Jim Jagielski [Thu, 5 Sep 2002 14:19:19 +0000 (14:19 +0000)]
When the cache would validate 304 responses from back-end server, it would
incorrectly set the content-length value to 0 (from the 304 response)
instead of keeping the original value.
PR: Bugz 10128
Obtained from:
Submitted by: Paul Terry <paul.terry@gmx.net> and ast@domdv.de
Reviewed by:
Graham Leggett [Tue, 3 Sep 2002 07:12:46 +0000 (07:12 +0000)]
Fix a problem in proxy where headers from other modules were
added to the response headers when this was already done in the
core. This resulted in header (and therefore cookie)
duplication.
PR:
Obtained from:
Submitted by: Martijn Schoemaker <martijn@osp.nl>
Reviewed by: Graham Leggett
- Fix segfault on strlen computation on the empty string in vlv case
- If the etag is "", don't set the ETag header to be "" - leave the
header NULL instead.
Andrew's patch would change ap_meets_condition to accept "", but Justin
thinks it would be better just to sidestep it all together and not set
ETag when it would be "".
(Backport of patch applied to httpd-2.0 as original 1.3 code has the
same flaws.)
PR: 12202
Submitted by: Andrew Ho <andrew@tellme.com>
Ken Coar [Mon, 12 Aug 2002 19:19:03 +0000 (19:19 +0000)]
Add a new environment variable to keep the charset from being
included on canned error documents. (Having it there makes
some browsers apply it to the redirect target document.)
Reviewed by: Bill Stoddard, Jim Jagielski, Justin Erenkrantz, Cliff Woolley
Mark J. Cox [Tue, 30 Jul 2002 13:08:04 +0000 (13:08 +0000)]
Add 3 new CVE names for old (circa 2000) security issues; rearrange
security changes so they are consistent
PR:
Obtained from:
Submitted by:
Reviewed by:
Martin Kraemer [Mon, 22 Jul 2002 16:26:03 +0000 (16:26 +0000)]
Tomcat with mod_jk2 sometimes omits the Reason-Phrase from the
response line ("HTTP/1.1 200 \r\n"). It looks like RFC2616 allows this,
but ap_getline() strips the trailing blank, and that led to
an error in ap_proxy_read_response_line() for proxy-requests to
Tomcat+mod_jk2 servers. (It replaced the NIL after the "200" by
a space, and so the resulting response line had an extra NL appended).
Now the SP character which was deleted by ap_getline() is reappended,
avoiding the erroneous '\0'->' ' change, and preserving RFC2616's
requirement
Status-Line = HTTP-Version SP Status-Code SP Reason-Phrase CRLF
Reason-Phrase = *<TEXT, excluding CR, LF>
(thus there is now always a SP after the Status-Code).
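The edge case described in the commit above, as an added example that is not code from the httpd project: a getline-style helper that strips trailing blanks (as ap_getline() is described as doing), and a status-line parser that still accepts "HTTP/1.1 200" with the Reason-Phrase omitted and always emits a normalized line with exactly one SP after the Status-Code. The function names strip_line() and parse_status_line() are this example's own, not httpd's.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for a getline() that, like the ap_getline() behaviour described
 * in the commit, drops trailing CR/LF and trailing blanks. Returns a
 * malloc'd copy the caller frees. */
char *strip_line(const char *raw)
{
    size_t n = strlen(raw);
    while (n > 0 && (raw[n - 1] == '\r' || raw[n - 1] == '\n' ||
                     raw[n - 1] == ' '  || raw[n - 1] == '\t'))
        n--;
    char *out = malloc(n + 1);
    memcpy(out, raw, n);
    out[n] = '\0';
    return out;
}

/* Parse "HTTP-Version SP Status-Code [SP Reason-Phrase]".
 * Returns the numeric status code, or -1 if the line is not a status line.
 * Writes a normalized "HTTP-Version SP Status-Code SP Reason-Phrase CRLF"
 * into buf, so there is always a SP after the Status-Code even when the
 * back end omitted the Reason-Phrase and the trailing SP was stripped. */
int parse_status_line(const char *line, char *buf, size_t buflen)
{
    const char *p = line;
    if (strncmp(p, "HTTP/", 5) != 0) return -1;
    p += 5;
    if (!isdigit((unsigned char)*p)) return -1;
    while (isdigit((unsigned char)*p)) p++;
    if (*p != '.') return -1;
    p++;
    if (!isdigit((unsigned char)*p)) return -1;
    while (isdigit((unsigned char)*p)) p++;
    if (*p != ' ') return -1;
    p++;                                   /* p now at Status-Code */

    if (!(isdigit((unsigned char)p[0]) && isdigit((unsigned char)p[1]) &&
          isdigit((unsigned char)p[2])))
        return -1;
    int code = (p[0] - '0') * 100 + (p[1] - '0') * 10 + (p[2] - '0');

    const char *after = p + 3;
    const char *reason;
    if (*after == '\0')      reason = "";        /* "HTTP/1.1 200": SP was stripped */
    else if (*after == ' ')  reason = after + 1; /* may itself be empty */
    else                     return -1;          /* e.g. "2000" or "200x" */

    /* Reason-Phrase = *<TEXT, excluding CR, LF> */
    for (const char *q = reason; *q; q++)
        if (*q == '\r' || *q == '\n') return -1;

    size_t verlen = (size_t)(p - 1 - line);     /* length of "HTTP/x.y" */
    int n = snprintf(buf, buflen, "%.*s %03d %s\r\n", (int)verlen, line, code, reason);
    if (n < 0 || (size_t)n >= buflen) return -1;
    return code;
}

int main(void)
{
    /* Constructed sample: a Tomcat-style line with the Reason-Phrase omitted. */
    char *s = strip_line("HTTP/1.1 200 \r\n");
    char buf[128];
    int code = parse_status_line(s, buf, sizeof buf);
    printf("code=%d normalized=%s", code, buf);   /* prints "HTTP/1.1 200 \r\n" */
    free(s);
    return 0;
}
```

The normalized line is what a proxy would forward; the point of the example is that the stripped form and the original form both parse to the same code and re-serialize identically.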
Scratching an old itch. Rather than cause a WARNING: in the log
with the value at startup - have a method to find the value without
actually really running it (or binding to ports, touching logs, etc).
Jim Jagielski [Tue, 9 Jul 2002 14:47:24 +0000 (14:47 +0000)]
Allow for null/all-whitespace C-L fields as we did pre-1.3.26. However,
we do not allow for the total bogusness of values for C-L, just this
one special case. IMO a C-L field of "iloveyou" is bogus as is one
of "123yabbadabbado", which older versions appear to have allowed
(and in the 1st case, assume 0 and in the 2nd assume 123). Didn't
make sense to make this runtime, but a documented special case
instead.
PR:
Obtained from:
Submitted by:
Reviewed by:
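The Content-Length rule stated in the commit above, as an added example that is not code from the httpd project: the empty or all-whitespace value is the one special case accepted (as 0), while values such as "iloveyou" or "123yabbadabbado" are rejected rather than read as 0 and 123. A second function, content_length_lenient(), shows what an atoi()-style reading does with those same inputs; both function names are this example's own.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

enum { CL_OK = 0, CL_BOGUS = -1 };

/* Strict parser: accepts "" / "   " as 0 (documented special case);
 * otherwise requires an unsigned decimal integer surrounded by nothing
 * but blanks. Writes the value to *out and returns CL_OK, or CL_BOGUS. */
int content_length_parse(const char *value, long *out)
{
    const char *p = value;
    char *end;
    long n;

    while (*p == ' ' || *p == '\t') p++;
    if (*p == '\0') {                 /* null / all-whitespace C-L */
        *out = 0;
        return CL_OK;
    }
    if (!isdigit((unsigned char)*p))  /* rejects "iloveyou", "+5", "-1" */
        return CL_BOGUS;

    errno = 0;
    n = strtol(p, &end, 10);
    if (errno == ERANGE)              /* does not fit in a long */
        return CL_BOGUS;
    while (*end == ' ' || *end == '\t') end++;
    if (*end != '\0')                 /* trailing junk: "123yabbadabbado" */
        return CL_BOGUS;

    *out = n;
    return CL_OK;
}

/* Lenient reading for comparison: this is how "iloveyou" becomes 0 and
 * "123yabbadabbado" becomes 123, the behaviour the commit calls bogus. */
long content_length_lenient(const char *value)
{
    return atol(value);
}

int main(void)
{
    /* Constructed sample header values. */
    const char *samples[] = { "", "   ", " 123 ", "iloveyou", "123yabbadabbado" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        long n = -1;
        int rc = content_length_parse(samples[i], &n);
        printf("\"%s\": strict=%s (%ld) lenient=%ld\n", samples[i],
               rc == CL_OK ? "ok" : "bogus", n, content_length_lenient(samples[i]));
    }
    return 0;
}
```

The strict parser is the one a request-smuggling-conscious reviewer wants: a body length that a proxy and an origin might read differently is exactly the kind of ambiguity the rejection removes.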
Jim Jagielski [Mon, 8 Jul 2002 18:06:55 +0000 (18:06 +0000)]
Add ProtocolReqCheck directive, which determines if Apache will
check for a valid protocol string in the request (eg: HTTP/1.1)
and return HTTP_BAD_REQUEST if not valid. Versions of Apache
prior to 1.3.26 would silently ignore bad protocol strings, but
1.3.26 included a more strict check. This makes it runtime
configurable. The default is On. This also removes the requirement
on an ANSI sscanf() implementation.
Mark J. Cox [Thu, 27 Jun 2002 11:01:57 +0000 (11:01 +0000)]
Be consistent when highlighting security changes, check the CVE names
and add some missing ones (I applied a while ago for the remaining
CVE names for older issues, but since these are pre-2000 they are low
priority)
PR:
Obtained from:
Submitted by:
Reviewed by:
Brian Havard [Tue, 18 Jun 2002 11:58:24 +0000 (11:58 +0000)]
OS/2: Fix linkage to ap_strtol() by making it a macro like on Win32. Modules
were failing to build because ap_strtol() wasn't being exported from the core.
This makes it unnecessary.
According to Watcom and other docs, it appears Netware users can trust
the clib to return ERANGE, so let's punt this to release, and let our
friends at Netware author any necessary patches down the line.
First, checking for typos like fF: instead of Ff: in the getopt list
would have been goodness. But this simply doesn't apply to win32,
we don't DETACH in the Unix-ish way of the world.
I don't even believe this applies to ANY user of the MULTITHREADed
code path [only Netware and Win32 use it, correct?] But I'll leave
the code in, and exclude only Win32 (where it was a noop anyways.)
Jim Jagielski [Mon, 3 Jun 2002 12:28:27 +0000 (12:28 +0000)]
Attached is a patch for allowing user changes on the cygwin platform
and a #define wrapper for the timeout signal we use to kill off pending
open children that do not react on "usual" signals.
The signalling issue seems to be a problem on the Cygwin platform, but
it's abstracted, so other platforms may benefit from it. Again,
nothing else is changed in behaviour.
Changes are:
* src/include/ap_config.h: added the system uid for Cygwin that is
the "root" user on Cygwin
* src/main/http_main.c: some cygwin specific #defines around
setpgrp() and getuid() calls. Adding the #define SIG_TIMEOUT_KILL to
define which signal should be used to kill off timed-out children.
Defaulting to the known value for all other platforms.
* src/modules/proxy/proxy_cache.c: cygwin specific #define around
setpgrp()
Jim Jagielski [Thu, 30 May 2002 13:05:40 +0000 (13:05 +0000)]
Push out the T&R 2 days to account for the latest additions to
the proxy code (for testing). Also, to allow time for one more
vote (or not) on the Bugz 9181 patch.
PR:
Obtained from:
Submitted by:
Reviewed by:
Graham Leggett [Thu, 30 May 2002 10:19:49 +0000 (10:19 +0000)]
Add X-Forwarded-Host and X-Forwarded-Server to X-Forwarded-For
to the proxy.
PR:
Obtained from:
Submitted by: Thomas Eibner <thomas@stderr.net>
Reviewed by: Graham Leggett
Martin Kraemer [Wed, 29 May 2002 20:39:16 +0000 (20:39 +0000)]
Fix a problem in mod_proxy: it would not set the number of bytes
transferred, so other modules could not access the value from
the request_rec->bytes_sent field.
(And indeed, I also observed some time ago that the bytes_sent field was not set.)
PR: 6841
Submitted by: Anthony Howe <achowe (at) snert.com>
Reviewed by: Martin Kraemer
Doug MacEachern [Thu, 23 May 2002 03:25:20 +0000 (03:25 +0000)]
PR:
Obtained from:
Submitted by:
Reviewed by:
ap_escape_logitem referenced c2x() before it was declared, fatal error
with hpux cc. move c2x definition before ap_escape_logitem.
Martin Kraemer [Tue, 21 May 2002 13:03:56 +0000 (13:03 +0000)]
Apply a stricter check to the request line syntax, in order to prevent
arbitrary user input to end up (unescaped) in the access_log and error_log
files. Until now, garbage could be injected to spoof accesses to nonexistent
(or inaccessible) resources -- of course without the client actually
getting access to them.
Now anything but whitespace following the "<method> <url> HTTP/x.y" request
line is disallowed, and special characters in the request are escaped
in the log.
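The two checks described in the commit above, as an added example that is not code from the httpd project: request_line_ok() accepts "<method> <url> HTTP/x.y" followed only by whitespace and rejects anything else, and escape_logitem() rewrites CR, LF, quotes, backslashes and other control bytes so that a crafted request cannot forge a second log entry. The function names and the escaping scheme (\r, \n, \t, \xHH) are this example's own; httpd's ap_escape_logitem is only named on this page, not reproduced.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Return 1 if line has the form "<method> <url> HTTP/x.y" with nothing
 * but blanks after the protocol, else 0. */
int request_line_ok(const char *line)
{
    const char *p = line, *tok;

    tok = p;                                   /* method */
    while (*p && *p != ' ' && *p != '\t') p++;
    if (p == tok || *p == '\0') return 0;
    while (*p == ' ' || *p == '\t') p++;

    tok = p;                                   /* url */
    while (*p && *p != ' ' && *p != '\t') p++;
    if (p == tok || *p == '\0') return 0;
    while (*p == ' ' || *p == '\t') p++;

    if (strncmp(p, "HTTP/", 5) != 0) return 0; /* protocol */
    p += 5;
    if (!isdigit((unsigned char)*p)) return 0;
    while (isdigit((unsigned char)*p)) p++;
    if (*p != '.') return 0;
    p++;
    if (!isdigit((unsigned char)*p)) return 0;
    while (isdigit((unsigned char)*p)) p++;

    while (*p) {                               /* only whitespace may follow */
        if (*p != ' ' && *p != '\t') return 0;
        p++;
    }
    return 1;
}

/* Escape a string before it goes into a log line. Returns the number of
 * bytes written (excluding the NUL), or -1 if out is too small. */
int escape_logitem(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    if (outlen == 0) return -1;
    for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
        char tmp[5];
        const char *rep;
        switch (*p) {
        case '\n': rep = "\\n";  break;
        case '\r': rep = "\\r";  break;
        case '\t': rep = "\\t";  break;
        case '\\': rep = "\\\\"; break;
        case '"':  rep = "\\\""; break;
        default:
            if (*p < 0x20 || *p >= 0x7f) {     /* other control / non-ASCII */
                snprintf(tmp, sizeof tmp, "\\x%02x", *p);
            } else {
                tmp[0] = (char)*p;
                tmp[1] = '\0';
            }
            rep = tmp;
        }
        size_t rl = strlen(rep);
        if (o + rl >= outlen) return -1;
        memcpy(out + o, rep, rl);
        o += rl;
    }
    out[o] = '\0';
    return (int)o;
}

int main(void)
{
    /* Constructed request line that tries to forge a second access_log entry. */
    const char *forged = "GET /index.html HTTP/1.1\r\n10.0.0.1 - - \"GET /secret HTTP/1.0\" 200";
    char buf[256];
    printf("valid=%d\n", request_line_ok(forged));        /* 0: junk after HTTP/1.1 */
    if (escape_logitem(forged, buf, sizeof buf) >= 0)
        printf("logged as: \"%s\"\n", buf);                /* stays on one line */
    return 0;
}
```

The two checks are complementary: the syntax check rejects the request, and the escaping guarantees that even the rejected line, once logged, cannot spoof an access to a resource the client never reached.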
Martin Kraemer [Tue, 21 May 2002 12:43:32 +0000 (12:43 +0000)]
John Von Essen <john at essenz.com> contributes the diskimg.gif icon:
> Hopefully this is the right place to send this comment. I have a lot of
> disk images (.img) on my server. By default, there is no icon for a disk
> image.
>
> So I made one...
>
> AddIcon /icons/diskimg.gif .img
>
> The diskimg.gif can be found at:
>
> http://www.essenz.com/icons/diskimg.gif
>
> Could this be added into future releases? Disk images are fairly popular.
> Especially when making boot floppies or driver disks for linux.
Martin Kraemer [Tue, 21 May 2002 12:24:59 +0000 (12:24 +0000)]
Get rid of DEFAULT_XFERLOG as it is not used anywhere. It was
preserved by the build system, printed with "httpd -V", but
apart from that completely ignored: the default transfer log
is to not produce any transfer log.