authorLuboš Uhliarik <luhliari@redhat.com>2017-03-30 15:32:35 +0200
committerLuboš Uhliarik <luhliari@redhat.com>2017-03-30 15:32:35 +0200
commitc58fda3be9f940c95777808718708cf2b1601502 (patch)
treeafb76595121c098e8f8c5b22406a371a46daa04b
parentc79ba20a8d846af5f884ec33930d234bab667899 (diff)
Resolves: #1397243 - Backport Apache Bug 53098 - mod_proxy_ajp:
patch to set worker secret passed to tomcat
-rw-r--r--httpd-2.4.25-r1738878.patch129
-rw-r--r--httpd.spec11
2 files changed, 138 insertions, 2 deletions
diff --git a/httpd-2.4.25-r1738878.patch b/httpd-2.4.25-r1738878.patch
new file mode 100644
index 0000000..a6a1b50
--- /dev/null
+++ b/httpd-2.4.25-r1738878.patch
@@ -0,0 +1,129 @@
+--- a/modules/proxy/ajp.h 2016/04/12 22:47:36 1738877
++++ b/modules/proxy/ajp.h 2016/04/12 23:09:07 1738878
+@@ -412,11 +412,13 @@
+ * @param r current request
+ * @param buffsize max size of the AJP packet.
+ * @param uri requested uri
++ * @param secret authentication secret
+ * @return APR_SUCCESS or error
+ */
+ apr_status_t ajp_send_header(apr_socket_t *sock, request_rec *r,
+ apr_size_t buffsize,
+- apr_uri_t *uri);
++ apr_uri_t *uri,
++ const char *secret);
+
+ /**
+ * Read the ajp message and return the type of the message.
+--- a/modules/proxy/ajp_header.c 2016/04/12 22:47:36 1738877
++++ b/modules/proxy/ajp_header.c 2016/04/12 23:09:07 1738878
+@@ -213,7 +213,8 @@
+
+ static apr_status_t ajp_marshal_into_msgb(ajp_msg_t *msg,
+ request_rec *r,
+- apr_uri_t *uri)
++ apr_uri_t *uri,
++ const char *secret)
+ {
+ int method;
+ apr_uint32_t i, num_headers = 0;
+@@ -293,17 +294,15 @@
+ i, elts[i].key, elts[i].val);
+ }
+
+-/* XXXX need to figure out how to do this
+- if (s->secret) {
++ if (secret) {
+ if (ajp_msg_append_uint8(msg, SC_A_SECRET) ||
+- ajp_msg_append_string(msg, s->secret)) {
++ ajp_msg_append_string(msg, secret)) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(03228)
+- "Error ajp_marshal_into_msgb - "
++ "ajp_marshal_into_msgb: "
+ "Error appending secret");
+ return APR_EGENERAL;
+ }
+ }
+- */
+
+ if (r->user) {
+ if (ajp_msg_append_uint8(msg, SC_A_REMOTE_USER) ||
+@@ -671,7 +670,8 @@
+ apr_status_t ajp_send_header(apr_socket_t *sock,
+ request_rec *r,
+ apr_size_t buffsize,
+- apr_uri_t *uri)
++ apr_uri_t *uri,
++ const char *secret)
+ {
+ ajp_msg_t *msg;
+ apr_status_t rc;
+@@ -683,7 +683,7 @@
+ return rc;
+ }
+
+- rc = ajp_marshal_into_msgb(msg, r, uri);
++ rc = ajp_marshal_into_msgb(msg, r, uri, secret);
+ if (rc != APR_SUCCESS) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(00988)
+ "ajp_send_header: ajp_marshal_into_msgb failed");
+--- a/modules/proxy/mod_proxy.c 2016/04/12 22:47:36 1738877
++++ b/modules/proxy/mod_proxy.c 2016/04/12 23:09:07 1738878
+@@ -308,6 +308,12 @@
+ (int)sizeof(worker->s->flusher));
+ }
+ }
++ else if (!strcasecmp(key, "secret")) {
++ if (PROXY_STRNCPY(worker->s->secret, val) != APR_SUCCESS) {
++ return apr_psprintf(p, "Secret length must be < %d characters",
++ (int)sizeof(worker->s->secret));
++ }
++ }
+ else {
+ if (set_worker_hc_param_f) {
+ return set_worker_hc_param_f(p, s, worker, key, val, NULL);
+--- a/modules/proxy/mod_proxy.h 2016/04/12 22:47:36 1738877
++++ b/modules/proxy/mod_proxy.h 2016/04/12 23:09:07 1738878
+@@ -348,6 +348,7 @@
+ #define PROXY_WORKER_MAX_HOSTNAME_SIZE 96
+ #define PROXY_BALANCER_MAX_HOSTNAME_SIZE 64
+ #define PROXY_BALANCER_MAX_STICKY_SIZE 64
++#define PROXY_WORKER_MAX_SECRET_SIZE 64
+
+ /* RFC-1035 mentions limits of 255 for host-names and 253 for domain-names,
+ * dotted together(?) this would fit the below size (+ trailing NUL).
+@@ -444,6 +445,7 @@
+ unsigned int disablereuse_set:1;
+ unsigned int was_malloced:1;
+ unsigned int is_name_matchable:1;
++ char secret[PROXY_WORKER_MAX_SECRET_SIZE]; /* authentication secret (e.g. AJP13) */
+ } proxy_worker_shared;
+
+ #define ALIGNED_PROXY_WORKER_SHARED_SIZE (APR_ALIGN_DEFAULT(sizeof(proxy_worker_shared)))
+--- a/modules/proxy/mod_proxy_ajp.c 2016/04/12 22:47:36 1738877
++++ b/modules/proxy/mod_proxy_ajp.c 2016/04/12 23:09:07 1738878
+@@ -193,6 +193,7 @@
+ apr_off_t content_length = 0;
+ int original_status = r->status;
+ const char *original_status_line = r->status_line;
++ const char *secret = NULL;
+
+ if (psf->io_buffer_size_set)
+ maxsize = psf->io_buffer_size;
+@@ -202,12 +203,15 @@
+ maxsize = AJP_MSG_BUFFER_SZ;
+ maxsize = APR_ALIGN(maxsize, 1024);
+
++ if (*conn->worker->s->secret)
++ secret = conn->worker->s->secret;
++
+ /*
+ * Send the AJP request to the remote server
+ */
+
+ /* send request headers */
+- status = ajp_send_header(conn->sock, r, maxsize, uri);
++ status = ajp_send_header(conn->sock, r, maxsize, uri, secret);
+ if (status != APR_SUCCESS) {
+ conn->close = 1;
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r, APLOGNO(00868)
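Review bot: The `secret` branch added to the worker-parameter parser in mod_proxy.c accepts an empty value, and the mod_proxy_ajp.c change treats an empty `worker->s->secret` as "no secret" (`if (*conn->worker->s->secret)`), so a stray `secret=` would, as far as the visible lines show, silently send requests without SC_A_SECRET instead of failing at configuration time. Rejecting it up front would make the misconfiguration visible, e.g. `if (!*val) return "Secret must not be empty";` placed before the `PROXY_STRNCPY` call. Separately, the new `secret[PROXY_WORKER_MAX_SECRET_SIZE]` field is appended to `proxy_worker_shared`, which grows the struct and (judging by the name) keeps the value in memory shared between processes; a comment on the field saying it is sensitive and must not be echoed by status pages or logging would help, and since this is a backport it is worth confirming that proxy modules built against the previous header get rebuilt. The functions touched here all start and end outside the embedded hunks, so how the secret is handled elsewhere (for example in message dumps) cannot be judged from this patch.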
diff --git a/httpd.spec b/httpd.spec
index 49d12c2..c91e4ea 100644
--- a/httpd.spec
+++ b/httpd.spec
@@ -8,7 +8,7 @@
Summary: Apache HTTP Server
Name: httpd
Version: 2.4.25
-Release: 6%{?dist}
+Release: 7%{?dist}
URL: http://httpd.apache.org/
Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
Source1: index.html
@@ -68,6 +68,8 @@ Patch57: httpd-2.4.10-sigint.patch
Patch58: httpd-2.4.25-r1778319+.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1434916
Patch59: httpd-2.4.25-r1787141.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1397243
+Patch60: httpd-2.4.25-r1738878.patch
# Security fixes
License: ASL 2.0
@@ -215,7 +217,8 @@ interface for storing and accessing per-user session data.
%patch56 -p1 -b .uniqueid
%patch57 -p1 -b .sigint
%patch58 -p1 -b .r1778319+
-%patch59 -p1 -b .č1787141
+%patch59 -p1 -b .r1787141
+%patch60 -p1 -b .r1738878
# Patch in the vendor string
sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h
@@ -687,6 +690,10 @@ rm -rf $RPM_BUILD_ROOT
%{_rpmconfigdir}/macros.d/macros.httpd
%changelog
+* Wed Mar 29 2017 Luboš Uhliarik <luhliari@redhat.com> - 2.4.25-7
+- Resolves: #1397243 - Backport Apache Bug 53098 - mod_proxy_ajp:
+ patch to set worker secret passed to tomcat
+
* Tue Mar 28 2017 Luboš Uhliarik <luhliari@redhat.com> - 2.4.25-6
- Resolves: #1434916 - httpd.service: Failed with result timeout