- Nov 04, 2016
-
-
William A. Rowe Jr authored
This is a first stab, the checks will likely have to be revised. For now, we check

* if the request line contains control characters
* if the request uri has fragment or username/password
* that the request method is standard or registered with RegisterHttpMethod
* that the request protocol is of the form HTTP/[1-9]+.[0-9]+, or missing for 0.9
* if there is garbage in the request line after the protocol
* if any request header contains control characters
* if any request header has an empty name
* for the host name in the URL or Host header:
  - if an IPv4 dotted decimal address: Reject octal or hex values, require exactly four parts
  - if a DNS host name: Reject non-alphanumeric characters besides '.' and '-'.
  As a side effect, this rejects multiple Host headers.
* if any response header contains control characters
* if any response header has an empty name
* that the Location response header (if present) has a valid scheme and is absolute

If we have a host name both from the URL and the Host header, we replace the Host header with the value from the URL to enforce RFC conformance.

There is a log-only mode, but the loglevels of the logged messages need some thought/work. Currently, the checks for incoming data log for 'core' and the checks for outgoing data log for 'http'. Maybe we need a way to configure the loglevels separately from the core/http loglevels.

change protocol number parsing in strict mode according to HTTPbis draft
- only accept single digit version components
- don't accept white-space after protocol specification

Clean up comment, fix log tags.

Submitted by: sf
Backports: r1426877, r1426879, r1426988, r1426992

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x-merge-http-strict@1768036 13f79535-47bb-0310-9956-ffa450edef68
-
William A. Rowe Jr authored
in the request line.

- Fix handling of brackets [ ] surrounding the IPv6 address.
- Skip parsing r->hostname again if not necessary.
- Do some checks that the IPv6 address is sane. This is not done by apr_parse_addr_port().

log client error at level debug, log broken Host header value

Backports: r1407006, r1426827
Submitted by: sf

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x-merge-http-strict@1768035 13f79535-47bb-0310-9956-ffa450edef68
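The request-line, header and host checks listed in the two commit messages above (strict request line and headers in r1768036, bracketed IPv6 host literals in r1768035), written out as an added C example for this page. It is not httpd's code: the function names, the rule that a Host value starting with a digit is treated as an IPv4 literal and one starting with '[' as an IPv6 literal, the HTAB allowance inside header values and the coarse IPv6 sanity rule are this example's own assumptions, and the sample request lines and hosts in main() are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical re-implementation of the strict checks listed in the commit
 * messages; names and rules here are this example's, not httpd's. */

static int is_ctl(unsigned char c) { return c < 0x20 || c == 0x7f; }

/* RFC 7230 token characters, used for methods and header field names. */
static int is_tchar(unsigned char c)
{
    return isalnum(c) || (c != 0 && strchr("!#$%&'*+-.^_`|~", c) != NULL);
}

/* "METHOD SP target [SP HTTP/x.y]". Returns 1 if every strict check passes. */
int strict_request_line_ok(const char *line)
{
    const char *p, *q, *target, *auth = NULL;

    for (p = line; *p; p++)                    /* no control characters at all */
        if (is_ctl((unsigned char)*p)) return 0;

    for (p = line; *p && *p != ' '; p++)       /* method must be a non-empty token */
        if (!is_tchar((unsigned char)*p)) return 0;
    if (p == line || *p != ' ') return 0;

    target = ++p;
    while (*p && *p != ' ') p++;
    if (p == target) return 0;
    for (q = target; q < p; q++)               /* a fragment is never acceptable */
        if (*q == '#') return 0;
    for (q = target; q + 2 < p; q++)           /* absolute-form: locate the authority */
        if (q[0] == ':' && q[1] == '/' && q[2] == '/') { auth = q + 3; break; }
    if (auth)
        for (q = auth; q < p && *q != '/'; q++)
            if (*q == '@') return 0;           /* userinfo (user:pass@host) rejected */

    if (*p == '\0') return 1;                  /* HTTP/0.9 simple request: no protocol */

    p++;                                       /* HTTP/<digit>.<digit>, major 1..9 */
    if (strncmp(p, "HTTP/", 5) != 0) return 0;
    p += 5;
    if (p[0] < '1' || p[0] > '9' || p[1] != '.' || !isdigit((unsigned char)p[2]))
        return 0;
    return p[3] == '\0';                       /* no trailing whitespace or garbage */
}

/* Dotted-decimal IPv4: exactly four parts, each 0..255, no leading zero
 * (octal) and no 0x prefix (hex). */
static int ipv4_strict_ok(const char *h)
{
    int parts = 0;
    while (*h) {
        int v = 0, n = 0;
        if (!isdigit((unsigned char)*h)) return 0;
        if (*h == '0' && isdigit((unsigned char)h[1])) return 0;
        while (isdigit((unsigned char)*h)) { v = v * 10 + (*h++ - '0'); n++; }
        if (n > 3 || v > 255) return 0;
        parts++;
        if (*h == '.') { if (!*++h) return 0; }
        else if (*h) return 0;                 /* 'x', '-' or anything else */
    }
    return parts == 4;
}

/* DNS host name: only alphanumerics, '.' and '-'. */
static int dns_name_ok(const char *h)
{
    if (!*h) return 0;
    for (; *h; h++)
        if (!isalnum((unsigned char)*h) && *h != '.' && *h != '-') return 0;
    return 1;
}

/* Host value with any port already stripped. Assumption of this example: a
 * leading digit means IPv4 literal, a leading '[' means IPv6 literal. */
int strict_host_ok(const char *host)
{
    if (!host || !*host) return 0;
    if (*host == '[') {
        const char *end = strchr(host, ']'), *q;
        int colons = 0;
        if (!end || end[1] != '\0' || end == host + 1) return 0;
        for (q = host + 1; q < end; q++) {
            if (*q == ':') colons++;
            else if (!isxdigit((unsigned char)*q) && *q != '.') return 0;
        }
        return colons >= 2 && colons <= 7;     /* coarse sanity check only */
    }
    if (isdigit((unsigned char)*host)) return ipv4_strict_ok(host);
    return dns_name_ok(host);
}

/* "Name: value": non-empty token name, no control characters (HTAB inside the
 * value is tolerated here, as RFC 7230 allows it in field content). */
int strict_header_ok(const char *hdr)
{
    const char *colon = strchr(hdr, ':'), *q;
    if (!colon || colon == hdr) return 0;      /* missing or empty name */
    for (q = hdr; q < colon; q++)
        if (!is_tchar((unsigned char)*q)) return 0;
    for (q = colon + 1; *q; q++)
        if (is_ctl((unsigned char)*q) && *q != '\t') return 0;
    return 1;
}

int main(void)
{
    /* constructed samples */
    const char *lines[] = { "GET /index.html HTTP/1.1", "GET /a#frag HTTP/1.1",
                            "GET http://u:p@h/ HTTP/1.1", "GET /index.html HTTP/1.10" };
    const char *hosts[] = { "example.com", "0177.0.0.1", "0x7f.0.0.1", "[::1]", "127.1" };
    size_t i;
    for (i = 0; i < sizeof lines / sizeof *lines; i++)
        printf("%-28s -> %s\n", lines[i], strict_request_line_ok(lines[i]) ? "ok" : "reject");
    for (i = 0; i < sizeof hosts / sizeof *hosts; i++)
        printf("%-28s -> %s\n", hosts[i], strict_host_ok(hosts[i]) ? "ok" : "reject");
    return 0;
}
```

The version check is the single-digit form from the second half of the commit message ("only accept single digit version components", no whitespace after the protocol), so `HTTP/1.10` and `HTTP/1.1 ` both fail even though the earlier `HTTP/[1-9]+.[0-9]+` wording would have admitted them. The userinfo check only applies to absolute-form targets, since '@' is a legal character in a path segment such as `/users/@alice`.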
-
- Nov 03, 2016
-
-
William A. Rowe Jr authored
directive. Backports: r1407599 Submitted by: sf git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x-merge-http-strict@1767942 13f79535-47bb-0310-9956-ffa450edef68
-
William A. Rowe Jr authored
with min=0.9|1.0 syntax. A tighter restriction of the version in the request line is still possible with <If "%{SERVER_PROTOCOL_NUM} ..."> . Submitted by: sf Backports: r1406719, r1407643, r1425366 git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x-merge-http-strict@1767941 13f79535-47bb-0310-9956-ffa450edef68
-
William A. Rowe Jr authored
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x-merge-http-strict@1767912 13f79535-47bb-0310-9956-ffa450edef68
-
Luis Gil authored
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1767869 13f79535-47bb-0310-9956-ffa450edef68
-
Stefan Eissing authored
mod_http2: fix for beam double cleanup crashes introduced in 1.7.7 git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1767805 13f79535-47bb-0310-9956-ffa450edef68
-
- Nov 02, 2016
-
-
Eric Covener authored
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1767655 13f79535-47bb-0310-9956-ffa450edef68
-
Eric Covener authored
re-propose PR58292 with the revision that was sitting in trunk. e--This line, and those below, will be ignored-- M STATUS git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1767651 13f79535-47bb-0310-9956-ffa450edef68
-
Jim Jagielski authored
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1767650 13f79535-47bb-0310-9956-ffa450edef68
-
Jim Jagielski authored
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1767649 13f79535-47bb-0310-9956-ffa450edef68
-
Eric Covener authored
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1767648 13f79535-47bb-0310-9956-ffa450edef68
-
Eric Covener authored
cleanup next git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1767647 13f79535-47bb-0310-9956-ffa450edef68
-
- Nov 01, 2016
-
-
Stefan Eissing authored
mod_http2/mod_proxy_http2 improvements as in CHANGES git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1767563 13f79535-47bb-0310-9956-ffa450edef68
-
Jim Jagielski authored
mod_remoteip: Use r->useragent_addr as the root trusted address for verifying.

This fixes issue resulting in setting of bad useragent_ip when internal redirection has been generated as response to the request (typically as result of "ErrorDocument 40x").

In this case, the original request has been handled by mod_remoteip and its useragent_ip has been changed properly, but when internal redirection to ErrorDocument has been generated later, the mod_remoteip's handler has been executed again with *the same* c->client_addr as in the original request. If c->client_addr IP is trusted, this results in bad useragent_ip being set.

When using r->useragent_addr as the root trusted address instead of c->client_addr, the internal redirection uses the first non-trusted IP in this particular case, so it won't change the r->useragent_ip during the internal redirection to ErrorDocument.

Submitted by: jkaluza
Reviewed/backported by: jim

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1767483 13f79535-47bb-0310-9956-ffa450edef68
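The proxy walk this commit describes, as a constructed model added to this page; it is not mod_remoteip's code. The trusted-proxy list, the function names, the sample addresses and the assumption that the module rewrites the forwarded-for header to the entries it did not consume (so the internal redirect re-runs over a shorter header) are this example's own.

```c
#include <stdio.h>
#include <string.h>

#define MAX_HOPS 16

/* Constructed stand-in for RemoteIPTrustedProxy (assumption of this example). */
static const char *TRUSTED[] = { "10.0.0.5", "10.0.0.6", NULL };

static int is_trusted(const char *ip)
{
    int i;
    for (i = 0; TRUSTED[i]; i++)
        if (strcmp(TRUSTED[i], ip) == 0) return 1;
    return 0;
}

/* One pass of the walk: while the current address is a trusted proxy, pop the
 * rightmost header entry and make it current. ua receives the resolved
 * user-agent address; rest receives the unconsumed left-hand entries, which
 * this model (like the module, per this example's assumption) writes back as
 * the new header value. */
void remoteip_pass(const char *root, const char *xff,
                   char *ua, size_t ua_sz, char *rest, size_t rest_sz)
{
    char buf[256], *tok, *hops[MAX_HOPS];
    const char *cur = root;
    int n = 0, i;

    snprintf(buf, sizeof buf, "%s", xff ? xff : "");
    for (tok = strtok(buf, ","); tok && n < MAX_HOPS; tok = strtok(NULL, ",")) {
        char *e;
        while (*tok == ' ') tok++;                      /* trim "a, b" spacing */
        e = tok + strlen(tok);
        while (e > tok && e[-1] == ' ') *--e = '\0';
        if (*tok) hops[n++] = tok;
    }
    while (n > 0 && is_trusted(cur)) cur = hops[--n];
    snprintf(ua, ua_sz, "%s", cur);

    rest[0] = '\0';
    for (i = 0; i < n; i++) {
        size_t len = strlen(rest);
        if (len >= rest_sz) break;
        snprintf(rest + len, rest_sz - len, "%s%s", i ? ", " : "", hops[i]);
    }
}

/* Original request, then an internal redirect (ErrorDocument) that runs the
 * module again over the rewritten header. root_from_useragent == 0 seeds the
 * second pass with c->client_addr (the behaviour the commit fixes); 1 seeds it
 * with the r->useragent_addr already resolved by the first pass. */
const char *useragent_after_redirect(int root_from_useragent, const char *client_addr,
                                     const char *xff, char *out, size_t out_sz)
{
    char ua1[64], rest1[256], rest2[256];
    remoteip_pass(client_addr, xff, ua1, sizeof ua1, rest1, sizeof rest1);
    remoteip_pass(root_from_useragent ? ua1 : client_addr, rest1,
                  out, out_sz, rest2, sizeof rest2);
    return out;
}

/* Helpers returning 1 when a scenario resolves to the expected strings. */
int pass_result_is(const char *root, const char *xff,
                   const char *exp_ua, const char *exp_rest)
{
    char ua[64], rest[256];
    remoteip_pass(root, xff, ua, sizeof ua, rest, sizeof rest);
    return strcmp(ua, exp_ua) == 0 && strcmp(rest, exp_rest) == 0;
}

int redirect_result_is(int root_from_useragent, const char *client_addr,
                       const char *xff, const char *expected)
{
    char out[64];
    return strcmp(useragent_after_redirect(root_from_useragent, client_addr, xff,
                                           out, sizeof out), expected) == 0;
}

int main(void)
{
    /* constructed: trusted proxy 10.0.0.5 connects, header carries a
     * client-supplied entry, the real client, and a second trusted proxy */
    const char *xff = "198.51.100.7, 203.0.113.9, 10.0.0.6";
    char out[64];
    printf("after redirect, root=c->client_addr:   %s\n",
           useragent_after_redirect(0, "10.0.0.5", xff, out, sizeof out));
    printf("after redirect, root=r->useragent_addr: %s\n",
           useragent_after_redirect(1, "10.0.0.5", xff, out, sizeof out));
    return 0;
}
```

With the first pass having consumed both trusted proxies and stopped at 203.0.113.9, only the client-supplied 198.51.100.7 is left in the header. Re-seeding the redirect pass with the trusted c->client_addr walks into that leftover entry and reports it as the user-agent address; seeding with r->useragent_addr stops immediately because 203.0.113.9 is not trusted.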
-
Jim Jagielski authored
Submitted by: covener Reviewed/backported by: jim git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1767482 13f79535-47bb-0310-9956-ffa450edef68
-
Jim Jagielski authored
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1767481 13f79535-47bb-0310-9956-ffa450edef68
-
Jim Jagielski authored
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1767480 13f79535-47bb-0310-9956-ffa450edef68
-
- Oct 28, 2016
-
-
Yann Ylavic authored
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1766909 13f79535-47bb-0310-9956-ffa450edef68
-
- Oct 27, 2016
-
-
Yann Ylavic authored
Add mod_proxy_hcheck to the Netware build system. Contributed by NormW. Submitted by: rjung git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1766906 13f79535-47bb-0310-9956-ffa450edef68
-
Yann Ylavic authored
Proposed by Norm. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1766905 13f79535-47bb-0310-9956-ffa450edef68
-
Stefan Eissing authored
mod_http2: v1.7.7, connection shutdown revisited, AP_DEBUG_ASSERT transformed to real asserts git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1766856 13f79535-47bb-0310-9956-ffa450edef68
-
- Oct 26, 2016
-
-
Jim Jagielski authored
mod_dav: Fix a potential cause of unbounded memory usage or incorrect behavior in a routine that sends <DAV:response>'s to the output filters.

The dav_send_one_response() function accepts the current head of the output filter list as an argument, but the actual head can change between calls to ap_pass_brigade(). This can happen with self-removing filters, e.g., with the filter from mod_headers or mod_deflate. Consequently, executing an already removed filter can either cause unwanted memory usage or incorrect behavior.

This patch changes the signature of the existing mod_dav's public API, dav_send_one_response(), because this API is not yet a part of any 2.4.x release.

* modules/dav/main/mod_dav.c
  (dav_send_one_response): Accept a request_rec instead of an ap_filter_t. Write the response to r->output_filters.
  (dav_send_multistatus, dav_stream_response): Update these calling sites of dav_send_one_response().

* modules/dav/main/mod_dav.h
  (dav_send_one_response): Adjust definition.

Submitted by: kotkov
Reviewed/backported by: jim

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1766683 13f79535-47bb-0310-9956-ffa450edef68
-
- Oct 24, 2016
-
-
Yann Ylavic authored
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1766447 13f79535-47bb-0310-9956-ffa450edef68
-
Yann Ylavic authored
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1766446 13f79535-47bb-0310-9956-ffa450edef68
-
Yann Ylavic authored
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1766381 13f79535-47bb-0310-9956-ffa450edef68
-
Stefan Eissing authored
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1766373 13f79535-47bb-0310-9956-ffa450edef68
-
Stefan Eissing authored
mod_proxy_{http,ajp,fcgi}: don't reuse backend connections with data available before the request is sent. PR 57832. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1766372 13f79535-47bb-0310-9956-ffa450edef68
-
Stefan Eissing authored
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1766369 13f79535-47bb-0310-9956-ffa450edef68
-
- Oct 23, 2016
-
-
Stefan Eissing authored
mod_http2: fixed potential crash in beam memory handling introduced in 1.7.x changes git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1766311 13f79535-47bb-0310-9956-ffa450edef68
-
- Oct 22, 2016
-
-
Lucien Gentis authored
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1766212 13f79535-47bb-0310-9956-ffa450edef68
-
Lucien Gentis authored
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1766211 13f79535-47bb-0310-9956-ffa450edef68
-
- Oct 21, 2016
-
-
Yann Ylavic authored
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1766162 13f79535-47bb-0310-9956-ffa450edef68
-
Yann Ylavic authored
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1766144 13f79535-47bb-0310-9956-ffa450edef68
-
Yann Ylavic authored
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1766139 13f79535-47bb-0310-9956-ffa450edef68
-
Yann Ylavic authored
Fix -Wunused-but-set-variable warnings. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1766130 13f79535-47bb-0310-9956-ffa450edef68
-
Jim Jagielski authored
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1766107 13f79535-47bb-0310-9956-ffa450edef68
-
Jim Jagielski authored
Fine tune description Reviewed/backported by: jim git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1766106 13f79535-47bb-0310-9956-ffa450edef68
-
Jim Jagielski authored
Fine tune description Reviewed/backported by: jim git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1766104 13f79535-47bb-0310-9956-ffa450edef68
-
Jim Jagielski authored
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1766101 13f79535-47bb-0310-9956-ffa450edef68
-