Blame SOURCES/httpd-2.4.6-CVE-2014-0231.patch

8d96ca
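--- a/modules/generators/mod_cgid.c	2014/07/14 20:16:45	1610511
+++ b/modules/generators/mod_cgid.c	2014/07/14 20:18:26	1610512
@@ -97,6 +97,10 @@
 static pid_t parent_pid;
 static ap_unix_identity_t empty_ugid = { (uid_t)-1, (gid_t)-1, -1 };
 
+typedef struct { 
+    apr_interval_time_t timeout;
+} cgid_dirconf;
+
 /* The APR other-child API doesn't tell us how the daemon exited
  * (SIGSEGV vs. exit(1)).  The other-child maintenance function
  * needs to decide whether to restart the daemon after a failure
@@ -968,7 +972,14 @@
     return overrides->logname ? overrides : base;
 }
 
+static void *create_cgid_dirconf(apr_pool_t *p, char *dummy)
+{
+    cgid_dirconf *c = (cgid_dirconf *) apr_pcalloc(p, sizeof(cgid_dirconf));
+    return c;
+}
+
 static const char *set_scriptlog(cmd_parms *cmd, void *dummy, const char *arg)
+
 {
     server_rec *s = cmd->server;
     cgid_server_conf *conf = ap_get_module_config(s->module_config,
@@ -1021,7 +1032,16 @@
 
     return NULL;
 }
+static const char *set_script_timeout(cmd_parms *cmd, void *dummy, const char *arg)
+{
+    cgid_dirconf *dc = dummy;
 
+    if (ap_timeout_parameter_parse(arg, &dc->timeout, "s") != APR_SUCCESS) { 
+        return "CGIDScriptTimeout has wrong format";
+    }
+ 
+    return NULL;
+}
 static const command_rec cgid_cmds[] =
 {
     AP_INIT_TAKE1("ScriptLog", set_scriptlog, NULL, RSRC_CONF,
@@ -1033,6 +1053,10 @@
     AP_INIT_TAKE1("ScriptSock", set_script_socket, NULL, RSRC_CONF,
                   "the name of the socket to use for communication with "
                   "the cgi daemon."),
+    AP_INIT_TAKE1("CGIDScriptTimeout", set_script_timeout, NULL, RSRC_CONF | ACCESS_CONF,
+                  "The amount of time to wait between successful reads from "
+                  "the CGI script, in seconds."),
+                  
     {NULL}
 };
 
@@ -1356,12 +1380,16 @@
     apr_file_t *tempsock;
     struct cleanup_script_info *info;
     apr_status_t rv;
+    cgid_dirconf *dc;
 
     if (strcmp(r->handler, CGI_MAGIC_TYPE) && strcmp(r->handler, "cgi-script")) {
         return DECLINED;
     }
 
     conf = ap_get_module_config(r->server->module_config, &cgid_module);
+    dc = ap_get_module_config(r->per_dir_config, &cgid_module);
+
+    
     is_included = !strcmp(r->protocol, "INCLUDED");
 
     if ((argv0 = strrchr(r->filename, '/')) != NULL) {
@@ -1441,6 +1469,12 @@
      */
 
     apr_os_pipe_put_ex(&tempsock, &sd, 1, r->pool);
+    if (dc->timeout > 0) { 
+        apr_file_pipe_timeout_set(tempsock, dc->timeout);
+    }
+    else { 
+        apr_file_pipe_timeout_set(tempsock, r->server->timeout);
+    }
     apr_pool_cleanup_kill(r->pool, (void *)((long)sd), close_unix_socket);
 
     /* Transfer any put/post args, CERN style...
@@ -1517,6 +1551,10 @@
             if (rv != APR_SUCCESS) {
                 /* silly script stopped reading, soak up remaining message */
                 child_stopped_reading = 1;
+                ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, APLOGNO(02651)
+                              "Error writing request body to script %s", 
+                              r->filename);
+
             }
         }
         apr_brigade_cleanup(bb);
@@ -1610,7 +1648,13 @@
             return HTTP_MOVED_TEMPORARILY;
         }
 
-        ap_pass_brigade(r->output_filters, bb);
+        rv = ap_pass_brigade(r->output_filters, bb);
+        if (rv != APR_SUCCESS) { 
+            /* APLOG_ERR because the core output filter message is at error,
+             * but doesn't know it's passing CGI output 
+             */
+            ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, APLOGNO(02550) "Failed to flush CGI output to client");
+        }
     }
 
     if (nph) {
@@ -1741,6 +1785,8 @@
     request_rec *r = f->r;
     cgid_server_conf *conf = ap_get_module_config(r->server->module_config,
                                                   &cgid_module);
+    cgid_dirconf *dc = ap_get_module_config(r->per_dir_config, &cgid_module);
+
     struct cleanup_script_info *info;
 
     add_ssi_vars(r);
@@ -1770,6 +1816,13 @@
      * get rid of the cleanup we registered when we created the socket.
      */
     apr_os_pipe_put_ex(&tempsock, &sd, 1, r->pool);
+    if (dc->timeout > 0) {
+        apr_file_pipe_timeout_set(tempsock, dc->timeout);
+    }
+    else {
+        apr_file_pipe_timeout_set(tempsock, r->server->timeout);
+    }
+
     apr_pool_cleanup_kill(r->pool, (void *)((long)sd), close_unix_socket);
 
     APR_BRIGADE_INSERT_TAIL(bb, apr_bucket_pipe_create(tempsock,
@@ -1875,7 +1928,7 @@
 
 AP_DECLARE_MODULE(cgid) = {
     STANDARD20_MODULE_STUFF,
-    NULL, /* dir config creater */
+    create_cgid_dirconf, /* dir config creater */
     NULL, /* dir merger --- default is to override */
     create_cgid_config, /* server config */
     merge_cgid_config, /* merge server config */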
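Review bot: The status returned by `apr_file_pipe_timeout_set()` is discarded at both new call sites (the hunks at -1441 and -1770), so if the call ever fails the daemon socket presumably keeps whatever timeout it had before, and the unbounded wait this patch is meant to limit comes back without any log entry. I would capture and check it, e.g. `rv = apr_file_pipe_timeout_set(tempsock, dc->timeout > 0 ? dc->timeout : r->server->timeout);` followed by an `ap_log_rerror(...)` at `APLOG_ERR` when `rv != APR_SUCCESS`. `rv` is visible in the first function, but the second hunk does not show a declaration. Since the same if/else is duplicated in both paths, a small static helper taking `r`, `dc` and `tempsock` would keep them in step. Separately, `set_script_timeout` stores whatever `ap_timeout_parameter_parse` accepts, and a zero (or, if the parser allows it, negative) value silently falls back to the server `Timeout` through the `dc->timeout > 0` test; a one-line comment above that test saying so would help the next reader. Both enclosing functions begin and end outside the hunks shown.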