--- a/components/apache2/patches/CVE-2014-0118.patch Fri Dec 05 14:56:34 2014 -0800
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,278 +0,0 @@
-Patch origin: upstream
-Patch status: will be part of next version
-
-http://svn.apache.org/viewvc?view=revision&revision=1611426
-
---- modules/filters/mod_deflate.c 2014/07/17 18:19:00 1611425
-+++ modules/filters/mod_deflate.c 2014/07/17 18:20:46 1611426
-@@ -37,6 +37,7 @@
- #include "httpd.h"
- #include "http_config.h"
- #include "http_log.h"
-+#include "http_core.h"
- #include "apr_lib.h"
- #include "apr_strings.h"
- #include "apr_general.h"
-@@ -51,6 +52,9 @@
- static const char deflateFilterName[] = "DEFLATE";
- module AP_MODULE_DECLARE_DATA deflate_module;
-
-+#define AP_INFLATE_RATIO_LIMIT 200
-+#define AP_INFLATE_RATIO_BURST 3
-+
- typedef struct deflate_filter_config_t
- {
- int windowSize;
-@@ -62,6 +66,12 @@
- char *note_output_name;
- } deflate_filter_config;
-
-+typedef struct deflate_dirconf_t {
-+ apr_off_t inflate_limit;
-+ int ratio_limit,
-+ ratio_burst;
-+} deflate_dirconf_t;
-+
- /* RFC 1952 Section 2.3 defines the gzip header:
- *
- * +---+---+---+---+---+---+---+---+---+---+
-@@ -193,6 +203,14 @@
- return c;
- }
-
-+static void *create_deflate_dirconf(apr_pool_t *p, char *dummy)
-+{
-+ deflate_dirconf_t *dc = apr_pcalloc(p, sizeof(*dc));
-+ dc->ratio_limit = AP_INFLATE_RATIO_LIMIT;
-+ dc->ratio_burst = AP_INFLATE_RATIO_BURST;
-+ return dc;
-+}
-+
- static const char *deflate_set_window_size(cmd_parms *cmd, void *dummy,
- const char *arg)
- {
-@@ -284,6 +302,55 @@
- return NULL;
- }
-
-+
-+static const char *deflate_set_inflate_limit(cmd_parms *cmd, void *dirconf,
-+ const char *arg)
-+{
-+ deflate_dirconf_t *dc = (deflate_dirconf_t*) dirconf;
-+ char *errp;
-+
-+ if (APR_SUCCESS != apr_strtoff(&dc->inflate_limit, arg, &errp, 10)) {
-+ return "DeflateInflateLimitRequestBody is not parsable.";
-+ }
-+ if (*errp || dc->inflate_limit < 0) {
-+ return "DeflateInflateLimitRequestBody requires a non-negative integer.";
-+ }
-+
-+ return NULL;
-+}
-+
-+static const char *deflate_set_inflate_ratio_limit(cmd_parms *cmd,
-+ void *dirconf,
-+ const char *arg)
-+{
-+ deflate_dirconf_t *dc = (deflate_dirconf_t*) dirconf;
-+ int i;
-+
-+ i = atoi(arg);
-+ if (i <= 0)
-+ return "DeflateInflateRatioLimit must be positive";
-+
-+ dc->ratio_limit = i;
-+
-+ return NULL;
-+}
-+
-+static const char *deflate_set_inflate_ratio_burst(cmd_parms *cmd,
-+ void *dirconf,
-+ const char *arg)
-+{
-+ deflate_dirconf_t *dc = (deflate_dirconf_t*) dirconf;
-+ int i;
-+
-+ i = atoi(arg);
-+ if (i <= 0)
-+ return "DeflateInflateRatioBurst must be positive";
-+
-+ dc->ratio_burst = i;
-+
-+ return NULL;
-+}
-+
- typedef struct deflate_ctx_t
- {
- z_stream stream;
-@@ -294,8 +361,26 @@
- unsigned char *validation_buffer;
- apr_size_t validation_buffer_length;
- int inflate_init;
-+ int ratio_hits;
-+ apr_off_t inflate_total;
- } deflate_ctx;
-
-+/* Check whether the (inflate) ratio exceeds the configured limit/burst. */
-+static int check_ratio(request_rec *r, deflate_ctx *ctx,
-+ const deflate_dirconf_t *dc)
-+{
-+ if (ctx->stream.total_in) {
-+ int ratio = ctx->stream.total_out / ctx->stream.total_in;
-+ if (ratio < dc->ratio_limit) {
-+ ctx->ratio_hits = 0;
-+ }
-+ else if (++ctx->ratio_hits > dc->ratio_burst) {
-+ return 0;
-+ }
-+ }
-+ return 1;
-+}
-+
- /* Number of validation bytes (CRC and length) after the compressed data */
- #define VALIDATION_SIZE 8
- /* Do not update ctx->crc, see comment in flush_libz_buffer */
-@@ -744,6 +829,8 @@
- int zRC;
- apr_status_t rv;
- deflate_filter_config *c;
-+ deflate_dirconf_t *dc;
-+ apr_off_t inflate_limit;
-
- /* just get out of the way of things we don't want. */
- if (mode != AP_MODE_READBYTES) {
-@@ -751,6 +838,7 @@
- }
-
- c = ap_get_module_config(r->server->module_config, &deflate_module);
-+ dc = ap_get_module_config(r->per_dir_config, &deflate_module);
-
- if (!ctx) {
- char deflate_hdr[10];
-@@ -803,11 +891,13 @@
- if (len != 10 ||
- deflate_hdr[0] != deflate_magic[0] ||
- deflate_hdr[1] != deflate_magic[1]) {
-+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "Failed to inflate input: wrong/partial magic bytes");
- return APR_EGENERAL;
- }
-
- /* We can't handle flags for now. */
- if (deflate_hdr[3] != 0) {
-+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "Failed to inflate input: cannot handle deflate flags");
- return APR_EGENERAL;
- }
-
-@@ -831,6 +921,12 @@
- apr_brigade_cleanup(ctx->bb);
- }
-
-+ inflate_limit = dc->inflate_limit;
-+ if (inflate_limit == 0) {
-+ /* The core is checking the deflated body, we'll check the inflated */
-+ inflate_limit = ap_get_limit_req_body(f->r);
-+ }
-+
- if (APR_BRIGADE_EMPTY(ctx->proc_bb)) {
- rv = ap_get_brigade(f->next, ctx->bb, mode, block, readbytes);
-
-@@ -863,6 +959,17 @@
-
- ctx->stream.next_out = ctx->buffer;
- len = c->bufferSize - ctx->stream.avail_out;
-+
-+ ctx->inflate_total += len;
-+ if (inflate_limit && ctx->inflate_total > inflate_limit) {
-+ inflateEnd(&ctx->stream);
-+ ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
-+ "Inflated content length of %" APR_OFF_T_FMT
-+ " is larger than the configured limit"
-+ " of %" APR_OFF_T_FMT,
-+ ctx->inflate_total, inflate_limit);
-+ return APR_ENOSPC;
-+ }
-
- ctx->crc = crc32(ctx->crc, (const Bytef *)ctx->buffer, len);
- tmp_heap = apr_bucket_heap_create((char *)ctx->buffer, len,
-@@ -891,6 +998,26 @@
- ctx->stream.next_out = ctx->buffer;
- len = c->bufferSize - ctx->stream.avail_out;
-
-+ ctx->inflate_total += len;
-+ if (inflate_limit && ctx->inflate_total > inflate_limit) {
-+ inflateEnd(&ctx->stream);
-+ ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
-+ "Inflated content length of %" APR_OFF_T_FMT
-+ " is larger than the configured limit"
-+ " of %" APR_OFF_T_FMT,
-+ ctx->inflate_total, inflate_limit);
-+ return APR_ENOSPC;
-+ }
-+
-+ if (!check_ratio(r, ctx, dc)) {
-+ inflateEnd(&ctx->stream);
-+ ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
-+ "Inflated content ratio is larger than the "
-+ "configured limit %i by %i time(s)",
-+ dc->ratio_limit, dc->ratio_burst);
-+ return APR_EINVAL;
-+ }
-+
- ctx->crc = crc32(ctx->crc, (const Bytef *)ctx->buffer, len);
- tmp_heap = apr_bucket_heap_create((char *)ctx->buffer, len,
- NULL, f->c->bucket_alloc);
-@@ -1003,6 +1130,7 @@
- int zRC;
- apr_status_t rv;
- deflate_filter_config *c;
-+ deflate_dirconf_t *dc;
-
- /* Do nothing if asked to filter nothing. */
- if (APR_BRIGADE_EMPTY(bb)) {
-@@ -1010,6 +1138,7 @@
- }
-
- c = ap_get_module_config(r->server->module_config, &deflate_module);
-+ dc = ap_get_module_config(r->per_dir_config, &deflate_module);
-
- if (!ctx) {
-
-@@ -1272,6 +1401,14 @@
- while (ctx->stream.avail_in != 0) {
- if (ctx->stream.avail_out == 0) {
-
-+ if (!check_ratio(r, ctx, dc)) {
-+ ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
-+ "Inflated content ratio is larger than the "
-+ "configured limit %i by %i time(s)",
-+ dc->ratio_limit, dc->ratio_burst);
-+ return APR_EINVAL;
-+ }
-+
- ctx->stream.next_out = ctx->buffer;
- len = c->bufferSize - ctx->stream.avail_out;
-
-@@ -1346,12 +1483,20 @@
- "Set the Deflate Memory Level (1-9)"),
- AP_INIT_TAKE1("DeflateCompressionLevel", deflate_set_compressionlevel, NULL, RSRC_CONF,
- "Set the Deflate Compression Level (1-9)"),
-+ AP_INIT_TAKE1("DeflateInflateLimitRequestBody", deflate_set_inflate_limit, NULL, OR_ALL,
-+ "Set a limit on size of inflated input"),
-+ AP_INIT_TAKE1("DeflateInflateRatioLimit", deflate_set_inflate_ratio_limit, NULL, OR_ALL,
-+ "Set the inflate ratio limit above which inflation is "
-+ "aborted (default: " APR_STRINGIFY(AP_INFLATE_RATIO_LIMIT) ")"),
-+ AP_INIT_TAKE1("DeflateInflateRatioBurst", deflate_set_inflate_ratio_burst, NULL, OR_ALL,
-+ "Set the maximum number of following inflate ratios above limit "
-+ "(default: " APR_STRINGIFY(AP_INFLATE_RATIO_BURST) ")"),
- {NULL}
- };
-
- module AP_MODULE_DECLARE_DATA deflate_module = {
- STANDARD20_MODULE_STUFF,
-- NULL, /* dir config creater */
-+ create_deflate_dirconf, /* dir config creater */
- NULL, /* dir merger --- default is to override */
- create_deflate_server_config, /* server config */
- NULL, /* merge server config */