Index: branches/fc19-dev/server/common/patches/httpd-2.2.x-304.patch
===================================================================
--- branches/fc19-dev/server/common/patches/httpd-2.2.x-304.patch	(revision 2402)
+++ 	(revision )
@@ -1,14 +1,0 @@
---- httpd-2.2.10/server/util_script.c.orig	2006-09-15 09:19:25.000000000 -0400
-+++ httpd-2.2.10/server/util_script.c	2009-03-28 14:33:17.000000000 -0400
-@@ -482,6 +482,11 @@
-             if ((cgi_status == HTTP_UNSET) && (r->method_number == M_GET)) {
-                 cond_status = ap_meets_conditions(r);
-             }
-+            else if ((cgi_status == HTTP_NO_CONTENT) ||
-+                     (cgi_status == HTTP_NOT_MODIFIED) ||
-+                     ap_is_HTTP_INFO(cgi_status)) {
-+                r->header_only = 1; /* discard any body */
-+            }
-             apr_table_overlap(r->err_headers_out, merge,
-                 APR_OVERLAP_TABLES_MERGE);
-             if (!apr_is_empty_table(cookie_table)) {
Index: branches/fc19-dev/server/common/patches/httpd-2.2.x-log-docroot.patch
===================================================================
--- branches/fc19-dev/server/common/patches/httpd-2.2.x-log-docroot.patch	(revision 2402)
+++ 	(revision )
@@ -1,13 +1,0 @@
---- httpd-2.2.8/server/log.c.orig	2009-02-20 01:48:06.000000000 -0500
-+++ httpd-2.2.8/server/log.c	2009-02-20 01:55:40.000000000 -0500
-@@ -621,6 +621,10 @@
-         len += apr_snprintf(errstr + len, MAX_STRING_LEN - len,
-                             "[client %s] ", c->remote_ip);
-     }
-+    if (r) { // Extract the document root and print it
-+      len += apr_sprintf(errstr + len, MAX_STRING_LEN - len,
-+			 "[docroot %s] ", ap_document_root(r));
-+    }
-     if (status != 0) {
-         if (status < APR_OS_START_EAIERR) {
-             len += apr_snprintf(errstr + len, MAX_STRING_LEN - len,
Index: branches/fc19-dev/server/common/patches/httpd-2.2.x-mod_ssl-sessioncaching.patch
===================================================================
--- branches/fc19-dev/server/common/patches/httpd-2.2.x-mod_ssl-sessioncaching.patch	(revision 2402)
+++ 	(revision )
@@ -1,176 +1,0 @@
-Index: httpd-2.2.x/modules/ssl/ssl_private.h
-===================================================================
---- httpd-2.2.x/modules/ssl/ssl_private.h	(revision 833672)
-+++ httpd-2.2.x/modules/ssl/ssl_private.h	(working copy)
-@@ -395,6 +395,9 @@ typedef struct {
- #if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
-     const char     *szCryptoDevice;
- #endif
-+#ifndef OPENSSL_NO_TLSEXT
-+    ssl_enabled_t  session_tickets_enabled;
-+#endif
-     struct {
-         void *pV1, *pV2, *pV3, *pV4, *pV5, *pV6, *pV7, *pV8, *pV9, *pV10;
-     } rCtx;
-@@ -547,6 +550,7 @@ const char  *ssl_cmd_SSLRequire(cmd_parm
- const char  *ssl_cmd_SSLRenegBufferSize(cmd_parms *cmd, void *dcfg, const char *arg);
- const char  *ssl_cmd_SSLStrictSNIVHostCheck(cmd_parms *cmd, void *dcfg, int flag);
- const char *ssl_cmd_SSLInsecureRenegotiation(cmd_parms *cmd, void *dcfg, int flag);
-+const char  *ssl_cmd_SSLSessionTicketExtension(cmd_parms *cmd, void *cdfg, int flag);
- 
- const char  *ssl_cmd_SSLProxyEngine(cmd_parms *cmd, void *dcfg, int flag);
- const char  *ssl_cmd_SSLProxyProtocol(cmd_parms *, void *, const char *);
-Index: httpd-2.2.x/modules/ssl/ssl_engine_init.c
-===================================================================
---- httpd-2.2.x/modules/ssl/ssl_engine_init.c	(revision 833672)
-+++ httpd-2.2.x/modules/ssl/ssl_engine_init.c	(working copy)
-@@ -382,6 +382,15 @@ static void ssl_init_ctx_tls_extensions(
-         ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
-         ssl_die();
-     }
-+
-+    /*
-+     * Session tickets (stateless resumption)
-+     */
-+    if ((myModConfig(s))->session_tickets_enabled == SSL_ENABLED_FALSE) {
-+        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
-+                     "Disabling TLS session ticket support");
-+        SSL_CTX_set_options(mctx->ssl_ctx, SSL_OP_NO_TICKET);
-+    }
- }
- #endif
- 
-@@ -1018,6 +1027,11 @@ void ssl_init_CheckServers(server_rec *b
- 
-     BOOL conflict = FALSE;
- 
-+#if !defined(OPENSSL_NO_TLSEXT) && OPENSSL_VERSION_NUMBER < 0x009080d0
-+    unsigned char *tlsext_tick_keys = NULL;
-+    long tick_keys_len;
-+#endif
-+
-     /*
-      * Give out warnings when a server has HTTPS configured
-      * for the HTTP port or vice versa
-@@ -1042,6 +1056,25 @@ void ssl_init_CheckServers(server_rec *b
-                          ssl_util_vhostid(p, s),
-                          DEFAULT_HTTP_PORT, DEFAULT_HTTPS_PORT);
-         }
-+
-+#if !defined(OPENSSL_NO_TLSEXT) && OPENSSL_VERSION_NUMBER < 0x009080d0
-+        /*
-+         * When using OpenSSL versions 0.9.8f through 0.9.8l, configure
-+         * the same ticket encryption parameters for every SSL_CTX (workaround
-+         * for SNI+SessionTicket extension interoperability issue in these versions)
-+         */
-+        if ((sc->enabled == SSL_ENABLED_TRUE) ||
-+            (sc->enabled == SSL_ENABLED_OPTIONAL)) {
-+            if (!tlsext_tick_keys) {
-+                tick_keys_len = SSL_CTX_ctrl((sc->server->ssl_ctx),SSL_CTRL_SET_TLSEXT_TICKET_KEYS,
-+                                                               (-1),(NULL));
-+                tlsext_tick_keys = (unsigned char *)apr_palloc(p, tick_keys_len);
-+                RAND_bytes(tlsext_tick_keys, tick_keys_len);
-+            }
-+            SSL_CTX_ctrl((sc->server->ssl_ctx),SSL_CTRL_SET_TLSEXT_TICKET_KEYS,
-+                                           (tick_keys_len),(tlsext_tick_keys));
-+        }
-+#endif
-     }
- 
-     /*
-Index: httpd-2.2.x/modules/ssl/ssl_engine_config.c
-===================================================================
---- httpd-2.2.x/modules/ssl/ssl_engine_config.c	(revision 833672)
-+++ httpd-2.2.x/modules/ssl/ssl_engine_config.c	(working copy)
-@@ -75,6 +75,9 @@ SSLModConfigRec *ssl_config_global_creat
- #if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
-     mc->szCryptoDevice         = NULL;
- #endif
-+#ifndef OPENSSL_NO_TLSEXT
-+    mc->session_tickets_enabled = SSL_ENABLED_UNSET;
-+#endif
- 
-     memset(mc->pTmpKeys, 0, sizeof(mc->pTmpKeys));
- 
-@@ -1471,6 +1474,26 @@ const char  *ssl_cmd_SSLStrictSNIVHostCh
- #endif
- }
- 
-+const char *ssl_cmd_SSLSessionTicketExtension(cmd_parms *cmd, void *dcfg, int flag)
-+{
-+#ifndef OPENSSL_NO_TLSEXT
-+    const char *err;
-+    SSLModConfigRec *mc = myModConfig(cmd->server);
-+
-+    if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
-+        return err;
-+    }
-+
-+    mc->session_tickets_enabled = flag ? SSL_ENABLED_TRUE : SSL_ENABLED_FALSE;
-+
-+    return NULL;
-+#else
-+    return "SSLSessionTicketExtension failed; OpenSSL is not built with support "
-+           "for TLS extensions. Refer to the documentation, and build "
-+           "a compatible version of OpenSSL.";
-+#endif
-+}
-+
- void ssl_hook_ConfigTest(apr_pool_t *pconf, server_rec *s)
- {
-     if (!ap_exists_config_define("DUMP_CERTS")) {
-Index: httpd-2.2.x/modules/ssl/ssl_engine_kernel.c
-===================================================================
---- httpd-2.2.x/modules/ssl/ssl_engine_kernel.c	(revision 833672)
-+++ httpd-2.2.x/modules/ssl/ssl_engine_kernel.c	(working copy)
-@@ -29,6 +29,7 @@
-                                   time I was too famous.''
-                                             -- Unknown                */
- #include "ssl_private.h"
-+#include "util_md5.h"
- 
- static void ssl_configure_env(request_rec *r, SSLConnRec *sslconn);
- #ifndef OPENSSL_NO_TLSEXT
-@@ -2010,6 +2011,7 @@ static int ssl_find_vhost(void *serverna
-     apr_array_header_t *names;
-     int i;
-     SSLConnRec *sslcon;
-+    char *sid_ctx;
- 
-     /* check ServerName */
-     if (!strcasecmp(servername, s->server_hostname)) {
-@@ -2074,6 +2076,21 @@ static int ssl_find_vhost(void *serverna
-             SSL_set_verify(ssl, SSL_CTX_get_verify_mode(ssl->ctx),
-                            SSL_CTX_get_verify_callback(ssl->ctx));
-         }
-+        /*
-+         * Adjust the session id context. ssl_init_ssl_connection()
-+         * always picks the configuration of the first vhost when
-+         * calling SSL_new(), but we want to tie the session to the
-+         * vhost we have just switched to. Again, we have to make sure
-+         * that we're not overwriting a session id context which was
-+         * possibly set in ssl_hook_Access(), before triggering
-+         * a renegotation.
-+         */
-+        if (!SSL_num_renegotiations(ssl)) {
-+            sid_ctx = ap_md5_binary(c->pool, (unsigned char*)sc->vhost_id,
-+                                    sc->vhost_id_len);
-+            SSL_set_session_id_context(ssl, (unsigned char *)sid_ctx,
-+                                       APR_MD5_DIGESTSIZE*2);
-+        }
- 
-         /*
-          * Save the found server into our SSLConnRec for later
-Index: httpd-2.2.x/modules/ssl/mod_ssl.c
-===================================================================
---- httpd-2.2.x/modules/ssl/mod_ssl.c	(revision 833672)
-+++ httpd-2.2.x/modules/ssl/mod_ssl.c	(working copy)
-@@ -92,6 +92,8 @@ static const command_rec ssl_config_cmds
-     SSL_CMD_SRV(RandomSeed, TAKE23,
-                 "SSL Pseudo Random Number Generator (PRNG) seeding source "
-                 "(`startup|connect builtin|file:/path|exec:/path [bytes]')")
-+    SSL_CMD_SRV(SessionTicketExtension, FLAG,
-+                "TLS Session Ticket extension support")
- 
-     /*
-      * Per-server context configuration directives
Index: branches/fc19-dev/server/common/patches/httpd-2.2.x-mod_status-security.patch
===================================================================
--- branches/fc19-dev/server/common/patches/httpd-2.2.x-mod_status-security.patch	(revision 2402)
+++ 	(revision )
@@ -1,70 +1,0 @@
-Prevents mod_status from taking effect in .htaccess files, by requiring
-a directive that's only permitted in directory context.
-
-Signed-off-by: Quentin Smith <quentin@mit.edu>
-Signed-off-by: Geoffrey Thomas <geofft@mit.edu>
---- a/modules/generators/mod_status.c	2008-01-02 04:43:52.000000000 -0500
-+++ b/modules/generators/mod_status.c	2008-08-06 01:31:26.000000000 -0400
-@@ -115,6 +115,10 @@
- static pid_t child_pid;
- #endif
- 
-+typedef struct {
-+  int permit_status_handler;
-+} status_config_rec;
-+
- /*
-  * command-related code. This is here to prevent use of ExtendedStatus
-  * without status_module included.
-@@ -139,6 +143,13 @@
-     return NULL;
- }
- 
-+static void *create_status_dir_config(apr_pool_t *p, char *d)
-+{
-+  status_config_rec *conf = apr_pcalloc(p, sizeof(*conf));
-+  conf->permit_status_handler = 0;
-+  return conf;
-+}
-+
- 
- static const command_rec status_module_cmds[] =
- {
-@@ -147,6 +158,11 @@
-     AP_INIT_FLAG("SeeRequestTail", set_reqtail, NULL, RSRC_CONF,
-       "For verbose requests, \"On\" to see the last 63 chars of the request, "
-       "\"Off\" (default) to see the first 63 in extended status display"),
-+    AP_INIT_FLAG("PermitStatusHandler", ap_set_flag_slot,
-+		 (void *)APR_OFFSETOF(status_config_rec, permit_status_handler),
-+		 ACCESS_CONF,
-+      "As a security measure, only permit status handlers where this flag "
-+      "is set. Only legal in directory context, not .htaccess."),
-     {NULL}
- };
- 
-@@ -247,9 +263,13 @@
-     pid_t *pid_buffer, worker_pid;
-     clock_t tu, ts, tcu, tcs;
-     ap_generation_t worker_generation;
--
--    if (strcmp(r->handler, STATUS_MAGIC_TYPE) &&
--        strcmp(r->handler, "server-status")) {
-+    
-+    status_config_rec *conf = ap_get_module_config(r->per_dir_config,
-+                                                      &status_module);
-+
-+    if ((strcmp(r->handler, STATUS_MAGIC_TYPE) &&
-+         strcmp(r->handler, "server-status")) ||
-+	!conf->permit_status_handler) {
-         return DECLINED;
-     }
- 
-@@ -871,7 +891,7 @@
- module AP_MODULE_DECLARE_DATA status_module =
- {
-     STANDARD20_MODULE_STUFF,
--    NULL,                       /* dir config creater */
-+    create_status_dir_config,   /* dir config creater */
-     NULL,                       /* dir merger --- default is to override */
-     NULL,                       /* server config */
-     NULL,                       /* merge server config */
Index: branches/fc19-dev/server/common/patches/httpd-304s.patch
===================================================================
--- branches/fc19-dev/server/common/patches/httpd-304s.patch	(revision 2422)
+++ branches/fc19-dev/server/common/patches/httpd-304s.patch	(revision 2422)
@@ -0,0 +1,44 @@
+From 1ee367569729f9cf153cd1df87e15e05e00d7645 Mon Sep 17 00:00:00 2001
+From: Alexander Chernyakhovsky <achernya@mit.edu>
+Date: Fri, 3 May 2013 21:40:07 -0400
+Subject: [PATCH 3/4] Fix "the-bug" (non-empty content in 304s)
+
+PHP should not produce any output, even if zlib.output_compression is
+on, if the HTTP response code is 204 or 304 (no content or not modified).
+
+ixes PHP bug #42362 with php.cvs #56693, see:
+http://bugs.php.net/bug.php?id=42362
+http://news.php.net/php.cvs/56693
+http://cvs.php.net/viewvc.cgi/php-src/ext/zlib/zlib.c?r1=1.183.2.6.2.5.2.9&r2=1.183.2.6.2.5.2.10
+
+Apache should discard any body provided by a script (in any language, not
+just PHP) when the status is "no content" or "not modified".
+Addresses part of Apache bug #40953, see:
+https://issues.apache.org/bugzilla/show_bug.cgi?id=40953#c7
+
+Solves scripts.mit.edu support issue #773060, see:
+https://help.mit.edu/Ticket/UpdateCallCenter.html?id=773060
+https://diswww.mit.edu/charon/scripts/24018
+---
+ server/util_script.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/server/util_script.c b/server/util_script.c
+index 5708c08..187e30f 100644
+--- a/server/util_script.c
++++ b/server/util_script.c
+@@ -503,6 +503,11 @@ AP_DECLARE(int) ap_scan_script_header_err_core_ex(request_rec *r, char *buffer,
+             if ((cgi_status == HTTP_UNSET) && (r->method_number == M_GET)) {
+                 cond_status = ap_meets_conditions(r);
+             }
++            else if ((cgi_status == HTTP_NO_CONTENT) ||
++                     (cgi_status == HTTP_NOT_MODIFIED) ||
++                     ap_is_HTTP_INFO(cgi_status)) {
++                r->header_only = 1; /* discard any body */
++            }
+             apr_table_overlap(r->err_headers_out, merge,
+                 APR_OVERLAP_TABLES_MERGE);
+             if (!apr_is_empty_table(cookie_table)) {
+-- 
+1.7.9.6 (Apple Git-31.1)
+
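Review bot: The new `else if` branch in `ap_scan_script_header_err_core_ex` sets `r->header_only = 1` with only `/* discard any body */` as its comment, which says what happens but not why it matters. 1xx, 204 and 304 responses are defined to carry no message body, so any bytes a script emits after such a status can be read by the client or an intermediary as the start of the next response on a persistent connection. A comment such as `/* 1xx/204/304 carry no body; leftover script output would desync a keep-alive connection */` would record that. The branch is skipped whenever the first condition holds (status unset on a GET), so a 304 arriving through `cond_status` is presumably dealt with further down; the function body starts and ends outside this hunk.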
Index: branches/fc19-dev/server/common/patches/httpd-SSLCompression.patch
===================================================================
--- branches/fc19-dev/server/common/patches/httpd-SSLCompression.patch	(revision 2402)
+++ 	(revision )
@@ -1,125 +1,0 @@
-Description: mod_ssl: Add new directive SSLCompression to disable TLS-level compression.
-Origin: http://svn.apache.org/viewvc?view=revision&revision=1369585
-
-diff -r -U3 httpd-2.2.23/modules/ssl/mod_ssl.c httpd-2.2.23.patched/modules/ssl/mod_ssl.c
---- httpd-2.2.23/modules/ssl/mod_ssl.c	2013-02-14 18:32:59.360289681 -0500
-+++ httpd-2.2.23.patched/modules/ssl/mod_ssl.c	2013-02-14 18:34:22.670718893 -0500
-@@ -158,6 +158,9 @@
-                 "('[+-][" SSL_PROTOCOLS "] ...' - see manual)")
-     SSL_CMD_SRV(HonorCipherOrder, FLAG,
-                 "Use the server's cipher ordering preference")
-+    SSL_CMD_SRV(Compression, FLAG,
-+                "Enable SSL level compression"
-+                "(`on', `off')")
-     SSL_CMD_SRV(InsecureRenegotiation, FLAG,
-                 "Enable support for insecure renegotiation")
-     SSL_CMD_ALL(UserName, TAKE1,
-diff -r -U3 httpd-2.2.23/modules/ssl/ssl_engine_config.c httpd-2.2.23.patched/modules/ssl/ssl_engine_config.c
---- httpd-2.2.23/modules/ssl/ssl_engine_config.c	2013-02-14 18:32:59.358289719 -0500
-+++ httpd-2.2.23.patched/modules/ssl/ssl_engine_config.c	2013-02-14 18:34:22.672718856 -0500
-@@ -183,6 +183,9 @@
- #ifdef HAVE_FIPS
-     sc->fips                   = UNSET;
- #endif
-+#ifndef OPENSSL_NO_COMP
-+    sc->compression            = UNSET;
-+#endif
- 
-     modssl_ctx_init_proxy(sc, p);
- 
-@@ -281,6 +284,9 @@
- #ifdef HAVE_FIPS
-     cfgMergeBool(fips);
- #endif
-+#ifndef OPENSSL_NO_COMP
-+    cfgMergeBool(compression);
-+#endif
- 
-     modssl_ctx_cfg_merge_proxy(base->proxy, add->proxy, mrg->proxy);
- 
-@@ -714,6 +720,23 @@
- 
- }
- 
-+const char *ssl_cmd_SSLCompression(cmd_parms *cmd, void *dcfg, int flag)
-+{
-+#if !defined(OPENSSL_NO_COMP)
-+    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
-+#ifndef SSL_OP_NO_COMPRESSION
-+    const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
-+    if (err)
-+        return "This version of openssl does not support configuring "
-+               "compression within <VirtualHost> sections.";
-+#endif
-+    sc->compression = flag ? TRUE : FALSE;
-+    return NULL;
-+#else
-+    return "Setting Compression mode unsupported; not implemented by the SSL library";
-+#endif
-+}
-+
- const char *ssl_cmd_SSLHonorCipherOrder(cmd_parms *cmd, void *dcfg, int flag)
- {
- #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
-Only in httpd-2.2.23.patched/modules/ssl: ssl_engine_config.c.orig
-diff -r -U3 httpd-2.2.23/modules/ssl/ssl_engine_init.c httpd-2.2.23.patched/modules/ssl/ssl_engine_init.c
---- httpd-2.2.23/modules/ssl/ssl_engine_init.c	2013-02-14 18:32:59.358289719 -0500
-+++ httpd-2.2.23.patched/modules/ssl/ssl_engine_init.c	2013-02-14 18:34:22.672718856 -0500
-@@ -542,6 +542,18 @@
-     }
- #endif
- 
-+
-+#ifndef OPENSSL_NO_COMP
-+    if (sc->compression == FALSE) {
-+#ifdef SSL_OP_NO_COMPRESSION
-+        /* OpenSSL >= 1.0 only */
-+        SSL_CTX_set_options(ctx, SSL_OP_NO_COMPRESSION);
-+#elif OPENSSL_VERSION_NUMBER >= 0x00908000L
-+        sk_SSL_COMP_zero(SSL_COMP_get_compression_methods());
-+#endif
-+    }
-+#endif
-+
- #ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
-     if (sc->insecure_reneg == TRUE) {
-         SSL_CTX_set_options(ctx, SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
-Only in httpd-2.2.23.patched/modules/ssl: ssl_engine_init.c.orig
-diff -r -U3 httpd-2.2.23/modules/ssl/ssl_private.h httpd-2.2.23.patched/modules/ssl/ssl_private.h
---- httpd-2.2.23/modules/ssl/ssl_private.h	2013-02-14 18:32:59.357289737 -0500
-+++ httpd-2.2.23.patched/modules/ssl/ssl_private.h	2013-02-14 18:34:22.673718837 -0500
-@@ -507,6 +507,9 @@
- #ifdef HAVE_FIPS
-     BOOL             fips;
- #endif
-+#ifndef OPENSSL_NO_COMP
-+    BOOL             compression;
-+#endif
- };
- 
- /**
-@@ -563,6 +566,7 @@
- const char  *ssl_cmd_SSLCARevocationPath(cmd_parms *, void *, const char *);
- const char  *ssl_cmd_SSLCARevocationFile(cmd_parms *, void *, const char *);
- const char  *ssl_cmd_SSLHonorCipherOrder(cmd_parms *cmd, void *dcfg, int flag);
-+const char  *ssl_cmd_SSLCompression(cmd_parms *, void *, int flag);
- const char  *ssl_cmd_SSLVerifyClient(cmd_parms *, void *, const char *);
- const char  *ssl_cmd_SSLVerifyDepth(cmd_parms *, void *, const char *);
- const char  *ssl_cmd_SSLSessionCache(cmd_parms *, void *, const char *);
-Only in httpd-2.2.23.patched/modules/ssl: ssl_private.h.orig
-diff -r -U3 httpd-2.2.23/modules/ssl/ssl_toolkit_compat.h httpd-2.2.23.patched/modules/ssl/ssl_toolkit_compat.h
---- httpd-2.2.23/modules/ssl/ssl_toolkit_compat.h	2012-08-17 13:30:46.000000000 -0400
-+++ httpd-2.2.23.patched/modules/ssl/ssl_toolkit_compat.h	2013-02-14 18:34:22.674718818 -0500
-@@ -277,6 +277,11 @@
- #endif
- #endif
- 
-+#if !defined(OPENSSL_NO_COMP) && !defined(SSL_OP_NO_COMPRESSION) \
-+    && OPENSSL_VERSION_NUMBER < 0x00908000L
-+#define OPENSSL_NO_COMP
-+#endif
-+
- #endif /* SSL_TOOLKIT_COMPAT_H */
- 
- /** @} */
-Only in httpd-2.2.23.patched/modules/ssl: ssl_toolkit_compat.h.orig
Index: branches/fc19-dev/server/common/patches/httpd-fixup-vhost.patch
===================================================================
--- branches/fc19-dev/server/common/patches/httpd-fixup-vhost.patch	(revision 2402)
+++ branches/fc19-dev/server/common/patches/httpd-fixup-vhost.patch	(revision 2422)
@@ -1,85 +1,101 @@
-commit 3b081163d6250d893838d69d9a83f217c341d657
-Author: Greg Brockman <gdb@mit.edu>
-Date:   Fri Aug 6 23:19:15 2010 -0400
+From 2e62dad3d91280032b2130f02553c968d306edf5 Mon Sep 17 00:00:00 2001
+From: Alexander Chernyakhovsky <achernya@mit.edu>
+Date: Fri, 3 May 2013 22:43:28 -0400
+Subject: [PATCH 4/4] Export method to fixup a single virtual host
 
-    Add method to merge virtual host with a main server_rec
+Apache normally provides ap_fixup_virtual_hosts, which merges the
+configuration from the main server into each virtual host.  Refactor
+this code to allow merging the configuration into a single virtual
+host, and export this method for use in mod_vhost_ldap.
+
+Additionally, call the newly created method in the loop in
+ap_fixup_virtual_hosts.
+---
+ include/http_config.h |    9 ++++++++
+ server/config.c       |   58 +++++++++++++++++++++++++++----------------------
+ 2 files changed, 41 insertions(+), 26 deletions(-)
 
 diff --git a/include/http_config.h b/include/http_config.h
-index 5e9fd51..8e6f247 100644
+index 7ee3760..e3657ea 100644
 --- a/include/http_config.h
 +++ b/include/http_config.h
-@@ -827,6 +827,16 @@ AP_DECLARE(void) ap_register_hooks(module *m, apr_pool_t *p);
- AP_DECLARE(void) ap_fixup_virtual_hosts(apr_pool_t *p, 
+@@ -1012,6 +1012,15 @@ AP_DECLARE(void) ap_register_hooks(module *m, apr_pool_t *p);
+  */
+ AP_DECLARE(void) ap_fixup_virtual_hosts(apr_pool_t *p,
                                          server_rec *main_server);
- 
 +/**
-+ * Setup a single virtual host by merging the main server_rec into it.
++ * Setup all virtual hosts
 + * @param p The pool to allocate from
-+ * @param main_server The server_rec with which to merge
-+ * @param virt The virtual host server_rec with some set of directives to override already set
++ * @param main_server The head of the server_rec list
++ * @param virt The individual virtual host to fix
 + */
 +AP_DECLARE(void) ap_fixup_virtual_host(apr_pool_t *p,
 +				       server_rec *main_server,
 +				       server_rec *virt);
-+
- /* For http_request.c... */
  
  /**
+  * Reserve some modules slots for modules loaded by other means than
 diff --git a/server/config.c b/server/config.c
-index 101d0e4..ef0f2ba 100644
+index bc0804a..488954d 100644
 --- a/server/config.c
 +++ b/server/config.c
-@@ -1902,38 +1902,43 @@ AP_CORE_DECLARE(const char *) ap_init_virtual_host(apr_pool_t *p,
+@@ -2246,46 +2246,52 @@ AP_DECLARE(void) ap_merge_log_config(const struct ap_logconf *old_conf,
+     }
  }
- 
  
 -AP_DECLARE(void) ap_fixup_virtual_hosts(apr_pool_t *p, server_rec *main_server)
 +AP_DECLARE(void) ap_fixup_virtual_host(apr_pool_t *p, server_rec *main_server,
-+                                       server_rec *virt)
++				       server_rec *virt)
  {
 -    server_rec *virt;
-+    merge_server_configs(p, main_server->module_config,
-+                         virt->module_config);
+     core_dir_config *dconf =
+         ap_get_core_module_config(main_server->lookup_defaults);
+     dconf->log = &main_server->log;
  
 -    for (virt = main_server->next; virt; virt = virt->next) {
 -        merge_server_configs(p, main_server->module_config,
 -                             virt->module_config);
-+    virt->lookup_defaults =
-+        ap_merge_per_dir_configs(p, main_server->lookup_defaults,
-+                                 virt->lookup_defaults);
++    merge_server_configs(p, main_server->module_config,
++			 virt->module_config);
  
 -        virt->lookup_defaults =
 -            ap_merge_per_dir_configs(p, main_server->lookup_defaults,
 -                                     virt->lookup_defaults);
-+    if (virt->server_admin == NULL)
-+        virt->server_admin = main_server->server_admin;
++    virt->lookup_defaults =
++	ap_merge_per_dir_configs(p, main_server->lookup_defaults,
++				 virt->lookup_defaults);
  
 -        if (virt->server_admin == NULL)
 -            virt->server_admin = main_server->server_admin;
-+    if (virt->timeout == 0)
-+        virt->timeout = main_server->timeout;
++    if (virt->server_admin == NULL)
++	virt->server_admin = main_server->server_admin;
  
 -        if (virt->timeout == 0)
 -            virt->timeout = main_server->timeout;
-+    if (virt->keep_alive_timeout == 0)
-+        virt->keep_alive_timeout = main_server->keep_alive_timeout;
++    if (virt->timeout == 0)
++	virt->timeout = main_server->timeout;
  
 -        if (virt->keep_alive_timeout == 0)
 -            virt->keep_alive_timeout = main_server->keep_alive_timeout;
-+    if (virt->keep_alive == -1)
-+        virt->keep_alive = main_server->keep_alive;
++    if (virt->keep_alive_timeout == 0)
++	virt->keep_alive_timeout = main_server->keep_alive_timeout;
  
 -        if (virt->keep_alive == -1)
 -            virt->keep_alive = main_server->keep_alive;
-+    if (virt->keep_alive_max == -1)
-+        virt->keep_alive_max = main_server->keep_alive_max;
++    if (virt->keep_alive == -1)
++	virt->keep_alive = main_server->keep_alive;
  
 -        if (virt->keep_alive_max == -1)
 -            virt->keep_alive_max = main_server->keep_alive_max;
-+    /* XXX: this is really something that should be dealt with by a
-+     * post-config api phase
-+     */
-+    ap_core_reorder_directories(p, virt);
-+}
++    if (virt->keep_alive_max == -1)
++	virt->keep_alive_max = main_server->keep_alive_max;
+ 
+-        ap_merge_log_config(&main_server->log, &virt->log);
++    ap_merge_log_config(&main_server->log, &virt->log);
+ 
+-        dconf = ap_get_core_module_config(virt->lookup_defaults);
+-        dconf->log = &virt->log;
++    dconf = ap_get_core_module_config(virt->lookup_defaults);
++    dconf->log = &virt->log;
  
 -        /* XXX: this is really something that should be dealt with by a
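Review bot: The doc comment added for `ap_fixup_virtual_host` in the http_config.h part of this hunk now reads `Setup all virtual hosts` and calls `main_server` `The head of the server_rec list`, which is the wording for the plural `ap_fixup_virtual_hosts` and replaces the accurate text the previous revision of this patch had. Suggest `Set up a single virtual host by merging the main server's configuration into it` and `@param main_server The server_rec whose configuration is merged in`. The function is exported for mod_vhost_ldap and, per the config.c lines here, writes `dconf->log` on `main_server->lookup_defaults` as well as several fields of `virt`, so the comment should also say when it may be called; if it is reached at request time rather than during configuration, those unsynchronised writes to shared records would need review. The new lines are indented with tabs where the surrounding context uses spaces, and the following hunk adds a line of trailing whitespace before the `for` loop.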
@@ -88,8 +104,14 @@
 -        ap_core_reorder_directories(p, virt);
 -    }
++    /* XXX: this is really something that should be dealt with by a
++     * post-config api phase
++     */
++    ap_core_reorder_directories(p, virt);
++}
++
 +AP_DECLARE(void) ap_fixup_virtual_hosts(apr_pool_t *p, server_rec *main_server)
 +{
 +    server_rec *virt;
-+
++    
 +    for (virt = main_server->next; virt; virt = virt->next)
 +        ap_fixup_virtual_host(p, main_server, virt);
@@ -97,2 +119,5 @@
      ap_core_reorder_directories(p, main_server);
  }
+-- 
+1.7.9.6 (Apple Git-31.1)
+
Index: branches/fc19-dev/server/common/patches/httpd-mod_status-security.patch
===================================================================
--- branches/fc19-dev/server/common/patches/httpd-mod_status-security.patch	(revision 2422)
+++ branches/fc19-dev/server/common/patches/httpd-mod_status-security.patch	(revision 2422)
@@ -0,0 +1,103 @@
+From 0c2aac95f8df4e7c243ea00d54d4050e32f7868b Mon Sep 17 00:00:00 2001
+From: Alexander Chernyakhovsky <achernya@mit.edu>
+Date: Fri, 3 May 2013 21:39:17 -0400
+Subject: [PATCH 2/4] Prevent mod_status from taking effect in .htaccess files
+
+Introduce a directive to the Apache configuration that is only
+permitted in a directory context, called "PermitStatusHandler", to
+prevent users from enabling mod_status from their .htaccess files.
+
+Signed-off-by: Quentin Smith <quentin@mit.edu>
+Signed-off-by: Geoffrey Thomas <geofft@mit.edu>
+---
+ modules/generators/mod_status.c |   60 +++++++++++++++++++++++++++++++++++++--
+ 1 file changed, 57 insertions(+), 3 deletions(-)
+
+diff --git a/modules/generators/mod_status.c b/modules/generators/mod_status.c
+index 0237f1d..c7fd0e0 100644
+--- a/modules/generators/mod_status.c
++++ b/modules/generators/mod_status.c
+@@ -103,6 +103,56 @@ APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(ap, STATUS, int, status_hook,
+ static pid_t child_pid;
+ #endif
+ 
++typedef struct {
++  int permit_status_handler;
++} status_config_rec;
++
++/*
++ * command-related code. This is here to prevent use of ExtendedStatus
++ * without status_module included.
++ */
++static const char *set_extended_status(cmd_parms *cmd, void *dummy, int arg)
++{
++    const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
++    if (err != NULL) {
++        return err;
++    }
++    ap_extended_status = arg;
++    return NULL;
++}
++
++static const char *set_reqtail(cmd_parms *cmd, void *dummy, int arg)
++{
++    const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
++    if (err != NULL) {
++        return err;
++    }
++    ap_mod_status_reqtail = arg;
++    return NULL;
++}
++
++static void *create_status_dir_config(apr_pool_t *p, char *d)
++{
++  status_config_rec *conf = apr_pcalloc(p, sizeof(*conf));
++  conf->permit_status_handler = 0;
++  return conf;
++}
++
++static const command_rec status_module_cmds[] =
++{
++    AP_INIT_FLAG("ExtendedStatus", set_extended_status, NULL, RSRC_CONF,
++      "\"On\" to enable extended status information, \"Off\" to disable"),
++    AP_INIT_FLAG("SeeRequestTail", set_reqtail, NULL, RSRC_CONF,
++      "For verbose requests, \"On\" to see the last 63 chars of the request, "
++      "\"Off\" (default) to see the first 63 in extended status display"),
++    AP_INIT_FLAG("PermitStatusHandler", ap_set_flag_slot,
++		 (void *)APR_OFFSETOF(status_config_rec, permit_status_handler),
++		 ACCESS_CONF,
++      "As a security measure, only permit status handlers where this flag "
++      "is set. Only legal in directory context, not .htaccess."),
++    {NULL}
++};
++
+ /* Format the number of bytes nicely */
+ static void format_byte_out(request_rec *r, apr_off_t bytes)
+ {
+@@ -207,8 +257,12 @@ static int status_handler(request_rec *r)
+     int times_per_thread;
+ #endif
+ 
+-    if (strcmp(r->handler, STATUS_MAGIC_TYPE) && strcmp(r->handler,
+-            "server-status")) {
++    status_config_rec *conf = ap_get_module_config(r->per_dir_config,
++						   &status_module);
++
++    if ((strcmp(r->handler, STATUS_MAGIC_TYPE) &&
++         strcmp(r->handler, "server-status")) ||
++	!conf->permit_status_handler) {
+         return DECLINED;
+     }
+ 
+@@ -974,7 +1028,7 @@ static void register_hooks(apr_pool_t *p)
+ AP_DECLARE_MODULE(status) =
+ {
+     STANDARD20_MODULE_STUFF,
+-    NULL,                       /* dir config creater */
++    create_status_dir_config,   /* dir config creater */
+     NULL,                       /* dir merger --- default is to override */
+     NULL,                       /* server config */
+     NULL,                       /* merge server config */
+-- 
+1.7.9.6 (Apple Git-31.1)
+
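Review bot: `status_module_cmds` is added but nothing in this patch registers it: the only change to the `AP_DECLARE_MODULE(status)` initialiser is the dir-config creator slot, and the diffstat's three deletions are all accounted for by the lines visible here. Unless the base file already names this table in its command-table slot (which lies below the last context line), `PermitStatusHandler` is never a recognised directive, `permit_status_handler` stays 0 from `create_status_dir_config`, and `status_handler` declines every request; that fails closed, but the handler cannot be enabled at all. The module hunk should also carry `status_module_cmds,         /* command table */`. The re-added `set_extended_status` and `set_reqtail` look carried over from the 2.2 module; if this httpd version already defines `ExtendedStatus` and `SeeRequestTail` elsewhere, keep only the `PermitStatusHandler` entry in the table.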
Index: branches/fc19-dev/server/common/patches/httpd-suexec-cloexec.patch
===================================================================
--- branches/fc19-dev/server/common/patches/httpd-suexec-cloexec.patch	(revision 2402)
+++ 	(revision )
@@ -1,52 +1,0 @@
-From: Stefan Fritsch <sf@apache.org>
-Date: Sat, 3 Oct 2009 13:46:48 +0000
-Subject: suexec: Allow to log an error if exec fails by setting FD_CLOEXEC on the log file instead of closing it.
-
-PR: 10744
-Submitted by: Nicolas Rachinsky
-Reviewed by: Stefan Fritsch
-
-Origin: upstream, http://svn.apache.org/viewvc?rev=821321&view=rev
-Bug: https://issues.apache.org/bugzilla/show_bug.cgi?id=10744
----
- support/suexec.c |   18 +++++++++---------
- 1 files changed, 9 insertions(+), 9 deletions(-)
-
-diff --git a/support/suexec.c b/support/suexec.c
-index cb4e85f..85e1318 100644
---- a/support/suexec.c
-+++ b/support/suexec.c
-@@ -49,6 +49,7 @@
- #include <stdio.h>
- #include <stdarg.h>
- #include <stdlib.h>
-+#include <fcntl.h>
- #include <selinux/selinux.h>
- 
- #ifdef HAVE_PWD_H
-@@ -714,17 +715,16 @@ TRUSTED_DIRECTORY:
- #endif /* AP_SUEXEC_UMASK */
- 
-     /*
--     * Be sure to close the log file so the CGI can't
--     * mess with it.  If the exec fails, it will be reopened
--     * automatically when log_err is called.  Note that the log
--     * might not actually be open if AP_LOG_EXEC isn't defined.
--     * However, the "log" cell isn't ifdef'd so let's be defensive
--     * and assume someone might have done something with it
--     * outside an ifdef'd AP_LOG_EXEC block.
-+     * ask fcntl(2) to set the FD_CLOEXEC flag on the log file,
-+     * so it'll be automagically closed if the exec() call succeeds.
-      */
-     if (log != NULL) {
--        fclose(log);
--        log = NULL;
-+        fflush(log);
-+        setbuf(log,NULL);
-+        if ((fcntl(fileno(log), F_SETFD, FD_CLOEXEC) == -1)) {
-+            log_err("error: can't set close-on-exec flag");
-+            exit(122);
-+        }
-     }
- 
-     /*
Index: branches/fc19-dev/server/common/patches/httpd-suexec-scripts.patch
===================================================================
--- branches/fc19-dev/server/common/patches/httpd-suexec-scripts.patch	(revision 2402)
+++ branches/fc19-dev/server/common/patches/httpd-suexec-scripts.patch	(revision 2422)
@@ -1,38 +1,31 @@
-# scripts.mit.edu httpd suexec patch
-# Copyright (C) 2006, 2007, 2008  Jeff Arnold <jbarnold@mit.edu>,
-#                                 Joe Presbrey <presbrey@mit.edu>,
-#                                 Anders Kaseorg <andersk@mit.edu>,
-#                                 Geoffrey Thomas <geofft@mit.edu>
-#
-# This program is free software; you can redistribute it and/or
-# modify it under the terms of the GNU General Public License
-# as published by the Free Software Foundation; either version 2
-# of the License, or (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA
-#
-# See /COPYRIGHT in this repository for more information.
-#
---- httpd-2.2.2/support/Makefile.in.old	2005-07-06 19:15:34.000000000 -0400
-+++ httpd-2.2.2/support/Makefile.in	2007-01-20 17:12:51.000000000 -0500
-@@ -60,7 +60,7 @@
-
- suexec_OBJECTS = suexec.lo
- suexec: $(suexec_OBJECTS)
--	$(LINK) $(suexec_OBJECTS)
-+	$(LINK) -lselinux $(suexec_OBJECTS)
-
- htcacheclean_OBJECTS = htcacheclean.lo
- htcacheclean: $(htcacheclean_OBJECTS)
---- httpd-2.2.2/configure.in.old	2007-07-17 10:48:25.000000000 -0400
-+++ httpd-2.2.2/configure.in	2008-08-29 08:15:41.000000000 -0400
-@@ -559,6 +559,10 @@
+From 8445788d68230b2e18739166f4c3ae6434038421 Mon Sep 17 00:00:00 2001
+From: Alexander Chernyakhovsky <achernya@mit.edu>
+Date: Fri, 3 May 2013 21:38:58 -0400
+Subject: [PATCH 1/4] Add scripts-specific support to suexec
+
+This patch make suexec aware of static-cat, Scripts' tool to serve
+static content out of AFS.  Specifically, this introduces a whitelist
+of extensions for which suexec is supposed to invoke static-cat as a
+content-handler.
+
+Additionally, this patch also sets JAVA_TOOL_OPTIONS, to allow the JVM
+to start up in Scripts' limited memory environment.
+
+Furthermore, this patch deals with some of suexec's paranoia being
+incorrect in an AFS world, by ignoring some of the irrelevant stat
+results.
+
+Finally, add support for invoking php-cgi for php files, in a safe
+manner that will strip arguments passed by Apache to php-cgi.
+---
+ configure.in     |    4 ++
+ support/suexec.c |  172 +++++++++++++++++++++++++++++++++++++++++++++++++++++-
+ 2 files changed, 173 insertions(+), 3 deletions(-)
+
+diff --git a/configure.in b/configure.in
+index d93f78c..14faccf 100644
+--- a/configure.in
++++ b/configure.in
+@@ -720,6 +720,10 @@ AC_ARG_WITH(suexec-userdir,
  APACHE_HELP_STRING(--with-suexec-userdir,User subdirectory),[
    AC_DEFINE_UNQUOTED(AP_USERDIR_SUFFIX, "$withval", [User subdirectory] ) ] )
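Review bot: The new patch description says suexec ignores "some of the irrelevant stat results" without naming which checks are skipped, and for a setuid-root helper that list is exactly what needs auditing. Judging from the inner hunks further down, the changes sit around the "cwd is writable by others", "program is writable by others" and owner/group match checks, but their bodies are not shown in this revision diff, so that is inferred. I would name each relaxed check in the description with one sentence on why AFS makes it safe to skip, and correct `This patch make suexec aware` to `This patch makes suexec aware`. The GPL notice and the `See /COPYRIGHT in this repository` pointer from the old header are also dropped here; if that is intentional, keeping the pointer in the description would preserve the provenance.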
@@ -45,6 +38,8 @@
  APACHE_HELP_STRING(--with-suexec-docroot,SuExec root directory),[
    AC_DEFINE_UNQUOTED(AP_DOC_ROOT, "$withval", [SuExec root directory] ) ] )
---- httpd-2.2.11/support/suexec.c.old	2008-11-30 10:47:31.000000000 -0500
-+++ httpd-2.2.11/support/suexec.c	2009-06-08 09:02:17.000000000 -0400
+diff --git a/support/suexec.c b/support/suexec.c
+index 5b6b254..e377042 100644
+--- a/support/suexec.c
++++ b/support/suexec.c
 @@ -30,6 +30,9 @@
   *
@@ -57,13 +52,5 @@
  #include "ap_config.h"
  #include "suexec.h"
-@@ -46,6 +49,7 @@
- #include <stdio.h>
- #include <stdarg.h>
- #include <stdlib.h>
-+#include <selinux/selinux.h>
- 
- #ifdef HAVE_PWD_H
- #include <pwd.h>
-@@ -95,6 +99,7 @@
+@@ -92,6 +95,7 @@ static const char *const safe_env_lst[] =
  {
      /* variable name starts with */
@@ -73,5 +60,5 @@
  
      /* variable name is */
-@@ -245,9 +250,108 @@
+@@ -264,9 +268,108 @@ static void clean_env(void)
      environ = cleanenv;
  }
@@ -182,5 +169,5 @@
      gid_t gid;              /* target group placeholder  */
      char *target_uname;     /* target user name          */
-@@ -268,6 +368,7 @@
+@@ -286,6 +389,7 @@ int main(int argc, char *argv[])
       * Start with a "clean" environment
       */
@@ -188,7 +175,7 @@
 +    setenv("JAVA_TOOL_OPTIONS", "-Xmx128M", 1); /* scripts.mit.edu local hack */
  
-     prog = argv[0];
-     /*
-@@ -350,6 +451,20 @@
+     /*
+      * Check existence/validity of the UID of the user
+@@ -369,6 +473,20 @@ int main(int argc, char *argv[])
  #endif /*_OSD_POSIX*/
  
@@ -211,5 +198,5 @@
       * or attempts to back up out of the current directory,
       * to protect against attacks.  If any are
-@@ -371,6 +486,7 @@
+@@ -390,6 +508,7 @@ int main(int argc, char *argv[])
          userdir = 1;
      }
@@ -219,5 +206,5 @@
       * Error out if the target username is invalid.
       */
-@@ -452,7 +568,7 @@
+@@ -471,7 +590,7 @@ int main(int argc, char *argv[])
       * Error out if attempt is made to execute as root or as
       * a UID less than AP_UID_MIN.  Tsk tsk.
@@ -225,9 +212,9 @@
 -    if ((uid == 0) || (uid < AP_UID_MIN)) {
 +    if ((uid == 0) || (uid < AP_UID_MIN && uid != 102)) { /* uid 102 = signup  */
-         log_err("cannot run as forbidden uid (%d/%s)\n", uid, cmd);
+         log_err("cannot run as forbidden uid (%lu/%s)\n", (unsigned long)uid, cmd);
          exit(107);
      }
-@@ -484,6 +599,7 @@
-         log_err("failed to setuid (%ld: %s)\n", uid, cmd);
+@@ -503,6 +622,7 @@ int main(int argc, char *argv[])
+         log_err("failed to setuid (%lu: %s)\n", (unsigned long)uid, cmd);
          exit(110);
      }
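Review bot: The `uid != 102` exception in the AP_UID_MIN check, carried here as unchanged context, hard-codes a site-local account number into the privilege check of a setuid-root binary. If uid 102 is assigned to a different account on some host, that account becomes a valid suexec target below the configured minimum with nothing in the build to flag it. A named build-time value would make the dependency visible and auditable, for example a proposed `#define SCRIPTS_SIGNUP_UID 102` near the top of suexec.c and `(uid < AP_UID_MIN && uid != SCRIPTS_SIGNUP_UID)` in the test. The `%lu` with `(unsigned long)uid` in the two log_err calls matches the argument type; main() starts and ends outside this hunk.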
@@ -236,5 +223,5 @@
      /*
       * Get the current working directory, as well as the proper
-@@ -506,6 +637,21 @@
+@@ -525,6 +645,21 @@ int main(int argc, char *argv[])
              log_err("cannot get docroot information (%s)\n", target_homedir);
              exit(112);
@@ -258,5 +245,5 @@
      else {
          if (((chdir(AP_DOC_ROOT)) != 0) ||
-@@ -532,15 +678,17 @@
+@@ -551,15 +686,17 @@ int main(int argc, char *argv[])
      /*
       * Error out if cwd is writable by others.
@@ -277,5 +264,5 @@
          exit(117);
      }
-@@ -548,10 +696,12 @@
+@@ -567,10 +704,12 @@ int main(int argc, char *argv[])
      /*
       * Error out if the program is writable by others.
@@ -290,5 +277,5 @@
      /*
       * Error out if the file is setuid or setgid.
-@@ -565,6 +715,7 @@
+@@ -584,6 +723,7 @@ int main(int argc, char *argv[])
       * Error out if the target name/group is different from
       * the name/group of the cwd or the program.
@@ -298,6 +285,6 @@
          (gid != dir_info.st_gid) ||
          (uid != prg_info.st_uid) ||
-@@ -576,12 +727,14 @@
-                 prg_info.st_uid, prg_info.st_gid);
+@@ -595,12 +735,14 @@ int main(int argc, char *argv[])
+                 (unsigned long)prg_info.st_uid, (unsigned long)prg_info.st_gid);
          exit(120);
      }
@@ -314,5 +301,5 @@
          exit(121);
      }
-@@ -614,6 +767,30 @@
+@@ -649,6 +791,30 @@ int main(int argc, char *argv[])
      /*
       * Execute the command, replacing our image with its own.
@@ -345,2 +332,5 @@
      /* We need the #! emulation when we want to execute scripts */
      {
+-- 
+1.7.9.6 (Apple Git-31.1)
+
