pkgsrc-Changes-HG archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[pkgsrc/trunk]: pkgsrc/www/apache22 Patch from upstream (fixed in trunk and 2...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/e4c89cdaf25d
branches:  trunk
changeset: 621166:e4c89cdaf25d
user:      manu <manu%pkgsrc.org@localhost>
date:      Fri Jul 05 15:36:25 2013 +0000

description:
Patch from upstream (fixed in trunk and 2.4 branch):
https://issues.apache.org/bugzilla/show_bug.cgi?id=29744

When using CONNECT inside a SSL connexion, fix a bug that caused
apache to reply in plain text.

diffstat:

 www/apache22/Makefile                                        |    4 +-
 www/apache22/distinfo                                        |    3 +-
 www/apache22/patches/patch-modules_proxy_mod_proxy_connect.c |  333 +++++++++++
 3 files changed, 337 insertions(+), 3 deletions(-)

diffs (truncated from 367 to 300 lines):

diff -r e3946970193b -r e4c89cdaf25d www/apache22/Makefile
--- a/www/apache22/Makefile     Fri Jul 05 15:31:54 2013 +0000
+++ b/www/apache22/Makefile     Fri Jul 05 15:36:25 2013 +0000
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.89 2013/05/31 12:42:31 wiz Exp $
+# $NetBSD: Makefile,v 1.90 2013/07/05 15:36:25 manu Exp $
 
 DISTNAME=      httpd-2.2.24
 PKGNAME=       ${DISTNAME:S/httpd/apache/}
-PKGREVISION=   2
+PKGREVISION=   3
 CATEGORIES=    www
 MASTER_SITES=  ${MASTER_SITE_APACHE:=httpd/} \
                http://archive.apache.org/dist/httpd/ \
diff -r e3946970193b -r e4c89cdaf25d www/apache22/distinfo
--- a/www/apache22/distinfo     Fri Jul 05 15:31:54 2013 +0000
+++ b/www/apache22/distinfo     Fri Jul 05 15:36:25 2013 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.55 2013/05/30 22:58:14 tron Exp $
+$NetBSD: distinfo,v 1.56 2013/07/05 15:36:25 manu Exp $
 
 SHA1 (httpd-2.2.24.tar.bz2) = f73bce14832ec40c1aae68f4f8c367cab2266241
 RMD160 (httpd-2.2.24.tar.bz2) = 4c31b23615236c407779a23cbfcc8e05ba011224
@@ -16,5 +16,6 @@
 SHA1 (patch-docs_man_apxs.8) = 70797ea73ae6379492971bec1106a8427ae7fdaa
 SHA1 (patch-lock.c) = 770ca03f1cb4421879bd5baa5a7c30cc91acb6e1
 SHA1 (patch-modules_mappers_mod_rewrite.c) = a1cee8c7c97936e15a1596a54ddc1839a5b1038d
+SHA1 (patch-modules_proxy_mod_proxy_connect.c) = 6d5ed1e075bc3d727c4940078a3a8b2abeb4b324
 SHA1 (patch-modules_ssl_ssl__engine__kernel.c) = fd6f425d18231f0daca9fc2553638891a7241a4a
 SHA1 (patch-repos.c) = 0e0361b91d4b0fe6c7c55a12fdfd2e6aacc710e1
diff -r e3946970193b -r e4c89cdaf25d www/apache22/patches/patch-modules_proxy_mod_proxy_connect.c
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/www/apache22/patches/patch-modules_proxy_mod_proxy_connect.c      Fri Jul 05 15:36:25 2013 +0000
@@ -0,0 +1,333 @@
+--- modules/proxy/mod_proxy_connect.c
++++ modules/proxy/mod_proxy_connect.c
+@@ -21,6 +21,8 @@ 
+ #include "mod_proxy.h"
+ #include "apr_poll.h"
+ 
++#define CONN_BLKSZ AP_IOBUFSIZE
++
+ module AP_MODULE_DECLARE_DATA proxy_connect_module;
+ 
+ /*
+@@ -71,6 +73,50 @@ 
+     return OK;
+ }
+ 
++/* read available data (in blocks of CONN_BLKSZ) from c_i and copy to c_o */
++static int proxy_connect_transfer(request_rec *r, conn_rec *c_i, conn_rec *c_o,
++                                apr_bucket_brigade *bb, char *name)
++{
++    int rv;
++#ifdef DEBUGGING
++    apr_off_t len;
++#endif
++
++    do {
++      apr_brigade_cleanup(bb);
++      rv = ap_get_brigade(c_i->input_filters, bb, AP_MODE_READBYTES,
++                          APR_NONBLOCK_READ, CONN_BLKSZ);
++      if (rv == APR_SUCCESS) {
++          if (APR_BRIGADE_EMPTY(bb))
++              break;
++#ifdef DEBUGGING
++          len = -1;
++          apr_brigade_length(bb, 0, &len);
++          ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
++                        "proxy: CONNECT: read %" APR_OFF_T_FMT
++                        " bytes from %s", len, name);
++#endif
++          rv = ap_pass_brigade(c_o->output_filters, bb);
++          if (rv == APR_SUCCESS) {
++              ap_fflush(c_o->output_filters, bb);
++          } else {
++              ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r,
++                            "proxy: CONNECT: error on %s - ap_pass_brigade",
++                            name);
++          }
++      } else if (!APR_STATUS_IS_EAGAIN(rv)) {
++          ap_log_rerror(APLOG_MARK, APLOG_DEBUG, rv, r,
++                        "proxy: CONNECT: error on %s - ap_get_brigade",
++                        name);
++      }
++    } while (rv == APR_SUCCESS);
++
++    if (APR_STATUS_IS_EAGAIN(rv)) {
++      rv = APR_SUCCESS;
++    }
++    return rv;
++}
++
+ /* CONNECT handler */
+ static int proxy_connect_handler(request_rec *r, proxy_worker *worker,
+                                  proxy_server_conf *conf,
+@@ -79,11 +125,15 @@ 
+ {
+     apr_pool_t *p = r->pool;
+     apr_socket_t *sock;
++    conn_rec *c = r->connection;
++    conn_rec *backconn;
++
++    apr_bucket_brigade *bb = apr_brigade_create(p, c->bucket_alloc);
+     apr_status_t err, rv;
+     apr_size_t i, o, nbytes;
+     char buffer[HUGE_STRING_LEN];
+-    apr_socket_t *client_socket = ap_get_module_config(r->connection->conn_config, &core_module);
+-    int failed;
++    apr_socket_t *client_socket = ap_get_module_config(c->conn_config, &core_module);
++    int failed, rc;
+     apr_pollset_t *pollset;
+     apr_pollfd_t pollfd;
+     const apr_pollfd_t *signalled;
+@@ -158,12 +208,10 @@ 
+             case APR_URI_SNEWS_DEFAULT_PORT:
+                 break;
+             default:
+-                /* XXX can we call ap_proxyerror() here to get a nice log message? */
+-                return HTTP_FORBIDDEN;
++        return ap_proxyerror(r, HTTP_FORBIDDEN, "Connect to remote machine blocked");
+         }
+     } else if(!allowed_port(conf, uri.port)) {
+-        /* XXX can we call ap_proxyerror() here to get a nice log message? */
+-        return HTTP_FORBIDDEN;
++    return ap_proxyerror(r, HTTP_FORBIDDEN, "Connect to remote machine blocked");
+     }
+ 
+     /*
+@@ -205,18 +253,57 @@ 
+         }
+     }
+ 
++    /* setup polling for connection */
++    ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
++                "proxy: CONNECT: setting up poll()");
++
++    if ((rv = apr_pollset_create(&pollset, 2, r->pool, 0)) != APR_SUCCESS) {
++      apr_socket_close(sock);
++        ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r,
++            "proxy: CONNECT: error apr_pollset_create()");
++        return HTTP_INTERNAL_SERVER_ERROR;
++    }
++
++    /* Add client side to the poll */
++    pollfd.p = r->pool;
++    pollfd.desc_type = APR_POLL_SOCKET;
++    pollfd.reqevents = APR_POLLIN;
++    pollfd.desc.s = client_socket;
++    pollfd.client_data = NULL;
++    apr_pollset_add(pollset, &pollfd);
++
++    /* Add the server side to the poll */
++    pollfd.desc.s = sock;
++    apr_pollset_add(pollset, &pollfd);
++
+     /*
+      * Step Three: Send the Request
+      *
+      * Send the HTTP/1.1 CONNECT request to the remote server
+      */
+ 
+-    /* we are acting as a tunnel - the output filter stack should
+-     * be completely empty, because when we are done here we are done completely.
+-     * We add the NULL filter to the stack to do this...
+-     */
+-    r->output_filters = NULL;
+-    r->connection->output_filters = NULL;
++    backconn = ap_run_create_connection(c->pool, r->server, sock,
++                                      c->id, c->sbh, c->bucket_alloc);
++    if (!backconn) {
++      /* peer reset */
++      ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
++                    "proxy: an error occurred creating a new connection "
++                    "to %pI (%s)", connect_addr, connectname);
++      apr_socket_close(sock);
++      return HTTP_INTERNAL_SERVER_ERROR;
++    }
++    ap_proxy_ssl_disable(backconn);
++    rc = ap_run_pre_connection(backconn, sock);
++    if (rc != OK && rc != DONE) {
++      backconn->aborted = 1;
++      ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
++                    "proxy: CONNECT: pre_connection setup failed (%d)", rc);
++      return HTTP_INTERNAL_SERVER_ERROR;
++    }
++
++    ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
++                "proxy: CONNECT: connection complete to %pI (%s)",
++                connect_addr, connectname);
+ 
+ 
+     /* If we are connecting through a remote proxy, we need to pass
+@@ -227,12 +314,11 @@ 
+      */
+         ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
+              "proxy: CONNECT: sending the CONNECT request to the remote proxy");
+-        nbytes = apr_snprintf(buffer, sizeof(buffer),
++      ap_fprintf(backconn->output_filters, bb,
+                   "CONNECT %s HTTP/1.0" CRLF, r->uri);
+-        apr_socket_send(sock, buffer, &nbytes);
+-        nbytes = apr_snprintf(buffer, sizeof(buffer),
+-                  "Proxy-agent: %s" CRLF CRLF, ap_get_server_banner());
+-        apr_socket_send(sock, buffer, &nbytes);
++         ap_fprintf(backconn->output_filters, bb,
++                  "Proxy-agent: %s" CRLF CRLF, ap_get_server_version());
++         ap_fflush(backconn->output_filters, bb);
+     }
+     else {
+         ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
+@@ -240,11 +326,12 @@ 
+         nbytes = apr_snprintf(buffer, sizeof(buffer),
+                   "HTTP/1.0 200 Connection Established" CRLF);
+         ap_xlate_proto_to_ascii(buffer, nbytes);
+-        apr_socket_send(client_socket, buffer, &nbytes);
++       ap_fwrite(c->output_filters, bb, buffer, nbytes); 
+         nbytes = apr_snprintf(buffer, sizeof(buffer),
+                   "Proxy-agent: %s" CRLF CRLF, ap_get_server_banner());
+         ap_xlate_proto_to_ascii(buffer, nbytes);
+-        apr_socket_send(client_socket, buffer, &nbytes);
++        ap_fwrite(c->output_filters, bb, buffer, nbytes);
++      ap_fflush(c->output_filters, bb);
+ #if 0
+         /* This is safer code, but it doesn't work yet.  I'm leaving it
+          * here so that I can fix it later.
+@@ -265,27 +352,15 @@ 
+      * Handle two way transfer of data over the socket (this is a tunnel).
+      */
+ 
++    /* we are now acting as a tunnel - the input/output filter stacks should
++     * not contain any non-connection filters.
++     */
++    r->output_filters = c->output_filters;
++    r->proto_output_filters = c->output_filters;
++    r->input_filters = c->input_filters;
++    r->proto_input_filters = c->input_filters;
+ /*    r->sent_bodyct = 1;*/
+ 
+-    if ((rv = apr_pollset_create(&pollset, 2, r->pool, 0)) != APR_SUCCESS) {
+-        apr_socket_close(sock);
+-        ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r,
+-            "proxy: CONNECT: error apr_pollset_create()");
+-        return HTTP_INTERNAL_SERVER_ERROR;
+-    }
+-
+-    /* Add client side to the poll */
+-    pollfd.p = r->pool;
+-    pollfd.desc_type = APR_POLL_SOCKET;
+-    pollfd.reqevents = APR_POLLIN;
+-    pollfd.desc.s = client_socket;
+-    pollfd.client_data = NULL;
+-    apr_pollset_add(pollset, &pollfd);
+-
+-    /* Add the server side to the poll */
+-    pollfd.desc.s = sock;
+-    apr_pollset_add(pollset, &pollfd);
+-
+     while (1) { /* Infinite loop until error (one side closes the connection) */
+         if ((rv = apr_pollset_poll(pollset, -1, &pollcnt, &signalled)) != APR_SUCCESS) {
+             if (APR_STATUS_IS_EINTR(rv)) { 
+@@ -297,7 +372,7 @@ 
+         }
+ #ifdef DEBUGGING
+         ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
+-                     "proxy: CONNECT: woke from select(), i=%d", pollcnt);
++                     "proxy: CONNECT: woke from poll(), i=%d", pollcnt);
+ #endif
+ 
+         for (pi = 0; pi < pollcnt; pi++) {
+@@ -307,72 +382,32 @@ 
+                 pollevent = cur->rtnevents;
+                 if (pollevent & APR_POLLIN) {
+ #ifdef DEBUGGING
+-                    ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
+-                                 "proxy: CONNECT: sock was set");
++                    ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
++                                 "proxy: CONNECT: sock was readable");
+ #endif
+-                    nbytes = sizeof(buffer);
+-                    rv = apr_socket_recv(sock, buffer, &nbytes);
+-                    if (rv == APR_SUCCESS) {
+-                        o = 0;
+-                        i = nbytes;
+-                        while(i > 0)
+-                        {
+-                            nbytes = i;
+-    /* This is just plain wrong.  No module should ever write directly
+-     * to the client.  For now, this works, but this is high on my list of
+-     * things to fix.  The correct line is:
+-     * if ((nbytes = ap_rwrite(buffer + o, nbytes, r)) < 0)
+-     * rbb
+-     */
+-                            rv = apr_socket_send(client_socket, buffer + o, &nbytes);
+-                            if (rv != APR_SUCCESS)
+-                                break;
+-                            o += nbytes;
+-                            i -= nbytes;
+-                        }
++                    rv = proxy_connect_transfer(r, backconn, c, bb, "sock");
+                     }



Home | Main Index | Thread Index | Old Index