Commit b2517c6e
Authored 3 weeks ago by importbot

import httpd-2.4.37-65.module+el8+1010+deadbeef.3

Parent: 2f45ae7b
Tags containing commit: imports/c10s/golang-1.23.1-2.el10

Showing 3 changed files with 74 additions and 2 deletions:
.httpd.checksum: 1 addition, 1 deletion
SOURCES/httpd-2.4.37-r1922080.patch: 64 additions, 0 deletions
SPECS/httpd.spec: 9 additions, 1 deletion
.httpd.checksum (+1 -1)
bc1c91f3fce3452aa7dba9810592cf2a40957ef5d3b2d23a96c1853365425c50
Direct Git Import
SOURCES/httpd-2.4.37-r1922080.patch (new file, mode 100644, +64 -0)
diff --git a/modules/proxy/mod_proxy.c b/modules/proxy/mod_proxy.c
index 94ec87e..16ebd98 100644
--- a/modules/proxy/mod_proxy.c
+++ b/modules/proxy/mod_proxy.c
@@ -1043,6 +1043,7 @@
static int proxy_handler(request_rec *r)
r->proxyreq = PROXYREQ_REVERSE;
r->filename = apr_pstrcat(r->pool, r->handler, r->filename, NULL);
+ apr_table_setn(r->notes, "proxy-sethandler", "1");
/* Still need to fixup/canonicalize r->filename */
rc = ap_proxy_fixup_uds_filename(r);
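Review bot: the note key "proxy-sethandler" set in proxy_handler is a bare string literal that mod_proxy_fcgi.c matches by the same spelling, so a typo on either side would silently change which branch proxy_fcgi_canon takes. Consider a shared #define for the key, plus a one-line comment above the apr_table_setn() call naming the canon handler that reads it.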
@@ -1055,6 +1056,7 @@
static int proxy_handler(request_rec *r)
}
}
else if (r->proxyreq && strncmp(r->filename, "proxy:", 6) == 0) {
+ apr_table_unset(r->notes, "proxy-sethandler");
rc = OK;
}
if (rc != OK) {
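Review bot: the apr_table_unset() in the else-if branch carries no comment explaining why a "proxy-sethandler" note could already be present when r->filename starts with "proxy:". State the case it guards against (which earlier path would have set the note) so the set/unset pair in proxy_handler can be checked for completeness.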
diff --git a/modules/proxy/mod_proxy_fcgi.c b/modules/proxy/mod_proxy_fcgi.c
index f9cf716..fa0b810 100644
--- a/modules/proxy/mod_proxy_fcgi.c
+++ b/modules/proxy/mod_proxy_fcgi.c
@@ -63,6 +63,8 @@
static int proxy_fcgi_canon(request_rec *r, char *url)
apr_port_t port, def_port;
fcgi_req_config_t *rconf = NULL;
const char *pathinfo_type = NULL;
+ fcgi_dirconf_t *dconf = ap_get_module_config(r->per_dir_config,
+ &proxy_fcgi_module);
if (ap_cstr_casecmpn(url, "fcgi:", 5) == 0) {
url += 5;
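Review bot: dconf is initialised from ap_get_module_config() in the declaration and is later passed straight to FCGI_MAY_BE_FPM() with no NULL check visible in this patch. If the macro does not tolerate a NULL per-directory config, add a guard; if it does, a short comment here would save the next reader from looking it up.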
@@ -92,7 +94,29 @@
static int proxy_fcgi_canon(request_rec *r, char *url)
host = apr_pstrcat(r->pool, "[", host, "]", NULL);
}
- if (apr_table_get(r->notes, "proxy-nocanon")) {
+ if (apr_table_get(r->notes, "proxy-sethandler")
+ || apr_table_get(r->notes, "proxy-nocanon")){
+
+ char *c = url;
+
+ /* We do not call ap_proxy_canonenc_ex() on the path here, don't
+ * let control characters pass still, and for php-fpm no '?' either.
+ */
+ if (FCGI_MAY_BE_FPM(dconf)) {
+ while (!apr_iscntrl(*c) && *c != '?')
+ c++;
+ }
+ else {
+ while (!apr_iscntrl(*c))
+ c++;
+ }
+ if (*c) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10414)
+ "To be forwarded path contains control characters%s (%s)",
+ FCGI_MAY_BE_FPM(dconf) ? " or '?'" : "", url);
+ return HTTP_FORBIDDEN;
+ }
+
path = url; /* this is the raw path */
}
else {
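Review bot: both scanning loops stop at the end of url only because apr_iscntrl() is true for the terminating NUL, which is easy to miss and leaves if (*c) as the sole distinction between a clean path and a rejected one. Say so in the comment, or make it explicit with while (*c && !apr_iscntrl(*c)); the two loops could also be folded into one that evaluates FCGI_MAY_BE_FPM(dconf) once. Style: the opening condition is missing a space before the brace after apr_table_get(r->notes, "proxy-nocanon").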
SPECS/httpd.spec (+9 -1)
...
...
@@ -13,7 +13,7 @@
Summary: Apache HTTP Server
Name: httpd
Version: 2.4.37
Release: 65%{?dist}.
2
Release: 65%{?dist}.
3
URL: https://httpd.apache.org/
Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
Source2: httpd.logrotate
...
...
@@ -173,6 +173,8 @@ Patch93: httpd-2.4.37-r1885607.patch
Patch94: httpd-2.4.57-r1884505+.patch
# https://bz.apache.org/bugzilla/show_bug.cgi?id=69197
Patch95: httpd-2.4.37-r1919325.patch
# https://issues.redhat.com/browse/RHEL-56068
Patch96: httpd-2.4.37-r1922080.patch
# Security fixes
Patch200: httpd-2.4.37-r1851471.patch
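Review bot: the comment above Patch96 links only the downstream tracker (RHEL-56068), whereas the preceding Patch95 cites the upstream bug. Add the upstream reference for r1922080 next to it so the origin of the patch can be traced without access to the Red Hat issue.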
...
...
@@ -514,6 +516,8 @@ interface for storing and accessing per-user session data.
%patch246 -p1 -b .CVE-2024-38476
%patch247 -p1 -b .CVE-2024-39884+
%patch96 -p1 -b .r1922080
# Patch in the vendor string
sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h
sed -i 's/@RELEASE@/%{release}/' server/core.c
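Review bot: %patch96 is applied after %patch246 and %patch247 rather than in numeric order with the other sub-200 patches, and nothing in the spec says why. If r1922080 only applies on top of the CVE-2024-38476 and CVE-2024-39884+ changes, add a comment above the %patch96 line recording that dependency so a later reorder does not break the build.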
...
...
@@ -1018,6 +1022,10 @@ rm -rf $RPM_BUILD_ROOT
%{_rpmconfigdir}/macros.d/macros.httpd
%changelog
* Wed Jan 29 2025 Luboš Uhliarik <luhliari@redhat.com> - 2.4.37-65.3
- Resolves: RHEL-56068 - Apache HTTPD no longer parse PHP files with
unicode characters in the name
* Tue Aug 06 2024 Luboš Uhliarik <luhliari@redhat.com> - 2.4.37-65.2
- Resolves: RHEL-46040 - httpd:2.4/httpd: Security issues via backend
applications whose response headers are malicious or exploitable (CVE-2024-38476)
...
...