Merge r763394 from trunk:
authorRuediger Pluem <rpluem@apache.org>
Sat, 25 Apr 2009 09:58:52 +0000 (09:58 +0000)
committerRuediger Pluem <rpluem@apache.org>
Sat, 25 Apr 2009 09:58:52 +0000 (09:58 +0000)
* Avoid delivering content from a previous request which failed to send a request
  body by closing the connection to the backend in this case instead of reusing it.

CVE: CVE-2009-1191 (cve.mitre.org)
PR: 46949
Submitted by: rpluem
Reviewed by: rpluem, wrowe, jfclere

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@768506 13f79535-47bb-0310-9956-ffa450edef68

CHANGES
STATUS
modules/proxy/mod_proxy_ajp.c

diff --git a/CHANGES b/CHANGES
index 2697cd9344193bdb3eebc94bc44ea428b67a497d..013398d3cf0f34f633bbb98e935d60da2c544795 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,10 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.2.12
 
+  *) SECURITY: CVE-2009-1191 (cve.mitre.org)
+     mod_proxy_ajp: Avoid delivering content from a previous request which
+     failed to send a request body. PR 46949 [Ruediger Pluem]
+
   *) mod_ssl: Add SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN directives
      to enable stricter checking of remote server certificates.
      [Ruediger Pluem]
diff --git a/STATUS b/STATUS
index b3ed5a88a9664560cc2aaa0b26181ef03c53dbea..0f4d79ef9ba12b70296dd2674454fe7b77cc9443 100644 (file)
--- a/STATUS
+++ b/STATUS
@@ -87,16 +87,6 @@ RELEASE SHOWSTOPPERS:
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
   [ start all new proposals below, under PATCHES PROPOSED. ]
 
-* mod_proxy_ajp: Avoid delivering content from a previous request which failed
-  to send a request body by closing the connection to the backend in this case
-  instead of reusing it.
-  PR: 46949
-  Trunk version of patch:
-     http://svn.apache.org/viewvc?rev=763394&view=rev
-  Backport version for 2.2.x of patch:
-     Trunk version of patch works
-  +1: rpluem, wrowe, jfclere
-
  * mod_proxy_ajp: Check more strictly that the backend follows the AJP protocol.
    Trunk version of patch:
       http://svn.apache.org/viewvc?rev=764239&view=rev
index c3b80e3d78a9e11c1f882cabc5785cde736f0224..6601cb2c8868271ea47804c24a46caf296278716 100644 (file)
@@ -307,21 +307,17 @@ static int ap_proxy_ajp_request(apr_pool_t *p, request_rec *r,
                          "proxy: read zero bytes, expecting"
                          " %" APR_OFF_T_FMT " bytes",
                          content_length);
-            status = ajp_send_data_msg(conn->sock, msg, 0);
-            if (status != APR_SUCCESS) {
-                /* We had a failure: Close connection to backend */
-                conn->close++;
-                ap_log_error(APLOG_MARK, APLOG_ERR, status, r->server,
-                            "proxy: send failed to %pI (%s)",
-                            conn->worker->cp->addr,
-                            conn->worker->hostname);
-                return HTTP_INTERNAL_SERVER_ERROR;
-            }
-            else {
-                /* Client send zero bytes with C-L > 0
-                 */
-                return HTTP_BAD_REQUEST;
-            }
+            /*
+             * We can only get here if the client closed the connection
+             * to us without sending the body.
+             * Now the connection is in the wrong state on the backend.
+             * Sending an empty data msg doesn't help either as it does
+             * not move this connection to the correct state on the backend
+             * for later resusage by the next request again.
+             * Close it to clean things up.
+             */
+            conn->close++;
+            return HTTP_BAD_REQUEST;
         }
     }
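Review bot: The new comment above `conn->close++` carries the whole security rationale, but it has a typo (`resusage`) and never says what goes wrong if the connection is reused; I would reword its tail to `* for later reuse by the next request, which could otherwise be served` / `* content belonging to this request. Close it to clean things up.` The statement "We can only get here if the client closed the connection" depends on the enclosing condition, which begins outside this hunk, so it is worth confirming that a zero-byte read cannot also come from another path such as a timeout or an input filter. Because the fix relies on `conn->close` being set before the return, any other early return in ap_proxy_ajp_request taken after the request header has been forwarded to the backend should be checked for the same marking; those paths are not visible here.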