Further mitigation for the TLS renegotation attack, CVE-2009-3555:

* modules/ssl/ssl_engine_kernel.c (has_buffered_data): New function.
  (ssl_hook_Access): Forcibly disable keepalive for the connection if
  there is any buffered data readable from the input filter stack.

* modules/ssl/ssl_engine_io.c (ssl_io_filter_input): Ensure that the
  BIO uses blocking operations when invoked outside direct control of
  the httpd filter stack.

Thanks to Hartmut Keil <Hartmut.Keil adnovum.ch> for proposing this
technique.

Submitted by: jorton
Backport by: rjung
Reviewed by: pgollucci, wrowe


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@1002227 13f79535-47bb-0310-9956-ffa450edef68

mod_ssl: Use memmove instead of memcpy for overlapping buffers

Submitted by: jorton
Reviewed by: sf, trawick



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@1001762 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@1001426 13f79535-47bb-0310-9956-ffa450edef68

SECURITY: CVE-2009-1891 (cve.mitre.org)
Fix a potential Denial-of-Service attack against mod_deflate or other 
modules, by forcing the server to consume CPU time in compressing a 
large file after a client disconnects.  [Joe Orton, Ruediger Pluem]

Submitted by: jorton, rpluem
Reviewed by: pgollucci, poirier, rjung


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@1001425 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@1001424 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@1001403 13f79535-47bb-0310-9956-ffa450edef68

disabled by default until gen_test_char.c is modified to allow for cross-compile.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@1001396 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@1001392 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@1001311 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@996770 13f79535-47bb-0310-9956-ffa450edef68

by trawick.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@996743 13f79535-47bb-0310-9956-ffa450edef68

Promote, demote. Please look at this specific patch if you care that it just hit the 'going nowhere' category

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@996719 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@982705 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@979237 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@979187 13f79535-47bb-0310-9956-ffa450edef68

Translated by: Nilgün Belma Bugüner <nilgun belgeler.org>
Reviewed by:  Orhan Berent <berent belgeler.org>

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@979186 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@966953 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@966949 13f79535-47bb-0310-9956-ffa450edef68

- removed obsolete -prefix compiler switch since already defined global for all files
- removed obsolete include paths
- changed include paths to use internal vars so hat apr/apr-util builds outside source tree
- removed trailing tabs and spaces, other minor cosmetic changes


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@966915 13f79535-47bb-0310-9956-ffa450edef68

I kept "back slash" when explicitely used in
comparison with "forward slash".

Backport of r965792 from trunk and of r965799
from 2.2.x.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@965803 13f79535-47bb-0310-9956-ffa450edef68

Thanks to Denis Howe for the hint.

PR49620.
Backport of r965798 from 2.2.x.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@965801 13f79535-47bb-0310-9956-ffa450edef68

been committed.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@944165 13f79535-47bb-0310-9956-ffa450edef68

CVE-2009-3095: mod_proxy_ftp sanity check authn credentials.
Submitted by: Stefan Fritsch <sf fritsch.de>, Joe Orton

Reviewed by: pgollucci, poirier, rjung, trawick


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@943980 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@943977 13f79535-47bb-0310-9956-ffa450edef68

  *) SECURITY: CVE-2009-3094 (cve.mitre.org)
     mod_proxy_ftp: NULL pointer dereference on error paths.
     [Stefan Fritsch <sf fritsch.de>, Joe Orton]

Reviewed by: pgollucci, poirier, trawick


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@943925 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@943923 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@943882 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@943880 13f79535-47bb-0310-9956-ffa450edef68

SECURITY: Partial fix for CVE-2009-3555:

Reject client-initiated renegotiations; this is sufficient to prevent
the attack for any configuration which does not require renegotiation
due to per-directory/per-location access control configuration.

Configuration with per-directory/per-location access control
requirements (such as "SSLVerifyClient require") are still vulnerable
to CVE-2009-3555 with this patch applied (if using OpenSSL != 0.9.8l).

* modules/ssl/ssl_private.h (SSLConnRec): Add reneg_state field.
  (ssl_callback_Info): Renamed from ssl_callback_LogTracingState.

* modules/ssl/ssl_engine_init.c (ssl_init_ctx_callbacks): Install
  the (renamed) info callback unconditionally.

* modules/ssl/ssl_engine_io.c (ssl_filter_ctx_t): Add config pointer
  to SSLConnRec.
  (bio_filter_out_write, bio_filter_in_read): Fail with
  APR_ECONNABORTED if the reneg state is set to RENEG_ABORT.

* modules/ssl/ssl_engine_kernel.c (log_tracing_state): Factored out
  of ssl_callback_LogTracingState.
  (ssl_callback_Info): New function.

Submitted by: jorton, rpluem, rjung
Reviewed by: rjung, rpluem, pgollucci


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@943879 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@943869 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@943750 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@943749 13f79535-47bb-0310-9956-ffa450edef68

I haven't properly reviewed/tested these yet myself, but I'd guess
that some among us may be in a good position to review.  (And I
should get to it eventually.)


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@943603 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@942939 13f79535-47bb-0310-9956-ffa450edef68

As previously discussed with wrowe, treast this the same way roy treats
mime.types



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@942211 13f79535-47bb-0310-9956-ffa450edef68

to 2.0.x.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@923801 13f79535-47bb-0310-9956-ffa450edef68

SECURITY: CVE-2010-0434 (cve.mitre.org)
Ensure each subrequest has a shallow copy of headers_in so that the
parent request headers are not corrupted.  Elimiates a problematic
optimization in the case of no request body.

PR: 48359
Submitted by: Jake Scott, William Rowe, Ruediger Pluem
Reviewed by: wrowe, trawick, rpluem



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@921910 13f79535-47bb-0310-9956-ffa450edef68

  *) SECURITY: CVE-2008-2364 (cve.mitre.org)
     mod_proxy_http: Better handling of excessive interim responses
     from origin server to prevent potential denial of service and high
     memory usage. Reported by Ryujiro Shibuya. [Ruediger Pluem,
     Joe Orton, Jim Jagielski]

Reviewed by: trawick, wrowe, rpluem



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@921908 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@921839 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@921303 13f79535-47bb-0310-9956-ffa450edef68