diff --git a/backport-Temporarily-add-back-the-query-string-to-the-URL.patch b/backport-Temporarily-add-back-the-query-string-to-the-URL.patch new file mode 100644 index 0000000000000000000000000000000000000000..5c708251253563a95bef839937d67daa608a7545 --- /dev/null +++ b/backport-Temporarily-add-back-the-query-string-to-the-URL.patch @@ -0,0 +1,58 @@ +From f82a9e886f42db063fb87c2973b33a88320ae65b Mon Sep 17 00:00:00 2001 +From: Ruediger Pluem +Date: Wed, 4 Jun 2025 07:36:11 +0000 +Subject: [PATCH] Merge r1925109 from trunk: + +* Temporarily add back the query string to the URL as it might contain the + routing information for sticky sessions. + +PR: 69443 + +Reviewed by: rpluem, covener, ylavic + + +git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1926107 13f79535-47bb-0310-9956-ffa450edef68 +--- + changes-entries/pr69443.txt | 3 +++ + modules/proxy/mod_proxy_balancer.c | 14 +++++++++++++- + 2 files changed, 16 insertions(+), 1 deletions(-) + create mode 100644 changes-entries/pr69443.txt + +diff --git a/changes-entries/pr69443.txt b/changes-entries/pr69443.txt +new file mode 100644 +index 00000000000..97de7693937 +--- /dev/null ++++ b/changes-entries/pr69443.txt +@@ -0,0 +1,3 @@ ++ *) mod_proxy_balancer: Fix a regression that caused stickysession keys no ++ longer be recognized if they are provided as query parameter in the URL. ++ PR 69443 [Ruediger Pluem] +diff --git a/modules/proxy/mod_proxy_balancer.c b/modules/proxy/mod_proxy_balancer.c +index 140366e6d52..daec21ad6c3 100644 +--- a/modules/proxy/mod_proxy_balancer.c ++++ b/modules/proxy/mod_proxy_balancer.c +@@ -276,11 +276,23 @@ static proxy_worker *find_session_route(proxy_balancer *balancer, + char **url) + { + proxy_worker *worker = NULL; ++ char *url_with_qs; + + if (!*balancer->s->sticky) + return NULL; ++ /* ++ * The route might be contained in the query string and *url is not ++ * supposed to contain the query string. Hence add it temporarily if ++ * present. ++ */ ++ if (r->args) { ++ url_with_qs = apr_pstrcat(r->pool, *url, "?", r->args, NULL); ++ } ++ else { ++ url_with_qs = *url; ++ } + /* Try to find the sticky route inside url */ +- *route = get_path_param(r->pool, *url, balancer->s->sticky_path, balancer->s->scolonsep); ++ *route = get_path_param(r->pool, url_with_qs, balancer->s->sticky_path, balancer->s->scolonsep); + if (*route) { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01159) + "Found value %s for stickysession %s", diff --git a/backport-avoid-ap_set_content_type-when-processing.patch b/backport-avoid-ap_set_content_type-when-processing.patch new file mode 100644 index 0000000000000000000000000000000000000000..aff1753a0d23c0038705227be868b66bfc5b52f5 --- /dev/null +++ b/backport-avoid-ap_set_content_type-when-processing.patch @@ -0,0 +1,76 @@ +From 6764774d51f3dcb07e79779c64a463d3c112b53f Mon Sep 17 00:00:00 2001 +From: Yann Ylavic +Date: Tue, 10 Jun 2025 10:58:15 +0000 +Subject: [PATCH] avoid ap_set_content_type when processing a _Request_Header + set|edit|unset Content-Type. + +identified by ylavic + + +Merges r1820750 from trunk +Submitted by: covener +Reviewed by: covener, rpluem, jorton + + +git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1926323 13f79535-47bb-0310-9956-ffa450edef68 +--- + CHANGES | 4 +++++ + modules/metadata/mod_headers.c | 12 +++++++++--- + 2 files changed, 13 insertions(+), 3 deletions(-) + +diff --git a/CHANGES b/CHANGES +index b7bd6055425..8fac45be5c5 100644 +@@ -6,6 +6,10 @@ Changes with Apache 2.4.59 + *) mod_ssl: release memory to the OS when needed. [Giovanni Bechis] + + Changes with Apache 2.4.58 ++ *) mod_headers: 'RequestHeader set|edit|edit_r Content-Type X' could ++ inadvertently modify the Content-Type _response_ header. Applies to ++ Content-Type only and likely to only affect static file responses. ++ [Eric Covener] + + *) mod_ssl: Silence info log message "SSL Library Error: error:0A000126: + SSL routines::unexpected eof while reading" when using +diff --git a/modules/metadata/mod_headers.c b/modules/metadata/mod_headers.c +index 4838bd6cd0d..57da3fc538d 100644 +--- a/modules/metadata/mod_headers.c ++++ b/modules/metadata/mod_headers.c +@@ -782,14 +782,16 @@ static int do_headers_fixup(request_rec *r, apr_table_t *headers, + } + break; + case hdr_set: +- if (!ap_cstr_casecmp(hdr->header, "Content-Type")) { ++ if (r->headers_in != headers && ++ !ap_cstr_casecmp(hdr->header, "Content-Type")) { + ap_set_content_type_ex(r, process_tags(hdr, r), 1); + } + apr_table_setn(headers, hdr->header, process_tags(hdr, r)); + break; + case hdr_setifempty: + if (NULL == apr_table_get(headers, hdr->header)) { +- if (!ap_cstr_casecmp(hdr->header, "Content-Type")) { ++ if (r->headers_in != headers && ++ !ap_cstr_casecmp(hdr->header, "Content-Type")) { + ap_set_content_type_ex(r, process_tags(hdr, r), 1); + } + apr_table_setn(headers, hdr->header, process_tags(hdr, r)); +@@ -797,6 +799,10 @@ static int do_headers_fixup(request_rec *r, apr_table_t *headers, + break; + case hdr_unset: + apr_table_unset(headers, hdr->header); ++ if (r->headers_in != headers && ++ !ap_cstr_casecmp(hdr->header, "Content-Type")) { ++ ap_set_content_type(r, NULL); ++ } + break; + case hdr_echo: + v.r = r; +@@ -809,7 +815,7 @@ static int do_headers_fixup(request_rec *r, apr_table_t *headers, + const char *repl = process_regexp(hdr, r->content_type, r); + if (repl == NULL) + return 0; +- ap_set_content_type_ex(r, repl, 1); ++ if (r->headers_in != headers) ap_set_content_type_ex(r, repl, 1); + } + if (apr_table_get(headers, hdr->header)) { + edit_do ed; diff --git a/backport-mod_lua-Fix-memory-handling-in-output-filters.patch b/backport-mod_lua-Fix-memory-handling-in-output-filters.patch new file mode 100644 index 0000000000000000000000000000000000000000..cafb63923356d7fab571482449b63427e2b58df8 --- /dev/null +++ b/backport-mod_lua-Fix-memory-handling-in-output-filters.patch @@ -0,0 +1,69 @@ +From 3dec975c92ed1e2d5e60c88bbc331edd37ab49d7 Mon Sep 17 00:00:00 2001 +From: Joe Orton +Date: Mon, 2 Jun 2025 14:48:53 +0000 +Subject: [PATCH] Merge r1924095 from trunk: + +mod_lua: Fix memory handling in output filters. + +* modules/lua/mod_lua.c (lua_output_filter_handle): Fix brigade + iteration to use constant memory. + +Submitted by: G.Grandes +PR: 69590 +Github: closes #517 +Reviewed by: jorton, rpluem, covener + + +git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1926063 13f79535-47bb-0310-9956-ffa450edef68 +--- + changes-entries/pr69590.txt | 2 ++ + modules/lua/mod_lua.c | 13 ++++++++----- + 2 files changed, 10 insertions(+), 5 deletions(-) + create mode 100644 changes-entries/pr69590.txt + +diff --git a/changes-entries/pr69590.txt b/changes-entries/pr69590.txt +new file mode 100644 +index 00000000000..ebf3f1a5b04 +--- /dev/null ++++ b/changes-entries/pr69590.txt +@@ -0,0 +1,2 @@ ++ *) mod_lua: Fix memory handling in LuaOutputFilter. PR 69590. ++ [Guillermo Grandes ] +diff --git a/modules/lua/mod_lua.c b/modules/lua/mod_lua.c +index ed5c839fe9a..793466ba688 100644 +--- a/modules/lua/mod_lua.c ++++ b/modules/lua/mod_lua.c +@@ -473,14 +473,16 @@ static apr_status_t lua_output_filter_handle(ap_filter_t *f, apr_bucket_brigade + L = ctx->L; + /* While the Lua function is still yielding, pass in buckets to the coroutine */ + if (!ctx->broken) { +- for (pbktIn = APR_BRIGADE_FIRST(pbbIn); +- pbktIn != APR_BRIGADE_SENTINEL(pbbIn); +- pbktIn = APR_BUCKET_NEXT(pbktIn)) +- { ++ while (!APR_BRIGADE_EMPTY(pbbIn)) { + const char *data; + apr_size_t len; + apr_bucket *pbktOut; + ++ pbktIn = APR_BRIGADE_FIRST(pbbIn); ++ if (APR_BUCKET_IS_EOS(pbktIn)) { ++ break; ++ } ++ + /* read the bucket */ + apr_bucket_read(pbktIn,&data,&len,APR_BLOCK_READ); + +@@ -514,10 +516,11 @@ static apr_status_t lua_output_filter_handle(ap_filter_t *f, apr_bucket_brigade + lua_tostring(L, -1)); + return HTTP_INTERNAL_SERVER_ERROR; + } ++ apr_bucket_delete(pbktIn); + } + /* If we've safely reached the end, do a final call to Lua to allow for any + finishing moves by the script, such as appending a tail. */ +- if (APR_BUCKET_IS_EOS(APR_BRIGADE_LAST(pbbIn))) { ++ if (!APR_BRIGADE_EMPTY(pbbIn) && APR_BUCKET_IS_EOS(APR_BRIGADE_LAST(pbbIn))) { + apr_bucket *pbktEOS; + lua_pushnil(L); + lua_setglobal(L, "bucket"); diff --git a/backport-set_cookie_name-ensure-correct-format.patch b/backport-set_cookie_name-ensure-correct-format.patch new file mode 100644 index 0000000000000000000000000000000000000000..f154b490be23aa9133972e3a09881d3e183d8542 --- /dev/null +++ b/backport-set_cookie_name-ensure-correct-format.patch @@ -0,0 +1,78 @@ +From c4218c88fe078570e7439c652a21f4773a432a76 Mon Sep 17 00:00:00 2001 +From: Yann Ylavic +Date: Tue, 10 Jun 2025 11:00:37 +0000 +Subject: [PATCH] mod_session_dbd: set_cookie_name: ensure correct format + +If args is an empty string, apr_strtok will return NULL and *last will never get set which results in a SIGSEGV in apr_isspace check + +Submitted by: Thomas Meyer + +Github: closes #503 + + +Follow-up to r1922931. + +In set_cookie_name() and set_cookie_name2(), now that the empty 'name' argument is explicitly handled, the error message in check_string() can be simplified because the cookie name can't be empty anymore when this function is called. + + +Add a change entry to give credits to the author. + + +Merges r1922931, r1926188, r1926189 trunk +Submitted by: covener, jailletc36, jailletc36 +Reviewed by: jailletc36, rpluem, ylavic + + +git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1926325 13f79535-47bb-0310-9956-ffa450edef68 +--- + changes-entries/SessionDBDCookieName.txt | 3 +++ + modules/session/mod_session_dbd.c | 12 +++++++++++- + 2 files changed, 14 insertions(+), 1 deletion(-) + create mode 100644 changes-entries/SessionDBDCookieName.txt + +diff --git a/changes-entries/SessionDBDCookieName.txt b/changes-entries/SessionDBDCookieName.txt +new file mode 100644 +index 00000000000..76c0aa110a0 +--- /dev/null ++++ b/changes-entries/SessionDBDCookieName.txt +@@ -0,0 +1,3 @@ ++ *) mod_session_dbd: ensure format used with SessionDBDCookieName and ++ SessionDBDCookieName2 are correct. ++ Github #503 [Thomas Meyer ] +diff --git a/modules/session/mod_session_dbd.c b/modules/session/mod_session_dbd.c +index f683da2172f..65af9370f99 100644 +--- a/modules/session/mod_session_dbd.c ++++ b/modules/session/mod_session_dbd.c +@@ -537,7 +537,7 @@ static const char *check_string(cmd_parms * cmd, const char *string) + { + if (APR_SUCCESS != ap_cookie_check_string(string)) { + return apr_pstrcat(cmd->pool, cmd->directive->directive, +- " cannot be empty, or contain '=', ';' or '&'.", ++ " cannot contain '=', ';' or '&'.", + NULL); + } + return NULL; +@@ -571,6 +571,11 @@ static const char *set_cookie_name(cmd_parms * cmd, void *config, const char *ar + char *line = apr_pstrdup(cmd->pool, args); + session_dbd_dir_conf *conf = (session_dbd_dir_conf *) config; + char *cookie = apr_strtok(line, " \t", &last); ++ if (!cookie) { ++ return apr_pstrcat(cmd->pool, cmd->directive->directive, ++ " requires at least one argument!", ++ NULL); ++ } + conf->name = cookie; + conf->name_set = 1; + while (apr_isspace(*last)) { +@@ -586,6 +591,11 @@ static const char *set_cookie_name2(cmd_parms * cmd, void *config, const char *a + char *line = apr_pstrdup(cmd->pool, args); + session_dbd_dir_conf *conf = (session_dbd_dir_conf *) config; + char *cookie = apr_strtok(line, " \t", &last); ++ if (!cookie) { ++ return apr_pstrcat(cmd->pool, cmd->directive->directive, ++ " requires at least one argument!", ++ NULL); ++ } + conf->name2 = cookie; + conf->name2_set = 1; + while (apr_isspace(*last)) { diff --git a/httpd.spec b/httpd.spec index 88d8d832cb6b331b83a262c014874945310e6e58..7a6fdf4537826c518bd5c1f99319f4882189c7bc 100644 --- a/httpd.spec +++ b/httpd.spec @@ -8,7 +8,7 @@ Name: httpd Summary: Apache HTTP Server Version: 2.4.58 -Release: 9 +Release: 10 License: ASL 2.0 URL: https://httpd.apache.org/ Source0: https://archive.apache.org/dist/httpd/httpd-%{version}.tar.bz2 @@ -94,6 +94,10 @@ Patch40: backport-Fix-the-handling-of-the-stickysession-configuration-p Patch41: backport-Fix-possible-crash-on-error-path.patch Patch42: backport-Check-SSL_CTX_new-return-value.patch Patch43: backport-Report-invalid-Options-argument-when-parsing-AllowOverride-directives.patch +Patch40: backport-avoid-ap_set_content_type-when-processing.patch +Patch41: backport-set_cookie_name-ensure-correct-format.patch +Patch42: backport-mod_lua-Fix-memory-handling-in-output-filters.patch +Patch43: backport-Temporarily-add-back-the-query-string-to-the-URL.patch BuildRequires: gcc autoconf pkgconfig findutils xmlto perl-interpreter perl-generators systemd-devel BuildRequires: zlib-devel libselinux-devel lua-devel brotli-devel @@ -531,6 +535,15 @@ exit $rv %{_rpmconfigdir}/macros.d/macros.httpd %changelog +* Wed Jul 30 2025 andy - 2.4.58-10 +- Type:NA +- CVE:NA +- SUG:NA +- DESC:avoid ap_set_content_type when processing a _Request_Header set|edit|unset Content-Type + set_cookie_name: ensure correct format + mod_lua: Fix memory handling in output filter + Temporarily add back the query string to the URL as it might contain the routing information for sticky sessions + * Wed Apr 16 2025 xingwei - 2.4.58-9 - Type:bugfix - CVE:NA