[Pkg-apache-commits] r1295 - in /trunk/apache2: ./ mpm-itk/ mpm-itk/patches/

sf at alioth.debian.org sf at alioth.debian.org
Mon Mar 21 22:01:09 UTC 2011


Author: sf
Date: Mon Mar 21 22:00:56 2011
New Revision: 1295

URL: http://svn.debian.org/wsvn/pkg-apache/?sc=1&rev=1295
Log:
New mpm_itk upstream version 2.2.17-01:
- Fix CVE-2011-1176: If NiceValue was set, the default with no
  AssignUserID was to run as root:root instead of the default Apache user
  and group, due to the configuration merger having an incorrect default
  configuration. Closes: #618857

Added:
    trunk/apache2/mpm-itk/patches/11-fix-htaccess-reads-for-persistent-connections.patch   (with props)
Modified:
    trunk/apache2/changelog
    trunk/apache2/mpm-itk/CHANGES
    trunk/apache2/mpm-itk/patches/01-copy-prefork.patch
    trunk/apache2/mpm-itk/patches/02-rename-prefork-to-itk.patch
    trunk/apache2/mpm-itk/patches/03-add-mpm-to-build-system.patch
    trunk/apache2/mpm-itk/patches/04-correct-output-makefile-location.patch
    trunk/apache2/mpm-itk/patches/05-add-copyright.patch
    trunk/apache2/mpm-itk/patches/06-hook-just-after-merging-perdir-config.patch
    trunk/apache2/mpm-itk/patches/07-base-functionality.patch
    trunk/apache2/mpm-itk/patches/08-max-clients-per-vhost.patch
    trunk/apache2/mpm-itk/patches/09-capabilities.patch
    trunk/apache2/mpm-itk/patches/10-nice.patch
    trunk/apache2/mpm-itk/patches/series

Modified: trunk/apache2/changelog
URL: http://svn.debian.org/wsvn/pkg-apache/trunk/apache2/changelog?rev=1295&op=diff
==============================================================================
--- trunk/apache2/changelog (original)
+++ trunk/apache2/changelog Mon Mar 21 22:00:56 2011
@@ -1,5 +1,10 @@
-apache2 (2.2.17-2) UNRELEASED; urgency=low
-
+apache2 (2.2.17-2) UNRELEASED; urgency=high
+
+  * New mpm_itk upstream version 2.2.17-01:
+    - Fix CVE-2011-1176: If NiceValue was set, the default with no
+      AssignUserID was to run as root:root instead of the default Apache user
+      and group, due to the configuration merger having an incorrect default
+      configuration. Closes: #618857
   * Make exit code of '/etc/init.d/apache2 status' more LSB compatible.
     Closes: #613969
   * Set the default file descriptor limit to 8192 instead of whatever the
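
Review bot: The new changelog entry covers only the CVE-2011-1176 fix, while the mpm-itk CHANGES entry for 2.2.17-01 in this same commit also lists the rebase against Apache 2.2.17 and the fix for spurious 403s on persistent connections (patch 11 is added here). Listing those under the same bullet would let someone reading only the Debian changelog see that this upload also changes how .htaccess reads behave, not just the default uid/gid.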

Modified: trunk/apache2/mpm-itk/CHANGES
URL: http://svn.debian.org/wsvn/pkg-apache/trunk/apache2/mpm-itk/CHANGES?rev=1295&op=diff
==============================================================================
--- trunk/apache2/mpm-itk/CHANGES (original)
+++ trunk/apache2/mpm-itk/CHANGES Mon Mar 21 22:00:56 2011
@@ -1,3 +1,15 @@
+apache2.2-mpm-itk 2.2.17-01, released 2011-03-21:
+
+  * Fixed CVE-2011-1176: If NiceValue was set, the default with no
+    AssignUserID was to run as root:root instead of the default Apache user
+    and group, due to the configuration merger having an incorrect default
+    configuration.
+  * Rebase against Apache 2.2.17.
+  * Fix an issue where users can sometimes get spurious 403s on persistent
+    connections, if the .htaccess files are not world readable.
+  * In the config merger, don't reallocate the username, since it's already
+    in the correct pool. (This is not a memory leak, only a small inefficiency.)
+
 apache2.2-mpm-itk 2.2.11-02, released 2009-04-14:
 
   * Really fix the waitpid() code; thanks to Dave Cundiff for spotting the typo.

Modified: trunk/apache2/mpm-itk/patches/01-copy-prefork.patch
URL: http://svn.debian.org/wsvn/pkg-apache/trunk/apache2/mpm-itk/patches/01-copy-prefork.patch?rev=1295&op=diff
==============================================================================
--- trunk/apache2/mpm-itk/patches/01-copy-prefork.patch (original)
+++ trunk/apache2/mpm-itk/patches/01-copy-prefork.patch Mon Mar 21 22:00:56 2011
@@ -5,29 +5,29 @@
   cp server/mpm/prefork/* server/mpm/experimental/itk/
   mv server/mpm/experimental/itk/prefork.c server/mpm/experimental/itk/itk.c
 
-Index: httpd-2.2.11/server/mpm/experimental/itk/Makefile.in
+Index: httpd-2.2.17/server/mpm/experimental/itk/Makefile.in
 ===================================================================
---- /dev/null	1970-01-01 00:00:00.000000000 +0000
-+++ httpd-2.2.11/server/mpm/experimental/itk/Makefile.in	2009-03-17 21:38:54.000000000 +0100
+--- /dev/null
++++ httpd-2.2.17/server/mpm/experimental/itk/Makefile.in
 @@ -0,0 +1,5 @@
 +
 +LTLIBRARY_NAME    = libprefork.la
 +LTLIBRARY_SOURCES = prefork.c
 +
 +include $(top_srcdir)/build/ltlib.mk
-Index: httpd-2.2.11/server/mpm/experimental/itk/config.m4
+Index: httpd-2.2.17/server/mpm/experimental/itk/config.m4
 ===================================================================
---- /dev/null	1970-01-01 00:00:00.000000000 +0000
-+++ httpd-2.2.11/server/mpm/experimental/itk/config.m4	2009-03-17 21:38:53.000000000 +0100
+--- /dev/null
++++ httpd-2.2.17/server/mpm/experimental/itk/config.m4
 @@ -0,0 +1,3 @@
 +if test "$MPM_NAME" = "prefork" ; then
 +    APACHE_FAST_OUTPUT(server/mpm/$MPM_NAME/Makefile)
 +fi
-Index: httpd-2.2.11/server/mpm/experimental/itk/itk.c
+Index: httpd-2.2.17/server/mpm/experimental/itk/itk.c
 ===================================================================
---- /dev/null	1970-01-01 00:00:00.000000000 +0000
-+++ httpd-2.2.11/server/mpm/experimental/itk/itk.c	2009-03-17 21:38:54.000000000 +0100
-@@ -0,0 +1,1486 @@
+--- /dev/null
++++ httpd-2.2.17/server/mpm/experimental/itk/itk.c
+@@ -0,0 +1,1503 @@
 +/* Licensed to the Apache Software Foundation (ASF) under one or more
 + * contributor license agreements.  See the NOTICE file distributed with
 + * this work for additional information regarding copyright ownership.
@@ -547,8 +547,12 @@
 +    (void) ap_update_child_status(sbh, SERVER_READY, (request_rec *) NULL);
 +
 +    /* Set up the pollfd array */
-+    /* ### check the status */
-+    (void) apr_pollset_create(&pollset, num_listensocks, pchild, 0);
++    status = apr_pollset_create(&pollset, num_listensocks, pchild, 0);
++    if (status != APR_SUCCESS) {
++        ap_log_error(APLOG_MARK, APLOG_EMERG, status, ap_server_conf,
++                     "Couldn't create pollset in child; check system or user limits");
++        clean_child_exit(APEXIT_CHILDSICK); /* assume temporary resource issue */
++    }
 +
 +    for (lr = ap_listeners, i = num_listensocks; i--; lr = lr->next) {
 +        apr_pollfd_t pfd = { 0 };
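
Review bot: The new error path after apr_pollset_create() exits with APEXIT_CHILDSICK on the stated assumption that the failure is a temporary resource issue, but nothing in the check distinguishes a transient failure from a persistent one such as the system or user limits the log message points at. Consider extending the comment to say what is expected to happen if the condition persists, since every child that reaches this path logs at APLOG_EMERG.
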
@@ -603,19 +607,27 @@
 +                apr_int32_t numdesc;
 +                const apr_pollfd_t *pdesc;
 +
-+                /* timeout == -1 == wait forever */
-+                status = apr_pollset_poll(pollset, -1, &numdesc, &pdesc);
++                /* check for termination first so we don't sleep for a while in
++                 * poll if already signalled
++                 */
++                if (one_process && shutdown_pending) {
++                    SAFE_ACCEPT(accept_mutex_off());
++                    return;
++                }
++                else if (die_now) {
++                    /* In graceful stop/restart; drop the mutex
++                     * and terminate the child. */
++                    SAFE_ACCEPT(accept_mutex_off());
++                    clean_child_exit(0);
++                }
++                /* timeout == 10 seconds to avoid a hang at graceful restart/stop
++                 * caused by the closing of sockets by the signal handler
++                 */
++                status = apr_pollset_poll(pollset, apr_time_from_sec(10), 
++                                          &numdesc, &pdesc);
 +                if (status != APR_SUCCESS) {
-+                    if (APR_STATUS_IS_EINTR(status)) {
-+                        if (one_process && shutdown_pending) {
-+                            return;
-+                        }
-+                        else if (die_now) {
-+                            /* In graceful stop/restart; drop the mutex
-+                             * and terminate the child. */
-+                            SAFE_ACCEPT(accept_mutex_off());
-+                            clean_child_exit(0);
-+                        }
++                    if (APR_STATUS_IS_TIMEUP(status) ||
++                        APR_STATUS_IS_EINTR(status)) {
 +                        continue;
 +                    }
 +                    /* Single Unix documents select as returning errnos
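
Review bot: The 10 second poll timeout is hard-coded in apr_pollset_poll(pollset, apr_time_from_sec(10), ...) and repeated in the comment above it; a named constant would keep the two in step and make the value easy to find. That line also ends in trailing whitespace after the comma. Separately, the one_process && shutdown_pending branch now calls SAFE_ACCEPT(accept_mutex_off()) before returning, which the removed EINTR branch did not do; the comment could say that this is intentional.
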
@@ -697,6 +709,11 @@
 +            die_now = 1;
 +        }
 +    }
++    /* This apr_pool_clear call is redundant, should be redundant, but compensates
++     * a flaw in the apr reslist code.  This should be removed once that flaw has
++     * been addressed.
++     */
++    apr_pool_clear(ptrans);
 +    clean_child_exit(0);
 +}
 +
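
Review bot: The comment added before apr_pool_clear(ptrans) says the call should be removed once the flaw in the apr reslist code has been addressed, but it gives no bug number or APR version to check against, so there is no way to tell when that is. Add a reference, and reword "is redundant, should be redundant" into a single statement.
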
@@ -1514,10 +1531,10 @@
 +    prefork_cmds,               /* command apr_table_t */
 +    prefork_hooks,              /* register hooks */
 +};
-Index: httpd-2.2.11/server/mpm/experimental/itk/mpm.h
+Index: httpd-2.2.17/server/mpm/experimental/itk/mpm.h
 ===================================================================
---- /dev/null	1970-01-01 00:00:00.000000000 +0000
-+++ httpd-2.2.11/server/mpm/experimental/itk/mpm.h	2009-03-17 21:38:54.000000000 +0100
+--- /dev/null
++++ httpd-2.2.17/server/mpm/experimental/itk/mpm.h
 @@ -0,0 +1,62 @@
 +/* Licensed to the Apache Software Foundation (ASF) under one or more
 + * contributor license agreements.  See the NOTICE file distributed with
@@ -1581,10 +1598,10 @@
 +extern server_rec *ap_server_conf;
 +#endif /* APACHE_MPM_PREFORK_H */
 +/** @} */
-Index: httpd-2.2.11/server/mpm/experimental/itk/mpm_default.h
+Index: httpd-2.2.17/server/mpm/experimental/itk/mpm_default.h
 ===================================================================
---- /dev/null	1970-01-01 00:00:00.000000000 +0000
-+++ httpd-2.2.11/server/mpm/experimental/itk/mpm_default.h	2009-03-17 21:38:54.000000000 +0100
+--- /dev/null
++++ httpd-2.2.17/server/mpm/experimental/itk/mpm_default.h
 @@ -0,0 +1,74 @@
 +/* Licensed to the Apache Software Foundation (ASF) under one or more
 + * contributor license agreements.  See the NOTICE file distributed with

Modified: trunk/apache2/mpm-itk/patches/02-rename-prefork-to-itk.patch
URL: http://svn.debian.org/wsvn/pkg-apache/trunk/apache2/mpm-itk/patches/02-rename-prefork-to-itk.patch?rev=1295&op=diff
==============================================================================
--- trunk/apache2/mpm-itk/patches/02-rename-prefork-to-itk.patch (original)
+++ trunk/apache2/mpm-itk/patches/02-rename-prefork-to-itk.patch Mon Mar 21 22:00:56 2011
@@ -1,9 +1,9 @@
 Rename prefork to itk in the copy that was created in 01-copy-prefork.patch.
 
-Index: httpd-2.2.11/server/mpm/experimental/itk/Makefile.in
+Index: httpd-2.2.17/server/mpm/experimental/itk/Makefile.in
 ===================================================================
---- httpd-2.2.11.orig/server/mpm/experimental/itk/Makefile.in	2009-03-17 21:38:54.000000000 +0100
-+++ httpd-2.2.11/server/mpm/experimental/itk/Makefile.in	2009-03-17 21:39:03.000000000 +0100
+--- httpd-2.2.17.orig/server/mpm/experimental/itk/Makefile.in
++++ httpd-2.2.17/server/mpm/experimental/itk/Makefile.in
 @@ -1,5 +1,5 @@
  
 -LTLIBRARY_NAME    = libprefork.la
@@ -12,20 +12,20 @@
 +LTLIBRARY_SOURCES = itk.c
  
  include $(top_srcdir)/build/ltlib.mk
-Index: httpd-2.2.11/server/mpm/experimental/itk/config.m4
+Index: httpd-2.2.17/server/mpm/experimental/itk/config.m4
 ===================================================================
---- httpd-2.2.11.orig/server/mpm/experimental/itk/config.m4	2009-03-17 21:38:53.000000000 +0100
-+++ httpd-2.2.11/server/mpm/experimental/itk/config.m4	2009-03-17 21:39:03.000000000 +0100
+--- httpd-2.2.17.orig/server/mpm/experimental/itk/config.m4
++++ httpd-2.2.17/server/mpm/experimental/itk/config.m4
 @@ -1,3 +1,3 @@
 -if test "$MPM_NAME" = "prefork" ; then
 +if test "$MPM_NAME" = "itk" ; then
      APACHE_FAST_OUTPUT(server/mpm/$MPM_NAME/Makefile)
  fi
-Index: httpd-2.2.11/server/mpm/experimental/itk/itk.c
+Index: httpd-2.2.17/server/mpm/experimental/itk/itk.c
 ===================================================================
---- httpd-2.2.11.orig/server/mpm/experimental/itk/itk.c	2009-03-17 21:38:54.000000000 +0100
-+++ httpd-2.2.11/server/mpm/experimental/itk/itk.c	2009-03-17 21:39:03.000000000 +0100
-@@ -1250,7 +1250,7 @@
+--- httpd-2.2.17.orig/server/mpm/experimental/itk/itk.c
++++ httpd-2.2.17/server/mpm/experimental/itk/itk.c
+@@ -1267,7 +1267,7 @@ int ap_mpm_run(apr_pool_t *_pconf, apr_p
  /* This really should be a post_config hook, but the error log is already
   * redirected by that point, so we need to do this in the open_logs phase.
   */
@@ -34,7 +34,7 @@
  {
      apr_status_t rv;
  
-@@ -1271,7 +1271,7 @@
+@@ -1288,7 +1288,7 @@ static int prefork_open_logs(apr_pool_t
      return OK;
  }
  
@@ -43,7 +43,7 @@
  {
      static int restart_num = 0;
      int no_detach, debug, foreground;
-@@ -1328,9 +1328,9 @@
+@@ -1345,9 +1345,9 @@ static int prefork_pre_config(apr_pool_t
      return OK;
  }
  
@@ -55,7 +55,7 @@
       * will be redirected to a file, and the messages won't print to the
       * console.
       */
-@@ -1340,11 +1340,11 @@
+@@ -1357,11 +1357,11 @@ static void prefork_hooks(apr_pool_t *p)
      (void) set42sig();
  #endif
  
@@ -69,7 +69,7 @@
  }
  
  static const char *set_daemons_to_start(cmd_parms *cmd, void *dummy, const char *arg)
-@@ -1457,7 +1457,7 @@
+@@ -1474,7 +1474,7 @@ static const char *set_server_limit (cmd
      return NULL;
  }
  
@@ -78,7 +78,7 @@
  UNIX_DAEMON_COMMANDS,
  LISTEN_COMMANDS,
  AP_INIT_TAKE1("StartServers", set_daemons_to_start, NULL, RSRC_CONF,
-@@ -1474,13 +1474,13 @@
+@@ -1491,13 +1491,13 @@ AP_GRACEFUL_SHUTDOWN_TIMEOUT_COMMAND,
  { NULL }
  };
  
@@ -95,10 +95,10 @@
 +    itk_cmds,                   /* command apr_table_t */
 +    itk_hooks,                  /* register hooks */
  };
-Index: httpd-2.2.11/server/mpm/experimental/itk/mpm.h
+Index: httpd-2.2.17/server/mpm/experimental/itk/mpm.h
 ===================================================================
---- httpd-2.2.11.orig/server/mpm/experimental/itk/mpm.h	2009-03-17 21:38:54.000000000 +0100
-+++ httpd-2.2.11/server/mpm/experimental/itk/mpm.h	2009-03-17 21:39:03.000000000 +0100
+--- httpd-2.2.17.orig/server/mpm/experimental/itk/mpm.h
++++ httpd-2.2.17/server/mpm/experimental/itk/mpm.h
 @@ -15,10 +15,10 @@
   */
  
@@ -137,10 +137,10 @@
 -#endif /* APACHE_MPM_PREFORK_H */
 +#endif /* APACHE_MPM_ITK_H */
  /** @} */
-Index: httpd-2.2.11/server/mpm/experimental/itk/mpm_default.h
+Index: httpd-2.2.17/server/mpm/experimental/itk/mpm_default.h
 ===================================================================
---- httpd-2.2.11.orig/server/mpm/experimental/itk/mpm_default.h	2009-03-17 21:38:54.000000000 +0100
-+++ httpd-2.2.11/server/mpm/experimental/itk/mpm_default.h	2009-03-17 21:39:03.000000000 +0100
+--- httpd-2.2.17.orig/server/mpm/experimental/itk/mpm_default.h
++++ httpd-2.2.17/server/mpm/experimental/itk/mpm_default.h
 @@ -15,10 +15,10 @@
   */
  

Modified: trunk/apache2/mpm-itk/patches/03-add-mpm-to-build-system.patch
URL: http://svn.debian.org/wsvn/pkg-apache/trunk/apache2/mpm-itk/patches/03-add-mpm-to-build-system.patch?rev=1295&op=diff
==============================================================================
--- trunk/apache2/mpm-itk/patches/03-add-mpm-to-build-system.patch (original)
+++ trunk/apache2/mpm-itk/patches/03-add-mpm-to-build-system.patch Mon Mar 21 22:00:56 2011
@@ -1,10 +1,10 @@
 Add the new MPM to the build system as an alternative to the other MPMs,
 and mark it as experimental.
 
-Index: apache2.2/server/mpm/config.m4
+Index: httpd-2.2.17/server/mpm/config.m4
 ===================================================================
---- apache2.2.orig/server/mpm/config.m4	2007-01-29 21:30:26.000000000 +0100
-+++ apache2.2/server/mpm/config.m4	2007-01-29 21:30:35.000000000 +0100
+--- httpd-2.2.17.orig/server/mpm/config.m4
++++ httpd-2.2.17/server/mpm/config.m4
 @@ -1,7 +1,7 @@
  AC_MSG_CHECKING(which MPM to use)
  AC_ARG_WITH(mpm,
@@ -14,7 +14,7 @@
    APACHE_MPM=$withval
  ],[
    if test "x$APACHE_MPM" = "x"; then
-@@ -23,7 +23,7 @@
+@@ -23,7 +23,7 @@ ap_mpm_is_threaded ()
  
  ap_mpm_is_experimental ()
  {

Modified: trunk/apache2/mpm-itk/patches/04-correct-output-makefile-location.patch
URL: http://svn.debian.org/wsvn/pkg-apache/trunk/apache2/mpm-itk/patches/04-correct-output-makefile-location.patch?rev=1295&op=diff
==============================================================================
--- trunk/apache2/mpm-itk/patches/04-correct-output-makefile-location.patch (original)
+++ trunk/apache2/mpm-itk/patches/04-correct-output-makefile-location.patch Mon Mar 21 22:00:56 2011
@@ -2,10 +2,10 @@
 with the MPM in) instead of MPM_NAME (which returns the name of the MPM);
 they differ since the MPM is in experimental/.
 
-Index: apache2.2/server/mpm/experimental/itk/config.m4
+Index: httpd-2.2.17/server/mpm/experimental/itk/config.m4
 ===================================================================
---- apache2.2.orig/server/mpm/experimental/itk/config.m4	2007-01-29 21:03:51.000000000 +0100
-+++ apache2.2/server/mpm/experimental/itk/config.m4	2007-01-29 21:03:57.000000000 +0100
+--- httpd-2.2.17.orig/server/mpm/experimental/itk/config.m4
++++ httpd-2.2.17/server/mpm/experimental/itk/config.m4
 @@ -1,3 +1,3 @@
  if test "$MPM_NAME" = "itk" ; then
 -    APACHE_FAST_OUTPUT(server/mpm/$MPM_NAME/Makefile)

Modified: trunk/apache2/mpm-itk/patches/05-add-copyright.patch
URL: http://svn.debian.org/wsvn/pkg-apache/trunk/apache2/mpm-itk/patches/05-add-copyright.patch?rev=1295&op=diff
==============================================================================
--- trunk/apache2/mpm-itk/patches/05-add-copyright.patch (original)
+++ trunk/apache2/mpm-itk/patches/05-add-copyright.patch Mon Mar 21 22:00:56 2011
@@ -1,9 +1,9 @@
 Add copyright notices, as the next patches are going to add code.
 
-Index: httpd-2.2.11/server/mpm/experimental/itk/itk.c
+Index: httpd-2.2.17/server/mpm/experimental/itk/itk.c
 ===================================================================
---- httpd-2.2.11.orig/server/mpm/experimental/itk/itk.c	2009-03-21 13:02:18.000000000 +0100
-+++ httpd-2.2.11/server/mpm/experimental/itk/itk.c	2009-03-21 13:02:33.000000000 +0100
+--- httpd-2.2.17.orig/server/mpm/experimental/itk/itk.c
++++ httpd-2.2.17/server/mpm/experimental/itk/itk.c
 @@ -12,6 +12,12 @@
   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   * See the License for the specific language governing permissions and
@@ -17,10 +17,10 @@
   */
  
  #include "apr.h"
-Index: httpd-2.2.11/server/mpm/experimental/itk/mpm.h
+Index: httpd-2.2.17/server/mpm/experimental/itk/mpm.h
 ===================================================================
---- httpd-2.2.11.orig/server/mpm/experimental/itk/mpm.h	2009-03-21 13:02:18.000000000 +0100
-+++ httpd-2.2.11/server/mpm/experimental/itk/mpm.h	2009-03-21 13:02:33.000000000 +0100
+--- httpd-2.2.17.orig/server/mpm/experimental/itk/mpm.h
++++ httpd-2.2.17/server/mpm/experimental/itk/mpm.h
 @@ -12,6 +12,12 @@
   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   * See the License for the specific language governing permissions and
@@ -34,10 +34,10 @@
   */
  
  /**
-Index: httpd-2.2.11/server/mpm/experimental/itk/mpm_default.h
+Index: httpd-2.2.17/server/mpm/experimental/itk/mpm_default.h
 ===================================================================
---- httpd-2.2.11.orig/server/mpm/experimental/itk/mpm_default.h	2009-03-21 13:02:18.000000000 +0100
-+++ httpd-2.2.11/server/mpm/experimental/itk/mpm_default.h	2009-03-21 13:02:33.000000000 +0100
+--- httpd-2.2.17.orig/server/mpm/experimental/itk/mpm_default.h
++++ httpd-2.2.17/server/mpm/experimental/itk/mpm_default.h
 @@ -12,6 +12,12 @@
   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   * See the License for the specific language governing permissions and
@@ -51,10 +51,10 @@
   */
  
  /**
-Index: httpd-2.2.11/include/http_request.h
+Index: httpd-2.2.17/include/http_request.h
 ===================================================================
---- httpd-2.2.11.orig/include/http_request.h	2009-03-21 13:03:19.000000000 +0100
-+++ httpd-2.2.11/include/http_request.h	2009-03-21 13:03:31.000000000 +0100
+--- httpd-2.2.17.orig/include/http_request.h
++++ httpd-2.2.17/include/http_request.h
 @@ -12,6 +12,12 @@
   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   * See the License for the specific language governing permissions and
@@ -68,10 +68,10 @@
   */
  
  /**
-Index: httpd-2.2.11/server/request.c
+Index: httpd-2.2.17/server/request.c
 ===================================================================
---- httpd-2.2.11.orig/server/request.c	2009-03-21 13:03:04.000000000 +0100
-+++ httpd-2.2.11/server/request.c	2009-03-21 13:03:13.000000000 +0100
+--- httpd-2.2.17.orig/server/request.c
++++ httpd-2.2.17/server/request.c
 @@ -12,6 +12,12 @@
   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   * See the License for the specific language governing permissions and

Modified: trunk/apache2/mpm-itk/patches/06-hook-just-after-merging-perdir-config.patch
URL: http://svn.debian.org/wsvn/pkg-apache/trunk/apache2/mpm-itk/patches/06-hook-just-after-merging-perdir-config.patch?rev=1295&op=diff
==============================================================================
--- trunk/apache2/mpm-itk/patches/06-hook-just-after-merging-perdir-config.patch (original)
+++ trunk/apache2/mpm-itk/patches/06-hook-just-after-merging-perdir-config.patch Mon Mar 21 22:00:56 2011
@@ -3,11 +3,11 @@
 is, as soon as know what uid/gid to use for this location), so we
 won't run all sorts of subrequests and other stuff as root.
 
-Index: httpd-2.2.11/include/http_request.h
+Index: httpd-2.2.17/include/http_request.h
 ===================================================================
---- httpd-2.2.11.orig/include/http_request.h	2009-03-21 13:03:31.000000000 +0100
-+++ httpd-2.2.11/include/http_request.h	2009-03-21 13:03:41.000000000 +0100
-@@ -356,6 +356,15 @@
+--- httpd-2.2.17.orig/include/http_request.h
++++ httpd-2.2.17/include/http_request.h
+@@ -356,6 +356,15 @@ AP_DECLARE_HOOK(int,auth_checker,(reques
   */
  AP_DECLARE_HOOK(void,insert_filter,(request_rec *r))
  
@@ -23,11 +23,11 @@
  AP_DECLARE(int) ap_location_walk(request_rec *r);
  AP_DECLARE(int) ap_directory_walk(request_rec *r);
  AP_DECLARE(int) ap_file_walk(request_rec *r);
-Index: httpd-2.2.11/server/request.c
+Index: httpd-2.2.17/server/request.c
 ===================================================================
---- httpd-2.2.11.orig/server/request.c	2009-03-21 13:03:13.000000000 +0100
-+++ httpd-2.2.11/server/request.c	2009-03-21 13:03:41.000000000 +0100
-@@ -67,6 +67,7 @@
+--- httpd-2.2.17.orig/server/request.c
++++ httpd-2.2.17/server/request.c
+@@ -67,6 +67,7 @@ APR_HOOK_STRUCT(
      APR_HOOK_LINK(auth_checker)
      APR_HOOK_LINK(insert_filter)
      APR_HOOK_LINK(create_request)
@@ -35,7 +35,7 @@
  )
  
  AP_IMPLEMENT_HOOK_RUN_FIRST(int,translate_name,
-@@ -86,6 +87,8 @@
+@@ -86,6 +87,8 @@ AP_IMPLEMENT_HOOK_RUN_FIRST(int,auth_che
  AP_IMPLEMENT_HOOK_VOID(insert_filter, (request_rec *r), (r))
  AP_IMPLEMENT_HOOK_RUN_ALL(int, create_request,
                            (request_rec *r), (r), OK, DECLINED)
@@ -44,7 +44,7 @@
  
  
  static int decl_die(int status, char *phase, request_rec *r)
-@@ -164,6 +167,13 @@
+@@ -164,6 +167,13 @@ AP_DECLARE(int) ap_process_request_inter
          return access_status;
      }
  

Modified: trunk/apache2/mpm-itk/patches/07-base-functionality.patch
URL: http://svn.debian.org/wsvn/pkg-apache/trunk/apache2/mpm-itk/patches/07-base-functionality.patch?rev=1295&op=diff
==============================================================================
--- trunk/apache2/mpm-itk/patches/07-base-functionality.patch (original)
+++ trunk/apache2/mpm-itk/patches/07-base-functionality.patch Mon Mar 21 22:00:56 2011
@@ -1,10 +1,10 @@
 Add the base functionality of mpm_itk over prefork; parse the new configuration
 options, fork on each new connection, and setuid() as required.
 
-Index: httpd-2.2.11/server/mpm/experimental/itk/itk.c
+Index: httpd-2.2.17/server/mpm/experimental/itk/itk.c
 ===================================================================
---- httpd-2.2.11.orig/server/mpm/experimental/itk/itk.c	2009-03-21 23:52:01.000000000 +0100
-+++ httpd-2.2.11/server/mpm/experimental/itk/itk.c	2009-04-14 23:27:51.000000000 +0200
+--- httpd-2.2.17.orig/server/mpm/experimental/itk/itk.c
++++ httpd-2.2.17/server/mpm/experimental/itk/itk.c
 @@ -26,6 +26,11 @@
  #include "apr_thread_proc.h"
  #include "apr_signal.h"
@@ -25,7 +25,7 @@
  #include "scoreboard.h"
  #include "ap_mpm.h"
  #include "unixd.h"
-@@ -146,6 +152,15 @@
+@@ -146,6 +152,15 @@ char tpf_server_name[INETD_SERVNAME_LENG
  
  static volatile int die_now = 0;
  
@@ -41,7 +41,7 @@
  #ifdef GPROF
  /*
   * change directory for gprof to plop the gmon.out file
-@@ -512,10 +527,6 @@
+@@ -512,10 +527,6 @@ static void child_main(int child_num_arg
          clean_child_exit(APEXIT_CHILDFATAL);
      }
  
@@ -52,7 +52,7 @@
      ap_run_child_init(pchild, ap_server_conf);
  
      ap_create_sb_handle(&sbh, pchild, my_child_num, 0);
-@@ -651,10 +662,38 @@
+@@ -663,10 +674,38 @@ static void child_main(int child_num_arg
           * socket options, file descriptors, and read/write buffers.
           */
  
@@ -95,7 +95,7 @@
          }
  
          /* Check the pod and the generation number after processing a
-@@ -672,6 +711,10 @@
+@@ -684,6 +723,10 @@ static void child_main(int child_num_arg
               */
              die_now = 1;
          }
@@ -104,9 +104,9 @@
 +        if (getuid())
 +            die_now = 1;
      }
-     clean_child_exit(0);
- }
-@@ -1334,6 +1377,56 @@
+     /* This apr_pool_clear call is redundant, should be redundant, but compensates
+      * a flaw in the apr reslist code.  This should be removed once that flaw has
+@@ -1351,6 +1394,56 @@ static int itk_pre_config(apr_pool_t *p,
      return OK;
  }
  
@@ -163,7 +163,7 @@
  static void itk_hooks(apr_pool_t *p)
  {
      /* The itk open_logs phase must run before the core's, or stderr
-@@ -1351,6 +1444,9 @@
+@@ -1368,6 +1461,9 @@ static void itk_hooks(apr_pool_t *p)
       * to retrieve it, so register as REALLY_FIRST
       */
      ap_hook_pre_config(itk_pre_config, NULL, NULL, APR_HOOK_REALLY_FIRST);
@@ -173,7 +173,7 @@
  }
  
  static const char *set_daemons_to_start(cmd_parms *cmd, void *dummy, const char *arg)
-@@ -1463,6 +1559,15 @@
+@@ -1480,6 +1576,15 @@ static const char *set_server_limit (cmd
      return NULL;
  }
  
@@ -189,7 +189,7 @@
  static const command_rec itk_cmds[] = {
  UNIX_DAEMON_COMMANDS,
  LISTEN_COMMANDS,
-@@ -1476,14 +1581,25 @@
+@@ -1493,14 +1598,25 @@ AP_INIT_TAKE1("MaxClients", set_max_clie
                "Maximum number of children alive at the same time"),
  AP_INIT_TAKE1("ServerLimit", set_server_limit, NULL, RSRC_CONF,
                "Maximum value of MaxClients for this run of Apache"),

Modified: trunk/apache2/mpm-itk/patches/08-max-clients-per-vhost.patch
URL: http://svn.debian.org/wsvn/pkg-apache/trunk/apache2/mpm-itk/patches/08-max-clients-per-vhost.patch?rev=1295&op=diff
==============================================================================
--- trunk/apache2/mpm-itk/patches/08-max-clients-per-vhost.patch (original)
+++ trunk/apache2/mpm-itk/patches/08-max-clients-per-vhost.patch Mon Mar 21 22:00:56 2011
@@ -2,11 +2,11 @@
 per-directory (since it works by reading the scoreboard), so we need to add
 per-server configuration data.
 
-Index: httpd-2.2.11/server/mpm/experimental/itk/itk.c
+Index: httpd-2.2.17/server/mpm/experimental/itk/itk.c
 ===================================================================
---- httpd-2.2.11.orig/server/mpm/experimental/itk/itk.c	2009-03-21 13:03:45.000000000 +0100
-+++ httpd-2.2.11/server/mpm/experimental/itk/itk.c	2009-03-21 13:03:50.000000000 +0100
-@@ -159,6 +159,11 @@
+--- httpd-2.2.17.orig/server/mpm/experimental/itk/itk.c
++++ httpd-2.2.17/server/mpm/experimental/itk/itk.c
+@@ -159,6 +159,11 @@ typedef struct
      char *username;
  } itk_per_dir_conf;
  
@@ -18,7 +18,7 @@
  module AP_MODULE_DECLARE_DATA mpm_itk_module;
  
  #ifdef GPROF
-@@ -1383,6 +1388,26 @@
+@@ -1400,6 +1405,26 @@ static int itk_post_perdir_config(reques
      gid_t wanted_gid;
      const char *wanted_username;
      int err = 0;
@@ -45,7 +45,7 @@
  
      itk_per_dir_conf *dconf =
          (itk_per_dir_conf *) ap_get_module_config(r->per_dir_config, &mpm_itk_module);
-@@ -1568,6 +1593,14 @@
+@@ -1585,6 +1610,14 @@ static const char *assign_user_id (cmd_p
      return NULL;
  }
  
@@ -60,7 +60,7 @@
  static const command_rec itk_cmds[] = {
  UNIX_DAEMON_COMMANDS,
  LISTEN_COMMANDS,
-@@ -1583,6 +1616,8 @@
+@@ -1600,6 +1633,8 @@ AP_INIT_TAKE1("ServerLimit", set_server_
                "Maximum value of MaxClients for this run of Apache"),
  AP_INIT_TAKE2("AssignUserID", assign_user_id, NULL, RSRC_CONF|ACCESS_CONF,
                "Tie a virtual host to a specific child process."),
@@ -69,7 +69,7 @@
  AP_GRACEFUL_SHUTDOWN_TIMEOUT_COMMAND,
  { NULL }
  };
-@@ -1596,12 +1631,21 @@
+@@ -1613,12 +1648,21 @@ static void *itk_create_dir_config(apr_p
      return c;
  }
  

Modified: trunk/apache2/mpm-itk/patches/09-capabilities.patch
URL: http://svn.debian.org/wsvn/pkg-apache/trunk/apache2/mpm-itk/patches/09-capabilities.patch?rev=1295&op=diff
==============================================================================
--- trunk/apache2/mpm-itk/patches/09-capabilities.patch (original)
+++ trunk/apache2/mpm-itk/patches/09-capabilities.patch Mon Mar 21 22:00:56 2011
@@ -3,10 +3,10 @@
 code will still be able to run as any (normal) user on the system, but at least
 he/she cannot directly load kernel code etc.
 
-Index: httpd-2.2.11/server/mpm/experimental/itk/itk.c
+Index: httpd-2.2.17/server/mpm/experimental/itk/itk.c
 ===================================================================
---- httpd-2.2.11.orig/server/mpm/experimental/itk/itk.c	2009-04-14 23:28:02.000000000 +0200
-+++ httpd-2.2.11/server/mpm/experimental/itk/itk.c	2009-04-14 23:29:16.000000000 +0200
+--- httpd-2.2.17.orig/server/mpm/experimental/itk/itk.c
++++ httpd-2.2.17/server/mpm/experimental/itk/itk.c
 @@ -71,6 +71,10 @@
  #include <sys/processor.h> /* for bindprocessor() */
  #endif
@@ -18,7 +18,7 @@
  #include <signal.h>
  #include <sys/times.h>
  
-@@ -501,6 +505,15 @@
+@@ -501,6 +505,15 @@ static void child_main(int child_num_arg
      apr_bucket_alloc_t *bucket_alloc;
      int last_poll_idx = 0;
  
@@ -34,7 +34,7 @@
      mpm_state = AP_MPMQ_STARTING; /* for benefit of any hooks that run as this
                                     * child initializes
                                     */
-@@ -554,6 +567,22 @@
+@@ -558,6 +571,22 @@ static void child_main(int child_num_arg
          (void) apr_pollset_add(pollset, &pfd);
      }
  
@@ -57,11 +57,11 @@
      mpm_state = AP_MPMQ_RUNNING;
  
      bucket_alloc = apr_bucket_alloc_create(pchild);
-Index: httpd-2.2.11/server/mpm/config.m4
+Index: httpd-2.2.17/server/mpm/config.m4
 ===================================================================
---- httpd-2.2.11.orig/server/mpm/config.m4	2009-04-14 23:26:41.000000000 +0200
-+++ httpd-2.2.11/server/mpm/config.m4	2009-04-14 23:28:03.000000000 +0200
-@@ -66,6 +66,11 @@
+--- httpd-2.2.17.orig/server/mpm/config.m4
++++ httpd-2.2.17/server/mpm/config.m4
+@@ -66,6 +66,11 @@ if ap_mpm_is_experimental; then
  else
    MPM_SUBDIR_NAME=$MPM_NAME
  fi

Modified: trunk/apache2/mpm-itk/patches/10-nice.patch
URL: http://svn.debian.org/wsvn/pkg-apache/trunk/apache2/mpm-itk/patches/10-nice.patch?rev=1295&op=diff
==============================================================================
--- trunk/apache2/mpm-itk/patches/10-nice.patch (original)
+++ trunk/apache2/mpm-itk/patches/10-nice.patch Mon Mar 21 22:00:56 2011
@@ -1,11 +1,11 @@
 Support a per-location nice value. Note that since we now have two different settings
 in the per-dir configuration, we need to introduce a merge function.
 
-Index: httpd-2.2.11/server/mpm/experimental/itk/itk.c
+Index: httpd-2.2.17/server/mpm/experimental/itk/itk.c
 ===================================================================
---- httpd-2.2.11.orig/server/mpm/experimental/itk/itk.c	2009-04-14 23:29:16.000000000 +0200
-+++ httpd-2.2.11/server/mpm/experimental/itk/itk.c	2009-04-14 23:31:05.000000000 +0200
-@@ -156,11 +156,14 @@
+--- httpd-2.2.17.orig/server/mpm/experimental/itk/itk.c
++++ httpd-2.2.17/server/mpm/experimental/itk/itk.c
+@@ -156,11 +156,14 @@ char tpf_server_name[INETD_SERVNAME_LENG
  
  static volatile int die_now = 0;
  
@@ -20,7 +20,7 @@
  } itk_per_dir_conf;
  
  typedef struct
-@@ -511,6 +514,7 @@
+@@ -511,6 +514,7 @@ static void child_main(int child_num_arg
          CAP_SETUID,
          CAP_SETGID,
  	CAP_DAC_READ_SEARCH,
@@ -28,7 +28,7 @@
      };
  #endif    
  
-@@ -1444,6 +1448,12 @@
+@@ -1461,6 +1465,12 @@ static int itk_post_perdir_config(reques
      strncpy(ap_scoreboard_image->servers[my_child_num][0].vhost, r->server->server_hostname, 31);
      ap_scoreboard_image->servers[my_child_num][0].vhost[31] = 0;
  
@@ -41,7 +41,7 @@
      wanted_uid = dconf->uid;
      wanted_gid = dconf->gid;
      wanted_username = dconf->username;
-@@ -1454,7 +1464,7 @@
+@@ -1471,7 +1481,7 @@ static int itk_post_perdir_config(reques
          wanted_username = unixd_config.user_name;
      }
  
@@ -50,7 +50,7 @@
          if (setgid(wanted_gid)) {
              _DBG("setgid(%d): %s", wanted_gid, strerror(errno));
              err = 1;
-@@ -1474,7 +1484,7 @@
+@@ -1491,7 +1501,7 @@ static int itk_post_perdir_config(reques
       */
      if (err) {
          ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL, \
@@ -59,7 +59,7 @@
          ap_lingering_close(r->connection);
          exit(0);
      }
-@@ -1630,6 +1640,27 @@
+@@ -1647,6 +1657,27 @@ static const char *set_max_clients_vhost
      return NULL;
  }
  
@@ -87,7 +87,7 @@
  static const command_rec itk_cmds[] = {
  UNIX_DAEMON_COMMANDS,
  LISTEN_COMMANDS,
-@@ -1647,6 +1678,8 @@
+@@ -1664,6 +1695,8 @@ AP_INIT_TAKE2("AssignUserID", assign_use
                "Tie a virtual host to a specific child process."),
  AP_INIT_TAKE1("MaxClientsVHost", set_max_clients_vhost, NULL, RSRC_CONF,
                "Maximum number of children alive at the same time for this virtual host."),
@@ -96,7 +96,7 @@
  AP_GRACEFUL_SHUTDOWN_TIMEOUT_COMMAND,
  { NULL }
  };
-@@ -1657,6 +1690,32 @@
+@@ -1674,6 +1707,32 @@ static void *itk_create_dir_config(apr_p
      itk_per_dir_conf *c = (itk_per_dir_conf *)
          apr_pcalloc(p, sizeof(itk_per_dir_conf));
      c->uid = c->gid = -1;
@@ -108,16 +108,16 @@
 +static void *itk_merge_dir_config(apr_pool_t *p, void *parent_ptr, void *child_ptr)
 +{
 +    itk_per_dir_conf *c = (itk_per_dir_conf *)
-+        apr_pcalloc(p, sizeof(itk_per_dir_conf));
++        itk_create_dir_config(p, NULL);
 +    itk_per_dir_conf *parent = (itk_per_dir_conf *) parent_ptr;
 +    itk_per_dir_conf *child = (itk_per_dir_conf *) child_ptr;
 +
 +    if (child->username != NULL) {
-+      c->username = apr_pstrdup(p, child->username);
++      c->username = child->username;
 +      c->uid = child->uid;
 +      c->gid = child->gid;
-+    } else if (parent->username != NULL) {
-+      c->username = apr_pstrdup(p, parent->username);
++    } else {
++      c->username = parent->username;
 +      c->uid = parent->uid;
 +      c->gid = parent->gid;
 +    }
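Review bot: in itk_merge_dir_config the safety of the merged struct now rests
entirely on itk_create_dir_config() setting uid and gid to -1, and on the
parent having been built the same way, because the new unconditional else
branch copies parent->uid and parent->gid even when parent->username is NULL.
With the old apr_pcalloc() the struct was zero-filled, so a merge with no
username on either side left uid and gid at 0, which is root. Please add a
comment at the "itk_create_dir_config(p, NULL)" call saying that 0 is never an
acceptable "unset" value here, so a later cleanup does not bring back a zeroing
allocator. Dropping apr_pstrdup() also makes c->username alias the parent's or
child's string; that holds only if those configs live at least as long as
pool p, which is worth stating in the same comment.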
@@ -129,7 +129,7 @@
      return c;
  }
  
-@@ -1673,7 +1732,7 @@
+@@ -1690,7 +1749,7 @@ module AP_MODULE_DECLARE_DATA mpm_itk_mo
      MPM20_MODULE_STUFF,
      ap_mpm_rewrite_args,        /* hook to run before apache parses args */
      itk_create_dir_config,      /* create per-directory config structure */

Added: trunk/apache2/mpm-itk/patches/11-fix-htaccess-reads-for-persistent-connections.patch
URL: http://svn.debian.org/wsvn/pkg-apache/trunk/apache2/mpm-itk/patches/11-fix-htaccess-reads-for-persistent-connections.patch?rev=1295&op=file
==============================================================================
--- trunk/apache2/mpm-itk/patches/11-fix-htaccess-reads-for-persistent-connections.patch (added)
+++ trunk/apache2/mpm-itk/patches/11-fix-htaccess-reads-for-persistent-connections.patch Mon Mar 21 22:00:56 2011
@@ -1,0 +1,45 @@
+Fix an issue where users can sometimes get spurious 403s on persistent
+connections (the description in the comments explains the logic).
+This would particularly hit people with reverse proxies, since these
+have a higher tendency of accessing things from different vhosts in
+the same connection.
+
+Index: httpd-2.2.17/server/config.c
+===================================================================
+--- httpd-2.2.17.orig/server/config.c
++++ httpd-2.2.17/server/config.c
+@@ -1840,6 +1840,34 @@ AP_CORE_DECLARE(int) ap_parse_htaccess(a
+         else {
+             if (!APR_STATUS_IS_ENOENT(status)
+                 && !APR_STATUS_IS_ENOTDIR(status)) {
++#ifdef ITK_MPM
++                /*
++                 * If we are in a persistent connection, we might end up in a state
++                 * where we can no longer read .htaccess files because we have already
++                 * setuid(). This can either be because the previous request was for
++                 * another vhost (basically the same problem as when setuid() fails in
++                 * itk.c), or it can be because a .htaccess file is readable only by
++                 * root.
++                 *
++                 * In any case, we don't want to give out a 403, since the request has
++                 * a very real chance of succeeding on a fresh connection (where
++                 * presumably uid=0). Thus, we give up serving the request on this
++                 * TCP connection, and do a hard close of the socket. As long as we're
++                 * in a persistent connection (and there _should_ not be a way this
++                 * would happen on the first request in a connection, save for subrequests,
++                 * which we special-case), this is allowed, as it is what happens on
++                 * a timeout. The browser will simply open a new connection and try
++                 * again (there's of course a performance hit, though, both due to
++                 * the new connection setup and the fork() of a new server child).
++                 */
++                if (r->main == NULL && getuid() != 0) {
++                    ap_log_rerror(APLOG_MARK, APLOG_WARNING, status, r,
++                                  "Couldn't read %s, closing connection.",
++                                  filename);
++                    ap_lingering_close(r->connection);
++                    exit(0);
++                }
++#endif          
+                 ap_log_rerror(APLOG_MARK, APLOG_CRIT, status, r,
+                               "%s pcfg_openfile: unable to check htaccess file, "
+                               "ensure it is readable",
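Review bot: the new ITK_MPM block in ap_parse_htaccess runs for any open
failure other than ENOENT or ENOTDIR once the child is no longer uid 0, not
only for permission errors, so an unrelated error on the .htaccess file would
also close the connection and exit the child, logged at APLOG_WARNING instead
of the APLOG_CRIT message that follows. Consider adding
APR_STATUS_IS_EACCES(status) to the "r->main == NULL && getuid() != 0" test so
that only the case described in the comment takes this path. The "+#endif"
line also carries trailing whitespace.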

Propchange: trunk/apache2/mpm-itk/patches/11-fix-htaccess-reads-for-persistent-connections.patch
------------------------------------------------------------------------------
    svn:eol-style = native

Modified: trunk/apache2/mpm-itk/patches/series
URL: http://svn.debian.org/wsvn/pkg-apache/trunk/apache2/mpm-itk/patches/series?rev=1295&op=diff
==============================================================================
--- trunk/apache2/mpm-itk/patches/series (original)
+++ trunk/apache2/mpm-itk/patches/series Mon Mar 21 22:00:56 2011
@@ -8,3 +8,4 @@
 08-max-clients-per-vhost.patch
 09-capabilities.patch
 10-nice.patch
+11-fix-htaccess-reads-for-persistent-connections.patch



