- -*- coding: utf-8 -*-
+ -*- coding: utf-8 -*-
Changes with Apache 2.2.15
- *) Ensure each subrequest has a shallow copy of headers_in so that the
- parent request headers are not corrupted. Elimiates a problematic
- optimization in the case of no request body. PR 48359
- [Jake Scott, William Rowe, Ruediger Pluem]
-
*) SECURITY: CVE-2009-3555 (cve.mitre.org)
A partial fix for the TLS renegotiation prefix injection attack by
rejecting any client-initiated renegotiations. Forcibly disable keepalive
return r;
}
-/* if a request with a body creates a subrequest, remove original request's
- * input headers which pertain to the body which has already been read.
- * out-of-line helper function for ap_set_sub_req_protocol.
+/* if a request with a body creates a subrequest, clone the original request's
+ * input headers minus any headers pertaining to the body which has already
+ * been read. out-of-line helper function for ap_set_sub_req_protocol.
*/
-static void strip_headers_request_body(request_rec *rnew)
+static void clone_headers_no_body(request_rec *rnew,
+ const request_rec *r)
{
+ rnew->headers_in = apr_table_copy(rnew->pool, r->headers_in);
apr_table_unset(rnew->headers_in, "Content-Encoding");
apr_table_unset(rnew->headers_in, "Content-Language");
apr_table_unset(rnew->headers_in, "Content-Length");
rnew->status = HTTP_OK;
- rnew->headers_in = apr_table_copy(rnew->pool, r->headers_in);
-
/* did the original request have a body? (e.g. POST w/SSI tags)
* if so, make sure the subrequest doesn't inherit body headers
*/
if (apr_table_get(r->headers_in, "Content-Length")
|| apr_table_get(r->headers_in, "Transfer-Encoding")) {
- strip_headers_request_body(rnew, r);
+ clone_headers_no_body(rnew, r);
+ } else {
+ /* no body (common case). clone headers the cheap way */
+ rnew->headers_in = r->headers_in;
}
rnew->subprocess_env = apr_table_copy(rnew->pool, r->subprocess_env);
rnew->headers_out = apr_table_make(rnew->pool, 5);
projects / thirdparty / apache / httpd.git / commitdiff
