-
Notifications
You must be signed in to change notification settings - Fork 14
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add patch58 to set worker secret passed to tomcat in mod_proxy_ajp (F…
…edora)
- Loading branch information
1 parent
04fc916
commit eb2443b
Showing
2 changed files
with
141 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,137 @@ | ||
| diff --git a/modules/proxy/ajp.h b/modules/proxy/ajp.h | ||
| index c119a7e..267150a 100644 | ||
| diff -uap httpd-2.4.33/modules/proxy/ajp_header.c.r1738878 httpd-2.4.33/modules/proxy/ajp_header.c | ||
| --- httpd-2.4.33/modules/proxy/ajp_header.c.r1738878 | ||
| +++ httpd-2.4.33/modules/proxy/ajp_header.c | ||
| @@ -213,7 +213,8 @@ | ||
|
|
||
| static apr_status_t ajp_marshal_into_msgb(ajp_msg_t *msg, | ||
| request_rec *r, | ||
| - apr_uri_t *uri) | ||
| + apr_uri_t *uri, | ||
| + const char *secret) | ||
| { | ||
| int method; | ||
| apr_uint32_t i, num_headers = 0; | ||
| @@ -293,17 +294,15 @@ | ||
| i, elts[i].key, elts[i].val); | ||
| } | ||
|
|
||
| -/* XXXX need to figure out how to do this | ||
| - if (s->secret) { | ||
| + if (secret) { | ||
| if (ajp_msg_append_uint8(msg, SC_A_SECRET) || | ||
| - ajp_msg_append_string(msg, s->secret)) { | ||
| + ajp_msg_append_string(msg, secret)) { | ||
| ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(03228) | ||
| - "Error ajp_marshal_into_msgb - " | ||
| + "ajp_marshal_into_msgb: " | ||
| "Error appending secret"); | ||
| return APR_EGENERAL; | ||
| } | ||
| } | ||
| - */ | ||
|
|
||
| if (r->user) { | ||
| if (ajp_msg_append_uint8(msg, SC_A_REMOTE_USER) || | ||
| @@ -671,7 +670,8 @@ | ||
| apr_status_t ajp_send_header(apr_socket_t *sock, | ||
| request_rec *r, | ||
| apr_size_t buffsize, | ||
| - apr_uri_t *uri) | ||
| + apr_uri_t *uri, | ||
| + const char *secret) | ||
| { | ||
| ajp_msg_t *msg; | ||
| apr_status_t rc; | ||
| @@ -683,7 +683,7 @@ | ||
| return rc; | ||
| } | ||
|
|
||
| - rc = ajp_marshal_into_msgb(msg, r, uri); | ||
| + rc = ajp_marshal_into_msgb(msg, r, uri, secret); | ||
| if (rc != APR_SUCCESS) { | ||
| ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(00988) | ||
| "ajp_send_header: ajp_marshal_into_msgb failed"); | ||
| diff -uap httpd-2.4.33/modules/proxy/ajp.h.r1738878 httpd-2.4.33/modules/proxy/ajp.h | ||
| --- httpd-2.4.33/modules/proxy/ajp.h.r1738878 | ||
| +++ httpd-2.4.33/modules/proxy/ajp.h | ||
| @@ -413,12 +413,14 @@ | ||
| * @param sock backend socket | ||
| * @param r current request | ||
| * @param buffsize max size of the AJP packet. | ||
| + * @param secret authentication secret | ||
| * @param uri requested uri | ||
| * @return APR_SUCCESS or error | ||
| */ | ||
| apr_status_t ajp_send_header(apr_socket_t *sock, request_rec *r, | ||
| apr_size_t buffsize, | ||
| - apr_uri_t *uri); | ||
| + apr_uri_t *uri, | ||
| + const char *secret); | ||
|
|
||
| /** | ||
| * Read the ajp message and return the type of the message. | ||
| diff -uap httpd-2.4.33/modules/proxy/mod_proxy_ajp.c.r1738878 httpd-2.4.33/modules/proxy/mod_proxy_ajp.c | ||
| --- httpd-2.4.33/modules/proxy/mod_proxy_ajp.c.r1738878 | ||
| +++ httpd-2.4.33/modules/proxy/mod_proxy_ajp.c | ||
| @@ -193,6 +193,7 @@ | ||
| apr_off_t content_length = 0; | ||
| int original_status = r->status; | ||
| const char *original_status_line = r->status_line; | ||
| + const char *secret = NULL; | ||
|
|
||
| if (psf->io_buffer_size_set) | ||
| maxsize = psf->io_buffer_size; | ||
| @@ -202,12 +203,15 @@ | ||
| maxsize = AJP_MSG_BUFFER_SZ; | ||
| maxsize = APR_ALIGN(maxsize, 1024); | ||
|
|
||
| + if (*conn->worker->s->secret) | ||
| + secret = conn->worker->s->secret; | ||
| + | ||
| /* | ||
| * Send the AJP request to the remote server | ||
| */ | ||
|
|
||
| /* send request headers */ | ||
| - status = ajp_send_header(conn->sock, r, maxsize, uri); | ||
| + status = ajp_send_header(conn->sock, r, maxsize, uri, secret); | ||
| if (status != APR_SUCCESS) { | ||
| conn->close = 1; | ||
| ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r, APLOGNO(00868) | ||
| diff -uap httpd-2.4.33/modules/proxy/mod_proxy.c.r1738878 httpd-2.4.33/modules/proxy/mod_proxy.c | ||
| --- httpd-2.4.33/modules/proxy/mod_proxy.c.r1738878 | ||
| +++ httpd-2.4.33/modules/proxy/mod_proxy.c | ||
| @@ -318,6 +318,12 @@ | ||
| (int)sizeof(worker->s->upgrade)); | ||
| } | ||
| } | ||
| + else if (!strcasecmp(key, "secret")) { | ||
| + if (PROXY_STRNCPY(worker->s->secret, val) != APR_SUCCESS) { | ||
| + return apr_psprintf(p, "Secret length must be < %d characters", | ||
| + (int)sizeof(worker->s->secret)); | ||
| + } | ||
| + } | ||
| else { | ||
| if (set_worker_hc_param_f) { | ||
| return set_worker_hc_param_f(p, s, worker, key, val, NULL); | ||
| diff -uap httpd-2.4.33/modules/proxy/mod_proxy.h.r1738878 httpd-2.4.33/modules/proxy/mod_proxy.h | ||
| --- httpd-2.4.33/modules/proxy/mod_proxy.h.r1738878 | ||
| +++ httpd-2.4.33/modules/proxy/mod_proxy.h | ||
| @@ -353,6 +353,7 @@ | ||
| #define PROXY_WORKER_MAX_HOSTNAME_SIZE 64 | ||
| #define PROXY_BALANCER_MAX_HOSTNAME_SIZE PROXY_WORKER_MAX_HOSTNAME_SIZE | ||
| #define PROXY_BALANCER_MAX_STICKY_SIZE 64 | ||
| +#define PROXY_WORKER_MAX_SECRET_SIZE 64 | ||
|
|
||
| #define PROXY_RFC1035_HOSTNAME_SIZE 256 | ||
|
|
||
| @@ -447,6 +448,7 @@ | ||
| apr_interval_time_t interval; | ||
| char upgrade[PROXY_WORKER_MAX_SCHEME_SIZE];/* upgrade protocol used by mod_proxy_wstunnel */ | ||
| char hostname_ex[PROXY_RFC1035_HOSTNAME_SIZE]; /* RFC1035 compliant version of the remote backend address */ | ||
| + char secret[PROXY_WORKER_MAX_SECRET_SIZE]; /* authentication secret (e.g. AJP13) */ | ||
| } proxy_worker_shared; | ||
|
|
||
| #define ALIGNED_PROXY_WORKER_SHARED_SIZE (APR_ALIGN_DEFAULT(sizeof(proxy_worker_shared))) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -76,6 +76,8 @@ Patch30: httpd-2.4.4-cachehardmax.patch | |
| Patch34: httpd-2.4.17-socket-activation.patch | ||
|
|
||
| # Bug fixes | ||
| # https://bugzilla.redhat.com/show_bug.cgi?id=1397243 | ||
| Patch58: httpd-2.4.33-r1738878.patch | ||
|
|
||
| # Security fixes | ||
|
|
||
|
|
@@ -283,6 +285,7 @@ interface for storing and accessing per-user session data. | |
| %{?with_systemd:%patch29 -p1 -b .systemd} | ||
| %patch30 -p1 -b .cachehardmax | ||
| %{?with_systemd:%patch34 -p1 -b .socketactivation} | ||
| %patch58 -p1 -b .r1738878 | ||
|
|
||
| # Patch in the vendor string | ||
| sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h | ||
|
|
@@ -807,6 +810,7 @@ exit $rv | |
| - Reduce suexec uidmin and gidmin to match RHEL | ||
| - Drop NPN patch, no longer supported in major browsers | ||
| - Obsolete httpd24u-mod_proxy_uwsgi, merged upstream and is now part of this package | ||
| - Add patch58 to set worker secret passed to tomcat in mod_proxy_ajp (Fedora) | ||
|
|
||
| * Mon Oct 23 2017 Carl George <[email protected]> - 2.4.29-1.ius | ||
| - Latest upstream | ||
|
|
||