merging changes made in 7.0u6.
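--- a/make/defines_COMMON.mk Thu May 07 03:20:10 2009 -0700
+++ b/make/defines_COMMON.mk Wed Sep 30 16:55:48 2009 +0530
@@ -156,6 +156,9 @@
 SECURITY_COMMON_LIBS = ssl3 smime3 nss3 $(NSPR_LIB)
 
 SECURITY_EXTRA_LIBS = nssckbi
+SECURITY_EXTRA_LIBS += nssutil3
+SECURITY_EXTRA_LIBS += nssdbm3
+SECURITY_EXTRA_LIBS += sqlite3
 ifndef BUILD64
 SECURITY_EXTRA_LIBS+=jss4
 endif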
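--- a/schema/open-web-server_1_0.xsd Thu May 07 03:20:10 2009 -0700
+++ b/schema/open-web-server_1_0.xsd Wed Sep 30 16:55:48 2009 +0530
@@ -940,7 +940,7 @@
 <xs:element name="request-header-timeout" type="timeoutType" minOccurs="0">
 <xs:annotation>
 <xs:appinfo>
- <appinfo:implicit>-1</appinfo:implicit>
+ <appinfo:implicit>30</appinfo:implicit>
 </xs:appinfo>
 </xs:annotation>
 </xs:element>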
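Review bot: The annotation changes the implicit `request-header-timeout` from `-1` to `30` without an `xs:documentation` entry stating the unit of the value or that the old implicit value can still be set explicitly. Configurations that never set this element pick up the new limit on upgrade, so the behaviour change deserves one line here, for example `<xs:documentation>Seconds to wait for a complete request header; -1 disables the timeout.</xs:documentation>`. The unit and the meaning of -1 should be confirmed against the server code first, which is not part of this section.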
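--- a/src/server/base/dbtbase.h Thu May 07 03:20:10 2009 -0700
+++ b/src/server/base/dbtbase.h Wed Sep 30 16:55:48 2009 +0530
@@ -385,6 +385,9 @@
 ResDef( DBT_libsec_errors_164, 2164, "SEC_ERROR_FAILED_TO_ENCODE_DATA: Failed to encode data with ASN1 encoder" )
 ResDef( DBT_libsec_errors_165, 2165, "SEC_ERROR_BAD_INFO_ACCESS_LOCATION: Bad information access location in cert extension" )
 ResDef( DBT_libsec_errors_166, 2166, "SEC_ERROR_LIBPKIX_INTERNAL: Libpkix internal error occured during cert validation." )
+ ResDef( DBT_libsec_errors_167, 2167, "SEC_ERROR_PKCS11_GENERAL_ERROR: PKCS11 general error occured during cert validation." )
+ ResDef( DBT_libsec_errors_168, 2168, "SEC_ERROR_PKCS11_FUNCTION_FAILED: PKCS11 function failed." )
+ ResDef( DBT_libsec_errors_169, 2169, "SEC_ERROR_PKCS11_DEVICE_ERROR: PKCS11 device error." )
 
 /* DBT_libssl_errors: http://www.mozilla.org/projects/security/pki/nss/ref/ssl/sslerr.html */
 ResDef( DBT_libssl_errors_0, 3000, "SSL_ERROR_EXPORT_ONLY_SERVER: Client does not support high-grade encryption." )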
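Review bot: The text added for `DBT_libsec_errors_167` ends with "occured during cert validation", which looks carried over from the LIBPKIX entry directly above it. A PKCS #11 general error is not specific to certificate validation, so an operator reading the log would be pointed at the wrong subsystem. Suggest `"SEC_ERROR_PKCS11_GENERAL_ERROR: A PKCS #11 module reported a general error."` instead. The same string is repeated in the table in src/tools/httptest/nscperror.cpp in this commit and should be changed together with this one.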
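--- a/src/server/base/nscperror.c Thu May 07 03:20:10 2009 -0700
+++ b/src/server/base/nscperror.c Wed Sep 30 16:55:48 2009 +0530
@@ -95,7 +95,7 @@
 };
 
 #define NSCP_LIBSEC_ERROR_BASE (-8192)
-#define NSCP_LIBSEC_MAX_ERROR (NSCP_LIBSEC_ERROR_BASE + 166)
+#define NSCP_LIBSEC_MAX_ERROR (NSCP_LIBSEC_ERROR_BASE + 169)
 
 int nscp_libsec_errors[NSCP_LIBSEC_MAX_ERROR - NSCP_LIBSEC_ERROR_BASE + 1] = {
 DBT_libsec_errors_0,
@@ -264,7 +264,10 @@
 DBT_libsec_errors_163,
 DBT_libsec_errors_164,
 DBT_libsec_errors_165,
- DBT_libsec_errors_166
+ DBT_libsec_errors_166,
+ DBT_libsec_errors_167,
+ DBT_libsec_errors_168,
+ DBT_libsec_errors_169
 };
 
 #define NSCP_LIBSSL_ERROR_BASE (-12288)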
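Review bot: `NSCP_LIBSEC_MAX_ERROR` and the initializer list of `nscp_libsec_errors` are updated by hand in two separate hunks, and nothing ties them together at compile time. Because the array is declared with an explicit size, a list that is one entry short still compiles and leaves the last slot zero. One way to catch that is to declare the array as `int nscp_libsec_errors[] = {` and assert next to the table that `sizeof(nscp_libsec_errors) / sizeof(nscp_libsec_errors[0]) == NSCP_LIBSEC_MAX_ERROR - NSCP_LIBSEC_ERROR_BASE + 1`. Most of the initializer list lies between the two hunks, so it was not checked here.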
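--- a/src/server/base/uri.cpp Thu May 07 03:20:10 2009 -0700
+++ b/src/server/base/uri.cpp Wed Sep 30 16:55:48 2009 +0530
@@ -105,6 +105,13 @@
 if (!allow_tilde && (t[x] == '~')) {
 return 1;
 }
+
+ // Do not allow ':' apart from drive letter. Windows filestream
+ // will treat filename::$DATA as a plain file & display content.
+ // So block it to prevent source viewing vulnerability.
+ if ((t[x] == ':') && x > 1) {
+ return 1;
+ }
 
 // On NT, the directory "abc...." is the same as "abc"
 // The only cheap way to catch this globally is to disallow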
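Review bot: The new test `if ((t[x] == ':') && x > 1)` exempts a colon at index 0 or 1 without checking that it actually follows a drive letter, so the rule in the comment ("apart from drive letter") is enforced by position only. If `t` can ever be a short relative name rather than a rooted path (the caller is outside this hunk), a colon in the second character would still pass; `if (t[x] == ':' && !(x == 1 && isalpha((unsigned char)t[0]))) return 1;` ties the exemption to a letter. It is also not visible here whether this block is compiled only for Windows; if it is not, names containing ':' that are legal on other platforms will now be rejected. The enclosing function begins and ends outside the hunk.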
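--- a/src/server/ldaputil/LdapOps.cpp Thu May 07 03:20:10 2009 -0700
+++ b/src/server/ldaputil/LdapOps.cpp Wed Sep 30 16:55:48 2009 +0530
@@ -1027,6 +1027,7 @@
 /* Check if the extended operation was successful */
 lastbindrv = ldap_result2error(session, res, 0);
 int rv = (lastbindrv == LDAP_SUCCESS) ? LDAPU_SUCCESS : lastbindrv;
+ boundto = (lastbindrv == LDAP_SUCCESS) ? OTHER : NONE;
 
 if (lastbindrv == LDAP_INVALID_CREDENTIALS)
 return LDAPU_FAILED;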
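Review bot: Recording `boundto = OTHER` after a successful extended operation changes which identity later directory operations use. The guards in src/server/ldaputil/LdapSession.cpp change in this same commit from `boundto != DEFAULT` to `boundto == NONE`, so they no longer re-bind as the default identity when the session is in state `OTHER`. If a session can be reused for another request after this call (the pooling code is not shown), the directory would evaluate searches and updates under the last user's identity instead of the default one. A comment at the assignment, e.g. `// session stays bound as the user; callers needing the default identity must rebind`, would make the contract explicit. The enclosing function begins and ends outside the hunk.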
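--- a/src/server/ldaputil/LdapSession.cpp Thu May 07 03:20:10 2009 -0700
+++ b/src/server/ldaputil/LdapSession.cpp Wed Sep 30 16:55:48 2009 +0530
@@ -323,7 +323,7 @@
 
 if (retryCount > maxRetries)
 return new LdapSearchResult(this, NULL, LDAP_CONNECT_ERROR);
- if (boundto != DEFAULT)
+ if (boundto == NONE)
 rv = bindAsDefault();
 // Using async search instead of sync search see bug: 6295325
 if (rv == LDAP_SUCCESS)
@@ -334,6 +334,10 @@
 rv = lastoprv = ldap_search_ext_s(session, base, scope, filter,
 attrs, attrsonly,
 NULL, NULL, &time_out, LDAP_NO_LIMIT, &search_results);
+ // Initialize boundto to NONE if ldap search fails for any reason
+ // so that next request can do a fresh ldap bind.
+ if (rv != LDAP_SUCCESS)
+ boundto = NONE;
 if (rv == LDAP_TIMEOUT)
 ereport(LOG_VERBOSE, (char*)"Ldap Search Timeout");
 }
@@ -357,11 +361,15 @@
 
 if (retryCount > maxRetries)
 return LDAP_CONNECT_ERROR;
- if (boundto != DEFAULT)
+ if (boundto == NONE)
 rv = bindAsDefault();
 if (rv == LDAP_SUCCESS)
 rv = lastoprv = ldap_compare_s(session, dn, attr, value);
 
+ // Initialize boundto to NONE if ldap compare fails for any reason
+ // so that next request can do a fresh ldap bind.
+ if (rv != LDAP_SUCCESS)
+ boundto = NONE;
 if (!serverDown(rv))
 return rv;
 
@@ -382,10 +390,15 @@
 if (retryCount > maxRetries)
 return LDAP_CONNECT_ERROR;
 int rv = LDAP_SUCCESS;
- if (boundto != DEFAULT)
+ if (boundto == NONE)
 rv = bindAsDefault();
 if (rv == LDAP_SUCCESS)
 rv = lastoprv = ldap_add_ext_s(session, name, val, NULL, NULL);
+
+ // Initialize boundto to NONE if ldap add fails for any reason
+ // so that next request can do a fresh ldap bind.
+ if (rv != LDAP_SUCCESS)
+ boundto = NONE;
 if (!serverDown(rv))
 return rv;
 if (reconnect(retryCount++) == LDAP_SUCCESS)
@@ -399,10 +412,15 @@
 if (retryCount > maxRetries)
 return LDAP_CONNECT_ERROR;
 int rv = LDAP_SUCCESS;
- if (boundto != DEFAULT)
+ if (boundto == NONE)
 rv = bindAsDefault();
 if (rv == LDAP_SUCCESS)
 rv = lastoprv = ldap_modify_ext_s(session, name, val, NULL, NULL);
+
+ // Initialize boundto to NONE if ldap modify fails for any reason
+ // so that next request can do a fresh ldap bind.
+ if (rv != LDAP_SUCCESS)
+ boundto = NONE;
 if (!serverDown(rv))
 return rv;
 if (reconnect(retryCount++) == LDAP_SUCCESS)
@@ -416,10 +434,15 @@
 if (retryCount > maxRetries)
 return LDAP_CONNECT_ERROR;
 int rv = LDAP_SUCCESS;
- if (boundto != DEFAULT)
+ if (boundto == NONE)
 rv = bindAsDefault();
 if (rv == LDAP_SUCCESS)
 rv = lastoprv = ldap_delete_ext_s(session, name, NULL, NULL);
+
+ // Initialize boundto to NONE if ldap delete fails for any reason
+ // so that next request can do a fresh ldap bind.
+ if (rv != LDAP_SUCCESS)
+ boundto = NONE;
 if (!serverDown(rv))
 return rv;
 if (reconnect(retryCount++) == LDAP_SUCCESS)
@@ -433,10 +456,14 @@
 if (retryCount > maxRetries)
 return LDAP_CONNECT_ERROR;
 int rv = LDAP_SUCCESS;
- if (boundto != DEFAULT)
+ if (boundto == NONE)
 rv = bindAsDefault();
 if (rv == LDAP_SUCCESS)
 rv = lastoprv = ldap_rename_s(session, source, newrdn, NULL, delOld, NULL, NULL);
+ // Initialize boundto to NONE if ldap rename fails for any reason
+ // so that next request can do a fresh ldap bind.
+ if (rv != LDAP_SUCCESS)
+ boundto = NONE;
 if (!serverDown(rv))
 return rv;
 if (reconnect(retryCount++) == LDAP_SUCCESS)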
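Review bot: In the compare hunk, `if (rv != LDAP_SUCCESS) boundto = NONE;` fires after every completed compare, because `ldap_compare_s` reports its normal outcomes as `LDAP_COMPARE_TRUE` or `LDAP_COMPARE_FALSE` rather than `LDAP_SUCCESS`. The session is therefore re-bound on the next request even though nothing failed, which contradicts the added comment. Suggest `if (rv != LDAP_COMPARE_TRUE && rv != LDAP_COMPARE_FALSE) boundto = NONE;` at that spot. The other five hunks reset the state on any non-success result, including ordinary answers such as a missing entry; that is the conservative direction, but the comments should say "any non-success result" rather than "fails" so the breadth is clearly intentional. All six functions begin and end outside their hunks.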
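--- a/src/server/ldaputil/ldaputil.cpp Thu May 07 03:20:10 2009 -0700
+++ b/src/server/ldaputil/ldaputil.cpp Wed Sep 30 16:55:48 2009 +0530
@@ -759,13 +759,13 @@
 int dnlen, suffixlen;
 
 if (dn == NULL || suffix == NULL)
- return(0);
+ return(-1);
 
 suffixlen = strlen(suffix);
 dnlen = strlen(dn);
 
 if (suffixlen > dnlen) {
- return(0);
+ return(-1);
 }
 
 // if it's a suffix, return the index where it begins in dn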
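Review bot: Any caller that tests this function's result for truth (`if (result)`) will now treat the new `-1` as a match, although the change does remove the ambiguity with a suffix that starts at index 0. The callers and the function's remaining return path are outside this hunk, so they need to be checked for `< 0` handling before this lands. A header comment such as `// Returns the index in dn where suffix begins, or -1 if dn does not end with suffix or either argument is NULL.` would pin the new contract for future callers.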
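--- a/src/server/plugins/fastcgi/fastcgistub.cpp Thu May 07 03:20:10 2009 -0700
+++ b/src/server/plugins/fastcgi/fastcgistub.cpp Wed Sep 30 16:55:48 2009 +0530
@@ -1186,13 +1186,31 @@
 exit(-1);
 }
 
+#ifdef LINUX
+ // Change the umask so that unix domain socket is created with
+ // permissions for all. This enables servers that run as nobody
+ // to connect to this Fastcgistub channel (created by root)
+ mode_t old_mask;
+ if (geteuid() == 0)
+ old_mask = umask(0);
+#endif
 // Try to connect
 if(PR_Bind(stubFd, &stubAddr) != PR_SUCCESS) {
+#ifdef LINUX
+ // Restore the original umask
+ if (geteuid() == 0)
+ umask(old_mask);
+#endif
 lastError = STUB_BIND_ERROR;
 sendResponse();
 printMsg("stub bind error");
 exit(-1);
 }
+#ifdef LINUX
+ // Restore the original umask
+ if (geteuid() == 0)
+ umask(old_mask);
+#endif
 
 if(PR_Listen(stubFd, DEFAULT_BACKLOG_SIZE) != PR_SUCCESS) {
 lastError = STUB_LISTEN_ERROR;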
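Review bot: Calling `umask(0)` before `PR_Bind` when running as root makes the Unix domain socket accessible to every local account, not only to the server's run-as user named in the comment. Whether the stub authenticates its peers is not visible in this hunk, so as written any local user may be able to reach a channel served by a root-owned process. Prefer keeping a restrictive mask and handing the socket to the intended account after the bind, for instance a `chown` of the socket path to the configured server user or a group-only mode. Note also that `umask` is process-wide, so anything else created between the two calls is created with no mask applied. `old_mask` is left uninitialized when `geteuid() != 0`; initializing it at the declaration avoids a compiler warning.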
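--- a/src/server/safs/auth.cpp Thu May 07 03:20:10 2009 -0700
+++ b/src/server/safs/auth.cpp Wed Sep 30 16:55:48 2009 +0530
@@ -311,6 +311,8 @@
 char *t, *u;
 char line[AUTH_MAX_LINE];
 char *groupnames = NULL;
+ int empty = 1;
+
 
 char *gfn = pblock_findval("groupdb", param);
 char *user = pblock_findval("user", param);
@@ -340,6 +342,8 @@
 if(!line[0]) {
 if(eof) {
 filebuf_close(buf);
+ if(empty ==1)
+ return REQ_PROCEED;
 if(groupnames != NULL) {
 /* Add comma seperated list of matched group
 * names into auth-group.
@@ -356,6 +360,7 @@
 continue;
 }
 
+ empty = 0;
 for(t = line; *t && (*t != ':'); t++);
 if(!(*t))
 continue;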
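Review bot: The new early exit `if(empty ==1) return REQ_PROCEED;` makes an empty group file succeed, so a group database that is truncated or accidentally emptied changes the outcome of this check instead of denying or reporting an error. What the function returned for this case before, and how the caller treats `REQ_PROCEED` when `auth-group` was never set, is outside these hunks, so this may be intended. If it is, say so where the flag is declared, e.g. `int empty = 1; /* no group entries seen yet; an empty groupdb deliberately yields REQ_PROCEED */`, and consider logging the condition so an emptied file is noticed. The enclosing function begins and ends outside the hunks.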
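--- a/src/support/xp/amd64/atomic.S Thu May 07 03:20:10 2009 -0700
+++ b/src/support/xp/amd64/atomic.S Wed Sep 30 16:55:48 2009 +0530
@@ -74,7 +74,9 @@
 /*
 * Include the definitions for the libc weak aliases.
 */
+#ifndef NO_INC_ATOMIC_ASM_WEAK
 #include "../atomic_asm_weak.h"
+#endif
 #endif
 
 ENTRY(atomic_inc_8)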
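--- a/src/support/xp/sparc/atomic.S Thu May 07 03:20:10 2009 -0700
+++ b/src/support/xp/sparc/atomic.S Wed Sep 30 16:55:48 2009 +0530
@@ -75,7 +75,9 @@
 /*
 * Include the definitions for the libc weak aliases.
 */
+#ifndef NO_INC_ATOMIC_ASM_WEAK
 #include "../atomic_asm_weak.h"
+#endif
 #endif
 
 ENTRY(atomic_inc_8)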
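--- a/src/support/xp/sparcv9/atomic.S Thu May 07 03:20:10 2009 -0700
+++ b/src/support/xp/sparcv9/atomic.S Wed Sep 30 16:55:48 2009 +0530
@@ -75,7 +75,9 @@
 /*
 * Include the definitions for the libc weak aliases.
 */
+#ifndef NO_INC_ATOMIC_ASM_WEAK
 #include "../atomic_asm_weak.h"
+#endif
 #endif
 
 ENTRY(atomic_inc_8)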
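--- a/src/tools/httptest/nscperror.cpp Thu May 07 03:20:10 2009 -0700
+++ b/src/tools/httptest/nscperror.cpp Wed Sep 30 16:55:48 2009 +0530
@@ -44,7 +44,7 @@
 #endif
 #define NSCP_NSPR_MAX_ERROR (NSCP_NSPR_ERROR_BASE + 75)
 #define NSCP_LIBSEC_ERROR_BASE (-8192)
-#define NSCP_LIBSEC_MAX_ERROR (NSCP_LIBSEC_ERROR_BASE + 166)
+#define NSCP_LIBSEC_MAX_ERROR (NSCP_LIBSEC_ERROR_BASE + 169)
 #define NSCP_LIBSSL_ERROR_BASE (-12288)
 #define NSCP_LIBSSL_MAX_ERROR (NSCP_LIBSSL_ERROR_BASE + 110)
 
@@ -306,7 +306,10 @@
 { 163, "SEC_ERROR_BAD_LDAP_RESPONSE: Server returned bad LDAP response" },
 { 164, "SEC_ERROR_FAILED_TO_ENCODE_DATA: Failed to encode data with ASN1 encoder" },
 { 165, "SEC_ERROR_BAD_INFO_ACCESS_LOCATION: Bad information access location in cert extension" },
- { 166, "SEC_ERROR_LIBPKIX_INTERNAL: Libpkix internal error occured during cert validation." }
+ { 166, "SEC_ERROR_LIBPKIX_INTERNAL: Libpkix internal error occured during cert validation." },
+ { 167, "SEC_ERROR_PKCS11_GENERAL_ERROR: PKCS11 general error occured during cert validation." },
+ { 168, "SEC_ERROR_PKCS11_FUNCTION_FAILED: PKCS11 function failed." },
+ { 169, "SEC_ERROR_PKCS11_DEVICE_ERROR: PKCS11 device error." }
 
 };
 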