Ken Coar [Mon, 12 Aug 2002 19:19:03 +0000 (19:19 +0000)]
Add a new environment variable to keep the charset from being
included on canned error documents. (Having it there makes
some browsers apply it to the redirect target document.)
Reviewed by: Bill Stoddard, Jim Jagielski, Justin Erenkrantz, Cliff Woolley
Mark J. Cox [Tue, 30 Jul 2002 13:08:04 +0000 (13:08 +0000)]
Add 3 new CVE names for old (circa 2000) security issues; rearrange
security changes so they are consistent
Martin Kraemer [Mon, 22 Jul 2002 16:26:03 +0000 (16:26 +0000)]
Tomcat with mod_jk2 sometimes omits the Reason-Phrase from the
response line ("HTTP/1.1 200 \r\n"). It looks like RFC2616 allows this,
but ap_getline() strips the trailing blank, and that led to
an error in ap_proxy_read_response_line() for proxy-requests to
Tomcat+mod_jk2 servers. (It replaced the NIL after the "200" by
a space, and so the resulting response line had an extra NL appended).
Now the SP character which was deleted by ap_getline() is reappended,
avoiding the erroneous '\0'->' ' change, and preserving RFC2616's
requirement
Status-Line = HTTP-Version SP Status-Code SP Reason-Phrase CRLF
Reason-Phrase = *<TEXT, excluding CR, LF>
(thus there is now always a SP after the Status-Code).
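An added example (not Apache's own code) of the parsing rule the commit above settles on: a Status-Line whose trailing SP was already stripped, as ap_getline() does, is accepted with an empty Reason-Phrase instead of the terminating NUL being overwritten.

```c
/* Added example, not Apache's code: parsing a proxied Status-Line the
 * way the commit above requires. "HTTP/1.1 200" (the SP after the
 * Status-Code already removed by a getline that trims trailing blanks)
 * is accepted with an empty Reason-Phrase rather than rejected or
 * patched up by overwriting the terminating NUL. */
#include <ctype.h>
#include <string.h>

/* Parses "HTTP-Version SP Status-Code [SP Reason-Phrase]" (CRLF already
 * removed). Returns the status code and stores the Reason-Phrase
 * (possibly "") in *reason, or returns -1 if the line is malformed. */
int parse_status_line(const char *line, const char **reason)
{
    const char *p, *q;
    int code;

    if (strncmp(line, "HTTP/", 5) != 0)
        return -1;
    p = strchr(line + 5, ' ');                 /* end of HTTP-Version */
    if (p == NULL)
        return -1;
    p++;
    /* Status-Code = 3DIGIT */
    if (!isdigit((unsigned char)p[0]) || !isdigit((unsigned char)p[1])
        || !isdigit((unsigned char)p[2]))
        return -1;
    code = (p[0] - '0') * 100 + (p[1] - '0') * 10 + (p[2] - '0');
    p += 3;

    if (*p == '\0')            /* SP stripped by getline: empty phrase */
        *reason = p;
    else if (*p == ' ')        /* SP present; phrase may still be "" */
        *reason = p + 1;
    else                       /* e.g. "2000": not a 3-digit code */
        return -1;

    /* Reason-Phrase = *<TEXT, excluding CR, LF> */
    for (q = *reason; *q; q++)
        if (*q == '\r' || *q == '\n')
            return -1;
    return code;
}
```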
Scratching an old itch. Rather than cause a WARNING: in the log
with the value at startup - have a method to find the value without
actually really running it (or binding to ports, touching logs, etc).
Jim Jagielski [Tue, 9 Jul 2002 14:47:24 +0000 (14:47 +0000)]
Allow for null/all-whitespace C-L fields as we did pre-1.3.26. However,
we do not allow for the total bogusness of values for C-L, just this
one special case. IMO a C-L field of "iloveyou" is bogus as is one
of "123yabbadabbado", which older versions appear to have allowed
(and in the 1st case, assume 0 and in the 2nd assume 123). Didn't
make sense to make this runtime, but a documented special case
instead.
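An added example (not Apache's own code) of the Content-Length policy the commit above describes: only the null/all-whitespace field is special-cased to 0, while bogus values are rejected rather than silently read as 0 or 123.

```c
/* Added example, not Apache's code: the Content-Length policy the
 * commit above describes. An empty or all-whitespace field is accepted
 * as 0 and a plain decimal value is accepted; "iloveyou" and
 * "123yabbadabbado" are rejected rather than read as 0 and 123. */
#include <ctype.h>
#include <errno.h>
#include <stdlib.h>

/* Returns the length, or -1 if the field is bogus. */
long parse_content_length(const char *field)
{
    const char *p = field;
    char *end;
    long val;

    while (*p == ' ' || *p == '\t')      /* skip leading LWS */
        p++;
    if (*p == '\0')                      /* the one special case: null */
        return 0;                        /* or all-whitespace C-L is 0 */
    if (!isdigit((unsigned char)*p))     /* strtol would accept "+", "-" */
        return -1;                       /* and whitespace; we do not   */

    errno = 0;
    val = strtol(p, &end, 10);
    if (errno == ERANGE)                 /* does not fit in a long */
        return -1;
    while (*end == ' ' || *end == '\t')  /* only trailing LWS allowed */
        end++;
    if (*end != '\0')                    /* e.g. "123yabbadabbado" */
        return -1;
    return val;
}
```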
Jim Jagielski [Mon, 8 Jul 2002 18:06:55 +0000 (18:06 +0000)]
Add ProtocolReqCheck directive, which determines if Apache will
check for a valid protocol string in the request (eg: HTTP/1.1)
and return HTTP_BAD_REQUEST if not valid. Versions of Apache
prior to 1.3.26 would silently ignore bad protocol strings, but
1.3.26 included a more strict check. This makes it runtime
configurable. The default is On. This also removes the requirement
on an ANSI sscanf() implementation.
Mark J. Cox [Thu, 27 Jun 2002 11:01:57 +0000 (11:01 +0000)]
Be consistent when highlighting security changes, check the CVE names
and add some missing ones (I applied a while ago for the remaining
CVE names for older issues, but since these are pre-2000 they are low
priority)
Brian Havard [Tue, 18 Jun 2002 11:58:24 +0000 (11:58 +0000)]
OS/2: Fix linkage to ap_strtol() by making it a macro like on Win32. Modules
were failing to build because ap_strtol() wasn't being exported from the core.
This makes it unnecessary.
According to Watcom and other docs, it appears Netware users can trust
the clib to return ERANGE, so let's punt this to release, and let our
friends at Netware author any necessary patches down the line.
First, checking for typos like fF: instead of Ff: in the getopt list
would have been goodness. But this simply doesn't apply to win32,
we don't DETACH in the Unix-ish way of the world.
I don't even believe this applies to ANY user of the MULTITHREADed
code path [only Netware and Win32 use it, correct?] But I'll leave
the code in, and exclude only Win32 (where it was a noop anyways.)
Jim Jagielski [Mon, 3 Jun 2002 12:28:27 +0000 (12:28 +0000)]
Attached is a patch for allowing user changes on the cygwin platform
and a #define wrapper for the timeout signal we use to kill off pending
open children that do not react to "usual" signals.
The signalling issue seems to be a problem on the Cygwin platform, but
it's abstracted, so other platforms may benefit from it. Again,
nothing else is changed in behaviour.
Changes are:
* src/include/ap_config.h: added the system uid for Cygwin that is
the "root" user on Cygwin
* src/main/http_main.c: some cygwin specific #defines around
setpgrp() and getuid() calls. Adding the #define SIG_TIMEOUT_KILL to
define which signal should be used to kill off timed-out children.
Defaulting to the known value for all other platforms.
* src/modules/proxy/proxy_cache.c: cygwin specific #define around
setpgrp()
Jim Jagielski [Thu, 30 May 2002 13:05:40 +0000 (13:05 +0000)]
Push out the T&R 2 days to account for the latest additions to
the proxy code (for testing). Also, to allow time for one more
vote (or not) on the Bugz 9181 patch.
Graham Leggett [Thu, 30 May 2002 10:19:49 +0000 (10:19 +0000)]
Add X-Forwarded-Host and X-Forwarded-Server to X-Forwarded-For
to the proxy.
PR:
Obtained from:
Submitted by: Thomas Eibner <thomas@stderr.net>
Reviewed by: Graham Leggett
Martin Kraemer [Wed, 29 May 2002 20:39:16 +0000 (20:39 +0000)]
Fix a problem in mod_proxy: it would not set the number of bytes
transferred, so other modules could not access the value from
the request_rec->bytes_sent field.
(And indeed, I also observed some time ago that the bytes_sent field was not set.)
PR: 6841
Submitted by: Anthony Howe <achowe (at) snert.com>
Reviewed by: Martin Kraemer
Doug MacEachern [Thu, 23 May 2002 03:25:20 +0000 (03:25 +0000)]
ap_escape_logitem referenced c2x() before it was declared, fatal error
with hpux cc. move c2x definition before ap_escape_logitem.
Martin Kraemer [Tue, 21 May 2002 13:03:56 +0000 (13:03 +0000)]
Apply a stricter check to the request line syntax, in order to prevent
arbitrary user input to end up (unescaped) in the access_log and error_log
files. Until now, garbage could be injected to spoof accesses to nonexistent
(or inaccessible) resources -- of course without the client actually
getting access to them.
Now anything but whitespace following the "<method> <url> HTTP/x.y" request
line is disallowed, and special characters in the request are escaped
in the log.
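An added example (not Apache's own code) of the two defences the commit above describes: a strict request-line check that tolerates only whitespace after the protocol string, and log-item escaping so client-supplied bytes cannot forge entries in access_log or error_log. Single-digit HTTP/x.y versions are assumed.

```c
/* Added example, not Apache's code: the two defences described in the
 * commit above. check_request_line() rejects anything but whitespace
 * after "<method> <url> HTTP/x.y"; escape_logitem() renders control
 * and non-ASCII bytes as \xNN so client data cannot forge log lines. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Returns 1 if line is "<method> <url> HTTP/x.y" with single-digit x, y
 * and only optional whitespace after it, 0 otherwise. */
int check_request_line(const char *line)
{
    char method[32], uri[256], proto[16];
    int n = 0;  /* chars consumed by the three fields (%n) */

    if (sscanf(line, "%31s %255s %15s%n", method, uri, proto, &n) != 3
        || strlen(proto) != 8 || strncmp(proto, "HTTP/", 5) != 0
        || !isdigit((unsigned char)proto[5]) || proto[6] != '.'
        || !isdigit((unsigned char)proto[7]))
        return 0;
    for (line += n; *line; line++)  /* only whitespace may follow */
        if (!isspace((unsigned char)*line))
            return 0;
    return 1;
}

/* Escapes s into out (capacity outlen) for safe inclusion in a log
 * line; returns out, or NULL if the escaped form does not fit. */
char *escape_logitem(const char *s, char *out, size_t outlen)
{
    size_t o = 0;
    if (outlen == 0) return NULL;
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (c == '\\' || c == '"') {          /* keep the field parseable */
            if (o + 2 >= outlen) return NULL;
            out[o++] = '\\';
            out[o++] = (char)c;
        } else if (c < 0x20 || c >= 0x7f) {   /* CR, LF, ESC, high bytes */
            if (o + 4 >= outlen) return NULL;
            o += (size_t)sprintf(out + o, "\\x%02x", (unsigned)c);
        } else {
            if (o + 1 >= outlen) return NULL;
            out[o++] = (char)c;
        }
    }
    out[o] = '\0';
    return out;
}
```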
Martin Kraemer [Tue, 21 May 2002 12:43:32 +0000 (12:43 +0000)]
John Von Essen <john at essenz.com> contributes the diskimg.gif icon:
> Hopefully this is the right place to send this comment. I have a lot of
> disk images (.img) on my server. By default, there is no icon for a disk
> image.
>
> So I made one...
>
> AddIcon /icons/diskimg.gif .img
>
> The diskimg.gif can be found at:
>
> http://www.essenz.com/icons/diskimg.gif
>
> Could this be added into future releases? Disk images are fairly popular.
> Especially when making boot floppies or driver disks for linux.
Martin Kraemer [Tue, 21 May 2002 12:24:59 +0000 (12:24 +0000)]
Get rid of DEFAULT_XFERLOG as it is not used anywhere. It was
preserved by the build system, printed with "httpd -V", but
apart from that completely ignored: the default transfer log
is to not produce any transfer log.
At least on Win32 ... close the book on nice-to-haves with no patch,
or no point (.exe's available from 2.0 builds, duplicating ApacheMonitor
in both trees is a waste and a maintenance headache.)
Besides, we are -discouraging- future use. If 1.3.2x is 'initial release'
quality, 2.0 is much closer to fine.
I suspect this might be fixed by now, if anyone wants to test the
remaining half of this issue (IndexIgnore .foo .bar should hide both
.foo and .bar). Also interesting to determine if it's good in 2.0.
Jim Jagielski [Wed, 15 May 2002 14:13:29 +0000 (14:13 +0000)]
No doubt, people are already either handling
this themselves, by clearing out env or else it's not a concern
for many people, or whatever... No need to track this anymore