[pkgsrc/trunk]: pkgsrc/www/apache24 Fix httpoxy vulnerability.

[wiz <wiz%pkgsrc.org@localhost>]

details:   https://anonhg.NetBSD.org/pkgsrc/rev/2df15e7b99f5
branches:  trunk
changeset: 350537:2df15e7b99f5
user:      wiz <wiz%pkgsrc.org@localhost>
date:      Fri Jul 29 11:11:24 2016 +0000

description:
Fix httpoxy vulnerability.

Bump PKGREVISION.

diffstat:

 www/apache24/Makefile                            |   4 ++--
 www/apache24/distinfo                            |   3 ++-
 www/apache24/patches/patch-server_util__script.c |  22 ++++++++++++++++++++++
 3 files changed, 26 insertions(+), 3 deletions(-)

diffs (58 lines):

diff -r 742e64d48f1c -r 2df15e7b99f5 www/apache24/Makefile
--- a/www/apache24/Makefile     Fri Jul 29 11:10:33 2016 +0000
+++ b/www/apache24/Makefile     Fri Jul 29 11:11:24 2016 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.47 2016/07/09 06:39:10 wiz Exp $
+# $NetBSD: Makefile,v 1.48 2016/07/29 11:11:24 wiz Exp $
 #
 # When updating this package, make sure that no strings like
 # "PR 12345" are in the commit message. Upstream likes
@@ -7,7 +7,7 @@
 
 DISTNAME=      httpd-2.4.23
 PKGNAME=       ${DISTNAME:S/httpd/apache/}
-PKGREVISION=   1
+PKGREVISION=   2
 CATEGORIES=    www
 MASTER_SITES=  ${MASTER_SITE_APACHE:=httpd/} \
                http://archive.apache.org/dist/httpd/ \
diff -r 742e64d48f1c -r 2df15e7b99f5 www/apache24/distinfo
--- a/www/apache24/distinfo     Fri Jul 29 11:10:33 2016 +0000
+++ b/www/apache24/distinfo     Fri Jul 29 11:11:24 2016 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.25 2016/07/05 16:13:53 taca Exp $
+$NetBSD: distinfo,v 1.26 2016/07/29 11:11:24 wiz Exp $
 
 SHA1 (httpd-2.4.23.tar.bz2) = 5101be34ac4a509b245adb70a56690a84fcc4e7f
 RMD160 (httpd-2.4.23.tar.bz2) = 01a485281ededaaf932c9478ad078879a63254bc
@@ -15,3 +15,4 @@
 SHA1 (patch-am) = acdf7198ae8b4353cfc70c8015a0f09de036b777
 SHA1 (patch-aw) = 43cd64df886853ef7b75b91ed20183f329fcc9df
 SHA1 (patch-include_ap__config.h) = 1d056e2d4db80ec97aaf755b6dd6aff69ed2cd96
+SHA1 (patch-server_util__script.c) = e106f9d7157a5eaf34ef9b1fb445d517c7712aa2
diff -r 742e64d48f1c -r 2df15e7b99f5 www/apache24/patches/patch-server_util__script.c
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/www/apache24/patches/patch-server_util__script.c  Fri Jul 29 11:11:24 2016 +0000
@@ -0,0 +1,22 @@
+$NetBSD: patch-server_util__script.c,v 1.1 2016/07/29 11:11:25 wiz Exp $
+
+Fix httpoxy vulnerability.
+https://www.apache.org/security/asf-httpoxy-response.txt
+
+--- server/util_script.c.orig  2016-04-27 13:03:00.000000000 +0000
++++ server/util_script.c
+@@ -186,6 +186,14 @@ AP_DECLARE(void) ap_add_common_vars(requ
+         else if (!strcasecmp(hdrs[i].key, "Content-length")) {
+             apr_table_addn(e, "CONTENT_LENGTH", hdrs[i].val);
+         }
++        /* HTTP_PROXY collides with a popular envvar used to configure
++         * proxies, don't let clients set/override it.  But, if you must...
++         */
++#ifndef SECURITY_HOLE_PASS_PROXY
++        else if (!strcasecmp(hdrs[i].key, "Proxy")) {
++            ;
++        }
++#endif
+         /*
+          * You really don't want to disable this check, since it leaves you
+          * wide open to CGIs stealing passwords and people viewing them