From: Luca Toscano
Date: Tue, 14 Jun 2016 10:35:23 +0000 (+0000)
Subject: Drop an invalid Last-Modified header value returned by a FCGI/CGI
X-Git-Tag: 2.5.0-alpha~1504
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f2c1f268b06a7a7985051ead4094044c90603c59;p=thirdparty%2Fapache%2Fhttpd.git

Drop an invalid Last-Modified header value returned by a FCGI/CGI script instead of transforming it to Unix Epoch.

This bug was mentioned in the users@ mailing list and outlined in the following centos bug:
https://bugs.centos.org/view.php?id=10940

To reproduce the issue it is sufficient to connect mod-fastcgi to a PHP script that returns a HTTP response with the header "Last-Modified: foo". The header will be modified by script_util.c to "Last-Modified: Thu, 01 Jan 1970 00:00:00 GMT".

Dropping an invalid header in this case seems to be the most consistent and correct option in my opinion, plus it shouldn't break existing configurations. Returning Unix Epoch might be dangerous and should be avoided, but please let me know your opinions.

Moreover this is my first commit outside the documentation court, I hope to have got the procedure right.

This fix has been tested also with the 2.4.x branch.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1748379 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/CHANGES b/CHANGES index 9999c76569d..485f1dfc767 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,10 @@ -*- coding: utf-8 -*- Changes with Apache 2.5.0 + *) core: Drop an invalid Last-Modified header value coming + from a FCGI/CGI script instead of replacing it with Unix epoch. + [Luca Toscano] + *) mod_dav: Allow other modules to become providers and add ACLs to the DAV response. [Jari Urpalainen , Graham Leggett] diff --git a/server/util_script.c b/server/util_script.c index c9201b49cf9..aa24518eaeb 100644 --- a/server/util_script.c +++ b/server/util_script.c 
@@ -662,11 +662,19 @@ AP_DECLARE(int) ap_scan_script_header_err_core_ex(request_rec *r, char *buffer, } /* * If the script gave us a Last-Modified header, we can't just - * pass it on blindly because of restrictions on future values. + * pass it on blindly because of restrictions on future or invalid values. */ else if (!ap_cstr_casecmp(w, "Last-Modified")) { - ap_update_mtime(r, apr_date_parse_http(l)); - ap_set_last_modified(r); + apr_time_t last_modified_date = apr_date_parse_http(l); + if (last_modified_date != APR_DATE_BAD) { + ap_update_mtime(r, last_modified_date); + ap_set_last_modified(r); + } + else { + if (APLOGrtrace1(r)) + ap_log_rerror(SCRIPT_LOG_MARK, APLOG_TRACE1, 0, r, + "Ignored invalid header value: Last-Modified: '%s'", l); + } } else if (!ap_cstr_casecmp(w, "Set-Cookie")) { apr_table_add(cookie_table, w, l);
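Review bot: In the new else branch of the Last-Modified handling in server/util_script.c, the rejected value is recorded only behind `APLOGrtrace1(r)` at `APLOG_TRACE1`, so at ordinary log levels a script that emits a malformed Last-Modified loses the header with nothing in the log for the operator to find. Consider logging the drop at a level that is more likely to be enabled in production, since a backend sending unparsable dates also affects caching and conditional requests downstream. The comment above the branch now mentions "invalid values" but does not say what happens to them; it should state that a value for which `apr_date_parse_http(l)` returns `APR_DATE_BAD` is dropped rather than passed on. As a style point, the nested `else { if (APLOGrtrace1(r)) ... }` can be flattened to `else if (APLOGrtrace1(r))`, or the inner `if` given braces to match the surrounding code.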