diff --git a/backport-001-CVE-2021-44224.patch b/backport-001-CVE-2021-44224.patch
deleted file mode 100644
index 65c1e927d902d5c5a9f9bcb01fec7c5b83e319ac..0000000000000000000000000000000000000000
--- a/backport-001-CVE-2021-44224.patch
+++ /dev/null
@@ -1,275 +0,0 @@
-From a962ba73047b5478d702c8ad09fd1a167e1d3736 Mon Sep 17 00:00:00 2001
-From: Yann Ylavic
-Date: Tue, 14 Dec 2021 15:35:56 +0000
-Subject: [PATCH] Merge r1895914, r1895921 from trunk:
-
- *) http: Enforce that fully qualified uri-paths not to be forward-proxied
- have an http(s) scheme, and that the ones to be forward proxied have a
- hostname, per HTTP specifications.
- trunk patch: http://svn.apache.org/r1895914
- http://svn.apache.org/r1895921
- 2.4.x patch: https://patch-diff.githubusercontent.com/raw/apache/httpd/pull/286.patch
- backport PR: https://github.com/apache/httpd/pull/286
- +1: ylavic, minfrin, gbechis
-
-
-mod_proxy: Detect unix: scheme syntax errors at load time.
-
-* modules/proxy/mod_proxy.c(add_pass, add_member, set_proxy_param,
- proxysection):
- Check return value of ap_proxy_de_socketfy().
-
-* modules/proxy/proxy_util.c(ap_proxy_get_worker_ex):
- Check return value of ap_proxy_de_socketfy().
-
-
-
-http: Enforce that fully qualified uri-paths not to be forward-proxied
- have an http(s) scheme, and that the ones to be forward proxied have a
- hostname, per HTTP specifications.
-
-The early checks avoid failing the request later on and thus save cycles
-for those invalid cases.
-
-
-Submitted by: ylavic
-Reviewed by: ylavic, minfrin, gbechis
-Closes #286
-
-
-git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1895955 13f79535-47bb-0310-9956-ffa450edef68
----
- include/ap_mmn.h | 3 ++-
- include/http_protocol.h | 7 ++++++
- modules/http/http_request.c | 2 +-
- modules/http2/h2_request.c | 2 +-
- modules/proxy/mod_proxy.c | 44 ++++++++++++++++++++++++++-----------
- modules/proxy/proxy_util.c | 3 +++
- server/protocol.c | 23 ++++++++++++++++++-
- 7 files changed, 71 insertions(+), 17 deletions(-)
-
-diff --git a/include/ap_mmn.h b/include/ap_mmn.h
-index fe24261ee87..90ff1a86a6f 100644
---- a/include/ap_mmn.h
-+++ b/include/ap_mmn.h
-@@ -586,6 +586,7 @@
- * 20120211.117 (2.4.50-dev) Add ap_pre_connection
- * 20120211.118 (2.4.51-dev) Add ap_unescape_url_ex() and deprecate
- * AP_NORMALIZE_DROP_PARAMETERS
-+ * 20120211.121 (2.4.51-dev) Add ap_post_read_request()
- *
- */
-
-diff --git a/include/http_protocol.h b/include/http_protocol.h
-index 9ccac893fcb..20bd2022266 100644
---- a/include/http_protocol.h
-+++ b/include/http_protocol.h
-@@ -96,6 +96,13 @@ AP_DECLARE(void) ap_get_mime_headers(request_rec *r);
- AP_DECLARE(void) ap_get_mime_headers_core(request_rec *r,
- apr_bucket_brigade *bb);
-
-+/**
-+ * Run post_read_request hook and validate.
-+ * @param r The current request
-+ * @return OK or HTTP_...
-+ */
-+AP_DECLARE(int) ap_post_read_request(request_rec *r);
-+
- /* Finish up stuff after a request */
-
- /**
-diff --git a/modules/http/http_request.c b/modules/http/http_request.c
-index c9ae5af2864..d59cfe25999 100644
---- a/modules/http/http_request.c
-+++ b/modules/http/http_request.c
-@@ -680,7 +680,7 @@ static request_rec *internal_internal_redirect(const char *new_uri,
- * to do their thing on internal redirects as well. Perhaps this is a
- * misnamed function.
- */
-- if ((access_status = ap_run_post_read_request(new))) {
-+ if ((access_status = ap_post_read_request(new))) {
- ap_die(access_status, new);
- return NULL;
- }
-diff --git a/modules/http2/h2_request.c b/modules/http2/h2_request.c
-index 7c4fb95ea48..9ff6feb675f 100644
---- a/modules/http2/h2_request.c
-+++ b/modules/http2/h2_request.c
-@@ -370,7 +370,7 @@ request_rec *h2_request_create_rec(const h2_request *req, conn_rec *c)
- ap_add_input_filter_handle(ap_http_input_filter_handle,
- NULL, r, r->connection);
-
-- if ((access_status = ap_run_post_read_request(r))) {
-+ if ((access_status = ap_post_read_request(r))) {
- /* Request check post hooks failed. An example of this would be a
- * request for a vhost where h2 is disabled --> 421.
- */
-diff --git a/modules/proxy/mod_proxy.c b/modules/proxy/mod_proxy.c
-index 3fb84c85935..85d7ce2e6c1 100644
---- a/modules/proxy/mod_proxy.c
-+++ b/modules/proxy/mod_proxy.c
-@@ -775,13 +775,13 @@ static int proxy_detect(request_rec *r)
-
- /* Ick... msvc (perhaps others) promotes ternary short results to int */
-
-- if (conf->req && r->parsed_uri.scheme) {
-+ if (conf->req && r->parsed_uri.scheme && r->parsed_uri.hostname) {
- /* but it might be something vhosted */
-- if (!(r->parsed_uri.hostname
-- && !ap_cstr_casecmp(r->parsed_uri.scheme, ap_http_scheme(r))
-- && ap_matches_request_vhost(r, r->parsed_uri.hostname,
-- (apr_port_t)(r->parsed_uri.port_str ? r->parsed_uri.port
-- : ap_default_port(r))))) {
-+ if (ap_cstr_casecmp(r->parsed_uri.scheme, ap_http_scheme(r)) != 0
-+ || !ap_matches_request_vhost(r, r->parsed_uri.hostname,
-+ (apr_port_t)(r->parsed_uri.port_str
-+ ? r->parsed_uri.port
-+ : ap_default_port(r)))) {
- r->proxyreq = PROXYREQ_PROXY;
- r->uri = r->unparsed_uri;
- r->filename = apr_pstrcat(r->pool, "proxy:", r->uri, NULL);
-@@ -2007,6 +2007,7 @@ static const char *
- struct proxy_alias *new;
- char *f = cmd->path;
- char *r = NULL;
-+ const char *real;
- char *word;
- apr_table_t *params = apr_table_make(cmd->pool, 5);
- const apr_array_header_t *arr;
-@@ -2093,6 +2094,10 @@ static const char *
- if (r == NULL) {
- return "ProxyPass|ProxyPassMatch needs a path when not defined in a location";
- }
-+ if (!(real = ap_proxy_de_socketfy(cmd->temp_pool, r))) {
-+ return "ProxyPass|ProxyPassMatch uses an invalid \"unix:\" URL";
-+ }
-+
-
- /* if per directory, save away the single alias */
- if (cmd->path) {
-@@ -2109,7 +2114,7 @@ static const char *
- }
-
- new->fake = apr_pstrdup(cmd->pool, f);
-- new->real = apr_pstrdup(cmd->pool, ap_proxy_de_socketfy(cmd->pool, r));
-+ new->real = apr_pstrdup(cmd->pool, real);
- new->flags = flags;
- if (worker_type & AP_PROXY_WORKER_IS_MATCH) {
- new->regex = ap_pregcomp(cmd->pool, f, AP_REG_EXTENDED);
-@@ -2635,6 +2640,7 @@ static const char *add_member(cmd_parms *cmd, void *dummy, const char *arg)
- proxy_worker *worker;
- char *path = cmd->path;
- char *name = NULL;
-+ const char *real;
- char *word;
- apr_table_t *params = apr_table_make(cmd->pool, 5);
- const apr_array_header_t *arr;
-@@ -2675,6 +2681,9 @@ static const char *add_member(cmd_parms *cmd, void *dummy, const char *arg)
- return "BalancerMember must define balancer name when outside section";
- if (!name)
- return "BalancerMember must define remote proxy server";
-+ if (!(real = ap_proxy_de_socketfy(cmd->temp_pool, name))) {
-+ return "BalancerMember uses an invalid \"unix:\" URL";
-+ }
-
- ap_str_tolower(path); /* lowercase scheme://hostname */
-
-@@ -2687,8 +2696,7 @@ static const char *add_member(cmd_parms *cmd, void *dummy, const char *arg)
- }
-
- /* Try to find existing worker */
-- worker = ap_proxy_get_worker(cmd->temp_pool, balancer, conf,
-- ap_proxy_de_socketfy(cmd->temp_pool, name));
-+ worker = ap_proxy_get_worker(cmd->temp_pool, balancer, conf, real);
- if (!worker) {
- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, cmd->server, APLOGNO(01147)
- "Defining worker '%s' for balancer '%s'",
-@@ -2785,9 +2793,14 @@ static const char *
- }
- }
- else {
-+ const char *real;
-+
-+ if (!(real = ap_proxy_de_socketfy(cmd->temp_pool, name))) {
-+ return "ProxySet uses an invalid \"unix:\" URL";
-+ }
-+
- worker = ap_proxy_get_worker_ex(cmd->temp_pool, NULL, conf,
-- ap_proxy_de_socketfy(cmd->temp_pool, name),
-- worker_type);
-+ real, worker_type);
- if (!worker) {
- if (in_proxy_section) {
- err = ap_proxy_define_worker_ex(cmd->pool, &worker, NULL,
-@@ -2930,9 +2943,14 @@ static const char *proxysection(cmd_parms *cmd, void *mconfig, const char *arg)
- }
- }
- else {
-+ const char *real;
-+
-+ if (!(real = ap_proxy_de_socketfy(cmd->temp_pool, conf->p))) {
-+ return " uses an invalid \"unix:\" URL";
-+ }
-+
- worker = ap_proxy_get_worker_ex(cmd->temp_pool, NULL, sconf,
-- ap_proxy_de_socketfy(cmd->temp_pool, conf->p),
-- worker_type);
-+ real, worker_type);
- if (!worker) {
- err = ap_proxy_define_worker_ex(cmd->pool, &worker, NULL, sconf,
- conf->p, worker_type);
-diff --git a/modules/proxy/proxy_util.c b/modules/proxy/proxy_util.c
-index a3cf5460487..b4f6dcfadc6 100644
---- a/modules/proxy/proxy_util.c
-+++ b/modules/proxy/proxy_util.c
-@@ -1742,6 +1742,9 @@ PROXY_DECLARE(proxy_worker *) ap_proxy_get_worker_ex(apr_pool_t *p,
- }
-
- url = ap_proxy_de_socketfy(p, url);
-+ if (!url) {
-+ return NULL;
-+ }
-
- c = ap_strchr_c(url, ':');
- if (c == NULL || c[1] != '/' || c[2] != '/' || c[3] == '\0') {
-diff --git a/server/protocol.c b/server/protocol.c
-index 3d74c5b3058..2214f72b5a4 100644
---- a/server/protocol.c
-+++ b/server/protocol.c
-@@ -1548,7 +1548,7 @@ request_rec *ap_read_request(conn_rec *conn)
- /* we may have switched to another server */
- apply_server_config(r);
-
-- if ((access_status = ap_run_post_read_request(r))) {
-+ if ((access_status = ap_post_read_request(r))) {
- goto die;
- }
-
-@@ -1603,6 +1603,27 @@ request_rec *ap_read_request(conn_rec *conn)
- return NULL;
- }
-
-+AP_DECLARE(int) ap_post_read_request(request_rec *r)
-+{
-+ int status;
-+
-+ if ((status = ap_run_post_read_request(r))) {
-+ return status;
-+ }
-+
-+ /* Enforce http(s) only scheme for non-forward-proxy requests */
-+ if (!r->proxyreq
-+ && r->parsed_uri.scheme
-+ && (ap_cstr_casecmpn(r->parsed_uri.scheme, "http", 4) != 0
-+ || (r->parsed_uri.scheme[4] != '\0'
-+ && (apr_tolower(r->parsed_uri.scheme[4]) != 's'
-+ || r->parsed_uri.scheme[5] != '\0')))) {
-+ return HTTP_BAD_REQUEST;
-+ }
-+
-+ return OK;
-+}
-+
- /* if a request with a body creates a subrequest, remove original request's
- * input headers which pertain to the body which has already been read.
- * out-of-line helper function for ap_set_sub_req_protocol.
diff --git a/backport-001-CVE-2022-23943.patch b/backport-001-CVE-2022-23943.patch
deleted file mode 100644
index 5556e8bed26fbc0af6c0d3d293128ae49356f9ed..0000000000000000000000000000000000000000
--- a/backport-001-CVE-2022-23943.patch
+++ /dev/null
@@ -1,358 +0,0 @@
-From 943f57b336f264d77e5b780c82ab73daf3d14deb Mon Sep 17 00:00:00 2001
-From: Yann Ylavic
-Date: Mon, 7 Mar 2022 14:52:42 +0000
-Subject: [PATCH] mod_sed: use size_t to allow for larger buffer sizes and
- unsigned arithmetics.
-
-Let's switch to apr_size_t buffers and get rid of the ints.
-
-
-Merge r1898690 from trunk.
-Submitted by: rpluem
-Reviewed by: rpluem, covener, ylavic
-
-
-git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1898695 13f79535-47bb-0310-9956-ffa450edef68
----
- modules/filters/libsed.h | 12 +++---
- modules/filters/mod_sed.c | 10 ++---
- modules/filters/sed1.c | 79 +++++++++++++++++++++++----------------
- 3 files changed, 58 insertions(+), 43 deletions(-)
-
-diff --git a/modules/filters/libsed.h b/modules/filters/libsed.h
-index 76cbc0ce8ad..0256b1ea831 100644
---- a/modules/filters/libsed.h
-+++ b/modules/filters/libsed.h
-@@ -60,7 +60,7 @@ struct sed_label_s {
- };
-
- typedef apr_status_t (sed_err_fn_t)(void *data, const char *error);
--typedef apr_status_t (sed_write_fn_t)(void *ctx, char *buf, int sz);
-+typedef apr_status_t (sed_write_fn_t)(void *ctx, char *buf, apr_size_t sz);
-
- typedef struct sed_commands_s sed_commands_t;
- #define NWFILES 11 /* 10 plus one for standard output */
-@@ -69,7 +69,7 @@ struct sed_commands_s {
- sed_err_fn_t *errfn;
- void *data;
-
-- unsigned lsize;
-+ apr_size_t lsize;
- char *linebuf;
- char *lbend;
- const char *saveq;
-@@ -116,15 +116,15 @@ struct sed_eval_s {
- apr_int64_t lnum;
- void *fout;
-
-- unsigned lsize;
-+ apr_size_t lsize;
- char *linebuf;
- char *lspend;
-
-- unsigned hsize;
-+ apr_size_t hsize;
- char *holdbuf;
- char *hspend;
-
-- unsigned gsize;
-+ apr_size_t gsize;
- char *genbuf;
- char *lcomend;
-
-@@ -160,7 +160,7 @@ apr_status_t sed_init_eval(sed_eval_t *eval, sed_commands_t *commands,
- sed_err_fn_t *errfn, void *data,
- sed_write_fn_t *writefn, apr_pool_t *p);
- apr_status_t sed_reset_eval(sed_eval_t *eval, sed_commands_t *commands, sed_err_fn_t *errfn, void *data);
--apr_status_t sed_eval_buffer(sed_eval_t *eval, const char *buf, int bufsz, void *fout);
-+apr_status_t sed_eval_buffer(sed_eval_t *eval, const char *buf, apr_size_t bufsz, void *fout);
- apr_status_t sed_eval_file(sed_eval_t *eval, apr_file_t *fin, void *fout);
- apr_status_t sed_finalize_eval(sed_eval_t *eval, void *f);
- void sed_destroy_eval(sed_eval_t *eval);
-diff --git a/modules/filters/mod_sed.c b/modules/filters/mod_sed.c
-index 9b408029a86..7092dd5e7f1 100644
---- a/modules/filters/mod_sed.c
-+++ b/modules/filters/mod_sed.c
-@@ -51,7 +51,7 @@ typedef struct sed_filter_ctxt
- apr_bucket_brigade *bbinp;
- char *outbuf;
- char *curoutbuf;
-- int bufsize;
-+ apr_size_t bufsize;
- apr_pool_t *tpool;
- int numbuckets;
- } sed_filter_ctxt;
-@@ -100,7 +100,7 @@ static void alloc_outbuf(sed_filter_ctxt* ctx)
- /* append_bucket
- * Allocate a new bucket from buf and sz and append to ctx->bb
- */
--static apr_status_t append_bucket(sed_filter_ctxt* ctx, char* buf, int sz)
-+static apr_status_t append_bucket(sed_filter_ctxt* ctx, char* buf, apr_size_t sz)
- {
- apr_status_t status = APR_SUCCESS;
- apr_bucket *b;
-@@ -133,7 +133,7 @@ static apr_status_t append_bucket(sed_filter_ctxt* ctx, char* buf, int sz)
- */
- static apr_status_t flush_output_buffer(sed_filter_ctxt *ctx)
- {
-- int size = ctx->curoutbuf - ctx->outbuf;
-+ apr_size_t size = ctx->curoutbuf - ctx->outbuf;
- char *out;
- apr_status_t status = APR_SUCCESS;
- if ((ctx->outbuf == NULL) || (size <=0))
-@@ -147,12 +147,12 @@ static apr_status_t flush_output_buffer(sed_filter_ctxt *ctx)
- /* This is a call back function. When libsed wants to generate the output,
- * this function will be invoked.
- */
--static apr_status_t sed_write_output(void *dummy, char *buf, int sz)
-+static apr_status_t sed_write_output(void *dummy, char *buf, apr_size_t sz)
- {
- /* dummy is basically filter context. Context is passed during invocation
- * of sed_eval_buffer
- */
-- int remainbytes = 0;
-+ apr_size_t remainbytes = 0;
- apr_status_t status = APR_SUCCESS;
- sed_filter_ctxt *ctx = (sed_filter_ctxt *) dummy;
- if (ctx->outbuf == NULL) {
-diff --git a/modules/filters/sed1.c b/modules/filters/sed1.c
-index be035067885..67a8d06515e 100644
---- a/modules/filters/sed1.c
-+++ b/modules/filters/sed1.c
-@@ -71,7 +71,7 @@ static apr_status_t dosub(sed_eval_t *eval, char *rhsbuf, int n,
- static char *place(sed_eval_t *eval, char *asp, char *al1, char *al2);
- static apr_status_t command(sed_eval_t *eval, sed_reptr_t *ipc,
- step_vars_storage *step_vars);
--static apr_status_t wline(sed_eval_t *eval, char *buf, int sz);
-+static apr_status_t wline(sed_eval_t *eval, char *buf, apr_size_t sz);
- static apr_status_t arout(sed_eval_t *eval);
-
- static void eval_errf(sed_eval_t *eval, const char *fmt, ...)
-@@ -92,11 +92,11 @@ static void eval_errf(sed_eval_t *eval, const char *fmt, ...)
- * grow_buffer
- */
- static void grow_buffer(apr_pool_t *pool, char **buffer,
-- char **spend, unsigned int *cursize,
-- unsigned int newsize)
-+ char **spend, apr_size_t *cursize,
-+ apr_size_t newsize)
- {
- char* newbuffer = NULL;
-- int spendsize = 0;
-+ apr_size_t spendsize = 0;
- if (*cursize >= newsize)
- return;
- /* Avoid number of times realloc is called. It could cause huge memory
-@@ -124,7 +124,7 @@ static void grow_buffer(apr_pool_t *pool, char **buffer,
- /*
- * grow_line_buffer
- */
--static void grow_line_buffer(sed_eval_t *eval, int newsize)
-+static void grow_line_buffer(sed_eval_t *eval, apr_size_t newsize)
- {
- grow_buffer(eval->pool, &eval->linebuf, &eval->lspend,
- &eval->lsize, newsize);
-@@ -133,7 +133,7 @@ static void grow_line_buffer(sed_eval_t *eval, int newsize)
- /*
- * grow_hold_buffer
- */
--static void grow_hold_buffer(sed_eval_t *eval, int newsize)
-+static void grow_hold_buffer(sed_eval_t *eval, apr_size_t newsize)
- {
- grow_buffer(eval->pool, &eval->holdbuf, &eval->hspend,
- &eval->hsize, newsize);
-@@ -142,7 +142,7 @@ static void grow_hold_buffer(sed_eval_t *eval, int newsize)
- /*
- * grow_gen_buffer
- */
--static void grow_gen_buffer(sed_eval_t *eval, int newsize,
-+static void grow_gen_buffer(sed_eval_t *eval, apr_size_t newsize,
- char **gspend)
- {
- if (gspend == NULL) {
-@@ -156,9 +156,9 @@ static void grow_gen_buffer(sed_eval_t *eval, int newsize,
- /*
- * appendmem_to_linebuf
- */
--static void appendmem_to_linebuf(sed_eval_t *eval, const char* sz, int len)
-+static void appendmem_to_linebuf(sed_eval_t *eval, const char* sz, apr_size_t len)
- {
-- unsigned int reqsize = (eval->lspend - eval->linebuf) + len;
-+ apr_size_t reqsize = (eval->lspend - eval->linebuf) + len;
- if (eval->lsize < reqsize) {
- grow_line_buffer(eval, reqsize);
- }
-@@ -169,21 +169,36 @@ static void appendmem_to_linebuf(sed_eval_t *eval, const char* sz, int len)
- /*
- * append_to_linebuf
- */
--static void append_to_linebuf(sed_eval_t *eval, const char* sz)
-+static void append_to_linebuf(sed_eval_t *eval, const char* sz,
-+ step_vars_storage *step_vars)
- {
-- int len = strlen(sz);
-+ apr_size_t len = strlen(sz);
-+ char *old_linebuf = eval->linebuf;
- /* Copy string including null character */
- appendmem_to_linebuf(eval, sz, len + 1);
- --eval->lspend; /* lspend will now point to NULL character */
-+ /* Sync step_vars after a possible linebuf expansion */
-+ if (step_vars && old_linebuf != eval->linebuf) {
-+ if (step_vars->loc1) {
-+ step_vars->loc1 = step_vars->loc1 - old_linebuf + eval->linebuf;
-+ }
-+ if (step_vars->loc2) {
-+ step_vars->loc2 = step_vars->loc2 - old_linebuf + eval->linebuf;
-+ }
-+ if (step_vars->locs) {
-+ step_vars->locs = step_vars->locs - old_linebuf + eval->linebuf;
-+ }
-+ }
- }
-
- /*
- * copy_to_linebuf
- */
--static void copy_to_linebuf(sed_eval_t *eval, const char* sz)
-+static void copy_to_linebuf(sed_eval_t *eval, const char* sz,
-+ step_vars_storage *step_vars)
- {
- eval->lspend = eval->linebuf;
-- append_to_linebuf(eval, sz);
-+ append_to_linebuf(eval, sz, step_vars);
- }
-
- /*
-@@ -191,8 +206,8 @@ static void copy_to_linebuf(sed_eval_t *eval, const char* sz)
- */
- static void append_to_holdbuf(sed_eval_t *eval, const char* sz)
- {
-- int len = strlen(sz);
-- unsigned int reqsize = (eval->hspend - eval->holdbuf) + len + 1;
-+ apr_size_t len = strlen(sz);
-+ apr_size_t reqsize = (eval->hspend - eval->holdbuf) + len + 1;
- if (eval->hsize <= reqsize) {
- grow_hold_buffer(eval, reqsize);
- }
-@@ -215,8 +230,8 @@ static void copy_to_holdbuf(sed_eval_t *eval, const char* sz)
- */
- static void append_to_genbuf(sed_eval_t *eval, const char* sz, char **gspend)
- {
-- int len = strlen(sz);
-- unsigned int reqsize = (*gspend - eval->genbuf) + len + 1;
-+ apr_size_t len = strlen(sz);
-+ apr_size_t reqsize = (*gspend - eval->genbuf) + len + 1;
- if (eval->gsize < reqsize) {
- grow_gen_buffer(eval, reqsize, gspend);
- }
-@@ -230,8 +245,8 @@ static void append_to_genbuf(sed_eval_t *eval, const char* sz, char **gspend)
- */
- static void copy_to_genbuf(sed_eval_t *eval, const char* sz)
- {
-- int len = strlen(sz);
-- unsigned int reqsize = len + 1;
-+ apr_size_t len = strlen(sz);
-+ apr_size_t reqsize = len + 1;
- if (eval->gsize < reqsize) {
- grow_gen_buffer(eval, reqsize, NULL);
- }
-@@ -353,7 +368,7 @@ apr_status_t sed_eval_file(sed_eval_t *eval, apr_file_t *fin, void *fout)
- /*
- * sed_eval_buffer
- */
--apr_status_t sed_eval_buffer(sed_eval_t *eval, const char *buf, int bufsz, void *fout)
-+apr_status_t sed_eval_buffer(sed_eval_t *eval, const char *buf, apr_size_t bufsz, void *fout)
- {
- apr_status_t rv;
-
-@@ -383,7 +398,7 @@ apr_status_t sed_eval_buffer(sed_eval_t *eval, const char *buf, int bufsz, void
-
- while (bufsz) {
- char *n;
-- int llen;
-+ apr_size_t llen;
-
- n = memchr(buf, '\n', bufsz);
- if (n == NULL)
-@@ -442,7 +457,7 @@ apr_status_t sed_finalize_eval(sed_eval_t *eval, void *fout)
- * buffer is not a newline.
- */
- /* Assure space for NULL */
-- append_to_linebuf(eval, "");
-+ append_to_linebuf(eval, "", NULL);
- }
-
- *eval->lspend = '\0';
-@@ -666,7 +681,7 @@ static apr_status_t dosub(sed_eval_t *eval, char *rhsbuf, int n,
- lp = step_vars->loc2;
- step_vars->loc2 = sp - eval->genbuf + eval->linebuf;
- append_to_genbuf(eval, lp, &sp);
-- copy_to_linebuf(eval, eval->genbuf);
-+ copy_to_linebuf(eval, eval->genbuf, step_vars);
- return rv;
- }
-
-@@ -676,8 +691,8 @@ static apr_status_t dosub(sed_eval_t *eval, char *rhsbuf, int n,
- static char *place(sed_eval_t *eval, char *asp, char *al1, char *al2)
- {
- char *sp = asp;
-- int n = al2 - al1;
-- unsigned int reqsize = (sp - eval->genbuf) + n + 1;
-+ apr_size_t n = al2 - al1;
-+ apr_size_t reqsize = (sp - eval->genbuf) + n + 1;
-
- if (eval->gsize < reqsize) {
- grow_gen_buffer(eval, reqsize, &sp);
-@@ -735,7 +750,7 @@ static apr_status_t command(sed_eval_t *eval, sed_reptr_t *ipc,
- }
-
- p1++;
-- copy_to_linebuf(eval, p1);
-+ copy_to_linebuf(eval, p1, step_vars);
- eval->jflag++;
- break;
-
-@@ -745,12 +760,12 @@ static apr_status_t command(sed_eval_t *eval, sed_reptr_t *ipc,
- break;
-
- case GCOM:
-- copy_to_linebuf(eval, eval->holdbuf);
-+ copy_to_linebuf(eval, eval->holdbuf, step_vars);
- break;
-
- case CGCOM:
-- append_to_linebuf(eval, "\n");
-- append_to_linebuf(eval, eval->holdbuf);
-+ append_to_linebuf(eval, "\n", step_vars);
-+ append_to_linebuf(eval, eval->holdbuf, step_vars);
- break;
-
- case HCOM:
-@@ -881,7 +896,7 @@ static apr_status_t command(sed_eval_t *eval, sed_reptr_t *ipc,
- if (rv != APR_SUCCESS)
- return rv;
- }
-- append_to_linebuf(eval, "\n");
-+ append_to_linebuf(eval, "\n", step_vars);
- eval->pending = ipc->next;
- break;
-
-@@ -956,7 +971,7 @@ static apr_status_t command(sed_eval_t *eval, sed_reptr_t *ipc,
-
- case XCOM:
- copy_to_genbuf(eval, eval->linebuf);
-- copy_to_linebuf(eval, eval->holdbuf);
-+ copy_to_linebuf(eval, eval->holdbuf, step_vars);
- copy_to_holdbuf(eval, eval->genbuf);
- break;
-
-@@ -1013,7 +1028,7 @@ static apr_status_t arout(sed_eval_t *eval)
- /*
- * wline
- */
--static apr_status_t wline(sed_eval_t *eval, char *buf, int sz)
-+static apr_status_t wline(sed_eval_t *eval, char *buf, apr_size_t sz)
- {
- apr_status_t rv = APR_SUCCESS;
- rv = eval->writefn(eval->fout, buf, sz);
-
diff --git a/backport-002-CVE-2021-44224.patch b/backport-002-CVE-2021-44224.patch
deleted file mode 100644
index e815bbb5383f6417a1975f11e8f0fde4d2dd2651..0000000000000000000000000000000000000000
--- a/backport-002-CVE-2021-44224.patch
+++ /dev/null
@@ -1,104 +0,0 @@
-From a0521d289ae14e4ac004811dc1ef91b3e118a2f6 Mon Sep 17 00:00:00 2001
-From: Stefan Eissing
-Date: Thu, 16 Dec 2021 11:23:49 +0000
-Subject: [PATCH] Merge of r1895981,r1895986 from trunk:
-
- *) mod_proxy: Don't prevent forwarding URIs w/ no hostname.
- (fix for r1895955 already in 2.4.x)
-
-
-
-git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1896044 13f79535-47bb-0310-9956-ffa450edef68
----
- modules/proxy/mod_proxy.c | 5 +++--
- modules/proxy/mod_proxy.h | 1 +
- modules/proxy/proxy_util.c | 22 ++++++++++++----------
- 3 files changed, 16 insertions(+), 12 deletions(-)
-
-diff --git a/modules/proxy/mod_proxy.c b/modules/proxy/mod_proxy.c
-index 85d7ce2e6c1..f8a4db68892 100644
---- a/modules/proxy/mod_proxy.c
-+++ b/modules/proxy/mod_proxy.c
-@@ -775,9 +775,10 @@ static int proxy_detect(request_rec *r)
-
- /* Ick... msvc (perhaps others) promotes ternary short results to int */
-
-- if (conf->req && r->parsed_uri.scheme && r->parsed_uri.hostname) {
-+ if (conf->req && r->parsed_uri.scheme) {
- /* but it might be something vhosted */
-- if (ap_cstr_casecmp(r->parsed_uri.scheme, ap_http_scheme(r)) != 0
-+ if (!r->parsed_uri.hostname
-+ || ap_cstr_casecmp(r->parsed_uri.scheme, ap_http_scheme(r)) != 0
- || !ap_matches_request_vhost(r, r->parsed_uri.hostname,
- (apr_port_t)(r->parsed_uri.port_str
- ? r->parsed_uri.port
-diff --git a/modules/proxy/mod_proxy.h b/modules/proxy/mod_proxy.h
-index 35acc49a4a3..be5b3a85394 100644
---- a/modules/proxy/mod_proxy.h
-+++ b/modules/proxy/mod_proxy.h
-@@ -750,6 +750,7 @@ PROXY_DECLARE(int) ap_proxy_worker_can_upgrade(apr_pool_t *p,
- #define AP_PROXY_WORKER_IS_PREFIX (1u << 0)
- #define AP_PROXY_WORKER_IS_MATCH (1u << 1)
- #define AP_PROXY_WORKER_IS_MALLOCED (1u << 2)
-+#define AP_PROXY_WORKER_NO_UDS (1u << 3)
-
- /**
- * Get the worker from proxy configuration, looking for either PREFIXED or
-diff --git a/modules/proxy/proxy_util.c b/modules/proxy/proxy_util.c
-index b4f6dcfadc6..8cb315d9103 100644
---- a/modules/proxy/proxy_util.c
-+++ b/modules/proxy/proxy_util.c
-@@ -1741,9 +1741,11 @@ PROXY_DECLARE(proxy_worker *) ap_proxy_get_worker_ex(apr_pool_t *p,
- return NULL;
- }
-
-- url = ap_proxy_de_socketfy(p, url);
-- if (!url) {
-- return NULL;
-+ if (!(mask & AP_PROXY_WORKER_NO_UDS)) {
-+ url = ap_proxy_de_socketfy(p, url);
-+ if (!url) {
-+ return NULL;
-+ }
- }
-
- c = ap_strchr_c(url, ':');
-@@ -2326,22 +2328,22 @@ PROXY_DECLARE(int) ap_proxy_pre_request(proxy_worker **worker,
-
- access_status = proxy_run_pre_request(worker, balancer, r, conf, url);
- if (access_status == DECLINED && *balancer == NULL) {
-- *worker = ap_proxy_get_worker(r->pool, NULL, conf, *url);
-+ const int forward = (r->proxyreq == PROXYREQ_PROXY);
-+ *worker = ap_proxy_get_worker_ex(r->pool, NULL, conf, *url,
-+ forward ? AP_PROXY_WORKER_NO_UDS : 0);
- if (*worker) {
- ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r,
- "%s: found worker %s for %s",
- (*worker)->s->scheme, (*worker)->s->name, *url);
-- *balancer = NULL;
-- if (!fix_uds_filename(r, url)) {
-+ if (!forward && !fix_uds_filename(r, url)) {
- return HTTP_INTERNAL_SERVER_ERROR;
- }
- access_status = OK;
- }
-- else if (r->proxyreq == PROXYREQ_PROXY) {
-+ else if (forward) {
- if (conf->forward) {
- ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r,
- "*: found forward proxy worker for %s", *url);
-- *balancer = NULL;
- *worker = conf->forward;
- access_status = OK;
- /*
-@@ -2355,8 +2357,8 @@ PROXY_DECLARE(int) ap_proxy_pre_request(proxy_worker **worker,
- else if (r->proxyreq == PROXYREQ_REVERSE) {
- if (conf->reverse) {
- ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r,
-- "*: using default reverse proxy worker for %s (no keepalive)", *url);
-- *balancer = NULL;
-+ "*: using default reverse proxy worker for %s "
-+ "(no keepalive)", *url);
- *worker = conf->reverse;
- access_status = OK;
- /*
diff --git a/backport-002-CVE-2022-23943.patch b/backport-002-CVE-2022-23943.patch
deleted file mode 100644
index 3f4fa1137a2afb336bc1dccfcedc2ec1b0cdb377..0000000000000000000000000000000000000000
--- a/backport-002-CVE-2022-23943.patch
+++ /dev/null
@@ -1,61 +0,0 @@
-From e266bd09c313a668d7cca17a8b096d189148be49 Mon Sep 17 00:00:00 2001
-From: Ruediger Pluem
-Date: Wed, 9 Mar 2022 07:41:40 +0000
-Subject: [PATCH] Merge r1898735 from trunk:
-
-* Improve the logic flow
-
-Reviewed by: rpluem, covener, ylavic
-
-
-git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1898772 13f79535-47bb-0310-9956-ffa450edef68
----
- modules/filters/mod_sed.c | 30 +++++++++++++++++++-----------
- 1 file changed, 19 insertions(+), 11 deletions(-)
-
-diff --git a/modules/filters/mod_sed.c b/modules/filters/mod_sed.c
-index 7092dd5e7f1..4bdb4ce33ae 100644
---- a/modules/filters/mod_sed.c
-+++ b/modules/filters/mod_sed.c
-@@ -168,21 +168,29 @@ static apr_status_t sed_write_output(void *dummy, char *buf, apr_size_t sz)
- }
- /* buffer is now full */
- status = append_bucket(ctx, ctx->outbuf, ctx->bufsize);
-- /* old buffer is now used so allocate new buffer */
-- alloc_outbuf(ctx);
-- /* if size is bigger than the allocated buffer directly add to output
-- * brigade */
-- if ((status == APR_SUCCESS) && (sz >= ctx->bufsize)) {
-- char* newbuf = apr_pmemdup(ctx->tpool, buf, sz);
-- status = append_bucket(ctx, newbuf, sz);
-- /* pool might get clear after append_bucket */
-- if (ctx->outbuf == NULL) {
-+ if (status == APR_SUCCESS) {
-+ /* if size is bigger than the allocated buffer directly add to output
-+ * brigade */
-+ if (sz >= ctx->bufsize) {
-+ char* newbuf = apr_pmemdup(ctx->tpool, buf, sz);
-+ status = append_bucket(ctx, newbuf, sz);
-+ if (status == APR_SUCCESS) {
-+ /* old buffer is now used so allocate new buffer */
-+ alloc_outbuf(ctx);
-+ }
-+ else {
-+ clear_ctxpool(ctx);
-+ }
-+ }
-+ else {
-+ /* old buffer is now used so allocate new buffer */
- alloc_outbuf(ctx);
-+ memcpy(ctx->curoutbuf, buf, sz);
-+ ctx->curoutbuf += sz;
- }
- }
- else {
-- memcpy(ctx->curoutbuf, buf, sz);
-- ctx->curoutbuf += sz;
-+ clear_ctxpool(ctx);
- }
- }
- else {
-
diff --git a/backport-CVE-2006-20001.patch b/backport-CVE-2006-20001.patch
deleted file mode 100644
index fb6688e48588e99df2dc7afd2916eb422c6e4f8b..0000000000000000000000000000000000000000
--- a/backport-CVE-2006-20001.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From b00b92bb9d1497414abf6ca1b679bcc8ad32a443 Mon Sep 17 00:00:00 2001
-From: notroj
-Date: Mon, 9 Jan 2023 08:07:58 PM GMT+0800
-Subject: [PATCH] modules/dav/main/util(dav_process_if_header):Fix error
-
-Conflict:NA
-Reference:https://github.com/apache/httpd/commit/b00b92bb9d1497414abf6ca1b679bcc8ad32a443
-
----
- modules/dav/main/util.c | 8 +++++++-
- 1 file changed, 7 insertions(+), 1 deletion(-)
-
-diff --git a/modules/dav/main/util.c b/modules/dav/main/util.c
-index 08ebe27..2a2c7aa 100644
---- a/modules/dav/main/util.c
-+++ b/modules/dav/main/util.c
-@@ -756,8 +756,14 @@ static dav_error * dav_process_if_header(request_rec *r, dav_if_header **p_ih)
- "for the same state.");
- }
- condition = DAV_IF_COND_NOT;
-+ list += 2;
-+ }
-+ else {
-+ return dav_new_error(r->pool, HTTP_BAD_REQUEST,
-+ DAV_ERR_IF_UNK_CHAR, 0,
-+ "Invaild \"If:\" header: "
-+ "Unexpected character in List");
- }
-- list += 2;
- break;
-
- case ' ':
---
-2.23.0
-
diff --git a/backport-CVE-2021-44790.patch b/backport-CVE-2021-44790.patch
deleted file mode 100644
index 46f715cf5f203332d2fd01a26f37124c4897a195..0000000000000000000000000000000000000000
--- a/backport-CVE-2021-44790.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From 07b9768cef6a224d256358c404c6ed5622d8acce Mon Sep 17 00:00:00 2001
-From: Stefan Eissing
-Date: Thu, 16 Dec 2021 11:15:47 +0000
-Subject: [PATCH] Merge r1895970 from trunk:
-
- *) mod_lua: Improve error handling
-
-
-
-git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1896039 13f79535-47bb-0310-9956-ffa450edef68
----
- modules/lua/lua_request.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/modules/lua/lua_request.c b/modules/lua/lua_request.c
-index 67ff432e51f..493b2bb431c 100644
---- a/modules/lua/lua_request.c
-+++ b/modules/lua/lua_request.c
-@@ -410,6 +410,7 @@ static int req_parsebody(lua_State *L)
- if (end == NULL) break;
- key = (char *) apr_pcalloc(r->pool, 256);
- filename = (char *) apr_pcalloc(r->pool, 256);
-+ if (end - crlf <= 8) break;
- vlen = end - crlf - 8;
- buffer = (char *) apr_pcalloc(r->pool, vlen+1);
- memcpy(buffer, crlf + 4, vlen);
diff --git a/backport-CVE-2022-22719.patch b/backport-CVE-2022-22719.patch
deleted file mode 100644
index 4e710225b48684bbb42f179538eb7c8346644ec5..0000000000000000000000000000000000000000
--- a/backport-CVE-2022-22719.patch
+++ /dev/null
@@ -1,93 +0,0 @@ -From 1b96582269d9ec7c82ee0fea1f67934e4b8176ad Mon Sep 17 00:00:00 2001 -From: Yann Ylavic -Date: Mon, 7 Mar 2022 14:51:19 +0000 -Subject: [PATCH] mod_lua: Error out if lua_read_body() or lua_write_body() - fail. - -Otherwise r:requestbody() or r:parsebody() failures might go unnoticed for -the user. - - -Merge r1898689 from trunk. -Submitted by: rpluem -Reviewed by: rpluem, covener, ylavic - - -git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1898694 13f79535-47bb-0310-9956-ffa450edef68 ---- - modules/lua/lua_request.c | 33 ++++++++++++++++++++------------- - 1 file changed, 20 insertions(+), 13 deletions(-) - -diff --git a/modules/lua/lua_request.c b/modules/lua/lua_request.c -index 493b2bb431c..1eab7b6a47b 100644 ---- a/modules/lua/lua_request.c -+++ b/modules/lua/lua_request.c -@@ -235,14 +235,16 @@ static int lua_read_body(request_rec *r, const char **rbuf, apr_off_t *size, - { - int rc = OK; - -+ *rbuf = NULL; -+ *size = 0; -+ - if ((rc = ap_setup_client_block(r, REQUEST_CHUNKED_ERROR))) { - return (rc); - } - if (ap_should_client_block(r)) { - - /*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~*/ -- char argsbuffer[HUGE_STRING_LEN]; -- apr_off_t rsize, len_read, rpos = 0; -+ apr_off_t len_read, rpos = 0; - apr_off_t length = r->remaining; - /*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~*/ - -@@ -250,18 +252,18 @@ static int lua_read_body(request_rec *r, const char **rbuf, apr_off_t *size, - return APR_EINCOMPLETE; /* Only room for incomplete data chunk :( */ - } - *rbuf = (const char *) apr_pcalloc(r->pool, (apr_size_t) (length + 1)); -- *size = length; -- while ((len_read = ap_get_client_block(r, argsbuffer, sizeof(argsbuffer))) > 0) { -- if ((rpos + len_read) > length) { -- rsize = length - rpos; -- } -- else { -- rsize = len_read; -- } -- -- memcpy((char *) *rbuf + rpos, argsbuffer, (size_t) rsize); -- rpos += rsize; -+ while ((rpos < length) -+ && (len_read = ap_get_client_block(r, (char *) *rbuf + rpos, -+ length - rpos)) > 0) { -+ 
rpos += len_read; -+ } -+ if (len_read < 0) { -+ return APR_EINCOMPLETE; - } -+ *size = rpos; -+ } -+ else { -+ rc = DONE; - } - - return (rc); -@@ -278,6 +280,8 @@ static apr_status_t lua_write_body(request_rec *r, apr_file_t *file, apr_off_t * - { - apr_status_t rc = OK; - -+ *size = 0; -+ - if ((rc = ap_setup_client_block(r, REQUEST_CHUNKED_ERROR))) - return rc; - if (ap_should_client_block(r)) { -@@ -303,6 +307,9 @@ static apr_status_t lua_write_body(request_rec *r, apr_file_t *file, apr_off_t * - rpos += rsize; - } - } -+ else { -+ rc = DONE; -+ } - - return rc; - } - diff --git a/backport-CVE-2022-22720.patch b/backport-CVE-2022-22720.patch deleted file mode 100644 index 30351108e38b6e41f48a104bef8d0ad14c36140c..0000000000000000000000000000000000000000 --- a/backport-CVE-2022-22720.patch +++ /dev/null 
@@ -1,187 +0,0 @@ -From 19aa2d83b379719420f3a178413325156d7a62f3 Mon Sep 17 00:00:00 2001 -From: Yann Ylavic -Date: Mon, 7 Mar 2022 14:46:08 +0000 -Subject: [PATCH] core: Simpler connection close logic if discarding the - request body fails. - -If ap_discard_request_body() sets AP_CONN_CLOSE by itself it simplifies and -allows to consolidate end_output_stream() and error_output_stream(). - - -Merge r1898683 from trunk. -Submitted by: ylavic, rpluem -Reviewed by: ylavic, rpluem, covener - - -git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1898692 13f79535-47bb-0310-9956-ffa450edef68 ---- - changes-entries/discard_body.diff | 2 + - modules/http/http_filters.c | 69 ++++++++++++++++--------------- - server/protocol.c | 14 +++++-- - 3 files changed, 48 insertions(+), 37 deletions(-) - create mode 100644 changes-entries/discard_body.diff - -diff --git a/changes-entries/discard_body.diff b/changes-entries/discard_body.diff -new file mode 100644 -index 00000000000..6b467ac5ee3 ---- /dev/null -+++ b/changes-entries/discard_body.diff -@@ -0,0 +1,2 @@ -+ *) core: Simpler connection close logic if discarding the request body fails. -+ [Yann Ylavic, Ruediger Pluem] -\ No newline at end of file -diff --git a/modules/http/http_filters.c b/modules/http/http_filters.c -index d9b36212155..43e8c6dd5d5 100644 ---- a/modules/http/http_filters.c -+++ b/modules/http/http_filters.c -@@ -1598,9 +1598,9 @@ AP_DECLARE(int) ap_map_http_request_error(apr_status_t rv, int status) - */ - AP_DECLARE(int) ap_discard_request_body(request_rec *r) - { -+ int rc = OK; -+ conn_rec *c = r->connection; - apr_bucket_brigade *bb; -- int seen_eos; -- apr_status_t rv; - - /* Sometimes we'll get in a state where the input handling has - * detected an error where we want to drop the connection, so if -@@ -1609,54 +1609,57 @@ AP_DECLARE(int) ap_discard_request_body(request_rec *r) - * - * This function is also a no-op on a subrequest. 
- */ -- if (r->main || r->connection->keepalive == AP_CONN_CLOSE || -- ap_status_drops_connection(r->status)) { -+ if (r->main || c->keepalive == AP_CONN_CLOSE) { -+ return OK; -+ } -+ if (ap_status_drops_connection(r->status)) { -+ c->keepalive = AP_CONN_CLOSE; - return OK; - } - - bb = apr_brigade_create(r->pool, r->connection->bucket_alloc); -- seen_eos = 0; -- do { -- apr_bucket *bucket; -+ for (;;) { -+ apr_status_t rv; - - rv = ap_get_brigade(r->input_filters, bb, AP_MODE_READBYTES, - APR_BLOCK_READ, HUGE_STRING_LEN); -- - if (rv != APR_SUCCESS) { -- apr_brigade_destroy(bb); -- return ap_map_http_request_error(rv, HTTP_BAD_REQUEST); -+ rc = ap_map_http_request_error(rv, HTTP_BAD_REQUEST); -+ goto cleanup; - } - -- for (bucket = APR_BRIGADE_FIRST(bb); -- bucket != APR_BRIGADE_SENTINEL(bb); -- bucket = APR_BUCKET_NEXT(bucket)) -- { -- const char *data; -- apr_size_t len; -+ while (!APR_BRIGADE_EMPTY(bb)) { -+ apr_bucket *b = APR_BRIGADE_FIRST(bb); - -- if (APR_BUCKET_IS_EOS(bucket)) { -- seen_eos = 1; -- break; -- } -- -- /* These are metadata buckets. */ -- if (bucket->length == 0) { -- continue; -+ if (APR_BUCKET_IS_EOS(b)) { -+ goto cleanup; - } - -- /* We MUST read because in case we have an unknown-length -- * bucket or one that morphs, we want to exhaust it. -+ /* There is no need to read empty or metadata buckets or -+ * buckets of known length, but we MUST read buckets of -+ * unknown length in order to exhaust them. 
- */ -- rv = apr_bucket_read(bucket, &data, &len, APR_BLOCK_READ); -- if (rv != APR_SUCCESS) { -- apr_brigade_destroy(bb); -- return HTTP_BAD_REQUEST; -+ if (b->length == (apr_size_t)-1) { -+ apr_size_t len; -+ const char *data; -+ -+ rv = apr_bucket_read(b, &data, &len, APR_BLOCK_READ); -+ if (rv != APR_SUCCESS) { -+ rc = HTTP_BAD_REQUEST; -+ goto cleanup; -+ } - } -+ -+ apr_bucket_delete(b); - } -- apr_brigade_cleanup(bb); -- } while (!seen_eos); -+ } - -- return OK; -+cleanup: -+ apr_brigade_cleanup(bb); -+ if (rc != OK) { -+ c->keepalive = AP_CONN_CLOSE; -+ } -+ return rc; - } - - /* Here we deal with getting the request message body from the client. -diff --git a/server/protocol.c b/server/protocol.c -index 2214f72b5a4..298f61e1fb8 100644 ---- a/server/protocol.c -+++ b/server/protocol.c -@@ -1687,23 +1687,29 @@ AP_DECLARE(void) ap_set_sub_req_protocol(request_rec *rnew, - rnew->main = (request_rec *) r; - } - --static void end_output_stream(request_rec *r) -+static void end_output_stream(request_rec *r, int status) - { - conn_rec *c = r->connection; - apr_bucket_brigade *bb; - apr_bucket *b; - - bb = apr_brigade_create(r->pool, c->bucket_alloc); -+ if (status != OK) { -+ b = ap_bucket_error_create(status, NULL, r->pool, c->bucket_alloc); -+ APR_BRIGADE_INSERT_TAIL(bb, b); -+ } - b = apr_bucket_eos_create(c->bucket_alloc); - APR_BRIGADE_INSERT_TAIL(bb, b); -+ - ap_pass_brigade(r->output_filters, bb); -+ apr_brigade_cleanup(bb); - } - - AP_DECLARE(void) ap_finalize_sub_req_protocol(request_rec *sub) - { - /* tell the filter chain there is no more content coming */ - if (!sub->eos_sent) { -- end_output_stream(sub); -+ end_output_stream(sub, OK); - } - } - -@@ -1714,11 +1720,11 @@ AP_DECLARE(void) ap_finalize_sub_req_protocol(request_rec *sub) - */ - AP_DECLARE(void) ap_finalize_request_protocol(request_rec *r) - { -- (void) ap_discard_request_body(r); -+ int status = ap_discard_request_body(r); - - /* tell the filter chain there is no more content coming */ - if 
(!r->eos_sent) { -- end_output_stream(r); -+ end_output_stream(r, status); - } - } - \ No newline at end of file diff --git a/backport-CVE-2022-22721.patch b/backport-CVE-2022-22721.patch deleted file mode 100644 index df904a25e9dc56a4af75dae041a4d5e5c9047a56..0000000000000000000000000000000000000000 --- a/backport-CVE-2022-22721.patch +++ /dev/null 
@@ -1,113 +0,0 @@ -From 5a72f0fe6f2f8ce35c45242e99a421dc19251ab5 Mon Sep 17 00:00:00 2001 -From: Yann Ylavic -Date: Mon, 7 Mar 2022 14:48:54 +0000 -Subject: [PATCH] core: Make sure and check that LimitXMLRequestBody fits in - system memory. - -LimitXMLRequestBody can not exceed the size needed to ap_escape_html2() the -body without failing to allocate memory, so enforce this at load time based -on APR_SIZE_MAX, and make sure that ap_escape_html2() is within the bounds. - -Document the limits for LimitXMLRequestBody in our docs. - - -Merge r1898686 from trunk. -Submitted by: ylavic, rpluem -Reviewed by: ylavic, covener, rpluem - - -git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1898693 13f79535-47bb-0310-9956-ffa450edef68 ---- - changes-entries/AP_MAX_LIMIT_XML_BODY.diff | 2 ++ - server/core.c | 9 +++++++++ - server/util.c | 8 ++++++-- - server/util_xml.c | 2 +- - 4 files changed, 27 insertions(+), 6 deletions(-) - create mode 100644 changes-entries/AP_MAX_LIMIT_XML_BODY.diff - -diff --git a/changes-entries/AP_MAX_LIMIT_XML_BODY.diff b/changes-entries/AP_MAX_LIMIT_XML_BODY.diff -new file mode 100644 -index 00000000000..07fef3c624c ---- /dev/null -+++ b/changes-entries/AP_MAX_LIMIT_XML_BODY.diff -@@ -0,0 +1,2 @@ -+ *) core: Make sure and check that LimitXMLRequestBody fits in system memory. 
-+ [Ruediger Pluem, Yann Ylavic] -\ No newline at end of file -diff --git a/server/core.c b/server/core.c -index 798212b4808..090e3976421 100644 ---- a/server/core.c -+++ b/server/core.c -@@ -72,6 +72,8 @@ - /* LimitXMLRequestBody handling */ - #define AP_LIMIT_UNSET ((long) -1) - #define AP_DEFAULT_LIMIT_XML_BODY ((apr_size_t)1000000) -+/* Hard limit for ap_escape_html2() */ -+#define AP_MAX_LIMIT_XML_BODY ((apr_size_t)(APR_SIZE_MAX / 6 - 1)) - - #define AP_MIN_SENDFILE_BYTES (256) - -@@ -3761,6 +3763,11 @@ static const char *set_limit_xml_req_body(cmd_parms *cmd, void *conf_, - if (conf->limit_xml_body < 0) - return "LimitXMLRequestBody requires a non-negative integer."; - -+ /* zero is AP_MAX_LIMIT_XML_BODY (implicitly) */ -+ if ((apr_size_t)conf->limit_xml_body > AP_MAX_LIMIT_XML_BODY) -+ return apr_psprintf(cmd->pool, "LimitXMLRequestBody must not exceed " -+ "%" APR_SIZE_T_FMT, AP_MAX_LIMIT_XML_BODY); -+ - return NULL; - } - -@@ -3849,6 +3856,8 @@ AP_DECLARE(apr_size_t) ap_get_limit_xml_body(const request_rec *r) - conf = ap_get_core_module_config(r->per_dir_config); - if (conf->limit_xml_body == AP_LIMIT_UNSET) - return AP_DEFAULT_LIMIT_XML_BODY; -+ if (conf->limit_xml_body == 0) -+ return AP_MAX_LIMIT_XML_BODY; - - return (apr_size_t)conf->limit_xml_body; - } -diff --git a/server/util.c b/server/util.c -index 6cfe0035c49..604be1a1ce3 100644 ---- a/server/util.c -+++ b/server/util.c -@@ -2142,11 +2142,14 @@ AP_DECLARE(char *) ap_escape_urlencoded(apr_pool_t *p, const char *buffer) - - AP_DECLARE(char *) ap_escape_html2(apr_pool_t *p, const char *s, int toasc) - { -- int i, j; -+ apr_size_t i, j; - char *x; - - /* first, count the number of extra characters */ -- for (i = 0, j = 0; s[i] != '\0'; i++) -+ for (i = 0, j = 0; s[i] != '\0'; i++) { -+ if (i + j > APR_SIZE_MAX - 6) { -+ abort(); -+ } - if (s[i] == '<' || s[i] == '>') - j += 3; - else if (s[i] == '&') -@@ -2155,6 +2158,7 @@ AP_DECLARE(char *) ap_escape_html2(apr_pool_t *p, const char *s, int toasc) - 
j += 5; - else if (toasc && !apr_isascii(s[i])) - j += 5; -+ } - - if (j == 0) - return apr_pstrmemdup(p, s, i); -diff --git a/server/util_xml.c b/server/util_xml.c -index 4845194656e..22806fa8a40 100644 ---- a/server/util_xml.c -+++ b/server/util_xml.c -@@ -85,7 +85,7 @@ AP_DECLARE(int) ap_xml_parse_input(request_rec * r, apr_xml_doc **pdoc) - } - - total_read += len; -- if (limit_xml_body && total_read > limit_xml_body) { -+ if (total_read > limit_xml_body) { - ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(00539) - "XML request body is larger than the configured " - "limit of %lu", (unsigned long)limit_xml_body); - diff --git a/backport-CVE-2022-26377.patch b/backport-CVE-2022-26377.patch deleted file mode 100644 index 5bebf983d4b4d39f93051b668fea30740e56220f..0000000000000000000000000000000000000000 --- a/backport-CVE-2022-26377.patch +++ /dev/null 
@@ -1,38 +0,0 @@
-From f7f15f3d8bfe3032926c8c39eb8434529f680bd4 Mon Sep 17 00:00:00 2001
-From: ylavic
-Date: Wed Jun 1 13:48:21 2022 UTC
-Subject: [PATCH] mod_proxy_ajp: T-E has precedence over C-L.
-
----
- modules/proxy/mod_proxy_ajp.c | 15 ++++++++++++---
- 1 file changed, 12 insertions(+), 3 deletions(-)
-
-diff --git a/modules/proxy/mod_proxy_ajp.c b/modules/proxy/mod_proxy_ajp.c
-index e2992fc..a77a86b 100644
---- a/modules/proxy/mod_proxy_ajp.c
-+++ b/modules/proxy/mod_proxy_ajp.c
-@@ -246,9 +246,18 @@ static int ap_proxy_ajp_request(apr_pool_t *p, request_rec *r,
- /* read the first block of data */
- input_brigade = apr_brigade_create(p, r->connection->bucket_alloc);
- tenc = apr_table_get(r->headers_in, "Transfer-Encoding");
-- if (tenc && (ap_cstr_casecmp(tenc, "chunked") == 0)) {
-- /* The AJP protocol does not want body data yet */
-- ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(00870) "request is chunked");
-+ if (tenc) {
-+ if (ap_cstr_casecmp(tenc, "chunked") == 0) {
-+ /* The AJP protocol does not want body data yet */
-+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(00870)
-+ "request is chunked");
-+ }
-+ else {
-+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10396)
-+ "%s Transfer-Encoding is not supported",
-+ tenc);
-+ return HTTP_INTERNAL_SERVER_ERROR;
-+ }
- } else {
- /* Get client provided Content-Length header */
- content_length = get_content_length(r);
---
-1.8.3.1
-
diff --git a/backport-CVE-2022-28330.patch b/backport-CVE-2022-28330.patch
deleted file mode 100644
index 77fc8f42d0c2e6aa4a4f49d2fb1b211cb4e9cf90..0000000000000000000000000000000000000000
--- a/backport-CVE-2022-28330.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 258698607821acfda8f90d9d17e44d18c30f8d77 Mon Sep 17 00:00:00 2001
-From: covener
-Date: Wed, 1 Jun 2022 12:37:44 UTC
-Subject: [PATCH] mod_isapi:use consistent filename
-
-Conflict:NA
-Reference:https://github.com/apache/httpd/commit/258698607821acfda8f90d9d17e44d18c30f8d77
-
----
- modules/arch/win32/mod_isapi.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/modules/arch/win32/mod_isapi.c b/modules/arch/win32/mod_isapi.c
-index 5592a57..a9816e5 100644
---- a/modules/arch/win32/mod_isapi.c
-+++ b/modules/arch/win32/mod_isapi.c
-@@ -976,11 +976,11 @@ static int APR_THREAD_FUNC regfnServerSupportFunction(isapi_cid *cid,
- return 0;
- }
-
-- len = (apr_uint32_t)strlen(r->filename);
-+ len = (apr_uint32_t)strlen(subreq->filename);
-
- if ((subreq->finfo.filetype == APR_DIR)
- && (!subreq->path_info)
-- && (file[len - 1] != '/'))
-+ && (subreq->filename[len - 1] != '/'))
- file = apr_pstrcat(cid->r->pool, subreq->filename, "/", NULL);
- else
- file = apr_pstrcat(cid->r->pool, subreq->filename,
---
-2.23.0
-
diff --git a/backport-CVE-2022-28614.patch b/backport-CVE-2022-28614.patch
deleted file mode 100644
index 3f782cee759944701673a365dd5dd1fa929900a4..0000000000000000000000000000000000000000
--- a/backport-CVE-2022-28614.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-From 8c14927162cf3b4f810683e1c5505e9ef9e1f123 Mon Sep 17 00:00:00 2001
-From: covener
-Date: Wed Jun 1 07:51:04 2022 UTC
-Subject: [PATCH] handle large writes in ap_rputs
-
----
- include/http_protocol.h | 22 +++++++++++++++++++++-
- server/protocol.c | 3 +++
- 2 files changed, 24 insertions(+), 1 deletion(-)
-
-diff --git a/include/http_protocol.h b/include/http_protocol.h
-index 20bd202..94c481e 100644
---- a/include/http_protocol.h
-+++ b/include/http_protocol.h
-@@ -475,7 +475,27 @@ AP_DECLARE(int) ap_rwrite(const void *buf, int nbyte, request_rec *r);
- */
- static APR_INLINE int ap_rputs(const char *str, request_rec *r)
- {
-- return ap_rwrite(str, (int)strlen(str), r);
-+ apr_size_t len;
-+
-+ len = strlen(str);
-+
-+ for (;;) {
-+ if (len <= INT_MAX) {
-+ return ap_rwrite(str, (int)len, r);
-+ }
-+ else {
-+ int rc;
-+
-+ rc = ap_rwrite(str, INT_MAX, r);
-+ if (rc < 0) {
-+ return rc;
-+ }
-+ else {
-+ str += INT_MAX;
-+ len -= INT_MAX;
-+ }
-+ }
-+ }
- }
-
- /**
-diff --git a/server/protocol.c b/server/protocol.c
-index 298f61e..7adc7f7 100644
---- a/server/protocol.c
-+++ b/server/protocol.c
-@@ -2128,6 +2128,9 @@ AP_DECLARE(int) ap_rputc(int c, request_rec *r)
-
- AP_DECLARE(int) ap_rwrite(const void *buf, int nbyte, request_rec *r)
- {
-+ if (nbyte < 0)
-+ return -1;
-+
- if (r->connection->aborted)
- return -1;
-
---
-1.8.3.1
-
diff --git a/backport-CVE-2022-28615.patch b/backport-CVE-2022-28615.patch
deleted file mode 100644
index cf371ade824e96d2ebecc7be66f103370ae174ae..0000000000000000000000000000000000000000
--- a/backport-CVE-2022-28615.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 929c7156cefdd2f74f83dcab2b15b2d09e80ec82 Mon Sep 17 00:00:00 2001
-From: covener
-Date: Wed Jun 1 12:20:56 2022 UTC
-Subject: [PATCH] ap_strcasecmp_match/ap_strcmp_match:fix types
-
----
- server/util.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/server/util.c b/server/util.c
-index 633648c..09ac0c5 100644
---- a/server/util.c
-+++ b/server/util.c
-@@ -185,7 +185,7 @@ AP_DECLARE(char *) ap_ht_time(apr_pool_t *p, apr_time_t t, const char *fmt,
- */
- AP_DECLARE(int) ap_strcmp_match(const char *str, const char *expected)
- {
-- int x, y;
-+ apr_size_t x, y;
-
- for (x = 0, y = 0; expected[y]; ++y, ++x) {
- if (expected[y] == '*') {
-@@ -209,7 +209,7 @@ AP_DECLARE(int) ap_strcmp_match(const char *str, const char *expected)
-
- AP_DECLARE(int) ap_strcasecmp_match(const char *str, const char *expected)
- {
-- int x, y;
-+ apr_size_t x, y;
-
- for (x = 0, y = 0; expected[y]; ++y, ++x) {
- if (!str[x] && expected[y] != '*')
---
-1.8.3.1
-
diff --git a/backport-CVE-2022-29404.patch b/backport-CVE-2022-29404.patch
deleted file mode 100644
index 33633d4c18801c0c15ad5f3c8cf24996dfe4b723..0000000000000000000000000000000000000000
--- a/backport-CVE-2022-29404.patch
+++ /dev/null
@@ -1,88 +0,0 @@ -From 92499e20034485c5e2d29cb85940e309573d976e Mon Sep 17 00:00:00 2001 -From: covener -Date: Wed Jun 1 12:30:46 2022 UTC -Subject: [PATCH] use a liberal default limit for LimitRequestBody of 1GB - ---- - modules/http/http_filters.c | 8 +++++++- - modules/proxy/proxy_util.c | 13 ------------- - server/core.c | 2 +- - 3 files changed, 8 insertions(+), 15 deletions(-) - -diff --git a/modules/http/http_filters.c b/modules/http/http_filters.c -index 3e02da8..c3eab95 100644 ---- a/modules/http/http_filters.c -+++ b/modules/http/http_filters.c -@@ -1700,7 +1700,8 @@ AP_DECLARE(int) ap_setup_client_block(request_rec *r, int read_policy) - { - const char *tenc = apr_table_get(r->headers_in, "Transfer-Encoding"); - const char *lenp = apr_table_get(r->headers_in, "Content-Length"); -- -+ apr_off_t limit_req_body = ap_get_limit_req_body(r); -+ - r->read_body = read_policy; - r->read_chunked = 0; - r->remaining = 0; -@@ -1735,6 +1736,11 @@ AP_DECLARE(int) ap_setup_client_block(request_rec *r, int read_policy) - return HTTP_REQUEST_ENTITY_TOO_LARGE; - } - -+ if (limit_req_body > 0 && (r->remaining > limit_req_body)) { -+ /* will be logged when the body is discarded */ -+ return HTTP_REQUEST_ENTITY_TOO_LARGE; -+ } -+ - #ifdef AP_DEBUG - { - /* Make sure ap_getline() didn't leave any droppings. 
*/ -diff --git a/modules/proxy/proxy_util.c b/modules/proxy/proxy_util.c -index 4f1610f..04733f2 100644 ---- a/modules/proxy/proxy_util.c -+++ b/modules/proxy/proxy_util.c -@@ -4249,12 +4249,10 @@ PROXY_DECLARE(int) ap_proxy_spool_input(request_rec *r, - apr_bucket *e; - apr_off_t bytes, fsize = 0; - apr_file_t *tmpfile = NULL; -- apr_off_t limit; - - *bytes_spooled = 0; - body_brigade = apr_brigade_create(p, bucket_alloc); - -- limit = ap_get_limit_req_body(r); - - do { - if (APR_BRIGADE_EMPTY(input_brigade)) { -@@ -4273,17 +4271,6 @@ PROXY_DECLARE(int) ap_proxy_spool_input(request_rec *r, - apr_brigade_length(input_brigade, 1, &bytes); - - if (*bytes_spooled + bytes > max_mem_spool) { -- /* -- * LimitRequestBody does not affect Proxy requests (Should it?). -- * Let it take effect if we decide to store the body in a -- * temporary file on disk. -- */ -- if (limit && (*bytes_spooled + bytes > limit)) { -- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01088) -- "Request body is larger than the configured " -- "limit of %" APR_OFF_T_FMT, limit); -- return HTTP_REQUEST_ENTITY_TOO_LARGE; -- } - /* can't spool any more in memory; write latest brigade to disk */ - if (tmpfile == NULL) { - const char *temp_dir; -diff --git a/server/core.c b/server/core.c -index 957eeff..515047b 100644 ---- a/server/core.c -+++ b/server/core.c -@@ -71,7 +71,7 @@ - - /* LimitRequestBody handling */ - #define AP_LIMIT_REQ_BODY_UNSET ((apr_off_t) -1) --#define AP_DEFAULT_LIMIT_REQ_BODY ((apr_off_t) 0) -+#define AP_DEFAULT_LIMIT_REQ_BODY ((apr_off_t) 1<<30) /* 1GB */ - - /* LimitXMLRequestBody handling */ - #define AP_LIMIT_UNSET ((long) -1) --- -1.8.3.1 - diff --git a/backport-CVE-2022-30522.patch b/backport-CVE-2022-30522.patch deleted file mode 100644 index b5f4c3a8332a963df162ec7165af4d521cab75fa..0000000000000000000000000000000000000000 --- a/backport-CVE-2022-30522.patch +++ /dev/null 
@@ -1,408 +0,0 @@ -From 65b8fb947b144556c7ad1cf7ddc3941010ad77ba Mon Sep 17 00:00:00 2001 -From: covener -Date: Wed Jun 1 12:40:09 2022 UTC -Subject: [PATCH] limit mod_sed memory use - ---- - modules/filters/sed1.c | 156 +++++++++++++++++++++++++++++++++++-------------- - 1 file changed, 113 insertions(+), 43 deletions(-) - -diff --git a/modules/filters/sed1.c b/modules/filters/sed1.c -index 67a8d06..a08068e 100644 ---- a/modules/filters/sed1.c -+++ b/modules/filters/sed1.c -@@ -87,18 +87,20 @@ static void eval_errf(sed_eval_t *eval, const char *fmt, ...) - } - - #define INIT_BUF_SIZE 1024 -+#define MAX_BUF_SIZE 1024*8192 - - /* - * grow_buffer - */ --static void grow_buffer(apr_pool_t *pool, char **buffer, -+static apr_status_t grow_buffer(apr_pool_t *pool, char **buffer, - char **spend, apr_size_t *cursize, - apr_size_t newsize) - { - char* newbuffer = NULL; - apr_size_t spendsize = 0; -- if (*cursize >= newsize) -- return; -+ if (*cursize >= newsize) { -+ return APR_SUCCESS; -+ } - /* Avoid number of times realloc is called. 
It could cause huge memory - * requirement if line size is huge e.g 2 MB */ - if (newsize < *cursize * 2) { -@@ -107,6 +109,9 @@ static void grow_buffer(apr_pool_t *pool, char **buffer, - - /* Align it to 4 KB boundary */ - newsize = (newsize + ((1 << 12) - 1)) & ~((1 << 12) - 1); -+ if (newsize > MAX_BUF_SIZE) { -+ return APR_ENOMEM; -+ } - newbuffer = apr_pcalloc(pool, newsize); - if (*spend && *buffer && (*cursize > 0)) { - spendsize = *spend - *buffer; -@@ -119,63 +124,77 @@ static void grow_buffer(apr_pool_t *pool, char **buffer, - if (spend != buffer) { - *spend = *buffer + spendsize; - } -+ return APR_SUCCESS; - } - - /* - * grow_line_buffer - */ --static void grow_line_buffer(sed_eval_t *eval, apr_size_t newsize) -+static apr_status_t grow_line_buffer(sed_eval_t *eval, apr_size_t newsize) - { -- grow_buffer(eval->pool, &eval->linebuf, &eval->lspend, -+ return grow_buffer(eval->pool, &eval->linebuf, &eval->lspend, - &eval->lsize, newsize); - } - - /* - * grow_hold_buffer - */ --static void grow_hold_buffer(sed_eval_t *eval, apr_size_t newsize) -+static apr_status_t grow_hold_buffer(sed_eval_t *eval, apr_size_t newsize) - { -- grow_buffer(eval->pool, &eval->holdbuf, &eval->hspend, -+ return grow_buffer(eval->pool, &eval->holdbuf, &eval->hspend, - &eval->hsize, newsize); - } - - /* - * grow_gen_buffer - */ --static void grow_gen_buffer(sed_eval_t *eval, apr_size_t newsize, -+static apr_status_t grow_gen_buffer(sed_eval_t *eval, apr_size_t newsize, - char **gspend) - { -+ apr_status_t rc = 0; - if (gspend == NULL) { - gspend = &eval->genbuf; - } -- grow_buffer(eval->pool, &eval->genbuf, gspend, -+ rc = grow_buffer(eval->pool, &eval->genbuf, gspend, - &eval->gsize, newsize); -- eval->lcomend = &eval->genbuf[71]; -+ if (rc == APR_SUCCESS) { -+ eval->lcomend = &eval->genbuf[71]; -+ } -+ return rc; - } - - /* - * appendmem_to_linebuf - */ --static void appendmem_to_linebuf(sed_eval_t *eval, const char* sz, apr_size_t len) -+static apr_status_t 
appendmem_to_linebuf(sed_eval_t *eval, const char* sz, apr_size_t len) - { -+ apr_status_t rc = 0; - apr_size_t reqsize = (eval->lspend - eval->linebuf) + len; - if (eval->lsize < reqsize) { -- grow_line_buffer(eval, reqsize); -+ rc = grow_line_buffer(eval, reqsize); -+ if (rc != APR_SUCCESS) { -+ return rc; -+ } - } - memcpy(eval->lspend, sz, len); - eval->lspend += len; -+ return APR_SUCCESS; - } - - /* - * append_to_linebuf - */ --static void append_to_linebuf(sed_eval_t *eval, const char* sz, -+static apr_status_t append_to_linebuf(sed_eval_t *eval, const char* sz, - step_vars_storage *step_vars) - { - apr_size_t len = strlen(sz); - char *old_linebuf = eval->linebuf; -+ apr_status_t rc = 0; - /* Copy string including null character */ -- appendmem_to_linebuf(eval, sz, len + 1); -+ rc = appendmem_to_linebuf(eval, sz, len + 1); -+ if (rc != APR_SUCCESS) { -+ return rc; -+ } - --eval->lspend; /* lspend will now point to NULL character */ - /* Sync step_vars after a possible linebuf expansion */ - if (step_vars && old_linebuf != eval->linebuf) { -@@ -189,68 +208,84 @@ static void append_to_linebuf(sed_eval_t *eval, const char* sz, - step_vars->locs = step_vars->locs - old_linebuf + eval->linebuf; - } - } -+ return APR_SUCCESS; - } - - /* - * copy_to_linebuf - */ --static void copy_to_linebuf(sed_eval_t *eval, const char* sz, -+static apr_status_t copy_to_linebuf(sed_eval_t *eval, const char* sz, - step_vars_storage *step_vars) - { - eval->lspend = eval->linebuf; -- append_to_linebuf(eval, sz, step_vars); -+ return append_to_linebuf(eval, sz, step_vars); - } - - /* - * append_to_holdbuf - */ --static void append_to_holdbuf(sed_eval_t *eval, const char* sz) -+static apr_status_t append_to_holdbuf(sed_eval_t *eval, const char* sz) - { - apr_size_t len = strlen(sz); - apr_size_t reqsize = (eval->hspend - eval->holdbuf) + len + 1; -+ apr_status_t rc = 0; - if (eval->hsize <= reqsize) { -- grow_hold_buffer(eval, reqsize); -+ rc = grow_hold_buffer(eval, reqsize); -+ if 
(rc != APR_SUCCESS) { -+ return rc; -+ } - } - memcpy(eval->hspend, sz, len + 1); - /* hspend will now point to NULL character */ - eval->hspend += len; -+ return APR_SUCCESS; - } - - /* - * copy_to_holdbuf - */ --static void copy_to_holdbuf(sed_eval_t *eval, const char* sz) -+static apr_status_t copy_to_holdbuf(sed_eval_t *eval, const char* sz) - { - eval->hspend = eval->holdbuf; -- append_to_holdbuf(eval, sz); -+ return append_to_holdbuf(eval, sz); - } - - /* - * append_to_genbuf - */ --static void append_to_genbuf(sed_eval_t *eval, const char* sz, char **gspend) -+static apr_status_t append_to_genbuf(sed_eval_t *eval, const char* sz, char **gspend) - { - apr_size_t len = strlen(sz); - apr_size_t reqsize = (*gspend - eval->genbuf) + len + 1; -+ apr_status_t rc = 0; - if (eval->gsize < reqsize) { -- grow_gen_buffer(eval, reqsize, gspend); -+ rc = grow_gen_buffer(eval, reqsize, gspend); -+ if (rc != APR_SUCCESS) { -+ return rc; -+ } - } - memcpy(*gspend, sz, len + 1); - /* *gspend will now point to NULL character */ - *gspend += len; -+ return APR_SUCCESS; - } - - /* - * copy_to_genbuf - */ --static void copy_to_genbuf(sed_eval_t *eval, const char* sz) -+static apr_status_t copy_to_genbuf(sed_eval_t *eval, const char* sz) - { - apr_size_t len = strlen(sz); - apr_size_t reqsize = len + 1; -+ apr_status_t rc = APR_SUCCESS; - if (eval->gsize < reqsize) { -- grow_gen_buffer(eval, reqsize, NULL); -+ rc = grow_gen_buffer(eval, reqsize, NULL); -+ if (rc != APR_SUCCESS) { -+ return rc; -+ } - } - memcpy(eval->genbuf, sz, len + 1); -+ return rc; - } - - /* -@@ -397,6 +432,7 @@ apr_status_t sed_eval_buffer(sed_eval_t *eval, const char *buf, apr_size_t bufsz - } - - while (bufsz) { -+ apr_status_t rc = 0; - char *n; - apr_size_t llen; - -@@ -411,7 +447,10 @@ apr_status_t sed_eval_buffer(sed_eval_t *eval, const char *buf, apr_size_t bufsz - break; - } - -- appendmem_to_linebuf(eval, buf, llen + 1); -+ rc = appendmem_to_linebuf(eval, buf, llen + 1); -+ if (rc != APR_SUCCESS) { 
-+ return rc; -+ } - --eval->lspend; - /* replace new line character with NULL */ - *eval->lspend = '\0'; -@@ -426,7 +465,10 @@ apr_status_t sed_eval_buffer(sed_eval_t *eval, const char *buf, apr_size_t bufsz - - /* Save the leftovers for later */ - if (bufsz) { -- appendmem_to_linebuf(eval, buf, bufsz); -+ apr_status_t rc = appendmem_to_linebuf(eval, buf, bufsz); -+ if (rc != APR_SUCCESS) { -+ return rc; -+ } - } - - return APR_SUCCESS; -@@ -448,6 +490,7 @@ apr_status_t sed_finalize_eval(sed_eval_t *eval, void *fout) - /* Process leftovers */ - if (eval->lspend > eval->linebuf) { - apr_status_t rv; -+ apr_status_t rc = 0; - - if (eval->lreadyflag) { - eval->lreadyflag = 0; -@@ -457,7 +500,10 @@ apr_status_t sed_finalize_eval(sed_eval_t *eval, void *fout) - * buffer is not a newline. - */ - /* Assure space for NULL */ -- append_to_linebuf(eval, "", NULL); -+ rc = append_to_linebuf(eval, "", NULL); -+ if (rc != APR_SUCCESS) { -+ return rc; -+ } - } - - *eval->lspend = '\0'; -@@ -655,11 +701,15 @@ static apr_status_t dosub(sed_eval_t *eval, char *rhsbuf, int n, - sp = eval->genbuf; - rp = rhsbuf; - sp = place(eval, sp, lp, step_vars->loc1); -+ if (sp == NULL) { -+ return APR_EGENERAL; -+ } - while ((c = *rp++) != 0) { - if (c == '&') { - sp = place(eval, sp, step_vars->loc1, step_vars->loc2); -- if (sp == NULL) -+ if (sp == NULL) { - return APR_EGENERAL; -+ } - } - else if (c == '\\') { - c = *rp++; -@@ -675,13 +725,19 @@ static apr_status_t dosub(sed_eval_t *eval, char *rhsbuf, int n, - *sp++ = c; - if (sp >= eval->genbuf + eval->gsize) { - /* expand genbuf and set the sp appropriately */ -- grow_gen_buffer(eval, eval->gsize + 1024, &sp); -+ rv = grow_gen_buffer(eval, eval->gsize + 1024, &sp); -+ if (rv != APR_SUCCESS) { -+ return rv; -+ } - } - } - lp = step_vars->loc2; - step_vars->loc2 = sp - eval->genbuf + eval->linebuf; -- append_to_genbuf(eval, lp, &sp); -- copy_to_linebuf(eval, eval->genbuf, step_vars); -+ rv = append_to_genbuf(eval, lp, &sp); -+ if (rv != 
APR_SUCCESS) { -+ return rv; -+ } -+ rv = copy_to_linebuf(eval, eval->genbuf, step_vars); - return rv; - } - -@@ -695,7 +751,10 @@ static char *place(sed_eval_t *eval, char *asp, char *al1, char *al2) - apr_size_t reqsize = (sp - eval->genbuf) + n + 1; - - if (eval->gsize < reqsize) { -- grow_gen_buffer(eval, reqsize, &sp); -+ apr_status_t rc = grow_gen_buffer(eval, reqsize, &sp); -+ if (rc != APR_SUCCESS) { -+ return NULL; -+ } - } - memcpy(sp, al1, n); - return sp + n; -@@ -750,7 +809,8 @@ static apr_status_t command(sed_eval_t *eval, sed_reptr_t *ipc, - } - - p1++; -- copy_to_linebuf(eval, p1, step_vars); -+ rv = copy_to_linebuf(eval, p1, step_vars); -+ if (rv != APR_SUCCESS) return rv; - eval->jflag++; - break; - -@@ -760,21 +820,27 @@ static apr_status_t command(sed_eval_t *eval, sed_reptr_t *ipc, - break; - - case GCOM: -- copy_to_linebuf(eval, eval->holdbuf, step_vars); -+ rv = copy_to_linebuf(eval, eval->holdbuf, step_vars); -+ if (rv != APR_SUCCESS) return rv; - break; - - case CGCOM: -- append_to_linebuf(eval, "\n", step_vars); -- append_to_linebuf(eval, eval->holdbuf, step_vars); -+ rv = append_to_linebuf(eval, "\n", step_vars); -+ if (rv != APR_SUCCESS) return rv; -+ rv = append_to_linebuf(eval, eval->holdbuf, step_vars); -+ if (rv != APR_SUCCESS) return rv; - break; - - case HCOM: -- copy_to_holdbuf(eval, eval->linebuf); -+ rv = copy_to_holdbuf(eval, eval->linebuf); -+ if (rv != APR_SUCCESS) return rv; - break; - - case CHCOM: -- append_to_holdbuf(eval, "\n"); -- append_to_holdbuf(eval, eval->linebuf); -+ rv = append_to_holdbuf(eval, "\n"); -+ if (rv != APR_SUCCESS) return rv; -+ rv = append_to_holdbuf(eval, eval->linebuf); -+ if (rv != APR_SUCCESS) return rv; - break; - - case ICOM: -@@ -896,7 +962,8 @@ static apr_status_t command(sed_eval_t *eval, sed_reptr_t *ipc, - if (rv != APR_SUCCESS) - return rv; - } -- append_to_linebuf(eval, "\n", step_vars); -+ rv = append_to_linebuf(eval, "\n", step_vars); -+ if (rv != APR_SUCCESS) return rv; - 
eval->pending = ipc->next; - break; - -@@ -970,9 +1037,12 @@ static apr_status_t command(sed_eval_t *eval, sed_reptr_t *ipc, - break; - - case XCOM: -- copy_to_genbuf(eval, eval->linebuf); -- copy_to_linebuf(eval, eval->holdbuf, step_vars); -- copy_to_holdbuf(eval, eval->genbuf); -+ rv = copy_to_genbuf(eval, eval->linebuf); -+ if (rv != APR_SUCCESS) return rv; -+ rv = copy_to_linebuf(eval, eval->holdbuf, step_vars); -+ if (rv != APR_SUCCESS) return rv; -+ rv = copy_to_holdbuf(eval, eval->genbuf); -+ if (rv != APR_SUCCESS) return rv; - break; - - case YCOM: --- -1.8.3.1 - diff --git a/backport-CVE-2022-30556.patch b/backport-CVE-2022-30556.patch deleted file mode 100644 index 4d54d14906b678392732944cf7a0282b56d18398..0000000000000000000000000000000000000000 --- a/backport-CVE-2022-30556.patch +++ /dev/null 
@@ -1,246 +0,0 @@ -From 11a3fcbf9e64239d8fe8402d941bbdcbc4532c88 Mon Sep 17 00:00:00 2001 -From: covener -Date: Wed Jun 1 12:36:13 2022 UTC -Subject: [PATCH] use filters consistently - ---- - modules/lua/lua_request.c | 145 +++++++++++++++++----------------------------- - 1 file changed, 54 insertions(+), 91 deletions(-) - -diff --git a/modules/lua/lua_request.c b/modules/lua/lua_request.c -index 1eab7b6..a7e501b 100644 ---- a/modules/lua/lua_request.c -+++ b/modules/lua/lua_request.c -@@ -2227,23 +2227,20 @@ static int lua_websocket_greet(lua_State *L) - return 0; - } - --static apr_status_t lua_websocket_readbytes(conn_rec* c, char* buffer, -- apr_off_t len) -+static apr_status_t lua_websocket_readbytes(conn_rec* c, -+ apr_bucket_brigade *brigade, -+ char* buffer, apr_off_t len) - { -- apr_bucket_brigade *brigade = apr_brigade_create(c->pool, c->bucket_alloc); -+ apr_size_t delivered; - apr_status_t rv; -+ - rv = ap_get_brigade(c->input_filters, brigade, AP_MODE_READBYTES, - APR_BLOCK_READ, len); - if (rv == APR_SUCCESS) { -- if (!APR_BRIGADE_EMPTY(brigade)) { -- apr_bucket* bucket = APR_BRIGADE_FIRST(brigade); -- const char* data = NULL; -- apr_size_t data_length = 0; -- rv = apr_bucket_read(bucket, &data, &data_length, APR_BLOCK_READ); -- if (rv == APR_SUCCESS) { -- memcpy(buffer, data, len); -- } -- apr_bucket_delete(bucket); -+ delivered = len; -+ rv = apr_brigade_flatten(brigade, buffer, &delivered); -+ if ((rv == APR_SUCCESS) && (delivered < len)) { -+ rv = APR_INCOMPLETE; - } - } - apr_brigade_cleanup(brigade); -@@ -2273,35 +2270,29 @@ static int lua_websocket_peek(lua_State *L) - - static int lua_websocket_read(lua_State *L) - { -- apr_socket_t *sock; - apr_status_t rv; - int do_read = 1; - int n = 0; -- apr_size_t len = 1; - apr_size_t plen = 0; - unsigned short payload_short = 0; - apr_uint64_t payload_long = 0; - unsigned char *mask_bytes; - char byte; -- int plaintext; -- - -- request_rec *r = ap_lua_check_request_rec(L, 1); -- plaintext = 
ap_lua_ssl_is_https(r->connection) ? 0 : 1; -+ apr_bucket_brigade *brigade; -+ conn_rec* c; - -+ request_rec *r = ap_lua_check_request_rec(L, 1); -+ c = r->connection; - - mask_bytes = apr_pcalloc(r->pool, 4); -- sock = ap_get_conn_socket(r->connection); -+ -+ brigade = apr_brigade_create(r->pool, c->bucket_alloc); - - while (do_read) { - do_read = 0; - /* Get opcode and FIN bit */ -- if (plaintext) { -- rv = apr_socket_recv(sock, &byte, &len); -- } -- else { -- rv = lua_websocket_readbytes(r->connection, &byte, 1); -- } -+ rv = lua_websocket_readbytes(c, brigade, &byte, 1); - if (rv == APR_SUCCESS) { - unsigned char ubyte, fin, opcode, mask, payload; - ubyte = (unsigned char)byte; -@@ -2311,12 +2302,7 @@ static int lua_websocket_read(lua_State *L) - opcode = ubyte & 0xf; - - /* Get the payload length and mask bit */ -- if (plaintext) { -- rv = apr_socket_recv(sock, &byte, &len); -- } -- else { -- rv = lua_websocket_readbytes(r->connection, &byte, 1); -- } -+ rv = lua_websocket_readbytes(c, brigade, &byte, 1); - if (rv == APR_SUCCESS) { - ubyte = (unsigned char)byte; - /* Mask is the first bit */ -@@ -2327,40 +2313,25 @@ static int lua_websocket_read(lua_State *L) - - /* Extended payload? */ - if (payload == 126) { -- len = 2; -- if (plaintext) { -- /* XXX: apr_socket_recv does not receive len bits, only up to len bits! */ -- rv = apr_socket_recv(sock, (char*) &payload_short, &len); -- } -- else { -- rv = lua_websocket_readbytes(r->connection, -- (char*) &payload_short, 2); -- } -- payload_short = ntohs(payload_short); -- -- if (rv == APR_SUCCESS) { -- plen = payload_short; -- } -- else { -+ rv = lua_websocket_readbytes(c, brigade, -+ (char*) &payload_short, 2); -+ -+ if (rv != APR_SUCCESS) { - return 0; - } -+ -+ plen = ntohs(payload_short); - } - /* Super duper extended payload? 
*/ - if (payload == 127) { -- len = 8; -- if (plaintext) { -- rv = apr_socket_recv(sock, (char*) &payload_long, &len); -- } -- else { -- rv = lua_websocket_readbytes(r->connection, -- (char*) &payload_long, 8); -- } -- if (rv == APR_SUCCESS) { -- plen = ap_ntoh64(&payload_long); -- } -- else { -+ rv = lua_websocket_readbytes(c, brigade, -+ (char*) &payload_long, 8); -+ -+ if (rv != APR_SUCCESS) { - return 0; - } -+ -+ plen = ap_ntoh64(&payload_long); - } - ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(03210) - "Websocket: Reading %" APR_SIZE_T_FMT " (%s) bytes, masking is %s. %s", -@@ -2369,46 +2340,27 @@ static int lua_websocket_read(lua_State *L) - mask ? "on" : "off", - fin ? "This is a final frame" : "more to follow"); - if (mask) { -- len = 4; -- if (plaintext) { -- rv = apr_socket_recv(sock, (char*) mask_bytes, &len); -- } -- else { -- rv = lua_websocket_readbytes(r->connection, -- (char*) mask_bytes, 4); -- } -+ rv = lua_websocket_readbytes(c, brigade, -+ (char*) mask_bytes, 4); -+ - if (rv != APR_SUCCESS) { - return 0; - } - } - if (plen < (HUGE_STRING_LEN*1024) && plen > 0) { - apr_size_t remaining = plen; -- apr_size_t received; -- apr_off_t at = 0; - char *buffer = apr_palloc(r->pool, plen+1); - buffer[plen] = 0; - -- if (plaintext) { -- while (remaining > 0) { -- received = remaining; -- rv = apr_socket_recv(sock, buffer+at, &received); -- if (received > 0 ) { -- remaining -= received; -- at += received; -- } -- } -- ap_log_rerror(APLOG_MARK, APLOG_TRACE1, 0, r, -- "Websocket: Frame contained %" APR_OFF_T_FMT " bytes, pushed to Lua stack", -- at); -- } -- else { -- rv = lua_websocket_readbytes(r->connection, buffer, -- remaining); -- ap_log_rerror(APLOG_MARK, APLOG_TRACE1, 0, r, -- "Websocket: SSL Frame contained %" APR_SIZE_T_FMT " bytes, "\ -- "pushed to Lua stack", -- remaining); -+ rv = lua_websocket_readbytes(c, brigade, buffer, remaining); -+ -+ if (rv != APR_SUCCESS) { -+ return 0; - } -+ -+ ap_log_rerror(APLOG_MARK, APLOG_TRACE1, 0, r, -+ 
"Websocket: Frame contained %" APR_SIZE_T_FMT \ -+ " bytes, pushed to Lua stack", remaining); - if (mask) { - for (n = 0; n < plen; n++) { - buffer[n] ^= mask_bytes[n%4]; -@@ -2420,14 +2372,25 @@ static int lua_websocket_read(lua_State *L) - return 2; - } - -- - /* Decide if we need to react to the opcode or not */ - if (opcode == 0x09) { /* ping */ - char frame[2]; -- plen = 2; -+ apr_bucket *b; -+ - frame[0] = 0x8A; - frame[1] = 0; -- apr_socket_send(sock, frame, &plen); /* Pong! */ -+ -+ /* Pong! */ -+ b = apr_bucket_transient_create(frame, 2, c->bucket_alloc); -+ APR_BRIGADE_INSERT_TAIL(brigade, b); -+ -+ rv = ap_pass_brigade(c->output_filters, brigade); -+ apr_brigade_cleanup(brigade); -+ -+ if (rv != APR_SUCCESS) { -+ return 0; -+ } -+ - do_read = 1; - } - } --- -1.8.3.1 - diff --git a/backport-CVE-2022-31813.patch b/backport-CVE-2022-31813.patch deleted file mode 100644 index 962dd6bd57d36fdcdf5edef0b07de7bea583c0a4..0000000000000000000000000000000000000000 --- a/backport-CVE-2022-31813.patch +++ /dev/null 
@@ -1,243 +0,0 @@
-From 956f708b094698ac9ad570d640d4f30eb0df7305 Mon Sep 17 00:00:00 2001
-From: icing
-Date: Wed Jun 1 07:51:04 2022 UTC
-Subject: [PATCH] mod_proxy: ap_proxy_create_hdrbrgd() to clear hop-by-hop first and fixup last.
-
----
- modules/proxy/proxy_util.c | 155 +++++++++++++++++++++++----------------------
- 1 file changed, 78 insertions(+), 77 deletions(-)
-
-diff --git a/modules/proxy/proxy_util.c b/modules/proxy/proxy_util.c
-index d578452..4f1610f 100644
---- a/modules/proxy/proxy_util.c
-+++ b/modules/proxy/proxy_util.c
-@@ -3849,12 +3849,14 @@ PROXY_DECLARE(int) ap_proxy_create_hdrbrgd(apr_pool_t *p,
- char **old_cl_val,
- char **old_te_val)
- {
-+ int rc = OK;
- conn_rec *c = r->connection;
- int counter;
- char *buf;
-+ apr_table_t *saved_headers_in = r->headers_in;
-+ const char *saved_host = apr_table_get(saved_headers_in, "Host");
- const apr_array_header_t *headers_in_array;
- const apr_table_entry_t *headers_in;
-- apr_table_t *saved_headers_in;
- apr_bucket *e;
- int do_100_continue;
- conn_rec *origin = p_conn->connection;
-@@ -3890,6 +3892,52 @@ PROXY_DECLARE(int) ap_proxy_create_hdrbrgd(apr_pool_t *p,
- ap_xlate_proto_to_ascii(buf, strlen(buf));
- e = apr_bucket_pool_create(buf, strlen(buf), p, c->bucket_alloc);
- APR_BRIGADE_INSERT_TAIL(header_brigade, e);
-+
-+ /*
-+ * Make a copy on r->headers_in for the request we make to the backend,
-+ * modify the copy in place according to our configuration and connection
-+ * handling, use it to fill in the forwarded headers' brigade, and finally
-+ * restore the saved/original ones in r->headers_in.
-+ *
-+ * Note: We need to take r->pool for apr_table_copy as the key / value
-+ * pairs in r->headers_in have been created out of r->pool and
-+ * p might be (and actually is) a longer living pool.
-+ * This would trigger the bad pool ancestry abort in apr_table_copy if
-+ * apr is compiled with APR_POOL_DEBUG.
-+ *
-+ * icing: if p indeed lives longer than r->pool, we should allocate
-+ * all new header values from r->pool as well and avoid leakage.
-+ */
-+ r->headers_in = apr_table_copy(r->pool, saved_headers_in);
-+
-+ /* Return the original Transfer-Encoding and/or Content-Length values
-+ * then drop the headers, they must be set by the proxy handler based
-+ * on the actual body being forwarded.
-+ */
-+ if ((*old_te_val = (char *)apr_table_get(r->headers_in,
-+ "Transfer-Encoding"))) {
-+ apr_table_unset(r->headers_in, "Transfer-Encoding");
-+ }
-+ if ((*old_cl_val = (char *)apr_table_get(r->headers_in,
-+ "Content-Length"))) {
-+ apr_table_unset(r->headers_in, "Content-Length");
-+ }
-+
-+ /* Clear out hop-by-hop request headers not to forward */
-+ if (ap_proxy_clear_connection(r, r->headers_in) < 0) {
-+ rc = HTTP_BAD_REQUEST;
-+ goto cleanup;
-+ }
-+
-+ /* RFC2616 13.5.1 says we should strip these */
-+ apr_table_unset(r->headers_in, "Keep-Alive");
-+ apr_table_unset(r->headers_in, "Upgrade");
-+ apr_table_unset(r->headers_in, "Trailer");
-+ apr_table_unset(r->headers_in, "TE");
-+
-+ /* We used to send `Host: ` always first, so let's keep it that
-+ * way. No telling which legacy backend is relying no this.
-+ */
- if (dconf->preserve_host == 0) {
- if (ap_strchr_c(uri->hostname, ':')) { /* if literal IPv6 address */
- if (uri->port_str && uri->port != DEFAULT_HTTP_PORT) {
-@@ -3911,7 +3959,7 @@ PROXY_DECLARE(int) ap_proxy_create_hdrbrgd(apr_pool_t *p,
- /* don't want to use r->hostname, as the incoming header might have a
- * port attached
- */
-- const char* hostname = apr_table_get(r->headers_in,"Host");
-+ const char* hostname = saved_host;
- if (!hostname) {
- hostname = r->server->server_hostname;
- ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01092)
-@@ -3925,22 +3973,8 @@ PROXY_DECLARE(int) ap_proxy_create_hdrbrgd(apr_pool_t *p,
- ap_xlate_proto_to_ascii(buf, strlen(buf));
- e = apr_bucket_pool_create(buf, strlen(buf), p, c->bucket_alloc);
- APR_BRIGADE_INSERT_TAIL(header_brigade, e);
--
-- /*
-- * Save the original headers in here and restore them when leaving, since
-- * we will apply proxy purpose only modifications (eg. clearing hop-by-hop
-- * headers, add Via or X-Forwarded-* or Expect...), whereas the originals
-- * will be needed later to prepare the correct response and logging.
-- *
-- * Note: We need to take r->pool for apr_table_copy as the key / value
-- * pairs in r->headers_in have been created out of r->pool and
-- * p might be (and actually is) a longer living pool.
-- * This would trigger the bad pool ancestry abort in apr_table_copy if
-- * apr is compiled with APR_POOL_DEBUG.
-- */
-- saved_headers_in = r->headers_in;
-- r->headers_in = apr_table_copy(r->pool, saved_headers_in);
--
-+ apr_table_unset(r->headers_in, "Host");
-+
- /* handle Via */
- if (conf->viaopt == via_block) {
- /* Block all outgoing Via: headers */
-@@ -4006,8 +4040,6 @@ PROXY_DECLARE(int) ap_proxy_create_hdrbrgd(apr_pool_t *p,
- */
- if (dconf->add_forwarded_headers) {
- if (PROXYREQ_REVERSE == r->proxyreq) {
-- const char *buf;
--
- /* Add X-Forwarded-For: so that the upstream has a chance to
- * determine, where the original request came from.
- */ -@@ -4017,8 +4049,9 @@ PROXY_DECLARE(int) ap_proxy_create_hdrbrgd(apr_pool_t *p, - /* Add X-Forwarded-Host: so that upstream knows what the - * original request hostname was. - */ -- if ((buf = apr_table_get(r->headers_in, "Host"))) { -- apr_table_mergen(r->headers_in, "X-Forwarded-Host", buf); -+ if (saved_host) { -+ apr_table_mergen(r->headers_in, "X-Forwarded-Host", -+ saved_host); - } - - /* Add X-Forwarded-Server: so that upstream knows what the -@@ -4029,67 +4062,37 @@ PROXY_DECLARE(int) ap_proxy_create_hdrbrgd(apr_pool_t *p, - r->server->server_hostname); - } - } -+ -+ /* Do we want to strip Proxy-Authorization ? -+ * If we haven't used it, then NO -+ * If we have used it then MAYBE: RFC2616 says we MAY propagate it. -+ * So let's make it configurable by env. -+ */ -+ if (r->user != NULL /* we've authenticated */ -+ && !apr_table_get(r->subprocess_env, "Proxy-Chain-Auth")) { -+ apr_table_unset(r->headers_in, "Proxy-Authorization"); -+ } - -- proxy_run_fixups(r); -- if (ap_proxy_clear_connection(r, r->headers_in) < 0) { -- return HTTP_BAD_REQUEST; -+ /* for sub-requests, ignore freshness/expiry headers */ -+ if (r->main) { -+ apr_table_unset(r->headers_in, "If-Match"); -+ apr_table_unset(r->headers_in, "If-Modified-Since"); -+ apr_table_unset(r->headers_in, "If-Range"); -+ apr_table_unset(r->headers_in, "If-Unmodified-Since"); -+ apr_table_unset(r->headers_in, "If-None-Match"); - } -+ -+ /* run hook to fixup the request we are about to send */ -+ proxy_run_fixups(r); - - /* send request headers */ - headers_in_array = apr_table_elts(r->headers_in); - headers_in = (const apr_table_entry_t *) headers_in_array->elts; - for (counter = 0; counter < headers_in_array->nelts; counter++) { - if (headers_in[counter].key == NULL -- || headers_in[counter].val == NULL -- -- /* Already sent */ -- || !ap_cstr_casecmp(headers_in[counter].key, "Host") -- -- /* Clear out hop-by-hop request headers not to send -- * RFC2616 13.5.1 says we should strip these headers -- */ -- 
|| !ap_cstr_casecmp(headers_in[counter].key, "Keep-Alive") -- || !ap_cstr_casecmp(headers_in[counter].key, "TE") -- || !ap_cstr_casecmp(headers_in[counter].key, "Trailer") -- || !ap_cstr_casecmp(headers_in[counter].key, "Upgrade") -- -- ) { -+ || headers_in[counter].val == NULL) { - continue; - } -- /* Do we want to strip Proxy-Authorization ? -- * If we haven't used it, then NO -- * If we have used it then MAYBE: RFC2616 says we MAY propagate it. -- * So let's make it configurable by env. -- */ -- if (!ap_cstr_casecmp(headers_in[counter].key,"Proxy-Authorization")) { -- if (r->user != NULL) { /* we've authenticated */ -- if (!apr_table_get(r->subprocess_env, "Proxy-Chain-Auth")) { -- continue; -- } -- } -- } -- -- /* Skip Transfer-Encoding and Content-Length for now. -- */ -- if (!ap_cstr_casecmp(headers_in[counter].key, "Transfer-Encoding")) { -- *old_te_val = headers_in[counter].val; -- continue; -- } -- if (!ap_cstr_casecmp(headers_in[counter].key, "Content-Length")) { -- *old_cl_val = headers_in[counter].val; -- continue; -- } -- -- /* for sub-requests, ignore freshness/expiry headers */ -- if (r->main) { -- if ( !ap_cstr_casecmp(headers_in[counter].key, "If-Match") -- || !ap_cstr_casecmp(headers_in[counter].key, "If-Modified-Since") -- || !ap_cstr_casecmp(headers_in[counter].key, "If-Range") -- || !ap_cstr_casecmp(headers_in[counter].key, "If-Unmodified-Since") -- || !ap_cstr_casecmp(headers_in[counter].key, "If-None-Match")) { -- continue; -- } -- } - - buf = apr_pstrcat(p, headers_in[counter].key, ": ", - headers_in[counter].val, CRLF, -@@ -4099,11 +4102,9 @@ PROXY_DECLARE(int) ap_proxy_create_hdrbrgd(apr_pool_t *p, - APR_BRIGADE_INSERT_TAIL(header_brigade, e); - } - -- /* Restore the original headers in (see comment above), -- * we won't modify them anymore. -- */ -+cleanup: - r->headers_in = saved_headers_in; -- return OK; -+ return rc; - } - - PROXY_DECLARE(int) ap_proxy_prefetch_input(request_rec *r, --- -1.8.3.1 - 
diff --git a/backport-CVE-2022-36760.patch b/backport-CVE-2022-36760.patch
deleted file mode 100644
index 3964d3b66ce6c24d099beff8604cc634dd3c49cd..0000000000000000000000000000000000000000
--- a/backport-CVE-2022-36760.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From 5efc9507c487c37dfe2a279a4a0335cad701cd5f Mon Sep 17 00:00:00 2001
-From: Eric Covener
-Date: Tue, 10 Jan 2023 09:19:03 PM GMT+0800
-Subject: [PATCH] mod_proxy_ajp:cleanup on error
-
-Conflict:NA
-Reference:https://github.com/apache/httpd/commit/5efc9507c487c37dfe2a279a4a0335cad701cd5f
-
----
- modules/proxy/mod_proxy_ajp.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/modules/proxy/mod_proxy_ajp.c b/modules/proxy/mod_proxy_ajp.c
-index a77a86b..89da918 100644
---- a/modules/proxy/mod_proxy_ajp.c
-+++ b/modules/proxy/mod_proxy_ajp.c
-@@ -256,6 +256,8 @@ static int ap_proxy_ajp_request(apr_pool_t *p, request_rec *r,
- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10396)
- "%s Transfer-Encoding is not supported",
- tenc);
-+ /* We had a failure : Close connection to backend */
-+ conn->close = 1;
- return HTTP_INTERNAL_SERVER_ERROR;
- }
- } else {
---
-2.23.0
-
diff --git a/backport-CVE-2022-37436.patch b/backport-CVE-2022-37436.patch
deleted file mode 100644
index f73a40d16c3acaa3b414a7c5a1f1620400554b34..0000000000000000000000000000000000000000
--- a/backport-CVE-2022-37436.patch
+++ /dev/null
@@ -1,128 +0,0 @@ -From 2192bd4200083a0d20bf601c2fc9d635e7e4dbfc Mon Sep 17 00:00:00 2001 -From: Eric Covener -Date: Tue, 10 Jan 2023 09:18:42 PM GMT+0800 -Subject: [PATCH] mod_proxy_http:fail on bad header - -Conflict:NA -Reference:https://github.com/apache/httpd/commit/2192bd4200083a0d20bf601c2fc9d635e7e4dbfc - ---- - modules/proxy/mod_proxy_http.c | 46 ++++++++++++++++++++-------------- - server/protocol.c | 2 ++ - 2 files changed, 29 insertions(+), 19 deletions(-) - -diff --git a/modules/proxy/mod_proxy_http.c b/modules/proxy/mod_proxy_http.c -index 3e5c056..2c374e7 100644 ---- a/modules/proxy/mod_proxy_http.c -+++ b/modules/proxy/mod_proxy_http.c -@@ -792,7 +792,7 @@ static void process_proxy_header(request_rec *r, proxy_dir_conf *c, - * any sense at all, since we depend on buffer still containing - * what was read by ap_getline() upon return. - */ --static void ap_proxy_read_headers(request_rec *r, request_rec *rr, -+static apr_status_t ap_proxy_read_headers(request_rec *r, request_rec *rr, - char *buffer, int size, - conn_rec *c, int *pread_len) - { -@@ -824,19 +824,26 @@ static void ap_proxy_read_headers(request_rec *r, request_rec *rr, - rc = ap_proxygetline(tmp_bb, buffer, size, rr, - AP_GETLINE_FOLD | AP_GETLINE_NOSPC_EOL, &len); - -- if (len <= 0) -- break; - -- if (APR_STATUS_IS_ENOSPC(rc)) { -- /* The header could not fit in the provided buffer, warn. -- * XXX: falls through with the truncated header, 5xx instead? -- */ -- int trunc = (len > 128 ? 128 : len) / 2; -- ap_log_rerror(APLOG_MARK, APLOG_WARNING, rc, r, APLOGNO(10124) -- "header size is over the limit allowed by " -- "ResponseFieldSize (%d bytes). " -- "Bad response header: '%.*s[...]%s'", -- size, trunc, buffer, buffer + len - trunc); -+ if (rc != APR_SUCCESS) { -+ if (APR_STATUS_IS_ENOSPC(rc)) { -+ int trunc = (len > 128 ? 128 : len) / 2; -+ ap_log_rerror(APLOG_MARK, APLOG_WARNING, rc, r, APLOGNO(10124) -+ "header size is over the limit allowed by " -+ "ResponseFieldSize (%d bytes). 
" -+ "Bad response header: '%.*s[...]%s'", -+ size, trunc, buffer, buffer + len - trunc); -+ } -+ else { -+ ap_log_rerror(APLOG_MARK, APLOG_WARNING, rc, r, APLOGNO(10404) -+ "Error reading headers from backend"); -+ } -+ r->headers_out = NULL; -+ return rc; -+ } -+ -+ if (len <= 0) { -+ break; - } - else { - ap_log_rerror(APLOG_MARK, APLOG_TRACE4, 0, r, "%s", buffer); -@@ -859,7 +866,7 @@ static void ap_proxy_read_headers(request_rec *r, request_rec *rr, - if (psc->badopt == bad_error) { - /* Nope, it wasn't even an extra HTTP header. Give up. */ - r->headers_out = NULL; -- return; -+ return APR_EINVAL; - } - else if (psc->badopt == bad_body) { - /* if we've already started loading headers_out, then -@@ -873,13 +880,13 @@ static void ap_proxy_read_headers(request_rec *r, request_rec *rr, - "in headers returned by %s (%s)", - r->uri, r->method); - *pread_len = len; -- return; -+ return APR_SUCCESS; - } - else { - ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01099) - "No HTTP headers returned by %s (%s)", - r->uri, r->method); -- return; -+ return APR_SUCCESS; - } - } - } -@@ -909,6 +916,7 @@ static void ap_proxy_read_headers(request_rec *r, request_rec *rr, - process_proxy_header(r, dconf, buffer, value); - saw_headers = 1; - } -+ return APR_SUCCESS; - } - - -@@ -1207,10 +1215,10 @@ int ap_proxy_http_process_response(proxy_http_req_t *req) - "Set-Cookie", NULL); - - /* shove the headers direct into r->headers_out */ -- ap_proxy_read_headers(r, backend->r, buffer, response_field_size, -- origin, &pread_len); -+ rc = ap_proxy_read_headers(r, backend->r, buffer, response_field_size, -+ origin, &pread_len); - -- if (r->headers_out == NULL) { -+ if (rc != APR_SUCCESS || r->headers_out == NULL) { - ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01106) - "bad HTTP/%d.%d header returned by %s (%s)", - major, minor, r->uri, r->method); -diff --git a/server/protocol.c b/server/protocol.c -index 7adc7f7..fa9f3f8 100644 ---- a/server/protocol.c -+++ 
b/server/protocol.c -@@ -508,6 +508,8 @@ cleanup: - /* PR#43039: We shouldn't accept NULL bytes within the line */ - bytes_handled = strlen(*s); - if (bytes_handled < *read) { -+ ap_log_data(APLOG_MARK, APLOG_DEBUG, ap_server_conf, -+ "NULL bytes in headers", *s, *read, 0); - *read = bytes_handled; - if (rv == APR_SUCCESS) { - rv = APR_EINVAL; --- -2.23.0 - diff --git a/backport-CVE-2023-25690.patch b/backport-CVE-2023-25690.patch deleted file mode 100644 index 067c8f6b9977a676808ac7a2684e728bea438fb0..0000000000000000000000000000000000000000 --- a/backport-CVE-2023-25690.patch +++ /dev/null 
@@ -1,205 +0,0 @@
-From d78a166fedd9d02c23e4b71d5f53bd9b2c4b9a51 Mon Sep 17 00:00:00 2001
-From: covener
-Date: Mon, 6 Mar 2023 4:27:31 AM GMT+0800
-Subject: [PATCH] don't forward invalid query strings
-
-Conflict:NA
-Reference:https://github.com/apache/httpd/commit/d78a166fedd9d02c23e4b71d5f53bd9b2c4b9a51
-
----
- modules/http2/mod_proxy_http2.c | 14 ++++++++++++++
- modules/mappers/mod_rewrite.c | 22 ++++++++++++++++++++++
- modules/proxy/mod_proxy_ajp.c | 14 ++++++++++++++
- modules/proxy/mod_proxy_balancer.c | 14 ++++++++++++++
- modules/proxy/mod_proxy_http.c | 14 ++++++++++++++
- modules/proxy/mod_proxy_wstunnel.c | 14 ++++++++++++++
- 6 files changed, 92 insertions(+)
-
-diff --git a/modules/http2/mod_proxy_http2.c b/modules/http2/mod_proxy_http2.c
-index 4ea4fb9..d8a77c8 100644
---- a/modules/http2/mod_proxy_http2.c
-+++ b/modules/http2/mod_proxy_http2.c
-@@ -154,10 +154,24 @@ static int proxy_http2_canon(request_rec *r, char *url)
- if (apr_table_get(r->notes, "proxy-nocanon")) {
- path = url; /* this is the raw path */
- }
-+ else if (apr_table_get(r->notes, "proxy-noencode")) {
-+ path = url; /* this is the encoded path already */
-+ search = r->args;
-+ }
- else {
- path = ap_proxy_canonenc(r->pool, url, (int)strlen(url),
- enc_path, 0, r->proxyreq);
- search = r->args;
-+ if (search && *(ap_scan_vchar_obstext(search))) {
-+ /*
-+ * We have a raw control character or a ' ' in r->args.
-+ * Correct encoding was missed.
-+ */
-+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO()
-+ "To be forwarded query string contains control "
-+ "characters or spaces");
-+ return HTTP_FORBIDDEN;
-+ }
- }
- break;
- case PROXYREQ_PROXY:
-diff --git a/modules/mappers/mod_rewrite.c b/modules/mappers/mod_rewrite.c
-index 80fbc9e..7faaeb7 100644
---- a/modules/mappers/mod_rewrite.c
-+++ b/modules/mappers/mod_rewrite.c
-@@ -4703,6 +4703,17 @@ static int hook_uri2file(request_rec *r)
- unsigned skip;
- apr_size_t flen;
-
-+ if (r->args && *(ap_scan_vchar_obstext(r->args))) {
-+ /*
-+ * We have a raw control character or a ' ' in r->args.
-+ * Correct encoding was missed.
-+ */
-+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10410)
-+ "Rewritten query string contains control "
-+ "characters or spaces");
-+ return HTTP_FORBIDDEN;
-+ }
-+
- if (ACTION_STATUS == rulestatus) {
- int n = r->status;
-
-@@ -4987,6 +4998,17 @@ static int hook_fixup(request_rec *r)
- if (rulestatus) {
- unsigned skip;
-
-+ if (r->args && *(ap_scan_vchar_obstext(r->args))) {
-+ /*
-+ * We have a raw control character or a ' ' in r->args.
-+ * Correct encoding was missed.
-+ */
-+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10411)
-+ "Rewritten query string contains control "
-+ "characters or spaces");
-+ return HTTP_FORBIDDEN;
-+ }
-+
- if (ACTION_STATUS == rulestatus) {
- int n = r->status;
-
-diff --git a/modules/proxy/mod_proxy_ajp.c b/modules/proxy/mod_proxy_ajp.c
-index 89da918..ba41fbd 100644
---- a/modules/proxy/mod_proxy_ajp.c
-+++ b/modules/proxy/mod_proxy_ajp.c
-@@ -65,10 +65,24 @@ static int proxy_ajp_canon(request_rec *r, char *url)
- if (apr_table_get(r->notes, "proxy-nocanon")) {
- path = url; /* this is the raw path */
- }
-+ else if (apr_table_get(r->notes, "proxy-noencode")) {
-+ path = url; /* this is the encoded path already */
-+ search = r->args;
-+ }
- else {
- path = ap_proxy_canonenc(r->pool, url, strlen(url), enc_path, 0,
- r->proxyreq);
- search = r->args;
-+ if (search && *(ap_scan_vchar_obstext(search))) {
-+ /*
-+ * We have a raw control character or a ' ' in r->args.
-+ * Correct encoding was missed.
-+ */
-+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10406)
-+ "To be forwarded query string contains control "
-+ "characters or spaces");
-+ return HTTP_FORBIDDEN;
-+ }
- }
- if (path == NULL)
- return HTTP_BAD_REQUEST;
-diff --git a/modules/proxy/mod_proxy_balancer.c b/modules/proxy/mod_proxy_balancer.c
-index db46952..c8bba0f 100644
---- a/modules/proxy/mod_proxy_balancer.c
-+++ b/modules/proxy/mod_proxy_balancer.c
-@@ -102,10 +102,24 @@ static int proxy_balancer_canon(request_rec *r, char *url)
- if (apr_table_get(r->notes, "proxy-nocanon")) {
- path = url; /* this is the raw path */
- }
-+ else if (apr_table_get(r->notes, "proxy-noencode")) {
-+ path = url; /* this is the encoded path already */
-+ search = r->args;
-+ }
- else {
- path = ap_proxy_canonenc(r->pool, url, strlen(url), enc_path, 0,
- r->proxyreq);
- search = r->args;
-+ if (search && *(ap_scan_vchar_obstext(search))) {
-+ /*
-+ * We have a raw control character or a ' ' in r->args.
-+ * Correct encoding was missed.
-+ */
-+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10407)
-+ "To be forwarded query string contains control "
-+ "characters or spaces");
-+ return HTTP_FORBIDDEN;
-+ }
- }
- if (path == NULL)
- return HTTP_BAD_REQUEST;
-diff --git a/modules/proxy/mod_proxy_http.c b/modules/proxy/mod_proxy_http.c
-index 2e739c0..09269b2 100644
---- a/modules/proxy/mod_proxy_http.c
-+++ b/modules/proxy/mod_proxy_http.c
-@@ -121,10 +121,24 @@ static int proxy_http_canon(request_rec *r, char *url)
- if (apr_table_get(r->notes, "proxy-nocanon")) {
- path = url; /* this is the raw path */
- }
-+ else if (apr_table_get(r->notes, "proxy-noencode")) {
-+ path = url; /* this is the encoded path already */
-+ search = r->args;
-+ }
- else {
- path = ap_proxy_canonenc(r->pool, url, strlen(url),
- enc_path, 0, r->proxyreq);
- search = r->args;
-+ if (search && *(ap_scan_vchar_obstext(search))) {
-+ /*
-+ * We have a raw control character or a ' ' in r->args.
-+ * Correct encoding was missed.
-+ */
-+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10408)
-+ "To be forwarded query string contains control "
-+ "characters or spaces");
-+ return HTTP_FORBIDDEN;
-+ }
- }
- break;
- case PROXYREQ_PROXY:
-diff --git a/modules/proxy/mod_proxy_wstunnel.c b/modules/proxy/mod_proxy_wstunnel.c
-index bcbba42..e2fcba2 100644
---- a/modules/proxy/mod_proxy_wstunnel.c
-+++ b/modules/proxy/mod_proxy_wstunnel.c
-@@ -110,10 +110,24 @@ static int proxy_wstunnel_canon(request_rec *r, char *url)
- if (apr_table_get(r->notes, "proxy-nocanon")) {
- path = url; /* this is the raw path */
- }
-+ else if (apr_table_get(r->notes, "proxy-noencode")) {
-+ path = url; /* this is the encoded path already */
-+ search = r->args;
-+ }
- else {
- path = ap_proxy_canonenc(r->pool, url, strlen(url), enc_path, 0,
- r->proxyreq);
- search = r->args;
-+ if (search && *(ap_scan_vchar_obstext(search))) {
-+ /*
-+ * We have a raw control character or a ' ' in r->args.
-+ * Correct encoding was missed.
-+ */
-+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10409)
-+ "To be forwarded query string contains control "
-+ "characters or spaces");
-+ return HTTP_FORBIDDEN;
-+ }
- }
- if (path == NULL)
- return HTTP_BAD_REQUEST;
---
-2.27.0
-
diff --git a/backport-CVE-2023-27522.patch b/backport-CVE-2023-27522.patch
deleted file mode 100644
index b9a6ea6be397e1f850255ce7d0a0776549639df5..0000000000000000000000000000000000000000
--- a/backport-CVE-2023-27522.patch
+++ /dev/null
@@ -1,104 +0,0 @@ -From 0df5879df8f16b4101ea2365672178b4ae899e9e Mon Sep 17 00:00:00 2001 -From: ylavic -Date: Thu, 2 Mar 2023 11:10:54 PM GMT+0800 -Subject: [PATCH] mod_proxy_uwsgi:Stricter backend HTTP response parsing/validation - -Conflict:NA -Reference:https://github.com/apache/httpd/commit/0df5879df8f16b4101ea2365672178b4ae899e9e - ---- - modules/proxy/mod_proxy_uwsgi.c | 49 +++++++++++++++++++++++---------- - 1 file changed, 35 insertions(+), 14 deletions(-) - -diff --git a/modules/proxy/mod_proxy_uwsgi.c b/modules/proxy/mod_proxy_uwsgi.c -index 4d7589c..cc21e38 100644 ---- a/modules/proxy/mod_proxy_uwsgi.c -+++ b/modules/proxy/mod_proxy_uwsgi.c -@@ -307,18 +307,16 @@ static int uwsgi_response(request_rec *r, proxy_conn_rec * backend, - pass_bb = apr_brigade_create(r->pool, c->bucket_alloc); - - len = ap_getline(buffer, sizeof(buffer), rp, 1); -- - if (len <= 0) { -- /* oops */ -+ /* invalid or empty */ - return HTTP_INTERNAL_SERVER_ERROR; - } -- - backend->worker->s->read += len; -- -- if (len >= sizeof(buffer) - 1) { -- /* oops */ -+ if ((apr_size_t)len >= sizeof(buffer)) { -+ /* too long */ - return HTTP_INTERNAL_SERVER_ERROR; - } -+ - /* Position of http status code */ - if (apr_date_checkmask(buffer, "HTTP/#.# ###*")) { - status_start = 9; -@@ -327,8 +325,8 @@ static int uwsgi_response(request_rec *r, proxy_conn_rec * backend, - status_start = 7; - } - else { -- /* oops */ -- return HTTP_INTERNAL_SERVER_ERROR; -+ /* not HTTP */ -+ return HTTP_BAD_GATEWAY; - } - status_end = status_start + 3; - -@@ -348,21 +346,44 @@ static int uwsgi_response(request_rec *r, proxy_conn_rec * backend, - } - r->status_line = apr_pstrdup(r->pool, &buffer[status_start]); - -- /* start parsing headers */ -+ /* parse headers */ - while ((len = ap_getline(buffer, sizeof(buffer), rp, 1)) > 0) { -+ if ((apr_size_t)len >= sizeof(buffer)) { -+ /* too long */ -+ len = -1; -+ break; -+ } - value = strchr(buffer, ':'); -- /* invalid header skip */ -- if (!value) -- continue; -- *value 
= '\0'; -- ++value; -+ if (!value) { -+ /* invalid header */ -+ len = -1; -+ break; -+ } -+ *value++ = '\0'; -+ if (*ap_scan_http_token(buffer)) { -+ /* invalid name */ -+ len = -1; -+ break; -+ } - while (apr_isspace(*value)) - ++value; - for (end = &value[strlen(value) - 1]; - end > value && apr_isspace(*end); --end) - *end = '\0'; -+ if (*ap_scan_http_field_content(value)) { -+ /* invalid value */ -+ len = -1; -+ break; -+ } - apr_table_add(r->headers_out, buffer, value); - } -+ if (len < 0) { -+ /* Reset headers, but not to NULL because things below the chain expect -+ * this to be non NULL e.g. the ap_content_length_filter. -+ */ -+ r->headers_out = apr_table_make(r->pool, 1); -+ return HTTP_BAD_GATEWAY; -+ } - - if ((buf = apr_table_get(r->headers_out, "Content-Type"))) { - ap_set_content_type(r, apr_pstrdup(r->pool, buf)); --- -2.27.0 - diff --git a/backport-Handle-children-killed-pathologically.patch b/backport-Handle-children-killed-pathologically.patch deleted file mode 100644 index 2096d4d29aa3c9ef8943462de61a75d235771873..0000000000000000000000000000000000000000 --- a/backport-Handle-children-killed-pathologically.patch +++ /dev/null 
@@ -1,108 +0,0 @@
-From 5f33010a643ac7c67b7733484797d41366e328ecdb Mon Sep 17 00:00:00 2001
-From: icing
-Date: Tue, 30 Aug 2022 14:47:19 +0800
-Subject: [PATCH] Handle children killed pathologically
-
-Conflict:NA
-Reference:https://github.com/apache/httpd/commit/5f3010a643ac7c67b733484797d41366e328ecdb
-
----
- server/mpm/event/event.c | 26 +++++++++++++++++++++++---
- server/mpm/worker/worker.c | 26 +++++++++++++++++++++++---
- 2 files changed, 46 insertions(+), 6 deletions(-)
-
-diff --git a/server/mpm/event/event.c b/server/mpm/event/event.c
-index dddff35..5969c88 100644
---- a/server/mpm/event/event.c
-+++ b/server/mpm/event/event.c
-@@ -2983,6 +2983,7 @@ static void perform_idle_server_maintenance(int child_bucket, int num_buckets)
-
- static void server_main_loop(int remaining_children_to_start, int num_buckets)
- {
-+ int successive_kills = 0;
- int child_slot;
- apr_exit_why_e exitwhy;
- int status, processed_status;
-@@ -3072,11 +3073,30 @@ static void server_main_loop(int remaining_children_to_start, int num_buckets)
- /* Don't perform idle maintenance when a child dies,
- * only do it when there's a timeout. Remember only a
- * finite number of children can die, and it's pretty
-- * pathological for a lot to die suddenly.
-+ * pathological for a lot to die suddenly. If a child is
-+ * killed by a signal (faulting) we want to restart it ASAP
-+ * though, up to 3 successive faults or we stop this until
-+ * a timeout happens again (to avoid the flood of fork()ed
-+ * process that keep being killed early).
- */
-- continue;
-+ if (child_slot < 0 || !APR_PROC_CHECK_SIGNALED(exitwhy)) {
-+ continue;
-+ }
-+ if (++successive_kills >= 3) {
-+ if (successive_kills % 10 == 3) {
-+ ap_log_error(APLOG_MARK, APLOG_WARNING, 0,
-+ ap_server_conf, APLOGNO(10392)
-+ "children are killed successively!");
-+ }
-+ continue;
-+ }
-+ ++remaining_children_to_start;
-+ }
-+ else {
-+ successive_kills = 0;
- }
-- else if (remaining_children_to_start) {
-+
-+ if (remaining_children_to_start) {
- /* we hit a 1 second timeout in which none of the previous
- * generation of children needed to be reaped... so assume
- * they're all done, and pick up the slack if any is left.
-diff --git a/server/mpm/worker/worker.c b/server/mpm/worker/worker.c
-index bd56f61..30d5aeb 100644
---- a/server/mpm/worker/worker.c
-+++ b/server/mpm/worker/worker.c
-@@ -1569,6 +1569,7 @@ static void perform_idle_server_maintenance(int child_bucket, int num_buckets)
-
- static void server_main_loop(int remaining_children_to_start, int num_buckets)
- {
-+ int successive_kills = 0;
- ap_generation_t old_gen;
- int child_slot;
- apr_exit_why_e exitwhy;
-@@ -1663,11 +1664,30 @@ static void server_main_loop(int remaining_children_to_start, int num_buckets)
- /* Don't perform idle maintenance when a child dies,
- * only do it when there's a timeout. Remember only a
- * finite number of children can die, and it's pretty
-- * pathological for a lot to die suddenly.
-+ * pathological for a lot to die suddenly. If a child is
-+ * killed by a signal (faulting) we want to restart if ASAP
-+ * though, up to 3 successive faults or we stop this until
-+ * a timeout happens again (to avoid the flood of fork()ed
-+ * processes that keep being killed early).
- */
-- continue;
-+ if (child_slot < 0 || !APR_PROC_CHECK_SIGNALED(exitwhy)) {
-+ continue;
-+ }
-+ if (++successive_kills >= 3) {
-+ if (successive_kills % 10 == 3) {
-+ ap_log_error(APLOG_MARK, APLOG_WARNING, 0,
-+ ap_server_conf, APLOGNO(10392)
-+ "children are killed successively!");
-+ }
-+ continue;
-+ }
-+ ++remaining_children_to_start;
-+ }
-+ else {
-+ successive_kills = 0;
- }
-- else if (remaining_children_to_start) {
-+
-+ if (remaining_children_to_start) {
- /* we hit a 1 second timeout in which none of the previous
- * generation of children needed to be reaped... so assume
- * they're all done, and pick up the slack if any is left.
---
-2.23.0
-
diff --git a/backport-Harden-mod_session-and-avoid-overflow-of-large-session.patch b/backport-Harden-mod_session-and-avoid-overflow-of-large-session.patch
deleted file mode 100644
index a08eb83c75f370e6ed800c617e270936e47426ee..0000000000000000000000000000000000000000
--- a/backport-Harden-mod_session-and-avoid-overflow-of-large-session.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From 0befd97dfe19e23921b4cc5412d6177f2cab6aac Mon Sep 17 00:00:00 2001
-From: jimjag
-Date: Tue May 17 18:14:29 2022 UTC
-Subject: [PATCH] mod_session:Harden mod_session and avoid overflow of large session
-
-Conflict:NA
-Reference:https://github.com/apache/httpd/commit/0befd97dfe19e23921b4cc5412d6177f2cab6aac
-
----
- modules/session/mod_session.c | 9 ++++++---
- 1 file changed, 6 insertions(+), 3 deletions(-)
-
-diff --git a/modules/session/mod_session.c b/modules/session/mod_session.c
-index ec4ac2e..fa8d406 100644
---- a/modules/session/mod_session.c
-+++ b/modules/session/mod_session.c
-@@ -317,7 +317,8 @@ static apr_status_t ap_session_set(request_rec * r, session_rec * z,
-
- static int identity_count(void *v, const char *key, const char *val)
- {
-- int *count = v;
-+ apr_size_t *count = v;
-+
- *count += strlen(key) * 3 + strlen(val) * 3 + 2;
- return 1;
- }
-@@ -325,7 +326,8 @@ static int identity_count(void *v, const char *key, const char *val)
- static int identity_concat(void *v, const char *key, const char *val)
- {
- char *slider = v;
-- int length = strlen(slider);
-+ apr_size_t length = strlen(slider);
-+
- slider += length;
- if (length) {
- *slider = '&';
-@@ -355,7 +357,8 @@ static int identity_concat(void *v, const char *key, const char *val)
- static apr_status_t session_identity_encode(request_rec * r, session_rec * z)
- {
- char *buffer = NULL;
-- int length = 0;
-+ apr_size_t length = 0;
-+
- if (z->expiry) {
- char *expiry = apr_psprintf(z->pool, "%" APR_INT64_T_FMT, z->expiry);
- apr_table_setn(z->entries, SESSION_EXPIRY, expiry);
---
-2.23.0
-
diff --git a/backport-Merge-r1589986-r1589995-r1633528-from-trunk.patch b/backport-Merge-r1589986-r1589995-r1633528-from-trunk.patch
deleted file mode 100644
index 553a5d4660904f0c697835c7a49223727ee04084..0000000000000000000000000000000000000000
--- a/backport-Merge-r1589986-r1589995-r1633528-from-trunk.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-From 73ce13be5aa9ae541472bc6a8a2f7de8dd2db34 Mon Sep 17 00:00:00 2001
-From: Christophe Jaillet
-Date: Sat, 19 Feb 2022 13:47:02 UTC
-Subject: [PATCH] Merge r1589986 r1589985 r1633528 from trunk
-
- *) Add the ldap function to the expression API, allowing ldap filters
- and distinguished names based on expression to be excaped correctly
- to guared against LDAP injection.
-
-Conflict:NA
-Reference:https://github.com/apache/httpd/commit/73ce13be5aa9ae5414772bc6a8a2f7de8dd2db34
-
----
- server/util_expr_eval.c | 16 +++++++++++++++-
- 1 file changed, 15 insertions(+), 1 deletion(-)
-
-diff --git a/server/util_expr_eval.c b/server/util_expr_eval.c
-index 2e031d0..75295ba 100644
---- a/server/util_expr_eval.c
-+++ b/server/util_expr_eval.c
-@@ -32,6 +32,10 @@
- #include "apr_fnmatch.h"
- #include "apr_base64.h"
- #include "apr_sha1.h"
-+#include "apr_version.h"
-+#if APR_VERSION_AT_LEAST(1,5,0)
-+#include "apr_escape.h"
-+#endif
-
- #include /* for INT_MAX */
-
-@@ -1087,9 +1091,16 @@ static const char *sha1_func(ap_expr_eval_ctx_t *ctx, const void *data,
- static const char *md5_func(ap_expr_eval_ctx_t *ctx, const void *data,
- const char *arg)
- {
-- return ap_md5(ctx->p, (const unsigned char *)arg);
-+ return ap_md5(ctx->p, (const unsigned char *)arg);
- }
-
-+#if APR_VERSION_AT_LEAST(1,6,0)
-+static const char *ldap_func(ap_expr_eval_ctx_t *ctx, const void *data,
-+ const char *arg)
-+{
-+ return apr_pescape_ldap(ctx->p, arg, APR_ESCAPE_STRING, APR_ESCAPE_LDAP_ALL);
-+}
-+#endif
-
- #define MAX_FILE_SIZE 10*1024*1024
- static const char *file_func(ap_expr_eval_ctx_t *ctx, const void *data,
-@@ -1667,6 +1678,9 @@ static const struct expr_provider_single string_func_providers[] = {
- { unbase64_func, "unbase64", NULL, 0 },
- { sha1_func, "sha1", NULL, 0 },
- { md5_func, "md5", NULL, 0 },
-+#if APR_VERSION_AT_LEAST(1,6,0)
-+ { ldap_func, "ldap", NULL, 0 },
-+#endif
- { NULL, NULL, NULL}
- };
-
---
-2.23.0
-
diff --git a/backport-Report-an-error-if-the-AJP-backend-sends-an-invalid-number-of-headers.patch b/backport-Report-an-error-if-the-AJP-backend-sends-an-invalid-number-of-headers.patch
deleted file mode 100644
index fad6c647fc62228ac8015e27d0ae7a7b93bb729e..0000000000000000000000000000000000000000
--- a/backport-Report-an-error-if-the-AJP-backend-sends-an-invalid-number-of-headers.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 296a99c3102e4dd91153a8fb732275b804f001fc Mon Sep 17 00:00:00 2001
-From: Eric Covener
-Date: Mon, 23 Jan 2023 04:59:22 PM GMT+0800
-Subject: [PATCH] Report an error if the AJP backend sends an invalid number of headers
-
-Conflict:NA
-Reference:https://github.com/apache/httpd/commit/296a99c3102e4dd91153a8fb732275b804f001fc
-
----
- modules/proxy/ajp_header.c | 9 ++++++++-
- 1 file changed, 8 insertions(+), 1 deletion(-)
-
-diff --git a/modules/proxy/ajp_header.c b/modules/proxy/ajp_header.c
-index b4dc47c..a09a2e4 100644
---- a/modules/proxy/ajp_header.c
-+++ b/modules/proxy/ajp_header.c
-@@ -584,8 +584,15 @@ static apr_status_t ajp_unmarshal_response(ajp_msg_t *msg,
- r->headers_out = save_table;
- }
- else {
-- r->headers_out = NULL;
-+ /*
-+ * Reset headers, but not to NULL because things below the chain expect
-+ * this to be non NULL e.g. the ap_content_length_filter.
-+ */
-+ r->headers_out = apr_table_make(r->pool, 1);
- num_headers = 0;
-+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10405)
-+ "ajp_unmarshal_response: Bad number of headers");
-+ return rc;
- }
-
- ap_log_rerror(APLOG_MARK, APLOG_TRACE4, 0, r,
---
-2.27.0
-
diff --git a/backport-Switch-from-PCRE-to-PCRE2.patch b/backport-Switch-from-PCRE-to-PCRE2.patch
deleted file mode 100644
index 5cb4bcbd836a2efcbfe559078687b966ffbc179a..0000000000000000000000000000000000000000
--- a/backport-Switch-from-PCRE-to-PCRE2.patch
+++ /dev/null
@@ -1,313 +0,0 @@
-From 12cfcf08fffc6e4ec597e0396016d09afdb89fa8 Mon Sep 17 00:00:00 2001
-From: wrowe, Petr Pisar
-Date: Fri, DEC 9 19:06:06 2016 UTC
-Subject: [PATCH] backport Switch from PCRE to PCRE2
-
-Conflict:NA
-Reference:https://github.com/apache/httpd/commit/12cfcf08fffc6e4ec597e0396016d09afdb89fa8
-
----
- configure.in | 26 +++++-----
- server/util_pcre.c | 140 +++++++++++++++++++++++++++++++++++++++--------------
- 2 files changed, 118 insertions(+), 48 deletions(-)
-
-diff --git a/configure.in b/configure.in
-index 916377b..db7edc3 100644
---- a/configure.in
-+++ b/configure.in
-@@ -214,29 +214,33 @@ fi
-
- AC_ARG_WITH(pcre,
- APACHE_HELP_STRING(--with-pcre=PATH,Use external PCRE library))
--
--AC_PATH_PROG(PCRE_CONFIG, pcre-config, false)
--if test -d "$with_pcre" && test -x "$with_pcre/bin/pcre-config"; then
-- PCRE_CONFIG=$with_pcre/bin/pcre-config
--elif test -x "$with_pcre"; then
-- PCRE_CONFIG=$with_pcre
-+if test "x$with_pcre" = "x" || test "$with_pcre" = "yes"; then
-+ with_pcre="$PATH"
-+else if which $with_pcre 2>/dev/null; then :; else
-+ with_pcre="$with_pcre/bin:$with_pcre"
-+fi
- fi
-+AC_CHECK_TARGET_TOOLS(PCRE_CONFIG, [pcre2-config pcre-config],
-+ [`which $with_pcre 2>/dev/null`], $with_pcre)
-
--if test "$PCRE_CONFIG" != "false"; then
-+if test "x$PCRE_CONFIG" != "x"; then
- if $PCRE_CONFIG --version >/dev/null 2>&1; then :; else
-- AC_MSG_ERROR([Did not find pcre-config script at $PCRE_CONFIG])
-+ AC_MSG_ERROR([Did not find working script at $PCRE_CONFIG])
- fi
- case `$PCRE_CONFIG --version` in
-+ [1[0-9].*])
-+ AC_DEFINE(HAVE_PCRE2, 1, [Detected PCRE2])
-+ ;;
- [[1-5].*])
-- AC_MSG_ERROR([Need at least pcre version 6.0])
-+ AC_MSG_ERROR([Need at least pcre version 6.7])
- ;;
- esac
- AC_MSG_NOTICE([Using external PCRE library from $PCRE_CONFIG])
- APR_ADDTO(PCRE_INCLUDES, [`$PCRE_CONFIG --cflags`])
-- APR_ADDTO(PCRE_LIBS, [`$PCRE_CONFIG --libs`])
-+ APR_ADDTO(PCRE_LIBS, [`$PCRE_CONFIG --libs8 2>/dev/null || $PCRE_CONFIG --libs`])
-
APR_ADDTO(HTTPD_LIBS, [\$(PCRE_LIBS)])
- else
-- AC_MSG_ERROR([pcre-config for libpcre not found. PCRE is required and available from http://pcre.org/])
-+ AC_MSG_ERROR([pcre(2)-config for libpcre not found. PCRE is required and available from http://pcre.org/])
- fi
- APACHE_SUBST(PCRE_LIBS)
-
-diff --git a/server/util_pcre.c b/server/util_pcre.c
-index 78fc983..0fdf5f9 100644
---- a/server/util_pcre.c
-+++ b/server/util_pcre.c
-@@ -55,10 +55,18 @@ POSSIBILITY OF SUCH DAMAGE.
- #include "httpd.h"
- #include "apr_strings.h"
- #include "apr_tables.h"
-+
-+#ifdef HAVE_PCRE2
-+#define PCRE2_CODE_UNIT_WIDTH 8
-+#include "pcre2.h"
-+#define PCREn(x) PCRE2_ ## x
-+#else
- #include "pcre.h"
-+#define PCREn(x) PCRE_ ## x
-+#endif
-
- /* PCRE_DUPNAMES is only present since version 6.7 of PCRE */
--#ifndef PCRE_DUPNAMES
-+#if !defined(PCRE_DUPNAMES) && !defined(HAVE_PCRE2)
- #error PCRE Version 6.7 or later required!
- #else
-
-@@ -115,7 +123,11 @@ AP_DECLARE(apr_size_t) ap_regerror(int errcode, const ap_regex_t *preg,
-
- AP_DECLARE(void) ap_regfree(ap_regex_t *preg)
- {
-+#ifdef HAVE_PCRE2
-+ pcre2_code_free(preg->re_pcre);
-+#else
- (pcre_free)(preg->re_pcre);
-+#endif
- }
-
-
-@@ -168,25 +180,37 @@ AP_DECLARE(int) ap_regcomp_default_cflag_by_name(const char *name)
- */
- AP_DECLARE(int) ap_regcomp(ap_regex_t * preg, const char *pattern, int cflags)
- {
-+#ifdef HAVE_PCRE2
-+ uint32_t capcount;
-+ size_t erroffset;
-+#else
- const char *errorptr;
- int erroffset;
-+#endif
- int errcode = 0;
-- int options = PCRE_DUPNAMES;
-+ int options = PCREn(DUPNAMES);
-
- if ((cflags & AP_REG_NO_DEFAULT) == 0)
- cflags |= default_cflags;
-
- if ((cflags & AP_REG_ICASE) != 0)
-- options |= PCRE_CASELESS;
-+ options |= PCREn(CASELESS);
- if ((cflags & AP_REG_NEWLINE) != 0)
-- options |= PCRE_MULTILINE;
-+ options |= PCREn(MULTILINE);
- if ((cflags & AP_REG_DOTALL) != 0)
-- options |= PCRE_DOTALL;
-+ options |= PCREn(DOTALL);
- if ((cflags & AP_REG_DOLLAR_ENDONLY) != 0)
-- options |=
PCRE_DOLLAR_ENDONLY;
-+ options |= PCREn(DOLLAR_ENDONLY);
-+
-+#ifdef HAVE_PCRE2
-+ preg->re_pcre = pcre2_compile((const unsigned char *)pattern,
-+ PCRE2_ZERO_TERMINATED, options, &errcode,
-+ &erroffset, NULL);
-+#else
-+ preg->re_pcre = pcre_compile2(pattern, options, &errcode,
-+ &errorptr, &erroffset, NULL);
-+#endif
-
-- preg->re_pcre =
-- pcre_compile2(pattern, options, &errcode, &errorptr, &erroffset, NULL);
- preg->re_erroffset = erroffset;
-
- if (preg->re_pcre == NULL) {
-@@ -199,8 +223,14 @@ AP_DECLARE(int) ap_regcomp(ap_regex_t * preg, const char *pattern, int cflags)
- return AP_REG_INVARG;
- }
-
-+#ifdef HAVE_PCRE2
-+ pcre2_pattern_info((const pcre2_code *)preg->re_pcre,
-+ PCRE2_INFO_CAPTURECOUNT, &capcount);
-+ preg->re_nsub = capcount;
-+#else
- pcre_fullinfo((const pcre *)preg->re_pcre, NULL,
- PCRE_INFO_CAPTURECOUNT, &(preg->re_nsub));
-+#endif
- return 0;
- }
-
-@@ -232,17 +262,29 @@ AP_DECLARE(int) ap_regexec_len(const ap_regex_t *preg, const char *buff,
- {
- int rc;
- int options = 0;
-- int *ovector = NULL;
-+#ifdef HAVE_PCRE2
-+ pcre2_match_data *matchdata;
-+ size_t *ovector;
-+#else
- int small_ovector[POSIX_MALLOC_THRESHOLD * 3];
- int allocated_ovector = 0;
-+ int *ovector = NULL;
-+#endif
-
- if ((eflags & AP_REG_NOTBOL) != 0)
-- options |= PCRE_NOTBOL;
-+ options |= PCREn(NOTBOL);
- if ((eflags & AP_REG_NOTEOL) != 0)
-- options |= PCRE_NOTEOL;
--
-- ((ap_regex_t *)preg)->re_erroffset = (apr_size_t)(-1); /* Only has meaning after compile */
--
-+ options |= PCREn(NOTEOL);
-+
-+#ifdef HAVE_PCRE2
-+ matchdata = pcre2_match_data_create(nmatch, NULL);
-+ if (matchdata == NULL)
-+ return AP_REG_ESPACE;
-+ ovector = pcre2_get_ovector_pointer(matchdata);
-+ rc = pcre2_match((const pcre2_code *)preg->re_pcre,
-+ (const unsigned char *)buff, len,
-+ 0, options, matchdata, NULL);
-+#else
- if (nmatch > 0) {
- if (nmatch <= POSIX_MALLOC_THRESHOLD) {
- ovector = &(small_ovector[0]);
-@@ -257,49 +299,62 @@ AP_DECLARE(int) ap_regexec_len(const
ap_regex_t *preg, const char *buff,
-
- rc = pcre_exec((const pcre *)preg->re_pcre, NULL, buff, (int)len,
- 0, options, ovector, nmatch * 3);
-+#endif
-
- if (rc == 0)
- rc = nmatch; /* All captured slots were filled in */
-
- if (rc >= 0) {
- apr_size_t i;
-- for (i = 0; i < (apr_size_t)rc; i++) {
-+ apr_size_t nlim = (apr_size_t)rc < nmatch ? (apr_size_t)rc : nmatch;
-+ for (i = 0; i < nlim; i++) {
- pmatch[i].rm_so = ovector[i * 2];
- pmatch[i].rm_eo = ovector[i * 2 + 1];
- }
-- if (allocated_ovector)
-- free(ovector);
- for (; i < nmatch; i++)
- pmatch[i].rm_so = pmatch[i].rm_eo = -1;
-+ }
-+
-+#ifdef HAVE_PCRE2
-+ pcre2_match_data_free(matchdata);
-+#else
-+ if (allocated_ovector)
-+ free(ovector);
-+#endif
-+ if (rc >= 0) {
- return 0;
- }
-
- else {
-- if (allocated_ovector)
-- free(ovector);
-+#ifdef HAVE_PCRE2
-+ if (rc <= PCRE2_ERROR_UTF8_ERR1 && rc >= PCRE2_ERROR_UTF8_ERR21)
-+ return AP_REG_INVARG;
-+#endif
- switch (rc) {
-- case PCRE_ERROR_NOMATCH:
-+ case PCREn(ERROR_NOMATCH):
- return AP_REG_NOMATCH;
-- case PCRE_ERROR_NULL:
-+ case PCREn(ERROR_NULL):
- return AP_REG_INVARG;
-- case PCRE_ERROR_BADOPTION:
-+ case PCREn(ERROR_BADOPTION):
- return AP_REG_INVARG;
-- case PCRE_ERROR_BADMAGIC:
-+ case PCREn(ERROR_BADMAGIC):
- return AP_REG_INVARG;
-- case PCRE_ERROR_UNKNOWN_NODE:
-- return AP_REG_ASSERT;
-- case PCRE_ERROR_NOMEMORY:
-+ case PCREn(ERROR_NOMEMORY):
- return AP_REG_ESPACE;
--#ifdef PCRE_ERROR_MATCHLIMIT
-- case PCRE_ERROR_MATCHLIMIT:
-+#if defined(HAVE_PCRE2) || defined(PCRE_ERROR_MATCHLIMIT)
-+ case PCREn(ERROR_MATCHLIMIT):
- return AP_REG_ESPACE;
- #endif
--#ifdef PCRE_ERROR_BADUTF8
-- case PCRE_ERROR_BADUTF8:
-+#if defined(PCRE_ERROR_UNKNOWN_NODE)
-+ case PCRE_ERROR_UNKNOWN_NODE:
-+ return AP_REG_ASSERT;
-+#endif
-+#if defined(PCRE_ERROR_BADUTF8)
-+ case PCREn(ERROR_BADUTF8):
- return AP_REG_INVARG;
- #endif
--#ifdef PCRE_ERROR_BADUTF8_OFFSET
-- case PCRE_ERROR_BADUTF8_OFFSET:
-+#if defined(PCRE_ERROR_BADUTF8_OFFSET)
-+ case
PCREn(ERROR_BADUTF8_OFFSET):
- return AP_REG_INVARG;
- #endif
- default:
-@@ -312,18 +367,29 @@ AP_DECLARE(int) ap_regname(const ap_regex_t *preg,
- apr_array_header_t *names, const char *prefix,
- int upper)
- {
-+ char *nametable;
-+#ifdef HAVE_PCRE2
-+ uint32_t namecount;
-+ uint32_t nameentrysize;
-+ uint32_t i;
-+ pcre2_pattern_info((const pcre2_code *)preg->re_pcre,
-+ PCRE2_INFO_NAMECOUNT, &namecount);
-+ pcre2_pattern_info((const pcre2_code *)preg->re_pcre,
-+ PCRE2_INFO_NAMEENTRYSIZE, &nameentrysize);
-+ pcre2_pattern_info((const pcre2_code *)preg->re_pcre,
-+ PCRE2_INFO_NAMETABLE, &nametable);
-+#else
- int namecount;
- int nameentrysize;
- int i;
-- char *nametable;
-
- pcre_fullinfo((const pcre *)preg->re_pcre, NULL,
-- PCRE_INFO_NAMECOUNT, &namecount);
-+ PCRE_INFO_NAMECOUNT, &namecount);
- pcre_fullinfo((const pcre *)preg->re_pcre, NULL,
-- PCRE_INFO_NAMEENTRYSIZE, &nameentrysize);
-+ PCRE_INFO_NAMEENTRYSIZE, &nameentrysize);
- pcre_fullinfo((const pcre *)preg->re_pcre, NULL,
-- PCRE_INFO_NAMETABLE, &nametable);
--
-+ PCRE_INFO_NAMETABLE, &nametable);
-+#endif
- for (i = 0; i < namecount; i++) {
- const char *offset = nametable + i * nameentrysize;
- int capture = ((offset[0] << 8) + offset[1]);
---
-1.8.3.1
-
diff --git a/backport-avoid-delimiting-the-query-with-a-backreference.patch b/backport-avoid-delimiting-the-query-with-a-backreference.patch
deleted file mode 100644
index 293efa91eac4dc44101acaed6955c24dde07560c..0000000000000000000000000000000000000000
--- a/backport-avoid-delimiting-the-query-with-a-backreference.patch
+++ /dev/null
@@ -1,152 +0,0 @@
-From 9282a06e55cb142666d6ed565c9031e728b7d537 Mon Sep 17 00:00:00 2001
-From: Eric Covener
-Date: Mon, 6 Mar 2023 04:31:19 AM GMT+0800
-Subject: [PATCH] avoid delimiting the query with a backreference
-
-Conflict:NA
-Reference:https://github.com/apache/httpd/commit/9282a06e55cb142666d6ed565c9031e728b7d537
-
----
- modules/mappers/mod_rewrite.c | 44 +++++++++++++++++++++++++----------
- 1 file changed, 32 insertions(+), 12 deletions(-)
-
-diff --git a/modules/mappers/mod_rewrite.c b/modules/mappers/mod_rewrite.c
-index 7faaeb7..e539a44 100644
---- a/modules/mappers/mod_rewrite.c
-+++ b/modules/mappers/mod_rewrite.c
-@@ -167,6 +167,7 @@ static const char* really_last_key = "rewrite_really_last";
- #define RULEFLAG_END (1<<17)
- #define RULEFLAG_ESCAPENOPLUS (1<<18)
- #define RULEFLAG_QSLAST (1<<19)
-+#define RULEFLAG_QSNONE (1<<20) /* programattic only */
-
- /* return code of the rewrite rule
- * the result may be escaped - or not
-@@ -763,11 +764,19 @@ static char *escape_absolute_uri(apr_pool_t *p, char *uri, unsigned scheme)
- * split out a QUERY_STRING part from
- * the current URI string
- */
--static void splitout_queryargs(request_rec *r, int qsappend, int qsdiscard,
-- int qslast)
-+static void splitout_queryargs(request_rec *r, int flags)
- {
- char *q;
- int split, skip;
-+ int qsappend = flags & RULEFLAG_QSAPPEND;
-+ int qsdiscard = flags & RULEFLAG_QSDISCARD;
-+ int qslast = flags & RULEFLAG_QSLAST;
-+
-+ if (flags & RULEFLAG_QSNONE) {
-+ rewritelog((r, 2, NULL, "discarding query string, no parse from substitution"));
-+ r->args = NULL;
-+ return;
-+ }
-
- /* don't touch, unless it's a scheme for which a query string makes sense.
- * See RFC 1738 and RFC 2368.
-@@ -792,7 +801,7 @@ static void splitout_queryargs(request_rec *r, int qsappend, int qsdiscard,
- olduri = apr_pstrdup(r->pool, r->filename);
- *q++ = '\0';
- if (qsappend) {
-- if (*q) {
-+ if (*q) {
- r->args = apr_pstrcat(r->pool, q, "&" , r->args, NULL);
- }
- }
-@@ -800,7 +809,7 @@ static void splitout_queryargs(request_rec *r, int qsappend, int qsdiscard,
- r->args = apr_pstrdup(r->pool, q);
- }
-
-- if (r->args) {
-+ if (r->args) {
- len = strlen(r->args);
-
- if (!len) {
-@@ -2735,7 +2744,8 @@ static apr_status_t rewritelock_remove(void *data)
- * XXX: what an inclined parser. Seems we have to leave it so
- * for backwards compat. *sigh*
- */
--static int parseargline(char *str, char **a1, char **a2, char **a3)
-+static char *parseargline(apr_pool_t *p, char *str, char **a1,
-+ char **a2, char **a2_end, char **a3)
- {
- char quote;
-
-@@ -2786,8 +2796,10 @@ static int parseargline(char *str, char **a1, char **a2, char **a3)
-
- if (!*str) {
- *a3 = NULL; /* 3rd argument is optional */
-+ *a2_end = str;
- return 0;
- }
-+ *a2_end = str;
- *str++ = '\0';
-
- while (apr_isspace(*str)) {
-@@ -3327,7 +3339,7 @@ static const char *cmd_rewritecond(cmd_parms *cmd, void *in_dconf,
- rewrite_server_conf *sconf;
- rewritecond_entry *newcond;
- ap_regex_t *regexp;
-- char *a1 = NULL, *a2 = NULL, *a3 = NULL;
-+ char *a1 = NULL, *a2 = NULL, *a2_end, *a3 = NULL;
- const char *err;
-
- sconf = ap_get_module_config(cmd->server->module_config, &rewrite_module);
-@@ -3345,7 +3357,7 @@ static const char *cmd_rewritecond(cmd_parms *cmd, void *in_dconf,
- * of the argument line. So we can use a1 .. a3 without
- * copying them again.
- */
-- if (parseargline(str, &a1, &a2, &a3)) {
-+ if ((err = parseargline(cmd->pool, str, &a1, &a2, &a2_end, &a3))) {
- return apr_pstrcat(cmd->pool, "RewriteCond: bad argument line '", str,
- "'", NULL);
- }
-@@ -3753,7 +3765,7 @@ static const char *cmd_rewriterule(cmd_parms *cmd, void *in_dconf,
- rewrite_server_conf *sconf;
- rewriterule_entry *newrule;
- ap_regex_t *regexp;
-- char *a1 = NULL, *a2 = NULL, *a3 = NULL;
-+ char *a1 = NULL, *a2 = NULL, *a2_end, *a3 = NULL;
- const char *err;
-
- sconf = ap_get_module_config(cmd->server->module_config, &rewrite_module);
-@@ -3767,7 +3779,7 @@ static const char *cmd_rewriterule(cmd_parms *cmd, void *in_dconf,
- }
-
- /* parse the argument line ourself */
-- if (parseargline(str, &a1, &a2, &a3)) {
-+ if ((err = parseargline(cmd->pool, str, &a1, &a2, &a2_end, &a3))) {
- return apr_pstrcat(cmd->pool, "RewriteRule: bad argument line '", str,
- "'", NULL);
- }
-@@ -3814,6 +3826,16 @@ static const char *cmd_rewriterule(cmd_parms *cmd, void *in_dconf,
- newrule->flags |= RULEFLAG_NOSUB;
- }
-
-+ if (*(a2_end-1) == '?') {
-+ /* a literal ? at the end of the unsubstituted rewrite rule */
-+ newrule->flags |= RULEFLAG_QSNONE;
-+ }
-+ else if (newrule->flags & RULEFLAG_QSDISCARD) {
-+ if (NULL == ap_strchr(newrule->output, '?')) {
-+ newrule->flags |= RULEFLAG_QSNONE;
-+ }
-+ }
-+
- /* now, if the server or per-dir config holds an
- * array of RewriteCond entries, we take it for us
- * and clear the array
-@@ -4219,9 +4241,7 @@ static int apply_rewrite_rule(rewriterule_entry *p, rewrite_ctx *ctx)
- r->path_info = NULL;
- }
-
-- splitout_queryargs(r, p->flags & RULEFLAG_QSAPPEND,
-- p->flags & RULEFLAG_QSDISCARD,
-- p->flags & RULEFLAG_QSLAST);
-+ splitout_queryargs(r, p->flags);
-
- /* Add the previously stripped per-directory location prefix, unless
- * (1) it's an absolute URL path and
---
-2.27.0
-
diff --git a/backport-fix-error-HeartbeatMaxServers-default-value.patch b/backport-fix-error-HeartbeatMaxServers-default-value.patch
deleted file mode 100644
index eb5b75f0bb6c0624142cbf1671cae644c5f537c5..0000000000000000000000000000000000000000
--- a/backport-fix-error-HeartbeatMaxServers-default-value.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From b64b0488b12dc81df972bff4747d9b9c68fbad3f Mon Sep 17 00:00:00 2001
-From: jimjag
-Date: Mon May 9 2022 17:54:42 UTC
-Subject: [PATCH] mod_heartmonitor:fix error HeartbeatMaxServers default value
-
-Conflict:NA
-Reference:https://github.com/apache/httpd/commit/b64b0488b12dc81df972bff4747d9b9c68fbad3f
-
----
- modules/cluster/mod_heartmonitor.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/modules/cluster/mod_heartmonitor.c b/modules/cluster/mod_heartmonitor.c
-index 2e8d12d..bfda7f8 100644
---- a/modules/cluster/mod_heartmonitor.c
-+++ b/modules/cluster/mod_heartmonitor.c
-@@ -39,7 +39,7 @@
-
- static const ap_slotmem_provider_t *storage = NULL;
- static ap_slotmem_instance_t *slotmem = NULL;
--static int maxworkers = 0;
-+static int maxworkers = 10;
-
- module AP_MODULE_DECLARE_DATA heartmonitor_module;
-
---
-2.23.0
-
diff --git a/backport-fix-lua-request-with-cast-first.patch b/backport-fix-lua-request-with-cast-first.patch
deleted file mode 100644
index 69b8c46a1d3518bea82f70fb8a56afbb19f371d2..0000000000000000000000000000000000000000
--- a/backport-fix-lua-request-with-cast-first.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From 1a09953b2439f94714feb03358b793ccbae8a2ca Mon Sep 17 00:00:00 2001
-From: covener
-Date: Wed Jun 1 12:31:19 2022 UTC
-Subject: [PATCH] lua_request:fix lua request with cast first
-
-Conflict:NA
-Reference:https://github.com/apache/httpd/commit/1a09953b2439f94714feb03358b793ccbae8a2ca
-
----
- modules/lua/lua_request.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/modules/lua/lua_request.c b/modules/lua/lua_request.c
-index a7e501b..1ba6a2f 100644
---- a/modules/lua/lua_request.c
-+++ b/modules/lua/lua_request.c
-@@ -251,7 +251,7 @@ static int lua_read_body(request_rec *r, const char **rbuf, apr_off_t *size,
- if (maxsize != 0 && length > maxsize) {
- return APR_EINCOMPLETE; /* Only room for incomplete data chunk :( */
- }
-- *rbuf = (const char *) apr_pcalloc(r->pool, (apr_size_t) (length + 1));
-+ *rbuf = (const char *) apr_pcalloc(r->pool, (apr_size_t) (length) + 1);
- while ((rpos < length)
- && (len_read = ap_get_client_block(r, (char *) *rbuf + rpos,
- length - rpos)) > 0) {
---
-2.23.0
-
diff --git a/backport-fix-missing-APLOGNO.patch b/backport-fix-missing-APLOGNO.patch
deleted file mode 100644
index 24e03b63c8088dc50275b367e8fe373d2e3f47e0..0000000000000000000000000000000000000000
--- a/backport-fix-missing-APLOGNO.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From 1061b64bb7da5339b037f936169a088150427bd1 Mon Sep 17 00:00:00 2001
-From: Ruediger Pluem
-Date: Mon, 6 Mar 2023 05:25:17 PM GMT+0800
-Subject: [PATCH] modules/http2/mod_proxy_http2.c: Fix missing APLOGNO
-
-Conflict:NA
-Reference:https://github.com/apache/httpd/commit/1061b64bb7da5339b037f936169a088150427bd1
-
----
- modules/http2/mod_proxy_http2.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/modules/http2/mod_proxy_http2.c b/modules/http2/mod_proxy_http2.c
-index d8a77c8..753f7f4 100644
---- a/modules/http2/mod_proxy_http2.c
-+++ b/modules/http2/mod_proxy_http2.c
-@@ -167,7 +167,7 @@ static int proxy_http2_canon(request_rec *r, char *url)
- * We have a raw control character or a ' ' in r->args.
- * Correct encoding was missed.
- */
-- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO()
-+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10412)
- "To be forwarded query string contains control "
- "characters or spaces");
- return HTTP_FORBIDDEN;
---
-2.27.0
-
diff --git a/backport-fix-setting-and-comparison-of-IPs-fields.patch b/backport-fix-setting-and-comparison-of-IPs-fields.patch
deleted file mode 100644
index f63808e7d03f4439ddf213bd11723043c9346507..0000000000000000000000000000000000000000
--- a/backport-fix-setting-and-comparison-of-IPs-fields.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From 1fa621fafde4cc73bdc887b94c0a8b7dade2162b Mon Sep 17 00:00:00 2001
-From: icing
-Date: Tue May 17 13:32:43 2022 UTC
-Subject: [PATCH] mod_heartmonitor:fix setting and comparsion of IPs fields
-
-Conflict:NA
-Reference:https://github.com/apache/httpd/commit/1fa621fafde4cc73bdc887b94c0a8b7dade2162b
-
----
- modules/cluster/mod_heartmonitor.c | 7 ++++---
- 1 file changed, 4 insertions(+), 3 deletions(-)
-
-diff --git a/modules/cluster/mod_heartmonitor.c b/modules/cluster/mod_heartmonitor.c
-index bfda7f8..30db11a 100644
---- a/modules/cluster/mod_heartmonitor.c
-+++ b/modules/cluster/mod_heartmonitor.c
-@@ -171,7 +171,7 @@ static apr_status_t hm_update(void* mem, void *data, apr_pool_t *p)
- hm_slot_server_t *old = (hm_slot_server_t *) mem;
- hm_slot_server_ctx_t *s = (hm_slot_server_ctx_t *) data;
- hm_server_t *new = s->s;
-- if (strncmp(old->ip, new->ip, MAXIPSIZE)==0) {
-+ if (strcmp(old->ip, new->ip)==0) {
- s->found = 1;
- old->busy = new->busy;
- old->ready = new->ready;
-@@ -185,7 +185,7 @@ static apr_status_t hm_readid(void* mem, void *data, apr_pool_t *p)
- hm_slot_server_t *old = (hm_slot_server_t *) mem;
- hm_slot_server_ctx_t *s = (hm_slot_server_ctx_t *) data;
- hm_server_t *new = s->s;
-- if (strncmp(old->ip, new->ip, MAXIPSIZE)==0) {
-+ if (strcmp(old->ip, new->ip)==0) {
- s->found = 1;
- s->item_id = old->id;
- }
-@@ -202,7 +202,8 @@ static apr_status_t hm_slotmem_update_stat(hm_server_t *s, apr_pool_t *pool)
- if (!ctx.found) {
- unsigned int i;
- hm_slot_server_t hmserver;
-- memcpy(hmserver.ip, s->ip, MAXIPSIZE);
-+ memset(&hmserver, 0, sizeof(hmserver));
-+ apr_cpystrn(hmserver.ip, s->ip, sizeof(hmserver.ip));
- hmserver.busy = s->busy;
- hmserver.ready = s->ready;
- hmserver.seen = s->seen;
---
-2.23.0
-
diff --git a/backport-handled-a-negative-value-when-parsing-the-config.patch b/backport-handled-a-negative-value-when-parsing-the-config.patch
deleted file mode 100644
index 2558dec20ef7df83c831de25b592a91415d390fe..0000000000000000000000000000000000000000
--- a/backport-handled-a-negative-value-when-parsing-the-config.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From b2d18fb704c64ce7767e07fe546eecec98c91b50 Mon Sep 17 00:00:00 2001
-From: Eirc Covener
-Date: Fri, 27 Jan 2023 08:58:03 PM GMT+0800
-Subject: [PATCH] mod_ldap: LDAPConnectionPoolTTL should accept negative values in order to
- allow connections of any age to be reused. Up to now, a negative value
- was handled as an error when parsing the configuration file
-
-Conflict:NA
-Reference:https://github.com/apache/httpd/commit/b2d18fb704c64ce7767e07fe546eecec98c91b50
-
----
- modules/ldap/util_ldap.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/modules/ldap/util_ldap.c b/modules/ldap/util_ldap.c
-index 4d92ec9..14b774a 100644
---- a/modules/ldap/util_ldap.c
-+++ b/modules/ldap/util_ldap.c
-@@ -2752,12 +2752,14 @@ static const char *util_ldap_set_conn_ttl(cmd_parms *cmd,
- void *dummy,
- const char *val)
- {
-- apr_interval_time_t timeout;
-+ apr_interval_time_t timeout = -1;
- util_ldap_state_t *st =
- (util_ldap_state_t *)ap_get_module_config(cmd->server->module_config,
- &ldap_module);
-
-- if (ap_timeout_parameter_parse(val, &timeout, "s") != APR_SUCCESS) {
-+ /* Negative values mean AP_LDAP_CONNPOOL_INFINITE */
-+ if (val[0] != '-' &&
-+ ap_timeout_parameter_parse(val, &timeout, "s") != APR_SUCCESS) {
- return "LDAPConnectionPoolTTL has wrong format";
- }
-
---
-2.27.0
-
diff --git a/backport-httpd-2.4.25-selinux.patch b/backport-httpd-2.4.25-selinux.patch
index fa4614a91f76ed599091d5d9686d0da2cf47e853..0db1e45f30cbca10a7331389056b37a05afb0954 100644
--- a/backport-httpd-2.4.25-selinux.patch
+++ b/backport-httpd-2.4.25-selinux.patch
@@ -1,11 +1,8 @@ - -Log the SELinux context at startup. - -Upstream-Status: unlikely to be any interest in this upstream - ---- httpd-2.4.1/configure.in.selinux -+++ httpd-2.4.1/configure.in -@@ -458,6 +458,11 @@ fopen64 +diff --git a/configure.in b/configure.in +index c5896c1..96cd4a6 100644 +--- a/configure.in ++++ b/configure.in +@@ -508,6 +508,11 @@ getloadavg dnl confirm that a void pointer is large enough to store a long integer APACHE_CHECK_VOID_PTR_LEN @@ -17,9 +14,11 @@ Upstream-Status: unlikely to be any interest in this upstream AC_CACHE_CHECK([for gettid()], ac_cv_gettid, [AC_TRY_RUN(#define _GNU_SOURCE #include ---- httpd-2.4.1/server/core.c.selinux -+++ httpd-2.4.1/server/core.c -@@ -58,6 +58,10 @@ +diff --git a/server/core.c b/server/core.c +index 4da7209..515047b 100644 +--- a/server/core.c ++++ b/server/core.c +@@ -65,6 +65,10 @@ #include #endif @@ -29,8 +28,8 @@ Upstream-Status: unlikely to be any interest in this upstream + /* LimitRequestBody handling */ #define AP_LIMIT_REQ_BODY_UNSET ((apr_off_t) -1) - #define AP_DEFAULT_LIMIT_REQ_BODY ((apr_off_t) 0) -@@ -4452,6 +4456,28 @@ static int core_post_config(apr_pool_t * + #define AP_DEFAULT_LIMIT_REQ_BODY ((apr_off_t) 1<<30) /* 1GB */ +@@ -5126,6 +5130,28 @@ static int core_post_config(apr_pool_t *pconf, apr_pool_t *plog, apr_pool_t *pte } #endif @@ -59,3 +58,6 @@ Upstream-Status: unlikely to be any interest in this upstream return OK; } +-- +2.27.0 + diff --git a/backport-httpd-2.4.43-detect-systemd.patch b/backport-httpd-2.4.53-detect-systemd.patch similarity index 76% rename from backport-httpd-2.4.43-detect-systemd.patch rename to backport-httpd-2.4.53-detect-systemd.patch index 540687fabbb7b3bf145cf48dd969e52b4be5982c..d501b06ceae9dcbbfa93c76a887b45a87efb0743 100644 --- a/backport-httpd-2.4.43-detect-systemd.patch +++ b/backport-httpd-2.4.53-detect-systemd.patch @@ -1,5 +1,5 @@ diff --git a/Makefile.in b/Makefile.in -index 0b088ac..9eeb5c7 100644 +index a2e9c82..bd8045c 100644 
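Review bot: The refreshed patch loses its only description: the first hunk removes `Log the SELinux context at startup.` and the `Upstream-Status: unlikely to be any interest in this upstream` line, and puts a bare `diff --git a/configure.in b/configure.in` header in their place. Keeping those two lines above the `diff --git` line would preserve the record of what this downstream-only patch does and why it is carried; text ahead of the first file header is skipped when the patch is applied. The `-- ` / `2.27.0` trailer added in the last hunk has no matching `From:`/`Subject:` header either, so the file now carries no statement of purpose at all.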
--- a/Makefile.in +++ b/Makefile.in @@ -4,7 +4,7 @@ CLEAN_SUBDIRS = test @@ -12,10 +12,10 @@ index 0b088ac..9eeb5c7 100644 PROGRAM_DEPENDENCIES = \ server/libmain.la \ diff --git a/acinclude.m4 b/acinclude.m4 -index 2a7e5d1..eb28321 100644 +index 97484c9..05abe18 100644 --- a/acinclude.m4 +++ b/acinclude.m4 -@@ -624,6 +624,7 @@ case $host in +@@ -631,6 +631,7 @@ case $host in if test "${ac_cv_header_systemd_sd_daemon_h}" = "no" || test -z "${SYSTEMD_LIBS}"; then AC_MSG_WARN([Your system does not support systemd.]) else @@ -24,18 +24,18 @@ index 2a7e5d1..eb28321 100644 fi fi diff --git a/configure.in b/configure.in -index 3618a5a..74a782b 100644 +index cf437fe..521fc45 100644 --- a/configure.in +++ b/configure.in -@@ -234,6 +234,7 @@ if test "$PCRE_CONFIG" != "false"; then +@@ -239,6 +239,7 @@ if test "x$PCRE_CONFIG" != "x"; then AC_MSG_NOTICE([Using external PCRE library from $PCRE_CONFIG]) APR_ADDTO(PCRE_INCLUDES, [`$PCRE_CONFIG --cflags`]) - APR_ADDTO(PCRE_LIBS, [`$PCRE_CONFIG --libs`]) + APR_ADDTO(PCRE_LIBS, [`$PCRE_CONFIG --libs8 2>/dev/null || $PCRE_CONFIG --libs`]) + APR_ADDTO(HTTPD_LIBS, [\$(PCRE_LIBS)]) else - AC_MSG_ERROR([pcre-config for libpcre not found. PCRE is required and available from http://pcre.org/]) + AC_MSG_ERROR([pcre(2)-config for libpcre not found. PCRE is required and available from http://pcre.org/]) fi -@@ -710,6 +711,7 @@ APACHE_SUBST(OS_DIR) +@@ -734,6 +735,7 @@ APACHE_SUBST(OS_DIR) APACHE_SUBST(BUILTIN_LIBS) APACHE_SUBST(SHLIBPATH_VAR) APACHE_SUBST(OS_SPECIFIC_VARS) diff --git a/backport-make-ap_escape_quotes-work-correctly.patch b/backport-make-ap_escape_quotes-work-correctly.patch deleted file mode 100644 index 03eb2d5f5e101ded190e2d1bc84c720c67c0d959..0000000000000000000000000000000000000000 --- a/backport-make-ap_escape_quotes-work-correctly.patch +++ /dev/null 
@@ -1,73 +0,0 @@
-From 229dc3a47e0858a0b6772fa878a60f09ee5293 Mon Sep 17 00:00:00 2001
-From: ylavic
-Date: Tue May 24 08:55:16 2022
-Subject: [PATCH] core:make ap_escape_quotes work correctly
-
-Conflict:NA
-Reference:https://github.com/apache/httpd/commit/229dc3ac47e0858a0b67227fa878a60f09ee5293
-
----
- server/util.c | 29 ++++++++++++++++++++++++-----
- 1 file changed, 24 insertions(+), 5 deletions(-)
-
-diff --git a/server/util.c b/server/util.c
-index 09ac0c5..1e006a3 100644
---- a/server/util.c
-+++ b/server/util.c
-@@ -2535,7 +2535,7 @@ AP_DECLARE(void) ap_content_type_tolower(char *str)
- */
- AP_DECLARE(char *) ap_escape_quotes(apr_pool_t *p, const char *instring)
- {
-- int newlen = 0;
-+ apr_size_t size, extra = 0;
- const char *inchr = instring;
- char *outchr, *outstring;
-
-@@ -2544,9 +2544,8 @@ AP_DECLARE(char *) ap_escape_quotes(apr_pool_t *p, const char *instring)
- * string up by an extra byte each time we find an unescaped ".
- */
- while (*inchr != '\0') {
-- newlen++;
- if (*inchr == '"') {
-- newlen++;
-+ extra++;
- }
- /*
- * If we find a slosh, and it's not the last byte in the string,
-@@ -2554,11 +2553,31 @@ AP_DECLARE(char *) ap_escape_quotes(apr_pool_t *p, const char *instring)
- */
- if ((*inchr == '\\') && (inchr[1] != '\0')) {
- inchr++;
-- newlen++;
- }
- inchr++;
- }
-- outstring = apr_palloc(p, newlen + 1);
-+ if (!extra) {
-+ return apr_pstrdup(p, instring);
-+ }
-+
-+ /* How large will the string become, once we escaped all the quotes?
-+ * The tricky cases are
-+ * - an `instring` that is already longer than `ptrdiff_t`
-+ * can hold (which is an undefined case in C, as C defines ptrdiff_t as
-+ * a signed difference between pointers into the same array and one index
-+ * beyond).
-+ * - an `instring` that, including the `extra` chars we want to add, becomes
-+ * even larger than apr_size_t can handle.
-+ * Since thsi function was nto designed to ever return NULL for failure, we
-+ * can only trigger a hard assertion failure. It seems more a programming
-+ * mistake (or failure to verify the input causing this) that leads to this
-+ * situation.
-+ */
-+ ap_assert(inchr - instring > 0);
-+ size = ((apr_size_t)(inchr - instring)) + 1;
-+ ap_assert(size + extra > size);
-+
-+ outstring = apr_palloc(p, size + extra);
- inchr = instring;
- outchr = outstring;
- /*
---
-2.23.0
-
diff --git a/backport-mod_md-do-not-interfere-with-requests-to-well-known-acme-challenge.patch b/backport-mod_md-do-not-interfere-with-requests-to-well-known-acme-challenge.patch
deleted file mode 100644
index 32ccca01cbe9329ee374e35c518274320c17e1cd..0000000000000000000000000000000000000000
--- a/backport-mod_md-do-not-interfere-with-requests-to-well-known-acme-challenge.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From 960d719aa31c35a8aac99b1fa413df7a91085bbd Mon Sep 17 00:00:00 2001
-From: Stefan Eissing
-Date: Tue, 8 Feb 2022 12:28:37 UTC
-Subject: [PATCH] mod_md do not interfere with requests to well known acme challenge
-resources if challenge type 'http-01' is not configure for a domain.
-Fixex .
-
-git-svn-id:https://svn.apache.org/repos/afs/httpd/httpd/branches/2.4.x@1897865
-
-Conflict:NA
-Reference:https://github.com/apache/httpd/commit/960d719aa31c35a8aac99b1fa413df7a91085bbd
-
----
- modules/md/mod_md.c | 9 +++++++++
- 1 file changed, 9 insertions(+)
-
-diff --git a/modules/md/mod_md.c b/modules/md/mod_md.c
-index 8b379eb..c929168 100644
---- a/modules/md/mod_md.c
-+++ b/modules/md/mod_md.c
-@@ -1347,6 +1347,15 @@ static int md_http_challenge_pr(request_rec *r)
- md = md_get_by_domain(sc->mc->mds, r->hostname);
- name = r->parsed_uri.path + sizeof(ACME_CHALLENGE_PREFIX)-1;
- reg = sc && sc->mc? sc->mc->reg : NULL;
-+
-+ if (md && md->ca_challenges
-+ && md_array_str_index(md->ca_challenges, MD_AUTHZ_CHA_HTTP_01, 0, 1) < 0) {
-+ /* The MD this chanllenge is for dose nto allow http-01 challanges,
-+ * we have to decline. See #279 for a setup example where this
-+ * is necessary.
-+ */
-+ return DECLINED;
-+ }
-
- if (strlen(name) && !ap_strchr_c(name, '/') && reg) {
- md_store_t *store = md_reg_store_get(reg);
---
-2.23.0
-
diff --git a/backport-open-the-lock-database-read-only-when-possible.patch b/backport-open-the-lock-database-read-only-when-possible.patch
deleted file mode 100644
index 605052b15d6124edb4bfbaa150c0ad897ce85ae7..0000000000000000000000000000000000000000
--- a/backport-open-the-lock-database-read-only-when-possible.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From ddfd4663dcd327963124b03567dbd1f0880d67f4 Mon Sep 17 00:00:00 2001
-From: covener
-Date: Wed, 30 Nov 2022 2:24:32 AM GMT+0800
-Subject: [PATCH] mod_dav:open the lock database read only when possible
-
-Conflict:NA
-Reference:https://github.com/apache/httpd/commit/ddfd4663dcd327963124b03567dbd1f0880d67f4
-
----
- modules/dav/main/mod_dav.c | 6 ++----
- 1 file changed, 2 insertions(+), 4 deletions(-)
-
-diff --git a/modules/dav/main/mod_dav.c b/modules/dav/main/mod_dav.c
-index 2cbfc06..76d9a51 100644
---- a/modules/dav/main/mod_dav.c
-+++ b/modules/dav/main/mod_dav.c
-@@ -1405,8 +1405,7 @@ static dav_error *dav_gen_supported_live_props(request_rec *r,
- dav_error *err;
-
- /* open lock database, to report on supported lock properties */
-- /* ### should open read-only */
-- if ((err = dav_open_lockdb(r, 0, &lockdb)) != NULL) {
-+ if ((err = dav_open_lockdb(r, 1, &lockdb)) != NULL) {
- return dav_push_error(r->pool, err->status, 0,
- "The lock database could not be opened, "
- "preventing the reporting of supported lock "
-@@ -2171,8 +2170,7 @@ static int dav_method_propfind(request_rec *r)
- apr_pool_create(&ctx.scratchpool, r->pool);
- apr_pool_tag(ctx.scratchpool, "mod_dav-scratch");
-
-- /* ### should open read-only */
-- if ((err = dav_open_lockdb(r, 0, &ctx.w.lockdb)) != NULL) {
-+ if ((err = dav_open_lockdb(r, 1, &ctx.w.lockdb)) != NULL) {
- err = dav_push_error(r->pool, err->status, 0,
- "The lock database could not be opened, "
- "preventing access to the various lock "
---
-2.27.0
-
diff --git a/httpd-2.4.51.tar.bz2 b/httpd-2.4.57.tar.bz2
similarity index 49%
rename from httpd-2.4.51.tar.bz2
rename to httpd-2.4.57.tar.bz2
index 352555ae60dc9f47f869edb840c47a76127f4147..19f1a43f8f161b06a3c9866f2466ba6762156504 100644
Binary files a/httpd-2.4.51.tar.bz2 and b/httpd-2.4.57.tar.bz2 differ
diff --git a/httpd.spec b/httpd.spec
index 8ae5ce6061463f05aebc13444fd7d473d2e101ff..9cb2f5f3034b44371ad3bbc19b67ed85f3833bcd 100644
--- a/httpd.spec
+++ b/httpd.spec @@ -7,8 +7,8 @@ Name: httpd Summary: Apache HTTP Server -Version: 2.4.51 -Release: 16 +Version: 2.4.57 +Release: 1 License: ASL 2.0 URL: https://httpd.apache.org/ Source0: https://archive.apache.org/dist/httpd/httpd-%{version}.tar.bz2 @@ -54,7 +54,7 @@ Patch0: backport-httpd-2.4.1-apctl.patch Patch1: backport-httpd-2.4.9-apxs.patch Patch2: backport-httpd-2.4.1-deplibs.patch Patch3: backport-httpd-2.4.3-apctl-systemd.patch -Patch4: backport-httpd-2.4.43-detect-systemd.patch +Patch4: backport-httpd-2.4.53-detect-systemd.patch Patch5: backport-httpd-2.4.33-export.patch Patch6: backport-httpd-2.4.1-corelimit.patch Patch7: backport-httpd-2.4.25-selinux.patch 
@@ -69,41 +69,6 @@ Patch15: backport-httpd-2.4.43-gettid.patch Patch16: backport-httpd-2.4.43-r1861793+.patch Patch17: backport-httpd-2.4.48-r1828172+.patch Patch18: backport-httpd-2.4.46-htcacheclean-dont-break.patch -Patch19: backport-CVE-2022-22719.patch -Patch20: backport-CVE-2022-22720.patch -Patch21: backport-CVE-2022-22721.patch -Patch22: backport-001-CVE-2022-23943.patch -Patch23: backport-002-CVE-2022-23943.patch -Patch24: backport-CVE-2021-44790.patch -Patch25: backport-001-CVE-2021-44224.patch -Patch26: backport-002-CVE-2021-44224.patch -Patch27: backport-Switch-from-PCRE-to-PCRE2.patch -Patch28: backport-CVE-2022-28615.patch -Patch29: backport-CVE-2022-31813.patch -Patch30: backport-CVE-2022-28614.patch -Patch31: backport-CVE-2022-29404.patch -Patch32: backport-CVE-2022-26377.patch -Patch33: backport-CVE-2022-30522.patch -Patch34: backport-CVE-2022-30556.patch -Patch35: backport-CVE-2022-28330.patch -Patch36: backport-fix-error-HeartbeatMaxServers-default-value.patch -Patch37: backport-fix-setting-and-comparison-of-IPs-fields.patch -Patch38: backport-Harden-mod_session-and-avoid-overflow-of-large-session.patch -Patch39: backport-make-ap_escape_quotes-work-correctly.patch -Patch40: backport-fix-lua-request-with-cast-first.patch -Patch41: backport-Handle-children-killed-pathologically.patch -Patch42: backport-Merge-r1589986-r1589995-r1633528-from-trunk.patch -Patch43: backport-mod_md-do-not-interfere-with-requests-to-well-known-acme-challenge.patch -Patch44: backport-CVE-2022-36760.patch -Patch45: backport-CVE-2006-20001.patch -Patch46: backport-CVE-2022-37436.patch -Patch47: backport-open-the-lock-database-read-only-when-possible.patch -Patch48: backport-CVE-2023-27522.patch -Patch49: backport-CVE-2023-25690.patch -Patch50: backport-Report-an-error-if-the-AJP-backend-sends-an-invalid-number-of-headers.patch -Patch51: backport-handled-a-negative-value-when-parsing-the-config.patch -Patch52: backport-avoid-delimiting-the-query-with-a-backreference.patch 
-Patch53: backport-fix-missing-APLOGNO.patch BuildRequires: gcc autoconf pkgconfig findutils xmlto perl-interpreter perl-generators systemd-devel BuildRequires: zlib-devel libselinux-devel lua-devel brotli-devel @@ -536,6 +501,9 @@ exit $rv %{_rpmconfigdir}/macros.d/macros.httpd %changelog +* Mon Aug 28 2023 Funda Wang - 2.4.57-1 +- 2.4.57 + * Fri Apr 14 2023 chengyechun - 2.4.51-16 - Type:bugfix - ID: