Hello community, here is the log from the commit of package uwsgi for openSUSE:Factory checked in at 2018-04-17 11:19:23 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/uwsgi (Old) and /work/SRC/openSUSE:Factory/.uwsgi.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "uwsgi" Tue Apr 17 11:19:23 2018 rev:26 rq:597249 version:2.0.17 Changes: -------- --- /work/SRC/openSUSE:Factory/uwsgi/uwsgi.changes 2018-03-01 12:07:40.206396934 +0100 +++ /work/SRC/openSUSE:Factory/.uwsgi.new/uwsgi.changes 2018-04-17 11:19:30.760799915 +0200 @@ -1,0 +2,17 @@ +Mon Apr 16 23:48:42 UTC 2018 - jfunk@funktronics.ca + +- Disable apache2-mod_proxy_uwsgi on Leap 15 since upstream Apache includes + the module now + +------------------------------------------------------------------- +Mon Apr 16 13:42:59 UTC 2018 - jfunk@funktronics.ca + +- Update to 2.0.17: + * The Emperor throttling subsystem does not make use anymore of blocking + functions, like usleep(), this should fix stats serving and should improve + vassals startup time + * [Security/PHP] enforce DOCUMENT_ROOT check when using --php-docroot to + avoid directory traversal (Marios Nicolaides) + * added --shutdown-sockets to improve graceful shutdowns (Andrew Wason) + +------------------------------------------------------------------- Old: ---- uwsgi-2.0.16.tar.gz New: ---- uwsgi-2.0.17.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ uwsgi.spec ++++++ --- /var/tmp/diff_new_pack.MVDDBK/_old 2018-04-17 11:19:31.528763920 +0200 +++ /var/tmp/diff_new_pack.MVDDBK/_new 2018-04-17 11:19:31.532763732 +0200 @@ -17,7 +17,7 @@ Name: uwsgi -Version: 2.0.16 +Version: 2.0.17 Release: 0 Summary: Application Container Server for Networked/Clustered Web Applications License: Apache-2.0 AND GPL-2.0-only WITH GCC-exception-2.0 
@@ -48,6 +48,9 @@ %endif %define apache_libexecdir %(%{apxs} -q LIBEXECDIR) BuildRequires: apache2-devel +%if 0%{?suse_version} >= 1500 +BuildRequires: argon2-devel +%endif BuildRequires: gcc-c++ BuildRequires: gcc-objc %if 0%{?suse_version} > 1220 @@ -75,6 +78,7 @@ BuildRequires: lua-devel %endif #BuildRequires: mono-web +BuildRequires: ncurses-devel BuildRequires: openldap2-devel BuildRequires: openssl-devel BuildRequires: pam-devel @@ -150,6 +154,7 @@ different technology on top of the same core. +%if 0%{suse_version} < 1500 %package -n apache2-mod_proxy_uwsgi Summary: uWSGI Proxy Module for Apache 2.0 Group: Productivity/Networking/Web/Servers @@ -159,7 +164,7 @@ uWSGI is a self-healing application container server coded in pure C. This package contains an Apache 2.0 proxy module for uWSGI. - +%endif %package -n apache2-mod_uwsgi Summary: uWSGI Module for Apache 2.0 @@ -521,7 +526,9 @@ python3 uwsgiconfig.py --plugin plugins/python opensuse python3 # Build Apache modules +%if 0%{suse_version} < 1500 %{apxs} -c apache2/mod_proxy_uwsgi.c +%endif %{apxs} -c apache2/mod_uwsgi.c # Build php7 plugin @@ -652,9 +659,11 @@ %{_libdir}/uwsgi/zabbix_plugin.so %{_libdir}/uwsgi/zergpool_plugin.so +%if 0%{suse_version} < 1500 %files -n apache2-mod_proxy_uwsgi %defattr(-,root,root,-) %{apache_libexecdir}/mod_proxy_uwsgi.so +%endif %files -n apache2-mod_uwsgi %defattr(-,root,root,-) ++++++ uwsgi-2.0.16.tar.gz -> uwsgi-2.0.17.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/uwsgi-2.0.16/PKG-INFO new/uwsgi-2.0.17/PKG-INFO --- old/uwsgi-2.0.16/PKG-INFO 2018-02-10 11:00:57.000000000 +0100 +++ new/uwsgi-2.0.17/PKG-INFO 2018-02-26 19:34:40.000000000 +0100 
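Review bot: The new conditionals around the apache2-mod_proxy_uwsgi subpackage (hunk @@ -150,6 +154,7 @@, and again in the build and %files hunks at @@ -521,7 +526,9 @@ and @@ -652,9 +659,11 @@) test `0%{suse_version}` without the `?`, while the argon2-devel guard added in the first hunk uses `0%{?suse_version}`. Where the macro is undefined the unguarded form is left unexpanded and the `%if` expression cannot be parsed, so the three guards should read `%if 0%{?suse_version} < 1500`. The changelog entry also does not mention the new argon2-devel and ncurses-devel build requirements; a line saying which plugin needs them would help whoever audits the dependency set later.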
@@ -1,6 +1,6 @@ Metadata-Version: 1.0 Name: uWSGI -Version: 2.0.16 +Version: 2.0.17 Summary: The uWSGI server Home-page: https://uwsgi-docs.readthedocs.io/en/latest/ Author: Unbit diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/uwsgi-2.0.16/core/emperor.c new/uwsgi-2.0.17/core/emperor.c --- old/uwsgi-2.0.16/core/emperor.c 2018-02-10 11:00:57.000000000 +0100 +++ new/uwsgi-2.0.17/core/emperor.c 2018-02-26 19:34:40.000000000 +0100 @@ -851,6 +851,7 @@ } } + // TODO make it meaningful if (now - emperor_throttle < 1) { emperor_throttle_level = emperor_throttle_level * 2; } @@ -868,6 +869,7 @@ #ifdef UWSGI_DEBUG uwsgi_log("emperor throttle = %d\n", emperor_throttle_level); #endif + /* if (emperor_warming_up) { if (emperor_throttle_level > 0) { // wait 10 milliseconds in case of fork-bombing @@ -878,6 +880,7 @@ else { usleep(emperor_throttle_level * 1000); } + */ if (uwsgi.emperor_tyrant) { if (uid == 0 || gid == 0) { @@ -2077,7 +2080,8 @@ if (uwsgi_stats_keylong_comma(us, "emperor_tyrant", (unsigned long long) uwsgi.emperor_tyrant)) goto end0; - if (uwsgi_stats_keylong_comma(us, "throttle_level", (unsigned long long) emperor_throttle_level / 1000)) + // will be zero for now + if (uwsgi_stats_keylong_comma(us, "throttle_level", (unsigned long long) 0)) goto end0; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/uwsgi-2.0.16/core/loop.c new/uwsgi-2.0.17/core/loop.c --- old/uwsgi-2.0.16/core/loop.c 2018-02-10 11:00:57.000000000 +0100 +++ new/uwsgi-2.0.17/core/loop.c 2018-02-26 19:34:40.000000000 +0100 
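Review bot: Commenting out the `usleep()` block in the hunks at @@ -868,6 +869,7 @@ and @@ -878,6 +880,7 @@ removes the only place in this diff where `emperor_throttle_level` is consumed, including the delay the old comment describes as a guard against fork-bombing, and nothing visible here replaces it. The level is still doubled at @@ -851,6 +851,7 @@ but now has no effect, and the stats hunk at @@ -2077,7 +2080,8 @@ reports a constant 0, so a vassal that dies and respawns in a tight loop is neither slowed down nor visible in monitoring as far as this diff shows. I would delete the dead block rather than leave it commented out, and expand the TODO to say what bounds the respawn rate in the meantime, e.g. `// TODO: throttle level is computed but not applied since the blocking usleep() was removed; respawn rate is currently unbounded`. The enclosing functions start and end outside these hunks, so a non-blocking replacement elsewhere in emperor.c cannot be ruled out.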
@@ -60,6 +60,8 @@ void simple_loop() { uwsgi_loop_cores_run(simple_loop_run); + if (uwsgi.workers[uwsgi.mywid].shutdown_sockets) + uwsgi_shutdown_all_sockets(); } void uwsgi_loop_cores_run(void *(*func) (void *)) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/uwsgi-2.0.16/core/socket.c new/uwsgi-2.0.17/core/socket.c --- old/uwsgi-2.0.16/core/socket.c 2018-02-10 11:00:57.000000000 +0100 +++ new/uwsgi-2.0.17/core/socket.c 2018-02-26 19:34:40.000000000 +0100 @@ -1263,6 +1263,19 @@ } } +void uwsgi_shutdown_all_sockets() { + uwsgi_log_verbose("shutting down all sockets...\n"); + struct uwsgi_socket *uwsgi_sock = uwsgi.sockets; + + while (uwsgi_sock) { + if (uwsgi_sock->bound) { + shutdown(uwsgi_sock->fd, SHUT_RDWR); + close(uwsgi_sock->fd); + } + uwsgi_sock = uwsgi_sock->next; + } +} + void uwsgi_close_all_unshared_sockets() { struct uwsgi_socket *uwsgi_sock = uwsgi.sockets; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/uwsgi-2.0.16/core/uwsgi.c new/uwsgi-2.0.17/core/uwsgi.c --- old/uwsgi-2.0.16/core/uwsgi.c 2018-02-10 11:00:57.000000000 +0100 +++ new/uwsgi-2.0.17/core/uwsgi.c 2018-02-26 19:34:40.000000000 +0100 
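Review bot: The unbraced two-line check added to `simple_loop()`, `if (uwsgi.workers[uwsgi.mywid].shutdown_sockets) uwsgi_shutdown_all_sockets();`, is pasted again three times in core/uwsgi.c (hunks @@ -1248,6 +1249,8 @@ and @@ -1256,10 +1259,14 @@), there each time directly above `exit(UWSGI_RELOAD_CODE)`. A small static helper that performs the check would keep the exit paths from drifting apart and make it obvious when a new exit path forgets the call. At minimum the bodies should be braced, since in uwsgi.c each copy sits one line above an `exit()` that must stay unconditional.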
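Review bot: `uwsgi_shutdown_all_sockets()` calls `shutdown(uwsgi_sock->fd, SHUT_RDWR)` on every bound socket, and shutdown() acts on the socket itself rather than on this process's descriptor, so any other process that still holds the same socket is affected as well; the function carries no comment saying that this is intended. Both return values are ignored and the descriptor number is left in `uwsgi_sock->fd` after `close()`, so a later pass over the socket list (if one happens on the exit path, which the hunk does not show) would act on a stale descriptor. I would add a header comment stating when the function is safe to call, log failures with `if (shutdown(uwsgi_sock->fd, SHUT_RDWR)) uwsgi_error("shutdown()");`, and define it as `void uwsgi_shutdown_all_sockets(void)` to match the prototype added in uwsgi.h.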
@@ -525,6 +525,7 @@ {"socket-write-timeout", no_argument, 0, "set SO_SNDTIMEO", uwsgi_opt_set_int, &uwsgi.so_send_timeout, 0}, {"socket-sndbuf", required_argument, 0, "set SO_SNDBUF", uwsgi_opt_set_64bit, &uwsgi.so_sndbuf, 0}, {"socket-rcvbuf", required_argument, 0, "set SO_RCVBUF", uwsgi_opt_set_64bit, &uwsgi.so_rcvbuf, 0}, + {"shutdown-sockets", no_argument, 0, "force calling shutdown() in addition to close() when sockets are destroyed", uwsgi_opt_true, &uwsgi.shutdown_sockets, 0}, {"limit-as", required_argument, 0, "limit processes address space/vsz", uwsgi_opt_set_megabytes, &uwsgi.rl.rlim_max, 0}, {"limit-nproc", required_argument, 0, "limit the number of spawnable processes", uwsgi_opt_set_int, &uwsgi.rl_nproc.rlim_max, 0}, {"reload-on-as", required_argument, 0, "reload if address space is higher than specified megabytes", uwsgi_opt_set_megabytes, &uwsgi.reload_on_as, UWSGI_OPT_MEMORY}, @@ -1248,6 +1249,8 @@ struct wsgi_request *wsgi_req = current_wsgi_req(); wait_for_threads(); if (!uwsgi.workers[uwsgi.mywid].cores[wsgi_req->async_id].in_request) { + if (uwsgi.workers[uwsgi.mywid].shutdown_sockets) + uwsgi_shutdown_all_sockets(); exit(UWSGI_RELOAD_CODE); } return; @@ -1256,10 +1259,14 @@ // still not found a way to gracefully reload in async mode if (uwsgi.async > 1) { + if (uwsgi.workers[uwsgi.mywid].shutdown_sockets) + uwsgi_shutdown_all_sockets(); exit(UWSGI_RELOAD_CODE); } if (!uwsgi.workers[uwsgi.mywid].cores[0].in_request) { + if (uwsgi.workers[uwsgi.mywid].shutdown_sockets) + uwsgi_shutdown_all_sockets(); exit(UWSGI_RELOAD_CODE); } } @@ -1334,6 +1341,8 @@ int i; for (i = 1; i <= uwsgi.numproc; i++) { if (uwsgi.workers[i].pid > 0) { + if (uwsgi.shutdown_sockets) + uwsgi.workers[i].shutdown_sockets = 1; uwsgi_curse(i, SIGHUP); } } 
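Review bot: In the hunk at @@ -1334,6 +1341,8 @@ the per-worker `shutdown_sockets` flag is set only inside this loop, right before `uwsgi_curse(i, SIGHUP)`, and that is the only write to it anywhere in the diff. The worker-side checks in `simple_loop()` and the reload handler read the per-worker flag, not `uwsgi.shutdown_sockets`, so a worker that exits by a route that does not pass through this loop would appear to skip shutdown() even with --shutdown-sockets set. If that is deliberate, a comment here such as `/* only a full graceful reload asks workers to shutdown() their sockets */` would record it; otherwise the workers could test `uwsgi.shutdown_sockets` directly. The enclosing function begins and ends outside the hunk.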
@@ -2600,7 +2609,6 @@ uwsgi_file_write_do(uwsgi.file_write_list); if (!uwsgi.master_as_root && !uwsgi.chown_socket && !uwsgi.drop_after_init && !uwsgi.drop_after_apps) { - uwsgi_log("dropping root privileges as early as possible\n"); uwsgi_as_root(); } @@ -2839,7 +2847,6 @@ uwsgi_bind_sockets(); if (!uwsgi.master_as_root && !uwsgi.drop_after_init && !uwsgi.drop_after_apps) { - uwsgi_log("dropping root privileges after socket binding\n"); uwsgi_as_root(); } @@ -2859,7 +2866,6 @@ } if (!uwsgi.master_as_root && !uwsgi.drop_after_apps) { - uwsgi_log("dropping root privileges after plugin initialization\n"); uwsgi_as_root(); } @@ -3113,7 +3119,6 @@ } if (!uwsgi.master_as_root) { - uwsgi_log("dropping root privileges after application loading\n"); uwsgi_as_root(); } @@ -3366,7 +3371,6 @@ } if (uwsgi.master_as_root) { - uwsgi_log("dropping root privileges after master thread creation\n"); uwsgi_as_root(); } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/uwsgi-2.0.16/plugins/php/php_plugin.c new/uwsgi-2.0.17/plugins/php/php_plugin.c --- old/uwsgi-2.0.16/plugins/php/php_plugin.c 2018-02-10 11:00:57.000000000 +0100 +++ new/uwsgi-2.0.17/plugins/php/php_plugin.c 2018-02-26 19:34:40.000000000 +0100 @@ -17,6 +17,7 @@ struct uwsgi_string_list *vars; struct uwsgi_string_list *constants; char *docroot; + size_t docroot_len; char *app; char *app_qs; char *fallback; @@ -631,6 +632,8 @@ uwsgi_log("unable to set php docroot to %s\n", orig_docroot); exit(1); } + uwsgi_log("PHP document root set to %s\n", uphp.docroot); + uphp.docroot_len = strlen(uphp.docroot); } if (uphp.sapi_name) { @@ -849,6 +852,7 @@ free(filename); real_filename_len = strlen(real_filename); + // first check for valid doc roots if (uphp.allowed_docroot) { struct uwsgi_string_list *usl = uphp.allowed_docroot; while(usl) { 
@@ -861,6 +865,16 @@ uwsgi_log("PHP security error: %s is not under an allowed docroot\n", real_filename); return -1; } + // then for default docroot (if any) + else if (uphp.docroot) + { + if (!uwsgi_starts_with(real_filename, real_filename_len, uphp.docroot, uphp.docroot_len)) { + goto secure; + } + uwsgi_403(wsgi_req); + uwsgi_log("PHP security error: %s is not under the default docroot\n", real_filename); + return -1; + } secure: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/uwsgi-2.0.16/uwsgi.gemspec new/uwsgi-2.0.17/uwsgi.gemspec --- old/uwsgi-2.0.16/uwsgi.gemspec 2018-02-10 11:00:57.000000000 +0100 +++ new/uwsgi-2.0.17/uwsgi.gemspec 2018-02-26 19:34:40.000000000 +0100 @@ -2,7 +2,7 @@ s.name = 'uwsgi' s.license = 'GPL-2' s.version = `python -c "import uwsgiconfig as uc; print uc.uwsgi_version"`.sub(/-dev-.*/,'') - s.date = '2018-02-10' + s.date = '2018-02-26' s.summary = "uWSGI" s.description = "The uWSGI server for Ruby/Rack" s.authors = ["Unbit"] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/uwsgi-2.0.16/uwsgi.h new/uwsgi-2.0.17/uwsgi.h --- old/uwsgi-2.0.16/uwsgi.h 2018-02-10 11:00:57.000000000 +0100 +++ new/uwsgi-2.0.17/uwsgi.h 2018-02-26 19:34:40.000000000 +0100 @@ -2828,6 +2828,9 @@ size_t response_header_limit; char *safe_pidfile; char *safe_pidfile2; + + // uWSGI 2.0.17 + int shutdown_sockets; }; struct uwsgi_rpc { @@ -3037,6 +3040,8 @@ int accepting; char name[0xff]; + + int shutdown_sockets; }; 
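Review bot: The default-docroot branch added at @@ -861,6 +865,16 @@ accepts any `real_filename` that merely begins with the bytes of `uphp.docroot`, so with a docroot stored without a trailing slash (it looks like a resolved path, which normally has none) a sibling directory whose name extends the docroot's name also passes the check. The comparison should additionally require a separator at the boundary, e.g. `if (!uwsgi_starts_with(real_filename, real_filename_len, uphp.docroot, uphp.docroot_len) && (uphp.docroot_len == 1 || real_filename[uphp.docroot_len] == '/')) {`. The `allowed_docroot` loop just above looks like it makes the same kind of prefix comparison, but its body is outside the hunk. The new branch also hangs off the existing `if` as an `else if`, so the default docroot is not enforced whenever `allowed_docroot` is configured; a comment saying so would make that precedence explicit. The function continues past the `secure:` label, outside the hunk.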
@@ -3547,6 +3552,7 @@ struct uwsgi_socket *uwsgi_del_socket(struct uwsgi_socket *); void uwsgi_close_all_sockets(void); +void uwsgi_shutdown_all_sockets(void); void uwsgi_close_all_unshared_sockets(void); struct uwsgi_string_list *uwsgi_string_new_list(struct uwsgi_string_list **, char *); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/uwsgi-2.0.16/uwsgiconfig.py new/uwsgi-2.0.17/uwsgiconfig.py --- old/uwsgi-2.0.16/uwsgiconfig.py 2018-02-10 11:00:57.000000000 +0100 +++ new/uwsgi-2.0.17/uwsgiconfig.py 2018-02-26 19:34:40.000000000 +0100 @@ -1,6 +1,6 @@ # uWSGI build system -uwsgi_version = '2.0.16' +uwsgi_version = '2.0.17' import os import re