sync some patches from upstream

backport-Report-an-error-if-the-AJP-backend-sends-an-invalid-number-of-headers.patch

@@ -0,0 +1,36 @@
+From 296a99c3102e4dd91153a8fb732275b804f001fc Mon Sep 17 00:00:00 2001
+From: Eric Covener <covener@apache.org>
+Date: Mon, 23 Jan 2023 04:59:22 PM GMT+0800
+Subject: [PATCH] Report an error if the AJP backend sends an invalid number of headers
+
+Conflict:NA
+Reference:https://github.com/apache/httpd/commit/296a99c3102e4dd91153a8fb732275b804f001fc
+
+---
+ modules/proxy/ajp_header.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/modules/proxy/ajp_header.c b/modules/proxy/ajp_header.c
+index b4dc47c..a09a2e4 100644
+--- a/modules/proxy/ajp_header.c
++++ b/modules/proxy/ajp_header.c
+@@ -584,8 +584,15 @@ static apr_status_t ajp_unmarshal_response(ajp_msg_t *msg,
+         r->headers_out = save_table;
+     }
+     else {
+-        r->headers_out = NULL;
++        /*
++         * Reset headers, but not to NULL because things below the chain expect
++         * this to be non NULL e.g. the ap_content_length_filter.
++         */
++        r->headers_out = apr_table_make(r->pool, 1);
+         num_headers = 0;
++        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10405)
++                "ajp_unmarshal_response: Bad number of headers");
++        return rc;
+     }
+ 
+     ap_log_rerror(APLOG_MARK, APLOG_TRACE4, 0, r,
+-- 
+2.27.0
+

backport-avoid-delimiting-the-query-with-a-backreference.patch

@@ -0,0 +1,152 @@
+From 9282a06e55cb142666d6ed565c9031e728b7d537 Mon Sep 17 00:00:00 2001
+From: Eric Covener <covener@apache.org>
+Date: Mon, 6 Mar 2023 04:31:19 AM GMT+0800
+Subject: [PATCH] avoid delimiting the query with a backreference
+
+Conflict:NA
+Reference:https://github.com/apache/httpd/commit/9282a06e55cb142666d6ed565c9031e728b7d537
+
+---
+ modules/mappers/mod_rewrite.c | 44 +++++++++++++++++++++++++----------
+ 1 file changed, 32 insertions(+), 12 deletions(-)
+
+diff --git a/modules/mappers/mod_rewrite.c b/modules/mappers/mod_rewrite.c
+index 7faaeb7..e539a44 100644
+--- a/modules/mappers/mod_rewrite.c
++++ b/modules/mappers/mod_rewrite.c
+@@ -167,6 +167,7 @@ static const char* really_last_key = "rewrite_really_last";
+ #define RULEFLAG_END                (1<<17)
+ #define RULEFLAG_ESCAPENOPLUS       (1<<18)
+ #define RULEFLAG_QSLAST             (1<<19)
++#define RULEFLAG_QSNONE             (1<<20) /* programattic only */
+ 
+ /* return code of the rewrite rule
+  * the result may be escaped - or not
+@@ -763,11 +764,19 @@ static char *escape_absolute_uri(apr_pool_t *p, char *uri, unsigned scheme)
+  * split out a QUERY_STRING part from
+  * the current URI string
+  */
+-static void splitout_queryargs(request_rec *r, int qsappend, int qsdiscard, 
+-                               int qslast)
++static void splitout_queryargs(request_rec *r, int flags)
+ {
+     char *q;
+     int split, skip;
++    int qsappend = flags & RULEFLAG_QSAPPEND;
++    int qsdiscard = flags & RULEFLAG_QSDISCARD;
++    int qslast = flags & RULEFLAG_QSLAST;
++
++    if (flags & RULEFLAG_QSNONE) {
++        rewritelog((r, 2, NULL, "discarding query string, no parse from substitution"));
++        r->args = NULL;
++        return;
++    }
+ 
+     /* don't touch, unless it's a scheme for which a query string makes sense.
+      * See RFC 1738 and RFC 2368.
+@@ -792,7 +801,7 @@ static void splitout_queryargs(request_rec *r, int qsappend, int qsdiscard,
+         olduri = apr_pstrdup(r->pool, r->filename);
+         *q++ = '\0';
+         if (qsappend) {
+-            if (*q) { 
++            if (*q) {
+                 r->args = apr_pstrcat(r->pool, q, "&" , r->args, NULL);
+             }
+         }
+@@ -800,7 +809,7 @@ static void splitout_queryargs(request_rec *r, int qsappend, int qsdiscard,
+             r->args = apr_pstrdup(r->pool, q);
+         }
+ 
+-        if (r->args) { 
++        if (r->args) {
+            len = strlen(r->args);
+       
+            if (!len) {
+@@ -2735,7 +2744,8 @@ static apr_status_t rewritelock_remove(void *data)
+  * XXX: what an inclined parser. Seems we have to leave it so
+  *      for backwards compat. *sigh*
+  */
+-static int parseargline(char *str, char **a1, char **a2, char **a3)
++static char *parseargline(apr_pool_t *p, char *str, char **a1,
++                          char **a2, char **a2_end, char **a3)
+ {
+     char quote;
+ 
+@@ -2786,8 +2796,10 @@ static int parseargline(char *str, char **a1, char **a2, char **a3)
+ 
+     if (!*str) {
+         *a3 = NULL; /* 3rd argument is optional */
++        *a2_end = str;
+         return 0;
+     }
++    *a2_end = str;
+     *str++ = '\0';
+ 
+     while (apr_isspace(*str)) {
+@@ -3327,7 +3339,7 @@ static const char *cmd_rewritecond(cmd_parms *cmd, void *in_dconf,
+     rewrite_server_conf *sconf;
+     rewritecond_entry *newcond;
+     ap_regex_t *regexp;
+-    char *a1 = NULL, *a2 = NULL, *a3 = NULL;
++    char *a1 = NULL, *a2 = NULL, *a2_end, *a3 = NULL;
+     const char *err;
+ 
+     sconf = ap_get_module_config(cmd->server->module_config, &rewrite_module);
+@@ -3345,7 +3357,7 @@ static const char *cmd_rewritecond(cmd_parms *cmd, void *in_dconf,
+      * of the argument line. So we can use a1 .. a3 without
+      * copying them again.
+      */
+-    if (parseargline(str, &a1, &a2, &a3)) {
++    if ((err = parseargline(cmd->pool, str, &a1, &a2, &a2_end, &a3))) {
+         return apr_pstrcat(cmd->pool, "RewriteCond: bad argument line '", str,
+                            "'", NULL);
+     }
+@@ -3753,7 +3765,7 @@ static const char *cmd_rewriterule(cmd_parms *cmd, void *in_dconf,
+     rewrite_server_conf *sconf;
+     rewriterule_entry *newrule;
+     ap_regex_t *regexp;
+-    char *a1 = NULL, *a2 = NULL, *a3 = NULL;
++    char *a1 = NULL, *a2 = NULL, *a2_end, *a3 = NULL;
+     const char *err;
+ 
+     sconf = ap_get_module_config(cmd->server->module_config, &rewrite_module);
+@@ -3767,7 +3779,7 @@ static const char *cmd_rewriterule(cmd_parms *cmd, void *in_dconf,
+     }
+ 
+     /*  parse the argument line ourself */
+-    if (parseargline(str, &a1, &a2, &a3)) {
++    if ((err = parseargline(cmd->pool, str, &a1, &a2, &a2_end, &a3))) {
+         return apr_pstrcat(cmd->pool, "RewriteRule: bad argument line '", str,
+                            "'", NULL);
+     }
+@@ -3814,6 +3826,16 @@ static const char *cmd_rewriterule(cmd_parms *cmd, void *in_dconf,
+         newrule->flags |= RULEFLAG_NOSUB;
+     }
+ 
++    if (*(a2_end-1) == '?') {
++        /* a literal ? at the end of the unsubstituted rewrite rule */
++        newrule->flags |= RULEFLAG_QSNONE;
++    }
++    else if (newrule->flags & RULEFLAG_QSDISCARD) {
++        if (NULL == ap_strchr(newrule->output, '?')) {
++            newrule->flags |= RULEFLAG_QSNONE;
++        }
++    }
++
+     /* now, if the server or per-dir config holds an
+      * array of RewriteCond entries, we take it for us
+      * and clear the array
+@@ -4219,9 +4241,7 @@ static int apply_rewrite_rule(rewriterule_entry *p, rewrite_ctx *ctx)
+         r->path_info = NULL;
+     }
+ 
+-    splitout_queryargs(r, p->flags & RULEFLAG_QSAPPEND, 
+-                          p->flags & RULEFLAG_QSDISCARD, 
+-                          p->flags & RULEFLAG_QSLAST);
++    splitout_queryargs(r, p->flags);
+ 
+     /* Add the previously stripped per-directory location prefix, unless
+      * (1) it's an absolute URL path and
+-- 
+2.27.0
+

backport-fix-missing-APLOGNO.patch

@@ -0,0 +1,28 @@
+From 1061b64bb7da5339b037f936169a088150427bd1 Mon Sep 17 00:00:00 2001
+From: Ruediger Pluem <rpluem@apache.org>
+Date: Mon, 6 Mar 2023 05:25:17 PM GMT+0800
+Subject: [PATCH] modules/http2/mod_proxy_http2.c: Fix missing APLOGNO
+
+Conflict:NA
+Reference:https://github.com/apache/httpd/commit/1061b64bb7da5339b037f936169a088150427bd1
+
+---
+ modules/http2/mod_proxy_http2.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/modules/http2/mod_proxy_http2.c b/modules/http2/mod_proxy_http2.c
+index d8a77c8..753f7f4 100644
+--- a/modules/http2/mod_proxy_http2.c
++++ b/modules/http2/mod_proxy_http2.c
+@@ -167,7 +167,7 @@ static int proxy_http2_canon(request_rec *r, char *url)
+                  * We have a raw control character or a ' ' in r->args.
+                  * Correct encoding was missed.
+                  */
+-                ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO()
++                ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10412)
+                               "To be forwarded query string contains control "
+                               "characters or spaces");
+                 return HTTP_FORBIDDEN;
+-- 
+2.27.0
+

backport-handled-a-negative-value-when-parsing-the-config.patch

@@ -0,0 +1,38 @@
+From b2d18fb704c64ce7767e07fe546eecec98c91b50 Mon Sep 17 00:00:00 2001
+From: Eirc Covener <covener@apache.org>
+Date: Fri, 27 Jan 2023 08:58:03 PM GMT+0800
+Subject: [PATCH] mod_ldap: LDAPConnectionPoolTTL should accept negative values in order to
+                           allow connections of any age to be reused. Up to now, a negative value
+                           was handled as an error when parsing the configuration file
+
+Conflict:NA
+Reference:https://github.com/apache/httpd/commit/b2d18fb704c64ce7767e07fe546eecec98c91b50
+
+---
+ modules/ldap/util_ldap.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/modules/ldap/util_ldap.c b/modules/ldap/util_ldap.c
+index 4d92ec9..14b774a 100644
+--- a/modules/ldap/util_ldap.c
++++ b/modules/ldap/util_ldap.c
+@@ -2752,12 +2752,14 @@ static const char *util_ldap_set_conn_ttl(cmd_parms *cmd,
+                                           void *dummy,
+                                           const char *val)
+ {
+-    apr_interval_time_t timeout;
++    apr_interval_time_t timeout = -1;
+     util_ldap_state_t *st =
+         (util_ldap_state_t *)ap_get_module_config(cmd->server->module_config,
+                                                   &ldap_module);
+ 
+-    if (ap_timeout_parameter_parse(val, &timeout, "s") != APR_SUCCESS) {
++    /* Negative values mean AP_LDAP_CONNPOOL_INFINITE */
++    if (val[0] != '-' &&
++        ap_timeout_parameter_parse(val, &timeout, "s") != APR_SUCCESS) {
+         return "LDAPConnectionPoolTTL has wrong format";
+     }
+ 
+-- 
+2.27.0
+

httpd.spec

@@ -8,7 +8,7 @@
 Name:             httpd
 Summary:          Apache HTTP Server
 Version:          2.4.51
-Release:          15
+Release:          16
 License:          ASL 2.0
 URL:              https://httpd.apache.org/
 Source0:          https://archive.apache.org/dist/httpd/httpd-%{version}.tar.bz2
@@ -100,6 +100,10 @@ Patch46:          backport-CVE-2022-37436.patch
 Patch47:          backport-open-the-lock-database-read-only-when-possible.patch
 Patch48:          backport-CVE-2023-27522.patch
 Patch49:          backport-CVE-2023-25690.patch
+Patch50:          backport-Report-an-error-if-the-AJP-backend-sends-an-invalid-number-of-headers.patch
+Patch51:          backport-handled-a-negative-value-when-parsing-the-config.patch
+Patch52:          backport-avoid-delimiting-the-query-with-a-backreference.patch
+Patch53:          backport-fix-missing-APLOGNO.patch
 
 BuildRequires:    gcc autoconf pkgconfig findutils xmlto perl-interpreter perl-generators systemd-devel
 BuildRequires:    zlib-devel libselinux-devel lua-devel brotli-devel
@@ -532,6 +536,15 @@ exit $rv
 %{_rpmconfigdir}/macros.d/macros.httpd
 
 %changelog
+* Fri Apr 14 2023 chengyechun <chengyehcun1@huawei.com> - 2.4.51-16
+- Type:bugfix
+- ID:
+- SUG:restart
+- DESC:Report an error if the AJP backend sends an invalid number of headers
+       handled a negative value when parsing the config
+       avoid delimiting the query with a backreference
+       fix missing APLOGNO
+       
 * Fri Mar 10 2023 chengyechun <chengyechun1@huawei.com> - 2.4.51-15
 - Type:CVE
 - ID:CVE-2023-27522, CVE-2023-25690