  17. Aug 31, 2016
    • Backported. · 586cd4a9
      Yann Ylavic authored
      git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1758673 13f79535-47bb-0310-9956-ffa450edef68
    • Merge r1710095, r1727544 from trunk: · 51a5a8b2
      Yann Ylavic authored
      core: Limit to ten the number of tolerated empty lines between requests,
      and consume them before the pipelining check to avoid possible response
      delay when reading the next request without flushing.
      
      Before this commit, the maximum number of empty lines was the same as
      configured LimitRequestFields, defaulting to 100, which was way too much.
      We now use a fixed/hard limit of 10 (DEFAULT_LIMIT_BLANK_LINES).
      
      check_pipeline() is changed to check for (up to the limit) and consume the
      trailing [CR]LFs so that they won't be interpreted as pipelined requests,
      otherwise we would block on the next read without flushing data, and hence
      possibly delay pending response(s) until the next/real request comes in or
      the keepalive timeout expires.

      Finally, when the maximum number of empty lines is reached in
      read_request_line(), or that request line does not contain at least a method
      and a (valid) URI, we can fail early and avoid some failure detected in
      further processing.
      
      
      * Ensure that proto_num and protocol are set in another "error out early" edge
        case. This can happen with invalid CONNECT requests as described in the PR.
      
      PR: 58929
      
      
      Submitted by: ylavic, rpluem
      Reviewed  by: wrowe, covener, ylavic
      
      
      git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1758672 13f79535-47bb-0310-9956-ffa450edef68
    • Merge r892678, r1100511, r1102124 from trunk: · 27ca73eb
      Yann Ylavic authored
      Reject requests containing (invalid) NULL characters in request line
      or request headers.
      PR 43039
      
      
      use APR_STATUS_IS_TIMEUP() instead of direct comparison with APR_TIMEUP.
      
      
      Use APR_STATUS_IS_... in some more cases.
      
      While this is not strictly necessary everywhere, it makes it much easier
      to find the problematic cases.
      
      
      Submitted by: niq, covener, sf
      Reviewed  by: wrowe, covener, ylavic
      
      
      git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1758671 13f79535-47bb-0310-9956-ffa450edef68
    • Vote, promote, plus another patching failure. · a743f731
      Yann Ylavic authored
      git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1758668 13f79535-47bb-0310-9956-ffa450edef68