Ruediger Pluem [Sun, 10 May 2009 10:31:35 +0000 (10:31 +0000)]
* Fix for the following configuration where the exec command was disabled
in /subdir. All CVE-2009-1195 tests still pass with this patch.
# only two containers in the config
<Directory />
    Options Includes
    AllowOverride None
</Directory>
<Directory /subdir>
    # with this container, mod_cgi/mod_cgid complains about exec being off
    # without it, exec cmd= works as expected
    SetEnv foo bar
</Directory>
Joe Orton [Fri, 8 May 2009 14:13:15 +0000 (14:13 +0000)]
Security fix for CVE-2009-1195: fix Options handling such that
'AllowOverride Options=IncludesNoExec' does not permit Includes with
exec= enabled to be configured in an .htaccess file:
* include/http_core.h: Change semantics of Includes/IncludeNoExec
options bits to be additive; OPT_INCLUDES now means SSI is enabled
without exec=. OPT_INCLUDES|OPT_INC_WITH_EXEC means SSI is enabled
with exec=.
* server/core.c (create_core_dir_config): Remove defunct OPT_INCNOEXEC
from default override_opts; no functional change.
(merge_core_dir_configs): Update logic to ensure that exec= is
disabled in a context where IncludesNoexec is configured, even if
Includes-with-exec is permitted in the inherited options set.
(set_allow_opts, set_options): Update to reflect new semantics
of OPT_INCLUDES, OPT_INC_WITH_EXEC.
* server/config.c: Update to remove OPT_INCNOEXEC from default
override_opts; no functional change.
* modules/filters/mod_include.c (includes_filter): Update to reflect
new options semantics - disable exec= support if the
OPT_INC_WITH_EXEC bit is not set.
Submitted by: Jonathan Peatfield <j.s.peatfield damtp.cam.ac.uk>,
jorton
Thanks to: Vincent Danon <vdanon redhat.com>
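Added example, not part of the commit log and not httpd's own code: a small C model of the additive option bits described in this entry and of the /subdir case in the follow-up fix listed before it. The bit values, the dir_conf record, the function names and the +IncludesNoExec case are assumptions made for illustration.

```c
#include <stdio.h>

/* Bit values are constructed for this model; only the names come from the log. */
#define OPT_INCLUDES      2u    /* SSI enabled, exec= not implied */
#define OPT_INC_WITH_EXEC 32u   /* additive: exec= allowed on top of SSI */
#define OPT_UNSET         128u  /* container has no absolute Options line */
#define SSI_BITS          (OPT_INCLUDES | OPT_INC_WITH_EXEC)

/* Hypothetical per-directory record: absolute opts (or OPT_UNSET) plus +Keyword bits. */
typedef struct { unsigned opts; unsigned add; } dir_conf;

/* exec= is usable only when both bits are present. */
static int exec_enabled(unsigned opts) { return (opts & SSI_BITS) == SSI_BITS; }

/* .htaccess check: every requested bit must be inside the AllowOverride mask. */
static int override_permits(unsigned allowed, unsigned requested)
{
    return (requested & ~allowed) == 0;
}

/* Merge the inherited option bits with a child container. */
static unsigned merge_opts(unsigned base, dir_conf child)
{
    unsigned merged;
    if (!(child.opts & OPT_UNSET))
        return child.opts;                 /* absolute Options replace the parent's */
    merged = base | child.add;             /* no Options, or only +Keyword forms */
    if ((child.add & SSI_BITS) == OPT_INCLUDES)
        merged &= ~OPT_INC_WITH_EXEC;      /* child asked for SSI without exec= */
    return merged;
}

int main(void)
{
    dir_conf setenv_only = { OPT_UNSET, 0 };            /* /subdir with only SetEnv */
    dir_conf plus_noexec = { OPT_UNSET, OPT_INCLUDES }; /* +IncludesNoExec */

    printf("subdir with SetEnv only, exec: %d\n",
           exec_enabled(merge_opts(SSI_BITS, setenv_only)));
    printf("+IncludesNoExec under Includes, exec: %d\n",
           exec_enabled(merge_opts(SSI_BITS, plus_noexec)));
    printf("Options=IncludesNoExec permits Includes: %d\n",
           override_permits(OPT_INCLUDES, SSI_BITS));
    printf("Options=IncludesNoExec permits IncludesNoExec: %d\n",
           override_permits(OPT_INCLUDES, OPT_INCLUDES));
    return 0;
}
```

In this model an override mask holding only OPT_INCLUDES rejects a request that also carries OPT_INC_WITH_EXEC, and a container without an Options line inherits exec= unchanged from its parent.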
Add . 'default' test first before searching paths, to determine if the
lua.h, liblua5.1, liblua-5.1 or liblua can be resolved. This avoids
adding strange paths on fedora/redhat, and choosing the wrong /lib[64]
flavor.
Also ensure -lm is always added to the actual linked libraries, avoiding
a LoadModule failure on fedora/redhat. Still should first try to search
for pkg-config lua settings, but note this would break fedora until that
build hackery is corrected, c.f. the bug
https://bugzilla.redhat.com/show_bug.cgi?id=499238
Here's the simpler solution to the two groups of mappers/ modules...
The mod_so and mod_watchdog are truly not mappers/ at all. Very open
to better names than modules/core/ but these are clearly API's which
are to be consumed by the httpd core, or generically, any module.
Rainer Jung [Wed, 6 May 2009 16:53:55 +0000 (16:53 +0000)]
Fix usage message on the Windows platform.
- do not include graceful commands and duplicate
start|restart|stop
- add ServerRoot to the parameters encapsulated by "-n"
Change the order of mod_proxy and mod_proxy_balancer child_init().
Change the balancer workers area to the address of workers instead of copying the workers.
Arrange lbmethod accordingly.
Move the creation of conf->forward worker to mod_proxy child_init().
As mentioned inline in comments, correctly handle more sophisticated
transformations which currently fail for balancer://foo targets, but
work just fine with other ProxyReverse targets.
The balancer comparison is a bit trickier. Given the context
translate url http://example.com/foo/bar/that to /bash/that
E.g. there may be several different url-suffixes (1st order) of any
particular BalancerMember set e.g. /app1, /app1 and /appbeta while
there may be additional suffixes associated with the actual
ProxyPassReverse directive. Neither were properly reversed, now
both should be properly handled.
should be documented as a meaningless construct, since one cannot
have two members, balancer://alias/foo and balancer://alias/bar,
and the balancer member structures discard this path.
Note one more existing error case as an XXX comment due to invalid
uri comparisons.
Nick Kew [Sun, 3 May 2009 23:02:35 +0000 (23:02 +0000)]
mod_privileges: introduce PrivilegesMode: fast mode as before vs secure
mode to fork an unprivileged child per-request in the manner of MPM-ITK
anywhere there's a risk of running malicious code.
Documentation to follow.
* Don't assign pointers to ints. This is a nightmare when changing
between 32 and 64 bit and waiting for an accident to happen.
Also: It produces compiler warnings (at least 64 bit) :-).
* Improve and simplify the implementation of SSLProxyCheckPeerExpire by
directly using X509_get_notBefore(), X509_get_notAfter() and
X509_cmp_current_time().
Thanks to jorton for the pointer.
Jim Jagielski [Mon, 27 Apr 2009 15:02:40 +0000 (15:02 +0000)]
Fold in initial template for methods to be able to
reset (initialize) and "age" their data, useful when
adding new workers, or when workers come back into
the fold....
* r->connection->aborted signals that the client aborted the connection, but
in this case *we* decide to close the connection so use
r->connection->keepalive = AP_CONN_CLOSE
Escape should simply close the dialog; Enter should perform the
appropriate button, or within the list, start and stop. (also
clear up the transitions between the list focus and nonfocus).
Mark J. Cox [Tue, 21 Apr 2009 09:44:43 +0000 (09:44 +0000)]
Use CVE-2009-1191 for this issue. We would only
share a CVE name where the flaw was due to a
shared code base, and this isn't the case for
the mod_jk CVE-2008-5519 issue.
Eric Covener [Tue, 21 Apr 2009 02:13:04 +0000 (02:13 +0000)]
rework the NameVirtualHost documentation to hopefully be a little
less confusing and match the conventional wisdom of the various
support fora.
Provide a longer example that demonstrates the 1:n nature,
relation to IP-based vhosts, and always uses a port.
Avoid phrasing that makes NVH look like Listen.
Remove the over-complicated hints about NVH impact on _default_ and base
server configs, which boils down to the basic ip-based vhost mapping
algorithm.
Jeff Trawick [Fri, 17 Apr 2009 16:59:48 +0000 (16:59 +0000)]
Move logic to decide if an MPM is supported, and whether the MPM is
threaded, down to the MPM itself.
(server/mpm/FOO/config.m4, which runs before the actual MPM selection)
server/mpm/config.m4 makes some general platform checks that can be used
for MPM decisions, and contains some functions related to MPMs.
XXX The check here for whether APR_POLLSET_THREADSAFE is available
is a rough approximation and needs to be replaced by a run-time
check.
Replace the limited per-platform hard-coded MPM selection and the
current defaulting to event (whether or not it works) with a selection
based on which MPMs work on the platform, as reported by the MPMs
themselves.
(config2.m4, which runs after the MPMs record whether they are supported)
Order of preference:
WinNT (mingw32 only)
then Event
then Worker
then Prefork
Jeff Trawick [Thu, 16 Apr 2009 19:23:45 +0000 (19:23 +0000)]
mod_cgid: Improve handling of long AF_UNIX socket names (ScriptSock).
Dynamically allocate the AF_UNIX sockaddr based on the required filename size.
For some platforms (e.g., Solaris, OS X, FreeBSD), this allows longer
socket filenames to be used.
When the name is too long, the failure reporting is more consistent and a
socket with truncated pathname is not left stranded. The user still needs
to use ScriptSock to specify a shorter name.
An extra unlink() failure message may be generated when attempting to clean
up the socket after a daemon initialization error; the message is suppressed
for ENOTENT, but not for ENAMETOOLONG.
I'll still pay off if somebody does it legitimately, but I haven't been
to Apachecon in ages so we'll have to work out a different delivery
mechanism. With the stability of the 2.0.x and 2.2.x releases and
Moore's Law in effect for the last decade, it might be possible...
* Avoid delivering content from a previous request which failed to send a request
body by closing the connection to the backend in this case instead of reusing it.