Add Apache developer fix for security vulnerability reported

in CVE-2013-1862.

3 files changed, 38 insertions, 3 deletions

diff --git a/www/apache22/Makefile b/www/apache22/Makefile
index 750194cfb9f..cc4a533d98c 100644
--- a/www/apache22/Makefile
+++ b/www/apache22/Makefile
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.87 2013/03/03 20:05:03 tron Exp $
+# $NetBSD: Makefile,v 1.88 2013/05/30 22:58:14 tron Exp $
 
 DISTNAME=	httpd-2.2.24
-
 PKGNAME=	${DISTNAME:S/httpd/apache/}
+PKGREVISION=	1
 CATEGORIES=	www
 MASTER_SITES=	${MASTER_SITE_APACHE:=httpd/} \
 		http://archive.apache.org/dist/httpd/ \
diff --git a/www/apache22/distinfo b/www/apache22/distinfo
index 5f605d547a5..c9ae5f8efeb 100644
--- a/www/apache22/distinfo
+++ b/www/apache22/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.54 2013/03/03 20:05:03 tron Exp $
+$NetBSD: distinfo,v 1.55 2013/05/30 22:58:14 tron Exp $
 
 SHA1 (httpd-2.2.24.tar.bz2) = f73bce14832ec40c1aae68f4f8c367cab2266241
 RMD160 (httpd-2.2.24.tar.bz2) = 4c31b23615236c407779a23cbfcc8e05ba011224
@@ -15,5 +15,6 @@ SHA1 (patch-am) = ab4a2f7e5a1a3064e908b61157e7fd349c0b0c08
 SHA1 (patch-aw) = ca53d67beeb2c2c4d9adb04d3d79e24a8c427fd4
 SHA1 (patch-docs_man_apxs.8) = 70797ea73ae6379492971bec1106a8427ae7fdaa
 SHA1 (patch-lock.c) = 770ca03f1cb4421879bd5baa5a7c30cc91acb6e1
+SHA1 (patch-modules_mappers_mod_rewrite.c) = a1cee8c7c97936e15a1596a54ddc1839a5b1038d
 SHA1 (patch-modules_ssl_ssl__engine__kernel.c) = fd6f425d18231f0daca9fc2553638891a7241a4a
 SHA1 (patch-repos.c) = 0e0361b91d4b0fe6c7c55a12fdfd2e6aacc710e1
diff --git a/www/apache22/patches/patch-modules_mappers_mod_rewrite.c b/www/apache22/patches/patch-modules_mappers_mod_rewrite.c
new file mode 100644
index 00000000000..37488a99703
--- /dev/null
+++ b/www/apache22/patches/patch-modules_mappers_mod_rewrite.c
@@ -0,0 +1,34 @@
+$NetBSD: patch-modules_mappers_mod_rewrite.c,v 1.3 2013/05/30 22:58:15 tron Exp $
+
+Fix for security vulnerability reported in CVE-2013-1862. Patch taken
+from here:
+
+http://people.apache.org/~jorton/mod_rewrite-CVE-2013-1862.patch
+
+--- modules/mappers/mod_rewrite.c.orig	2013-02-18 21:31:42.000000000 +0000
++++ modules/mappers/mod_rewrite.c	2013-05-30 23:50:27.000000000 +0100
+@@ -500,11 +500,11 @@
+ 
+     logline = apr_psprintf(r->pool, "%s %s %s %s [%s/sid#%pp][rid#%pp/%s%s%s] "
+                                     "(%d) %s%s%s%s" APR_EOL_STR,
+-                           rhost ? rhost : "UNKNOWN-HOST",
+-                           rname ? rname : "-",
+-                           r->user ? (*r->user ? r->user : "\"\"") : "-",
++                           rhost ? ap_escape_logitem(r->pool, rhost) : "UNKNOWN-HOST",
++                           rname ? ap_escape_logitem(r->pool, rname) : "-",
++                           r->user ? (*r->user ? ap_escape_logitem(r->pool, r->user) : "\"\"") : "-",
+                            current_logtime(r),
+-                           ap_get_server_name(r),
++                           ap_escape_logitem(r->pool, ap_get_server_name(r)),
+                            (void *)(r->server),
+                            (void *)r,
+                            r->main ? "subreq" : "initial",
+@@ -514,7 +514,7 @@
+                            perdir ? "[perdir " : "",
+                            perdir ? perdir : "",
+                            perdir ? "] ": "",
+-                           text);
++                           ap_escape_logitem(r->pool, text));
+ 
+     nbytes = strlen(logline);
+     apr_file_write(conf->rewritelogfp, logline, &nbytes);