head	1.2;
access;
symbols;
locks; strict;
comment	@# @;


1.2
date	2007.09.16.20.05.48;	author dinoex;	state dead;
branches;
next	1.1;

1.1
date	2007.09.10.08.00.17;	author dinoex;	state Exp;
branches;
next	;


desc
@@


1.2
log
@- update to 2.8.28-1.3.37
- merge Configure patches
@
text
@--- src/CHANGES.orig	Thu Jul 27 20:19:46 2006
+++ src/CHANGES	Mon Sep 10 09:25:24 2007
@@@@ -1,3 +1,22 @@@@
+Changes with Apache 1.3.39
+
+  *) SECURITY: CVE-2006-5752 (cve.mitre.org)
+     mod_status: Fix a possible XSS attack against a site with a public
+     server-status page and ExtendedStatus enabled, for browsers which
+     perform charset "detection".  Reported by Stefan Esser.  [Joe Orton]
+
+  *) SECURITY: CVE-2007-3304 (cve.mitre.org)
+     Ensure that the parent process cannot be forced to kill non-child
+     processes by checking scoreboard PID data with parent process
+     privately stored PID data. [Jim Jagielski]
+
+  *) mime.types: Many updates to sync with IANA registry and common
+     unregistered types that the owners refuse to register.  Admins
+     are encouraged to update their installed mime.types file.
+     PR: 35550, 37798, 39317, 31483 [Roy T. Fielding]
+
+There was no Apache 1.3.38
+
 Changes with Apache 1.3.37
 
   *) SECURITY: CVE-2006-3747 (cve.mitre.org)
@@@@ -25,10 +44,11 @@@@
   *) core: Allow usage of the "Include" configuration directive within
      previously "Include"d files. [Colm MacCarthaigh]
 
-  *) HTML-escape the Expect error message.  Not classed as security as
-     an attacker has no way to influence the Expect header a victim will
-     send to a target site.  Reported by Thiago Zaninotti 
-     <thiango nstalker.com>. [Mark Cox]
+  *) SECURITY: CVE-2006-3918 (cve.mitre.org)
+     HTML-escape the Expect error message.  Only a security issue if
+     an attacker can influence the Expect header a victim will send to a 
+     target site (it's known that some versions of Flash can do this)
+     Reported by Thiago Zaninotti <thiango nstalker.com>.  [Mark Cox]
 
   *) mod_cgi: Remove block on OPTIONS method so that scripts can
      respond to OPTIONS directly rather than via server default.
--- src/Configure.orig	Mon Sep 10 09:25:22 2007
+++ src/Configure	Mon Sep 10 09:25:24 2007
@@@@ -457,7 +457,7 @@@@
     	PLATOSVERS=`echo $PLAT | sed 's/^.*freebsd//'`
 	OS="FreeBSD $PLATOSVERS"
 	case "$PLATOSVERS" in
-	    [2345]*)
+	    [234567]*)
 		DEF_WANTHSREGEX=no
 		CFLAGS="$CFLAGS -funsigned-char"
 		;;
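Review bot: The widened pattern `[234567]*` still enumerates FreeBSD major versions one at a time, so a release 8 or newer will fall through to whatever the default branch of this `case` does, which is outside the hunk. If the `-funsigned-char` / `DEF_WANTHSREGEX=no` settings are meant to apply to every release from 2 onward, a range such as `[2-9]*` (or a numeric comparison on `$PLATOSVERS`) would avoid another edit per release; if newer releases are deliberately excluded, a comment saying so would make the choice explicit. The enclosing `case` starts and ends outside the hunk.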
@@@@ -2002,7 +2002,7 @@@@
 	#    select the special subtarget for shared core generation
 	SUBTARGET=target_shared
 	#    determine additional suffixes for libhttpd.so
-	V=1 R=3 P=37
+	V=1 R=3 P=39
 	if [ "x$SHLIB_SUFFIX_DEPTH" = "x0" ]; then
 	    SHLIB_SUFFIX_LIST=""
 	fi
--- src/include/httpd.h.orig	Mon Sep 10 09:25:22 2007
+++ src/include/httpd.h	Mon Sep 10 09:25:24 2007
@@@@ -419,7 +419,7 @@@@
 
 #define SERVER_BASEVENDOR   "Apache Group"
 #define SERVER_BASEPRODUCT  "Apache"
-#define SERVER_BASEREVISION "1.3.37"
+#define SERVER_BASEREVISION "1.3.39"
 #define SERVER_BASEVERSION  SERVER_BASEPRODUCT "/" SERVER_BASEREVISION
 
 #define SERVER_PRODUCT  SERVER_BASEPRODUCT
@@@@ -443,7 +443,7 @@@@
  * Always increases along the same track as the source branch.
  * For example, Apache 1.4.2 would be '10402100', 2.5b7 would be '20500007'.
  */
-#define APACHE_RELEASE 10337100
+#define APACHE_RELEASE 10339100
 
 #define SERVER_PROTOCOL "HTTP/1.1"
 #ifndef SERVER_SUPPORT
--- src/main/NWGNUmakefile.mak.orig	Mon Oct 31 18:00:43 2005
+++ src/main/NWGNUmakefile.mak	Mon Sep 10 09:25:24 2007
@@@@ -39,10 +39,8 @@@@
 			$(EOLIST)
 
 ifdef MULTIPROC
-XLFLAGS		+= \
-		XDCData $(NWOS)\apache.xdc \
-		$(EOLIST)
-endif			
+XDCDATA		= $(NWOS)\apache.xdc
+endif
 
 #
 # These values will be appended to the correct variables based on the value of
--- src/NWGNUmakefile.mak.orig	Mon Oct 31 18:00:43 2005
+++ src/NWGNUmakefile.mak	Mon Sep 10 09:25:24 2007
@@@@ -40,10 +40,8 @@@@
 			$(EOLIST)
 
 ifdef MULTIPROC
-XLFLAGS		+= \
-		XDCData $(NWOS)\apache.xdc \
-		$(EOLIST)
-endif			
+XDCDATA		= $(NWOS)\apache.xdc
+endif
 
 #
 # These values will be appended to the correct variables based on the value of
--- src/main/http_main.c.orig	Mon Sep 10 09:25:22 2007
+++ src/main/http_main.c	Mon Sep 10 09:28:31 2007
@@@@ -357,9 +357,17 @@@@
 char tpf_mutex_key[TPF_MUTEX_KEY_SIZE];
 #endif /* TPF */
 
+/*
+ * Shared memory scoreboard
+ */
 scoreboard *ap_scoreboard_image = NULL;
 
 /*
+ * Parent process local storage of child pids
+ */
+static table *pid_table;
+
+/*
  * Pieces for managing the contents of the Server response header
  * field.
  */
@@@@ -375,6 +383,33 @@@@
 API_VAR_EXPORT int ap_change_shmem_uid = 0;
 
 /*
+ * Check the pid table to see if the actual pid exists
+ */
+
+static int in_pid_table(int pid) {
+    char apid[64];      /* WAY generous! */
+    const char *spid;
+    ap_snprintf(apid, sizeof(apid), "%d", pid);
+    spid = ap_table_get(pid_table, apid);
+    if (spid && spid[0] == '1' && spid[1] == '\0')
+        return 1;
+    else
+        return 0;
+}
+
+static void set_pid_table(int pid) {
+    char apid[64];
+    ap_snprintf(apid, sizeof(apid), "%d", pid);
+    ap_table_set(pid_table, apid, "1");
+}
+
+static void unset_pid_table(int pid) {
+    char apid[64];
+    ap_snprintf(apid, sizeof(apid), "%d", pid);
+    ap_table_unset(pid_table, apid);
+}
+
+/*
  * This routine is called when the pconf pool is vacuumed.  It resets the
  * server version string to a known value and [re]enables modifications
  * (which are disabled by configuration completion). 
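Review bot: The three helpers `in_pid_table`, `set_pid_table` and `unset_pid_table` are the whole mechanism behind the CVE-2007-3304 fix, yet only the first carries a comment and it does not say what the table is for; a short header such as `/* Parent-private record of the pids of children this process forked; the scoreboard is writable by children and so cannot be trusted on its own. */` would make the intent clear to the next reader. All three dereference `pid_table` unconditionally, and the table is only allocated in the init hunk further down (`ap_make_table(pglobal, HARD_SERVER_LIMIT)`), so any call before that point would dereference NULL — presumably none exists, but a comment on the declaration stating that ordering requirement would help. The `%d` conversion of `pid` is repeated verbatim in each helper; a single `static void pid_key(char *buf, size_t len, int pid)` would remove the duplication, though that is a style point only.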
@@@@ -2829,9 +2864,15 @@@@
 	    if (pid == my_pid || pid == 0)
 		continue;
 
+            if (!in_pid_table(pid)) {
+                ap_log_error(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, server_conf,
+                             "Bad pid (%d) in scoreboard slot %d", pid, i);
+                continue;
+            }
 	    waitret = waitpid(pid, &status, WNOHANG);
 	    if (waitret == pid || waitret == -1) {
 		ap_scoreboard_image->parent[i].pid = 0;
+                unset_pid_table(pid);
 		continue;
 	    }
 	    ++not_dead_yet;
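Review bot: When `in_pid_table(pid)` fails, the slot is logged and skipped but `ap_scoreboard_image->parent[i].pid` is left unchanged, whereas the `waitpid` branch two lines below zeroes it; if this loop runs again (it appears to be the retry loop of the reclaim routine, whose start is outside the hunk) the same slot is logged on every pass and never reclaimed. Clearing the slot alongside the log, `ap_scoreboard_image->parent[i].pid = 0;` before the `continue;`, would make the rejected entry disappear after one message, provided nothing else relies on the stale value; the same pattern — log, but leave the scoreboard entry untouched — recurs in the hunks ending at the `return 0; }` of the pid-scan loop, the Win32 `MAXWAITOBJ` loop, the `SIG_TIMEOUT_KILL` branch and the `SIG_IDLE_KILL` branch, and the decision should be the same in all of them.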
@@@@ -2929,13 +2970,22 @@@@
 
     for (n = 0; n < max_daemons_limit; ++n) {
         ap_sync_scoreboard_image();
-	if (ap_scoreboard_image->servers[n].status != SERVER_DEAD &&
-		kill((pid = ap_scoreboard_image->parent[n].pid), 0) == -1) {
-	    ap_update_child_status(n, SERVER_DEAD, NULL);
-	    /* just mark it as having a successful exit status */
-	    bzero((char *) status, sizeof(ap_wait_t));
-	    return(pid);
-	}
+        pid = ap_scoreboard_image->parent[n].pid;
+        if (ap_scoreboard_image->servers[n].status != SERVER_DEAD) {
+            if (in_pid_table(pid)) {
+                if (kill(pid, 0) == -1) {
+                    ap_update_child_status(n, SERVER_DEAD, NULL);
+                    /* just mark it as having a successful exit status */
+                    bzero((char *) status, sizeof(ap_wait_t));
+                    unset_pid_table(pid);       /* to be safe */
+                    return(pid);
+                }
+            }
+            else {
+                ap_log_error(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, server_conf,
+                            "Bad pid (%d) in scoreboard slot %d", pid, n);
+            }
+        }
     }
     return 0;
 }
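Review bot: The rewritten loop no longer skips `pid == 0`: a slot whose status is not `SERVER_DEAD` but whose pid is 0 (a state the reclaim loop earlier in this file explicitly tolerates with `if (pid == my_pid || pid == 0) continue;`) now reaches the `else` branch and is logged as `Bad pid (0)`. If that transient state is legitimate, adding `if (pid == 0) continue;` immediately after `pid = ap_scoreboard_image->parent[n].pid;` keeps the log free of spurious errors; if it is not, a comment saying why pid 0 cannot occur here would be worth having. The enclosing function starts outside the hunk.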
@@@@ -2958,15 +3008,21 @@@@
 #define MAXWAITOBJ MAXIMUM_WAIT_OBJECTS
     HANDLE h[MAXWAITOBJ];
     int e[MAXWAITOBJ];
-    int round, pi, hi, rv, err;
+    int round, pi, hi, rv, err, pid;
     for (round = 0; round <= (HARD_SERVER_LIMIT - 1) / MAXWAITOBJ + 1; round++) {
 	hi = 0;
 	for (pi = round * MAXWAITOBJ;
 	     (pi < (round + 1) * MAXWAITOBJ) && (pi < HARD_SERVER_LIMIT);
 	     pi++) {
 	    if (ap_scoreboard_image->servers[pi].status != SERVER_DEAD) {
-		e[hi] = pi;
-		h[hi++] = (HANDLE) ap_scoreboard_image->parent[pi].pid;
+                e[hi] = pi;
+                pid = ap_scoreboard_image->parent[pi].pid;
+                if (in_pid_table(pid))
+                    h[hi++] = (HANDLE) pid;
+                else {
+                    ap_log_error(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, server_conf,
+                                 "Bad pid (%d) in scoreboard slot %d", pid, pi);
+                }
 	    }
 
 	}
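Review bot: The added lines are indented with spaces while the surrounding code in this function uses tabs (`e[hi] = pi;` moves from a tab indent to spaces, and the new `if`/`else` block follows suit), which makes the hunk look larger than it is and mixes styles in one block; the same applies to the new lines in the reclaim loop, the pid-scan loop, the `SIG_TIMEOUT_KILL` branch and the `SIG_IDLE_KILL` branch. Re-indenting the new lines with tabs to match their neighbours would keep the file consistent. As a smaller point, `e[hi] = pi;` is now assigned before the pid check and simply overwritten when the pid is rejected; moving it inside the `if (in_pid_table(pid))` branch reads more clearly.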
@@@@ -4408,6 +4464,8 @@@@
     ap_server_pre_read_config  = ap_make_array(pcommands, 1, sizeof(char *));
     ap_server_post_read_config = ap_make_array(pcommands, 1, sizeof(char *));
     ap_server_config_defines   = ap_make_array(pcommands, 1, sizeof(char *));
+    ap_server_config_defines   = ap_make_array(pcommands, 1, sizeof(char *));
+    pid_table                  = ap_make_table(pglobal, HARD_SERVER_LIMIT);
 
 #ifdef EAPI
     ap_hook_init();
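Review bot: The added line `ap_server_config_defines   = ap_make_array(pcommands, 1, sizeof(char *));` duplicates the context line directly above it, so the array is allocated twice and the first allocation is discarded; only the `pid_table` line is new material and the duplicate should be dropped. Allocating `pid_table` from `pglobal` with `HARD_SERVER_LIMIT` as the initial size looks right for a parent-lifetime table, but a comment stating that the table must outlive config restarts (hence `pglobal` rather than `pconf`) would record the reason for the pool choice. The enclosing function starts and ends outside the hunk.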
@@@@ -5081,6 +5139,7 @@@@
     ap_scoreboard_image->parent[slot].last_rtime = now;
 #endif
     ap_scoreboard_image->parent[slot].pid = pid;
+    set_pid_table(pid);
 #ifdef SCOREBOARD_FILE
     lseek(scoreboard_fd, XtOffsetOf(scoreboard, parent[slot]), 0);
     force_write(scoreboard_fd, &ap_scoreboard_image->parent[slot],
@@@@ -5143,6 +5202,7 @@@@
     int i;
     int to_kill;
     int idle_count;
+    int pid;
     short_score *ss;
     time_t now = time(NULL);
     int free_length;
@@@@ -5207,8 +5267,15 @@@@
 		else if (ps->last_rtime + ss->timeout_len < now) {
 		    /* no progress, and the timeout length has been exceeded */
 		    ss->timeout_len = 0;
-		    kill(ps->pid, SIG_TIMEOUT_KILL);
-		}
+                    pid = ps->pid;
+                    if (in_pid_table(pid)) {
+                        kill(pid, SIG_TIMEOUT_KILL);
+                    }
+                    else {
+                        ap_log_error(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, server_conf,
+                            "Bad pid (%d) in scoreboard slot %d", pid, i);
+                    }
+                }
 	    }
 #endif
 	}
@@@@ -5220,11 +5287,18 @@@@
 	 * while we were counting. Use the define SIG_IDLE_KILL to reflect
 	 * which signal should be used on the specific OS.
 	 */
-	kill(ap_scoreboard_image->parent[to_kill].pid, SIG_IDLE_KILL);
-	idle_spawn_rate = 1;
+        pid = ap_scoreboard_image->parent[to_kill].pid;
+        if (in_pid_table(pid)) {
+            kill(pid, SIG_IDLE_KILL);
+            idle_spawn_rate = 1;
 #ifdef TPF
-        ap_update_child_status(to_kill, SERVER_DEAD, (request_rec *)NULL);
+            ap_update_child_status(to_kill, SERVER_DEAD, (request_rec *)NULL);
 #endif
+        }
+        else {
+            ap_log_error(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, server_conf,
+                         "Bad pid (%d) in scoreboard slot %d", pid, to_kill);
+        }
     }
     else if (idle_count < ap_daemons_min_free) {
 	/* terminate the free list */
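Review bot: The bad-pid branch now also skips `idle_spawn_rate = 1;`, which the old code executed unconditionally after the `kill`; whether the spawn rate should still be reset when no child was actually signalled is a behaviour change the commit message does not mention and should be confirmed. If the reset is meant to happen in both cases, move `idle_spawn_rate = 1;` out of the `if` to just after the `if`/`else` pair. The enclosing function starts and ends outside the hunk.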
@@@@ -5471,6 +5545,7 @@@@
             }
 #endif
 	    if (pid >= 0) {
+		unset_pid_table(pid);
 		process_child_status(pid, status);
 		/* non-fatal death... note that it's gone in the scoreboard. */
 		ap_sync_scoreboard_image();
@@@@ -5796,7 +5871,7 @@@@
     if (!tpf_child) {
         memcpy(tpf_server_name, input_parms.parent.servname,
                INETD_SERVNAME_LENGTH);
-        tpf_server_name[INETD_SERVNAME_LENGTH + 1] = '\0';
+        tpf_server_name[INETD_SERVNAME_LENGTH] = '\0';
         sprintf(tpf_mutex_key, "%.*x", (int) TPF_MUTEX_KEY_SIZE - 1, getpid());
         tpf_parent_pid = getppid();
         ap_open_logs(server_conf, plog);
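Review bot: The corrected terminator index `tpf_server_name[INETD_SERVNAME_LENGTH] = '\0';` is only in bounds if `tpf_server_name` is declared with at least `INETD_SERVNAME_LENGTH + 1` elements; the declaration is outside the hunk, so that should be checked rather than assumed, and a comment on the declaration (`/* INETD_SERVNAME_LENGTH bytes plus NUL */`) would tie the two together. The `memcpy` copies exactly `INETD_SERVNAME_LENGTH` bytes regardless of how long the source name is, so the terminator is what makes the result a valid C string — worth a one-line comment here since the previous off-by-one shows how easy it is to get wrong. The enclosing block starts outside the hunk.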
--- src/modules/standard/mod_status.c.orig	Mon Sep 10 09:25:24 2007
+++ src/modules/standard/mod_status.c	Mon Sep 10 09:25:24 2007
@@@@ -221,7 +221,7 @@@@
     if (r->method_number != M_GET)
 	return DECLINED;
 
-    r->content_type = "text/html";
+    r->content_type = "text/html; charset=ISO-8859-1";
 
     /*
      * Simple table-driven form data set parser that lets you alter the header
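Review bot: The reason for appending `; charset=ISO-8859-1` to the content type is not stated in the code, and the literal looks like an arbitrary change without it; a comment such as `/* pin the charset so browsers do not perform charset detection on escaped output (CVE-2006-5752) */` above `r->content_type = "text/html; charset=ISO-8859-1";` would preserve the rationale, and the `text/plain` assignment in the next hunk needs the same note. If the file assigns `r->content_type` anywhere else outside these two hunks, that site would need the same treatment for the fix to be complete. The enclosing function starts outside the hunk.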
@@@@ -247,7 +247,7 @@@@
 		    no_table_report = 1;
 		    break;
 		case STAT_OPT_AUTO:
-		    r->content_type = "text/plain";
+		    r->content_type = "text/plain; charset=ISO-8859-1";
 		    short_report = 1;
 		    break;
 		}
@@@@ -591,7 +591,8 @@@@
 			ap_rputs(")\n", r);
 			ap_rprintf(r, " <i>%s {%s}</i> <b>[%s]</b><br>\n\n",
 			    ap_escape_html(r->pool, score_record.client),
-			    ap_escape_html(r->pool, score_record.request),
+			    ap_escape_html(r->pool,
+                                           ap_escape_logitem(r->pool, score_record.request)),
 			    vhost ? ap_escape_html(r->pool, 
 				vhost->server_hostname) : "(unavailable)");
 		    }
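Review bot: The nested `ap_escape_html(r->pool, ap_escape_logitem(r->pool, score_record.request))` depends on the order of the two calls — non-printable bytes in the request line are rendered as escape sequences first, and only then are HTML metacharacters encoded — and nothing in the code says so; a comment on the line, `/* control chars first, then HTML metacharacters; order matters */`, would stop a later cleanup from swapping or dropping one of them. The neighbouring `score_record.client` and `server_hostname` arguments receive only `ap_escape_html`; if either can carry a reverse-resolved hostname rather than a dotted address, confirm that the single escaping is sufficient there. The enclosing function starts and ends outside the hunk.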
@


1.1
log
@- merge security fixes from apache 1.3.39
Security: CVE-2006-5752
Security: CVE-2007-3304
@
text
@@

