From 85df7f0c5a4e533e719f3277ec7bc595a6a868de Mon Sep 17 00:00:00 2001
From: chengyechun
Date: Fri, 14 Apr 2023 10:07:19 +0800
Subject: [PATCH] sync some patches from upstream
---
...d-sends-an-invalid-number-of-headers.patch | 36 +++++
...iting-the-query-with-a-backreference.patch | 152 ++++++++++++++++++
backport-fix-missing-APLOGNO.patch | 28 ++++
...gative-value-when-parsing-the-config.patch | 38 +++++
httpd.spec | 15 +-
5 files changed, 268 insertions(+), 1 deletion(-)
create mode 100644 backport-Report-an-error-if-the-AJP-backend-sends-an-invalid-number-of-headers.patch
create mode 100644 backport-avoid-delimiting-the-query-with-a-backreference.patch
create mode 100644 backport-fix-missing-APLOGNO.patch
create mode 100644 backport-handled-a-negative-value-when-parsing-the-config.patch
diff --git a/backport-Report-an-error-if-the-AJP-backend-sends-an-invalid-number-of-headers.patch b/backport-Report-an-error-if-the-AJP-backend-sends-an-invalid-number-of-headers.patch
new file mode 100644
index 0000000..fad6c64
--- /dev/null
+++ b/backport-Report-an-error-if-the-AJP-backend-sends-an-invalid-number-of-headers.patch
@@ -0,0 +1,36 @@
+From 296a99c3102e4dd91153a8fb732275b804f001fc Mon Sep 17 00:00:00 2001
+From: Eric Covener
+Date: Mon, 23 Jan 2023 04:59:22 PM GMT+0800
+Subject: [PATCH] Report an error if the AJP backend sends an invalid number of headers
+
+Conflict:NA
+Reference:https://github.com/apache/httpd/commit/296a99c3102e4dd91153a8fb732275b804f001fc
+
+---
+ modules/proxy/ajp_header.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/modules/proxy/ajp_header.c b/modules/proxy/ajp_header.c
+index b4dc47c..a09a2e4 100644
+--- a/modules/proxy/ajp_header.c
++++ b/modules/proxy/ajp_header.c
+@@ -584,8 +584,15 @@ static apr_status_t ajp_unmarshal_response(ajp_msg_t *msg,
+ r->headers_out = save_table;
+ }
+ else {
+- r->headers_out = NULL;
++ /*
++ * Reset headers, but not to NULL because things below the chain expect
++ * this to be non NULL e.g. the ap_content_length_filter.
++ */
++ r->headers_out = apr_table_make(r->pool, 1);
+ num_headers = 0;
++ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10405)
++ "ajp_unmarshal_response: Bad number of headers");
++ return rc;
+ }
+
+ ap_log_rerror(APLOG_MARK, APLOG_TRACE4, 0, r,
+--
+2.27.0
+
diff --git a/backport-avoid-delimiting-the-query-with-a-backreference.patch b/backport-avoid-delimiting-the-query-with-a-backreference.patch
new file mode 100644
index 0000000..293efa9
--- /dev/null
+++ b/backport-avoid-delimiting-the-query-with-a-backreference.patch
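Review bot: In the `else` branch of `ajp_unmarshal_response` in the embedded `modules/proxy/ajp_header.c` hunk, the new `return rc;` relies on `rc` holding a failure status, but `rc` is assigned outside the hunk, so that cannot be confirmed from the visible lines; if it could be `APR_SUCCESS` on this path, the caller would carry on with an empty header table and the malformed backend response would only be logged. A one-line comment above the return, for example `/* rc is the non-success status from reading the header count */`, would record the assumption for the next backport. With the early return in place, `num_headers = 0;` is a dead store and could be dropped. The function body starts and ends outside the hunk.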
@@ -0,0 +1,152 @@
+From 9282a06e55cb142666d6ed565c9031e728b7d537 Mon Sep 17 00:00:00 2001
+From: Eric Covener
+Date: Mon, 6 Mar 2023 04:31:19 AM GMT+0800
+Subject: [PATCH] avoid delimiting the query with a backreference
+
+Conflict:NA
+Reference:https://github.com/apache/httpd/commit/9282a06e55cb142666d6ed565c9031e728b7d537
+
+---
+ modules/mappers/mod_rewrite.c | 44 +++++++++++++++++++++++++----------
+ 1 file changed, 32 insertions(+), 12 deletions(-)
+
+diff --git a/modules/mappers/mod_rewrite.c b/modules/mappers/mod_rewrite.c
+index 7faaeb7..e539a44 100644
+--- a/modules/mappers/mod_rewrite.c
++++ b/modules/mappers/mod_rewrite.c
+@@ -167,6 +167,7 @@ static const char* really_last_key = "rewrite_really_last";
+ #define RULEFLAG_END (1<<17)
+ #define RULEFLAG_ESCAPENOPLUS (1<<18)
+ #define RULEFLAG_QSLAST (1<<19)
++#define RULEFLAG_QSNONE (1<<20) /* programattic only */
+
+ /* return code of the rewrite rule
+ * the result may be escaped - or not
+@@ -763,11 +764,19 @@ static char *escape_absolute_uri(apr_pool_t *p, char *uri, unsigned scheme)
+ * split out a QUERY_STRING part from
+ * the current URI string
+ */
+-static void splitout_queryargs(request_rec *r, int qsappend, int qsdiscard,
+- int qslast)
++static void splitout_queryargs(request_rec *r, int flags)
+ {
+ char *q;
+ int split, skip;
++ int qsappend = flags & RULEFLAG_QSAPPEND;
++ int qsdiscard = flags & RULEFLAG_QSDISCARD;
++ int qslast = flags & RULEFLAG_QSLAST;
++
++ if (flags & RULEFLAG_QSNONE) {
++ rewritelog((r, 2, NULL, "discarding query string, no parse from substitution"));
++ r->args = NULL;
++ return;
++ }
+
+ /* don't touch, unless it's a scheme for which a query string makes sense.
+ * See RFC 1738 and RFC 2368.
+@@ -792,7 +801,7 @@ static void splitout_queryargs(request_rec *r, int qsappend, int qsdiscard,
+ olduri = apr_pstrdup(r->pool, r->filename);
+ *q++ = '\0';
+ if (qsappend) {
+- if (*q) {
++ if (*q) {
+ r->args = apr_pstrcat(r->pool, q, "&" , r->args, NULL);
+ }
+ }
+@@ -800,7 +809,7 @@ static void splitout_queryargs(request_rec *r, int qsappend, int qsdiscard,
+ r->args = apr_pstrdup(r->pool, q);
+ }
+
+- if (r->args) {
++ if (r->args) {
+ len = strlen(r->args);
+
+ if (!len) {
+@@ -2735,7 +2744,8 @@ static apr_status_t rewritelock_remove(void *data)
+ * XXX: what an inclined parser. Seems we have to leave it so
+ * for backwards compat. *sigh*
+ */
+-static int parseargline(char *str, char **a1, char **a2, char **a3)
++static char *parseargline(apr_pool_t *p, char *str, char **a1,
++ char **a2, char **a2_end, char **a3)
+ {
+ char quote;
+
+@@ -2786,8 +2796,10 @@ static int parseargline(char *str, char **a1, char **a2, char **a3)
+
+ if (!*str) {
+ *a3 = NULL; /* 3rd argument is optional */
++ *a2_end = str;
+ return 0;
+ }
++ *a2_end = str;
+ *str++ = '\0';
+
+ while (apr_isspace(*str)) {
+@@ -3327,7 +3339,7 @@ static const char *cmd_rewritecond(cmd_parms *cmd, void *in_dconf,
+ rewrite_server_conf *sconf;
+ rewritecond_entry *newcond;
+ ap_regex_t *regexp;
+- char *a1 = NULL, *a2 = NULL, *a3 = NULL;
++ char *a1 = NULL, *a2 = NULL, *a2_end, *a3 = NULL;
+ const char *err;
+
+ sconf = ap_get_module_config(cmd->server->module_config, &rewrite_module);
+@@ -3345,7 +3357,7 @@ static const char *cmd_rewritecond(cmd_parms *cmd, void *in_dconf,
+ * of the argument line. So we can use a1 .. a3 without
+ * copying them again.
+ */
+- if (parseargline(str, &a1, &a2, &a3)) {
++ if ((err = parseargline(cmd->pool, str, &a1, &a2, &a2_end, &a3))) {
+ return apr_pstrcat(cmd->pool, "RewriteCond: bad argument line '", str,
+ "'", NULL);
+ }
+@@ -3753,7 +3765,7 @@ static const char *cmd_rewriterule(cmd_parms *cmd, void *in_dconf,
+ rewrite_server_conf *sconf;
+ rewriterule_entry *newrule;
+ ap_regex_t *regexp;
+- char *a1 = NULL, *a2 = NULL, *a3 = NULL;
++ char *a1 = NULL, *a2 = NULL, *a2_end, *a3 = NULL;
+ const char *err;
+
+ sconf = ap_get_module_config(cmd->server->module_config, &rewrite_module);
+@@ -3767,7 +3779,7 @@ static const char *cmd_rewriterule(cmd_parms *cmd, void *in_dconf,
+ }
+
+ /* parse the argument line ourself */
+- if (parseargline(str, &a1, &a2, &a3)) {
++ if ((err = parseargline(cmd->pool, str, &a1, &a2, &a2_end, &a3))) {
+ return apr_pstrcat(cmd->pool, "RewriteRule: bad argument line '", str,
+ "'", NULL);
+ }
+@@ -3814,6 +3826,16 @@ static const char *cmd_rewriterule(cmd_parms *cmd, void *in_dconf,
+ newrule->flags |= RULEFLAG_NOSUB;
+ }
+
++ if (*(a2_end-1) == '?') {
++ /* a literal ? at the end of the unsubstituted rewrite rule */
++ newrule->flags |= RULEFLAG_QSNONE;
++ }
++ else if (newrule->flags & RULEFLAG_QSDISCARD) {
++ if (NULL == ap_strchr(newrule->output, '?')) {
++ newrule->flags |= RULEFLAG_QSNONE;
++ }
++ }
++
+ /* now, if the server or per-dir config holds an
+ * array of RewriteCond entries, we take it for us
+ * and clear the array
+@@ -4219,9 +4241,7 @@ static int apply_rewrite_rule(rewriterule_entry *p, rewrite_ctx *ctx)
+ r->path_info = NULL;
+ }
+
+- splitout_queryargs(r, p->flags & RULEFLAG_QSAPPEND,
+- p->flags & RULEFLAG_QSDISCARD,
+- p->flags & RULEFLAG_QSLAST);
++ splitout_queryargs(r, p->flags);
+
+ /* Add the previously stripped per-directory location prefix, unless
+ * (1) it's an absolute URL path and
+--
+2.27.0
+
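Review bot: In the embedded `modules/mappers/mod_rewrite.c` patch, `parseargline` now returns `char *`, yet the only return visible in the hunks is still `return 0;`, and both callers assign the result to `err` and then ignore it when building the "bad argument line" message. If the error returns outside the hunks still use an integer such as `return 1;`, that is an int-to-pointer conversion that newer compilers reject, and the added `apr_pool_t *p` parameter is unused in the visible lines. Either keep the `int` return type and add only the `a2_end` out-parameter, or return a message string and pass `err` through to the caller's error text. Separately, `a2_end` is declared uninitialised in `cmd_rewritecond` and `cmd_rewriterule`, and the latter reads `*(a2_end-1)`; declaring it as `*a2_end = NULL` and testing `a2_end > a2 && *(a2_end-1) == '?'` would make the dependency on `parseargline` having set it explicit. The comment on `RULEFLAG_QSNONE` should read `/* programmatic only */`.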
diff --git a/backport-fix-missing-APLOGNO.patch b/backport-fix-missing-APLOGNO.patch
new file mode 100644
index 0000000..24e03b6
--- /dev/null
+++ b/backport-fix-missing-APLOGNO.patch
@@ -0,0 +1,28 @@
+From 1061b64bb7da5339b037f936169a088150427bd1 Mon Sep 17 00:00:00 2001
+From: Ruediger Pluem
+Date: Mon, 6 Mar 2023 05:25:17 PM GMT+0800
+Subject: [PATCH] modules/http2/mod_proxy_http2.c: Fix missing APLOGNO
+
+Conflict:NA
+Reference:https://github.com/apache/httpd/commit/1061b64bb7da5339b037f936169a088150427bd1
+
+---
+ modules/http2/mod_proxy_http2.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/modules/http2/mod_proxy_http2.c b/modules/http2/mod_proxy_http2.c
+index d8a77c8..753f7f4 100644
+--- a/modules/http2/mod_proxy_http2.c
++++ b/modules/http2/mod_proxy_http2.c
+@@ -167,7 +167,7 @@ static int proxy_http2_canon(request_rec *r, char *url)
+ * We have a raw control character or a ' ' in r->args.
+ * Correct encoding was missed.
+ */
+- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO()
++ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10412)
+ "To be forwarded query string contains control "
+ "characters or spaces");
+ return HTTP_FORBIDDEN;
+--
+2.27.0
+
diff --git a/backport-handled-a-negative-value-when-parsing-the-config.patch b/backport-handled-a-negative-value-when-parsing-the-config.patch
new file mode 100644
index 0000000..2558dec
--- /dev/null
+++ b/backport-handled-a-negative-value-when-parsing-the-config.patch
@@ -0,0 +1,38 @@
+From b2d18fb704c64ce7767e07fe546eecec98c91b50 Mon Sep 17 00:00:00 2001
+From: Eirc Covener
+Date: Fri, 27 Jan 2023 08:58:03 PM GMT+0800
+Subject: [PATCH] mod_ldap: LDAPConnectionPoolTTL should accept negative values in order to
+ allow connections of any age to be reused. Up to now, a negative value
+ was handled as an error when parsing the configuration file
+
+Conflict:NA
+Reference:https://github.com/apache/httpd/commit/b2d18fb704c64ce7767e07fe546eecec98c91b50
+
+---
+ modules/ldap/util_ldap.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/modules/ldap/util_ldap.c b/modules/ldap/util_ldap.c
+index 4d92ec9..14b774a 100644
+--- a/modules/ldap/util_ldap.c
++++ b/modules/ldap/util_ldap.c
+@@ -2752,12 +2752,14 @@ static const char *util_ldap_set_conn_ttl(cmd_parms *cmd,
+ void *dummy,
+ const char *val)
+ {
+- apr_interval_time_t timeout;
++ apr_interval_time_t timeout = -1;
+ util_ldap_state_t *st =
+ (util_ldap_state_t *)ap_get_module_config(cmd->server->module_config,
+ &ldap_module);
+
+- if (ap_timeout_parameter_parse(val, &timeout, "s") != APR_SUCCESS) {
++ /* Negative values mean AP_LDAP_CONNPOOL_INFINITE */
++ if (val[0] != '-' &&
++ ap_timeout_parameter_parse(val, &timeout, "s") != APR_SUCCESS) {
+ return "LDAPConnectionPoolTTL has wrong format";
+ }
+
+--
+2.27.0
+
diff --git a/httpd.spec b/httpd.spec
index f863094..36927b4 100644
--- a/httpd.spec
+++ b/httpd.spec
@@ -8,7 +8,7 @@
 Name: httpd
 Summary: Apache HTTP Server
 Version: 2.4.51
-Release: 15
+Release: 16
 License: ASL 2.0
 URL: https://httpd.apache.org/
 Source0: https://archive.apache.org/dist/httpd/httpd-%{version}.tar.bz2
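Review bot: In `util_ldap_set_conn_ttl` (the embedded `modules/ldap/util_ldap.c` hunk) the new test `val[0] != '-'` skips `ap_timeout_parameter_parse` for any argument that merely begins with a minus sign, so a mistyped value such as `-x` (constructed example) is accepted silently and leaves `timeout` at -1, which the added comment describes as infinite connection reuse, instead of returning the "wrong format" error. Validating the remainder keeps the new behaviour for real negative numbers while still rejecting garbage: `if (ap_timeout_parameter_parse(val[0] == '-' ? val + 1 : val, &timeout, "s") != APR_SUCCESS)` followed by `if (val[0] == '-') timeout = -1;` after the error return. The part of the function that stores `timeout` is outside the hunk, so how the -1 is consumed cannot be checked from here.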
@@ -100,6 +100,10 @@ Patch46: backport-CVE-2022-37436.patch Patch47: backport-open-the-lock-database-read-only-when-possible.patch Patch48: backport-CVE-2023-27522.patch Patch49: backport-CVE-2023-25690.patch +Patch50: backport-Report-an-error-if-the-AJP-backend-sends-an-invalid-number-of-headers.patch +Patch51: backport-handled-a-negative-value-when-parsing-the-config.patch +Patch52: backport-avoid-delimiting-the-query-with-a-backreference.patch +Patch53: backport-fix-missing-APLOGNO.patch BuildRequires: gcc autoconf pkgconfig findutils xmlto perl-interpreter perl-generators systemd-devel BuildRequires: zlib-devel libselinux-devel lua-devel brotli-devel @@ -536,6 +540,15 @@ exit $rv %{_rpmconfigdir}/macros.d/macros.httpd %changelog +* Fri Apr 14 2023 chengyechun - 2.4.51-16 +- Type:bugfix +- ID: +- SUG:restart +- DESC:Report an error if the AJP backend sends an invalid number of headers + handled a negative value when parsing the config + avoid delimiting the query with a backreference + fix missing APLOGNO + * Thu Mar 9 2023 chengyechun - 2.4.51-15 - Type:CVE - ID:CVE-2023-27522, CVE-2023-25690 -- Gitee