From 077732b61649caa74ce7029a11ecb0fae3e7f963 Mon Sep 17 00:00:00 2001
From: renmingshuai
Date: Thu, 13 Oct 2022 16:07:06 +0800
Subject: [PATCH] sync patches from upstream
---
...1589986-r1589995-r1633528-from-trunk.patch | 62 +++++++++++++++++++
...equests-to-well-known-acme-challenge.patch | 39 ++++++++++++
httpd.spec | 13 +++-
3 files changed, 112 insertions(+), 2 deletions(-)
create mode 100644 backport-Merge-r1589986-r1589995-r1633528-from-trunk.patch
create mode 100644 backport-mod_md-do-not-interfere-with-requests-to-well-known-acme-challenge.patch
diff --git a/backport-Merge-r1589986-r1589995-r1633528-from-trunk.patch b/backport-Merge-r1589986-r1589995-r1633528-from-trunk.patch
new file mode 100644
index 0000000..cfb8a2e
--- /dev/null
+++ b/backport-Merge-r1589986-r1589995-r1633528-from-trunk.patch
@@ -0,0 +1,62 @@
+From 73ce13be5aa9ae5414772bc6a8a2f7de8dd2db34 Mon Sep 17 00:00:00 2001
+From: Christophe Jaillet
+Date: Sat, 19 Feb 2022 13:47:02 UTC
+Subject: [PATCH] Merge r1589986 r1589995 r1633528 from trunk
+
+ *) Add teh ldap function to the expression API, allowing LDAP filters
+ and distinguished names based on expressions to be escaped correctly
+ to guard against LDAP injection.
+
+Conflict:NA
+Reference:https://github.com/apache/httpd/commit/73ce13be5aa9ae5414772bc6a8a2f7de8dd2db34
+
+---
+ server/util_expr_eval.c | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/server/util_expr_eval.c b/server/util_expr_eval.c
+index 2e031d0..7e9b380 100644
+--- a/server/util_expr_eval.c
++++ b/server/util_expr_eval.c
+@@ -32,6 +32,10 @@
+ #include "apr_fnmatch.h"
+ #include "apr_base64.h"
+ #include "apr_sha1.h"
++#include "apr_version.h"
++#if APR_VERSION_AT_LEAST(1,5,0)
++#include "apr_escape.h"
++#endif
+
+ #include /* for INT_MAX */
+
+@@ -1087,9 +1091,16 @@ static const char *sha1_func(ap_expr_eval_ctx_t *ctx, const void *data,
+ static const char *md5_func(ap_expr_eval_ctx_t *ctx, const void *data,
+ const char *arg)
+ {
+- return ap_md5(ctx->p, (const unsigned char *)arg);
++ return ap_md5(ctx->p, (const unsigned char *)arg);
+ }
+
++#if APR_VERSION_AT_LEAST(1,6,0)
++static const char *ldap_func(ap_expr_eval_ctx_t *ctx, const void *date,
++ const char *arg)
++{
++ return apr_pescape_ldap(ctx->p, arg, ARP_ESCAPE_STRING, APR_ESCAPE_LDAP_ALL);
++}
++#endif
+
+ #define MAX_FILE_SIZE 10*1024*1024
+ static const char *file_func(ap_expr_eval_ctx_t *ctx, const void *data,
+@@ -1667,6 +1678,9 @@ static const struct expr_provider_single string_func_providers[] = {
+ { unbase64_func, "unbase64", NULL, 0 },
+ { sha1_func, "sha1", NULL, 0 },
+ { md5_func, "md5", NULL, 0 },
++#if APR_VERSION_AT_LEAST(1,6,0)
++ { ldap_func, "ldap", NULL, 0 },
++#endif
+ { NULL, NULL, NULL}
+ };
+
+--
+2.23.0
+
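Review bot: The added `ldap_func` passes `ARP_ESCAPE_STRING` to `apr_pescape_ldap()`, which looks like a transposition of APR's `APR_ESCAPE_STRING`; wherever `APR_VERSION_AT_LEAST(1,6,0)` holds, that identifier would be undeclared and `server/util_expr_eval.c` would not compile. The call should read `return apr_pescape_ldap(ctx->p, arg, APR_ESCAPE_STRING, APR_ESCAPE_LDAP_ALL);`. The second parameter is spelled `date` where the neighbouring providers use `data`, and the `ap_md5` line is removed and re-added with no visible change, which suggests the backport was retyped rather than taken from the referenced commit, so it is worth diffing it against that commit before merging. Because the `ldap` provider is registered only under the same `#if`, expressions that rely on it for LDAP escaping should be checked against the APR version the package is actually built with.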
diff --git a/backport-mod_md-do-not-interfere-with-requests-to-well-known-acme-challenge.patch b/backport-mod_md-do-not-interfere-with-requests-to-well-known-acme-challenge.patch
new file mode 100644
index 0000000..061a558
--- /dev/null
+++ b/backport-mod_md-do-not-interfere-with-requests-to-well-known-acme-challenge.patch
@@ -0,0 +1,39 @@
+From 960d719aa31c35a8aac99b1fa413df7a91085bbd Mon Sep 17 00:00:00 2001
+From: Stefan Eissing
+Date: Tue, 8 Feb 2022 12:28:37 UTC
+Subject: [PATCH] mod_md do not interfere with requests to well known acme challenge
+resources if challenge type 'http-01' is not configure for a domain.
+Fixes .
+
+git-svn-id:https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1897865
+
+Conflict:NA
+Reference:https://github.com/apache/httpd/commit/960d719aa31c35a8aac99b1fa413df7a91085bbd.patch
+
+---
+ modules/md/mod_md.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/modules/md/mod_md.c b/modules/md/mod_md.c
+index 8b379eb..7d011a0 100644
+--- a/modules/md/mod_md.c
++++ b/modules/md/mod_md.c
+@@ -1348,6 +1348,15 @@ static int md_http_challenge_pr(request_rec *r)
+ name = r->parsed_uri.path + sizeof(ACME_CHALLENGE_PREFIX)-1;
+ reg = sc && sc->mc? sc->mc->reg : NULL;
+
++ if (md && md->ca_challenges
++ && md_array_str_index(md->ca_challenges, MD_AUTHZ_CHA_HTTP_01, 0, 1) < 0) {
++ /* The MD this challenge is for does not allow http-01 challanges,
++ * we have to decline. See #279 for a setup example where this
++ * is necessary.
++ */
++ return DECLINED;
++ }
++
+ if (strlen(name) && !ap_strchr_c(name, '/') && reg) {
+ md_store_t *store = md_reg_store_get(reg);
+
+--
+2.23.0
+
diff --git a/httpd.spec b/httpd.spec
index c2fac04..5b3d479 100644
--- a/httpd.spec
+++ b/httpd.spec
@@ -8,7 +8,7 @@
 Name: httpd
 Summary: Apache HTTP Server
 Version: 2.4.51
-Release: 11
+Release: 12
 License: ASL 2.0
 URL: https://httpd.apache.org/
 Source0: https://archive.apache.org/dist/httpd/httpd-%{version}.tar.bz2
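Review bot: In the guard added to `md_http_challenge_pr`, the final argument `1` in `md_array_str_index(md->ca_challenges, MD_AUTHZ_CHA_HTTP_01, 0, 1)` appears to request a case-sensitive match; if configured challenge names are not normalised to lower case before they reach `md->ca_challenges`, a domain configured with a differently-cased `http-01` entry would have its challenge requests declined. It is worth confirming how that array is populated, or matching case-insensitively here. Once the handler declines, the request is answered by whatever else is mapped to the ACME challenge path, so a debug-level log line next to `return DECLINED;` would let operators tell this case from a missing token. The comment's `See #279` does not say which tracker it means, and the `Fixes .` line in the nested commit message has lost its reference. The function starts and ends outside the hunk, so the assignment of `md` is not visible here.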
@@ -93,6 +93,8 @@ Patch39: backport-fix-setting-and-comparison-of-IPs-fields.patch
 Patch40: backport-make-ap_escape_quotes-work-correctly.patch
 Patch41: backport-Handle-children-killed-pathologically.patch
 Patch42: backport-fix-numeric-check-for-HeartbeatMaxServers.patch
+Patch43: backport-mod_md-do-not-interfere-with-requests-to-well-known-acme-challenge.patch
+Patch44: backport-Merge-r1589986-r1589995-r1633528-from-trunk.patch
 BuildRequires: gcc autoconf pkgconfig findutils xmlto perl-interpreter perl-generators systemd-devel
 BuildRequires: zlib-devel libselinux-devel lua-devel brotli-devel
@@ -525,6 +527,13 @@ exit $rv
 %{_rpmconfigdir}/macros.d/macros.httpd
 %changelog
+* Thu Oct 13 2022 chengyechun - 2.4.51-12
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:mod_md:do not interface with requests if challenge type http-01
+ add the ldap function to the expression API
+
 * Wed Sep 7 2022 chengyechun - 2.4.51-11
 - Type:bugfix
 - ID:NA
@@ -542,7 +551,7 @@ exit $rv
 mod_heartmonitor:fix setting and comparison of IPs fields
 core:make ap_escape_quotes() work correctly
-* Wed Jun 27 2022 chengyechun - 2.4.51-9
+* Wed Jul 27 2022 chengyechun - 2.4.51-9
 - Type:bugfix
 - ID:NA
 - SUG:NA
--
Gitee