security bug in some mass virtual hosting configurations
that can allow a remote attacker to retrieve some files
on the system that should be inaccessible. The problem
occured with requests including the line "Host: ..." --
the last dot is stripped and the remaining ".." then
reveals a parent directory.

Reported by: Peter Christoffersen <pch@mindpass.com>
Message-ID: <8quts6$2el$1@news.inet.tele.dk>
Newsgroups: comp.infosystems.www.servers.unix


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@86637 13f79535-47bb-0310-9956-ffa450edef68

the buffer_filter, and where the core_filter gets data from the BUFF.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@86635 13f79535-47bb-0310-9956-ffa450edef68

used although I have begun to test them on my machine.  The idea behind
these buckets is that data allocated out of a pool and put into a bucket
has to survive the death of the pool until the bucket is destroyed.  To
accomplish this, we register a cleanup when we create the bucket.  If the
pool is cleared, the cleanup converts the bucket to a heap bucket and
everything is good.  If the pool isn't cleared, then we kill the cleanup
when the bucket is destroyed.

With this bucket type, all of the core buckets that were listed have been
implemented.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@86633 13f79535-47bb-0310-9956-ffa450edef68

before today) so that we don't have a growth of these across many
pipelined requests.

http_filter() uses one brigade per connection which it reads into.
As it needs to deliver buckets to the caller, they are removed from
its brigade into the caller's brigade.

Submitted by:	Ryan Bloom (but anything broken is my fault)


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@86632 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@86631 13f79535-47bb-0310-9956-ffa450edef68

  get rid of an unnecessary condition where we set ctx->b to NULL;
  it was already NULL

ap_get_client_block():
  "fix" the pool for the brigade used by ap_get_client_block() to
  save its state; this allows pipelined requests to work


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@86630 13f79535-47bb-0310-9956-ffa450edef68

if we drop one on the floor, it will get cleaned up when we clean the pool.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@86629 13f79535-47bb-0310-9956-ffa450edef68

  when delivering body bytes, only deliver one block of data (however
  much is returned by bucket read) instead of delivering the entire
  body at once; this gets painful with a large body

  make a note of an issue with the blocking state of the socket;
  currently, the socket is non-blocking, but when reading body bytes
  we should feel free to wait for body bytes until a timeout occurs;


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@86628 13f79535-47bb-0310-9956-ffa450edef68

it makes sense logically.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@86627 13f79535-47bb-0310-9956-ffa450edef68

  Make things a little clearer in reaction to the _snames snafus.

Submitted by:	Greg Stein
Reviewed by:	William Rowe


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@86626 13f79535-47bb-0310-9956-ffa450edef68

"output_filters" for consistency with the name of the input
filters field ("input_filters").


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@86623 13f79535-47bb-0310-9956-ffa450edef68

This should have been committed with httpd.h a few minutes ago.
Submitted by:	Greg Stein


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@86622 13f79535-47bb-0310-9956-ffa450edef68

if their forbearers (e.g., ap_assert()) did not.
Submitted by:	Greg Stein


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@86621 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@86620 13f79535-47bb-0310-9956-ffa450edef68

they are currently storing.  There is no way we can force them to flush,
but we can advise.  This also adds the code to ap_rflush to use flush
buckets, although it isn't enabled yet.  I will enable it once we remove
buff from the code.  I also removed all calls to ap_rflush that are either
immediately before or immediately after a call to ap_finalize_protocol.
ap_finalize_protocol sends an EOS bucket, which also advises filters to
flush their data, so having both calls right next to each other is
redundant.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@86619 13f79535-47bb-0310-9956-ffa450edef68

brigade generated by the sub-request.  If this is not done, then the
main-request's core_output_filter will get very confused, as will any other
filter in the main-request filter-stack that looks for EOS.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@86618 13f79535-47bb-0310-9956-ffa450edef68

(hopefully) be easier to understand in the future.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@86617 13f79535-47bb-0310-9956-ffa450edef68

  Get rid of an assertion which assumed that HTTP_IN is the filter
  below us.  Some other filter may play the same role.
ap_setup_client_block():
  Get rid of a commented-out hack which was used to allow chunked
  transport encoding of a request body received by mod_cgi[d].
ap_get_client_block():
  Get rid of special handling for zero-length buckets...  The main
  loop handles that fine.
Submitted by:	Ryan Bloom


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@86614 13f79535-47bb-0310-9956-ffa450edef68

  get dechunking working
  verify that infrastructure for input filters works
    (use existing AddInputFilter directive)

Unlike with my previous patch, ap_get_client_block() saves state between
calls in the core's per-request dir config.

Unlike with my previous patch, HTTP_IN keeps a count of remaining bytes
in the conn_rec.  Code that needs to prod it to deliver a certain amount
of request body plays with conn_rec->remain directly.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@86613 13f79535-47bb-0310-9956-ffa450edef68

of protocol data and bodies was performed in the past.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@86612 13f79535-47bb-0310-9956-ffa450edef68

  Fix compile break in Win32


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@86611 13f79535-47bb-0310-9956-ffa450edef68

  Nice to see we build again on Win32


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@86610 13f79535-47bb-0310-9956-ffa450edef68

  Renamed all MODULE_EXPORT symbols to AP_MODULE_DECLARE and all symbols
  for CORE_EXPORT to AP_CORE_DECLARE (namespace protecting the wrapper)
  and retitled API_EXPORT as AP_DECLARE and APR_EXPORT as APR_DECLARE.
  All _VAR_ flavors changes to _DATA to be absolutely clear.
  Thank you Greg, for the most obvious suggestion.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@86609 13f79535-47bb-0310-9956-ffa450edef68

  Cleaning up a _Security_ concern - Please Review Carefully


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@86608 13f79535-47bb-0310-9956-ffa450edef68

  More docs of oddities.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@86607 13f79535-47bb-0310-9956-ffa450edef68

  Document more bad Win32 behavior... if the url isn't .exe, then don't
  throw an .exe


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@86606 13f79535-47bb-0310-9956-ffa450edef68

  Adds quick access to the must-haves (STATUS/CHANGES) and group the apr
  library in to functional units


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@86605 13f79535-47bb-0310-9956-ffa450edef68

auto-computed string-length hash keys


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@86604 13f79535-47bb-0310-9956-ffa450edef68

  Some issues with the dependencies that prevent a clean checkout from
  actually building under win32


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@86603 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@86602 13f79535-47bb-0310-9956-ffa450edef68

  This is a pretty significant cleanup of things already moved to OS2's
  APR - Brian, please review closely.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@86601 13f79535-47bb-0310-9956-ffa450edef68

  Cleanup ap_os_kill from TPF and unix.  Maintainers please validate.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@86600 13f79535-47bb-0310-9956-ffa450edef68

  Just some symbol cleanup from grep'ping sources.
  BS2000 maintainer please verify.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@86599 13f79535-47bb-0310-9956-ffa450edef68

  Eliminating a bunch-o-junk from the Win32 os.h header that now lives
  in apr or isn't used.  Please review closely (every symbol removed was
  grep't for, and no references were found.)


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@86598 13f79535-47bb-0310-9956-ffa450edef68

a pointer to a static structure.  The ap_foo_type functions have also been
replaced with simple macro calls.  I am going to replace the
ap_bucket_(read|split|setaside|destroy) functions with macros soon.
Reviewed by:	Will Rowe


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@86597 13f79535-47bb-0310-9956-ffa450edef68

support concurrency levels > 1 against the loopback on BONE and will
actually use all the connections it starts.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@86595 13f79535-47bb-0310-9956-ffa450edef68

  Change to buckets for isapi output.  Still requires emulation of IO
  Completion/Async behavior, but a non-async REQ_HSE_TRANSMIT_FILE is
  now implemented.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@86592 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@86591 13f79535-47bb-0310-9956-ffa450edef68

doesn't actually do anything useful, it was meant to remove all zero
length buckets before trying to read from the brigade.  However, it is
perfectly fine to not do this, and to just read those buckets along with
the rest of them.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@86589 13f79535-47bb-0310-9956-ffa450edef68

missing some major pieces that I only found after the commit.  This patch
fixes the problem, and makes sure that request bodies are always ended
with an EOS bucket.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@86588 13f79535-47bb-0310-9956-ffa450edef68