From: Joe Orton <jorton@apache.org>
Date: Fri, 27 Aug 2004 09:03:24 +0000 (+0000)
Subject: Backport from HEAD:
X-Git-Tag: STRIKER_2_0_51_RC1^2~23
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5a31292a03aede7d26c2d42e2e611404f3a21f78;p=thirdparty%2Fapache%2Fhttpd.git

Backport from HEAD:

* os/unix/unixd.c (unixd_accept): Eliminate now-redundant call to
apr_os_sock_get(); let APR check for accept returning zero on TPF.

* modules/ssl/ssl_engine_io.c (ssl_io_input_read): Fix rollback
handling for AP_MODE_SPECULATIVE.

* modules/mappers/mod_rewrite.c (post_config): Retrieve optional
functions from mod_ssl.  (lookup_variable): Support SSL:...
and HTTPS variables via mod_ssl optional hooks, if available.

* server/util_script.c (ap_scan_script_header_err_core): Set
Content-Range in r->headers_out, so that the byterange filter knows to
do nothing for a CGI script which produced a content-range.

* modules/ssl/mod_ssl.h: Declare ssl_is_https optional function.

* modules/ssl/ssl_engine_vars.c (ssl_is_https): New function.
(ssl_var_register): Register it.

PR: 30134, 30464
Reviewed by: trawick, jerenkrantz, nd, stoddard


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/APACHE_2_0_BRANCH@104851 13f79535-47bb-0310-9956-ffa450edef68
---

diff --git a/CHANGES b/CHANGES
index d2ddd1d96b6..7420d9d4cbd 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,5 +1,18 @@
 Changes with Apache 2.0.51
 
+  *) SECURITY: CAN-2004-0751 (cve.mitre.org)
+     mod_ssl: Fix a segfault in the SSL input filter which could be
+     triggered if using "speculative" mode, for instance by a 
+     proxy request to an SSL server.  PR 30134.  [Joe Orton]
+
+  *) mod_rewrite: Add %{SSL:...} and %{HTTPS} variable lookups.
+     PR 30464.  [Joe Orton]
+
+  *) mod_ssl: Add new 'ssl_is_https' optional function.  [Joe Orton]
+
+  *) Prevent CGI script output which includes a Content-Range header
+     from being passed through the byterange filter.  [Joe Orton]
+
   *) Satisfy directives now can be influenced by a surrounding <Limit>
      container.  PR 14726.  [André Malo]
 
diff --git a/STATUS b/STATUS
index c0552f7e35a..9594fe710fb 100644
--- a/STATUS
+++ b/STATUS
@@ -1,5 +1,5 @@
 APACHE 2.0 STATUS:                                              -*-text-*-
-Last modified at [$Date: 2004/08/26 22:21:33 $]
+Last modified at [$Date: 2004/08/27 09:03:22 $]
 
 Release:
 
@@ -83,28 +83,6 @@ PATCHES TO BACKPORT FROM 2.1
        +1: stoddard, trawick
        nd: I'd like to add 1.169
 
-    *) [SECURITY] mod_ssl: Fix potential input filter segfaults in SPECULATIVE mode.
-       http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/ssl/ssl_engine_io.c?r1=1.125&r2=1.126
-       PR: 30134
-       +1: jorton, trawick, jerenkrantz
-
-    *) unixd_accept: Eliminate now-unnecessary apr_os_sock_get() call.
-       http://cvs.apache.org/viewcvs.cgi/httpd-2.0/os/unix/unixd.c?r1=1.66&r2=1.67
-       +1: jorton, trawick, jerenkrantz
-
-    *) Prevent byterange filter doing its thang for a CGI which returns a Content-Range
-       http://cvs.apache.org/viewcvs.cgi/httpd-2.0/server/util_script.c?r1=1.89&r2=1.90
-       +1: jorton, trawick, nd, jerenkrantz
-
-    *) mod_ssl: Add ssl_is_https optional hook.
-       http://www.apache.org/~jorton/mod_ssl-2.0-ishttps.diff
-       +1: jorton, stoddard, trawick, nd
-
-    *) mod_rewrite: Add %{SSL:...} and %{HTTPS} support (regression from 1.3/mod_ssl).
-       http://www.apache.org/~jorton/mod_rewrite-2.0-sslvar.diff
-       PR: 30464
-       +1: jorton, stoddard, nd
-
     *) Remove LDAP toolkit specific code from util_ldap and mod_auth_ldap.
          modules/experimental/mod_auth_ldap.c: 1.28
          modules/experimental/util_ldap.c: 1.36
diff --git a/modules/mappers/mod_rewrite.c b/modules/mappers/mod_rewrite.c
index 71cd0b61ac3..6e9eddbe69c 100644
--- a/modules/mappers/mod_rewrite.c
+++ b/modules/mappers/mod_rewrite.c
@@ -73,6 +73,14 @@
 #include "http_protocol.h"
 #include "mod_rewrite.h"
 
+/* mod_ssl.h is not safe for inclusion in 2.0, so duplicate the
+ * optional function declarations. */
+APR_DECLARE_OPTIONAL_FN(char *, ssl_var_lookup,
+                        (apr_pool_t *, server_rec *,
+                         conn_rec *, request_rec *,
+                         char *));
+APR_DECLARE_OPTIONAL_FN(int, ssl_is_https, (conn_rec *));
+
 #if !defined(OS2) && !defined(WIN32) && !defined(BEOS)  && !defined(NETWARE)
 #include "unixd.h"
 #define MOD_REWRITE_SET_MUTEX_PERMS /* XXX Apache should define something */
@@ -135,6 +143,10 @@ static const char *lockname;
 static apr_global_mutex_t *rewrite_mapr_lock_acquire = NULL;
 static apr_global_mutex_t *rewrite_log_lock = NULL;
 
+/* Optional functions imported from mod_ssl when loaded: */
+static APR_OPTIONAL_FN_TYPE(ssl_var_lookup) *rewrite_ssl_lookup = NULL;
+static APR_OPTIONAL_FN_TYPE(ssl_is_https) *rewrite_is_https = NULL;
+
 /*
 ** +-------------------------------------------------------+
 ** |                                                       |
@@ -1018,6 +1030,10 @@ static int post_config(apr_pool_t *p,
             }
         }
     }
+
+    rewrite_ssl_lookup = APR_RETRIEVE_OPTIONAL_FN(ssl_var_lookup);
+    rewrite_is_https = APR_RETRIEVE_OPTIONAL_FN(ssl_is_https);
+
     return OK;
 }
 
@@ -3902,6 +3918,11 @@ static char *lookup_variable(request_rec *r, char *var)
             result = getenv(var+4);
         }
     }
+    else if (strlen(var) > 4 && !strncasecmp(var, "SSL:", 4) 
+             && rewrite_ssl_lookup) {
+        result = rewrite_ssl_lookup(r->pool, r->server, r->connection, r, 
+                                    var + 4);
+    }
 
 #define LOOKAHEAD(subrecfunc) \
         if ( \
@@ -3949,6 +3970,9 @@ static char *lookup_variable(request_rec *r, char *var)
         if (r->finfo.valid & APR_FINFO_GROUP) {
             apr_group_name_get((char **)&result, r->finfo.group, r->pool);
         }
+    } else if (strcasecmp(var, "HTTPS") == 0) {
+        int flag = rewrite_is_https && rewrite_is_https(r->connection);
+        result = flag ? "on" : "off";
     }
 
     if (result == NULL) {
diff --git a/modules/ssl/mod_ssl.h b/modules/ssl/mod_ssl.h
index e9db89768ca..2ffc4d4fcaa 100644
--- a/modules/ssl/mod_ssl.h
+++ b/modules/ssl/mod_ssl.h
@@ -665,6 +665,10 @@ APR_DECLARE_OPTIONAL_FN(char *, ssl_var_lookup,
                          conn_rec *, request_rec *,
                          char *));
 
+/* An optional function which returns non-zero if the given connection
+ * is using SSL/TLS. */
+APR_DECLARE_OPTIONAL_FN(int, ssl_is_https, (conn_rec *));
+
 /* Proxy Support */
 int ssl_proxy_enable(conn_rec *c);
 int ssl_engine_disable(conn_rec *c);
diff --git a/modules/ssl/ssl_engine_io.c b/modules/ssl/ssl_engine_io.c
index ff8eb81b45f..974c07126f3 100644
--- a/modules/ssl/ssl_engine_io.c
+++ b/modules/ssl/ssl_engine_io.c
@@ -562,8 +562,12 @@ static apr_status_t ssl_io_input_read(bio_filter_in_ctx_t *inctx,
         *len = bytes;
         if (inctx->mode == AP_MODE_SPECULATIVE) {
             /* We want to rollback this read. */
-            inctx->cbuf.value -= bytes;
-            inctx->cbuf.length += bytes;
+            if (inctx->cbuf.length > 0) {
+                inctx->cbuf.value -= bytes;
+                inctx->cbuf.length += bytes;
+            } else {
+                char_buffer_write(&inctx->cbuf, buf, (int)bytes);
+            }
             return APR_SUCCESS;
         }
         /* This could probably be *len == wanted, but be safe from stray
diff --git a/modules/ssl/ssl_engine_vars.c b/modules/ssl/ssl_engine_vars.c
index 76b35461a68..55db837fcda 100644
--- a/modules/ssl/ssl_engine_vars.c
+++ b/modules/ssl/ssl_engine_vars.c
@@ -47,8 +47,15 @@ static char *ssl_var_lookup_ssl_cipher(apr_pool_t *p, conn_rec *c, char *var);
 static void  ssl_var_lookup_ssl_cipher_bits(SSL *ssl, int *usekeysize, int *algkeysize);
 static char *ssl_var_lookup_ssl_version(apr_pool_t *p, char *var);
 
+static int ssl_is_https(conn_rec *c)
+{
+    SSLConnRec *sslconn = myConnConfig(c);
+    return sslconn && sslconn->ssl;
+}
+
 void ssl_var_register(void)
 {
+    APR_REGISTER_OPTIONAL_FN(ssl_is_https);
     APR_REGISTER_OPTIONAL_FN(ssl_var_lookup);
     return;
 }
diff --git a/os/unix/unixd.c b/os/unix/unixd.c
index f308667d289..c64543a8b64 100644
--- a/os/unix/unixd.c
+++ b/os/unix/unixd.c
@@ -462,19 +462,12 @@ AP_DECLARE(apr_status_t) unixd_accept(void **accepted, ap_listen_rec *lr,
 {
     apr_socket_t *csd;
     apr_status_t status;
-    int sockdes;
 
     *accepted = NULL;
     status = apr_accept(&csd, lr->sd, ptrans);
     if (status == APR_SUCCESS) { 
         *accepted = csd;
-        apr_os_sock_get(&sockdes, csd);
-#ifdef TPF
-        if (sockdes == 0) {                  /* 0 is invalid socket for TPF */
-            return APR_EINTR;
-        }
-#endif
-        return status;
+        return APR_SUCCESS;
     }
 
     if (APR_STATUS_IS_EINTR(status)) {
diff --git a/server/util_script.c b/server/util_script.c
index a1d8b946b7a..28989476c93 100644
--- a/server/util_script.c
+++ b/server/util_script.c
@@ -556,6 +556,9 @@ AP_DECLARE(int) ap_scan_script_header_err_core(request_rec *r, char *buffer,
 	else if (!strcasecmp(w, "Content-Length")) {
 	    apr_table_set(r->headers_out, w, l);
 	}
+        else if (!strcasecmp(w, "Content-Range")) {
+            apr_table_set(r->headers_out, w, l);
+        }
 	else if (!strcasecmp(w, "Transfer-Encoding")) {
 	    apr_table_set(r->headers_out, w, l);
 	}