From a0bd9ee321208aefd6cbc74c7d6bf7fd8534c3e9 Mon Sep 17 00:00:00 2001
From: Raven
Date: Tue, 9 Apr 2024 09:30:55 +0600
Subject: [PATCH] httpd: update to 2.4.59
---
 modular/httpd/httpd-2.4.43-r1861793+.patch | 271 -------------
 ...httpd-2.4.46-htcacheclean-dont-break.patch | 13 -
 modular/httpd/httpd-2.4.54-selinux.patch | 100 ++---
 modular/httpd/httpd-2.4.58-r1912477+.patch | 383 ++++++++++++++++++
 modular/httpd/httpd-2.4.58-r1914365.patch | 221 ++++++++++
 modular/httpd/httpd-2.4.59-gettid.patch | 14 +
 ...72+.patch => httpd-2.4.59-unifycgid.patch} | 290 +++++++------
 modular/httpd/httpd.spec | 30 +-
 8 files changed, 830 insertions(+), 492 deletions(-)
 delete mode 100644 modular/httpd/httpd-2.4.43-r1861793+.patch
 delete mode 100644 modular/httpd/httpd-2.4.46-htcacheclean-dont-break.patch
 create mode 100644 modular/httpd/httpd-2.4.58-r1912477+.patch
 create mode 100644 modular/httpd/httpd-2.4.58-r1914365.patch
 create mode 100644 modular/httpd/httpd-2.4.59-gettid.patch
 rename modular/httpd/{httpd-2.4.48-r1828172+.patch => httpd-2.4.59-unifycgid.patch} (91%)
diff --git a/modular/httpd/httpd-2.4.43-r1861793+.patch b/modular/httpd/httpd-2.4.43-r1861793+.patch
deleted file mode 100644
index 08e96cb..0000000
--- a/modular/httpd/httpd-2.4.43-r1861793+.patch
+++ /dev/null
@@ -1,271 +0,0 @@ -diff --git a/configure.in b/configure.in -index cb43246..0bb6b0d 100644 ---- httpd-2.4.43/configure.in.r1861793+ -+++ httpd-2.4.43/configure.in -@@ -465,6 +465,28 @@ - AC_SEARCH_LIBS(crypt, crypt) - CRYPT_LIBS="$LIBS" - APACHE_SUBST(CRYPT_LIBS) -+ -+if test "$ac_cv_search_crypt" != "no"; then -+ # Test crypt() with the SHA-512 test vector from https://akkadia.org/drepper/SHA-crypt.txt -+ AC_CACHE_CHECK([whether crypt() supports SHA-2], [ap_cv_crypt_sha2], [ -+ AC_RUN_IFELSE([AC_LANG_PROGRAM([[ -+#include -+#include -+#include -+ -+#define PASSWD_0 "Hello world!" -+#define SALT_0 "\$6\$saltstring" -+#define EXPECT_0 "\$6\$saltstring\$svn8UoSVapNtMuq1ukKS4tPQd8iKwSMHWjl/O817G3uBnIFNjnQJu" \ -+ "esI68u4OTLiBFdcbYEdFCoEOfaS35inz1" -+]], [char *result = crypt(PASSWD_0, SALT_0); -+ if (!result) return 1; -+ if (strcmp(result, EXPECT_0)) return 2; -+])], [ap_cv_crypt_sha2=yes], [ap_cv_crypt_sha2=no])]) -+ if test "$ap_cv_crypt_sha2" = yes; then -+ AC_DEFINE([HAVE_CRYPT_SHA2], 1, [Define if crypt() supports SHA-2 hashes]) -+ fi -+fi -+ - LIBS="$saved_LIBS" - - dnl See Comment #Spoon ---- httpd-2.4.43/docs/man/htpasswd.1.r1861793+ -+++ httpd-2.4.43/docs/man/htpasswd.1 -@@ -27,16 +27,16 @@ - .SH "SYNOPSIS" - - .PP --\fB\fBhtpasswd\fR [ -\fBc\fR ] [ -\fBi\fR ] [ -\fBm\fR | -\fBB\fR | -\fBd\fR | -\fBs\fR | -\fBp\fR ] [ -\fBC\fR \fIcost\fR ] [ -\fBD\fR ] [ -\fBv\fR ] \fIpasswdfile\fR \fIusername\fR\fR -+\fB\fBhtpasswd\fR [ -\fBc\fR ] [ -\fBi\fR ] [ -\fBm\fR | -\fBB\fR | -\fB2\fR | -\fB5\fR | -\fBd\fR | -\fBs\fR | -\fBp\fR ] [ -\fBr\fR \fIrounds\fR ] [ -\fBC\fR \fIcost\fR ] [ -\fBD\fR ] [ -\fBv\fR ] \fIpasswdfile\fR \fIusername\fR\fR - - .PP --\fB\fBhtpasswd\fR -\fBb\fR [ -\fBc\fR ] [ -\fBm\fR | -\fBB\fR | -\fBd\fR | -\fBs\fR | -\fBp\fR ] [ -\fBC\fR \fIcost\fR ] [ -\fBD\fR ] [ -\fBv\fR ] \fIpasswdfile\fR \fIusername\fR \fIpassword\fR\fR -+\fB\fBhtpasswd\fR -\fBb\fR [ -\fBc\fR ] [ -\fBm\fR | -\fBB\fR | -\fB2\fR | -\fB5\fR | -\fBd\fR | -\fBs\fR | -\fBp\fR ] [ 
-\fBr\fR \fIrounds\fR ] [ -\fBC\fR \fIcost\fR ] [ -\fBD\fR ] [ -\fBv\fR ] \fIpasswdfile\fR \fIusername\fR \fIpassword\fR\fR - - .PP --\fB\fBhtpasswd\fR -\fBn\fR [ -\fBi\fR ] [ -\fBm\fR | -\fBB\fR | -\fBd\fR | -\fBs\fR | -\fBp\fR ] [ -\fBC\fR \fIcost\fR ] \fIusername\fR\fR -+\fB\fBhtpasswd\fR -\fBn\fR [ -\fBi\fR ] [ -\fBm\fR | -\fBB\fR | -\fB2\fR | -\fB5\fR | -\fBd\fR | -\fBs\fR | -\fBp\fR ] [ -\fBr\fR \fIrounds\fR ] [ -\fBC\fR \fIcost\fR ] \fIusername\fR\fR - - .PP --\fB\fBhtpasswd\fR -\fBnb\fR [ -\fBm\fR | -\fBB\fR | -\fBd\fR | -\fBs\fR | -\fBp\fR ] [ -\fBC\fR \fIcost\fR ] \fIusername\fR \fIpassword\fR\fR -+\fB\fBhtpasswd\fR -\fBnb\fR [ -\fBm\fR | -\fBB\fR | -\fB2\fR | -\fB5\fR | -\fBd\fR | -\fBs\fR | -\fBp\fR ] [ -\fBr\fR \fIrounds\fR ] [ -\fBC\fR \fIcost\fR ] \fIusername\fR \fIpassword\fR\fR - - - .SH "SUMMARY" -@@ -48,7 +48,7 @@ - Resources available from the Apache HTTP server can be restricted to just the users listed in the files created by \fBhtpasswd\fR\&. This program can only manage usernames and passwords stored in a flat-file\&. It can encrypt and display password information for use in other types of data stores, though\&. To use a DBM database see dbmmanage or htdbm\&. - - .PP --\fBhtpasswd\fR encrypts passwords using either bcrypt, a version of MD5 modified for Apache, SHA1, or the system's \fBcrypt()\fR routine\&. Files managed by \fBhtpasswd\fR may contain a mixture of different encoding types of passwords; some user records may have bcrypt or MD5-encrypted passwords while others in the same file may have passwords encrypted with \fBcrypt()\fR\&. -+\fBhtpasswd\fR encrypts passwords using either bcrypt, a version of MD5 modified for Apache, SHA-1, or the system's \fBcrypt()\fR routine\&. SHA-2-based hashes (SHA-256 and SHA-512) are supported for \fBcrypt()\fR\&. 
Files managed by \fBhtpasswd\fR may contain a mixture of different encoding types of passwords; some user records may have bcrypt or MD5-encrypted passwords while others in the same file may have passwords encrypted with \fBcrypt()\fR\&. - - .PP - This manual page only lists the command line arguments\&. For details of the directives necessary to configure user authentication in httpd see the Apache manual, which is part of the Apache distribution or can be found at http://httpd\&.apache\&.org/\&. -@@ -73,17 +73,26 @@ - \fB-m\fR - Use MD5 encryption for passwords\&. This is the default (since version 2\&.2\&.18)\&. - .TP -+\fB-2\fR -+Use SHA-256 \fBcrypt()\fR based hashes for passwords\&. This is supported on most Unix platforms\&. -+.TP -+\fB-5\fR -+Use SHA-512 \fBcrypt()\fR based hashes for passwords\&. This is supported on most Unix platforms\&. -+.TP - \fB-B\fR - Use bcrypt encryption for passwords\&. This is currently considered to be very secure\&. - .TP - \fB-C\fR - This flag is only allowed in combination with \fB-B\fR (bcrypt encryption)\&. It sets the computing time used for the bcrypt algorithm (higher is more secure but slower, default: 5, valid: 4 to 17)\&. - .TP -+\fB-r\fR -+This flag is only allowed in combination with \fB-2\fR or \fB-5\fR\&. It sets the number of hash rounds used for the SHA-2 algorithms (higher is more secure but slower; the default is 5,000)\&. -+.TP - \fB-d\fR - Use \fBcrypt()\fR encryption for passwords\&. This is not supported by the httpd server on Windows and Netware\&. This algorithm limits the password length to 8 characters\&. This algorithm is \fBinsecure\fR by today's standards\&. It used to be the default algorithm until version 2\&.2\&.17\&. - .TP - \fB-s\fR --Use SHA encryption for passwords\&. Facilitates migration from/to Netscape servers using the LDAP Directory Interchange Format (ldif)\&. This algorithm is \fBinsecure\fR by today's standards\&. -+Use SHA-1 (160-bit) encryption for passwords\&. 
Facilitates migration from/to Netscape servers using the LDAP Directory Interchange Format (ldif)\&. This algorithm is \fBinsecure\fR by today's standards\&. - .TP - \fB-p\fR - Use plaintext passwords\&. Though \fBhtpasswd\fR will support creation on all platforms, the httpd daemon will only accept plain text passwords on Windows and Netware\&. -@@ -152,10 +161,13 @@ - When using the \fBcrypt()\fR algorithm, note that only the first 8 characters of the password are used to form the password\&. If the supplied password is longer, the extra characters will be silently discarded\&. - - .PP --The SHA encryption format does not use salting: for a given password, there is only one encrypted representation\&. The \fBcrypt()\fR and MD5 formats permute the representation by prepending a random salt string, to make dictionary attacks against the passwords more difficult\&. -+The SHA-1 encryption format does not use salting: for a given password, there is only one encrypted representation\&. The \fBcrypt()\fR and MD5 formats permute the representation by prepending a random salt string, to make dictionary attacks against the passwords more difficult\&. -+ -+.PP -+The SHA-1 and \fBcrypt()\fR formats are insecure by today's standards\&. - - .PP --The SHA and \fBcrypt()\fR formats are insecure by today's standards\&. -+The SHA-2-based \fBcrypt()\fR formats (SHA-256 and SHA-512) are supported on most modern Unix systems, and follow the specification at https://www\&.akkadia\&.org/drepper/SHA-crypt\&.txt\&. - - .SH "RESTRICTIONS" - ---- httpd-2.4.43/support/htpasswd.c.r1861793+ -+++ httpd-2.4.43/support/htpasswd.c -@@ -109,17 +109,21 @@ - "for it." NL - " -i Read password from stdin without verification (for script usage)." NL - " -m Force MD5 encryption of the password (default)." NL -- " -B Force bcrypt encryption of the password (very secure)." NL -+ " -2 Force SHA-256 crypt() hash of the password (very secure)." 
NL -+ " -5 Force SHA-512 crypt() hash of the password (very secure)." NL -+ " -B Force bcrypt encryption of the password (very secure)." NL - " -C Set the computing time used for the bcrypt algorithm" NL - " (higher is more secure but slower, default: %d, valid: 4 to 17)." NL -+ " -r Set the number of rounds used for the SHA-256, SHA-512 algorithms" NL -+ " (higher is more secure but slower, default: 5000)." NL - " -d Force CRYPT encryption of the password (8 chars max, insecure)." NL -- " -s Force SHA encryption of the password (insecure)." NL -+ " -s Force SHA-1 encryption of the password (insecure)." NL - " -p Do not encrypt the password (plaintext, insecure)." NL - " -D Delete the specified user." NL - " -v Verify password for the specified user." NL - "On other systems than Windows and NetWare the '-p' flag will " - "probably not work." NL -- "The SHA algorithm does not use a salt and is less secure than the " -+ "The SHA-1 algorithm does not use a salt and is less secure than the " - "MD5 algorithm." NL, - BCRYPT_DEFAULT_COST - ); -@@ -178,7 +182,7 @@ - if (rv != APR_SUCCESS) - exit(ERR_SYNTAX); - -- while ((rv = apr_getopt(state, "cnmspdBbDiC:v", &opt, &opt_arg)) == APR_SUCCESS) { -+ while ((rv = apr_getopt(state, "cnmspdBbDi25C:r:v", &opt, &opt_arg)) == APR_SUCCESS) { - switch (opt) { - case 'c': - *mask |= APHTP_NEWFILE; ---- httpd-2.4.43/support/passwd_common.c.r1861793+ -+++ httpd-2.4.43/support/passwd_common.c -@@ -179,16 +179,21 @@ - int mkhash(struct passwd_ctx *ctx) - { - char *pw; -- char salt[16]; -+ char salt[17]; - apr_status_t rv; - int ret = 0; - #if CRYPT_ALGO_SUPPORTED - char *cbuf; - #endif -+#ifdef HAVE_CRYPT_SHA2 -+ const char *setting; -+ char method; -+#endif - -- if (ctx->cost != 0 && ctx->alg != ALG_BCRYPT) { -+ if (ctx->cost != 0 && ctx->alg != ALG_BCRYPT -+ && ctx->alg != ALG_CRYPT_SHA256 && ctx->alg != ALG_CRYPT_SHA512 ) { - apr_file_printf(errfile, -- "Warning: Ignoring -C argument for this algorithm." 
NL); -+ "Warning: Ignoring -C/-r argument for this algorithm." NL); - } - - if (ctx->passwd == NULL) { -@@ -246,6 +251,34 @@ - break; - #endif /* CRYPT_ALGO_SUPPORTED */ - -+#ifdef HAVE_CRYPT_SHA2 -+ case ALG_CRYPT_SHA256: -+ case ALG_CRYPT_SHA512: -+ ret = generate_salt(salt, 16, &ctx->errstr, ctx->pool); -+ if (ret != 0) -+ break; -+ -+ method = ctx->alg == ALG_CRYPT_SHA256 ? '5': '6'; -+ -+ if (ctx->cost) -+ setting = apr_psprintf(ctx->pool, "$%c$rounds=%d$%s", -+ method, ctx->cost, salt); -+ else -+ setting = apr_psprintf(ctx->pool, "$%c$%s", -+ method, salt); -+ -+ cbuf = crypt(pw, setting); -+ if (cbuf == NULL) { -+ rv = APR_FROM_OS_ERROR(errno); -+ ctx->errstr = apr_psprintf(ctx->pool, "crypt() failed: %pm", &rv); -+ ret = ERR_PWMISMATCH; -+ break; -+ } -+ -+ apr_cpystrn(ctx->out, cbuf, ctx->out_len - 1); -+ break; -+#endif /* HAVE_CRYPT_SHA2 */ -+ - #if BCRYPT_ALGO_SUPPORTED - case ALG_BCRYPT: - rv = apr_generate_random_bytes((unsigned char*)salt, 16); -@@ -294,6 +327,19 @@ - case 's': - ctx->alg = ALG_APSHA; - break; -+#ifdef HAVE_CRYPT_SHA2 -+ case '2': -+ ctx->alg = ALG_CRYPT_SHA256; -+ break; -+ case '5': -+ ctx->alg = ALG_CRYPT_SHA512; -+ break; -+#else -+ case '2': -+ case '5': -+ ctx->errstr = "SHA-2 crypt() algorithms are not supported on this platform."; -+ return ERR_ALG_NOT_SUPP; -+#endif - case 'p': - ctx->alg = ALG_PLAIN; - #if !PLAIN_ALGO_SUPPORTED -@@ -324,11 +370,12 @@ - return ERR_ALG_NOT_SUPP; - #endif - break; -- case 'C': { -+ case 'C': -+ case 'r': { - char *endptr; - long num = strtol(opt_arg, &endptr, 10); - if (*endptr != '\0' || num <= 0) { -- ctx->errstr = "argument to -C must be a positive integer"; -+ ctx->errstr = "argument to -C/-r must be a positive integer"; - return ERR_SYNTAX; - } - ctx->cost = num; ---- httpd-2.4.43/support/passwd_common.h.r1861793+ -+++ httpd-2.4.43/support/passwd_common.h -@@ -28,6 +28,8 @@ - #include "apu_version.h" - #endif - -+#include "ap_config_auto.h" -+ - #define MAX_STRING_LEN 256 - - #define 
ALG_PLAIN 0 -@@ -35,6 +37,8 @@ - #define ALG_APMD5 2 - #define ALG_APSHA 3 - #define ALG_BCRYPT 4 -+#define ALG_CRYPT_SHA256 5 -+#define ALG_CRYPT_SHA512 6 - - #define BCRYPT_DEFAULT_COST 5 - -@@ -84,7 +88,7 @@ - apr_size_t out_len; - char *passwd; - int alg; -- int cost; -+ int cost; /* cost for bcrypt, rounds for SHA-2 */ - enum { - PW_PROMPT = 0, - PW_ARG, diff --git a/modular/httpd/httpd-2.4.46-htcacheclean-dont-break.patch b/modular/httpd/httpd-2.4.46-htcacheclean-dont-break.patch deleted file mode 100644 index e52318a..0000000 --- a/modular/httpd/httpd-2.4.46-htcacheclean-dont-break.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff --git a/support/htcacheclean.c b/support/htcacheclean.c -index 958ba6d..0a7fe3c 100644 ---- a/support/htcacheclean.c -+++ b/support/htcacheclean.c -@@ -557,8 +557,6 @@ static int list_urls(char *path, apr_pool_t *pool, apr_off_t round) - } - } - } -- -- break; - } - } - } diff --git a/modular/httpd/httpd-2.4.54-selinux.patch b/modular/httpd/httpd-2.4.54-selinux.patch index 3868b3b..661b983 100644 --- a/modular/httpd/httpd-2.4.54-selinux.patch +++ b/modular/httpd/httpd-2.4.54-selinux.patch @@ -1,24 +1,25 @@ + +Upstream-Status: in trunk not in 2.4.x + 
diff --git a/configure.in b/configure.in index 74015ca..8c0ee10 100644 ---- a/configure.in -+++ b/configure.in -@@ -508,6 +508,11 @@ getloadavg - dnl confirm that a void pointer is large enough to store a long integer - APACHE_CHECK_VOID_PTR_LEN - -+AC_CHECK_LIB(selinux, is_selinux_enabled, [ -+ AC_DEFINE(HAVE_SELINUX, 1, [Defined if SELinux is supported]) -+ APR_ADDTO(HTTPD_LIBS, [-lselinux]) -+]) -+ - AC_CACHE_CHECK([for gettid()], ac_cv_gettid, - [AC_TRY_RUN(#define _GNU_SOURCE - #include -diff --git a/server/core.c b/server/core.c -index a6fa2fb..cf4cba4 100644 ---- a/server/core.c -+++ b/server/core.c -@@ -65,6 +65,10 @@ +--- httpd-2.4.54/modules/arch/unix/config5.m4.selinux ++++ httpd-2.4.54/modules/arch/unix/config5.m4 +@@ -23,6 +23,11 @@ + AC_MSG_WARN([Your system does not support systemd.]) + enable_systemd="no" + else ++ AC_CHECK_LIB(selinux, is_selinux_enabled, [ ++ AC_DEFINE(HAVE_SELINUX, 1, [Defined if SELinux is supported]) ++ APR_ADDTO(MOD_SYSTEMD_LDADD, [-lselinux]) ++ ]) ++ + APR_ADDTO(MOD_SYSTEMD_LDADD, [$SYSTEMD_LIBS]) + fi + ]) +--- httpd-2.4.54/modules/arch/unix/mod_systemd.c.selinux ++++ httpd-2.4.54/modules/arch/unix/mod_systemd.c +@@ -35,6 +35,10 @@ #include #endif 
@@ -26,35 +27,38 @@ index a6fa2fb..cf4cba4 100644 +#include +#endif + - /* LimitRequestBody handling */ - #define AP_LIMIT_REQ_BODY_UNSET ((apr_off_t) -1) - #define AP_DEFAULT_LIMIT_REQ_BODY ((apr_off_t) 1<<30) /* 1GB */ -@@ -5150,6 +5154,28 @@ static int core_post_config(apr_pool_t *pconf, apr_pool_t *plog, apr_pool_t *pte - } - #endif + APR_DECLARE_OPTIONAL_FN(int, + ap_find_systemd_socket, (process_rec *, apr_port_t)); -+#ifdef HAVE_SELINUX -+ { -+ static int already_warned = 0; -+ int is_enabled = is_selinux_enabled() > 0; -+ -+ if (is_enabled && !already_warned) { -+ security_context_t con; -+ -+ if (getcon(&con) == 0) { -+ -+ ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, NULL, -+ "SELinux policy enabled; " -+ "httpd running as context %s", con); -+ -+ already_warned = 1; -+ -+ freecon(con); -+ } -+ } -+ } -+#endif -+ - return OK; +@@ -70,6 +74,20 @@ + return apr_psprintf(p, "%s port %u", addr, sa->port); } ++#ifdef HAVE_SELINUX ++static void log_selinux_context(void) ++{ ++ char *con; ++ ++ if (is_selinux_enabled() && getcon(&con) == 0) { ++ ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, NULL, ++ "SELinux policy enabled; " ++ "httpd running as context %s", con); ++ freecon(con); ++ } ++} ++#endif ++ + /* Report the service is ready in post_config, which could be during + * startup or after a reload. The server could still hit a fatal + * startup error after this point during ap_run_mpm(), so this is +@@ -87,6 +105,10 @@ + if (ap_state_query(AP_SQ_MAIN_STATE) == AP_SQ_MS_CREATE_PRE_CONFIG) + return OK; + ++#ifdef HAVE_SELINUX ++ log_selinux_context(); ++#endif ++ + for (lr = ap_listeners; lr; lr = lr->next) { + char *s = dump_listener(lr, ptemp); + diff --git a/modular/httpd/httpd-2.4.58-r1912477+.patch b/modular/httpd/httpd-2.4.58-r1912477+.patch new file mode 100644 index 0000000..eb3deff --- /dev/null +++ b/modular/httpd/httpd-2.4.58-r1912477+.patch 
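Review bot: `log_selinux_context()` tests `is_selinux_enabled()` for plain truthiness, whereas the code this patch replaces compared it with `> 0`; libselinux has documented a -1 error return for that call, and a negative value would now pass the check and go on to `getcon()`. Restoring the comparison keeps the earlier behaviour: `if (is_selinux_enabled() > 0 && getcon(&con) == 0) {`. The helper also drops the `already_warned` guard, so the NOTICE line is presumably written on every post_config pass after the first, reloads included; a short comment above the helper saying whether that is intended would help the next packager. The post_config function that calls the helper starts and ends outside the hunk.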
@@ -0,0 +1,383 @@ +# ./pullrev.sh 1912477 1912571 1912718 1913654 1914438 +http://svn.apache.org/viewvc?view=revision&revision=1912477 +http://svn.apache.org/viewvc?view=revision&revision=1912571 +http://svn.apache.org/viewvc?view=revision&revision=1912718 +http://svn.apache.org/viewvc?view=revision&revision=1913654 +http://svn.apache.org/viewvc?view=revision&revision=1914438 + +Upstream-Status: in trunk, not proposed for 2.4.x + +--- httpd-2.4.58/modules/dav/fs/config6.m4.r1912477+ ++++ httpd-2.4.58/modules/dav/fs/config6.m4 +@@ -20,4 +20,10 @@ + + APACHE_MODULE(dav_fs, DAV provider for the filesystem. --enable-dav also enables mod_dav_fs., $dav_fs_objects, , $dav_fs_enable,,dav) + ++if test "x$enable_dav_fs" = "xshared"; then ++ # The only symbol which needs to be exported is the module ++ # structure, so ask libtool to hide everything else: ++ APR_ADDTO(MOD_DAV_FS_LDADD, [-export-symbols-regex dav_fs_module]) ++fi ++ + APACHE_MODPATH_FINISH +--- httpd-2.4.58/modules/dav/fs/dbm.c.r1912477+ ++++ httpd-2.4.58/modules/dav/fs/dbm.c +@@ -47,6 +47,10 @@ + #include "http_log.h" + #include "http_main.h" /* for ap_server_conf */ + ++#ifndef DEFAULT_PROPDB_DBM_TYPE ++#define DEFAULT_PROPDB_DBM_TYPE "default" ++#endif ++ + APLOG_USE_MODULE(dav_fs); + + struct dav_db { +@@ -100,7 +104,7 @@ + /* There might not be a if we had problems creating it. */ + if (db == NULL) { + errcode = 1; +- errstr = "Could not open property database."; ++ errstr = "Could not open database."; + if (APR_STATUS_IS_EDSOOPEN(status)) + ap_log_error(APLOG_MARK, APLOG_CRIT, status, ap_server_conf, APLOGNO(00576) + "The DBM driver could not be loaded"); +@@ -129,10 +133,10 @@ + /* dav_dbm_open_direct: Opens a *dbm database specified by path. + * ro = boolean read-only flag. 
+ */ +-dav_error * dav_dbm_open_direct(apr_pool_t *p, const char *pathname, int ro, +- dav_db **pdb) ++dav_error * dav_dbm_open_direct(apr_pool_t *p, const char *pathname, ++ const char *dbmtype, int ro, dav_db **pdb) + { +-#if APU_MAJOR_VERSION > 1 || (APU_MAJOR_VERSION == 1 && APU_MINOR_VERSION >= 7) ++#if APR_MAJOR_VERSION > 1 || (APU_MAJOR_VERSION == 1 && APU_MINOR_VERSION >= 7) + const apr_dbm_driver_t *driver; + const apu_err_t *err; + #endif +@@ -141,13 +145,13 @@ + + *pdb = NULL; + +-#if APU_MAJOR_VERSION > 1 || (APU_MAJOR_VERSION == 1 && APU_MINOR_VERSION >= 7) +- if ((status = apr_dbm_get_driver(&driver, NULL, &err, p)) != APR_SUCCESS) { ++#if APR_MAJOR_VERSION > 1 || (APU_MAJOR_VERSION == 1 && APU_MINOR_VERSION >= 7) ++ if ((status = apr_dbm_get_driver(&driver, dbmtype, &err, p)) != APR_SUCCESS) { + ap_log_error(APLOG_MARK, APLOG_ERR, status, ap_server_conf, APLOGNO(10289) +- "mod_dav_fs: The DBM library '%s' could not be loaded: %s", +- err->reason, err->msg); ++ "mod_dav_fs: The DBM library '%s' for '%s' could not be loaded: %s", ++ err->reason, dbmtype, err->msg); + return dav_new_error(p, HTTP_INTERNAL_SERVER_ERROR, 1, status, +- "Could not load library for property database."); ++ "Could not load library for database."); + } + if ((status = apr_dbm_open2(&file, driver, pathname, + ro ? APR_DBM_READONLY : APR_DBM_RWCREATE, +@@ -156,7 +160,7 @@ + return dav_fs_dbm_error(NULL, p, status); + } + #else +- if ((status = apr_dbm_open(&file, pathname, ++ if ((status = apr_dbm_open_ex(&file, dbmtype, pathname, + ro ? APR_DBM_READONLY : APR_DBM_RWCREATE, + APR_OS_DEFAULT, p)) + != APR_SUCCESS +@@ -206,7 +210,7 @@ + + /* ### do we need to deal with the umask? 
*/ + +- return dav_dbm_open_direct(p, pathname, ro, pdb); ++ return dav_dbm_open_direct(p, pathname, DEFAULT_PROPDB_DBM_TYPE, ro, pdb); + } + + void dav_dbm_close(dav_db *db) +--- httpd-2.4.58/modules/dav/fs/lock.c.r1912477+ ++++ httpd-2.4.58/modules/dav/fs/lock.c +@@ -181,8 +181,7 @@ + { + request_rec *r; /* for accessing the uuid state */ + apr_pool_t *pool; /* a pool to use */ +- const char *lockdb_path; /* where is the lock database? */ +- ++ const dav_fs_server_conf *conf; /* lock database config & metadata */ + int opened; /* we opened the database */ + dav_db *db; /* if non-NULL, the lock database */ + }; +@@ -292,6 +291,19 @@ + return dav_compare_locktoken(lt1, lt2); + } + ++static apr_status_t dav_fs_lockdb_cleanup(void *data) ++{ ++ dav_lockdb *lockdb = data; ++ ++ apr_global_mutex_unlock(lockdb->info->conf->lockdb_mutex); ++ ++ if (lockdb->info->db) { ++ dav_dbm_close(lockdb->info->db); ++ } ++ ++ return APR_SUCCESS; ++} ++ + /* + ** dav_fs_really_open_lockdb: + ** +@@ -300,15 +312,27 @@ + static dav_error * dav_fs_really_open_lockdb(dav_lockdb *lockdb) + { + dav_error *err; ++ apr_status_t rv; + + if (lockdb->info->opened) + return NULL; + ++ rv = apr_global_mutex_lock(lockdb->info->conf->lockdb_mutex); ++ if (rv) { ++ return dav_new_error(lockdb->info->pool, ++ HTTP_INTERNAL_SERVER_ERROR, ++ DAV_ERR_LOCK_OPENDB, rv, ++ "Could not lock mutex for lock database."); ++ } ++ + err = dav_dbm_open_direct(lockdb->info->pool, +- lockdb->info->lockdb_path, ++ lockdb->info->conf->lockdb_path, ++ lockdb->info->conf->lockdb_type, + lockdb->ro, + &lockdb->info->db); + if (err != NULL) { ++ apr_global_mutex_unlock(lockdb->info->conf->lockdb_mutex); ++ + return dav_push_error(lockdb->info->pool, + HTTP_INTERNAL_SERVER_ERROR, + DAV_ERR_LOCK_OPENDB, +@@ -316,6 +340,10 @@ + err); + } + ++ apr_pool_cleanup_register(lockdb->info->pool, lockdb, ++ dav_fs_lockdb_cleanup, ++ dav_fs_lockdb_cleanup); ++ + /* all right. it is opened now. 
*/ + lockdb->info->opened = 1; + +@@ -341,9 +369,9 @@ + comb->pub.info = &comb->priv; + comb->priv.r = r; + comb->priv.pool = r->pool; +- +- comb->priv.lockdb_path = dav_get_lockdb_path(r); +- if (comb->priv.lockdb_path == NULL) { ++ comb->priv.conf = dav_fs_get_server_conf(r); ++ ++ if (comb->priv.conf == NULL || comb->priv.conf->lockdb_path == NULL) { + return dav_new_error(r->pool, HTTP_INTERNAL_SERVER_ERROR, + DAV_ERR_LOCK_NO_DB, 0, + "A lock database was not specified with the " +@@ -369,8 +397,8 @@ + */ + static void dav_fs_close_lockdb(dav_lockdb *lockdb) + { +- if (lockdb->info->db != NULL) +- dav_dbm_close(lockdb->info->db); ++ apr_pool_cleanup_run(lockdb->info->pool, lockdb, ++ dav_fs_lockdb_cleanup); + } + + /* +--- httpd-2.4.58/modules/dav/fs/mod_dav_fs.c.r1912477+ ++++ httpd-2.4.58/modules/dav/fs/mod_dav_fs.c +@@ -14,31 +14,35 @@ + * limitations under the License. + */ + ++#if !defined(_MSC_VER) && !defined(NETWARE) ++#include "ap_config_auto.h" ++#endif ++ + #include "httpd.h" + #include "http_config.h" ++#include "http_core.h" ++#include "http_log.h" + #include "apr_strings.h" + + #include "mod_dav.h" + #include "repos.h" + +-/* per-server configuration */ +-typedef struct { +- const char *lockdb_path; +- +-} dav_fs_server_conf; +- + extern module AP_MODULE_DECLARE_DATA dav_fs_module; + + #ifndef DEFAULT_DAV_LOCKDB + #define DEFAULT_DAV_LOCKDB "davlockdb" + #endif ++#ifndef DEFAULT_DAV_LOCKDB_TYPE ++#define DEFAULT_DAV_LOCKDB_TYPE "default" ++#endif + +-const char *dav_get_lockdb_path(const request_rec *r) +-{ +- dav_fs_server_conf *conf; ++static const char dav_fs_mutexid[] = "dav_fs-lockdb"; + +- conf = ap_get_module_config(r->server->module_config, &dav_fs_module); +- return conf->lockdb_path; ++static apr_global_mutex_t *dav_fs_lockdb_mutex; ++ ++const dav_fs_server_conf *dav_fs_get_server_conf(const request_rec *r) ++{ ++ return ap_get_module_config(r->server->module_config, &dav_fs_module); + } + + static void 
*dav_fs_create_server_config(apr_pool_t *p, server_rec *s) +@@ -57,15 +61,50 @@ + + newconf->lockdb_path = + child->lockdb_path ? child->lockdb_path : parent->lockdb_path; ++ newconf->lockdb_type = ++ child->lockdb_type ? child->lockdb_type : parent->lockdb_type; + + return newconf; + } + ++static int dav_fs_pre_config(apr_pool_t *pconf, apr_pool_t *plog, apr_pool_t *ptemp) ++{ ++ if (ap_mutex_register(pconf, dav_fs_mutexid, NULL, APR_LOCK_DEFAULT, 0)) ++ return !OK; ++ return OK; ++} ++ ++static void dav_fs_child_init(apr_pool_t *p, server_rec *s) ++{ ++ apr_status_t rv; ++ ++ rv = apr_global_mutex_child_init(&dav_fs_lockdb_mutex, ++ apr_global_mutex_lockfile(dav_fs_lockdb_mutex), ++ p); ++ if (rv) { ++ ap_log_error(APLOG_MARK, APLOG_ERR, rv, s, ++ APLOGNO(10488) "child init failed for mutex"); ++ } ++} ++ + static apr_status_t dav_fs_post_config(apr_pool_t *p, apr_pool_t *plog, + apr_pool_t *ptemp, server_rec *base_server) + { + server_rec *s; ++ apr_status_t rv; + ++ /* Ignore first pass through the config. */ ++ if (ap_state_query(AP_SQ_MAIN_STATE) == AP_SQ_MS_CREATE_PRE_CONFIG) ++ return OK; ++ ++ rv = ap_global_mutex_create(&dav_fs_lockdb_mutex, NULL, dav_fs_mutexid, NULL, ++ base_server, p, 0); ++ if (rv) { ++ ap_log_error(APLOG_MARK, APLOG_ERR, rv, base_server, ++ APLOGNO(10489) "could not create lock mutex"); ++ return !OK; ++ } ++ + for (s = base_server; s; s = s->next) { + dav_fs_server_conf *conf; + +@@ -74,6 +113,13 @@ + if (!conf->lockdb_path) { + conf->lockdb_path = ap_state_dir_relative(p, DEFAULT_DAV_LOCKDB); + } ++ if (!conf->lockdb_type) { ++ conf->lockdb_type = DEFAULT_DAV_LOCKDB_TYPE; ++ } ++ ++ /* Mutex is common across all vhosts, but could have one per ++ * vhost if required. 
*/ ++ conf->lockdb_mutex = dav_fs_lockdb_mutex; + } + + return OK; +@@ -98,19 +144,36 @@ + return NULL; + } + ++/* ++ * Command handler for the DAVLockDBType directive, which is TAKE1 ++ */ ++static const char *dav_fs_cmd_davlockdbtype(cmd_parms *cmd, void *config, ++ const char *arg1) ++{ ++ dav_fs_server_conf *conf = ap_get_module_config(cmd->server->module_config, ++ &dav_fs_module); ++ conf->lockdb_type = arg1; ++ ++ return NULL; ++} ++ + static const command_rec dav_fs_cmds[] = + { + /* per server */ + AP_INIT_TAKE1("DAVLockDB", dav_fs_cmd_davlockdb, NULL, RSRC_CONF, + "specify a lock database"), ++ AP_INIT_TAKE1("DAVLockDBType", dav_fs_cmd_davlockdbtype, NULL, RSRC_CONF, ++ "specify a lock database DBM type"), + + { NULL } + }; + + static void register_hooks(apr_pool_t *p) + { ++ ap_hook_pre_config(dav_fs_pre_config, NULL, NULL, APR_HOOK_MIDDLE); + ap_hook_post_config(dav_fs_post_config, NULL, NULL, APR_HOOK_MIDDLE); +- ++ ap_hook_child_init(dav_fs_child_init, NULL, NULL, APR_HOOK_MIDDLE); ++ + dav_hook_gather_propsets(dav_fs_gather_propsets, NULL, NULL, + APR_HOOK_MIDDLE); + dav_hook_find_liveprop(dav_fs_find_liveprop, NULL, NULL, APR_HOOK_MIDDLE); +--- httpd-2.4.58/modules/dav/fs/repos.h.r1912477+ ++++ httpd-2.4.58/modules/dav/fs/repos.h +@@ -25,6 +25,8 @@ + #ifndef _DAV_FS_REPOS_H_ + #define _DAV_FS_REPOS_H_ + ++#include "util_mutex.h" ++ + /* the subdirectory to hold all DAV-related information for a directory */ + #define DAV_FS_STATE_DIR ".DAV" + #define DAV_FS_STATE_FILE_FOR_DIR ".state_for_dir" +@@ -53,8 +55,8 @@ + /* DBM functions used by the repository and locking providers */ + extern const dav_hooks_db dav_hooks_db_dbm; + +-dav_error * dav_dbm_open_direct(apr_pool_t *p, const char *pathname, int ro, +- dav_db **pdb); ++dav_error * dav_dbm_open_direct(apr_pool_t *p, const char *pathname, ++ const char *dbmtype, int ro, dav_db **pdb); + void dav_dbm_get_statefiles(apr_pool_t *p, const char *fname, + const char **state1, const char **state2); + 
dav_error * dav_dbm_delete(dav_db *db, apr_datum_t key); +@@ -64,8 +66,15 @@ + int dav_dbm_exists(dav_db *db, apr_datum_t key); + void dav_dbm_close(dav_db *db); + +-/* where is the lock database located? */ +-const char *dav_get_lockdb_path(const request_rec *r); ++/* Per-server configuration. */ ++typedef struct { ++ const char *lockdb_path; ++ const char *lockdb_type; ++ apr_global_mutex_t *lockdb_mutex; ++} dav_fs_server_conf; ++ ++/* Returns server configuration for the request. */ ++const dav_fs_server_conf *dav_fs_get_server_conf(const request_rec *r); + + const dav_hooks_locks *dav_fs_get_lock_hooks(request_rec *r); + const dav_hooks_propdb *dav_fs_get_propdb_hooks(request_rec *r); diff --git a/modular/httpd/httpd-2.4.58-r1914365.patch b/modular/httpd/httpd-2.4.58-r1914365.patch new file mode 100644 index 0000000..8512de3 --- /dev/null +++ b/modular/httpd/httpd-2.4.58-r1914365.patch 
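Review bot: `dav_fs_close_lockdb()` now calls `apr_pool_cleanup_run()` unconditionally, but `dav_fs_lockdb_cleanup` is registered, and the global mutex taken, only inside `dav_fs_really_open_lockdb()`; `apr_pool_cleanup_run()` invokes the function whether or not it was registered, so if any caller closes a lockdb that was never really opened, the cleanup would unlock a mutex this process does not hold. Guarding the call on the existing flag avoids that: `if (lockdb->info->opened) apr_pool_cleanup_run(lockdb->info->pool, lockdb, dav_fs_lockdb_cleanup);`. Separately, the cleanup releases the mutex before `dav_dbm_close()`, which leaves a window in which another process can open the DBM file while this handle is still open; closing first and unlocking second looks safer, assuming the DBM backend flushes on close. `dav_fs_child_init()` only logs when `apr_global_mutex_child_init()` fails, so a comment stating what later lock requests in that child will do would be useful, and the ignored return value of `apr_global_mutex_unlock()` in the cleanup deserves at least a log line.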
@@ -0,0 +1,221 @@ +# ./pullrev.sh 1914365 +http://svn.apache.org/viewvc?view=revision&revision=1914365 + +Upstream-Status: in trunk, not proposed for 2.4.x + +--- httpd-2.4.58/modules/ssl/ssl_engine_init.c.r1914365 ++++ httpd-2.4.58/modules/ssl/ssl_engine_init.c +@@ -1421,8 +1421,10 @@ + if (cert) { + if (SSL_CTX_use_certificate(mctx->ssl_ctx, cert) < 1) { + ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(10137) +- "Failed to configure engine certificate %s, check %s", +- key_id, certfile); ++ "Failed to configure certificate %s from %s, check %s", ++ key_id, mc->szCryptoDevice ? ++ mc->szCryptoDevice : "provider", ++ certfile); + ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s); + return APR_EGENERAL; + } +@@ -1433,8 +1435,9 @@ + + if (SSL_CTX_use_PrivateKey(mctx->ssl_ctx, pkey) < 1) { + ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(10130) +- "Failed to configure private key %s from engine", +- keyfile); ++ "Failed to configure private key %s from %s", ++ keyfile, mc->szCryptoDevice ? ++ mc->szCryptoDevice : "provider"); + ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s); + return APR_EGENERAL; + } +--- httpd-2.4.58/modules/ssl/ssl_engine_pphrase.c.r1914365 ++++ httpd-2.4.58/modules/ssl/ssl_engine_pphrase.c +@@ -31,6 +31,9 @@ + #include "ssl_private.h" + + #include ++#if MODSSL_HAVE_OPENSSL_STORE ++#include ++#endif + + typedef struct { + server_rec *s; +@@ -608,7 +611,7 @@ + return (len); + } + +-#if MODSSL_HAVE_ENGINE_API ++#if MODSSL_HAVE_ENGINE_API || MODSSL_HAVE_OPENSSL_STORE + + /* OpenSSL UI implementation for passphrase entry; largely duplicated + * from ssl_pphrase_Handle_CB but adjusted for UI API. 
TODO: Might be +@@ -826,13 +829,14 @@ + } + #endif + +- +-apr_status_t modssl_load_engine_keypair(server_rec *s, apr_pool_t *p, ++#if MODSSL_HAVE_ENGINE_API ++static apr_status_t modssl_load_keypair_engine(server_rec *s, apr_pool_t *p, + const char *vhostid, +- const char *certid, const char *keyid, +- X509 **pubkey, EVP_PKEY **privkey) ++ const char *certid, ++ const char *keyid, ++ X509 **pubkey, ++ EVP_PKEY **privkey) + { +-#if MODSSL_HAVE_ENGINE_API + const char *c, *scheme; + ENGINE *e; + UI_METHOD *ui_method = get_passphrase_ui(p); +@@ -906,6 +910,118 @@ + ENGINE_free(e); + + return APR_SUCCESS; ++} ++#endif ++ ++#if MODSSL_HAVE_OPENSSL_STORE ++static OSSL_STORE_INFO *modssl_load_store_uri(server_rec *s, apr_pool_t *p, ++ const char *vhostid, ++ const char *uri, int info_type) ++{ ++ OSSL_STORE_CTX *sctx; ++ UI_METHOD *ui_method = get_passphrase_ui(p); ++ pphrase_cb_arg_t ppcb; ++ OSSL_STORE_INFO *info = NULL; ++ ++ memset(&ppcb, 0, sizeof ppcb); ++ ppcb.s = s; ++ ppcb.p = p; ++ ppcb.bPassPhraseDialogOnce = TRUE; ++ ppcb.key_id = vhostid; ++ ppcb.pkey_file = uri; ++ ++ sctx = OSSL_STORE_open(uri, ui_method, &ppcb, NULL, NULL); ++ if (!sctx) { ++ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(10491) ++ "Init: OSSL_STORE_open failed for PKCS#11 URI `%s'", ++ uri); ++ return NULL; ++ } ++ ++ while (!OSSL_STORE_eof(sctx)) { ++ info = OSSL_STORE_load(sctx); ++ if (!info) ++ break; ++ ++ if (OSSL_STORE_INFO_get_type(info) == info_type) ++ break; ++ ++ OSSL_STORE_INFO_free(info); ++ info = NULL; ++ } ++ ++ OSSL_STORE_close(sctx); ++ ++ return info; ++} ++ ++static apr_status_t modssl_load_keypair_store(server_rec *s, apr_pool_t *p, ++ const char *vhostid, ++ const char *certid, ++ const char *keyid, ++ X509 **pubkey, ++ EVP_PKEY **privkey) ++{ ++ OSSL_STORE_INFO *info = NULL; ++ ++ *privkey = NULL; ++ *pubkey = NULL; ++ ++ info = modssl_load_store_uri(s, p, vhostid, keyid, OSSL_STORE_INFO_PKEY); ++ if (!info) { ++ ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, 
APLOGNO(10492) ++ "Init: OSSL_STORE_INFO_PKEY lookup failed for private key identifier `%s'", ++ keyid); ++ return ssl_die(s); ++ } ++ ++ *privkey = OSSL_STORE_INFO_get1_PKEY(info); ++ OSSL_STORE_INFO_free(info); ++ if (!*privkey) { ++ ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(10493) ++ "Init: OSSL_STORE_INFO_PKEY lookup failed for private key identifier `%s'", ++ keyid); ++ return ssl_die(s); ++ } ++ ++ if (certid) { ++ info = modssl_load_store_uri(s, p, vhostid, certid, OSSL_STORE_INFO_CERT); ++ if (!info) { ++ ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(10494) ++ "Init: OSSL_STORE_INFO_CERT lookup failed for certificate identifier `%s'", ++ keyid); ++ return ssl_die(s); ++ } ++ ++ *pubkey = OSSL_STORE_INFO_get1_CERT(info); ++ OSSL_STORE_INFO_free(info); ++ if (!*pubkey) { ++ ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(10495) ++ "Init: OSSL_STORE_INFO_CERT lookup failed for certificate identifier `%s'", ++ certid); ++ return ssl_die(s); ++ } ++ } ++ ++ return APR_SUCCESS; ++} ++#endif ++ ++apr_status_t modssl_load_engine_keypair(server_rec *s, apr_pool_t *p, ++ const char *vhostid, ++ const char *certid, const char *keyid, ++ X509 **pubkey, EVP_PKEY **privkey) ++{ ++#if MODSSL_HAVE_OPENSSL_STORE ++ SSLModConfigRec *mc = myModConfig(s); ++ ++ if (!mc->szCryptoDevice) ++ return modssl_load_keypair_store(s, p, vhostid, certid, keyid, ++ pubkey, privkey); ++#endif ++#if MODSSL_HAVE_ENGINE_API ++ return modssl_load_keypair_engine(s, p, vhostid, certid, keyid, ++ pubkey, privkey); + #else + return APR_ENOTIMPL; + #endif +--- httpd-2.4.58/modules/ssl/ssl_private.h.r1914365 ++++ httpd-2.4.58/modules/ssl/ssl_private.h +@@ -118,6 +118,15 @@ + #define MODSSL_HAVE_ENGINE_API 0 + #endif + ++/* Use OpenSSL 3.x STORE for loading URI keys and certificates starting with ++ * OpenSSL 3.0 ++ */ ++#if OPENSSL_VERSION_NUMBER >= 0x30000000 ++#define MODSSL_HAVE_OPENSSL_STORE 1 ++#else ++#define MODSSL_HAVE_OPENSSL_STORE 0 ++#endif ++ + #if 
(OPENSSL_VERSION_NUMBER < 0x0090801f) + #error mod_ssl requires OpenSSL 0.9.8a or later + #endif +--- httpd-2.4.58/modules/ssl/ssl_util.c.r1914365 ++++ httpd-2.4.58/modules/ssl/ssl_util.c +@@ -476,7 +476,7 @@ + + int modssl_is_engine_id(const char *name) + { +-#if MODSSL_HAVE_ENGINE_API ++#if MODSSL_HAVE_ENGINE_API || MODSSL_HAVE_OPENSSL_STORE + /* ### Can handle any other special ENGINE key names here? */ + return strncmp(name, "pkcs11:", 7) == 0; + #else diff --git a/modular/httpd/httpd-2.4.59-gettid.patch b/modular/httpd/httpd-2.4.59-gettid.patch new file mode 100644 index 0000000..4857e37 --- /dev/null +++ b/modular/httpd/httpd-2.4.59-gettid.patch @@ -0,0 +1,14 @@ + +Upstream-Status: not pushed upstream + +--- httpd-2.4.54/server/log.c.gettid ++++ httpd-2.4.54/server/log.c +@@ -968,7 +972,7 @@ + #if APR_HAS_THREADS + field_start = len; + len += cpystrn(buf + len, ":tid ", buflen - len); +- item_len = log_tid(info, NULL, buf + len, buflen - len); ++ item_len = log_tid(info, "g", buf + len, buflen - len); + if (!item_len) + len = field_start; + else diff --git a/modular/httpd/httpd-2.4.48-r1828172+.patch b/modular/httpd/httpd-2.4.59-unifycgid.patch similarity index 91% rename from modular/httpd/httpd-2.4.48-r1828172+.patch rename to modular/httpd/httpd-2.4.59-unifycgid.patch index 37f1855..54216e0 100644 --- a/modular/httpd/httpd-2.4.48-r1828172+.patch +++ b/modular/httpd/httpd-2.4.59-unifycgid.patch 
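Review bot: In `modssl_load_keypair_store()` (the ssl_engine_pphrase.c part of the r1914365 patch), the APLOGNO(10494) message for a failed certificate lookup prints `keyid`, although the lookup that failed used `certid`. The error log therefore names the wrong URI; the argument should be `certid);`, as in the APLOGNO(10495) call below it. Both certificate failure paths also return through `ssl_die(s)` while `*privkey` still holds the reference taken by `OSSL_STORE_INFO_get1_PKEY()`. If `ssl_die()` can return here, adding `EVP_PKEY_free(*privkey); *privkey = NULL;` before each of those returns would avoid handing a half-filled pair back to the caller. APLOGNO(10492) and APLOGNO(10493) also carry identical text for two different failures, so the log cannot tell a failed store lookup from a failed key extraction.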
@@ -1,12 +1,41 @@ https://github.com/apache/httpd/pull/209 +diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml +index ddacd4af19..6d4379d165 100644 +--- a/.github/workflows/linux.yml ++++ b/.github/workflows/linux.yml +@@ -48,11 +48,11 @@ jobs: + - name: Shared MPMs, all-modules + config: --enable-mods-shared=reallyall --enable-mpms-shared=all + # ------------------------------------------------------------------------- +- - name: Event MPM, all-modules, mod_cgid only +- config: --enable-mods-shared=reallyall --with-mpm=event --disable-cgi ++ - name: Event MPM, all-modules, mod_cgid fdpassing ++ config: --enable-mods-shared=reallyall --with-mpm=event --disable-cgi --enable-cgid-fdpassing + # ------------------------------------------------------------------------- +- - name: Event MPM, all-modules, no CMSG_DATA +- config: --enable-mods-shared=reallyall --with-mpm=event ac_cv_have_decl_CMSG_DATA=no ++ - name: Event MPM, all-modules, mod_cgid w/o fdpassing ++ config: --enable-mods-shared=reallyall --with-mpm=event --disable-cgi + # ------------------------------------------------------------------------- + - name: Default, all-modules + install + config: --enable-mods-shared=reallyall +diff --git a/changes-entries/pr54221.txt b/changes-entries/pr54221.txt +new file mode 100644 +index 0000000000..62b75ea4dd +--- /dev/null ++++ b/changes-entries/pr54221.txt +@@ -0,0 +1,3 @@ ++ *) mod_cgid: Optional support for file descriptor passing, fixing ++ error log handling (configure --enable-cgid-fdpassing) on Unix ++ platforms. PR 54221. [Joe Orton] diff --git a/modules/generators/cgi_common.h b/modules/generators/cgi_common.h new file mode 100644 -index 0000000000..69df73ce68 +index 0000000000..66f9418f21 --- /dev/null 
+++ b/modules/generators/cgi_common.h -@@ -0,0 +1,629 @@ +@@ -0,0 +1,639 @@ +/* Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. @@ -35,6 +64,7 @@ index 0000000000..69df73ce68 + +#include "httpd.h" +#include "util_filter.h" ++#include "util_script.h" + +static APR_OPTIONAL_FN_TYPE(ap_ssi_get_tag_and_value) *cgi_pfn_gtv; +static APR_OPTIONAL_FN_TYPE(ap_ssi_parse_string) *cgi_pfn_ps; @@ -437,9 +467,18 @@ index 0000000000..69df73ce68 + char sbuf[MAX_STRING_LEN]; + int ret; + -+ if ((ret = ap_scan_script_header_err_brigade_ex(r, bb, sbuf, -+ APLOG_MODULE_INDEX))) -+ { ++ ret = ap_scan_script_header_err_brigade_ex(r, bb, sbuf, ++ APLOG_MODULE_INDEX); ++ ++ /* xCGI has its own body framing mechanism which we don't ++ * match against any provided Content-Length, so let the ++ * core determine C-L vs T-E based on what's actually sent. ++ */ ++ if (!apr_table_get(r->subprocess_env, AP_TRUST_CGILIKE_CL_ENVVAR)) ++ apr_table_unset(r->headers_out, "Content-Length"); ++ apr_table_unset(r->headers_out, "Transfer-Encoding"); ++ ++ if (ret != OK) { + /* In the case of a timeout reading script output, clear + * the brigade to avoid a second attempt to read the + * output. */ @@ -657,10 +696,18 @@ index bf295217e0..086355353b 100644 + APACHE_MODPATH_FINISH diff --git a/modules/generators/mod_cgi.c b/modules/generators/mod_cgi.c -index 7e4b126c10..421124a0cb 100644 +index 1f7778617e..3799b06ce3 100644 --- a/modules/generators/mod_cgi.c +++ b/modules/generators/mod_cgi.c -@@ -61,9 +61,6 @@ +@@ -48,7 +48,6 @@ + #include "http_protocol.h" + #include "http_main.h" + #include "http_log.h" +-#include "util_script.h" + #include "ap_mpm.h" + #include "mod_core.h" + #include "mod_cgi.h" +@@ -61,9 +60,6 @@ module AP_MODULE_DECLARE_DATA cgi_module; 
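Review bot: In the `@@ -437,9 +467,18 @@` hunk of cgi_common.h, the guard `if (!apr_table_get(r->subprocess_env, AP_TRUST_CGILIKE_CL_ENVVAR))` is unbraced and is immediately followed by an unconditional `apr_table_unset(r->headers_out, "Transfer-Encoding");`. The reach of the condition therefore rests on line layout alone; I would brace it as `if (!apr_table_get(...)) { apr_table_unset(r->headers_out, "Content-Length"); }`. The comment explains why the script's Content-Length is dropped, but not that setting the environment variable keeps it. A line such as `/* AP_TRUST_CGILIKE_CL_ENVVAR keeps the script-supplied Content-Length; set it only for scripts whose framing is trusted. */` would record that opt-out next to the code. The enclosing function starts and ends outside the hunk.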
@@ -670,14 +717,10 @@ index 7e4b126c10..421124a0cb 100644 static APR_OPTIONAL_FN_TYPE(ap_cgi_build_command) *cgi_build_command; /* Read and discard the data in the brigade produced by a CGI script */ -@@ -92,6 +89,15 @@ typedef struct { - apr_size_t bufbytes; - } cgi_server_conf; +@@ -96,6 +92,11 @@ typedef struct { + apr_interval_time_t timeout; + } cgi_dirconf; -+typedef struct { -+ apr_interval_time_t timeout; -+} cgi_dirconf; -+ +#if APR_FILES_AS_SOCKETS +#define WANT_CGI_BUCKET +#endif 
@@ -686,44 +729,7 @@ index 7e4b126c10..421124a0cb 100644 static void *create_cgi_config(apr_pool_t *p, server_rec *s) { cgi_server_conf *c = -@@ -112,6 +118,12 @@ static void *merge_cgi_config(apr_pool_t *p, void *basev, void *overridesv) - return overrides->logname ? overrides : base; - } - -+static void *create_cgi_dirconf(apr_pool_t *p, char *dummy) -+{ -+ cgi_dirconf *c = (cgi_dirconf *) apr_pcalloc(p, sizeof(cgi_dirconf)); -+ return c; -+} -+ - static const char *set_scriptlog(cmd_parms *cmd, void *dummy, const char *arg) - { - server_rec *s = cmd->server; -@@ -150,6 +162,17 @@ static const char *set_scriptlog_buffer(cmd_parms *cmd, void *dummy, - return NULL; - } - -+static const char *set_script_timeout(cmd_parms *cmd, void *dummy, const char *arg) -+{ -+ cgi_dirconf *dc = dummy; -+ -+ if (ap_timeout_parameter_parse(arg, &dc->timeout, "s") != APR_SUCCESS) { -+ return "CGIScriptTimeout has wrong format"; -+ } -+ -+ return NULL; -+} -+ - static const command_rec cgi_cmds[] = - { - AP_INIT_TAKE1("ScriptLog", set_scriptlog, NULL, RSRC_CONF, -@@ -158,67 +181,12 @@ AP_INIT_TAKE1("ScriptLogLength", set_scriptlog_length, NULL, RSRC_CONF, - "the maximum length (in bytes) of the script debug log"), - AP_INIT_TAKE1("ScriptLogBuffer", set_scriptlog_buffer, NULL, RSRC_CONF, - "the maximum size (in bytes) to record of a POST request"), -+AP_INIT_TAKE1("CGIScriptTimeout", set_script_timeout, NULL, RSRC_CONF | ACCESS_CONF, -+ "The amount of time to wait between successful reads from " -+ "the CGI script, in seconds."), +@@ -185,64 +186,6 @@ AP_INIT_TAKE1("CGIScriptTimeout", set_script_timeout, NULL, RSRC_CONF | ACCESS_C {NULL} }; 
@@ -788,37 +794,7 @@ index 7e4b126c10..421124a0cb 100644 static int log_script(request_rec *r, cgi_server_conf * conf, int ret, char *dbuf, const char *sbuf, apr_bucket_brigade *bb, apr_file_t *script_err) -@@ -466,23 +434,26 @@ static apr_status_t run_cgi_child(apr_file_t **script_out, - apr_filepath_name_get(r->filename)); - } - else { -+ cgi_dirconf *dc = ap_get_module_config(r->per_dir_config, &cgi_module); -+ apr_interval_time_t timeout = dc->timeout > 0 ? dc->timeout : r->server->timeout; -+ - apr_pool_note_subprocess(p, procnew, APR_KILL_AFTER_TIMEOUT); - - *script_in = procnew->out; - if (!*script_in) - return APR_EBADF; -- apr_file_pipe_timeout_set(*script_in, r->server->timeout); -+ apr_file_pipe_timeout_set(*script_in, timeout); - - if (e_info->prog_type == RUN_AS_CGI) { - *script_out = procnew->in; - if (!*script_out) - return APR_EBADF; -- apr_file_pipe_timeout_set(*script_out, r->server->timeout); -+ apr_file_pipe_timeout_set(*script_out, timeout); - - *script_err = procnew->err; - if (!*script_err) - return APR_EBADF; -- apr_file_pipe_timeout_set(*script_err, r->server->timeout); -+ apr_file_pipe_timeout_set(*script_err, timeout); - } - } - } -@@ -536,234 +507,30 @@ static apr_status_t default_build_command(const char **cmd, const char ***argv, +@@ -563,230 +506,23 @@ static apr_status_t default_build_command(const char **cmd, const char ***argv, return APR_SUCCESS; } @@ -961,11 +937,14 @@ index 7e4b126c10..421124a0cb 100644 - apr_size_t *len, apr_read_type_e block) -{ - struct cgi_bucket_data *data = b->data; -- apr_interval_time_t timeout; +- apr_interval_time_t timeout = 0; - apr_status_t rv; - int gotdata = 0; +- cgi_dirconf *dc = ap_get_module_config(data->r->per_dir_config, &cgi_module); - -- timeout = block == APR_NONBLOCK_READ ? 0 : data->r->server->timeout; +- if (block != APR_NONBLOCK_READ) { +- timeout = dc->timeout > 0 ? dc->timeout : data->r->server->timeout; +- } - - do { - const apr_pollfd_t *results; 
@@ -1046,10 +1025,10 @@ index 7e4b126c10..421124a0cb 100644 apr_status_t rv; cgi_exec_info_t e_info; - conn_rec *c; -+ cgi_dirconf *dc = ap_get_module_config(r->per_dir_config, &cgi_module); -+ apr_interval_time_t timeout = dc->timeout > 0 ? dc->timeout : r->server->timeout; + cgi_dirconf *dc = ap_get_module_config(r->per_dir_config, &cgi_module); + apr_interval_time_t timeout = dc->timeout > 0 ? dc->timeout : r->server->timeout; - if (strcmp(r->handler, CGI_MAGIC_TYPE) && strcmp(r->handler, "cgi-script")) { +@@ -794,8 +530,6 @@ static int cgi_handler(request_rec *r) return DECLINED; } @@ -1058,7 +1037,7 @@ index 7e4b126c10..421124a0cb 100644 is_included = !strcmp(r->protocol, "INCLUDED"); p = r->main ? r->main->pool : r->pool; -@@ -832,83 +599,24 @@ static int cgi_handler(request_rec *r) +@@ -864,83 +598,24 @@ static int cgi_handler(request_rec *r) return HTTP_INTERNAL_SERVER_ERROR; } @@ -1155,7 +1134,7 @@ index 7e4b126c10..421124a0cb 100644 /* Is this flush really needed? */ apr_file_flush(script_out); apr_file_close(script_out); -@@ -916,10 +624,7 @@ static int cgi_handler(request_rec *r) +@@ -948,10 +623,7 @@ static int cgi_handler(request_rec *r) AP_DEBUG_ASSERT(script_in != NULL); #if APR_FILES_AS_SOCKETS @@ -1167,7 +1146,7 @@ index 7e4b126c10..421124a0cb 100644 if (b == NULL) return HTTP_INTERNAL_SERVER_ERROR; #else -@@ -929,111 +634,7 @@ static int cgi_handler(request_rec *r) +@@ -961,120 +633,7 @@ static int cgi_handler(request_rec *r) b = apr_bucket_eos_create(c->bucket_alloc); APR_BRIGADE_INSERT_TAIL(bb, b); 
@@ -1177,9 +1156,18 @@ index 7e4b126c10..421124a0cb 100644 - char sbuf[MAX_STRING_LEN]; - int ret; - -- if ((ret = ap_scan_script_header_err_brigade_ex(r, bb, sbuf, -- APLOG_MODULE_INDEX))) -- { +- ret = ap_scan_script_header_err_brigade_ex(r, bb, sbuf, +- APLOG_MODULE_INDEX); +- +- /* xCGI has its own body framing mechanism which we don't +- * match against any provided Content-Length, so let the +- * core determine C-L vs T-E based on what's actually sent. +- */ +- if (!apr_table_get(r->subprocess_env, AP_TRUST_CGILIKE_CL_ENVVAR)) +- apr_table_unset(r->headers_out, "Content-Length"); +- apr_table_unset(r->headers_out, "Transfer-Encoding"); +- +- if (ret != OK) { - ret = log_script(r, conf, ret, dbuf, sbuf, bb, script_err); - - /* @@ -1218,7 +1206,7 @@ index 7e4b126c10..421124a0cb 100644 - * stderr output, as normal. */ - discard_script_output(bb); - apr_brigade_destroy(bb); -- apr_file_pipe_timeout_set(script_err, r->server->timeout); +- apr_file_pipe_timeout_set(script_err, timeout); - log_script_err(r, script_err); - } - @@ -1269,7 +1257,7 @@ index 7e4b126c10..421124a0cb 100644 - * connection drops or we stopped sending output for some other - * reason */ - if (rv == APR_SUCCESS && !r->connection->aborted) { -- apr_file_pipe_timeout_set(script_err, r->server->timeout); +- apr_file_pipe_timeout_set(script_err, timeout); - log_script_err(r, script_err); - } - @@ -1280,7 +1268,7 @@ index 7e4b126c10..421124a0cb 100644 } /*============================================================================ -@@ -1147,107 +748,9 @@ static apr_status_t include_cmd(include_ctx_t *ctx, ap_filter_t *f, +@@ -1188,107 +747,9 @@ static apr_status_t include_cmd(include_ctx_t *ctx, ap_filter_t *f, return APR_SUCCESS; } 
@@ -1388,7 +1376,7 @@ index 7e4b126c10..421124a0cb 100644 /* This is the means by which unusual (non-unix) os's may find alternate * means to run a given command (e.g. shebang/registry parsing on Win32) */ -@@ -1263,12 +766,13 @@ static void register_hooks(apr_pool_t *p) +@@ -1304,6 +765,7 @@ static void register_hooks(apr_pool_t *p) static const char * const aszPre[] = { "mod_include.c", NULL }; ap_hook_handler(cgi_handler, NULL, NULL, APR_HOOK_MIDDLE); ap_hook_post_config(cgi_post_config, aszPre, NULL, APR_HOOK_REALLY_FIRST); @@ -1396,18 +1384,19 @@ index 7e4b126c10..421124a0cb 100644 } AP_DECLARE_MODULE(cgi) = - { - STANDARD20_MODULE_STUFF, -- NULL, /* dir config creater */ -+ create_cgi_dirconf, /* dir config creater */ - NULL, /* dir merger --- default is to override */ - create_cgi_config, /* server config */ - merge_cgi_config, /* merge server config */ diff --git a/modules/generators/mod_cgid.c b/modules/generators/mod_cgid.c -index 2258a683b7..dddfb25254 100644 +index 4bab59f932..1d55b8dc48 100644 --- a/modules/generators/mod_cgid.c +++ b/modules/generators/mod_cgid.c -@@ -80,11 +80,6 @@ module AP_MODULE_DECLARE_DATA cgid_module; +@@ -57,7 +57,6 @@ + #include "http_protocol.h" + #include "http_main.h" + #include "http_log.h" +-#include "util_script.h" + #include "ap_mpm.h" + #include "mpm_common.h" + #include "mod_suexec.h" +@@ -80,11 +79,6 @@ module AP_MODULE_DECLARE_DATA cgid_module; static int cgid_start(apr_pool_t *p, server_rec *main_server, apr_proc_t *procnew); static int cgid_init(apr_pool_t *p, apr_pool_t *plog, apr_pool_t *ptemp, server_rec *main_server); @@ -1419,7 +1408,7 @@ index 2258a683b7..dddfb25254 100644 static apr_pool_t *pcgi = NULL; static pid_t daemon_pid; -@@ -220,6 +215,15 @@ typedef struct { +@@ -220,6 +214,15 @@ typedef struct { #endif } cgid_req_t; 
@@ -1435,7 +1424,7 @@ index 2258a683b7..dddfb25254 100644 /* This routine is called to create the argument list to be passed * to the CGI script. When suexec is enabled, the suexec path, user, and * group are the first three arguments to be passed; if not, all three -@@ -342,15 +346,19 @@ static apr_status_t close_unix_socket(void *thefd) +@@ -342,15 +345,19 @@ static apr_status_t close_unix_socket(void *thefd) return close(fd); } @@ -1460,7 +1449,7 @@ index 2258a683b7..dddfb25254 100644 do { do { rc = read(fd, buf + bytes_read, buf_size - bytes_read); -@@ -365,9 +373,60 @@ static apr_status_t sock_read(int fd, void *vbuf, size_t buf_size) +@@ -365,9 +372,60 @@ static apr_status_t sock_read(int fd, void *vbuf, size_t buf_size) } } while (bytes_read < buf_size); @@ -1521,7 +1510,7 @@ index 2258a683b7..dddfb25254 100644 /* deal with signals */ static apr_status_t sock_write(int fd, const void *buf, size_t buf_size) -@@ -384,7 +443,7 @@ static apr_status_t sock_write(int fd, const void *buf, size_t buf_size) +@@ -384,7 +442,7 @@ static apr_status_t sock_write(int fd, const void *buf, size_t buf_size) return APR_SUCCESS; } @@ -1530,7 +1519,7 @@ index 2258a683b7..dddfb25254 100644 { va_list ap; int rc; -@@ -399,9 +458,39 @@ static apr_status_t sock_writev(int fd, request_rec *r, int count, ...) +@@ -399,9 +457,39 @@ static apr_status_t sock_writev(int fd, request_rec *r, int count, ...) } va_end(ap); @@ -1570,7 +1559,7 @@ index 2258a683b7..dddfb25254 100644 if (rc < 0) { return errno; } -@@ -410,7 +499,7 @@ static apr_status_t sock_writev(int fd, request_rec *r, int count, ...) +@@ -410,7 +498,7 @@ static apr_status_t sock_writev(int fd, request_rec *r, int count, ...) } static apr_status_t get_req(int fd, request_rec *r, char **argv0, char ***env, 
@@ -1579,7 +1568,7 @@ index 2258a683b7..dddfb25254 100644 { int i; char **environ; -@@ -421,7 +510,7 @@ static apr_status_t get_req(int fd, request_rec *r, char **argv0, char ***env, +@@ -421,7 +509,7 @@ static apr_status_t get_req(int fd, request_rec *r, char **argv0, char ***env, r->server = apr_pcalloc(r->pool, sizeof(server_rec)); /* read the request header */ @@ -1588,7 +1577,7 @@ index 2258a683b7..dddfb25254 100644 if (stat != APR_SUCCESS) { return stat; } -@@ -431,6 +520,14 @@ static apr_status_t get_req(int fd, request_rec *r, char **argv0, char ***env, +@@ -431,6 +519,14 @@ static apr_status_t get_req(int fd, request_rec *r, char **argv0, char ***env, return APR_SUCCESS; } @@ -1603,7 +1592,7 @@ index 2258a683b7..dddfb25254 100644 /* handle module indexes and such */ rconf = (void **)ap_create_request_config(r->pool); -@@ -479,14 +576,15 @@ static apr_status_t get_req(int fd, request_rec *r, char **argv0, char ***env, +@@ -479,14 +575,15 @@ static apr_status_t get_req(int fd, request_rec *r, char **argv0, char ***env, return APR_SUCCESS; } @@ -1621,7 +1610,7 @@ index 2258a683b7..dddfb25254 100644 if (ugid == NULL) { -@@ -507,16 +605,21 @@ static apr_status_t send_req(int fd, request_rec *r, char *argv0, char **env, +@@ -507,16 +604,21 @@ static apr_status_t send_req(int fd, request_rec *r, char *argv0, char **env, req.args_len = r->args ? strlen(r->args) : 0; req.loglevel = r->server->log.level; @@ -1645,7 +1634,7 @@ index 2258a683b7..dddfb25254 100644 &req, sizeof(req), r->filename, req.filename_len, argv0, req.argv0_len, -@@ -531,7 +634,7 @@ static apr_status_t send_req(int fd, request_rec *r, char *argv0, char **env, +@@ -531,7 +633,7 @@ static apr_status_t send_req(int fd, request_rec *r, char *argv0, char **env, for (i = 0; i < req.env_count; i++) { apr_size_t curlen = strlen(env[i]); 
@@ -1654,7 +1643,7 @@ index 2258a683b7..dddfb25254 100644 env[i], curlen)) != APR_SUCCESS) { return stat; } -@@ -582,20 +685,34 @@ static void daemon_signal_handler(int sig) +@@ -582,20 +684,34 @@ static void daemon_signal_handler(int sig) } } @@ -1697,7 +1686,7 @@ index 2258a683b7..dddfb25254 100644 } static int cgid_server(void *data) -@@ -670,7 +787,7 @@ static int cgid_server(void *data) +@@ -670,7 +786,7 @@ static int cgid_server(void *data) } while (!daemon_should_exit) { @@ -1706,7 +1695,7 @@ index 2258a683b7..dddfb25254 100644 char *argv0 = NULL; char **env = NULL; const char * const *argv; -@@ -710,7 +827,7 @@ static int cgid_server(void *data) +@@ -710,7 +826,7 @@ static int cgid_server(void *data) r = apr_pcalloc(ptrans, sizeof(request_rec)); procnew = apr_pcalloc(ptrans, sizeof(*procnew)); r->pool = ptrans; @@ -1715,7 +1704,7 @@ index 2258a683b7..dddfb25254 100644 if (stat != APR_SUCCESS) { ap_log_error(APLOG_MARK, APLOG_ERR, stat, main_server, APLOGNO(01248) -@@ -742,6 +859,16 @@ static int cgid_server(void *data) +@@ -742,6 +858,16 @@ static int cgid_server(void *data) continue; } @@ -1732,7 +1721,7 @@ index 2258a683b7..dddfb25254 100644 apr_os_file_put(&r->server->error_log, &errfileno, 0, r->pool); apr_os_file_put(&inout, &sd2, 0, r->pool); -@@ -801,7 +928,10 @@ static int cgid_server(void *data) +@@ -801,7 +927,10 @@ static int cgid_server(void *data) close(sd2); } else { @@ -1744,7 +1733,7 @@ index 2258a683b7..dddfb25254 100644 argv = (const char * const *)create_argv(r->pool, NULL, NULL, NULL, argv0, r->args); -@@ -946,16 +1076,6 @@ static int cgid_init(apr_pool_t *p, apr_pool_t *plog, apr_pool_t *ptemp, +@@ -946,16 +1075,6 @@ static int cgid_init(apr_pool_t *p, apr_pool_t *plog, apr_pool_t *ptemp, if (ret != OK ) { return ret; } @@ -1761,7 +1750,7 @@ index 2258a683b7..dddfb25254 100644 } return ret; } -@@ -1066,41 +1186,6 @@ static const command_rec cgid_cmds[] = +@@ -1066,41 +1185,6 @@ static const command_rec cgid_cmds[] = {NULL} }; 
@@ -1803,7 +1792,7 @@ index 2258a683b7..dddfb25254 100644 static int log_script(request_rec *r, cgid_server_conf * conf, int ret, char *dbuf, const char *sbuf, apr_bucket_brigade *bb, apr_file_t *script_err) -@@ -1221,7 +1306,7 @@ static int connect_to_daemon(int *sdptr, request_rec *r, +@@ -1221,7 +1305,7 @@ static int connect_to_daemon(int *sdptr, request_rec *r, ++connect_tries; if ((sd = socket(AF_UNIX, SOCK_STREAM, 0)) < 0) { return log_scripterror(r, conf, HTTP_INTERNAL_SERVER_ERROR, errno, @@ -1812,7 +1801,7 @@ index 2258a683b7..dddfb25254 100644 } if (connect(sd, (struct sockaddr *)server_addr, server_addr_len) < 0) { /* Save errno for later */ -@@ -1242,7 +1327,7 @@ static int connect_to_daemon(int *sdptr, request_rec *r, +@@ -1242,7 +1326,7 @@ static int connect_to_daemon(int *sdptr, request_rec *r, } else { close(sd); @@ -1821,7 +1810,7 @@ index 2258a683b7..dddfb25254 100644 "unable to connect to cgi daemon after multiple tries"); } } -@@ -1258,13 +1343,15 @@ static int connect_to_daemon(int *sdptr, request_rec *r, +@@ -1258,13 +1342,15 @@ static int connect_to_daemon(int *sdptr, request_rec *r, if (connect_errno == ENOENT && apr_time_sec(apr_time_now() - ap_scoreboard_image->global->restart_time) > DEFAULT_CONNECT_STARTUP_DELAY) { @@ -1840,7 +1829,7 @@ index 2258a683b7..dddfb25254 100644 "cgid daemon is gone; is Apache terminating?"); } } -@@ -1272,23 +1359,6 @@ static int connect_to_daemon(int *sdptr, request_rec *r, +@@ -1272,23 +1358,6 @@ static int connect_to_daemon(int *sdptr, request_rec *r, return OK; } @@ -1864,7 +1853,7 @@ index 2258a683b7..dddfb25254 100644 /**************************************************************** * * Actual cgid handling... -@@ -1374,7 +1444,9 @@ static apr_status_t get_cgi_pid(request_rec *r, cgid_server_conf *conf, pid_t * +@@ -1374,7 +1443,9 @@ static apr_status_t get_cgi_pid(request_rec *r, cgid_server_conf *conf, pid_t * return stat; } 
@@ -1875,7 +1864,7 @@ index 2258a683b7..dddfb25254 100644 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01261) "daemon couldn't find CGI process for connection %lu", r->connection->id); -@@ -1393,19 +1465,21 @@ static apr_status_t cleanup_script(void *vptr) +@@ -1393,19 +1464,21 @@ static apr_status_t cleanup_script(void *vptr) static int cgid_handler(request_rec *r) { @@ -1901,7 +1890,7 @@ index 2258a683b7..dddfb25254 100644 if (strcmp(r->handler, CGI_MAGIC_TYPE) && strcmp(r->handler, "cgi-script")) { return DECLINED; -@@ -1414,7 +1488,7 @@ static int cgid_handler(request_rec *r) +@@ -1414,7 +1487,7 @@ static int cgid_handler(request_rec *r) conf = ap_get_module_config(r->server->module_config, &cgid_module); dc = ap_get_module_config(r->per_dir_config, &cgid_module); @@ -1910,7 +1899,7 @@ index 2258a683b7..dddfb25254 100644 is_included = !strcmp(r->protocol, "INCLUDED"); if ((argv0 = strrchr(r->filename, '/')) != NULL) { -@@ -1429,12 +1503,12 @@ static int cgid_handler(request_rec *r) +@@ -1429,12 +1502,12 @@ static int cgid_handler(request_rec *r) argv0 = r->filename; if (!(ap_allow_options(r) & OPT_EXECCGI) && !is_scriptaliased(r)) { @@ -1925,7 +1914,7 @@ index 2258a683b7..dddfb25254 100644 "attempt to include NPH CGI script"); } -@@ -1443,12 +1517,12 @@ static int cgid_handler(request_rec *r) +@@ -1443,12 +1516,12 @@ static int cgid_handler(request_rec *r) #error at mod_cgi.c for required code in this path. #else if (r->finfo.filetype == APR_NOFILE) { @@ -1940,7 +1929,7 @@ index 2258a683b7..dddfb25254 100644 "attempt to invoke directory as script"); } -@@ -1456,7 +1530,7 @@ static int cgid_handler(request_rec *r) +@@ -1456,7 +1529,7 @@ static int cgid_handler(request_rec *r) r->path_info && *r->path_info) { /* default to accept */ 
@@ -1949,7 +1938,7 @@ index 2258a683b7..dddfb25254 100644 "AcceptPathInfo off disallows user's path"); } /* -@@ -1467,6 +1541,17 @@ static int cgid_handler(request_rec *r) +@@ -1467,6 +1540,17 @@ static int cgid_handler(request_rec *r) } */ @@ -1967,7 +1956,7 @@ index 2258a683b7..dddfb25254 100644 /* * httpd core function used to add common environment variables like * DOCUMENT_ROOT. -@@ -1479,24 +1564,28 @@ static int cgid_handler(request_rec *r) +@@ -1479,24 +1563,28 @@ static int cgid_handler(request_rec *r) return retval; } @@ -2003,7 +1992,7 @@ index 2258a683b7..dddfb25254 100644 } /* We are putting the socket discriptor into an apr_file_t so that we can -@@ -1506,95 +1595,25 @@ static int cgid_handler(request_rec *r) +@@ -1506,95 +1594,25 @@ static int cgid_handler(request_rec *r) */ apr_os_pipe_put_ex(&tempsock, &sd, 1, r->pool); @@ -2112,7 +2101,7 @@ index 2258a683b7..dddfb25254 100644 } /* we're done writing, or maybe we didn't write at all; -@@ -1603,125 +1622,22 @@ static int cgid_handler(request_rec *r) +@@ -1603,134 +1621,22 @@ static int cgid_handler(request_rec *r) */ shutdown(sd, 1); @@ -2129,9 +2118,18 @@ index 2258a683b7..dddfb25254 100644 - b = apr_bucket_eos_create(c->bucket_alloc); - APR_BRIGADE_INSERT_TAIL(bb, b); - -- if ((ret = ap_scan_script_header_err_brigade_ex(r, bb, sbuf, -- APLOG_MODULE_INDEX))) -- { +- ret = ap_scan_script_header_err_brigade_ex(r, bb, sbuf, +- APLOG_MODULE_INDEX); +- +- /* xCGI has its own body framing mechanism which we don't +- * match against any provided Content-Length, so let the +- * core determine C-L vs T-E based on what's actually sent. +- */ +- if (!apr_table_get(r->subprocess_env, AP_TRUST_CGILIKE_CL_ENVVAR)) +- apr_table_unset(r->headers_out, "Content-Length"); +- apr_table_unset(r->headers_out, "Transfer-Encoding"); +- +- if (ret != OK) { - ret = log_script(r, conf, ret, dbuf, sbuf, bb, NULL); - - /* 
@@ -2251,7 +2249,7 @@ index 2258a683b7..dddfb25254 100644 static apr_status_t include_cgi(include_ctx_t *ctx, ap_filter_t *f, apr_bucket_brigade *bb, char *s) { -@@ -1806,7 +1722,7 @@ static void add_ssi_vars(request_rec *r) +@@ -1815,7 +1721,7 @@ static void add_ssi_vars(request_rec *r) } static int include_cmd(include_ctx_t *ctx, ap_filter_t *f, @@ -2260,7 +2258,7 @@ index 2258a683b7..dddfb25254 100644 { char **env; int sd; -@@ -1827,7 +1743,7 @@ static int include_cmd(include_ctx_t *ctx, ap_filter_t *f, +@@ -1836,7 +1742,7 @@ static int include_cmd(include_ctx_t *ctx, ap_filter_t *f, return retval; } @@ -2269,7 +2267,7 @@ index 2258a683b7..dddfb25254 100644 info = apr_palloc(r->pool, sizeof(struct cleanup_script_info)); info->conf = conf; -@@ -1872,91 +1788,6 @@ static int include_cmd(include_ctx_t *ctx, ap_filter_t *f, +@@ -1881,91 +1787,6 @@ static int include_cmd(include_ctx_t *ctx, ap_filter_t *f, return APR_SUCCESS; } @@ -2361,7 +2359,7 @@ index 2258a683b7..dddfb25254 100644 static void register_hook(apr_pool_t *p) { static const char * const aszPre[] = { "mod_include.c", NULL }; -@@ -1964,6 +1795,7 @@ static void register_hook(apr_pool_t *p) +@@ -1973,6 +1794,7 @@ static void register_hook(apr_pool_t *p) ap_hook_pre_config(cgid_pre_config, NULL, NULL, APR_HOOK_MIDDLE); ap_hook_post_config(cgid_init, aszPre, NULL, APR_HOOK_MIDDLE); ap_hook_handler(cgid_handler, NULL, NULL, APR_HOOK_MIDDLE); diff --git a/modular/httpd/httpd.spec b/modular/httpd/httpd.spec index 936225e..d2f8922 100644 --- a/modular/httpd/httpd.spec +++ b/modular/httpd/httpd.spec @@ -40,8 +40,8 @@ ModularityLabel: %{name}:raven:%{version}:%{release} Summary: Apache HTTP Server Name: httpd -Version: 2.4.58 -Release: 2%{?dist} +Version: 2.4.59 +Release: 1%{?dist} URL: https://httpd.apache.org/ Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2 Source1: index.html 
@@ -100,24 +100,23 @@ Patch21: httpd-2.4.48-r1842929+.patch
 Patch22: httpd-2.4.43-mod_systemd.patch
 Patch23: httpd-2.4.53-export.patch
 Patch24: httpd-2.4.43-corelimit.patch
-Patch25: httpd-2.4.54-selinux.patch
-Patch26: httpd-2.4.43-gettid.patch
+Patch26: httpd-2.4.59-gettid.patch
 Patch27: httpd-2.4.43-icons.patch
 Patch30: httpd-2.4.43-cachehardmax.patch
 Patch31: httpd-2.4.43-sslmultiproxy.patch
 Patch34: httpd-2.4.43-socket-activation.patch
 Patch38: httpd-2.4.43-sslciphdefault.patch
 Patch39: httpd-2.4.43-sslprotdefault.patch
-Patch41: httpd-2.4.43-r1861793+.patch
-Patch42: httpd-2.4.48-r1828172+.patch
+Patch42: httpd-2.4.59-unifycgid.patch
 Patch45: httpd-2.4.43-logjournal.patch
 Patch46: httpd-2.4.54-separate-systemd-fns.patch
+Patch49: httpd-2.4.54-selinux.patch
+Patch50: httpd-2.4.58-r1912477+.patch
+Patch51: httpd-2.4.58-r1914365.patch
 # Bug fixes
 # https://bugzilla.redhat.com/show_bug.cgi?id=1397243
 Patch60: httpd-2.4.43-enable-sslv3.patch
-Patch63: httpd-2.4.46-htcacheclean-dont-break.patch
-Patch65: httpd-2.4.51-r1894152.patch
 # Security fixes
@@ -314,8 +313,7 @@ top of libnghttp2 for httpd 2.4 servers.
 %patch22 -p1 -b .mod_systemd
 %patch23 -p1 -b .export
 %patch24 -p1 -b .corelimit
-%patch25 -p1 -b .selinux
-%if 0%{?rhel} > 8
+%if 0%{?rhel} >= 8
 # too new for el7
 %patch26 -p1 -b .gettid
 %endif
@@ -325,14 +323,15 @@ top of libnghttp2 for httpd 2.4 servers.
 %patch34 -p1 -b .socketactivation
 %patch38 -p1 -b .sslciphdefault
 %patch39 -p1 -b .sslprotdefault
-%patch41 -p1 -b .r1861793+
-%patch42 -p1 -b .r1828172+
+%patch42 -p1 -b .unifycgid
 %patch45 -p1 -b .logjournal
 %patch46 -p1 -b .separatesystemd
+%patch49 -p1 -b .selinux
+
+%patch50 -p1 -b .r1912477
+%patch51 -p1 -b .r1914365
 %patch60 -p1 -b .enable-sslv3
-%patch63 -p1 -b .htcacheclean
-%patch65 -p1 -b .r1894152
 #patch100 -p1 -b .cp-suexec
 #patch101 -p1 -b .revert-systemd-linking
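Review bot: Neither the dropped nor the added patches in the `@@ -100,24 +100,23 @@` hunk are explained. `Patch41`, `Patch63` and `Patch65` disappear, along with their `%patch` lines in the `@@ -325,14 +323,15 @@` hunk, while `Patch50` and `Patch51` arrive identified only by what look like upstream revision numbers. For a network-facing package a later auditor needs to tell whether a removed fix was merged upstream or lost in the rebase, and what each carried backport changes. I would add a comment above the new entries, e.g. `# upstream backports: <what r1912477+ and r1914365 change>`, and a changelog line such as `- drop patches 41, 63, 65 (<merged upstream | no longer needed>)`.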
@@ -917,6 +916,9 @@ exit $rv
 %{_rpmconfigdir}/macros.d/macros.httpd
 %changelog
+* Mon Apr 8 2024 Raven - 2.4.59-1
+- update to 2.4.59
+
 * Sat Nov 4 2023 Raven - 2.4.58-2
 - use OOMPolicy=continue for RHEL >= 9