc = sendmsg(fd, &msg, 0); -+ } while (rc < 0 && errno == EINTR); -+ } -+#endif -+ - if (rc < 0) { - return errno; - } -@@ -410,7 +499,7 @@ static apr_status_t sock_writev(int fd, request_rec *r, int count, ...) - } - - static apr_status_t get_req(int fd, request_rec *r, char **argv0, char ***env, -- cgid_req_t *req) -+ int *errfd, cgid_req_t *req) - { - int i; - char **environ; -@@ -421,7 +510,7 @@ static apr_status_t get_req(int fd, request_rec *r, char **argv0, char ***env, - r->server = apr_pcalloc(r->pool, sizeof(server_rec)); - - /* read the request header */ -- stat = sock_read(fd, req, sizeof(*req)); -+ stat = sock_readhdr(fd, errfd, req, sizeof(*req)); - if (stat != APR_SUCCESS) { - return stat; - } -@@ -431,6 +520,14 @@ static apr_status_t get_req(int fd, request_rec *r, char **argv0, char ***env, - return APR_SUCCESS; - } - -+ /* Sanity check the structure received. */ -+ if (req->env_count < 0 || req->uri_len == 0 -+ || req->filename_len > APR_PATH_MAX || req->filename_len == 0 -+ || req->argv0_len > APR_PATH_MAX || req->argv0_len == 0 -+ || req->loglevel > APLOG_TRACE8) { -+ return APR_EINVAL; -+ } -+ - /* handle module indexes and such */ - rconf = (void **)ap_create_request_config(r->pool); - -@@ -479,14 +576,15 @@ static apr_status_t get_req(int fd, request_rec *r, char **argv0, char ***env, - return APR_SUCCESS; - } - --static apr_status_t send_req(int fd, request_rec *r, char *argv0, char **env, -- int req_type) -+static apr_status_t send_req(int fd, apr_file_t *errpipe, request_rec *r, -+ const char *argv0, char **env, int req_type) - { - int i; - cgid_req_t req = {0}; - apr_status_t stat; - ap_unix_identity_t * ugid = ap_run_get_suexec_identity(r); - core_dir_config *core_conf = ap_get_core_module_config(r->per_dir_config); -+ int errfd; - - - if (ugid == NULL) { -@@ -507,16 +605,21 @@ static apr_status_t send_req(int fd, request_rec *r, char *argv0, char **env, - req.args_len = r->args ? strlen(r->args) : 0; - req.loglevel = r->server->log.level; - -+ if (errpipe) -+ apr_os_file_get(&errfd, errpipe); -+ else -+ errfd = 0; -+ - /* Write the request header */ - if (req.args_len) { -- stat = sock_writev(fd, r, 5, -+ stat = sock_writev(fd, errfd, r, 5, - &req, sizeof(req), - r->filename, req.filename_len, - argv0, req.argv0_len, - r->uri, req.uri_len, - r->args, req.args_len); - } else { -- stat = sock_writev(fd, r, 4, -+ stat = sock_writev(fd, errfd, r, 4, - &req, sizeof(req), - r->filename, req.filename_len, - argv0, req.argv0_len, -@@ -531,7 +634,7 @@ static apr_status_t send_req(int fd, request_rec *r, char *argv0, char **env, - for (i = 0; i < req.env_count; i++) { - apr_size_t curlen = strlen(env[i]); - -- if ((stat = sock_writev(fd, r, 2, &curlen, sizeof(curlen), -+ if ((stat = sock_writev(fd, 0, r, 2, &curlen, sizeof(curlen), - env[i], curlen)) != APR_SUCCESS) { - return stat; - } -@@ -582,20 +685,34 @@ static void daemon_signal_handler(int sig) - } - } - -+/* Callback executed in the forked child process if exec of the CGI -+ * script fails. For the fd-passing case, output to stderr goes to -+ * the client (request handling thread) and is logged via -+ * ap_log_rerror there. For the non-fd-passing case, the "fake" -+ * request_rec passed via userdata is used to log. */ - static void cgid_child_errfn(apr_pool_t *pool, apr_status_t err, - const char *description) - { -- request_rec *r; - void *vr; - - apr_pool_userdata_get(&vr, ERRFN_USERDATA_KEY, pool); -- r = vr; -- -- /* sure we got r, but don't call ap_log_rerror() because we don't -- * have r->headers_in and possibly other storage referenced by -- * ap_log_rerror() -- */ -- ap_log_error(APLOG_MARK, APLOG_ERR, err, r->server, APLOGNO(01241) "%s", description); -+ if (vr) { -+ request_rec *r = vr; -+ -+ /* sure we got r, but don't call ap_log_rerror() because we don't -+ * have r->headers_in and possibly other storage referenced by -+ * ap_log_rerror() -+ */ -+ ap_log_error(APLOG_MARK, APLOG_ERR, err, r->server, APLOGNO(01241) "%s", description); -+ } -+ else { -+ const char *logstr; -+ -+ logstr = apr_psprintf(pool, APLOGNO(01241) "error spawning CGI child: %s (%pm)\n", -+ description, &err); -+ fputs(logstr, stderr); -+ fflush(stderr); -+ } - } - - static int cgid_server(void *data) -@@ -670,7 +787,7 @@ static int cgid_server(void *data) - } - - while (!daemon_should_exit) { -- int errfileno = STDERR_FILENO; -+ int errfileno; - char *argv0 = NULL; - char **env = NULL; - const char * const *argv; -@@ -710,7 +827,7 @@ static int cgid_server(void *data) - r = apr_pcalloc(ptrans, sizeof(request_rec)); - procnew = apr_pcalloc(ptrans, sizeof(*procnew)); - r->pool = ptrans; -- stat = get_req(sd2, r, &argv0, &env, &cgid_req); -+ stat = get_req(sd2, r, &argv0, &env, &errfileno, &cgid_req); - if (stat != APR_SUCCESS) { - ap_log_error(APLOG_MARK, APLOG_ERR, stat, - main_server, APLOGNO(01248) -@@ -742,6 +859,16 @@ static int cgid_server(void *data) - continue; - } - -+ if (errfileno == 0) { -+ errfileno = STDERR_FILENO; -+ } -+ else { -+ ap_log_error(APLOG_MARK, APLOG_DEBUG, rv, main_server, -+ "using passed fd %d as stderr", errfileno); -+ /* Limit the received fd lifetime to pool lifetime */ -+ apr_pool_cleanup_register(ptrans, (void *)((long)errfileno), -+ close_unix_socket, close_unix_socket); -+ } - apr_os_file_put(&r->server->error_log, &errfileno, 0, r->pool); - apr_os_file_put(&inout, &sd2, 0, r->pool); - -@@ -801,7 +928,10 @@ static int cgid_server(void *data) - close(sd2); - } - else { -- apr_pool_userdata_set(r, ERRFN_USERDATA_KEY, apr_pool_cleanup_null, ptrans); -+ if (errfileno == STDERR_FILENO) { -+ /* Used by cgid_child_errfn without fd-passing. */ -+ apr_pool_userdata_set(r, ERRFN_USERDATA_KEY, apr_pool_cleanup_null, ptrans); -+ } - - argv = (const char * const *)create_argv(r->pool, NULL, NULL, NULL, argv0, r->args); - -@@ -946,16 +1076,6 @@ static int cgid_init(apr_pool_t *p, apr_pool_t *plog, apr_pool_t *ptemp, - if (ret != OK ) { - return ret; - } -- cgid_pfn_reg_with_ssi = APR_RETRIEVE_OPTIONAL_FN(ap_register_include_handler); -- cgid_pfn_gtv = APR_RETRIEVE_OPTIONAL_FN(ap_ssi_get_tag_and_value); -- cgid_pfn_ps = APR_RETRIEVE_OPTIONAL_FN(ap_ssi_parse_string); -- -- if ((cgid_pfn_reg_with_ssi) && (cgid_pfn_gtv) && (cgid_pfn_ps)) { -- /* Required by mod_include filter. This is how mod_cgid registers -- * with mod_include to provide processing of the exec directive. -- */ -- cgid_pfn_reg_with_ssi("exec", handle_exec); -- } - } - return ret; - } -@@ -1066,41 +1186,6 @@ static const command_rec cgid_cmds[] = - {NULL} - }; - --static int log_scripterror(request_rec *r, cgid_server_conf * conf, int ret, -- apr_status_t rv, char *error) --{ -- apr_file_t *f = NULL; -- struct stat finfo; -- char time_str[APR_CTIME_LEN]; -- int log_flags = rv ? APLOG_ERR : APLOG_ERR; -- -- /* Intentional no APLOGNO */ -- /* Callee provides APLOGNO in error text */ -- ap_log_rerror(APLOG_MARK, log_flags, rv, r, -- "%s: %s", error, r->filename); -- -- /* XXX Very expensive mainline case! Open, then getfileinfo! */ -- if (!conf->logname || -- ((stat(conf->logname, &finfo) == 0) -- && (finfo.st_size > conf->logbytes)) || -- (apr_file_open(&f, conf->logname, -- APR_APPEND|APR_WRITE|APR_CREATE, APR_OS_DEFAULT, r->pool) != APR_SUCCESS)) { -- return ret; -- } -- -- /* "%% [Wed Jun 19 10:53:21 1996] GET /cgid-bin/printenv HTTP/1.0" */ -- apr_ctime(time_str, apr_time_now()); -- apr_file_printf(f, "%%%% [%s] %s %s%s%s %s\n", time_str, r->method, r->uri, -- r->args ? "?" : "", r->args ? r->args : "", r->protocol); -- /* "%% 500 /usr/local/apache/cgid-bin */ -- apr_file_printf(f, "%%%% %d %s\n", ret, r->filename); -- -- apr_file_printf(f, "%%error\n%s\n", error); -- -- apr_file_close(f); -- return ret; --} -- - static int log_script(request_rec *r, cgid_server_conf * conf, int ret, - char *dbuf, const char *sbuf, apr_bucket_brigade *bb, - apr_file_t *script_err) -@@ -1221,7 +1306,7 @@ static int connect_to_daemon(int *sdptr, request_rec *r, - ++connect_tries; - if ((sd = socket(AF_UNIX, SOCK_STREAM, 0)) < 0) { - return log_scripterror(r, conf, HTTP_INTERNAL_SERVER_ERROR, errno, -- APLOGNO(01255) "unable to create socket to cgi daemon"); -+ APLOGNO(01255), "unable to create socket to cgi daemon"); - } - if (connect(sd, (struct sockaddr *)server_addr, server_addr_len) < 0) { - /* Save errno for later */ -@@ -1242,7 +1327,7 @@ static int connect_to_daemon(int *sdptr, request_rec *r, - } - else { - close(sd); -- return log_scripterror(r, conf, HTTP_SERVICE_UNAVAILABLE, errno, APLOGNO(01257) -+ return log_scripterror(r, conf, HTTP_SERVICE_UNAVAILABLE, errno, APLOGNO(01257), - "unable to connect to cgi daemon after multiple tries"); - } - } -@@ -1258,13 +1343,15 @@ static int connect_to_daemon(int *sdptr, request_rec *r, - if (connect_errno == ENOENT && - apr_time_sec(apr_time_now() - ap_scoreboard_image->global->restart_time) > - DEFAULT_CONNECT_STARTUP_DELAY) { -- return log_scripterror(r, conf, HTTP_SERVICE_UNAVAILABLE, connect_errno, -- apr_pstrcat(r->pool, APLOGNO(02833) "ScriptSock ", sockname, " does not exist", NULL)); -+ return log_scripterror(r, conf, HTTP_SERVICE_UNAVAILABLE, connect_errno, -+ APLOGNO(02833), -+ apr_pstrcat(r->pool, -+ "ScriptSock ", sockname, " does not exist", NULL)); - } - - /* gotta try again, but make sure the cgid daemon is still around */ - if (connect_errno != ENOENT && kill(daemon_pid, 0) != 0) { -- return log_scripterror(r, conf, HTTP_SERVICE_UNAVAILABLE, connect_errno, APLOGNO(01258) -+ return log_scripterror(r, conf, HTTP_SERVICE_UNAVAILABLE, connect_errno, APLOGNO(01258), - "cgid daemon is gone; is Apache terminating?"); - } - } -@@ -1272,23 +1359,6 @@ static int connect_to_daemon(int *sdptr, request_rec *r, - return OK; - } - --static void discard_script_output(apr_bucket_brigade *bb) --{ -- apr_bucket *e; -- const char *buf; -- apr_size_t len; -- -- for (e = APR_BRIGADE_FIRST(bb); -- e != APR_BRIGADE_SENTINEL(bb) && !APR_BUCKET_IS_EOS(e); -- e = APR_BRIGADE_FIRST(bb)) -- { -- if (apr_bucket_read(e, &buf, &len, APR_BLOCK_READ)) { -- break; -- } -- apr_bucket_delete(e); -- } --} -- - /**************************************************************** - * - * Actual cgid handling... -@@ -1374,7 +1444,9 @@ static apr_status_t get_cgi_pid(request_rec *r, cgid_server_conf *conf, pid_t * - return stat; - } - -- if (pid == 0) { -+ /* Don't accept zero as a pid here, calling kill(0, SIGTERM) etc -+ * later is unpleasant. */ -+ if (*pid == 0) { - ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01261) - "daemon couldn't find CGI process for connection %lu", - r->connection->id); -@@ -1393,19 +1465,21 @@ static apr_status_t cleanup_script(void *vptr) - - static int cgid_handler(request_rec *r) - { -- int retval, nph, dbpos; -+ conn_rec *c = r->connection; -+ int retval, nph; - char *argv0, *dbuf; -- apr_bucket_brigade *bb; -+ apr_size_t dbufsize; -+ apr_bucket_brigade *bb = apr_brigade_create(r->pool, r->connection->bucket_alloc); - apr_bucket *b; - cgid_server_conf *conf; - int is_included; -- int seen_eos, child_stopped_reading; - int sd; - char **env; -- apr_file_t *tempsock; -+ apr_file_t *tempsock, *script_err, *errpipe_out; - struct cleanup_script_info *info; - apr_status_t rv; - cgid_dirconf *dc; -+ apr_interval_time_t timeout; - - if (strcmp(r->handler, CGI_MAGIC_TYPE) && strcmp(r->handler, "cgi-script")) { - return DECLINED; -@@ -1414,7 +1488,7 @@ static int cgid_handler(request_rec *r) - conf = ap_get_module_config(r->server->module_config, &cgid_module); - dc = ap_get_module_config(r->per_dir_config, &cgid_module); - -- -+ timeout = dc->timeout > 0 ? dc->timeout : r->server->timeout; - is_included = !strcmp(r->protocol, "INCLUDED"); - - if ((argv0 = strrchr(r->filename, '/')) != NULL) { -@@ -1429,12 +1503,12 @@ static int cgid_handler(request_rec *r) - argv0 = r->filename; - - if (!(ap_allow_options(r) & OPT_EXECCGI) && !is_scriptaliased(r)) { -- return log_scripterror(r, conf, HTTP_FORBIDDEN, 0, APLOGNO(01262) -+ return log_scripterror(r, conf, HTTP_FORBIDDEN, 0, APLOGNO(01262), - "Options ExecCGI is off in this directory"); - } - - if (nph && is_included) { -- return log_scripterror(r, conf, HTTP_FORBIDDEN, 0, APLOGNO(01263) -+ return log_scripterror(r, conf, HTTP_FORBIDDEN, 0, APLOGNO(01263), - "attempt to include NPH CGI script"); - } - -@@ -1443,12 +1517,12 @@ static int cgid_handler(request_rec *r) - #error at mod_cgi.c for required code in this path. - #else - if (r->finfo.filetype == APR_NOFILE) { -- return log_scripterror(r, conf, HTTP_NOT_FOUND, 0, APLOGNO(01264) -+ return log_scripterror(r, conf, HTTP_NOT_FOUND, 0, APLOGNO(01264), - "script not found or unable to stat"); - } - #endif - if (r->finfo.filetype == APR_DIR) { -- return log_scripterror(r, conf, HTTP_FORBIDDEN, 0, APLOGNO(01265) -+ return log_scripterror(r, conf, HTTP_FORBIDDEN, 0, APLOGNO(01265), - "attempt to invoke directory as script"); - } - -@@ -1456,7 +1530,7 @@ static int cgid_handler(request_rec *r) - r->path_info && *r->path_info) - { - /* default to accept */ -- return log_scripterror(r, conf, HTTP_NOT_FOUND, 0, APLOGNO(01266) -+ return log_scripterror(r, conf, HTTP_NOT_FOUND, 0, APLOGNO(01266), - "AcceptPathInfo off disallows user's path"); - } - /* -@@ -1467,6 +1541,17 @@ static int cgid_handler(request_rec *r) - } - */ - -+#ifdef HAVE_CGID_FDPASSING -+ rv = apr_file_pipe_create(&script_err, &errpipe_out, r->pool); -+ if (rv) { -+ return log_scripterror(r, conf, HTTP_SERVICE_UNAVAILABLE, rv, APLOGNO(10176), -+ "could not create pipe for stderr"); -+ } -+#else -+ script_err = NULL; -+ errpipe_out = NULL; -+#endif -+ - /* - * httpd core function used to add common environment variables like - * DOCUMENT_ROOT. -@@ -1479,24 +1564,28 @@ static int cgid_handler(request_rec *r) - return retval; - } - -- rv = send_req(sd, r, argv0, env, CGI_REQ); -+ rv = send_req(sd, errpipe_out, r, argv0, env, CGI_REQ); - if (rv != APR_SUCCESS) { -- ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, APLOGNO(01268) -- "write to cgi daemon process"); -+ return log_scripterror(r, conf, HTTP_SERVICE_UNAVAILABLE, rv, APLOGNO(10245), -+ "could not send request to cgi daemon"); - } - -+ /* The write-end of the pipe is only used by the server, so close -+ * it here. */ -+ if (errpipe_out) apr_file_close(errpipe_out); -+ - info = apr_palloc(r->pool, sizeof(struct cleanup_script_info)); - info->conf = conf; - info->r = r; - rv = get_cgi_pid(r, conf, &(info->pid)); - -- if (APR_SUCCESS == rv){ -+ if (rv == APR_SUCCESS) { - apr_pool_cleanup_register(r->pool, info, -- cleanup_script, -- apr_pool_cleanup_null); -+ cleanup_script, apr_pool_cleanup_null); - } - else { -- ap_log_rerror(APLOG_MARK, APLOG_DEBUG, rv, r, "error determining cgi PID"); -+ return log_scripterror(r, conf, HTTP_SERVICE_UNAVAILABLE, rv, APLOGNO(10246), -+ "failed reading PID from cgi daemon"); - } - - /* We are putting the socket discriptor into an apr_file_t so that we can -@@ -1506,95 +1595,25 @@ static int cgid_handler(request_rec *r) - */ - - apr_os_pipe_put_ex(&tempsock, &sd, 1, r->pool); -- if (dc->timeout > 0) { -- apr_file_pipe_timeout_set(tempsock, dc->timeout); -- } -- else { -- apr_file_pipe_timeout_set(tempsock, r->server->timeout); -- } -+ apr_file_pipe_timeout_set(tempsock, timeout); - apr_pool_cleanup_kill(r->pool, (void *)((long)sd), close_unix_socket); - -- /* Transfer any put/post args, CERN style... -- * Note that we already ignore SIGPIPE in the core server. -- */ -- bb = apr_brigade_create(r->pool, r->connection->bucket_alloc); -- seen_eos = 0; -- child_stopped_reading = 0; -- dbuf = NULL; -- dbpos = 0; -+ /* Buffer for logging script stdout. */ - if (conf->logname) { -- dbuf = apr_palloc(r->pool, conf->bufbytes + 1); -+ dbufsize = conf->bufbytes; -+ dbuf = apr_palloc(r->pool, dbufsize + 1); - } -- do { -- apr_bucket *bucket; -- -- rv = ap_get_brigade(r->input_filters, bb, AP_MODE_READBYTES, -- APR_BLOCK_READ, HUGE_STRING_LEN); -- -- if (rv != APR_SUCCESS) { -- ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, APLOGNO(01270) -- "Error reading request entity data"); -- return ap_map_http_request_error(rv, HTTP_BAD_REQUEST); -- } -- -- for (bucket = APR_BRIGADE_FIRST(bb); -- bucket != APR_BRIGADE_SENTINEL(bb); -- bucket = APR_BUCKET_NEXT(bucket)) -- { -- const char *data; -- apr_size_t len; -- -- if (APR_BUCKET_IS_EOS(bucket)) { -- seen_eos = 1; -- break; -- } -- -- /* We can't do much with this. */ -- if (APR_BUCKET_IS_FLUSH(bucket)) { -- continue; -- } -- -- /* If the child stopped, we still must read to EOS. */ -- if (child_stopped_reading) { -- continue; -- } -- -- /* read */ -- apr_bucket_read(bucket, &data, &len, APR_BLOCK_READ); -- -- if (conf->logname && dbpos < conf->bufbytes) { -- int cursize; -- -- if ((dbpos + len) > conf->bufbytes) { -- cursize = conf->bufbytes - dbpos; -- } -- else { -- cursize = len; -- } -- memcpy(dbuf + dbpos, data, cursize); -- dbpos += cursize; -- } -- -- /* Keep writing data to the child until done or too much time -- * elapses with no progress or an error occurs. -- */ -- rv = apr_file_write_full(tempsock, data, len, NULL); -- -- if (rv != APR_SUCCESS) { -- /* silly script stopped reading, soak up remaining message */ -- child_stopped_reading = 1; -- ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, APLOGNO(02651) -- "Error writing request body to script %s", -- r->filename); -- -- } -- } -- apr_brigade_cleanup(bb); -+ else { -+ dbuf = NULL; -+ dbufsize = 0; - } -- while (!seen_eos); - -- if (conf->logname) { -- dbuf[dbpos] = '\0'; -+ /* Read the request body. */ -+ rv = cgi_handle_request(r, tempsock, bb, dbuf, dbufsize); -+ if (rv) { -+ ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, APLOGNO(01270) -+ "Error reading request entity data"); -+ return ap_map_http_request_error(rv, HTTP_BAD_REQUEST); - } - - /* we're done writing, or maybe we didn't write at all; -@@ -1603,125 +1622,22 @@ static int cgid_handler(request_rec *r) - */ - shutdown(sd, 1); - -- /* Handle script return... */ -- if (!nph) { -- conn_rec *c = r->connection; -- const char *location; -- char sbuf[MAX_STRING_LEN]; -- int ret; -- -- bb = apr_brigade_create(r->pool, c->bucket_alloc); -- b = apr_bucket_pipe_create(tempsock, c->bucket_alloc); -- APR_BRIGADE_INSERT_TAIL(bb, b); -- b = apr_bucket_eos_create(c->bucket_alloc); -- APR_BRIGADE_INSERT_TAIL(bb, b); -- -- if ((ret = ap_scan_script_header_err_brigade_ex(r, bb, sbuf, -- APLOG_MODULE_INDEX))) -- { -- ret = log_script(r, conf, ret, dbuf, sbuf, bb, NULL); -- -- /* -- * ret could be HTTP_NOT_MODIFIED in the case that the CGI script -- * does not set an explicit status and ap_meets_conditions, which -- * is called by ap_scan_script_header_err_brigade, detects that -- * the conditions of the requests are met and the response is -- * not modified. -- * In this case set r->status and return OK in order to prevent -- * running through the error processing stack as this would -- * break with mod_cache, if the conditions had been set by -- * mod_cache itself to validate a stale entity. -- * BTW: We circumvent the error processing stack anyway if the -- * CGI script set an explicit status code (whatever it is) and -- * the only possible values for ret here are: -- * -- * HTTP_NOT_MODIFIED (set by ap_meets_conditions) -- * HTTP_PRECONDITION_FAILED (set by ap_meets_conditions) -- * HTTP_INTERNAL_SERVER_ERROR (if something went wrong during the -- * processing of the response of the CGI script, e.g broken headers -- * or a crashed CGI process). -- */ -- if (ret == HTTP_NOT_MODIFIED) { -- r->status = ret; -- return OK; -- } -- -- return ret; -- } -- -- location = apr_table_get(r->headers_out, "Location"); -- -- if (location && location[0] == '/' && r->status == 200) { -- -- /* Soak up all the script output */ -- discard_script_output(bb); -- apr_brigade_destroy(bb); -- /* This redirect needs to be a GET no matter what the original -- * method was. -- */ -- r->method = "GET"; -- r->method_number = M_GET; -- -- /* We already read the message body (if any), so don't allow -- * the redirected request to think it has one. We can ignore -- * Transfer-Encoding, since we used REQUEST_CHUNKED_ERROR. -- */ -- apr_table_unset(r->headers_in, "Content-Length"); -- -- ap_internal_redirect_handler(location, r); -- return OK; -- } -- else if (location && r->status == 200) { -- /* XXX: Note that if a script wants to produce its own Redirect -- * body, it now has to explicitly *say* "Status: 302" -- */ -- discard_script_output(bb); -- apr_brigade_destroy(bb); -- return HTTP_MOVED_TEMPORARILY; -- } -- -- rv = ap_pass_brigade(r->output_filters, bb); -- if (rv != APR_SUCCESS) { -- ap_log_rerror(APLOG_MARK, APLOG_TRACE1, rv, r, -- "Failed to flush CGI output to client"); -- } -- } -- -- if (nph) { -- conn_rec *c = r->connection; -- struct ap_filter_t *cur; -- -- /* get rid of all filters up through protocol... since we -- * haven't parsed off the headers, there is no way they can -- * work -- */ -- -- cur = r->proto_output_filters; -- while (cur && cur->frec->ftype < AP_FTYPE_CONNECTION) { -- cur = cur->next; -- } -- r->output_filters = r->proto_output_filters = cur; -- -- bb = apr_brigade_create(r->pool, c->bucket_alloc); -- b = apr_bucket_pipe_create(tempsock, c->bucket_alloc); -- APR_BRIGADE_INSERT_TAIL(bb, b); -- b = apr_bucket_eos_create(c->bucket_alloc); -- APR_BRIGADE_INSERT_TAIL(bb, b); -- ap_pass_brigade(r->output_filters, bb); -- } -+ bb = apr_brigade_create(r->pool, c->bucket_alloc); -+#ifdef HAVE_CGID_FDPASSING -+ b = cgi_bucket_create(r, dc->timeout, tempsock, script_err, c->bucket_alloc); -+ if (b == NULL) -+ return HTTP_INTERNAL_SERVER_ERROR; /* should call log_scripterror() w/ _UNAVAILABLE? */ -+#else -+ b = apr_bucket_pipe_create(tempsock, c->bucket_alloc); -+#endif -+ APR_BRIGADE_INSERT_TAIL(bb, b); -+ b = apr_bucket_eos_create(c->bucket_alloc); -+ APR_BRIGADE_INSERT_TAIL(bb, b); - -- return OK; /* NOT r->status, even if it has changed. */ -+ return cgi_handle_response(r, nph, bb, timeout, conf, dbuf, script_err); - } - -- -- -- --/*============================================================================ -- *============================================================================ -- * This is the beginning of the cgi filter code moved from mod_include. This -- * is the code required to handle the "exec" SSI directive. -- *============================================================================ -- *============================================================================*/ -+/* Handling include= for mod_include. */ - static apr_status_t include_cgi(include_ctx_t *ctx, ap_filter_t *f, - apr_bucket_brigade *bb, char *s) - { -@@ -1806,7 +1722,7 @@ static void add_ssi_vars(request_rec *r) - } - - static int include_cmd(include_ctx_t *ctx, ap_filter_t *f, -- apr_bucket_brigade *bb, char *command) -+ apr_bucket_brigade *bb, const char *command) - { - char **env; - int sd; -@@ -1827,7 +1743,7 @@ static int include_cmd(include_ctx_t *ctx, ap_filter_t *f, - return retval; - } - -- send_req(sd, r, command, env, SSI_REQ); -+ send_req(sd, NULL, r, command, env, SSI_REQ); - - info = apr_palloc(r->pool, sizeof(struct cleanup_script_info)); - info->conf = conf; -@@ -1872,91 +1788,6 @@ static int include_cmd(include_ctx_t *ctx, ap_filter_t *f, - return APR_SUCCESS; - } - --static apr_status_t handle_exec(include_ctx_t *ctx, ap_filter_t *f, -- apr_bucket_brigade *bb) --{ -- char *tag = NULL; -- char *tag_val = NULL; -- request_rec *r = f->r; -- char *file = r->filename; -- char parsed_string[MAX_STRING_LEN]; -- -- if (!ctx->argc) { -- ap_log_rerror(APLOG_MARK, -- (ctx->flags & SSI_FLAG_PRINTING) -- ? APLOG_ERR : APLOG_WARNING, -- 0, r, APLOGNO(03196) -- "missing argument for exec element in %s", r->filename); -- } -- -- if (!(ctx->flags & SSI_FLAG_PRINTING)) { -- return APR_SUCCESS; -- } -- -- if (!ctx->argc) { -- SSI_CREATE_ERROR_BUCKET(ctx, f, bb); -- return APR_SUCCESS; -- } -- -- if (ctx->flags & SSI_FLAG_NO_EXEC) { -- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01271) "exec used but not allowed " -- "in %s", r->filename); -- SSI_CREATE_ERROR_BUCKET(ctx, f, bb); -- return APR_SUCCESS; -- } -- -- while (1) { -- cgid_pfn_gtv(ctx, &tag, &tag_val, SSI_VALUE_DECODED); -- if (!tag || !tag_val) { -- break; -- } -- -- if (!strcmp(tag, "cmd")) { -- apr_status_t rv; -- -- cgid_pfn_ps(ctx, tag_val, parsed_string, sizeof(parsed_string), -- SSI_EXPAND_LEAVE_NAME); -- -- rv = include_cmd(ctx, f, bb, parsed_string); -- if (rv != APR_SUCCESS) { -- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01272) -- "execution failure for parameter \"%s\" " -- "to tag exec in file %s", tag, r->filename); -- SSI_CREATE_ERROR_BUCKET(ctx, f, bb); -- break; -- } -- } -- else if (!strcmp(tag, "cgi")) { -- apr_status_t rv; -- -- cgid_pfn_ps(ctx, tag_val, parsed_string, sizeof(parsed_string), -- SSI_EXPAND_DROP_NAME); -- -- rv = include_cgi(ctx, f, bb, parsed_string); -- if (rv != APR_SUCCESS) { -- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01273) "invalid CGI ref " -- "\"%s\" in %s", tag_val, file); -- SSI_CREATE_ERROR_BUCKET(ctx, f, bb); -- break; -- } -- } -- else { -- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01274) "unknown parameter " -- "\"%s\" to tag exec in %s", tag, file); -- SSI_CREATE_ERROR_BUCKET(ctx, f, bb); -- break; -- } -- } -- -- return APR_SUCCESS; --} --/*============================================================================ -- *============================================================================ -- * This is the end of the cgi filter code moved from mod_include. -- *============================================================================ -- *============================================================================*/ -- -- - static void register_hook(apr_pool_t *p) - { - static const char * const aszPre[] = { "mod_include.c", NULL }; -@@ -1964,6 +1795,7 @@ static void register_hook(apr_pool_t *p) - ap_hook_pre_config(cgid_pre_config, NULL, NULL, APR_HOOK_MIDDLE); - ap_hook_post_config(cgid_init, aszPre, NULL, APR_HOOK_MIDDLE); - ap_hook_handler(cgid_handler, NULL, NULL, APR_HOOK_MIDDLE); -+ ap_hook_optional_fn_retrieve(cgi_optfns_retrieve, NULL, NULL, APR_HOOK_MIDDLE); - } - - AP_DECLARE_MODULE(cgid) = { diff --git a/httpd-2.4.51-r1894152.patch b/httpd-2.4.51-r1894152.patch deleted file mode 100644 index 95f5081ab01c908be9f25d605c40e1d0e3f8de5f..0000000000000000000000000000000000000000 --- a/httpd-2.4.51-r1894152.patch +++ /dev/null @@ -1,36 +0,0 @@ -# ./pullrev.sh 1894152 -http://svn.apache.org/viewvc?view=revision&revision=1894152 - ---- httpd-2.4.51/modules/filters/mod_deflate.c.r1894152 -+++ httpd-2.4.51/modules/filters/mod_deflate.c -@@ -835,6 +835,7 @@ - while (!APR_BRIGADE_EMPTY(bb)) - { - apr_bucket *b; -+ apr_status_t rv; - - /* - * Optimization: If we are a HEAD request and bytes_sent is not zero -@@ -914,8 +915,6 @@ - } - - if (APR_BUCKET_IS_FLUSH(e)) { -- apr_status_t rv; -- - /* flush the remaining data from the zlib buffers */ - zRC = flush_libz_buffer(ctx, c, f->c->bucket_alloc, deflate, - Z_SYNC_FLUSH, NO_UPDATE_CRC); -@@ -947,7 +946,12 @@ - } - - /* read */ -- apr_bucket_read(e, &data, &len, APR_BLOCK_READ); -+ rv = apr_bucket_read(e, &data, &len, APR_BLOCK_READ); -+ if (rv) { -+ ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, APLOGNO(10298) -+ "failed reading from %s bucket", e->type->name); -+ return rv; -+ } - if (!len) { - apr_bucket_delete(e); - continue; diff --git a/httpd-2.4.54-selinux.patch b/httpd-2.4.54-selinux.patch deleted file mode 100644 index dd352fe49dab8e48a175fe73dd71b83a7d20a27d..0000000000000000000000000000000000000000 --- a/httpd-2.4.54-selinux.patch +++ /dev/null @@ -1,60 +0,0 @@ -diff --git a/configure.in b/configure.in -index 74015ca..8c0ee10 100644 ---- a/configure.in -+++ b/configure.in -@@ -508,6 +508,11 @@ getloadavg - dnl confirm that a void pointer is large enough to store a long integer - APACHE_CHECK_VOID_PTR_LEN - -+AC_CHECK_LIB(selinux, is_selinux_enabled, [ -+ AC_DEFINE(HAVE_SELINUX, 1, [Defined if SELinux is supported]) -+ APR_ADDTO(HTTPD_LIBS, [-lselinux]) -+]) -+ - if test $ac_cv_func_gettid = no; then - # On Linux before glibc 2.30, gettid() is only usable via syscall() - AC_CACHE_CHECK([for gettid() via syscall], ap_cv_gettid, -diff --git a/server/core.c b/server/core.c -index a6fa2fb..cf4cba4 100644 ---- a/server/core.c -+++ b/server/core.c -@@ -65,6 +65,10 @@ - #include - #endif - -+#ifdef HAVE_SELINUX -+#include -+#endif -+ - /* LimitRequestBody handling */ - #define AP_LIMIT_REQ_BODY_UNSET ((apr_off_t) -1) - #define AP_DEFAULT_LIMIT_REQ_BODY ((apr_off_t) 1<<30) /* 1GB */ -@@ -5150,6 +5154,28 @@ static int core_post_config(apr_pool_t *pconf, apr_pool_t *plog, apr_pool_t *pte - } - #endif - -+#ifdef HAVE_SELINUX -+ { -+ static int already_warned = 0; -+ int is_enabled = is_selinux_enabled() > 0; -+ -+ if (is_enabled && !already_warned) { -+ security_context_t con; -+ -+ if (getcon(&con) == 0) { -+ -+ ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, NULL, -+ "SELinux policy enabled; " -+ "httpd running as context %s", con); -+ -+ already_warned = 1; -+ -+ freecon(con); -+ } -+ } -+ } -+#endif -+ - return OK; - } - diff --git a/httpd-2.4.43-mod_systemd.patch b/httpd-2.4.64-mod_systemd.patch similarity index 78% rename from httpd-2.4.43-mod_systemd.patch rename to httpd-2.4.64-mod_systemd.patch index 8d7922e74143b60ec855fa083307c8ff30d7d6cf..cad4a01f6feb375ed749ce163124301435f36601 100644 --- a/httpd-2.4.43-mod_systemd.patch +++ b/httpd-2.4.64-mod_systemd.patch @@ -1,10 +1,12 @@ More verbose startup logging for mod_systemd. ---- httpd-2.4.43/modules/arch/unix/mod_systemd.c.mod_systemd -+++ httpd-2.4.43/modules/arch/unix/mod_systemd.c -@@ -29,11 +29,14 @@ - #include "mpm_common.h" +diff --git a/modules/arch/unix/mod_systemd.c b/modules/arch/unix/mod_systemd.c +index 22482fd..b46d3ef 100644 +--- a/modules/arch/unix/mod_systemd.c ++++ b/modules/arch/unix/mod_systemd.c +@@ -34,11 +34,14 @@ + #endif #include "systemd/sd-daemon.h" +#include "systemd/sd-journal.h" @@ -18,9 +20,9 @@ More verbose startup logging for mod_systemd. static int systemd_pre_config(apr_pool_t *pconf, apr_pool_t *plog, apr_pool_t *ptemp) { -@@ -44,6 +47,20 @@ - return OK; +@@ -63,6 +66,20 @@ static void log_selinux_context(void) } + #endif +static char *dump_listener(ap_listen_rec *lr, apr_pool_t *p) +{ @@ -39,21 +41,17 @@ More verbose startup logging for mod_systemd. /* Report the service is ready in post_config, which could be during * startup or after a reload. The server could still hit a fatal * startup error after this point during ap_run_mpm(), so this is -@@ -51,19 +68,51 @@ - * the TCP ports so new connections will not be rejected. There will - * always be a possible async failure event simultaneous to the - * service reporting "ready", so this should be good enough. */ --static int systemd_post_config(apr_pool_t *p, apr_pool_t *plog, -+static int systemd_post_config(apr_pool_t *pconf, apr_pool_t *plog, +@@ -73,23 +90,52 @@ static void log_selinux_context(void) + static int systemd_post_config(apr_pool_t *pconf, apr_pool_t *plog, apr_pool_t *ptemp, server_rec *main_server) { + ap_listen_rec *lr; + apr_size_t plen = sizeof describe_listeners; + char *p = describe_listeners; + -+ if (ap_state_query(AP_SQ_MAIN_STATE) == AP_SQ_MS_CREATE_PRE_CONFIG) -+ return OK; -+ + if (ap_state_query(AP_SQ_MAIN_STATE) == AP_SQ_MS_CREATE_PRE_CONFIG) + return OK; + + for (lr = ap_listeners; lr; lr = lr->next) { + char *s = dump_listener(lr, ptemp); + @@ -74,6 +72,10 @@ More verbose startup logging for mod_systemd. + } + } + + #ifdef HAVE_SELINUX + log_selinux_context(); + #endif + sd_notify(0, "READY=1\n" "STATUS=Configuration loaded.\n"); + diff --git a/httpd-2.4.64-r1927270.patch b/httpd-2.4.64-r1927270.patch new file mode 100644 index 0000000000000000000000000000000000000000..21b2b9dcb49d6d1fc24275606084d0a4de345916 --- /dev/null +++ b/httpd-2.4.64-r1927270.patch @@ -0,0 +1,25 @@ +From 6e59b124221014bd1c23053e9bb63fb3362387d9 Mon Sep 17 00:00:00 2001 +From: Eric Covener +Date: Wed, 16 Jul 2025 17:33:21 +0000 +Subject: [PATCH] rc already is set by result of expression eval + +git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1927270 13f79535-47bb-0310-9956-ffa450edef68 +--- + modules/mappers/mod_rewrite.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/modules/mappers/mod_rewrite.c b/modules/mappers/mod_rewrite.c +index a6c35a0be1f..a71110bc76e 100644 +--- a/modules/mappers/mod_rewrite.c ++++ b/modules/mappers/mod_rewrite.c +@@ -4283,9 +4283,6 @@ static cond_return_type apply_rewrite_cond(rewritecond_entry *p, rewrite_ctx *ct + p->pattern - p->pskip, err); + rc = COND_RC_NOMATCH; + } +- else { +- rc = COND_RC_MATCH; +- } + /* update briRC backref info */ + if (rc && !(p->flags & CONDFLAG_NOTMATCH)) { + ctx->briRC.source = source; + diff --git a/httpd-2.4.53-separate-systemd-fns.patch b/httpd-2.4.64-separate-systemd-fns.patch similarity index 34% rename from httpd-2.4.53-separate-systemd-fns.patch rename to httpd-2.4.64-separate-systemd-fns.patch index 88b99ffb53d6aa86e78a322f310b7077c6fa0caa..6947ee6d448cec96e86fa74385231e60bee5c7e8 100644 --- a/httpd-2.4.53-separate-systemd-fns.patch +++ b/httpd-2.4.64-separate-systemd-fns.patch @@ -10,102 +10,36 @@ index 05abe18..97484c9 100644 AC_DEFINE(HAVE_SYSTEMD, 1, [Define if systemd is supported]) fi fi -diff --git a/include/ap_listen.h b/include/ap_listen.h -index 58c2574..d5ed968 100644 ---- a/include/ap_listen.h -+++ b/include/ap_listen.h -@@ -29,6 +29,7 @@ - #include "apr_network_io.h" - #include "httpd.h" - #include "http_config.h" -+#include "apr_optional.h" - - #ifdef __cplusplus - extern "C" { -@@ -143,6 +144,15 @@ AP_DECLARE_NONSTD(const char *) ap_set_receive_buffer_size(cmd_parms *cmd, - void *dummy, - const char *arg); - -+#ifdef HAVE_SYSTEMD -+APR_DECLARE_OPTIONAL_FN(int, -+ ap_find_systemd_socket, (process_rec *, apr_port_t)); -+ -+APR_DECLARE_OPTIONAL_FN(int, -+ ap_systemd_listen_fds, (int)); -+#endif -+ -+ - #define LISTEN_COMMANDS \ - AP_INIT_TAKE1("ListenBacklog", ap_set_listenbacklog, NULL, RSRC_CONF, \ - "Maximum length of the queue of pending connections, as used by listen(2)"), \ diff --git a/modules/arch/unix/mod_systemd.c b/modules/arch/unix/mod_systemd.c -index eda1272..fc059fc 100644 +index af68249..7232a45 100644 --- a/modules/arch/unix/mod_systemd.c +++ b/modules/arch/unix/mod_systemd.c -@@ -35,6 +35,15 @@ +@@ -40,6 +40,9 @@ #include #endif -+APR_DECLARE_OPTIONAL_FN(int, -+ ap_find_systemd_socket, (process_rec *, apr_port_t)); -+ -+APR_DECLARE_OPTIONAL_FN(int, -+ ap_systemd_listen_fds, (int)); -+ +APR_DECLARE_OPTIONAL_FN(int, + ap_systemd_journal_stream_fd, (const char *, int, int)); + static char describe_listeners[30]; static int systemd_pre_config(apr_pool_t *pconf, apr_pool_t *plog, -@@ -145,8 +154,47 @@ static int systemd_monitor(apr_pool_t *p, server_rec *s) - return DECLINED; +@@ -217,10 +220,15 @@ static int ap_systemd_listen_fds(int unset_environment){ + return sd_listen_fds(unset_environment); } -+static int ap_find_systemd_socket(process_rec * process, apr_port_t port) { -+ int fdcount, fd; -+ int sdc = sd_listen_fds(0); -+ -+ if (sdc < 0) { -+ ap_log_perror(APLOG_MARK, APLOG_CRIT, sdc, process->pool, APLOGNO(02486) -+ "find_systemd_socket: Error parsing enviroment, sd_listen_fds returned %d", -+ sdc); -+ return -1; -+ } -+ -+ if (sdc == 0) { -+ ap_log_perror(APLOG_MARK, APLOG_CRIT, sdc, process->pool, APLOGNO(02487) -+ "find_systemd_socket: At least one socket must be set."); -+ return -1; -+ } -+ -+ fdcount = atoi(getenv("LISTEN_FDS")); -+ for (fd = SD_LISTEN_FDS_START; fd < SD_LISTEN_FDS_START + fdcount; fd++) { -+ if (sd_is_socket_inet(fd, 0, 0, -1, port) > 0) { -+ return fd; -+ } -+ } -+ -+ return -1; -+} -+ -+static int ap_systemd_listen_fds(int unset_environment){ -+ return sd_listen_fds(unset_environment); -+} -+ +static int ap_systemd_journal_stream_fd(const char *identifier, int priority, int level_prefix){ + return sd_journal_stream_fd("httpd", priority, 0); +} + static void systemd_register_hooks(apr_pool_t *p) { -+ APR_REGISTER_OPTIONAL_FN(ap_systemd_listen_fds); -+ APR_REGISTER_OPTIONAL_FN(ap_find_systemd_socket); + APR_REGISTER_OPTIONAL_FN(ap_systemd_listen_fds); + APR_REGISTER_OPTIONAL_FN(ap_find_systemd_socket); + APR_REGISTER_OPTIONAL_FN(ap_systemd_journal_stream_fd); -+ + /* Enable ap_extended_status. */ ap_hook_pre_config(systemd_pre_config, NULL, NULL, APR_HOOK_LAST); - /* Signal service is ready. */ diff --git a/modules/loggers/config.m4 b/modules/loggers/config.m4 index 0848d2e..8af2299 100644 --- a/modules/loggers/config.m4 @@ -119,7 +53,7 @@ index 0848d2e..8af2299 100644 APACHE_MODULE(log_debug, configurable debug logging, , , most) APACHE_MODULE(log_forensic, forensic logging) diff --git a/modules/loggers/mod_log_config.c b/modules/loggers/mod_log_config.c -index 0b11f60..c3f0a51 100644 +index 694f447..a65b982 100644 --- a/modules/loggers/mod_log_config.c +++ b/modules/loggers/mod_log_config.c @@ -172,10 +172,6 @@ @@ -165,122 +99,3 @@ index 877a593..bd52a98 100644 #endif /* MOD_LOG_CONFIG */ /** @} */ -diff --git a/server/listen.c b/server/listen.c -index e2e028a..5d1c0e1 100644 ---- a/server/listen.c -+++ b/server/listen.c -@@ -34,10 +34,6 @@ - #include - #endif - --#ifdef HAVE_SYSTEMD --#include --#endif -- - /* we know core's module_index is 0 */ - #undef APLOG_MODULE_INDEX - #define APLOG_MODULE_INDEX AP_CORE_MODULE_INDEX -@@ -325,34 +321,6 @@ static int find_listeners(ap_listen_rec **from, ap_listen_rec **to, - } - - #ifdef HAVE_SYSTEMD -- --static int find_systemd_socket(process_rec * process, apr_port_t port) { -- int fdcount, fd; -- int sdc = sd_listen_fds(0); -- -- if (sdc < 0) { -- ap_log_perror(APLOG_MARK, APLOG_CRIT, sdc, process->pool, APLOGNO(02486) -- "find_systemd_socket: Error parsing enviroment, sd_listen_fds returned %d", -- sdc); -- return -1; -- } -- -- if (sdc == 0) { -- ap_log_perror(APLOG_MARK, APLOG_CRIT, sdc, process->pool, APLOGNO(02487) -- "find_systemd_socket: At least one socket must be set."); -- return -1; -- } -- -- fdcount = atoi(getenv("LISTEN_FDS")); -- for (fd = SD_LISTEN_FDS_START; fd < SD_LISTEN_FDS_START + fdcount; fd++) { -- if (sd_is_socket_inet(fd, 0, 0, -1, port) > 0) { -- return fd; -- } -- } -- -- return -1; --} -- - static apr_status_t alloc_systemd_listener(process_rec * process, - int fd, const char *proto, - ap_listen_rec **out_rec) -@@ -412,6 +380,14 @@ static const char *set_systemd_listener(process_rec *process, apr_port_t port, - { - ap_listen_rec *last, *new; - apr_status_t rv; -+ APR_OPTIONAL_FN_TYPE(ap_find_systemd_socket) *find_systemd_socket; -+ -+ find_systemd_socket = APR_RETRIEVE_OPTIONAL_FN(ap_find_systemd_socket); -+ -+ if (!find_systemd_socket) -+ return "Systemd socket activation is used, but mod_systemd is probably " -+ "not loaded"; -+ - int fd = find_systemd_socket(process, port); - if (fd < 0) { - return "Systemd socket activation is used, but this port is not " -@@ -438,7 +414,6 @@ static const char *set_systemd_listener(process_rec *process, apr_port_t port, - - return NULL; - } -- - #endif /* HAVE_SYSTEMD */ - - static const char *alloc_listener(process_rec *process, const char *addr, -@@ -707,6 +682,9 @@ AP_DECLARE(int) ap_setup_listeners(server_rec *s) - int num_listeners = 0; - const char* proto; - int found; -+#ifdef HAVE_SYSTEMD -+ APR_OPTIONAL_FN_TYPE(ap_systemd_listen_fds) *systemd_listen_fds; -+#endif - - for (ls = s; ls; ls = ls->next) { - proto = ap_get_server_protocol(ls); -@@ -746,7 +724,10 @@ AP_DECLARE(int) ap_setup_listeners(server_rec *s) - apr_pool_cleanup_null, s->process->pool); - } - else { -- sd_listen_fds(1); -+ systemd_listen_fds = APR_RETRIEVE_OPTIONAL_FN(ap_systemd_listen_fds); -+ if (systemd_listen_fds != NULL) { -+ systemd_listen_fds(1); -+ } - } - } - else -@@ -963,6 +944,9 @@ AP_DECLARE_NONSTD(const char *) ap_set_listener(cmd_parms *cmd, void *dummy, - apr_port_t port; - apr_status_t rv; - const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY); -+#ifdef HAVE_SYSTEMD -+ APR_OPTIONAL_FN_TYPE(ap_systemd_listen_fds) *systemd_listen_fds; -+#endif - - if (err != NULL) { - return err; -@@ -973,7 +957,12 @@ AP_DECLARE_NONSTD(const char *) ap_set_listener(cmd_parms *cmd, void *dummy, - } - #ifdef HAVE_SYSTEMD - if (use_systemd == -1) { -- use_systemd = sd_listen_fds(0) > 0; -+ systemd_listen_fds = APR_RETRIEVE_OPTIONAL_FN(ap_systemd_listen_fds); -+ if (systemd_listen_fds != NULL) { -+ use_systemd = systemd_listen_fds(0) > 0; -+ } else { -+ use_systemd = 0; -+ } - } - #endif - diff --git a/httpd-2.4.43-sslprotdefault.patch b/httpd-2.4.64-sslprotdefault.patch similarity index 84% rename from httpd-2.4.43-sslprotdefault.patch rename to httpd-2.4.64-sslprotdefault.patch index d0898239dc52ffb5d8d7cac5607be514007c4411..6d979354bd56e4424ab7ab7153add35600c19aea 100644 --- a/httpd-2.4.43-sslprotdefault.patch +++ b/httpd-2.4.64-sslprotdefault.patch @@ -1,8 +1,8 @@ diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c -index 27e7a53..b53f3f8 100644 +index 8fae1f8..c5dce7f 100644 --- a/modules/ssl/ssl_engine_config.c +++ b/modules/ssl/ssl_engine_config.c -@@ -119,7 +119,7 @@ static void modssl_ctx_init(modssl_ctx_t *mctx, apr_pool_t *p) +@@ -127,7 +127,7 @@ static void modssl_ctx_init(modssl_ctx_t *mctx, apr_pool_t *p) mctx->ticket_key = NULL; #endif @@ -11,7 +11,7 @@ index 27e7a53..b53f3f8 100644 mctx->protocol_set = 0; mctx->pphrase_dialog_type = SSL_PPTYPE_UNSET; -@@ -263,6 +263,7 @@ static void modssl_ctx_cfg_merge(apr_pool_t *p, +@@ -268,6 +268,7 @@ static void modssl_ctx_cfg_merge(apr_pool_t *p, if (add->protocol_set) { mrg->protocol_set = 1; mrg->protocol = add->protocol; @@ -19,20 +19,19 @@ index 27e7a53..b53f3f8 100644 } else { mrg->protocol_set = base->protocol_set; - diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c -index bfad47a..b0fcf81 100644 +index 4e265b3..2fbd076 100644 --- a/modules/ssl/ssl_engine_init.c +++ b/modules/ssl/ssl_engine_init.c -@@ -577,6 +577,7 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s, +@@ -638,6 +638,7 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s, MODSSL_SSL_METHOD_CONST SSL_METHOD *method = NULL; char *cp; int protocol = mctx->protocol; + int protocol_set = mctx->protocol_set; SSLSrvConfigRec *sc = mySrvConfig(s); #if OPENSSL_VERSION_NUMBER >= 0x10100000L - int prot; -@@ -586,12 +587,18 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s, + /* default is highest supported version, will be overridden below */ +@@ -652,12 +653,18 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s, * Create the new per-server SSL context */ if (protocol == SSL_PROTOCOL_NONE) { @@ -56,7 +55,7 @@ index bfad47a..b0fcf81 100644 #ifndef OPENSSL_NO_SSL3 (protocol & SSL_PROTOCOL_SSLV3 ? "SSLv3, " : ""), #endif -@@ -604,7 +611,8 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s, +@@ -670,7 +677,8 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s, #endif #endif NULL); @@ -66,7 +65,7 @@ index bfad47a..b0fcf81 100644 ap_log_error(APLOG_MARK, APLOG_TRACE3, 0, s, "Creating new SSL context (protocols: %s)", cp); -@@ -705,13 +713,15 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s, +@@ -776,13 +784,15 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s, prot = SSL3_VERSION; #endif } else { @@ -88,7 +87,7 @@ index bfad47a..b0fcf81 100644 /* Next we scan for the minimal protocol version we should provide, * but we do not allow holes between max and min */ -@@ -731,7 +741,7 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s, +@@ -806,7 +816,7 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s, prot = SSL3_VERSION; } #endif diff --git a/httpd-2.4.62.tar.bz2 b/httpd-2.4.64.tar.bz2 similarity index 48% rename from httpd-2.4.62.tar.bz2 rename to httpd-2.4.64.tar.bz2 index fa3f2c8eae9c4fb2bb5ecc2568dadce757a509f3..55fbcf3c35660d18e55aa3c7922b7b5e3d05b367 100644 Binary files a/httpd-2.4.62.tar.bz2 and b/httpd-2.4.64.tar.bz2 differ diff --git a/httpd.spec b/httpd.spec index c4a919c9116e35f60cc5a2e2f7927dd41aaa4679..fe42e09fa0965cc68b8bba93baa8c5a71da78f64 100644 --- a/httpd.spec +++ b/httpd.spec @@ -1,4 +1,4 @@ -%define anolis_release 3 +%define anolis_release 1 %define contentdir %{_datadir}/%{name} %define docroot /var/www %define suexec_caller apache @@ -14,7 +14,7 @@ Summary: Apache HTTP Server Name: httpd -Version: 2.4.62 +Version: 2.4.64 Release: %{anolis_release}%{?dist} License: ASL 2.0 URL: https://httpd.apache.org/ @@ -66,37 +66,21 @@ Patch0001: httpd-2.4.43-apxs.patch Patch0002: httpd-2.4.43-deplibs.patch Patch0003: httpd-2.4.53-detect-systemd.patch Patch0004: httpd-2.4.48-r1842929+.patch -Patch0005: httpd-2.4.43-mod_systemd.patch +Patch0005: httpd-2.4.64-mod_systemd.patch Patch0006: httpd-2.4.53-export.patch Patch0007: httpd-2.4.43-corelimit.patch -Patch0008: httpd-2.4.54-selinux.patch -#Patch0009: httpd-2.4.43-gettid.patch Patch0010: httpd-2.4.54-icons.patch Patch0011: httpd-2.4.43-cachehardmax.patch -Patch0012: httpd-2.4.43-socket-activation.patch Patch0013: httpd-2.4.43-sslciphdefault.patch -Patch0014: httpd-2.4.43-sslprotdefault.patch -#Patch0015: httpd-2.4.43-r1861793+.patch -#Patch0016: httpd-2.4.48-r1828172+.patch +Patch0014: httpd-2.4.64-sslprotdefault.patch Patch0017: httpd-2.4.43-logjournal.patch -Patch0018: httpd-2.4.53-separate-systemd-fns.patch +Patch0018: httpd-2.4.64-separate-systemd-fns.patch Patch0019: httpd-2.4.43-enable-sslv3.patch -#Patch0021: httpd-2.4.46-htcacheclean-dont-break.patch -#Patch0022: httpd-2.4.51-r1894152.patch +Patch0023: httpd-2.4.64-r1927270.patch # modify for anolis Patch1000: 1000-httpd-anolis-rebrand.patch -#https://github.com/apache/httpd/commit/1feb5e04a4f7b5f3f13cd40f9635144319dcf24a -#Patch1001: fix-cve-2024-38475.patch -#https://github.com/apache/httpd/commit/12542a80324b69ad6a1a489e1b697398551a5fe0 -#Patch1002: fix-cve-2024-38472.patch -#https://github.com/apache/httpd/commit/9494aa8d52e3c263bc0413b77ac8a73b0d524388 -#Patch1003: fix-cve-2024-39573.patch -# https://github.com/apache/httpd/commit/a7a9d814c7c23e990283277230ddd5a9efec27c7 -Patch1004: fix-CVE-2024-42516.patch -# https://github.com/apache/httpd/commit/87a7351c755c9ef8ab386e3090e44838c2a06d48 -Patch1005: fix-CVE-2025-49812.patch BuildRequires: gcc > 12.0 BuildRequires: autoconf @@ -112,6 +96,8 @@ BuildRequires: lua-devel BuildRequires: brotli-devel BuildRequires: apr-devel >= 1.5.0 BuildRequires: apr-util-devel >= 1.5.0 +BuildRequires: openldap-devel +BuildRequires: libxcrypt-devel %if %{with pcre2} BuildRequires: pcre2-devel %endif @@ -177,7 +163,7 @@ BuildRequires: openssl-devel Requires(pre): %{name}-filesystem Requires: %{name} = 0:%{version}-%{release} Requires: %{name}-mmn = %{mmnisa} -Requires: sscg >= 2.2.0, /usr/bin/hostname +Requires: sscg >= 3.0.3, /usr/bin/hostname Conflicts: openssl-libs < 1:1.0.1h Conflicts: mod_nss @@ -769,6 +755,14 @@ exit $rv %changelog +* Fri Aug 22 2025 wenxin - 2.4.64-1 +- update to 2.4.64 to fix cves +- fix CVE-2024-43204 +- fix CVE-2024-47252 +- fix CVE-2025-49630 +- fix CVE-2025-53020 +- Removed redundant patch files now included in the upgraded version + * Thu Aug 14 2025 wenxin - 2.4.62-3 - Add patch to fix CVE-2024-42516, CVE-2925-49812