buffer overflow.
PR:
Obtained from:
Submitted by:
Reviewed by:


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/1.3.x@97007 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/1.3.x@96993 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/1.3.x@96992 13f79535-47bb-0310-9956-ffa450edef68

PR:
Obtained from:
Submitted by:
Reviewed by:


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/1.3.x@96990 13f79535-47bb-0310-9956-ffa450edef68

which use non 4xx methods for auth (such as cookies, referers ,etc).

Submitted by Sander van Zoest (for a slightly different reason) - see
explanation below.

From: Sander van Zoest
To: dev@httpd.apache.org

It is common practice to set Cookie's to pass along on HTTP
redirects for "login" authentication.

When implementing P3P <http://www.w3.org/P3P/> using
mod_headers.c the Header directive only sets r->headers_out
and does not pass the headers along for non-2XX responses
such as error pages and redirects.

To provide this functionality we added the ErrorHeader
directive which populates r->err_headers_out instead.

Below follows a patch for 1.3.X by Michael Radwin <radwin_at_yahoo-inc.com>.

I have some code that attempts to add Directive to 2.0.X, but
it seems that output_filters are shortcuted on 3XX responses.
While now by setting the Header directive it also passes the headers
along at for all non-2XX responses except 3XX responses.

Cheers,

--
Sander van Zoest

PR: 9181
Obtained from: Michael Radwin
Submitted by: Sander van Zoest
Reviewed by: Dirk-Willem van Gulik


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/1.3.x@96981 13f79535-47bb-0310-9956-ffa450edef68

Scratched a major itch - got bitten by config directory globbing sucking
in an editor backup file once too many. Applied the patch as submitted
by Sander van Zoest (Bug id 12712) whichs makes it possible to limit
the scope with simple but effective wild cards.


PR: 12712
Obtained from: Sander van Zoest
Submitted by: Sander van Zoest
Reviewed by: Dirk-Willem van Gulik


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/1.3.x@96980 13f79535-47bb-0310-9956-ffa450edef68

Scratched a major itch - got bitten by config directory globbing sucking
in an editor backup file once too many. Applied the patch as submitted
by Sander van Zoest (Bug id 12712) whichs makes it possible to limit
the scope with simple but effective wild cards.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/1.3.x@96979 13f79535-47bb-0310-9956-ffa450edef68

that the SysV shared memory segment be reset to the uid/gid of
User/Group. In fact, it's not wise that it do so. However, there are
some 3rd party "add ons" that require/expect this behavior...
So allow admins to do so, assuming they know the impacts.
PR:
Obtained from:
Submitted by:
Reviewed by:


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/1.3.x@96941 13f79535-47bb-0310-9956-ffa450edef68

System V semaphores on systems where sizeof(int) != sizeof(long).

PR:               12072
Submitted by:	  <winterling@de.ibm.com>
Reviewed by:	  Jeff Trawick, Justin Erenkrantz


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/1.3.x@96927 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/1.3.x@96874 13f79535-47bb-0310-9956-ffa450edef68

tagged as invalid if ProtocolReqCheck was active.

PR:
Obtained from:
Submitted by:
Reviewed by:


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/1.3.x@96856 13f79535-47bb-0310-9956-ffa450edef68

not seconds


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/1.3.x@96795 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/1.3.x@96755 13f79535-47bb-0310-9956-ffa450edef68

PR:
Obtained from:
Submitted by:	Henning Brauer henning@openbsd.org
Reviewed by:	Jeff Trawick, Jim Jagielski


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/1.3.x@96751 13f79535-47bb-0310-9956-ffa450edef68

Thanks Roy for catching this one.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/1.3.x@96749 13f79535-47bb-0310-9956-ffa450edef68

Make apache work with the iCal webdav client when using
DigestAuth. We propably should revisit mod_digest its parsing
at some point.

NOTE: - not yet done for EBCDIC !


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/1.3.x@96743 13f79535-47bb-0310-9956-ffa450edef68

PR: 9932
Obtained from: APR Backport
Submitted by:
Reviewed by:


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/1.3.x@96712 13f79535-47bb-0310-9956-ffa450edef68

no Content-Length at all, but the cached info does (think 304). We
also need to update the cache file if we update/use the old c-l
value (the previously stored values are bogus).
PR:
Obtained from:
Submitted by:
Reviewed by:


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/1.3.x@96649 13f79535-47bb-0310-9956-ffa450edef68

incorrectly set the content-length value to 0 (from the 304 response)
instead of keeping the original value.

PR: Bugz 10128
Obtained from:
Submitted by:	Paul Terry <paul.terry@gmx.net> and  ast@domdv.de
Reviewed by:


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/1.3.x@96647 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/1.3.x@96633 13f79535-47bb-0310-9956-ffa450edef68

(could have sworn I committed this earlier this morning)


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/1.3.x@96630 13f79535-47bb-0310-9956-ffa450edef68

PR: 10993
Submitted by:	 Peter Bieringer <pb@bieringer.de>


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/1.3.x@96622 13f79535-47bb-0310-9956-ffa450edef68

added to the response headers when this was already done in the
core already. This resulted in header (and therefore cookie)
duplication.
PR:
Obtained from:
Submitted by:	Martijn Schoemaker <martijn@osp.nl>
Reviewed by:	Graham Leggett


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/1.3.x@96620 13f79535-47bb-0310-9956-ffa450edef68

- Fix segfault on strlen computation on the empty string in vlv case
- If the etag is "", don't set the ETag header to be "" - leave the
  header NULL instead.

Andrew's patch would change ap_meets_condition to accept "", but Justin
thinks it would be better just to sidestep it all together and not set
ETag when it would be "".

(Backport of patch applied to httpd-2.0 as original 1.3 code has the
same flaws.)

PR: 12202
Submitted by: Andrew Ho <andrew@tellme.com>


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/1.3.x@96610 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/1.3.x@96465 13f79535-47bb-0310-9956-ffa450edef68

has no '\r' or '\n' in the first 1023 bytes.

Reported by: Aaron Campbell


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/1.3.x@96464 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/1.3.x@96453 13f79535-47bb-0310-9956-ffa450edef68

that results in the over/underflow


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/1.3.x@96450 13f79535-47bb-0310-9956-ffa450edef68

	Add a new environment variable to keep the charset from being
	included on canned error documents.  (Having it there make
	some browsers apply it to the redirect target document.)

Reviewed by:	Bill Stoddard, Jim Jagielski, Justin Erenkrantz, Cliff Woolley


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/1.3.x@96362 13f79535-47bb-0310-9956-ffa450edef68

PR: 11626


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/1.3.x@96354 13f79535-47bb-0310-9956-ffa450edef68

security changes so they are consistant
PR:
Obtained from:
Submitted by:
Reviewed by:


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/1.3.x@96235 13f79535-47bb-0310-9956-ffa450edef68

Submitted by:	Larry Rosenman <ler@lerctr.org>
Reviewed by:	Jeff Trawick


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/1.3.x@96178 13f79535-47bb-0310-9956-ffa450edef68

response line ("HTTP/1.1 200 \r\n"). It looks like RFC2616 allows this,
but ap_getline() strips the trailing blank, and that lead to
an error in ap_proxy_read_response_line() for proxy-requests to
Tomcat+mod_jk2 servers. (It replaced the NIL after the "200" by
a space, and so the resulting response line had an extra NL appended).
Now the SP character which was deleted by ap_getline() is reappended,
avoiding the erroneous '\0'->' ' change, and preserving RFC2616's
requirement
     Status-Line = HTTP-Version SP Status-Code SP Reason-Phrase CRLF
     Reason-Phrase = *<TEXT, excluding CR, LF>
(thus there is now always a SP after the Status-Code).


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/1.3.x@96144 13f79535-47bb-0310-9956-ffa450edef68

Submitted by:	Henning Brauer <hb-apache-dev@bsws.de>
Reviewed by:	Jim Jagielski, Jeff Trawick


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/1.3.x@96096 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/1.3.x@96095 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/1.3.x@96078 13f79535-47bb-0310-9956-ffa450edef68

with the value at startup - have a method to find the value without
actually really running it (or binding ot ports, touching logs, etc).


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/1.3.x@96077 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/1.3.x@96032 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/1.3.x@95987 13f79535-47bb-0310-9956-ffa450edef68

we do not allow for the total bogusness of values for C-L, just this
one special case. IMO a C-L field of "iloveyou" is bogus as is one
of "123yabbadabbado", which older versions appear to have allowed
(and in the 1st case, assume 0 and in the 2nd assume 123). Didn't
make sense to make this runtime, but a documented special case
instead.
PR:
Obtained from:
Submitted by:
Reviewed by:


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/1.3.x@95986 13f79535-47bb-0310-9956-ffa450edef68