Blame SOURCES/httpd-2.4.6-CVE-2013-5704.patch

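diff --git a/include/http_core.h b/include/http_core.h
index 3c47989..f6f4aa2 100644
--- a/include/http_core.h
+++ b/include/http_core.h
@@ -663,6 +663,10 @@ typedef struct {
 #define AP_TRACE_ENABLE    1
 #define AP_TRACE_EXTENDED  2
     int trace_enable;
+#define AP_MERGE_TRAILERS_UNSET    0
+#define AP_MERGE_TRAILERS_ENABLE   1
+#define AP_MERGE_TRAILERS_DISABLE  2
+    int merge_trailers;
 
 } core_server_config;
 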
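diff --git a/include/httpd.h b/include/httpd.h
index 36cd58d..2e415f9 100644
--- a/include/httpd.h
+++ b/include/httpd.h
@@ -1032,6 +1032,11 @@ struct request_rec {
      */
     apr_sockaddr_t *useragent_addr;
     char *useragent_ip;
+
+    /** MIME trailer environment from the request */
+    apr_table_t *trailers_in;
+    /** MIME trailer environment from the response */
+    apr_table_t *trailers_out;
 };
 
 /**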
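Review bot: The doc comments on `trailers_in` and `trailers_out` at the end of `struct request_rec` do not say that both tables must always be allocated, yet other files in this patch call `apr_table_clear()`, `apr_table_get()` and `apr_table_copy()` on them with no NULL check. Code that fills in a `request_rec` by hand and is not updated alongside this patch would leave them NULL. I would extend the comments along the lines of `/** MIME trailer environment from the request; never NULL, create with apr_table_make() when building a request_rec */`. Appending fields also changes the struct size, so modules compiled against the old header presumably need a rebuild; the struct's definition starts outside this hunk.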
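diff --git a/modules/http/http_filters.c b/modules/http/http_filters.c
index 24a939a..2ae8f46 100644
--- a/modules/http/http_filters.c
+++ b/modules/http/http_filters.c
@@ -214,6 +214,49 @@ static apr_status_t get_chunk_line(http_ctx_t *ctx, apr_bucket_brigade *b,
 }
 
 
+static apr_status_t read_chunked_trailers(http_ctx_t *ctx, ap_filter_t *f,
+                                          apr_bucket_brigade *b, int merge)
+{
+    int rv;
+    apr_bucket *e;
+    request_rec *r = f->r;
+    apr_table_t *saved_headers_in = r->headers_in;
+    int saved_status = r->status;
+
+    r->status = HTTP_OK;
+    r->headers_in = r->trailers_in;
+    apr_table_clear(r->headers_in);
+    ctx->state = BODY_NONE;
+    ap_get_mime_headers(r);
+
+    if(r->status == HTTP_OK) {
+        r->status = saved_status;
+        e = apr_bucket_eos_create(f->c->bucket_alloc);
+        APR_BRIGADE_INSERT_TAIL(b, e);
+        ctx->eos_sent = 1;
+        rv = APR_SUCCESS;
+    }
+    else {
+        const char *error_notes = apr_table_get(r->notes,
+                                                "error-notes");
+        ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, 
+                      "Error while reading HTTP trailer: %i%s%s",
+                      r->status, error_notes ? ": " : "",
+                      error_notes ? error_notes : "");
+        rv = APR_EINVAL;
+    }
+
+    if(!merge) {
+        r->headers_in = saved_headers_in;
+    }
+    else {
+        r->headers_in = apr_table_overlay(r->pool, saved_headers_in,
+                r->trailers_in);
+    }
+
+    return rv;
+}
+
 /* This is the HTTP_INPUT filter for HTTP requests and responses from
  * proxied servers (mod_proxy).  It handles chunked and content-length
  * bodies.  This can only be inserted/used after the headers
@@ -223,6 +266,7 @@ apr_status_t ap_http_filter(ap_filter_t *f, apr_bucket_brigade *b,
                             ap_input_mode_t mode, apr_read_type_e block,
                             apr_off_t readbytes)
 {
+    core_server_config *conf;
     apr_bucket *e;
     http_ctx_t *ctx = f->ctx;
     apr_status_t rv;
@@ -230,6 +274,9 @@ apr_status_t ap_http_filter(ap_filter_t *f, apr_bucket_brigade *b,
     int http_error = HTTP_REQUEST_ENTITY_TOO_LARGE;
     apr_bucket_brigade *bb;
 
+    conf = (core_server_config *)
+        ap_get_module_config(f->r->server->module_config, &core_module);
+
     /* just get out of the way of things we don't want. */
     if (mode != AP_MODE_READBYTES && mode != AP_MODE_GETLINE) {
         return ap_get_brigade(f->next, b, mode, block, readbytes);
@@ -403,13 +450,8 @@ apr_status_t ap_http_filter(ap_filter_t *f, apr_bucket_brigade *b,
             }
 
             if (!ctx->remaining) {
-                /* Handle trailers by calling ap_get_mime_headers again! */
-                ctx->state = BODY_NONE;
-                ap_get_mime_headers(f->r);
-                e = apr_bucket_eos_create(f->c->bucket_alloc);
-                APR_BRIGADE_INSERT_TAIL(b, e);
-                ctx->eos_sent = 1;
-                return APR_SUCCESS;
+                return read_chunked_trailers(ctx, f, b,
+                        conf->merge_trailers == AP_MERGE_TRAILERS_ENABLE);
             }
         }
     }
@@ -509,13 +551,8 @@ apr_status_t ap_http_filter(ap_filter_t *f, apr_bucket_brigade *b,
                 }
 
                 if (!ctx->remaining) {
-                    /* Handle trailers by calling ap_get_mime_headers again! */
-                    ctx->state = BODY_NONE;
-                    ap_get_mime_headers(f->r);
-                    e = apr_bucket_eos_create(f->c->bucket_alloc);
-                    APR_BRIGADE_INSERT_TAIL(b, e);
-                    ctx->eos_sent = 1;
-                    return APR_SUCCESS;
+                    return read_chunked_trailers(ctx, f, b,
+                            conf->merge_trailers == AP_MERGE_TRAILERS_ENABLE);
                 }
             }
             break;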
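Review bot: In `read_chunked_trailers` the final `if(!merge) … else` runs on the failure branch too, so with merging enabled any trailer fields that were parsed before `ap_get_mime_headers()` reported an error may still be overlaid onto `r->headers_in` even though the function returns `APR_EINVAL`. Restoring the saved table on failure keeps a rejected trailer block out of the request headers: `if (!merge || rv != APR_SUCCESS) {`. Separately, `rv` is declared `int` while the function returns `apr_status_t`; `apr_status_t rv;` matches the signature and the caller. A short header comment stating that the function temporarily points `r->headers_in` at `r->trailers_in` and always restores or replaces it before returning would help the next reader; the helper lies entirely within the first hunk.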
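diff --git a/modules/http/http_request.c b/modules/http/http_request.c
index 796d506..cdfec8b 100644
--- a/modules/http/http_request.c
+++ b/modules/http/http_request.c
@@ -463,6 +463,7 @@ static request_rec *internal_internal_redirect(const char *new_uri,
     new->main            = r->main;
 
     new->headers_in      = r->headers_in;
+    new->trailers_in     = r->trailers_in;
     new->headers_out     = apr_table_make(r->pool, 12);
     if (ap_is_HTTP_REDIRECT(new->status)) {
         const char *location = apr_table_get(r->headers_out, "Location");
@@ -470,6 +471,7 @@ static request_rec *internal_internal_redirect(const char *new_uri,
             apr_table_setn(new->headers_out, "Location", location);
     }
     new->err_headers_out = r->err_headers_out;
+    new->trailers_out    = apr_table_make(r->pool, 5);
     new->subprocess_env  = rename_original_env(r->pool, r->subprocess_env);
     new->notes           = apr_table_make(r->pool, 5);
 
@@ -583,6 +585,8 @@ AP_DECLARE(void) ap_internal_fast_redirect(request_rec *rr, request_rec *r)
                                        r->headers_out);
     r->err_headers_out = apr_table_overlay(r->pool, rr->err_headers_out,
                                            r->err_headers_out);
+    r->trailers_out = apr_table_overlay(r->pool, rr->trailers_out,
+                                           r->trailers_out);
     r->subprocess_env = apr_table_overlay(r->pool, rr->subprocess_env,
                                           r->subprocess_env);
 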
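diff --git a/modules/loggers/mod_log_config.c b/modules/loggers/mod_log_config.c
index 25f5030..b021dd3 100644
--- a/modules/loggers/mod_log_config.c
+++ b/modules/loggers/mod_log_config.c
@@ -431,6 +431,12 @@ static const char *log_header_in(request_rec *r, char *a)
     return ap_escape_logitem(r->pool, apr_table_get(r->headers_in, a));
 }
 
+static const char *log_trailer_in(request_rec *r, char *a)
+{
+    return ap_escape_logitem(r->pool, apr_table_get(r->trailers_in, a));
+}
+
+
 static APR_INLINE char *find_multiple_headers(apr_pool_t *pool,
                                               const apr_table_t *table,
                                               const char *key)
@@ -514,6 +520,11 @@ static const char *log_header_out(request_rec *r, char *a)
     return ap_escape_logitem(r->pool, cp);
 }
 
+static const char *log_trailer_out(request_rec *r, char *a)
+{
+    return ap_escape_logitem(r->pool, apr_table_get(r->trailers_out, a));
+}
+
 static const char *log_note(request_rec *r, char *a)
 {
     return ap_escape_logitem(r->pool, apr_table_get(r->notes, a));
@@ -916,7 +927,7 @@ static char *parse_log_misc_string(apr_pool_t *p, log_format_item *it,
 static char *parse_log_item(apr_pool_t *p, log_format_item *it, const char **sa)
 {
     const char *s = *sa;
-    ap_log_handler *handler;
+    ap_log_handler *handler = NULL;
 
     if (*s != '%') {
         return parse_log_misc_string(p, it, sa);
@@ -986,7 +997,16 @@ static char *parse_log_item(apr_pool_t *p, log_format_item *it, const char **sa)
             break;
 
         default:
-            handler = (ap_log_handler *)apr_hash_get(log_hash, s++, 1);
+            /* check for '^' + two character format first */
+            if (*s == '^' && *(s+1) && *(s+2)) { 
+                handler = (ap_log_handler *)apr_hash_get(log_hash, s, 3); 
+                if (handler) { 
+                   s += 3;
+                }
+            }
+            if (!handler) {  
+                handler = (ap_log_handler *)apr_hash_get(log_hash, s++, 1);  
+            }
             if (!handler) {
                 char dummy[2];
 
@@ -1516,7 +1536,7 @@ static void ap_register_log_handler(apr_pool_t *p, char *tag,
     log_struct->func = handler;
     log_struct->want_orig_default = def;
 
-    apr_hash_set(log_hash, tag, 1, (const void *)log_struct);
+    apr_hash_set(log_hash, tag, strlen(tag), (const void *)log_struct);
 }
 static ap_log_writer_init* ap_log_set_writer_init(ap_log_writer_init *handle)
 {
@@ -1686,6 +1706,9 @@ static int log_pre_config(apr_pool_t *p, apr_pool_t *plog, apr_pool_t *ptemp)
         log_pfn_register(p, "U", log_request_uri, 1);
         log_pfn_register(p, "s", log_status, 1);
         log_pfn_register(p, "R", log_handler, 1);
+
+        log_pfn_register(p, "^ti", log_trailer_in, 0);
+        log_pfn_register(p, "^to", log_trailer_out, 0);
     }
 
     /* reset to default conditions */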
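Review bot: `ap_register_log_handler` now stores the handler under the full `strlen(tag)` bytes, but the lookup in `parse_log_item` only tries a three-byte key beginning with `^` and then a one-byte key, so a handler registered under any other multi-character tag is stored and can never be matched. With the old fixed length of 1 such a tag was reachable through its first character, so this is a silent behaviour change for callers outside this file. A comment above the `apr_hash_set` call would make the contract explicit, for example `/* tag must be a single character, or '^' followed by two characters */`; both functions start outside their hunks, so whether lengths are validated elsewhere is not visible here.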
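diff --git a/modules/proxy/mod_proxy_http.c b/modules/proxy/mod_proxy_http.c
index 7ae0fa4..05f33b4 100644
--- a/modules/proxy/mod_proxy_http.c
+++ b/modules/proxy/mod_proxy_http.c
@@ -994,8 +994,11 @@ static request_rec *make_fake_req(conn_rec *c, request_rec *r)
     rp->status          = HTTP_OK;
 
     rp->headers_in      = apr_table_make(pool, 50);
+    rp->trailers_in     = apr_table_make(pool, 5);
+
     rp->subprocess_env  = apr_table_make(pool, 50);
     rp->headers_out     = apr_table_make(pool, 12);
+    rp->trailers_out    = apr_table_make(pool, 5);
     rp->err_headers_out = apr_table_make(pool, 5);
     rp->notes           = apr_table_make(pool, 5);
 
@@ -1076,6 +1079,7 @@ static void ap_proxy_read_headers(request_rec *r, request_rec *rr,
     psc = (proxy_server_conf *) ap_get_module_config(sconf, &proxy_module);
 
     r->headers_out = apr_table_make(r->pool, 20);
+    r->trailers_out = apr_table_make(r->pool, 5);
     *pread_len = 0;
 
     /*
@@ -1206,6 +1210,14 @@ apr_status_t ap_proxygetline(apr_bucket_brigade *bb, char *s, int n, request_rec
 #define AP_MAX_INTERIM_RESPONSES 10
 #endif
 
+static int add_trailers(void *data, const char *key, const char *val)
+{
+    if (val) {
+        apr_table_add((apr_table_t*)data, key, val);
+    }
+    return 1;
+}
+
 static
 apr_status_t ap_proxy_http_process_response(apr_pool_t * p, request_rec *r,
                                             proxy_conn_rec **backend_ptr,
@@ -1717,6 +1729,12 @@ apr_status_t ap_proxy_http_process_response(apr_pool_t * p, request_rec *r,
                     /* next time try a non-blocking read */
                     mode = APR_NONBLOCK_READ;
 
+                    if (!apr_is_empty_table(backend->r->trailers_in)) {
+                        apr_table_do(add_trailers, r->trailers_out,
+                                backend->r->trailers_in, NULL);
+                        apr_table_clear(backend->r->trailers_in);
+                    }
+
                     apr_brigade_length(bb, 0, &readbytes);
                     backend->worker->s->read += readbytes;
 #if DEBUGGING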
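Review bot: `add_trailers` has no comment, and two of its choices are easy to undo by accident: it returns 1 so that `apr_table_do` keeps iterating, and it uses the copying `apr_table_add` rather than a by-reference add, presumably because the backend request's strings do not live as long as `r->trailers_out`. I would add `/* apr_table_do callback: copy one backend trailer into the client response trailers; return 1 to continue */` above it. The copy in `ap_proxy_http_process_response` forwards every backend trailer field unfiltered, and nothing in this patch shows where `r->trailers_out` is later consumed, so a note at the call site saying who is expected to emit or vet these fields would be useful. The surrounding read loop starts and ends outside the hunk.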
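diff --git a/server/core.c b/server/core.c
index 024bab6..7cfde63 100644
--- a/server/core.c
+++ b/server/core.c
@@ -523,6 +523,10 @@ static void *merge_core_server_configs(apr_pool_t *p, void *basev, void *virtv)
     if (virt->error_log_req)
         conf->error_log_req = virt->error_log_req;
 
+    conf->merge_trailers = (virt->merge_trailers != AP_MERGE_TRAILERS_UNSET)
+                           ? virt->merge_trailers
+                           : base->merge_trailers;
+
     return conf;
 }
 
@@ -3877,6 +3881,16 @@ AP_DECLARE(void) ap_register_errorlog_handler(apr_pool_t *p, char *tag,
 }
 
 
+static const char *set_merge_trailers(cmd_parms *cmd, void *dummy, int arg)
+{
+    core_server_config *conf = ap_get_module_config(cmd->server->module_config,
+                                                    &core_module);
+    conf->merge_trailers = (arg ? AP_MERGE_TRAILERS_ENABLE :
+            AP_MERGE_TRAILERS_DISABLE);
+
+    return NULL;
+}
+
 /* Note --- ErrorDocument will now work from .htaccess files.
  * The AllowOverride of Fileinfo allows webmasters to turn it off
  */
@@ -4124,6 +4138,8 @@ AP_INIT_TAKE1("EnableExceptionHook", ap_mpm_set_exception_hook, NULL, RSRC_CONF,
 #endif
 AP_INIT_TAKE1("TraceEnable", set_trace_enable, NULL, RSRC_CONF,
               "'on' (default), 'off' or 'extended' to trace request body content"),
+AP_INIT_FLAG("MergeTrailers", set_merge_trailers, NULL, RSRC_CONF,
+              "merge request trailers into request headers or not"),
 { NULL }
 };
 
@@ -4206,7 +4222,6 @@ static int core_map_to_storage(request_rec *r)
 
 static int do_nothing(request_rec *r) { return OK; }
 
-
 static int core_override_type(request_rec *r)
 {
     core_dir_config *conf =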
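Review bot: The `MergeTrailers` help text does not state the default or what turning it on means, unlike the `TraceEnable` entry directly above it, which marks its default. The filter only merges when the value equals `AP_MERGE_TRAILERS_ENABLE`, so unset behaves as off; I would say so, e.g. `"'on' to merge request trailers into request headers, 'off' (default) to keep them only in the trailers table"`. That default depends on `merge_trailers` starting at `AP_MERGE_TRAILERS_UNSET` (0), which holds only if the server config is zero-filled on creation; the create function is not in this patch, so an explicit assignment there or a comment next to the field would pin it down. `set_merge_trailers` would also benefit from a one-line comment noting that an explicit `off` is stored as `AP_MERGE_TRAILERS_DISABLE`, so a virtual host can override an inherited `on`.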
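diff --git a/server/protocol.c b/server/protocol.c
index 14329eb..46fc034 100644
--- a/server/protocol.c
+++ b/server/protocol.c
@@ -718,6 +718,8 @@ AP_DECLARE(void) ap_get_mime_headers_core(request_rec *r, apr_bucket_brigade *bb
                 r->status = HTTP_REQUEST_TIME_OUT;
             }
             else {
+                ap_log_rerror(APLOG_MARK, APLOG_DEBUG, rv, r, 
+                              "Failed to read request header line %s", field);
                 r->status = HTTP_BAD_REQUEST;
             }
 
@@ -917,9 +919,11 @@ request_rec *ap_read_request(conn_rec *conn)
     r->allowed_methods = ap_make_method_list(p, 2);
 
     r->headers_in      = apr_table_make(r->pool, 25);
+    r->trailers_in     = apr_table_make(r->pool, 5);
     r->subprocess_env  = apr_table_make(r->pool, 25);
     r->headers_out     = apr_table_make(r->pool, 12);
     r->err_headers_out = apr_table_make(r->pool, 5);
+    r->trailers_out    = apr_table_make(r->pool, 5);
     r->notes           = apr_table_make(r->pool, 5);
 
     r->request_config  = ap_create_request_config(r->pool);
@@ -1162,6 +1166,7 @@ AP_DECLARE(void) ap_set_sub_req_protocol(request_rec *rnew,
     rnew->status          = HTTP_OK;
 
     rnew->headers_in      = apr_table_copy(rnew->pool, r->headers_in);
+    rnew->trailers_in     = apr_table_copy(rnew->pool, r->trailers_in);
 
     /* did the original request have a body?  (e.g. POST w/SSI tags)
      * if so, make sure the subrequest doesn't inherit body headers
@@ -1173,6 +1178,7 @@ AP_DECLARE(void) ap_set_sub_req_protocol(request_rec *rnew,
     rnew->subprocess_env  = apr_table_copy(rnew->pool, r->subprocess_env);
     rnew->headers_out     = apr_table_make(rnew->pool, 5);
     rnew->err_headers_out = apr_table_make(rnew->pool, 5);
+    rnew->trailers_out    = apr_table_make(rnew->pool, 5);
     rnew->notes           = apr_table_make(rnew->pool, 5);
 
     rnew->expecting_100   = r->expecting_100;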
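Review bot: The new debug message in `ap_get_mime_headers_core` prints `field` on the path where reading the line has just failed, so what is logged is whatever the failed read left in that pointer; its declaration and the read call are outside the hunk, so whether it is always NULL or a terminated partial line at this point cannot be confirmed from here. A comment stating the expectation, such as `/* field is NULL or the truncated line on failure */`, would document it. The helper is now also used for trailers, so the wording "request header line" will appear for trailer failures too; "header or trailer line" would be more accurate. In `ap_set_sub_req_protocol` the added `apr_table_copy(rnew->pool, r->trailers_in)` assumes the parent's table is non-NULL, which holds for requests created by `ap_read_request` as patched above but is worth a comment for requests built elsewhere.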