- Yet Another Plist Fix [1]

- Completely shut up rc.d script when no profiles are enabled
  (add add support to disable profiles) [2]
- Fix CVE-2008-2939 for mod_proxy_ftp
  (XSS attacks when using wildcards in the path of the FTP URL)
- Add "apache22_fib" to start apache22 prefixed by
  "setfib -F ${apache22_fib}", so apache can use an alternate
  network view (not carefully tested yet)
- Revert previous patch to "fix" missing rc.d scripts. It
  actually breaks profiles.
- Bump PORTREVISION

PR:             ports/126670 [1],
                ports/116627 [2]
Submitted by:   Joseph S. Atkinson [1],
                Eygene Ryabinkin [2]
Security:       CVE-2008-2939

Special thanks to: pgollucci@

www/apache22/Makefile

@@ -9,7 +9,7 @@
 
 PORTNAME=	apache
 PORTVERSION=	2.2.9
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	www
 MASTER_SITES=	${MASTER_SITE_APACHE_HTTPD}
 DISTNAME=	httpd-${PORTVERSION}
@@ -42,7 +42,7 @@ USE_ICONV=		yes
 USE_AUTOTOOLS=		autoconf:262 libtool:15
 USE_PERL5=		yes
 USE_RC_SUBR=		apache22.sh htcacheclean.sh
-#SUB_LIST+=		RC_SUBR_SUFFIX=${RC_SUBR_SUFFIX}
+SUB_LIST+=		RC_SUBR_SUFFIX=${RC_SUBR_SUFFIX}
 LIBTOOLFILES=		configure
 
 # for slave ports
@@ -230,7 +230,9 @@ post-install:
 	@${MKDIR} ${PREFIX}/etc/apache22/Includes
 	@${INSTALL_DATA} ${FILESDIR}/no-accf.conf ${PREFIX}/etc/apache22/Includes
 .if !defined(NOPORTDOCS)
-	@[ -d ${DOCSDIR}/style/lang/ ] && ${TOUCH} ${DOCSDIR}/style/lang/.keepme
+.for dir in style/lang style/xsl/util style/xsl
+	@[ -d ${DOCSDIR}/${dir}/ ] && ${TOUCH} ${DOCSDIR}/${dir}/.keepme
+.endfor
 .endif
 	@${CAT} ${PKGMESSAGE}
 

www/apache22/files/apache22.sh.in

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# $FreeBSD: /tmp/pcvs/ports/www/apache22/files/Attic/apache22.sh.in,v 1.5 2007-09-18 20:03:15 clement Exp $
+# $FreeBSD: /tmp/pcvs/ports/www/apache22/files/Attic/apache22.sh.in,v 1.6 2008-08-31 23:00:27 clement Exp $
 #
 
 # PROVIDE: apache22
@@ -23,12 +23,14 @@
 # apache22_http_accept_enable (bool): Set to "NO" by default.
 #                             Set to yes to check for accf_http kernel
 #                             module on start up and load if not loaded.
+# apache22_fib (str):	      Set an altered default network view for apache
+
 . %%RC_SUBR%%
 
 name="apache22"
 rcvar=`set_rcvar`
 
-start_precmd="apache22_precmd"
+start_precmd="apache22_prestart"
 restart_precmd="apache22_checkconfig"
 reload_precmd="apache22_checkconfig"
 reload_cmd="apache22_graceful"
@@ -46,6 +48,7 @@ required_files=%%PREFIX%%/etc/apache22/httpd.conf
 [ -z "$apache22limits_enable" ] && apache22limits_enable="NO"
 [ -z "$apache22limits_args" ]   && apache22limits_args="-e -C daemon"
 [ -z "$apache22_http_accept_enable" ] && apache22_http_accept_enable="NO"
+[ -z "$apache22_fib" ] && apache22_fib="NO"
 
 apache22_accf() {
 	retcode=0
@@ -82,6 +85,7 @@ if [ -n "$2" ]; then
 		eval apache22_http_accept_enable="\${apache22_${profile}_http_accept_enable:-${apache22_http_accept_enable}}"
 		eval apache22limits_enable="\${apache22limits_${profile}_enable:-${apache22limits_enable}}"
 		eval apache22limits_args="\${apache22limits_${profile}_args:-${apache22limits_args}}"
+		eval apache22_fib="\${apache22_${profile}_fib:-${apache22_fib}}"
 		apache22_flags="-f ${apache22_configfile} -c \"PidFile ${pidfile}\" ${apache22_flags}"
 	else
 		echo "$0: extra argument ignored"
@@ -89,6 +93,26 @@ if [ -n "$2" ]; then
 else
 	if [ "x${apache22_profiles}" != "x" -a "x$1" != "x" ]; then
 		for profile in ${apache22_profiles}; do
+			eval _enable="\${apache22_${profile}_enable}"
+			case "x${_enable:-${apache22_enable}}" in
+			x|x[Nn][Oo]|x[Nn][Oo][Nn][Ee])
+				continue
+				;;
+			x[Yy][Ee][Ss])
+				;;
+			*)
+				if test -z "$_enable"; then
+					_var=apache22_enable
+				else
+					_var=apache22_"${profile}"_enable
+				fi
+				echo "Bad value" \
+				    "'${_enable:-${apache22_enable}}'" \
+				    "for ${_var}. " \
+				    "Profile ${profile} skipped."
+				continue
+				;;
+			esac
 			echo "===> apache22 profile: ${profile}"
 			%%PREFIX%%/etc/rc.d/apache22%%RC_SUBR_SUFFIX%% $1 ${profile}
 			retcode="$?"
@@ -152,5 +176,22 @@ apache22_precmd()
 
 }
 
+apache22_checkfib () {
+	sysctl net.fibs 2>&1 > /dev/null
+	ret=$? 
+ 	[ $ret -gt 0 ] && return 0 
+	if [ "x$apache22_fib" != "xNO" ]
+	then 
+		command="setfib -F ${apache22_fib} ${command}"
+	else
+		return	0
+	fi
+}
+
+apache22_prestart() {
+	apache22_precmd
+	apache22_checkfib
+}
+
 extra_commands="reload graceful gracefulstop configtest"
 run_rc_command "$1"

www/apache22/files/patch-CVE-2008-2939

@@ -0,0 +1,11 @@
+--- modules/proxy/mod_proxy_ftp.c	2008/08/05 19:00:05	682869
++++ modules/proxy/mod_proxy_ftp.c	2008/08/05 19:01:50	682870
+@@ -383,6 +383,7 @@
+                                                            c->bucket_alloc));
+         }
+         if (wildcard != NULL) {
++            wildcard = ap_escape_html(p, wildcard);
+             APR_BRIGADE_INSERT_TAIL(out, apr_bucket_pool_create(wildcard,
+                                                            strlen(wildcard), p,
+                                                            c->bucket_alloc));
+

www/apache22/pkg-plist

@@ -1,4 +1,5 @@
 @comment $FreeBSD$
+%%APR_PORTS%%@exec mkdir -p %D/lib/apr-util-1
 @exec mkdir -p %D/etc/apache22/extra 2> /dev/null
 @exec mkdir -p %D/etc/apache22/Includes 2> /dev/null || true
 @exec mkdir -p %D/etc/apache22/envvars.d 2> /dev/null || true
@@ -533,7 +534,7 @@ www/apache22/icons/world2.png
 @dirrmtry www/apache22/cgi-bin
 @dirrm %%EXAMPLESDIR%%/extra
 @dirrm %%EXAMPLESDIR%%
-@dirrm %%DOCSDIR%%
+@dirrmtry %%DOCSDIR%%
 @dirrm share/apache22/build
 @dirrm share/apache22
 %%APR_PORTS%%@dirrm include/apr-1