RubyGems - passenger - Versions diffs - 5.0.30 → 5.1.0 - Mend

passenger 5.0.30 → 5.1.0

Potentially problematic release.

This version of passenger might be problematic. Click here for more details.

Files changed (131) hide show

checksums.yaml +4 -4
data/CHANGELOG +30 -1
data/CONTRIBUTING.md +1 -1
data/CONTRIBUTORS +2 -0
data/bin/passenger-install-nginx-module +18 -13
data/build/agent.rb +1 -0
data/build/basics.rb +1 -0
data/build/cxx_tests.rb +6 -1
data/build/misc.rb +3 -0
data/build/packaging.rb +5 -17
data/build/support/cxx_dependency_map.rb +100 -0
data/build/support/vendor/cxxcodebuilder/lib/cxxcodebuilder/builder.rb +4 -1
data/build/test_basics.rb +12 -2
data/dev/ci/run_travis.sh +6 -2
data/doc/Users guide Apache.html +7 -2
data/doc/Users guide Apache.txt +4 -0
data/resources/templates/error_layout.css +70 -84
data/resources/templates/error_layout.html.template +84 -93
data/resources/templates/standalone/http.erb +17 -13
data/resources/templates/standalone/server.erb +2 -1
data/resources/templates/undisclosed_error.html.template +52 -51
data/resources/update_check_client_cert.p12 +0 -0
data/resources/update_check_client_cert.pem +89 -0
data/resources/update_check_server_pubkey.pem +14 -0
data/src/agent/Core/ApplicationPool/ErrorRenderer.h +15 -1
data/src/agent/Core/Controller.h +3 -2
data/src/agent/Core/Controller/CheckoutSession.cpp +5 -4
data/src/agent/Core/Controller/ForwardResponse.cpp +1 -1
data/src/agent/Core/Controller/InitRequest.cpp +2 -0
data/src/agent/Core/Controller/InitializationAndShutdown.cpp +1 -0
data/src/agent/Core/Controller/Request.h +1 -0
data/src/agent/Core/CoreMain.cpp +99 -2
data/src/agent/Core/OptionParser.h +18 -1
data/src/agent/Core/SecurityUpdateChecker.h +559 -0
data/src/agent/Shared/Base.cpp +6 -1
data/src/agent/TempDirToucher/TempDirToucherMain.cpp +52 -0
data/src/agent/Watchdog/InstanceDirToucher.cpp +1 -2
data/src/agent/Watchdog/WatchdogMain.cpp +31 -40
data/src/apache2_module/Configuration.cpp +12 -0
data/src/apache2_module/Configuration.hpp +5 -0
data/src/apache2_module/ConfigurationCommands.cpp +19 -19
data/src/apache2_module/ConfigurationCommands.cpp.cxxcodebuilder +2 -2
data/src/apache2_module/ConfigurationFields.hpp +19 -19
data/src/apache2_module/ConfigurationFields.hpp.cxxcodebuilder +2 -2
data/src/apache2_module/ConfigurationSetters.cpp +19 -19
data/src/apache2_module/ConfigurationSetters.cpp.cxxcodebuilder +2 -2
data/src/apache2_module/CreateDirConfig.cpp +19 -19
data/src/apache2_module/CreateDirConfig.cpp.cxxcodebuilder +2 -2
data/src/apache2_module/Hooks.cpp +10 -1
data/src/apache2_module/MergeDirConfig.cpp +19 -19
data/src/apache2_module/MergeDirConfig.cpp.cxxcodebuilder +2 -2
data/src/apache2_module/SetHeaders.cpp +19 -19
data/src/apache2_module/SetHeaders.cpp.cxxcodebuilder +2 -2
data/src/cxx_supportlib/Constants.h +22 -22
data/src/cxx_supportlib/Constants.h.cxxcodebuilder +4 -1
data/src/cxx_supportlib/Crypto.cpp +977 -0
data/src/cxx_supportlib/Crypto.h +147 -0
data/src/cxx_supportlib/InstanceDirectory.h +55 -2
data/src/cxx_supportlib/Utils/Curl.h +24 -10
data/src/cxx_supportlib/Utils/JsonUtils.h +1 -1
data/src/cxx_supportlib/oxt/detail/spin_lock_darwin.hpp +2 -0
data/src/cxx_supportlib/vendor-modified/boost/system/error_code.hpp +3 -3
data/src/cxx_supportlib/vendor-modified/jsoncpp/json-forwards.h +167 -92
data/src/cxx_supportlib/vendor-modified/jsoncpp/json.h +1827 -1542
data/src/cxx_supportlib/vendor-modified/jsoncpp/jsoncpp.cpp +4705 -3652
data/src/cxx_supportlib/vendor-modified/libev/Changes +46 -15
data/src/cxx_supportlib/vendor-modified/libev/LICENSE +1 -1
data/src/cxx_supportlib/vendor-modified/libev/Makefile.in +215 -128
data/src/cxx_supportlib/vendor-modified/libev/aclocal.m4 +466 -275
data/src/cxx_supportlib/vendor-modified/libev/config.guess +312 -418
data/src/cxx_supportlib/vendor-modified/libev/config.sub +246 -105
data/src/cxx_supportlib/vendor-modified/libev/configure +276 -72
data/src/cxx_supportlib/vendor-modified/libev/configure.ac +2 -1
data/src/cxx_supportlib/vendor-modified/libev/depcomp +346 -185
data/src/cxx_supportlib/vendor-modified/libev/ev++.h +1 -1
data/src/cxx_supportlib/vendor-modified/libev/ev.c +530 -190
data/src/cxx_supportlib/vendor-modified/libev/ev.h +23 -14
data/src/cxx_supportlib/vendor-modified/libev/ev_epoll.c +12 -6
data/src/cxx_supportlib/vendor-modified/libev/ev_kqueue.c +9 -5
data/src/cxx_supportlib/vendor-modified/libev/ev_poll.c +6 -3
data/src/cxx_supportlib/vendor-modified/libev/ev_port.c +8 -4
data/src/cxx_supportlib/vendor-modified/libev/ev_select.c +4 -2
data/src/cxx_supportlib/vendor-modified/libev/ev_vars.h +3 -2
data/src/cxx_supportlib/vendor-modified/libev/ev_win32.c +3 -4
data/src/cxx_supportlib/vendor-modified/libev/install-sh +433 -219
data/src/cxx_supportlib/vendor-modified/libev/libev.m4 +6 -6
data/src/cxx_supportlib/vendor-modified/libev/ltmain.sh +2 -2
data/src/cxx_supportlib/vendor-modified/libev/missing +167 -288
data/src/cxx_supportlib/vendor-modified/libev/mkinstalldirs +72 -21
data/src/cxx_supportlib/vendor-modified/modp_b64.cpp +4 -106
data/src/cxx_supportlib/vendor-modified/modp_b64_data.h +37 -1
data/src/cxx_supportlib/vendor-modified/modp_b64_strict_aliasing.cpp +119 -0
data/src/helper-scripts/node-loader.js +72 -1
data/src/nginx_module/CacheLocationConfig.c +52 -19
data/src/nginx_module/CacheLocationConfig.c.cxxcodebuilder +2 -2
data/src/nginx_module/Configuration.c +26 -1
data/src/nginx_module/Configuration.h +2 -0
data/src/nginx_module/ConfigurationCommands.c +35 -19
data/src/nginx_module/ConfigurationCommands.c.cxxcodebuilder +2 -2
data/src/nginx_module/ContentHandler.c +1 -1
data/src/nginx_module/CreateLocationConfig.c +22 -19
data/src/nginx_module/CreateLocationConfig.c.cxxcodebuilder +2 -2
data/src/nginx_module/LocationConfig.h +21 -19
data/src/nginx_module/LocationConfig.h.cxxcodebuilder +2 -2
data/src/nginx_module/MergeLocationConfig.c +25 -19
data/src/nginx_module/MergeLocationConfig.c.cxxcodebuilder +2 -2
data/src/nginx_module/ngx_http_passenger_module.c +8 -4
data/src/ruby_supportlib/phusion_passenger.rb +9 -4
data/src/ruby_supportlib/phusion_passenger/admin_tools/instance.rb +2 -2
data/src/ruby_supportlib/phusion_passenger/admin_tools/instance_registry.rb +1 -1
data/src/ruby_supportlib/phusion_passenger/common_library.rb +13 -0
data/src/ruby_supportlib/phusion_passenger/config/nginx_engine_compiler.rb +5 -2
data/src/ruby_supportlib/phusion_passenger/constants.rb +1 -1
data/src/ruby_supportlib/phusion_passenger/nginx/config_options.rb +15 -3
data/src/ruby_supportlib/phusion_passenger/platform_info/crypto.rb +51 -0
data/src/ruby_supportlib/phusion_passenger/platform_info/depcheck_specs/apache2.rb +7 -0
data/src/ruby_supportlib/phusion_passenger/standalone/config_options_list.rb +17 -0
data/src/ruby_supportlib/phusion_passenger/standalone/start_command.rb +4 -2
data/src/ruby_supportlib/phusion_passenger/standalone/start_command/builtin_engine.rb +4 -0
data/src/ruby_supportlib/phusion_passenger/standalone/start_command/nginx_engine.rb +5 -0
data/src/ruby_supportlib/phusion_passenger/vendor/crash_watch/app.rb +19 -10
data/src/ruby_supportlib/phusion_passenger/vendor/crash_watch/base.rb +25 -0
data/src/ruby_supportlib/phusion_passenger/vendor/crash_watch/gdb_controller.rb +38 -103
data/src/ruby_supportlib/phusion_passenger/vendor/crash_watch/lldb_controller.rb +178 -0
data/src/ruby_supportlib/phusion_passenger/vendor/crash_watch/utils.rb +94 -0
data/src/ruby_supportlib/phusion_passenger/vendor/crash_watch/version.rb +2 -2
data/src/ruby_supportlib/phusion_passenger/vendor/union_station_hooks_core/lib/union_station_hooks_core.rb +2 -2
data/src/ruby_supportlib/phusion_passenger/vendor/union_station_hooks_core/lib/union_station_hooks_core/version_data.rb +2 -2
data/src/ruby_supportlib/phusion_passenger/vendor/union_station_hooks_core/ruby_versions.yml.travis +5 -3
data/src/ruby_supportlib/phusion_passenger/vendor/union_station_hooks_core/ruby_versions.yml.travis-with-sudo +9 -7
metadata +14 -4

data/resources/templates/standalone/server.erb CHANGED

@@ -25,7 +25,7 @@ passenger_enabled on;
     union_station_key <%= app[:union_station_key] %>;
 <% end %>
 <% app[:envvars].each_pair do |name, value| %>
-    passenger_env_var '<%= name %>' '<%= value %>';
+    passenger_env_var '<%= name %>' '<%= json_config_value(value) %>';
 <% end %>
 <% if app[:concurrency_model] && app[:concurrency_model] != DEFAULT_CONCURRENCY_MODEL %>
     passenger_concurrency_model <%= app[:concurrency_model] %>;
@@ -53,6 +53,7 @@ passenger_enabled on;
 <%= nginx_option(app, :friendly_error_pages) %>
 <%= nginx_option(app, :abort_websockets_on_process_shutdown) %>
 <%= nginx_option(app, :force_max_concurrent_requests_per_process) %>
+<%= nginx_option(app, :max_requests) %>
 <%= nginx_option(app, :rolling_restarts) %>
 <%= nginx_option(app, :resist_deployment_errors) %>

data/resources/templates/undisclosed_error.html.template CHANGED

@@ -1,55 +1,56 @@
 <!DOCTYPE html>
 <html>
-<head>
-  <title>We're sorry, but something went wrong (500)</title>
-  <style type="text/css">
-    body { background-color: #fff; color: #666; text-align: center; font-family: arial, sans-serif; }
-    .dialog {
-      width: 25em;
-      padding: 0 4em;
-      margin: 4em auto 0 auto;
-      border: 1px solid #ccc;
-      border-right-color: #999;
-      border-bottom-color: #999;
-    }
-    h1 { font-size: 100%; color: #f00; line-height: 1.5em; }
-    #operator_info_panel {
-      width: 27em;
-      margin: 4em auto 0 auto;
-      line-height: 1.2em;
-    }
-    #show_operator_info { text-decoration: none; color: #99f; font-size: smaller; }
-    #show_operator_info:hover { text-decoration: underline; }
-    #operator_info { color: #444; text-align: justify; }
-  </style>
-</head>
-<body>
-  <div class="dialog">
-    <h1>We're sorry, but something went wrong.</h1>
-    <p>We've been notified about this issue and we'll take a look at it shortly.</p>
-  </div>
-  <div id="operator_info_panel">
-    <a id="show_operator_info" href="javascript:void(showOperatorInfo())">Information for the administrator of this website</a>
-    <div id="operator_info" style="display: none">
-      <p>The {{PROGRAM_NAME}} application server encountered an error while starting your web application.
-        Because you are running this web application in staging or production mode, the details of the error
-        have been omitted from this web page for security reasons.</p>
-      <p><strong>Please read <a href="https://www.phusionpassenger.com/library/admin/log_file/">the Passenger log file</a> to find the details of the error.</strong></p>
-      <p>Alternatively, you can turn on the "friendly error pages" feature (see below), which will make {{PROGRAM_NAME}} show many details about the error right in the browser.</p>
-      <p>To turn on friendly error pages:</p>
-      <ul>
-        <li><a href="https://www.phusionpassenger.com/library/config/nginx/reference/#passenger_friendly_error_pages">Nginx integration mode</a></li>
-        <li><a href="https://www.phusionpassenger.com/library/config/apache/reference/#passengerfriendlyerrorpages">Apache integration mode</a></li>
-        <li><a href="https://www.phusionpassenger.com/library/config/standalone/reference/#--friendly-error-pages---no-friendly-error-pages-friendly_error_pages">Standalone mode</a></li>
-      </ul>
+  <head>
+    <title>We're sorry, but something went wrong: {{TITLE}}</title>
+    <style type="text/css">
+      {{CSS|raw}}
+    </style>
+    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+    <meta name="generator" content="Phusion Passenger">
+  </head>
+  <body>
+    <header>
+      <div class="column">
+        <svg width="50" height="50" viewBox="0 0 64 64" xmlns="http://www.w3.org/2000/svg"><path d="m731.234002 153.838666v-18.841339c0-4.417534-3.577416-7.997327-7.990382-7.997327h-6.414571c-4.417012 0-7.990383 3.580525-7.990383 7.997327v18.841339h-18.841339c-4.417534 0-7.997327 3.577416-7.997327 7.990383v6.414571c0 4.417011 3.580525 7.990382 7.997327 7.990382h18.841339v18.841339c0 4.417534 3.577416 7.997328 7.990383 7.997328h6.414571c4.417011 0 7.990382-3.580526 7.990382-7.997328v-18.841339h18.841339c4.417534 0 7.997328-3.577416 7.997328-7.990382v-6.414571c0-4.417012-3.580526-7.990383-7.997328-7.990383z" fill="#f87575" transform="matrix(.70710678 -.70710678 .70710678 .70710678 -593.80455139 424.48059756)"/></svg>
+        <h1>We're sorry, but something went wrong.</h1>
+        <p class="subtitle">The issue has been logged for investigation. Please try again later.</p>
+      </div>
+    </header>
+    <div class="column">
+      <a id="show_operator_info" href="#" onclick="showOperatorInfo()">Technical details for the administrator of this website</a>
+      <div id="operator_info">
+        <div class="left">
+          <h3>Error:</h3>
+          <span class="error">{{TITLE}}</span>
+          <h3>Error ID:</h3>
+          <span class="error">{{ERROR_ID}}</span>
+          <h3>Details:</h3>
+          <p>Web application could not be started by the {{PROGRAM_NAME}} application server.</p>
+          <p class="bold">Please read <a href="https://www.phusionpassenger.com/library/admin/log_file/" class="plain">the Passenger log file</a> (search for the Error ID) to find the details of the error.</p>
+          <p>You can also get a detailed report to appear directly on this page, but for security reasons it is only provided if {{PROGRAM_NAME}} is run with <i>environment</i> set to <i>development</i> and/or with the <i>friendly error pages</i> option set to <i>on</i>.</p>
+          <p>For more information about configuring environment and friendly error pages, see:</p>
+          <ul>
+            <li><a href="https://www.phusionpassenger.com/library/config/nginx/reference/#passenger_friendly_error_pages">Nginx integration mode</a></li>
+            <li><a href="https://www.phusionpassenger.com/library/config/apache/reference/#passengerfriendlyerrorpages">Apache integration mode</a></li>
+            <li><a href="https://www.phusionpassenger.com/library/config/standalone/reference/#--friendly-error-pages---no-friendly-error-pages-friendly_error_pages">Standalone mode</a></li>
+          </ul>
+        </div>
+      </div>
     </div>
-  </div>
-  <script>
-    function showOperatorInfo() {
-      document.getElementById('operator_info').style.display = 'block';
-    }
-  </script>
-</body>
+    <footer>
+      <!--
+       You are free to modify the footer as you see fit,
+       but we kindly ask of you to preserve the following
+       text. Thank you.
+       -->
+      <div class="column">
+        This website is powered by <b>Passenger</b>&reg;, a rock-solid, feature-rich web application server that integrates with Apache and Nginx.
+      </div>
+    </footer>
+    <script>
+      function showOperatorInfo() {
+        document.getElementById('operator_info').style.display = 'block';
+      }
+    </script>
+  </body>
 </html>

data/resources/update_check_client_cert.p12 ADDED

Binary file

data/resources/update_check_client_cert.pem ADDED

@@ -0,0 +1,89 @@
+Bag Attributes
+    localKeyID: 00 3F 90 FE DE D7 C2 FF EC 81 5D 3E 39 0A 8D 6B 3F 8A A3 E7
+subject=/C=NL/L=Amsterdam/O=Phusion B.V./CN=Phusion Passenger Open Source
+issuer=/C=NL/L=Amsterdam/O=Phusion B.V./CN=Phusion Passenger Security Check
+-----BEGIN CERTIFICATE-----
+MIIFNzCCAx8CAQEwDQYJKoZIhvcNAQELBQAwYzELMAkGA1UEBhMCTkwxEjAQBgNV
+BAcMCUFtc3RlcmRhbTEVMBMGA1UECgwMUGh1c2lvbiBCLlYuMSkwJwYDVQQDDCBQ
+aHVzaW9uIFBhc3NlbmdlciBTZWN1cml0eSBDaGVjazAeFw0xNjA5MjAxMDU4NTJa
+Fw00NDAyMDUxMDU4NTJaMGAxCzAJBgNVBAYTAk5MMRIwEAYDVQQHDAlBbXN0ZXJk
+YW0xFTATBgNVBAoMDFBodXNpb24gQi5WLjEmMCQGA1UEAwwdUGh1c2lvbiBQYXNz
+ZW5nZXIgT3BlbiBTb3VyY2UwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoIC
+AQClDUeyOXtB9e+W5oPXfcLBBZgzUVf1EX+/nbb7EdqduAVoEzlK2Ii3s+Rm/f6E
+TRroqvKhufYfqpJ5n2zLCCRse+7k7hcZuHASlZijt0AqH6IvB3gCwWl0UDy/99hD
+usLzHREtG098l366II41ctNhFLbZXK+lws5kr5lQzfXRSOjasfMSFJklbKzp/req
+r4tpSSTNkEIg2stKABEJMTB5vWcFWc6kSTYyaZUquhN9vFRrHV2RVvDDNAHcYf+8
+xwZUpoCBUkaBCdzVMhYfHRRHlXIjK0Zffz8TCiFIQCAawUcIsldA+N80EuGwuXw2
+3Kp3vP6ArPrp857RqA8kKjADB8WqAuonpBvb/KikKN0QyDtsL8Uqx5YSwuyzzSkC
+Pk24Qd0NTICnALeGBVmAOGAl/ktYbEi5iwvZVIA1Nlc8TUdSavxaEZZe65pif3DK
+J88PchBUrrpoyqzSdBXxDmyRyy2ddNhde5/5e0X9AyqajPxlzwmMGUuGVVQZIev1
+4cX/olAxTiCAxA7meMaK/QqDgoxMn0SpwfKJElidUC+QzL+/wVZiDUSYMyZVAwBc
+/jpimwr9XZ3AJoDbvHHtTWA2m/navkayGEwXkF6KoZt4LgP87XCBKth4/ME62c35
+LXadbHPh+OTgPtKRMURjQ+RZrATI7/aZPGN5PU8Xm3tzrQIDAQABMA0GCSqGSIb3
+DQEBCwUAA4ICAQAGQjmbMIy8DFTBD84vqBw6Ai1X9syM6fJmqZynaSYw0xCQidzn
+mt/iyOGrtgzN4Q56H1GHqOuTEfRqyepgjWjQHNXicWI/5yIiOvpRaJ9xHg+ipEb6
+V+m3WSNxA0KlB6tjkJS2FJE6GWUqy44s4CzX830lA1g6F/5/3ybOPdbdiAiKVgpN
+4QHJyInguh7g/bJ/1Q7G+/my6dawhJOmLiULOJZmaXUWwDp4Sm7khtYwJvefT7qF
+oA9U2k14HGDZvKIjwaxRhSGpUnRntOgiomXtTZBZeN7SxNt9+cHBsQXiDfE1Vx2E
+jvawvGTxjDsQlTYPXtkCAKO2FTplB+HRAqGIN4G/umuzDwS9VIIRpoCylCmjbCDP
+EC9CITsiLVMNu3ig3ZYBQHFmO65QPxomxqJ+0WbFLgQPIw75miyuALTJ6gIWYquT
+FlMwbx8yG8xTZ3vDc0tY4H6NdanUxtolBSPQ/MOD6xfwBN0u/CszcKXTyGYtbV74
+lACauhEq1XI4zheTpuTxiEefjj9aJRfiSvIa51fcyezjK6gI6auGnkBCI/UlQJDu
+9Kx8jBfwkQTIBaESREY/zNmvZV1H28XOxFMKKfzguNbRE0ZLMPNVTuxa6JbWtL55
+0JHGueYtlIRmYe7YFawFg9xAEns3mr28BPAywE5+SdEJwE8G8IPfxaWAkA==
+-----END CERTIFICATE-----
+Bag Attributes
+    localKeyID: 00 3F 90 FE DE D7 C2 FF EC 81 5D 3E 39 0A 8D 6B 3F 8A A3 E7
+Key Attributes: <No Attributes>
+-----BEGIN PRIVATE KEY-----
+MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQClDUeyOXtB9e+W
+5oPXfcLBBZgzUVf1EX+/nbb7EdqduAVoEzlK2Ii3s+Rm/f6ETRroqvKhufYfqpJ5
+n2zLCCRse+7k7hcZuHASlZijt0AqH6IvB3gCwWl0UDy/99hDusLzHREtG098l366
+II41ctNhFLbZXK+lws5kr5lQzfXRSOjasfMSFJklbKzp/reqr4tpSSTNkEIg2stK
+ABEJMTB5vWcFWc6kSTYyaZUquhN9vFRrHV2RVvDDNAHcYf+8xwZUpoCBUkaBCdzV
+MhYfHRRHlXIjK0Zffz8TCiFIQCAawUcIsldA+N80EuGwuXw23Kp3vP6ArPrp857R
+qA8kKjADB8WqAuonpBvb/KikKN0QyDtsL8Uqx5YSwuyzzSkCPk24Qd0NTICnALeG
+BVmAOGAl/ktYbEi5iwvZVIA1Nlc8TUdSavxaEZZe65pif3DKJ88PchBUrrpoyqzS
+dBXxDmyRyy2ddNhde5/5e0X9AyqajPxlzwmMGUuGVVQZIev14cX/olAxTiCAxA7m
+eMaK/QqDgoxMn0SpwfKJElidUC+QzL+/wVZiDUSYMyZVAwBc/jpimwr9XZ3AJoDb
+vHHtTWA2m/navkayGEwXkF6KoZt4LgP87XCBKth4/ME62c35LXadbHPh+OTgPtKR
+MURjQ+RZrATI7/aZPGN5PU8Xm3tzrQIDAQABAoICAGmmLIR6otk/8ZLoDvB7AZTI
+XfpLUT//aYRgEeZ4MTXPuzY5R+0O2cStE8CRSL+rE1RnSFQZUuBGMOhFEkCL/7Sp
+R+umM4c1NhfPRhtVi27rPMdZwooQ/82CJsDCht4jx/ISYxI6bxDTcDz35c90prV3
+qutLlutF3RM6C6tbisPiJZsHWQ3zvWvlOnG1qB9LqrNELJighJO/OW0uybjWka77
+e9xC9jDW5Cg0yVTGMv/C8051R5Vmz0pEGgTVfft6ciTxR0SAQ70JcR/OpbZYyMhh
+cuPsKWmra9ZmH5O96E739N4uOgfOxiDxDSIwOMBtU3i9szLuhtYGKV0OdFKz5nKi
+4A4f/nmO8oNBlGtmCNo7j701qnsObtT0f1JiQyPqlTIPEpOmAoVw6h7BpTPIm7lP
+xG9diJJy3ahjV1FMBQnhMJ0may2OaOgkr6yg3D46ks80xtQhyyoyY11ZbgrVoZRK
+Y1GIoikK+nYXwaL0yzd9FOs9Bwg3ynTtabVgPQx8YNdCborZstb57Y0YuTI/XLVs
+dzYOHgaddT6ZFP2Wupd5h/YXFa689z1pmxKHmPfM8BpVEos+gkT9EnMuYbiZPCvb
+I3B+0jblAgUYmDMbO4vKOxSEjcTl+FGoAHLbI8Uxg7hyGJPU44+I6Ytr6/7f2cKO
+8fjQ0mQjGyQjO2tTVBpJAoIBAQDTP2doE09PHHm7A5YPO2/cTXyzLr0hDm8sQFUs
+YSdu2rLwYMjM8K4GZTUC51+P25qMIcNMyJFv5IuIdQKfC/LADEmIDQAn7tDjARUR
+OGldZQzvVzsg0K2RkQsPtmEGUz5y9XZpcAp15JlP1hTobY+5AwUDc7sbdFA39kk1
+2MJqWz3eJ2LS1i+cHuP+BcopR7Ejf9SzQD6MDT+e8uzZGaIN3BXwl6uczsjrZe2l
+qb4BMOZp4/RKVyqc+0BNYHaCGsg6I1iWATpMGW80Tyu2B+MJFGdQZK2anccilqqH
+I38impGk6b2+e8v64BmqPe001mHYRf9/myRHit/dXnQgQUMDAoIBAQDIBIoNeim3
+8XHH1zxwlAr0xzqNFBYvEWNxckS4J/rypEnZB8QyGJ+H4L0ZOHl/6ioBGMgRIr1a
+MRWsHgOLdAQakuJflSsoaOpUkFxBoUkh5Kvk7J+yHgrEDY/H/of9k2BIOJFmNvHg
+NF6bKdVXvO5EOJkcBtn+bCHqjZoo0RUEuw5Ly3qxWSE45jcLd0Xue/FHhpnLgKxp
+rq5u2OaF2kX2PhFxFWGozHNiNYWtgQAg7rx39eiK40NKq2eOuPWlo3Ou8PV7Fxc2
+RBkUz793HMK4GTksy4WGs7KLwrsEvs7ofzPpHx3DRNcEj1kXZt0YKvb0zi3ImrKF
+hDTEQXHNa1ePAoIBAFuw45Na/kuaUoQH9HQ8GjuHLp8fpFvaxgpxCgcvTExjhNOt
+TrsVpJOGDlJqVyI78YLtjLWhQO9ORfo+v5qFNyKAstHowq6Si/xcFebZk3JEUC76
+r+F4cj4CtMhnIwn5y9teC72MMh4l0R3EEGMqWv20/9IVw5sRC1ie//vtT8WWQO5S
+LiTRbuzWw6MYpDzyr0J3U71SH1Pu1DSLwJ4i8CIP6z34tzZi0vbJ0TLc0Gn37ar8
+lKZH22kz7R8oxYeHVG1XtjW15rXtPEV6L8Dc/4CLaKSOboP0A+FRgEcT8zTz3k+0
+XPV3CnykFL++DV2nx+R1zYZ3snGTJ8QQIVt2uD0CggEAbMXLLbkZpuausbbjL3XS
+33rY5I/f4IjcQ32Y0W0sk3e0kUof7/5kA0i8jVKhAGcfoKkRZAA4aSv4VTmdQ+E7
+uhfW85PzfG5RwNsg0LAdTUlGEaB82ChuQl/9qQ1KdyQGYEAjEisfLoZMTKVbV/Nu
+v7rnyM4RDsNPTnbjNv89Ju1ywNVPS9LktkS7+ohKh37vn64bRQgcuvw78BwUgQZK
+tbbbVVwDWACXXvksUUauAzrRU4tvgthEZ/7+uibrr8BL0P9JAD92aBRwb1jrDqOd
+YPCWnz2ux6pBlq+3dMUvUFCcslIxpVdydxBdqtRNuC7lTgwx6b33B5T1/SR59vRB
+EQKCAQEAqpq24bAdw7vVXdqNUR7tr0gj3YWo3WcDA+kQ0fXqK6i+WtM0lE9knD1W
+/tp8NGKXIv5xX36NTTIvObpDacbP8nktVPp9/AFWLe/JMNpNtBtAx7XVx6+gM9BN
+GOwQJUkwBVaHk+otkjUEa9b9+c6AWPAnQYL1ZDtJI39mgKL16oxGGqGlsz0bQ5hM
+tQN9SdtbKk6tuRRMVePFqF4SfXcQhh0xFVVMhMLennahh+clga/QAZE06chqUC4y
+BvYuUFTYGX3ruN7R2MVr37Q25W2ft3+rMgwSxnqk3sQpu3GJadZu7RsAII9pcO/T
+R3q+XeN5nwMR795lnml9VOQpDNKEkQ==
+-----END PRIVATE KEY-----

data/resources/update_check_server_pubkey.pem ADDED

@@ -0,0 +1,14 @@
+-----BEGIN PUBLIC KEY-----
+MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA7C9EFcv3muAvBkqsNd+j
+kKt3BPCYlccGogmRupyTEqURSB3dqOp9w2V8bbFxaCZf+74Nfb5KCuSW1Qbsrm4Z
+3F42eDCs+O7Q/kQ8WghulLMyuNi/7puRlNXjCqQ3gMcnxtSHeoG+2Rh/uVGOxBfq
+MA9xg4M7zeU3Rcmyu5AHyKn/LeTrkJPYaaipCKC/l8TKfThD01wdmsY2jmrCA5JF
+hzPNTUcXKDj0xnK2SEELei+dpRQCEjjk7v+9/eLqPRnuYwmSHgv4KFwGYsLM+ra+
+rC/0GMCgv46YTt4rnhd6EicGUJSf5GnlM9lCp3eQoCdJJ0jrC6KuPhhyliF4BEXN
+rgDfLR3RMQRQ3uJ7x+1uJ5kNsJhObEFBRFjLB2B8BQJoKdCToZXh0as7jG/jMLQQ
+5ZiUJZwJTZxyj4A8tQy96ePamz4VPNE29OHLL++hXVrOYGaRyL3MRam4CQG0jU6R
+WqlVwTJdyMaSIM4FLPgA5H8ob1mq9M9nU1IMS++8SaM8AFdwvJvNdCGsZtmnk20e
+DqDUfYmLw9PWpRgVfoE8rgTiSAnQL/161Mnbq10335ZaRTv8WDsvqeAc2tD9vgSi
+fpuJZuMeqh+tPp2vyxGRjV0M3j0WoWmSMnD9lI4ua/rZxiRBvk2X6IlxAdAd+CI0
+DW8UYooAygpzviU/V09vY1sCAwEAAQ==
+-----END PUBLIC KEY-----

data/src/agent/Core/ApplicationPool/ErrorRenderer.h CHANGED

@@ -100,12 +100,26 @@ public:
 		return Template::apply(readAll(errorLayoutFile), params);
 	}
-	string renderWithoutDetails() const {
+	string renderWithoutDetails(const SpawnException *e = NULL) const {
 		string templateFile = templatesDir + "/undisclosed_error.html.template";
+		string css = readAll(cssFile);
 		StringMap<StaticString> params;
 		params.set("PROGRAM_NAME", PROGRAM_NAME);
+		params.set("CSS", css);
+		params.set("TITLE", "Web application could not be started");
+		if (e != NULL) {
+			const map<string, string> &annotations = e->getAnnotations();
+			map<string, string>::const_iterator it = annotations.find("error_id");
+			if (it != annotations.end()) {
+				params.set("ERROR_ID", it->second);
+			} else {
+				params.set("ERROR_ID", "not available");
+			}
+		} else {
+			params.set("ERROR_ID", "not available");
+		}
 		return Template::apply(readAll(templateFile), params);
 	}
 };

data/src/agent/Core/Controller.h CHANGED

@@ -149,6 +149,7 @@ private:
 	HashedStaticString PASSENGER_APP_GROUP_NAME;
 	HashedStaticString PASSENGER_ENV_VARS;
 	HashedStaticString PASSENGER_MAX_REQUESTS;
+	HashedStaticString PASSENGER_SHOW_VERSION_IN_HEADER;
 	HashedStaticString PASSENGER_STICKY_SESSIONS;
 	HashedStaticString PASSENGER_STICKY_SESSIONS_COOKIE_NAME;
 	HashedStaticString PASSENGER_REQUEST_OOB_WORK;
@@ -181,7 +182,7 @@ private:
 	#endif
-	/****** Stage: initiatelize request ******/
+	/****** Stage: initialize request ******/
 	struct RequestAnalysis;
@@ -363,7 +364,7 @@ private:
 protected:
-	/****** Stage: initiatelize request ******/
+	/****** Stage: initialize request ******/
 	virtual void onRequestBegin(Client *client, Request *req);

data/src/agent/Core/Controller/CheckoutSession.cpp CHANGED

@@ -290,17 +290,18 @@ void
 Controller::writeOtherExceptionErrorResponse(Client *client, Request *req, const ExceptionPtr &e) {
 	TRACE_POINT();
 	string typeName;
+	const oxt::tracable_exception &eptr = *e;
 	#ifdef CXX_ABI_API_AVAILABLE
 		int status;
-		char *tmp = abi::__cxa_demangle(typeid(*e).name(), 0, 0, &status);
+		char *tmp = abi::__cxa_demangle(typeid(eptr).name(), 0, 0, &status);
 		if (tmp != NULL) {
 			typeName = tmp;
 			free(tmp);
 		} else {
-			typeName = typeid(*e).name();
+			typeName = typeid(eptr).name();
 		}
 	#else
-		typeName = typeid(*e).name();
+		typeName = typeid(eptr).name();
 	#endif
 	const unsigned int exceptionMessageLen = strlen(e->what());
@@ -362,7 +363,7 @@ Controller::endRequestWithErrorResponse(Client **c, Request **r, const StaticStr
 		}
 	} else {
 		try {
-			data = renderer.renderWithoutDetails();
+			data = renderer.renderWithoutDetails(e);
 		} catch (const SystemException &e2) {
 			SKC_ERROR(client, "Cannot render an error page: " << e2.what() <<
 				"\n" << e2.backtrace());

data/src/agent/Core/Controller/ForwardResponse.cpp CHANGED

@@ -767,7 +767,7 @@ Controller::constructHeaderBuffersForResponse(Request *req, struct iovec *buffer
 		PUSH_STATIC_BUFFER("\r\n");
 	}
-	if (showVersionInHeader) {
+	if (req->showVersionInHeader) {
 		#ifdef PASSENGER_IS_ENTERPRISE
 			PUSH_STATIC_BUFFER("X-Powered-By: " PROGRAM_NAME " Enterprise " PASSENGER_VERSION "\r\n\r\n");
 		#else

data/src/agent/Core/Controller/InitRequest.cpp CHANGED

@@ -489,6 +489,8 @@ Controller::onRequestBegin(Client *client, Request *req) {
 			&& getBoolOption(req, UNION_STATION_SUPPORT, false);
 		req->stickySession = getBoolOption(req, PASSENGER_STICKY_SESSIONS,
 			this->stickySessions);
+		req->showVersionInHeader = getBoolOption(req, PASSENGER_SHOW_VERSION_IN_HEADER,
+			this->showVersionInHeader);
 		req->host = req->headers.lookup(HTTP_HOST);
 		/***************/

data/src/agent/Core/Controller/InitializationAndShutdown.cpp CHANGED

@@ -64,6 +64,7 @@ Controller::Controller(ServerKit::Context *context, const VariantMap *_agentsOpt
 	  PASSENGER_APP_GROUP_NAME("!~PASSENGER_APP_GROUP_NAME"),
 	  PASSENGER_ENV_VARS("!~PASSENGER_ENV_VARS"),
 	  PASSENGER_MAX_REQUESTS("!~PASSENGER_MAX_REQUESTS"),
+	  PASSENGER_SHOW_VERSION_IN_HEADER("!~PASSENGER_SHOW_VERSION_IN_HEADER"),
 	  PASSENGER_STICKY_SESSIONS("!~PASSENGER_STICKY_SESSIONS"),
 	  PASSENGER_STICKY_SESSIONS_COOKIE_NAME("!~PASSENGER_STICKY_SESSIONS_COOKIE_NAME"),
 	  PASSENGER_REQUEST_OOB_WORK("!~Request-OOB-Work"),

data/src/agent/Core/Controller/Request.h CHANGED

@@ -72,6 +72,7 @@ public:
 	bool dechunkResponse: 1;
 	bool requestBodyBuffering: 1;
 	bool https: 1;
+	bool showVersionInHeader: 1;
 	bool stickySession: 1;
 	// Range: 0..MAX_SESSION_CHECKOUT_TRY

data/src/agent/Core/CoreMain.cpp CHANGED

@@ -59,6 +59,8 @@
 #include <sstream>
 #include <stdexcept>
+#include <curl/curl.h>
 #include <boost/thread.hpp>
 #include <boost/shared_ptr.hpp>
 #include <boost/make_shared.hpp>
@@ -89,6 +91,7 @@
 #include <Core/ApiServer.h>
 #include <Core/ApplicationPool/Pool.h>
 #include <Core/UnionStation/Context.h>
+#include <Core/SecurityUpdateChecker.h>
 using namespace boost;
 using namespace oxt;
@@ -151,11 +154,15 @@ namespace Core {
 		boost::atomic<unsigned int> shutdownCounter;
 		oxt::thread *prestarterThread;
+		SecurityUpdateChecker *securityUpdateChecker;
 		WorkingObjects()
 			: exitEvent(__FILE__, __LINE__, "WorkingObjects: exitEvent"),
 			  allClientsDisconnectedEvent(__FILE__, __LINE__, "WorkingObjects: allClientsDisconnectedEvent"),
 			  terminationCount(0),
-			  shutdownCounter(0)
+			  shutdownCounter(0),
+			  prestarterThread(NULL),
+			  securityUpdateChecker(NULL)
 		{
 			for (unsigned int i = 0; i < SERVER_KIT_MAX_SERVER_ENDPOINTS; i++) {
 				serverFds[i] = -1;
@@ -165,6 +172,9 @@ namespace Core {
 		~WorkingObjects() {
 			delete prestarterThread;
+			if (securityUpdateChecker) {
+				delete securityUpdateChecker;
+			}
 			vector<ThreadWorkingObjects>::iterator it, end = threadWorkingObjects.end();
 			for (it = threadWorkingObjects.begin(); it != end; it++) {
@@ -294,7 +304,9 @@ makeFileWorldReadableAndWritable(const string &path) {
 }
 #ifdef USE_SELINUX
-	// Set next socket context to *:system_r:passenger_instance_httpd_socket_t
+	// Set next socket context to *:system_r:passenger_instance_httpd_socket_t.
+	// Note that this only sets the context of the socket file descriptor,
+	// not the socket file on the filesystem. This is why we need selinuxRelabelFile().
 	static void
 	setSelinuxSocketContext() {
 		security_context_t currentCon;
@@ -332,6 +344,40 @@ makeFileWorldReadableAndWritable(const string &path) {
 	resetSelinuxSocketContext() {
 		setsockcreatecon(NULL);
 	}
+	static void
+	selinuxRelabelFile(const string &path, const char *newLabel) {
+		security_context_t currentCon;
+		string newCon;
+		int e;
+		if (getfilecon(path.c_str(), &currentCon) == -1) {
+			e = errno;
+			P_DEBUG("Unable to obtain SELinux context for file " <<
+				path <<": " << strerror(e) << " (errno=" << e << ")");
+			return;
+		}
+		P_DEBUG("SELinux context for " << path << ": " << currentCon);
+		if (strstr(currentCon, ":object_r:passenger_instance_content_t:") == NULL) {
+			goto cleanup;
+		}
+		newCon = replaceString(currentCon,
+			":object_r:passenger_instance_content_t:",
+			StaticString(":object_r:") + newLabel + ":");
+		P_DEBUG("Relabeling " << path << " to: " << newCon);
+		if (setfilecon(path.c_str(), (security_context_t) newCon.c_str()) == -1) {
+			e = errno;
+			P_WARN("Cannot set SELinux context for " << path <<
+				" to " << newCon << ": " << strerror(e) <<
+				" (errno=" << e << ")");
+		}
+		cleanup:
+		freecon(currentCon);
+	}
 #endif
 static void
@@ -352,6 +398,13 @@ startListening() {
 			__FILE__, __LINE__);
 		#ifdef USE_SELINUX
 			resetSelinuxSocketContext();
+			if (i == 0 && getSocketAddressType(addresses[0]) == SAT_UNIX) {
+				// setSelinuxSocketContext() sets the context of the
+				// socket file descriptor but not the file on the filesystem.
+				// So we relabel the socket file here.
+				selinuxRelabelFile(parseUnixSocketAddress(addresses[0]),
+					"passenger_instance_httpd_socket_t");
+			}
 		#endif
 		P_LOG_FILE_DESCRIPTOR_PURPOSE(wo->serverFds[i],
 			"Server address: " << addresses[i]);
@@ -542,6 +595,16 @@ spawningKitErrorHandler(const SpawningKit::ConfigPtr &config, SpawnException &e,
 	ApplicationPool2::processAndLogNewSpawnException(e, options, config);
 }
+static void
+initializeCurl() {
+	TRACE_POINT();
+	CURLcode code = curl_global_init(CURL_GLOBAL_ALL); // Initializes underlying TLS stack
+	if (code != CURLE_OK) {
+		P_CRITICAL("Could not initialize libcurl: " << curl_easy_strerror(code));
+		exit(1);
+	}
+}
 static void
 initializeNonPrivilegedWorkingObjects() {
 	TRACE_POINT();
@@ -709,6 +772,28 @@ initializeNonPrivilegedWorkingObjects() {
 	}
 }
+static void
+initializeSecurityUpdateChecker() {
+	TRACE_POINT();
+	VariantMap &options = *agentsOptions;
+	if (options.getBool("disable_security_update_check", false, false)) {
+		P_NOTICE("Security update check disabled.");
+	} else {
+		string proxy = options.get("security_update_check_proxy", false);
+		string serverIntegration = options.get("integration_mode"); // nginx / apache / standalone
+		string standaloneEngine = options.get("standalone_engine", false); // nginx / builtin
+		if (!standaloneEngine.empty()) {
+			serverIntegration.append(" " + standaloneEngine);
+		}
+		string serverVersion = options.get("server_version", false); // not set in case of standalone / builtin
+		workingObjects->securityUpdateChecker = new SecurityUpdateChecker(workingObjects->resourceLocator, proxy, serverIntegration, serverVersion);
+		workingObjects->securityUpdateChecker->start(24 * 60 * 60);
+	}
+}
 static void
 prestartWebApps() {
 	TRACE_POINT();
@@ -989,7 +1074,9 @@ runCore() {
 		startListening();
 		createPidFile();
 		lowerPrivilege();
+		initializeCurl();
 		initializeNonPrivilegedWorkingObjects();
+		initializeSecurityUpdateChecker();
 		prestartWebApps();
 		UPDATE_TRACE_POINT();
@@ -1073,6 +1160,10 @@ setAgentsOptionsDefaults() {
 		options.set("default_group",
 			inferDefaultGroup(options.get("default_user")));
 	}
+	options.setDefault("integration_mode", "standalone");
+	if (options.get("integration_mode") == "standalone" && !options.has("standalone_engine")) {
+		options.set("standalone_engine", "builtin");
+	}
 	options.setDefaultStrSet("core_addresses", defaultAddress);
 	options.setDefaultInt("socket_backlog", DEFAULT_SOCKET_BACKLOG);
 	options.setDefaultBool("multi_app", false);
@@ -1193,6 +1284,12 @@ sanityCheckOptions() {
 			ok = false;
 		#endif
 	}
+	if (options.has("max_requests")) {
+		if (options.getInt("max_requests", false, 0) < 0) {
+			fprintf(stderr, "ERROR: the value passed to --max-requests must be at least 0.\n");
+			ok = false;
+		}
+	}
 	if (options.has("max_request_time")) {
 		if (options.getInt("max_request_time", false, 0) < 1) {
 			fprintf(stderr, "ERROR: the value passed to --max-request-time must be at least 1.\n");