[polipo: 1/2] - add daily cache cleanup - fix missing creation of /var/run directory (bz #755198) - make sure log
Bernard Johnson
bjohnson at fedoraproject.org
Mon Jan 23 02:33:04 UTC 2012
commit 3ee24a0f96543481c82e99dc90db0ac8bbdc6837
Author: Bernard Johnson <bjohnson at symetrix.com>
Date: Sun Jan 22 19:26:58 2012 -0700
- add daily cache cleanup
- fix missing creation of /var/run directory (bz #755198)
- make sure log directory context is set correctly (bz #741779)
- fix denial of service vulnerability CVE-2011-3596 (bz #742897)
http-assertion-failure.patch | 213 ++++++++++++++++++++++++++++++++++++++++++
polipo.cron | 21 ++++
polipo.spec | 21 +++-
3 files changed, 250 insertions(+), 5 deletions(-)
---
diff --git a/http-assertion-failure.patch b/http-assertion-failure.patch
new file mode 100644
index 0000000..07ca0d4
--- /dev/null
+++ b/http-assertion-failure.patch
@@ -0,0 +1,213 @@
+From 0e2b44af619e46e365971ea52b97457bc0778cd3 Mon Sep 17 00:00:00 2001
+From: Christopher Davis <chrisd at mangrin.org>
+Date: Mon, 11 Jan 2010 18:55:41 -0800
+Subject: [PATCH] Try to read POST requests to local configuration interface correctly.
+
+---
+ client.c | 1 -
+ local.c | 113 +++++++++++++++++++++++++++++++++++++++++--------------------
+ 2 files changed, 76 insertions(+), 38 deletions(-)
+
+diff --git a/client.c b/client.c
+index 18f1d72..2404c81 100644
+--- a/client.c
++++ b/client.c
+@@ -987,7 +987,6 @@ httpClientDiscardBody(HTTPConnectionPtr connection)
+ connection->reqlen = 0;
+ httpConnectionDestroyReqbuf(connection);
+ }
+- connection->reqte = TE_UNKNOWN;
+
+ if(connection->bodylen > 0) {
+ httpSetTimeout(connection, clientTimeout);
+diff --git a/local.c b/local.c
+index 82106c4..f59ab63 100644
+--- a/local.c
++++ b/local.c
+@@ -67,8 +67,8 @@ httpLocalRequest(ObjectPtr object, int method, int from, int to,
+ requestor, closure);
+
+ if(method >= METHOD_POST) {
++ httpClientDiscardBody(requestor->connection);
+ httpClientError(requestor, 405, internAtom("Method not allowed"));
+- requestor->connection->flags &= ~CONN_READER;
+ return 1;
+ }
+
+@@ -295,11 +295,47 @@ httpSpecialRequest(ObjectPtr object, int method, int from, int to,
+ return 1;
+ }
+
++#define MAXBODY(c) (((c)->flags & CONN_BIGREQBUF)? bigBufferSize : CHUNK_SIZE)
++
++static void
++writeContinue(HTTPConnectionPtr client)
++{
++ static char httpContinue[] = "HTTP/1.1 100 Continue\r\n\r\n";
++
++ /* don't bother writing continue if the post is already completed */
++ if (client->reqlen - client->reqbegin < client->bodylen) {
++ do_stream(IO_WRITE, client->fd, 0, httpContinue, 25,
++ httpErrorNofinishStreamHandler, client);
++ }
++}
++
++static int
++validateRequest(HTTPConnectionPtr client)
++{
++ ObjectPtr object = client->request->object;
++
++ if (disableConfiguration) {
++ abortObject(object, 403, internAtom("Action not allowed"));
++ } else if (client->bodylen > MAXBODY(client)) {
++ abortObject(object, 411, internAtom("POST too large"));
++ } else if (!matchUrl("/polipo/status", object) &&
++ !matchUrl("/polipo/config", object)) {
++ abortObject(object, 404, internAtom("Not found"));
++ } else
++ return 0;
++
++ httpClientDiscardBody(client);
++ notifyObject(object);
++
++ return -1;
++}
++
+ int
+ httpSpecialSideRequest(ObjectPtr object, int method, int from, int to,
+ HTTPRequestPtr requestor, void *closure)
+ {
+ HTTPConnectionPtr client = requestor->connection;
++ int waiting = 0;
+
+ assert(client->request == requestor);
+
+@@ -309,13 +345,24 @@ httpSpecialSideRequest(ObjectPtr object, int method, int from, int to,
+ return 1;
+ }
+
++ if (requestor->flags & REQUEST_WAIT_CONTINUE) {
++ requestor->flags &= ~REQUEST_WAIT_CONTINUE;
++ waiting = 1;
++ }
++
++ if (validateRequest(client) < 0)
++ return 1;
++
++ if (waiting)
++ writeContinue(client);
++
+ return httpSpecialDoSide(requestor);
+ }
+
+-int
+-httpSpecialDoSide(HTTPRequestPtr requestor)
++static int
++readFinished(HTTPConnectionPtr client)
+ {
+- HTTPConnectionPtr client = requestor->connection;
++ HTTPRequestPtr request = client->request;
+
+ if(client->reqlen - client->reqbegin >= client->bodylen) {
+ AtomPtr data;
+@@ -325,19 +372,25 @@ httpSpecialDoSide(HTTPRequestPtr requestor)
+ client->reqlen = 0;
+ if(data == NULL) {
+ do_log(L_ERROR, "Couldn't allocate data.\n");
+- httpClientError(requestor, 500,
++ httpClientError(request, 500,
+ internAtom("Couldn't allocate data"));
+ return 1;
+ }
+- httpSpecialDoSideFinish(data, requestor);
++ httpSpecialDoSideFinish(data, request);
+ return 1;
+ }
+
+- if(client->reqlen - client->reqbegin >= CHUNK_SIZE) {
+- httpClientError(requestor, 500, internAtom("POST too large"));
+- return 1;
+- }
++ return 0;
++}
+
++int
++httpSpecialDoSide(HTTPRequestPtr requestor)
++{
++ HTTPConnectionPtr client = requestor->connection;
++
++ if (readFinished(client))
++ return 1;
++
+ if(client->reqbegin > 0 && client->reqlen > client->reqbegin) {
+ memmove(client->reqbuf, client->reqbuf + client->reqbegin,
+ client->reqlen - client->reqbegin);
+@@ -346,7 +399,7 @@ httpSpecialDoSide(HTTPRequestPtr requestor)
+ client->reqbegin = 0;
+
+ do_stream(IO_READ | IO_NOTNOW, client->fd,
+- client->reqlen, client->reqbuf, CHUNK_SIZE,
++ client->reqlen, client->reqbuf, MAXBODY(client),
+ httpSpecialClientSideHandler, client);
+ return 1;
+ }
+@@ -358,36 +411,22 @@ httpSpecialClientSideHandler(int status,
+ {
+ HTTPConnectionPtr connection = srequest->data;
+ HTTPRequestPtr request = connection->request;
+- int push;
+
+- if((request->object->flags & OBJECT_ABORTED) ||
+- !(request->object->flags & OBJECT_INPROGRESS)) {
+- httpClientDiscardBody(connection);
+- httpClientError(request, 503, internAtom("Post aborted"));
+- return 1;
+- }
+-
+- if(status < 0) {
+- do_log_error(L_ERROR, -status, "Reading from client");
+- if(status == -EDOGRACEFUL)
+- httpClientFinish(connection, 1);
+- else
+- httpClientFinish(connection, 2);
++ if(status) {
++ connection->flags &= ~CONN_READER;
++ if (request->chandler) {
++ unregisterConditionHandler(request->chandler);
++ request->chandler = NULL;
++ }
++ do_log(L_ERROR, "Incomplete client request.\n");
++ httpClientRawError(connection, 502,
++ internAtom("Incomplete client request"), 1);
+ return 1;
+ }
+
+- push = MIN(srequest->offset - connection->reqlen,
+- connection->bodylen - connection->reqoffset);
+- if(push > 0) {
+- connection->reqlen += push;
+- httpSpecialDoSide(request);
+- }
++ connection->reqlen = srequest->offset;
+
+- do_log(L_ERROR, "Incomplete client request.\n");
+- connection->flags &= ~CONN_READER;
+- httpClientRawError(connection, 502,
+- internAtom("Incomplete client request"), 1);
+- return 1;
++ return readFinished(connection);
+ }
+
+ int
+@@ -480,7 +519,7 @@ httpSpecialDoSideFinish(AtomPtr data, HTTPRequestPtr requestor)
+ object->flags &= ~OBJECT_INITIAL;
+ object->length = 0;
+ } else {
+- abortObject(object, 405, internAtom("Method not allowed"));
++ abortObject(object, 404, internAtom("Not found"));
+ }
+
+ out:
+--
+1.7.2.5
+
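Review bot: In `validateRequest`, an oversized body is rejected with `abortObject(object, 411, internAtom("POST too large"))`, but 411 means Length Required; the status that matches the message is 413, i.e. `abortObject(object, 413, internAtom("POST too large"));`. That check only bounds `client->bodylen` from above, so it is worth confirming against the request parser (not visible in this patch) that a negative `bodylen` cannot reach `readFinished`, where `reqlen - reqbegin >= bodylen` would then be true immediately. In `httpSpecialClientSideHandler`, whose opening lines are outside the embedded hunk, the new `if(status)` path drops the old `do_log_error(L_ERROR, -status, "Reading from client")`, so the errno behind a failed read is no longer logged; keeping that call for negative `status` before the 502 would preserve it for triage. The literal `25` in `writeContinue` would be safer as `sizeof(httpContinue) - 1`.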
diff --git a/polipo.cron b/polipo.cron
new file mode 100755
index 0000000..dfd7b16
--- /dev/null
+++ b/polipo.cron
@@ -0,0 +1,21 @@
+#!/bin/sh
+#
+# flush polipo disk cache
+#
+FORBIDDEN_FILE=/etc/polipo/forbidden
+CONFIG_FILE=/etc/polipo/config
+
+if [ ! -x /usr/bin/polipo ]; then
+ exit 0
+fi
+
+if [ ! -f $FORBIDDEN_FILE ]; then
+ FORBIDDEN_FILE=/dev/null
+fi
+
+PIDFILE=/var/run/polipo/polipo.pid
+[ -f "$PIDFILE" ] && kill -USR1 $(cat "$PIDFILE")
+su -s /bin/sh -c \
+ "nice polipo -x -c $CONFIG_FILE forbiddenFile=$FORBIDDEN_FILE > /dev/null" \
+ polipo
+[ -f "$PIDFILE" ] && kill -USR2 $(cat "$PIDFILE")
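Review bot: The two `kill` lines run as root (the script is installed root-owned into cron.daily and uses `su`), yet they take the PID from `/var/run/polipo/polipo.pid`, which lives in a directory the spec assigns to the polipo user, so root signals whatever PID that account's file contains. Sending the signals with the service account's privileges removes that trust, for example `su -s /bin/sh -c 'kill -USR1 "$(cat /var/run/polipo/polipo.pid)"' polipo`, mirroring the `su` already used for the purge. `$FORBIDDEN_FILE` and `$CONFIG_FILE` are also expanded unquoted in the `[ ! -f ... ]` test and inside the `su -c` string and should be quoted. Because the last line is `[ -f "$PIDFILE" ] && kill ...`, the script exits non-zero whenever the pidfile is absent; an explicit `exit 0` at the end would avoid spurious cron failure reports.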
diff --git a/polipo.spec b/polipo.spec
index 24e5899..7211a1c 100644
--- a/polipo.spec
+++ b/polipo.spec
@@ -10,7 +10,7 @@
Name: polipo
Version: 1.0.4.1
-Release: 4%{?dist}
+Release: 5%{?dist}
Summary: Lightweight caching web proxy
License: MIT
Source0: http://freehaven.net/~chrisd/%{name}/%{name}-%{version}.tar.gz
@@ -21,6 +21,8 @@ Source4: %{name}.logrotate
Source5: %{name}.nm
Source6: %{name}.tmpfiles
Source7: %{name}.service
+Source8: %{name}.cron
+Patch0: http-assertion-failure.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
Group: System Environment/Daemons
URL: http://www.pps.jussieu.fr/~jch/software/%{name}/
@@ -57,6 +59,8 @@ server.
%prep
%setup -q
+%patch0 -p1 -b .http-assertion-failure
+
%build
make %{?_smp_mflags} PREFIX=%{_prefix} BINDIR=%{_bindir} CDEBUGFLAGS="%{optflags}"
@@ -70,12 +74,12 @@ install -D -p -m 0644 %{SOURCE2} $RPM_BUILD_ROOT/%{_sysconfdir}/%{name}/config
install -D -p -m 0644 %{SOURCE3} $RPM_BUILD_ROOT/%{_sysconfdir}/%{name}/forbidden
install -D -p -m 0644 %{SOURCE4} $RPM_BUILD_ROOT/%{_sysconfdir}/logrotate.d/%{name}
install -D -p -m 0755 %{SOURCE5} $RPM_BUILD_ROOT/%{_sysconfdir}/NetworkManager/dispatcher.d/25-%{name}
+install -D -p -m 0755 %{SOURCE8} $RPM_BUILD_ROOT/%{_sysconfdir}/cron.daily/%{name}
%if 0%{?_with_tmpfilesd}
install -D -p -m 0644 %{SOURCE6} $RPM_BUILD_ROOT/%{_sysconfdir}/tmpfiles.d/%{name}.conf
-%else
-install -d -m 0755 $RPM_BUILD_ROOT/%{_localstatedir}/run/%{name}
%endif
+install -d -m 0755 $RPM_BUILD_ROOT/%{_localstatedir}/run/%{name}
%if 0%{?_with_systemd}
install -D -p -m 0644 %{SOURCE7} $RPM_BUILD_ROOT/%{_unitdir}/%{name}.service
@@ -106,6 +110,7 @@ exit 0
[ -e %{_localstatedir}/log/%{name} ] || /bin/touch %{_localstatedir}/log/%{name}
/bin/chmod -f 0640 %{_localstatedir}/log/%{name}
/bin/chown -f %{name}:%{name} %{_localstatedir}/log/%{name}
+/sbin/restorecon /var/log/polipo || :
/sbin/install-info --quiet --info-dir=%{_infodir} %{_infodir}/%{name}.info.gz || :
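Review bot: The added `/sbin/restorecon /var/log/polipo || :` hard-codes the path while the three lines above it use `%{_localstatedir}/log/%{name}`; writing it as `/sbin/restorecon %{_localstatedir}/log/%{name} || :` keeps the scriptlet consistent and relabels exactly the file that was just touched, chmod-ed and chown-ed. The scriptlet's header is outside this hunk, so which scriptlet this runs in is not visible here.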
@@ -172,6 +177,7 @@ fi
%config(noreplace) %{_sysconfdir}/%{name}/forbidden
%attr(0755,root,root) %{_sysconfdir}/NetworkManager/dispatcher.d/*
%config(noreplace) %{_sysconfdir}/logrotate.d/%{name}
+%attr(0755,root,root) %{_sysconfdir}/cron.daily/%{name}
%if 0%{?_with_systemd}
%{_unitdir}/%{name}.service
@@ -181,11 +187,16 @@ fi
%if 0%{?_with_tmpfilesd}
%config(noreplace) %{_sysconfdir}/tmpfiles.d/%{name}.conf
-%else
-%attr(0755,%{name},%{name}) %dir %{_localstatedir}/run/%{name}
%endif
+%attr(0755,%{name},%{name}) %dir %{_localstatedir}/run/%{name}
%changelog
+* Sun Jan 22 2012 Bernard Johnson <bjohnson at symetrix.com> - 1.0.4.1-5
+- add daily cache cleanup
+- fix missing creation of /var/run directory (bz #755198)
+- make sure log directory context is set correctly (bz #741779)
+- fix denial of service vulnerability CVE-2011-3596 (bz #742897)
+
* Mon Sep 26 2011 Bernard Johnson <bjohnson at symetrix.com> - 1.0.4.1-4
- take file / dir creation & testing out of initscript (bz #708814)
- remove log file / dir creation in spec too