From 538ad5ff5545063c27738747e2ce8e079f2d561b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= Date: Wed, 2 Jun 2021 18:50:42 +0200 Subject: [PATCH] new version 2.4.48 Resolves: #1952817 - rebase to 2.4.48 --- .gitignore | 1 + httpd-2.4.43-r1870095+.patch | 115 ----------- httpd-2.4.43-sslcoalesce.patch | 192 ------------------ httpd-2.4.46-lua-resume.patch | 119 ----------- ...-export.patch => httpd-2.4.48-export.patch | 6 +- ...> httpd-2.4.48-proxy-ws-idle-timeout.patch | 95 ++++----- ...929+.patch => httpd-2.4.48-r1842929+.patch | 27 +-- httpd.spec | 20 +- sources | 4 +- 9 files changed, 65 insertions(+), 514 deletions(-) delete mode 100644 httpd-2.4.43-r1870095+.patch delete mode 100644 httpd-2.4.43-sslcoalesce.patch delete mode 100644 httpd-2.4.46-lua-resume.patch rename httpd-2.4.43-export.patch => httpd-2.4.48-export.patch (93%) rename httpd-2.4.46-proxy-ws-idle-timeout.patch => httpd-2.4.48-proxy-ws-idle-timeout.patch (68%) rename httpd-2.4.43-r1842929+.patch => httpd-2.4.48-r1842929+.patch (91%) diff --git a/.gitignore b/.gitignore index 09a5a07..ea4148c 100644 --- a/.gitignore +++ b/.gitignore @@ -38,3 +38,4 @@ x86_64 /httpd-2.4.43.tar.bz2.asc /KEYS /httpd-2.4.46.tar.bz2.asc +/httpd-2.4.48.tar.bz2.asc diff --git a/httpd-2.4.43-r1870095+.patch b/httpd-2.4.43-r1870095+.patch deleted file mode 100644 index 3fc8dfb..0000000 --- a/httpd-2.4.43-r1870095+.patch +++ /dev/null @@ -1,115 +0,0 @@ -diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c -index cbab6a3..765aa4b 100644 ---- a/modules/ssl/ssl_engine_kernel.c -+++ b/modules/ssl/ssl_engine_kernel.c -@@ -114,6 +114,45 @@ static int has_buffered_data(request_rec *r) - return result; - } - -+/* If a renegotiation is required for the location, and the request -+ * includes a message body (and the client has not requested a "100 -+ * Continue" response), then the client will be streaming the request -+ * body over the wire already. In that case, it is not possible to -+ * stop and perform a new SSL handshake immediately; once the SSL -+ * library moves to the "accept" state, it will reject the SSL packets -+ * which the client is sending for the request body. -+ * -+ * To allow authentication to complete in the hook, the solution used -+ * here is to fill a (bounded) buffer with the request body, and then -+ * to reinject that request body later. -+ * -+ * This function is called to fill the renegotiation buffer for the -+ * location as required, or fail. Returns zero on success or HTTP_ -+ * error code on failure. -+ */ -+static int fill_reneg_buffer(request_rec *r, SSLDirConfigRec *dc) -+{ -+ int rv; -+ apr_size_t rsize; -+ -+ /* ### this is HTTP/1.1 specific, special case for protocol? */ -+ if (r->expecting_100 || !ap_request_has_body(r)) { -+ return 0; -+ } -+ -+ rsize = dc->nRenegBufferSize == UNSET ? DEFAULT_RENEG_BUFFER_SIZE : dc->nRenegBufferSize; -+ if (rsize > 0) { -+ /* Fill the I/O buffer with the request body if possible. */ -+ rv = ssl_io_buffer_fill(r, rsize); -+ } -+ else { -+ /* If the reneg buffer size is set to zero, just fail. */ -+ rv = HTTP_REQUEST_ENTITY_TOO_LARGE; -+ } -+ -+ return rv; -+} -+ - #ifdef HAVE_TLSEXT - static int ap_array_same_str_set(apr_array_header_t *s1, apr_array_header_t *s2) - { -@@ -814,41 +853,14 @@ static int ssl_hook_Access_classic(request_rec *r, SSLSrvConfigRec *sc, SSLDirCo - } - } - -- /* If a renegotiation is now required for this location, and the -- * request includes a message body (and the client has not -- * requested a "100 Continue" response), then the client will be -- * streaming the request body over the wire already. In that -- * case, it is not possible to stop and perform a new SSL -- * handshake immediately; once the SSL library moves to the -- * "accept" state, it will reject the SSL packets which the client -- * is sending for the request body. -- * -- * To allow authentication to complete in this auth hook, the -- * solution used here is to fill a (bounded) buffer with the -- * request body, and then to reinject that request body later. -- */ -- if (renegotiate && !renegotiate_quick -- && !r->expecting_100 -- && ap_request_has_body(r)) { -- int rv; -- apr_size_t rsize; -- -- rsize = dc->nRenegBufferSize == UNSET ? DEFAULT_RENEG_BUFFER_SIZE : -- dc->nRenegBufferSize; -- if (rsize > 0) { -- /* Fill the I/O buffer with the request body if possible. */ -- rv = ssl_io_buffer_fill(r, rsize); -- } -- else { -- /* If the reneg buffer size is set to zero, just fail. */ -- rv = HTTP_REQUEST_ENTITY_TOO_LARGE; -- } -- -- if (rv) { -+ /* Fill reneg buffer if required. */ -+ if (renegotiate && !renegotiate_quick) { -+ rc = fill_reneg_buffer(r, dc); -+ if (rc) { - ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02257) - "could not buffer message body to allow " - "SSL renegotiation to proceed"); -- return rv; -+ return rc; - } - } - -@@ -1132,6 +1144,17 @@ static int ssl_hook_Access_modern(request_rec *r, SSLSrvConfigRec *sc, SSLDirCon - } - } - -+ /* Fill reneg buffer if required. */ -+ if (change_vmode) { -+ rc = fill_reneg_buffer(r, dc); -+ if (rc) { -+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10228) -+ "could not buffer message body to allow " -+ "TLS Post-Handshake Authentication to proceed"); -+ return rc; -+ } -+ } -+ - if (change_vmode) { - char peekbuf[1]; - diff --git a/httpd-2.4.43-sslcoalesce.patch b/httpd-2.4.43-sslcoalesce.patch deleted file mode 100644 index ef1f728..0000000 --- a/httpd-2.4.43-sslcoalesce.patch +++ /dev/null @@ -1,192 +0,0 @@ - -http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_io.c?r1=1836237&r2=1836236&pathrev=1836237&view=patch -http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_io.c?r1=1873985&r2=1876037&view=patch - ---- httpd-2.4.43/modules/ssl/ssl_engine_io.c.sslcoalesce -+++ httpd-2.4.43/modules/ssl/ssl_engine_io.c -@@ -1585,18 +1585,32 @@ - } - - --/* ssl_io_filter_output() produces one SSL/TLS message per bucket -+/* ssl_io_filter_output() produces one SSL/TLS record per bucket - * passed down the output filter stack. This results in a high -- * overhead (network packets) for any output comprising many small -- * buckets. SSI page applied through the HTTP chunk filter, for -- * example, may produce many brigades containing small buckets - -- * [chunk-size CRLF] [chunk-data] [CRLF]. -+ * overhead (more network packets & TLS processing) for any output -+ * comprising many small buckets. SSI output passed through the HTTP -+ * chunk filter, for example, may produce many brigades containing -+ * small buckets - [chunk-size CRLF] [chunk-data] [CRLF]. - * -- * The coalescing filter merges many small buckets into larger buckets -- * where possible, allowing the SSL I/O output filter to handle them -- * more efficiently. */ -+ * Sending HTTP response headers as a separate TLS record to the -+ * response body also reveals information to a network observer (the -+ * size of headers) which can be significant. -+ * -+ * The coalescing filter merges data buckets with the aim of producing -+ * fewer, larger TLS records - without copying/buffering all content -+ * and introducing unnecessary overhead. -+ * -+ * ### This buffering could be probably be done more comprehensively -+ * ### in ssl_io_filter_output itself. -+ * -+ * ### Another possible performance optimisation in particular for the -+ * ### [HEAP] [FILE] HTTP response case is using a brigade rather than -+ * ### a char array to buffer; using apr_brigade_write() to append -+ * ### will use already-allocated memory from the HEAP, reducing # of -+ * ### copies. -+ */ - --#define COALESCE_BYTES (2048) -+#define COALESCE_BYTES (AP_IOBUFSIZE) - - struct coalesce_ctx { - char buffer[COALESCE_BYTES]; -@@ -1609,11 +1623,12 @@ - apr_bucket *e, *upto; - apr_size_t bytes = 0; - struct coalesce_ctx *ctx = f->ctx; -+ apr_size_t buffered = ctx ? ctx->bytes : 0; /* space used on entry */ - unsigned count = 0; - - /* The brigade consists of zero-or-more small data buckets which -- * can be coalesced (the prefix), followed by the remainder of the -- * brigade. -+ * can be coalesced (referred to as the "prefix"), followed by the -+ * remainder of the brigade. - * - * Find the last bucket - if any - of that prefix. count gives - * the number of buckets in the prefix. The "prefix" must contain -@@ -1628,24 +1643,97 @@ - e != APR_BRIGADE_SENTINEL(bb) - && !APR_BUCKET_IS_METADATA(e) - && e->length != (apr_size_t)-1 -- && e->length < COALESCE_BYTES -- && (bytes + e->length) < COALESCE_BYTES -- && (ctx == NULL -- || bytes + ctx->bytes + e->length < COALESCE_BYTES); -+ && e->length <= COALESCE_BYTES -+ && (buffered + bytes + e->length) <= COALESCE_BYTES; - e = APR_BUCKET_NEXT(e)) { -- if (e->length) count++; /* don't count zero-length buckets */ -- bytes += e->length; -+ /* don't count zero-length buckets */ -+ if (e->length) { -+ bytes += e->length; -+ count++; -+ } - } -+ -+ /* If there is room remaining and the next bucket is a data -+ * bucket, try to include it in the prefix to coalesce. For a -+ * typical [HEAP] [FILE] HTTP response brigade, this handles -+ * merging the headers and the start of the body into a single TLS -+ * record. */ -+ if (bytes + buffered > 0 -+ && bytes + buffered < COALESCE_BYTES -+ && e != APR_BRIGADE_SENTINEL(bb) -+ && !APR_BUCKET_IS_METADATA(e)) { -+ apr_status_t rv = APR_SUCCESS; -+ -+ /* For an indeterminate length bucket (PIPE/CGI/...), try a -+ * non-blocking read to have it morph into a HEAP. If the -+ * read fails with EAGAIN, it is harmless to try a split -+ * anyway, split is ENOTIMPL for most PIPE-like buckets. */ -+ if (e->length == (apr_size_t)-1) { -+ const char *discard; -+ apr_size_t ignore; -+ -+ rv = apr_bucket_read(e, &discard, &ignore, APR_NONBLOCK_READ); -+ if (rv != APR_SUCCESS && !APR_STATUS_IS_EAGAIN(rv)) { -+ ap_log_cerror(APLOG_MARK, APLOG_ERR, rv, f->c, APLOGNO(10232) -+ "coalesce failed to read from %s bucket", -+ e->type->name); -+ return AP_FILTER_ERROR; -+ } -+ } -+ -+ if (rv == APR_SUCCESS) { -+ /* If the read above made the bucket morph, it may now fit -+ * entirely within the buffer. Otherwise, split it so it does -+ * fit. */ -+ if (e->length > COALESCE_BYTES -+ || e->length + buffered + bytes > COALESCE_BYTES) { -+ rv = apr_bucket_split(e, COALESCE_BYTES - (buffered + bytes)); -+ } -+ -+ if (rv == APR_SUCCESS && e->length == 0) { -+ /* As above, don't count in the prefix if the bucket is -+ * now zero-length. */ -+ } -+ else if (rv == APR_SUCCESS) { -+ ap_log_cerror(APLOG_MARK, APLOG_TRACE4, 0, f->c, -+ "coalesce: adding %" APR_SIZE_T_FMT " bytes " -+ "from split %s bucket, total %" APR_SIZE_T_FMT, -+ e->length, e->type->name, bytes + buffered); -+ -+ count++; -+ bytes += e->length; -+ e = APR_BUCKET_NEXT(e); -+ } -+ else if (rv != APR_ENOTIMPL) { -+ ap_log_cerror(APLOG_MARK, APLOG_ERR, rv, f->c, APLOGNO(10233) -+ "coalesce: failed to split data bucket"); -+ return AP_FILTER_ERROR; -+ } -+ } -+ } -+ - upto = e; - -- /* Coalesce the prefix, if: -- * a) more than one bucket is found to coalesce, or -- * b) the brigade contains only a single data bucket, or -- * c) the data bucket is not last but we have buffered data already. -+ /* Coalesce the prefix, if any of the following are true: -+ * -+ * a) the prefix is more than one bucket -+ * OR -+ * b) the prefix is the entire brigade, which is a single bucket -+ * AND the prefix length is smaller than the buffer size, -+ * OR -+ * c) the prefix is a single bucket -+ * AND there is buffered data from a previous pass. -+ * -+ * The aim with (b) is to buffer a small bucket so it can be -+ * coalesced with future invocations of this filter. e.g. three -+ * calls each with a single 100 byte HEAP bucket should get -+ * coalesced together. But an invocation with a 8192 byte HEAP -+ * should pass through untouched. - */ - if (bytes > 0 - && (count > 1 -- || (upto == APR_BRIGADE_SENTINEL(bb)) -+ || (upto == APR_BRIGADE_SENTINEL(bb) -+ && bytes < COALESCE_BYTES) - || (ctx && ctx->bytes > 0))) { - /* If coalescing some bytes, ensure a context has been - * created. */ -@@ -1656,7 +1744,8 @@ - - ap_log_cerror(APLOG_MARK, APLOG_TRACE4, 0, f->c, - "coalesce: have %" APR_SIZE_T_FMT " bytes, " -- "adding %" APR_SIZE_T_FMT " more", ctx->bytes, bytes); -+ "adding %" APR_SIZE_T_FMT " more (buckets=%u)", -+ ctx->bytes, bytes, count); - - /* Iterate through the prefix segment. For non-fatal errors - * in this loop it is safe to break out and fall back to the -@@ -1671,7 +1760,8 @@ - if (APR_BUCKET_IS_METADATA(e) - || e->length == (apr_size_t)-1) { - ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, f->c, APLOGNO(02012) -- "unexpected bucket type during coalesce"); -+ "unexpected %s bucket during coalesce", -+ e->type->name); - break; /* non-fatal error; break out */ - } - diff --git a/httpd-2.4.46-lua-resume.patch b/httpd-2.4.46-lua-resume.patch deleted file mode 100644 index 1a22008..0000000 --- a/httpd-2.4.46-lua-resume.patch +++ /dev/null @@ -1,119 +0,0 @@ -diff --git a/modules/lua/config.m4 b/modules/lua/config.m4 -index 29fd563..abeba1c 100644 ---- a/modules/lua/config.m4 -+++ b/modules/lua/config.m4 -@@ -34,7 +34,7 @@ AC_DEFUN([CHECK_LUA_PATH], [dnl - fi - ]) - --dnl Check for Lua 5.3/5.2/5.1 Libraries -+dnl Check for Lua Libraries - dnl CHECK_LUA(ACTION-IF-FOUND [, ACTION-IF-NOT-FOUND]) - dnl Sets: - dnl LUA_CFLAGS -@@ -44,7 +44,7 @@ AC_DEFUN([CHECK_LUA], - - AC_ARG_WITH( - lua, -- [AC_HELP_STRING([--with-lua=PATH],[Path to the Lua 5.3/5.2/5.1 prefix])], -+ [AC_HELP_STRING([--with-lua=PATH],[Path to the Lua installation prefix])], - lua_path="$withval", - :) - -diff --git a/modules/lua/mod_lua.c b/modules/lua/mod_lua.c -index 05f1e44..18b628c 100644 ---- a/modules/lua/mod_lua.c -+++ b/modules/lua/mod_lua.c -@@ -342,7 +342,7 @@ static apr_status_t lua_setup_filter_ctx(ap_filter_t* f, request_rec* r, lua_fil - { - apr_pool_t *pool; - ap_lua_vm_spec *spec; -- int n, rc; -+ int n, rc, nres; - lua_State *L; - lua_filter_ctx *ctx; - ap_lua_server_cfg *server_cfg = ap_get_module_config(r->server->module_config, -@@ -410,7 +410,7 @@ static apr_status_t lua_setup_filter_ctx(ap_filter_t* f, request_rec* r, lua_fil - /* If a Lua filter is interested in filtering a request, it must first do a yield, - * otherwise we'll assume that it's not interested and pretend we didn't find it. - */ -- rc = lua_resume(L, 1); -+ rc = lua_resume(L, 1, &nres); - if (rc == LUA_YIELD) { - if (f->frec->providers == NULL) { - /* Not wired by mod_filter */ -@@ -432,7 +432,7 @@ static apr_status_t lua_setup_filter_ctx(ap_filter_t* f, request_rec* r, lua_fil - static apr_status_t lua_output_filter_handle(ap_filter_t *f, apr_bucket_brigade *pbbIn) - { - request_rec *r = f->r; -- int rc; -+ int rc, nres; - lua_State *L; - lua_filter_ctx* ctx; - conn_rec *c = r->connection; -@@ -492,7 +492,7 @@ static apr_status_t lua_output_filter_handle(ap_filter_t *f, apr_bucket_brigade - lua_setglobal(L, "bucket"); - - /* If Lua yielded, it means we have something to pass on */ -- if (lua_resume(L, 0) == LUA_YIELD) { -+ if (lua_resume(L, 0, &nres) == LUA_YIELD && nres == 1) { - size_t olen; - const char* output = lua_tolstring(L, 1, &olen); - if (olen > 0) { -@@ -524,7 +524,7 @@ static apr_status_t lua_output_filter_handle(ap_filter_t *f, apr_bucket_brigade - apr_bucket *pbktEOS; - lua_pushnil(L); - lua_setglobal(L, "bucket"); -- if (lua_resume(L, 0) == LUA_YIELD) { -+ if (lua_resume(L, 0, &nres) == LUA_YIELD && nres == 1) { - apr_bucket *pbktOut; - size_t olen; - const char* output = lua_tolstring(L, 1, &olen); -@@ -558,7 +558,7 @@ static apr_status_t lua_input_filter_handle(ap_filter_t *f, - apr_off_t nBytes) - { - request_rec *r = f->r; -- int rc, lastCall = 0; -+ int rc, lastCall = 0, nres; - lua_State *L; - lua_filter_ctx* ctx; - conn_rec *c = r->connection; -@@ -621,7 +621,7 @@ static apr_status_t lua_input_filter_handle(ap_filter_t *f, - lua_setglobal(L, "bucket"); - - /* If Lua yielded, it means we have something to pass on */ -- if (lua_resume(L, 0) == LUA_YIELD) { -+ if (lua_resume(L, 0, &nres) == LUA_YIELD && nres == 1) { - size_t olen; - const char* output = lua_tolstring(L, 1, &olen); - pbktOut = apr_bucket_heap_create(output, olen, 0, c->bucket_alloc); -@@ -643,7 +643,7 @@ static apr_status_t lua_input_filter_handle(ap_filter_t *f, - apr_bucket *pbktEOS = apr_bucket_eos_create(c->bucket_alloc); - lua_pushnil(L); - lua_setglobal(L, "bucket"); -- if (lua_resume(L, 0) == LUA_YIELD) { -+ if (lua_resume(L, 0, &nres) == LUA_YIELD && nres == 1) { - apr_bucket *pbktOut; - size_t olen; - const char* output = lua_tolstring(L, 1, &olen); -diff --git a/modules/lua/mod_lua.h b/modules/lua/mod_lua.h -index 0e49cdc..72b4de7 100644 ---- a/modules/lua/mod_lua.h -+++ b/modules/lua/mod_lua.h -@@ -48,7 +48,15 @@ - #if LUA_VERSION_NUM > 501 - /* Load mode for lua_load() */ - #define lua_load(a,b,c,d) lua_load(a,b,c,d,NULL) --#define lua_resume(a,b) lua_resume(a, NULL, b) -+ -+#if LUA_VERSION_NUM > 503 -+#define lua_resume(a,b,c) lua_resume(a, NULL, b, c) -+#else -+/* ### For version < 5.4, assume that exactly one stack item is on the -+ * stack, which is what the code did before but seems dubious. */ -+#define lua_resume(a,b,c) (*(c) = 1, lua_resume(a, NULL, b)) -+#endif -+ - #define luaL_setfuncs_compat(a,b) luaL_setfuncs(a,b,0) - #else - #define lua_rawlen(L,i) lua_objlen(L, (i)) diff --git a/httpd-2.4.43-export.patch b/httpd-2.4.48-export.patch similarity index 93% rename from httpd-2.4.43-export.patch rename to httpd-2.4.48-export.patch index 0d9fd72..439f768 100644 --- a/httpd-2.4.43-export.patch +++ b/httpd-2.4.48-export.patch @@ -6,7 +6,7 @@ to do so indirectly. Upstream: https://svn.apache.org/r1861685 (as new default-off configure option) diff --git a/Makefile.in b/Makefile.in -index 9eeb5c7..8746a10 100644 +index 40c7076..ac98e5f 100644 --- a/Makefile.in +++ b/Makefile.in @@ -4,8 +4,15 @@ CLEAN_SUBDIRS = test @@ -27,7 +27,7 @@ index 9eeb5c7..8746a10 100644 server/libmain.la \ $(BUILTIN_LIBS) \ diff --git a/server/Makefile.in b/server/Makefile.in -index 1fa3344..116850b 100644 +index 8111877..f00bb3f 100644 --- a/server/Makefile.in +++ b/server/Makefile.in @@ -12,7 +12,7 @@ LTLIBRARY_SOURCES = \ @@ -36,7 +36,7 @@ index 1fa3344..116850b 100644 util_charset.c util_cookies.c util_debug.c util_xml.c \ - util_filter.c util_pcre.c util_regex.c exports.c \ + util_filter.c util_pcre.c util_regex.c \ - scoreboard.c error_bucket.c protocol.c core.c request.c provider.c \ + scoreboard.c error_bucket.c protocol.c core.c request.c ssl.c provider.c \ eoc_bucket.c eor_bucket.c core_filters.c \ util_expr_parse.c util_expr_scan.c util_expr_eval.c diff --git a/server/main.c b/server/main.c diff --git a/httpd-2.4.46-proxy-ws-idle-timeout.patch b/httpd-2.4.48-proxy-ws-idle-timeout.patch similarity index 68% rename from httpd-2.4.46-proxy-ws-idle-timeout.patch rename to httpd-2.4.48-proxy-ws-idle-timeout.patch index e9f9d40..d04dc68 100644 --- a/httpd-2.4.46-proxy-ws-idle-timeout.patch +++ b/httpd-2.4.48-proxy-ws-idle-timeout.patch @@ -1,25 +1,20 @@ diff --git a/docs/manual/mod/mod_proxy_wstunnel.html.en b/docs/manual/mod/mod_proxy_wstunnel.html.en -index 7506ccb..8867578 100644 +index 9f2c120..61ff7de 100644 --- a/docs/manual/mod/mod_proxy_wstunnel.html.en +++ b/docs/manual/mod/mod_proxy_wstunnel.html.en -@@ -60,14 +60,33 @@ NONE means you bypass the check for the header but still upgrade to WebSocket. - ANY means that Upgrade will read in the request headers and use - in the response Upgrade

- --
Support Apache!

Directives

--

This module provides no -- directives.

-+

Directives

-+

Bugfix checklist

See also

+@@ -108,6 +109,23 @@ in the response Upgrade

+ WebSocket requests as in httpd 2.4.46 and earlier.

-+
top
+
++ +

ProxyWebsocketIdleTimeout Directive

+ + @@ -40,21 +35,18 @@ index 7506ccb..8867578 100644

Available Languages:  en  | diff --git a/modules/proxy/mod_proxy_wstunnel.c b/modules/proxy/mod_proxy_wstunnel.c -index fb53fe6..73da758 100644 +index bcbba42..c29ded1 100644 --- a/modules/proxy/mod_proxy_wstunnel.c +++ b/modules/proxy/mod_proxy_wstunnel.c -@@ -18,6 +18,10 @@ - - module AP_MODULE_DECLARE_DATA proxy_wstunnel_module; - -+typedef struct { +@@ -22,6 +22,7 @@ module AP_MODULE_DECLARE_DATA proxy_wstunnel_module; + typedef struct { + unsigned int fallback_to_proxy_http :1, + fallback_to_proxy_http_set :1; + apr_time_t idle_timeout; -+} proxyws_dir_conf; -+ - /* - * Canonicalise http-like URLs. - * scheme is the scheme for the URL -@@ -111,6 +115,8 @@ static int proxy_wstunnel_request(apr_pool_t *p, request_rec *r, + } proxyws_dir_conf; + + static int can_fallback_to_proxy_http; +@@ -152,6 +153,8 @@ static int proxy_wstunnel_request(apr_pool_t *p, request_rec *r, conn_rec *c = r->connection; apr_socket_t *sock = conn->sock; conn_rec *backconn = conn->connection; @@ -63,7 +55,7 @@ index fb53fe6..73da758 100644 char *buf; apr_bucket_brigade *header_brigade; apr_bucket *e; -@@ -188,10 +194,13 @@ static int proxy_wstunnel_request(apr_pool_t *p, request_rec *r, +@@ -229,10 +232,13 @@ static int proxy_wstunnel_request(apr_pool_t *p, request_rec *r, c->keepalive = AP_CONN_CLOSE; do { /* Loop until done (one side closes the connection, or an error) */ @@ -78,7 +70,7 @@ index fb53fe6..73da758 100644 } ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, APLOGNO(02444) "error apr_poll()"); return HTTP_INTERNAL_SERVER_ERROR; -@@ -366,6 +375,38 @@ cleanup: +@@ -418,11 +424,26 @@ cleanup: return status; } @@ -96,37 +88,22 @@ index fb53fe6..73da758 100644 + return NULL; +} + -+static void *create_proxyws_dir_config(apr_pool_t *p, char *dummy) -+{ -+ proxyws_dir_conf *new = -+ (proxyws_dir_conf *) apr_pcalloc(p, sizeof(proxyws_dir_conf)); -+ + static void *create_proxyws_dir_config(apr_pool_t *p, char *dummy) + { + proxyws_dir_conf *new = + (proxyws_dir_conf *) apr_pcalloc(p, sizeof(proxyws_dir_conf)); + + new->idle_timeout = -1; /* no timeout */ -+ -+ return (void *) new; -+} -+ -+static const command_rec ws_proxy_cmds[] = -+{ + new->fallback_to_proxy_http = 1; + + return (void *) new; +@@ -465,7 +486,8 @@ static const command_rec ws_proxy_cmds[] = + proxyws_fallback_to_proxy_http, NULL, RSRC_CONF|ACCESS_CONF, + "whether to let mod_proxy_http handle the upgrade and tunneling, " + "On by default"), +- + AP_INIT_TAKE1("ProxyWebsocketIdleTimeout", proxyws_set_idle, NULL, RSRC_CONF|ACCESS_CONF, + "timeout for activity in either direction, unlimited by default."), -+ -+ {NULL} -+}; -+ - static void ap_proxy_http_register_hook(apr_pool_t *p) - { - proxy_hook_scheme_handler(proxy_wstunnel_handler, NULL, NULL, APR_HOOK_FIRST); -@@ -374,10 +415,10 @@ static void ap_proxy_http_register_hook(apr_pool_t *p) - - AP_DECLARE_MODULE(proxy_wstunnel) = { - STANDARD20_MODULE_STUFF, -- NULL, /* create per-directory config structure */ -+ create_proxyws_dir_config, /* create per-directory config structure */ - NULL, /* merge per-directory config structures */ - NULL, /* create per-server config structure */ - NULL, /* merge per-server config structures */ -- NULL, /* command apr_table_t */ -+ ws_proxy_cmds, /* command apr_table_t */ - ap_proxy_http_register_hook /* register hooks */ + {NULL} }; + diff --git a/httpd-2.4.43-r1842929+.patch b/httpd-2.4.48-r1842929+.patch similarity index 91% rename from httpd-2.4.43-r1842929+.patch rename to httpd-2.4.48-r1842929+.patch index b926195..f83a21d 100644 --- a/httpd-2.4.43-r1842929+.patch +++ b/httpd-2.4.48-r1842929+.patch @@ -1,8 +1,8 @@ diff --git a/Makefile.in b/Makefile.in -index 06b8c5a..9eeb5c7 100644 +index 6747aea..40c7076 100644 --- a/Makefile.in +++ b/Makefile.in -@@ -213,6 +213,7 @@ install-cgi: +@@ -233,6 +233,7 @@ install-cgi: install-other: @test -d $(DESTDIR)$(logfiledir) || $(MKINSTALLDIRS) $(DESTDIR)$(logfiledir) @test -d $(DESTDIR)$(runtimedir) || $(MKINSTALLDIRS) $(DESTDIR)$(runtimedir) @@ -11,7 +11,7 @@ index 06b8c5a..9eeb5c7 100644 file=apachecore.$$ext; \ if test -f $$file; then \ diff --git a/acinclude.m4 b/acinclude.m4 -index 95232f5..5d9d669 100644 +index b6ef442..98f1441 100644 --- a/acinclude.m4 +++ b/acinclude.m4 @@ -45,6 +45,7 @@ AC_DEFUN([APACHE_GEN_CONFIG_VARS],[ @@ -22,7 +22,7 @@ index 95232f5..5d9d669 100644 APACHE_SUBST(other_targets) APACHE_SUBST(progname) APACHE_SUBST(prefix) -@@ -688,6 +689,7 @@ AC_DEFUN([APACHE_EXPORT_ARGUMENTS],[ +@@ -665,6 +666,7 @@ AC_DEFUN([APACHE_EXPORT_ARGUMENTS],[ APACHE_SUBST_EXPANDED_ARG(runtimedir) APACHE_SUBST_EXPANDED_ARG(logfiledir) APACHE_SUBST_EXPANDED_ARG(proxycachedir) @@ -31,7 +31,7 @@ index 95232f5..5d9d669 100644 dnl diff --git a/configure.in b/configure.in -index a63eada..c8f9aa2 100644 +index 37346b2..f303784 100644 --- a/configure.in +++ b/configure.in @@ -41,7 +41,7 @@ dnl Something seems broken here. @@ -56,7 +56,7 @@ index 2b4a70c..e076f41 100644 #endif /* AP_CONFIG_LAYOUT_H */ diff --git a/include/http_config.h b/include/http_config.h -index f9c2d77..c229bc9 100644 +index 77657ae..384a90f 100644 --- a/include/http_config.h +++ b/include/http_config.h @@ -757,6 +757,14 @@ AP_DECLARE(char *) ap_server_root_relative(apr_pool_t *p, const char *fname); @@ -124,10 +124,10 @@ index addfd7e..2389f8f 100644 APR_HOOK_MIDDLE); dav_hook_find_liveprop(dav_fs_find_liveprop, NULL, NULL, APR_HOOK_MIDDLE); diff --git a/server/core.c b/server/core.c -index 3db9d61..79b2a82 100644 +index d135764..c2176b9 100644 --- a/server/core.c +++ b/server/core.c -@@ -129,6 +129,8 @@ AP_DECLARE_DATA int ap_main_state = AP_SQ_MS_INITIAL_STARTUP; +@@ -142,6 +142,8 @@ AP_DECLARE_DATA int ap_main_state = AP_SQ_MS_INITIAL_STARTUP; AP_DECLARE_DATA int ap_run_mode = AP_SQ_RM_UNKNOWN; AP_DECLARE_DATA int ap_config_generation = 0; @@ -136,7 +136,7 @@ index 3db9d61..79b2a82 100644 static void *create_core_dir_config(apr_pool_t *a, char *dir) { core_dir_config *conf; -@@ -1409,12 +1411,15 @@ AP_DECLARE(const char *) ap_resolve_env(apr_pool_t *p, const char * word) +@@ -1444,13 +1446,16 @@ AP_DECLARE(const char *) ap_resolve_env(apr_pool_t *p, const char * word) return res_buf; } @@ -147,6 +147,7 @@ index 3db9d61..79b2a82 100644 ap_server_config_defines = saved_server_config_defines; saved_server_config_defines = NULL; server_config_defined_vars = NULL; + ap_runtime_dir = NULL; - return OK; + core_state_dir = NULL; + @@ -154,7 +155,7 @@ index 3db9d61..79b2a82 100644 } /* -@@ -3120,6 +3125,24 @@ static const char *set_runtime_dir(cmd_parms *cmd, void *dummy, const char *arg) +@@ -3220,6 +3225,24 @@ static const char *set_runtime_dir(cmd_parms *cmd, void *dummy, const char *arg) return NULL; } @@ -179,7 +180,7 @@ index 3db9d61..79b2a82 100644 static const char *set_timeout(cmd_parms *cmd, void *dummy, const char *arg) { const char *err = ap_check_cmd_context(cmd, NOT_IN_DIR_CONTEXT); -@@ -4414,6 +4437,8 @@ AP_INIT_TAKE1("ServerRoot", set_server_root, NULL, RSRC_CONF | EXEC_ON_READ, +@@ -4521,6 +4544,8 @@ AP_INIT_TAKE1("ServerRoot", set_server_root, NULL, RSRC_CONF | EXEC_ON_READ, "Common directory of server-related files (logs, confs, etc.)"), AP_INIT_TAKE1("DefaultRuntimeDir", set_runtime_dir, NULL, RSRC_CONF | EXEC_ON_READ, "Common directory for run-time files (shared memory, locks, etc.)"), @@ -188,7 +189,7 @@ index 3db9d61..79b2a82 100644 AP_INIT_TAKE1("ErrorLog", set_server_string_slot, (void *)APR_OFFSETOF(server_rec, error_fname), RSRC_CONF, "The filename of the error log"), -@@ -4941,8 +4966,7 @@ static int core_pre_config(apr_pool_t *pconf, apr_pool_t *plog, apr_pool_t *ptem +@@ -5055,8 +5080,7 @@ static int core_pre_config(apr_pool_t *pconf, apr_pool_t *plog, apr_pool_t *ptem if (!saved_server_config_defines) init_config_defines(pconf); @@ -198,7 +199,7 @@ index 3db9d61..79b2a82 100644 ap_regcomp_set_default_cflags(AP_REG_DEFAULT); -@@ -5170,6 +5194,27 @@ AP_DECLARE(int) ap_state_query(int query) +@@ -5303,6 +5327,27 @@ AP_DECLARE(int) ap_state_query(int query) } } diff --git a/httpd.spec b/httpd.spec index 1713f77..e45e680 100644 --- a/httpd.spec +++ b/httpd.spec @@ -12,8 +12,8 @@ Summary: Apache HTTP Server Name: httpd -Version: 2.4.46 -Release: 15%{?dist} +Version: 2.4.48 +Release: 1%{?dist} URL: https://httpd.apache.org/ Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2 Source1: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2.asc @@ -68,9 +68,9 @@ Patch3: httpd-2.4.43-deplibs.patch # Needed for socket activation and mod_systemd patch Patch19: httpd-2.4.43-detect-systemd.patch # Features/functional changes -Patch21: httpd-2.4.43-r1842929+.patch +Patch21: httpd-2.4.48-r1842929+.patch Patch22: httpd-2.4.43-mod_systemd.patch -Patch23: httpd-2.4.43-export.patch +Patch23: httpd-2.4.48-export.patch Patch24: httpd-2.4.43-corelimit.patch Patch25: httpd-2.4.43-selinux.patch Patch26: httpd-2.4.43-gettid.patch @@ -83,10 +83,8 @@ Patch39: httpd-2.4.43-sslprotdefault.patch Patch40: httpd-2.4.43-r1861269.patch Patch41: httpd-2.4.43-r1861793+.patch Patch42: httpd-2.4.43-r1828172+.patch -Patch43: httpd-2.4.43-sslcoalesce.patch -Patch44: httpd-2.4.46-lua-resume.patch Patch45: httpd-2.4.43-logjournal.patch -Patch46: httpd-2.4.46-proxy-ws-idle-timeout.patch +Patch46: httpd-2.4.48-proxy-ws-idle-timeout.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1949969 Patch47: httpd-2.4.43-pr37355.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1949606 @@ -96,7 +94,6 @@ Patch48: httpd-2.4.46-freebind.patch # Bug fixes # https://bugzilla.redhat.com/show_bug.cgi?id=1397243 Patch60: httpd-2.4.43-enable-sslv3.patch -Patch62: httpd-2.4.43-r1870095+.patch Patch63: httpd-2.4.46-htcacheclean-dont-break.patch # Security fixes @@ -242,15 +239,12 @@ written in the Lua programming language. %patch40 -p1 -b .r1861269 %patch41 -p1 -b .r1861793+ %patch42 -p1 -b .r1828172+ -%patch43 -p1 -b .sslcoalesce -%patch44 -p1 -b .luaresume %patch45 -p1 -b .logjournal %patch46 -p1 -b .proxy-ws-idle-timeout %patch47 -p1 -b .pr37355 %patch48 -p1 -b .freebind %patch60 -p1 -b .enable-sslv3 -%patch62 -p1 -b .r1870095 %patch63 -p1 -b .htcacheclean-dont-break # Patch in the vendor string @@ -793,6 +787,10 @@ exit $rv %{_rpmconfigdir}/macros.d/macros.httpd %changelog +* Wed Jun 02 2021 Luboš Uhliarik - 2.4.48-1 +- new version 2.4.48 +- Resolves: #1952817 - rebase to 2.4.48 + * Wed May 26 2021 Luboš Uhliarik - 2.4.46-15 - Resolves: #1949606 - RFE: httpd, add IP_FREEBIND support for Listen diff --git a/sources b/sources index 1212cee..5e6cb0c 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (httpd-2.4.46.tar.bz2) = 5936784bb662e9d8a4f7fe38b70c043b468114d931cd10ea831bfe74461ea5856b64f88f42c567ab791fc8907640a99884ba4b6a600f86d661781812735b6f13 -SHA512 (httpd-2.4.46.tar.bz2.asc) = 1f54c20d1aeedb7c745eb72acd79e1ed61d547b22c3dbe53cd3274ed3d897543cd8c49181d4b15d79c12755746cf0a2464d620f69e254ac3f998760133094df0 +SHA512 (httpd-2.4.48.tar.bz2) = 6c250626f1e7d10428a92d984fd48ff841effcc8705f7816ab71b681bbd51d0012ad158dcd13763fe7d630311f2de258b27574603140d648be42796ab8326724 +SHA512 (httpd-2.4.48.tar.bz2.asc) = 9f125de75107b04dd01f71e9e233b1602658b49e38371931b98dc1092be8df05cf7243b5564fa2f56f46544bef61a54a721dee5ca17ce823a2302a7c3698a195 SHA512 (KEYS) = 7ab66c64eaa4a152e88a913993c8ea0d9c46fd5865788e7b32a9619784d245cef8bddd9700368e3d63ce88ed94df8933e5892878523dc0fce697331136bb829e

Description:Sets the maximum amount of time to wait for data on the websockets tunnel