mod_dav: add DavBasePath Resolves: RHEL-6600

Resolves: RHEL-17686

.httpd.metadata

@@ -0,0 +1,3 @@
+01044512374941fad939ec4b1537428cc7edc769 httpd-2.4.57.tar.bz2
+5cac6152cf2f175cc35ca0cf9d00b797c949b273 httpd-2.4.57.tar.bz2.asc
+b2457e3ce46a7634bf9272a92b4214974b9bc9e0 KEYS

httpd-2.4.57-r1884505+.patch

@@ -0,0 +1,39 @@
+# ./pullrev.sh 1884505 1915625
+http://svn.apache.org/viewvc?view=revision&revision=1884505
+http://svn.apache.org/viewvc?view=revision&revision=1915625
+
+--- httpd-2.4.57/modules/filters/mod_xml2enc.c
++++ httpd-2.4.57/modules/filters/mod_xml2enc.c
+@@ -329,7 +329,7 @@
+     apr_bucket* bstart;
+     apr_size_t insz = 0;
+     int pending_meta = 0;
+-    char *ctype;
++    char *mtype;
+     char *p;
+ 
+     if (!ctx || !f->r->content_type) {
+@@ -338,13 +338,17 @@
+         return ap_pass_brigade(f->next, bb) ;
+     }
+ 
+-    ctype = apr_pstrdup(f->r->pool, f->r->content_type);
+-    for (p = ctype; *p; ++p)
+-        if (isupper(*p))
+-            *p = tolower(*p);
++    /* Extract the media type, ignoring parameters in content-type. */
++    mtype = apr_pstrdup(f->r->pool, f->r->content_type);
++    if ((p = ap_strchr(mtype, ';')) != NULL) *p = '\0';
++    ap_str_tolower(mtype);
+ 
+-    /* only act if starts-with "text/" or contains "xml" */
+-    if (strncmp(ctype, "text/", 5) && !strstr(ctype, "xml"))  {
++    /* Accept text/ types, plus any XML media type per RFC 7303. */
++    if (!(strncmp(mtype, "text/", 5) == 0
++          || strcmp(mtype, "application/xml") == 0
++          || (strlen(mtype) > 7 /* minimum 'a/b+xml' length */
++              && (p = strstr(mtype, "+xml")) != NULL
++              && strlen(p) == 4 /* ensures +xml is a suffix */))) {
+         ap_remove_output_filter(f);
+         return ap_pass_brigade(f->next, bb) ;
+     }

httpd-2.4.57-r1912081.patch

@@ -0,0 +1,91 @@
+# ./pullrev.sh 1912081
+http://svn.apache.org/viewvc?view=revision&revision=1912081
+
+Upstream-Status: merged in 2.4.58
+
+--- httpd-2.4.57/modules/dav/main/mod_dav.c
++++ httpd-2.4.57/modules/dav/main/mod_dav.c
+@@ -81,6 +81,7 @@
+     const char *provider_name;
+     const dav_provider *provider;
+     const char *dir;
++    const char *base;
+     int locktimeout;
+     int allow_depthinfinity;
+     int allow_lockdiscovery;
+@@ -196,6 +197,7 @@
+ 
+     newconf->locktimeout = DAV_INHERIT_VALUE(parent, child, locktimeout);
+     newconf->dir = DAV_INHERIT_VALUE(parent, child, dir);
++    newconf->base = DAV_INHERIT_VALUE(parent, child, base);
+     newconf->allow_depthinfinity = DAV_INHERIT_VALUE(parent, child,
+                                                      allow_depthinfinity);
+     newconf->allow_lockdiscovery = DAV_INHERIT_VALUE(parent, child,
+@@ -283,6 +285,18 @@
+ }
+ 
+ /*
++ * Command handler for the DAVBasePath directive, which is TAKE1
++ */
++static const char *dav_cmd_davbasepath(cmd_parms *cmd, void *config, const char *arg1)
++{
++    dav_dir_conf *conf = config;
++
++    conf->base = arg1;
++
++    return NULL;
++}
++
++/*
+  * Command handler for the DAVDepthInfinity directive, which is FLAG.
+  */
+ static const char *dav_cmd_davdepthinfinity(cmd_parms *cmd, void *config,
+@@ -748,7 +762,7 @@
+                                    int use_checked_in, dav_resource **res_p)
+ {
+     dav_dir_conf *conf;
+-    const char *label = NULL;
++    const char *label = NULL, *base;
+     dav_error *err;
+ 
+     /* if the request target can be overridden, get any target selector */
+@@ -765,11 +779,27 @@
+                              ap_escape_html(r->pool, r->uri)));
+     }
+ 
++    /* Take the repos root from DAVBasePath if configured, else the
++     * path of the enclosing section. */
++    base = conf->base ? conf->base : conf->dir;
++
+     /* resolve the resource */
+-    err = (*conf->provider->repos->get_resource)(r, conf->dir,
++    err = (*conf->provider->repos->get_resource)(r, base,
+                                                  label, use_checked_in,
+                                                  res_p);
+     if (err != NULL) {
++        /* In the error path, give a hint that DavBasePath needs to be
++         * used if the location was configured via a regex match. */
++        if (!conf->base) {
++            core_dir_config *cdc = ap_get_core_module_config(r->per_dir_config);
++
++            if (cdc->r) {
++                ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, APLOGNO(10484)
++                             "failed to find repository for location configured "
++                             "via regex match - missing DAVBasePath?");
++            }
++        }
++
+         err = dav_push_error(r->pool, err->status, 0,
+                              "Could not fetch resource information.", err);
+         return err;
+@@ -5164,6 +5194,10 @@
+     AP_INIT_TAKE1("DAV", dav_cmd_dav, NULL, ACCESS_CONF,
+                   "specify the DAV provider for a directory or location"),
+ 
++    /* per directory/location */
++    AP_INIT_TAKE1("DAVBasePath", dav_cmd_davbasepath, NULL, ACCESS_CONF,
++                  "specify the DAV repository base URL"),
++
+     /* per directory/location, or per server */
+     AP_INIT_TAKE1("DAVMinTimeout", dav_cmd_davmintimeout, NULL,
+                   ACCESS_CONF|RSRC_CONF,

httpd.spec

@@ -13,7 +13,7 @@
 Summary: Apache HTTP Server
 Name: httpd
 Version: 2.4.57
-Release: 7%{?dist}
+Release: 8%{?dist}
 URL: https://httpd.apache.org/
 Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
 Source1: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2.asc
@@ -96,6 +96,8 @@ Patch50: httpd-2.4.57-r1825120.patch
 Patch52: httpd-2.4.53-separate-systemd-fns.patch
 # https://issues.redhat.com/browse/RHEL-5071
 Patch53: httpd-2.4.57-r1912477+.patch
+# https://issues.redhat.com/browse/RHEL-6600
+Patch54: httpd-2.4.57-r1912081.patch
 
 
 # Bug fixes
@@ -118,7 +120,8 @@ Patch69: httpd-2.4.57-covscan.patch
 Patch70: httpd-2.4.57-mod_status-duplicate-key.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2217726
 Patch71: httpd-2.4.57-davenoent.patch
-
+# https://issues.redhat.com/browse/RHEL-17686
+Patch72: httpd-2.4.57-r1884505+.patch
 
 # Security fixes
 # https://bugzilla.redhat.com/show_bug.cgi?id=...
@@ -284,6 +287,7 @@ written in the Lua programming language.
 %patch50 -p1 -b .r1825120
 %patch52 -p1 -b .separatesystemd
 %patch53 -p1 -b .r1912477+
+%patch54 -p1 -b .r1912081
 
 %patch60 -p1 -b .enable-sslv3
 %patch61 -p1 -b .htcacheclean-dont-break
@@ -295,6 +299,7 @@ written in the Lua programming language.
 %patch69 -p1 -b .covstan
 %patch70 -p1 -b .duplicate-key
 %patch71 -p1 -b .davenoent
+%patch72 -p1 -b .r1884505+
 
 %patch200 -p1 -b .CVE-2023-31122
 
@@ -857,6 +862,12 @@ exit $rv
 %{_rpmconfigdir}/macros.d/macros.httpd
 
 %changelog
+* Wed Feb  7 2024 Joe Orton <jorton@redhat.com> - 2.4.57-8
+- mod_xml2enc: fix media type handling
+  Resolves: RHEL-17686
+- mod_dav: add DavBasePath
+  Resolves: RHEL-6600
+
 * Mon Feb 05 2024 Luboš Uhliarik <luhliari@redhat.com> - 2.4.57-7
 - Resolves: RHEL-14447 - httpd: mod_macro: out-of-bounds read
   vulnerability (CVE-2023-31122)