Merge branch 'release/4.4.6'

Author: GrahamDumpleton

docs/release-notes/index.rst

@@ -5,6 +5,7 @@ Release Notes
 .. toctree::
    :maxdepth: 2
 
+   version-4.4.6.rst
    version-4.4.5.rst
    version-4.4.4.rst
    version-4.4.3.rst

docs/release-notes/version-4.4.6.rst

@@ -0,0 +1,64 @@
+=============
+Version 4.4.6
+=============
+
+Version 4.4.6 of mod_wsgi can be obtained from:
+
+  https://codeload.github.com/GrahamDumpleton/mod_wsgi/tar.gz/4.4.6
+
+For details on the availability of Windows binaries see:
+
+  https://github.com/GrahamDumpleton/mod_wsgi/tree/master/win32
+
+Bugs Fixed
+----------
+
+1. Apache 2.2.29 and 2.4.11 introduce additional fields to the request
+structure ``request_rec`` due to CVE-2013-5704. The addition of these
+fields will cause versions of mod_wsgi from 4.4.0-4.4.5 to crash when used
+in mod_wsgi daemon mode and mod_wsgi isn't initialising the new structure
+members.
+
+If you are upgrading your Apache installation to those versions or later
+versions, you must also update to mod_wsgi version 4.4.6. The mod_wsgi
+4.4.6 source code must have also been compiled against the newer Apache
+version.
+
+In recompiling mod_wsgi 4.4.6 source code against the newer Apache versions
+the source code is able to detect the new fields exist at compile time by
+checking a compile time version number.
+
+One problem that can arise is that where a CVE is raised for a security
+issue, Linux distributions will back port the change to older Apache
+versions. When they do this though, the compile time version number isn't
+changed, so mod_wsgi cannot detect at compile time when built against
+Apache versions with the backport that the additional fields exist.
+
+To combat this problem, mod_wsgi will do some runtime checks which look at
+the actual size of ``request_rec`` and calculate whether the additional
+fields have been added by way of a backported change. In this case mod_wsgi
+will then set the fields as necessary.
+
+As a final fail safe for forward compatibility. If the current mod_wsgi
+source code is compiled against a version of Apache which doesn't have the
+CVE change applied, it will pad the ``request_rec`` and optimistically set
+the fields anyway. This is to deal with the situation where mod_wsgi is
+compiled against an older Apache and then that Apache is upgraded to one
+with the CVE change, but mod_wsgi is not recompiled so that the additional
+fields can be detected at compile time.
+
+2. Override ``LC_ALL`` environment variable when ``locale`` option to the
+``WSGIDaemonProcess`` directive. It is not always sufficient to just call
+``setlocale()`` as some Python code, including interpreter initialisation
+can still consult the original ``LC_ALL`` environment variable. In this
+case this can result in an undesired file system encoding still being
+selected.
+
+New Features
+------------
+
+1. Added ``--enable-gdb`` option to ``mod_wsgi-express`` for when running
+in debug mode. With this option set, Apache will be started up within
+``gdb`` allowing the debug of process crashes on startup or while handling
+requests. If the ``gdb`` program is not in ``PATH``, the ``--gdb-executable``
+option can be set to give its location.

src/server/__init__.py

@@ -1333,7 +1333,10 @@ def generate_server_metrics_script(options):
 
 # %(sys_argv)s
 
-HTTPD="%(httpd_executable)s %(httpd_arguments)s"
+HTTPD="%(httpd_executable)s"
+HTTPD_ARGS="%(httpd_arguments)s"
+
+HTTPD_COMMAND="$HTTPD $HTTPD_ARGS"
 
 SHLIBPATH="%(shlibpath)s"
 
@@ -1382,20 +1385,28 @@ def generate_server_metrics_script(options):
     ARGV="-h"
 fi
 
+GDB="%(gdb_executable)s"
+ENABLE_GDB="%(enable_gdb)s"
+
 PROCESS_NAME="%(process_name)s"
 
 case $ACMD in
 start|stop|restart|graceful|graceful-stop)
-    exec -a "$PROCESS_NAME" $HTTPD -k $ARGV
+    if [ "x$ENABLE_GDB" != "xTrue" ]; then
+        exec -a "$PROCESS_NAME" $HTTPD_COMMAND -k $ARGV
+    else
+        echo "run $HTTPD_ARGS -k $ARGV" > %(server_root)s/gdb.cmds
+        gdb -x %(server_root)s/gdb.cmds $HTTPD
+    fi
     ;;
 configtest)
-    exec $HTTPD -t
+    exec $HTTPD_COMMAND -t
     ;;
 status)
     exec %(python_executable)s -m webbrowser -t $STATUSURL
     ;;
 *)
-    exec $HTTPD $ARGV
+    exec $HTTPD_COMMAND $ARGV
 esac
 """
 
@@ -1946,6 +1957,14 @@ def check_percentage(option, opt_str, value, parser):
             'which recorder data will be written when enabled under debug '
             'mode.'),
 
+    optparse.make_option('--enable-gdb', action='store_true',
+            default=False, help='Flag indicating whether Apache should '
+            'be run under \'gdb\' when running in debug mode. This '
+            'would be use to debug process crashes.'),
+    optparse.make_option('--gdb-executable', default='gdb',
+            metavar='FILE-PATH', help='Override the path to the gdb '
+            'executable.'),
+
     optparse.make_option('--setup-only', action='store_true', default=False,
             help='Flag indicating that after the configuration files have '
             'been setup, that the command should then exit and not go on '
@@ -2416,6 +2435,7 @@ def _cmd_setup_server(command, args, options):
         options['enable_coverage'] = False
         options['enable_profiler'] = False
         options['enable_recorder'] = False
+        options['enable_gdb'] = False
 
     options['parent_domain'] = 'unspecified'
 
@@ -2536,10 +2556,27 @@ def _cmd_setup_server(command, args, options):
             print('Environ Variables  :', options['server_root'] + '/envvars')
         print('Control Script     :', options['server_root'] + '/apachectl')
 
-    print('Locale Setting     :', options['locale'])
+    if options['processes'] == 1:
+        print('Request Capacity   : %s (%s process * %s threads)' % (
+                options['processes']*options['threads'],
+                options['processes'], options['threads']))
+    else:
+        print('Request Capacity   : %s (%s processes * %s threads)' % (
+                options['processes']*options['threads'],
+                options['processes'], options['threads']))
+
+    print('Request Timeout    : %s (seconds)' % options['request_timeout'])
 
-    print('Daemon Processes   :', options['processes'])
-    print('Daemon Threads     :', options['threads'])
+    print('Queue Backlog      : %s (connections)' % options['daemon_backlog'])
+
+    print('Queue Timeout      : %s (seconds)' % options['queue_timeout'])
+
+    print('Server Capacity    : %s (event/worker), %s (prefork)' % (
+            options['worker_max_clients'], options['prefork_max_clients']))
+
+    print('Server Backlog     : %s (connections)' % options['server_backlog'])
+
+    print('Locale Setting     :', options['locale'])
 
     return options
 

src/server/mod_wsgi.c

@@ -9206,13 +9206,17 @@ static int wsgi_start_process(apr_pool_t *p, WSGIDaemonProcess *daemon)
         }
 
         if (daemon->group->locale) {
+            char *envvar;
             char *result;
 
             ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, wsgi_server,
                          "mod_wsgi (pid=%d): Setting locale to %s for "
                          "daemon process group %s.", getpid(),
                          daemon->group->locale, daemon->group->name);
 
+            envvar = apr_pstrcat(p, "LC_ALL=", daemon->group->locale, NULL);
+            putenv(envvar);
+
             result = setlocale(LC_ALL, daemon->group->locale);
 
             if (!result) {
@@ -11368,6 +11372,27 @@ static apr_status_t wsgi_header_filter(ap_filter_t *f, apr_bucket_brigade *b)
     return ap_pass_brigade(f->next, b);
 }
 
+typedef struct cve_2013_5704_fields cve_2013_5704_fields;
+typedef struct cve_2013_5704_apache22 cve_2013_5704_apache22;
+typedef struct cve_2013_5704_apache24 cve_2013_5704_apache24;
+
+struct cve_2013_5704_fields {
+    apr_table_t *trailers_in;
+    apr_table_t *trailers_out;
+};
+
+struct cve_2013_5704_apache22 {
+    struct ap_filter_t *proto_input_filters;
+    int eos_sent;
+    cve_2013_5704_fields fields;
+};
+
+struct cve_2013_5704_apache24 {
+    apr_sockaddr_t *useragent_addr;
+    char *useragent_ip;
+    cve_2013_5704_fields fields;
+};
+
 static int wsgi_hook_daemon_handler(conn_rec *c)
 {
     apr_socket_t *csd;
@@ -11397,6 +11422,13 @@ static int wsgi_hook_daemon_handler(conn_rec *c)
 
     int queue_timeout_occurred = 0;
 
+#if ! (AP_MODULE_MAGIC_AT_LEAST(20120211, 37) || \
+    (AP_SERVER_MAJORVERSION_NUMBER == 2 && \
+     AP_SERVER_MINORVERSION_NUMBER <= 2 && \
+     AP_MODULE_MAGIC_AT_LEAST(20051115, 36)))
+    apr_size_t size = 0;
+#endif
+
     /* Don't do anything if not in daemon process. */
 
     if (!wsgi_daemon_pool)
@@ -11450,10 +11482,22 @@ static int wsgi_hook_daemon_handler(conn_rec *c)
             next = current->next;
     }
 
-    /* Create and populate our own request object. */
+    /*
+     * Create and populate our own request object. We allocate more
+     * memory than we require here for the request_rec in order to
+     * implement an opimistic hack for the case where mod_wsgi is built
+     * against an Apache version prior to CVE-2013-6704 being applied to
+     * it. If that Apache is upgraded but mod_wsgi not recompiled then
+     * it will crash in daemon mode. We therefore use the extra space to
+     * set the structure members which are added by CVE-2013-6704 to try
+     * and avoid that situation. Note that this is distinct from the
+     * hack down below to deal with where mod_wsgi was compiled against
+     * an Apache version which had CVE-2013-6704 backported.
+     */
 
     apr_pool_create(&p, c->pool);
-    r = apr_pcalloc(p, sizeof(request_rec));
+
+    r = apr_pcalloc(p, sizeof(request_rec)+sizeof(cve_2013_5704_fields));
 
     r->pool = p;
     r->connection = c;
@@ -11477,6 +11521,78 @@ static int wsgi_hook_daemon_handler(conn_rec *c)
     r->proto_input_filters = c->input_filters;
     r->input_filters = r->proto_input_filters;
 
+#if AP_MODULE_MAGIC_AT_LEAST(20120211, 37) || \
+    (AP_SERVER_MAJORVERSION_NUMBER == 2 && \
+     AP_SERVER_MINORVERSION_NUMBER <= 2 && \
+     AP_MODULE_MAGIC_AT_LEAST(20051115, 36))
+
+    /*
+     * New request_rec fields were added to Apache because of changes
+     * related to CVE-2013-5704. The change means that mod_wsgi version
+     * 4.4.0-4.4.5 will crash if run on the Apache versions with the
+     * addition fields if mod_wsgi daemon mode is used. If we are using
+     * Apache 2.2.29 or 2.4.11, we set the fields direct against the
+     * new structure members.
+     */
+
+    r->trailers_in = apr_table_make(r->pool, 5);
+    r->trailers_out = apr_table_make(r->pool, 5);
+#else
+    /*
+     * We use a huge hack here to try and identify when CVE-2013-5704
+     * has been back ported to older Apache version. This is necessary
+     * as when backported the Apache module magic number will not be
+     * updated and it isn't possible to determine from that at compile
+     * time if the new structure members exist and so that they should
+     * be set. We therefore try and work out whether the extra structure
+     * members exist through looking at the size of request_rec and
+     * whether memory has been allocated above what is known to be the
+     * last member in the structure before the new members were added.
+     */
+
+#if AP_SERVER_MINORVERSION_NUMBER <= 2
+    size = offsetof(request_rec, eos_sent);
+    size += sizeof(r->eos_sent);
+#else
+    size = offsetof(request_rec, useragent_ip);
+    size += sizeof(r->useragent_ip);
+#endif
+
+    /*
+     * Check whether request_rec is at least as large as minimal size
+     * plus the size of the extra fields. If it is, then we need to
+     * set the additional fields.
+     */
+
+    if (sizeof(request_rec) >= size + sizeof(cve_2013_5704_fields)) {
+#if AP_SERVER_MINORVERSION_NUMBER <= 2
+        cve_2013_5704_apache22 *rext;
+        rext = (cve_2013_5704_apache22 *)&r->proto_input_filters;
+#else
+        cve_2013_5704_apache24 *rext;
+        rext = (cve_2013_5704_apache24 *)&r->useragent_addr;
+#endif
+
+        rext->fields.trailers_in = apr_table_make(r->pool, 5);
+        rext->fields.trailers_out = apr_table_make(r->pool, 5);
+    }
+    else {
+        /*
+         * Finally, to allow forward portability of a compiled mod_wsgi
+         * binary from an Apache version without the CVE-2013-5704
+         * change to one where it is, without needing to recompile
+         * mod_wsgi, we set fields in the extra memory we added before
+         * the actual request_rec.
+         */
+
+        cve_2013_5704_fields *rext;
+        rext = (cve_2013_5704_fields *)(r+1);
+
+        rext->trailers_in = apr_table_make(r->pool, 5);
+        rext->trailers_out = apr_table_make(r->pool, 5);
+    }
+#endif
+
     r->per_dir_config  = r->server->lookup_defaults;
 
     r->sent_bodyct = 0;

src/server/wsgi_daemon.h

@@ -48,9 +48,12 @@
 #include "http_connection.h"
 #include "apr_poll.h"
 #include "apr_signal.h"
-#include "apr_support.h"
 #include "http_vhost.h"
 
+#if APR_MAJOR_VERSION < 2
+#include "apr_support.h"
+#endif
+
 #if APR_MAJOR_VERSION < 1
 #define apr_atomic_cas32 apr_atomic_cas
 #endif

src/server/wsgi_version.h

@@ -25,8 +25,8 @@
 
 #define MOD_WSGI_MAJORVERSION_NUMBER 4
 #define MOD_WSGI_MINORVERSION_NUMBER 4
-#define MOD_WSGI_MICROVERSION_NUMBER 5
-#define MOD_WSGI_VERSION_STRING "4.4.5"
+#define MOD_WSGI_MICROVERSION_NUMBER 6
+#define MOD_WSGI_VERSION_STRING "4.4.6"
 
 /* ------------------------------------------------------------------------- */
 

tests/environ.wsgi

@@ -72,6 +72,8 @@ def application(environ, start_response):
     print('LC_ALL: %s' % os.environ.get('LC_ALL'), file=output)
     print('sys.getdefaultencoding(): %s' % sys.getdefaultencoding(),
             file=output)
+    print('sys.getfilesystemencoding(): %s' % sys.getfilesystemencoding(),
+            file=output)
     print('locale.getlocale(): %s' % (locale.getlocale(),),
             file=output)
     print('locale.getdefaultlocale(): %s' % (locale.getdefaultlocale(),),