update to haproxy-1.6.6
from David Carlier
parent
cb66762e23
commit
7fc676bcc9
@ -1,9 +1,8 @@
|
||||
# $OpenBSD: Makefile,v 1.30 2016/06/15 06:55:58 jasper Exp $
|
||||
# $OpenBSD: Makefile,v 1.31 2016/06/27 18:41:11 danj Exp $
|
||||
|
||||
COMMENT = reliable, high performance TCP/HTTP load balancer
|
||||
|
||||
DISTNAME = haproxy-1.6.5
|
||||
REVISION = 0
|
||||
DISTNAME = haproxy-1.6.6
|
||||
CATEGORIES = net www
|
||||
HOMEPAGE = http://www.haproxy.org/
|
||||
MAINTAINER = Daniel Jakots <obsd@chown.me>
|
||||
|
@ -1,2 +1,2 @@
|
||||
SHA256 (haproxy-1.6.5.tar.gz) = xLP7k4h0q7u9UngghxF8wlkCY694/c6G1k5KEaz+hd4=
|
||||
SIZE (haproxy-1.6.5.tar.gz) = 1563272
|
||||
SHA256 (haproxy-1.6.6.tar.gz) = /bA9YweMw8aIu205/HXcwVjWU1bkyOHEWQM+vt3/VfU=
|
||||
SIZE (haproxy-1.6.6.tar.gz) = 1565046
|
||||
|
@ -1,15 +0,0 @@
|
||||
$OpenBSD: patch-include_types_proto_http_h,v 1.1 2016/06/15 06:55:58 jasper Exp $
|
||||
|
||||
Security fix for CVE-2016-5360
|
||||
http://git.haproxy.org/?p=haproxy-1.6.git;a=commitdiff;h=60f01f8c89e4fb2723d5a9f2046286e699567e0b
|
||||
|
||||
--- include/types/proto_http.h.orig Tue May 10 15:42:00 2016
|
||||
+++ include/types/proto_http.h Tue Jun 14 15:10:23 2016
|
||||
@@ -362,7 +362,6 @@ struct http_txn {
|
||||
unsigned int flags; /* transaction flags */
|
||||
enum http_meth_t meth; /* HTTP method */
|
||||
/* 1 unused byte here */
|
||||
- short rule_deny_status; /* HTTP status from rule when denying */
|
||||
short status; /* HTTP status from the server, negative if from proxy */
|
||||
|
||||
char *uri; /* first line if log needed, NULL otherwise */
|
@ -1,77 +0,0 @@
|
||||
$OpenBSD: patch-src_proto_http_c,v 1.3 2016/06/15 06:55:58 jasper Exp $
|
||||
|
||||
Security fix for CVE-2016-5360
|
||||
http://git.haproxy.org/?p=haproxy-1.6.git;a=commitdiff;h=60f01f8c89e4fb2723d5a9f2046286e699567e0b
|
||||
|
||||
--- src/proto_http.c.orig Tue May 10 15:42:00 2016
|
||||
+++ src/proto_http.c Tue Jun 14 15:10:23 2016
|
||||
@@ -3490,10 +3490,12 @@ static int http_transform_header(struct stream* s, str
|
||||
* further processing of the request (auth, deny, ...), and defaults to
|
||||
* HTTP_RULE_RES_STOP if it executed all rules or stopped on an allow, or
|
||||
* HTTP_RULE_RES_CONT if the last rule was reached. It may set the TX_CLTARPIT
|
||||
- * on txn->flags if it encounters a tarpit rule.
|
||||
+ * on txn->flags if it encounters a tarpit rule. If <deny_status> is not NULL
|
||||
+ * and a deny/tarpit rule is matched, it will be filled with this rule's deny
|
||||
+ * status.
|
||||
*/
|
||||
enum rule_result
|
||||
-http_req_get_intercept_rule(struct proxy *px, struct list *rules, struct stream *s)
|
||||
+http_req_get_intercept_rule(struct proxy *px, struct list *rules, struct stream *s, int *deny_status)
|
||||
{
|
||||
struct session *sess = strm_sess(s);
|
||||
struct http_txn *txn = s->txn;
|
||||
@@ -3539,12 +3541,14 @@ resume_execution:
|
||||
return HTTP_RULE_RES_STOP;
|
||||
|
||||
case ACT_ACTION_DENY:
|
||||
- txn->rule_deny_status = rule->deny_status;
|
||||
+ if (deny_status)
|
||||
+ *deny_status = rule->deny_status;
|
||||
return HTTP_RULE_RES_DENY;
|
||||
|
||||
case ACT_HTTP_REQ_TARPIT:
|
||||
txn->flags |= TX_CLTARPIT;
|
||||
- txn->rule_deny_status = rule->deny_status;
|
||||
+ if (deny_status)
|
||||
+ *deny_status = rule->deny_status;
|
||||
return HTTP_RULE_RES_DENY;
|
||||
|
||||
case ACT_HTTP_REQ_AUTH:
|
||||
@@ -4303,6 +4307,7 @@ int http_process_req_common(struct stream *s, struct c
|
||||
struct redirect_rule *rule;
|
||||
struct cond_wordlist *wl;
|
||||
enum rule_result verdict;
|
||||
+ int deny_status = HTTP_ERR_403;
|
||||
|
||||
if (unlikely(msg->msg_state < HTTP_MSG_BODY)) {
|
||||
/* we need more data */
|
||||
@@ -4323,7 +4328,7 @@ int http_process_req_common(struct stream *s, struct c
|
||||
|
||||
/* evaluate http-request rules */
|
||||
if (!LIST_ISEMPTY(&px->http_req_rules)) {
|
||||
- verdict = http_req_get_intercept_rule(px, &px->http_req_rules, s);
|
||||
+ verdict = http_req_get_intercept_rule(px, &px->http_req_rules, s, &deny_status);
|
||||
|
||||
switch (verdict) {
|
||||
case HTTP_RULE_RES_YIELD: /* some data miss, call the function later. */
|
||||
@@ -4369,7 +4374,7 @@ int http_process_req_common(struct stream *s, struct c
|
||||
|
||||
/* parse the whole stats request and extract the relevant information */
|
||||
http_handle_stats(s, req);
|
||||
- verdict = http_req_get_intercept_rule(px, &px->uri_auth->http_req_rules, s);
|
||||
+ verdict = http_req_get_intercept_rule(px, &px->uri_auth->http_req_rules, s, &deny_status);
|
||||
/* not all actions implemented: deny, allow, auth */
|
||||
|
||||
if (verdict == HTTP_RULE_RES_DENY) /* stats http-request deny */
|
||||
@@ -4500,9 +4505,9 @@ int http_process_req_common(struct stream *s, struct c
|
||||
manage_client_side_cookies(s, req);
|
||||
|
||||
txn->flags |= TX_CLDENY;
|
||||
- txn->status = http_err_codes[txn->rule_deny_status];
|
||||
+ txn->status = http_err_codes[deny_status];
|
||||
s->logs.tv_request = now;
|
||||
- stream_int_retnclose(&s->si[0], http_error_message(s, txn->rule_deny_status));
|
||||
+ stream_int_retnclose(&s->si[0], http_error_message(s, deny_status));
|
||||
stream_inc_http_err_ctr(s);
|
||||
sess->fe->fe_counters.denied_req++;
|
||||
if (sess->fe != s->be)
|