* os/unix/unixd.c (unixd_accept): Eliminate now-redundant call to
apr_os_sock_get(); let APR check for accept returning zero on TPF.
* modules/ssl/ssl_engine_io.c (ssl_io_input_read): Fix rollback
handling for AP_MODE_SPECULATIVE.
* modules/mappers/mod_rewrite.c (post_config): Retrieve optional
functions from mod_ssl. (lookup_variable): Support SSL:...
and HTTPS variables via mod_ssl optional hooks, if available.
* server/util_script.c (ap_scan_script_header_err_core): Set
Content-Range in r->headers_out, so that the byterange filter knows to
do nothing for a CGI script which produced a content-range.
* modules/ssl/mod_ssl.h: Declare ssl_is_https optional function.
* modules/ssl/ssl_engine_vars.c (ssl_is_https): New function.
(ssl_var_register): Register it.
PR: 30134, 30464
Reviewed by: trawick, jerenkrantz, nd, stoddard
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/APACHE_2_0_BRANCH@104851
13f79535-47bb-0310-9956-
ffa450edef68
Changes with Apache 2.0.51
+ *) SECURITY: CAN-2004-0751 (cve.mitre.org)
+ mod_ssl: Fix a segfault in the SSL input filter which could be
+ triggered if using "speculative" mode, for instance by a
+ proxy request to an SSL server. PR 30134. [Joe Orton]
+
+ *) mod_rewrite: Add %{SSL:...} and %{HTTPS} variable lookups.
+ PR 30464. [Joe Orton]
+
+ *) mod_ssl: Add new 'ssl_is_https' optional function. [Joe Orton]
+
+ *) Prevent CGI script output which includes a Content-Range header
+ from being passed through the byterange filter. [Joe Orton]
+
*) Satisfy directives now can be influenced by a surrounding <Limit>
container. PR 14726. [André Malo]
APACHE 2.0 STATUS: -*-text-*-
-Last modified at [$Date: 2004/08/26 22:21:33 $]
+Last modified at [$Date: 2004/08/27 09:03:22 $]
Release:
+1: stoddard, trawick
nd: I'd like to add 1.169
- *) [SECURITY] mod_ssl: Fix potential input filter segfaults in SPECULATIVE mode.
- http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/ssl/ssl_engine_io.c?r1=1.125&r2=1.126
- PR: 30134
- +1: jorton, trawick, jerenkrantz
-
- *) unixd_accept: Eliminate now-unnecessary apr_os_sock_get() call.
- http://cvs.apache.org/viewcvs.cgi/httpd-2.0/os/unix/unixd.c?r1=1.66&r2=1.67
- +1: jorton, trawick, jerenkrantz
-
- *) Prevent byterange filter doing its thang for a CGI which returns a Content-Range
- http://cvs.apache.org/viewcvs.cgi/httpd-2.0/server/util_script.c?r1=1.89&r2=1.90
- +1: jorton, trawick, nd, jerenkrantz
-
- *) mod_ssl: Add ssl_is_https optional hook.
- http://www.apache.org/~jorton/mod_ssl-2.0-ishttps.diff
- +1: jorton, stoddard, trawick, nd
-
- *) mod_rewrite: Add %{SSL:...} and %{HTTPS} support (regression from 1.3/mod_ssl).
- http://www.apache.org/~jorton/mod_rewrite-2.0-sslvar.diff
- PR: 30464
- +1: jorton, stoddard, nd
-
*) Remove LDAP toolkit specific code from util_ldap and mod_auth_ldap.
modules/experimental/mod_auth_ldap.c: 1.28
modules/experimental/util_ldap.c: 1.36
#include "http_protocol.h"
#include "mod_rewrite.h"
+/* mod_ssl.h is not safe for inclusion in 2.0, so duplicate the
+ * optional function declarations. */
+APR_DECLARE_OPTIONAL_FN(char *, ssl_var_lookup,
+ (apr_pool_t *, server_rec *,
+ conn_rec *, request_rec *,
+ char *));
+APR_DECLARE_OPTIONAL_FN(int, ssl_is_https, (conn_rec *));
+
#if !defined(OS2) && !defined(WIN32) && !defined(BEOS) && !defined(NETWARE)
#include "unixd.h"
#define MOD_REWRITE_SET_MUTEX_PERMS /* XXX Apache should define something */
static apr_global_mutex_t *rewrite_mapr_lock_acquire = NULL;
static apr_global_mutex_t *rewrite_log_lock = NULL;
+/* Optional functions imported from mod_ssl when loaded: */
+static APR_OPTIONAL_FN_TYPE(ssl_var_lookup) *rewrite_ssl_lookup = NULL;
+static APR_OPTIONAL_FN_TYPE(ssl_is_https) *rewrite_is_https = NULL;
+
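Review bot: The duplicated `APR_DECLARE_OPTIONAL_FN` prototypes for `ssl_var_lookup` and `ssl_is_https` must match mod_ssl.h exactly; the optional-function mechanism resolves by name only, so a later change to either signature on the mod_ssl side would not be caught at compile time here. The existing comment explains why they are copied but not that they must be kept in sync; extending it to `/* mod_ssl.h is not safe for inclusion in 2.0, so duplicate the optional function declarations. These must match mod_ssl.h exactly: the lookup is by name, not by type. */` would flag the hazard where it matters. The two static pointers `rewrite_ssl_lookup` and `rewrite_is_https` start NULL and are only filled in post_config, which is the "not available" state the lookup code later tests, so a comment on them saying `/* NULL when mod_ssl is not loaded */` would make that contract explicit.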
/*
** +-------------------------------------------------------+
** | |
}
}
}
+
+ rewrite_ssl_lookup = APR_RETRIEVE_OPTIONAL_FN(ssl_var_lookup);
+ rewrite_is_https = APR_RETRIEVE_OPTIONAL_FN(ssl_is_https);
+
return OK;
}
result = getenv(var+4);
}
}
+ else if (strlen(var) > 4 && !strncasecmp(var, "SSL:", 4)
+ && rewrite_ssl_lookup) {
+ result = rewrite_ssl_lookup(r->pool, r->server, r->connection, r,
+ var + 4);
+ }
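Review bot: The new `SSL:` branch silently falls through when `rewrite_ssl_lookup` is NULL (mod_ssl not loaded), so `%{SSL:...}` then resolves like any unknown variable with no diagnostic; a comment stating that this is intentional would help, e.g. `/* Without mod_ssl, %{SSL:...} is treated as an unknown variable. */`. The `strlen(var) > 4` call walks the whole name on every lookup just to ensure something follows the prefix; `!strncasecmp(var, "SSL:", 4) && var[4] && rewrite_ssl_lookup` gives the same result without the scan. By contrast the HTTPS branch at `strcasecmp(var, "HTTPS") == 0` handles the missing-module case explicitly by yielding `"off"`, which is the clearer pattern. lookup_variable starts and ends outside this hunk.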
#define LOOKAHEAD(subrecfunc) \
if ( \
if (r->finfo.valid & APR_FINFO_GROUP) {
apr_group_name_get((char **)&result, r->finfo.group, r->pool);
}
+ } else if (strcasecmp(var, "HTTPS") == 0) {
+ int flag = rewrite_is_https && rewrite_is_https(r->connection);
+ result = flag ? "on" : "off";
}
if (result == NULL) {
conn_rec *, request_rec *,
char *));
+/* An optional function which returns non-zero if the given connection
+ * is using SSL/TLS. */
+APR_DECLARE_OPTIONAL_FN(int, ssl_is_https, (conn_rec *));
+
/* Proxy Support */
int ssl_proxy_enable(conn_rec *c);
int ssl_engine_disable(conn_rec *c);
*len = bytes;
if (inctx->mode == AP_MODE_SPECULATIVE) {
/* We want to rollback this read. */
- inctx->cbuf.value -= bytes;
- inctx->cbuf.length += bytes;
+ if (inctx->cbuf.length > 0) {
+ inctx->cbuf.value -= bytes;
+ inctx->cbuf.length += bytes;
+ } else {
+ char_buffer_write(&inctx->cbuf, buf, (int)bytes);
+ }
return APR_SUCCESS;
}
/* This could probably be *len == wanted, but be safe from stray
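Review bot: The rollback branch at `if (inctx->cbuf.length > 0)` still assumes every one of `bytes` was served from cbuf; if cbuf.length is non-zero but the read was only partly satisfied from it, `inctx->cbuf.value -= bytes` would rewind the pointer before the buffer's start. Whether that mix can occur depends on the read path above this hunk, which is outside it, so the invariant should be stated here, e.g. `/* cbuf.length > 0 here means the whole read came from cbuf, so the pointer can simply be rewound; otherwise re-buffer what was read. */`. The `(int)bytes` cast in the `char_buffer_write` call narrows an apr_size_t; presumably the caller's requested length bounds it, but a comment would make that explicit. ssl_io_input_read starts before this hunk.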
static void ssl_var_lookup_ssl_cipher_bits(SSL *ssl, int *usekeysize, int *algkeysize);
static char *ssl_var_lookup_ssl_version(apr_pool_t *p, char *var);
+static int ssl_is_https(conn_rec *c)
+{
+ SSLConnRec *sslconn = myConnConfig(c);
+ return sslconn && sslconn->ssl;
+}
+
void ssl_var_register(void)
{
+ APR_REGISTER_OPTIONAL_FN(ssl_is_https);
APR_REGISTER_OPTIONAL_FN(ssl_var_lookup);
return;
}
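Review bot: `ssl_is_https` reports a connection as SSL whenever `sslconn->ssl` is non-NULL, with no comment on what that means for a connection whose handshake has not finished or one where the engine was later disabled via the `ssl_engine_disable` path; if the SSL object exists before the handshake completes, callers such as the new mod_rewrite `%{HTTPS}` lookup would see "on" early — this depends on how SSLConnRec is populated, which is not visible here. The definition also lacks the header comment added in mod_ssl.h; `/* Optional function: non-zero if connection c has an SSL object attached. */` above `static int ssl_is_https(conn_rec *c)` would document the exported contract at its source.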
{
apr_socket_t *csd;
apr_status_t status;
- int sockdes;
*accepted = NULL;
status = apr_accept(&csd, lr->sd, ptrans);
if (status == APR_SUCCESS) {
*accepted = csd;
- apr_os_sock_get(&sockdes, csd);
-#ifdef TPF
- if (sockdes == 0) { /* 0 is invalid socket for TPF */
- return APR_EINTR;
- }
-#endif
- return status;
+ return APR_SUCCESS;
}
if (APR_STATUS_IS_EINTR(status)) {
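Review bot: After removing the `sockdes == 0` check, the success path at `return APR_SUCCESS;` relies on apr_accept() itself rejecting a zero descriptor on TPF, which the commit message states but nothing in this file shows; a one-line comment at the `apr_accept` call, `/* apr_accept() handles the TPF fd-zero case; no local check needed */`, would keep the next reader from re-adding it. `return APR_SUCCESS;` and the former `return status;` are equivalent inside the `status == APR_SUCCESS` branch, so the literal is fine. unixd_accept starts before this hunk and continues after it.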
else if (!strcasecmp(w, "Content-Length")) {
apr_table_set(r->headers_out, w, l);
}
+ else if (!strcasecmp(w, "Content-Range")) {
+ apr_table_set(r->headers_out, w, l);
+ }
else if (!strcasecmp(w, "Transfer-Encoding")) {
apr_table_set(r->headers_out, w, l);
}
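Review bot: The new `Content-Range` branch is the third consecutive `else if` whose body is identically `apr_table_set(r->headers_out, w, l);`, alongside `Content-Length` and `Transfer-Encoding`; merging them into one `else if (!strcasecmp(w, "Content-Length") || !strcasecmp(w, "Content-Range") || !strcasecmp(w, "Transfer-Encoding"))` would make the shared treatment obvious. The reason for the addition — the byterange filter leaves a response alone when Content-Range is already present in headers_out — lives only in the commit message; a comment such as `/* Put Content-Range in headers_out so the byterange filter passes a script's own ranged response through untouched. */` would preserve it next to the code. ap_scan_script_header_err_core starts and ends outside this hunk.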