Martin Kraemer [Tue, 21 May 2002 13:03:56 +0000 (13:03 +0000)]
Apply a stricter check to the request line syntax, in order to prevent
arbitrary user input to end up (unescaped) in the access_log and error_log
files. Until now, garbage could be injected to spoof accesses to nonexistent
(or inaccessible) resources -- of course without the client actually
getting access to them.
Now anything but whitespace following the "<method> <url> HTTP/x.y" request
line is disallowed, and special characters in the request are escaped
in the log.
Martin Kraemer [Tue, 21 May 2002 12:43:32 +0000 (12:43 +0000)]
John Von Essen <john at essenz.com> contributes the diskimg.gif icon:
> Hopefully this is the right place to send this comment. I have alot of
> disk images (.img) on my server. By default, there is no icon for a disk
> image.
>
> So I made one...
>
> AddIcon /icons/diskimg.gif .img
>
> The diskimg.gif can be found at:
>
> http://www.essenz.com/icons/diskimg.gif
>
> Could this be added into future releases? Disk images are fairly popular.
> Especially when making boot floppies or driver disks for linux.
Martin Kraemer [Tue, 21 May 2002 12:24:59 +0000 (12:24 +0000)]
Get rid of DEFAULT_XFERLOG as it is not used anywhere. It was
preserved by the build system, printed with "httpd -V", but
apart from that completely ignored: the default transfer log
is to not produce any transfer log.
At least on Win32 ... close the book on nice-to-haves with no patch,
or no point (.exe's available from 2.0 builds, duplicating ApacheMonitor
in both trees is a waste and a maintenance headache.)
Besides, we are -discouraging- future use. If 1.3.2x is 'initial release'
quality, 2.0 is much closer to fine.
I suspect this might be fixed by now, if anyone wants to test the
remaining half of this issue (IndexIgnore .foo .bar should hide both
.foo and .bar). Also interesting to determine if it's good in 2.0.
Jim Jagielski [Wed, 15 May 2002 14:13:29 +0000 (14:13 +0000)]
No doubt, people are already either handling
this themselves, by clearing out env or else it's not a concern
for many people, or whatever... No need to track this anymore
Adds a '-F' flag to httpd's main() - which causes the mother
or supervisor process to not fork&detach - as to allow integration
with deamontools (http://cr.yp.to/daemontools.html).
PR: http://nagoya.apache.org/bugzilla/show_bug.cgi?id=7628
Obtained from: http://marc.theaimsgroup.com/?l=apache-httpd-dev&m=101467598720760&w=2
Michael Handler <handler-grendel.net>
Submitted by: http://www.catnook.com/patches/apache-1.3.24-daemontools.patch
Jos Backus <jos-catnook.com>
Reviewed by: Dirk-Willem van Gulik
Martin Kraemer [Mon, 13 May 2002 08:13:06 +0000 (08:13 +0000)]
Fix propagation of ${OPTIM} to subdirectories (which used to work in
early 1.3's at least), so that it is possible to do a
make OPTIM=-g
from the src/ directory to temporarily override the default
(e.g., for debugging).
Martin Kraemer [Mon, 6 May 2002 08:34:13 +0000 (08:34 +0000)]
src/support/apxs.pl: re-arranged things to handle DSO extensions
in a less hardcoded way. (.so) because the shared building chain would
fail for Cygwin which uses native Win32 extensions (.dll).
Jim Jagielski [Thu, 2 May 2002 13:28:46 +0000 (13:28 +0000)]
OK. This is admittedly anal. But the whole idea behind cpp macros
is to avoid things like "we know NSLINKMODULE_OPTION_NONE is 0"
and making such shortcuts as this. This makes it clear what exactly
we are setting, and though admittedly verbose, the tradeoff of a
few bytes of source is worth it :)
Jim Jagielski [Mon, 22 Apr 2002 12:36:18 +0000 (12:36 +0000)]
For supported versions of Darwin, place dynamically loaded
Apache extensions' public symbols into the global symbol
table. This allows dynamically loaded PHP extensions.
NOTE: this works as long as multiple modules don't
include overlapping symbols. Jim added the wrapper to
check for the existance of the option (which doesn't
exist in Rhapsody).
PR:
Obtained from:
Submitted by: Marko Karppinen <markonen@php.net>
Reviewed by: Jim Jagielski, Wilfredo Sanchez
Graham Leggett [Sun, 21 Apr 2002 21:16:39 +0000 (21:16 +0000)]
Add a FIXME note around some broken code. The write is writing a buffer
of bogus data with a length that was never initialised.
PR:
Obtained from:
Submitted by:
Reviewed by:
Graham Leggett [Fri, 19 Apr 2002 11:15:19 +0000 (11:15 +0000)]
Correct proxy to be able to handle the unexpected 100-continue
reponses sent during PUT or POST requests. (ie Hotmail works now)
PR:
Obtained from:
Submitted by:
Reviewed by:
Martin Kraemer [Mon, 15 Apr 2002 09:41:22 +0000 (09:41 +0000)]
Sometimes (when a read happened to end on a chunk boundary) the proxy
would just hang trying to read a CRLF that did not come (remaining==0
because end-of-chunk, not because chunksize==0). Also, when it
received its data from an upstream proxy which did not really support
HTTP/1.1 but claimed it did (ICS, Squid, both using nonstandard
Proxy-Connection: headers), Apache would not clear out the
"Transfer-Enconding: chunked" header and failed to correctly serve the
request.
First, use addition to test against an unsigned for chunk_start after
we are certain chunk_start is a positive value. Second, ap_bread
is prototyped as an -int- ... not a size_t, not an off_t.
These changes eliminate all mismatch type/sign errors on Win32.
Martin Kraemer [Tue, 9 Apr 2002 12:02:49 +0000 (12:02 +0000)]
Do a "proper" indent by moving some curly braces outside of #if's.
Fix an error message to print the correct filename (not tempfile).
Remove the tempfile for Win32 on a failed rename(2).
PR:
Obtained from:
Submitted by:
Reviewed by:
Graham Leggett [Sun, 7 Apr 2002 19:12:27 +0000 (19:12 +0000)]
Correct a timeout problem within proxy which would force long
or slow POST requests to close after 300 seconds.
PR: 7572
Obtained from:
Submitted by: Martin Lichtin <martin@lichtin.net>, Brian Bothwell <brian.bothwell@wisdomtools.com>
Reviewed by:
Graham Leggett [Sat, 6 Apr 2002 13:20:48 +0000 (13:20 +0000)]
Remove the last little bit of the multiple-headers bug in proxy. Before,
only the last instance of a header would have been cached.
PR:
Obtained from:
Submitted by:
Reviewed by:
Graham Leggett [Sat, 6 Apr 2002 13:12:36 +0000 (13:12 +0000)]
Fix a log line message to be clearer. There have been queries in the past
as to whether this message was an Apache problem, when it warns of a
downstream server problem.
PR:
Obtained from:
Submitted by:
Reviewed by:
Fixed incompliance of AB when used with a proxy as reported by
Taisuke Yamada <tai@iij.ad.jp>. Added error trapping to the
write function (important on systems with defered errors
after a connect). Documented the weakness of the write()
function - it assumes the whole RQ can always be fully
written to the socket. Fixed a compiler warning which
pointed out that 'bad' was both a label and a variable.
Joshua Slive [Thu, 28 Mar 2002 18:56:08 +0000 (18:56 +0000)]
Update the Redhat layout to match v7. I decided to just replace the old layout
on the principal that tracking every version of every os in config.layout would
be a nightmare.
Graham Leggett [Mon, 25 Mar 2002 22:45:05 +0000 (22:45 +0000)]
Tighten up the overridden-Server-header bugfix in the proxy, by
only overriding if the request is a proxy request. It has been
pointed out that the previous fix allows CGIs and modules to
override the Server header, which is change to previous behavior.
PR:
Obtained from:
Submitted by: Graham Leggett, Joshua Slive
Reviewed by:
Cliff Woolley [Thu, 21 Mar 2002 17:02:53 +0000 (17:02 +0000)]
Because of the if's I change to else if's, these continue's are now
functionally useless. This gets rid of them without changing the behavior
at all (ie, it doesn't matter if this change makes it in to 1.3.24 or not).
Cliff Woolley [Thu, 21 Mar 2002 16:48:46 +0000 (16:48 +0000)]
handle_if() and handle_elif() were now correctly checking return codes,
but send_parsed_content() was ignoring THEIR return codes, resulting in
another segfault in a related set of circumstances. In all cases we
should consider ret!=0 from any of the handle_foo() functions to mean
premature EOF was encountered.
Aaron Bannert [Thu, 21 Mar 2002 16:16:15 +0000 (16:16 +0000)]
Fix minor formatting error. Mention the default for CGICommandArgs.
Also mention isindex-style query argument passing, so we don't confuse
this with QUERY_STRING.
Introduce proper escaping of command.com and cmd.exe for Win32.
These patches close vulnerability CAN-2002-0061, identified and
reported by Ory Segal <ory.segal@sanctuminc> 13 Feb 2002, by which
any invocation of .bat or .cmd files permit system comprimize
when cmd.exe parsed the args passed from QUERY_STRING.
[William Rowe]
Patches of the set reviewed by Allan Edwards and Bill Stoddard,
while the security solutions were reviewed at length by the entire
security community at the ASF.
Share ap_double_quotes() code between OS2 and Win32 to use
for Win32's command.com, and introduce ap_caret_escape_args()
for Win32's cmd.exe. [William Rowe]
Graham Leggett [Thu, 21 Mar 2002 14:49:46 +0000 (14:49 +0000)]
When a proxied site was being served, Apache was replacing
the original site Server header with it's own, which is not
allowed by RFC2616. Fixed.
PR:
Obtained from:
Submitted by:
Reviewed by:
Graham Leggett [Thu, 21 Mar 2002 14:37:42 +0000 (14:37 +0000)]
Change ap_construct_url() so that the r->hostname is used in
the URL instead of the value of the ServerName directive. This
stops Apache redirecting to a different website name to the
one the user typed in, which can break cookies and javascript
handling on the client.
PR:
Obtained from:
Submitted by:
Reviewed by:
Graham Leggett [Thu, 21 Mar 2002 11:38:03 +0000 (11:38 +0000)]
Fixed the previous multiple-cookie fix in the proxy. Cookies
are broken in that they contain dates which in turn contain
commas - so merging and then unmerging them breaks Set-Cookie
headers. Sigh.
PR:
Obtained from:
Submitted by:
Reviewed by:
projects / thirdparty / apache / httpd.git / log
