Bug 272170 - www/mod_auth_cookie_mysql2 is not thread-safe
Summary: www/mod_auth_cookie_mysql2 is not thread-safe
Status: New
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Some People
Assignee: freebsd-apache (Nobody)
Reported: 2023-06-23 22:16 UTC by Bob Bishop
Modified: 2023-06-26 09:33 UTC

See Also:
bugzilla: maintainer-feedback? (apache)

Description Bob Bishop 2023-06-23 22:16:18 UTC
When using Apache with a threaded MPM, this module can crash under certain conditions. The crash is dependent on the way Apache assigns work to workers/threads, and can be influenced e.g. by moving resources within the site file structure, causing symptoms to be obscure and mysterious; we ran this in production for nearly a year before a site reorganisation provoked the bug.

I'll add a patch RSN but this should be fixed upstream.
Comment 1 Bob Bishop 2023-06-26 09:33:15 UTC
It seems to be sufficient to add a mutex around the call to check_valid_cookie() in mod_auth_cookie_sql2.c (and link with a thread-safe MySQL client library, of course). Or avoid the problem by using the prefork MPM if that works for you.
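
The serialization described in Comment 1, as an added sketch that is not the module's code or the reporter's patch: a mutex wrapped around a call that touches shared, non-thread-safe state, with a counter that records whether two threads were ever inside the call together. check_valid_cookie_stub(), its signature and the shared counters are hypothetical stand-ins, and POSIX threads are used here in place of Apache's APR mutexes.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdio.h>

/* Hypothetical stand-in for state that two threads must not use at once,
   e.g. one database connection handle shared by every worker thread. */
static atomic_int in_use;      /* callers currently inside the stub */
static atomic_int overlaps;    /* times a caller entered while another was inside */
static long calls;             /* plain counter: only correct when serialized */
static pthread_mutex_t check_lock = PTHREAD_MUTEX_INITIALIZER;

/* Stub with an assumed signature; the real check_valid_cookie() is not shown on the page. */
static int check_valid_cookie_stub(const char *cookie)
{
    if (atomic_fetch_add(&in_use, 1) != 0)
        atomic_fetch_add(&overlaps, 1);
    calls++;
    int ok = cookie != NULL && cookie[0] != '\0';
    atomic_fetch_sub(&in_use, 1);
    return ok;
}

/* The fix pattern: every request thread goes through one lock. */
static int check_valid_cookie_locked(const char *cookie)
{
    pthread_mutex_lock(&check_lock);
    int ok = check_valid_cookie_stub(cookie);
    pthread_mutex_unlock(&check_lock);
    return ok;
}

static void *worker(void *arg)
{
    for (int i = 0; i < 20000; i++)
        (void)check_valid_cookie_locked((const char *)arg);
    return NULL;
}

/* Runs up to 16 workers; returns the overlap count and stores the call total. */
int run_workers(int nthreads, long *total_calls)
{
    pthread_t tid[16];
    int started = 0;
    calls = 0;
    atomic_store(&overlaps, 0);
    while (started < nthreads && started < 16 &&
           pthread_create(&tid[started], NULL, worker, "constructed-session-id") == 0)
        started++;
    for (int i = 0; i < started; i++)
        pthread_join(tid[i], NULL);
    *total_calls = calls;
    return atomic_load(&overlaps);
}
```

The lock makes the whole check a serial section, so on a busy threaded MPM it trades concurrency in the authentication path for safety.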