arrfab / rpms / httpd

Forked from rpms/httpd 5 years ago
Clone

Blame SOURCES/httpd-2.4.6-CVE-2013-5704.patch

75a229
diff --git a/include/http_core.h b/include/http_core.h
75a229
index 3c47989..f6f4aa2 100644
75a229
--- a/include/http_core.h
75a229
+++ b/include/http_core.h
75a229
@@ -663,6 +663,10 @@ typedef struct {
75a229
 #define AP_TRACE_ENABLE    1
75a229
 #define AP_TRACE_EXTENDED  2
75a229
     int trace_enable;
75a229
+#define AP_MERGE_TRAILERS_UNSET    0
75a229
+#define AP_MERGE_TRAILERS_ENABLE   1
75a229
+#define AP_MERGE_TRAILERS_DISABLE  2
75a229
+    int merge_trailers;
75a229
 
75a229
 } core_server_config;
75a229
 
75a229
diff --git a/include/httpd.h b/include/httpd.h
75a229
index 36cd58d..2e415f9 100644
75a229
--- a/include/httpd.h
75a229
+++ b/include/httpd.h
75a229
@@ -1032,6 +1032,11 @@ struct request_rec {
75a229
      */
75a229
     apr_sockaddr_t *useragent_addr;
75a229
     char *useragent_ip;
75a229
+
75a229
+    /** MIME trailer environment from the request */
75a229
+    apr_table_t *trailers_in;
75a229
+    /** MIME trailer environment from the response */
75a229
+    apr_table_t *trailers_out;
75a229
 };
75a229
 
75a229
 /**
75a229
diff --git a/modules/http/http_filters.c b/modules/http/http_filters.c
75a229
index 24a939a..2ae8f46 100644
75a229
--- a/modules/http/http_filters.c
75a229
+++ b/modules/http/http_filters.c
75a229
@@ -214,6 +214,49 @@ static apr_status_t get_chunk_line(http_ctx_t *ctx, apr_bucket_brigade *b,
75a229
 }
75a229
 
75a229
 
75a229
+static apr_status_t read_chunked_trailers(http_ctx_t *ctx, ap_filter_t *f,
75a229
+                                          apr_bucket_brigade *b, int merge)
75a229
+{
75a229
+    int rv;
75a229
+    apr_bucket *e;
75a229
+    request_rec *r = f->r;
75a229
+    apr_table_t *saved_headers_in = r->headers_in;
75a229
+    int saved_status = r->status;
75a229
+
75a229
+    r->status = HTTP_OK;
75a229
+    r->headers_in = r->trailers_in;
75a229
+    apr_table_clear(r->headers_in);
75a229
+    ctx->state = BODY_NONE;
75a229
+    ap_get_mime_headers(r);
75a229
+
75a229
+    if(r->status == HTTP_OK) {
75a229
+        r->status = saved_status;
75a229
+        e = apr_bucket_eos_create(f->c->bucket_alloc);
75a229
+        APR_BRIGADE_INSERT_TAIL(b, e);
75a229
+        ctx->eos_sent = 1;
75a229
+        rv = APR_SUCCESS;
75a229
+    }
75a229
+    else {
75a229
+        const char *error_notes = apr_table_get(r->notes,
75a229
+                                                "error-notes");
75a229
+        ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, 
75a229
+                      "Error while reading HTTP trailer: %i%s%s",
75a229
+                      r->status, error_notes ? ": " : "",
75a229
+                      error_notes ? error_notes : "");
75a229
+        rv = APR_EINVAL;
75a229
+    }
75a229
+
75a229
+    if(!merge) {
75a229
+        r->headers_in = saved_headers_in;
75a229
+    }
75a229
+    else {
75a229
+        r->headers_in = apr_table_overlay(r->pool, saved_headers_in,
75a229
+                r->trailers_in);
75a229
+    }
75a229
+
75a229
+    return rv;
75a229
+}
75a229
+
75a229
 /* This is the HTTP_INPUT filter for HTTP requests and responses from
75a229
  * proxied servers (mod_proxy).  It handles chunked and content-length
75a229
  * bodies.  This can only be inserted/used after the headers
75a229
@@ -223,6 +266,7 @@ apr_status_t ap_http_filter(ap_filter_t *f, apr_bucket_brigade *b,
75a229
                             ap_input_mode_t mode, apr_read_type_e block,
75a229
                             apr_off_t readbytes)
75a229
 {
75a229
+    core_server_config *conf;
75a229
     apr_bucket *e;
75a229
     http_ctx_t *ctx = f->ctx;
75a229
     apr_status_t rv;
75a229
@@ -230,6 +274,9 @@ apr_status_t ap_http_filter(ap_filter_t *f, apr_bucket_brigade *b,
75a229
     int http_error = HTTP_REQUEST_ENTITY_TOO_LARGE;
75a229
     apr_bucket_brigade *bb;
75a229
 
75a229
+    conf = (core_server_config *)
75a229
+        ap_get_module_config(f->r->server->module_config, &core_module);
75a229
+
75a229
     /* just get out of the way of things we don't want. */
75a229
     if (mode != AP_MODE_READBYTES && mode != AP_MODE_GETLINE) {
75a229
         return ap_get_brigade(f->next, b, mode, block, readbytes);
75a229
@@ -403,13 +450,8 @@ apr_status_t ap_http_filter(ap_filter_t *f, apr_bucket_brigade *b,
75a229
             }
75a229
 
75a229
             if (!ctx->remaining) {
75a229
-                /* Handle trailers by calling ap_get_mime_headers again! */
75a229
-                ctx->state = BODY_NONE;
75a229
-                ap_get_mime_headers(f->r);
75a229
-                e = apr_bucket_eos_create(f->c->bucket_alloc);
75a229
-                APR_BRIGADE_INSERT_TAIL(b, e);
75a229
-                ctx->eos_sent = 1;
75a229
-                return APR_SUCCESS;
75a229
+                return read_chunked_trailers(ctx, f, b,
75a229
+                        conf->merge_trailers == AP_MERGE_TRAILERS_ENABLE);
75a229
             }
75a229
         }
75a229
     }
75a229
@@ -509,13 +551,8 @@ apr_status_t ap_http_filter(ap_filter_t *f, apr_bucket_brigade *b,
75a229
                 }
75a229
 
75a229
                 if (!ctx->remaining) {
75a229
-                    /* Handle trailers by calling ap_get_mime_headers again! */
75a229
-                    ctx->state = BODY_NONE;
75a229
-                    ap_get_mime_headers(f->r);
75a229
-                    e = apr_bucket_eos_create(f->c->bucket_alloc);
75a229
-                    APR_BRIGADE_INSERT_TAIL(b, e);
75a229
-                    ctx->eos_sent = 1;
75a229
-                    return APR_SUCCESS;
75a229
+                    return read_chunked_trailers(ctx, f, b,
75a229
+                            conf->merge_trailers == AP_MERGE_TRAILERS_ENABLE);
75a229
                 }
75a229
             }
75a229
             break;
75a229
diff --git a/modules/http/http_request.c b/modules/http/http_request.c
75a229
index 796d506..cdfec8b 100644
75a229
--- a/modules/http/http_request.c
75a229
+++ b/modules/http/http_request.c
75a229
@@ -463,6 +463,7 @@ static request_rec *internal_internal_redirect(const char *new_uri,
75a229
     new->main            = r->main;
75a229
 
75a229
     new->headers_in      = r->headers_in;
75a229
+    new->trailers_in     = r->trailers_in;
75a229
     new->headers_out     = apr_table_make(r->pool, 12);
75a229
     if (ap_is_HTTP_REDIRECT(new->status)) {
75a229
         const char *location = apr_table_get(r->headers_out, "Location");
75a229
@@ -470,6 +471,7 @@ static request_rec *internal_internal_redirect(const char *new_uri,
75a229
             apr_table_setn(new->headers_out, "Location", location);
75a229
     }
75a229
     new->err_headers_out = r->err_headers_out;
75a229
+    new->trailers_out    = apr_table_make(r->pool, 5);
75a229
     new->subprocess_env  = rename_original_env(r->pool, r->subprocess_env);
75a229
     new->notes           = apr_table_make(r->pool, 5);
75a229
 
75a229
@@ -583,6 +585,8 @@ AP_DECLARE(void) ap_internal_fast_redirect(request_rec *rr, request_rec *r)
75a229
                                        r->headers_out);
75a229
     r->err_headers_out = apr_table_overlay(r->pool, rr->err_headers_out,
75a229
                                            r->err_headers_out);
75a229
+    r->trailers_out = apr_table_overlay(r->pool, rr->trailers_out,
75a229
+                                           r->trailers_out);
75a229
     r->subprocess_env = apr_table_overlay(r->pool, rr->subprocess_env,
75a229
                                           r->subprocess_env);
75a229
 
75a229
diff --git a/modules/loggers/mod_log_config.c b/modules/loggers/mod_log_config.c
75a229
index 25f5030..b021dd3 100644
75a229
--- a/modules/loggers/mod_log_config.c
75a229
+++ b/modules/loggers/mod_log_config.c
75a229
@@ -431,6 +431,12 @@ static const char *log_header_in(request_rec *r, char *a)
75a229
     return ap_escape_logitem(r->pool, apr_table_get(r->headers_in, a));
75a229
 }
75a229
 
75a229
+static const char *log_trailer_in(request_rec *r, char *a)
75a229
+{
75a229
+    return ap_escape_logitem(r->pool, apr_table_get(r->trailers_in, a));
75a229
+}
75a229
+
75a229
+
75a229
 static APR_INLINE char *find_multiple_headers(apr_pool_t *pool,
75a229
                                               const apr_table_t *table,
75a229
                                               const char *key)
75a229
@@ -514,6 +520,11 @@ static const char *log_header_out(request_rec *r, char *a)
75a229
     return ap_escape_logitem(r->pool, cp);
75a229
 }
75a229
 
75a229
+static const char *log_trailer_out(request_rec *r, char *a)
75a229
+{
75a229
+    return ap_escape_logitem(r->pool, apr_table_get(r->trailers_out, a));
75a229
+}
75a229
+
75a229
 static const char *log_note(request_rec *r, char *a)
75a229
 {
75a229
     return ap_escape_logitem(r->pool, apr_table_get(r->notes, a));
75a229
@@ -916,7 +927,7 @@ static char *parse_log_misc_string(apr_pool_t *p, log_format_item *it,
75a229
 static char *parse_log_item(apr_pool_t *p, log_format_item *it, const char **sa)
75a229
 {
75a229
     const char *s = *sa;
75a229
-    ap_log_handler *handler;
75a229
+    ap_log_handler *handler = NULL;
75a229
 
75a229
     if (*s != '%') {
75a229
         return parse_log_misc_string(p, it, sa);
75a229
@@ -986,7 +997,16 @@ static char *parse_log_item(apr_pool_t *p, log_format_item *it, const char **sa)
75a229
             break;
75a229
 
75a229
         default:
75a229
-            handler = (ap_log_handler *)apr_hash_get(log_hash, s++, 1);
75a229
+            /* check for '^' + two character format first */
75a229
+            if (*s == '^' && *(s+1) && *(s+2)) { 
75a229
+                handler = (ap_log_handler *)apr_hash_get(log_hash, s, 3); 
75a229
+                if (handler) { 
75a229
+                   s += 3;
75a229
+                }
75a229
+            }
75a229
+            if (!handler) {  
75a229
+                handler = (ap_log_handler *)apr_hash_get(log_hash, s++, 1);  
75a229
+            }
75a229
             if (!handler) {
75a229
                 char dummy[2];
75a229
 
75a229
@@ -1516,7 +1536,7 @@ static void ap_register_log_handler(apr_pool_t *p, char *tag,
75a229
     log_struct->func = handler;
75a229
     log_struct->want_orig_default = def;
75a229
 
75a229
-    apr_hash_set(log_hash, tag, 1, (const void *)log_struct);
75a229
+    apr_hash_set(log_hash, tag, strlen(tag), (const void *)log_struct);
75a229
 }
75a229
 static ap_log_writer_init* ap_log_set_writer_init(ap_log_writer_init *handle)
75a229
 {
75a229
@@ -1686,6 +1706,9 @@ static int log_pre_config(apr_pool_t *p, apr_pool_t *plog, apr_pool_t *ptemp)
75a229
         log_pfn_register(p, "U", log_request_uri, 1);
75a229
         log_pfn_register(p, "s", log_status, 1);
75a229
         log_pfn_register(p, "R", log_handler, 1);
75a229
+
75a229
+        log_pfn_register(p, "^ti", log_trailer_in, 0);
75a229
+        log_pfn_register(p, "^to", log_trailer_out, 0);
75a229
     }
75a229
 
75a229
     /* reset to default conditions */
75a229
diff --git a/modules/proxy/mod_proxy_http.c b/modules/proxy/mod_proxy_http.c
75a229
index 7ae0fa4..05f33b4 100644
75a229
--- a/modules/proxy/mod_proxy_http.c
75a229
+++ b/modules/proxy/mod_proxy_http.c
75a229
@@ -994,8 +994,11 @@ static request_rec *make_fake_req(conn_rec *c, request_rec *r)
75a229
     rp->status          = HTTP_OK;
75a229
 
75a229
     rp->headers_in      = apr_table_make(pool, 50);
75a229
+    rp->trailers_in     = apr_table_make(pool, 5);
75a229
+
75a229
     rp->subprocess_env  = apr_table_make(pool, 50);
75a229
     rp->headers_out     = apr_table_make(pool, 12);
75a229
+    rp->trailers_out    = apr_table_make(pool, 5);
75a229
     rp->err_headers_out = apr_table_make(pool, 5);
75a229
     rp->notes           = apr_table_make(pool, 5);
75a229
 
75a229
@@ -1076,6 +1079,7 @@ static void ap_proxy_read_headers(request_rec *r, request_rec *rr,
75a229
     psc = (proxy_server_conf *) ap_get_module_config(sconf, &proxy_module);
75a229
 
75a229
     r->headers_out = apr_table_make(r->pool, 20);
75a229
+    r->trailers_out = apr_table_make(r->pool, 5);
75a229
     *pread_len = 0;
75a229
 
75a229
     /*
75a229
@@ -1206,6 +1210,14 @@ apr_status_t ap_proxygetline(apr_bucket_brigade *bb, char *s, int n, request_rec
75a229
 #define AP_MAX_INTERIM_RESPONSES 10
75a229
 #endif
75a229
 
75a229
+static int add_trailers(void *data, const char *key, const char *val)
75a229
+{
75a229
+    if (val) {
75a229
+        apr_table_add((apr_table_t*)data, key, val);
75a229
+    }
75a229
+    return 1;
75a229
+}
75a229
+
75a229
 static
75a229
 apr_status_t ap_proxy_http_process_response(apr_pool_t * p, request_rec *r,
75a229
                                             proxy_conn_rec **backend_ptr,
75a229
@@ -1717,6 +1729,12 @@ apr_status_t ap_proxy_http_process_response(apr_pool_t * p, request_rec *r,
75a229
                     /* next time try a non-blocking read */
75a229
                     mode = APR_NONBLOCK_READ;
75a229
 
75a229
+                    if (!apr_is_empty_table(backend->r->trailers_in)) {
75a229
+                        apr_table_do(add_trailers, r->trailers_out,
75a229
+                                backend->r->trailers_in, NULL);
75a229
+                        apr_table_clear(backend->r->trailers_in);
75a229
+                    }
75a229
+
75a229
                     apr_brigade_length(bb, 0, &readbytes);
75a229
                     backend->worker->s->read += readbytes;
75a229
 #if DEBUGGING
75a229
diff --git a/server/core.c b/server/core.c
75a229
index 024bab6..7cfde63 100644
75a229
--- a/server/core.c
75a229
+++ b/server/core.c
75a229
@@ -523,6 +523,10 @@ static void *merge_core_server_configs(apr_pool_t *p, void *basev, void *virtv)
75a229
     if (virt->error_log_req)
75a229
         conf->error_log_req = virt->error_log_req;
75a229
 
75a229
+    conf->merge_trailers = (virt->merge_trailers != AP_MERGE_TRAILERS_UNSET)
75a229
+                           ? virt->merge_trailers
75a229
+                           : base->merge_trailers;
75a229
+
75a229
     return conf;
75a229
 }
75a229
 
75a229
@@ -3877,6 +3881,16 @@ AP_DECLARE(void) ap_register_errorlog_handler(apr_pool_t *p, char *tag,
75a229
 }
75a229
 
75a229
 
75a229
+static const char *set_merge_trailers(cmd_parms *cmd, void *dummy, int arg)
75a229
+{
75a229
+    core_server_config *conf = ap_get_module_config(cmd->server->module_config,
75a229
+                                                    &core_module);
75a229
+    conf->merge_trailers = (arg ? AP_MERGE_TRAILERS_ENABLE :
75a229
+            AP_MERGE_TRAILERS_DISABLE);
75a229
+
75a229
+    return NULL;
75a229
+}
75a229
+
75a229
 /* Note --- ErrorDocument will now work from .htaccess files.
75a229
  * The AllowOverride of Fileinfo allows webmasters to turn it off
75a229
  */
75a229
@@ -4124,6 +4138,8 @@ AP_INIT_TAKE1("EnableExceptionHook", ap_mpm_set_exception_hook, NULL, RSRC_CONF,
75a229
 #endif
75a229
 AP_INIT_TAKE1("TraceEnable", set_trace_enable, NULL, RSRC_CONF,
75a229
               "'on' (default), 'off' or 'extended' to trace request body content"),
75a229
+AP_INIT_FLAG("MergeTrailers", set_merge_trailers, NULL, RSRC_CONF,
75a229
+              "merge request trailers into request headers or not"),
75a229
 { NULL }
75a229
 };
75a229
 
75a229
@@ -4206,7 +4222,6 @@ static int core_map_to_storage(request_rec *r)
75a229
 
75a229
 static int do_nothing(request_rec *r) { return OK; }
75a229
 
75a229
-
75a229
 static int core_override_type(request_rec *r)
75a229
 {
75a229
     core_dir_config *conf =
75a229
diff --git a/server/protocol.c b/server/protocol.c
75a229
index 14329eb..46fc034 100644
75a229
--- a/server/protocol.c
75a229
+++ b/server/protocol.c
75a229
@@ -718,6 +718,8 @@ AP_DECLARE(void) ap_get_mime_headers_core(request_rec *r, apr_bucket_brigade *bb
75a229
                 r->status = HTTP_REQUEST_TIME_OUT;
75a229
             }
75a229
             else {
75a229
+                ap_log_rerror(APLOG_MARK, APLOG_DEBUG, rv, r, 
75a229
+                              "Failed to read request header line %s", field);
75a229
                 r->status = HTTP_BAD_REQUEST;
75a229
             }
75a229
 
75a229
@@ -917,9 +919,11 @@ request_rec *ap_read_request(conn_rec *conn)
75a229
     r->allowed_methods = ap_make_method_list(p, 2);
75a229
 
75a229
     r->headers_in      = apr_table_make(r->pool, 25);
75a229
+    r->trailers_in     = apr_table_make(r->pool, 5);
75a229
     r->subprocess_env  = apr_table_make(r->pool, 25);
75a229
     r->headers_out     = apr_table_make(r->pool, 12);
75a229
     r->err_headers_out = apr_table_make(r->pool, 5);
75a229
+    r->trailers_out    = apr_table_make(r->pool, 5);
75a229
     r->notes           = apr_table_make(r->pool, 5);
75a229
 
75a229
     r->request_config  = ap_create_request_config(r->pool);
75a229
@@ -1162,6 +1166,7 @@ AP_DECLARE(void) ap_set_sub_req_protocol(request_rec *rnew,
75a229
     rnew->status          = HTTP_OK;
75a229
 
75a229
     rnew->headers_in      = apr_table_copy(rnew->pool, r->headers_in);
75a229
+    rnew->trailers_in     = apr_table_copy(rnew->pool, r->trailers_in);
75a229
 
75a229
     /* did the original request have a body?  (e.g. POST w/SSI tags)
75a229
      * if so, make sure the subrequest doesn't inherit body headers
75a229
@@ -1173,6 +1178,7 @@ AP_DECLARE(void) ap_set_sub_req_protocol(request_rec *rnew,
75a229
     rnew->subprocess_env  = apr_table_copy(rnew->pool, r->subprocess_env);
75a229
     rnew->headers_out     = apr_table_make(rnew->pool, 5);
75a229
     rnew->err_headers_out = apr_table_make(rnew->pool, 5);
75a229
+    rnew->trailers_out    = apr_table_make(rnew->pool, 5);
75a229
     rnew->notes           = apr_table_make(rnew->pool, 5);
75a229
 
75a229
     rnew->expecting_100   = r->expecting_100;