Jim Jagielski [Tue, 30 May 2017 12:28:20 +0000 (12:28 +0000)]
SECURITY: CVE-2017-7668 (cve.mitre.org)
The HTTP strict parsing changes added in 2.2.32 and 2.4.24 introduced a
bug in token list parsing, which allows ap_find_token() to search past
the end of its input string. By maliciously crafting a sequence of
request headers, an attacker may be able to cause a segmentation fault,
or to force ap_find_token() to return an incorrect value.
Merge r1796350 from trunk:
short-circuit on NULL
Submitted by: jchampion, covener
Reviewed by: covener, ylavic, jim
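The property the fix above restores is that a token-list lookup must stop at the terminating NUL of the header value and must short-circuit on a NULL input. The following is an added example written for this page, not httpd's ap_find_token() from server/util.c: a self-contained, case-insensitive search for a whole token in a comma-separated header list (e.g. "gzip, deflate, br"), with every scanning loop checking for NUL first so it can never read past the end of its input. The function names (find_token, token_equals) are this example's own.

```c
/* Added example, not httpd code: bounded token search in a comma-separated
 * HTTP header list. Invariants: NULL/empty input returns 0 immediately, and
 * no loop advances past the terminating NUL of `list`. */
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Compare candidate token [start, end) with `needle`, ignoring case. */
static int token_equals(const char *start, const char *end, const char *needle)
{
    size_t n = strlen(needle);
    if ((size_t)(end - start) != n)
        return 0;
    for (size_t i = 0; i < n; i++) {
        if (tolower((unsigned char)start[i]) != tolower((unsigned char)needle[i]))
            return 0;
    }
    return 1;
}

/* Return 1 if `needle` appears as a whole token in `list`, else 0.
 * Elements are comma-separated; surrounding whitespace and empty elements
 * ("a,,b") are skipped; a parameter suffix (";q=0.5") is ignored. */
int find_token(const char *list, const char *needle)
{
    if (list == NULL || needle == NULL || *needle == '\0')
        return 0;                               /* short-circuit on NULL/empty */

    const char *p = list;
    while (*p != '\0') {
        /* skip leading whitespace and empty elements */
        while (*p == ' ' || *p == '\t' || *p == ',')
            p++;
        if (*p == '\0')
            break;

        const char *start = p;
        /* token ends at ',', ';', whitespace or NUL; NUL is tested first */
        while (*p != '\0' && *p != ',' && *p != ';' && *p != ' ' && *p != '\t')
            p++;
        const char *end = p;

        if (token_equals(start, end, needle))
            return 1;

        /* discard the rest of this element (parameters, junk) up to the comma */
        while (*p != '\0' && *p != ',')
            p++;
    }
    return 0;
}
```

Note that a match on a prefix ("gzipx" for needle "gzip") is rejected because the whole token span is compared, and a NULL list is handled before any dereference, which is the same shape of guard the commit describes.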
Jim Jagielski [Tue, 30 May 2017 12:27:41 +0000 (12:27 +0000)]
SECURITY: CVE-2017-3167 (cve.mitre.org)
Use of the ap_get_basic_auth_pw() by third-party modules outside of the
authentication phase may lead to authentication requirements being
bypassed.
Merge r1796348 from trunk:
core: Deprecate ap_get_basic_auth_pw() and add ap_get_basic_auth_components().
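The distinction the new API draws is between reading the Basic credentials out of the Authorization header (a pure lookup any module may perform) and deciding that the request is authenticated (which only the authentication phase may do). The example below is added for this page and is not httpd code: it parses an "Authorization: Basic ..." value into user and password with no side effects on any request state, and rejects anything that is not well-formed RFC 7617 input. The names basic_auth_components, base64_decode and creds_match are this example's own; the credential string "Aladdin:open sesame" is the RFC 7617 sample, used here as constructed test input.

```c
/* Added example, not httpd code: side-effect-free extraction of Basic auth
 * components. Parsing succeeds or fails; nothing here marks the request as
 * authenticated, which is the caller's job in the authentication hook. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    char user[128];
    char password[128];
} basic_creds;

static int b64_val(char c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Decode standard base64 into `out` (NUL-terminated). Returns the number of
 * decoded bytes, or -1 on an invalid character or insufficient space. */
static int base64_decode(const char *in, char *out, size_t outsz)
{
    size_t o = 0;
    unsigned int acc = 0;
    int bits = 0;
    for (const char *p = in; *p != '\0' && *p != '='; p++) {
        int v = b64_val(*p);
        if (v < 0)
            return -1;
        acc = (acc << 6) | (unsigned int)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (o + 1 >= outsz)
                return -1;
            out[o++] = (char)((acc >> bits) & 0xff);
        }
    }
    out[o] = '\0';
    return (int)o;
}

/* Case-insensitive check for the "Basic" scheme token; stops at NUL. */
static int has_basic_prefix(const char *s)
{
    const char *k = "basic";
    for (int i = 0; i < 5; i++)
        if (tolower((unsigned char)s[i]) != k[i])
            return 0;
    return 1;
}

/* Returns 0 and fills `creds` on success; -1 if the header is missing, uses
 * another scheme, is not valid base64, lacks the ':' separator, contains an
 * embedded NUL, or does not fit the fixed buffers. */
int basic_auth_components(const char *authz_header, basic_creds *creds)
{
    if (authz_header == NULL || creds == NULL || !has_basic_prefix(authz_header))
        return -1;
    const char *p = authz_header + 5;
    if (*p != ' ')
        return -1;
    while (*p == ' ')
        p++;

    char decoded[256];
    int len = base64_decode(p, decoded, sizeof decoded);
    if (len < 0 || strlen(decoded) != (size_t)len)   /* reject embedded NUL */
        return -1;
    char *colon = strchr(decoded, ':');
    if (colon == NULL)
        return -1;

    size_t ulen = (size_t)(colon - decoded);
    size_t plen = strlen(colon + 1);
    if (ulen >= sizeof creds->user || plen >= sizeof creds->password)
        return -1;
    memcpy(creds->user, decoded, ulen);
    creds->user[ulen] = '\0';
    memcpy(creds->password, colon + 1, plen + 1);
    return 0;
}

/* Convenience for callers/tests: 1 if the header parses to exactly user/pw. */
int creds_match(const char *authz_header, const char *user, const char *pw)
{
    basic_creds c;
    if (basic_auth_components(authz_header, &c) != 0)
        return 0;
    return strcmp(c.user, user) == 0 && strcmp(c.password, pw) == 0;
}

int main(void)
{
    basic_creds c;
    const char *hdr = "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==";   /* RFC 7617 sample */
    if (basic_auth_components(hdr, &c) == 0)
        printf("user=%s password=%s\n", c.user, c.password);
    return 0;
}
```

A module that wants to inspect the presented user name for logging or routing can call a helper like this at any phase without the risk the commit describes, because the result is returned to the caller rather than stored anywhere the later authorization checks consult.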
Jim Jagielski [Tue, 30 May 2017 12:26:05 +0000 (12:26 +0000)]
SECURITY: CVE-2017-3169 (cve.mitre.org)
mod_ssl may dereference a NULL pointer when third-party modules call
ap_hook_process_connection() during an HTTP request to an HTTPS port.
Merge r1796343 from trunk:
mod_ssl: fix ctx passed to ssl_io_filter_error()
Consistently pass the expected bio_filter_in_ctx_t
to ssl_io_filter_error().
Submitted by: ylavic, covener
Reviewed by: covener, ylavic, jim
Jim Jagielski [Tue, 30 May 2017 12:25:13 +0000 (12:25 +0000)]
Merge r1795635 from trunk:
When processing a 'SetEnv' directive, warn if the environment variable name includes a '='. It is likely a configuration error. PR 60249
Submitted by: jailletc36
Reviewed by: jailletc36, covener, ylavic
Jim Jagielski [Tue, 30 May 2017 12:24:22 +0000 (12:24 +0000)]
Merge r1776463 from trunk:
PR60009: RewriteRule local prefix checking update
*) mod_rewrite: When a substitution is a fully qualified URL, and the
scheme/host/port matches the current virtual host, stop interpreting the
path component as a local path just because the first component of the
path exists in the filesystem. Adds RewriteOption "LegacyPrefixDocRoot"
to revert to previous behavior. PR60009.
Jim Jagielski [Tue, 30 May 2017 12:19:58 +0000 (12:19 +0000)]
Merge r1584417, r1585157 from trunk:
allow users to work around the over-aggressive backreference
escaping by selecting the characters to escape.
add BNP flag to give control to the user on whether a space ' ' in
an escaped backreference is decoded to a + (default) or %20. Useful
if your backreference isn't going into the query string.
Luca Toscano [Thu, 25 May 2017 13:34:54 +0000 (13:34 +0000)]
Merge r1796135 from trunk:
Remove warning about nested If/ElseIf/Else evaluation
As noted by Christophe Jaillet in the dev@ ml nested
if/elseif/else conditions are now evaluated. The code
change has been already backported to 2.4.x.
Jim Jagielski [Tue, 23 May 2017 12:49:02 +0000 (12:49 +0000)]
Merge r1795830 from trunk:
ab: don't call malloc_init for OpenSSL 1.1.0
Patch by rjung.
The 1.1.0 compatibility macro for OpenSSL_malloc_init() causes problems
when mixed with procedure linkage stubs with some toolchains (e.g. GCC).
OpenSSL's malloc implementation doesn't recognize that the PLT stub
points back to it, which leads to infinite recursion.
Since the 1.1.0 documentation states that calling this function
explicitly is no longer necessary except "in certain shared-library
situations"(?), get rid of it.
Submitted by: jchampion
Reviewed by: jchampion, ylavic, gsmith
Jim Jagielski [Tue, 23 May 2017 12:48:27 +0000 (12:48 +0000)]
Merge r1792589 from trunk:
Evaluate nested If/ElseIf/Else config sections
It has been reported multiple times that nested
If/ElseIf/Else sections are not evaluated but
silently ignored.
This patch adds a simple recursion to the ap_if_walk
logic in order to allow arbitrary nested configs.
The overhead seems negligible compared to the actual
version of the ap_if_walk, but more expert feedback
is surely needed since this code gets called for every
HTTP request.
Tests are going to be added to t/apache/if_sections.t
Remove 3DES by default for users of older crypto libraries; the cipher
has been reclassified in current OpenSSL releases as WEAK due to 112
or fewer bits of remaining cipher strength, while the Sweet32 disclosure
extended the criticism of RC4 on to 3DES. (IDEA, which potentially has the
same issue, is never enabled by default in OpenSSL, due to patent concerns.)
This commit does not change default httpd behavior, but alters the suggested
behavior of newly provisioned httpd servers. Where adopted, XP with IE8 will
no longer handshake with mod_ssl (previously, XP with IE6 would not handshake.)
The same net effect occurs where OpenSSL is updated to 1.1.0.
Eric Covener [Thu, 11 May 2017 17:09:35 +0000 (17:09 +0000)]
Merge r1791400 from trunk:
mod_substitute: use local/native LF for splitting
On platforms where the APR_ASCII_LF != '\n', like EBCDIC systems,
strmatch or pcre patterns from the source or config will be in
the native encoding, and this module will really only work on
content in the native encoding.
(mod_substitute runs before mod_charset_lite for a similar reason)
I thought #if APR_CHARSET_EBCDIC or even #ifdef __MVS__ was overkill
here.
mod_http2: fail requests without ERROR log in case we need to read interim
responses and see only garbage. This can happen if proxied servers send
data where none should be, e.g. a body for a HEAD request.
Jim Jagielski [Tue, 2 May 2017 11:00:14 +0000 (11:00 +0000)]
Merge r1791975 from trunk:
PR61009: be as helpful as possible during -V operation
A configtest isn't useful if you're just trying to get compile settings.
Move the settings dump up to just after ap_read_config(), which has
already done the minimum necessary to figure out which MPM is in use.
Even if ap_read_config() failed, still print as many compile settings as
we can. The user will see the error log entry on stderr.
Submitted by: jchampion
Reviewed by: jchampion, covener, jim
Jim Jagielski [Tue, 2 May 2017 10:59:42 +0000 (10:59 +0000)]
Merge r1761824, r1771789, r1771827, r1779111 from trunk:
mod_brotli: Unbreak building other filter modules without libbrotlienc.
Don't add -lbrotlienc to the MOD_LDFLAGS unconditionally. And, when
adding it, use MOD_BROTLI_LDADD to avoid linking all filter modules
against this library.
mod_brotli: Rewrite the autoconf script in a, hopefully, less convoluted way.
Explicitly handle different cases when we do a pkg-config lookup
(<nothing>, --with-brotli or --with-brotli=yes) or examine the path
provided by the user (--with-brotli=PATH).
This lays the groundwork to simplify the switch to the official Brotli
library (https://github.com/google/brotli), instead of expecting the
install layout of a third-party wrapper (https://github.com/bagder/libbrotli).
mod_brotli: Update makefiles to use the library layout of the official
Brotli repository.
With the recent update (https://github.com/google/brotli/pull/464), the
official repository now produces pkg-config metadata files (brotli.pc),
and has a fixed library layout (libbrotlicommon/libbrotlienc/libbrotlidec)
on both Windows and Linux. Expect this layout in the makefiles, and take
advantage of the pkg-config metadata, if it's available.
mod_brotli: Update makefile to cope with the pkg-config layout change
in https://github.com/google/brotli/commit/fe9f9a9
There's a typo in the upstream commit [1] (s/brotlicommon/libbrotlicommon)
that currently produces an unusable libbrotlienc.pc file, but hopefully
this is going to be fixed there.
mpm_winnt: always invoke ap_lingering_close() at connection end as in
all other mpm modules, giving everyone a chance to cleanup at prep
lingering close hook.
KISS: RemoveType is a simpler fix for .tr; explain .da files; order our
LanguagePriority by a first-order comparison and drop negligible translations
from our ordered priority preference list entirely.
A better comparison would be total number of documents in-sync, or some
convoluted weight ordering each document by which are more in sync than
others. Leaving that puzzle to an interested hacker.