httpd: update to 2.4.59

Raven 2024-04-09 09:30:55 +06:00
parent b40eafce97
commit a0bd9ee321
8 changed files with 830 additions and 492 deletions


@ -1,271 +0,0 @@
diff --git a/configure.in b/configure.in
index cb43246..0bb6b0d 100644
--- httpd-2.4.43/configure.in.r1861793+
+++ httpd-2.4.43/configure.in
@@ -465,6 +465,28 @@
AC_SEARCH_LIBS(crypt, crypt)
CRYPT_LIBS="$LIBS"
APACHE_SUBST(CRYPT_LIBS)
+
+if test "$ac_cv_search_crypt" != "no"; then
+ # Test crypt() with the SHA-512 test vector from https://akkadia.org/drepper/SHA-crypt.txt
+ AC_CACHE_CHECK([whether crypt() supports SHA-2], [ap_cv_crypt_sha2], [
+ AC_RUN_IFELSE([AC_LANG_PROGRAM([[
+#include <crypt.h>
+#include <stdlib.h>
+#include <string.h>
+
+#define PASSWD_0 "Hello world!"
+#define SALT_0 "\$6\$saltstring"
+#define EXPECT_0 "\$6\$saltstring\$svn8UoSVapNtMuq1ukKS4tPQd8iKwSMHWjl/O817G3uBnIFNjnQJu" \
+ "esI68u4OTLiBFdcbYEdFCoEOfaS35inz1"
+]], [char *result = crypt(PASSWD_0, SALT_0);
+ if (!result) return 1;
+ if (strcmp(result, EXPECT_0)) return 2;
+])], [ap_cv_crypt_sha2=yes], [ap_cv_crypt_sha2=no])])
+ if test "$ap_cv_crypt_sha2" = yes; then
+ AC_DEFINE([HAVE_CRYPT_SHA2], 1, [Define if crypt() supports SHA-2 hashes])
+ fi
+fi
+
LIBS="$saved_LIBS"
dnl See Comment #Spoon
--- httpd-2.4.43/docs/man/htpasswd.1.r1861793+
+++ httpd-2.4.43/docs/man/htpasswd.1
@@ -27,16 +27,16 @@
.SH "SYNOPSIS"
.PP
-\fB\fBhtpasswd\fR [ -\fBc\fR ] [ -\fBi\fR ] [ -\fBm\fR | -\fBB\fR | -\fBd\fR | -\fBs\fR | -\fBp\fR ] [ -\fBC\fR \fIcost\fR ] [ -\fBD\fR ] [ -\fBv\fR ] \fIpasswdfile\fR \fIusername\fR\fR
+\fB\fBhtpasswd\fR [ -\fBc\fR ] [ -\fBi\fR ] [ -\fBm\fR | -\fBB\fR | -\fB2\fR | -\fB5\fR | -\fBd\fR | -\fBs\fR | -\fBp\fR ] [ -\fBr\fR \fIrounds\fR ] [ -\fBC\fR \fIcost\fR ] [ -\fBD\fR ] [ -\fBv\fR ] \fIpasswdfile\fR \fIusername\fR\fR
.PP
-\fB\fBhtpasswd\fR -\fBb\fR [ -\fBc\fR ] [ -\fBm\fR | -\fBB\fR | -\fBd\fR | -\fBs\fR | -\fBp\fR ] [ -\fBC\fR \fIcost\fR ] [ -\fBD\fR ] [ -\fBv\fR ] \fIpasswdfile\fR \fIusername\fR \fIpassword\fR\fR
+\fB\fBhtpasswd\fR -\fBb\fR [ -\fBc\fR ] [ -\fBm\fR | -\fBB\fR | -\fB2\fR | -\fB5\fR | -\fBd\fR | -\fBs\fR | -\fBp\fR ] [ -\fBr\fR \fIrounds\fR ] [ -\fBC\fR \fIcost\fR ] [ -\fBD\fR ] [ -\fBv\fR ] \fIpasswdfile\fR \fIusername\fR \fIpassword\fR\fR
.PP
-\fB\fBhtpasswd\fR -\fBn\fR [ -\fBi\fR ] [ -\fBm\fR | -\fBB\fR | -\fBd\fR | -\fBs\fR | -\fBp\fR ] [ -\fBC\fR \fIcost\fR ] \fIusername\fR\fR
+\fB\fBhtpasswd\fR -\fBn\fR [ -\fBi\fR ] [ -\fBm\fR | -\fBB\fR | -\fB2\fR | -\fB5\fR | -\fBd\fR | -\fBs\fR | -\fBp\fR ] [ -\fBr\fR \fIrounds\fR ] [ -\fBC\fR \fIcost\fR ] \fIusername\fR\fR
.PP
-\fB\fBhtpasswd\fR -\fBnb\fR [ -\fBm\fR | -\fBB\fR | -\fBd\fR | -\fBs\fR | -\fBp\fR ] [ -\fBC\fR \fIcost\fR ] \fIusername\fR \fIpassword\fR\fR
+\fB\fBhtpasswd\fR -\fBnb\fR [ -\fBm\fR | -\fBB\fR | -\fB2\fR | -\fB5\fR | -\fBd\fR | -\fBs\fR | -\fBp\fR ] [ -\fBr\fR \fIrounds\fR ] [ -\fBC\fR \fIcost\fR ] \fIusername\fR \fIpassword\fR\fR
.SH "SUMMARY"
@@ -48,7 +48,7 @@
Resources available from the Apache HTTP server can be restricted to just the users listed in the files created by \fBhtpasswd\fR\&. This program can only manage usernames and passwords stored in a flat-file\&. It can encrypt and display password information for use in other types of data stores, though\&. To use a DBM database see dbmmanage or htdbm\&.
.PP
-\fBhtpasswd\fR encrypts passwords using either bcrypt, a version of MD5 modified for Apache, SHA1, or the system's \fBcrypt()\fR routine\&. Files managed by \fBhtpasswd\fR may contain a mixture of different encoding types of passwords; some user records may have bcrypt or MD5-encrypted passwords while others in the same file may have passwords encrypted with \fBcrypt()\fR\&.
+\fBhtpasswd\fR encrypts passwords using either bcrypt, a version of MD5 modified for Apache, SHA-1, or the system's \fBcrypt()\fR routine\&. SHA-2-based hashes (SHA-256 and SHA-512) are supported for \fBcrypt()\fR\&. Files managed by \fBhtpasswd\fR may contain a mixture of different encoding types of passwords; some user records may have bcrypt or MD5-encrypted passwords while others in the same file may have passwords encrypted with \fBcrypt()\fR\&.
.PP
This manual page only lists the command line arguments\&. For details of the directives necessary to configure user authentication in httpd see the Apache manual, which is part of the Apache distribution or can be found at http://httpd\&.apache\&.org/\&.
@@ -73,17 +73,26 @@
\fB-m\fR
Use MD5 encryption for passwords\&. This is the default (since version 2\&.2\&.18)\&.
.TP
+\fB-2\fR
+Use SHA-256 \fBcrypt()\fR based hashes for passwords\&. This is supported on most Unix platforms\&.
+.TP
+\fB-5\fR
+Use SHA-512 \fBcrypt()\fR based hashes for passwords\&. This is supported on most Unix platforms\&.
+.TP
\fB-B\fR
Use bcrypt encryption for passwords\&. This is currently considered to be very secure\&.
.TP
\fB-C\fR
This flag is only allowed in combination with \fB-B\fR (bcrypt encryption)\&. It sets the computing time used for the bcrypt algorithm (higher is more secure but slower, default: 5, valid: 4 to 17)\&.
.TP
+\fB-r\fR
+This flag is only allowed in combination with \fB-2\fR or \fB-5\fR\&. It sets the number of hash rounds used for the SHA-2 algorithms (higher is more secure but slower; the default is 5,000)\&.
+.TP
\fB-d\fR
Use \fBcrypt()\fR encryption for passwords\&. This is not supported by the httpd server on Windows and Netware\&. This algorithm limits the password length to 8 characters\&. This algorithm is \fBinsecure\fR by today's standards\&. It used to be the default algorithm until version 2\&.2\&.17\&.
.TP
\fB-s\fR
-Use SHA encryption for passwords\&. Facilitates migration from/to Netscape servers using the LDAP Directory Interchange Format (ldif)\&. This algorithm is \fBinsecure\fR by today's standards\&.
+Use SHA-1 (160-bit) encryption for passwords\&. Facilitates migration from/to Netscape servers using the LDAP Directory Interchange Format (ldif)\&. This algorithm is \fBinsecure\fR by today's standards\&.
.TP
\fB-p\fR
Use plaintext passwords\&. Though \fBhtpasswd\fR will support creation on all platforms, the httpd daemon will only accept plain text passwords on Windows and Netware\&.
@@ -152,10 +161,13 @@
When using the \fBcrypt()\fR algorithm, note that only the first 8 characters of the password are used to form the password\&. If the supplied password is longer, the extra characters will be silently discarded\&.
.PP
-The SHA encryption format does not use salting: for a given password, there is only one encrypted representation\&. The \fBcrypt()\fR and MD5 formats permute the representation by prepending a random salt string, to make dictionary attacks against the passwords more difficult\&.
+The SHA-1 encryption format does not use salting: for a given password, there is only one encrypted representation\&. The \fBcrypt()\fR and MD5 formats permute the representation by prepending a random salt string, to make dictionary attacks against the passwords more difficult\&.
+
+.PP
+The SHA-1 and \fBcrypt()\fR formats are insecure by today's standards\&.
.PP
-The SHA and \fBcrypt()\fR formats are insecure by today's standards\&.
+The SHA-2-based \fBcrypt()\fR formats (SHA-256 and SHA-512) are supported on most modern Unix systems, and follow the specification at https://www\&.akkadia\&.org/drepper/SHA-crypt\&.txt\&.
.SH "RESTRICTIONS"
--- httpd-2.4.43/support/htpasswd.c.r1861793+
+++ httpd-2.4.43/support/htpasswd.c
@@ -109,17 +109,21 @@
"for it." NL
" -i Read password from stdin without verification (for script usage)." NL
" -m Force MD5 encryption of the password (default)." NL
- " -B Force bcrypt encryption of the password (very secure)." NL
+ " -2 Force SHA-256 crypt() hash of the password (very secure)." NL
+ " -5 Force SHA-512 crypt() hash of the password (very secure)." NL
+ " -B Force bcrypt encryption of the password (very secure)." NL
" -C Set the computing time used for the bcrypt algorithm" NL
" (higher is more secure but slower, default: %d, valid: 4 to 17)." NL
+ " -r Set the number of rounds used for the SHA-256, SHA-512 algorithms" NL
+ " (higher is more secure but slower, default: 5000)." NL
" -d Force CRYPT encryption of the password (8 chars max, insecure)." NL
- " -s Force SHA encryption of the password (insecure)." NL
+ " -s Force SHA-1 encryption of the password (insecure)." NL
" -p Do not encrypt the password (plaintext, insecure)." NL
" -D Delete the specified user." NL
" -v Verify password for the specified user." NL
"On other systems than Windows and NetWare the '-p' flag will "
"probably not work." NL
- "The SHA algorithm does not use a salt and is less secure than the "
+ "The SHA-1 algorithm does not use a salt and is less secure than the "
"MD5 algorithm." NL,
BCRYPT_DEFAULT_COST
);
@@ -178,7 +182,7 @@
if (rv != APR_SUCCESS)
exit(ERR_SYNTAX);
- while ((rv = apr_getopt(state, "cnmspdBbDiC:v", &opt, &opt_arg)) == APR_SUCCESS) {
+ while ((rv = apr_getopt(state, "cnmspdBbDi25C:r:v", &opt, &opt_arg)) == APR_SUCCESS) {
switch (opt) {
case 'c':
*mask |= APHTP_NEWFILE;
--- httpd-2.4.43/support/passwd_common.c.r1861793+
+++ httpd-2.4.43/support/passwd_common.c
@@ -179,16 +179,21 @@
int mkhash(struct passwd_ctx *ctx)
{
char *pw;
- char salt[16];
+ char salt[17];
apr_status_t rv;
int ret = 0;
#if CRYPT_ALGO_SUPPORTED
char *cbuf;
#endif
+#ifdef HAVE_CRYPT_SHA2
+ const char *setting;
+ char method;
+#endif
- if (ctx->cost != 0 && ctx->alg != ALG_BCRYPT) {
+ if (ctx->cost != 0 && ctx->alg != ALG_BCRYPT
+ && ctx->alg != ALG_CRYPT_SHA256 && ctx->alg != ALG_CRYPT_SHA512 ) {
apr_file_printf(errfile,
- "Warning: Ignoring -C argument for this algorithm." NL);
+ "Warning: Ignoring -C/-r argument for this algorithm." NL);
}
if (ctx->passwd == NULL) {
@@ -246,6 +251,34 @@
break;
#endif /* CRYPT_ALGO_SUPPORTED */
+#ifdef HAVE_CRYPT_SHA2
+ case ALG_CRYPT_SHA256:
+ case ALG_CRYPT_SHA512:
+ ret = generate_salt(salt, 16, &ctx->errstr, ctx->pool);
+ if (ret != 0)
+ break;
+
+ method = ctx->alg == ALG_CRYPT_SHA256 ? '5': '6';
+
+ if (ctx->cost)
+ setting = apr_psprintf(ctx->pool, "$%c$rounds=%d$%s",
+ method, ctx->cost, salt);
+ else
+ setting = apr_psprintf(ctx->pool, "$%c$%s",
+ method, salt);
+
+ cbuf = crypt(pw, setting);
+ if (cbuf == NULL) {
+ rv = APR_FROM_OS_ERROR(errno);
+ ctx->errstr = apr_psprintf(ctx->pool, "crypt() failed: %pm", &rv);
+ ret = ERR_PWMISMATCH;
+ break;
+ }
+
+ apr_cpystrn(ctx->out, cbuf, ctx->out_len - 1);
+ break;
+#endif /* HAVE_CRYPT_SHA2 */
+
#if BCRYPT_ALGO_SUPPORTED
case ALG_BCRYPT:
rv = apr_generate_random_bytes((unsigned char*)salt, 16);
@@ -294,6 +327,19 @@
case 's':
ctx->alg = ALG_APSHA;
break;
+#ifdef HAVE_CRYPT_SHA2
+ case '2':
+ ctx->alg = ALG_CRYPT_SHA256;
+ break;
+ case '5':
+ ctx->alg = ALG_CRYPT_SHA512;
+ break;
+#else
+ case '2':
+ case '5':
+ ctx->errstr = "SHA-2 crypt() algorithms are not supported on this platform.";
+ return ERR_ALG_NOT_SUPP;
+#endif
case 'p':
ctx->alg = ALG_PLAIN;
#if !PLAIN_ALGO_SUPPORTED
@@ -324,11 +370,12 @@
return ERR_ALG_NOT_SUPP;
#endif
break;
- case 'C': {
+ case 'C':
+ case 'r': {
char *endptr;
long num = strtol(opt_arg, &endptr, 10);
if (*endptr != '\0' || num <= 0) {
- ctx->errstr = "argument to -C must be a positive integer";
+ ctx->errstr = "argument to -C/-r must be a positive integer";
return ERR_SYNTAX;
}
ctx->cost = num;
--- httpd-2.4.43/support/passwd_common.h.r1861793+
+++ httpd-2.4.43/support/passwd_common.h
@@ -28,6 +28,8 @@
#include "apu_version.h"
#endif
+#include "ap_config_auto.h"
+
#define MAX_STRING_LEN 256
#define ALG_PLAIN 0
@@ -35,6 +37,8 @@
#define ALG_APMD5 2
#define ALG_APSHA 3
#define ALG_BCRYPT 4
+#define ALG_CRYPT_SHA256 5
+#define ALG_CRYPT_SHA512 6
#define BCRYPT_DEFAULT_COST 5
@@ -84,7 +88,7 @@
apr_size_t out_len;
char *passwd;
int alg;
- int cost;
+ int cost; /* cost for bcrypt, rounds for SHA-2 */
enum {
PW_PROMPT = 0,
PW_ARG,


@ -1,13 +0,0 @@
diff --git a/support/htcacheclean.c b/support/htcacheclean.c
index 958ba6d..0a7fe3c 100644
--- a/support/htcacheclean.c
+++ b/support/htcacheclean.c
@@ -557,8 +557,6 @@ static int list_urls(char *path, apr_pool_t *pool, apr_off_t round)
}
}
}
-
- break;
}
}
}


@ -1,24 +1,25 @@
Upstream-Status: in trunk not in 2.4.x
diff --git a/configure.in b/configure.in
index 74015ca..8c0ee10 100644
--- a/configure.in
+++ b/configure.in
@@ -508,6 +508,11 @@ getloadavg
dnl confirm that a void pointer is large enough to store a long integer
APACHE_CHECK_VOID_PTR_LEN
+AC_CHECK_LIB(selinux, is_selinux_enabled, [
+ AC_DEFINE(HAVE_SELINUX, 1, [Defined if SELinux is supported])
+ APR_ADDTO(HTTPD_LIBS, [-lselinux])
+])
+
AC_CACHE_CHECK([for gettid()], ac_cv_gettid,
[AC_TRY_RUN(#define _GNU_SOURCE
#include <unistd.h>
diff --git a/server/core.c b/server/core.c
index a6fa2fb..cf4cba4 100644
--- a/server/core.c
+++ b/server/core.c
@@ -65,6 +65,10 @@
--- httpd-2.4.54/modules/arch/unix/config5.m4.selinux
+++ httpd-2.4.54/modules/arch/unix/config5.m4
@@ -23,6 +23,11 @@
AC_MSG_WARN([Your system does not support systemd.])
enable_systemd="no"
else
+ AC_CHECK_LIB(selinux, is_selinux_enabled, [
+ AC_DEFINE(HAVE_SELINUX, 1, [Defined if SELinux is supported])
+ APR_ADDTO(MOD_SYSTEMD_LDADD, [-lselinux])
+ ])
+
APR_ADDTO(MOD_SYSTEMD_LDADD, [$SYSTEMD_LIBS])
fi
])
--- httpd-2.4.54/modules/arch/unix/mod_systemd.c.selinux
+++ httpd-2.4.54/modules/arch/unix/mod_systemd.c
@@ -35,6 +35,10 @@
#include <unistd.h>
#endif
@ -26,35 +27,38 @@ index a6fa2fb..cf4cba4 100644
+#include <selinux/selinux.h>
+#endif
+
/* LimitRequestBody handling */
#define AP_LIMIT_REQ_BODY_UNSET ((apr_off_t) -1)
#define AP_DEFAULT_LIMIT_REQ_BODY ((apr_off_t) 1<<30) /* 1GB */
@@ -5150,6 +5154,28 @@ static int core_post_config(apr_pool_t *pconf, apr_pool_t *plog, apr_pool_t *pte
}
#endif
APR_DECLARE_OPTIONAL_FN(int,
ap_find_systemd_socket, (process_rec *, apr_port_t));
+#ifdef HAVE_SELINUX
+ {
+ static int already_warned = 0;
+ int is_enabled = is_selinux_enabled() > 0;
+
+ if (is_enabled && !already_warned) {
+ security_context_t con;
+
+ if (getcon(&con) == 0) {
+
+ ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, NULL,
+ "SELinux policy enabled; "
+ "httpd running as context %s", con);
+
+ already_warned = 1;
+
+ freecon(con);
+ }
+ }
+ }
+#endif
+
return OK;
@@ -70,6 +74,20 @@
return apr_psprintf(p, "%s port %u", addr, sa->port);
}
+#ifdef HAVE_SELINUX
+static void log_selinux_context(void)
+{
+ char *con;
+
+ if (is_selinux_enabled() && getcon(&con) == 0) {
+ ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, NULL,
+ "SELinux policy enabled; "
+ "httpd running as context %s", con);
+ freecon(con);
+ }
+}
+#endif
+
/* Report the service is ready in post_config, which could be during
* startup or after a reload. The server could still hit a fatal
* startup error after this point during ap_run_mpm(), so this is
@@ -87,6 +105,10 @@
if (ap_state_query(AP_SQ_MAIN_STATE) == AP_SQ_MS_CREATE_PRE_CONFIG)
return OK;
+#ifdef HAVE_SELINUX
+ log_selinux_context();
+#endif
+
for (lr = ap_listeners; lr; lr = lr->next) {
char *s = dump_listener(lr, ptemp);
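Review bot: In `log_selinux_context()` the guard `is_selinux_enabled() && getcon(&con) == 0` accepts any non-zero return, so an error return (older libselinux releases document -1 on failure) is treated as "enabled". The core.c variant of the same check in this section compares with `> 0`. Assuming the mod_systemd.c lines are the new side of this patch file (the page has lost the +/- column), the guard should read `if (is_selinux_enabled() > 0 && getcon(&con) == 0) {`, so the "SELinux policy enabled" notice is only written when SELinux is actually active. A one-line comment above the function saying it is called on every post_config pass after the first would also help, since the `already_warned` latch of the older variant is gone.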


@ -0,0 +1,383 @@
# ./pullrev.sh 1912477 1912571 1912718 1913654 1914438
http://svn.apache.org/viewvc?view=revision&revision=1912477
http://svn.apache.org/viewvc?view=revision&revision=1912571
http://svn.apache.org/viewvc?view=revision&revision=1912718
http://svn.apache.org/viewvc?view=revision&revision=1913654
http://svn.apache.org/viewvc?view=revision&revision=1914438
Upstream-Status: in trunk, not proposed for 2.4.x
--- httpd-2.4.58/modules/dav/fs/config6.m4.r1912477+
+++ httpd-2.4.58/modules/dav/fs/config6.m4
@@ -20,4 +20,10 @@
APACHE_MODULE(dav_fs, DAV provider for the filesystem. --enable-dav also enables mod_dav_fs., $dav_fs_objects, , $dav_fs_enable,,dav)
+if test "x$enable_dav_fs" = "xshared"; then
+ # The only symbol which needs to be exported is the module
+ # structure, so ask libtool to hide everything else:
+ APR_ADDTO(MOD_DAV_FS_LDADD, [-export-symbols-regex dav_fs_module])
+fi
+
APACHE_MODPATH_FINISH
--- httpd-2.4.58/modules/dav/fs/dbm.c.r1912477+
+++ httpd-2.4.58/modules/dav/fs/dbm.c
@@ -47,6 +47,10 @@
#include "http_log.h"
#include "http_main.h" /* for ap_server_conf */
+#ifndef DEFAULT_PROPDB_DBM_TYPE
+#define DEFAULT_PROPDB_DBM_TYPE "default"
+#endif
+
APLOG_USE_MODULE(dav_fs);
struct dav_db {
@@ -100,7 +104,7 @@
/* There might not be a <db> if we had problems creating it. */
if (db == NULL) {
errcode = 1;
- errstr = "Could not open property database.";
+ errstr = "Could not open database.";
if (APR_STATUS_IS_EDSOOPEN(status))
ap_log_error(APLOG_MARK, APLOG_CRIT, status, ap_server_conf, APLOGNO(00576)
"The DBM driver could not be loaded");
@@ -129,10 +133,10 @@
/* dav_dbm_open_direct: Opens a *dbm database specified by path.
* ro = boolean read-only flag.
*/
-dav_error * dav_dbm_open_direct(apr_pool_t *p, const char *pathname, int ro,
- dav_db **pdb)
+dav_error * dav_dbm_open_direct(apr_pool_t *p, const char *pathname,
+ const char *dbmtype, int ro, dav_db **pdb)
{
-#if APU_MAJOR_VERSION > 1 || (APU_MAJOR_VERSION == 1 && APU_MINOR_VERSION >= 7)
+#if APR_MAJOR_VERSION > 1 || (APU_MAJOR_VERSION == 1 && APU_MINOR_VERSION >= 7)
const apr_dbm_driver_t *driver;
const apu_err_t *err;
#endif
@@ -141,13 +145,13 @@
*pdb = NULL;
-#if APU_MAJOR_VERSION > 1 || (APU_MAJOR_VERSION == 1 && APU_MINOR_VERSION >= 7)
- if ((status = apr_dbm_get_driver(&driver, NULL, &err, p)) != APR_SUCCESS) {
+#if APR_MAJOR_VERSION > 1 || (APU_MAJOR_VERSION == 1 && APU_MINOR_VERSION >= 7)
+ if ((status = apr_dbm_get_driver(&driver, dbmtype, &err, p)) != APR_SUCCESS) {
ap_log_error(APLOG_MARK, APLOG_ERR, status, ap_server_conf, APLOGNO(10289)
- "mod_dav_fs: The DBM library '%s' could not be loaded: %s",
- err->reason, err->msg);
+ "mod_dav_fs: The DBM library '%s' for '%s' could not be loaded: %s",
+ err->reason, dbmtype, err->msg);
return dav_new_error(p, HTTP_INTERNAL_SERVER_ERROR, 1, status,
- "Could not load library for property database.");
+ "Could not load library for database.");
}
if ((status = apr_dbm_open2(&file, driver, pathname,
ro ? APR_DBM_READONLY : APR_DBM_RWCREATE,
@@ -156,7 +160,7 @@
return dav_fs_dbm_error(NULL, p, status);
}
#else
- if ((status = apr_dbm_open(&file, pathname,
+ if ((status = apr_dbm_open_ex(&file, dbmtype, pathname,
ro ? APR_DBM_READONLY : APR_DBM_RWCREATE,
APR_OS_DEFAULT, p))
!= APR_SUCCESS
@@ -206,7 +210,7 @@
/* ### do we need to deal with the umask? */
- return dav_dbm_open_direct(p, pathname, ro, pdb);
+ return dav_dbm_open_direct(p, pathname, DEFAULT_PROPDB_DBM_TYPE, ro, pdb);
}
void dav_dbm_close(dav_db *db)
--- httpd-2.4.58/modules/dav/fs/lock.c.r1912477+
+++ httpd-2.4.58/modules/dav/fs/lock.c
@@ -181,8 +181,7 @@
{
request_rec *r; /* for accessing the uuid state */
apr_pool_t *pool; /* a pool to use */
- const char *lockdb_path; /* where is the lock database? */
-
+ const dav_fs_server_conf *conf; /* lock database config & metadata */
int opened; /* we opened the database */
dav_db *db; /* if non-NULL, the lock database */
};
@@ -292,6 +291,19 @@
return dav_compare_locktoken(lt1, lt2);
}
+static apr_status_t dav_fs_lockdb_cleanup(void *data)
+{
+ dav_lockdb *lockdb = data;
+
+ apr_global_mutex_unlock(lockdb->info->conf->lockdb_mutex);
+
+ if (lockdb->info->db) {
+ dav_dbm_close(lockdb->info->db);
+ }
+
+ return APR_SUCCESS;
+}
+
/*
** dav_fs_really_open_lockdb:
**
@@ -300,15 +312,27 @@
static dav_error * dav_fs_really_open_lockdb(dav_lockdb *lockdb)
{
dav_error *err;
+ apr_status_t rv;
if (lockdb->info->opened)
return NULL;
+ rv = apr_global_mutex_lock(lockdb->info->conf->lockdb_mutex);
+ if (rv) {
+ return dav_new_error(lockdb->info->pool,
+ HTTP_INTERNAL_SERVER_ERROR,
+ DAV_ERR_LOCK_OPENDB, rv,
+ "Could not lock mutex for lock database.");
+ }
+
err = dav_dbm_open_direct(lockdb->info->pool,
- lockdb->info->lockdb_path,
+ lockdb->info->conf->lockdb_path,
+ lockdb->info->conf->lockdb_type,
lockdb->ro,
&lockdb->info->db);
if (err != NULL) {
+ apr_global_mutex_unlock(lockdb->info->conf->lockdb_mutex);
+
return dav_push_error(lockdb->info->pool,
HTTP_INTERNAL_SERVER_ERROR,
DAV_ERR_LOCK_OPENDB,
@@ -316,6 +340,10 @@
err);
}
+ apr_pool_cleanup_register(lockdb->info->pool, lockdb,
+ dav_fs_lockdb_cleanup,
+ dav_fs_lockdb_cleanup);
+
/* all right. it is opened now. */
lockdb->info->opened = 1;
@@ -341,9 +369,9 @@
comb->pub.info = &comb->priv;
comb->priv.r = r;
comb->priv.pool = r->pool;
-
- comb->priv.lockdb_path = dav_get_lockdb_path(r);
- if (comb->priv.lockdb_path == NULL) {
+ comb->priv.conf = dav_fs_get_server_conf(r);
+
+ if (comb->priv.conf == NULL || comb->priv.conf->lockdb_path == NULL) {
return dav_new_error(r->pool, HTTP_INTERNAL_SERVER_ERROR,
DAV_ERR_LOCK_NO_DB, 0,
"A lock database was not specified with the "
@@ -369,8 +397,8 @@
*/
static void dav_fs_close_lockdb(dav_lockdb *lockdb)
{
- if (lockdb->info->db != NULL)
- dav_dbm_close(lockdb->info->db);
+ apr_pool_cleanup_run(lockdb->info->pool, lockdb,
+ dav_fs_lockdb_cleanup);
}
/*
--- httpd-2.4.58/modules/dav/fs/mod_dav_fs.c.r1912477+
+++ httpd-2.4.58/modules/dav/fs/mod_dav_fs.c
@@ -14,31 +14,35 @@
* limitations under the License.
*/
+#if !defined(_MSC_VER) && !defined(NETWARE)
+#include "ap_config_auto.h"
+#endif
+
#include "httpd.h"
#include "http_config.h"
+#include "http_core.h"
+#include "http_log.h"
#include "apr_strings.h"
#include "mod_dav.h"
#include "repos.h"
-/* per-server configuration */
-typedef struct {
- const char *lockdb_path;
-
-} dav_fs_server_conf;
-
extern module AP_MODULE_DECLARE_DATA dav_fs_module;
#ifndef DEFAULT_DAV_LOCKDB
#define DEFAULT_DAV_LOCKDB "davlockdb"
#endif
+#ifndef DEFAULT_DAV_LOCKDB_TYPE
+#define DEFAULT_DAV_LOCKDB_TYPE "default"
+#endif
-const char *dav_get_lockdb_path(const request_rec *r)
-{
- dav_fs_server_conf *conf;
+static const char dav_fs_mutexid[] = "dav_fs-lockdb";
- conf = ap_get_module_config(r->server->module_config, &dav_fs_module);
- return conf->lockdb_path;
+static apr_global_mutex_t *dav_fs_lockdb_mutex;
+
+const dav_fs_server_conf *dav_fs_get_server_conf(const request_rec *r)
+{
+ return ap_get_module_config(r->server->module_config, &dav_fs_module);
}
static void *dav_fs_create_server_config(apr_pool_t *p, server_rec *s)
@@ -57,15 +61,50 @@
newconf->lockdb_path =
child->lockdb_path ? child->lockdb_path : parent->lockdb_path;
+ newconf->lockdb_type =
+ child->lockdb_type ? child->lockdb_type : parent->lockdb_type;
return newconf;
}
+static int dav_fs_pre_config(apr_pool_t *pconf, apr_pool_t *plog, apr_pool_t *ptemp)
+{
+ if (ap_mutex_register(pconf, dav_fs_mutexid, NULL, APR_LOCK_DEFAULT, 0))
+ return !OK;
+ return OK;
+}
+
+static void dav_fs_child_init(apr_pool_t *p, server_rec *s)
+{
+ apr_status_t rv;
+
+ rv = apr_global_mutex_child_init(&dav_fs_lockdb_mutex,
+ apr_global_mutex_lockfile(dav_fs_lockdb_mutex),
+ p);
+ if (rv) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, rv, s,
+ APLOGNO(10488) "child init failed for mutex");
+ }
+}
+
static apr_status_t dav_fs_post_config(apr_pool_t *p, apr_pool_t *plog,
apr_pool_t *ptemp, server_rec *base_server)
{
server_rec *s;
+ apr_status_t rv;
+ /* Ignore first pass through the config. */
+ if (ap_state_query(AP_SQ_MAIN_STATE) == AP_SQ_MS_CREATE_PRE_CONFIG)
+ return OK;
+
+ rv = ap_global_mutex_create(&dav_fs_lockdb_mutex, NULL, dav_fs_mutexid, NULL,
+ base_server, p, 0);
+ if (rv) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, rv, base_server,
+ APLOGNO(10489) "could not create lock mutex");
+ return !OK;
+ }
+
for (s = base_server; s; s = s->next) {
dav_fs_server_conf *conf;
@@ -74,6 +113,13 @@
if (!conf->lockdb_path) {
conf->lockdb_path = ap_state_dir_relative(p, DEFAULT_DAV_LOCKDB);
}
+ if (!conf->lockdb_type) {
+ conf->lockdb_type = DEFAULT_DAV_LOCKDB_TYPE;
+ }
+
+ /* Mutex is common across all vhosts, but could have one per
+ * vhost if required. */
+ conf->lockdb_mutex = dav_fs_lockdb_mutex;
}
return OK;
@@ -98,19 +144,36 @@
return NULL;
}
+/*
+ * Command handler for the DAVLockDBType directive, which is TAKE1
+ */
+static const char *dav_fs_cmd_davlockdbtype(cmd_parms *cmd, void *config,
+ const char *arg1)
+{
+ dav_fs_server_conf *conf = ap_get_module_config(cmd->server->module_config,
+ &dav_fs_module);
+ conf->lockdb_type = arg1;
+
+ return NULL;
+}
+
static const command_rec dav_fs_cmds[] =
{
/* per server */
AP_INIT_TAKE1("DAVLockDB", dav_fs_cmd_davlockdb, NULL, RSRC_CONF,
"specify a lock database"),
+ AP_INIT_TAKE1("DAVLockDBType", dav_fs_cmd_davlockdbtype, NULL, RSRC_CONF,
+ "specify a lock database DBM type"),
{ NULL }
};
static void register_hooks(apr_pool_t *p)
{
+ ap_hook_pre_config(dav_fs_pre_config, NULL, NULL, APR_HOOK_MIDDLE);
ap_hook_post_config(dav_fs_post_config, NULL, NULL, APR_HOOK_MIDDLE);
-
+ ap_hook_child_init(dav_fs_child_init, NULL, NULL, APR_HOOK_MIDDLE);
+
dav_hook_gather_propsets(dav_fs_gather_propsets, NULL, NULL,
APR_HOOK_MIDDLE);
dav_hook_find_liveprop(dav_fs_find_liveprop, NULL, NULL, APR_HOOK_MIDDLE);
--- httpd-2.4.58/modules/dav/fs/repos.h.r1912477+
+++ httpd-2.4.58/modules/dav/fs/repos.h
@@ -25,6 +25,8 @@
#ifndef _DAV_FS_REPOS_H_
#define _DAV_FS_REPOS_H_
+#include "util_mutex.h"
+
/* the subdirectory to hold all DAV-related information for a directory */
#define DAV_FS_STATE_DIR ".DAV"
#define DAV_FS_STATE_FILE_FOR_DIR ".state_for_dir"
@@ -53,8 +55,8 @@
/* DBM functions used by the repository and locking providers */
extern const dav_hooks_db dav_hooks_db_dbm;
-dav_error * dav_dbm_open_direct(apr_pool_t *p, const char *pathname, int ro,
- dav_db **pdb);
+dav_error * dav_dbm_open_direct(apr_pool_t *p, const char *pathname,
+ const char *dbmtype, int ro, dav_db **pdb);
void dav_dbm_get_statefiles(apr_pool_t *p, const char *fname,
const char **state1, const char **state2);
dav_error * dav_dbm_delete(dav_db *db, apr_datum_t key);
@@ -64,8 +66,15 @@
int dav_dbm_exists(dav_db *db, apr_datum_t key);
void dav_dbm_close(dav_db *db);
-/* where is the lock database located? */
-const char *dav_get_lockdb_path(const request_rec *r);
+/* Per-server configuration. */
+typedef struct {
+ const char *lockdb_path;
+ const char *lockdb_type;
+ apr_global_mutex_t *lockdb_mutex;
+} dav_fs_server_conf;
+
+/* Returns server configuration for the request. */
+const dav_fs_server_conf *dav_fs_get_server_conf(const request_rec *r);
const dav_hooks_locks *dav_fs_get_lock_hooks(request_rec *r);
const dav_hooks_propdb *dav_fs_get_propdb_hooks(request_rec *r);
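Review bot: In lock.c, `dav_fs_close_lockdb()` now calls `apr_pool_cleanup_run()` unconditionally, and that function invokes the cleanup even when it was never registered. `dav_fs_lockdb_cleanup()` would then call `apr_global_mutex_unlock()` on a mutex this request never locked, if close can be reached without `dav_fs_really_open_lockdb()` having succeeded. The removed code guarded on `lockdb->info->db != NULL`; an equivalent guard here would be `if (lockdb->info->opened)` before the `apr_pool_cleanup_run(...)` call, with `opened` cleared afterwards. The body of the function that sets up `comb->priv` lies outside the hunk, so whether a lazily opened lockdb can reach close untouched needs confirming there. Separately, `dav_fs_child_init()` in mod_dav_fs.c only logs a failed `apr_global_mutex_child_init()` and lets the child continue, which deserves a comment stating what the lock-database serialisation guarantees in that case.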


@ -0,0 +1,221 @@
# ./pullrev.sh 1914365
http://svn.apache.org/viewvc?view=revision&revision=1914365
Upstream-Status: in trunk, not proposed for 2.4.x
--- httpd-2.4.58/modules/ssl/ssl_engine_init.c.r1914365
+++ httpd-2.4.58/modules/ssl/ssl_engine_init.c
@@ -1421,8 +1421,10 @@
if (cert) {
if (SSL_CTX_use_certificate(mctx->ssl_ctx, cert) < 1) {
ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(10137)
- "Failed to configure engine certificate %s, check %s",
- key_id, certfile);
+ "Failed to configure certificate %s from %s, check %s",
+ key_id, mc->szCryptoDevice ?
+ mc->szCryptoDevice : "provider",
+ certfile);
ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
return APR_EGENERAL;
}
@@ -1433,8 +1435,9 @@
if (SSL_CTX_use_PrivateKey(mctx->ssl_ctx, pkey) < 1) {
ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(10130)
- "Failed to configure private key %s from engine",
- keyfile);
+ "Failed to configure private key %s from %s",
+ keyfile, mc->szCryptoDevice ?
+ mc->szCryptoDevice : "provider");
ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
return APR_EGENERAL;
}
--- httpd-2.4.58/modules/ssl/ssl_engine_pphrase.c.r1914365
+++ httpd-2.4.58/modules/ssl/ssl_engine_pphrase.c
@@ -31,6 +31,9 @@
#include "ssl_private.h"
#include <openssl/ui.h>
+#if MODSSL_HAVE_OPENSSL_STORE
+#include <openssl/store.h>
+#endif
typedef struct {
server_rec *s;
@@ -608,7 +611,7 @@
return (len);
}
-#if MODSSL_HAVE_ENGINE_API
+#if MODSSL_HAVE_ENGINE_API || MODSSL_HAVE_OPENSSL_STORE
/* OpenSSL UI implementation for passphrase entry; largely duplicated
* from ssl_pphrase_Handle_CB but adjusted for UI API. TODO: Might be
@@ -826,13 +829,14 @@
}
#endif
-
-apr_status_t modssl_load_engine_keypair(server_rec *s, apr_pool_t *p,
+#if MODSSL_HAVE_ENGINE_API
+static apr_status_t modssl_load_keypair_engine(server_rec *s, apr_pool_t *p,
const char *vhostid,
- const char *certid, const char *keyid,
- X509 **pubkey, EVP_PKEY **privkey)
+ const char *certid,
+ const char *keyid,
+ X509 **pubkey,
+ EVP_PKEY **privkey)
{
-#if MODSSL_HAVE_ENGINE_API
const char *c, *scheme;
ENGINE *e;
UI_METHOD *ui_method = get_passphrase_ui(p);
@@ -906,6 +910,118 @@
ENGINE_free(e);
return APR_SUCCESS;
+}
+#endif
+
+#if MODSSL_HAVE_OPENSSL_STORE
+static OSSL_STORE_INFO *modssl_load_store_uri(server_rec *s, apr_pool_t *p,
+ const char *vhostid,
+ const char *uri, int info_type)
+{
+ OSSL_STORE_CTX *sctx;
+ UI_METHOD *ui_method = get_passphrase_ui(p);
+ pphrase_cb_arg_t ppcb;
+ OSSL_STORE_INFO *info = NULL;
+
+ memset(&ppcb, 0, sizeof ppcb);
+ ppcb.s = s;
+ ppcb.p = p;
+ ppcb.bPassPhraseDialogOnce = TRUE;
+ ppcb.key_id = vhostid;
+ ppcb.pkey_file = uri;
+
+ sctx = OSSL_STORE_open(uri, ui_method, &ppcb, NULL, NULL);
+ if (!sctx) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(10491)
+ "Init: OSSL_STORE_open failed for PKCS#11 URI `%s'",
+ uri);
+ return NULL;
+ }
+
+ while (!OSSL_STORE_eof(sctx)) {
+ info = OSSL_STORE_load(sctx);
+ if (!info)
+ break;
+
+ if (OSSL_STORE_INFO_get_type(info) == info_type)
+ break;
+
+ OSSL_STORE_INFO_free(info);
+ info = NULL;
+ }
+
+ OSSL_STORE_close(sctx);
+
+ return info;
+}
+
+static apr_status_t modssl_load_keypair_store(server_rec *s, apr_pool_t *p,
+ const char *vhostid,
+ const char *certid,
+ const char *keyid,
+ X509 **pubkey,
+ EVP_PKEY **privkey)
+{
+ OSSL_STORE_INFO *info = NULL;
+
+ *privkey = NULL;
+ *pubkey = NULL;
+
+ info = modssl_load_store_uri(s, p, vhostid, keyid, OSSL_STORE_INFO_PKEY);
+ if (!info) {
+ ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(10492)
+ "Init: OSSL_STORE_INFO_PKEY lookup failed for private key identifier `%s'",
+ keyid);
+ return ssl_die(s);
+ }
+
+ *privkey = OSSL_STORE_INFO_get1_PKEY(info);
+ OSSL_STORE_INFO_free(info);
+ if (!*privkey) {
+ ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(10493)
+ "Init: OSSL_STORE_INFO_PKEY lookup failed for private key identifier `%s'",
+ keyid);
+ return ssl_die(s);
+ }
+
+ if (certid) {
+ info = modssl_load_store_uri(s, p, vhostid, certid, OSSL_STORE_INFO_CERT);
+ if (!info) {
+ ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(10494)
+ "Init: OSSL_STORE_INFO_CERT lookup failed for certificate identifier `%s'",
+ keyid);
+ return ssl_die(s);
+ }
+
+ *pubkey = OSSL_STORE_INFO_get1_CERT(info);
+ OSSL_STORE_INFO_free(info);
+ if (!*pubkey) {
+ ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(10495)
+ "Init: OSSL_STORE_INFO_CERT lookup failed for certificate identifier `%s'",
+ certid);
+ return ssl_die(s);
+ }
+ }
+
+ return APR_SUCCESS;
+}
+#endif
+
+apr_status_t modssl_load_engine_keypair(server_rec *s, apr_pool_t *p,
+ const char *vhostid,
+ const char *certid, const char *keyid,
+ X509 **pubkey, EVP_PKEY **privkey)
+{
+#if MODSSL_HAVE_OPENSSL_STORE
+ SSLModConfigRec *mc = myModConfig(s);
+
+ if (!mc->szCryptoDevice)
+ return modssl_load_keypair_store(s, p, vhostid, certid, keyid,
+ pubkey, privkey);
+#endif
+#if MODSSL_HAVE_ENGINE_API
+ return modssl_load_keypair_engine(s, p, vhostid, certid, keyid,
+ pubkey, privkey);
#else
return APR_ENOTIMPL;
#endif
--- httpd-2.4.58/modules/ssl/ssl_private.h.r1914365
+++ httpd-2.4.58/modules/ssl/ssl_private.h
@@ -118,6 +118,15 @@
#define MODSSL_HAVE_ENGINE_API 0
#endif
+/* Use OpenSSL 3.x STORE for loading URI keys and certificates starting with
+ * OpenSSL 3.0
+ */
+#if OPENSSL_VERSION_NUMBER >= 0x30000000
+#define MODSSL_HAVE_OPENSSL_STORE 1
+#else
+#define MODSSL_HAVE_OPENSSL_STORE 0
+#endif
+
#if (OPENSSL_VERSION_NUMBER < 0x0090801f)
#error mod_ssl requires OpenSSL 0.9.8a or later
#endif
--- httpd-2.4.58/modules/ssl/ssl_util.c.r1914365
+++ httpd-2.4.58/modules/ssl/ssl_util.c
@@ -476,7 +476,7 @@
int modssl_is_engine_id(const char *name)
{
-#if MODSSL_HAVE_ENGINE_API
+#if MODSSL_HAVE_ENGINE_API || MODSSL_HAVE_OPENSSL_STORE
/* ### Can handle any other special ENGINE key names here? */
return strncmp(name, "pkcs11:", 7) == 0;
#else


@ -0,0 +1,14 @@
Upstream-Status: not pushed upstream
--- httpd-2.4.54/server/log.c.gettid
+++ httpd-2.4.54/server/log.c
@@ -968,7 +972,7 @@
#if APR_HAS_THREADS
field_start = len;
len += cpystrn(buf + len, ":tid ", buflen - len);
- item_len = log_tid(info, NULL, buf + len, buflen - len);
+ item_len = log_tid(info, "g", buf + len, buflen - len);
if (!item_len)
len = field_start;
else
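Review bot: The patch header carries only `Upstream-Status: not pushed upstream` and never says why the `:tid` field is changed, so a later rebase has nothing to check this hunk against. Passing `"g"` instead of `NULL` to `log_tid()` presumably makes the default error-log prefix print the system thread id (gettid) rather than the APR thread id; that should be confirmed against `log_tid()` in server/log.c, which is not visible here. If so, a header line such as `Log the system thread id (gettid) in the :tid field of the default error log prefix` would record the intent. It would also warn anyone whose log parsing or alert correlation keys on the previous tid values. The enclosing function starts and ends outside the hunk.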


@ -1,12 +1,41 @@
https://github.com/apache/httpd/pull/209
diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml
index ddacd4af19..6d4379d165 100644
--- a/.github/workflows/linux.yml
+++ b/.github/workflows/linux.yml
@@ -48,11 +48,11 @@ jobs:
- name: Shared MPMs, all-modules
config: --enable-mods-shared=reallyall --enable-mpms-shared=all
# -------------------------------------------------------------------------
- - name: Event MPM, all-modules, mod_cgid only
- config: --enable-mods-shared=reallyall --with-mpm=event --disable-cgi
+ - name: Event MPM, all-modules, mod_cgid fdpassing
+ config: --enable-mods-shared=reallyall --with-mpm=event --disable-cgi --enable-cgid-fdpassing
# -------------------------------------------------------------------------
- - name: Event MPM, all-modules, no CMSG_DATA
- config: --enable-mods-shared=reallyall --with-mpm=event ac_cv_have_decl_CMSG_DATA=no
+ - name: Event MPM, all-modules, mod_cgid w/o fdpassing
+ config: --enable-mods-shared=reallyall --with-mpm=event --disable-cgi
# -------------------------------------------------------------------------
- name: Default, all-modules + install
config: --enable-mods-shared=reallyall
diff --git a/changes-entries/pr54221.txt b/changes-entries/pr54221.txt
new file mode 100644
index 0000000000..62b75ea4dd
--- /dev/null
+++ b/changes-entries/pr54221.txt
@@ -0,0 +1,3 @@
+ *) mod_cgid: Optional support for file descriptor passing, fixing
+ error log handling (configure --enable-cgid-fdpassing) on Unix
+ platforms. PR 54221. [Joe Orton]
diff --git a/modules/generators/cgi_common.h b/modules/generators/cgi_common.h
new file mode 100644
index 0000000000..69df73ce68
index 0000000000..66f9418f21
--- /dev/null
+++ b/modules/generators/cgi_common.h
@@ -0,0 +1,629 @@
@@ -0,0 +1,639 @@
+/* Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
@ -35,6 +64,7 @@ index 0000000000..69df73ce68
+
+#include "httpd.h"
+#include "util_filter.h"
+#include "util_script.h"
+
+static APR_OPTIONAL_FN_TYPE(ap_ssi_get_tag_and_value) *cgi_pfn_gtv;
+static APR_OPTIONAL_FN_TYPE(ap_ssi_parse_string) *cgi_pfn_ps;
@ -437,9 +467,18 @@ index 0000000000..69df73ce68
+ char sbuf[MAX_STRING_LEN];
+ int ret;
+
+ if ((ret = ap_scan_script_header_err_brigade_ex(r, bb, sbuf,
+ APLOG_MODULE_INDEX)))
+ {
+ ret = ap_scan_script_header_err_brigade_ex(r, bb, sbuf,
+ APLOG_MODULE_INDEX);
+
+ /* xCGI has its own body framing mechanism which we don't
+ * match against any provided Content-Length, so let the
+ * core determine C-L vs T-E based on what's actually sent.
+ */
+ if (!apr_table_get(r->subprocess_env, AP_TRUST_CGILIKE_CL_ENVVAR))
+ apr_table_unset(r->headers_out, "Content-Length");
+ apr_table_unset(r->headers_out, "Transfer-Encoding");
+
+ if (ret != OK) {
+ /* In the case of a timeout reading script output, clear
+ * the brigade to avoid a second attempt to read the
+ * output. */
@ -657,10 +696,18 @@ index bf295217e0..086355353b 100644
+
APACHE_MODPATH_FINISH
diff --git a/modules/generators/mod_cgi.c b/modules/generators/mod_cgi.c
index 7e4b126c10..421124a0cb 100644
index 1f7778617e..3799b06ce3 100644
--- a/modules/generators/mod_cgi.c
+++ b/modules/generators/mod_cgi.c
@@ -61,9 +61,6 @@
@@ -48,7 +48,6 @@
#include "http_protocol.h"
#include "http_main.h"
#include "http_log.h"
-#include "util_script.h"
#include "ap_mpm.h"
#include "mod_core.h"
#include "mod_cgi.h"
@@ -61,9 +60,6 @@
module AP_MODULE_DECLARE_DATA cgi_module;
@ -670,14 +717,10 @@ index 7e4b126c10..421124a0cb 100644
static APR_OPTIONAL_FN_TYPE(ap_cgi_build_command) *cgi_build_command;
/* Read and discard the data in the brigade produced by a CGI script */
@@ -92,6 +89,15 @@ typedef struct {
apr_size_t bufbytes;
} cgi_server_conf;
@@ -96,6 +92,11 @@ typedef struct {
apr_interval_time_t timeout;
} cgi_dirconf;
+typedef struct {
+ apr_interval_time_t timeout;
+} cgi_dirconf;
+
+#if APR_FILES_AS_SOCKETS
+#define WANT_CGI_BUCKET
+#endif
@ -686,44 +729,7 @@ index 7e4b126c10..421124a0cb 100644
static void *create_cgi_config(apr_pool_t *p, server_rec *s)
{
cgi_server_conf *c =
@@ -112,6 +118,12 @@ static void *merge_cgi_config(apr_pool_t *p, void *basev, void *overridesv)
return overrides->logname ? overrides : base;
}
+static void *create_cgi_dirconf(apr_pool_t *p, char *dummy)
+{
+ cgi_dirconf *c = (cgi_dirconf *) apr_pcalloc(p, sizeof(cgi_dirconf));
+ return c;
+}
+
static const char *set_scriptlog(cmd_parms *cmd, void *dummy, const char *arg)
{
server_rec *s = cmd->server;
@@ -150,6 +162,17 @@ static const char *set_scriptlog_buffer(cmd_parms *cmd, void *dummy,
return NULL;
}
+static const char *set_script_timeout(cmd_parms *cmd, void *dummy, const char *arg)
+{
+ cgi_dirconf *dc = dummy;
+
+ if (ap_timeout_parameter_parse(arg, &dc->timeout, "s") != APR_SUCCESS) {
+ return "CGIScriptTimeout has wrong format";
+ }
+
+ return NULL;
+}
+
static const command_rec cgi_cmds[] =
{
AP_INIT_TAKE1("ScriptLog", set_scriptlog, NULL, RSRC_CONF,
@@ -158,67 +181,12 @@ AP_INIT_TAKE1("ScriptLogLength", set_scriptlog_length, NULL, RSRC_CONF,
"the maximum length (in bytes) of the script debug log"),
AP_INIT_TAKE1("ScriptLogBuffer", set_scriptlog_buffer, NULL, RSRC_CONF,
"the maximum size (in bytes) to record of a POST request"),
+AP_INIT_TAKE1("CGIScriptTimeout", set_script_timeout, NULL, RSRC_CONF | ACCESS_CONF,
+ "The amount of time to wait between successful reads from "
+ "the CGI script, in seconds."),
@@ -185,64 +186,6 @@ AP_INIT_TAKE1("CGIScriptTimeout", set_script_timeout, NULL, RSRC_CONF | ACCESS_C
{NULL}
};
@ -788,37 +794,7 @@ index 7e4b126c10..421124a0cb 100644
static int log_script(request_rec *r, cgi_server_conf * conf, int ret,
char *dbuf, const char *sbuf, apr_bucket_brigade *bb,
apr_file_t *script_err)
@@ -466,23 +434,26 @@ static apr_status_t run_cgi_child(apr_file_t **script_out,
apr_filepath_name_get(r->filename));
}
else {
+ cgi_dirconf *dc = ap_get_module_config(r->per_dir_config, &cgi_module);
+ apr_interval_time_t timeout = dc->timeout > 0 ? dc->timeout : r->server->timeout;
+
apr_pool_note_subprocess(p, procnew, APR_KILL_AFTER_TIMEOUT);
*script_in = procnew->out;
if (!*script_in)
return APR_EBADF;
- apr_file_pipe_timeout_set(*script_in, r->server->timeout);
+ apr_file_pipe_timeout_set(*script_in, timeout);
if (e_info->prog_type == RUN_AS_CGI) {
*script_out = procnew->in;
if (!*script_out)
return APR_EBADF;
- apr_file_pipe_timeout_set(*script_out, r->server->timeout);
+ apr_file_pipe_timeout_set(*script_out, timeout);
*script_err = procnew->err;
if (!*script_err)
return APR_EBADF;
- apr_file_pipe_timeout_set(*script_err, r->server->timeout);
+ apr_file_pipe_timeout_set(*script_err, timeout);
}
}
}
@@ -536,234 +507,30 @@ static apr_status_t default_build_command(const char **cmd, const char ***argv,
@@ -563,230 +506,23 @@ static apr_status_t default_build_command(const char **cmd, const char ***argv,
return APR_SUCCESS;
}
@ -961,11 +937,14 @@ index 7e4b126c10..421124a0cb 100644
- apr_size_t *len, apr_read_type_e block)
-{
- struct cgi_bucket_data *data = b->data;
- apr_interval_time_t timeout;
- apr_interval_time_t timeout = 0;
- apr_status_t rv;
- int gotdata = 0;
- cgi_dirconf *dc = ap_get_module_config(data->r->per_dir_config, &cgi_module);
-
- timeout = block == APR_NONBLOCK_READ ? 0 : data->r->server->timeout;
- if (block != APR_NONBLOCK_READ) {
- timeout = dc->timeout > 0 ? dc->timeout : data->r->server->timeout;
- }
-
- do {
- const apr_pollfd_t *results;
@ -1046,10 +1025,10 @@ index 7e4b126c10..421124a0cb 100644
apr_status_t rv;
cgi_exec_info_t e_info;
- conn_rec *c;
+ cgi_dirconf *dc = ap_get_module_config(r->per_dir_config, &cgi_module);
+ apr_interval_time_t timeout = dc->timeout > 0 ? dc->timeout : r->server->timeout;
cgi_dirconf *dc = ap_get_module_config(r->per_dir_config, &cgi_module);
apr_interval_time_t timeout = dc->timeout > 0 ? dc->timeout : r->server->timeout;
if (strcmp(r->handler, CGI_MAGIC_TYPE) && strcmp(r->handler, "cgi-script")) {
@@ -794,8 +530,6 @@ static int cgi_handler(request_rec *r)
return DECLINED;
}
@ -1058,7 +1037,7 @@ index 7e4b126c10..421124a0cb 100644
is_included = !strcmp(r->protocol, "INCLUDED");
p = r->main ? r->main->pool : r->pool;
@@ -832,83 +599,24 @@ static int cgi_handler(request_rec *r)
@@ -864,83 +598,24 @@ static int cgi_handler(request_rec *r)
return HTTP_INTERNAL_SERVER_ERROR;
}
@ -1155,7 +1134,7 @@ index 7e4b126c10..421124a0cb 100644
/* Is this flush really needed? */
apr_file_flush(script_out);
apr_file_close(script_out);
@@ -916,10 +624,7 @@ static int cgi_handler(request_rec *r)
@@ -948,10 +623,7 @@ static int cgi_handler(request_rec *r)
AP_DEBUG_ASSERT(script_in != NULL);
#if APR_FILES_AS_SOCKETS
@ -1167,7 +1146,7 @@ index 7e4b126c10..421124a0cb 100644
if (b == NULL)
return HTTP_INTERNAL_SERVER_ERROR;
#else
@@ -929,111 +634,7 @@ static int cgi_handler(request_rec *r)
@@ -961,120 +633,7 @@ static int cgi_handler(request_rec *r)
b = apr_bucket_eos_create(c->bucket_alloc);
APR_BRIGADE_INSERT_TAIL(bb, b);
@ -1177,9 +1156,18 @@ index 7e4b126c10..421124a0cb 100644
- char sbuf[MAX_STRING_LEN];
- int ret;
-
- if ((ret = ap_scan_script_header_err_brigade_ex(r, bb, sbuf,
- APLOG_MODULE_INDEX)))
- {
- ret = ap_scan_script_header_err_brigade_ex(r, bb, sbuf,
- APLOG_MODULE_INDEX);
-
- /* xCGI has its own body framing mechanism which we don't
- * match against any provided Content-Length, so let the
- * core determine C-L vs T-E based on what's actually sent.
- */
- if (!apr_table_get(r->subprocess_env, AP_TRUST_CGILIKE_CL_ENVVAR))
- apr_table_unset(r->headers_out, "Content-Length");
- apr_table_unset(r->headers_out, "Transfer-Encoding");
-
- if (ret != OK) {
- ret = log_script(r, conf, ret, dbuf, sbuf, bb, script_err);
-
- /*
@ -1218,7 +1206,7 @@ index 7e4b126c10..421124a0cb 100644
- * stderr output, as normal. */
- discard_script_output(bb);
- apr_brigade_destroy(bb);
- apr_file_pipe_timeout_set(script_err, r->server->timeout);
- apr_file_pipe_timeout_set(script_err, timeout);
- log_script_err(r, script_err);
- }
-
@ -1269,7 +1257,7 @@ index 7e4b126c10..421124a0cb 100644
- * connection drops or we stopped sending output for some other
- * reason */
- if (rv == APR_SUCCESS && !r->connection->aborted) {
- apr_file_pipe_timeout_set(script_err, r->server->timeout);
- apr_file_pipe_timeout_set(script_err, timeout);
- log_script_err(r, script_err);
- }
-
@ -1280,7 +1268,7 @@ index 7e4b126c10..421124a0cb 100644
}
/*============================================================================
@@ -1147,107 +748,9 @@ static apr_status_t include_cmd(include_ctx_t *ctx, ap_filter_t *f,
@@ -1188,107 +747,9 @@ static apr_status_t include_cmd(include_ctx_t *ctx, ap_filter_t *f,
return APR_SUCCESS;
}
@ -1388,7 +1376,7 @@ index 7e4b126c10..421124a0cb 100644
/* This is the means by which unusual (non-unix) os's may find alternate
* means to run a given command (e.g. shebang/registry parsing on Win32)
*/
@@ -1263,12 +766,13 @@ static void register_hooks(apr_pool_t *p)
@@ -1304,6 +765,7 @@ static void register_hooks(apr_pool_t *p)
static const char * const aszPre[] = { "mod_include.c", NULL };
ap_hook_handler(cgi_handler, NULL, NULL, APR_HOOK_MIDDLE);
ap_hook_post_config(cgi_post_config, aszPre, NULL, APR_HOOK_REALLY_FIRST);
@ -1396,18 +1384,19 @@ index 7e4b126c10..421124a0cb 100644
}
AP_DECLARE_MODULE(cgi) =
{
STANDARD20_MODULE_STUFF,
- NULL, /* dir config creater */
+ create_cgi_dirconf, /* dir config creater */
NULL, /* dir merger --- default is to override */
create_cgi_config, /* server config */
merge_cgi_config, /* merge server config */
diff --git a/modules/generators/mod_cgid.c b/modules/generators/mod_cgid.c
index 2258a683b7..dddfb25254 100644
index 4bab59f932..1d55b8dc48 100644
--- a/modules/generators/mod_cgid.c
+++ b/modules/generators/mod_cgid.c
@@ -80,11 +80,6 @@ module AP_MODULE_DECLARE_DATA cgid_module;
@@ -57,7 +57,6 @@
#include "http_protocol.h"
#include "http_main.h"
#include "http_log.h"
-#include "util_script.h"
#include "ap_mpm.h"
#include "mpm_common.h"
#include "mod_suexec.h"
@@ -80,11 +79,6 @@ module AP_MODULE_DECLARE_DATA cgid_module;
static int cgid_start(apr_pool_t *p, server_rec *main_server, apr_proc_t *procnew);
static int cgid_init(apr_pool_t *p, apr_pool_t *plog, apr_pool_t *ptemp, server_rec *main_server);
@ -1419,7 +1408,7 @@ index 2258a683b7..dddfb25254 100644
static apr_pool_t *pcgi = NULL;
static pid_t daemon_pid;
@@ -220,6 +215,15 @@ typedef struct {
@@ -220,6 +214,15 @@ typedef struct {
#endif
} cgid_req_t;
@ -1435,7 +1424,7 @@ index 2258a683b7..dddfb25254 100644
/* This routine is called to create the argument list to be passed
* to the CGI script. When suexec is enabled, the suexec path, user, and
* group are the first three arguments to be passed; if not, all three
@@ -342,15 +346,19 @@ static apr_status_t close_unix_socket(void *thefd)
@@ -342,15 +345,19 @@ static apr_status_t close_unix_socket(void *thefd)
return close(fd);
}
@ -1460,7 +1449,7 @@ index 2258a683b7..dddfb25254 100644
do {
do {
rc = read(fd, buf + bytes_read, buf_size - bytes_read);
@@ -365,9 +373,60 @@ static apr_status_t sock_read(int fd, void *vbuf, size_t buf_size)
@@ -365,9 +372,60 @@ static apr_status_t sock_read(int fd, void *vbuf, size_t buf_size)
}
} while (bytes_read < buf_size);
@ -1521,7 +1510,7 @@ index 2258a683b7..dddfb25254 100644
/* deal with signals
*/
static apr_status_t sock_write(int fd, const void *buf, size_t buf_size)
@@ -384,7 +443,7 @@ static apr_status_t sock_write(int fd, const void *buf, size_t buf_size)
@@ -384,7 +442,7 @@ static apr_status_t sock_write(int fd, const void *buf, size_t buf_size)
return APR_SUCCESS;
}
@ -1530,7 +1519,7 @@ index 2258a683b7..dddfb25254 100644
{
va_list ap;
int rc;
@@ -399,9 +458,39 @@ static apr_status_t sock_writev(int fd, request_rec *r, int count, ...)
@@ -399,9 +457,39 @@ static apr_status_t sock_writev(int fd, request_rec *r, int count, ...)
}
va_end(ap);
@ -1570,7 +1559,7 @@ index 2258a683b7..dddfb25254 100644
if (rc < 0) {
return errno;
}
@@ -410,7 +499,7 @@ static apr_status_t sock_writev(int fd, request_rec *r, int count, ...)
@@ -410,7 +498,7 @@ static apr_status_t sock_writev(int fd, request_rec *r, int count, ...)
}
static apr_status_t get_req(int fd, request_rec *r, char **argv0, char ***env,
@ -1579,7 +1568,7 @@ index 2258a683b7..dddfb25254 100644
{
int i;
char **environ;
@@ -421,7 +510,7 @@ static apr_status_t get_req(int fd, request_rec *r, char **argv0, char ***env,
@@ -421,7 +509,7 @@ static apr_status_t get_req(int fd, request_rec *r, char **argv0, char ***env,
r->server = apr_pcalloc(r->pool, sizeof(server_rec));
/* read the request header */
@ -1588,7 +1577,7 @@ index 2258a683b7..dddfb25254 100644
if (stat != APR_SUCCESS) {
return stat;
}
@@ -431,6 +520,14 @@ static apr_status_t get_req(int fd, request_rec *r, char **argv0, char ***env,
@@ -431,6 +519,14 @@ static apr_status_t get_req(int fd, request_rec *r, char **argv0, char ***env,
return APR_SUCCESS;
}
@ -1603,7 +1592,7 @@ index 2258a683b7..dddfb25254 100644
/* handle module indexes and such */
rconf = (void **)ap_create_request_config(r->pool);
@@ -479,14 +576,15 @@ static apr_status_t get_req(int fd, request_rec *r, char **argv0, char ***env,
@@ -479,14 +575,15 @@ static apr_status_t get_req(int fd, request_rec *r, char **argv0, char ***env,
return APR_SUCCESS;
}
@ -1621,7 +1610,7 @@ index 2258a683b7..dddfb25254 100644
if (ugid == NULL) {
@@ -507,16 +605,21 @@ static apr_status_t send_req(int fd, request_rec *r, char *argv0, char **env,
@@ -507,16 +604,21 @@ static apr_status_t send_req(int fd, request_rec *r, char *argv0, char **env,
req.args_len = r->args ? strlen(r->args) : 0;
req.loglevel = r->server->log.level;
@ -1645,7 +1634,7 @@ index 2258a683b7..dddfb25254 100644
&req, sizeof(req),
r->filename, req.filename_len,
argv0, req.argv0_len,
@@ -531,7 +634,7 @@ static apr_status_t send_req(int fd, request_rec *r, char *argv0, char **env,
@@ -531,7 +633,7 @@ static apr_status_t send_req(int fd, request_rec *r, char *argv0, char **env,
for (i = 0; i < req.env_count; i++) {
apr_size_t curlen = strlen(env[i]);
@ -1654,7 +1643,7 @@ index 2258a683b7..dddfb25254 100644
env[i], curlen)) != APR_SUCCESS) {
return stat;
}
@@ -582,20 +685,34 @@ static void daemon_signal_handler(int sig)
@@ -582,20 +684,34 @@ static void daemon_signal_handler(int sig)
}
}
@ -1697,7 +1686,7 @@ index 2258a683b7..dddfb25254 100644
}
static int cgid_server(void *data)
@@ -670,7 +787,7 @@ static int cgid_server(void *data)
@@ -670,7 +786,7 @@ static int cgid_server(void *data)
}
while (!daemon_should_exit) {
@ -1706,7 +1695,7 @@ index 2258a683b7..dddfb25254 100644
char *argv0 = NULL;
char **env = NULL;
const char * const *argv;
@@ -710,7 +827,7 @@ static int cgid_server(void *data)
@@ -710,7 +826,7 @@ static int cgid_server(void *data)
r = apr_pcalloc(ptrans, sizeof(request_rec));
procnew = apr_pcalloc(ptrans, sizeof(*procnew));
r->pool = ptrans;
@ -1715,7 +1704,7 @@ index 2258a683b7..dddfb25254 100644
if (stat != APR_SUCCESS) {
ap_log_error(APLOG_MARK, APLOG_ERR, stat,
main_server, APLOGNO(01248)
@@ -742,6 +859,16 @@ static int cgid_server(void *data)
@@ -742,6 +858,16 @@ static int cgid_server(void *data)
continue;
}
@ -1732,7 +1721,7 @@ index 2258a683b7..dddfb25254 100644
apr_os_file_put(&r->server->error_log, &errfileno, 0, r->pool);
apr_os_file_put(&inout, &sd2, 0, r->pool);
@@ -801,7 +928,10 @@ static int cgid_server(void *data)
@@ -801,7 +927,10 @@ static int cgid_server(void *data)
close(sd2);
}
else {
@ -1744,7 +1733,7 @@ index 2258a683b7..dddfb25254 100644
argv = (const char * const *)create_argv(r->pool, NULL, NULL, NULL, argv0, r->args);
@@ -946,16 +1076,6 @@ static int cgid_init(apr_pool_t *p, apr_pool_t *plog, apr_pool_t *ptemp,
@@ -946,16 +1075,6 @@ static int cgid_init(apr_pool_t *p, apr_pool_t *plog, apr_pool_t *ptemp,
if (ret != OK ) {
return ret;
}
@ -1761,7 +1750,7 @@ index 2258a683b7..dddfb25254 100644
}
return ret;
}
@@ -1066,41 +1186,6 @@ static const command_rec cgid_cmds[] =
@@ -1066,41 +1185,6 @@ static const command_rec cgid_cmds[] =
{NULL}
};
@ -1803,7 +1792,7 @@ index 2258a683b7..dddfb25254 100644
static int log_script(request_rec *r, cgid_server_conf * conf, int ret,
char *dbuf, const char *sbuf, apr_bucket_brigade *bb,
apr_file_t *script_err)
@@ -1221,7 +1306,7 @@ static int connect_to_daemon(int *sdptr, request_rec *r,
@@ -1221,7 +1305,7 @@ static int connect_to_daemon(int *sdptr, request_rec *r,
++connect_tries;
if ((sd = socket(AF_UNIX, SOCK_STREAM, 0)) < 0) {
return log_scripterror(r, conf, HTTP_INTERNAL_SERVER_ERROR, errno,
@ -1812,7 +1801,7 @@ index 2258a683b7..dddfb25254 100644
}
if (connect(sd, (struct sockaddr *)server_addr, server_addr_len) < 0) {
/* Save errno for later */
@@ -1242,7 +1327,7 @@ static int connect_to_daemon(int *sdptr, request_rec *r,
@@ -1242,7 +1326,7 @@ static int connect_to_daemon(int *sdptr, request_rec *r,
}
else {
close(sd);
@ -1821,7 +1810,7 @@ index 2258a683b7..dddfb25254 100644
"unable to connect to cgi daemon after multiple tries");
}
}
@@ -1258,13 +1343,15 @@ static int connect_to_daemon(int *sdptr, request_rec *r,
@@ -1258,13 +1342,15 @@ static int connect_to_daemon(int *sdptr, request_rec *r,
if (connect_errno == ENOENT &&
apr_time_sec(apr_time_now() - ap_scoreboard_image->global->restart_time) >
DEFAULT_CONNECT_STARTUP_DELAY) {
@ -1840,7 +1829,7 @@ index 2258a683b7..dddfb25254 100644
"cgid daemon is gone; is Apache terminating?");
}
}
@@ -1272,23 +1359,6 @@ static int connect_to_daemon(int *sdptr, request_rec *r,
@@ -1272,23 +1358,6 @@ static int connect_to_daemon(int *sdptr, request_rec *r,
return OK;
}
@ -1864,7 +1853,7 @@ index 2258a683b7..dddfb25254 100644
/****************************************************************
*
* Actual cgid handling...
@@ -1374,7 +1444,9 @@ static apr_status_t get_cgi_pid(request_rec *r, cgid_server_conf *conf, pid_t *
@@ -1374,7 +1443,9 @@ static apr_status_t get_cgi_pid(request_rec *r, cgid_server_conf *conf, pid_t *
return stat;
}
@ -1875,7 +1864,7 @@ index 2258a683b7..dddfb25254 100644
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01261)
"daemon couldn't find CGI process for connection %lu",
r->connection->id);
@@ -1393,19 +1465,21 @@ static apr_status_t cleanup_script(void *vptr)
@@ -1393,19 +1464,21 @@ static apr_status_t cleanup_script(void *vptr)
static int cgid_handler(request_rec *r)
{
@ -1901,7 +1890,7 @@ index 2258a683b7..dddfb25254 100644
if (strcmp(r->handler, CGI_MAGIC_TYPE) && strcmp(r->handler, "cgi-script")) {
return DECLINED;
@@ -1414,7 +1488,7 @@ static int cgid_handler(request_rec *r)
@@ -1414,7 +1487,7 @@ static int cgid_handler(request_rec *r)
conf = ap_get_module_config(r->server->module_config, &cgid_module);
dc = ap_get_module_config(r->per_dir_config, &cgid_module);
@ -1910,7 +1899,7 @@ index 2258a683b7..dddfb25254 100644
is_included = !strcmp(r->protocol, "INCLUDED");
if ((argv0 = strrchr(r->filename, '/')) != NULL) {
@@ -1429,12 +1503,12 @@ static int cgid_handler(request_rec *r)
@@ -1429,12 +1502,12 @@ static int cgid_handler(request_rec *r)
argv0 = r->filename;
if (!(ap_allow_options(r) & OPT_EXECCGI) && !is_scriptaliased(r)) {
@ -1925,7 +1914,7 @@ index 2258a683b7..dddfb25254 100644
"attempt to include NPH CGI script");
}
@@ -1443,12 +1517,12 @@ static int cgid_handler(request_rec *r)
@@ -1443,12 +1516,12 @@ static int cgid_handler(request_rec *r)
#error at mod_cgi.c for required code in this path.
#else
if (r->finfo.filetype == APR_NOFILE) {
@ -1940,7 +1929,7 @@ index 2258a683b7..dddfb25254 100644
"attempt to invoke directory as script");
}
@@ -1456,7 +1530,7 @@ static int cgid_handler(request_rec *r)
@@ -1456,7 +1529,7 @@ static int cgid_handler(request_rec *r)
r->path_info && *r->path_info)
{
/* default to accept */
@ -1949,7 +1938,7 @@ index 2258a683b7..dddfb25254 100644
"AcceptPathInfo off disallows user's path");
}
/*
@@ -1467,6 +1541,17 @@ static int cgid_handler(request_rec *r)
@@ -1467,6 +1540,17 @@ static int cgid_handler(request_rec *r)
}
*/
@ -1967,7 +1956,7 @@ index 2258a683b7..dddfb25254 100644
/*
* httpd core function used to add common environment variables like
* DOCUMENT_ROOT.
@@ -1479,24 +1564,28 @@ static int cgid_handler(request_rec *r)
@@ -1479,24 +1563,28 @@ static int cgid_handler(request_rec *r)
return retval;
}
@ -2003,7 +1992,7 @@ index 2258a683b7..dddfb25254 100644
}
/* We are putting the socket discriptor into an apr_file_t so that we can
@@ -1506,95 +1595,25 @@ static int cgid_handler(request_rec *r)
@@ -1506,95 +1594,25 @@ static int cgid_handler(request_rec *r)
*/
apr_os_pipe_put_ex(&tempsock, &sd, 1, r->pool);
@ -2112,7 +2101,7 @@ index 2258a683b7..dddfb25254 100644
}
/* we're done writing, or maybe we didn't write at all;
@@ -1603,125 +1622,22 @@ static int cgid_handler(request_rec *r)
@@ -1603,134 +1621,22 @@ static int cgid_handler(request_rec *r)
*/
shutdown(sd, 1);
@ -2129,9 +2118,18 @@ index 2258a683b7..dddfb25254 100644
- b = apr_bucket_eos_create(c->bucket_alloc);
- APR_BRIGADE_INSERT_TAIL(bb, b);
-
- if ((ret = ap_scan_script_header_err_brigade_ex(r, bb, sbuf,
- APLOG_MODULE_INDEX)))
- {
- ret = ap_scan_script_header_err_brigade_ex(r, bb, sbuf,
- APLOG_MODULE_INDEX);
-
- /* xCGI has its own body framing mechanism which we don't
- * match against any provided Content-Length, so let the
- * core determine C-L vs T-E based on what's actually sent.
- */
- if (!apr_table_get(r->subprocess_env, AP_TRUST_CGILIKE_CL_ENVVAR))
- apr_table_unset(r->headers_out, "Content-Length");
- apr_table_unset(r->headers_out, "Transfer-Encoding");
-
- if (ret != OK) {
- ret = log_script(r, conf, ret, dbuf, sbuf, bb, NULL);
-
- /*
@ -2251,7 +2249,7 @@ index 2258a683b7..dddfb25254 100644
static apr_status_t include_cgi(include_ctx_t *ctx, ap_filter_t *f,
apr_bucket_brigade *bb, char *s)
{
@@ -1806,7 +1722,7 @@ static void add_ssi_vars(request_rec *r)
@@ -1815,7 +1721,7 @@ static void add_ssi_vars(request_rec *r)
}
static int include_cmd(include_ctx_t *ctx, ap_filter_t *f,
@ -2260,7 +2258,7 @@ index 2258a683b7..dddfb25254 100644
{
char **env;
int sd;
@@ -1827,7 +1743,7 @@ static int include_cmd(include_ctx_t *ctx, ap_filter_t *f,
@@ -1836,7 +1742,7 @@ static int include_cmd(include_ctx_t *ctx, ap_filter_t *f,
return retval;
}
@ -2269,7 +2267,7 @@ index 2258a683b7..dddfb25254 100644
info = apr_palloc(r->pool, sizeof(struct cleanup_script_info));
info->conf = conf;
@@ -1872,91 +1788,6 @@ static int include_cmd(include_ctx_t *ctx, ap_filter_t *f,
@@ -1881,91 +1787,6 @@ static int include_cmd(include_ctx_t *ctx, ap_filter_t *f,
return APR_SUCCESS;
}
@ -2361,7 +2359,7 @@ index 2258a683b7..dddfb25254 100644
static void register_hook(apr_pool_t *p)
{
static const char * const aszPre[] = { "mod_include.c", NULL };
@@ -1964,6 +1795,7 @@ static void register_hook(apr_pool_t *p)
@@ -1973,6 +1794,7 @@ static void register_hook(apr_pool_t *p)
ap_hook_pre_config(cgid_pre_config, NULL, NULL, APR_HOOK_MIDDLE);
ap_hook_post_config(cgid_init, aszPre, NULL, APR_HOOK_MIDDLE);
ap_hook_handler(cgid_handler, NULL, NULL, APR_HOOK_MIDDLE);
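Review bot: In the cgi_common.h hunk that replaces the old `if ((ret = ap_scan_script_header_err_brigade_ex(...)))` test, the added `if (!apr_table_get(r->subprocess_env, AP_TRUST_CGILIKE_CL_ENVVAR))` has no braces. Only the `Content-Length` unset is therefore conditional, and the `Transfer-Encoding` unset on the following line always runs. That appears consistent with the comment above it, but these lines decide which script-supplied framing headers reach the client, so the scope should not rest on indentation alone. I would write `if (!apr_table_get(r->subprocess_env, AP_TRUST_CGILIKE_CL_ENVVAR)) { apr_table_unset(r->headers_out, "Content-Length"); }` and leave the `Transfer-Encoding` line outside the braces; if the patch must stay identical to upstream, a one-line comment saying the second unset is deliberately unconditional would do. The patch header still holds only the pull-request URL, so it is also worth noting there that a script-provided Content-Length is now dropped unless that variable is set; the enclosing block starts and ends outside the hunk.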


@ -40,8 +40,8 @@ ModularityLabel: %{name}:raven:%{version}:%{release}
Summary: Apache HTTP Server
Name: httpd
Version: 2.4.58
Release: 2%{?dist}
Version: 2.4.59
Release: 1%{?dist}
URL: https://httpd.apache.org/
Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
Source1: index.html
@ -100,24 +100,23 @@ Patch21: httpd-2.4.48-r1842929+.patch
Patch22: httpd-2.4.43-mod_systemd.patch
Patch23: httpd-2.4.53-export.patch
Patch24: httpd-2.4.43-corelimit.patch
Patch25: httpd-2.4.54-selinux.patch
Patch26: httpd-2.4.43-gettid.patch
Patch26: httpd-2.4.59-gettid.patch
Patch27: httpd-2.4.43-icons.patch
Patch30: httpd-2.4.43-cachehardmax.patch
Patch31: httpd-2.4.43-sslmultiproxy.patch
Patch34: httpd-2.4.43-socket-activation.patch
Patch38: httpd-2.4.43-sslciphdefault.patch
Patch39: httpd-2.4.43-sslprotdefault.patch
Patch41: httpd-2.4.43-r1861793+.patch
Patch42: httpd-2.4.48-r1828172+.patch
Patch42: httpd-2.4.59-unifycgid.patch
Patch45: httpd-2.4.43-logjournal.patch
Patch46: httpd-2.4.54-separate-systemd-fns.patch
Patch49: httpd-2.4.54-selinux.patch
Patch50: httpd-2.4.58-r1912477+.patch
Patch51: httpd-2.4.58-r1914365.patch
# Bug fixes
# https://bugzilla.redhat.com/show_bug.cgi?id=1397243
Patch60: httpd-2.4.43-enable-sslv3.patch
Patch63: httpd-2.4.46-htcacheclean-dont-break.patch
Patch65: httpd-2.4.51-r1894152.patch
# Security fixes
@ -314,8 +313,7 @@ top of libnghttp2 for httpd 2.4 servers.
%patch22 -p1 -b .mod_systemd
%patch23 -p1 -b .export
%patch24 -p1 -b .corelimit
%patch25 -p1 -b .selinux
%if 0%{?rhel} > 8
%if 0%{?rhel} >= 8
# too new for el7
%patch26 -p1 -b .gettid
%endif
@ -325,14 +323,15 @@ top of libnghttp2 for httpd 2.4 servers.
%patch34 -p1 -b .socketactivation
%patch38 -p1 -b .sslciphdefault
%patch39 -p1 -b .sslprotdefault
%patch41 -p1 -b .r1861793+
%patch42 -p1 -b .r1828172+
%patch42 -p1 -b .unifycgid
%patch45 -p1 -b .logjournal
%patch46 -p1 -b .separatesystemd
%patch49 -p1 -b .selinux
%patch50 -p1 -b .r1912477
%patch51 -p1 -b .r1914365
%patch60 -p1 -b .enable-sslv3
%patch63 -p1 -b .htcacheclean
%patch65 -p1 -b .r1894152
#patch100 -p1 -b .cp-suexec
#patch101 -p1 -b .revert-systemd-linking
@ -917,6 +916,9 @@ exit $rv
%{_rpmconfigdir}/macros.d/macros.httpd
%changelog
* Mon Apr 8 2024 Raven <raven@sysadmins.ws> - 2.4.59-1
- update to 2.4.59
* Sat Nov 4 2023 Raven <raven@sysadmins.ws> - 2.4.58-2
- use OOMPolicy=continue for RHEL >= 9