Diffstat (limited to '2.2/patches/28_httpd-2.2.27-CVE-2014-0231.patch')
-rw-r--r--2.2/patches/28_httpd-2.2.27-CVE-2014-0231.patch165
1 files changed, 0 insertions, 165 deletions
diff --git a/2.2/patches/28_httpd-2.2.27-CVE-2014-0231.patch b/2.2/patches/28_httpd-2.2.27-CVE-2014-0231.patch
deleted file mode 100644
index e7911e0..0000000
--- a/2.2/patches/28_httpd-2.2.27-CVE-2014-0231.patch
+++ /dev/null
@@ -1,165 +0,0 @@
-Author: wrowe
-Date: Wed Jul 16 20:56:51 2014
-New Revision: 1611185
-
-URL: http://svn.apache.org/r1611185
-Log:
-SECURITY: CVE-2014-0231
-
- mod_cgid: Fix a denial of service against CGI scripts that do
- not consume stdin that could lead to lingering HTTPD child processes
- filling up the scoreboard and eventually hanging the server.
-
-Submitted by: Rainer Jung, Eric Covener, Yann Ylavic
-Backports: r1610509, r1535125
-Reviewed by: covener, trawick, ylavic
-
-Modified:
- httpd/httpd/branches/2.2.x/modules/generators/mod_cgid.c
-
-Modified: httpd/httpd/branches/2.2.x/modules/generators/mod_cgid.c
-URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/generators/mod_cgid.c?rev=1611185&r1=1611184&r2=1611185&view=diff
-==============================================================================
---- httpd/httpd/branches/2.2.x/modules/generators/mod_cgid.c (original)
-+++ httpd/httpd/branches/2.2.x/modules/generators/mod_cgid.c Wed Jul 16 20:56:51 2014
-@@ -93,6 +93,10 @@ static const char *sockname;
- static pid_t parent_pid;
- static ap_unix_identity_t empty_ugid = { (uid_t)-1, (gid_t)-1, -1 };
-
-+typedef struct {
-+ apr_interval_time_t timeout;
-+} cgid_dirconf;
-+
- /* The APR other-child API doesn't tell us how the daemon exited
- * (SIGSEGV vs. exit(1)). The other-child maintenance function
- * needs to decide whether to restart the daemon after a failure
-@@ -934,7 +938,14 @@ static void *merge_cgid_config(apr_pool_
- return overrides->logname ? overrides : base;
- }
-
-+static void *create_cgid_dirconf(apr_pool_t *p, char *dummy)
-+{
-+ cgid_dirconf *c = (cgid_dirconf *) apr_pcalloc(p, sizeof(cgid_dirconf));
-+ return c;
-+}
-+
- static const char *set_scriptlog(cmd_parms *cmd, void *dummy, const char *arg)
-+
- {
- server_rec *s = cmd->server;
- cgid_server_conf *conf = ap_get_module_config(s->module_config,
-@@ -987,7 +998,16 @@ static const char *set_script_socket(cmd
-
- return NULL;
- }
-+static const char *set_script_timeout(cmd_parms *cmd, void *dummy, const char *arg)
-+{
-+ cgid_dirconf *dc = dummy;
-
-+ if (ap_timeout_parameter_parse(arg, &dc->timeout, "s") != APR_SUCCESS) {
-+ return "CGIDScriptTimeout has wrong format";
-+ }
-+
-+ return NULL;
-+}
- static const command_rec cgid_cmds[] =
- {
- AP_INIT_TAKE1("ScriptLog", set_scriptlog, NULL, RSRC_CONF,
-@@ -999,6 +1019,10 @@ static const command_rec cgid_cmds[] =
- AP_INIT_TAKE1("ScriptSock", set_script_socket, NULL, RSRC_CONF,
- "the name of the socket to use for communication with "
- "the cgi daemon."),
-+ AP_INIT_TAKE1("CGIDScriptTimeout", set_script_timeout, NULL, RSRC_CONF | ACCESS_CONF,
-+ "The amount of time to wait between successful reads from "
-+ "the CGI script, in seconds."),
-+
- {NULL}
- };
-
-@@ -1335,11 +1359,15 @@ static int cgid_handler(request_rec *r)
- apr_file_t *tempsock;
- struct cleanup_script_info *info;
- apr_status_t rv;
-+ cgid_dirconf *dc;
-
- if (strcmp(r->handler,CGI_MAGIC_TYPE) && strcmp(r->handler,"cgi-script"))
- return DECLINED;
-
- conf = ap_get_module_config(r->server->module_config, &cgid_module);
-+ dc = ap_get_module_config(r->per_dir_config, &cgid_module);
-+
-+
- is_included = !strcmp(r->protocol, "INCLUDED");
-
- if ((argv0 = strrchr(r->filename, '/')) != NULL)
-@@ -1412,6 +1440,12 @@ static int cgid_handler(request_rec *r)
- */
-
- apr_os_pipe_put_ex(&tempsock, &sd, 1, r->pool);
-+ if (dc->timeout > 0) {
-+ apr_file_pipe_timeout_set(tempsock, dc->timeout);
-+ }
-+ else {
-+ apr_file_pipe_timeout_set(tempsock, r->server->timeout);
-+ }
- apr_pool_cleanup_kill(r->pool, (void *)((long)sd), close_unix_socket);
-
- if ((argv0 = strrchr(r->filename, '/')) != NULL)
-@@ -1487,6 +1521,10 @@ static int cgid_handler(request_rec *r)
- if (rv != APR_SUCCESS) {
- /* silly script stopped reading, soak up remaining message */
- child_stopped_reading = 1;
-+ ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r,
-+ "Error writing request body to script %s",
-+ r->filename);
-+
- }
- }
- apr_brigade_cleanup(bb);
-@@ -1577,7 +1615,13 @@ static int cgid_handler(request_rec *r)
- return HTTP_MOVED_TEMPORARILY;
- }
-
-- ap_pass_brigade(r->output_filters, bb);
-+ rv = ap_pass_brigade(r->output_filters, bb);
-+ if (rv != APR_SUCCESS) {
-+ /* APLOG_ERR because the core output filter message is at error,
-+ * but doesn't know it's passing CGI output
-+ */
-+ ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, "Failed to flush CGI output to client");
-+ }
- }
-
- if (nph) {
-@@ -1707,6 +1751,8 @@ static int include_cmd(include_ctx_t *ct
- request_rec *r = f->r;
- cgid_server_conf *conf = ap_get_module_config(r->server->module_config,
- &cgid_module);
-+ cgid_dirconf *dc = ap_get_module_config(r->per_dir_config, &cgid_module);
-+
- struct cleanup_script_info *info;
-
- add_ssi_vars(r);
-@@ -1736,6 +1782,13 @@ static int include_cmd(include_ctx_t *ct
- * get rid of the cleanup we registered when we created the socket.
- */
- apr_os_pipe_put_ex(&tempsock, &sd, 1, r->pool);
-+ if (dc->timeout > 0) {
-+ apr_file_pipe_timeout_set(tempsock, dc->timeout);
-+ }
-+ else {
-+ apr_file_pipe_timeout_set(tempsock, r->server->timeout);
-+ }
-+
- apr_pool_cleanup_kill(r->pool, (void *)((long)sd), close_unix_socket);
-
- APR_BRIGADE_INSERT_TAIL(bb, apr_bucket_pipe_create(tempsock,
-@@ -1841,7 +1894,7 @@ static void register_hook(apr_pool_t *p)
-
- module AP_MODULE_DECLARE_DATA cgid_module = {
- STANDARD20_MODULE_STUFF,
-- NULL, /* dir config creater */
-+ create_cgid_dirconf, /* dir config creater */
- NULL, /* dir merger --- default is to override */
- create_cgid_config, /* server config */
- merge_cgid_config, /* merge server config */