CVS commit: pkgsrc/www/apache22

["Thomas Klausner" <wiz%netbsd.org@localhost>]

Module Name:    pkgsrc
Committed By:   wiz
Date:           Fri Jul 29 11:10:24 UTC 2016

Modified Files:
        pkgsrc/www/apache22: Makefile distinfo
Added Files:
        pkgsrc/www/apache22/patches: patch-server_util__script.c

Log Message:
Fix httpoxy vulnerability.
Bump PKGREVISION.


To generate a diff of this commit:
cvs rdiff -u -r1.109 -r1.110 pkgsrc/www/apache22/Makefile
cvs rdiff -u -r1.64 -r1.65 pkgsrc/www/apache22/distinfo
cvs rdiff -u -r0 -r1.1 \
    pkgsrc/www/apache22/patches/patch-server_util__script.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/www/apache22/Makefile
diff -u pkgsrc/www/apache22/Makefile:1.109 pkgsrc/www/apache22/Makefile:1.110
--- pkgsrc/www/apache22/Makefile:1.109  Sat Jul  9 06:39:10 2016
+++ pkgsrc/www/apache22/Makefile        Fri Jul 29 11:10:24 2016
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.109 2016/07/09 06:39:10 wiz Exp $
+# $NetBSD: Makefile,v 1.110 2016/07/29 11:10:24 wiz Exp $
 
 DISTNAME=      httpd-2.2.31
 PKGNAME=       ${DISTNAME:S/httpd/apache/}
-PKGREVISION=   3
+PKGREVISION=   4
 CATEGORIES=    www
 MASTER_SITES=  ${MASTER_SITE_APACHE:=httpd/} \
                http://archive.apache.org/dist/httpd/ \

Index: pkgsrc/www/apache22/distinfo
diff -u pkgsrc/www/apache22/distinfo:1.64 pkgsrc/www/apache22/distinfo:1.65
--- pkgsrc/www/apache22/distinfo:1.64   Thu Nov 12 15:21:51 2015
+++ pkgsrc/www/apache22/distinfo        Fri Jul 29 11:10:24 2016
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.64 2015/11/12 15:21:51 prlw1 Exp $
+$NetBSD: distinfo,v 1.65 2016/07/29 11:10:24 wiz Exp $
 
 SHA1 (httpd-2.2.31.tar.bz2) = e3b55387112206307ba76526820a2627472f3787
 RMD160 (httpd-2.2.31.tar.bz2) = 5b073f5f556c74e19eba8e40faa5c5fa308e018a
@@ -22,3 +22,4 @@ SHA1 (patch-modules_proxy_mod_proxy.h) =
 SHA1 (patch-modules_proxy_mod_proxy_connect.c) = b2b5d0242a92c7bf20b14c16d8cd3abae42f3746
 SHA1 (patch-modules_proxy_proxy_util.c) = 1368694ef3141c3a1e9a1ddd73664bbb33465271
 SHA1 (patch-repos.c) = 0e0361b91d4b0fe6c7c55a12fdfd2e6aacc710e1
+SHA1 (patch-server_util__script.c) = 770f773ba278ec774f1f5a812fa9956fad9cc3f8

Added files:

Index: pkgsrc/www/apache22/patches/patch-server_util__script.c
diff -u /dev/null pkgsrc/www/apache22/patches/patch-server_util__script.c:1.1
--- /dev/null   Fri Jul 29 11:10:24 2016
+++ pkgsrc/www/apache22/patches/patch-server_util__script.c     Fri Jul 29 11:10:24 2016
@@ -0,0 +1,22 @@
+$NetBSD: patch-server_util__script.c,v 1.1 2016/07/29 11:10:24 wiz Exp $
+
+Fix httpoxy vulnerability.
+https://www.apache.org/security/asf-httpoxy-response.txt
+
+--- server/util_script.c.orig  2012-08-21 17:42:49.000000000 +0000
++++ server/util_script.c
+@@ -165,6 +165,14 @@ AP_DECLARE(void) ap_add_common_vars(requ
+         else if (!strcasecmp(hdrs[i].key, "Content-length")) {
+             apr_table_addn(e, "CONTENT_LENGTH", hdrs[i].val);
+         }
++        /* HTTP_PROXY collides with a popular envvar used to configure
++         * proxies, don't let clients set/override it.  But, if you must...
++         */
++#ifndef SECURITY_HOLE_PASS_PROXY
++        else if (!strcasecmp(hdrs[i].key, "Proxy")) {
++            ;
++        }
++#endif
+         /*
+          * You really don't want to disable this check, since it leaves you
+          * wide open to CGIs stealing passwords and people viewing them