From: Ruediger Pluem Date: Mon, 20 Jul 2020 05:58:49 +0000 (+0000) Subject: * Add the missing bits of backport commit r1879641: X-Git-Tag: 2.4.44~14 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ab4ec8f3835b63be56328d090b02a6c73edb925d;p=thirdparty%2Fapache%2Fhttpd.git * Add the missing bits of backport commit r1879641: http://svn.apache.org/r1750747 http://svn.apache.org/r1750749 http://svn.apache.org/r1750953 http://svn.apache.org/r1751138 http://svn.apache.org/r1751139 http://svn.apache.org/r1751147 http://svn.apache.org/r1757818 http://svn.apache.org/r1879253 http://svn.apache.org/r1879348 *) core: Drop an invalid Last-Modified header value coming from a (F)CGI script instead of replacing it with Unix epoch. Warn the users about Last-Modified header value replacements and violations of the RFC. trunk patch: http://svn.apache.org/r1748379 http://svn.apache.org/r1750747 http://svn.apache.org/r1750749 http://svn.apache.org/r1750953 http://svn.apache.org/r1751138 http://svn.apache.org/r1751139 http://svn.apache.org/r1751147 http://svn.apache.org/r1757818 http://svn.apache.org/r1879253 http://svn.apache.org/r1879348 2.4.x: trunk patches work, final view: http://home.apache.org/~elukey/httpd-2.4.x-core-last_modified_tz_logging.patch svn merge -c 1748379,1750747,1750749,1750953,1751138,1751139,1751139,1757818,1879253,r1879348 ^/httpd/httpd/trunk . The code has been tested with a simple PHP script returning different Last-Modified headers (GMT now, GMT now Europe/Paris, GMT tomorrow, GMT yesterday, PST now). +1: elukey, jorton, jim jorton: +1 though I'd say log at WARN or INFO for the APR_BAD_DATE case rather than "silently" (at normal log-level) dropping the parsed header? [also nit: wrapping a lone ap_log_rerror(,APLOG_X) call in if (APLOGrX(..) is unnecessary/redundant] git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1880060 13f79535-47bb-0310-9956-ffa450edef68 --- 
diff --git a/CHANGES b/CHANGES
index 57800b3161f..bd655168f23 100644
--- a/CHANGES
+++ b/CHANGES
@@ -17,7 +17,7 @@ Changes with Apache 2.4.44
 *) core: Drop an invalid Last-Modified header value coming from a FCGI/CGI script instead of replacing it with Unix epoch.
- [Luca Toscano]
+ [Yann Ylavic, Luca Toscano]
 *) Add support for strict content-length parsing through addition of ap_parse_strict_length() [Yann Ylavic]
diff --git a/server/util_script.c b/server/util_script.c
index 25c75dea1b1..a661dbcb589 100644
--- a/server/util_script.c
+++ b/server/util_script.c
@@ -672,15 +672,50 @@ AP_DECLARE(int) ap_scan_script_header_err_core_ex(request_rec *r, char *buffer,
 * pass it on blindly because of restrictions on future or invalid values.
 */
 else if (!strcasecmp(w, "Last-Modified")) {
- apr_time_t last_modified_date = apr_date_parse_http(l);
- if (last_modified_date != APR_DATE_BAD) {
- ap_update_mtime(r, last_modified_date);
+ apr_time_t parsed_date = apr_date_parse_http(l);
+ if (parsed_date != APR_DATE_BAD) {
+ ap_update_mtime(r, parsed_date);
 ap_set_last_modified(r);
+ if (APLOGrtrace1(r)) {
+ apr_time_t last_modified_date = apr_date_parse_http(apr_table_get(r->headers_out,
+ "Last-Modified"));
+ /*
+ * A Last-Modified header value coming from a (F)CGI source
+ * is considered HTTP input so we assume the GMT timezone.
+ * The following logs should inform the admin about violations
+ * and related actions taken by httpd.
+ * The apr_date_parse_rfc function is 'timezone aware'
+ * and it will be used to generate a more informative set of logs
+ * (we don't use it as a replacement of apr_date_parse_http + for the aforementioned reason).
+ */
+ apr_time_t parsed_date_tz_aware = apr_date_parse_rfc(l);
+
+ /*
+ * The parsed Last-Modified header datestring has been replaced by httpd.
+ */
+ if (parsed_date > last_modified_date) {
+ ap_log_rerror(SCRIPT_LOG_MARK, APLOG_TRACE1, 0, r,
+ "The Last-Modified header value %s (%s) " "has been replaced with '%s'", l,
+ parsed_date != parsed_date_tz_aware ? "not in GMT"
+ : "in the future",
+ apr_table_get(r->headers_out, "Last-Modified"));
+ /*
+ * Last-Modified header datestring not in GMT and not considered in the future
+ * by httpd (like now() + 1 hour in the PST timezone). No action is taken but + the admin is warned about the violation.
+ */
+ } else if (parsed_date != parsed_date_tz_aware) {
+ ap_log_rerror(SCRIPT_LOG_MARK, APLOG_TRACE1, 0, r,
+ "The Last-Modified header value is not set " "within the GMT timezone (as required)");
+ }
+ }
 }
 else {
- if (APLOGrtrace1(r))
- ap_log_rerror(SCRIPT_LOG_MARK, APLOG_TRACE1, 0, r,
- "Ignored invalid header value: Last-Modified: '%s'", l);
+ ap_log_rerror(SCRIPT_LOG_MARK, APLOG_INFO, 0, r, APLOGNO(10247)
+ "Ignored invalid header value: Last-Modified: '%s'", l);
 }
 }
 else if (!strcasecmp(w, "Set-Cookie")) {
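Review bot: Inside the new APLOGrtrace1 block, `apr_table_get(r->headers_out, "Last-Modified")` is handed to apr_date_parse_http and later to a `%s` without a NULL check; if ap_set_last_modified can leave the header unset (I believe it is a no-op for assbackwards requests, to be confirmed), last_modified_date becomes APR_DATE_BAD, `parsed_date > last_modified_date` is true and the trace line reports a replacement with '(null)'. Fetch the header once and guard on it: `const char *lm = apr_table_get(r->headers_out, "Last-Modified");` followed by `if (lm && parsed_date > apr_date_parse_http(lm)) {`, reusing `lm` as the message argument. A smaller point: a value that is both non-GMT and in the future logs only "not in GMT", so the ternary hides the clamping that actually happened; logging both conditions would be more informative to the admin. The enclosing ap_scan_script_header_err_core_ex starts and ends outside the hunk.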