rpms/httpd
6
0
Fork 0
Code Issues Pull Requests Releases Activity

import CS httpd-2.4.62-4.el9

Browse Source
This commit is contained in:
eabdullin 2025-03-11 07:27:08 +00:00
parent 072cea8e4f
commit 90fb9bb3bb
4 changed files with 355 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

64
SOURCES/httpd-2.4.62-engine-fallback.patch Normal file
View File

@ -0,0 +1,64 @@
Index: modules/ssl/ssl_engine_pphrase.c
===================================================================
--- modules/ssl/ssl_engine_pphrase.c (revision 1920590)
+++ modules/ssl/ssl_engine_pphrase.c (working copy)
@@ -806,6 +806,9 @@
return APR_SUCCESS;
}
+/* Tries to load the key and optionally certificate via the ENGINE
+ * API. Returns APR_ENOTIMPL if the keypair could not be loaded via an
+ * ENGINE implementation. */
static apr_status_t modssl_load_keypair_engine(server_rec *s, apr_pool_t *pconf,
apr_pool_t *ptemp,
const char *vhostid,
@@ -831,7 +834,7 @@
ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(10131)
"Init: Unrecognized private key identifier `%s'",
keyid);
- return ssl_die(s);
+ return APR_ENOTIMPL;
}
scheme = apr_pstrmemdup(ptemp, keyid, c - keyid);
@@ -839,8 +842,8 @@
ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(10132)
"Init: Failed to load engine for private key %s",
keyid);
- ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
- return ssl_die(s);
+ ssl_log_ssl_error(SSLLOG_MARK, APLOG_NOTICE, s);
+ return APR_ENOTIMPL;
}
if (!ENGINE_init(e)) {
@@ -996,15 +999,21 @@
X509 **pubkey, EVP_PKEY **privkey)
{
#if MODSSL_HAVE_ENGINE_API
- SSLModConfigRec *mc = myModConfig(s);
+ apr_status_t rv;
- /* For OpenSSL 3.x, use the STORE-based API if either ENGINE
- * support was not present compile-time, or if it's built but
- * SSLCryptoDevice is not configured. */
- if (mc->szCryptoDevice)
- return modssl_load_keypair_engine(s, pconf, ptemp,
- vhostid, certid, keyid,
- pubkey, privkey);
+ rv = modssl_load_keypair_engine(s, pconf, ptemp,
+ vhostid, certid, keyid,
+ pubkey, privkey);
+ if (rv == APR_SUCCESS) {
+ return rv;
+ }
+ /* If STORE support is not present, all errors are fatal here; if
+ * STORE is present and the ENGINE could not be loaded, ignore the
+ * error and fall through to try loading via the STORE API. */
+ else if (!MODSSL_HAVE_OPENSSL_STORE || rv != APR_ENOTIMPL) {
+ return ssl_die(s);
+ }
+
#endif
#if MODSSL_HAVE_OPENSSL_STORE
return modssl_load_keypair_store(s, ptemp, vhostid, certid, keyid,

133
SOURCES/httpd-2.4.62-r1921299.patch Normal file
View File

@ -0,0 +1,133 @@
diff --git a/modules/mappers/mod_rewrite.c b/modules/mappers/mod_rewrite.c
index 53fb1e9..f735c50 100644
--- a/modules/mappers/mod_rewrite.c
+++ b/modules/mappers/mod_rewrite.c
@@ -4477,20 +4477,6 @@ static rule_return_type apply_rewrite_rule(rewriterule_entry *p,
* ourself).
*/
if (p->flags & RULEFLAG_PROXY) {
- /* For rules evaluated in server context, the mod_proxy fixup
- * hook can be relied upon to escape the URI as and when
- * necessary, since it occurs later. If in directory context,
- * the ordering of the fixup hooks is forced such that
- * mod_proxy comes first, so the URI must be escaped here
- * instead. See PR 39746, 46428, and other headaches. */
- if (ctx->perdir && (p->flags & RULEFLAG_NOESCAPE) == 0) {
- char *old_filename = r->filename;
-
- r->filename = ap_escape_uri(r->pool, r->filename);
- rewritelog((r, 2, ctx->perdir, "escaped URI in per-dir context "
- "for proxy, %s -> %s", old_filename, r->filename));
- }
-
fully_qualify_uri(r);
rewritelog((r, 2, ctx->perdir, "forcing proxy-throughput with %s",
@@ -5013,7 +4999,7 @@ static int hook_uri2file(request_rec *r)
}
if ((r->args != NULL)
&& ((r->proxyreq == PROXYREQ_PROXY)
- || (rulestatus == ACTION_NOESCAPE))) {
+ || apr_table_get(r->notes, "proxy-nocanon"))) {
/* see proxy_http:proxy_http_canon() */
r->filename = apr_pstrcat(r->pool, r->filename,
"?", r->args, NULL);
@@ -5304,13 +5290,28 @@ static int hook_fixup(request_rec *r)
if (to_proxyreq) {
/* it should go on as an internal proxy request */
- /* make sure the QUERY_STRING and
- * PATH_INFO parts get incorporated
+ /* check if the proxy module is enabled, so
+ * we can actually use it!
+ */
+ if (!proxy_available) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10160)
+ "attempt to make remote request from mod_rewrite "
+ "without proxy enabled: %s", r->filename);
+ return HTTP_FORBIDDEN;
+ }
+
+ if (rulestatus == ACTION_NOESCAPE) {
+ apr_table_setn(r->notes, "proxy-nocanon", "1");
+ }
+
+ /* make sure the QUERY_STRING gets incorporated in the case
+ * [NE] was specified on the Proxy rule. We are preventing
+ * mod_proxy canon handler from incorporating r->args as well
+ * as escaping the URL.
* (r->path_info was already appended by the
* rewriting engine because of the per-dir context!)
*/
- if (r->args != NULL) {
- /* see proxy_http:proxy_http_canon() */
+ if ((r->args != NULL) && apr_table_get(r->notes, "proxy-nocanon")) {
r->filename = apr_pstrcat(r->pool, r->filename,
"?", r->args, NULL);
}
@@ -5610,10 +5611,7 @@ static void ap_register_rewrite_mapfunc(char *name, rewrite_mapfunc_t *func)
static void register_hooks(apr_pool_t *p)
{
- /* fixup after mod_proxy, so that the proxied url will not
- * escaped accidentally by mod_proxy's fixup.
- */
- static const char * const aszPre[]={ "mod_proxy.c", NULL };
+ static const char * const aszModProxy[] = { "mod_proxy.c", NULL };
/* make the hashtable before registering the function, so that
* other modules are prevented from accessing uninitialized memory.
@@ -5625,10 +5623,12 @@ static void register_hooks(apr_pool_t *p)
ap_hook_pre_config(pre_config, NULL, NULL, APR_HOOK_MIDDLE);
ap_hook_post_config(post_config, NULL, NULL, APR_HOOK_MIDDLE);
ap_hook_child_init(init_child, NULL, NULL, APR_HOOK_MIDDLE);
-
- ap_hook_fixups(hook_fixup, aszPre, NULL, APR_HOOK_FIRST);
+
+ /* allow to change the uri before mod_proxy takes over it */
+ ap_hook_translate_name(hook_uri2file, NULL, aszModProxy, APR_HOOK_FIRST);
+ /* fixup before mod_proxy so that a [P] URL gets fixed up there */
+ ap_hook_fixups(hook_fixup, NULL, aszModProxy, APR_HOOK_FIRST);
ap_hook_fixups(hook_mimetype, NULL, NULL, APR_HOOK_LAST);
- ap_hook_translate_name(hook_uri2file, NULL, NULL, APR_HOOK_FIRST);
}
/* the main config structure */
diff --git a/modules/proxy/mod_proxy.c b/modules/proxy/mod_proxy.c
index 8f13e68..bd0aa68 100644
--- a/modules/proxy/mod_proxy.c
+++ b/modules/proxy/mod_proxy.c
@@ -3344,27 +3344,26 @@ static int proxy_pre_config(apr_pool_t *pconf, apr_pool_t *plog,
}
static void register_hooks(apr_pool_t *p)
{
- /* fixup before mod_rewrite, so that the proxied url will not
- * escaped accidentally by our fixup.
- */
- static const char * const aszSucc[] = { "mod_rewrite.c", NULL};
/* Only the mpm_winnt has child init hook handler.
* make sure that we are called after the mpm
* initializes.
*/
static const char *const aszPred[] = { "mpm_winnt.c", "mod_proxy_balancer.c",
"mod_proxy_hcheck.c", NULL};
+ static const char * const aszModRewrite[] = { "mod_rewrite.c", NULL };
+
/* handler */
ap_hook_handler(proxy_handler, NULL, NULL, APR_HOOK_FIRST);
/* filename-to-URI translation */
ap_hook_pre_translate_name(proxy_pre_translate_name, NULL, NULL,
APR_HOOK_MIDDLE);
- ap_hook_translate_name(proxy_translate_name, aszSucc, NULL,
+ /* mod_rewrite has a say on the uri before proxy translation */
+ ap_hook_translate_name(proxy_translate_name, aszModRewrite, NULL,
APR_HOOK_FIRST);
/* walk <Proxy > entries and suppress default TRACE behavior */
ap_hook_map_to_storage(proxy_map_location, NULL,NULL, APR_HOOK_FIRST);
- /* fixups */
- ap_hook_fixups(proxy_fixup, NULL, aszSucc, APR_HOOK_FIRST);
+ /* fixup after mod_rewrite so that a [P] URL from there gets fixed up */
+ ap_hook_fixups(proxy_fixup, aszModRewrite, NULL, APR_HOOK_FIRST);
/* post read_request handling */
ap_hook_post_read_request(proxy_detect, NULL, NULL, APR_HOOK_FIRST);
/* pre config handling */

136
SOURCES/httpd-2.4.62-r1922080.patch Normal file
View File

@ -0,0 +1,136 @@
From 2aa446f5b08a10c37e952daf96d0c80d3460873a Mon Sep 17 00:00:00 2001
From: Eric Covener <covener@apache.org>
Date: Mon, 25 Nov 2024 13:32:44 +0000
Subject: [PATCH] Merge r1919620, r1919621, r1919623, r1919628, r1921237 from
trunk:
mod_proxy_fcgi: Don't re-encode SCRIPT_FILENAME. PR 69203
Before r1918550 (r1918559 in 2.4.60), "SetHandler proxy:..." configurations
did not pass through proxy_fixup() hence the proxy_canon_handler hooks, leaving
fcgi's SCRIPT_FILENAME environment variable (from r->filename) decoded, or more
exactly not re-encoded.
We still want to call ap_proxy_canon_url() for "fcgi:" to handle/strip the UDS
"unix:" case and check that r->filename is valid and contains no controls, but
proxy_fcgi_canon() will not ap_proxy_canonenc_ex() thus re-encode anymore.
Note that this will do the same for "ProxyPass fcgi:...", there is no reason
that using SetHandler or ProxyPass don't result in the same thing. If an opt
in/out makes sense we should probably look at ProxyFCGIBackendType.
Follow up to r1919620: CHANGES entry indent.
Follow up to r1919620: init path after "proxy:" is skipped.
Follow up to r1919620: Restore r->filename re-encoding for ProxyPass URLs.
mod_proxy_fgci: Follow up to r1919628: Simplify.
Variable from_handler is used once so axe it.
Submitted by: ylavic
Reviewed by: ylavic, covener, jorton
Github: closes #470
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1922080 13f79535-47bb-0310-9956-ffa450edef68
---
CHANGES | 3 +++
changes-entries/bz69203.txt | 2 ++
modules/proxy/mod_proxy.c | 2 ++
modules/proxy/mod_proxy_fcgi.c | 37 +++++++++++++++++++++++-----------
4 files changed, 32 insertions(+), 12 deletions(-)
create mode 100644 changes-entries/bz69203.txt
diff --git a/modules/proxy/mod_proxy.c b/modules/proxy/mod_proxy.c
index ab29c321df8..4047d58f2aa 100644
--- a/modules/proxy/mod_proxy.c
+++ b/modules/proxy/mod_proxy.c
@@ -1240,6 +1240,7 @@ static int proxy_handler(request_rec *r)
r->proxyreq = PROXYREQ_REVERSE;
r->filename = apr_pstrcat(r->pool, r->handler, r->filename, NULL);
+ apr_table_setn(r->notes, "proxy-sethandler", "1");
/* Still need to canonicalize r->filename */
rc = ap_proxy_canon_url(r);
@@ -1249,6 +1250,7 @@ static int proxy_handler(request_rec *r)
}
}
else if (r->proxyreq && strncmp(r->filename, "proxy:", 6) == 0) {
+ apr_table_unset(r->notes, "proxy-sethandler");
rc = OK;
}
if (rc != OK) {
diff --git a/modules/proxy/mod_proxy_fcgi.c b/modules/proxy/mod_proxy_fcgi.c
index d420df6a77a..50f443e50d9 100644
--- a/modules/proxy/mod_proxy_fcgi.c
+++ b/modules/proxy/mod_proxy_fcgi.c
@@ -63,6 +63,8 @@ static int proxy_fcgi_canon(request_rec *r, char *url)
apr_port_t port, def_port;
fcgi_req_config_t *rconf = NULL;
const char *pathinfo_type = NULL;
+ fcgi_dirconf_t *dconf = ap_get_module_config(r->per_dir_config,
+ &proxy_fcgi_module);
if (ap_cstr_casecmpn(url, "fcgi:", 5) == 0) {
url += 5;
@@ -92,9 +94,30 @@ static int proxy_fcgi_canon(request_rec *r, char *url)
host = apr_pstrcat(r->pool, "[", host, "]", NULL);
}
- if (apr_table_get(r->notes, "proxy-nocanon")
+ if (apr_table_get(r->notes, "proxy-sethandler")
+ || apr_table_get(r->notes, "proxy-nocanon")
|| apr_table_get(r->notes, "proxy-noencode")) {
- path = url; /* this is the raw/encoded path */
+ char *c = url;
+
+ /* We do not call ap_proxy_canonenc_ex() on the path here, don't
+ * let control characters pass still, and for php-fpm no '?' either.
+ */
+ if (FCGI_MAY_BE_FPM(dconf)) {
+ while (!apr_iscntrl(*c) && *c != '?')
+ c++;
+ }
+ else {
+ while (!apr_iscntrl(*c))
+ c++;
+ }
+ if (*c) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10414)
+ "To be forwarded path contains control characters%s (%s)",
+ FCGI_MAY_BE_FPM(dconf) ? " or '?'" : "", url);
+ return HTTP_FORBIDDEN;
+ }
+
+ path = url; /* this is the raw path */
}
else {
core_dir_config *d = ap_get_core_module_config(r->per_dir_config);
@@ -106,16 +129,6 @@ static int proxy_fcgi_canon(request_rec *r, char *url)
return HTTP_BAD_REQUEST;
}
}
- /*
- * If we have a raw control character or a ' ' in nocanon path,
- * correct encoding was missed.
- */
- if (path == url && *ap_scan_vchar_obstext(path)) {
- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10414)
- "To be forwarded path contains control "
- "characters or spaces");
- return HTTP_FORBIDDEN;
- }
r->filename = apr_pstrcat(r->pool, "proxy:fcgi://", host, sport, "/",
path, NULL);

23
SPECS/httpd.spec
View File

@ -13,7 +13,7 @@
Summary: Apache HTTP Server
Name: httpd
Version: 2.4.62
Release: 1%{?dist}
Release: 4%{?dist}
URL: https://httpd.apache.org/
Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
Source1: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2.asc
@ -96,6 +96,12 @@ Patch100: httpd-2.4.43-enable-sslv3.patch
Patch101: httpd-2.4.48-full-release.patch
# https://bz.apache.org/bugzilla/show_bug.cgi?id=69197
Patch102: httpd-2.4.62-r1919325.patch
# https://issues.redhat.com/browse/RHEL-36755
Patch103: httpd-2.4.62-engine-fallback.patch
# https://issues.redhat.com/browse/RHEL-68660
Patch104: httpd-2.4.62-r1921299.patch
# https://issues.redhat.com/browse/RHEL-66488
Patch105: httpd-2.4.62-r1922080.patch
# Security fixes
# https://bugzilla.redhat.com/show_bug.cgi?id=...
@ -258,6 +264,9 @@ written in the Lua programming language.
%patch100 -p1 -b .enable-sslv3
%patch101 -p1 -b .full-release
%patch102 -p1 -b .r1919325
%patch103 -p0 -b .engine-fallback
%patch104 -p1 -b .r1921299
%patch105 -p1 -b .r1922080
# Patch in the vendor string
sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h
@ -819,6 +828,18 @@ exit $rv
%{_rpmconfigdir}/macros.d/macros.httpd
%changelog
* Wed Jan 29 2025 Luboš Uhliarik <luhliari@redhat.com> - 2.4.62-4
- Resolves: RHEL-66488 - Apache HTTPD no longer parse PHP files with unicode
characters in the name
* Thu Jan 09 2025 Luboš Uhliarik <luhliari@redhat.com> - 2.4.62-3
- Resolves: RHEL-68660 - RewriteRule proxying to UDS (unix domain socket)
configured in .htaccess doesn't work on httpd-2.4.62-1
* Thu Sep 12 2024 Joe Orton <jorton@redhat.com> - 2.4.62-2
- mod_ssl: fix loading keys via ENGINE API
Resolves: RHEL-36755
* Sat Aug 03 2024 Luboš Uhliarik <luhliari@redhat.com> - 2.4.62-1
- new version 2.4.62
- Resolves: RHEL-52724 - Regression introduced by CVE-2024-38474 fix