head 1.42; access; symbols OPENPKG_E1_MP_HEAD:1.24 OPENPKG_E1_MP:1.24 OPENPKG_E1_MP_2_STABLE:1.22.2.2 OPENPKG_E1_FP:1.22.2.2 OPENPKG_2_STABLE_MP:1.24 OPENPKG_2_STABLE_20061018:1.22.2.2 OPENPKG_2_STABLE_20060622:1.22 OPENPKG_2_STABLE:1.22.0.2 OPENPKG_2_STABLE_BP:1.22 OPENPKG_2_5_RELEASE:1.18 OPENPKG_2_5_SOLID:1.18.0.6 OPENPKG_2_5_SOLID_BP:1.18 OPENPKG_2_4_RELEASE:1.18 OPENPKG_2_4_SOLID:1.18.0.4 OPENPKG_2_4_SOLID_BP:1.18 OPENPKG_CW_FP:1.18 OPENPKG_2_3_RELEASE:1.18 OPENPKG_2_3_SOLID:1.18.0.2 OPENPKG_2_3_SOLID_BP:1.18 OPENPKG_2_2_RELEASE:1.15 OPENPKG_2_2_SOLID:1.15.0.2 OPENPKG_2_2_SOLID_BP:1.15 OPENPKG_2_1_RELEASE:1.13.2.1 OPENPKG_2_1_SOLID:1.13.0.2 OPENPKG_2_1_SOLID_BP:1.13 OPENPKG_2_0_RELEASE:1.9 OPENPKG_2_0_SOLID:1.9.0.2 OPENPKG_2_0_SOLID_BP:1.9 OPENPKG_1_3_RELEASE:1.1.6.2 OPENPKG_1_3_SOLID:1.1.6.2.0.2 OPENPKG_1_3_SOLID_BP:1.1.6.2 OPENPKG_1_STABLE_MP:1.6 OPENPKG_1_2_SOLID:1.1.0.8 OPENPKG_1_2_SOLID_BP:1.1 OPENPKG_1_STABLE:1.1.0.6 OPENPKG_1_STABLE_BP:1.1 OPENPKG_1_1_SOLID:1.1.0.4 OPENPKG_1_0_SOLID:1.1.0.2; locks; strict; comment @# @; 1.42 date 2009.10.04.17.09.19; author rse; state Exp; branches; next 1.41; commitid 4V08IXLgF3TdWe6u; 1.41 date 2009.07.28.17.44.08; author rse; state Exp; branches; next 1.40; commitid YVut8KfbKY8GjvXt; 1.40 date 2009.02.01.19.17.27; author rse; state Exp; branches; next 1.39; commitid gZ1t9KuvVjBqwLAt; 1.39 date 2008.12.14.10.07.08; author rse; state Exp; branches; next 1.38; commitid c79W2lCmb3ni3qut; 1.38 date 2008.07.26.18.38.54; author rse; state Exp; branches; next 1.37; commitid JIdAUIGqq5uRplct; 1.37 date 2008.06.14.07.02.34; author rse; state Exp; branches; next 1.36; commitid EjpKXJcmclXFUS6t; 1.36 date 2007.09.10.18.20.04; author rse; state Exp; branches; next 1.35; commitid alZTqg6cClP7Bdxs; 1.35 date 2007.09.07.08.18.18; author rse; state Exp; branches; next 1.34; commitid NZ1UVm2voL1FmMws; 1.34 date 2007.07.19.17.47.01; author cs; state Exp; branches; next 1.33; commitid DD3boI7rTLTn7pqs; 1.33 date 2007.06.28.20.51.37; 
author rse; state Exp; branches; next 1.32; commitid VViG93vJqAZAOIns; 1.32 date 2007.06.23.09.45.09; author rse; state Exp; branches; next 1.31; commitid qfLvMokO9V2Vh1ns; 1.31 date 2007.06.22.16.42.07; author rse; state Exp; branches; next 1.30; commitid zTclnSlmIWpXCVms; 1.30 date 2007.06.22.15.33.13; author rse; state Exp; branches; next 1.29; commitid TAtNhSf1xNXjfVms; 1.29 date 2007.06.22.14.50.01; author rse; state Exp; branches; next 1.28; commitid 3hA8i8fQ3vbv0Vms; 1.28 date 2007.06.22.11.59.16; author rse; state Exp; branches; next 1.27; commitid axe4vp8h9ovV3Ums; 1.27 date 2007.06.22.10.54.02; author rse; state Exp; branches; next 1.26; commitid ZbFoU2hEtnBxHTms; 1.26 date 2007.04.15.16.13.05; author rse; state Exp; branches; next 1.25; commitid PJPoGA96M0wvEbes; 1.25 date 2007.04.02.15.07.30; author rse; state Exp; branches; next 1.24; commitid obcFxT8y3aiTHvcs; 1.24 date 2006.09.10.13.20.33; author rse; state Exp; branches; next 1.23; commitid lMx6FEKoDnOMFhMr; 1.23 date 2006.07.28.06.09.19; author rse; state Exp; branches; next 1.22; commitid zbcPeIzbXntxHAGr; 1.22 date 2006.05.17.19.44.32; author rse; state Exp; branches 1.22.2.1; next 1.21; commitid i50MomNXv1IGwpxr; 1.21 date 2006.04.30.17.36.04; author rse; state Exp; branches; next 1.20; commitid 1Dxjrrzr86Wumdvr; 1.20 date 2005.12.14.20.11.02; author rse; state Exp; branches; next 1.19; commitid laKLTuqRk5gGCCdr; 1.19 date 2005.10.18.06.46.26; author rse; state Exp; branches; next 1.18; 1.18 date 2004.10.29.10.30.05; author rse; state Exp; branches 1.18.2.1 1.18.4.1 1.18.6.1; next 1.17; 1.17 date 2004.10.22.09.55.44; author rse; state Exp; branches; next 1.16; 1.16 date 2004.10.22.09.04.45; author hms; state Exp; branches; next 1.15; 1.15 date 2004.07.26.13.06.36; author rse; state Exp; branches 1.15.2.1; next 1.14; 1.14 date 2004.07.07.09.31.13; author thl; state Exp; branches; next 1.13; 1.13 date 2004.06.11.14.42.25; author thl; state Exp; branches 1.13.2.1; next 1.12; 1.12 date 
2004.05.12.08.51.38; author rse; state Exp; branches; next 1.11; 1.11 date 2004.05.11.19.51.59; author rse; state Exp; branches; next 1.10; 1.10 date 2004.03.11.12.34.37; author thl; state Exp; branches; next 1.9; 1.9 date 2003.10.28.10.47.24; author rse; state Exp; branches 1.9.2.1; next 1.8; 1.8 date 2003.07.29.14.17.17; author rse; state Exp; branches; next 1.7; 1.7 date 2003.07.29.13.31.01; author mlelstv; state Exp; branches; next 1.6; 1.6 date 2003.07.18.17.34.11; author rse; state Exp; branches; next 1.5; 1.5 date 2003.06.11.10.55.07; author mlelstv; state Exp; branches; next 1.4; 1.4 date 2003.06.11.10.18.20; author mlelstv; state Exp; branches; next 1.3; 1.3 date 2003.06.04.16.36.35; author mlelstv; state Exp; branches; next 1.2; 1.2 date 2003.02.10.10.22.02; author rse; state Exp; branches; next 1.1; 1.1 date 2002.06.19.15.36.49; author rse; state dead; branches 1.1.2.1 1.1.4.1 1.1.6.1 1.1.8.1; next ; 1.22.2.1 date 2006.07.28.06.10.36; author rse; state Exp; branches; next 1.22.2.2; commitid d0Jeqb0efcQYHAGr; 1.22.2.2 date 2006.09.20.19.36.19; author rse; state Exp; branches; next ; commitid XmQ7rH2KpwBLqBNr; 1.18.2.1 date 2005.10.18.08.07.04; author rse; state Exp; branches; next 1.18.2.2; 1.18.2.2 date 2005.12.14.20.17.25; author rse; state Exp; branches; next ; commitid lH0NKarzPDBSECdr; 1.18.4.1 date 2005.10.18.08.05.06; author rse; state Exp; branches; next 1.18.4.2; 1.18.4.2 date 2005.12.14.20.15.33; author rse; state Exp; branches; next 1.18.4.3; commitid PGvX6l9bEYzdECdr; 1.18.4.3 date 2006.07.28.08.42.04; author cs; state Exp; branches; next ; commitid KpTJKLzNQxjWxBGr; 1.18.6.1 date 2005.10.18.08.02.38; author rse; state Exp; branches; next 1.18.6.2; 1.18.6.2 date 2005.12.14.20.13.11; author rse; state Exp; branches; next 1.18.6.3; commitid 6pvJ3Kj6yIeqDCdr; 1.18.6.3 date 2006.07.28.06.06.03; author rse; state Exp; branches; next ; commitid fULA5a6ilFxpGAGr; 1.15.2.1 date 2004.10.29.11.18.26; author rse; state Exp; branches; next ; 1.13.2.1 date 
2004.07.07.13.47.36; author thl; state Exp; branches; next 1.13.2.2; 1.13.2.2 date 2004.07.27.10.12.09; author rse; state Exp; branches; next 1.13.2.3; 1.13.2.3 date 2004.10.29.11.23.38; author rse; state Exp; branches; next ; 1.9.2.1 date 2004.05.12.11.55.07; author rse; state Exp; branches; next 1.9.2.2; 1.9.2.2 date 2004.06.11.14.42.47; author thl; state Exp; branches; next 1.9.2.3; 1.9.2.3 date 2004.10.29.11.26.57; author rse; state Exp; branches; next ; 1.1.2.1 date 2002.06.19.15.36.49; author rse; state Exp; branches; next 1.1.2.2; 1.1.2.2 date 2002.10.04.19.39.15; author rse; state Exp; branches; next ; 1.1.4.1 date 2002.10.04.19.31.28; author rse; state Exp; branches; next ; 1.1.6.1 date 2003.07.24.20.43.50; author rse; state Exp; branches; next 1.1.6.2; 1.1.6.2 date 2003.07.29.14.32.19; author rse; state Exp; branches 1.1.6.2.2.1; next ; 1.1.6.2.2.1 date 2003.10.28.14.26.43; author rse; state Exp; branches; next 1.1.6.2.2.2; 1.1.6.2.2.2 date 2004.05.12.11.56.52; author rse; state Exp; branches; next 1.1.6.2.2.3; 1.1.6.2.2.3 date 2004.06.11.14.43.06; author thl; state Exp; branches; next ; 1.1.8.1 date 2003.10.28.14.30.57; author rse; state Exp; branches; next ; desc @@ 1.42 log @upgrading package: apache 2.2.13 -> 2.2.14 @ text @Index: build/config_vars.sh.in --- build/config_vars.sh.in.orig 2008-02-05 00:00:07 +0100 +++ build/config_vars.sh.in 2009-10-04 19:02:09 +0200 @@@@ -35,7 +35,7 @@@@ APU_CONFIG=@@APU_CONFIG@@ fi -APR_LIBTOOL="`${APR_CONFIG} --apr-libtool`" +APR_LIBTOOL="@@prefix@@/share/apache/build/libtool" APR_INCLUDEDIR="`${APR_CONFIG} --includedir`" APU_INCLUDEDIR="`${APU_CONFIG} --includedir`" Index: config.layout --- config.layout.orig 2004-11-21 19:50:36 +0100 +++ config.layout 2009-10-04 19:02:09 +0200 @@@@ -50,7 +50,7 @@@@ iconsdir: ${datadir}/icons htdocsdir: ${datadir}/htdocs manualdir: ${datadir}/manual - cgidir: ${datadir}/cgi-bin + cgidir: ${exec_prefix}/cgi includedir: ${prefix}/include+ localstatedir: ${prefix}/var+ runtimedir: 
${localstatedir}/run Index: configure --- configure.orig 2009-09-24 01:29:56 +0200 +++ configure 2009-10-04 19:02:09 +0200 @@@@ -3849,6 +3849,11 @@@@ as_fn_error "APR not found. Please read the documentation." "$LINENO" 5 fi +if test "x${USE_BUNDLED_APR}" != "x" ; then + apr_found=reconfig + apr_config=srclib/apr/apr-1-config +fi + if test "$apr_found" = "reconfig"; then # save our work to this point; this allows the sub-package to use it @@@@ -4201,6 +4206,11 @@@@ as_fn_error "APR-util not found. Please read the documentation." "$LINENO" 5 fi +if test "x${USE_BUNDLED_APR}" != "x" ; then + apu_found=reconfig + apu_config=srclib/apr-util/apu-1-config +fi + # Catch some misconfigurations: case ${apr_found}.${apu_found} in reconfig.yes) Index: docs/conf/mime.types --- docs/conf/mime.types.orig 2009-08-28 16:37:37 +0200 +++ docs/conf/mime.types 2009-10-04 19:02:09 +0200 @@@@ -98,6 +98,7 @@@@ application/mbox mbox application/media_control+xml application/mediaservercontrol+xml mscml +application/metalink+xml metalink application/mikey application/moss-keys application/moss-signature @@@@ -547,6 +548,14 @@@@ application/vnd.oasis.opendocument.text-template ott application/vnd.oasis.opendocument.text-web oth application/vnd.obn +application/vnd.openxmlformats-officedocument.presentationml.presentation pptx +application/vnd.openxmlformats-officedocument.presentationml.slide sldx +application/vnd.openxmlformats-officedocument.presentationml.slideshow ppsx +application/vnd.openxmlformats-officedocument.presentationml.template potx +application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx +application/vnd.openxmlformats-officedocument.spreadsheetml.template xltx +application/vnd.openxmlformats-officedocument.wordprocessingml.document docx +application/vnd.openxmlformats-officedocument.wordprocessingml.template dotx application/vnd.olpc-sugar xo application/vnd.oma-scws-config application/vnd.oma-scws-http-request Index: docs/docroot/index.html --- 
docs/docroot/index.html.orig 2004-11-20 21:16:24 +0100 +++ docs/docroot/index.html 2009-10-04 19:02:09 +0200 @@@@ -1 +1,7 @@@@ -

It works!

\ No newline at end of file + + +

It works!

+ It works! Your OpenPKG based Apache HTTP server was successfully installed and started.
+ You now have to read the documentation and configure it according to your local demands. + + Index: modules/generators/mod_autoindex.c --- modules/generators/mod_autoindex.c.orig 2009-08-28 16:37:37 +0200 +++ modules/generators/mod_autoindex.c 2009-10-04 19:03:01 +0200 @@@@ -1573,17 +1573,17 @@@@ ++cols; } - ap_rputs("", r); + ap_rputs("", r); emit_link(r, "Name", K_NAME, keyid, direction, colargs, static_columns); if (!(autoindex_opts & SUPPRESS_LAST_MOD)) { - ap_rputs("", r); + ap_rputs("", r); emit_link(r, "Last modified", K_LAST_MOD, keyid, direction, colargs, static_columns); ++cols; } if (!(autoindex_opts & SUPPRESS_SIZE)) { - ap_rputs("", r); + ap_rputs("", r); emit_link(r, "Size", K_SIZE, keyid, direction, colargs, static_columns); ++cols; @@@@ -1677,7 +1677,14 @@@@ } if (autoindex_opts & TABLE_INDEXING) { - ap_rputs("", r); + char *class; + if (strcmp(t2, "Parent Directory") == 0) + class = "updir"; + else if (ar[x]->isdir) + class = "dir"; + else + class = "file"; + ap_rvputs(r, "", NULL); if (!(autoindex_opts & SUPPRESS_ICON)) { ap_rputs("", r); if (autoindex_opts & ICONS_ARE_LINKS) { @@@@ -1762,9 +1769,6 @@@@ desc_width), NULL); } } - else { - ap_rputs(" ", r); - } } ap_rputs("\n", r); } Index: server/Makefile.in --- server/Makefile.in.orig 2006-03-09 22:29:55 +0100 +++ server/Makefile.in 2009-10-04 19:02:09 +0200 @@@@ -56,7 +56,8 @@@@ tmp=export_files_unsorted.txt; \ rm -f $$tmp && touch $$tmp; \ for dir in $(EXPORT_DIRS); do \ - ls $$dir/*.h >> $$tmp; \ + abs_dir=`cd $$dir && exec pwd`; \ + ls $$abs_dir/*.h >> $$tmp; \ done; \ for dir in $(EXPORT_DIRS_APR); do \ (ls $$dir/ap[ru].h $$dir/ap[ru]_*.h >> $$tmp 2>/dev/null); \ Index: support/Makefile.in --- support/Makefile.in.orig 2005-07-07 01:15:34 +0200 +++ support/Makefile.in 2009-10-04 19:02:09 +0200 @@@@ -22,12 +22,6 @@@@ chmod 755 $(DESTDIR)$(sbindir)/$$i; \ fi ; \ done - @@if test -f "$(builddir)/envvars-std"; then \ - cp -p envvars-std $(DESTDIR)$(sbindir); \ - if test ! 
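Review bot: In the `@@ -1677,7 +1677,14 @@` hunk of modules/generators/mod_autoindex.c, `char *class;` is only ever assigned string literals, so it should be declared `const char *class;`. The `strcmp(t2, "Parent Directory") == 0` test keys the `updir` class on display text, so a listing entry whose shown name happens to equal that string would presumably be styled as the parent link; testing the condition that set `t2` would be more robust, but that code is above the hunk and not visible here. The string literals passed to `ap_rputs`/`ap_rvputs` are empty in this copy of the patch, so the emitted markup itself cannot be reviewed from this page.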
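Review bot: The added ``abs_dir=`cd $$dir && exec pwd`; \`` line in server/Makefile.in does not check for failure: if the `cd` fails, `abs_dir` is empty and the next line lists `/*.h` from the filesystem root into the export list. Stop the recipe instead, e.g. ``abs_dir=`cd $$dir && exec pwd` || exit 1; \``, and quote the expansion as `ls "$$abs_dir"/*.h >> $$tmp; \` so a build path containing spaces is not word-split. The recipe starts and continues outside this hunk.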
-f $(DESTDIR)$(sbindir)/envvars; then \ - cp -p envvars-std $(DESTDIR)$(sbindir)/envvars ; \ - fi ; \ - fi htpasswd_OBJECTS = htpasswd.lo htpasswd: $(htpasswd_OBJECTS) Index: support/apachectl.in --- support/apachectl.in.orig 2006-07-12 05:38:44 +0200 +++ support/apachectl.in 2009-10-04 19:02:09 +0200 @@@@ -43,11 +43,6 @@@@ # the path to your httpd binary, including options if necessary HTTPD='@@exp_sbindir@@/@@progname@@' # -# pick up any necessary environment variables -if test -f @@exp_sbindir@@/envvars; then - . @@exp_sbindir@@/envvars -fi -# # a command that outputs a formatted text version of the HTML at the # url given on the command line. Designed for lynx, however other # programs may work. Index: support/apxs.in --- support/apxs.in.orig 2006-07-12 05:38:44 +0200 +++ support/apxs.in 2009-10-04 19:02:09 +0200 @@@@ -190,9 +190,6 @@@@ my $httpd = get_vars("sbindir") . "/" . get_vars("progname"); $httpd = eval qq("$httpd"); $httpd = eval qq("$httpd"); -my $envvars = get_vars("sbindir") . "/envvars"; -$envvars = eval qq("$envvars"); -$envvars = eval qq("$envvars"); #allow apxs to be run from the source tree, before installation if ($0 =~ m:support/apxs$:) { @@@@ -204,7 +201,7 @@@@ exit 1; } -unless (grep /mod_so/, `. $envvars && $httpd -l`) { +unless (grep /mod_so/, `$httpd -l`) { error("Sorry, no shared object support for Apache"); error("available under your platform. 
Make sure"); error("the Apache module mod_so is compiled into"); @@@@ -338,8 +335,7 @@@@ exit(1); } -my $libtool = `$apr_config --apr-libtool`; -chomp($libtool); +my $libtool = "$prefix/share/apache/build/libtool"; my $apr_includedir = `$apr_config --includes`; chomp($apr_includedir); @ 1.41 log @upgrading package: apache 2.2.11 -> 2.2.12 @ text @d3 1 a3 1 +++ build/config_vars.sh.in 2009-07-28 19:37:48 +0200 d15 1 a15 1 +++ config.layout 2009-07-28 19:37:48 +0200 d26 4 a29 4 --- configure.orig 2009-07-20 22:24:36 +0200 +++ configure 2009-07-28 19:37:49 +0200 @@@@ -3597,6 +3597,11 @@@@ { (exit 1); exit 1; }; } d40 2 a41 2 @@@@ -3957,6 +3962,11 @@@@ { (exit 1); exit 1; }; } d53 2 a54 2 --- docs/conf/mime.types.orig 2009-07-10 14:30:17 +0200 +++ docs/conf/mime.types 2009-07-28 19:37:49 +0200 d80 1 a80 1 +++ docs/docroot/index.html 2009-07-28 19:37:49 +0200 d92 2 a93 2 --- modules/generators/mod_autoindex.c.orig 2008-11-29 22:47:13 +0100 +++ modules/generators/mod_autoindex.c 2009-07-28 19:37:49 +0200 d131 2 a132 1 @@@@ -1763,9 +1770,6 @@@@ d135 3 a138 3 - else { - ap_rputs(" ", r); - } a140 1 else if (autoindex_opts & FANCY_INDEXING) { d143 1 a143 1 +++ server/Makefile.in 2009-07-28 19:37:49 +0200 d156 1 a156 1 +++ support/Makefile.in 2009-07-28 19:37:49 +0200 d172 1 a172 1 +++ support/apachectl.in 2009-07-28 19:37:49 +0200 d187 1 a187 1 +++ support/apxs.in 2009-07-28 19:37:49 +0200 @ 1.40 log @fix autoindex table output and improve output by adding CSS classes @ text @d3 1 a3 1 +++ build/config_vars.sh.in 2009-02-01 17:53:32 +0100 d15 1 a15 1 +++ config.layout 2009-02-01 17:53:32 +0100 d26 2 a27 2 --- configure.orig 2008-12-06 16:17:59 +0100 +++ configure 2009-02-01 17:53:32 +0100 d53 3 a55 3 --- docs/conf/mime.types.orig 2008-12-01 06:54:25 +0100 +++ docs/conf/mime.types 2009-02-01 17:53:32 +0100 @@@@ -83,6 +83,7 @@@@ d63 1 a63 35 @@@@ -103,6 +104,7 @@@@ application/oda oda application/oebps-package+xml application/ogg ogx +application/onenote onetoc onetoc2 onetmp 
onepkg application/parityfec application/patch-ops-error+xml xer application/pdf pdf @@@@ -409,14 +411,25 @@@@ application/vnd.ms-asf asf application/vnd.ms-cab-compressed cab application/vnd.ms-excel xls xlm xla xlc xlt xlw +application/vnd.ms-excel.addin.macroEnabled.12 xlam +application/vnd.ms-excel.sheet.binary.macroEnabled.12 xlsb +application/vnd.ms-excel.sheet.macroEnabled.12 xlsm +application/vnd.ms-excel.template.macroEnabled.12 xltm application/vnd.ms-fontobject eot application/vnd.ms-htmlhelp chm application/vnd.ms-ims ims application/vnd.ms-lrm lrm application/vnd.ms-playready.initiator+xml application/vnd.ms-powerpoint ppt pps pot +application/vnd.ms-powerpoint.addin.macroEnabled.12 ppam +application/vnd.ms-powerpoint.presentation.macroEnabled.12 pptm +application/vnd.ms-powerpoint.slide.macroEnabled.12i sldm +application/vnd.ms-powerpoint.slideshow.macroEnabled.12 ppsm +application/vnd.ms-powerpoint.template.macroEnabled.12 potm application/vnd.ms-project mpp mpt application/vnd.ms-tnef +application/vnd.ms-word.document.macroEnabled.12 docm +application/vnd.ms-word.template.macroEnabled.12 dotm application/vnd.ms-wmdrm.lic-chlg-req application/vnd.ms-wmdrm.lic-resp application/vnd.ms-wmdrm.meter-chlg-req @@@@ -475,6 +488,14 @@@@ a77 8 @@@@ -705,6 +726,7 @@@@ application/x-ustar ustar application/x-wais-source src application/x-x509-ca-cert der crt +application/x-xpinstall xpi application/x400-bp application/xcap-att+xml application/xcap-caps+xml d80 1 a80 1 +++ docs/docroot/index.html 2009-02-01 17:53:32 +0100 d93 1 a93 1 +++ modules/generators/mod_autoindex.c 2009-02-01 18:06:21 +0100 d143 1 a143 1 +++ server/Makefile.in 2009-02-01 17:53:32 +0100 d156 1 a156 1 +++ support/Makefile.in 2009-02-01 17:53:32 +0100 d172 1 a172 1 +++ support/apachectl.in 2009-02-01 17:53:32 +0100 d187 1 a187 1 +++ support/apxs.in 2009-02-01 17:53:32 +0100 @ 1.39 log @upgrading package: apache 2.2.10 -> 2.2.11 @ text @d3 1 a3 1 +++ build/config_vars.sh.in 2008-12-14 11:00:41 
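Review bot: The added entry `application/vnd.ms-powerpoint.slide.macroEnabled.12i sldm` in the `@@ -409,14 +411,25 @@` mime.types hunk carries a stray trailing `i` in the type name; every sibling entry added next to it ends in `.macroEnabled.12`. As written, `.sldm` files would be labelled with a media type that does not match the rest of the family, and the line should read `application/vnd.ms-powerpoint.slide.macroEnabled.12 sldm`. The same line may recur in the other stored revisions of this patch.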
+0100 d15 1 a15 1 +++ config.layout 2008-12-14 11:00:41 +0100 d27 1 a27 1 +++ configure 2008-12-14 11:00:41 +0100 d54 1 a54 1 +++ docs/conf/mime.types 2008-12-14 11:01:41 +0100 d122 1 a122 1 +++ docs/docroot/index.html 2008-12-14 11:00:41 +0100 d135 1 a135 1 +++ modules/generators/mod_autoindex.c 2008-12-14 11:00:41 +0100 d157 26 d185 1 a185 1 +++ server/Makefile.in 2008-12-14 11:00:41 +0100 d198 1 a198 1 +++ support/Makefile.in 2008-12-14 11:00:41 +0100 d214 1 a214 1 +++ support/apachectl.in 2008-12-14 11:00:41 +0100 d229 1 a229 1 +++ support/apxs.in 2008-12-14 11:00:41 +0100 @ 1.38 log @add out-of-the-box support for downloading Mozilla XPI files (packed extensions) @ text @d3 1 a3 1 +++ build/config_vars.sh.in 2008-07-26 20:35:59 +0200 d15 1 a15 1 +++ config.layout 2008-07-26 20:35:59 +0200 d26 3 a28 3 --- configure.orig 2008-06-10 21:18:00 +0200 +++ configure 2008-07-26 20:35:59 +0200 @@@@ -3591,6 +3591,11 @@@@ d40 1 a40 1 @@@@ -3950,6 +3955,11 @@@@ d53 3 a55 4 --- docs/conf/mime.types.orig 2008-01-02 23:10:01 +0100 +++ docs/conf/mime.types 2008-07-26 20:36:56 +0200 @@@@ -81,6 +81,7 @@@@ application/mbms-user-service-description+xml d57 1 d63 1 a63 1 @@@@ -102,6 +103,7 @@@@ d66 2 a67 2 application/ogg ogg +application/onenote onetoc onetoc2 onetmp onepkg d69 1 d71 1 a71 2 application/pgp-encrypted pgp @@@@ -389,14 +391,25 @@@@ d97 1 a97 1 @@@@ -455,6 +468,14 @@@@ d112 1 a112 1 @@@@ -674,6 +695,7 @@@@ d122 1 a122 1 +++ docs/docroot/index.html 2008-07-26 20:35:59 +0200 d134 3 a136 3 --- modules/generators/mod_autoindex.c.orig 2007-12-09 15:46:56 +0100 +++ modules/generators/mod_autoindex.c 2008-07-26 20:35:59 +0200 @@@@ -1564,17 +1564,17 @@@@ d159 1 a159 1 +++ server/Makefile.in 2008-07-26 20:35:59 +0200 d172 1 a172 1 +++ support/Makefile.in 2008-07-26 20:35:59 +0200 d188 1 a188 1 +++ support/apachectl.in 2008-07-26 20:35:59 +0200 d203 1 a203 1 +++ support/apxs.in 2008-07-26 20:35:59 +0200 @ 1.37 log @upgrading package: apache 2.2.8 -> 2.2.9 @ text @d3 1 a3 1 +++ 
build/config_vars.sh.in 2008-06-13 23:59:56 +0200 d15 1 a15 1 +++ config.layout 2008-06-13 23:59:56 +0200 d27 1 a27 1 +++ configure 2008-06-13 23:59:56 +0200 d54 1 a54 1 +++ docs/conf/mime.types 2008-06-13 23:59:56 +0200 d112 8 d122 1 a122 1 +++ docs/docroot/index.html 2008-06-13 23:59:56 +0200 d135 1 a135 1 +++ modules/generators/mod_autoindex.c 2008-06-13 23:59:56 +0200 d159 1 a159 1 +++ server/Makefile.in 2008-06-13 23:59:56 +0200 d172 1 a172 1 +++ support/Makefile.in 2008-06-13 23:59:56 +0200 d188 1 a188 1 +++ support/apachectl.in 2008-06-13 23:59:56 +0200 d203 1 a203 1 +++ support/apxs.in 2008-06-13 23:59:56 +0200 @ 1.36 log @add Metalink type @ text @d2 2 a3 2 --- build/config_vars.sh.in.orig 2006-07-12 05:38:44 +0200 +++ build/config_vars.sh.in 2007-09-10 20:17:11 +0200 d15 1 a15 1 +++ config.layout 2007-09-10 20:17:11 +0200 d26 3 a28 3 --- configure.orig 2007-09-04 22:09:24 +0200 +++ configure 2007-09-10 20:17:11 +0200 @@@@ -3355,6 +3355,11 @@@@ d40 1 a40 1 @@@@ -3710,6 +3715,11 @@@@ d53 2 a54 2 --- docs/conf/mime.types.orig 2007-09-01 00:00:42 +0200 +++ docs/conf/mime.types 2007-09-10 20:18:04 +0200 d61 3 a63 3 application/mp4 mp4s application/mpeg4-generic @@@@ -98,6 +99,7 @@@@ d71 1 a71 1 @@@@ -376,14 +378,25 @@@@ d97 1 a97 1 @@@@ -438,6 +451,14 @@@@ d114 1 a114 1 +++ docs/docroot/index.html 2007-09-10 20:17:11 +0200 d126 3 a128 3 --- modules/generators/mod_autoindex.c.orig 2007-08-30 00:37:26 +0200 +++ modules/generators/mod_autoindex.c 2007-09-10 20:17:11 +0200 @@@@ -1555,17 +1555,17 @@@@ d151 1 a151 1 +++ server/Makefile.in 2007-09-10 20:17:11 +0200 a161 12 Index: srclib/apr-util/crypto/getuuid.c --- srclib/apr-util/crypto/getuuid.c.orig 2006-04-14 20:01:58 +0200 +++ srclib/apr-util/crypto/getuuid.c 2007-09-10 20:17:11 +0200 @@@@ -131,7 +131,7 @@@@ /* crap. 
this isn't crypto quality, but it will be Good Enough */ - get_system_time(&time_now); + time_now = apr_time_now(); srand((unsigned int)(((time_now >> 32) ^ time_now) & 0xffffffff)); return rand() & 0x0FFFF; d164 1 a164 1 +++ support/Makefile.in 2007-09-10 20:17:11 +0200 d180 1 a180 1 +++ support/apachectl.in 2007-09-10 20:17:11 +0200 d195 1 a195 1 +++ support/apxs.in 2007-09-10 20:17:11 +0200 @ 1.35 log @upgrading package: apache 2.2.4 -> 2.2.6 @ text @d3 1 a3 1 +++ build/config_vars.sh.in 2007-09-07 10:12:40 +0200 d15 1 a15 1 +++ config.layout 2007-09-07 10:12:40 +0200 d27 1 a27 1 +++ configure 2007-09-07 10:12:40 +0200 d54 10 a63 2 +++ docs/conf/mime.types 2007-09-07 10:14:33 +0200 @@@@ -98,6 +98,7 @@@@ d71 1 a71 1 @@@@ -376,14 +377,25 @@@@ d97 1 a97 1 @@@@ -438,6 +450,14 @@@@ d114 1 a114 1 +++ docs/docroot/index.html 2007-09-07 10:12:40 +0200 d127 1 a127 1 +++ modules/generators/mod_autoindex.c 2007-09-07 10:12:40 +0200 d151 1 a151 1 +++ server/Makefile.in 2007-09-07 10:12:40 +0200 d164 1 a164 1 +++ srclib/apr-util/crypto/getuuid.c 2007-09-07 10:12:40 +0200 d176 1 a176 1 +++ support/Makefile.in 2007-09-07 10:12:40 +0200 d192 1 a192 1 +++ support/apachectl.in 2007-09-07 10:12:40 +0200 d207 1 a207 1 +++ support/apxs.in 2007-09-07 10:12:40 +0200 @ 1.34 log @add a bunch of MIME types regarding Microsoft Office 2007. As I wasn't lucky to find those information at IANA I tried at microsoft.com. The only source I found was the Japanse TechNet site (http://www.microsoft.com/japan/technet/prodtechnol/office/ork/library/f88d06fb-c9a4-413c-a1d3-40c97e340c5a.mspx?mfr=true). So hopefully everything is set up right, at least for my few test cases it worked correctly. 
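Review bot: The seed in the srclib/apr-util/crypto/getuuid.c hunk is still derived only from the current time (`srand((unsigned int)(((time_now >> 32) ^ time_now) & 0xffffffff))`), and the hunk changes just where that time comes from, so the 16-bit value returned by `rand() & 0x0FFFF` stays guessable for anyone who can estimate when it was generated. The existing comment admits the weakness; it would help to state the consequence next to it, e.g. `/* NOTE: time-seeded rand(); output is guessable, never rely on it for unpredictability */`. Calling `srand()` here also reseeds the process-wide generator for every other `rand()` user. The enclosing function starts and ends outside the hunk.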
@ text @d3 1 a3 1 +++ build/config_vars.sh.in 2007-06-28 22:12:16 +0200 d15 1 a15 1 +++ config.layout 2007-06-28 22:12:16 +0200 d26 3 a28 3 --- configure.orig 2007-01-06 07:40:00 +0100 +++ configure 2007-06-28 22:12:16 +0200 @@@@ -2711,6 +2711,11 @@@@ d40 1 a40 1 @@@@ -3047,6 +3052,11 @@@@ d53 6 a58 6 --- docs/conf/mime.types.orig 2006-01-29 23:34:37.000000000 +0100 +++ docs/conf/mime.types 2007-07-19 19:05:56.000000000 +0200 @@@@ -54,6 +54,7 @@@@ application/octet-stream bin dms lha lzh exe class so dll dmg application/oda oda application/ogg ogg d61 6 a66 6 application/pdf pdf application/pgp-encrypted @@@@ -248,10 +249,21 @@@@ application/vnd.ms-artgalry application/vnd.ms-asf application/vnd.ms-excel xls d71 6 a76 2 application/vnd.ms-lrm application/vnd.ms-powerpoint ppt d82 1 a82 1 application/vnd.ms-project d86 6 a91 23 application/vnd.ms-works application/vnd.ms-wpl application/vnd.mseq @@@@ -265,7 +277,31 @@@@ application/vnd.novadigm.edm application/vnd.novadigm.edx application/vnd.novadigm.ext +application/vnd.oasis.opendocument.text odt +application/vnd.oasis.opendocument.spreadsheet ods +application/vnd.oasis.opendocument.presentation odp +application/vnd.oasis.opendocument.graphics odg +application/vnd.oasis.opendocument.chart odc +application/vnd.oasis.opendocument.formula odf +application/vnd.oasis.opendocument.image odi +application/vnd.oasis.opendocument.text-template ott +application/vnd.oasis.opendocument.spreadsheet-template ots +application/vnd.oasis.opendocument.presentation-template otp +application/vnd.oasis.opendocument.graphics-template otg +application/vnd.oasis.opendocument.chart-template otc +application/vnd.oasis.opendocument.formula-template oft +application/vnd.oasis.opendocument.image-template oti +application/vnd.oasis.opendocument.text-master odm +application/vnd.oasis.opendocument.text-web oth d101 3 a103 3 application/vnd.osa.netdeploy application/vnd.palm application/vnd.pg.format d106 1 a106 1 +++ docs/docroot/index.html 
2007-06-28 22:12:16 +0200 d118 3 a120 3 --- modules/generators/mod_autoindex.c.orig 2006-07-12 05:38:44 +0200 +++ modules/generators/mod_autoindex.c 2007-06-28 22:12:16 +0200 @@@@ -1544,17 +1544,17 @@@@ d143 1 a143 1 +++ server/Makefile.in 2007-06-28 22:12:16 +0200 d156 1 a156 1 +++ srclib/apr-util/crypto/getuuid.c 2007-06-28 22:12:16 +0200 d168 1 a168 1 +++ support/Makefile.in 2007-06-28 22:16:54 +0200 d184 1 a184 1 +++ support/apachectl.in 2007-06-28 22:15:56 +0200 d199 1 a199 1 +++ support/apxs.in 2007-06-28 22:14:31 +0200 @ 1.33 log @nuke envvars stuff (we have apache.sh), remove more runtime files and cleanup packaging in general @ text @d53 33 a85 3 --- docs/conf/mime.types.orig 2006-01-29 23:34:37 +0100 +++ docs/conf/mime.types 2007-06-28 22:12:16 +0200 @@@@ -265,6 +265,22 @@@@ d106 8 d116 1 @ 1.32 log @fix the broken alignments which hurts my eyes @ text @d3 1 a3 1 +++ build/config_vars.sh.in 2007-06-23 11:42:21 +0200 d15 1 a15 1 +++ config.layout 2007-06-23 11:42:21 +0200 d27 1 a27 1 +++ configure 2007-06-23 11:42:21 +0200 d54 1 a54 1 +++ docs/conf/mime.types 2007-06-23 11:42:21 +0200 d80 1 a80 1 +++ docs/docroot/index.html 2007-06-23 11:42:21 +0200 d93 1 a93 1 +++ modules/generators/mod_autoindex.c 2007-06-23 11:43:20 +0200 d117 1 a117 1 +++ server/Makefile.in 2007-06-23 11:42:21 +0200 d130 1 a130 1 +++ srclib/apr-util/crypto/getuuid.c 2007-06-23 11:42:21 +0200 d140 31 d173 21 a193 2 +++ support/apxs.in 2007-06-23 11:42:21 +0200 @@@@ -338,8 +338,7 @@@@ @ 1.31 log @reuse the libtool from APR but post-adjust it for DSO support @ text @d3 1 a3 1 +++ build/config_vars.sh.in 2007-06-22 17:28:50 +0200 d15 1 a15 1 +++ config.layout 2007-06-22 17:28:50 +0200 d27 1 a27 1 +++ configure 2007-06-22 17:28:50 +0200 d54 1 a54 1 +++ docs/conf/mime.types 2007-06-22 17:28:50 +0200 d80 1 a80 1 +++ docs/docroot/index.html 2007-06-22 17:29:05 +0200 d91 24 d117 1 a117 1 +++ server/Makefile.in 2007-06-22 17:28:50 +0200 d130 1 a130 1 +++ srclib/apr-util/crypto/getuuid.c 
2007-06-22 17:28:50 +0200 d142 1 a142 1 +++ support/apxs.in 2007-06-22 17:28:50 +0200 @ 1.30 log @provide a start page with OpenPKG branding and a link to the Apache website and local manual @ text @d9 1 a9 1 +APR_LIBTOOL="@@prefix@@/bin/libtool" d125 1 a125 1 +my $libtool = "$prefix/bin/libtool"; @ 1.29 log @provide /openpkg-cgi/printenv again and provide a new /apache-manual @ text @d3 1 a3 1 +++ build/config_vars.sh.in 2007-06-22 16:45:16 +0200 d15 1 a15 1 +++ config.layout 2007-06-22 16:45:33 +0200 d27 1 a27 1 +++ configure 2007-06-22 16:45:16 +0200 d54 1 a54 1 +++ docs/conf/mime.types 2007-06-22 16:45:16 +0200 d78 13 d93 1 a93 1 +++ server/Makefile.in 2007-06-22 16:45:16 +0200 d106 1 a106 1 +++ srclib/apr-util/crypto/getuuid.c 2007-06-22 16:45:16 +0200 d118 1 a118 1 +++ support/apxs.in 2007-06-22 16:45:16 +0200 @ 1.28 log @use a DSO-capable GNU libtool in Apache apxs instead of the DSO-disabled one from APR @ text @d3 1 a3 1 +++ build/config_vars.sh.in 2007-06-22 13:49:29 +0200 d13 12 d27 1 a27 1 +++ configure 2007-06-22 13:48:25 +0200 d54 1 a54 1 +++ docs/conf/mime.types 2007-06-22 13:48:25 +0200 d80 1 a80 1 +++ server/Makefile.in 2007-06-22 13:48:25 +0200 d93 1 a93 1 +++ srclib/apr-util/crypto/getuuid.c 2007-06-22 13:48:25 +0200 d105 1 a105 1 +++ support/apxs.in 2007-06-22 13:48:25 +0200 @ 1.27 log @new OpenPKG world order: upgrade from Apache 1.3 to 2.2 (part 1/3: updated/new packages) @ text @d1 12 d15 1 a15 1 +++ configure 2007-01-10 19:46:27 +0100 d42 1 a42 1 +++ docs/conf/mime.types 2007-01-10 19:46:27 +0100 d68 1 a68 1 +++ server/Makefile.in 2007-01-10 19:46:27 +0100 d81 1 a81 1 +++ srclib/apr-util/crypto/getuuid.c 2007-01-10 19:46:27 +0100 d91 13 @ 1.26 log @allow a reasonably sized (128KB instead of just 8KB lines) AuthGroupFile, please @ text @d1 30 a30 3 Index: apache_1.3.37/conf/mime.types --- apache_1.3.37/conf/mime.types.orig 2004-11-24 20:10:19 +0100 +++ apache_1.3.37/conf/mime.types 2006-09-10 14:51:11 +0200 d54 23 a76 77 Index: 
apache_1.3.37/configure --- apache_1.3.37/configure.orig 2006-07-12 10:16:05 +0200 +++ apache_1.3.37/configure 2006-09-10 14:49:50 +0200 @@@@ -1175,10 +1175,10 @@@@ ## or we cannot support the case where the relative ## path is just the emtpy one, i.e. ""] ## -runtimedir_relative=`echo $runtimedir | sed -e "s:^$prefix/*::" -e 's:\(.\)$:\1/:'` -logfiledir_relative=`echo $logfiledir | sed -e "s:^$prefix/*::" -e 's:\(.\)$:\1/:'` -sysconfdir_relative=`echo $sysconfdir | sed -e "s:^$prefix/*::" -e 's:\(.\)$:\1/:'` -libexecdir_relative=`echo $libexecdir | sed -e "s:^$prefix/*::" -e 's:\(.\)$:\1/:'` +runtimedir_relative="$runtimedir/" +logfiledir_relative="$logfiledir/" +sysconfdir_relative="$sysconfdir/" +libexecdir_relative="$libexecdir/" ## ## check and debug Index: apache_1.3.37/src/Configure --- apache_1.3.37/src/Configure.orig 2006-07-12 10:16:05 +0200 +++ apache_1.3.37/src/Configure 2006-09-10 14:49:50 +0200 @@@@ -1158,14 +1158,20 @@@@ SHLIB_SUFFIX_DEPTH=0 ;; *-solaris2*) - if [ "x`$CC -v 2>&1 | grep gcc`" != "x" ]; then - CFLAGS_SHLIB="-fPIC" - else - CFLAGS_SHLIB="-KPIC" - fi + CFLAGS_SHLIB="-KPIC" LDFLAGS_SHLIB="-G" - LDFLAGS_MOD_SHLIB=$LDFLAGS_SHLIB LDFLAGS_SHLIB_EXPORT="" + for word in `$CC -v 2>&1` ; do + case $word in + --with-gnu-ld) + LDFLAGS_SHLIB="-shared" + ;; + *gcc*) + CFLAGS_SHLIB="-fPIC" + ;; + esac + done + LDFLAGS_MOD_SHLIB=$LDFLAGS_SHLIB SHLIB_SUFFIX_DEPTH=1 ;; *-sunos4*) @@@@ -1874,27 +1880,12 @@@@ # set the default, based on whether expat-lite is bundled. if it is present, # then we can always include expat. if [ "x$RULE_EXPAT" = "xdefault" ]; then - if [ -d ./lib/expat-lite/ ]; then - RULE_EXPAT=yes - else - RULE_EXPAT=no - fi + RULE_EXPAT=no fi if [ "x$RULE_EXPAT" = "xyes" ]; then - if ./helpers/TestCompile lib expat; then - echo " + using system Expat" - LIBS="$LIBS -lexpat" - else - if [ ! -d ./lib/expat-lite/ ]; then - echo "ERROR: RULE_EXPAT set to \"yes\" but is not available." 
- exit 1 - fi - echo " + using builtin Expat" - EXPATLIB="lib/expat-lite/libexpat.a" - APLIBDIRS="expat-lite $APLIBDIRS" - CFLAGS="$CFLAGS -DUSE_EXPAT -I\$(SRCDIR)/lib/expat-lite" - fi + echo " + using system Expat" + LIBS="$LIBS -lexpat" fi d78 1 a78 49 #################################################################### Index: apache_1.3.37/src/main/util_script.c --- apache_1.3.37/src/main/util_script.c.orig 2006-07-12 10:16:05 +0200 +++ apache_1.3.37/src/main/util_script.c 2006-09-10 14:49:50 +0200 @@@@ -204,6 +204,7 @@@@ } } + if (!(env_path = ap_pstrdup(r->pool, ap_table_get(r->subprocess_env, "PATH")))) if (!(env_path = ap_pstrdup(r->pool, getenv("PATH")))) { env_path = DEFAULT_PATH; } Index: apache_1.3.37/src/include/ap_sha1.h --- apache_1.3.37/src/include/ap_sha1.h.orig 2007-04-02 16:48:10 +0200 +++ apache_1.3.37/src/include/ap_sha1.h 2007-04-02 16:56:23 +0200 @@@@ -38,7 +38,7 @@@@ #define AP_SHA1PW_ID "{SHA}" #define AP_SHA1PW_IDLEN 5 -typedef unsigned long AP_LONG; /* a 32-bit quantity */ +typedef unsigned int AP_LONG; /* a 32-bit quantity */ typedef struct { AP_LONG digest[5]; /* message digest */ Index: apache_1.3.37/src/modules/standard/mod_auth.c --- apache_1.3.37/src/modules/standard/mod_auth.c.orig 2006-07-12 10:16:05 +0200 +++ apache_1.3.37/src/modules/standard/mod_auth.c 2007-04-15 18:08:53 +0200 @@@@ -107,7 +107,7 @@@@ configfile_t *f; table *grps = ap_make_table(p, 15); pool *sp; - char l[MAX_STRING_LEN]; + char *l; const char *group_name, *ll, *w; if (!(f = ap_pcfg_openfile(p, grpfile))) { @@@@ -116,9 +116,11 @@@@ return NULL; } + if ((l = (char *)ap_palloc(p, 128*1024)) == NULL) + return NULL; sp = ap_make_sub_pool(p); - while (!(ap_cfg_getline(l, MAX_STRING_LEN, f))) { + while (!(ap_cfg_getline(l, 128*1024, f))) { if ((l[0] == '#') || (!l[0])) continue; ll = l; @ 1.25 log @fix SHA1 function under AMD64 (where "sizeof(unsigned long) == 8") by using "unsigned int" in the same brain-dead and still partly broken way (as "sizeof(unsigned int) == 
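Review bot: The added line in the util_script.c hunk stacks a second `if` in front of the existing one with no braces and no extra indentation, so the fallback order (PATH from `r->subprocess_env`, then the server's own `getenv("PATH")`, then `DEFAULT_PATH`) is easy to misread and easy to break in a later edit. A flat sequence is clearer: `env_path = ap_pstrdup(r->pool, ap_table_get(r->subprocess_env, "PATH"));` followed by `if (!env_path) env_path = ap_pstrdup(r->pool, getenv("PATH"));` and `if (!env_path) env_path = DEFAULT_PATH;`. Because a PATH entry in `r->subprocess_env` now overrides the server's PATH for spawned scripts, a comment should say which configuration is expected to populate it; whether request-derived data can reach that table depends on configuration not visible here. The enclosing function continues outside the hunk.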
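Review bot: In the second mod_auth.c hunk the 128 KB line buffer is taken from `p` before `sp = ap_make_sub_pool(p);`, so it lives as long as the caller's pool rather than this function's scratch pool, and the size `128*1024` is written out twice (in the allocation and in `ap_cfg_getline`). Allocate after the sub-pool exists and name the size once, for example with a constant such as `#define GROUPFILE_LINE_MAX (128*1024)` (name is a suggestion), then `l = ap_palloc(sp, GROUPFILE_LINE_MAX);` and `while (!(ap_cfg_getline(l, GROUPFILE_LINE_MAX, f))) {`, assuming `sp` is destroyed before the function returns, which happens outside the hunk. The new `return NULL` is also reached after `ap_pcfg_openfile` has succeeded, and nothing on that path closes `f`. The function body starts and ends outside both hunks.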
4" cannot be assumed in general) as the MD5 function in the Apache source. KEEP IN MIND THAT THIS IS STILL UGLY, BUT AT LEAST SLIGHTLY BETTER AND AT LEAST AS BRAIN-DEAD AS THE EXISTING MD5 CODE. @ text @d129 25 @ 1.24 log @now that the OpenDocument stuff is officially registered at IANA (see http://www.iana.org/assignments/media-types/application/), add the MIME types to Apache's mime.types database @ text @d117 12 @ 1.23 log @upgrading package: apache 1.3.36 -> 1.3.37 @ text @d1 26 d29 1 a29 1 +++ apache_1.3.37/configure 2006-07-28 08:07:56 +0200 d47 1 a47 1 +++ apache_1.3.37/src/Configure 2006-07-28 08:07:56 +0200 d108 1 a108 1 +++ apache_1.3.37/src/main/util_script.c 2006-07-28 08:07:56 +0200 @ 1.22 log @upgrading package: apache 1.3.35 -> 1.3.36 @ text @d1 4 a4 4 Index: apache_1.3.36/configure --- apache_1.3.36/configure.orig 2006-04-21 20:40:11 +0200 +++ apache_1.3.36/configure 2006-04-30 19:30:09 +0200 @@@@ -1174,10 +1174,10 @@@@ d19 4 a22 4 Index: apache_1.3.36/src/Configure --- apache_1.3.36/src/Configure.orig 2005-10-14 01:36:04 +0200 +++ apache_1.3.36/src/Configure 2006-04-30 19:30:09 +0200 @@@@ -1157,14 +1157,20 @@@@ d49 1 a49 1 @@@@ -1873,27 +1879,12 @@@@ d80 4 a83 4 Index: apache_1.3.36/src/main/util_script.c --- apache_1.3.36/src/main/util_script.c.orig 2006-04-21 20:40:11 +0200 +++ apache_1.3.36/src/main/util_script.c 2006-04-30 19:30:09 +0200 @@@@ -203,6 +203,7 @@@@ @ 1.22.2.1 log @upgrading package: apache 1.3.36 -> 1.3.37 @ text @d1 4 a4 4 Index: apache_1.3.37/configure --- apache_1.3.37/configure.orig 2006-07-12 10:16:05 +0200 +++ apache_1.3.37/configure 2006-07-28 08:07:56 +0200 @@@@ -1175,10 +1175,10 @@@@ d19 4 a22 4 Index: apache_1.3.37/src/Configure --- apache_1.3.37/src/Configure.orig 2006-07-12 10:16:05 +0200 +++ apache_1.3.37/src/Configure 2006-07-28 08:07:56 +0200 @@@@ -1158,14 +1158,20 @@@@ d49 1 a49 1 @@@@ -1874,27 +1880,12 @@@@ d80 4 a83 4 Index: apache_1.3.37/src/main/util_script.c --- apache_1.3.37/src/main/util_script.c.orig 
2006-07-12 10:16:05 +0200 +++ apache_1.3.37/src/main/util_script.c 2006-07-28 08:07:56 +0200 @@@@ -204,6 +204,7 @@@@ @ 1.22.2.2 log @MFC: recent PHP update and ODF additions @ text @a0 26 Index: apache_1.3.37/conf/mime.types --- apache_1.3.37/conf/mime.types.orig 2004-11-24 20:10:19 +0100 +++ apache_1.3.37/conf/mime.types 2006-09-10 14:51:11 +0200 @@@@ -265,6 +265,22 @@@@ application/vnd.novadigm.edm application/vnd.novadigm.edx application/vnd.novadigm.ext +application/vnd.oasis.opendocument.text odt +application/vnd.oasis.opendocument.spreadsheet ods +application/vnd.oasis.opendocument.presentation odp +application/vnd.oasis.opendocument.graphics odg +application/vnd.oasis.opendocument.chart odc +application/vnd.oasis.opendocument.formula odf +application/vnd.oasis.opendocument.image odi +application/vnd.oasis.opendocument.text-template ott +application/vnd.oasis.opendocument.spreadsheet-template ots +application/vnd.oasis.opendocument.presentation-template otp +application/vnd.oasis.opendocument.graphics-template otg +application/vnd.oasis.opendocument.chart-template otc +application/vnd.oasis.opendocument.formula-template oft +application/vnd.oasis.opendocument.image-template oti +application/vnd.oasis.opendocument.text-master odm +application/vnd.oasis.opendocument.text-web oth application/vnd.obn application/vnd.osa.netdeploy application/vnd.palm d3 1 a3 1 +++ apache_1.3.37/configure 2006-09-10 14:49:50 +0200 d21 1 a21 1 +++ apache_1.3.37/src/Configure 2006-09-10 14:49:50 +0200 d82 1 a82 1 +++ apache_1.3.37/src/main/util_script.c 2006-09-10 14:49:50 +0200 @ 1.21 log @upgrading package: apache 1.3.34 -> 1.3.35 @ text @d1 3 a3 3 Index: apache_1.3.35/configure --- apache_1.3.35/configure.orig 2006-04-21 20:40:11 +0200 +++ apache_1.3.35/configure 2006-04-30 19:30:09 +0200 d19 3 a21 3 Index: apache_1.3.35/src/Configure --- apache_1.3.35/src/Configure.orig 2005-10-14 01:36:04 +0200 +++ apache_1.3.35/src/Configure 2006-04-30 19:30:09 +0200 d80 3 a82 3 Index: 
apache_1.3.35/src/main/util_script.c --- apache_1.3.35/src/main/util_script.c.orig 2006-04-21 20:40:11 +0200 +++ apache_1.3.35/src/main/util_script.c 2006-04-30 19:30:09 +0200 @ 1.20 log @Security Fix (CVE-2005-3352) @ text @d1 3 a3 3 Index: apache_1.3.34/configure --- apache_1.3.34/configure.orig 2004-02-20 23:40:50 +0100 +++ apache_1.3.34/configure 2004-10-22 11:53:40 +0200 d19 3 a21 3 Index: apache_1.3.34/src/Configure --- apache_1.3.34/src/Configure.orig 2004-09-16 01:45:17 +0200 +++ apache_1.3.34/src/Configure 2004-10-22 11:53:40 +0200 d80 3 a82 3 Index: apache_1.3.34/src/main/util_script.c --- apache_1.3.34/src/main/util_script.c.orig 2004-02-16 23:29:33 +0100 +++ apache_1.3.34/src/main/util_script.c 2004-10-22 11:53:40 +0200 a90 41 ----------------------------------------------------------------------------- Security Fix (CVE-2005-3352) Index: apache_1.3.34/src/main/util.c --- apache_1.3.34/src/main/util.c.orig 2004-11-24 20:10:19 +0100 +++ apache_1.3.34/src/main/util.c 2005-12-14 21:06:57 +0100 @@@@ -1722,6 +1722,8 @@@@ j += 3; else if (s[i] == '&') j += 4; + else if (s[i] == '"') + j += 5; if (j == 0) return ap_pstrndup(p, s, i); @@@@ -1740,6 +1742,10 @@@@ memcpy(&x[j], "&", 5); j += 4; } + else if (s[i] == '"') { + memcpy(&x[j], """, 6); + j += 5; + } else x[j] = s[i]; Index: apache_1.3.34/src/modules/standard/mod_imap.c --- apache_1.3.34/src/modules/standard/mod_imap.c.orig 2004-11-24 20:10:19 +0100 +++ apache_1.3.34/src/modules/standard/mod_imap.c 2005-12-14 21:06:57 +0100 @@@@ -328,7 +328,7 @@@@ if (!strcasecmp(value, "referer")) { referer = ap_table_get(r->headers_in, "Referer"); if (referer && *referer) { - return ap_pstrdup(r->pool, referer); + return ap_escape_html(r->pool, referer); } else { /* XXX: This used to do *value = '\0'; ... 
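Review bot: The two util.c hunks add `"` to the escaped characters, but as far as these hunks show the single quote is still copied through unchanged, so the result is only safe in element text and double-quoted attributes. A comment on the function should say so, for example `/* does not escape '; use the result only in element text or double-quoted attributes */`. The sizing loop in the first hunk and the copy loop in the second must stay in step, which the matching `j += 5` in both currently ensures; a comment linking the two would help the next person who adds a character. On this page the string literals in the second hunk are shown entity-decoded; the copy lengths 5 and 6 correspond to `&amp;` and `&quot;`. The same patch text recurs in later branch revisions further down this file.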
which is totally bogus @ 1.19 log @upgrading package: apache 1.3.33 -> 1.3.34 @ text @d91 41 @ 1.18 log @upgrading package: apache 1.3.32 -> 1.3.33 @ text @d1 3 a3 3 Index: apache_1.3.33/configure --- apache_1.3.33/configure.orig 2004-02-20 23:40:50 +0100 +++ apache_1.3.33/configure 2004-10-22 11:53:40 +0200 d19 3 a21 3 Index: apache_1.3.33/src/Configure --- apache_1.3.33/src/Configure.orig 2004-09-16 01:45:17 +0200 +++ apache_1.3.33/src/Configure 2004-10-22 11:53:40 +0200 d80 3 a82 3 Index: apache_1.3.33/src/main/util_script.c --- apache_1.3.33/src/main/util_script.c.orig 2004-02-16 23:29:33 +0100 +++ apache_1.3.33/src/main/util_script.c 2004-10-22 11:53:40 +0200 @ 1.18.2.1 log @apply security fix @ text @a90 28 ----------------------------------------------------------------------------- Security Fix: If a request contains both Transfer-Encoding and Content-Length headers, remove the Content-Length, mitigating some HTTP Request Splitting/Spoofing attacks. This has no impact on mod_proxy_http, yet affects any module which supports chunked encoding yet fails to prefer T-E: chunked over the Content-Length purported value. Index: apache_1.3.33/src/main/http_protocol.c --- apache_1.3.33/src/main/http_protocol.c 2004-09-16 01:45:18 +0200 +++ apache_1.3.33/src/main/http_protocol.c 2005-08-08 19:52:01 +0200 @@@@ -1210,6 +1212,14 @@@@ ap_log_transaction(r); return r; } + if (ap_table_get(r->headers_in, "Transfer-Encoding") + && ap_table_get(r->headers_in, "Content-Length")) { + /* 2616 section 4.4, point 3: "if both Transfer-Encoding + * and Content-Length are received, the latter MUST be + * ignored"; so unset it here to prevent any confusion + * later. 
*/ + ap_table_unset(r->headers_in, "Content-Length"); + } } else { ap_kill_timeout(r); @ 1.18.2.2 log @Security Fix (CVE-2005-3352) @ text @a118 41 ----------------------------------------------------------------------------- Security Fix (CVE-2005-3352) Index: apache_1.3.33/src/main/util.c --- apache_1.3.33/src/main/util.c.orig 2004-11-24 20:10:19 +0100 +++ apache_1.3.33/src/main/util.c 2005-12-14 21:06:57 +0100 @@@@ -1722,6 +1722,8 @@@@ j += 3; else if (s[i] == '&') j += 4; + else if (s[i] == '"') + j += 5; if (j == 0) return ap_pstrndup(p, s, i); @@@@ -1740,6 +1742,10 @@@@ memcpy(&x[j], "&", 5); j += 4; } + else if (s[i] == '"') { + memcpy(&x[j], """, 6); + j += 5; + } else x[j] = s[i]; Index: apache_1.3.33/src/modules/standard/mod_imap.c --- apache_1.3.33/src/modules/standard/mod_imap.c.orig 2004-11-24 20:10:19 +0100 +++ apache_1.3.33/src/modules/standard/mod_imap.c 2005-12-14 21:06:57 +0100 @@@@ -328,7 +328,7 @@@@ if (!strcasecmp(value, "referer")) { referer = ap_table_get(r->headers_in, "Referer"); if (referer && *referer) { - return ap_pstrdup(r->pool, referer); + return ap_escape_html(r->pool, referer); } else { /* XXX: This used to do *value = '\0'; ... which is totally bogus @ 1.18.4.1 log @apply security fix @ text @a90 28 ----------------------------------------------------------------------------- Security Fix: If a request contains both Transfer-Encoding and Content-Length headers, remove the Content-Length, mitigating some HTTP Request Splitting/Spoofing attacks. This has no impact on mod_proxy_http, yet affects any module which supports chunked encoding yet fails to prefer T-E: chunked over the Content-Length purported value. 
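Review bot: The new block in http_protocol.c drops `Content-Length` silently when `Transfer-Encoding` is also present, so a request carrying both headers leaves no trace in the error log. Such requests are unusual enough to be worth recording for detection, for example `ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_INFO, r, "Content-Length ignored: Transfer-Encoding also present");` placed before the `ap_table_unset` call. The check fires for any `Transfer-Encoding` value, not only `chunked`; that matches the RFC text quoted in the comment, and saying so there would save the next reader the lookup. The same hunk recurs in two later branch revisions of this file.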
Index: apache_1.3.33/src/main/http_protocol.c --- apache_1.3.33/src/main/http_protocol.c 2004-09-16 01:45:18 +0200 +++ apache_1.3.33/src/main/http_protocol.c 2005-08-08 19:52:01 +0200 @@@@ -1210,6 +1212,14 @@@@ ap_log_transaction(r); return r; } + if (ap_table_get(r->headers_in, "Transfer-Encoding") + && ap_table_get(r->headers_in, "Content-Length")) { + /* 2616 section 4.4, point 3: "if both Transfer-Encoding + * and Content-Length are received, the latter MUST be + * ignored"; so unset it here to prevent any confusion + * later. */ + ap_table_unset(r->headers_in, "Content-Length"); + } } else { ap_kill_timeout(r); @ 1.18.4.2 log @Security Fix (CVE-2005-3352) @ text @a118 40 ----------------------------------------------------------------------------- Security Fix (CVE-2005-3352) Index: apache_1.3.33/src/main/util.c --- apache_1.3.33/src/main/util.c.orig 2004-11-24 20:10:19 +0100 +++ apache_1.3.33/src/main/util.c 2005-12-14 21:06:57 +0100 @@@@ -1722,6 +1722,8 @@@@ j += 3; else if (s[i] == '&') j += 4; + else if (s[i] == '"') + j += 5; if (j == 0) return ap_pstrndup(p, s, i); @@@@ -1740,6 +1742,10 @@@@ memcpy(&x[j], "&", 5); j += 4; } + else if (s[i] == '"') { + memcpy(&x[j], """, 6); + j += 5; + } else x[j] = s[i]; Index: apache_1.3.33/src/modules/standard/mod_imap.c --- apache_1.3.33/src/modules/standard/mod_imap.c.orig 2004-11-24 20:10:19 +0100 +++ apache_1.3.33/src/modules/standard/mod_imap.c 2005-12-14 21:06:57 +0100 @@@@ -328,7 +328,7 @@@@ if (!strcasecmp(value, "referer")) { referer = ap_table_get(r->headers_in, "Referer"); if (referer && *referer) { - return ap_pstrdup(r->pool, referer); + return ap_escape_html(r->pool, referer); } else { /* XXX: This used to do *value = '\0'; ... 
which is totally bogus @ 1.18.4.3 log @Security Fix (CVE-2006-3747) @ text @a158 19 ----------------------------------------------------------------------------- Security Fix (CVE-2006-3747) Index: apache_1.3.33/src/modules/standard/mod_rewrite.c --- apache_1.3.33/src/modules/standard/mod_rewrite.c.orig 2004-10-27 16:23:04 +0200 +++ apache_1.3.33/src/modules/standard/mod_rewrite.c 2006-07-27 19:28:17 +0200 @@@@ -2735,7 +2735,7 @@@@ int c = 0; token[0] = cp = ap_pstrdup(p, cp); - while (*cp && c < 5) { + while (*cp && c < 4) { if (*cp == '?') { token[++c] = cp + 1; *cp = '\0'; @ 1.18.6.1 log @apply security fix @ text @a90 28 ----------------------------------------------------------------------------- Security Fix: If a request contains both Transfer-Encoding and Content-Length headers, remove the Content-Length, mitigating some HTTP Request Splitting/Spoofing attacks. This has no impact on mod_proxy_http, yet affects any module which supports chunked encoding yet fails to prefer T-E: chunked over the Content-Length purported value. Index: apache_1.3.33/src/main/http_protocol.c --- apache_1.3.33/src/main/http_protocol.c 2004-09-16 01:45:18 +0200 +++ apache_1.3.33/src/main/http_protocol.c 2005-08-08 19:52:01 +0200 @@@@ -1210,6 +1212,14 @@@@ ap_log_transaction(r); return r; } + if (ap_table_get(r->headers_in, "Transfer-Encoding") + && ap_table_get(r->headers_in, "Content-Length")) { + /* 2616 section 4.4, point 3: "if both Transfer-Encoding + * and Content-Length are received, the latter MUST be + * ignored"; so unset it here to prevent any confusion + * later. 
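Review bot: The corrected bound `c < 4` in mod_rewrite.c is a bare number that has to match the size of `token`, which is declared outside the hunk, so the off-by-one this patch fixes can come back if the array is ever resized. If `token` is a fixed-size array in this function, deriving the limit from it keeps the two tied together: `while (*cp && c < (int)(sizeof(token) / sizeof(token[0])) - 1) {`. If it is a pointer instead, a named constant shared with the declaration does the same job. The same one-line fix appears again in a later branch revision of this file.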
*/ + ap_table_unset(r->headers_in, "Content-Length"); + } } else { ap_kill_timeout(r); @ 1.18.6.2 log @Security Fix (CVE-2005-3352) @ text @a118 40 ----------------------------------------------------------------------------- Security Fix (CVE-2005-3352) Index: apache_1.3.33/src/main/util.c --- apache_1.3.33/src/main/util.c.orig 2004-11-24 20:10:19 +0100 +++ apache_1.3.33/src/main/util.c 2005-12-14 21:06:57 +0100 @@@@ -1722,6 +1722,8 @@@@ j += 3; else if (s[i] == '&') j += 4; + else if (s[i] == '"') + j += 5; if (j == 0) return ap_pstrndup(p, s, i); @@@@ -1740,6 +1742,10 @@@@ memcpy(&x[j], "&", 5); j += 4; } + else if (s[i] == '"') { + memcpy(&x[j], """, 6); + j += 5; + } else x[j] = s[i]; Index: apache_1.3.33/src/modules/standard/mod_imap.c --- apache_1.3.33/src/modules/standard/mod_imap.c.orig 2004-11-24 20:10:19 +0100 +++ apache_1.3.33/src/modules/standard/mod_imap.c 2005-12-14 21:06:57 +0100 @@@@ -328,7 +328,7 @@@@ if (!strcasecmp(value, "referer")) { referer = ap_table_get(r->headers_in, "Referer"); if (referer && *referer) { - return ap_pstrdup(r->pool, referer); + return ap_escape_html(r->pool, referer); } else { /* XXX: This used to do *value = '\0'; ... 
which is totally bogus @ 1.18.6.3 log @Security Fix (CVE-2006-3747) @ text @a158 19 ----------------------------------------------------------------------------- Security Fix (CVE-2006-3747) Index: apache_1.3.33/src/modules/standard/mod_rewrite.c --- apache_1.3.33/src/modules/standard/mod_rewrite.c.orig 2004-10-27 16:23:04 +0200 +++ apache_1.3.33/src/modules/standard/mod_rewrite.c 2006-07-27 19:28:17 +0200 @@@@ -2735,7 +2735,7 @@@@ int c = 0; token[0] = cp = ap_pstrdup(p, cp); - while (*cp && c < 5) { + while (*cp && c < 4) { if (*cp == '?') { token[++c] = cp + 1; *cp = '\0'; @ 1.17 log @simplify packaging again by recreating the patch against the new apache source dir and this way also merging together the two patches against src/Configure @ text @d1 3 a3 3 Index: apache_1.3.32/configure --- apache_1.3.32/configure.orig 2004-02-20 23:40:50 +0100 +++ apache_1.3.32/configure 2004-10-22 11:53:40 +0200 d19 3 a21 3 Index: apache_1.3.32/src/Configure --- apache_1.3.32/src/Configure.orig 2004-09-16 01:45:17 +0200 +++ apache_1.3.32/src/Configure 2004-10-22 11:53:40 +0200 d80 3 a82 3 Index: apache_1.3.32/src/main/util_script.c --- apache_1.3.32/src/main/util_script.c.orig 2004-02-16 23:29:33 +0100 +++ apache_1.3.32/src/main/util_script.c 2004-10-22 11:53:40 +0200 @ 1.16 log @upgrading package: apache 1.3.31 -> 1.3.32 @ text @d1 4 a4 3 --- apache_1.3.31/configure.orig Tue May 21 14:24:59 2002 +++ apache_1.3.31/configure Mon Feb 10 11:08:40 2003 @@@@ -1216,10 +1216,10 @@@@ d19 4 a22 3 --- apache_1.3.31/src/Configure.dist 2003-06-11 11:59:51.000000000 +0200 +++ apache_1.3.31/src/Configure 2003-06-11 12:46:14.000000000 +0200 @@@@ -1190,14 +1190,20 @@@@ d49 1 a49 15 --- apache_1.3.31/src/main/util_script.c.orig Mon Jul 28 17:13:56 2003 +++ apache_1.3.31/src/main/util_script.c Tue Jul 29 15:55:27 2003 @@@@ -246,6 +246,7 @@@@ } } + if (!(env_path = ap_pstrdup(r->pool, ap_table_get(r->subprocess_env, "PATH")))) if (!(env_path = ap_pstrdup(r->pool, getenv("PATH")))) { env_path = 
DEFAULT_PATH; } Index: apache_1.3.31/src/Configure --- apache_1.3.31/src/Configure.orig 2004-07-26 14:20:53 +0200 +++ apache_1.3.31/src/Configure 2004-07-26 14:41:24 +0200 @@@@ -1867,27 +1867,12 @@@@ d80 11 @ 1.15 log @fix use-external-Expat patch @ text @a57 24 =================================================================== SA-2004.029-apache CAN-2004-0492 RCS file: /home/cvspublic/apache-1.3/src/modules/proxy/proxy_http.c,v retrieving revision 1.106 retrieving revision 1.107 diff -u -r1.106 -r1.107 --- apache_1.3.31/src/modules/proxy/proxy_http.c 2004/03/29 17:47:15 1.106 +++ apache_1.3.31/src/modules/proxy/proxy_http.c 2004/06/11 07:54:38 1.107 @@@@ -485,6 +485,13 @@@@ content_length = ap_table_get(resp_hdrs, "Content-Length"); if (content_length != NULL) { c->len = ap_strtol(content_length, NULL, 10); + + if (c->len < 0) { + ap_kill_timeout(r); + return ap_proxyerror(r, HTTP_BAD_GATEWAY, ap_pstrcat(r->pool, + "Invalid Content-Length from remote server", + NULL)); + } } } @ 1.15.2.1 log @Security Fix (CAN-2004-0940) @ text @d57 25 a115 249 ----------------------------------------------------------------------------- Security Fix (SA-2004.029-apache CAN-2004-0492) Heap-based buffer overflow mod_proxy allows remote attackers to cause a denial of service (process crash) and possibly execute arbitrary code via a negative Content-Length HTTP header field, which causes a large amount of data to be copied. 
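Review bot: The added `c->len < 0` check in proxy_http.c rejects a negative length, but `ap_strtol(content_length, NULL, 10)` is still called with a NULL end pointer, so a value with trailing garbage, or one that is not a number at all, is accepted as whatever the conversion returns. Passing an end pointer closes that gap: `c->len = ap_strtol(content_length, &end, 10);` followed by `if (end == content_length || *end != '\0' || c->len < 0) {`, with `char *end;` declared at the top of the block (relax the `*end` test to allow trailing whitespace if the header value is not already trimmed). Whether `ap_strtol` reports range errors through `errno` is not visible here and should be confirmed before relying on it. The same hunk is repeated in later revisions of this file.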
Index: apache_1.3.31/src/modules/proxy/proxy_http.c --- apache_1.3.31/src/modules/proxy/proxy_http.c 2004-03-29 19:47:15 +0200 +++ apache_1.3.31/src/modules/proxy/proxy_http.c 2004-06-11 09:54:38 +0200 @@@@ -485,6 +485,13 @@@@ content_length = ap_table_get(resp_hdrs, "Content-Length"); if (content_length != NULL) { c->len = ap_strtol(content_length, NULL, 10); + + if (c->len < 0) { + ap_kill_timeout(r); + return ap_proxyerror(r, HTTP_BAD_GATEWAY, ap_pstrcat(r->pool, + "Invalid Content-Length from remote server", + NULL)); + } } } ----------------------------------------------------------------------------- Security Fix (CAN-2004-0940) Buffer overflow in the get_tag() function in mod_include allows local users who can create SSI documents to execute arbitrary code as the Apache run-time user via SSI (XSSI) documents that trigger a length calculation error. Index: apache_1.3.31/src/modules/standard/mod_include.c --- apache_1.3.31/src/modules/standard/mod_include.c 2004-02-28 23:19:04 +0100 +++ apache_1.3.31/src/modules/standard/mod_include.c 2004-10-25 17:44:04 +0200 @@@@ -309,9 +309,10 @@@@ * the tag value is html decoded if dodecode is non-zero */ -static char *get_tag(pool *p, FILE *in, char *tag, int tagbuf_len, int dodecode) +static char *get_tag(request_rec *r, FILE *in, char *tag, int tagbuf_len, int dodecode) { char *t = tag, *tag_val, c, term; + pool *p = r->pool; /* makes code below a little less cluttered */ --tagbuf_len; @@@@ -337,7 +338,7 @@@@ /* find end of tag name */ while (1) { - if (t - tag == tagbuf_len) { + if (t == tag + tagbuf_len) { *t = '\0'; return NULL; } @@@@ -371,16 +372,30 @@@@ term = c; while (1) { GET_CHAR(in, c, NULL, p); - if (t - tag == tagbuf_len) { + if (t == tag + tagbuf_len) { *t = '\0'; + ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r, + "mod_include: value length exceeds limit" + " (%d) in %s", tagbuf_len, r->filename); return NULL; } -/* Want to accept \" as a valid character within a string. 
*/ + /* Want to accept \" as a valid character within a string. */ if (c == '\\') { - *(t++) = c; /* Add backslash */ GET_CHAR(in, c, NULL, p); - if (c == term) { /* Only if */ - *(--t) = c; /* Replace backslash ONLY for terminator */ + /* Insert backslash only if not escaping a terminator char */ + if (c != term) { + *(t++) = '\\'; + /* + * check to make sure that adding in the backslash won't cause + * an overflow, since we're now 1 character ahead. + */ + if (t == tag + tagbuf_len) { + *t = '\0'; + ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r, + "mod_include: value length exceeds limit" + " (%d) in %s", tagbuf_len, r->filename); + return NULL; + } } } else if (c == term) { @@@@ -395,9 +410,10 @@@@ return ap_pstrdup(p, tag_val); } -static int get_directive(FILE *in, char *dest, size_t len, pool *p) +static int get_directive(FILE *in, char *dest, size_t len, request_rec *r) { char *d = dest; + pool *p = r->pool; char c; /* make room for nul terminator */ @@@@ -413,6 +429,9 @@@@ /* now get directive */ while (1) { if (d == len + dest) { + ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r, + "mod_include: directive length exceeds limit" + " (%lu) in %s", (unsigned long)len+1, r->filename); return 1; } *d++ = ap_tolower(c); @@@@ -616,7 +635,7 @@@@ char *tag_val; while (1) { - if (!(tag_val = get_tag(r->pool, in, tag, sizeof(tag), 1))) { + if (!(tag_val = get_tag(r, in, tag, sizeof(tag), 1))) { return 1; } if (!strcmp(tag, "file") || !strcmp(tag, "virtual")) { @@@@ -839,7 +858,7 @@@@ char parsed_string[MAX_STRING_LEN]; while (1) { - if (!(tag_val = get_tag(r->pool, in, tag, sizeof(tag), 1))) { + if (!(tag_val = get_tag(r, in, tag, sizeof(tag), 1))) { return 1; } if (!strcmp(tag, "cmd")) { @@@@ -890,7 +909,7 @@@@ encode = E_ENTITY; while (1) { - if (!(tag_val = get_tag(r->pool, in, tag, sizeof(tag), 1))) { + if (!(tag_val = get_tag(r, in, tag, sizeof(tag), 1))) { return 1; } if (!strcmp(tag, "var")) { @@@@ -952,7 +971,7 @@@@ return DECLINED; } while (1) { - 
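Review bot: The overflow checks in `get_tag` test for exact equality, `t == tag + tagbuf_len`, which only holds while `t` can never step past the limit between two checks; the second check added inside the backslash branch exists precisely because `t` can advance twice in one iteration. Comparing the distance stays correct if another write is added later: `if (t - tag >= tagbuf_len) {` in each of the three places. The tag-name loop in the earlier hunk still returns NULL without the `ap_log_rerror` call that the value loop now has, so an over-long name is rejected without a log entry. The function starts and ends outside these hunks, and the same patch is repeated in a later revision of this file.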
if (!(tag_val = get_tag(r->pool, in, tag, sizeof(tag), 1))) { + if (!(tag_val = get_tag(r, in, tag, sizeof(tag), 1))) { break; } if (strnEQ(tag, "sub", 3)) { @@@@ -985,7 +1004,7 @@@@ table *env = r->subprocess_env; while (1) { - if (!(tag_val = get_tag(r->pool, in, tag, sizeof(tag), 0))) { + if (!(tag_val = get_tag(r, in, tag, sizeof(tag), 0))) { return 1; } if (!strcmp(tag, "errmsg")) { @@@@ -1101,7 +1120,7 @@@@ char parsed_string[MAX_STRING_LEN]; while (1) { - if (!(tag_val = get_tag(r->pool, in, tag, sizeof(tag), 1))) { + if (!(tag_val = get_tag(r, in, tag, sizeof(tag), 1))) { return 1; } else if (!strcmp(tag, "done")) { @@@@ -1141,7 +1160,7 @@@@ char parsed_string[MAX_STRING_LEN]; while (1) { - if (!(tag_val = get_tag(r->pool, in, tag, sizeof(tag), 1))) { + if (!(tag_val = get_tag(r, in, tag, sizeof(tag), 1))) { return 1; } else if (!strcmp(tag, "done")) { @@@@ -1917,7 +1936,7 @@@@ expr = NULL; while (1) { - tag_val = get_tag(r->pool, in, tag, sizeof(tag), 0); + tag_val = get_tag(r, in, tag, sizeof(tag), 0); if (!tag_val || *tag == '\0') { return 1; } @@@@ -1960,7 +1979,7 @@@@ expr = NULL; while (1) { - tag_val = get_tag(r->pool, in, tag, sizeof(tag), 0); + tag_val = get_tag(r, in, tag, sizeof(tag), 0); if (!tag_val || *tag == '\0') { return 1; } @@@@ -2007,7 +2026,7 @@@@ { char tag[MAX_STRING_LEN]; - if (!get_tag(r->pool, in, tag, sizeof(tag), 1)) { + if (!get_tag(r, in, tag, sizeof(tag), 1)) { return 1; } else if (!strcmp(tag, "done")) { @@@@ -2035,7 +2054,7 @@@@ { char tag[MAX_STRING_LEN]; - if (!get_tag(r->pool, in, tag, sizeof(tag), 1)) { + if (!get_tag(r, in, tag, sizeof(tag), 1)) { return 1; } else if (!strcmp(tag, "done")) { @@@@ -2065,7 +2084,7 @@@@ var = (char *) NULL; while (1) { - if (!(tag_val = get_tag(r->pool, in, tag, sizeof(tag), 1))) { + if (!(tag_val = get_tag(r, in, tag, sizeof(tag), 1))) { return 1; } else if (!strcmp(tag, "done")) { @@@@ -2102,7 +2121,7 @@@@ table_entry *elts = (table_entry *) arr->elts; int i; - if (!(tag_val = 
get_tag(r->pool, in, tag, sizeof(tag), 1))) { + if (!(tag_val = get_tag(r, in, tag, sizeof(tag), 1))) { return 1; } else if (!strcmp(tag, "done")) { @@@@ -2173,10 +2192,7 @@@@ while (1) { if (!find_string(f, STARTING_SEQUENCE, r, printing)) { - if (get_directive(f, directive, sizeof(directive), r->pool)) { - ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r, - "mod_include: error reading directive in %s", - r->filename); + if (get_directive(f, directive, sizeof(directive), r)) { ap_rputs(error, r); return; } @ 1.14 log @force apache to use OpenPKG expat because mod_dav and mod_php_xml do it already and suffer from symbol conflicts with apache internal expat-lite @ text @d82 13 a94 4 Index: Configure --- apache_1.3.31/src/Configure.orig 2004-04-09 19:01:50 +0200 +++ apache_1.3.31/src/Configure 2004-07-06 22:05:44 +0200 @@@@ -1869,19 +1875,8 @@@@ @ 1.13 log @SA-2004.029-apache; CAN-2004-0492 @ text @d82 25 @ 1.13.2.1 log @MFC: force apache to use OpenPKG expat @ text @a81 25 Index: Configure --- apache_1.3.31/src/Configure.orig 2004-04-09 19:01:50 +0200 +++ apache_1.3.31/src/Configure 2004-07-06 22:05:44 +0200 @@@@ -1869,19 +1875,8 @@@@ fi if [ "x$RULE_EXPAT" = "xyes" ]; then - if ./helpers/TestCompile lib expat; then - echo " + using system Expat" - LIBS="$LIBS -lexpat" - else - if [ ! -d ./lib/expat-lite/ ]; then - echo "ERROR: RULE_EXPAT set to \"yes\" but is not available." 
- exit 1 - fi - echo " + using builtin Expat" - EXPATLIB="lib/expat-lite/libexpat.a" - APLIBDIRS="expat-lite $APLIBDIRS" - CFLAGS="$CFLAGS -DUSE_EXPAT -I\$(SRCDIR)/lib/expat-lite" - fi + echo " + using system Expat" + LIBS="$LIBS -lexpat" fi #################################################################### @ 1.13.2.2 log @MFC: latest fixes from CURRENT for PHP and Expat @ text @d82 4 a85 13 Index: apache_1.3.31/src/Configure --- apache_1.3.31/src/Configure.orig 2004-07-26 14:20:53 +0200 +++ apache_1.3.31/src/Configure 2004-07-26 14:41:24 +0200 @@@@ -1867,27 +1867,12 @@@@ # set the default, based on whether expat-lite is bundled. if it is present, # then we can always include expat. if [ "x$RULE_EXPAT" = "xdefault" ]; then - if [ -d ./lib/expat-lite/ ]; then - RULE_EXPAT=yes - else - RULE_EXPAT=no - fi + RULE_EXPAT=no @ 1.13.2.3 log @Security Fix (CAN-2004-0940) @ text @d57 25 a115 249 ----------------------------------------------------------------------------- Security Fix (SA-2004.029-apache CAN-2004-0492) Heap-based buffer overflow mod_proxy allows remote attackers to cause a denial of service (process crash) and possibly execute arbitrary code via a negative Content-Length HTTP header field, which causes a large amount of data to be copied. 
Index: apache_1.3.31/src/modules/proxy/proxy_http.c --- apache_1.3.31/src/modules/proxy/proxy_http.c 2004-03-29 19:47:15 +0200 +++ apache_1.3.31/src/modules/proxy/proxy_http.c 2004-06-11 09:54:38 +0200 @@@@ -485,6 +485,13 @@@@ content_length = ap_table_get(resp_hdrs, "Content-Length"); if (content_length != NULL) { c->len = ap_strtol(content_length, NULL, 10); + + if (c->len < 0) { + ap_kill_timeout(r); + return ap_proxyerror(r, HTTP_BAD_GATEWAY, ap_pstrcat(r->pool, + "Invalid Content-Length from remote server", + NULL)); + } } } ----------------------------------------------------------------------------- Security Fix (CAN-2004-0940) Buffer overflow in the get_tag() function in mod_include allows local users who can create SSI documents to execute arbitrary code as the Apache run-time user via SSI (XSSI) documents that trigger a length calculation error. Index: apache_1.3.31/src/modules/standard/mod_include.c --- apache_1.3.31/src/modules/standard/mod_include.c 2004-02-28 23:19:04 +0100 +++ apache_1.3.31/src/modules/standard/mod_include.c 2004-10-25 17:44:04 +0200 @@@@ -309,9 +309,10 @@@@ * the tag value is html decoded if dodecode is non-zero */ -static char *get_tag(pool *p, FILE *in, char *tag, int tagbuf_len, int dodecode) +static char *get_tag(request_rec *r, FILE *in, char *tag, int tagbuf_len, int dodecode) { char *t = tag, *tag_val, c, term; + pool *p = r->pool; /* makes code below a little less cluttered */ --tagbuf_len; @@@@ -337,7 +338,7 @@@@ /* find end of tag name */ while (1) { - if (t - tag == tagbuf_len) { + if (t == tag + tagbuf_len) { *t = '\0'; return NULL; } @@@@ -371,16 +372,30 @@@@ term = c; while (1) { GET_CHAR(in, c, NULL, p); - if (t - tag == tagbuf_len) { + if (t == tag + tagbuf_len) { *t = '\0'; + ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r, + "mod_include: value length exceeds limit" + " (%d) in %s", tagbuf_len, r->filename); return NULL; } -/* Want to accept \" as a valid character within a string. 
*/ + /* Want to accept \" as a valid character within a string. */ if (c == '\\') { - *(t++) = c; /* Add backslash */ GET_CHAR(in, c, NULL, p); - if (c == term) { /* Only if */ - *(--t) = c; /* Replace backslash ONLY for terminator */ + /* Insert backslash only if not escaping a terminator char */ + if (c != term) { + *(t++) = '\\'; + /* + * check to make sure that adding in the backslash won't cause + * an overflow, since we're now 1 character ahead. + */ + if (t == tag + tagbuf_len) { + *t = '\0'; + ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r, + "mod_include: value length exceeds limit" + " (%d) in %s", tagbuf_len, r->filename); + return NULL; + } } } else if (c == term) { @@@@ -395,9 +410,10 @@@@ return ap_pstrdup(p, tag_val); } -static int get_directive(FILE *in, char *dest, size_t len, pool *p) +static int get_directive(FILE *in, char *dest, size_t len, request_rec *r) { char *d = dest; + pool *p = r->pool; char c; /* make room for nul terminator */ @@@@ -413,6 +429,9 @@@@ /* now get directive */ while (1) { if (d == len + dest) { + ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r, + "mod_include: directive length exceeds limit" + " (%lu) in %s", (unsigned long)len+1, r->filename); return 1; } *d++ = ap_tolower(c); @@@@ -616,7 +635,7 @@@@ char *tag_val; while (1) { - if (!(tag_val = get_tag(r->pool, in, tag, sizeof(tag), 1))) { + if (!(tag_val = get_tag(r, in, tag, sizeof(tag), 1))) { return 1; } if (!strcmp(tag, "file") || !strcmp(tag, "virtual")) { @@@@ -839,7 +858,7 @@@@ char parsed_string[MAX_STRING_LEN]; while (1) { - if (!(tag_val = get_tag(r->pool, in, tag, sizeof(tag), 1))) { + if (!(tag_val = get_tag(r, in, tag, sizeof(tag), 1))) { return 1; } if (!strcmp(tag, "cmd")) { @@@@ -890,7 +909,7 @@@@ encode = E_ENTITY; while (1) { - if (!(tag_val = get_tag(r->pool, in, tag, sizeof(tag), 1))) { + if (!(tag_val = get_tag(r, in, tag, sizeof(tag), 1))) { return 1; } if (!strcmp(tag, "var")) { @@@@ -952,7 +971,7 @@@@ return DECLINED; } while (1) { - 
if (!(tag_val = get_tag(r->pool, in, tag, sizeof(tag), 1))) { + if (!(tag_val = get_tag(r, in, tag, sizeof(tag), 1))) { break; } if (strnEQ(tag, "sub", 3)) { @@@@ -985,7 +1004,7 @@@@ table *env = r->subprocess_env; while (1) { - if (!(tag_val = get_tag(r->pool, in, tag, sizeof(tag), 0))) { + if (!(tag_val = get_tag(r, in, tag, sizeof(tag), 0))) { return 1; } if (!strcmp(tag, "errmsg")) { @@@@ -1101,7 +1120,7 @@@@ char parsed_string[MAX_STRING_LEN]; while (1) { - if (!(tag_val = get_tag(r->pool, in, tag, sizeof(tag), 1))) { + if (!(tag_val = get_tag(r, in, tag, sizeof(tag), 1))) { return 1; } else if (!strcmp(tag, "done")) { @@@@ -1141,7 +1160,7 @@@@ char parsed_string[MAX_STRING_LEN]; while (1) { - if (!(tag_val = get_tag(r->pool, in, tag, sizeof(tag), 1))) { + if (!(tag_val = get_tag(r, in, tag, sizeof(tag), 1))) { return 1; } else if (!strcmp(tag, "done")) { @@@@ -1917,7 +1936,7 @@@@ expr = NULL; while (1) { - tag_val = get_tag(r->pool, in, tag, sizeof(tag), 0); + tag_val = get_tag(r, in, tag, sizeof(tag), 0); if (!tag_val || *tag == '\0') { return 1; } @@@@ -1960,7 +1979,7 @@@@ expr = NULL; while (1) { - tag_val = get_tag(r->pool, in, tag, sizeof(tag), 0); + tag_val = get_tag(r, in, tag, sizeof(tag), 0); if (!tag_val || *tag == '\0') { return 1; } @@@@ -2007,7 +2026,7 @@@@ { char tag[MAX_STRING_LEN]; - if (!get_tag(r->pool, in, tag, sizeof(tag), 1)) { + if (!get_tag(r, in, tag, sizeof(tag), 1)) { return 1; } else if (!strcmp(tag, "done")) { @@@@ -2035,7 +2054,7 @@@@ { char tag[MAX_STRING_LEN]; - if (!get_tag(r->pool, in, tag, sizeof(tag), 1)) { + if (!get_tag(r, in, tag, sizeof(tag), 1)) { return 1; } else if (!strcmp(tag, "done")) { @@@@ -2065,7 +2084,7 @@@@ var = (char *) NULL; while (1) { - if (!(tag_val = get_tag(r->pool, in, tag, sizeof(tag), 1))) { + if (!(tag_val = get_tag(r, in, tag, sizeof(tag), 1))) { return 1; } else if (!strcmp(tag, "done")) { @@@@ -2102,7 +2121,7 @@@@ table_entry *elts = (table_entry *) arr->elts; int i; - if (!(tag_val = 
get_tag(r->pool, in, tag, sizeof(tag), 1))) { + if (!(tag_val = get_tag(r, in, tag, sizeof(tag), 1))) { return 1; } else if (!strcmp(tag, "done")) { @@@@ -2173,10 +2192,7 @@@@ while (1) { if (!find_string(f, STARTING_SEQUENCE, r, printing)) { - if (get_directive(f, directive, sizeof(directive), r->pool)) { - ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r, - "mod_include: error reading directive in %s", - r->filename); + if (get_directive(f, directive, sizeof(directive), r)) { ap_rputs(error, r); return; } @ 1.12 log @remove obsolete patch (already applied in 1.3.31) @ text @d58 24 @ 1.11 log @upgrading package: apache 1.3.29 -> 1.3.31 @ text @a57 126 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0993 Apache 1.3 before 1.3.30, when running big-endian 64-bit platforms, does not properly parse Allow/Deny rules using IP addresses without a netmask, which could allow remote attackers to bypass intended access restrictions. http://cvs.apache.org/viewcvs.cgi/apache-1.3/src/modules/standard/mod_access.c?r1=1.46&r2=1.47 =================================================================== RCS file: /home/cvspublic/apache-1.3/src/modules/standard/mod_access.c,v retrieving revision 1.46 retrieving revision 1.47 diff -u -r1.46 -r1.47 --- apache_1.3.31/src/modules/standard/mod_access.c 2004/02/20 20:37:40 1.46 +++ apache_1.3.31/src/modules/standard/mod_access.c 2004/03/07 21:47:14 1.47 @@@@ -39,8 +39,8 @@@@ union { char *from; struct { - unsigned long net; - unsigned long mask; + struct in_addr net; + struct in_addr mask; } ip; } x; enum allowdeny_type type; @@@@ -124,14 +124,14 @@@@ } else if ((s = strchr(where, '/'))) { - unsigned long mask; + struct in_addr mask; a->type = T_IP; /* trample on where, we won't be using it any more */ *s++ = '\0'; if (!is_ip(where) - || (a->x.ip.net = ap_inet_addr(where)) == INADDR_NONE) { + || (a->x.ip.net.s_addr = ap_inet_addr(where)) == INADDR_NONE) { a->type = T_FAIL; return "syntax error in network portion of network/netmask"; 
} @@@@ -143,24 +143,26 @@@@ } /* is it in /a.b.c.d form? */ if (strchr(s, '.')) { - mask = ap_inet_addr(s); - if (mask == INADDR_NONE) { + mask.s_addr = ap_inet_addr(s); + if (mask.s_addr == INADDR_NONE) { a->type = T_FAIL; return "syntax error in mask portion of network/netmask"; } } else { + int i; + /* assume it's in /nnn form */ - mask = atoi(s); - if (mask > 32 || mask <= 0) { + i = atoi(s); + if (i > 32 || i <= 0) { a->type = T_FAIL; return "invalid mask in network/netmask"; } - mask = 0xFFFFFFFFUL << (32 - mask); - mask = htonl(mask); + mask.s_addr = 0xFFFFFFFFUL << (32 - i); + mask.s_addr = htonl(mask.s_addr); } a->x.ip.mask = mask; - a->x.ip.net = (a->x.ip.net & mask); /* pjr - This fixes PR 4770 */ + a->x.ip.net.s_addr = (a->x.ip.net.s_addr & mask.s_addr); /* pjr - This fixes PR 4770 */ } else if (ap_isdigit(*where) && is_ip(where)) { /* legacy syntax for ip addrs: a.b.c. ==> a.b.c.0/24 for example */ @@@@ -171,8 +173,8 @@@@ a->type = T_IP; /* parse components */ s = where; - a->x.ip.net = 0; - a->x.ip.mask = 0; + a->x.ip.net.s_addr = 0; + a->x.ip.mask.s_addr = 0; shift = 24; while (*s) { t = s; @@@@ -191,6 +193,7 @@@@ return "invalid ip address"; } if (shift < 0) { + a->type = T_FAIL; return "invalid ip address, only 4 octets allowed"; } octet = atoi(s); @@@@ -198,13 +201,13 @@@@ a->type = T_FAIL; return "each octet must be between 0 and 255 inclusive"; } - a->x.ip.net |= octet << shift; - a->x.ip.mask |= 0xFFUL << shift; + a->x.ip.net.s_addr |= (unsigned int)octet << shift; + a->x.ip.mask.s_addr |= 0xFFUL << shift; s = t; shift -= 8; } - a->x.ip.net = ntohl(a->x.ip.net); - a->x.ip.mask = ntohl(a->x.ip.mask); + a->x.ip.net.s_addr = ntohl(a->x.ip.net.s_addr); + a->x.ip.mask.s_addr = ntohl(a->x.ip.mask.s_addr); } else { a->type = T_HOST; @@@@ -272,9 +275,9 @@@@ return 1; case T_IP: - if (ap[i].x.ip.net != INADDR_NONE + if (ap[i].x.ip.net.s_addr != INADDR_NONE && (r->connection->remote_addr.sin_addr.s_addr - & ap[i].x.ip.mask) == ap[i].x.ip.net) { + & 
ap[i].x.ip.mask.s_addr) == ap[i].x.ip.net.s_addr) { return 1; } break; @ 1.10 log @CAN-2003-0993; not applicable for any supported or tentative and almost any obsoleted platforms in OPENPKG_2_0_RELEASE; only obsoleted Solaris 2.6 might be affected, so MFC/SA is questionable @ text @d1 2 a2 2 --- apache_1.3.29/configure.orig Tue May 21 14:24:59 2002 +++ apache_1.3.29/configure Mon Feb 10 11:08:40 2003 d18 2 a19 2 --- apache_1.3.29/src/Configure.dist 2003-06-11 11:59:51.000000000 +0200 +++ apache_1.3.29/src/Configure 2003-06-11 12:46:14.000000000 +0200 d47 2 a48 2 --- apache_1.3.29/src/main/util_script.c.orig Mon Jul 28 17:13:56 2003 +++ apache_1.3.29/src/main/util_script.c Tue Jul 29 15:55:27 2003 d70 2 a71 2 --- apache_1.3.29/src/modules/standard/mod_access.c 2004/02/20 20:37:40 1.46 +++ apache_1.3.29/src/modules/standard/mod_access.c 2004/03/07 21:47:14 1.47 @ 1.9 log @upgrading package: apache 1.3.28 -> 1.3.29 @ text @d57 127 @ 1.9.2.1 log @apply security fixes (CAN-2003-0993, CAN-2003-0020, CAN-2003-0987, CAN-2004-0174) @ text @a56 691 ============================================================================= Security Fix (CAN-2003-0993, Apache PR 23850): mod_access in Apache 1.3 before 1.3.30, when running big-endian 64-bit platforms, does not properly parse Allow/Deny rules using IP addresses without a netmask, which could allow remote attackers to bypass intended access restrictions. 
Index: apache_1.3.29/src/modules/standard/mod_access.c --- apache_1.3.29/src/modules/standard/mod_access.c.orig 2003-02-03 18:13:27.000000000 +0100 +++ apache_1.3.29/src/modules/standard/mod_access.c 2004-05-12 10:03:14.000000000 +0200 @@@@ -82,8 +82,8 @@@@ union { char *from; struct { - unsigned long net; - unsigned long mask; + struct in_addr net; + struct in_addr mask; } ip; } x; enum allowdeny_type type; @@@@ -167,14 +167,14 @@@@ } else if ((s = strchr(where, '/'))) { - unsigned long mask; + struct in_addr mask; a->type = T_IP; /* trample on where, we won't be using it any more */ *s++ = '\0'; if (!is_ip(where) - || (a->x.ip.net = ap_inet_addr(where)) == INADDR_NONE) { + || (a->x.ip.net.s_addr = ap_inet_addr(where)) == INADDR_NONE) { a->type = T_FAIL; return "syntax error in network portion of network/netmask"; } @@@@ -186,24 +186,26 @@@@ } /* is it in /a.b.c.d form? */ if (strchr(s, '.')) { - mask = ap_inet_addr(s); - if (mask == INADDR_NONE) { + mask.s_addr = ap_inet_addr(s); + if (mask.s_addr == INADDR_NONE) { a->type = T_FAIL; return "syntax error in mask portion of network/netmask"; } } else { + int i; + /* assume it's in /nnn form */ - mask = atoi(s); - if (mask > 32 || mask <= 0) { + i = atoi(s); + if (i > 32 || i <= 0) { a->type = T_FAIL; return "invalid mask in network/netmask"; } - mask = 0xFFFFFFFFUL << (32 - mask); - mask = htonl(mask); + mask.s_addr = 0xFFFFFFFFUL << (32 - i); + mask.s_addr = htonl(mask.s_addr); } a->x.ip.mask = mask; - a->x.ip.net = (a->x.ip.net & mask); /* pjr - This fixes PR 4770 */ + a->x.ip.net.s_addr = (a->x.ip.net.s_addr & mask.s_addr); /* pjr - This fixes PR 4770 */ } else if (ap_isdigit(*where) && is_ip(where)) { /* legacy syntax for ip addrs: a.b.c. 
==> a.b.c.0/24 for example */ @@@@ -214,8 +216,8 @@@@ a->type = T_IP; /* parse components */ s = where; - a->x.ip.net = 0; - a->x.ip.mask = 0; + a->x.ip.net.s_addr = 0; + a->x.ip.mask.s_addr = 0; shift = 24; while (*s) { t = s; @@@@ -234,6 +236,7 @@@@ return "invalid ip address"; } if (shift < 0) { + a->type = T_FAIL; return "invalid ip address, only 4 octets allowed"; } octet = atoi(s); @@@@ -241,13 +244,13 @@@@ a->type = T_FAIL; return "each octet must be between 0 and 255 inclusive"; } - a->x.ip.net |= octet << shift; - a->x.ip.mask |= 0xFFUL << shift; + a->x.ip.net.s_addr |= (unsigned int)octet << shift; + a->x.ip.mask.s_addr |= 0xFFUL << shift; s = t; shift -= 8; } - a->x.ip.net = ntohl(a->x.ip.net); - a->x.ip.mask = ntohl(a->x.ip.mask); + a->x.ip.net.s_addr = ntohl(a->x.ip.net.s_addr); + a->x.ip.mask.s_addr = ntohl(a->x.ip.mask.s_addr); } else { a->type = T_HOST; @@@@ -315,9 +318,9 @@@@ return 1; case T_IP: - if (ap[i].x.ip.net != INADDR_NONE + if (ap[i].x.ip.net.s_addr != INADDR_NONE && (r->connection->remote_addr.sin_addr.s_addr - & ap[i].x.ip.mask) == ap[i].x.ip.net) { + & ap[i].x.ip.mask.s_addr) == ap[i].x.ip.net.s_addr) { return 1; } break; ============================================================================= Security Fix (CAN-2003-0020): Apache does not filter terminal escape sequences from its error logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences. 
Index: apache_1.3.29/src/include/httpd.h --- apache_1.3.29/src/include/httpd.h.orig 2003-10-24 18:11:40.000000000 +0200 +++ apache_1.3.29/src/include/httpd.h 2004-05-12 10:04:43.000000000 +0200 @@@@ -1028,6 +1028,8 @@@@ API_EXPORT(char *) ap_construct_server(pool *p, const char *hostname, unsigned port, const request_rec *r); API_EXPORT(char *) ap_escape_logitem(pool *p, const char *str); +API_EXPORT(size_t) ap_escape_errorlog_item(char *dest, const char *source, + size_t buflen); API_EXPORT(char *) ap_escape_shell_cmd(pool *p, const char *s); API_EXPORT(int) ap_count_dirs(const char *path); Index: apache_1.3.29/src/main/http_log.c --- apache_1.3.29/src/main/http_log.c.orig 2003-02-03 18:13:21.000000000 +0100 +++ apache_1.3.29/src/main/http_log.c 2004-05-12 10:04:43.000000000 +0200 @@@@ -314,6 +314,9 @@@@ const char *fmt, va_list args) { char errstr[MAX_STRING_LEN]; +#ifndef AP_UNSAFE_ERROR_LOG_UNESCAPED + char scratch[MAX_STRING_LEN]; +#endif size_t len; int save_errno = errno; FILE *logf; @@@@ -445,7 +448,14 @@@@ } #endif +#ifndef AP_UNSAFE_ERROR_LOG_UNESCAPED + if (ap_vsnprintf(scratch, sizeof(scratch) - len, fmt, args)) { + len += ap_escape_errorlog_item(errstr + len, scratch, + sizeof(errstr) - len); + } +#else len += ap_vsnprintf(errstr + len, sizeof(errstr) - len, fmt, args); +#endif /* NULL if we are logging to syslog */ if (logf) { Index: apache_1.3.29/src/main/util.c --- apache_1.3.29/src/main/util.c.orig 2003-02-03 18:13:23.000000000 +0100 +++ apache_1.3.29/src/main/util.c 2004-05-12 10:04:43.000000000 +0200 @@@@ -1520,6 +1520,69 @@@@ return ret; } +API_EXPORT(size_t) ap_escape_errorlog_item(char *dest, const char *source, + size_t buflen) +{ + unsigned char *d, *ep; + const unsigned char *s; + + if (!source || !buflen) { /* be safe */ + return 0; + } + + d = (unsigned char *)dest; + s = (const unsigned char *)source; + ep = d + buflen - 1; + + for (; d < ep && *s; ++s) { + + if (TEST_CHAR(*s, T_ESCAPE_LOGITEM)) { + *d++ = '\\'; + if (d >= ep) { + --d; + 
break; + } + + switch(*s) { + case '\b': + *d++ = 'b'; + break; + case '\n': + *d++ = 'n'; + break; + case '\r': + *d++ = 'r'; + break; + case '\t': + *d++ = 't'; + break; + case '\v': + *d++ = 'v'; + break; + case '\\': + *d++ = *s; + break; + case '"': /* no need for this in error log */ + d[-1] = *s; + break; + default: + if (d >= ep - 2) { + ep = --d; /* break the for loop as well */ + break; + } + c2x(*s, d); + *d = 'x'; + d += 3; + } + } + else { + *d++ = *s; + } + } + *d = '\0'; + + return (d - (unsigned char *)dest); +} API_EXPORT(char *) ap_escape_shell_cmd(pool *p, const char *str) { ============================================================================= Security Fix (CAN-2003-0987): mod_digest for Apache did not properly verify the nonce of a client response by using a AuthNonce secret. Now Apache verifies the nonce returned in the client response to check whether it was issued by itself by means of a AuthDigestRealmSeed secret exposed as an md5(). Index: apache_1.3.29/src/include/http_core.h --- apache_1.3.29/src/include/http_core.h.orig 2003-07-07 02:34:09.000000000 +0200 +++ apache_1.3.29/src/include/http_core.h 2004-05-12 10:03:51.000000000 +0200 @@@@ -162,6 +162,7 @@@@ API_EXPORT(const char *) ap_auth_type (request_rec *); API_EXPORT(const char *) ap_auth_name (request_rec *); +API_EXPORT(const char *) ap_auth_nonce (request_rec *); API_EXPORT(int) ap_satisfies (request_rec *r); API_EXPORT(const array_header *) ap_requires (request_rec *); @@@@ -355,6 +356,9 @@@@ */ ap_flag_e cgi_command_args; + /* Digest auth. 
*/ + char *ap_auth_nonce; + } core_dir_config; /* Per-server core configuration */ Index: apache_1.3.29/src/main/http_core.c --- apache_1.3.29/src/main/http_core.c.orig 2003-10-19 15:20:57.000000000 +0200 +++ apache_1.3.29/src/main/http_core.c 2004-05-12 10:03:51.000000000 +0200 @@@@ -236,6 +236,9 @@@@ if (new->ap_auth_name) { conf->ap_auth_name = new->ap_auth_name; } + if (new->ap_auth_nonce) { + conf->ap_auth_nonce = new->ap_auth_nonce; + } if (new->ap_requires) { conf->ap_requires = new->ap_requires; } @@@@ -577,6 +580,31 @@@@ return conf->ap_auth_name; } +API_EXPORT(const char *) ap_auth_nonce(request_rec *r) +{ + core_dir_config *conf; + conf = (core_dir_config *)ap_get_module_config(r->per_dir_config, + &core_module); + if (conf->ap_auth_nonce) + return conf->ap_auth_nonce; + + /* Ideally we'd want to mix in some per-directory style + * information; as we are likely to want to detect replay + * across those boundaries and some randomness. But that + * is harder due to the adhoc nature of .htaccess memory + * structures, restarts and forks. + * + * But then again - you should use AuthDigestRealmSeed in your config + * file if you care. So the adhoc value should do. + */ + return ap_psprintf(r->pool,"%pp%pp%pp%pp%pp", + (void *)&((r->connection->local_addr).sin_addr ), + (void *)ap_user_name, + (void *)ap_listeners, + (void *)ap_server_argv0, + (void *)ap_pid_fname); +} + API_EXPORT(const char *) ap_default_type(request_rec *r) { core_dir_config *conf; @@@@ -2786,6 +2814,28 @@@@ return NULL; } +/* + * Load an authorisation nonce into our location configuration, and + * force it to be in the 0-9/A-Z realm. 
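Review bot: The fallback seed returned by `ap_auth_nonce()` in the http_core.c hunk is not a secret. When no AuthDigestRealmSeed is configured, it is formatted with `%pp` from the addresses of `ap_user_name`, `ap_listeners`, `ap_server_argv0`, `ap_pid_fname` and the connection's `sin_addr` field, which are presumably the same on every host running the same build. The MD5 nonce prefix that ap_note_digest_auth_failure() derives from it is therefore only as unpredictable as those addresses, so the nonce check adds little in the default configuration. The existing comment hints at this; I would state it outright, e.g. `/* NOTE: this fallback is guessable; set AuthDigestRealmSeed to a random value if nonce verification matters */`, and repeat the advice in the directive's help string.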
+ */ +static const char *set_authnonce (cmd_parms *cmd, void *mconfig, char *word1) +{ + core_dir_config *aconfig = (core_dir_config *)mconfig; + size_t i; + + aconfig->ap_auth_nonce = ap_escape_quotes(cmd->pool, word1); + + if (strlen(aconfig->ap_auth_nonce) > 510) + return "AuthDigestRealmSeed length limited to 510 chars for browser compatibility"; + + for(i=0;iap_auth_nonce );i++) + if (!ap_isalnum(aconfig->ap_auth_nonce [i])) + return "AuthDigestRealmSeed limited to 0-9 and A-Z range for browser compatibility"; + + return NULL; +} + + #ifdef _OSD_POSIX /* BS2000 Logon Passwd file */ static const char *set_bs2000_account(cmd_parms *cmd, void *dummy, char *name) { @@@@ -3400,6 +3450,9 @@@@ "An HTTP authorization type (e.g., \"Basic\")" }, { "AuthName", set_authname, NULL, OR_AUTHCFG, TAKE1, "The authentication realm (e.g. \"Members Only\")" }, +{ "AuthDigestRealmSeed", set_authnonce, NULL, OR_AUTHCFG, TAKE1, + "An authentication token which should be different for each logical realm. "\ + "A random value or the servers IP may be a good choise.\n" }, { "Require", require, NULL, OR_AUTHCFG, RAW_ARGS, "Selects which authenticated users or groups may access a protected space" }, { "Satisfy", satisfy, NULL, OR_AUTHCFG, TAKE1, Index: apache_1.3.29/src/main/http_protocol.c --- apache_1.3.29/src/main/http_protocol.c.orig 2003-02-03 18:13:22.000000000 +0100 +++ apache_1.3.29/src/main/http_protocol.c 2004-05-12 10:03:51.000000000 +0200 @@@@ -76,6 +76,7 @@@@ #include "util_date.h" /* For parseHTTPdate and BAD_DATE */ #include #include "http_conf_globals.h" +#include "util_md5.h" /* For digestAuth */ #define SET_BYTES_SENT(r) \ do { if (r->sent_bodyct) \ @@@@ -1391,11 +1392,25 @@@@ API_EXPORT(void) ap_note_digest_auth_failure(request_rec *r) { + /* We need to create a nonce which: + * a) changes all the time (see r->request_time) + * below and + * b) of which we can verify that it is our own + * fairly easily when it comes to veryfing + * the digest coming back in the 
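Review bot: The comment above `set_authnonce()` and both of its error strings promise a seed in the "0-9/A-Z" range, but the per-character test is `ap_isalnum()`, which also accepts lower-case letters. Nothing is "forced" either: an invalid value is rejected after it has already been stored in `aconfig->ap_auth_nonce`. I would reword the header comment to match the code, e.g. `/* Load the digest seed; reject values longer than 510 chars or containing non-alphanumeric characters. */`. The loop header as it appears in this copy (`for(i=0;iap_auth_nonce );i++)`) looks damaged, presumably a `<` expression lost in extraction, so the loop bound itself cannot be reviewed here.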
response. + * c) and which as a whole should not + * be unlikely to be in use anywhere else. + */ + char * nonce_prefix = ap_md5(r->pool, + (unsigned char *) + ap_psprintf(r->pool, "%s%lu", + ap_auth_nonce(r), r->request_time)); + ap_table_setn(r->err_headers_out, r->proxyreq == STD_PROXY ? "Proxy-Authenticate" : "WWW-Authenticate", - ap_psprintf(r->pool, "Digest realm=\"%s\", nonce=\"%lu\"", - ap_auth_name(r), r->request_time)); + ap_psprintf(r->pool, "Digest realm=\"%s\", nonce=\"%s%lu\"", + ap_auth_name(r), nonce_prefix, r->request_time)); } API_EXPORT(int) ap_get_basic_auth_pw(request_rec *r, const char **pw) Index: apache_1.3.29/src/modules/standard/mod_digest.c --- apache_1.3.29/src/modules/standard/mod_digest.c.orig 2003-02-03 18:13:27.000000000 +0100 +++ apache_1.3.29/src/modules/standard/mod_digest.c 2004-05-12 10:03:51.000000000 +0200 @@@@ -316,6 +316,23 @@@@ /* The actual MD5 code... whee */ +/* Check that a given nonce is actually one which was + * issued by this server in the right context. + */ +static int check_nonce(pool *p, const char *prefix, const char *nonce) { + char *timestamp = (char *)nonce + 2 * MD5_DIGESTSIZE; + char *md5; + + if (strlen(nonce) < MD5_DIGESTSIZE) + return AUTH_REQUIRED; + + md5 = ap_md5(p, (unsigned char *)ap_pstrcat(p, prefix, timestamp, NULL)); + + return strncmp(md5, nonce, 2 * MD5_DIGESTSIZE); +} + +/* Check the digest itself. + */ static char *find_digest(request_rec *r, digest_header_rec * h, char *a1) { return ap_md5(r->pool, @@@@ -356,6 +373,15 @@@@ if (!sec->pwfile) return DECLINED; + /* Check that the nonce was one we actually issued. 
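Review bot: The length guard in `check_nonce()` is too small for the pointer it protects. `timestamp` is computed as `nonce + 2 * MD5_DIGESTSIZE`, but the guard only rejects `strlen(nonce) < MD5_DIGESTSIZE`. A client-supplied nonce whose length lies between MD5_DIGESTSIZE and 2 * MD5_DIGESTSIZE - 1 therefore makes `ap_pstrcat()` read past the string's terminator. The guard should be `if (strlen(nonce) < 2 * MD5_DIGESTSIZE) return AUTH_REQUIRED;`, ideally placed before `timestamp` is derived. Separately, the embedded timestamp is not compared against the current time in this hunk or in the caller hunk that follows, so a freshness check would have to exist elsewhere; worth confirming.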
*/ + if (check_nonce(r->pool, ap_auth_nonce(r), response->nonce)) { + ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r, + "Client is using a nonce which was not issued by " + "this server for this context: %s", r->uri); + ap_note_digest_auth_failure(r); + return AUTH_REQUIRED; + } + if (!(a1 = get_hash(r, c->user, sec->pwfile))) { ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r, "user %s not found: %s", c->user, r->uri); ============================================================================= Security Fix (CAN-2004-0174): Apache before 2.0.49 and 1.3.30, when using multiple listening sockets on certain platforms, allows remote attackers to cause a Denial of Service (blocked new connections) via a "short-lived connection on a rarely-accessed listening socket." This fixes the starvation issue on listening sockets where a short-lived connection on a rarely-accessed listening socket will cause a child to hold the accept mutex and block out new connections until another connection arrives on that rarely-accessed listening socket. Enabled for some platforms only which are known to have the issue (accept() blocking after select() returns readable). 
Index: apache_1.3.29/src/include/ap_config.h --- apache_1.3.29/src/include/ap_config.h.orig 2003-05-05 13:45:49.000000000 +0200 +++ apache_1.3.29/src/include/ap_config.h 2004-05-12 10:05:56.000000000 +0200 @@@@ -193,6 +193,7 @@@@ int gethostname(char *name, int namelen); #define HAVE_SYSLOG 1 #define SYS_SIGLIST _sys_siglist +#define NONBLOCK_WHEN_MULTI_LISTEN #elif defined(IRIX) #undef HAVE_GMTOFF @@@@ -216,6 +217,7 @@@@ #define NO_LONG_DOUBLE #define NO_LINGCLOSE #define HAVE_SYSLOG 1 +#define NONBLOCK_WHEN_MULTI_LISTEN #elif defined(HIUX) #undef HAVE_GMTOFF @@@@ -299,6 +301,7 @@@@ #elif AIX >= 420 #define NET_SIZE_T size_t #endif +#define NONBLOCK_WHEN_MULTI_LISTEN #elif defined(ULTRIX) /* we don't want to use sys/resource.h under @@@@ -325,6 +328,7 @@@@ #define HAVE_SYSLOG 1 #define HAVE_FLOCK_SERIALIZED_ACCEPT #define SINGLE_LISTEN_UNSERIALIZED_ACCEPT +#define NONBLOCK_WHEN_MULTI_LISTEN #elif defined(PARAGON) #define HAVE_GMTOFF 1 @@@@ -1015,6 +1019,7 @@@@ #include #define NET_SIZE_T size_t #define NEED_HASHBANG_EMUL +#define NONBLOCK_WHEN_MULTI_LISTEN #elif defined(CYGWIN) /* Cygwin 1.x POSIX layer for Win32 */ #define SYSTEM_UID 18 @@@@ -1034,6 +1039,8 @@@@ #define USE_PTHREAD_SERIALIZED_ACCEPT #endif +#elif defined(NETWARE) +#define NONBLOCK_WHEN_MULTI_LISTEN #else /* Unknown system - Edit these to match */ Index: apache_1.3.29/src/main/http_main.c --- apache_1.3.29/src/main/http_main.c.orig 2003-10-19 20:00:35.000000000 +0200 +++ apache_1.3.29/src/main/http_main.c 2004-05-12 10:05:56.000000000 +0200 @@@@ -3905,6 +3905,76 @@@@ old_listeners = NULL; } +#ifdef NONBLOCK_WHEN_MULTI_LISTEN +/* retrieved from APR */ +static int soblock(int sd) +{ +#ifdef NETWARE + u_long one = 0; + + if (ioctlsocket(sd, FIONBIO, &one) == SOCKET_ERROR) { + return -1; + } +#else +#ifndef BEOS + int fd_flags; + + fd_flags = fcntl(sd, F_GETFL, 0); +#if defined(O_NONBLOCK) + fd_flags &= ~O_NONBLOCK; +#elif defined(O_NDELAY) + fd_flags &= ~O_NDELAY; +#elif defined(FNDELAY) + fd_flags 
&= ~FNDELAY; +#else +#error Teach soblock() how to make a socket blocking on your platform. +#endif + if (fcntl(sd, F_SETFL, fd_flags) == -1) { + return errno; + } +#else + int on = 0; + if (setsockopt(sd, SOL_SOCKET, SO_NONBLOCK, &on, sizeof(int)) < 0) + return errno; +#endif /* BEOS */ +#endif /* NETWARE */ + return 0; +} + +static int sononblock(int sd) +{ +#ifdef NETWARE + u_long one = 1; + + if (ioctlsocket(sd, FIONBIO, &one) == SOCKET_ERROR) { + return -1; + } +#else +#ifndef BEOS + int fd_flags; + + fd_flags = fcntl(sd, F_GETFL, 0); +#if defined(O_NONBLOCK) + fd_flags |= O_NONBLOCK; +#elif defined(O_NDELAY) + fd_flags |= O_NDELAY; +#elif defined(FNDELAY) + fd_flags |= FNDELAY; +#else +#error Teach sononblock() how to make a socket non-blocking on your platform. +#endif + if (fcntl(sd, F_SETFL, fd_flags) == -1) { + return errno; + } +#else + int on = 1; + if (setsockopt(sd, SOL_SOCKET, SO_NONBLOCK, &on, sizeof(int)) < 0) + return errno; +#endif /* BEOS */ +#endif /* NETWARE */ + return 0; +} +#endif /* NONBLOCK_WHEN_MULTI_LISTEN */ /* open sockets, and turn the listeners list into a singly linked ring */ static void setup_listeners(pool *p) @@@@ -3937,6 +4007,31 @@@@ head_listener = ap_listeners; close_unused_listeners(); +#ifdef NONBLOCK_WHEN_MULTI_LISTEN + if (ap_listeners->next != ap_listeners) { + lr = ap_listeners; + do { + if (sononblock(lr->fd) < 0) { + ap_log_error(APLOG_MARK, APLOG_CRIT, NULL, + "A listening socket could not be made non-blocking."); + exit(APEXIT_INIT); + } + lr = lr->next; + } while (lr != ap_listeners); + } + else { + /* we could be restarting with a single remaining listening + * socket, still in non-blocking state from a previous + * generation which had more listening sockets + */ + if (soblock(ap_listeners->fd) < 0) { + ap_log_error(APLOG_MARK, APLOG_CRIT, NULL, + "A listening socket could not be made blocking."); + exit(APEXIT_INIT); + } + } +#endif /* NONBLOCK_WHEN_MULTI_LISTEN */ + #ifdef NO_SERIALIZED_ACCEPT /* warn them 
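Review bot: `soblock()` and `sononblock()` report failure inconsistently: the fcntl() and BeOS paths `return errno;` (a positive value), while the NETWARE path returns -1. The setup_listeners hunk that follows tests `sononblock(lr->fd) < 0` and `soblock(ap_listeners->fd) < 0`, so a failed `fcntl(F_SETFL)` is never noticed there; only the later `soblock(csd) != 0` call sites catch it. Either return -1 on every failure path or change the two callers to `!= 0`. The result of `fcntl(sd, F_GETFL, 0)` is also used unchecked; on failure it is -1 and the masked value is passed straight to F_SETFL, so add `if (fd_flags == -1) return -1;` after the call in both helpers.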
about the starvation problem if they're using multiple * sockets @@@@ -4472,6 +4567,19 @@@@ #ifdef ENETUNREACH case ENETUNREACH: #endif + /* EAGAIN/EWOULDBLOCK can be returned on BSD-derived + * TCP stacks when the connection is aborted before + * we call connect, but only because our listener + * sockets are non-blocking (NONBLOCK_WHEN_MULTI_LISTEN) + */ +#ifdef EAGAIN + case EAGAIN: +#endif +#ifdef EWOULDBLOCK +#if !defined(EAGAIN) || EAGAIN != EWOULDBLOCK + case EWOULDBLOCK: +#endif +#endif break; #ifdef ENETDOWN case ENETDOWN: @@@@ -4561,6 +4669,21 @@@@ * socket options, file descriptors, and read/write buffers. */ +#ifdef NONBLOCK_WHEN_MULTI_LISTEN + /* This assumes that on this platform the non-blocking setting of + * a listening socket is inherited. If that isn't the case, + * this is wasted effort. + */ + if (ap_listeners != ap_listeners->next) { + if (soblock(csd) != 0) { + ap_log_error(APLOG_MARK, APLOG_CRIT, NULL, + "couldn't make socket descriptor (%d) blocking again", + csd); + continue; + } + } +#endif /* NONBLOCK_WHEN_MULTI_LISTEN */ + clen = sizeof(sa_server); if (getsockname(csd, &sa_server, &clen) < 0) { ap_log_error(APLOG_MARK, APLOG_DEBUG, server_conf, @@@@ -6332,15 +6455,22 @@@@ if (csd == INVALID_SOCKET) { csd = -1; } - } while (csd < 0 && h_errno == EINTR); + } while (csd < 0 && h_errno == WSAEINTR); if (csd == INVALID_SOCKET) { - if (h_errno != WSAECONNABORTED) { + if ((h_errno != WSAECONNABORTED) && (h_errno != WSAEWOULDBLOCK)) { ap_log_error(APLOG_MARK, APLOG_ERR, server_conf, "accept: (client socket) failed with errno = %d",h_errno); } } else { + u_long one = 0; + + if (soblock(csd) != 0) { + ap_log_error(APLOG_MARK, APLOG_ERR, server_conf, + "%d couldn't make socket descriptor (%d) blocking again.", h_errno, csd); + continue; + } add_job(csd); } } @ 1.9.2.2 log @SA-2004.029-apache; CAN-2004-0492 @ text @a747 24 =================================================================== SA-2004.029-apache CAN-2004-0492 RCS file: 
/home/cvspublic/apache-1.3/src/modules/proxy/proxy_http.c,v retrieving revision 1.106 retrieving revision 1.107 diff -u -r1.106 -r1.107 --- apache_1.3.29/src/modules/proxy/proxy_http.c 2004/03/29 17:47:15 1.106 +++ apache_1.3.29/src/modules/proxy/proxy_http.c 2004/06/11 07:54:38 1.107 @@@@ -485,6 +485,13 @@@@ content_length = ap_table_get(resp_hdrs, "Content-Length"); if (content_length != NULL) { c->len = ap_strtol(content_length, NULL, 10); + + if (c->len < 0) { + ap_kill_timeout(r); + return ap_proxyerror(r, HTTP_BAD_GATEWAY, ap_pstrcat(r->pool, + "Invalid Content-Length from remote server", + NULL)); + } } } @ 1.9.2.3 log @Security Fix (CAN-2004-0940) @ text @a747 1 d749 1 d751 4 a754 2 Security Fix (SA-2004.029-apache CAN-2004-0492) a771 221 =================================================================== Security Fix (CAN-2004-0940) Buffer overflow in the get_tag() function in mod_include allows local users who can create SSI documents to execute arbitrary code as the Apache run-time user via SSI (XSSI) documents that trigger a length calculation error. 
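Review bot: The new `c->len < 0` check in the proxy_http.c hunk only catches values that parse as negative. `ap_strtol(content_length, NULL, 10)` is called with a NULL end pointer, so a Content-Length from the remote server that has trailing non-digits, is empty, or overflows the range is still accepted as whatever number the prefix yields. I would pass an end pointer and reject the header unless the whole value was consumed, e.g. `c->len = ap_strtol(content_length, &end, 10);` followed by `if (end == content_length || *end != '\0' || errno == ERANGE || c->len < 0) {`, with `errno` cleared before the call. The `ap_pstrcat(r->pool, "...", NULL)` around a single literal is also unnecessary if ap_proxyerror() accepts a constant string. The enclosing function begins and ends outside the hunk, so the type of `c->len` is not visible here.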
Index: apache_1.3.29/src/modules/standard/mod_include.c --- apache_1.3.29/src/modules/standard/mod_include.c 2004-02-28 23:19:04 +0100 +++ apache_1.3.29/src/modules/standard/mod_include.c 2004-10-25 17:44:04 +0200 @@@@ -309,9 +309,10 @@@@ * the tag value is html decoded if dodecode is non-zero */ -static char *get_tag(pool *p, FILE *in, char *tag, int tagbuf_len, int dodecode) +static char *get_tag(request_rec *r, FILE *in, char *tag, int tagbuf_len, int dodecode) { char *t = tag, *tag_val, c, term; + pool *p = r->pool; /* makes code below a little less cluttered */ --tagbuf_len; @@@@ -337,7 +338,7 @@@@ /* find end of tag name */ while (1) { - if (t - tag == tagbuf_len) { + if (t == tag + tagbuf_len) { *t = '\0'; return NULL; } @@@@ -371,16 +372,30 @@@@ term = c; while (1) { GET_CHAR(in, c, NULL, p); - if (t - tag == tagbuf_len) { + if (t == tag + tagbuf_len) { *t = '\0'; + ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r, + "mod_include: value length exceeds limit" + " (%d) in %s", tagbuf_len, r->filename); return NULL; } -/* Want to accept \" as a valid character within a string. */ + /* Want to accept \" as a valid character within a string. */ if (c == '\\') { - *(t++) = c; /* Add backslash */ GET_CHAR(in, c, NULL, p); - if (c == term) { /* Only if */ - *(--t) = c; /* Replace backslash ONLY for terminator */ + /* Insert backslash only if not escaping a terminator char */ + if (c != term) { + *(t++) = '\\'; + /* + * check to make sure that adding in the backslash won't cause + * an overflow, since we're now 1 character ahead. 
+ */ + if (t == tag + tagbuf_len) { + *t = '\0'; + ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r, + "mod_include: value length exceeds limit" + " (%d) in %s", tagbuf_len, r->filename); + return NULL; + } } } else if (c == term) { @@@@ -395,9 +410,10 @@@@ return ap_pstrdup(p, tag_val); } -static int get_directive(FILE *in, char *dest, size_t len, pool *p) +static int get_directive(FILE *in, char *dest, size_t len, request_rec *r) { char *d = dest; + pool *p = r->pool; char c; /* make room for nul terminator */ @@@@ -413,6 +429,9 @@@@ /* now get directive */ while (1) { if (d == len + dest) { + ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r, + "mod_include: directive length exceeds limit" + " (%lu) in %s", (unsigned long)len+1, r->filename); return 1; } *d++ = ap_tolower(c); @@@@ -616,7 +635,7 @@@@ char *tag_val; while (1) { - if (!(tag_val = get_tag(r->pool, in, tag, sizeof(tag), 1))) { + if (!(tag_val = get_tag(r, in, tag, sizeof(tag), 1))) { return 1; } if (!strcmp(tag, "file") || !strcmp(tag, "virtual")) { @@@@ -839,7 +858,7 @@@@ char parsed_string[MAX_STRING_LEN]; while (1) { - if (!(tag_val = get_tag(r->pool, in, tag, sizeof(tag), 1))) { + if (!(tag_val = get_tag(r, in, tag, sizeof(tag), 1))) { return 1; } if (!strcmp(tag, "cmd")) { @@@@ -890,7 +909,7 @@@@ encode = E_ENTITY; while (1) { - if (!(tag_val = get_tag(r->pool, in, tag, sizeof(tag), 1))) { + if (!(tag_val = get_tag(r, in, tag, sizeof(tag), 1))) { return 1; } if (!strcmp(tag, "var")) { @@@@ -952,7 +971,7 @@@@ return DECLINED; } while (1) { - if (!(tag_val = get_tag(r->pool, in, tag, sizeof(tag), 1))) { + if (!(tag_val = get_tag(r, in, tag, sizeof(tag), 1))) { break; } if (strnEQ(tag, "sub", 3)) { @@@@ -985,7 +1004,7 @@@@ table *env = r->subprocess_env; while (1) { - if (!(tag_val = get_tag(r->pool, in, tag, sizeof(tag), 0))) { + if (!(tag_val = get_tag(r, in, tag, sizeof(tag), 0))) { return 1; } if (!strcmp(tag, "errmsg")) { @@@@ -1101,7 +1120,7 @@@@ char parsed_string[MAX_STRING_LEN]; 
while (1) { - if (!(tag_val = get_tag(r->pool, in, tag, sizeof(tag), 1))) { + if (!(tag_val = get_tag(r, in, tag, sizeof(tag), 1))) { return 1; } else if (!strcmp(tag, "done")) { @@@@ -1141,7 +1160,7 @@@@ char parsed_string[MAX_STRING_LEN]; while (1) { - if (!(tag_val = get_tag(r->pool, in, tag, sizeof(tag), 1))) { + if (!(tag_val = get_tag(r, in, tag, sizeof(tag), 1))) { return 1; } else if (!strcmp(tag, "done")) { @@@@ -1917,7 +1936,7 @@@@ expr = NULL; while (1) { - tag_val = get_tag(r->pool, in, tag, sizeof(tag), 0); + tag_val = get_tag(r, in, tag, sizeof(tag), 0); if (!tag_val || *tag == '\0') { return 1; } @@@@ -1960,7 +1979,7 @@@@ expr = NULL; while (1) { - tag_val = get_tag(r->pool, in, tag, sizeof(tag), 0); + tag_val = get_tag(r, in, tag, sizeof(tag), 0); if (!tag_val || *tag == '\0') { return 1; } @@@@ -2007,7 +2026,7 @@@@ { char tag[MAX_STRING_LEN]; - if (!get_tag(r->pool, in, tag, sizeof(tag), 1)) { + if (!get_tag(r, in, tag, sizeof(tag), 1)) { return 1; } else if (!strcmp(tag, "done")) { @@@@ -2035,7 +2054,7 @@@@ { char tag[MAX_STRING_LEN]; - if (!get_tag(r->pool, in, tag, sizeof(tag), 1)) { + if (!get_tag(r, in, tag, sizeof(tag), 1)) { return 1; } else if (!strcmp(tag, "done")) { @@@@ -2065,7 +2084,7 @@@@ var = (char *) NULL; while (1) { - if (!(tag_val = get_tag(r->pool, in, tag, sizeof(tag), 1))) { + if (!(tag_val = get_tag(r, in, tag, sizeof(tag), 1))) { return 1; } else if (!strcmp(tag, "done")) { @@@@ -2102,7 +2121,7 @@@@ table_entry *elts = (table_entry *) arr->elts; int i; - if (!(tag_val = get_tag(r->pool, in, tag, sizeof(tag), 1))) { + if (!(tag_val = get_tag(r, in, tag, sizeof(tag), 1))) { return 1; } else if (!strcmp(tag, "done")) { @@@@ -2173,10 +2192,7 @@@@ while (1) { if (!find_string(f, STARTING_SEQUENCE, r, printing)) { - if (get_directive(f, directive, sizeof(directive), r->pool)) { - ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r, - "mod_include: error reading directive in %s", - r->filename); + if (get_directive(f, directive, 
sizeof(directive), r)) { ap_rputs(error, r); return; } @ 1.8 log @allow SetEnv to set PATH variable; use suexec.log instead of default suexec_log @ text @d1 2 a2 2 --- apache_1.3.28/configure.orig Tue May 21 14:24:59 2002 +++ apache_1.3.28/configure Mon Feb 10 11:08:40 2003 d18 2 a19 2 --- apache_1.3.28/src/Configure.dist 2003-06-11 11:59:51.000000000 +0200 +++ apache_1.3.28/src/Configure 2003-06-11 12:46:14.000000000 +0200 d47 2 a48 23 --- apache_1.3.28/src/main/alloc.c.dist 2003-07-29 15:23:08.000000000 +0200 +++ apache_1.3.28/src/main/alloc.c 2003-07-29 15:25:08.000000000 +0200 @@@@ -2858,13 +2858,11 @@@@ for (p = procs; p; p = p->next) { if ((p->kill_how == kill_after_timeout) || (p->kill_how == kill_only_once)) { - /* Subprocess may be dead already. Only need the timeout if not. */ - if (ap_os_kill(p->pid, SIGTERM) == -1) { - p->kill_how = kill_never; - } - else { - need_timeout = 1; - } + /* Dead subprocesses still need a waitpid to remove the zombie + * so we have to ignore errors returned by ap_os_kill() + */ + ap_os_kill(p->pid, SIGTERM); + need_timeout = 1; } else if (p->kill_how == kill_always) { kill(p->pid, SIGKILL); --- apache_1.3.28/src/main/util_script.c.orig Mon Jul 28 17:13:56 2003 +++ apache_1.3.28/src/main/util_script.c Tue Jul 29 15:55:27 2003 @ 1.7 log @fix suexec-zombie problem, see also http://nagoya.apache.org/bugzilla/show_bug.cgi?id=21737 @ text @d68 10 @ 1.6 log @upgrading package: apache 1.3.27 -> 1.3.28 @ text @d47 21 @ 1.5 log @more smartness in linking @ text @d1 2 a2 2 --- apache_1.3.27/configure.orig Tue May 21 14:24:59 2002 +++ apache_1.3.27/configure Mon Feb 10 11:08:40 2003 d18 2 a19 2 --- apache_1.3.27/src/Configure.dist 2003-06-11 11:59:51.000000000 +0200 +++ apache_1.3.27/src/Configure 2003-06-11 12:46:14.000000000 +0200 @ 1.4 log @be smarter with linker options, but not smart enough @ text @d19 4 a22 2 +++ apache_1.3.27/src/Configure 2003-06-11 12:00:44.000000000 +0200 @@@@ -1192,12 +1192,14 @@@@ d24 20 a43 12 if [ "x`$CC -v 
2>&1 | grep gcc`" != "x" ]; then CFLAGS_SHLIB="-fPIC" + LDFLAGS_SHLIB="-shared" + LDFLAGS_SHLIB_EXPORT="-Wl,-E" else CFLAGS_SHLIB="-KPIC" + LDFLAGS_SHLIB="-G" + LDFLAGS_SHLIB_EXPORT="" fi - LDFLAGS_SHLIB="-G" LDFLAGS_MOD_SHLIB=$LDFLAGS_SHLIB - LDFLAGS_SHLIB_EXPORT="" @ 1.3 log @patch Configure for binutils-ld under Solaris @ text @d18 3 a20 5 --- apache_1.3.27/src/Configure.dist 2003-06-04 18:22:40 +0200 +++ apache_1.3.27/src/Configure 2003-06-04 18:24:18 +0200 @@@@ -1190,14 +1190,10 @@@@ SHLIB_SUFFIX_DEPTH=0 ;; d22 9 a30 5 - if [ "x`$CC -v 2>&1 | grep gcc`" != "x" ]; then - CFLAGS_SHLIB="-fPIC" - else - CFLAGS_SHLIB="-KPIC" - fi a31 2 + CFLAGS_SHLIB="-fPIC" + LDFLAGS_SHLIB="-shared" a33 1 + LDFLAGS_SHLIB_EXPORT="-Wl,-E" @ 1.2 log @remove calculation of relative path in APACI; performed under threat of force only @ text @d18 20 @ 1.1 log @file apache.patch was initially added on branch OPENPKG_1_0_SOLID. @ text @d1 17 @ 1.1.8.1 log @Security Bugfix (CAN-2003-0542, OpenPKG-SA-2003.046-apache) @ text @a0 110 Security Bugfix (CAN-2003-0542, OpenPKG-SA-2003.046-apache): Index: apache_1.3.27/src/include/httpd.h --- apache_1.3.27/src/include/httpd.h.orig 2002-09-30 18:35:21.000000000 +0200 +++ apache_1.3.27/src/include/httpd.h 2003-10-28 15:19:40.000000000 +0100 @@@@ -273,6 +273,9 @@@@ /* The size of the server's internal read-write buffers */ #define IOBUFSIZE 8192 +/* The max number of regex captures that can be expanded by ap_pregsub */ +#define AP_MAX_REG_MATCH 10 + /* Number of servers to spawn off by default --- also, if fewer than * this free when the caretaker checks, it will spawn more. 
*/ Index: apache_1.3.27/src/modules/standard/mod_alias.c --- apache_1.3.27/src/modules/standard/mod_alias.c.orig 2002-03-13 22:05:33.000000000 +0100 +++ apache_1.3.27/src/modules/standard/mod_alias.c 2003-10-28 15:19:40.000000000 +0100 @@@@ -299,7 +299,7 @@@@ static char *try_alias_list(request_rec *r, array_header *aliases, int doesc, int *status) { alias_entry *entries = (alias_entry *) aliases->elts; - regmatch_t regm[10]; + regmatch_t regm[AP_MAX_REG_MATCH]; char *found = NULL; int i; @@@@ -308,10 +308,10 @@@@ int l; if (p->regexp) { - if (!ap_regexec(p->regexp, r->uri, p->regexp->re_nsub + 1, regm, 0)) { + if (!ap_regexec(p->regexp, r->uri, AP_MAX_REG_MATCH, regm, 0)) { if (p->real) { found = ap_pregsub(r->pool, p->real, r->uri, - p->regexp->re_nsub + 1, regm); + AP_MAX_REG_MATCH, regm); if (found && doesc) { found = ap_escape_uri(r->pool, found); } Index: apache_1.3.27/src/modules/standard/mod_rewrite.c --- apache_1.3.27/src/modules/standard/mod_rewrite.c.orig 2002-07-08 19:18:32.000000000 +0200 +++ apache_1.3.27/src/modules/standard/mod_rewrite.c 2003-10-28 15:19:40.000000000 +0100 @@@@ -1759,7 +1759,7 @@@@ const char *vary; char newuri[MAX_STRING_LEN]; regex_t *regexp; - regmatch_t regmatch[MAX_NMATCH]; + regmatch_t regmatch[AP_MAX_REG_MATCH]; backrefinfo *briRR = NULL; backrefinfo *briRC = NULL; int prefixstrip; @@@@ -1816,7 +1816,7 @@@@ rewritelog(r, 3, "[per-dir %s] applying pattern '%s' to uri '%s'", perdir, p->pattern, uri); } - rc = (ap_regexec(regexp, uri, regexp->re_nsub+1, regmatch, 0) == 0); + rc = (ap_regexec(regexp, uri, AP_MAX_REG_MATCH, regmatch, 0) == 0); if (! 
(( rc && !(p->flags & RULEFLAG_NOTMATCH)) || (!rc && (p->flags & RULEFLAG_NOTMATCH)) ) ) { return 0; @@@@ -2117,7 +2117,7 @@@@ char input[MAX_STRING_LEN]; struct stat sb; request_rec *rsub; - regmatch_t regmatch[MAX_NMATCH]; + regmatch_t regmatch[AP_MAX_REG_MATCH]; int rc; /* @@@@ -2221,8 +2221,7 @@@@ } else { /* it is really a regexp pattern, so apply it */ - rc = (ap_regexec(p->regexp, input, - p->regexp->re_nsub+1, regmatch,0) == 0); + rc = (ap_regexec(p->regexp, input, AP_MAX_REG_MATCH, regmatch,0) == 0); /* if it isn't a negated pattern and really matched we update the passed-through regex subst info structure */ @@@@ -2380,7 +2379,7 @@@@ bri = briRC; } /* see ap_pregsub() in src/main/util.c */ - if (bri && n <= bri->nsub && + if (bri && n < AP_MAX_REG_MATCH && bri->regmatch[n].rm_eo > bri->regmatch[n].rm_so) { span = bri->regmatch[n].rm_eo - bri->regmatch[n].rm_so; if (span > space) { Index: apache_1.3.27/src/modules/standard/mod_rewrite.h --- apache_1.3.27/src/modules/standard/mod_rewrite.h.orig 2002-03-13 22:05:34.000000000 +0100 +++ apache_1.3.27/src/modules/standard/mod_rewrite.h 2003-10-28 15:20:13.000000000 +0100 @@@@ -253,8 +253,6 @@@@ #define MAX_ENV_FLAGS 15 -#define MAX_NMATCH 10 - /* ** ** our private data structures we handle with @@@@ -356,7 +354,7 @@@@ typedef struct backrefinfo { char *source; int nsub; - regmatch_t regmatch[10]; + regmatch_t regmatch[AP_MAX_REG_MATCH]; } backrefinfo; @ 1.1.6.1 log @mass Merge-From-CURRENT (MFC) in preparation for OpenPKG 1.3 [class BASE only] @ text @a0 46 --- apache_1.3.28/configure.orig Tue May 21 14:24:59 2002 +++ apache_1.3.28/configure Mon Feb 10 11:08:40 2003 @@@@ -1216,10 +1216,10 @@@@ ## or we cannot support the case where the relative ## path is just the emtpy one, i.e. 
""] ## -runtimedir_relative=`echo $runtimedir | sed -e "s:^$prefix/*::" -e 's:\(.\)$:\1/:'` -logfiledir_relative=`echo $logfiledir | sed -e "s:^$prefix/*::" -e 's:\(.\)$:\1/:'` -sysconfdir_relative=`echo $sysconfdir | sed -e "s:^$prefix/*::" -e 's:\(.\)$:\1/:'` -libexecdir_relative=`echo $libexecdir | sed -e "s:^$prefix/*::" -e 's:\(.\)$:\1/:'` +runtimedir_relative="$runtimedir/" +logfiledir_relative="$logfiledir/" +sysconfdir_relative="$sysconfdir/" +libexecdir_relative="$libexecdir/" ## ## check and debug --- apache_1.3.28/src/Configure.dist 2003-06-11 11:59:51.000000000 +0200 +++ apache_1.3.28/src/Configure 2003-06-11 12:46:14.000000000 +0200 @@@@ -1190,14 +1190,20 @@@@ SHLIB_SUFFIX_DEPTH=0 ;; *-solaris2*) - if [ "x`$CC -v 2>&1 | grep gcc`" != "x" ]; then - CFLAGS_SHLIB="-fPIC" - else - CFLAGS_SHLIB="-KPIC" - fi + CFLAGS_SHLIB="-KPIC" LDFLAGS_SHLIB="-G" - LDFLAGS_MOD_SHLIB=$LDFLAGS_SHLIB LDFLAGS_SHLIB_EXPORT="" + for word in `$CC -v 2>&1` ; do + case $word in + --with-gnu-ld) + LDFLAGS_SHLIB="-shared" + ;; + *gcc*) + CFLAGS_SHLIB="-fPIC" + ;; + esac + done + LDFLAGS_MOD_SHLIB=$LDFLAGS_SHLIB SHLIB_SUFFIX_DEPTH=1 ;; *-sunos4*) @ 1.1.6.2 log @MFC: all changes since last merge @ text @a46 31 --- apache_1.3.28/src/main/alloc.c.dist 2003-07-29 15:23:08.000000000 +0200 +++ apache_1.3.28/src/main/alloc.c 2003-07-29 15:25:08.000000000 +0200 @@@@ -2858,13 +2858,11 @@@@ for (p = procs; p; p = p->next) { if ((p->kill_how == kill_after_timeout) || (p->kill_how == kill_only_once)) { - /* Subprocess may be dead already. Only need the timeout if not. 
*/ - if (ap_os_kill(p->pid, SIGTERM) == -1) { - p->kill_how = kill_never; - } - else { - need_timeout = 1; - } + /* Dead subprocesses still need a waitpid to remove the zombie + * so we have to ignore errors returned by ap_os_kill() + */ + ap_os_kill(p->pid, SIGTERM); + need_timeout = 1; } else if (p->kill_how == kill_always) { kill(p->pid, SIGKILL); --- apache_1.3.28/src/main/util_script.c.orig Mon Jul 28 17:13:56 2003 +++ apache_1.3.28/src/main/util_script.c Tue Jul 29 15:55:27 2003 @@@@ -246,6 +246,7 @@@@ } } + if (!(env_path = ap_pstrdup(r->pool, ap_table_get(r->subprocess_env, "PATH")))) if (!(env_path = ap_pstrdup(r->pool, getenv("PATH")))) { env_path = DEFAULT_PATH; } @ 1.1.6.2.2.1 log @Security Bugfix (CAN-2003-0542, OpenPKG-SA-2003.046-apache) @ text @a77 114 ----------------------------------------------------------------------------- Security Bugfix (CAN-2003-0542, OpenPKG-SA-2003.046-apache): Index: apache_1.3.28/src/include/httpd.h --- apache_1.3.28/src/include/httpd.h.orig 2003-07-16 22:20:26.000000000 +0200 +++ apache_1.3.28/src/include/httpd.h 2003-10-28 14:10:48.000000000 +0100 @@@@ -274,6 +274,9 @@@@ /* The size of the server's internal read-write buffers */ #define IOBUFSIZE 8192 +/* The max number of regex captures that can be expanded by ap_pregsub */ +#define AP_MAX_REG_MATCH 10 + /* Number of servers to spawn off by default --- also, if fewer than * this free when the caretaker checks, it will spawn more. 
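Review bot: In the util_script.c hunk the `PATH` value taken from `r->subprocess_env` is handed to CGI children without validation, so an empty or relative search path is accepted as-is. Per the log message the value comes from SetEnv, which presumably can also appear in per-directory configuration where overrides allow it, so whoever can write that configuration decides where CGI programs resolve unqualified commands. That deserves a comment above the lookup, e.g. `/* PATH may come from configuration (SetEnv) and is trusted as-is; restrict overrides accordingly */`. The added `if` is also stacked on the existing `if` without braces and reads like a duplicated line; bracing the outer `if` would make the fallback order (subprocess_env, then getenv, then DEFAULT_PATH) explicit. The enclosing function starts and ends outside the hunk.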
*/ Index: apache_1.3.28/src/modules/standard/mod_alias.c --- apache_1.3.28/src/modules/standard/mod_alias.c.orig 2003-04-24 18:08:21.000000000 +0200 +++ apache_1.3.28/src/modules/standard/mod_alias.c 2003-10-28 14:10:48.000000000 +0100 @@@@ -299,7 +299,7 @@@@ static char *try_alias_list(request_rec *r, array_header *aliases, int doesc, int *status) { alias_entry *entries = (alias_entry *) aliases->elts; - regmatch_t regm[10]; + regmatch_t regm[AP_MAX_REG_MATCH]; char *found = NULL; int i; @@@@ -308,10 +308,10 @@@@ int l; if (p->regexp) { - if (!ap_regexec(p->regexp, r->uri, p->regexp->re_nsub + 1, regm, 0)) { + if (!ap_regexec(p->regexp, r->uri, AP_MAX_REG_MATCH, regm, 0)) { if (p->real) { found = ap_pregsub(r->pool, p->real, r->uri, - p->regexp->re_nsub + 1, regm); + AP_MAX_REG_MATCH, regm); if (found && doesc) { found = ap_escape_uri(r->pool, found); } Index: apache_1.3.28/src/modules/standard/mod_rewrite.c --- apache_1.3.28/src/modules/standard/mod_rewrite.c.orig 2003-05-19 04:35:31.000000000 +0200 +++ apache_1.3.28/src/modules/standard/mod_rewrite.c 2003-10-28 14:10:48.000000000 +0100 @@@@ -1834,7 +1834,7 @@@@ const char *vary; char newuri[MAX_STRING_LEN]; regex_t *regexp; - regmatch_t regmatch[MAX_NMATCH]; + regmatch_t regmatch[AP_MAX_REG_MATCH]; backrefinfo *briRR = NULL; backrefinfo *briRC = NULL; int prefixstrip; @@@@ -1891,7 +1891,7 @@@@ rewritelog(r, 3, "[per-dir %s] applying pattern '%s' to uri '%s'", perdir, p->pattern, uri); } - rc = (ap_regexec(regexp, uri, regexp->re_nsub+1, regmatch, 0) == 0); + rc = (ap_regexec(regexp, uri, AP_MAX_REG_MATCH, regmatch, 0) == 0); if (! 
(( rc && !(p->flags & RULEFLAG_NOTMATCH)) || (!rc && (p->flags & RULEFLAG_NOTMATCH)) ) ) { return 0; @@@@ -2179,7 +2179,7 @@@@ char input[MAX_STRING_LEN]; struct stat sb; request_rec *rsub; - regmatch_t regmatch[MAX_NMATCH]; + regmatch_t regmatch[AP_MAX_REG_MATCH]; int rc; /* @@@@ -2283,8 +2283,7 @@@@ } else { /* it is really a regexp pattern, so apply it */ - rc = (ap_regexec(p->regexp, input, - p->regexp->re_nsub+1, regmatch,0) == 0); + rc = (ap_regexec(p->regexp, input, AP_MAX_REG_MATCH, regmatch,0) == 0); /* if it isn't a negated pattern and really matched we update the passed-through regex subst info structure */ @@@@ -2442,7 +2441,7 @@@@ bri = briRC; } /* see ap_pregsub() in src/main/util.c */ - if (bri && n <= bri->nsub && + if (bri && n < AP_MAX_REG_MATCH && bri->regmatch[n].rm_eo > bri->regmatch[n].rm_so) { span = bri->regmatch[n].rm_eo - bri->regmatch[n].rm_so; if (span > space) { Index: apache_1.3.28/src/modules/standard/mod_rewrite.h --- apache_1.3.28/src/modules/standard/mod_rewrite.h.orig 2003-05-19 04:35:31.000000000 +0200 +++ apache_1.3.28/src/modules/standard/mod_rewrite.h 2003-10-28 14:10:48.000000000 +0100 @@@@ -253,8 +253,6 @@@@ #define MAX_ENV_FLAGS 15 -#define MAX_NMATCH 10 - /* default maximum number of internal redirects */ #define REWRITE_REDIRECT_LIMIT 10 @@@@ -368,7 +366,7 @@@@ typedef struct backrefinfo { char *source; int nsub; - regmatch_t regmatch[10]; + regmatch_t regmatch[AP_MAX_REG_MATCH]; } backrefinfo; @ 1.1.6.2.2.2 log @apply security fixes (CAN-2003-0993, CAN-2003-0020, CAN-2003-0987, CAN-2004-0174) @ text @a191 690 ============================================================================= Security Fix (CAN-2003-0993, Apache PR 23850): mod_access in Apache 1.3 before 1.3.30, when running big-endian 64-bit platforms, does not properly parse Allow/Deny rules using IP addresses without a netmask, which could allow remote attackers to bypass intended access restrictions. 
Index: apache_1.3.28/src/modules/standard/mod_access.c --- apache_1.3.28/src/modules/standard/mod_access.c.orig 2003-02-03 18:13:27.000000000 +0100 +++ apache_1.3.28/src/modules/standard/mod_access.c 2004-05-12 10:03:14.000000000 +0200 @@@@ -82,8 +82,8 @@@@ union { char *from; struct { - unsigned long net; - unsigned long mask; + struct in_addr net; + struct in_addr mask; } ip; } x; enum allowdeny_type type; @@@@ -167,14 +167,14 @@@@ } else if ((s = strchr(where, '/'))) { - unsigned long mask; + struct in_addr mask; a->type = T_IP; /* trample on where, we won't be using it any more */ *s++ = '\0'; if (!is_ip(where) - || (a->x.ip.net = ap_inet_addr(where)) == INADDR_NONE) { + || (a->x.ip.net.s_addr = ap_inet_addr(where)) == INADDR_NONE) { a->type = T_FAIL; return "syntax error in network portion of network/netmask"; } @@@@ -186,24 +186,26 @@@@ } /* is it in /a.b.c.d form? */ if (strchr(s, '.')) { - mask = ap_inet_addr(s); - if (mask == INADDR_NONE) { + mask.s_addr = ap_inet_addr(s); + if (mask.s_addr == INADDR_NONE) { a->type = T_FAIL; return "syntax error in mask portion of network/netmask"; } } else { + int i; + /* assume it's in /nnn form */ - mask = atoi(s); - if (mask > 32 || mask <= 0) { + i = atoi(s); + if (i > 32 || i <= 0) { a->type = T_FAIL; return "invalid mask in network/netmask"; } - mask = 0xFFFFFFFFUL << (32 - mask); - mask = htonl(mask); + mask.s_addr = 0xFFFFFFFFUL << (32 - i); + mask.s_addr = htonl(mask.s_addr); } a->x.ip.mask = mask; - a->x.ip.net = (a->x.ip.net & mask); /* pjr - This fixes PR 4770 */ + a->x.ip.net.s_addr = (a->x.ip.net.s_addr & mask.s_addr); /* pjr - This fixes PR 4770 */ } else if (ap_isdigit(*where) && is_ip(where)) { /* legacy syntax for ip addrs: a.b.c. 
==> a.b.c.0/24 for example */ @@@@ -214,8 +216,8 @@@@ a->type = T_IP; /* parse components */ s = where; - a->x.ip.net = 0; - a->x.ip.mask = 0; + a->x.ip.net.s_addr = 0; + a->x.ip.mask.s_addr = 0; shift = 24; while (*s) { t = s; @@@@ -234,6 +236,7 @@@@ return "invalid ip address"; } if (shift < 0) { + a->type = T_FAIL; return "invalid ip address, only 4 octets allowed"; } octet = atoi(s); @@@@ -241,13 +244,13 @@@@ a->type = T_FAIL; return "each octet must be between 0 and 255 inclusive"; } - a->x.ip.net |= octet << shift; - a->x.ip.mask |= 0xFFUL << shift; + a->x.ip.net.s_addr |= (unsigned int)octet << shift; + a->x.ip.mask.s_addr |= 0xFFUL << shift; s = t; shift -= 8; } - a->x.ip.net = ntohl(a->x.ip.net); - a->x.ip.mask = ntohl(a->x.ip.mask); + a->x.ip.net.s_addr = ntohl(a->x.ip.net.s_addr); + a->x.ip.mask.s_addr = ntohl(a->x.ip.mask.s_addr); } else { a->type = T_HOST; @@@@ -315,9 +318,9 @@@@ return 1; case T_IP: - if (ap[i].x.ip.net != INADDR_NONE + if (ap[i].x.ip.net.s_addr != INADDR_NONE && (r->connection->remote_addr.sin_addr.s_addr - & ap[i].x.ip.mask) == ap[i].x.ip.net) { + & ap[i].x.ip.mask.s_addr) == ap[i].x.ip.net.s_addr) { return 1; } break; ============================================================================= Security Fix (CAN-2003-0020): Apache does not filter terminal escape sequences from its error logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences. 
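Review bot: In the mod_access.c hunk at -186,24 the `/nnn` mask is still parsed with `atoi(s)`, which accepts trailing garbage (`24x` is taken as 24) and has undefined behaviour on out-of-range input. A mistyped Allow/Deny rule can therefore yield a different network than the administrator wrote instead of a syntax error. Parsing with an end pointer rejects it: `long v = ap_strtol(s, &end, 10);` followed by `if (end == s || *end != '\0' || v <= 0 || v > 32)`. The enclosing function starts and ends outside the hunk.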
Index: apache_1.3.28/src/include/httpd.h --- apache_1.3.28/src/include/httpd.h.orig 2003-10-24 18:11:40.000000000 +0200 +++ apache_1.3.28/src/include/httpd.h 2004-05-12 10:04:43.000000000 +0200 @@@@ -1028,6 +1028,8 @@@@ API_EXPORT(char *) ap_construct_server(pool *p, const char *hostname, unsigned port, const request_rec *r); API_EXPORT(char *) ap_escape_logitem(pool *p, const char *str); +API_EXPORT(size_t) ap_escape_errorlog_item(char *dest, const char *source, + size_t buflen); API_EXPORT(char *) ap_escape_shell_cmd(pool *p, const char *s); API_EXPORT(int) ap_count_dirs(const char *path); Index: apache_1.3.28/src/main/http_log.c --- apache_1.3.28/src/main/http_log.c.orig 2003-02-03 18:13:21.000000000 +0100 +++ apache_1.3.28/src/main/http_log.c 2004-05-12 10:04:43.000000000 +0200 @@@@ -314,6 +314,9 @@@@ const char *fmt, va_list args) { char errstr[MAX_STRING_LEN]; +#ifndef AP_UNSAFE_ERROR_LOG_UNESCAPED + char scratch[MAX_STRING_LEN]; +#endif size_t len; int save_errno = errno; FILE *logf; @@@@ -445,7 +448,14 @@@@ } #endif +#ifndef AP_UNSAFE_ERROR_LOG_UNESCAPED + if (ap_vsnprintf(scratch, sizeof(scratch) - len, fmt, args)) { + len += ap_escape_errorlog_item(errstr + len, scratch, + sizeof(errstr) - len); + } +#else len += ap_vsnprintf(errstr + len, sizeof(errstr) - len, fmt, args); +#endif /* NULL if we are logging to syslog */ if (logf) { Index: apache_1.3.28/src/main/util.c --- apache_1.3.28/src/main/util.c.orig 2003-02-03 18:13:23.000000000 +0100 +++ apache_1.3.28/src/main/util.c 2004-05-12 10:04:43.000000000 +0200 @@@@ -1520,6 +1520,69 @@@@ return ret; } +API_EXPORT(size_t) ap_escape_errorlog_item(char *dest, const char *source, + size_t buflen) +{ + unsigned char *d, *ep; + const unsigned char *s; + + if (!source || !buflen) { /* be safe */ + return 0; + } + + d = (unsigned char *)dest; + s = (const unsigned char *)source; + ep = d + buflen - 1; + + for (; d < ep && *s; ++s) { + + if (TEST_CHAR(*s, T_ESCAPE_LOGITEM)) { + *d++ = '\\'; + if (d >= ep) { + --d; + 
break; + } + + switch(*s) { + case '\b': + *d++ = 'b'; + break; + case '\n': + *d++ = 'n'; + break; + case '\r': + *d++ = 'r'; + break; + case '\t': + *d++ = 't'; + break; + case '\v': + *d++ = 'v'; + break; + case '\\': + *d++ = *s; + break; + case '"': /* no need for this in error log */ + d[-1] = *s; + break; + default: + if (d >= ep - 2) { + ep = --d; /* break the for loop as well */ + break; + } + c2x(*s, d); + *d = 'x'; + d += 3; + } + } + else { + *d++ = *s; + } + } + *d = '\0'; + + return (d - (unsigned char *)dest); +} API_EXPORT(char *) ap_escape_shell_cmd(pool *p, const char *str) { ============================================================================= Security Fix (CAN-2003-0987): mod_digest for Apache did not properly verify the nonce of a client response by using a AuthNonce secret. Now Apache verifies the nonce returned in the client response to check whether it was issued by itself by means of a AuthDigestRealmSeed secret exposed as an md5(). Index: apache_1.3.28/src/include/http_core.h --- apache_1.3.28/src/include/http_core.h.orig 2003-07-07 02:34:09.000000000 +0200 +++ apache_1.3.28/src/include/http_core.h 2004-05-12 10:03:51.000000000 +0200 @@@@ -162,6 +162,7 @@@@ API_EXPORT(const char *) ap_auth_type (request_rec *); API_EXPORT(const char *) ap_auth_name (request_rec *); +API_EXPORT(const char *) ap_auth_nonce (request_rec *); API_EXPORT(int) ap_satisfies (request_rec *r); API_EXPORT(const array_header *) ap_requires (request_rec *); @@@@ -355,6 +356,9 @@@@ */ ap_flag_e cgi_command_args; + /* Digest auth. 
*/ + char *ap_auth_nonce; + } core_dir_config; /* Per-server core configuration */ Index: apache_1.3.28/src/main/http_core.c --- apache_1.3.28/src/main/http_core.c.orig 2003-10-19 15:20:57.000000000 +0200 +++ apache_1.3.28/src/main/http_core.c 2004-05-12 10:03:51.000000000 +0200 @@@@ -236,6 +236,9 @@@@ if (new->ap_auth_name) { conf->ap_auth_name = new->ap_auth_name; } + if (new->ap_auth_nonce) { + conf->ap_auth_nonce = new->ap_auth_nonce; + } if (new->ap_requires) { conf->ap_requires = new->ap_requires; } @@@@ -577,6 +580,31 @@@@ return conf->ap_auth_name; } +API_EXPORT(const char *) ap_auth_nonce(request_rec *r) +{ + core_dir_config *conf; + conf = (core_dir_config *)ap_get_module_config(r->per_dir_config, + &core_module); + if (conf->ap_auth_nonce) + return conf->ap_auth_nonce; + + /* Ideally we'd want to mix in some per-directory style + * information; as we are likely to want to detect replay + * across those boundaries and some randomness. But that + * is harder due to the adhoc nature of .htaccess memory + * structures, restarts and forks. + * + * But then again - you should use AuthDigestRealmSeed in your config + * file if you care. So the adhoc value should do. + */ + return ap_psprintf(r->pool,"%pp%pp%pp%pp%pp", + (void *)&((r->connection->local_addr).sin_addr ), + (void *)ap_user_name, + (void *)ap_listeners, + (void *)ap_server_argv0, + (void *)ap_pid_fname); +} + API_EXPORT(const char *) ap_default_type(request_rec *r) { core_dir_config *conf; @@@@ -2786,6 +2814,28 @@@@ return NULL; } +/* + * Load an authorisation nonce into our location configuration, and + * force it to be in the 0-9/A-Z realm. 
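Review bot: The fallback in `ap_auth_nonce()` (http_core.c hunk at -577,6) builds the nonce seed only from addresses and pointer values of process globals, which are not secret and are likely identical across restarts and across hosts running the same build. Without AuthDigestRealmSeed the MD5 prefix therefore gives little assurance that a nonce was really issued by this server. The in-code comment should say so plainly, e.g. `/* NOT a secret: derived from addresses only; configure AuthDigestRealmSeed with a random value */`. The directive help text in the command-table hunk at -3400,6 should stop recommending the server's IP address as a seed, because that value is public.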
+ */ +static const char *set_authnonce (cmd_parms *cmd, void *mconfig, char *word1) +{ + core_dir_config *aconfig = (core_dir_config *)mconfig; + size_t i; + + aconfig->ap_auth_nonce = ap_escape_quotes(cmd->pool, word1); + + if (strlen(aconfig->ap_auth_nonce) > 510) + return "AuthDigestRealmSeed length limited to 510 chars for browser compatibility"; + + for(i=0;iap_auth_nonce );i++) + if (!ap_isalnum(aconfig->ap_auth_nonce [i])) + return "AuthDigestRealmSeed limited to 0-9 and A-Z range for browser compatibility"; + + return NULL; +} + + #ifdef _OSD_POSIX /* BS2000 Logon Passwd file */ static const char *set_bs2000_account(cmd_parms *cmd, void *dummy, char *name) { @@@@ -3400,6 +3450,9 @@@@ "An HTTP authorization type (e.g., \"Basic\")" }, { "AuthName", set_authname, NULL, OR_AUTHCFG, TAKE1, "The authentication realm (e.g. \"Members Only\")" }, +{ "AuthDigestRealmSeed", set_authnonce, NULL, OR_AUTHCFG, TAKE1, + "An authentication token which should be different for each logical realm. "\ + "A random value or the servers IP may be a good choise.\n" }, { "Require", require, NULL, OR_AUTHCFG, RAW_ARGS, "Selects which authenticated users or groups may access a protected space" }, { "Satisfy", satisfy, NULL, OR_AUTHCFG, TAKE1, Index: apache_1.3.28/src/main/http_protocol.c --- apache_1.3.28/src/main/http_protocol.c.orig 2003-02-03 18:13:22.000000000 +0100 +++ apache_1.3.28/src/main/http_protocol.c 2004-05-12 10:03:51.000000000 +0200 @@@@ -76,6 +76,7 @@@@ #include "util_date.h" /* For parseHTTPdate and BAD_DATE */ #include #include "http_conf_globals.h" +#include "util_md5.h" /* For digestAuth */ #define SET_BYTES_SENT(r) \ do { if (r->sent_bodyct) \ @@@@ -1391,11 +1392,25 @@@@ API_EXPORT(void) ap_note_digest_auth_failure(request_rec *r) { + /* We need to create a nonce which: + * a) changes all the time (see r->request_time) + * below and + * b) of which we can verify that it is our own + * fairly easily when it comes to veryfing + * the digest coming back in the 
response. + * c) and which as a whole should not + * be unlikely to be in use anywhere else. + */ + char * nonce_prefix = ap_md5(r->pool, + (unsigned char *) + ap_psprintf(r->pool, "%s%lu", + ap_auth_nonce(r), r->request_time)); + ap_table_setn(r->err_headers_out, r->proxyreq == STD_PROXY ? "Proxy-Authenticate" : "WWW-Authenticate", - ap_psprintf(r->pool, "Digest realm=\"%s\", nonce=\"%lu\"", - ap_auth_name(r), r->request_time)); + ap_psprintf(r->pool, "Digest realm=\"%s\", nonce=\"%s%lu\"", + ap_auth_name(r), nonce_prefix, r->request_time)); } API_EXPORT(int) ap_get_basic_auth_pw(request_rec *r, const char **pw) Index: apache_1.3.28/src/modules/standard/mod_digest.c --- apache_1.3.28/src/modules/standard/mod_digest.c.orig 2003-02-03 18:13:27.000000000 +0100 +++ apache_1.3.28/src/modules/standard/mod_digest.c 2004-05-12 10:03:51.000000000 +0200 @@@@ -316,6 +316,23 @@@@ /* The actual MD5 code... whee */ +/* Check that a given nonce is actually one which was + * issued by this server in the right context. + */ +static int check_nonce(pool *p, const char *prefix, const char *nonce) { + char *timestamp = (char *)nonce + 2 * MD5_DIGESTSIZE; + char *md5; + + if (strlen(nonce) < MD5_DIGESTSIZE) + return AUTH_REQUIRED; + + md5 = ap_md5(p, (unsigned char *)ap_pstrcat(p, prefix, timestamp, NULL)); + + return strncmp(md5, nonce, 2 * MD5_DIGESTSIZE); +} + +/* Check the digest itself. + */ static char *find_digest(request_rec *r, digest_header_rec * h, char *a1) { return ap_md5(r->pool, @@@@ -356,6 +373,15 @@@@ if (!sec->pwfile) return DECLINED; + /* Check that the nonce was one we actually issued. 
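Review bot: `check_nonce()` in the mod_digest.c hunk computes `timestamp = nonce + 2 * MD5_DIGESTSIZE` but only rejects nonces shorter than `MD5_DIGESTSIZE`, so a client-supplied nonce whose length lies between the two makes `ap_pstrcat()` read past the end of the string. The guard should match the offset: `if (strlen(nonce) < 2 * MD5_DIGESTSIZE)`. The function also only proves that the server issued the nonce. Nothing in the hunk bounds the age of the embedded timestamp, so if replay protection is intended it has to be enforced elsewhere.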
*/ + if (check_nonce(r->pool, ap_auth_nonce(r), response->nonce)) { + ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r, + "Client is using a nonce which was not issued by " + "this server for this context: %s", r->uri); + ap_note_digest_auth_failure(r); + return AUTH_REQUIRED; + } + if (!(a1 = get_hash(r, c->user, sec->pwfile))) { ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r, "user %s not found: %s", c->user, r->uri); ============================================================================= Security Fix (CAN-2004-0174): Apache before 2.0.49 and 1.3.30, when using multiple listening sockets on certain platforms, allows remote attackers to cause a Denial of Service (blocked new connections) via a "short-lived connection on a rarely-accessed listening socket." This fixes the starvation issue on listening sockets where a short-lived connection on a rarely-accessed listening socket will cause a child to hold the accept mutex and block out new connections until another connection arrives on that rarely-accessed listening socket. Enabled for some platforms only which are known to have the issue (accept() blocking after select() returns readable). 
Index: apache_1.3.28/src/include/ap_config.h --- apache_1.3.28/src/include/ap_config.h.orig 2003-05-05 13:45:49.000000000 +0200 +++ apache_1.3.28/src/include/ap_config.h 2004-05-12 10:05:56.000000000 +0200 @@@@ -193,6 +193,7 @@@@ int gethostname(char *name, int namelen); #define HAVE_SYSLOG 1 #define SYS_SIGLIST _sys_siglist +#define NONBLOCK_WHEN_MULTI_LISTEN #elif defined(IRIX) #undef HAVE_GMTOFF @@@@ -216,6 +217,7 @@@@ #define NO_LONG_DOUBLE #define NO_LINGCLOSE #define HAVE_SYSLOG 1 +#define NONBLOCK_WHEN_MULTI_LISTEN #elif defined(HIUX) #undef HAVE_GMTOFF @@@@ -299,6 +301,7 @@@@ #elif AIX >= 420 #define NET_SIZE_T size_t #endif +#define NONBLOCK_WHEN_MULTI_LISTEN #elif defined(ULTRIX) /* we don't want to use sys/resource.h under @@@@ -325,6 +328,7 @@@@ #define HAVE_SYSLOG 1 #define HAVE_FLOCK_SERIALIZED_ACCEPT #define SINGLE_LISTEN_UNSERIALIZED_ACCEPT +#define NONBLOCK_WHEN_MULTI_LISTEN #elif defined(PARAGON) #define HAVE_GMTOFF 1 @@@@ -1015,6 +1019,7 @@@@ #include #define NET_SIZE_T size_t #define NEED_HASHBANG_EMUL +#define NONBLOCK_WHEN_MULTI_LISTEN #elif defined(CYGWIN) /* Cygwin 1.x POSIX layer for Win32 */ #define SYSTEM_UID 18 @@@@ -1034,6 +1039,8 @@@@ #define USE_PTHREAD_SERIALIZED_ACCEPT #endif +#elif defined(NETWARE) +#define NONBLOCK_WHEN_MULTI_LISTEN #else /* Unknown system - Edit these to match */ Index: apache_1.3.28/src/main/http_main.c --- apache_1.3.28/src/main/http_main.c.orig 2003-10-19 20:00:35.000000000 +0200 +++ apache_1.3.28/src/main/http_main.c 2004-05-12 10:05:56.000000000 +0200 @@@@ -3905,6 +3905,76 @@@@ old_listeners = NULL; } +#ifdef NONBLOCK_WHEN_MULTI_LISTEN +/* retrieved from APR */ +static int soblock(int sd) +{ +#ifdef NETWARE + u_long one = 0; + + if (ioctlsocket(sd, FIONBIO, &one) == SOCKET_ERROR) { + return -1; + } +#else +#ifndef BEOS + int fd_flags; + + fd_flags = fcntl(sd, F_GETFL, 0); +#if defined(O_NONBLOCK) + fd_flags &= ~O_NONBLOCK; +#elif defined(O_NDELAY) + fd_flags &= ~O_NDELAY; +#elif defined(FNDELAY) + fd_flags 
&= ~FNDELAY; +#else +#error Teach soblock() how to make a socket blocking on your platform. +#endif + if (fcntl(sd, F_SETFL, fd_flags) == -1) { + return errno; + } +#else + int on = 0; + if (setsockopt(sd, SOL_SOCKET, SO_NONBLOCK, &on, sizeof(int)) < 0) + return errno; +#endif /* BEOS */ +#endif /* NETWARE */ + return 0; +} + +static int sononblock(int sd) +{ +#ifdef NETWARE + u_long one = 1; + + if (ioctlsocket(sd, FIONBIO, &one) == SOCKET_ERROR) { + return -1; + } +#else +#ifndef BEOS + int fd_flags; + + fd_flags = fcntl(sd, F_GETFL, 0); +#if defined(O_NONBLOCK) + fd_flags |= O_NONBLOCK; +#elif defined(O_NDELAY) + fd_flags |= O_NDELAY; +#elif defined(FNDELAY) + fd_flags |= FNDELAY; +#else +#error Teach sononblock() how to make a socket non-blocking on your platform. +#endif + if (fcntl(sd, F_SETFL, fd_flags) == -1) { + return errno; + } +#else + int on = 1; + if (setsockopt(sd, SOL_SOCKET, SO_NONBLOCK, &on, sizeof(int)) < 0) + return errno; +#endif /* BEOS */ +#endif /* NETWARE */ + return 0; +} +#endif /* NONBLOCK_WHEN_MULTI_LISTEN */ /* open sockets, and turn the listeners list into a singly linked ring */ static void setup_listeners(pool *p) @@@@ -3937,6 +4007,31 @@@@ head_listener = ap_listeners; close_unused_listeners(); +#ifdef NONBLOCK_WHEN_MULTI_LISTEN + if (ap_listeners->next != ap_listeners) { + lr = ap_listeners; + do { + if (sononblock(lr->fd) < 0) { + ap_log_error(APLOG_MARK, APLOG_CRIT, NULL, + "A listening socket could not be made non-blocking."); + exit(APEXIT_INIT); + } + lr = lr->next; + } while (lr != ap_listeners); + } + else { + /* we could be restarting with a single remaining listening + * socket, still in non-blocking state from a previous + * generation which had more listening sockets + */ + if (soblock(ap_listeners->fd) < 0) { + ap_log_error(APLOG_MARK, APLOG_CRIT, NULL, + "A listening socket could not be made blocking."); + exit(APEXIT_INIT); + } + } +#endif /* NONBLOCK_WHEN_MULTI_LISTEN */ + #ifdef NO_SERIALIZED_ACCEPT /* warn them 
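Review bot: `soblock()` and `sononblock()` report failure as `-1` on NetWare but as `errno` (a positive value) on the fcntl and setsockopt paths, while the callers added to `setup_listeners()` in the next hunk test `sononblock(lr->fd) < 0` and `soblock(ap_listeners->fd) < 0`. On those paths a failure is never detected and startup continues with a listener in the wrong mode. Returning `-1` on every path (replace `return errno;` with `return -1;`), or testing `!= 0` as the later accept-loop hunks do, makes the check effective. The result of `fcntl(sd, F_GETFL, 0)` is also used unchecked; `if (fd_flags == -1) return -1;` before the flag is modified avoids passing a garbage flag set to `F_SETFL`.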
about the starvation problem if they're using multiple * sockets @@@@ -4472,6 +4567,19 @@@@ #ifdef ENETUNREACH case ENETUNREACH: #endif + /* EAGAIN/EWOULDBLOCK can be returned on BSD-derived + * TCP stacks when the connection is aborted before + * we call connect, but only because our listener + * sockets are non-blocking (NONBLOCK_WHEN_MULTI_LISTEN) + */ +#ifdef EAGAIN + case EAGAIN: +#endif +#ifdef EWOULDBLOCK +#if !defined(EAGAIN) || EAGAIN != EWOULDBLOCK + case EWOULDBLOCK: +#endif +#endif break; #ifdef ENETDOWN case ENETDOWN: @@@@ -4561,6 +4669,21 @@@@ * socket options, file descriptors, and read/write buffers. */ +#ifdef NONBLOCK_WHEN_MULTI_LISTEN + /* This assumes that on this platform the non-blocking setting of + * a listening socket is inherited. If that isn't the case, + * this is wasted effort. + */ + if (ap_listeners != ap_listeners->next) { + if (soblock(csd) != 0) { + ap_log_error(APLOG_MARK, APLOG_CRIT, NULL, + "couldn't make socket descriptor (%d) blocking again", + csd); + continue; + } + } +#endif /* NONBLOCK_WHEN_MULTI_LISTEN */ + clen = sizeof(sa_server); if (getsockname(csd, &sa_server, &clen) < 0) { ap_log_error(APLOG_MARK, APLOG_DEBUG, server_conf, @@@@ -6332,15 +6455,22 @@@@ if (csd == INVALID_SOCKET) { csd = -1; } - } while (csd < 0 && h_errno == EINTR); + } while (csd < 0 && h_errno == WSAEINTR); if (csd == INVALID_SOCKET) { - if (h_errno != WSAECONNABORTED) { + if ((h_errno != WSAECONNABORTED) && (h_errno != WSAEWOULDBLOCK)) { ap_log_error(APLOG_MARK, APLOG_ERR, server_conf, "accept: (client socket) failed with errno = %d",h_errno); } } else { + u_long one = 0; + + if (soblock(csd) != 0) { + ap_log_error(APLOG_MARK, APLOG_ERR, server_conf, + "%d couldn't make socket descriptor (%d) blocking again.", h_errno, csd); + continue; + } add_job(csd); } } @ 1.1.6.2.2.3 log @SA-2004.029-apache; CAN-2004-0492 @ text @a881 24 =================================================================== SA-2004.029-apache CAN-2004-0492 RCS file: 
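Review bot: In the accept-loop hunk at -4561,6 the error path after `soblock(csd) != 0` logs and `continue`s without closing `csd` in the lines shown, so each failure appears to leak an accepted descriptor. Unless the loop closes it elsewhere, `close(csd);` belongs before the `continue`. The Win32 hunk at -6332,15 has the same pattern (there `closesocket(csd);`) and declares `u_long one = 0;` without using it. Both loops start and end outside their hunks.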
/home/cvspublic/apache-1.3/src/modules/proxy/proxy_http.c,v retrieving revision 1.106 retrieving revision 1.107 diff -u -r1.106 -r1.107 --- apache_1.3.28/src/modules/proxy/proxy_http.c 2004/03/29 17:47:15 1.106 +++ apache_1.3.28/src/modules/proxy/proxy_http.c 2004/06/11 07:54:38 1.107 @@@@ -485,6 +485,13 @@@@ content_length = ap_table_get(resp_hdrs, "Content-Length"); if (content_length != NULL) { c->len = ap_strtol(content_length, NULL, 10); + + if (c->len < 0) { + ap_kill_timeout(r); + return ap_proxyerror(r, HTTP_BAD_GATEWAY, ap_pstrcat(r->pool, + "Invalid Content-Length from remote server", + NULL)); + } } } @ 1.1.4.1 log @fix security bugs (see OpenPKG-SA-2002.009-apache) @ text @a0 195 CAN-2002-0839 (cve.mitre.org): A vulnerability exists in all versions of Apache prior to 1.3.27 on platforms using System V shared memory based scoreboards. This vulnerability allows an attacker who can execute under the Apache UID to exploit the Apache shared memory scoreboard format and send a signal to any process as root or cause a local denial of service attack. We thank iDefense for their responsible notification and disclosure of this issue. CAN-2002-0840 (cve.mitre.org): Apache is susceptible to a cross site scripting vulnerability in the default 404 page of any web server hosted on a domain that allows wildcard DNS lookups. We thank Matthew Murphy for notification of this issue. CAN-2002-0843 (cve.mitre.org): There were some possible overflows in ab.c which could be exploited by a malicious server. Note that this vulnerability is not in Apache itself, but rather one of the support programs bundled with Apache. We thank David Wagner for the responsible notification and disclosure of this issue. 
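Review bot: The added check rejects only a negative `c->len`; because `ap_strtol()` is called with a NULL end pointer, a Content-Length that is empty or carries trailing garbage is still accepted, and an out-of-range value would presumably be clamped rather than rejected. Since the header comes from the remote server, the stricter form is `errno = 0; c->len = ap_strtol(content_length, &end, 10);` with `if (errno || end == content_length || *end != '\0' || c->len < 0)`. The `ap_pstrcat()` around a single string literal is redundant; the literal can be passed to `ap_proxyerror()` directly, assuming it takes a `const char *`.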
diff -ru3 apache_1.3.26.orig/src/include/http_conf_globals.h apache_1.3.26/src/include/http_conf_globals.h --- apache_1.3.26.orig/src/include/http_conf_globals.h Wed Mar 13 22:05:29 2002 +++ apache_1.3.26/src/include/http_conf_globals.h Fri Oct 4 18:11:24 2002 @@@@ -102,6 +102,7 @@@@ extern API_VAR_EXPORT char *ap_server_argv0; extern enum server_token_type ap_server_tokens; +extern int ap_change_shmem_uid; /* Trying to allocate these in the config pool gets us into some *nasty* * chicken-and-egg problems in http_main.c --- where do you stick them Only in apache_1.3.26/src/include: http_conf_globals.h~ diff -ru3 apache_1.3.26.orig/src/main/http_core.c apache_1.3.26/src/main/http_core.c --- apache_1.3.26.orig/src/main/http_core.c Tue Jun 18 02:59:57 2002 +++ apache_1.3.26/src/main/http_core.c Fri Oct 4 18:11:27 2002 @@@@ -2746,11 +2746,14 @@@@ return ap_pstrcat(r->pool, prefix, "
" SERVER_BASEVERSION " Server at server->server_admin, "\">", - ap_get_server_name(r), " Port ", sport, + ap_escape_html(r->pool, ap_get_server_name(r)), + " Port ", sport, "
\n", NULL); } return ap_pstrcat(r->pool, prefix, "
" SERVER_BASEVERSION - " Server at ", ap_get_server_name(r), " Port ", sport, + " Server at ", + ap_escape_html(r->pool, ap_get_server_name(r)), + " Port ", sport, "
\n", NULL); } @@@@ -2778,6 +2781,18 @@@@ } #endif /*_OSD_POSIX*/ +static const char *set_change_shmem_uid(cmd_parms *cmd, + core_dir_config *d, int arg) +{ + const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY); + if (err != NULL) { + return err; + } + + ap_change_shmem_uid = arg != 0; + return NULL; +} + /* * Handle a request to include the server's OS platform in the Server * response header field (the ServerTokens directive). Unfortunately @@@@ -3411,6 +3426,8 @@@@ (void*)XtOffsetOf(core_dir_config, limit_req_body), OR_ALL, TAKE1, "Limit (in bytes) on maximum size of request message body" }, +{ "ShmemUIDisUser", set_change_shmem_uid, NULL, RSRC_CONF, FLAG, + "Enable the setting of SysV shared memory scoreboard uid/gid to User/Group" }, { "AcceptMutex", set_accept_mutex, NULL, RSRC_CONF, TAKE1, "Serialized Accept Mutex; the methods " #ifdef HAVE_USLOCK_SERIALIZED_ACCEPT @@@@ -3813,7 +3830,8 @@@@ if (r->method_number == M_INVALID) { ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r, - "Invalid method in request %s", r->the_request); + "Invalid method in request %s", + ap_escape_logitem(r->pool, r->the_request)); return NOT_IMPLEMENTED; } if (r->method_number == M_OPTIONS) { Only in apache_1.3.26/src/main: http_core.c~ diff -ru3 apache_1.3.26.orig/src/main/http_main.c apache_1.3.26/src/main/http_main.c --- apache_1.3.26.orig/src/main/http_main.c Wed Jun 5 06:53:15 2002 +++ apache_1.3.26/src/main/http_main.c Fri Oct 4 18:11:24 2002 @@@@ -398,6 +398,8 @@@@ /* Global, alas, so http_core can talk to us */ enum server_token_type ap_server_tokens = SrvTk_FULL; +int ap_change_shmem_uid = 0; + /* * This routine is called when the pconf pool is vacuumed. 
It resets the * server version string to a known value and [re]enables modifications @@@@ -2327,7 +2329,9 @@@@ * We exit below, after we try to remove the segment */ } - else { /* only worry about permissions if we attached the segment */ + /* only worry about permissions if we attached the segment + and we want/need to change the uid/gid */ + else if (ap_change_shmem_uid) { if (shmctl(shmid, IPC_STAT, &shmbuf) != 0) { ap_log_error(APLOG_MARK, APLOG_ERR, server_conf, "shmctl() could not stat segment #%d", shmid); Only in apache_1.3.26/src/main: http_main.c~ diff -ru3 apache_1.3.26.orig/src/main/util_script.c apache_1.3.26/src/main/util_script.c --- apache_1.3.26.orig/src/main/util_script.c Thu Mar 21 17:07:02 2002 +++ apache_1.3.26/src/main/util_script.c Fri Oct 4 18:11:26 2002 @@@@ -280,7 +280,8 @@@@ ap_table_addn(e, "PATH", env_path); ap_table_addn(e, "SERVER_SIGNATURE", ap_psignature("", r)); ap_table_addn(e, "SERVER_SOFTWARE", ap_get_server_version()); - ap_table_addn(e, "SERVER_NAME", ap_get_server_name(r)); + ap_table_addn(e, "SERVER_NAME", + ap_escape_html(r->pool,ap_get_server_name(r))); ap_table_addn(e, "SERVER_ADDR", r->connection->local_ip); /* Apache */ ap_table_addn(e, "SERVER_PORT", ap_psprintf(r->pool, "%u", ap_get_server_port(r))); diff -ru3 apache_1.3.26.orig/src/support/ab.c apache_1.3.26/src/support/ab.c --- apache_1.3.26.orig/src/support/ab.c Sat May 11 22:47:57 2002 +++ apache_1.3.26/src/support/ab.c Fri Oct 4 18:11:23 2002 @@@@ -1079,11 +1079,12 @@@@ * this is first time, extract some interesting info */ char *p, *q; + int qlen; p = strstr(c->cbuff, "Server:"); - q = servername; + q = servername; qlen = sizeof(servername); if (p) { p += 8; - while (*p > 32) + while (*p > 32 && qlen-- > 1) *q++ = *p++; } *q = 0; @@@@ -1575,9 +1576,9 @@@@ strcpy(content_type, optarg); break; case 'C': - strncat(cookie, "Cookie: ", sizeof(cookie)); - strncat(cookie, optarg, sizeof(cookie)); - strncat(cookie, "\r\n", sizeof(cookie)); + strncat(cookie, "Cookie: ", 
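Review bot: Escaping `SERVER_NAME` with `ap_escape_html()` in the util_script.c hunk applies HTML encoding where the output context is not known. CGI scripts that use the variable in a redirect URL, a comparison or a log line now receive entity-encoded text, and scripts that already escape on output will double-escape it. The http_core.c signature change encodes at the HTML sink, which is the right layer. Here a comment next to the call would at least record the contract, e.g. `/* SERVER_NAME is HTML-escaped here; consumers must not treat it as a raw hostname */`. The same line recurs in the 1.3.22 backport further down, and the enclosing function begins and ends outside the hunk.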
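Review bot: The bounded copy into `servername` in the ab.c hunk at 1079 fixes the write side, but `p += 8` still assumes a character follows the `Server:` match. `strstr` matches seven characters, so if the response buffer ends immediately after the colon, `p` lands one byte past the terminator and the `*p > 32` loop reads beyond the string. Advancing by the matched length and then skipping blanks, `p += 7; while (*p == ' ') p++;`, keeps the read inside the buffer. This assumes `c->cbuff` is NUL-terminated, which the `strstr` call already relies on. The same hunk appears in the 1.3.22 backport.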
sizeof(cookie)-strlen(cookie)-1); + strncat(cookie, optarg, sizeof(cookie)-strlen(cookie)-1); + strncat(cookie, "\r\n", sizeof(cookie)-strlen(cookie)-1); break; case 'A': /* @@@@ -1589,9 +1590,9 @@@@ l = ap_base64encode(tmp, optarg, strlen(optarg)); tmp[l] = '\0'; - strncat(auth, "Authorization: Basic ", sizeof(auth)); - strncat(auth, tmp, sizeof(auth)); - strncat(auth, "\r\n", sizeof(auth)); + strncat(auth, "Authorization: Basic ", sizeof(auth)-strlen(auth)-1); + strncat(auth, tmp, sizeof(auth)-strlen(auth)-1); + strncat(auth, "\r\n", sizeof(auth)-strlen(auth)-1); break; case 'P': /* @@@@ -1602,9 +1603,9 @@@@ l = ap_base64encode(tmp, optarg, strlen(optarg)); tmp[l] = '\0'; - strncat(auth, "Proxy-Authorization: Basic ", sizeof(auth)); - strncat(auth, tmp, sizeof(auth)); - strncat(auth, "\r\n", sizeof(auth)); + strncat(auth, "Proxy-Authorization: Basic ", sizeof(auth)-strlen(auth)-1); + strncat(auth, tmp, sizeof(auth)-strlen(auth)-1); + strncat(auth, "\r\n", sizeof(auth)-strlen(auth)-1); break; case 'X': { @@@@ -1622,8 +1623,8 @@@@ } break; case 'H': - strncat(hdrs, optarg, sizeof(hdrs)); - strncat(hdrs, "\r\n", sizeof(hdrs)); + strncat(hdrs, optarg, sizeof(hdrs)-strlen(hdrs)-1); + strncat(hdrs, "\r\n", sizeof(hdrs)-strlen(hdrs)-1); break; case 'V': copyright(); @ 1.1.2.1 log @backport Apache 1.3.24 -> 1.3.26 security bugfixes to Apache 1.3.22 @ text @a0 66 --- apache_1.3.22/src/main/http_protocol.c.orig Fri Jun 22 14:43:54 2001 +++ apache_1.3.22/src/main/http_protocol.c Wed Jun 19 17:32:11 2002 @@@@ -1913,6 +1913,12 @@@@ } r->remaining = atol(lenp); + if (r->remaining < 0) { + ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r, + "Request content-length of %s maps to negative number %ld", + lenp, r->remaining); + return HTTP_BAD_REQUEST; + } } if ((r->read_body == REQUEST_NO_BODY) && @@@@ -1963,21 +1969,34 @@@@ static long get_chunk_size(char *b) { long chunksize = 0; + long chunkbits = sizeof(long) * 8; + + /* Skip leading zeros */ + while (*b == '0') { + ++b; + 
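Review bot: The context line `strcpy(content_type, optarg);` directly above the patched `case 'C'` in ab.c is still an unbounded copy of a command-line argument, so an overflow of the same class stays in place. If `content_type` is a fixed array like `cookie`, `auth` and `hdrs`, `ap_cpystrn(content_type, optarg, sizeof(content_type));` would bound it. The corrected `strncat` calls here and in the `-A`, `-P` and `-H` cases now truncate silently, which can drop the trailing `\r\n` and yield a malformed request header. Checking the remaining space and exiting with an error would make that visible. The option-parsing switch begins and ends outside the hunk, and the 1.3.22 backport carries the same lines.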
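Review bot: `r->remaining = atol(lenp)` in the http_protocol.c hunk at 1913 cannot report overflow, so the added `r->remaining < 0` test only catches oversized values that happen to come out negative. A Content-Length too large for `long` gives undefined results with `atol` and may yield a positive number that passes the check. Setting `errno = 0`, calling `strtol`, and testing `if (errno == ERANGE || r->remaining < 0)` rejects every out-of-range value. The new log call also prints the client-supplied `lenp`. Any validation of its characters happens outside this hunk, so confirm it cannot carry control characters into the error log.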
} - while (ap_isxdigit(*b)) { + while (ap_isxdigit(*b) && (chunkbits > 0)) { int xvalue = 0; - /* This works even on EBCDIC. */ - if (*b >= '0' && *b <= '9') + if (*b >= '0' && *b <= '9') { xvalue = *b - '0'; - else if (*b >= 'A' && *b <= 'F') + } + else if (*b >= 'A' && *b <= 'F') { xvalue = *b - 'A' + 0xa; - else if (*b >= 'a' && *b <= 'f') + } + else if (*b >= 'a' && *b <= 'f') { xvalue = *b - 'a' + 0xa; + } chunksize = (chunksize << 4) | xvalue; + chunkbits -= 4; ++b; } + if (ap_isxdigit(*b) && (chunkbits <= 0)) { + /* overflow */ + return -1; + } return chunksize; } @@@@ -2060,6 +2079,10 @@@@ return 0; } r->remaining = -1; /* Indicate footers in-progress */ + } + else if (len_to_read < 0) { + r->connection->keepalive = -1; + return -1; } else { r->remaining = len_to_read; @ 1.1.2.2 log @fix security bugs (see OpenPKG-SA-2002.009-apache) @ text @a66 158 --- apache_1.3.22.orig/src/include/http_conf_globals.h Fri Jul 13 09:32:35 2001 +++ apache_1.3.22/src/include/http_conf_globals.h Fri Oct 4 18:18:29 2002 @@@@ -102,6 +102,7 @@@@ extern API_VAR_EXPORT char *ap_server_argv0; extern enum server_token_type ap_server_tokens; +extern int ap_change_shmem_uid; /* Trying to allocate these in the config pool gets us into some *nasty* * chicken-and-egg problems in http_main.c --- where do you stick them --- apache_1.3.22.orig/src/main/http_core.c Tue Sep 4 20:15:15 2001 +++ apache_1.3.22/src/main/http_core.c Fri Oct 4 18:18:29 2002 @@@@ -2693,11 +2693,14 @@@@ return ap_pstrcat(r->pool, prefix, "
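Review bot: In `get_chunk_size`, `chunksize = (chunksize << 4) | xvalue` shifts a signed `long`, and the `chunkbits` counter still admits a digit into the top nibble. A chunk-size line with the high bit set is therefore shifted into the sign bit, which is undefined behaviour in C and in practice returns a negative size. The caller's new `len_to_read < 0` branch does treat negatives as an error, so the case is handled, but only by relying on that wrap. Accumulating in `unsigned long chunksize = 0;` and returning `-1` when `chunksize > LONG_MAX` makes the overflow test explicit and independent of the platform's shift behaviour.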
" SERVER_BASEVERSION " Server at server->server_admin, "\">", - ap_get_server_name(r), " Port ", sport, + ap_escape_html(r->pool, ap_get_server_name(r)), + " Port ", sport, "
\n", NULL); } return ap_pstrcat(r->pool, prefix, "
" SERVER_BASEVERSION - " Server at ", ap_get_server_name(r), " Port ", sport, + " Server at ", + ap_escape_html(r->pool, ap_get_server_name(r)), + " Port ", sport, "
\n", NULL); } @@@@ -2725,6 +2728,18 @@@@ } #endif /*_OSD_POSIX*/ +static const char *set_change_shmem_uid(cmd_parms *cmd, + core_dir_config *d, int arg) +{ + const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY); + if (err != NULL) { + return err; + } + + ap_change_shmem_uid = arg != 0; + return NULL; +} + /* * Handle a request to include the server's OS platform in the Server * response header field (the ServerTokens directive). Unfortunately @@@@ -3219,6 +3234,8 @@@@ (void*)XtOffsetOf(core_dir_config, limit_req_body), OR_ALL, TAKE1, "Limit (in bytes) on maximum size of request message body" }, +{ "ShmemUIDisUser", set_change_shmem_uid, NULL, RSRC_CONF, FLAG, + "Enable the setting of SysV shared memory scoreboard uid/gid to User/Group" }, { "AcceptMutex", set_accept_mutex, NULL, RSRC_CONF, TAKE1, "Serialized Accept Mutex; the methods " #ifdef HAVE_USLOCK_SERIALIZED_ACCEPT --- apache_1.3.22.orig/src/main/http_main.c Sat Oct 6 04:21:11 2001 +++ apache_1.3.22/src/main/http_main.c Fri Oct 4 18:18:29 2002 @@@@ -397,6 +397,8 @@@@ /* Global, alas, so http_core can talk to us */ enum server_token_type ap_server_tokens = SrvTk_FULL; +int ap_change_shmem_uid = 0; + /* * This routine is called when the pconf pool is vacuumed. 
It resets the * server version string to a known value and [re]enables modifications @@@@ -2243,7 +2245,9 @@@@ * We exit below, after we try to remove the segment */ } - else { /* only worry about permissions if we attached the segment */ + /* only worry about permissions if we attached the segment + and we want/need to change the uid/gid */ + else if (ap_change_shmem_uid) { if (shmctl(shmid, IPC_STAT, &shmbuf) != 0) { ap_log_error(APLOG_MARK, APLOG_ERR, server_conf, "shmctl() could not stat segment #%d", shmid); --- apache_1.3.22.orig/src/main/util_script.c Wed May 9 07:17:11 2001 +++ apache_1.3.22/src/main/util_script.c Fri Oct 4 18:18:29 2002 @@@@ -285,7 +285,8 @@@@ ap_table_addn(e, "PATH", env_path); ap_table_addn(e, "SERVER_SIGNATURE", ap_psignature("", r)); ap_table_addn(e, "SERVER_SOFTWARE", ap_get_server_version()); - ap_table_addn(e, "SERVER_NAME", ap_get_server_name(r)); + ap_table_addn(e, "SERVER_NAME", + ap_escape_html(r->pool,ap_get_server_name(r))); ap_table_addn(e, "SERVER_ADDR", r->connection->local_ip); /* Apache */ ap_table_addn(e, "SERVER_PORT", ap_psprintf(r->pool, "%u", ap_get_server_port(r))); --- apache_1.3.22.orig/src/support/ab.c Mon Oct 8 19:54:42 2001 +++ apache_1.3.22/src/support/ab.c Fri Oct 4 18:18:29 2002 @@@@ -1068,11 +1068,12 @@@@ * this is first time, extract some interesting info */ char *p, *q; + int qlen; p = strstr(c->cbuff, "Server:"); - q = servername; + q = servername; qlen = sizeof(servername); if (p) { p += 8; - while (*p > 32) + while (*p > 32 && qlen-- > 1) *q++ = *p++; } *q = 0; @@@@ -1545,9 +1546,9 @@@@ strcpy(content_type, optarg); break; case 'C': - strncat(cookie, "Cookie: ", sizeof(cookie)); - strncat(cookie, optarg, sizeof(cookie)); - strncat(cookie, "\r\n", sizeof(cookie)); + strncat(cookie, "Cookie: ", sizeof(cookie)-strlen(cookie)-1); + strncat(cookie, optarg, sizeof(cookie)-strlen(cookie)-1); + strncat(cookie, "\r\n", sizeof(cookie)-strlen(cookie)-1); break; case 'A': /* @@@@ -1559,9 +1560,9 @@@@ l = 
ap_base64encode(tmp, optarg, strlen(optarg)); tmp[l] = '\0'; - strncat(auth, "Authorization: Basic ", sizeof(auth)); - strncat(auth, tmp, sizeof(auth)); - strncat(auth, "\r\n", sizeof(auth)); + strncat(auth, "Authorization: Basic ", sizeof(auth)-strlen(auth)-1); + strncat(auth, tmp, sizeof(auth)-strlen(auth)-1); + strncat(auth, "\r\n", sizeof(auth)-strlen(auth)-1); break; case 'P': /* @@@@ -1572,9 +1573,9 @@@@ l = ap_base64encode(tmp, optarg, strlen(optarg)); tmp[l] = '\0'; - strncat(auth, "Proxy-Authorization: Basic ", sizeof(auth)); - strncat(auth, tmp, sizeof(auth)); - strncat(auth, "\r\n", sizeof(auth)); + strncat(auth, "Proxy-Authorization: Basic ", sizeof(auth)-strlen(auth)-1); + strncat(auth, tmp, sizeof(auth)-strlen(auth)-1); + strncat(auth, "\r\n", sizeof(auth)-strlen(auth)-1); break; case 'X': { @@@@ -1592,8 +1593,8 @@@@ } break; case 'H': - strncat(hdrs, optarg, sizeof(hdrs)); - strncat(hdrs, "\r\n", sizeof(hdrs)); + strncat(hdrs, optarg, sizeof(hdrs)-strlen(hdrs)-1); + strncat(hdrs, "\r\n", sizeof(hdrs)-strlen(hdrs)-1); break; case 'V': copyright(); @