  1. Nov 04, 2016
    • Add an option to enforce stricter HTTP conformance · c8e1f5ae
      William A. Rowe Jr authored
      This is a first stab, the checks will likely have to be revised.
      For now, we check
      
       * if the request line contains control characters
       * if the request uri has fragment or username/password
       * that the request method is standard or registered with RegisterHttpMethod
       * that the request protocol is of the form HTTP/[1-9]+.[0-9]+,
         or missing for 0.9
       * if there is garbage in the request line after the protocol
       * if any request header contains control characters
       * if any request header has an empty name
       * for the host name in the URL or Host header:
         - if an IPv4 dotted decimal address: Reject octal or hex values, require
           exactly four parts
         - if a DNS host name: Reject non-alphanumeric characters besides '.' and
           '-'. As a side effect, this rejects multiple Host headers.
       * if any response header contains control characters
       * if any response header has an empty name
       * that the Location response header (if present) has a valid scheme and is
         absolute
      
      If we have a host name both from the URL and the Host header, we replace the
      Host header with the value from the URL to enforce RFC conformance.
      
      There is a log-only mode, but the loglevels of the logged messages need some
       thought/work. Currently, the checks for incoming data log for 'core' and the
      checks for outgoing data log for 'http'. Maybe we need a way to configure the
      loglevels separately from the core/http loglevels.
      
      change protocol number parsing in strict mode according to HTTPbis draft
      - only accept single digit version components
      - don't accept white-space after protocol specification
      
      Clean up comment, fix log tags.
      Submitted by: sf
      Backports: r1426877, r1426879, r1426988, r1426992
       
      git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x-merge-http-strict@1768036 13f79535-47bb-0310-9956-ffa450edef68
      c8e1f5ae
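The request-line, header and Host checks listed in this commit message, as an added Python illustration that is not httpd's code (the METHODS set and the rejection strings are my own choices; bracketed IPv6 literals, the subject of the next commit, are not handled here):

```python
import re
from typing import Optional
# Added illustration of the strict checks in the commit above (not httpd's code); METHODS is a constructed sample.
METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "CONNECT"}
CTL = re.compile(r"[\x00-\x1f\x7f]")          # control characters
PROTO = re.compile(r"^HTTP/[1-9]\.[0-9]$")     # strict: single-digit components only
DNS_NAME = re.compile(r"^[A-Za-z0-9.-]+$")     # alphanumerics plus '.' and '-'

def check_host(host: str) -> Optional[str]:
    """Reason a URL/Host host name is rejected, or None if it passes."""
    if host[:1].isdigit():                      # treat as an IPv4 dotted-decimal literal
        parts = host.split(".")
        if len(parts) != 4:
            return "IPv4 literal must have exactly four parts"
        for p in parts:                         # plain decimal: no 0x hex, no leading-zero octal
            if not p.isdigit() or (len(p) > 1 and p[0] == "0") or int(p) > 255:
                return "IPv4 octet is not plain decimal 0-255"
        return None
    if not DNS_NAME.match(host):                # also rejects "a.example, b.example"
        return "host name has characters other than alphanumerics, '.' and '-'"
    return None

def check_request_line(line: str) -> Optional[str]:
    """Strict request-line checks; None means the line is acceptable."""
    if CTL.search(line):
        return "control character in request line"
    parts = line.split(" ")
    if len(parts) not in (2, 3):                # HTTP/0.9 has no protocol; more is garbage
        return "garbage after protocol or malformed request line"
    method, target = parts[0], parts[1]
    proto = parts[2] if len(parts) == 3 else None
    if method not in METHODS:
        return "method is not standard or registered"
    if "#" in target:
        return "fragment in request URI"
    if "://" in target and "@" in target.split("://", 1)[1].split("/", 1)[0]:
        return "username/password in request URI"
    if proto is not None and not PROTO.match(proto):
        return "protocol is not of the form HTTP/x.y"
    return None

def check_header(raw: str) -> Optional[str]:
    """Strict header checks; a Host value is passed on to check_host()."""
    name, sep, value = raw.partition(":")
    if not sep or not name.strip():
        return "missing or empty header name"
    if CTL.search(raw):
        return "control character in header"
    return check_host(value.strip()) if name.strip().lower() == "host" else None
```

Each function returns the reason a line would be rejected in strict mode, which is also what a log-only mode would record.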
    • Correctly parse an IPv6 literal host specification in an absolute URL
      in the request line. · 6dbeba9d
      William A. Rowe Jr authored
      
      - Fix handling of brackets [ ] surrounding the IPv6 address.
      - Skip parsing r->hostname again if not necessary.
      - Do some checks that the IPv6 address is sane. This is not done by
        apr_parse_addr_port().
      
      log client error at level debug, log broken Host header value
      
      Backports: r1407006, r1426827
      Submitted by: sf
       
      git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x-merge-http-strict@1768035 13f79535-47bb-0310-9956-ffa450edef68
      6dbeba9d
    • Merge r1764040 from trunk: · 6d57c7e3
      Jim Jagielski authored
      mod_dav: Fix a potential cause of unbounded memory usage or incorrect
      behavior in a routine that sends <DAV:response>'s to the output filters.
      
      The dav_send_one_response() function accepts the current head of the output
      filter list as an argument, but the actual head can change between calls to
      ap_pass_brigade().  This can happen with self-removing filters, e.g., with
      the filter from mod_headers or mod_deflate.  Consequently, executing an
      already removed filter can either cause unwanted memory usage or incorrect
      behavior.
      
      This patch changes the signature of the existing mod_dav's public API,
      dav_send_one_response(), because this API is not yet a part of any 2.4.x
      release.
      
      * modules/dav/main/mod_dav.c
        (dav_send_one_response): Accept a request_rec instead of an ap_filter_t.
         Write the response to r->output_filters.
        (dav_send_multistatus, dav_stream_response): Update these calling sites
         of dav_send_one_response().
      
      * modules/dav/main/mod_dav.h
        (dav_send_one_response): Adjust definition.
      
      Submitted by: kotkov
      Reviewed/backported by: jim
      
      
      git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1766683 13f79535-47bb-0310-9956-ffa450edef68
      6d57c7e3