From: Graham Leggett Date: Wed, 8 Jul 2020 11:39:12 +0000 (+0000) Subject: *) core: Drop an invalid Last-Modified header value coming X-Git-Tag: 2.4.44~33 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4a4960e8b9d8879b497f3afddf2faa71573b5fcb;p=thirdparty%2Fapache%2Fhttpd.git *) core: Drop an invalid Last-Modified header value coming from a (F)CGI script instead of replacing it with Unix epoch. Warn the users about Last-Modified header value replacements and violations of the RFC. trunk patch: http://svn.apache.org/r1748379 http://svn.apache.org/r1750747 http://svn.apache.org/r1750749 http://svn.apache.org/r1750953 http://svn.apache.org/r1751138 http://svn.apache.org/r1751139 http://svn.apache.org/r1751147 http://svn.apache.org/r1757818 http://svn.apache.org/r1879253 http://svn.apache.org/r1879348 2.4.x: trunk patches work, final view: http://home.apache.org/~elukey/httpd-2.4.x-core-last_modified_tz_logging.patch svn merge -c 1748379,1750747,1750749,1750953,1751138,1751139,1751139,1757818,1879253,r1879348 ^/httpd/httpd/trunk . The code has been tested with a simple PHP script returning different Last-Modified headers (GMT now, GMT now Europe/Paris, GMT tomorrow, GMT yesterday, PST now). +1: elukey, jorton, jim jorton: +1 though I'd say log at WARN or INFO for the APR_BAD_DATE case rather than "silently" (at normal log-level) dropping the parsed header? [also nit: wrapping a lone ap_log_rerror(,APLOG_X) call in if (APLOGrX(..) is unnecessary/redundant] git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1879641 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 71ba9b1055a..50432a7ca09 100644 --- a/CHANGES +++ b/CHANGES 
@@ -1,6 +1,10 @@ -*- coding: utf-8 -*- Changes with Apache 2.4.44 + *) core: Drop an invalid Last-Modified header value coming + from a FCGI/CGI script instead of replacing it with Unix epoch. + [Luca Toscano] + *) Add support for strict content-length parsing through addition of ap_parse_strict_length() [Yann Ylavic] diff --git a/STATUS b/STATUS index a834eb789db..c4d0dde0534 100644 --- a/STATUS +++ b/STATUS @@ -135,31 +135,6 @@ RELEASE SHOWSTOPPERS: PATCHES ACCEPTED TO BACKPORT FROM TRUNK: [ start all new proposals below, under PATCHES PROPOSED. ] - *) core: Drop an invalid Last-Modified header value coming - from a (F)CGI script instead of replacing it with Unix epoch. - Warn the users about Last-Modified header value replacements - and violations of the RFC. - trunk patch: http://svn.apache.org/r1748379 - http://svn.apache.org/r1750747 - http://svn.apache.org/r1750749 - http://svn.apache.org/r1750953 - http://svn.apache.org/r1751138 - http://svn.apache.org/r1751139 - http://svn.apache.org/r1751147 - http://svn.apache.org/r1757818 - http://svn.apache.org/r1879253 - http://svn.apache.org/r1879348 - 2.4.x: trunk patches work, final view: - http://home.apache.org/~elukey/httpd-2.4.x-core-last_modified_tz_logging.patch - svn merge -c 1748379,1750747,1750749,1750953,1751138,1751139,1751139,1757818,1879253,r1879348 ^/httpd/httpd/trunk . - The code has been tested with a simple PHP script returning different Last-Modified - headers (GMT now, GMT now Europe/Paris, GMT tomorrow, GMT yesterday, PST now). - +1: elukey, jorton, jim - jorton: +1 though I'd say log at WARN or INFO for the APR_BAD_DATE case - rather than "silently" (at normal log-level) dropping the parsed header? - [also nit: wrapping a lone ap_log_rerror(,APLOG_X) call in - if (APLOGrX(..) is unnecessary/redundant] - *) mod_http2: connection terminology renamed to master/secondary. trunk patch: http://svn.apache.org/r1878926 http://svn.apache.org/r1879156 
diff --git a/server/util_script.c b/server/util_script.c index 6956db7bc8d..25c75dea1b1 100644 --- a/server/util_script.c +++ b/server/util_script.c @@ -669,11 +669,19 @@ AP_DECLARE(int) ap_scan_script_header_err_core_ex(request_rec *r, char *buffer, } /* * If the script gave us a Last-Modified header, we can't just - * pass it on blindly because of restrictions on future values. + * pass it on blindly because of restrictions on future or invalid values. */ else if (!strcasecmp(w, "Last-Modified")) { - ap_update_mtime(r, apr_date_parse_http(l)); - ap_set_last_modified(r); + apr_time_t last_modified_date = apr_date_parse_http(l); + if (last_modified_date != APR_DATE_BAD) { + ap_update_mtime(r, last_modified_date); + ap_set_last_modified(r); + } + else { + if (APLOGrtrace1(r)) + ap_log_rerror(SCRIPT_LOG_MARK, APLOG_TRACE1, 0, r, + "Ignored invalid header value: Last-Modified: '%s'", l); + } } else if (!strcasecmp(w, "Set-Cookie")) { apr_table_add(cookie_table, w, l);
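Review bot: the CHANGES entry covers only the dropped header, while the commit message also promises to "Warn the users about Last-Modified header value replacements and violations of the RFC". None of the hunks shown here adds a warning-level message; the only new log call is the TRACE1 one in server/util_script.c. Either extend the entry to mention the new logging where it is actually added, or trim the commit message so the two agree.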
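Review bot: in the STATUS proposal being removed, the svn merge command lists 1751139 twice and never lists 1751147, although r1751147 appears in the trunk patch list directly above it. Confirm that r1751147 was really merged into 2.4.x, since the command as recorded would skip it. The last revision in that command is also written "r1879348" while the others have no prefix.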
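Review bot: in the else branch of the Last-Modified case in server/util_script.c, the discarded value is logged only at APLOG_TRACE1, so at a normal LogLevel an administrator gets no indication that a script sent a Last-Modified header the server refused to parse and dropped. jorton's vote comment asks for WARN or INFO in the APR_DATE_BAD case and the merged code does not take that up; consider raising the level, since a silently missing validator changes caching and conditional-request behaviour for that response. The same comment notes that the "if (APLOGrtrace1(r))" guard around the lone ap_log_rerror() call is redundant and can go.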