Scratch another itch - this patch allows me to hugely simplify auth modules
which use non-4xx methods for auth (such as cookies, referers, etc).
Submitted by Sander van Zoest (for a slightly different reason) - see
explanation below.
From: Sander van Zoest
To: dev@httpd.apache.org
It is common practice to set Cookies to pass along on HTTP
redirects for "login" authentication.
When implementing P3P <http://www.w3.org/P3P/> using
mod_headers.c the Header directive only sets r->headers_out
and does not pass the headers along for non-2XX responses
such as error pages and redirects.
To provide this functionality we added the ErrorHeader
directive which populates r->err_headers_out instead.
Below follows a patch for 1.3.X by Michael Radwin <radwin_at_yahoo-inc.com>.
I have some code that attempts to add the Directive to 2.0.X, but
it seems that output_filters are shortcut on 3XX responses.
While now, by setting the Header directive, it also passes the headers
along for all non-2XX responses except 3XX responses.
Cheers,
--
Sander van Zoest
PR: 9181
Obtained from: Michael Radwin
Submitted by: Sander van Zoest
Reviewed by: Dirk-Willem van Gulik
Scratched a major itch - got bitten by config directory globbing sucking
in an editor backup file once too many. Applied the patch as submitted
by Sander van Zoest (Bug id 12712) which makes it possible to limit
the scope with simple but effective wild cards.
PR: 12712
Obtained from: Sander van Zoest
Submitted by: Sander van Zoest
Reviewed by: Dirk-Willem van Gulik
Jim Jagielski [Sat, 21 Sep 2002 17:18:34 +0000 (17:18 +0000)]
Add the ShmemUIDisUser directive and logic. Apache does not require
that the SysV shared memory segment be reset to the uid/gid of
User/Group. In fact, it's not wise that it do so. However, there are
some 3rd party "add ons" that require/expect this behavior...
So allow admins to do so, assuming they know the impacts.
PR:
Obtained from:
Submitted by:
Reviewed by:
Jim Jagielski [Thu, 5 Sep 2002 19:53:35 +0000 (19:53 +0000)]
Hmm... We need to also address the fact that the response may have
no Content-Length at all, but the cached info does (think 304). We
also need to update the cache file if we update/use the old c-l
value (the previously stored values are bogus).
PR:
Obtained from:
Submitted by:
Reviewed by:
Jim Jagielski [Thu, 5 Sep 2002 14:19:19 +0000 (14:19 +0000)]
When the cache would validate 304 responses from back-end server, it would
incorrectly set the content-length value to 0 (from the 304 response)
instead of keeping the original value.
PR: Bugz 10128
Obtained from:
Submitted by: Paul Terry <paul.terry@gmx.net> and ast@domdv.de
Reviewed by:
Graham Leggett [Tue, 3 Sep 2002 07:12:46 +0000 (07:12 +0000)]
Fix a problem in proxy where headers from other modules were
added to the response headers when this was already done in the
core already. This resulted in header (and therefore cookie)
duplication.
PR:
Obtained from:
Submitted by: Martijn Schoemaker <martijn@osp.nl>
Reviewed by: Graham Leggett
- Fix segfault on strlen computation on the empty string in vlv case
- If the etag is "", don't set the ETag header to be "" - leave the
header NULL instead.
Andrew's patch would change ap_meets_condition to accept "", but Justin
thinks it would be better just to sidestep it all together and not set
ETag when it would be "".
(Backport of patch applied to httpd-2.0 as original 1.3 code has the
same flaws.)
PR: 12202
Submitted by: Andrew Ho <andrew@tellme.com>
Ken Coar [Mon, 12 Aug 2002 19:19:03 +0000 (19:19 +0000)]
Add a new environment variable to keep the charset from being
included on canned error documents. (Having it there makes
some browsers apply it to the redirect target document.)
Reviewed by: Bill Stoddard, Jim Jagielski, Justin Erenkrantz, Cliff Woolley
Mark J. Cox [Tue, 30 Jul 2002 13:08:04 +0000 (13:08 +0000)]
Add 3 new CVE names for old (circa 2000) security issues; rearrange
security changes so they are consistent
PR:
Obtained from:
Submitted by:
Reviewed by:
Martin Kraemer [Mon, 22 Jul 2002 16:26:03 +0000 (16:26 +0000)]
Tomcat with mod_jk2 sometimes omits the Reason-Phrase from the
response line ("HTTP/1.1 200 \r\n"). It looks like RFC2616 allows this,
but ap_getline() strips the trailing blank, and that led to
an error in ap_proxy_read_response_line() for proxy-requests to
Tomcat+mod_jk2 servers. (It replaced the NIL after the "200" by
a space, and so the resulting response line had an extra NL appended).
Now the SP character which was deleted by ap_getline() is reappended,
avoiding the erroneous '\0'->' ' change, and preserving RFC2616's
requirement:
    Status-Line = HTTP-Version SP Status-Code SP Reason-Phrase CRLF
    Reason-Phrase = *<TEXT, excluding CR, LF>
(thus there is now always a SP after the Status-Code).
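The Status-Line handling described above, as an added C illustration that is not httpd's code: the parser accepts a line whose trailing SP before an empty Reason-Phrase has already been stripped by the line reader, and the formatter always re-emits that SP. The struct and function names are my own.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Parsed RFC 2616 Status-Line:
 *   Status-Line = HTTP-Version SP Status-Code SP Reason-Phrase CRLF
 * Reason-Phrase may be empty, so "HTTP/1.1 200 \r\n" is legal. */
struct status_line {
    char version[16];
    int  code;
    char reason[64];
};

/* Parse a status line after a line reader has stripped CRLF and any
 * trailing blank, so an empty Reason-Phrase arrives as "HTTP/1.1 200".
 * Returns 0 on success, -1 if the line is malformed. */
int parse_status_line(const char *line, struct status_line *out)
{
    const char *sp1, *rest;
    size_t vlen;

    memset(out, 0, sizeof *out);
    if (strncmp(line, "HTTP/", 5) != 0 || (sp1 = strchr(line, ' ')) == NULL)
        return -1;
    vlen = (size_t)(sp1 - line);
    if (vlen >= sizeof out->version)
        return -1;
    memcpy(out->version, line, vlen);

    /* Status-Code is exactly three digits. */
    if (!isdigit((unsigned char)sp1[1]) || !isdigit((unsigned char)sp1[2]) ||
        !isdigit((unsigned char)sp1[3]))
        return -1;
    out->code = (sp1[1] - '0') * 100 + (sp1[2] - '0') * 10 + (sp1[3] - '0');

    rest = sp1 + 4;
    if (*rest == '\0')          /* SP + empty Reason-Phrase was stripped */
        return 0;
    if (*rest != ' ' || strlen(rest + 1) >= sizeof out->reason)
        return -1;
    strcpy(out->reason, rest + 1);
    return 0;
}

/* Re-emit the line with the SP after Status-Code always present, so an
 * empty Reason-Phrase yields "HTTP/1.1 200 \r\n", not "HTTP/1.1 200\r\n". */
int format_status_line(const struct status_line *s, char *buf, size_t len)
{
    return snprintf(buf, len, "%s %03d %s\r\n", s->version, s->code, s->reason);
}
```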
Scratching an old itch. Rather than cause a WARNING: in the log
with the value at startup - have a method to find the value without
actually really running it (or binding to ports, touching logs, etc).
Jim Jagielski [Tue, 9 Jul 2002 14:47:24 +0000 (14:47 +0000)]
Allow for null/all-whitespace C-L fields as we did pre-1.3.26. However,
we do not allow for the total bogusness of values for C-L, just this
one special case. IMO a C-L field of "iloveyou" is bogus as is one
of "123yabbadabbado", which older versions appear to have allowed
(and in the 1st case, assume 0 and in the 2nd assume 123). Didn't
make sense to make this runtime, but a documented special case
instead.
PR:
Obtained from:
Submitted by:
Reviewed by:
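The strict Content-Length rule described above, as an added C illustration that is not httpd's code: a null or all-whitespace value is the one accepted special case, while values like "iloveyou" and "123yabbadabbado" are rejected instead of being read as 0 and 123. The enum and function name are my own.

```c
#include <ctype.h>
#include <errno.h>
#include <stdlib.h>

/* Outcome of validating a Content-Length field value. */
enum cl_result { CL_OK = 0, CL_EMPTY, CL_BOGUS };

/* Strict Content-Length check in the spirit of the change described above
 * (illustrative, not httpd's code):
 *  - a null or all-whitespace value is the one documented special case,
 *    reported as CL_EMPTY with length 0;
 *  - an all-digit value (optional surrounding blanks) is CL_OK;
 *  - anything else ("iloveyou", "123yabbadabbado", "-1") is CL_BOGUS.
 * A bare strtol()/atoi() would silently map the first to 0 and the second
 * to 123; this rejects both. */
enum cl_result validate_content_length(const char *value, long *len)
{
    const char *p = value ? value : "";
    char *end;
    long n;

    *len = 0;
    while (*p == ' ' || *p == '\t')
        p++;
    if (*p == '\0')
        return CL_EMPTY;
    /* First character must be a digit: rejects signs and letters. */
    if (!isdigit((unsigned char)*p))
        return CL_BOGUS;
    errno = 0;
    n = strtol(p, &end, 10);
    if (errno == ERANGE || n < 0)
        return CL_BOGUS;
    while (*end == ' ' || *end == '\t')
        end++;
    if (*end != '\0')           /* digits followed by junk, e.g. "123yabbadabbado" */
        return CL_BOGUS;
    *len = n;
    return CL_OK;
}
```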
Jim Jagielski [Mon, 8 Jul 2002 18:06:55 +0000 (18:06 +0000)]
Add ProtocolReqCheck directive, which determines if Apache will
check for a valid protocol string in the request (eg: HTTP/1.1)
and return HTTP_BAD_REQUEST if not valid. Versions of Apache
prior to 1.3.26 would silently ignore bad protocol strings, but
1.3.26 included a more strict check. This makes it runtime
configurable. The default is On. This also removes the requirement
on an ANSI sscanf() implementation.
Mark J. Cox [Thu, 27 Jun 2002 11:01:57 +0000 (11:01 +0000)]
Be consistent when highlighting security changes, check the CVE names
and add some missing ones (I applied a while ago for the remaining
CVE names for older issues, but since these are pre-2000 they are low
priority)
PR:
Obtained from:
Submitted by:
Reviewed by:
Brian Havard [Tue, 18 Jun 2002 11:58:24 +0000 (11:58 +0000)]
OS/2: Fix linkage to ap_strtol() by making it a macro like on Win32. Modules
were failing to build because ap_strtol() wasn't being exported from the core.
This makes it unnecessary.
According to Watcom and other docs, it appears Netware users can trust
the clib to return ERANGE, so let's punt this to release, and let our
friends at Netware author any necessary patches down the line.
First, checking for typos like fF: instead of Ff: in the getopt list
would have been goodness. But this simply doesn't apply to win32,
we don't DETACH in the Unix-ish way of the world.
I don't even believe this applies to ANY user of the MULTITHREADed
code path [only Netware and Win32 use it, correct?] But I'll leave
the code in, and exclude only Win32 (where it was a noop anyways.)
Jim Jagielski [Mon, 3 Jun 2002 12:28:27 +0000 (12:28 +0000)]
Attached is a patch for allowing user changes on the cygwin platform
and a #define wrapper for the timeout signal we use to kill off pending
open children that do not react on "usual" signals.
The signalling issue seems to be a problem on the Cygwin platform, but
it's abstracted, so other platforms may benefit from it. Again,
nothing else is changed in behaviour.
Changes are:
* src/include/ap_config.h: added the system uid for Cygwin that is
the "root" user on Cygwin
* src/main/http_main.c: some cygwin specific #defines around
setpgrp() and getuid() calls. Adding the #define SIG_TIMEOUT_KILL to
define which signal should be used to kill off timed-out children.
Defaulting to the known value for all other platforms.
* src/modules/proxy/proxy_cache.c: cygwin specific #define around
setpgrp()
Jim Jagielski [Thu, 30 May 2002 13:05:40 +0000 (13:05 +0000)]
Push out the T&R 2 days to account for the latest additions to
the proxy code (for testing). Also, to allow time for one more
vote (or not) on the Bugz 9181 patch.
PR:
Obtained from:
Submitted by:
Reviewed by:
Graham Leggett [Thu, 30 May 2002 10:19:49 +0000 (10:19 +0000)]
Add X-Forwarded-Host and X-Forwarded-Server to X-Forwarded-For
to the proxy.
PR:
Obtained from:
Submitted by: Thomas Eibner <thomas@stderr.net>
Reviewed by: Graham Leggett