MSVSphere Packaging Team
3 days ago
parent
2a06ec2d28
commit
f458dd9711
GPG Key ID:
B2B0B9F29E528FE8
@ -0,0 +1,64 @@
|
||||
Index: modules/ssl/ssl_engine_pphrase.c
|
||||
===================================================================
|
||||
--- modules/ssl/ssl_engine_pphrase.c (revision 1920590)
|
||||
+++ modules/ssl/ssl_engine_pphrase.c (working copy)
|
||||
@@ -806,6 +806,9 @@
|
||||
return APR_SUCCESS;
|
||||
}
|
||||
|
||||
+/* Tries to load the key and optionally certificate via the ENGINE
|
||||
+ * API. Returns APR_ENOTIMPL if the keypair could not be loaded via an
|
||||
+ * ENGINE implementation. */
|
||||
static apr_status_t modssl_load_keypair_engine(server_rec *s, apr_pool_t *pconf,
|
||||
apr_pool_t *ptemp,
|
||||
const char *vhostid,
|
||||
@@ -831,7 +834,7 @@
|
||||
ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(10131)
|
||||
"Init: Unrecognized private key identifier `%s'",
|
||||
keyid);
|
||||
- return ssl_die(s);
|
||||
+ return APR_ENOTIMPL;
|
||||
}
|
||||
|
||||
scheme = apr_pstrmemdup(ptemp, keyid, c - keyid);
|
||||
@@ -839,8 +842,8 @@
|
||||
ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(10132)
|
||||
"Init: Failed to load engine for private key %s",
|
||||
keyid);
|
||||
- ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
|
||||
- return ssl_die(s);
|
||||
+ ssl_log_ssl_error(SSLLOG_MARK, APLOG_NOTICE, s);
|
||||
+ return APR_ENOTIMPL;
|
||||
}
|
||||
|
||||
if (!ENGINE_init(e)) {
|
||||
@@ -996,15 +999,21 @@
|
||||
X509 **pubkey, EVP_PKEY **privkey)
|
||||
{
|
||||
#if MODSSL_HAVE_ENGINE_API
|
||||
- SSLModConfigRec *mc = myModConfig(s);
|
||||
+ apr_status_t rv;
|
||||
|
||||
- /* For OpenSSL 3.x, use the STORE-based API if either ENGINE
|
||||
- * support was not present compile-time, or if it's built but
|
||||
- * SSLCryptoDevice is not configured. */
|
||||
- if (mc->szCryptoDevice)
|
||||
- return modssl_load_keypair_engine(s, pconf, ptemp,
|
||||
- vhostid, certid, keyid,
|
||||
- pubkey, privkey);
|
||||
+ rv = modssl_load_keypair_engine(s, pconf, ptemp,
|
||||
+ vhostid, certid, keyid,
|
||||
+ pubkey, privkey);
|
||||
+ if (rv == APR_SUCCESS) {
|
||||
+ return rv;
|
||||
+ }
|
||||
+ /* If STORE support is not present, all errors are fatal here; if
|
||||
+ * STORE is present and the ENGINE could not be loaded, ignore the
|
||||
+ * error and fall through to try loading via the STORE API. */
|
||||
+ else if (!MODSSL_HAVE_OPENSSL_STORE || rv != APR_ENOTIMPL) {
|
||||
+ return ssl_die(s);
|
||||
+ }
|
||||
+
|
||||
#endif
|
||||
#if MODSSL_HAVE_OPENSSL_STORE
|
||||
return modssl_load_keypair_store(s, ptemp, vhostid, certid, keyid,
|
||||
@ -0,0 +1,133 @@
|
||||
diff --git a/modules/mappers/mod_rewrite.c b/modules/mappers/mod_rewrite.c
|
||||
index 53fb1e9..f735c50 100644
|
||||
--- a/modules/mappers/mod_rewrite.c
|
||||
+++ b/modules/mappers/mod_rewrite.c
|
||||
@@ -4477,20 +4477,6 @@ static rule_return_type apply_rewrite_rule(rewriterule_entry *p,
|
||||
* ourself).
|
||||
*/
|
||||
if (p->flags & RULEFLAG_PROXY) {
|
||||
- /* For rules evaluated in server context, the mod_proxy fixup
|
||||
- * hook can be relied upon to escape the URI as and when
|
||||
- * necessary, since it occurs later. If in directory context,
|
||||
- * the ordering of the fixup hooks is forced such that
|
||||
- * mod_proxy comes first, so the URI must be escaped here
|
||||
- * instead. See PR 39746, 46428, and other headaches. */
|
||||
- if (ctx->perdir && (p->flags & RULEFLAG_NOESCAPE) == 0) {
|
||||
- char *old_filename = r->filename;
|
||||
-
|
||||
- r->filename = ap_escape_uri(r->pool, r->filename);
|
||||
- rewritelog((r, 2, ctx->perdir, "escaped URI in per-dir context "
|
||||
- "for proxy, %s -> %s", old_filename, r->filename));
|
||||
- }
|
||||
-
|
||||
fully_qualify_uri(r);
|
||||
|
||||
rewritelog((r, 2, ctx->perdir, "forcing proxy-throughput with %s",
|
||||
@@ -5013,7 +4999,7 @@ static int hook_uri2file(request_rec *r)
|
||||
}
|
||||
if ((r->args != NULL)
|
||||
&& ((r->proxyreq == PROXYREQ_PROXY)
|
||||
- || (rulestatus == ACTION_NOESCAPE))) {
|
||||
+ || apr_table_get(r->notes, "proxy-nocanon"))) {
|
||||
/* see proxy_http:proxy_http_canon() */
|
||||
r->filename = apr_pstrcat(r->pool, r->filename,
|
||||
"?", r->args, NULL);
|
||||
@@ -5304,13 +5290,28 @@ static int hook_fixup(request_rec *r)
|
||||
if (to_proxyreq) {
|
||||
/* it should go on as an internal proxy request */
|
||||
|
||||
- /* make sure the QUERY_STRING and
|
||||
- * PATH_INFO parts get incorporated
|
||||
+ /* check if the proxy module is enabled, so
|
||||
+ * we can actually use it!
|
||||
+ */
|
||||
+ if (!proxy_available) {
|
||||
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10160)
|
||||
+ "attempt to make remote request from mod_rewrite "
|
||||
+ "without proxy enabled: %s", r->filename);
|
||||
+ return HTTP_FORBIDDEN;
|
||||
+ }
|
||||
+
|
||||
+ if (rulestatus == ACTION_NOESCAPE) {
|
||||
+ apr_table_setn(r->notes, "proxy-nocanon", "1");
|
||||
+ }
|
||||
+
|
||||
+ /* make sure the QUERY_STRING gets incorporated in the case
|
||||
+ * [NE] was specified on the Proxy rule. We are preventing
|
||||
+ * mod_proxy canon handler from incorporating r->args as well
|
||||
+ * as escaping the URL.
|
||||
* (r->path_info was already appended by the
|
||||
* rewriting engine because of the per-dir context!)
|
||||
*/
|
||||
- if (r->args != NULL) {
|
||||
- /* see proxy_http:proxy_http_canon() */
|
||||
+ if ((r->args != NULL) && apr_table_get(r->notes, "proxy-nocanon")) {
|
||||
r->filename = apr_pstrcat(r->pool, r->filename,
|
||||
"?", r->args, NULL);
|
||||
}
|
||||
@@ -5610,10 +5611,7 @@ static void ap_register_rewrite_mapfunc(char *name, rewrite_mapfunc_t *func)
|
||||
|
||||
static void register_hooks(apr_pool_t *p)
|
||||
{
|
||||
- /* fixup after mod_proxy, so that the proxied url will not
|
||||
- * escaped accidentally by mod_proxy's fixup.
|
||||
- */
|
||||
- static const char * const aszPre[]={ "mod_proxy.c", NULL };
|
||||
+ static const char * const aszModProxy[] = { "mod_proxy.c", NULL };
|
||||
|
||||
/* make the hashtable before registering the function, so that
|
||||
* other modules are prevented from accessing uninitialized memory.
|
||||
@@ -5625,10 +5623,12 @@ static void register_hooks(apr_pool_t *p)
|
||||
ap_hook_pre_config(pre_config, NULL, NULL, APR_HOOK_MIDDLE);
|
||||
ap_hook_post_config(post_config, NULL, NULL, APR_HOOK_MIDDLE);
|
||||
ap_hook_child_init(init_child, NULL, NULL, APR_HOOK_MIDDLE);
|
||||
-
|
||||
- ap_hook_fixups(hook_fixup, aszPre, NULL, APR_HOOK_FIRST);
|
||||
+
|
||||
+ /* allow to change the uri before mod_proxy takes over it */
|
||||
+ ap_hook_translate_name(hook_uri2file, NULL, aszModProxy, APR_HOOK_FIRST);
|
||||
+ /* fixup before mod_proxy so that a [P] URL gets fixed up there */
|
||||
+ ap_hook_fixups(hook_fixup, NULL, aszModProxy, APR_HOOK_FIRST);
|
||||
ap_hook_fixups(hook_mimetype, NULL, NULL, APR_HOOK_LAST);
|
||||
- ap_hook_translate_name(hook_uri2file, NULL, NULL, APR_HOOK_FIRST);
|
||||
}
|
||||
|
||||
/* the main config structure */
|
||||
diff --git a/modules/proxy/mod_proxy.c b/modules/proxy/mod_proxy.c
|
||||
index 8f13e68..bd0aa68 100644
|
||||
--- a/modules/proxy/mod_proxy.c
|
||||
+++ b/modules/proxy/mod_proxy.c
|
||||
@@ -3344,27 +3344,26 @@ static int proxy_pre_config(apr_pool_t *pconf, apr_pool_t *plog,
|
||||
}
|
||||
static void register_hooks(apr_pool_t *p)
|
||||
{
|
||||
- /* fixup before mod_rewrite, so that the proxied url will not
|
||||
- * escaped accidentally by our fixup.
|
||||
- */
|
||||
- static const char * const aszSucc[] = { "mod_rewrite.c", NULL};
|
||||
/* Only the mpm_winnt has child init hook handler.
|
||||
* make sure that we are called after the mpm
|
||||
* initializes.
|
||||
*/
|
||||
static const char *const aszPred[] = { "mpm_winnt.c", "mod_proxy_balancer.c",
|
||||
"mod_proxy_hcheck.c", NULL};
|
||||
+ static const char * const aszModRewrite[] = { "mod_rewrite.c", NULL };
|
||||
+
|
||||
/* handler */
|
||||
ap_hook_handler(proxy_handler, NULL, NULL, APR_HOOK_FIRST);
|
||||
/* filename-to-URI translation */
|
||||
ap_hook_pre_translate_name(proxy_pre_translate_name, NULL, NULL,
|
||||
APR_HOOK_MIDDLE);
|
||||
- ap_hook_translate_name(proxy_translate_name, aszSucc, NULL,
|
||||
+ /* mod_rewrite has a say on the uri before proxy translation */
|
||||
+ ap_hook_translate_name(proxy_translate_name, aszModRewrite, NULL,
|
||||
APR_HOOK_FIRST);
|
||||
/* walk <Proxy > entries and suppress default TRACE behavior */
|
||||
ap_hook_map_to_storage(proxy_map_location, NULL,NULL, APR_HOOK_FIRST);
|
||||
- /* fixups */
|
||||
- ap_hook_fixups(proxy_fixup, NULL, aszSucc, APR_HOOK_FIRST);
|
||||
+ /* fixup after mod_rewrite so that a [P] URL from there gets fixed up */
|
||||
+ ap_hook_fixups(proxy_fixup, aszModRewrite, NULL, APR_HOOK_FIRST);
|
||||
/* post read_request handling */
|
||||
ap_hook_post_read_request(proxy_detect, NULL, NULL, APR_HOOK_FIRST);
|
||||
/* pre config handling */
|
||||
Loading…
Reference in new issue