Skip site navigation (1)Skip section navigation (2) 
Date:      Thu, 14 Jul 2022 13:04:41 GMT
From:      "Sergey A. Osokin" <osa@FreeBSD.org>
To:        ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
Subject:   git: 0019e69cb98d - main - www/nginx-devel: fix segfaults in the third-party spnego module
Message-ID:  <202207141304.26ED4f2w005612@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help 
The branch main has been updated by osa:

URL: https://cgit.FreeBSD.org/ports/commit/?id=0019e69cb98de8981a18d5ec1222ebedec3df8cd

commit 0019e69cb98de8981a18d5ec1222ebedec3df8cd
Author:     Sergey A. Osokin <osa@FreeBSD.org>
AuthorDate: 2022-07-14 12:41:20 +0000
Commit:     Sergey A. Osokin <osa@FreeBSD.org>
CommitDate: 2022-07-14 13:04:34 +0000

    www/nginx-devel: fix segfaults in the third-party spnego module
    
    Reported by:    pluknet
    Patch from:     pluknet
    
    Bump PORTREVISION.
---
 www/nginx-devel/Makefile                           |  2 +-
 www/nginx-devel/Makefile.extmod                    |  3 +-
 .../extra-patch-ngx_http_auth_spnego_module.c      | 52 ++++++++++++++++++++++
 3 files changed, 55 insertions(+), 2 deletions(-)

diff --git a/www/nginx-devel/Makefile b/www/nginx-devel/Makefile
index 97ffd75d3384..5d983be2c571 100644
--- a/www/nginx-devel/Makefile
+++ b/www/nginx-devel/Makefile
@@ -2,7 +2,7 @@
 
 PORTNAME?=	nginx
 PORTVERSION=	1.23.0
-PORTREVISION=	13
+PORTREVISION=	14
 CATEGORIES=	www
 MASTER_SITES=	https://nginx.org/download/ \
 		LOCAL/osa
diff --git a/www/nginx-devel/Makefile.extmod b/www/nginx-devel/Makefile.extmod
index 1fb464d17cbf..6cd2533559f6 100644
--- a/www/nginx-devel/Makefile.extmod
+++ b/www/nginx-devel/Makefile.extmod
@@ -93,7 +93,8 @@ HTTP_AUTH_DIGEST_VARS=		DSO_EXTMODS+=auth_digest
 
 HTTP_AUTH_KRB5_GH_TUPLE=	stnoonan:spnego-http-auth-nginx-module:c626163:auth_krb5
 HTTP_AUTH_KRB5_VARS=		DSO_EXTMODS+=auth_krb5
-HTTP_AUTH_KRB5_EXTRA_PATCHES=	${PATCHDIR}/extra-patch-spnego-http-auth-nginx-module-config
+HTTP_AUTH_KRB5_EXTRA_PATCHES=	${PATCHDIR}/extra-patch-spnego-http-auth-nginx-module-config \
+				${PATCHDIR}/extra-patch-ngx_http_auth_spnego_module.c
 HTTP_AUTH_KRB5_USES=		gssapi:mit
 
 HTTP_AUTH_LDAP_GH_TUPLE=	kvspb:nginx-auth-ldap:83c059b:http_auth_ldap
diff --git a/www/nginx-devel/files/extra-patch-ngx_http_auth_spnego_module.c b/www/nginx-devel/files/extra-patch-ngx_http_auth_spnego_module.c
new file mode 100644
index 000000000000..40aea7e6e875
--- /dev/null
+++ b/www/nginx-devel/files/extra-patch-ngx_http_auth_spnego_module.c
@@ -0,0 +1,52 @@
+--- ../spnego-http-auth-nginx-module-c626163/ngx_http_auth_spnego_module.c.orig
++++ ../spnego-http-auth-nginx-module-c626163/ngx_http_auth_spnego_module.c
+@@ -502,6 +502,7 @@ ngx_http_auth_spnego_headers_basic_only(ngx_http_request_t *r,
+     }
+ 
+     r->headers_out.www_authenticate->hash = 1;
++    r->headers_out.www_authenticate->next = NULL;
+     r->headers_out.www_authenticate->key.len = sizeof("WWW-Authenticate") - 1;
+     r->headers_out.www_authenticate->key.data = (u_char *)"WWW-Authenticate";
+     r->headers_out.www_authenticate->value.len = value.len;
+@@ -538,6 +539,7 @@ ngx_http_auth_spnego_headers(ngx_http_request_t *r,
+     }
+ 
+     r->headers_out.www_authenticate->hash = 1;
++    r->headers_out.www_authenticate->next = NULL;
+     r->headers_out.www_authenticate->key.len = sizeof("WWW-Authenticate") - 1;
+     r->headers_out.www_authenticate->key.data = (u_char *)"WWW-Authenticate";
+     r->headers_out.www_authenticate->value.len = value.len;
+@@ -559,6 +561,7 @@ ngx_http_auth_spnego_headers(ngx_http_request_t *r,
+         }
+ 
+         r->headers_out.www_authenticate->hash = 2;
++        r->headers_out.www_authenticate->next = NULL;
+         r->headers_out.www_authenticate->key.len =
+             sizeof("WWW-Authenticate") - 1;
+         r->headers_out.www_authenticate->key.data =
+@@ -758,6 +761,12 @@ ngx_http_auth_spnego_store_delegated_creds(ngx_http_request_t *r,
+     char *ccname = NULL;
+     char *escaped = NULL;
+ 
++    if ((kerr = krb5_init_context(&kcontext))) {
++        spnego_log_error("Kerberos error: Cannot initialize kerberos context");
++        spnego_log_krb5_error(kcontext, kerr);
++        goto done;
++    }
++
+     if (!delegated_creds.data) {
+         spnego_log_error(
+             "ngx_http_auth_spnego_store_delegated_creds() NULL credentials");
+@@ -766,12 +775,6 @@ ngx_http_auth_spnego_store_delegated_creds(ngx_http_request_t *r,
+         goto done;
+     }
+ 
+-    if ((kerr = krb5_init_context(&kcontext))) {
+-        spnego_log_error("Kerberos error: Cannot initialize kerberos context");
+-        spnego_log_krb5_error(kcontext, kerr);
+-        goto done;
+-    }
+-
+     if ((kerr = krb5_parse_name(kcontext, (char *)principal_name->data,
+                                 &principal))) {
+         spnego_log_error("Kerberos error: Cannot parse principal %s",

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202207141304.26ED4f2w005612>