Add patch58 to set worker secret passed to tomcat in mod_proxy_ajp (F…

…edora)
iusrepo · Mar 29, 2018 · eb2443b · eb2443b
1 parent 04fc916
commit eb2443b
Show file tree

Hide file tree

Showing 2 changed files with 141 additions and 0 deletions.
diff --git a/SOURCES/httpd-2.4.33-r1738878.patch b/SOURCES/httpd-2.4.33-r1738878.patch
@@ -0,0 +1,137 @@
+diff --git a/modules/proxy/ajp.h b/modules/proxy/ajp.h
+index c119a7e..267150a 100644
+diff -uap httpd-2.4.33/modules/proxy/ajp_header.c.r1738878 httpd-2.4.33/modules/proxy/ajp_header.c
+--- httpd-2.4.33/modules/proxy/ajp_header.c.r1738878
++++ httpd-2.4.33/modules/proxy/ajp_header.c
+@@ -213,7 +213,8 @@
+
+ static apr_status_t ajp_marshal_into_msgb(ajp_msg_t *msg,
+                                           request_rec *r,
+-                                          apr_uri_t *uri)
++                                          apr_uri_t *uri,
++                                          const char *secret)
+ {
+     int method;
+     apr_uint32_t i, num_headers = 0;
+@@ -293,17 +294,15 @@
+                    i, elts[i].key, elts[i].val);
+     }
+
+-/* XXXX need to figure out how to do this
+-    if (s->secret) {
++    if (secret) {
+         if (ajp_msg_append_uint8(msg, SC_A_SECRET) ||
+-            ajp_msg_append_string(msg, s->secret)) {
++            ajp_msg_append_string(msg, secret)) {
+             ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(03228)
+-                   "Error ajp_marshal_into_msgb - "
++                   "ajp_marshal_into_msgb: "
+                    "Error appending secret");
+             return APR_EGENERAL;
+         }
+     }
+- */
+
+     if (r->user) {
+         if (ajp_msg_append_uint8(msg, SC_A_REMOTE_USER) ||
+@@ -671,7 +670,8 @@
+ apr_status_t ajp_send_header(apr_socket_t *sock,
+                              request_rec *r,
+                              apr_size_t buffsize,
+-                             apr_uri_t *uri)
++                             apr_uri_t *uri,
++                             const char *secret)
+ {
+     ajp_msg_t *msg;
+     apr_status_t rc;
+@@ -683,7 +683,7 @@
+         return rc;
+     }
+
+-    rc = ajp_marshal_into_msgb(msg, r, uri);
++    rc = ajp_marshal_into_msgb(msg, r, uri, secret);
+     if (rc != APR_SUCCESS) {
+         ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(00988)
+                "ajp_send_header: ajp_marshal_into_msgb failed");
+diff -uap httpd-2.4.33/modules/proxy/ajp.h.r1738878 httpd-2.4.33/modules/proxy/ajp.h
+--- httpd-2.4.33/modules/proxy/ajp.h.r1738878
++++ httpd-2.4.33/modules/proxy/ajp.h
+@@ -413,12 +413,14 @@
+  * @param sock      backend socket
+  * @param r         current request
+  * @param buffsize  max size of the AJP packet.
++ * @param secret    authentication secret
+  * @param uri       requested uri
+  * @return          APR_SUCCESS or error
+  */
+ apr_status_t ajp_send_header(apr_socket_t *sock, request_rec *r,
+                              apr_size_t buffsize,
+-                             apr_uri_t *uri);
++                             apr_uri_t *uri,
++                             const char *secret);
+
+ /**
+  * Read the ajp message and return the type of the message.
+diff -uap httpd-2.4.33/modules/proxy/mod_proxy_ajp.c.r1738878 httpd-2.4.33/modules/proxy/mod_proxy_ajp.c
+--- httpd-2.4.33/modules/proxy/mod_proxy_ajp.c.r1738878
++++ httpd-2.4.33/modules/proxy/mod_proxy_ajp.c
+@@ -193,6 +193,7 @@
+     apr_off_t content_length = 0;
+     int original_status = r->status;
+     const char *original_status_line = r->status_line;
++    const char *secret = NULL;
+
+     if (psf->io_buffer_size_set)
+        maxsize = psf->io_buffer_size;
+@@ -202,12 +203,15 @@
+        maxsize = AJP_MSG_BUFFER_SZ;
+     maxsize = APR_ALIGN(maxsize, 1024);
+
++    if (*conn->worker->s->secret)
++        secret = conn->worker->s->secret;
++
+     /*
+      * Send the AJP request to the remote server
+      */
+
+     /* send request headers */
+-    status = ajp_send_header(conn->sock, r, maxsize, uri);
++    status = ajp_send_header(conn->sock, r, maxsize, uri, secret);
+     if (status != APR_SUCCESS) {
+         conn->close = 1;
+         ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r, APLOGNO(00868)
+diff -uap httpd-2.4.33/modules/proxy/mod_proxy.c.r1738878 httpd-2.4.33/modules/proxy/mod_proxy.c
+--- httpd-2.4.33/modules/proxy/mod_proxy.c.r1738878
++++ httpd-2.4.33/modules/proxy/mod_proxy.c
+@@ -318,6 +318,12 @@
+                                 (int)sizeof(worker->s->upgrade));
+         }
+     }
++    else if (!strcasecmp(key, "secret")) {
++        if (PROXY_STRNCPY(worker->s->secret, val) != APR_SUCCESS) {
++            return apr_psprintf(p, "Secret length must be < %d characters",
++                                (int)sizeof(worker->s->secret));
++        }
++    }
+     else {
+         if (set_worker_hc_param_f) {
+             return set_worker_hc_param_f(p, s, worker, key, val, NULL);
+diff -uap httpd-2.4.33/modules/proxy/mod_proxy.h.r1738878 httpd-2.4.33/modules/proxy/mod_proxy.h
+--- httpd-2.4.33/modules/proxy/mod_proxy.h.r1738878
++++ httpd-2.4.33/modules/proxy/mod_proxy.h
+@@ -353,6 +353,7 @@
+ #define PROXY_WORKER_MAX_HOSTNAME_SIZE  64
+ #define PROXY_BALANCER_MAX_HOSTNAME_SIZE PROXY_WORKER_MAX_HOSTNAME_SIZE
+ #define PROXY_BALANCER_MAX_STICKY_SIZE  64
++#define PROXY_WORKER_MAX_SECRET_SIZE    64
+
+ #define PROXY_RFC1035_HOSTNAME_SIZE	256
+
+@@ -447,6 +448,7 @@
+     apr_interval_time_t interval;
+     char      upgrade[PROXY_WORKER_MAX_SCHEME_SIZE];/* upgrade protocol used by mod_proxy_wstunnel */
+     char      hostname_ex[PROXY_RFC1035_HOSTNAME_SIZE];  /* RFC1035 compliant version of the remote backend address */
++    char      secret[PROXY_WORKER_MAX_SECRET_SIZE]; /* authentication secret (e.g. AJP13) */
+ } proxy_worker_shared;
+
+ #define ALIGNED_PROXY_WORKER_SHARED_SIZE (APR_ALIGN_DEFAULT(sizeof(proxy_worker_shared)))
diff --git a/SPECS/httpd24u.spec b/SPECS/httpd24u.spec
@@ -76,6 +76,8 @@ Patch30: httpd-2.4.4-cachehardmax.patch
 Patch34: httpd-2.4.17-socket-activation.patch
 
 # Bug fixes
+# https://bugzilla.redhat.com/show_bug.cgi?id=1397243
+Patch58: httpd-2.4.33-r1738878.patch
 
 # Security fixes
 
@@ -283,6 +285,7 @@ interface for storing and accessing per-user session data.
 %{?with_systemd:%patch29 -p1 -b .systemd}
 %patch30 -p1 -b .cachehardmax
 %{?with_systemd:%patch34 -p1 -b .socketactivation}
+%patch58 -p1 -b .r1738878
 
 # Patch in the vendor string
 sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h
@@ -807,6 +810,7 @@ exit $rv
 - Reduce suexec uidmin and gidmin to match RHEL
 - Drop NPN patch, no longer supported in major browsers
 - Obsolete httpd24u-mod_proxy_uwsgi, merged upstream and is now part of this package
+- Add patch58 to set worker secret passed to tomcat in mod_proxy_ajp (Fedora)
 
 * Mon Oct 23 2017 Carl George <carl@george.computer> - 2.4.29-1.ius
 - Latest upstream