Skip to content
GitLab
  1. 09 Nov, 2016 5 commits
  3. 04 Nov, 2016 4 commits
    • William A. Rowe Jr's avatar
      ap_rgetline_core() now pulls from r->proto_input_filters · 1ddf815e
      William A. Rowe Jr authored 
      for better input filtering behavior during chunked trailer
processing by ap_http_filter().
Backports: r1446421
Submitted by: joes



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x-merge-http-strict@1768093 13f79535-47bb-0310-9956-ffa450edef68
      1ddf815e
    • William A. Rowe Jr's avatar
      Stupid CodeWarrior compiler cant take vars with struct inits. · bd6a3d15
      William A. Rowe Jr authored 
      Ensure that is_v6literal is always initialized

Backports: r1428145, r1436457
Submitted by: fuankg, rpluem



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x-merge-http-strict@1768090 13f79535-47bb-0310-9956-ffa450edef68
      bd6a3d15
    • William A. Rowe Jr's avatar
      Add an option to enforce stricter HTTP conformance · c8e1f5ae
      William A. Rowe Jr authored 
      This is a first stab, the checks will likely have to be revised.
For now, we check

 * if the request line contains control characters
 * if the request uri has fragment or username/password
 * that the request method is standard or registered with RegisterHttpMethod
 * that the request protocol is of the form HTTP/[1-9]+.[0-9]+,
   or missing for 0.9
 * if there is garbage in the request line after the protocol
 * if any request header contains control characters
 * if any request header has an empty name
 * for the host name in the URL or Host header:
   - if an IPv4 dotted decimal address: Reject octal or hex values, require
     exactly four parts
   - if a DNS host name: Reject non-alphanumeric characters besides '.' and
     '-'. As a side effect, this rejects multiple Host headers.
 * if any response header contains control characters
 * if any response header has an empty name
 * that the Location response header (if present) has a valid scheme and is
   absolute

If we have a host name both from the URL and the Host header, we replace the
Host header with the value from the URL to enforce RFC conformance.

There is a log-only mode, but the loglevels of the logged messages need some
thought/work. Currently, the  checks for incoming data log for 'core' and the
checks for outgoing data log for 'http'. Maybe we need a way to configure the
loglevels separately from the core/http loglevels.

change protocol number parsing in strict mode according to HTTPbis draft
- only accept single digit version components
- don't accept white-space after protocol specification

Clean up comment, fix log tags.
Submitted by: sf
Backports: r1426877, r1426879, r1426988, r1426992



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x-merge-http-strict@1768036 13f79535-47bb-0310-9956-ffa450edef68
      c8e1f5ae
    • William A. Rowe Jr's avatar
      Correctly parse an IPv6 literal host specification in an absolute URL · 6dbeba9d
      William A. Rowe Jr authored 
      in the request line.

- Fix handling of brackets [ ] surrounding the IPv6 address.
- Skip parsing r->hostname again if not necessary.
- Do some checks that the IPv6 address is sane. This is not done by
  apr_parse_addr_port().

log client error at level debug, log broken Host header value

Backports: r1407006, r1426827
Submitted by: sf



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x-merge-http-strict@1768035 13f79535-47bb-0310-9956-ffa450edef68
      6dbeba9d
  5. 03 Nov, 2016 5 commits
  7. 02 Nov, 2016 6 commits
  9. 01 Nov, 2016 5 commits
  11. 28 Oct, 2016 1 commit
  13. 27 Oct, 2016 3 commits
  15. 26 Oct, 2016 1 commit
    • Jim Jagielski's avatar
      Merge r1764040 from trunk: · 6d57c7e3
      Jim Jagielski authored 
      mod_dav: Fix a potential cause of unbounded memory usage or incorrect
behavior in a routine that sends <DAV:response>'s to the output filters.

The dav_send_one_response() function accepts the current head of the output
filter list as an argument, but the actual head can change between calls to
ap_pass_brigade().  This can happen with self-removing filters, e.g., with
the filter from mod_headers or mod_deflate.  Consequently, executing an
already removed filter can either cause unwanted memory usage or incorrect
behavior.

This patch changes the signature of the existing mod_dav's public API,
dav_send_one_response(), because this API is not yet a part of any 2.4.x
release.

* modules/dav/main/mod_dav.c
  (dav_send_one_response): Accept a request_rec instead of an ap_filter_t.
   Write the response to r->output_filters.
  (dav_send_multistatus, dav_stream_response): Update these calling sites
   of dav_send_one_response().

* modules/dav/main/mod_dav.h
  (dav_send_one_response): ...
      6d57c7e3
  17. 24 Oct, 2016 6 commits
  19. 23 Oct, 2016 1 commit
  21. 22 Oct, 2016 2 commits
  23. 21 Oct, 2016 1 commit