Commit 6a376838 authored by Yann Ylavic

Merge r1663647, r1679182 from trunk.


r1663647 | jkaluza | 2015-03-03 12:12:18 +0100 (Tue, 03 Mar 2015) | 3 lines

* mod_authn_dbd: apr_pstrdup dbd_password and dbd_hash to fix use-after-free
bug with postgresql


r1679182 | ylavic | 2015-05-13 13:35:22 +0200 (Wed, 13 May 2015) | 1 line

Follow up to r1679181: CHANGES entry.


Reviewed by: ylavic, rjung, wrowe
Backported by: ylavic


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1681044 13f79535-47bb-0310-9956-ffa450edef68
parent a25006db
+3 −0
@@ -43,6 +43,9 @@ Changes with Apache 2.2.30
     conf/extra/httpd-ssl.conf file are now global in scope, affecting all
     VirtualHosts (matching 2.4 default configuration). [William Rowe]

  *) mod_authn_dbd: Fix lifetime of DB lookup entries independently of the
     selected DB engine.  PR 46421.  [Jan Kaluza].

  *) Turn static function get_server_name_for_url() into public
     ap_get_server_name_for_url() and use it where appropriate. This
     fixes mod_rewrite generating invalid URLs for redirects to IPv6
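
Review bot: The new mod_authn_dbd entry ends with "[Jan Kaluza]." while the neighbouring entry in this hunk closes with "[William Rowe]" and no trailing period; drop the period so the attribution matches the file's convention. The wording "Fix lifetime of DB lookup entries" also hides that the symptom was a use-after-free seen with PostgreSQL, as the r1663647 log says; naming that in the entry would let administrators judge whether they are affected.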
+0 −8
@@ -101,14 +101,6 @@ RELEASE SHOWSTOPPERS:
PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
  [ start all new proposals below, under PATCHES PROPOSED. ]

   * mod_authn_dbd: Fix lifetime of DB lookup entries independently of the
     selected DB engine.  PR 46421.
     trunk patch: http://svn.apache.org/r1663647
                  http://svn.apache.org/r1679182
     2.2.x patch: http://people.apache.org/~ylavic/httpd-2.2.x-apr_dbd_get_entry_lifetime.patch
                  (trunk works but the patch includes a CHANGES entry relative to 2.2.x only)
     +1: ylavic, rjung, wrowe

   * mpm_winnt service.c: Accept utf-8 service names/descriptions for i18n.
     trunk patches: http://svn.apache.org/r1611165
                    http://svn.apache.org/r1611169
+4 −2
@@ -159,7 +159,8 @@ static authn_status authn_dbd_password(request_rec *r, const char *user,
                i++;
            }
#endif
            dbd_password = apr_dbd_get_entry(dbd->driver, row, 0);
            dbd_password = apr_pstrdup(r->pool,
                                       apr_dbd_get_entry(dbd->driver, row, 0));
        }
        /* we can't break out here or row won't get cleaned up */
    }
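
Review bot: The apr_pstrdup() call that now assigns dbd_password carries no comment saying why the copy is needed; the existing remark below it ("we can't break out here or row won't get cleaned up") is the only hint that the row's storage does not outlive the loop. A one-line comment on the new assignment, for example that the entry returned by apr_dbd_get_entry() belongs to the driver and is copied into r->pool so it stays valid after the row is cleaned up, would keep a later cleanup from removing the copy as a redundant allocation.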
@@ -249,7 +250,8 @@ static authn_status authn_dbd_realm(request_rec *r, const char *user,
                i++;
            }
#endif
            dbd_hash = apr_dbd_get_entry(dbd->driver, row, 0);
            dbd_hash = apr_pstrdup(r->pool,
                                   apr_dbd_get_entry(dbd->driver, row, 0));
        }
        /* we can't break out here or row won't get cleaned up */
    }
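
Review bot: In authn_dbd_realm the return value of apr_dbd_get_entry() is passed to apr_pstrdup() without a check, so a NULL column value deserves a second look. apr_pstrdup() returns NULL for a NULL input, so dbd_hash stays NULL just as it did with the direct assignment, but please confirm that the code after this loop, which is outside the hunk, still treats a NULL dbd_hash as a failed lookup and does not dereference it. The same applies to dbd_password in the authn_dbd_password hunk.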