change default value of HeartbeatMaxServers

fix setting and comparison of IPs fields
avoid overflow in case of indecently large session
make ap_escape_quotes() work correctly
fix lua_request with cast first
Handle children killed pathologically
q
chengyechun 2022-12-14 10:54:40 +08:00
parent 229651bf58
commit b981a203d9
9 changed files with 455 additions and 1 deletions

@ -0,0 +1,108 @@
From 5f33010a643ac7c67b7733484797d41366e328ecdb Mon Sep 17 00:00:00 2001
From: icing <icing@apache.org>
Date: Tue, 30 Aug 2022 14:47:19 +0800
Subject: [PATCH] Handle children killed pathologically
Conflict:NA
Reference:https://github.com/apache/httpd/commit/5f3010a643ac7c67b733484797d41366e328ecdb
---
server/mpm/event/event.c | 26 +++++++++++++++++++++++---
server/mpm/worker/worker.c | 26 +++++++++++++++++++++++---
2 files changed, 46 insertions(+), 6 deletions(-)
diff --git a/server/mpm/event/event.c b/server/mpm/event/event.c
index dddff35..5969c88 100644
--- a/server/mpm/event/event.c
+++ b/server/mpm/event/event.c
@@ -2983,6 +2983,7 @@ static void perform_idle_server_maintenance(int child_bucket, int num_buckets)
static void server_main_loop(int remaining_children_to_start, int num_buckets)
{
+ int successive_kills = 0;
int child_slot;
apr_exit_why_e exitwhy;
int status, processed_status;
@@ -3072,11 +3073,30 @@ static void server_main_loop(int remaining_children_to_start, int num_buckets)
/* Don't perform idle maintenance when a child dies,
* only do it when there's a timeout. Remember only a
* finite number of children can die, and it's pretty
- * pathological for a lot to die suddenly.
+ * pathological for a lot to die suddenly. If a child is
+ * killed by a signal (faulting) we want to restart it ASAP
+ * though, up to 3 successive faults or we stop this until
+ * a timeout happens again (to avoid the flood of fork()ed
+ * process that keep being killed early).
*/
- continue;
+ if (child_slot < 0 || !APR_PROC_CHECK_SIGNALED(exitwhy)) {
+ continue;
+ }
+ if (++successive_kills >= 3) {
+ if (successive_kills % 10 == 3) {
+ ap_log_error(APLOG_MARK, APLOG_WARNING, 0,
+ ap_server_conf, APLOGNO(10392)
+ "children are killed successively!");
+ }
+ continue;
+ }
+ ++remaining_children_to_start;
+ }
+ else {
+ successive_kills = 0;
}
- else if (remaining_children_to_start) {
+
+ if (remaining_children_to_start) {
/* we hit a 1 second timeout in which none of the previous
* generation of children needed to be reaped... so assume
* they're all done, and pick up the slack if any is left.
diff --git a/server/mpm/worker/worker.c b/server/mpm/worker/worker.c
index bd56f61..30d5aeb 100644
--- a/server/mpm/worker/worker.c
+++ b/server/mpm/worker/worker.c
@@ -1569,6 +1569,7 @@ static void perform_idle_server_maintenance(int child_bucket, int num_buckets)
static void server_main_loop(int remaining_children_to_start, int num_buckets)
{
+ int successive_kills = 0;
ap_generation_t old_gen;
int child_slot;
apr_exit_why_e exitwhy;
@@ -1663,11 +1664,30 @@ static void server_main_loop(int remaining_children_to_start, int num_buckets)
/* Don't perform idle maintenance when a child dies,
* only do it when there's a timeout. Remember only a
* finite number of children can die, and it's pretty
- * pathological for a lot to die suddenly.
+ * pathological for a lot to die suddenly. If a child is
+ * killed by a signal (faulting) we want to restart if ASAP
+ * though, up to 3 successive faults or we stop this until
+ * a timeout happens again (to avoid the flood of fork()ed
+ * processes that keep being killed early).
*/
- continue;
+ if (child_slot < 0 || !APR_PROC_CHECK_SIGNALED(exitwhy)) {
+ continue;
+ }
+ if (++successive_kills >= 3) {
+ if (successive_kills % 10 == 3) {
+ ap_log_error(APLOG_MARK, APLOG_WARNING, 0,
+ ap_server_conf, APLOGNO(10392)
+ "children are killed successively!");
+ }
+ continue;
+ }
+ ++remaining_children_to_start;
+ }
+ else {
+ successive_kills = 0;
}
- else if (remaining_children_to_start) {
+
+ if (remaining_children_to_start) {
/* we hit a 1 second timeout in which none of the previous
* generation of children needed to be reaped... so assume
* they're all done, and pick up the slack if any is left.
--
2.23.0
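Review bot: The commit id in this patch's `From` line is 42 hex characters and does not match the 40-character id in its own `Reference:` URL, so the header cannot be used to locate or verify the upstream change. The util_expr_eval.c patch (39 characters) and the util.c patch (38 characters) have the same mismatch against their Reference ids, which suggests the patch files were retyped rather than exported with `git format-patch`. In the code itself, both the event.c and worker.c hunks log with `APLOGNO(10392)`; httpd log tags are meant to be unique per call site, so the worker.c hunk should be compared against the referenced upstream commit. Regenerating these patches directly from the referenced commits would settle both questions.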

@ -0,0 +1,49 @@
From 0befd97dfe19e23921b4cc5412d6177f2cab6aac Mon Sep 17 00:00:00 2001
From: jimjag <jimjag@gmail.com>
Date: Tue May 17 18:14:29 2022 UTC
Subject: [PATCH] mod_session:Harden mod_session and avoid overflow of large session
Conflict:NA
Reference:https://github.com/apache/httpd/commit/0befd97dfe19e23921b4cc5412d6177f2cab6aac
---
modules/session/mod_session.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/modules/session/mod_session.c b/modules/session/mod_session.c
index ec4ac2e..fa8d406 100644
--- a/modules/session/mod_session.c
+++ b/modules/session/mod_session.c
@@ -317,7 +317,8 @@ static apr_status_t ap_session_set(request_rec * r, session_rec * z,
static int identity_count(void *v, const char *key, const char *val)
{
- int *count = v;
+ apr_size_t *count = v;
+
*count += strlen(key) * 3 + strlen(val) * 3 + 2;
return 1;
}
@@ -325,7 +326,8 @@ static int identity_count(void *v, const char *key, const char *val)
static int identity_concat(void *v, const char *key, const char *val)
{
char *slider = v;
- int length = strlen(slider);
+ apr_size_t length = strlen(slider);
+
slider += length;
if (length) {
*slider = '&';
@@ -355,7 +357,8 @@ static int identity_concat(void *v, const char *key, const char *val)
static apr_status_t session_identity_encode(request_rec * r, session_rec * z)
{
char *buffer = NULL;
- int length = 0;
+ apr_size_t length = 0;
+
if (z->expiry) {
char *expiry = apr_psprintf(z->pool, "%" APR_INT64_T_FMT, z->expiry);
apr_table_setn(z->entries, SESSION_EXPIRY, expiry);
--
2.23.0
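Review bot: `identity_count` now writes an `apr_size_t` through `v`, so every caller has to pass the address of an `apr_size_t`; one that still passed an `int *` would have memory beyond its variable overwritten on LP64 builds. The patch widens `length` in `session_identity_encode` to match, but the `apr_table_do()` call sites are outside these hunks, so confirm that function is the only user of the callback. A comment on the callback would make the contract explicit, e.g. `/* v points to an apr_size_t byte count; must match the caller's variable */`.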

@ -0,0 +1,62 @@
From 73ce13be5aa9ae541472bc6a8a2f7de8dd2db34 Mon Sep 17 00:00:00 2001
From: Christophe Jaillet <jailletc36@apache.org>
Date: Sat, 19 Feb 2022 13:47:02 UTC
Subject: [PATCH] Merge r1589986 r1589985 r1633528 from trunk
*) Add the ldap function to the expression API, allowing ldap filters
and distinguished names based on expression to be excaped correctly
to guared against LDAP injection.
Conflict:NA
Reference:https://github.com/apache/httpd/commit/73ce13be5aa9ae5414772bc6a8a2f7de8dd2db34
---
server/util_expr_eval.c | 16 +++++++++++++++-
1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/server/util_expr_eval.c b/server/util_expr_eval.c
index 2e031d0..75295ba 100644
--- a/server/util_expr_eval.c
+++ b/server/util_expr_eval.c
@@ -32,6 +32,10 @@
#include "apr_fnmatch.h"
#include "apr_base64.h"
#include "apr_sha1.h"
+#include "apr_version.h"
+#if APR_VERSION_AT_LEAST(1,5,0)
+#include "apr_escape.h"
+#endif
#include <limits.h> /* for INT_MAX */
@@ -1087,9 +1091,16 @@ static const char *sha1_func(ap_expr_eval_ctx_t *ctx, const void *data,
static const char *md5_func(ap_expr_eval_ctx_t *ctx, const void *data,
const char *arg)
{
- return ap_md5(ctx->p, (const unsigned char *)arg);
+ return ap_md5(ctx->p, (const unsigned char *)arg);
}
+#if APR_VERSION_AT_LEAST(1,6,0)
+static const char *ldap_func(ap_expr_eval_ctx_t *ctx, const void *data,
+ const char *arg)
+{
+ return apr_pescape_ldap(ctx->p, arg, APR_ESCAPE_STRING, APR_ESCAPE_LDAP_ALL);
+}
+#endif
#define MAX_FILE_SIZE 10*1024*1024
static const char *file_func(ap_expr_eval_ctx_t *ctx, const void *data,
@@ -1667,6 +1678,9 @@ static const struct expr_provider_single string_func_providers[] = {
{ unbase64_func, "unbase64", NULL, 0 },
{ sha1_func, "sha1", NULL, 0 },
{ md5_func, "md5", NULL, 0 },
+#if APR_VERSION_AT_LEAST(1,6,0)
+ { ldap_func, "ldap", NULL, 0 },
+#endif
{ NULL, NULL, NULL}
};
--
2.23.0
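Review bot: The include of `apr_escape.h` is guarded by `APR_VERSION_AT_LEAST(1,5,0)` while `ldap_func` and its table entry use `APR_VERSION_AT_LEAST(1,6,0)`, and nothing explains why the two differ. If the split is deliberate (the header being available earlier than `apr_pescape_ldap()`), a comment such as `/* apr_escape.h since APR 1.5; apr_pescape_ldap() needs 1.6 */` would stop a later cleanup from unifying them the wrong way. Against an older APR the `ldap` function is simply not registered, so configurations that depend on it for escaping LDAP filters need the package built with APR 1.6 or later; the spec's APR build requirement is not visible on this page and should be checked.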

@ -0,0 +1,28 @@
From b64b0488b12dc81df972bff4747d9b9c68fbad3f Mon Sep 17 00:00:00 2001
From: jimjag <jimjag@gmail.com>
Date: Mon May 9 2022 17:54:42 UTC
Subject: [PATCH] mod_heartmonitor:fix error HeartbeatMaxServers default value
Conflict:NA
Reference:https://github.com/apache/httpd/commit/b64b0488b12dc81df972bff4747d9b9c68fbad3f
---
modules/cluster/mod_heartmonitor.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/cluster/mod_heartmonitor.c b/modules/cluster/mod_heartmonitor.c
index 2e8d12d..bfda7f8 100644
--- a/modules/cluster/mod_heartmonitor.c
+++ b/modules/cluster/mod_heartmonitor.c
@@ -39,7 +39,7 @@
static const ap_slotmem_provider_t *storage = NULL;
static ap_slotmem_instance_t *slotmem = NULL;
-static int maxworkers = 0;
+static int maxworkers = 10;
module AP_MODULE_DECLARE_DATA heartmonitor_module;
--
2.23.0

@ -0,0 +1,28 @@
From 1a09953b2439f94714feb03358b793ccbae8a2ca Mon Sep 17 00:00:00 2001
From: covener <covener@apache.org>
Date: Wed Jun 1 12:31:19 2022 UTC
Subject: [PATCH] lua_request:fix lua request with cast first
Conflict:NA
Reference:https://github.com/apache/httpd/commit/1a09953b2439f94714feb03358b793ccbae8a2ca
---
modules/lua/lua_request.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/lua/lua_request.c b/modules/lua/lua_request.c
index a7e501b..1ba6a2f 100644
--- a/modules/lua/lua_request.c
+++ b/modules/lua/lua_request.c
@@ -251,7 +251,7 @@ static int lua_read_body(request_rec *r, const char **rbuf, apr_off_t *size,
if (maxsize != 0 && length > maxsize) {
return APR_EINCOMPLETE; /* Only room for incomplete data chunk :( */
}
- *rbuf = (const char *) apr_pcalloc(r->pool, (apr_size_t) (length + 1));
+ *rbuf = (const char *) apr_pcalloc(r->pool, (apr_size_t) (length) + 1);
while ((rpos < length)
&& (len_read = ap_get_client_block(r, (char *) *rbuf + rpos,
length - rpos)) > 0) {
--
2.23.0
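Review bot: Moving the cast ahead of the `+ 1` avoids the addition in the signed type, but a `length` that does not fit in `apr_size_t` is still truncated by the cast, and the read loop below keeps using the untruncated `length` as its bound. The only visible limit is `maxsize`, which is skipped when it is 0. A range check before the allocation would close this, e.g. `if (length < 0 || (apr_uint64_t)length >= APR_SIZE_MAX) return APR_EINCOMPLETE;`. The declaration of `length` is outside the hunk, so confirm its type (presumably `apr_off_t`) and the preferred error code; this matters mainly on builds where `apr_size_t` is 32 bits.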

@ -0,0 +1,47 @@
From 1fa621fafde4cc73bdc887b94c0a8b7dade2162b Mon Sep 17 00:00:00 2001
From: icing <icing@eissing.org>
Date: Tue May 17 13:32:43 2022 UTC
Subject: [PATCH] mod_heartmonitor:fix setting and comparsion of IPs fields
Conflict:NA
Reference:https://github.com/apache/httpd/commit/1fa621fafde4cc73bdc887b94c0a8b7dade2162b
---
modules/cluster/mod_heartmonitor.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/modules/cluster/mod_heartmonitor.c b/modules/cluster/mod_heartmonitor.c
index bfda7f8..30db11a 100644
--- a/modules/cluster/mod_heartmonitor.c
+++ b/modules/cluster/mod_heartmonitor.c
@@ -171,7 +171,7 @@ static apr_status_t hm_update(void* mem, void *data, apr_pool_t *p)
hm_slot_server_t *old = (hm_slot_server_t *) mem;
hm_slot_server_ctx_t *s = (hm_slot_server_ctx_t *) data;
hm_server_t *new = s->s;
- if (strncmp(old->ip, new->ip, MAXIPSIZE)==0) {
+ if (strcmp(old->ip, new->ip)==0) {
s->found = 1;
old->busy = new->busy;
old->ready = new->ready;
@@ -185,7 +185,7 @@ static apr_status_t hm_readid(void* mem, void *data, apr_pool_t *p)
hm_slot_server_t *old = (hm_slot_server_t *) mem;
hm_slot_server_ctx_t *s = (hm_slot_server_ctx_t *) data;
hm_server_t *new = s->s;
- if (strncmp(old->ip, new->ip, MAXIPSIZE)==0) {
+ if (strcmp(old->ip, new->ip)==0) {
s->found = 1;
s->item_id = old->id;
}
@@ -202,7 +202,8 @@ static apr_status_t hm_slotmem_update_stat(hm_server_t *s, apr_pool_t *pool)
if (!ctx.found) {
unsigned int i;
hm_slot_server_t hmserver;
- memcpy(hmserver.ip, s->ip, MAXIPSIZE);
+ memset(&hmserver, 0, sizeof(hmserver));
+ apr_cpystrn(hmserver.ip, s->ip, sizeof(hmserver.ip));
hmserver.busy = s->busy;
hmserver.ready = s->ready;
hmserver.seen = s->seen;
--
2.23.0
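Review bot: `strcmp(old->ip, new->ip)` in `hm_update` and `hm_readid` has no length bound, so it is only safe if both fields are always NUL-terminated. The third hunk guarantees that for slots written through `apr_cpystrn`, but where `new->ip` (`s->ip`) is filled in is outside these hunks, and the removed `memcpy(..., MAXIPSIZE)` copied a fixed number of bytes with no guarantee of a terminator. Confirm that the producer of `s->ip` terminates it and that no slot written by the old code can still be read, and state the invariant next to the field, e.g. `/* ip is always NUL-terminated; compared with strcmp() */`.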

@ -0,0 +1,73 @@
From 229dc3a47e0858a0b6772fa878a60f09ee5293 Mon Sep 17 00:00:00 2001
From: ylavic <ylavic@apache.org>
Date: Tue May 24 08:55:16 2022
Subject: [PATCH] core:make ap_escape_quotes work correctly
Conflict:NA
Reference:https://github.com/apache/httpd/commit/229dc3ac47e0858a0b67227fa878a60f09ee5293
---
server/util.c | 29 ++++++++++++++++++++++++-----
1 file changed, 24 insertions(+), 5 deletions(-)
diff --git a/server/util.c b/server/util.c
index 09ac0c5..1e006a3 100644
--- a/server/util.c
+++ b/server/util.c
@@ -2535,7 +2535,7 @@ AP_DECLARE(void) ap_content_type_tolower(char *str)
*/
AP_DECLARE(char *) ap_escape_quotes(apr_pool_t *p, const char *instring)
{
- int newlen = 0;
+ apr_size_t size, extra = 0;
const char *inchr = instring;
char *outchr, *outstring;
@@ -2544,9 +2544,8 @@ AP_DECLARE(char *) ap_escape_quotes(apr_pool_t *p, const char *instring)
* string up by an extra byte each time we find an unescaped ".
*/
while (*inchr != '\0') {
- newlen++;
if (*inchr == '"') {
- newlen++;
+ extra++;
}
/*
* If we find a slosh, and it's not the last byte in the string,
@@ -2554,11 +2553,31 @@ AP_DECLARE(char *) ap_escape_quotes(apr_pool_t *p, const char *instring)
*/
if ((*inchr == '\\') && (inchr[1] != '\0')) {
inchr++;
- newlen++;
}
inchr++;
}
- outstring = apr_palloc(p, newlen + 1);
+ if (!extra) {
+ return apr_pstrdup(p, instring);
+ }
+
+ /* How large will the string become, once we escaped all the quotes?
+ * The tricky cases are
+ * - an `instring` that is already longer than `ptrdiff_t`
+ * can hold (which is an undefined case in C, as C defines ptrdiff_t as
+ * a signed difference between pointers into the same array and one index
+ * beyond).
+ * - an `instring` that, including the `extra` chars we want to add, becomes
+ * even larger than apr_size_t can handle.
+ * Since thsi function was nto designed to ever return NULL for failure, we
+ * can only trigger a hard assertion failure. It seems more a programming
+ * mistake (or failure to verify the input causing this) that leads to this
+ * situation.
+ */
+ ap_assert(inchr - instring > 0);
+ size = ((apr_size_t)(inchr - instring)) + 1;
+ ap_assert(size + extra > size);
+
+ outstring = apr_palloc(p, size + extra);
inchr = instring;
outchr = outstring;
/*
--
2.23.0
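Review bot: `ap_escape_quotes` now ends the process through `ap_assert()` when the escaped length cannot be represented, which is a new failure mode for callers, and the function's header comment (it closes just above the signature, outside this hunk) presumably does not mention it. I would add a sentence there such as `Aborts via ap_assert() if the escaped string would exceed apr_size_t.` The allocation is now `size + extra`, so it stays correct only while the copy loop that follows (outside the hunk) escapes exactly the quotes the counting loop counted; a one-line comment tying the two loops together would help future edits keep them in step.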

@ -0,0 +1,39 @@
From 960d719aa31c35a8aac99b1fa413df7a91085bbd Mon Sep 17 00:00:00 2001
From: Stefan Eissing <icing@apache.org>
Date: Tue, 8 Feb 2022 12:28:37 UTC
Subject: [PATCH] mod_md do not interfere with requests to well known acme challenge
resources if challenge type 'http-01' is not configure for a domain.
Fixex <https://github.com/icing/mod_md/issue/279>.
git-svn-id:https://svn.apache.org/repos/afs/httpd/httpd/branches/2.4.x@1897865
Conflict:NA
Reference:https://github.com/apache/httpd/commit/960d719aa31c35a8aac99b1fa413df7a91085bbd
---
modules/md/mod_md.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/modules/md/mod_md.c b/modules/md/mod_md.c
index 8b379eb..c929168 100644
--- a/modules/md/mod_md.c
+++ b/modules/md/mod_md.c
@@ -1347,6 +1347,15 @@ static int md_http_challenge_pr(request_rec *r)
md = md_get_by_domain(sc->mc->mds, r->hostname);
name = r->parsed_uri.path + sizeof(ACME_CHALLENGE_PREFIX)-1;
reg = sc && sc->mc? sc->mc->reg : NULL;
+
+ if (md && md->ca_challenges
+ && md_array_str_index(md->ca_challenges, MD_AUTHZ_CHA_HTTP_01, 0, 1) < 0) {
+ /* The MD this chanllenge is for dose nto allow http-01 challanges,
+ * we have to decline. See #279 for a setup example where this
+ * is necessary.
+ */
+ return DECLINED;
+ }
if (strlen(name) && !ap_strchr_c(name, '/') && reg) {
md_store_t *store = md_reg_store_get(reg);
--
2.23.0
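Review bot: The new `md` test depends on `md_get_by_domain(sc->mc->mds, r->hostname)` in the context line above it, which dereferences `sc->mc` unconditionally, while the line right after still guards with `sc && sc->mc`. One of the two is wrong or redundant; if an earlier check in `md_http_challenge_pr` (outside the hunk) already rejects a NULL `sc` or `sc->mc`, a short comment saying so would help, otherwise the lookup needs the same guard. Separately, a NULL `md->ca_challenges` falls through to the existing handling, so the decline only applies when a challenge list is configured explicitly; a comment noting that this is intended would make the condition easier to audit.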

@ -8,7 +8,7 @@
Name: httpd
Summary: Apache HTTP Server
Version: 2.4.51
Release: 10
Release: 11
License: ASL 2.0
URL: https://httpd.apache.org/
Source0: https://archive.apache.org/dist/httpd/httpd-%{version}.tar.bz2
@ -86,6 +86,14 @@ Patch32: backport-CVE-2022-26377.patch
Patch33: backport-CVE-2022-30522.patch
Patch34: backport-CVE-2022-30556.patch
Patch35: backport-CVE-2022-28330.patch
Patch36: backport-fix-error-HeartbeatMaxServers-default-value.patch
Patch37: backport-fix-setting-and-comparison-of-IPs-fields.patch
Patch38: backport-Harden-mod_session-and-avoid-overflow-of-large-session.patch
Patch39: backport-make-ap_escape_quotes-work-correctly.patch
Patch40: backport-fix-lua-request-with-cast-first.patch
Patch41: backport-Handle-children-killed-pathologically.patch
Patch42: backport-Merge-r1589986-r1589995-r1633528-from-trunk.patch
Patch43: backport-mod_md-do-not-interfere-with-requests-to-well-known-acme-challenge.patch
BuildRequires: gcc autoconf pkgconfig findutils xmlto perl-interpreter perl-generators systemd-devel
BuildRequires: zlib-devel libselinux-devel lua-devel brotli-devel
@ -518,6 +526,18 @@ exit $rv
%{_rpmconfigdir}/macros.d/macros.httpd
%changelog
* Wed Dec 14 2022 chengyechun <chengyechun1@huawei.com> - 2.4.51-11
- Type:bugfix
- ID:
- SUG:restart
- DESC:change default value of HeartbeatMaxServers
fix setting and comparison of IPs fileds
avoid voerflow in case of indecently large session
make ap_escape_quotes() work correctly
fix lua_request with cast first
Handle children killed pathologically
mod_md do not interfere with requests if challenge type http-01
* Mon Dec 12 2022 chengyechun <chengyechun1@huawei.com> - 2.4.51-10
- Type:bugfix
- ID: