November 2013 - openSUSE Commits - openSUSE Mailing Lists

commit go for openSUSE:Factory
by root＠hilbert.suse.de 07 Nov '13

07 Nov '13

Hello community, here is the log from the commit of package go for openSUSE:Factory checked in at 2013-11-07 08:39:59 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/go (Old) and /work/SRC/openSUSE:Factory/.go.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "go" Changes: -------- --- /work/SRC/openSUSE:Factory/go/go.changes 2013-10-22 14:51:35.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.go.new/go.changes 2013-11-07 08:39:59.000000000 +0100 @@ -4 +4 @@ -- Add %go_tooldir macro +- Add %go_tooldir macro and create the tools directory in %goprep ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ macros.go ++++++ --- /var/tmp/diff_new_pack.XCyO69/_old 2013-11-07 08:40:00.000000000 +0100 +++ /var/tmp/diff_new_pack.XCyO69/_new 2013-11-07 08:40:00.000000000 +0100 @@ -51,8 +51,9 @@ rmdir ${pkg_dir} \ ln -s $GOPATH/src/$IMPORTPATH ${pkg_dir} \ cd ${pkg_dir} \ -# we'll be installing packages/binaries, make the targ dirs \ +# we'll be installing packages/binaries/tools, make the targ dirs \ install -d %{buildroot}%{go_contribdir} \ +install -d %{buildroot}%{go_tooldir} \ install -d %{buildroot}%{_bindir} \ %{nil} -- To unsubscribe, e-mail: opensuse-commit+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-commit+help(a)opensuse.org

1 0

commit exim for openSUSE:Factory
by root＠hilbert.suse.de 07 Nov '13

07 Nov '13

Hello community, here is the log from the commit of package exim for openSUSE:Factory checked in at 2013-11-07 08:39:41 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/exim (Old) and /work/SRC/openSUSE:Factory/.exim.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "exim" Changes: -------- --- /work/SRC/openSUSE:Factory/exim/exim.changes 2013-06-17 10:04:47.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.exim.new/exim.changes 2013-11-07 08:39:42.000000000 +0100 @@ -1,0 +2,6 @@ +Sun Oct 27 17:35:43 UTC 2013 - p.drouand(a)gmail.com + +- Add systemd support for openSUSE > 12.2 +- Remove some obsolete conditionnal macros + +------------------------------------------------------------------- New: ---- exim.service ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ exim.spec ++++++ --- /var/tmp/diff_new_pack.qEiXek/_old 2013-11-07 08:39:43.000000000 +0100 +++ /var/tmp/diff_new_pack.qEiXek/_new 2013-11-07 08:39:43.000000000 +0100 @@ -24,13 +24,8 @@ BuildRequires: pcre-devel %if %{?suse_version:1}%{?!suse_version:0} BuildRequires: tcpd-devel -%if %suse_version > 910 BuildRequires: xorg-x11-devel %else -BuildRequires: XFree86-devel -BuildRequires: XFree86-libs -%endif -%else BuildRequires: libXaw-devel BuildRequires: libXext-devel BuildRequires: libXt-devel @@ -43,7 +38,15 @@ Provides: smtp_daemon %if %{?suse_version:%suse_version}%{?!suse_version:0} > 800 Requires: logrotate -PreReq: %insserv_prereq %fillup_prereq /usr/sbin/useradd fileutils textutils +%if 0%{?suse_version} > 1220 +BuildRequires: pkgconfig(systemd) +%{?systemd_requires} +%else +Requires(pre): %insserv_prereq +%endif +Requires(pre): %fillup_prereq +Requires(pre): /usr/sbin/useradd +Requires(pre): fileutils textutils %endif Version: 4.80.1 Release: 0 @@ -68,6 +71,7 @@ Source20: http://www.logic.univie.ac.at/~ametzler/debian/exim4manpages/exim4-manpages… Source30: eximstats-html-update.py Source31: eximstats.conf +Source32: exim.service Patch: exim-tail.patch %if !%{?build_with_mysql:1}0 && !%{?build_with_pgsql:1}0 @@ -244,7 +248,11 @@ make %install +%if 0%{?suse_version} > 1220 +mkdir -p $RPM_BUILD_ROOT/%{_unitdir} +%else mkdir -p $RPM_BUILD_ROOT/etc/init.d +%endif mkdir -p $RPM_BUILD_ROOT/etc/logrotate.d mkdir -p $RPM_BUILD_ROOT/usr/{bin,sbin,lib} mkdir -p $RPM_BUILD_ROOT/var/log/exim @@ -258,7 +266,11 @@ INSTALL_ARG=-no_chown install mv $RPM_BUILD_ROOT/usr/sbin/exim-%{version}* $RPM_BUILD_ROOT/usr/sbin/exim mv $RPM_BUILD_ROOT/etc/exim/exim.conf src/configure.default # with all substitutions done +%if 0%{?suse_version} > 1220 +install -m 755 %{S:32} $RPM_BUILD_ROOT/%{_unitdir}/exim.service +%else install -m 755 %{S:11} $RPM_BUILD_ROOT/etc/init.d/exim +%endif # aka... for i in \ /usr/lib/sendmail \ @@ -270,7 +282,11 @@ ln -sf ../sbin/exim $RPM_BUILD_ROOT$i done ln -sf exim $RPM_BUILD_ROOT/usr/sbin/sendmail +%if 0%{?suse_version} > 1220 +ln -sv ../../%{_unitdir}/exim.service $RPM_BUILD_ROOT/usr/sbin/rcexim +%else ln -sv ../../etc/init.d/exim $RPM_BUILD_ROOT/usr/sbin/rcexim +%endif %if !%{?build_with_mysql:1}0 && !%{?build_with_pgsql:1}0 mv $RPM_BUILD_ROOT/usr/sbin/eximon* $RPM_BUILD_ROOT/usr/bin/ %else @@ -305,11 +321,6 @@ # package the utilities without executable permissions, to silence rpmlint warnings chmod 644 util/*.{pl,sh} src/convert4r* # -# since 10.0, the permissions file is packaged in the 'permissions' package -%if %{?suse_version:%suse_version}%{?!suse_version:99999} < 1000 -install -m 0755 -d $RPM_BUILD_ROOT/etc/permissions.d -install -m 0644 $RPM_SOURCE_DIR/permissions.exim $RPM_BUILD_ROOT/etc/permissions.d/exim -%endif # eximstats-html files %if !%{?build_with_mysql:1}0 && !%{?build_with_pgsql:1}0 mkdir -p $RPM_BUILD_ROOT/srv/www/eximstats @@ -339,24 +350,35 @@ for i in var/log/exim/main.log var/log/exim/panic.log var/log/exim/reject.log; do if ! test -e $i; then touch $i; chown mail:mail $i; chmod 640 $i ; fi done +%if 0%{?suse_version} > 1220 +%{fillup_only} +%service_add_post exim.service +%else %{fillup_and_insserv exim} +%endif exit 0 -%if %{?suse_version:%suse_version}%{?!suse_version:0} > 820 +%if %{?suse_version:%suse_version} %preun +%if 0%{?suse_version} > 1220 +%service_del_preun exim.service +%else %stop_on_removal exim %endif +%endif %postun -%if %{?suse_version:%suse_version}%{?!suse_version:0} > 820 +%if %{?suse_version:%suse_version} +%if 0%{?suse_version} > 1220 +%service_del_postun exim.service +%else %restart_on_update exim %endif +%endif %insserv_cleanup %verifyscript %verify_permissions -e /usr/sbin/exim -%clean - %files %defattr(-,root,root) %doc ACKNOWLEDGMENTS CHANGES LICENCE NOTICE README.UPDATING README @@ -376,7 +398,11 @@ /usr/sbin/exiqsumm /usr/sbin/exiwhat %dir /etc/exim +%if 0%{?suse_version} > 1220 +%{_unitdir}/exim.service +%else %config /etc/init.d/exim +%endif %config(noreplace) /etc/logrotate.d/exim %if %{?suse_version:%suse_version}%{?!suse_version:99999} < 1000 %config(noreplace) /etc/permissions.d/exim ++++++ exim.service ++++++ [Unit] Description=Exim Mail Transport Agent After=network.target Conflicts=sendmail.service postfix.service [Service] PrivateTmp=true Environment=QUEUE=1h EnvironmentFile=-/etc/sysconfig/exim ExecStartPre=-/usr/libexec/exim-gen-cert ExecStart=/usr/sbin/exim -bd -q${QUEUE} [Install] WantedBy=multi-user.target -- To unsubscribe, e-mail: opensuse-commit+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-commit+help(a)opensuse.org

1 0

commit dropbear for openSUSE:Factory
by root＠hilbert.suse.de 07 Nov '13

07 Nov '13

Hello community, here is the log from the commit of package dropbear for openSUSE:Factory checked in at 2013-11-07 08:39:21 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/dropbear (Old) and /work/SRC/openSUSE:Factory/.dropbear.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "dropbear" Changes: -------- --- /work/SRC/openSUSE:Factory/dropbear/dropbear.changes 2013-10-17 20:40:42.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.dropbear.new/dropbear.changes 2013-11-07 08:39:22.000000000 +0100 @@ -8,0 +9 @@ +- used as bug fix release for bnc#845306 - VUL-0: CVE-2013-4421 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ -- To unsubscribe, e-mail: opensuse-commit+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-commit+help(a)opensuse.org

1 0

commit crmsh for openSUSE:Factory
by root＠hilbert.suse.de 07 Nov '13

07 Nov '13

Hello community, here is the log from the commit of package crmsh for openSUSE:Factory checked in at 2013-11-07 08:37:59 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/crmsh (Old) and /work/SRC/openSUSE:Factory/.crmsh.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "crmsh" Changes: -------- --- /work/SRC/openSUSE:Factory/crmsh/crmsh.changes 2013-10-17 14:01:27.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.crmsh.new/crmsh.changes 2013-11-07 08:38:00.000000000 +0100 @@ -1,0 +2,15 @@ +Mon Oct 28 15:57:05 UTC 2013 - dmuhamedagic(a)suse.com + +- build: add dependency on which +- upstream cs: eff5a29dc60e + +------------------------------------------------------------------- +Fri Oct 25 16:10:35 UTC 2013 - dmuhamedagic(a)suse.com + +- build: add hb_report from cluster-glue +- ui: anonymous temporary shadow CIBs +- ra: improve error reporting if the RA does not exist +- history: add wdiff command +- upstream cs: da117d6c690d + +------------------------------------------------------------------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ crmsh.spec ++++++ --- /var/tmp/diff_new_pack.tkZw3C/_old 2013-11-07 08:38:02.000000000 +0100 +++ /var/tmp/diff_new_pack.tkZw3C/_new 2013-11-07 08:38:02.000000000 +0100 @@ -55,6 +55,7 @@ Requires: python >= 2.4 Requires: python-dateutil Requires: python-lxml +Requires: which BuildRequires: python-lxml %if 0%{?suse_version} @@ -163,12 +164,12 @@ ########################################################### %defattr(-,root,root) -%{_datadir}/crmsh +%{_datadir}/%{name} %{_sbindir}/crm -%{py_sitedir}/crmsh +%{py_sitedir}/%{name} -%doc %{_mandir}/man8/crm.8* +%doc %{_mandir}/man8/* %{crmsh_docdir}/COPYING %{crmsh_docdir}/AUTHORS %{crmsh_docdir}/crm.8.html ++++++ crmsh-cibadmin_can_patch.patch ++++++ --- /var/tmp/diff_new_pack.tkZw3C/_old 2013-11-07 08:38:02.000000000 +0100 +++ /var/tmp/diff_new_pack.tkZw3C/_new 2013-11-07 08:38:02.000000000 +0100 @@ -1,18 +1,12 @@ -# HG changeset patch -# Parent edde9365afa66becafaea3b48d29d6c9a8268005 -High: cibconfig: enable cibadmin patch functionality - -diff -r edde9365afa6 -r 4155dbe91ca1 modules/utils.py ---- a/modules/utils.py Thu Sep 12 15:20:35 2013 +0200 -+++ b/modules/utils.py Fri Sep 13 15:04:02 2013 +0200 -@@ -1005,9 +1005,7 @@ def is_pcmk_118(cib_f=None): - +diff -r 13a63558be20 modules/utils.py +--- a/modules/utils.py Fri Oct 25 16:57:25 2013 +0200 ++++ b/modules/utils.py Fri Oct 25 17:14:45 2013 +0200 +@@ -1008,7 +1008,7 @@ def is_pcmk_118(cib_f=None): def cibadmin_can_patch(): -- # cibadmin -P doesn't handle comments, hopefully in v1.1.11 + # cibadmin -P doesn't handle comments, hopefully in v1.1.11 - return False -- #return is_min_pcmk_ver("1.1.11") + return True + #return is_min_pcmk_ver("1.1.11") - user_prefs = UserPrefs.getInstance() ++++++ crmsh.tar.bz2 ++++++ ++++ 9338 lines of diff (skipped) -- To unsubscribe, e-mail: opensuse-commit+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-commit+help(a)opensuse.org

1 0

commit cmake for openSUSE:Factory
by root＠hilbert.suse.de 07 Nov '13

07 Nov '13

Hello community, here is the log from the commit of package cmake for openSUSE:Factory checked in at 2013-11-07 08:35:51 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/cmake (Old) and /work/SRC/openSUSE:Factory/.cmake.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "cmake" Changes: -------- --- /work/SRC/openSUSE:Factory/cmake/cmake.changes 2013-10-19 11:14:31.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.cmake.new/cmake.changes 2013-11-07 08:35:52.000000000 +0100 @@ -1,0 +2,5 @@ +Wed Nov 6 12:42:56 UTC 2013 - boris(a)steki.net + +- updated cmake.macros to include installation path for cmake modules + +------------------------------------------------------------------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ cmake.spec: same change ++++++ cmake.macros ++++++ --- /var/tmp/diff_new_pack.VXZsOH/_old 2013-11-07 08:35:53.000000000 +0100 +++ /var/tmp/diff_new_pack.VXZsOH/_new 2013-11-07 08:35:53.000000000 +0100 @@ -34,7 +34,8 @@ -DBUILD_STATIC_LIBS:BOOL=OFF \\\ -DCMAKE_COLOR_MAKEFILE:BOOL=OFF \\\ -DCMAKE_INSTALL_DO_STRIP:BOOL=OFF \\\ - -DCMAKE_USER_MAKE_RULES_OVERRIDE="/usr/share/cmake/Modules/opensuse_rules.cmake" + -DCMAKE_MODULES_INSTALL_DIR=%{_datadir}/cmake/Modules \\\ + -DCMAKE_USER_MAKE_RULES_OVERRIDE="%{_datadir}/cmake/Modules/opensuse_rules.cmake" %cmake_install \ cd build \ -- To unsubscribe, e-mail: opensuse-commit+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-commit+help(a)opensuse.org

1 0

commit cdparanoia for openSUSE:Factory
by root＠hilbert.suse.de 07 Nov '13

07 Nov '13

Hello community, here is the log from the commit of package cdparanoia for openSUSE:Factory checked in at 2013-11-07 08:35:01 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/cdparanoia (Old) and /work/SRC/openSUSE:Factory/.cdparanoia.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "cdparanoia" Changes: -------- --- /work/SRC/openSUSE:Factory/cdparanoia/cdparanoia.changes 2013-05-27 09:43:01.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.cdparanoia.new/cdparanoia.changes 2013-11-07 08:35:02.000000000 +0100 @@ -1,0 +2,12 @@ +Thu Oct 24 13:00:04 UTC 2013 - tchvatal(a)suse.com + +- Redo the buildsystem to use only shared libs and allow parallel + building to have it faster in obs. + * removed patches: + - cdparanoia-III-dt_needed.patch + - cdparanoia-large-pic.diff + * added patches: + - 010_build_system.patch + - 050_all_build_only_shared_libraries.patch + +------------------------------------------------------------------- Old: ---- cdparanoia-III-dt_needed.patch cdparanoia-large-pic.diff New: ---- 010_build_system.patch 050_all_build_only_shared_libraries.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ cdparanoia.spec ++++++ --- /var/tmp/diff_new_pack.2tLSSL/_old 2013-11-07 08:35:03.000000000 +0100 +++ /var/tmp/diff_new_pack.2tLSSL/_new 2013-11-07 08:35:03.000000000 +0100 @@ -17,8 +17,6 @@ Name: cdparanoia -Provides: cdparano -Obsoletes: cdparano # bug437293 %ifarch ppc64 Obsoletes: cdparanoia-64bit @@ -33,15 +31,18 @@ %define filever III-10.2 Source: http://downloads.xiph.org/releases/%{name}/%{name}-%{filever}.src.tgz Source2: baselibs.conf -Patch1: cdparanoia-III-ide_majors.patch -Patch2: cdparanoia-III-dt_needed.patch +Patch1: 010_build_system.patch +Patch2: cdparanoia-III-ide_majors.patch Patch3: cdparanoia-III-c++.patch +Patch4: 050_all_build_only_shared_libraries.patch Patch10: cdparanoia-III-01-typos-and-spelling.dpatch Patch11: cdparanoia-III-05-gcc4.3.dpatch Patch12: cdparanoia-III-06-endian.dpatch -Patch13: cdparanoia-large-pic.diff Patch14: config-guess-sub-update.diff BuildRoot: %{_tmppath}/%{name}-%{version}-build +Provides: cdparano = %{version} +Obsoletes: cdparano < %{version} +BuildRequires: autoconf BuildRequires: automake %package -n libcdda_interface0 @@ -89,19 +90,19 @@ %prep %setup -q -n cdparanoia-%{filever} -%patch1 -#%patch2 +%patch1 -p1 +%patch2 %patch3 +%patch4 %patch10 -p1 %patch11 -p1 %patch12 -p1 -%patch13 -p1 %patch14 %build -autoreconf +autoreconf -vi %configure -make +make OPT="%{optflags}" %{?_smp_mflags} %install make prefix=%{buildroot}%{_prefix} \ @@ -113,12 +114,6 @@ JAPN_MANDIR=%{buildroot}%{_mandir}/ja/man1 mkdir -p $JAPN_MANDIR install -m644 cdparanoia.1.jp $JAPN_MANDIR/cdparanoia.1 -# do not package static libraries. -rm %{buildroot}%{_libdir}/libcdda_interface.a -rm %{buildroot}%{_libdir}/libcdda_paranoia.a - -%clean -rm -rf %{buildroot} %post -n libcdda_interface0 -p /sbin/ldconfig ++++++ 010_build_system.patch ++++++ Fix build system to be usable by compiling shared libs as -fPIC and using DESTDIR for installing. Patch by Samuli Suominen <ssuominen AT gentoo.org> and Alexis Ballier <aballier AT gentoo.org>. See, http://trac.xiph.org/ticket/1368 (upstream bug) diff -ur cdparanoia-III-10.2.orig/interface/Makefile.in cdparanoia-III-10.2/interface/Makefile.in --- cdparanoia-III-10.2.orig/interface/Makefile.in 2008-08-21 19:08:54.000000000 +0300 +++ cdparanoia-III-10.2/interface/Makefile.in 2009-06-20 20:43:39.000000000 +0300 @@ -10,6 +10,7 @@ FLAGS=@SBPCD_H@ @UCDROM_H@ @TYPESIZES@ @CFLAGS@ OPT=@OPT@ $(FLAGS) DEBUG=@DEBUG@ -DCDDA_TEST +LIBFLAGS = -fPIC CC=@CC@ LD=@CC@ LDFLAGS=@LDFLAGS@ $(FLAGS) @@ -20,6 +21,8 @@ OFILES = scan_devices.o common_interface.o cooked_interface.o interface.o\ scsi_interface.o smallft.o toc.o test_interface.o +LOFILES = scan_devices.lo common_interface.lo cooked_interface.lo interface.lo\ + scsi_interface.lo smallft.lo toc.lo test_interface.lo export VERSION @@ -32,8 +35,7 @@ $(MAKE) libcdda_interface.a CFLAGS="$(OPT)" slib: - $(MAKE) lessmessy - $(MAKE) libcdda_interface.so CFLAGS="$(OPT) -fpic" + $(MAKE) libcdda_interface.so CFLAGS="$(OPT)" [ -e libcdda_interface.so.0 ] || ln -s libcdda_interface.so libcdda_interface.so.0 test: @@ -45,14 +47,17 @@ $(AR) -r libcdda_interface.a $(OFILES) $(RANLIB) libcdda_interface.a -libcdda_interface.so: $(OFILES) - $(CC) -fpic -shared -o libcdda_interface.so.0.$(VERSION) -Wl,-soname -Wl,libcdda_interface.so.0 $(OFILES) $(LIBS) +libcdda_interface.so: $(LOFILES) + $(CC) $(LDFLAGS) $(LIBFLAGS) -shared -o libcdda_interface.so.0.$(VERSION) -Wl,-soname -Wl,libcdda_interface.so.0 $(LOFILES) $(LIBS) [ -e libcdda_interface.so.0 ] || ln -s libcdda_interface.so.0.$(VERSION) libcdda_interface.so.0 [ -e libcdda_interface.so ] || ln -s libcdda_interface.so.0.$(VERSION) libcdda_interface.so .c.o: $(CC) $(CFLAGS) -c $< +%.lo: %.c + $(CC) $(CFLAGS) $(LIBFLAGS) -c $< -o $@ + lessmessy: -rm -f *.o core *~ *.out diff -ur cdparanoia-III-10.2.orig/Makefile.in cdparanoia-III-10.2/Makefile.in --- cdparanoia-III-10.2.orig/Makefile.in 2008-09-11 23:33:30.000000000 +0300 +++ cdparanoia-III-10.2/Makefile.in 2009-06-20 20:43:17.000000000 +0300 @@ -63,28 +63,28 @@ cd paranoia && $(MAKE) slib install: - $(INSTALL) -d -m 0755 $(BINDIR) - $(INSTALL) -m 755 $(srcdir)/cdparanoia $(BINDIR) - $(INSTALL) -d -m 0755 $(MANDIR) - $(INSTALL) -d -m 0755 $(MANDIR)/man1 - $(INSTALL) -m 0644 $(srcdir)/cdparanoia.1 $(MANDIR)/man1 - $(INSTALL) -d -m 0755 $(INCLUDEDIR) - $(INSTALL) -m 0644 $(srcdir)/paranoia/cdda_paranoia.h $(INCLUDEDIR) - $(INSTALL) -d -m 0755 $(LIBDIR) - $(INSTALL) -m 0644 $(srcdir)/paranoia/libcdda_paranoia.so.0.$(VERSION) $(LIBDIR) - $(INSTALL) -m 0644 $(srcdir)/paranoia/libcdda_paranoia.a $(LIBDIR) - $(INSTALL) -m 0644 $(srcdir)/interface/cdda_interface.h $(INCLUDEDIR) - $(INSTALL) -m 0644 $(srcdir)/interface/libcdda_interface.so.0.$(VERSION) $(LIBDIR) - $(INSTALL) -m 0644 $(srcdir)/interface/libcdda_interface.a $(LIBDIR) - $(INSTALL) -m 0644 $(srcdir)/utils.h $(INCLUDEDIR) + $(INSTALL) -d -m 0755 $(DESTDIR)$(BINDIR) + $(INSTALL) -m 755 $(srcdir)/cdparanoia $(DESTDIR)$(BINDIR) + $(INSTALL) -d -m 0755 $(DESTDIR)$(MANDIR) + $(INSTALL) -d -m 0755 $(DESTDIR)$(MANDIR)/man1 + $(INSTALL) -m 0644 $(srcdir)/cdparanoia.1 $(DESTDIR)$(MANDIR)/man1 + $(INSTALL) -d -m 0755 $(DESTDIR)$(INCLUDEDIR) + $(INSTALL) -m 0644 $(srcdir)/paranoia/cdda_paranoia.h $(DESTDIR)$(INCLUDEDIR) + $(INSTALL) -d -m 0755 $(DESTDIR)$(LIBDIR) + $(INSTALL) -m 0644 $(srcdir)/paranoia/libcdda_paranoia.so.0.$(VERSION) $(DESTDIR)$(LIBDIR) + $(INSTALL) -m 0644 $(srcdir)/paranoia/libcdda_paranoia.a $(DESTDIR)$(LIBDIR) + $(INSTALL) -m 0644 $(srcdir)/interface/cdda_interface.h $(DESTDIR)$(INCLUDEDIR) + $(INSTALL) -m 0644 $(srcdir)/interface/libcdda_interface.so.0.$(VERSION) $(DESTDIR)$(LIBDIR) + $(INSTALL) -m 0644 $(srcdir)/interface/libcdda_interface.a $(DESTDIR)$(LIBDIR) + $(INSTALL) -m 0644 $(srcdir)/utils.h $(DESTDIR)$(INCLUDEDIR) ln -fs libcdda_interface.so.0.$(VERSION) \ - $(LIBDIR)/libcdda_interface.so.0 + $(DESTDIR)$(LIBDIR)/libcdda_interface.so.0 ln -fs libcdda_interface.so.0.$(VERSION) \ - $(LIBDIR)/libcdda_interface.so + $(DESTDIR)$(LIBDIR)/libcdda_interface.so ln -fs libcdda_paranoia.so.0.$(VERSION) \ - $(LIBDIR)/libcdda_paranoia.so.0 + $(DESTDIR)$(LIBDIR)/libcdda_paranoia.so.0 ln -fs libcdda_paranoia.so.0.$(VERSION) \ - $(LIBDIR)/libcdda_paranoia.so + $(DESTDIR)$(LIBDIR)/libcdda_paranoia.so cdparanoia: $(OFILES) $(LIBDEP) $(LD) $(CFLAGS) $(LDFLAGS) $(OFILES) \ diff -ur cdparanoia-III-10.2.orig/paranoia/Makefile.in cdparanoia-III-10.2/paranoia/Makefile.in --- cdparanoia-III-10.2.orig/paranoia/Makefile.in 2008-09-04 22:02:47.000000000 +0300 +++ cdparanoia-III-10.2/paranoia/Makefile.in 2009-06-20 20:43:39.000000000 +0300 @@ -11,6 +11,7 @@ FLAGS=@TYPESIZES@ @CFLAGS@ OPT=@OPT@ $(FLAGS) DEBUG=@DEBUG@ +LIBFLAGS = -fPIC CC=@CC@ LD=@CC@ LDFLAGS=@LDFLAGS@ $(FLAGS) @@ -20,8 +21,9 @@ OFILES = paranoia.o p_block.o overlap.o gap.o isort.o #TFILES = isort.t gap.t p_block.t paranoia.t +LOFILES = paranoia.lo p_block.lo overlap.lo gap.lo isort.lo -LIBS = ../interface/libcdda_interface.a -lm +LIBS = ../interface/libcdda_interface.so -lm export VERSION all: lib slib @@ -33,8 +35,7 @@ $(MAKE) libcdda_paranoia.a CFLAGS="$(OPT)" slib: - $(MAKE) lessmessy - $(MAKE) libcdda_paranoia.so CFLAGS="$(OPT) -fpic" + $(MAKE) libcdda_paranoia.so CFLAGS="$(OPT)" #test: $(TFILES) # @@ -43,14 +44,17 @@ $(AR) -r libcdda_paranoia.a $(OFILES) $(RANLIB) libcdda_paranoia.a -libcdda_paranoia.so: $(OFILES) - $(CC) -fpic -shared -o libcdda_paranoia.so.0.$(VERSION) -Wl,-soname -Wl,libcdda_paranoia.so.0 $(OFILES) -L ../interface -lcdda_interface +libcdda_paranoia.so: $(LOFILES) + $(CC) $(LDFLAGS) $(LIBSFLAGS) -shared -o libcdda_paranoia.so.0.$(VERSION) -Wl,-soname -Wl,libcdda_paranoia.so.0 $(LOFILES) -L ../interface -lcdda_interface [ -e libcdda_paranoia.so.0 ] || ln -s libcdda_paranoia.so.0.$(VERSION) libcdda_paranoia.so.0 [ -e libcdda_paranoia.so ] || ln -s libcdda_paranoia.so.0.$(VERSION) libcdda_paranoia.so .c.o: $(CC) $(CFLAGS) -c $< +%.lo: %.c + $(CC) $(CFLAGS) $(LIBFLAGS) -c $< -o $@ + .c.t: $(CC) -g -DTEST $(DEBUG) -o $@ $< $(LIBS) $@ ++++++ 050_all_build_only_shared_libraries.patch ++++++ --- Makefile.in +++ Makefile.in @@ -41,8 +41,8 @@ all: - cd interface && $(MAKE) all - cd paranoia && $(MAKE) all + cd interface && $(MAKE) slib + cd paranoia && $(MAKE) slib $(MAKE) cdparanoia CFLAGS="$(OPT)" debug: @@ -72,10 +72,10 @@ $(INSTALL) -m 0644 $(srcdir)/paranoia/cdda_paranoia.h $(DESTDIR)$(INCLUDEDIR) $(INSTALL) -d -m 0755 $(DESTDIR)$(LIBDIR) $(INSTALL) -m 0644 $(srcdir)/paranoia/libcdda_paranoia.so.0.$(VERSION) $(DESTDIR)$(LIBDIR) - $(INSTALL) -m 0644 $(srcdir)/paranoia/libcdda_paranoia.a $(DESTDIR)$(LIBDIR) + -$(INSTALL) -m 0644 $(srcdir)/paranoia/libcdda_paranoia.a $(DESTDIR)$(LIBDIR) $(INSTALL) -m 0644 $(srcdir)/interface/cdda_interface.h $(DESTDIR)$(INCLUDEDIR) $(INSTALL) -m 0644 $(srcdir)/interface/libcdda_interface.so.0.$(VERSION) $(DESTDIR)$(LIBDIR) - $(INSTALL) -m 0644 $(srcdir)/interface/libcdda_interface.a $(DESTDIR)$(LIBDIR) + -$(INSTALL) -m 0644 $(srcdir)/interface/libcdda_interface.a $(DESTDIR)$(LIBDIR) $(INSTALL) -m 0644 $(srcdir)/utils.h $(DESTDIR)$(INCLUDEDIR) ln -fs libcdda_interface.so.0.$(VERSION) \ $(DESTDIR)$(LIBDIR)/libcdda_interface.so.0 -- To unsubscribe, e-mail: opensuse-commit+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-commit+help(a)opensuse.org

1 0

commit ca-certificates-mozilla for openSUSE:Factory
by root＠hilbert.suse.de 07 Nov '13

07 Nov '13

Hello community, here is the log from the commit of package ca-certificates-mozilla for openSUSE:Factory checked in at 2013-11-07 08:34:02 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/ca-certificates-mozilla (Old) and /work/SRC/openSUSE:Factory/.ca-certificates-mozilla.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "ca-certificates-mozilla" Changes: -------- --- /work/SRC/openSUSE:Factory/ca-certificates-mozilla/ca-certificates-mozilla.changes 2013-08-30 11:33:03.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.ca-certificates-mozilla.new/ca-certificates-mozilla.changes 2013-11-07 08:34:03.000000000 +0100 @@ -1,0 +2,36 @@ +Tue Oct 29 13:52:16 UTC 2013 - meissner(a)suse.com + +- Updated to 1.94 + * new: CA_Disig_Root_R1:2.9.0.195.3.154.238.80.144.110.40.crt + server auth, code signing, email signing + * new: CA_Disig_Root_R2:2.9.0.146.184.136.219.176.138.193.99.crt + server auth, code signing, email signing + * new: China_Internet_Network_Information_Center_EV_Certificates_Root:2.4.72.159.0.1.crt + server auth + * changed: Digital_Signature_Trust_Co._Global_CA_1:2.4.54.112.21.150.crt + removed code signing and server auth abilities + * changed: Digital_Signature_Trust_Co._Global_CA_3:2.4.54.110.211.206.crt + removed code signing and server auth abilities + * new: D-TRUST_Root_Class_3_CA_2_2009:2.3.9.131.243.crt + server auth + * new: D-TRUST_Root_Class_3_CA_2_EV_2009:2.3.9.131.244.crt + server auth + * removed: Entrust.net_Premium_2048_Secure_Server_CA:2.4.56.99.185.102.crt + * new: Entrust.net_Premium_2048_Secure_Server_CA:2.4.56.99.222.248.crt + I think the missing flags were adjusted. + * removed: Equifax_Secure_eBusiness_CA_2:2.4.55.112.207.181.crt + * new: PSCProcert:2.1.11.crt + server auth, code signing, email signing + * new: Swisscom_Root_CA_2:2.16.30.158.40.232.72.242.229.239.195.124.74.30.90.24.103.182.crt + server auth, code signing, email signing + * new: Swisscom_Root_EV_CA_2:2.17.0.242.250.100.226.116.99.211.141.253.16.29.4.31.118.202.88.crt + server auth, code signing + * changed: TC_TrustCenter_Universal_CA_III:2.14.99.37.0.1.0.2.20.141.51.21.2.228.108.244.crt + removed all abilities + * new: TURKTRUST_Certificate_Services_Provider_Root_2007:2.1.1.crt + server auth, code signing + * changed: TWCA_Root_Certification_Authority:2.1.1.crt + added code signing ability +- removed temporary Entrust.net_Premium_2048_Secure_Server_CA.p11-kit override. + +------------------------------------------------------------------- Old: ---- Entrust.net_Premium_2048_Secure_Server_CA.p11-kit ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ ca-certificates-mozilla.spec ++++++ --- /var/tmp/diff_new_pack.kQkFw5/_old 2013-11-07 08:34:04.000000000 +0100 +++ /var/tmp/diff_new_pack.kQkFw5/_new 2013-11-07 08:34:04.000000000 +0100 @@ -26,7 +26,7 @@ Name: ca-certificates-mozilla # Version number is NSS_BUILTINS_LIBRARY_VERSION in this file: # https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/n… -Version: 1.93 +Version: 1.94 Release: 0 Summary: CA certificates for OpenSSL License: MPL-2.0 @@ -48,11 +48,6 @@ Source10: certdata2pem.py Source11: %{name}.COPYING Source12: compareoldnew -# make p11-kit think there are basic constraints in the Entrust -# cert (https://bugs.freedesktop.org/show_bug.cgi?id=62064) -# Remove after the updated cert is accepted into NSS -# https://bugzilla.mozilla.org/show_bug.cgi?id=694536 -Source99: Entrust.net_Premium_2048_Secure_Server_CA.p11-kit BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildArch: noarch # for update-ca-certificates @@ -104,7 +99,7 @@ openssl x509 -in "$i" "${args[@]}" } > "%{buildroot}/%{trustdir_static}$d/${i%%:*}.pem" done -for i in *.p11-kit %{SOURCE99}; do +for i in *.p11-kit ; do install -m 644 "$i" "%{buildroot}/%{trustdir_static}" done set -x ++++++ certdata.txt ++++++ ++++ 1838 lines (skipped) ++++ between /work/SRC/openSUSE:Factory/ca-certificates-mozilla/certdata.txt ++++ and /work/SRC/openSUSE:Factory/.ca-certificates-mozilla.new/certdata.txt ++++++ nssckbi.h ++++++ --- /var/tmp/diff_new_pack.kQkFw5/_old 2013-11-07 08:34:04.000000000 +0100 +++ /var/tmp/diff_new_pack.kQkFw5/_new 2013-11-07 08:34:04.000000000 +0100 @@ -45,8 +45,8 @@ * of the comment in the CK_VERSION type definition. */ #define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 1 -#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 93 -#define NSS_BUILTINS_LIBRARY_VERSION "1.93" +#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 94 +#define NSS_BUILTINS_LIBRARY_VERSION "1.94" /* These version numbers detail the semantic changes to the ckfw engine. */ #define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1 -- To unsubscribe, e-mail: opensuse-commit+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-commit+help(a)opensuse.org

1 0

commit apache2-mod_fcgid for openSUSE:Factory
by root＠hilbert.suse.de 07 Nov '13

07 Nov '13

Hello community, here is the log from the commit of package apache2-mod_fcgid for openSUSE:Factory checked in at 2013-11-07 08:33:56 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/apache2-mod_fcgid (Old) and /work/SRC/openSUSE:Factory/.apache2-mod_fcgid.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "apache2-mod_fcgid" Changes: -------- --- /work/SRC/openSUSE:Factory/apache2-mod_fcgid/apache2-mod_fcgid.changes 2013-03-12 22:36:29.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.apache2-mod_fcgid.new/apache2-mod_fcgid.changes 2013-11-07 08:33:57.000000000 +0100 @@ -1,0 +2,23 @@ +Wed Nov 6 14:03:05 CET 2013 - draht(a)suse.de + +- update to 2.3.9: + + obsoletes apache2-mod_fcgid-CVE-2013-4365-bnc844935.diff + and fixes CVE-2013-4365 [bnc#844935] (heap overflow). + The heap overflow discovery and fix was done by + Robert Matthews <rob tigertech.com>. + + quoting and spaces parsing correction for FcgidWrapper directive + and commandline options. + + logging improvements for access controls + + remove redundant processing of Location headers when running in + FCGI_AUTHORIZER mode + +------------------------------------------------------------------- +Mon Oct 21 15:05:29 CEST 2013 - draht(a)suse.de + +- Intermediate fix for openSUSE:Factory eg. openSUSE:13.1: + apache2-mod_fcgid-CVE-2013-4365-bnc844935.diff fixes a heap + overflow identified by CVE-2013-4365 [bnc#844935]. + This patch will be obsoleted by the next version update (to + 2.3.9 or higher). + +------------------------------------------------------------------- Old: ---- mod_fcgid-2.3.7.tar.bz2 New: ---- mod_fcgid-2.3.9.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ apache2-mod_fcgid.spec ++++++ --- /var/tmp/diff_new_pack.JRrJbV/_old 2013-11-07 08:33:58.000000000 +0100 +++ /var/tmp/diff_new_pack.JRrJbV/_new 2013-11-07 08:33:58.000000000 +0100 @@ -27,7 +27,7 @@ %define apache_sysconfdir %(%{apxs} -q SYSCONFDIR) %define apache_mmn %(MMN=$(%{apxs} -q LIBEXECDIR)_MMN; test -x $MMN && $MMN) # -Version: 2.3.7 +Version: 2.3.9 Release: 0 # # @@ -46,12 +46,13 @@ Group: Productivity/Networking/Web/Servers %description -What is mod_fcgid? It is a binary compatibility alternative to Apache +A binary compatibile alternative to the Apache module mod_fastcgi. -mod_fcgid has a new process management strategy, which concentrates on -reducing the number of fastcgi server, and kick out the corrupt fastcgi -server as soon as possible. +The module implements an efficient process pool management for external +CGI program invocation. The pool of CGI programs is mapped against the +pool of apache workers in such way that there is always a weighted number +of programs waiting for requests in the pool. To load the module into Apache, run the command "a2enmod fcgid" as root. ++++++ mod_fcgid-2.3.7.tar.bz2 -> mod_fcgid-2.3.9.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mod_fcgid-2.3.7/CHANGES-FCGID new/mod_fcgid-2.3.9/CHANGES-FCGID --- old/mod_fcgid-2.3.7/CHANGES-FCGID 2012-04-10 06:27:08.000000000 +0200 +++ new/mod_fcgid-2.3.9/CHANGES-FCGID 2013-10-04 03:53:35.000000000 +0200 @@ -1,4 +1,35 @@ -*- coding: utf-8 -*- +Changes with mod_fcgid 2.3.9 + + *) Revert fix for PR 53693, added in 2.3.8 but undocumented. Fix + issues with a minor optimization added in 2.3.8. [Jeff Trawick] + +Changes with mod_fcgid 2.3.8 + + *) SECURITY: CVE-2013-4365 (cve.mitre.org) + Fix possible heap buffer overwrite. Reported and solved by: + [Robert Matthews <rob tigertech.com>] + + *) Add experimental cmake-based build system for Windows. [Jeff Trawick] + + *) Correctly parse quotation and escaped spaces in FcgidWrapper and the + AAA Authenticator/Authorizor/Access directives' command line argument, + as currently documented. PR 51194 [William Rowe] + + *) Honor quoted FcgidCmdOptions arguments (notably for InitialEnv + assignments). PR 51657 [William Rowe] + + *) Conform script response parsing with mod_cgid and ensure no response + body is sent when ap_meets_conditions() determines that request + conditions are met. [Chris Darroch] + + *) Improve logging in access control hook functions. [Chris Darroch] + + *) Avoid making internal sub-requests and processing Location headers + when in FCGI_AUTHORIZER mode, as the auth hook functions already + treat Location headers returned by scripts as an error since + redirections are not meaningful in this mode. [Chris Darroch] + Changes with mod_fcgid 2.3.7 *) Introduce FcgidWin32PreventOrphans directive on Windows to use OS diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mod_fcgid-2.3.7/NOTICE-FCGID new/mod_fcgid-2.3.9/NOTICE-FCGID --- old/mod_fcgid-2.3.7/NOTICE-FCGID 2012-01-21 23:49:25.000000000 +0100 +++ new/mod_fcgid-2.3.9/NOTICE-FCGID 2013-09-29 19:42:30.000000000 +0200 @@ -1,5 +1,5 @@ Apache HTTP Server mod_fcgid -Copyright 2012 The Apache Software Foundation +Copyright 2013 The Apache Software Foundation This product includes software developed at The Apache Software Foundation (http://www.apache.org/). diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mod_fcgid-2.3.7/README-FCGID new/mod_fcgid-2.3.9/README-FCGID --- old/mod_fcgid-2.3.7/README-FCGID 2009-10-07 06:06:48.000000000 +0200 +++ new/mod_fcgid-2.3.9/README-FCGID 2013-09-19 16:43:42.000000000 +0200 @@ -30,6 +30,8 @@ Win32 Build Instructions ------------------------ +1. Win32 build based on Visual Studio + The windows packages prior to 2.2.7 (or 2.0.62) left out the file include\mod_log_config.h, just copy these from the source tree or you can export them from subversion, just change to your @@ -90,6 +92,35 @@ lines in Makefile.win, or you must manually copy the .so module from modules\fcgid\Release after compiling. +2. Win32 build based on cmake: + +Note: This support is experimental and may not build mod_fcgid in a + manner compatible with the existing Windows build support. The + build interfaces may change as feedback is received and bugs are + resolved. Currently a .conf file is not created. + +Install httpd and APR to a common prefix, and point CMAKE_INSTALL_PREFIX +to that prefix when configuring mod_fcgid. + +Example using the "NMake Makefiles" generator from a Visual Studio command +prompt: + + cd some-build-directory + cmake -G "NMake Makefiles" ^ + -DCMAKE_INSTALL_PREFIX=C:\Apache246 ^ + -DCMAKE_BUILD_TYPE=RelWithDebInfo ^ + C:\path\to\fcgid-sources\modules\fcgid + nmake && nmake install + +The last argument to cmake in the example is the directory "modules\fcgid" +within your svn checkout or tarball/zip extract of mod_fcgid. + +Add -DINSTALL_PDB=OFF to the cmake invocation to leave mod_fcgid.pdb (if +generated) in the build directory. + +Add the following LoadModule directive to your configuration: + + LoadModule fcgid_module modules/mod_fcgid.so Documentation Build ------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mod_fcgid-2.3.7/STATUS-FCGID new/mod_fcgid-2.3.9/STATUS-FCGID --- old/mod_fcgid-2.3.7/STATUS-FCGID 2012-04-17 15:54:08.000000000 +0200 +++ new/mod_fcgid-2.3.9/STATUS-FCGID 2013-10-04 22:59:58.000000000 +0200 @@ -1,5 +1,5 @@ MOD_FCGID STATUS: -*-text-*- -Last modified at [$Date: 2012-04-17 13:54:08 +0000 (Tue, 17 Apr 2012) $] +Last modified at [$Date: 2013-10-04 20:59:58 +0000 (Fri, 04 Oct 2013) $] The current version of this file can be found at: @@ -14,8 +14,10 @@ [NOTE that x.{odd}.z versions are strictly Alpha/Beta releases, while x.{even}.z versions are Stable/GA releases.] - 2.3.8 : in development - 2.3.7 : tagged April 17, 2012 + 2.3.10 : in development + 2.3.9 : tagged October 4, 2013 + 2.3.8 : not released + 2.3.7 : released April 23, 2012 2.3.6 : released November 6, 2010 2.3.5 : released January 28, 2010 2.3.4 : released October 15, 2009 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mod_fcgid-2.3.7/modules/fcgid/CMakeLists.txt new/mod_fcgid-2.3.9/modules/fcgid/CMakeLists.txt --- old/mod_fcgid-2.3.7/modules/fcgid/CMakeLists.txt 1970-01-01 01:00:00.000000000 +0100 +++ new/mod_fcgid-2.3.9/modules/fcgid/CMakeLists.txt 2013-09-19 16:43:42.000000000 +0200 @@ -0,0 +1,56 @@ +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# Read the section on cmake builds in README-FCGID. + +PROJECT(mod_fcgid C) + +CMAKE_MINIMUM_REQUIRED(VERSION 2.8) + +IF(NOT EXISTS ${CMAKE_INSTALL_PREFIX}/lib/libhttpd.lib) + MESSAGE(FATAL_ERROR "libhttpd.lib was not found in prefix ${CMAKE_INSTALL_PREFIX}") +ENDIF() + +# Select APR trunk (libapr-2.lib) if it exists in PREFIX/lib; otherwise, select +# APR 1.x + APR-util 1.x +IF(EXISTS "${CMAKE_INSTALL_PREFIX}/lib/libapr-2.lib") + SET(apr_libraries + ${CMAKE_INSTALL_PREFIX}/lib/libapr-2.lib) +ELSEIF(EXISTS "${CMAKE_INSTALL_PREFIX}/lib/libapr-1.lib") + SET(apr_libraries + ${CMAKE_INSTALL_PREFIX}/lib/libapr-1.lib + ${CMAKE_INSTALL_PREFIX}/lib/libaprutil-1.lib) +ELSE() + MESSAGE(FATAL_ERROR "APR libraries were not found in prefix ${CMAKE_INSTALL_PREFIX}") +ENDIF() + +# Misc. options +OPTION(INSTALL_PDB "Install .pdb file (if generated)" ON) + +SET(mod_fcgid_sources + fcgid_bridge.c fcgid_bucket.c fcgid_conf.c fcgid_filter.c + fcgid_pm_main.c fcgid_pm_win.c fcgid_proc_win.c fcgid_proctbl_win.c + fcgid_protocol.c fcgid_spawn_ctl.c mod_fcgid.c mod_fcgid.rc +) +INCLUDE_DIRECTORIES(${CMAKE_INSTALL_PREFIX}/include) +ADD_LIBRARY(mod_fcgid SHARED ${mod_fcgid_sources}) +# magic base address taken from traditional Windows build +SET_TARGET_PROPERTIES(mod_fcgid PROPERTIES SUFFIX .so LINK_FLAGS /base:0x46430000) +TARGET_LINK_LIBRARIES(mod_fcgid ${CMAKE_INSTALL_PREFIX}/lib/libhttpd.lib ${apr_libraries}) +INSTALL(TARGETS mod_fcgid RUNTIME DESTINATION modules) +IF(INSTALL_PDB) + INSTALL(FILES ${CMAKE_BINARY_DIR}/mod_fcgid.pdb DESTINATION modules + CONFIGURATIONS RelWithDebInfo Debug) +ENDIF() diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mod_fcgid-2.3.7/modules/fcgid/fcgid_bridge.c new/mod_fcgid-2.3.9/modules/fcgid/fcgid_bridge.c --- old/mod_fcgid-2.3.7/modules/fcgid/fcgid_bridge.c 2012-04-17 14:58:29.000000000 +0200 +++ new/mod_fcgid-2.3.9/modules/fcgid/fcgid_bridge.c 2013-10-04 03:48:20.000000000 +0200 @@ -316,7 +316,46 @@ /* Check the script header first; return immediately on error. */ if ((cond_status = ap_scan_script_header_err_core(r, sbuf, getsfunc_fcgid_BRIGADE, - brigade_stdout)) >= 400) { + brigade_stdout))) { + /* + * cond_status could be HTTP_NOT_MODIFIED in the case that the FCGI + * script does not set an explicit status and ap_meets_conditions, + * which is called by ap_scan_script_header_err_brigade, detects that + * the conditions of the requests are met and the response is + * not modified. + * In this case set r->status and return OK in order to prevent + * running through the error processing stack as this would + * break with mod_cache, if the conditions had been set by + * mod_cache itself to validate a stale entity. + * BTW: We circumvent the error processing stack anyway if the + * FCGI script set an explicit status code (whatever it is) and + * the only possible values for cond_status here are: + * + * HTTP_NOT_MODIFIED (set by ap_meets_conditions) + * HTTP_PRECONDITION_FAILED (set by ap_meets_conditions) + * HTTP_GATEWAY_TIME_OUT (script timed out, returned no headers) + * HTTP_INTERNAL_SERVER_ERROR (if something went wrong during the + * processing of the response of the FCGI script, e.g broken headers + * or a crashed FCGI process). + */ + if (cond_status == HTTP_NOT_MODIFIED) { + /* We need to remove our fcgid_filter before returning this + * status and code; otherwise, when ap_process_async_request() + * invokes ap_finalize_request_protocol() and that calls + * ap_pass_brigade(), fcgid_filter notices it has an empty + * brigade and returns without calling ap_pass_brigade() itself, + * which incorrectly circumvents the standard output filters. + */ + ap_remove_output_filter(r->output_filters); + + r->status = cond_status; + return OK; + } + + return cond_status; + } + + if (role == FCGI_AUTHORIZER) { return cond_status; } @@ -336,20 +375,34 @@ */ apr_table_unset(r->headers_in, "Content-Length"); + /* Setting this Location header value causes handle_request() to + * invoke ap_internal_redirect_handler(); that calls + * internal_internal_redirect() which sets the new sub-request's + * r->output_filters back to r->proto_output_filters before + * running the sub-request's handler. Because we return here + * without invoking ap_pass_brigade(), our fcgid_filter is ignored. + */ *location_ptr = location; - return HTTP_OK; + return OK; } else if (location && r->status == 200) { /* XX Note that if a script wants to produce its own Redirect * body, it now has to explicitly *say* "Status: 302" */ + + /* This return code causes ap_process_async_request() to invoke + * ap_die(); that calls ap_send_error_response(), which resets + * r->output_filters back to r->proto_output_filters, thus removing + * our fcgid_filter from the output chain before making a final call + * to ap_finalize_request_protocol(), which passes the brigade to + * the standard output filters. + */ return HTTP_MOVED_TEMPORARILY; } - /* Now pass to output filter */ - if (role == FCGI_RESPONDER - && (rv = ap_pass_brigade(r->output_filters, - brigade_stdout)) != APR_SUCCESS) { + /* Now pass any remaining response body data to output filters */ + if ((rv = ap_pass_brigade(r->output_filters, + brigade_stdout)) != APR_SUCCESS) { if (!APR_STATUS_IS_ECONNABORTED(rv)) { ap_log_rerror(APLOG_MARK, APLOG_WARNING, rv, r, "mod_fcgid: ap_pass_brigade failed in " @@ -376,14 +429,12 @@ bucket_ctx->ipc.request = r; apr_pool_cleanup_register(r->pool, bucket_ctx, bucket_ctx_cleanup, apr_pool_cleanup_null); + procmgr_init_spawn_cmd(&fcgi_request, r, cmd_conf); /* Try to get a connected ipc handle */ for (i = 0; i < FCGID_REQUEST_COUNT; i++) { /* Apply a free process slot, send a spawn request if I can't get one */ for (j = 0; j < FCGID_APPLY_TRY_COUNT; j++) { - /* Init spawn request */ - procmgr_init_spawn_cmd(&fcgi_request, r, cmd_conf); - bucket_ctx->ipc.connect_timeout = fcgi_request.cmdopts.ipc_connect_timeout; bucket_ctx->ipc.communation_timeout = @@ -406,7 +457,7 @@ } /* Send a spawn request if I can't get a process slot */ - procmgr_post_spawn_cmd(&fcgi_request, r); + procmgr_send_spawn_cmd(&fcgi_request, r); } /* Connect to the fastcgi server */ @@ -466,7 +517,7 @@ ap_internal_redirect_handler(location, r); } - /* Retrun condition status */ + /* Return condition status */ return cond_status; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mod_fcgid-2.3.7/modules/fcgid/fcgid_bucket.c new/mod_fcgid-2.3.9/modules/fcgid/fcgid_bucket.c --- old/mod_fcgid-2.3.7/modules/fcgid/fcgid_bucket.c 2010-11-04 13:10:10.000000000 +0100 +++ new/mod_fcgid-2.3.9/modules/fcgid/fcgid_bucket.c 2013-09-29 19:40:47.000000000 +0200 @@ -112,10 +112,12 @@ if (header.type == FCGI_STDERR) { char *logbuf = apr_bucket_alloc(APR_BUCKET_BUFF_SIZE, b->list); char *line; + apr_size_t hasput; memset(logbuf, 0, APR_BUCKET_BUFF_SIZE); hasread = 0; + hasput = 0; while (hasread < bodysize) { char *buffer; apr_size_t bufferlen, canput, willput; @@ -130,9 +132,10 @@ canput = fcgid_min(bufferlen, bodysize - hasread); willput = - fcgid_min(canput, APR_BUCKET_BUFF_SIZE - hasread - 1); - memcpy(logbuf + hasread, buffer, willput); + fcgid_min(canput, APR_BUCKET_BUFF_SIZE - hasput - 1); + memcpy(logbuf + hasput, buffer, willput); hasread += canput; + hasput += willput; /* Ignore the "canput" bytes */ fcgid_ignore_bytes(ctx, canput); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mod_fcgid-2.3.7/modules/fcgid/fcgid_conf.c new/mod_fcgid-2.3.9/modules/fcgid/fcgid_conf.c --- old/mod_fcgid-2.3.7/modules/fcgid/fcgid_conf.c 2012-04-11 03:16:03.000000000 +0200 +++ new/mod_fcgid-2.3.9/modules/fcgid/fcgid_conf.c 2013-09-17 13:08:37.000000000 +0200 @@ -621,9 +621,16 @@ apr_status_t rv; apr_finfo_t finfo; fcgid_dir_conf *dirconfig = (fcgid_dir_conf *) config; + char **args; + + /* Get wrapper path */ + apr_tokenize_to_argv(authenticator, &args, cmd->temp_pool); + + if (*args == NULL || **args == '\0') + return "Invalid authenticator config"; /* Fetch only required file details inode + device */ - if ((rv = apr_stat(&finfo, authenticator, APR_FINFO_IDENT, + if ((rv = apr_stat(&finfo, args[0], APR_FINFO_IDENT, cmd->temp_pool)) != APR_SUCCESS) { return missing_file_msg(cmd->pool, "Authenticator", authenticator, rv); } @@ -632,10 +639,8 @@ dirconfig->authenticator_info = apr_pcalloc(cmd->server->process->pconf, sizeof(*dirconfig->authenticator_info)); - dirconfig->authenticator_info->cgipath = - apr_pstrdup(cmd->pool, authenticator); - dirconfig->authenticator_info->cmdline = - dirconfig->authenticator_info->cgipath; + dirconfig->authenticator_info->cgipath = apr_pstrdup(cmd->pool, args[0]); + dirconfig->authenticator_info->cmdline = authenticator; dirconfig->authenticator_info->inode = finfo.inode; dirconfig->authenticator_info->deviceid = finfo.device; return NULL; @@ -670,9 +675,16 @@ apr_status_t rv; apr_finfo_t finfo; fcgid_dir_conf *dirconfig = (fcgid_dir_conf *) config; + char **args; + + /* Get wrapper path */ + apr_tokenize_to_argv(authorizer, &args, cmd->temp_pool); + + if (*args == NULL || **args == '\0') + return "Invalid authorizer config"; /* Fetch only required file details inode + device */ - if ((rv = apr_stat(&finfo, authorizer, APR_FINFO_IDENT, + if ((rv = apr_stat(&finfo, args[0], APR_FINFO_IDENT, cmd->temp_pool)) != APR_SUCCESS) { return missing_file_msg(cmd->pool, "Authorizer", authorizer, rv); } @@ -681,10 +693,8 @@ dirconfig->authorizer_info = apr_pcalloc(cmd->server->process->pconf, sizeof(*dirconfig->authorizer_info)); - dirconfig->authorizer_info->cgipath = - apr_pstrdup(cmd->pool, authorizer); - dirconfig->authorizer_info->cmdline = - dirconfig->authorizer_info->cgipath; + dirconfig->authorizer_info->cgipath = apr_pstrdup(cmd->pool, args[0]); + dirconfig->authorizer_info->cmdline = authorizer; dirconfig->authorizer_info->inode = finfo.inode; dirconfig->authorizer_info->deviceid = finfo.device; return NULL; @@ -719,9 +729,16 @@ apr_status_t rv; apr_finfo_t finfo; fcgid_dir_conf *dirconfig = (fcgid_dir_conf *) config; + char **args; + + /* Get wrapper path */ + apr_tokenize_to_argv(access, &args, cmd->temp_pool); + + if (*args == NULL || **args == '\0') + return "Invalid access config"; /* Fetch only required file details inode + device */ - if ((rv = apr_stat(&finfo, access, APR_FINFO_IDENT, + if ((rv = apr_stat(&finfo, args[0], APR_FINFO_IDENT, cmd->temp_pool)) != APR_SUCCESS) { return missing_file_msg(cmd->pool, "Access checker", access, rv); } @@ -730,10 +747,8 @@ dirconfig->access_info = apr_pcalloc(cmd->server->process->pconf, sizeof(*dirconfig->access_info)); - dirconfig->access_info->cgipath = - apr_pstrdup(cmd->pool, access); - dirconfig->access_info->cmdline = - dirconfig->access_info->cgipath; + dirconfig->access_info->cgipath = apr_pstrdup(cmd->pool, args[0]); + dirconfig->access_info->cmdline = access; dirconfig->access_info->inode = finfo.inode; dirconfig->access_info->deviceid = finfo.device; return NULL; @@ -749,6 +764,18 @@ return NULL; } +fcgid_cmd_conf *get_access_info(request_rec * r, int *authoritative) +{ + fcgid_dir_conf *config = + ap_get_module_config(r->per_dir_config, &fcgid_module); + + if (config != NULL && config->access_info != NULL) { + *authoritative = config->access_authoritative; + return config->access_info; + } + + return NULL; +} #ifdef WIN32 /* FcgidWin32PreventOrphans @@ -814,29 +841,17 @@ } #endif /* WIN32*/ -fcgid_cmd_conf *get_access_info(request_rec * r, int *authoritative) -{ - fcgid_dir_conf *config = - ap_get_module_config(r->per_dir_config, &fcgid_module); - - if (config != NULL && config->access_info != NULL) { - *authoritative = config->access_authoritative; - return config->access_info; - } - - return NULL; -} - const char *set_wrapper_config(cmd_parms * cmd, void *dirconfig, const char *wrapper_cmdline, const char *extension, const char *virtual) { - const char *path, *tmp; + const char *path; apr_status_t rv; apr_finfo_t finfo; fcgid_cmd_conf *wrapper = NULL; fcgid_dir_conf *config = (fcgid_dir_conf *) dirconfig; + char **args; /* Sanity checks */ @@ -855,8 +870,9 @@ return "Invalid wrapper file extension"; /* Get wrapper path */ - tmp = wrapper_cmdline; - path = ap_getword_white(cmd->temp_pool, &tmp); + apr_tokenize_to_argv(wrapper_cmdline, &args, cmd->temp_pool); + path = apr_pstrdup(cmd->pool, args[0]); + if (path == NULL || *path == '\0') return "Invalid wrapper config"; @@ -994,14 +1010,14 @@ } while (*args) { - const char *option = ap_getword_white(cmd->pool, &args); + const char *option = ap_getword_conf(cmd->pool, &args); const char *val; /* TODO: Consider supporting BusyTimeout. */ if (!strcasecmp(option, "ConnectTimeout")) { - val = ap_getword_white(cmd->pool, &args); + val = ap_getword_conf(cmd->pool, &args); if (!strlen(val)) { return "ConnectTimeout must have an argument"; } @@ -1010,7 +1026,7 @@ } if (!strcasecmp(option, "IdleTimeout")) { - val = ap_getword_white(cmd->pool, &args); + val = ap_getword_conf(cmd->pool, &args); if (!strlen(val)) { return "IdleTimeout must have an argument"; } @@ -1022,7 +1038,7 @@ char *name; char *eql; - name = ap_getword_white(cmd->pool, &args); + name = ap_getword_conf(cmd->pool, &args); if (!strlen(name)) { return "InitialEnv must have an argument"; } @@ -1041,7 +1057,7 @@ } if (!strcasecmp(option, "IOTimeout")) { - val = ap_getword_white(cmd->pool, &args); + val = ap_getword_conf(cmd->pool, &args); if (!strlen(val)) { return "IOTimeout must have an argument"; } @@ -1050,7 +1066,7 @@ } if (!strcasecmp(option, "MaxProcesses")) { - val = ap_getword_white(cmd->pool, &args); + val = ap_getword_conf(cmd->pool, &args); if (!strlen(val)) { return "MaxProcesses must have an argument"; } @@ -1059,7 +1075,7 @@ } if (!strcasecmp(option, "MaxProcessLifetime")) { - val = ap_getword_white(cmd->pool, &args); + val = ap_getword_conf(cmd->pool, &args); if (!strlen(val)) { return "MaxProcessLifetime must have an argument"; } @@ -1068,7 +1084,7 @@ } if (!strcasecmp(option, "MaxRequestsPerProcess")) { - val = ap_getword_white(cmd->pool, &args); + val = ap_getword_conf(cmd->pool, &args); if (!strlen(val)) { return "MaxRequestsPerProcess must have an argument"; } @@ -1077,7 +1093,7 @@ } if (!strcasecmp(option, "MinProcesses")) { - val = ap_getword_white(cmd->pool, &args); + val = ap_getword_conf(cmd->pool, &args); if (!strlen(val)) { return "MinProcesses must have an argument"; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mod_fcgid-2.3.7/modules/fcgid/fcgid_conf.h new/mod_fcgid-2.3.9/modules/fcgid/fcgid_conf.h --- old/mod_fcgid-2.3.7/modules/fcgid/fcgid_conf.h 2012-04-17 15:54:08.000000000 +0200 +++ new/mod_fcgid-2.3.9/modules/fcgid/fcgid_conf.h 2013-10-04 22:59:58.000000000 +0200 @@ -18,14 +18,12 @@ #ifndef FCGID_CONF_H #define FCGID_CONF_H -#include "apr_general.h" /* stringify */ - #define MODFCGID_COPYRIGHT \ - "Copyright 2012 The Apache Software Foundation." + "Copyright 2013 The Apache Software Foundation." #define MODFCGID_VERSION_MAJOR 2 #define MODFCGID_VERSION_MINOR 3 -#define MODFCGID_VERSION_SUBVER 7 +#define MODFCGID_VERSION_SUBVER 9 #define MODFCGID_VERSION_DEV 0 #if MODFCGID_VERSION_DEV @@ -34,6 +32,14 @@ #define MODFCGID_VERSION_DEVSTR "" #endif +/* APR_STRINGIFY is defined here, and also in apr_general.h, so wrap it */ +#ifndef APR_STRINGIFY +/** Properly quote a value as a string in the C preprocessor */ +#define APR_STRINGIFY(n) APR_STRINGIFY_HELPER(n) +/** Helper macro for APR_STRINGIFY */ +#define APR_STRINGIFY_HELPER(n) #n +#endif + #define MODFCGID_REVISION APR_STRINGIFY(MODFCGID_VERSION_MAJOR) \ "." APR_STRINGIFY(MODFCGID_VERSION_MINOR) \ "." APR_STRINGIFY(MODFCGID_VERSION_SUBVER) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mod_fcgid-2.3.7/modules/fcgid/fcgid_filter.c new/mod_fcgid-2.3.9/modules/fcgid/fcgid_filter.c --- old/mod_fcgid-2.3.7/modules/fcgid/fcgid_filter.c 2009-09-17 22:14:45.000000000 +0200 +++ new/mod_fcgid-2.3.9/modules/fcgid/fcgid_filter.c 2013-09-17 13:08:37.000000000 +0200 @@ -26,7 +26,7 @@ { apr_status_t rv; apr_bucket_brigade *tmp_brigade; - int save_size = 0; + apr_size_t save_size = 0; conn_rec *c = f->c; server_rec *s = f->r->server; fcgid_server_conf *sconf = ap_get_module_config(s->module_config, diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mod_fcgid-2.3.7/modules/fcgid/fcgid_pm.h new/mod_fcgid-2.3.9/modules/fcgid/fcgid_pm.h --- old/mod_fcgid-2.3.7/modules/fcgid/fcgid_pm.h 2010-10-29 22:35:35.000000000 +0200 +++ new/mod_fcgid-2.3.9/modules/fcgid/fcgid_pm.h 2013-10-04 03:48:20.000000000 +0200 @@ -41,9 +41,9 @@ void procmgr_init_spawn_cmd(fcgid_command * command, request_rec * r, fcgid_cmd_conf *cmd_conf); -apr_status_t procmgr_post_spawn_cmd(fcgid_command * command, +apr_status_t procmgr_send_spawn_cmd(fcgid_command * command, request_rec * r); -apr_status_t procmgr_peek_cmd(fcgid_command * command, +apr_status_t procmgr_fetch_cmd(fcgid_command * command, server_rec * main_server); apr_status_t procmgr_finish_notify(server_rec * main_server); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mod_fcgid-2.3.7/modules/fcgid/fcgid_pm_main.c new/mod_fcgid-2.3.9/modules/fcgid/fcgid_pm_main.c --- old/mod_fcgid-2.3.7/modules/fcgid/fcgid_pm_main.c 2012-01-20 23:02:50.000000000 +0100 +++ new/mod_fcgid-2.3.9/modules/fcgid/fcgid_pm_main.c 2013-10-04 03:48:20.000000000 +0200 @@ -639,7 +639,7 @@ break; /* Wait for command */ - if (procmgr_peek_cmd(&command, main_server) == APR_SUCCESS) { + if (procmgr_fetch_cmd(&command, main_server) == APR_SUCCESS) { if (is_spawn_allowed(main_server, &command)) fastcgi_spawn(&command, main_server, configpool); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mod_fcgid-2.3.7/modules/fcgid/fcgid_pm_unix.c new/mod_fcgid-2.3.9/modules/fcgid/fcgid_pm_unix.c --- old/mod_fcgid-2.3.7/modules/fcgid/fcgid_pm_unix.c 2011-09-23 15:41:15.000000000 +0200 +++ new/mod_fcgid-2.3.9/modules/fcgid/fcgid_pm_unix.c 2013-10-04 03:48:20.000000000 +0200 @@ -354,7 +354,7 @@ fcgid_server_conf *sconf = ap_get_module_config(main_server->module_config, &fcgid_module); - /* Calculate procmgr_peek_cmd wake up interval */ + /* Calculate procmgr_fetch_cmd wake up interval */ g_wakeup_timeout = fcgid_min(sconf->error_scan_interval, sconf->busy_scan_interval); g_wakeup_timeout = fcgid_min(sconf->idle_scan_interval, @@ -427,8 +427,6 @@ fcgid_server_conf *sconf = ap_get_module_config(r->server->module_config, &fcgid_module); - memset(command, 0, sizeof(*command)); - /* suEXEC check */ if ((ugid = ap_run_get_suexec_identity(r))) { command->uid = ugid->uid; @@ -453,11 +451,14 @@ apr_cpystrn(command->server_hostname, r->server->server_hostname, sizeof command->server_hostname); } + else { + command->server_hostname[0] = '\0'; + } get_cmd_options(r, command->cgipath, &command->cmdopts, &command->cmdenv); } -apr_status_t procmgr_post_spawn_cmd(fcgid_command * command, +apr_status_t procmgr_send_spawn_cmd(fcgid_command * command, request_rec * r) { apr_status_t rv; @@ -515,7 +516,7 @@ } #define FOR_READ 1 -apr_status_t procmgr_peek_cmd(fcgid_command * command, +apr_status_t procmgr_fetch_cmd(fcgid_command * command, server_rec * main_server) { apr_status_t rv; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mod_fcgid-2.3.7/modules/fcgid/fcgid_pm_win.c new/mod_fcgid-2.3.9/modules/fcgid/fcgid_pm_win.c --- old/mod_fcgid-2.3.7/modules/fcgid/fcgid_pm_win.c 2012-04-17 14:56:13.000000000 +0200 +++ new/mod_fcgid-2.3.9/modules/fcgid/fcgid_pm_win.c 2013-10-04 03:53:35.000000000 +0200 @@ -44,7 +44,7 @@ apr_sleep(apr_time_from_sec(1)); } - /* Send a wake up message to procmgr_peek_cmd() */ + /* Send a wake up message to procmgr_fetch_cmd() */ if (!g_must_exit && g_msgqueue) apr_queue_trypush(g_msgqueue, NULL); } @@ -96,7 +96,7 @@ exit(1); } - /* Calculate procmgr_peek_cmd wake up interval */ + /* Calculate procmgr_fetch_cmd wake up interval */ g_wakeup_timeout = min(sconf->error_scan_interval, sconf->busy_scan_interval); g_wakeup_timeout = min(sconf->idle_scan_interval, @@ -136,14 +136,14 @@ fcgid_server_conf *sconf = ap_get_module_config(r->server->module_config, &fcgid_module); - memset(command, 0, sizeof(*command)); - /* no truncation should ever occur */ AP_DEBUG_ASSERT(sizeof command->cgipath > strlen(cmd_conf->cgipath)); apr_cpystrn(command->cgipath, cmd_conf->cgipath, sizeof command->cgipath); AP_DEBUG_ASSERT(sizeof command->cmdline > strlen(cmd_conf->cmdline)); apr_cpystrn(command->cmdline, cmd_conf->cmdline, sizeof command->cmdline); + command->inode = (apr_ino_t) -1; + command->deviceid = (dev_t) -1; command->uid = (uid_t) - 1; command->gid = (gid_t) - 1; command->userdir = 0; @@ -152,11 +152,14 @@ apr_cpystrn(command->server_hostname, r->server->server_hostname, sizeof command->server_hostname); } + else { + command->server_hostname[0] = '\0'; + } get_cmd_options(r, command->cgipath, &command->cmdopts, &command->cmdenv); } -apr_status_t procmgr_post_spawn_cmd(fcgid_command * command, +apr_status_t procmgr_send_spawn_cmd(fcgid_command * command, request_rec * r) { if (g_thread && g_msgqueue && !g_must_exit @@ -226,7 +229,7 @@ return rv; } -apr_status_t procmgr_peek_cmd(fcgid_command * command, +apr_status_t procmgr_fetch_cmd(fcgid_command * command, server_rec * main_server) { fcgid_command *peakcmd = NULL; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mod_fcgid-2.3.7/modules/fcgid/fcgid_proc_unix.c new/mod_fcgid-2.3.9/modules/fcgid/fcgid_proc_unix.c --- old/mod_fcgid-2.3.7/modules/fcgid/fcgid_proc_unix.c 2012-04-17 13:21:22.000000000 +0200 +++ new/mod_fcgid-2.3.9/modules/fcgid/fcgid_proc_unix.c 2013-07-06 20:44:24.000000000 +0200 @@ -204,23 +204,11 @@ char **proc_environ; struct sockaddr_un unix_addr; apr_procattr_t *procattr = NULL; - int argc, len; - const char *wargv[APACHE_ARG_MAX + 1]; - const char *word; /* For wrapper */ - const char *tmp; + int len; + const char **wargv; /* Build wrapper args */ - argc = 0; - tmp = cmdline; - while (1) { - word = ap_getword_white(procnode->proc_pool, &tmp); - if (word == NULL || *word == '\0') - break; - if (argc >= APACHE_ARG_MAX) - break; - wargv[argc++] = word; - } - wargv[argc] = NULL; + apr_tokenize_to_argv(cmdline, (char ***)&wargv, procnode->proc_pool); /* Create UNIX domain socket before spawn diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mod_fcgid-2.3.7/modules/fcgid/fcgid_proc_win.c new/mod_fcgid-2.3.9/modules/fcgid/fcgid_proc_win.c --- old/mod_fcgid-2.3.7/modules/fcgid/fcgid_proc_win.c 2012-04-11 01:59:13.000000000 +0200 +++ new/mod_fcgid-2.3.9/modules/fcgid/fcgid_proc_win.c 2012-11-16 19:33:14.000000000 +0100 @@ -69,22 +69,10 @@ apr_file_t *file; const char * const *proc_environ; char sock_path[FCGID_PATH_MAX]; - int argc; - char const * wargv[APACHE_ARG_MAX + 1], *word; /* For wrapper */ - const char *tmp; + const char **wargv; /* Build wrapper args */ - argc = 0; - tmp = cmdline; - while (1) { - word = ap_getword_white(procnode->proc_pool, &tmp); - if (word == NULL || *word == '\0') - break; - if (argc >= APACHE_ARG_MAX) - break; - wargv[argc++] = word; - } - wargv[argc] = NULL; + apr_tokenize_to_argv(cmdline, (char ***)&wargv, procnode->proc_pool); memset(&SecurityAttributes, 0, sizeof(SecurityAttributes)); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mod_fcgid-2.3.7/modules/fcgid/fcgid_protocol.c new/mod_fcgid-2.3.9/modules/fcgid/fcgid_protocol.c --- old/mod_fcgid-2.3.7/modules/fcgid/fcgid_protocol.c 2009-09-17 22:14:45.000000000 +0200 +++ new/mod_fcgid-2.3.9/modules/fcgid/fcgid_protocol.c 2013-09-17 13:08:37.000000000 +0200 @@ -25,7 +25,7 @@ static size_t init_environment(char *buf, char **envp) { char *spliter; - int namelen, valuelen; + apr_size_t namelen, valuelen; char *cur_buf = buf; size_t buffer_size = 0; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mod_fcgid-2.3.7/modules/fcgid/mod_fcgid.c new/mod_fcgid-2.3.9/modules/fcgid/mod_fcgid.c --- old/mod_fcgid-2.3.7/modules/fcgid/mod_fcgid.c 2012-04-11 02:54:32.000000000 +0200 +++ new/mod_fcgid-2.3.9/modules/fcgid/mod_fcgid.c 2012-07-17 02:02:26.000000000 +0200 @@ -46,6 +46,12 @@ FCGID_PROCNODE_TYPE_ERROR, }; +enum fcgid_auth_check_mode { + FCGID_AUTH_CHECK_AUTHN, + FCGID_AUTH_CHECK_AUTHZ, + FCGID_AUTH_CHECK_ACCESS +}; + /* Stolen from mod_cgi.c */ /* KLUDGE --- for back-compatibility, we don't have to check ExecCGI * in ScriptAliased directories, which means we need to know if this @@ -477,107 +483,78 @@ return 1; } -static int mod_fcgid_authenticator(request_rec * r) +static int mod_fcgid_check_auth(request_rec *r, + enum fcgid_auth_check_mode auth_check_mode) { int res = 0; const char *password = NULL; apr_table_t *saved_subprocess_env = NULL; - fcgid_cmd_conf *authenticator_info; + fcgid_cmd_conf *auth_cmd_info = NULL; int authoritative; + const char *auth_role = NULL; + const char *role_log_msg = NULL; + const char *user_log_msg = ""; + + /* Because we don't function as authn/z providers, integration with + * the standard httpd authn/z modules is somewhat problematic. + * + * With httpd 2.4 in particular, our hook functions may be + * circumvented by mod_authz_core's check_access_ex hook, unless + * Require directives specify that user-based authn/z is needed. + * + * Even then, APR_HOOK_MIDDLE may cause our authentication hook to be + * ordered after mod_auth_basic's check_authn hook, in which case it + * will be skipped unless AuthBasicAuthoritative is Off and no authn + * provider recognizes the user or outright denies the request. + * + * Also, when acting as an authenticator, we don't have a mechanism to + * set r->user based on the script response, so scripts can't implement + * a private authentication scheme; instead we use ap_get_basic_auth_pw() + * and only support Basic HTTP authentication. + * + * It is possible to act reliably as both authenticator and authorizer + * if mod_authn_core is loaded to support AuthType and AuthName, but + * mod_authz_core and mod_auth_basic are not loaded. However, in this + * case the Require directive is not available, which defeats many + * common configuration tropes. + */ - authenticator_info = get_authenticator_info(r, &authoritative); + switch (auth_check_mode) { + case FCGID_AUTH_CHECK_AUTHN: + auth_cmd_info = get_authenticator_info(r, &authoritative); + auth_role = "AUTHENTICATOR"; + role_log_msg = "Authentication"; + break; + + case FCGID_AUTH_CHECK_AUTHZ: + auth_cmd_info = get_authorizer_info(r, &authoritative); + auth_role = "AUTHORIZER"; + role_log_msg = "Authorization"; + break; + + case FCGID_AUTH_CHECK_ACCESS: + auth_cmd_info = get_access_info(r, &authoritative); + auth_role = "ACCESS_CHECKER"; + role_log_msg = "Access check"; + break; + } - /* Is authenticator enable? */ - if (authenticator_info == NULL) + /* Is this auth check command enabled? */ + if (auth_cmd_info == NULL) return DECLINED; /* Get the user password */ - if ((res = ap_get_basic_auth_pw(r, &password)) != OK) + if (auth_check_mode == FCGID_AUTH_CHECK_AUTHN + && (res = ap_get_basic_auth_pw(r, &password)) != OK) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "mod_fcgid: authenticator requires " + "basic HTTP auth credentials"); return res; - - /* Save old process environment */ - saved_subprocess_env = apr_table_copy(r->pool, r->subprocess_env); - - /* Add some environment variables */ - ap_add_common_vars(r); - ap_add_cgi_vars(r); - fcgid_add_cgi_vars(r); - apr_table_setn(r->subprocess_env, "REMOTE_PASSWD", password); - apr_table_setn(r->subprocess_env, "FCGI_APACHE_ROLE", "AUTHENTICATOR"); - - /* Drop the variables CONTENT_LENGTH, PATH_INFO, PATH_TRANSLATED, - * SCRIPT_NAME and most Hop-By-Hop headers - EXCEPT we will pass - * PROXY_AUTH to allow CGI to perform proxy auth for httpd - */ - apr_table_unset(r->subprocess_env, "CONTENT_LENGTH"); - apr_table_unset(r->subprocess_env, "PATH_INFO"); - apr_table_unset(r->subprocess_env, "PATH_TRANSLATED"); - apr_table_unset(r->subprocess_env, "SCRIPT_NAME"); - apr_table_unset(r->subprocess_env, "HTTP_KEEP_ALIVE"); - apr_table_unset(r->subprocess_env, "HTTP_TE"); - apr_table_unset(r->subprocess_env, "HTTP_TRAILER"); - apr_table_unset(r->subprocess_env, "HTTP_TRANSFER_ENCODING"); - apr_table_unset(r->subprocess_env, "HTTP_UPGRADE"); - - /* Connection hop-by-hop header to prevent the CGI from hanging */ - apr_table_set(r->subprocess_env, "HTTP_CONNECTION", "close"); - - /* Handle the request */ - res = bridge_request(r, FCGI_AUTHORIZER, authenticator_info); - - /* Restore r->subprocess_env */ - r->subprocess_env = saved_subprocess_env; - - if (res == OK && r->status == 200 - && apr_table_get(r->headers_out, "Location") == NULL) - { - /* Pass */ - ap_log_rerror(APLOG_MARK, APLOG_DEBUG | APLOG_NOERRNO, 0, r, - "mod_fcgid: user %s authentication pass", r->user); - - /* Modify headers: An Authorizer application's 200 response may include headers - whose names are prefixed with Variable-. */ - apr_table_do(mod_fcgid_modify_auth_header, r->subprocess_env, - r->err_headers_out, NULL); - - return OK; - } else { - /* Print error info first */ - if (res != OK) - ap_log_rerror(APLOG_MARK, APLOG_WARNING | APLOG_NOERRNO, 0, r, - "mod_fcgid: user %s authentication failed, respond %d, URI %s", - r->user, res, r->uri); - else if (r->status != 200) - ap_log_rerror(APLOG_MARK, APLOG_WARNING | APLOG_NOERRNO, 0, r, - "mod_fcgid: user %s authentication failed, status %d, URI %s", - r->user, r->status, r->uri); - else - ap_log_rerror(APLOG_MARK, APLOG_WARNING | APLOG_NOERRNO, 0, r, - "mod_fcgid: user %s authentication failed, redirected is not allowed", - r->user); - - /* Handle error */ - if (!authoritative) - return DECLINED; - else { - ap_note_basic_auth_failure(r); - return (res == OK) ? HTTP_UNAUTHORIZED : res; - } } -} -static int mod_fcgid_authorizer(request_rec * r) -{ - int res = 0; - apr_table_t *saved_subprocess_env = NULL; - fcgid_cmd_conf *authorizer_info; - int authoritative; - - authorizer_info = get_authorizer_info(r, &authoritative); - - /* Is authenticator enable? */ - if (authorizer_info == NULL) - return DECLINED; + if (auth_check_mode != FCGID_AUTH_CHECK_ACCESS) { + user_log_msg = apr_psprintf(r->pool, " of user %s", r->user); + } /* Save old process environment */ saved_subprocess_env = apr_table_copy(r->pool, r->subprocess_env); @@ -586,7 +563,10 @@ ap_add_common_vars(r); ap_add_cgi_vars(r); fcgid_add_cgi_vars(r); - apr_table_setn(r->subprocess_env, "FCGI_APACHE_ROLE", "AUTHORIZER"); + if (auth_check_mode == FCGID_AUTH_CHECK_AUTHN) { + apr_table_setn(r->subprocess_env, "REMOTE_PASSWD", password); + } + apr_table_setn(r->subprocess_env, "FCGI_APACHE_ROLE", auth_role); /* Drop the variables CONTENT_LENGTH, PATH_INFO, PATH_TRANSLATED, * SCRIPT_NAME and most Hop-By-Hop headers - EXCEPT we will pass @@ -606,17 +586,17 @@ apr_table_set(r->subprocess_env, "HTTP_CONNECTION", "close"); /* Handle the request */ - res = bridge_request(r, FCGI_AUTHORIZER, authorizer_info); + res = bridge_request(r, FCGI_AUTHORIZER, auth_cmd_info); /* Restore r->subprocess_env */ r->subprocess_env = saved_subprocess_env; - if (res == OK && r->status == 200 - && apr_table_get(r->headers_out, "Location") == NULL) - { + if (res == OK && r->status == HTTP_OK + && apr_table_get(r->headers_out, "Location") == NULL) { /* Pass */ - ap_log_rerror(APLOG_MARK, APLOG_DEBUG | APLOG_NOERRNO, 0, r, - "mod_fcgid: access granted (authorization)"); + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "mod_fcgid: %s%s to access %s succeeded", + role_log_msg, user_log_msg, r->uri); /* Modify headers: An Authorizer application's 200 response may include headers whose names are prefixed with Variable-. */ @@ -624,112 +604,53 @@ r->err_headers_out, NULL); return OK; - } else { + } + else { + const char *add_err_msg = ""; + /* Print error info first */ - if (res != OK) - ap_log_rerror(APLOG_MARK, APLOG_WARNING | APLOG_NOERRNO, 0, r, - "mod_fcgid: user %s authorization failed, respond %d, URI %s", - r->user, res, r->uri); - else if (r->status != 200) - ap_log_rerror(APLOG_MARK, APLOG_WARNING | APLOG_NOERRNO, 0, r, - "mod_fcgid: user %s authorization failed, status %d, URI %s", - r->user, r->status, r->uri); - else - ap_log_rerror(APLOG_MARK, APLOG_WARNING | APLOG_NOERRNO, 0, r, - "mod_fcgid: user %s authorization failed, redirected is not allowed", - r->user); + if (res != OK) { + add_err_msg = + apr_psprintf(r->pool, "; error or unexpected condition " + "while parsing response (%d)", res); + } + else if (r->status == HTTP_OK) { + add_err_msg = "; internal redirection not allowed"; + } + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "mod_fcgid: %s%s to access %s failed, reason: " + "script returned status %d%s", + role_log_msg, user_log_msg, r->uri, r->status, + add_err_msg); /* Handle error */ - if (!authoritative) + if (!authoritative) { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "mod_fcgid: not authoritative"); return DECLINED; + } else { - ap_note_basic_auth_failure(r); + if (auth_check_mode != FCGID_AUTH_CHECK_ACCESS) { + ap_note_basic_auth_failure(r); + } return (res == OK) ? HTTP_UNAUTHORIZED : res; } } } -static int mod_fcgid_check_access(request_rec * r) +static int mod_fcgid_authenticator(request_rec *r) { - int res = 0; - apr_table_t *saved_subprocess_env = NULL; - fcgid_cmd_conf *access_info; - int authoritative; - - access_info = get_access_info(r, &authoritative); - - /* Is access check enable? */ - if (access_info == NULL) - return DECLINED; - - /* Save old process environment */ - saved_subprocess_env = apr_table_copy(r->pool, r->subprocess_env); - - /* Add some environment variables */ - ap_add_common_vars(r); - ap_add_cgi_vars(r); - fcgid_add_cgi_vars(r); - apr_table_setn(r->subprocess_env, "FCGI_APACHE_ROLE", - "ACCESS_CHECKER"); - - /* Drop the variables CONTENT_LENGTH, PATH_INFO, PATH_TRANSLATED, - * SCRIPT_NAME and most Hop-By-Hop headers - EXCEPT we will pass - * PROXY_AUTH to allow CGI to perform proxy auth for httpd - */ - apr_table_unset(r->subprocess_env, "CONTENT_LENGTH"); - apr_table_unset(r->subprocess_env, "PATH_INFO"); - apr_table_unset(r->subprocess_env, "PATH_TRANSLATED"); - apr_table_unset(r->subprocess_env, "SCRIPT_NAME"); - apr_table_unset(r->subprocess_env, "HTTP_KEEP_ALIVE"); - apr_table_unset(r->subprocess_env, "HTTP_TE"); - apr_table_unset(r->subprocess_env, "HTTP_TRAILER"); - apr_table_unset(r->subprocess_env, "HTTP_TRANSFER_ENCODING"); - apr_table_unset(r->subprocess_env, "HTTP_UPGRADE"); - - /* Connection hop-by-hop header to prevent the CGI from hanging */ - apr_table_set(r->subprocess_env, "HTTP_CONNECTION", "close"); - - /* Handle the request */ - res = bridge_request(r, FCGI_AUTHORIZER, access_info); - - /* Restore r->subprocess_env */ - r->subprocess_env = saved_subprocess_env; - - if (res == OK && r->status == 200 - && apr_table_get(r->headers_out, "Location") == NULL) - { - /* Pass */ - ap_log_rerror(APLOG_MARK, APLOG_DEBUG | APLOG_NOERRNO, 0, r, - "mod_fcgid: access check pass"); - - /* Modify headers: An Authorizer application's 200 response may include headers - whose names are prefixed with Variable-. */ - apr_table_do(mod_fcgid_modify_auth_header, r->subprocess_env, - r->err_headers_out, NULL); + return mod_fcgid_check_auth(r, FCGID_AUTH_CHECK_AUTHN); +} - return OK; - } else { - /* Print error info first */ - if (res != OK) - ap_log_rerror(APLOG_MARK, APLOG_WARNING | APLOG_NOERRNO, 0, r, - "mod_fcgid: user %s access check failed, respond %d, URI %s", - r->user, res, r->uri); - else if (r->status != 200) - ap_log_rerror(APLOG_MARK, APLOG_WARNING | APLOG_NOERRNO, 0, r, - "mod_fcgid: user %s access check failed, status %d, URI %s", - r->user, r->status, r->uri); - else - ap_log_rerror(APLOG_MARK, APLOG_WARNING | APLOG_NOERRNO, 0, r, - "mod_fcgid: user %s access check failed, redirected is not allowed", - r->user); +static int mod_fcgid_authorizer(request_rec *r) +{ + return mod_fcgid_check_auth(r, FCGID_AUTH_CHECK_AUTHZ); +} - /* Handle error */ - if (!authoritative) - return DECLINED; - else { - return (res == OK) ? HTTP_UNAUTHORIZED : res; - } - } +static int mod_fcgid_check_access(request_rec *r) +{ + return mod_fcgid_check_auth(r, FCGID_AUTH_CHECK_ACCESS); } static void initialize_child(apr_pool_t * pchild, server_rec * main_server) -- To unsubscribe, e-mail: opensuse-commit+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-commit+help(a)opensuse.org

1 0

commit apache2 for openSUSE:Factory
by root＠hilbert.suse.de 07 Nov '13

07 Nov '13

Hello community, here is the log from the commit of package apache2 for openSUSE:Factory checked in at 2013-11-07 08:33:45 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/apache2 (Old) and /work/SRC/openSUSE:Factory/.apache2.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "apache2" Changes: -------- --- /work/SRC/openSUSE:Factory/apache2/apache2.changes 2013-10-24 14:07:26.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.apache2.new/apache2.changes 2013-11-07 08:33:46.000000000 +0100 @@ -1,0 +2,5 @@ +Fri Oct 25 00:05:02 UTC 2013 - crrodriguez(a)opensuse.org + +- reenable mod_ssl-2.4.x-ekh.diff + +------------------------------------------------------------------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ apache2.spec ++++++ --- /var/tmp/diff_new_pack.5emAxL/_old 2013-11-07 08:33:49.000000000 +0100 +++ /var/tmp/diff_new_pack.5emAxL/_new 2013-11-07 08:33:49.000000000 +0100 @@ -163,7 +163,7 @@ Patch109: httpd-2.4.3-mod_systemd.patch Patch110: http://people.apache.org/~minfrin/httpd-event-ssl.patch Patch111: httpd-visibility.patch -#Patch112: mod_ssl-2.4.x-ekh.diff +Patch112: mod_ssl-2.4.x-ekh.diff Url: http://httpd.apache.org/ Icon: Apache.xpm Summary: The Apache Web Server Version 2.2 @@ -387,7 +387,7 @@ %patch109 -p1 %patch110 %patch111 -p1 -#%patch112 +%patch112 cat $RPM_SOURCE_DIR/SUSE-NOTICE >> NOTICE # install READMEs a=$(basename %{S:22}) -- To unsubscribe, e-mail: opensuse-commit+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-commit+help(a)opensuse.org

1 0

commit apache2-mod_fcgid for openSUSE:13.1
by root＠hilbert.suse.de 06 Nov '13

06 Nov '13

Hello community, here is the log from the commit of package apache2-mod_fcgid for openSUSE:13.1 checked in at 2013-11-06 15:56:35 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:13.1/apache2-mod_fcgid (Old) and /work/SRC/openSUSE:13.1/.apache2-mod_fcgid.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "apache2-mod_fcgid" Changes: -------- --- /work/SRC/openSUSE:13.1/apache2-mod_fcgid/apache2-mod_fcgid.changes 2013-09-23 10:47:10.000000000 +0200 +++ /work/SRC/openSUSE:13.1/.apache2-mod_fcgid.new/apache2-mod_fcgid.changes 2013-11-06 15:56:36.000000000 +0100 @@ -1,0 +2,23 @@ +Wed Nov 6 14:03:05 CET 2013 - draht(a)suse.de + +- update to 2.3.9: + + obsoletes apache2-mod_fcgid-CVE-2013-4365-bnc844935.diff + and fixes CVE-2013-4365 [bnc#844935] (heap overflow). + The heap overflow discovery and fix was done by + Robert Matthews <rob tigertech.com>. + + quoting and spaces parsing correction for FcgidWrapper directive + and commandline options. + + logging improvements for access controls + + remove redundant processing of Location headers when running in + FCGI_AUTHORIZER mode + +------------------------------------------------------------------- +Mon Oct 21 15:05:29 CEST 2013 - draht(a)suse.de + +- Intermediate fix for openSUSE:Factory eg. openSUSE:13.1: + apache2-mod_fcgid-CVE-2013-4365-bnc844935.diff fixes a heap + overflow identified by CVE-2013-4365 [bnc#844935]. + This patch will be obsoleted by the next version update (to + 2.3.9 or higher). + +------------------------------------------------------------------- Old: ---- mod_fcgid-2.3.7.tar.bz2 New: ---- mod_fcgid-2.3.9.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ apache2-mod_fcgid.spec ++++++ --- /var/tmp/diff_new_pack.b4twa5/_old 2013-11-06 15:56:36.000000000 +0100 +++ /var/tmp/diff_new_pack.b4twa5/_new 2013-11-06 15:56:36.000000000 +0100 @@ -27,7 +27,7 @@ %define apache_sysconfdir %(%{apxs} -q SYSCONFDIR) %define apache_mmn %(MMN=$(%{apxs} -q LIBEXECDIR)_MMN; test -x $MMN && $MMN) # -Version: 2.3.7 +Version: 2.3.9 Release: 0 # # @@ -46,12 +46,13 @@ Group: Productivity/Networking/Web/Servers %description -What is mod_fcgid? It is a binary compatibility alternative to Apache +A binary compatibile alternative to the Apache module mod_fastcgi. -mod_fcgid has a new process management strategy, which concentrates on -reducing the number of fastcgi server, and kick out the corrupt fastcgi -server as soon as possible. +The module implements an efficient process pool management for external +CGI program invocation. The pool of CGI programs is mapped against the +pool of apache workers in such way that there is always a weighted number +of programs waiting for requests in the pool. To load the module into Apache, run the command "a2enmod fcgid" as root. ++++++ mod_fcgid-2.3.7.tar.bz2 -> mod_fcgid-2.3.9.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mod_fcgid-2.3.7/CHANGES-FCGID new/mod_fcgid-2.3.9/CHANGES-FCGID --- old/mod_fcgid-2.3.7/CHANGES-FCGID 2012-04-10 06:27:08.000000000 +0200 +++ new/mod_fcgid-2.3.9/CHANGES-FCGID 2013-10-04 03:53:35.000000000 +0200 @@ -1,4 +1,35 @@ -*- coding: utf-8 -*- +Changes with mod_fcgid 2.3.9 + + *) Revert fix for PR 53693, added in 2.3.8 but undocumented. Fix + issues with a minor optimization added in 2.3.8. [Jeff Trawick] + +Changes with mod_fcgid 2.3.8 + + *) SECURITY: CVE-2013-4365 (cve.mitre.org) + Fix possible heap buffer overwrite. Reported and solved by: + [Robert Matthews <rob tigertech.com>] + + *) Add experimental cmake-based build system for Windows. [Jeff Trawick] + + *) Correctly parse quotation and escaped spaces in FcgidWrapper and the + AAA Authenticator/Authorizor/Access directives' command line argument, + as currently documented. PR 51194 [William Rowe] + + *) Honor quoted FcgidCmdOptions arguments (notably for InitialEnv + assignments). PR 51657 [William Rowe] + + *) Conform script response parsing with mod_cgid and ensure no response + body is sent when ap_meets_conditions() determines that request + conditions are met. [Chris Darroch] + + *) Improve logging in access control hook functions. [Chris Darroch] + + *) Avoid making internal sub-requests and processing Location headers + when in FCGI_AUTHORIZER mode, as the auth hook functions already + treat Location headers returned by scripts as an error since + redirections are not meaningful in this mode. [Chris Darroch] + Changes with mod_fcgid 2.3.7 *) Introduce FcgidWin32PreventOrphans directive on Windows to use OS diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mod_fcgid-2.3.7/NOTICE-FCGID new/mod_fcgid-2.3.9/NOTICE-FCGID --- old/mod_fcgid-2.3.7/NOTICE-FCGID 2012-01-21 23:49:25.000000000 +0100 +++ new/mod_fcgid-2.3.9/NOTICE-FCGID 2013-09-29 19:42:30.000000000 +0200 @@ -1,5 +1,5 @@ Apache HTTP Server mod_fcgid -Copyright 2012 The Apache Software Foundation +Copyright 2013 The Apache Software Foundation This product includes software developed at The Apache Software Foundation (http://www.apache.org/). diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mod_fcgid-2.3.7/README-FCGID new/mod_fcgid-2.3.9/README-FCGID --- old/mod_fcgid-2.3.7/README-FCGID 2009-10-07 06:06:48.000000000 +0200 +++ new/mod_fcgid-2.3.9/README-FCGID 2013-09-19 16:43:42.000000000 +0200 @@ -30,6 +30,8 @@ Win32 Build Instructions ------------------------ +1. Win32 build based on Visual Studio + The windows packages prior to 2.2.7 (or 2.0.62) left out the file include\mod_log_config.h, just copy these from the source tree or you can export them from subversion, just change to your @@ -90,6 +92,35 @@ lines in Makefile.win, or you must manually copy the .so module from modules\fcgid\Release after compiling. +2. Win32 build based on cmake: + +Note: This support is experimental and may not build mod_fcgid in a + manner compatible with the existing Windows build support. The + build interfaces may change as feedback is received and bugs are + resolved. Currently a .conf file is not created. + +Install httpd and APR to a common prefix, and point CMAKE_INSTALL_PREFIX +to that prefix when configuring mod_fcgid. + +Example using the "NMake Makefiles" generator from a Visual Studio command +prompt: + + cd some-build-directory + cmake -G "NMake Makefiles" ^ + -DCMAKE_INSTALL_PREFIX=C:\Apache246 ^ + -DCMAKE_BUILD_TYPE=RelWithDebInfo ^ + C:\path\to\fcgid-sources\modules\fcgid + nmake && nmake install + +The last argument to cmake in the example is the directory "modules\fcgid" +within your svn checkout or tarball/zip extract of mod_fcgid. + +Add -DINSTALL_PDB=OFF to the cmake invocation to leave mod_fcgid.pdb (if +generated) in the build directory. + +Add the following LoadModule directive to your configuration: + + LoadModule fcgid_module modules/mod_fcgid.so Documentation Build ------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mod_fcgid-2.3.7/STATUS-FCGID new/mod_fcgid-2.3.9/STATUS-FCGID --- old/mod_fcgid-2.3.7/STATUS-FCGID 2012-04-17 15:54:08.000000000 +0200 +++ new/mod_fcgid-2.3.9/STATUS-FCGID 2013-10-04 22:59:58.000000000 +0200 @@ -1,5 +1,5 @@ MOD_FCGID STATUS: -*-text-*- -Last modified at [$Date: 2012-04-17 13:54:08 +0000 (Tue, 17 Apr 2012) $] +Last modified at [$Date: 2013-10-04 20:59:58 +0000 (Fri, 04 Oct 2013) $] The current version of this file can be found at: @@ -14,8 +14,10 @@ [NOTE that x.{odd}.z versions are strictly Alpha/Beta releases, while x.{even}.z versions are Stable/GA releases.] - 2.3.8 : in development - 2.3.7 : tagged April 17, 2012 + 2.3.10 : in development + 2.3.9 : tagged October 4, 2013 + 2.3.8 : not released + 2.3.7 : released April 23, 2012 2.3.6 : released November 6, 2010 2.3.5 : released January 28, 2010 2.3.4 : released October 15, 2009 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mod_fcgid-2.3.7/modules/fcgid/CMakeLists.txt new/mod_fcgid-2.3.9/modules/fcgid/CMakeLists.txt --- old/mod_fcgid-2.3.7/modules/fcgid/CMakeLists.txt 1970-01-01 01:00:00.000000000 +0100 +++ new/mod_fcgid-2.3.9/modules/fcgid/CMakeLists.txt 2013-09-19 16:43:42.000000000 +0200 @@ -0,0 +1,56 @@ +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# Read the section on cmake builds in README-FCGID. + +PROJECT(mod_fcgid C) + +CMAKE_MINIMUM_REQUIRED(VERSION 2.8) + +IF(NOT EXISTS ${CMAKE_INSTALL_PREFIX}/lib/libhttpd.lib) + MESSAGE(FATAL_ERROR "libhttpd.lib was not found in prefix ${CMAKE_INSTALL_PREFIX}") +ENDIF() + +# Select APR trunk (libapr-2.lib) if it exists in PREFIX/lib; otherwise, select +# APR 1.x + APR-util 1.x +IF(EXISTS "${CMAKE_INSTALL_PREFIX}/lib/libapr-2.lib") + SET(apr_libraries + ${CMAKE_INSTALL_PREFIX}/lib/libapr-2.lib) +ELSEIF(EXISTS "${CMAKE_INSTALL_PREFIX}/lib/libapr-1.lib") + SET(apr_libraries + ${CMAKE_INSTALL_PREFIX}/lib/libapr-1.lib + ${CMAKE_INSTALL_PREFIX}/lib/libaprutil-1.lib) +ELSE() + MESSAGE(FATAL_ERROR "APR libraries were not found in prefix ${CMAKE_INSTALL_PREFIX}") +ENDIF() + +# Misc. options +OPTION(INSTALL_PDB "Install .pdb file (if generated)" ON) + +SET(mod_fcgid_sources + fcgid_bridge.c fcgid_bucket.c fcgid_conf.c fcgid_filter.c + fcgid_pm_main.c fcgid_pm_win.c fcgid_proc_win.c fcgid_proctbl_win.c + fcgid_protocol.c fcgid_spawn_ctl.c mod_fcgid.c mod_fcgid.rc +) +INCLUDE_DIRECTORIES(${CMAKE_INSTALL_PREFIX}/include) +ADD_LIBRARY(mod_fcgid SHARED ${mod_fcgid_sources}) +# magic base address taken from traditional Windows build +SET_TARGET_PROPERTIES(mod_fcgid PROPERTIES SUFFIX .so LINK_FLAGS /base:0x46430000) +TARGET_LINK_LIBRARIES(mod_fcgid ${CMAKE_INSTALL_PREFIX}/lib/libhttpd.lib ${apr_libraries}) +INSTALL(TARGETS mod_fcgid RUNTIME DESTINATION modules) +IF(INSTALL_PDB) + INSTALL(FILES ${CMAKE_BINARY_DIR}/mod_fcgid.pdb DESTINATION modules + CONFIGURATIONS RelWithDebInfo Debug) +ENDIF() diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mod_fcgid-2.3.7/modules/fcgid/fcgid_bridge.c new/mod_fcgid-2.3.9/modules/fcgid/fcgid_bridge.c --- old/mod_fcgid-2.3.7/modules/fcgid/fcgid_bridge.c 2012-04-17 14:58:29.000000000 +0200 +++ new/mod_fcgid-2.3.9/modules/fcgid/fcgid_bridge.c 2013-10-04 03:48:20.000000000 +0200 @@ -316,7 +316,46 @@ /* Check the script header first; return immediately on error. */ if ((cond_status = ap_scan_script_header_err_core(r, sbuf, getsfunc_fcgid_BRIGADE, - brigade_stdout)) >= 400) { + brigade_stdout))) { + /* + * cond_status could be HTTP_NOT_MODIFIED in the case that the FCGI + * script does not set an explicit status and ap_meets_conditions, + * which is called by ap_scan_script_header_err_brigade, detects that + * the conditions of the requests are met and the response is + * not modified. + * In this case set r->status and return OK in order to prevent + * running through the error processing stack as this would + * break with mod_cache, if the conditions had been set by + * mod_cache itself to validate a stale entity. + * BTW: We circumvent the error processing stack anyway if the + * FCGI script set an explicit status code (whatever it is) and + * the only possible values for cond_status here are: + * + * HTTP_NOT_MODIFIED (set by ap_meets_conditions) + * HTTP_PRECONDITION_FAILED (set by ap_meets_conditions) + * HTTP_GATEWAY_TIME_OUT (script timed out, returned no headers) + * HTTP_INTERNAL_SERVER_ERROR (if something went wrong during the + * processing of the response of the FCGI script, e.g broken headers + * or a crashed FCGI process). + */ + if (cond_status == HTTP_NOT_MODIFIED) { + /* We need to remove our fcgid_filter before returning this + * status and code; otherwise, when ap_process_async_request() + * invokes ap_finalize_request_protocol() and that calls + * ap_pass_brigade(), fcgid_filter notices it has an empty + * brigade and returns without calling ap_pass_brigade() itself, + * which incorrectly circumvents the standard output filters. + */ + ap_remove_output_filter(r->output_filters); + + r->status = cond_status; + return OK; + } + + return cond_status; + } + + if (role == FCGI_AUTHORIZER) { return cond_status; } @@ -336,20 +375,34 @@ */ apr_table_unset(r->headers_in, "Content-Length"); + /* Setting this Location header value causes handle_request() to + * invoke ap_internal_redirect_handler(); that calls + * internal_internal_redirect() which sets the new sub-request's + * r->output_filters back to r->proto_output_filters before + * running the sub-request's handler. Because we return here + * without invoking ap_pass_brigade(), our fcgid_filter is ignored. + */ *location_ptr = location; - return HTTP_OK; + return OK; } else if (location && r->status == 200) { /* XX Note that if a script wants to produce its own Redirect * body, it now has to explicitly *say* "Status: 302" */ + + /* This return code causes ap_process_async_request() to invoke + * ap_die(); that calls ap_send_error_response(), which resets + * r->output_filters back to r->proto_output_filters, thus removing + * our fcgid_filter from the output chain before making a final call + * to ap_finalize_request_protocol(), which passes the brigade to + * the standard output filters. + */ return HTTP_MOVED_TEMPORARILY; } - /* Now pass to output filter */ - if (role == FCGI_RESPONDER - && (rv = ap_pass_brigade(r->output_filters, - brigade_stdout)) != APR_SUCCESS) { + /* Now pass any remaining response body data to output filters */ + if ((rv = ap_pass_brigade(r->output_filters, + brigade_stdout)) != APR_SUCCESS) { if (!APR_STATUS_IS_ECONNABORTED(rv)) { ap_log_rerror(APLOG_MARK, APLOG_WARNING, rv, r, "mod_fcgid: ap_pass_brigade failed in " @@ -376,14 +429,12 @@ bucket_ctx->ipc.request = r; apr_pool_cleanup_register(r->pool, bucket_ctx, bucket_ctx_cleanup, apr_pool_cleanup_null); + procmgr_init_spawn_cmd(&fcgi_request, r, cmd_conf); /* Try to get a connected ipc handle */ for (i = 0; i < FCGID_REQUEST_COUNT; i++) { /* Apply a free process slot, send a spawn request if I can't get one */ for (j = 0; j < FCGID_APPLY_TRY_COUNT; j++) { - /* Init spawn request */ - procmgr_init_spawn_cmd(&fcgi_request, r, cmd_conf); - bucket_ctx->ipc.connect_timeout = fcgi_request.cmdopts.ipc_connect_timeout; bucket_ctx->ipc.communation_timeout = @@ -406,7 +457,7 @@ } /* Send a spawn request if I can't get a process slot */ - procmgr_post_spawn_cmd(&fcgi_request, r); + procmgr_send_spawn_cmd(&fcgi_request, r); } /* Connect to the fastcgi server */ @@ -466,7 +517,7 @@ ap_internal_redirect_handler(location, r); } - /* Retrun condition status */ + /* Return condition status */ return cond_status; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mod_fcgid-2.3.7/modules/fcgid/fcgid_bucket.c new/mod_fcgid-2.3.9/modules/fcgid/fcgid_bucket.c --- old/mod_fcgid-2.3.7/modules/fcgid/fcgid_bucket.c 2010-11-04 13:10:10.000000000 +0100 +++ new/mod_fcgid-2.3.9/modules/fcgid/fcgid_bucket.c 2013-09-29 19:40:47.000000000 +0200 @@ -112,10 +112,12 @@ if (header.type == FCGI_STDERR) { char *logbuf = apr_bucket_alloc(APR_BUCKET_BUFF_SIZE, b->list); char *line; + apr_size_t hasput; memset(logbuf, 0, APR_BUCKET_BUFF_SIZE); hasread = 0; + hasput = 0; while (hasread < bodysize) { char *buffer; apr_size_t bufferlen, canput, willput; @@ -130,9 +132,10 @@ canput = fcgid_min(bufferlen, bodysize - hasread); willput = - fcgid_min(canput, APR_BUCKET_BUFF_SIZE - hasread - 1); - memcpy(logbuf + hasread, buffer, willput); + fcgid_min(canput, APR_BUCKET_BUFF_SIZE - hasput - 1); + memcpy(logbuf + hasput, buffer, willput); hasread += canput; + hasput += willput; /* Ignore the "canput" bytes */ fcgid_ignore_bytes(ctx, canput); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mod_fcgid-2.3.7/modules/fcgid/fcgid_conf.c new/mod_fcgid-2.3.9/modules/fcgid/fcgid_conf.c --- old/mod_fcgid-2.3.7/modules/fcgid/fcgid_conf.c 2012-04-11 03:16:03.000000000 +0200 +++ new/mod_fcgid-2.3.9/modules/fcgid/fcgid_conf.c 2013-09-17 13:08:37.000000000 +0200 @@ -621,9 +621,16 @@ apr_status_t rv; apr_finfo_t finfo; fcgid_dir_conf *dirconfig = (fcgid_dir_conf *) config; + char **args; + + /* Get wrapper path */ + apr_tokenize_to_argv(authenticator, &args, cmd->temp_pool); + + if (*args == NULL || **args == '\0') + return "Invalid authenticator config"; /* Fetch only required file details inode + device */ - if ((rv = apr_stat(&finfo, authenticator, APR_FINFO_IDENT, + if ((rv = apr_stat(&finfo, args[0], APR_FINFO_IDENT, cmd->temp_pool)) != APR_SUCCESS) { return missing_file_msg(cmd->pool, "Authenticator", authenticator, rv); } @@ -632,10 +639,8 @@ dirconfig->authenticator_info = apr_pcalloc(cmd->server->process->pconf, sizeof(*dirconfig->authenticator_info)); - dirconfig->authenticator_info->cgipath = - apr_pstrdup(cmd->pool, authenticator); - dirconfig->authenticator_info->cmdline = - dirconfig->authenticator_info->cgipath; + dirconfig->authenticator_info->cgipath = apr_pstrdup(cmd->pool, args[0]); + dirconfig->authenticator_info->cmdline = authenticator; dirconfig->authenticator_info->inode = finfo.inode; dirconfig->authenticator_info->deviceid = finfo.device; return NULL; @@ -670,9 +675,16 @@ apr_status_t rv; apr_finfo_t finfo; fcgid_dir_conf *dirconfig = (fcgid_dir_conf *) config; + char **args; + + /* Get wrapper path */ + apr_tokenize_to_argv(authorizer, &args, cmd->temp_pool); + + if (*args == NULL || **args == '\0') + return "Invalid authorizer config"; /* Fetch only required file details inode + device */ - if ((rv = apr_stat(&finfo, authorizer, APR_FINFO_IDENT, + if ((rv = apr_stat(&finfo, args[0], APR_FINFO_IDENT, cmd->temp_pool)) != APR_SUCCESS) { return missing_file_msg(cmd->pool, "Authorizer", authorizer, rv); } @@ -681,10 +693,8 @@ dirconfig->authorizer_info = apr_pcalloc(cmd->server->process->pconf, sizeof(*dirconfig->authorizer_info)); - dirconfig->authorizer_info->cgipath = - apr_pstrdup(cmd->pool, authorizer); - dirconfig->authorizer_info->cmdline = - dirconfig->authorizer_info->cgipath; + dirconfig->authorizer_info->cgipath = apr_pstrdup(cmd->pool, args[0]); + dirconfig->authorizer_info->cmdline = authorizer; dirconfig->authorizer_info->inode = finfo.inode; dirconfig->authorizer_info->deviceid = finfo.device; return NULL; @@ -719,9 +729,16 @@ apr_status_t rv; apr_finfo_t finfo; fcgid_dir_conf *dirconfig = (fcgid_dir_conf *) config; + char **args; + + /* Get wrapper path */ + apr_tokenize_to_argv(access, &args, cmd->temp_pool); + + if (*args == NULL || **args == '\0') + return "Invalid access config"; /* Fetch only required file details inode + device */ - if ((rv = apr_stat(&finfo, access, APR_FINFO_IDENT, + if ((rv = apr_stat(&finfo, args[0], APR_FINFO_IDENT, cmd->temp_pool)) != APR_SUCCESS) { return missing_file_msg(cmd->pool, "Access checker", access, rv); } @@ -730,10 +747,8 @@ dirconfig->access_info = apr_pcalloc(cmd->server->process->pconf, sizeof(*dirconfig->access_info)); - dirconfig->access_info->cgipath = - apr_pstrdup(cmd->pool, access); - dirconfig->access_info->cmdline = - dirconfig->access_info->cgipath; + dirconfig->access_info->cgipath = apr_pstrdup(cmd->pool, args[0]); + dirconfig->access_info->cmdline = access; dirconfig->access_info->inode = finfo.inode; dirconfig->access_info->deviceid = finfo.device; return NULL; @@ -749,6 +764,18 @@ return NULL; } +fcgid_cmd_conf *get_access_info(request_rec * r, int *authoritative) +{ + fcgid_dir_conf *config = + ap_get_module_config(r->per_dir_config, &fcgid_module); + + if (config != NULL && config->access_info != NULL) { + *authoritative = config->access_authoritative; + return config->access_info; + } + + return NULL; +} #ifdef WIN32 /* FcgidWin32PreventOrphans @@ -814,29 +841,17 @@ } #endif /* WIN32*/ -fcgid_cmd_conf *get_access_info(request_rec * r, int *authoritative) -{ - fcgid_dir_conf *config = - ap_get_module_config(r->per_dir_config, &fcgid_module); - - if (config != NULL && config->access_info != NULL) { - *authoritative = config->access_authoritative; - return config->access_info; - } - - return NULL; -} - const char *set_wrapper_config(cmd_parms * cmd, void *dirconfig, const char *wrapper_cmdline, const char *extension, const char *virtual) { - const char *path, *tmp; + const char *path; apr_status_t rv; apr_finfo_t finfo; fcgid_cmd_conf *wrapper = NULL; fcgid_dir_conf *config = (fcgid_dir_conf *) dirconfig; + char **args; /* Sanity checks */ @@ -855,8 +870,9 @@ return "Invalid wrapper file extension"; /* Get wrapper path */ - tmp = wrapper_cmdline; - path = ap_getword_white(cmd->temp_pool, &tmp); + apr_tokenize_to_argv(wrapper_cmdline, &args, cmd->temp_pool); + path = apr_pstrdup(cmd->pool, args[0]); + if (path == NULL || *path == '\0') return "Invalid wrapper config"; @@ -994,14 +1010,14 @@ } while (*args) { - const char *option = ap_getword_white(cmd->pool, &args); + const char *option = ap_getword_conf(cmd->pool, &args); const char *val; /* TODO: Consider supporting BusyTimeout. */ if (!strcasecmp(option, "ConnectTimeout")) { - val = ap_getword_white(cmd->pool, &args); + val = ap_getword_conf(cmd->pool, &args); if (!strlen(val)) { return "ConnectTimeout must have an argument"; } @@ -1010,7 +1026,7 @@ } if (!strcasecmp(option, "IdleTimeout")) { - val = ap_getword_white(cmd->pool, &args); + val = ap_getword_conf(cmd->pool, &args); if (!strlen(val)) { return "IdleTimeout must have an argument"; } @@ -1022,7 +1038,7 @@ char *name; char *eql; - name = ap_getword_white(cmd->pool, &args); + name = ap_getword_conf(cmd->pool, &args); if (!strlen(name)) { return "InitialEnv must have an argument"; } @@ -1041,7 +1057,7 @@ } if (!strcasecmp(option, "IOTimeout")) { - val = ap_getword_white(cmd->pool, &args); + val = ap_getword_conf(cmd->pool, &args); if (!strlen(val)) { return "IOTimeout must have an argument"; } @@ -1050,7 +1066,7 @@ } if (!strcasecmp(option, "MaxProcesses")) { - val = ap_getword_white(cmd->pool, &args); + val = ap_getword_conf(cmd->pool, &args); if (!strlen(val)) { return "MaxProcesses must have an argument"; } @@ -1059,7 +1075,7 @@ } if (!strcasecmp(option, "MaxProcessLifetime")) { - val = ap_getword_white(cmd->pool, &args); + val = ap_getword_conf(cmd->pool, &args); if (!strlen(val)) { return "MaxProcessLifetime must have an argument"; } @@ -1068,7 +1084,7 @@ } if (!strcasecmp(option, "MaxRequestsPerProcess")) { - val = ap_getword_white(cmd->pool, &args); + val = ap_getword_conf(cmd->pool, &args); if (!strlen(val)) { return "MaxRequestsPerProcess must have an argument"; } @@ -1077,7 +1093,7 @@ } if (!strcasecmp(option, "MinProcesses")) { - val = ap_getword_white(cmd->pool, &args); + val = ap_getword_conf(cmd->pool, &args); if (!strlen(val)) { return "MinProcesses must have an argument"; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mod_fcgid-2.3.7/modules/fcgid/fcgid_conf.h new/mod_fcgid-2.3.9/modules/fcgid/fcgid_conf.h --- old/mod_fcgid-2.3.7/modules/fcgid/fcgid_conf.h 2012-04-17 15:54:08.000000000 +0200 +++ new/mod_fcgid-2.3.9/modules/fcgid/fcgid_conf.h 2013-10-04 22:59:58.000000000 +0200 @@ -18,14 +18,12 @@ #ifndef FCGID_CONF_H #define FCGID_CONF_H -#include "apr_general.h" /* stringify */ - #define MODFCGID_COPYRIGHT \ - "Copyright 2012 The Apache Software Foundation." + "Copyright 2013 The Apache Software Foundation." #define MODFCGID_VERSION_MAJOR 2 #define MODFCGID_VERSION_MINOR 3 -#define MODFCGID_VERSION_SUBVER 7 +#define MODFCGID_VERSION_SUBVER 9 #define MODFCGID_VERSION_DEV 0 #if MODFCGID_VERSION_DEV @@ -34,6 +32,14 @@ #define MODFCGID_VERSION_DEVSTR "" #endif +/* APR_STRINGIFY is defined here, and also in apr_general.h, so wrap it */ +#ifndef APR_STRINGIFY +/** Properly quote a value as a string in the C preprocessor */ +#define APR_STRINGIFY(n) APR_STRINGIFY_HELPER(n) +/** Helper macro for APR_STRINGIFY */ +#define APR_STRINGIFY_HELPER(n) #n +#endif + #define MODFCGID_REVISION APR_STRINGIFY(MODFCGID_VERSION_MAJOR) \ "." APR_STRINGIFY(MODFCGID_VERSION_MINOR) \ "." APR_STRINGIFY(MODFCGID_VERSION_SUBVER) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mod_fcgid-2.3.7/modules/fcgid/fcgid_filter.c new/mod_fcgid-2.3.9/modules/fcgid/fcgid_filter.c --- old/mod_fcgid-2.3.7/modules/fcgid/fcgid_filter.c 2009-09-17 22:14:45.000000000 +0200 +++ new/mod_fcgid-2.3.9/modules/fcgid/fcgid_filter.c 2013-09-17 13:08:37.000000000 +0200 @@ -26,7 +26,7 @@ { apr_status_t rv; apr_bucket_brigade *tmp_brigade; - int save_size = 0; + apr_size_t save_size = 0; conn_rec *c = f->c; server_rec *s = f->r->server; fcgid_server_conf *sconf = ap_get_module_config(s->module_config, diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mod_fcgid-2.3.7/modules/fcgid/fcgid_pm.h new/mod_fcgid-2.3.9/modules/fcgid/fcgid_pm.h --- old/mod_fcgid-2.3.7/modules/fcgid/fcgid_pm.h 2010-10-29 22:35:35.000000000 +0200 +++ new/mod_fcgid-2.3.9/modules/fcgid/fcgid_pm.h 2013-10-04 03:48:20.000000000 +0200 @@ -41,9 +41,9 @@ void procmgr_init_spawn_cmd(fcgid_command * command, request_rec * r, fcgid_cmd_conf *cmd_conf); -apr_status_t procmgr_post_spawn_cmd(fcgid_command * command, +apr_status_t procmgr_send_spawn_cmd(fcgid_command * command, request_rec * r); -apr_status_t procmgr_peek_cmd(fcgid_command * command, +apr_status_t procmgr_fetch_cmd(fcgid_command * command, server_rec * main_server); apr_status_t procmgr_finish_notify(server_rec * main_server); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mod_fcgid-2.3.7/modules/fcgid/fcgid_pm_main.c new/mod_fcgid-2.3.9/modules/fcgid/fcgid_pm_main.c --- old/mod_fcgid-2.3.7/modules/fcgid/fcgid_pm_main.c 2012-01-20 23:02:50.000000000 +0100 +++ new/mod_fcgid-2.3.9/modules/fcgid/fcgid_pm_main.c 2013-10-04 03:48:20.000000000 +0200 @@ -639,7 +639,7 @@ break; /* Wait for command */ - if (procmgr_peek_cmd(&command, main_server) == APR_SUCCESS) { + if (procmgr_fetch_cmd(&command, main_server) == APR_SUCCESS) { if (is_spawn_allowed(main_server, &command)) fastcgi_spawn(&command, main_server, configpool); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mod_fcgid-2.3.7/modules/fcgid/fcgid_pm_unix.c new/mod_fcgid-2.3.9/modules/fcgid/fcgid_pm_unix.c --- old/mod_fcgid-2.3.7/modules/fcgid/fcgid_pm_unix.c 2011-09-23 15:41:15.000000000 +0200 +++ new/mod_fcgid-2.3.9/modules/fcgid/fcgid_pm_unix.c 2013-10-04 03:48:20.000000000 +0200 @@ -354,7 +354,7 @@ fcgid_server_conf *sconf = ap_get_module_config(main_server->module_config, &fcgid_module); - /* Calculate procmgr_peek_cmd wake up interval */ + /* Calculate procmgr_fetch_cmd wake up interval */ g_wakeup_timeout = fcgid_min(sconf->error_scan_interval, sconf->busy_scan_interval); g_wakeup_timeout = fcgid_min(sconf->idle_scan_interval, @@ -427,8 +427,6 @@ fcgid_server_conf *sconf = ap_get_module_config(r->server->module_config, &fcgid_module); - memset(command, 0, sizeof(*command)); - /* suEXEC check */ if ((ugid = ap_run_get_suexec_identity(r))) { command->uid = ugid->uid; @@ -453,11 +451,14 @@ apr_cpystrn(command->server_hostname, r->server->server_hostname, sizeof command->server_hostname); } + else { + command->server_hostname[0] = '\0'; + } get_cmd_options(r, command->cgipath, &command->cmdopts, &command->cmdenv); } -apr_status_t procmgr_post_spawn_cmd(fcgid_command * command, +apr_status_t procmgr_send_spawn_cmd(fcgid_command * command, request_rec * r) { apr_status_t rv; @@ -515,7 +516,7 @@ } #define FOR_READ 1 -apr_status_t procmgr_peek_cmd(fcgid_command * command, +apr_status_t procmgr_fetch_cmd(fcgid_command * command, server_rec * main_server) { apr_status_t rv; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mod_fcgid-2.3.7/modules/fcgid/fcgid_pm_win.c new/mod_fcgid-2.3.9/modules/fcgid/fcgid_pm_win.c --- old/mod_fcgid-2.3.7/modules/fcgid/fcgid_pm_win.c 2012-04-17 14:56:13.000000000 +0200 +++ new/mod_fcgid-2.3.9/modules/fcgid/fcgid_pm_win.c 2013-10-04 03:53:35.000000000 +0200 @@ -44,7 +44,7 @@ apr_sleep(apr_time_from_sec(1)); } - /* Send a wake up message to procmgr_peek_cmd() */ + /* Send a wake up message to procmgr_fetch_cmd() */ if (!g_must_exit && g_msgqueue) apr_queue_trypush(g_msgqueue, NULL); } @@ -96,7 +96,7 @@ exit(1); } - /* Calculate procmgr_peek_cmd wake up interval */ + /* Calculate procmgr_fetch_cmd wake up interval */ g_wakeup_timeout = min(sconf->error_scan_interval, sconf->busy_scan_interval); g_wakeup_timeout = min(sconf->idle_scan_interval, @@ -136,14 +136,14 @@ fcgid_server_conf *sconf = ap_get_module_config(r->server->module_config, &fcgid_module); - memset(command, 0, sizeof(*command)); - /* no truncation should ever occur */ AP_DEBUG_ASSERT(sizeof command->cgipath > strlen(cmd_conf->cgipath)); apr_cpystrn(command->cgipath, cmd_conf->cgipath, sizeof command->cgipath); AP_DEBUG_ASSERT(sizeof command->cmdline > strlen(cmd_conf->cmdline)); apr_cpystrn(command->cmdline, cmd_conf->cmdline, sizeof command->cmdline); + command->inode = (apr_ino_t) -1; + command->deviceid = (dev_t) -1; command->uid = (uid_t) - 1; command->gid = (gid_t) - 1; command->userdir = 0; @@ -152,11 +152,14 @@ apr_cpystrn(command->server_hostname, r->server->server_hostname, sizeof command->server_hostname); } + else { + command->server_hostname[0] = '\0'; + } get_cmd_options(r, command->cgipath, &command->cmdopts, &command->cmdenv); } -apr_status_t procmgr_post_spawn_cmd(fcgid_command * command, +apr_status_t procmgr_send_spawn_cmd(fcgid_command * command, request_rec * r) { if (g_thread && g_msgqueue && !g_must_exit @@ -226,7 +229,7 @@ return rv; } -apr_status_t procmgr_peek_cmd(fcgid_command * command, +apr_status_t procmgr_fetch_cmd(fcgid_command * command, server_rec * main_server) { fcgid_command *peakcmd = NULL; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mod_fcgid-2.3.7/modules/fcgid/fcgid_proc_unix.c new/mod_fcgid-2.3.9/modules/fcgid/fcgid_proc_unix.c --- old/mod_fcgid-2.3.7/modules/fcgid/fcgid_proc_unix.c 2012-04-17 13:21:22.000000000 +0200 +++ new/mod_fcgid-2.3.9/modules/fcgid/fcgid_proc_unix.c 2013-07-06 20:44:24.000000000 +0200 @@ -204,23 +204,11 @@ char **proc_environ; struct sockaddr_un unix_addr; apr_procattr_t *procattr = NULL; - int argc, len; - const char *wargv[APACHE_ARG_MAX + 1]; - const char *word; /* For wrapper */ - const char *tmp; + int len; + const char **wargv; /* Build wrapper args */ - argc = 0; - tmp = cmdline; - while (1) { - word = ap_getword_white(procnode->proc_pool, &tmp); - if (word == NULL || *word == '\0') - break; - if (argc >= APACHE_ARG_MAX) - break; - wargv[argc++] = word; - } - wargv[argc] = NULL; + apr_tokenize_to_argv(cmdline, (char ***)&wargv, procnode->proc_pool); /* Create UNIX domain socket before spawn diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mod_fcgid-2.3.7/modules/fcgid/fcgid_proc_win.c new/mod_fcgid-2.3.9/modules/fcgid/fcgid_proc_win.c --- old/mod_fcgid-2.3.7/modules/fcgid/fcgid_proc_win.c 2012-04-11 01:59:13.000000000 +0200 +++ new/mod_fcgid-2.3.9/modules/fcgid/fcgid_proc_win.c 2012-11-16 19:33:14.000000000 +0100 @@ -69,22 +69,10 @@ apr_file_t *file; const char * const *proc_environ; char sock_path[FCGID_PATH_MAX]; - int argc; - char const * wargv[APACHE_ARG_MAX + 1], *word; /* For wrapper */ - const char *tmp; + const char **wargv; /* Build wrapper args */ - argc = 0; - tmp = cmdline; - while (1) { - word = ap_getword_white(procnode->proc_pool, &tmp); - if (word == NULL || *word == '\0') - break; - if (argc >= APACHE_ARG_MAX) - break; - wargv[argc++] = word; - } - wargv[argc] = NULL; + apr_tokenize_to_argv(cmdline, (char ***)&wargv, procnode->proc_pool); memset(&SecurityAttributes, 0, sizeof(SecurityAttributes)); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mod_fcgid-2.3.7/modules/fcgid/fcgid_protocol.c new/mod_fcgid-2.3.9/modules/fcgid/fcgid_protocol.c --- old/mod_fcgid-2.3.7/modules/fcgid/fcgid_protocol.c 2009-09-17 22:14:45.000000000 +0200 +++ new/mod_fcgid-2.3.9/modules/fcgid/fcgid_protocol.c 2013-09-17 13:08:37.000000000 +0200 @@ -25,7 +25,7 @@ static size_t init_environment(char *buf, char **envp) { char *spliter; - int namelen, valuelen; + apr_size_t namelen, valuelen; char *cur_buf = buf; size_t buffer_size = 0; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mod_fcgid-2.3.7/modules/fcgid/mod_fcgid.c new/mod_fcgid-2.3.9/modules/fcgid/mod_fcgid.c --- old/mod_fcgid-2.3.7/modules/fcgid/mod_fcgid.c 2012-04-11 02:54:32.000000000 +0200 +++ new/mod_fcgid-2.3.9/modules/fcgid/mod_fcgid.c 2012-07-17 02:02:26.000000000 +0200 @@ -46,6 +46,12 @@ FCGID_PROCNODE_TYPE_ERROR, }; +enum fcgid_auth_check_mode { + FCGID_AUTH_CHECK_AUTHN, + FCGID_AUTH_CHECK_AUTHZ, + FCGID_AUTH_CHECK_ACCESS +}; + /* Stolen from mod_cgi.c */ /* KLUDGE --- for back-compatibility, we don't have to check ExecCGI * in ScriptAliased directories, which means we need to know if this @@ -477,107 +483,78 @@ return 1; } -static int mod_fcgid_authenticator(request_rec * r) +static int mod_fcgid_check_auth(request_rec *r, + enum fcgid_auth_check_mode auth_check_mode) { int res = 0; const char *password = NULL; apr_table_t *saved_subprocess_env = NULL; - fcgid_cmd_conf *authenticator_info; + fcgid_cmd_conf *auth_cmd_info = NULL; int authoritative; + const char *auth_role = NULL; + const char *role_log_msg = NULL; + const char *user_log_msg = ""; + + /* Because we don't function as authn/z providers, integration with + * the standard httpd authn/z modules is somewhat problematic. + * + * With httpd 2.4 in particular, our hook functions may be + * circumvented by mod_authz_core's check_access_ex hook, unless + * Require directives specify that user-based authn/z is needed. + * + * Even then, APR_HOOK_MIDDLE may cause our authentication hook to be + * ordered after mod_auth_basic's check_authn hook, in which case it + * will be skipped unless AuthBasicAuthoritative is Off and no authn + * provider recognizes the user or outright denies the request. + * + * Also, when acting as an authenticator, we don't have a mechanism to + * set r->user based on the script response, so scripts can't implement + * a private authentication scheme; instead we use ap_get_basic_auth_pw() + * and only support Basic HTTP authentication. + * + * It is possible to act reliably as both authenticator and authorizer + * if mod_authn_core is loaded to support AuthType and AuthName, but + * mod_authz_core and mod_auth_basic are not loaded. However, in this + * case the Require directive is not available, which defeats many + * common configuration tropes. + */ - authenticator_info = get_authenticator_info(r, &authoritative); + switch (auth_check_mode) { + case FCGID_AUTH_CHECK_AUTHN: + auth_cmd_info = get_authenticator_info(r, &authoritative); + auth_role = "AUTHENTICATOR"; + role_log_msg = "Authentication"; + break; + + case FCGID_AUTH_CHECK_AUTHZ: + auth_cmd_info = get_authorizer_info(r, &authoritative); + auth_role = "AUTHORIZER"; + role_log_msg = "Authorization"; + break; + + case FCGID_AUTH_CHECK_ACCESS: + auth_cmd_info = get_access_info(r, &authoritative); + auth_role = "ACCESS_CHECKER"; + role_log_msg = "Access check"; + break; + } - /* Is authenticator enable? */ - if (authenticator_info == NULL) + /* Is this auth check command enabled? */ + if (auth_cmd_info == NULL) return DECLINED; /* Get the user password */ - if ((res = ap_get_basic_auth_pw(r, &password)) != OK) + if (auth_check_mode == FCGID_AUTH_CHECK_AUTHN + && (res = ap_get_basic_auth_pw(r, &password)) != OK) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "mod_fcgid: authenticator requires " + "basic HTTP auth credentials"); return res; - - /* Save old process environment */ - saved_subprocess_env = apr_table_copy(r->pool, r->subprocess_env); - - /* Add some environment variables */ - ap_add_common_vars(r); - ap_add_cgi_vars(r); - fcgid_add_cgi_vars(r); - apr_table_setn(r->subprocess_env, "REMOTE_PASSWD", password); - apr_table_setn(r->subprocess_env, "FCGI_APACHE_ROLE", "AUTHENTICATOR"); - - /* Drop the variables CONTENT_LENGTH, PATH_INFO, PATH_TRANSLATED, - * SCRIPT_NAME and most Hop-By-Hop headers - EXCEPT we will pass - * PROXY_AUTH to allow CGI to perform proxy auth for httpd - */ - apr_table_unset(r->subprocess_env, "CONTENT_LENGTH"); - apr_table_unset(r->subprocess_env, "PATH_INFO"); - apr_table_unset(r->subprocess_env, "PATH_TRANSLATED"); - apr_table_unset(r->subprocess_env, "SCRIPT_NAME"); - apr_table_unset(r->subprocess_env, "HTTP_KEEP_ALIVE"); - apr_table_unset(r->subprocess_env, "HTTP_TE"); - apr_table_unset(r->subprocess_env, "HTTP_TRAILER"); - apr_table_unset(r->subprocess_env, "HTTP_TRANSFER_ENCODING"); - apr_table_unset(r->subprocess_env, "HTTP_UPGRADE"); - - /* Connection hop-by-hop header to prevent the CGI from hanging */ - apr_table_set(r->subprocess_env, "HTTP_CONNECTION", "close"); - - /* Handle the request */ - res = bridge_request(r, FCGI_AUTHORIZER, authenticator_info); - - /* Restore r->subprocess_env */ - r->subprocess_env = saved_subprocess_env; - - if (res == OK && r->status == 200 - && apr_table_get(r->headers_out, "Location") == NULL) - { - /* Pass */ - ap_log_rerror(APLOG_MARK, APLOG_DEBUG | APLOG_NOERRNO, 0, r, - "mod_fcgid: user %s authentication pass", r->user); - - /* Modify headers: An Authorizer application's 200 response may include headers - whose names are prefixed with Variable-. */ - apr_table_do(mod_fcgid_modify_auth_header, r->subprocess_env, - r->err_headers_out, NULL); - - return OK; - } else { - /* Print error info first */ - if (res != OK) - ap_log_rerror(APLOG_MARK, APLOG_WARNING | APLOG_NOERRNO, 0, r, - "mod_fcgid: user %s authentication failed, respond %d, URI %s", - r->user, res, r->uri); - else if (r->status != 200) - ap_log_rerror(APLOG_MARK, APLOG_WARNING | APLOG_NOERRNO, 0, r, - "mod_fcgid: user %s authentication failed, status %d, URI %s", - r->user, r->status, r->uri); - else - ap_log_rerror(APLOG_MARK, APLOG_WARNING | APLOG_NOERRNO, 0, r, - "mod_fcgid: user %s authentication failed, redirected is not allowed", - r->user); - - /* Handle error */ - if (!authoritative) - return DECLINED; - else { - ap_note_basic_auth_failure(r); - return (res == OK) ? HTTP_UNAUTHORIZED : res; - } } -} -static int mod_fcgid_authorizer(request_rec * r) -{ - int res = 0; - apr_table_t *saved_subprocess_env = NULL; - fcgid_cmd_conf *authorizer_info; - int authoritative; - - authorizer_info = get_authorizer_info(r, &authoritative); - - /* Is authenticator enable? */ - if (authorizer_info == NULL) - return DECLINED; + if (auth_check_mode != FCGID_AUTH_CHECK_ACCESS) { + user_log_msg = apr_psprintf(r->pool, " of user %s", r->user); + } /* Save old process environment */ saved_subprocess_env = apr_table_copy(r->pool, r->subprocess_env); @@ -586,7 +563,10 @@ ap_add_common_vars(r); ap_add_cgi_vars(r); fcgid_add_cgi_vars(r); - apr_table_setn(r->subprocess_env, "FCGI_APACHE_ROLE", "AUTHORIZER"); + if (auth_check_mode == FCGID_AUTH_CHECK_AUTHN) { + apr_table_setn(r->subprocess_env, "REMOTE_PASSWD", password); + } + apr_table_setn(r->subprocess_env, "FCGI_APACHE_ROLE", auth_role); /* Drop the variables CONTENT_LENGTH, PATH_INFO, PATH_TRANSLATED, * SCRIPT_NAME and most Hop-By-Hop headers - EXCEPT we will pass @@ -606,17 +586,17 @@ apr_table_set(r->subprocess_env, "HTTP_CONNECTION", "close"); /* Handle the request */ - res = bridge_request(r, FCGI_AUTHORIZER, authorizer_info); + res = bridge_request(r, FCGI_AUTHORIZER, auth_cmd_info); /* Restore r->subprocess_env */ r->subprocess_env = saved_subprocess_env; - if (res == OK && r->status == 200 - && apr_table_get(r->headers_out, "Location") == NULL) - { + if (res == OK && r->status == HTTP_OK + && apr_table_get(r->headers_out, "Location") == NULL) { /* Pass */ - ap_log_rerror(APLOG_MARK, APLOG_DEBUG | APLOG_NOERRNO, 0, r, - "mod_fcgid: access granted (authorization)"); + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "mod_fcgid: %s%s to access %s succeeded", + role_log_msg, user_log_msg, r->uri); /* Modify headers: An Authorizer application's 200 response may include headers whose names are prefixed with Variable-. */ @@ -624,112 +604,53 @@ r->err_headers_out, NULL); return OK; - } else { + } + else { + const char *add_err_msg = ""; + /* Print error info first */ - if (res != OK) - ap_log_rerror(APLOG_MARK, APLOG_WARNING | APLOG_NOERRNO, 0, r, - "mod_fcgid: user %s authorization failed, respond %d, URI %s", - r->user, res, r->uri); - else if (r->status != 200) - ap_log_rerror(APLOG_MARK, APLOG_WARNING | APLOG_NOERRNO, 0, r, - "mod_fcgid: user %s authorization failed, status %d, URI %s", - r->user, r->status, r->uri); - else - ap_log_rerror(APLOG_MARK, APLOG_WARNING | APLOG_NOERRNO, 0, r, - "mod_fcgid: user %s authorization failed, redirected is not allowed", - r->user); + if (res != OK) { + add_err_msg = + apr_psprintf(r->pool, "; error or unexpected condition " + "while parsing response (%d)", res); + } + else if (r->status == HTTP_OK) { + add_err_msg = "; internal redirection not allowed"; + } + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "mod_fcgid: %s%s to access %s failed, reason: " + "script returned status %d%s", + role_log_msg, user_log_msg, r->uri, r->status, + add_err_msg); /* Handle error */ - if (!authoritative) + if (!authoritative) { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "mod_fcgid: not authoritative"); return DECLINED; + } else { - ap_note_basic_auth_failure(r); + if (auth_check_mode != FCGID_AUTH_CHECK_ACCESS) { + ap_note_basic_auth_failure(r); + } return (res == OK) ? HTTP_UNAUTHORIZED : res; } } } -static int mod_fcgid_check_access(request_rec * r) +static int mod_fcgid_authenticator(request_rec *r) { - int res = 0; - apr_table_t *saved_subprocess_env = NULL; - fcgid_cmd_conf *access_info; - int authoritative; - - access_info = get_access_info(r, &authoritative); - - /* Is access check enable? */ - if (access_info == NULL) - return DECLINED; - - /* Save old process environment */ - saved_subprocess_env = apr_table_copy(r->pool, r->subprocess_env); - - /* Add some environment variables */ - ap_add_common_vars(r); - ap_add_cgi_vars(r); - fcgid_add_cgi_vars(r); - apr_table_setn(r->subprocess_env, "FCGI_APACHE_ROLE", - "ACCESS_CHECKER"); - - /* Drop the variables CONTENT_LENGTH, PATH_INFO, PATH_TRANSLATED, - * SCRIPT_NAME and most Hop-By-Hop headers - EXCEPT we will pass - * PROXY_AUTH to allow CGI to perform proxy auth for httpd - */ - apr_table_unset(r->subprocess_env, "CONTENT_LENGTH"); - apr_table_unset(r->subprocess_env, "PATH_INFO"); - apr_table_unset(r->subprocess_env, "PATH_TRANSLATED"); - apr_table_unset(r->subprocess_env, "SCRIPT_NAME"); - apr_table_unset(r->subprocess_env, "HTTP_KEEP_ALIVE"); - apr_table_unset(r->subprocess_env, "HTTP_TE"); - apr_table_unset(r->subprocess_env, "HTTP_TRAILER"); - apr_table_unset(r->subprocess_env, "HTTP_TRANSFER_ENCODING"); - apr_table_unset(r->subprocess_env, "HTTP_UPGRADE"); - - /* Connection hop-by-hop header to prevent the CGI from hanging */ - apr_table_set(r->subprocess_env, "HTTP_CONNECTION", "close"); - - /* Handle the request */ - res = bridge_request(r, FCGI_AUTHORIZER, access_info); - - /* Restore r->subprocess_env */ - r->subprocess_env = saved_subprocess_env; - - if (res == OK && r->status == 200 - && apr_table_get(r->headers_out, "Location") == NULL) - { - /* Pass */ - ap_log_rerror(APLOG_MARK, APLOG_DEBUG | APLOG_NOERRNO, 0, r, - "mod_fcgid: access check pass"); - - /* Modify headers: An Authorizer application's 200 response may include headers - whose names are prefixed with Variable-. */ - apr_table_do(mod_fcgid_modify_auth_header, r->subprocess_env, - r->err_headers_out, NULL); + return mod_fcgid_check_auth(r, FCGID_AUTH_CHECK_AUTHN); +} - return OK; - } else { - /* Print error info first */ - if (res != OK) - ap_log_rerror(APLOG_MARK, APLOG_WARNING | APLOG_NOERRNO, 0, r, - "mod_fcgid: user %s access check failed, respond %d, URI %s", - r->user, res, r->uri); - else if (r->status != 200) - ap_log_rerror(APLOG_MARK, APLOG_WARNING | APLOG_NOERRNO, 0, r, - "mod_fcgid: user %s access check failed, status %d, URI %s", - r->user, r->status, r->uri); - else - ap_log_rerror(APLOG_MARK, APLOG_WARNING | APLOG_NOERRNO, 0, r, - "mod_fcgid: user %s access check failed, redirected is not allowed", - r->user); +static int mod_fcgid_authorizer(request_rec *r) +{ + return mod_fcgid_check_auth(r, FCGID_AUTH_CHECK_AUTHZ); +} - /* Handle error */ - if (!authoritative) - return DECLINED; - else { - return (res == OK) ? HTTP_UNAUTHORIZED : res; - } - } +static int mod_fcgid_check_access(request_rec *r) +{ + return mod_fcgid_check_auth(r, FCGID_AUTH_CHECK_ACCESS); } static void initialize_child(apr_pool_t * pchild, server_rec * main_server) -- To unsubscribe, e-mail: opensuse-commit+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-commit+help(a)opensuse.org

1 0