Changeset 2422 for branches/fc19-dev

Timestamp:

May 29, 2013, 1:13:40 AM (11 years ago)

Author:

tboning

Message:

Rebase Scripts httpd patches for httpd 2.4:

Location:

branches/fc19-dev/server

Files:

• common/patches/httpd-2.2.x-304.patch (deleted)
• common/patches/httpd-2.2.x-log-docroot.patch (deleted)
• common/patches/httpd-2.2.x-mod_ssl-sessioncaching.patch (deleted)
• common/patches/httpd-2.2.x-mod_status-security.patch (deleted)
• common/patches/httpd-304s.patch (added)
• common/patches/httpd-SSLCompression.patch (deleted)
• common/patches/httpd-fixup-vhost.patch (modified) (3 diffs)
• common/patches/httpd-mod_status-security.patch (added)
• common/patches/httpd-suexec-cloexec.patch (deleted)
• common/patches/httpd-suexec-scripts.patch (modified) (16 diffs)
• fedora/specs/httpd.spec.patch (modified) (4 diffs)

branches/fc19-dev/server/common/patches/httpd-fixup-vhost.patch

@@ -1 @@
-commit 3b081163d6250d893838d69d9a83f217c341d657
-Author: Greg Brockman <gdb@mit.edu>
-Date:   Fri Aug 6 23:19:15 2010 -0400
+From 2e62dad3d91280032b2130f02553c968d306edf5 Mon Sep 17 00:00:00 2001
+From: Alexander Chernyakhovsky <achernya@mit.edu>
+Date: Fri, 3 May 2013 22:43:28 -0400
+Subject: [PATCH 4/4] Export method to fixup a single virtual host
 
-    Add method to merge virtual host with a main server_rec
+Apache normally provides ap_fixup_virtual_hosts, which merges the
+configuration from the main server into each virtual host.  Refactor
+this code to allow merging the configuration into a single virtual
+host, and export this method for use in mod_vhost_ldap.
+
+Additionally, call the newly created method in the loop in
+ap_fixup_virtual_hosts.
+---
+ include/http_config.h |    9 ++++++++
+ server/config.c       |   58 +++++++++++++++++++++++++++----------------------
+ 2 files changed, 41 insertions(+), 26 deletions(-)
 
 diff --git a/include/http_config.h b/include/http_config.h
-index 5e9fd51..8e6f247 100644
+index 7ee3760..e3657ea 100644
 --- a/include/http_config.h
 +++ b/include/http_config.h
-@@ -827,6 +827,16 @@ AP_DECLARE(void) ap_register_hooks(module *m, apr_pool_t *p);
- AP_DECLARE(void) ap_fixup_virtual_hosts(apr_pool_t *p, 
+@@ -1012,6 +1012,15 @@ AP_DECLARE(void) ap_register_hooks(module *m, apr_pool_t *p);
+  */
+ AP_DECLARE(void) ap_fixup_virtual_hosts(apr_pool_t *p,
                                          server_rec *main_server);
- 
 +/**
-+ * Setup a single virtual host by merging the main server_rec into it.
++ * Setup all virtual hosts
 + * @param p The pool to allocate from
-+ * @param main_server The server_rec with which to merge
-+ * @param virt The virtual host server_rec with some set of directives to override already set
++ * @param main_server The head of the server_rec list
++ * @param virt The individual virtual host to fix
 + */
 +AP_DECLARE(void) ap_fixup_virtual_host(apr_pool_t *p,
 +                                      server_rec *main_server,
 +                                      server_rec *virt);
-+
- /* For http_request.c... */
  
  /**
+  * Reserve some modules slots for modules loaded by other means than
 diff --git a/server/config.c b/server/config.c
-index 101d0e4..ef0f2ba 100644
+index bc0804a..488954d 100644
 --- a/server/config.c
 +++ b/server/config.c
-@@ -1902,38 +1902,43 @@ AP_CORE_DECLARE(const char *) ap_init_virtual_host(apr_pool_t *p,
+@@ -2246,46 +2246,52 @@ AP_DECLARE(void) ap_merge_log_config(const struct ap_logconf *old_conf,
+     }
  }
- 
  
 -AP_DECLARE(void) ap_fixup_virtual_hosts(apr_pool_t *p, server_rec *main_server)
 +AP_DECLARE(void) ap_fixup_virtual_host(apr_pool_t *p, server_rec *main_server,
-+                                       server_rec *virt)
++                                      server_rec *virt)
  {
 -    server_rec *virt;
-+    merge_server_configs(p, main_server->module_config,
-+                         virt->module_config);
+     core_dir_config *dconf =
+         ap_get_core_module_config(main_server->lookup_defaults);
+     dconf->log = &main_server->log;
  
 -    for (virt = main_server->next; virt; virt = virt->next) {
 -        merge_server_configs(p, main_server->module_config,
 -                             virt->module_config);
-+    virt->lookup_defaults =
-+        ap_merge_per_dir_configs(p, main_server->lookup_defaults,
-+                                 virt->lookup_defaults);
++    merge_server_configs(p, main_server->module_config,
++                        virt->module_config);
  
 -        virt->lookup_defaults =
 -            ap_merge_per_dir_configs(p, main_server->lookup_defaults,
 -                                     virt->lookup_defaults);
-+    if (virt->server_admin == NULL)
-+        virt->server_admin = main_server->server_admin;
++    virt->lookup_defaults =
++       ap_merge_per_dir_configs(p, main_server->lookup_defaults,
++                                virt->lookup_defaults);
  
 -        if (virt->server_admin == NULL)
 -            virt->server_admin = main_server->server_admin;
-+    if (virt->timeout == 0)
-+        virt->timeout = main_server->timeout;
++    if (virt->server_admin == NULL)
++       virt->server_admin = main_server->server_admin;
  
 -        if (virt->timeout == 0)
 -            virt->timeout = main_server->timeout;
-+    if (virt->keep_alive_timeout == 0)
-+        virt->keep_alive_timeout = main_server->keep_alive_timeout;
++    if (virt->timeout == 0)
++       virt->timeout = main_server->timeout;
  
 -        if (virt->keep_alive_timeout == 0)
 -            virt->keep_alive_timeout = main_server->keep_alive_timeout;
-+    if (virt->keep_alive == -1)
-+        virt->keep_alive = main_server->keep_alive;
++    if (virt->keep_alive_timeout == 0)
++       virt->keep_alive_timeout = main_server->keep_alive_timeout;
  
 -        if (virt->keep_alive == -1)
 -            virt->keep_alive = main_server->keep_alive;
-+    if (virt->keep_alive_max == -1)
-+        virt->keep_alive_max = main_server->keep_alive_max;
++    if (virt->keep_alive == -1)
++       virt->keep_alive = main_server->keep_alive;
  
 -        if (virt->keep_alive_max == -1)
 -            virt->keep_alive_max = main_server->keep_alive_max;
-+    /* XXX: this is really something that should be dealt with by a
-+     * post-config api phase
-+     */
-+    ap_core_reorder_directories(p, virt);
-+}
++    if (virt->keep_alive_max == -1)
++       virt->keep_alive_max = main_server->keep_alive_max;
+ 
+-        ap_merge_log_config(&main_server->log, &virt->log);
++    ap_merge_log_config(&main_server->log, &virt->log);
+ 
+-        dconf = ap_get_core_module_config(virt->lookup_defaults);
+-        dconf->log = &virt->log;
++    dconf = ap_get_core_module_config(virt->lookup_defaults);
++    dconf->log = &virt->log;
  
 -        /* XXX: this is really something that should be dealt with by a
@@ -88 +104 @@
 -        ap_core_reorder_directories(p, virt);
 -    }
++    /* XXX: this is really something that should be dealt with by a
++     * post-config api phase
++     */
++    ap_core_reorder_directories(p, virt);
++}
++
 +AP_DECLARE(void) ap_fixup_virtual_hosts(apr_pool_t *p, server_rec *main_server)
 +{
 +    server_rec *virt;
-+
++    
 +    for (virt = main_server->next; virt; virt = virt->next)
 +        ap_fixup_virtual_host(p, main_server, virt);
@@ -97 +119 @@
      ap_core_reorder_directories(p, main_server);
  }
+-- 
+1.7.9.6 (Apple Git-31.1)
+

branches/fc19-dev/server/common/patches/httpd-suexec-scripts.patch

@@ -1 @@
-# scripts.mit.edu httpd suexec patch
-# Copyright (C) 2006, 2007, 2008  Jeff Arnold <jbarnold@mit.edu>,
-#                                 Joe Presbrey <presbrey@mit.edu>,
-#                                 Anders Kaseorg <andersk@mit.edu>,
-#                                 Geoffrey Thomas <geofft@mit.edu>
-#
-# This program is free software; you can redistribute it and/or
-# modify it under the terms of the GNU General Public License
-# as published by the Free Software Foundation; either version 2
-# of the License, or (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA
-#
-# See /COPYRIGHT in this repository for more information.
-#
---- httpd-2.2.2/support/Makefile.in.old 2005-07-06 19:15:34.000000000 -0400
-+++ httpd-2.2.2/support/Makefile.in     2007-01-20 17:12:51.000000000 -0500
-@@ -60,7 +60,7 @@
-
- suexec_OBJECTS = suexec.lo
- suexec: $(suexec_OBJECTS)
--       $(LINK) $(suexec_OBJECTS)
-+       $(LINK) -lselinux $(suexec_OBJECTS)
-
- htcacheclean_OBJECTS = htcacheclean.lo
- htcacheclean: $(htcacheclean_OBJECTS)
---- httpd-2.2.2/configure.in.old        2007-07-17 10:48:25.000000000 -0400
-+++ httpd-2.2.2/configure.in    2008-08-29 08:15:41.000000000 -0400
-@@ -559,6 +559,10 @@
+From 8445788d68230b2e18739166f4c3ae6434038421 Mon Sep 17 00:00:00 2001
+From: Alexander Chernyakhovsky <achernya@mit.edu>
+Date: Fri, 3 May 2013 21:38:58 -0400
+Subject: [PATCH 1/4] Add scripts-specific support to suexec
+
+This patch make suexec aware of static-cat, Scripts' tool to serve
+static content out of AFS.  Specifically, this introduces a whitelist
+of extensions for which suexec is supposed to invoke static-cat as a
+content-handler.
+
+Additionally, this patch also sets JAVA_TOOL_OPTIONS, to allow the JVM
+to start up in Scripts' limited memory environment.
+
+Furthermore, this patch deals with some of suexec's paranoia being
+incorrect in an AFS world, by ignoring some of the irrelevant stat
+results.
+
+Finally, add support for invoking php-cgi for php files, in a safe
+manner that will strip arguments passed by Apache to php-cgi.
+---
+ configure.in     |    4 ++
+ support/suexec.c |  172 +++++++++++++++++++++++++++++++++++++++++++++++++++++-
+ 2 files changed, 173 insertions(+), 3 deletions(-)
+
+diff --git a/configure.in b/configure.in
+index d93f78c..14faccf 100644
+--- a/configure.in
++++ b/configure.in
+@@ -720,6 +720,10 @@ AC_ARG_WITH(suexec-userdir,
  APACHE_HELP_STRING(--with-suexec-userdir,User subdirectory),[
    AC_DEFINE_UNQUOTED(AP_USERDIR_SUFFIX, "$withval", [User subdirectory] ) ] )
@@ -45 +38 @@
  APACHE_HELP_STRING(--with-suexec-docroot,SuExec root directory),[
    AC_DEFINE_UNQUOTED(AP_DOC_ROOT, "$withval", [SuExec root directory] ) ] )
---- httpd-2.2.11/support/suexec.c.old   2008-11-30 10:47:31.000000000 -0500
-+++ httpd-2.2.11/support/suexec.c       2009-06-08 09:02:17.000000000 -0400
+diff --git a/support/suexec.c b/support/suexec.c
+index 5b6b254..e377042 100644
+--- a/support/suexec.c
++++ b/support/suexec.c
 @@ -30,6 +30,9 @@
   *
@@ -57 +52 @@
  #include "ap_config.h"
  #include "suexec.h"
-@@ -46,6 +49,7 @@
- #include <stdio.h>
- #include <stdarg.h>
- #include <stdlib.h>
-+#include <selinux/selinux.h>
- 
- #ifdef HAVE_PWD_H
- #include <pwd.h>
-@@ -95,6 +99,7 @@
+@@ -92,6 +95,7 @@ static const char *const safe_env_lst[] =
  {
      /* variable name starts with */
@@ -73 +60 @@
  
      /* variable name is */
-@@ -245,9 +250,108 @@
+@@ -264,9 +268,108 @@ static void clean_env(void)
      environ = cleanenv;
  }
@@ -182 +169 @@
      gid_t gid;              /* target group placeholder  */
      char *target_uname;     /* target user name          */
-@@ -268,6 +368,7 @@
+@@ -286,6 +389,7 @@ int main(int argc, char *argv[])
       * Start with a "clean" environment
       */
@@ -188 +175 @@
 +    setenv("JAVA_TOOL_OPTIONS", "-Xmx128M", 1); /* scripts.mit.edu local hack */
  
-     prog = argv[0];
-     /*
-@@ -350,6 +451,20 @@
+     /*
+      * Check existence/validity of the UID of the user
+@@ -369,6 +473,20 @@ int main(int argc, char *argv[])
  #endif /*_OSD_POSIX*/
  
@@ -211 +198 @@
       * or attempts to back up out of the current directory,
       * to protect against attacks.  If any are
-@@ -371,6 +486,7 @@
+@@ -390,6 +508,7 @@ int main(int argc, char *argv[])
          userdir = 1;
      }
@@ -219 +206 @@
       * Error out if the target username is invalid.
       */
-@@ -452,7 +568,7 @@
+@@ -471,7 +590,7 @@ int main(int argc, char *argv[])
       * Error out if attempt is made to execute as root or as
       * a UID less than AP_UID_MIN.  Tsk tsk.
@@ -225 +212 @@
 -    if ((uid == 0) || (uid < AP_UID_MIN)) {
 +    if ((uid == 0) || (uid < AP_UID_MIN && uid != 102)) { /* uid 102 = signup  */
-         log_err("cannot run as forbidden uid (%d/%s)\n", uid, cmd);
+         log_err("cannot run as forbidden uid (%lu/%s)\n", (unsigned long)uid, cmd);
          exit(107);
      }
-@@ -484,6 +599,7 @@
-         log_err("failed to setuid (%ld: %s)\n", uid, cmd);
+@@ -503,6 +622,7 @@ int main(int argc, char *argv[])
+         log_err("failed to setuid (%lu: %s)\n", (unsigned long)uid, cmd);
          exit(110);
      }
@@ -236 +223 @@
      /*
       * Get the current working directory, as well as the proper
-@@ -506,6 +637,21 @@
+@@ -525,6 +645,21 @@ int main(int argc, char *argv[])
              log_err("cannot get docroot information (%s)\n", target_homedir);
              exit(112);
@@ -258 +245 @@
      else {
          if (((chdir(AP_DOC_ROOT)) != 0) ||
-@@ -532,15 +678,17 @@
+@@ -551,15 +686,17 @@ int main(int argc, char *argv[])
      /*
       * Error out if cwd is writable by others.
@@ -277 +264 @@
          exit(117);
      }
-@@ -548,10 +696,12 @@
+@@ -567,10 +704,12 @@ int main(int argc, char *argv[])
      /*
       * Error out if the program is writable by others.
@@ -290 +277 @@
      /*
       * Error out if the file is setuid or setgid.
-@@ -565,6 +715,7 @@
+@@ -584,6 +723,7 @@ int main(int argc, char *argv[])
       * Error out if the target name/group is different from
       * the name/group of the cwd or the program.
@@ -298 +285 @@
          (gid != dir_info.st_gid) ||
          (uid != prg_info.st_uid) ||
-@@ -576,12 +727,14 @@
-                 prg_info.st_uid, prg_info.st_gid);
+@@ -595,12 +735,14 @@ int main(int argc, char *argv[])
+                 (unsigned long)prg_info.st_uid, (unsigned long)prg_info.st_gid);
          exit(120);
      }
@@ -314 +301 @@
          exit(121);
      }
-@@ -614,6 +767,30 @@
+@@ -649,6 +791,30 @@ int main(int argc, char *argv[])
      /*
       * Execute the command, replacing our image with its own.
@@ -345 +332 @@
      /* We need the #! emulation when we want to execute scripts */
      {
+-- 
+1.7.9.6 (Apple Git-31.1)
+

branches/fc19-dev/server/fedora/specs/httpd.spec.patch

@@ -1 @@
---- /tmp/httpd/httpd.spec.orig  2013-02-14 17:53:29.967176396 -0500
-+++ /tmp/httpd/httpd.spec       2013-02-14 17:54:57.172521444 -0500
-@@ -9,7 +9,7 @@
+--- httpd.spec.orig     2013-05-29 00:46:07.522169507 -0400
++++ httpd.spec  2013-05-29 00:46:37.905169507 -0400
+@@ -14,7 +14,7 @@
  Summary: Apache HTTP Server
  Name: httpd
- Version: 2.2.23
--Release: 1%{?dist}
-+Release: 1%{?dist}.scripts.%{scriptsversion}
+ Version: 2.4.4
+-Release: 4%{?dist}
++Release: 4%{?dist}.scripts.%{scriptsversion}
  URL: http://httpd.apache.org/
  Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
  Source1: index.html
-@@ -57,6 +57,15 @@
+@@ -79,6 +79,12 @@
  Requires(postun): systemd-units
  Requires(post): systemd-units
  
 +Provides: scripts-httpd = %{version}-%{release}
-+Patch1000: httpd-suexec-scripts.patch
-+Patch1003: httpd-2.2.x-mod_status-security.patch
-+Patch1004: httpd-2.2.x-304.patch
-+Patch1005: httpd-2.2.x-mod_ssl-sessioncaching.patch
-+Patch1006: httpd-suexec-cloexec.patch
-+Patch1007: httpd-fixup-vhost.patch
-+Patch1008: httpd-SSLCompression.patch
++Patch1001: httpd-suexec-scripts.patch
++Patch1002: httpd-mod_status-security.patch
++Patch1003: httpd-304s.patch
++Patch1004: httpd-fixup-vhost.patch
 +
  %description
  The Apache HTTP Server is a powerful, efficient, and extensible
  web server.
-@@ -67,6 +76,7 @@
+@@ -89,6 +95,7 @@
  Obsoletes: secureweb-devel, apache-devel, stronghold-apache-devel
  Requires: apr-devel, apr-util-devel, pkgconfig
@@ -34 +31 @@
  %description devel
  The httpd-devel package contains the APXS binary and other files
-@@ -105,6 +115,7 @@
+@@ -127,6 +134,7 @@
  Requires(post): openssl, /bin/cat
  Requires(pre): httpd
@@ -42 +39 @@
  
  %description -n mod_ssl
-@@ -131,6 +142,14 @@
- # Patch in vendor/release string
- sed "s/@RELEASE@/%{vstring}/" < %{PATCH20} | patch -p1
+@@ -189,6 +197,11 @@
+ # Prevent use of setcap in "install-suexec-caps" target.
+ sed -i '/suexec/s,setcap ,echo Skipping setcap for ,' Makefile.in
  
-+%patch1000 -p1 -b .scripts
-+%patch1003 -p1 -b .permitstatus
-+%patch1004 -p1 -b .scripts-304
-+%patch1005 -p1 -b .ssl-sessioncache
-+%patch1006 -p1 -b .cloexec
-+%patch1007 -p1 -b .fixup-vhost
-+%patch1008 -p1 -b .sslcompression
++%patch1001 -p1 -b .suexec-scripts
++%patch1002 -p1 -b .mod_status-security
++%patch1003 -p1 -b .scripts-304s
++%patch1004 -p1 -b .fixup-vhost
 +
  # Safety check: prevent build if defined MMN does not equal upstream MMN.
  vmmn=`echo MODULE_MAGIC_NUMBER_MAJOR | cpp -include include/ap_mmn.h | sed -n '/^2/p'`
  if test "x${vmmn}" != "x%{mmn}"; then
-@@ -191,10 +210,12 @@
-         --with-apr=%{_prefix} --with-apr-util=%{_prefix} \
+@@ -235,11 +248,13 @@
         --enable-suexec --with-suexec \
+         --enable-suexec-capabilities \
         --with-suexec-caller=%{suexec_caller} \
--       --with-suexec-docroot=%{contentdir} \
+-       --with-suexec-docroot=%{docroot} \
+-       --without-suexec-logfile \
+-        --with-suexec-syslog \
 +       --with-suexec-docroot=/ \
 +       --with-suexec-userdir=web_scripts \
 +       --with-suexec-trusteddir=/usr/libexec/scripts-trusted \
-        --with-suexec-logfile=%{_localstatedir}/log/httpd/suexec.log \
++       --with-suexec-logfile=%{_localstatedir}/log/httpd/suexec.log \
++        --without-suexec-syslog \
         --with-suexec-bin=%{_sbindir}/suexec \
 -       --with-suexec-uidmin=500 --with-suexec-gidmin=100 \
@@ -71 +68 @@
          --enable-pie \
          --with-pcre \
-        $*
+         --enable-mods-shared=all \