* Add the missing bits of backport commit r1879641:

                  http://svn.apache.org/r1750747
                  http://svn.apache.org/r1750749
                  http://svn.apache.org/r1750953
                  http://svn.apache.org/r1751138
                  http://svn.apache.org/r1751139
                  http://svn.apache.org/r1751147
                  http://svn.apache.org/r1757818
                  http://svn.apache.org/r1879253
                  http://svn.apache.org/r1879348

  *) core: Drop an invalid Last-Modified header value coming
     from a (F)CGI script instead of replacing it with Unix epoch.
     Warn the users about Last-Modified header value replacements
     and violations of the RFC.
     trunk patch: http://svn.apache.org/r1748379
                  http://svn.apache.org/r1750747
                  http://svn.apache.org/r1750749
                  http://svn.apache.org/r1750953
                  http://svn.apache.org/r1751138
                  http://svn.apache.org/r1751139
                  http://svn.apache.org/r1751147
                  http://svn.apache.org/r1757818
                  http://svn.apache.org/r1879253
                  http://svn.apache.org/r1879348
     2.4.x: trunk patches work, final view:
            http://home.apache.org/~elukey/httpd-2.4.x-core-last_modified_tz_logging.patch
            svn merge -c 1748379,1750747,1750749,1750953,1751138,1751139,1751139,1757818,1879253,r1879348 ^/httpd/httpd/trunk .
     The code has been tested with a simple PHP script returning different Last-Modified
     headers (GMT now, GMT now Europe/Paris, GMT tomorrow, GMT yesterday, PST now).
     +1: elukey, jorton, jim
     jorton: +1 though I'd say log at WARN or INFO for the APR_BAD_DATE case
             rather than "silently" (at normal log-level) dropping the parsed header?
             [also nit: wrapping a lone ap_log_rerror(,APLOG_X) call in
             if (APLOGrX(..) is unnecessary/redundant]

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1880060 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/CHANGES b/CHANGES
index 57800b3161f1dcc7a588b8630bb9b63da880a87f..bd655168f23a923c9520bfe135955a90fbc5278c 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -17,7 +17,7 @@ Changes with Apache 2.4.44
 
   *) core: Drop an invalid Last-Modified header value coming
      from a FCGI/CGI script instead of replacing it with Unix epoch.
-     [Luca Toscano]
+     [Yann Ylavic, Luca Toscano]
 
   *) Add support for strict content-length parsing through addition of
      ap_parse_strict_length() [Yann Ylavic]

diff --git a/server/util_script.c b/server/util_script.c
index 25c75dea1b154cc1c90fb04f628f959974faf78a..a661dbcb589759d3890c2ffcbba858e2b4c13a16 100644 (file)
--- a/server/util_script.c
+++ b/server/util_script.c
@@ -672,15 +672,50 @@ AP_DECLARE(int) ap_scan_script_header_err_core_ex(request_rec *r, char *buffer,
          * pass it on blindly because of restrictions on future or invalid values.
          */
         else if (!strcasecmp(w, "Last-Modified")) {
-            apr_time_t last_modified_date = apr_date_parse_http(l);
-            if (last_modified_date != APR_DATE_BAD) {
-                ap_update_mtime(r, last_modified_date);
+            apr_time_t parsed_date = apr_date_parse_http(l);
+            if (parsed_date != APR_DATE_BAD) {
+                ap_update_mtime(r, parsed_date);
                 ap_set_last_modified(r);
+                if (APLOGrtrace1(r)) {
+                    apr_time_t last_modified_date = apr_date_parse_http(apr_table_get(r->headers_out,
+                                                                                      "Last-Modified"));
+                    /*
+                     * A Last-Modified header value coming from a (F)CGI source
+                     * is considered HTTP input so we assume the GMT timezone.
+                     * The following logs should inform the admin about violations
+                     * and related actions taken by httpd.
+                     * The apr_date_parse_rfc function is 'timezone aware'
+                     * and it will be used to generate a more informative set of logs
+                     * (we don't use it as a replacement of apr_date_parse_http
+                     * for the aforementioned reason).
+                     */
+                    apr_time_t parsed_date_tz_aware = apr_date_parse_rfc(l);
+
+                    /* 
+                     * The parsed Last-Modified header datestring has been replaced by httpd.
+                     */
+                    if (parsed_date > last_modified_date) {
+                        ap_log_rerror(SCRIPT_LOG_MARK, APLOG_TRACE1, 0, r,
+                                      "The Last-Modified header value %s (%s) "
+                                      "has been replaced with '%s'", l,
+                                      parsed_date != parsed_date_tz_aware ? "not in GMT"
+                                                                          : "in the future",
+                                      apr_table_get(r->headers_out, "Last-Modified"));
+                    /* 
+                     * Last-Modified header datestring not in GMT and not considered in the future
+                     * by httpd (like now() + 1 hour in the PST timezone). No action is taken but
+                     * the admin is warned about the violation.
+                     */
+                    } else if (parsed_date != parsed_date_tz_aware) {
+                        ap_log_rerror(SCRIPT_LOG_MARK, APLOG_TRACE1, 0, r,
+                                      "The Last-Modified header value is not set "
+                                      "within the GMT timezone (as required)");
+                    }
+                }
             }
             else {
-                if (APLOGrtrace1(r))
-                   ap_log_rerror(SCRIPT_LOG_MARK, APLOG_TRACE1, 0, r,
-                                 "Ignored invalid header value: Last-Modified: '%s'", l);
+                ap_log_rerror(SCRIPT_LOG_MARK, APLOG_INFO, 0, r, APLOGNO(10247)
+                              "Ignored invalid header value: Last-Modified: '%s'", l);
             }
         }
         else if (!strcasecmp(w, "Set-Cookie")) {