CVSROOT: /cvs
Module name: ports
Changes by: [email protected] 2024/12/09 17:18:16
Modified files:
devel/apr : Makefile
devel/apr/patches: patch-network_io_unix_sockets_c
Log message:
remove a workaround in apr_socket_connect()
the comment on the workaround is:
* OpenBSD doesn't support connect() to INADDR_ANY so convert to
* INADDR_LOOPBACK to emulate what is expected.
the conversion modifies the sockaddr that was passed to apr_socket_connect,
replacing 0.0.0.0 with 127.0.0.1.
this is a very old workaround, but our best guess for why it exists
is that apache sometimes connects to the listening socket on worker
processes to push them out of their wait loop and do some processing.
workers can listen on wildcard addresses though (i.e., 0.0.0.0), which
openbsd does not accept as a destination address in connect() calls.
replacing it with 127.0.0.1 allowed it to work.
the problem with this workaround is that it modifies the sockaddr.
in apache httpd, the sockaddr is the same one that records the
address the listener was bound to, which is involved in determining
the local address/port for client connections. if you're using a
connection's local IP in a module or log, you can end up with the
local address on a remote connection looking like 127.0.0.1, which
isn't helpful.
there have been recent issues on other systems where the use of 0.0.0.0
as an implicit alias for the local system has allowed security
policy to be bypassed. this workaround in apr makes me feel twitchy.
however, removing this workaround means the thing apache httpd does
by connecting to the worker's listening socket is broken. my experience
so far is that it adds noise to log files, but doesn't actually
break anything. it's also an httpd problem that should be fixed in
httpd, not an apr or openbsd problem.
ok sthen@ stsp@
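To make the aliasing problem described in the log concrete, here is an added example (not apr or httpd code, and not what this commit does, which simply removes the workaround). It models the in-place 0.0.0.0 to 127.0.0.1 rewrite against a constructed listener record whose sockaddr doubles as the recorded bound address, beside a copy-on-substitute variant (an assumed alternative for illustration) that leaves the caller's struct untouched.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for the httpd listener record: the sockaddr handed to
 * apr_socket_connect() is the very object that records the bound address. */
struct listener {
    struct sockaddr_in bound;
};

/* Models the removed workaround: rewrite 0.0.0.0 -> 127.0.0.1 inside the
 * caller's sockaddr, so the listener's recorded address changes as well. */
static void rewrite_any_inplace(struct sockaddr_in *sa)
{
    if (sa->sin_family == AF_INET && sa->sin_addr.s_addr == htonl(INADDR_ANY))
        sa->sin_addr.s_addr = htonl(INADDR_LOOPBACK);
}

/* Assumed side-effect-free alternative: substitute only in a private copy
 * that would be used for the connect() call, never in the caller's struct. */
static struct sockaddr_in rewrite_any_copy(const struct sockaddr_in *sa)
{
    struct sockaddr_in tmp = *sa;
    if (tmp.sin_family == AF_INET && tmp.sin_addr.s_addr == htonl(INADDR_ANY))
        tmp.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    return tmp;
}

/* Constructed listener bound to the wildcard address 0.0.0.0, port 80. */
static struct listener make_wildcard_listener(void)
{
    struct listener l;
    memset(&l, 0, sizeof l);
    l.bound.sin_family = AF_INET;
    l.bound.sin_port = htons(80);
    l.bound.sin_addr.s_addr = htonl(INADDR_ANY);
    return l;
}

/* Recorded bound address (host order) after the in-place workaround ran:
 * it now reads 127.0.0.1, which is what leaks into logs and modules. */
uint32_t bound_after_inplace(void)
{
    struct listener l = make_wildcard_listener();
    rewrite_any_inplace(&l.bound);
    return ntohl(l.bound.sin_addr.s_addr);
}

/* With the copying variant the connect target becomes 127.0.0.1 while the
 * listener still records 0.0.0.0; returns the two values through out params. */
void copy_variant(uint32_t *bound_out, uint32_t *target_out)
{
    struct listener l = make_wildcard_listener();
    struct sockaddr_in target = rewrite_any_copy(&l.bound);
    *bound_out = ntohl(l.bound.sin_addr.s_addr);
    *target_out = ntohl(target.sin_addr.s_addr);
}
```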