- Aug 29, 2016
-
-
Jacob Champion authored
The 'data' AcceptFilter optimization instructs Windows to wait until data is received on a connection before completing the AcceptEx operation. Unfortunately, it seems this isn't performed atomically -- AcceptEx "partially" accepts the incoming connection during the wait for data, leaving all other incoming connections in the accept queue. This opens the server to a denial of service.

Since the fix for this requires a substantial rearchitecture (likely involving multiple outstanding calls to AcceptEx), disable the 'data' filter for now and replace it with 'connect', which uses the AcceptEx interface but does not wait for data.

Users running prior releases of httpd on Windows should explicitly move to a 'connect' AcceptFilter in their configurations if they are currently using the default 'data' filter.

Many thanks to mludha, Arthur Ramsey, Paul Spangler, and many others for their assistance in tracking down and diagnosing this issue.

PR: 59970

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1758307 13f79535-47bb-0310-9956-ffa450edef68
-
William A. Rowe Jr authored
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1758305 13f79535-47bb-0310-9956-ffa450edef68
-
William A. Rowe Jr authored
created by overloading 'int fold' (1 or 0) as 'int flags', with the same value 1 for AP_GETLINE_FOLD (which httpd doesn't use), and a new value 2 for AP_GETLINE_CRLF Enforce CRLF when HttpProtocolOptions Strict is in force. Correctly introduces a new t/TEST fail. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1758304 13f79535-47bb-0310-9956-ffa450edef68
-
William A. Rowe Jr authored
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1758267 13f79535-47bb-0310-9956-ffa450edef68
-
William A. Rowe Jr authored
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1758266 13f79535-47bb-0310-9956-ffa450edef68
-
William A. Rowe Jr authored
and reflecting the current implementation. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1758265 13f79535-47bb-0310-9956-ffa450edef68
-
William A. Rowe Jr authored
based on the fact that bad whitespace shall not be permitted or corrected in any operating mode, while preserving the ability to extract bad method/uri/proto for later reporting and diagnostics. This change causes badwhitespace in the request line or any request field line to always fail, and not honor the setting of the HttpProtocolOptions Unsafe option. Mult SP characters or trailing SP characters in the request line are still permitted in Unsafe mode. Adjusted several error message emits to match these changes. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1758263 13f79535-47bb-0310-9956-ffa450edef68
-
William A. Rowe Jr authored
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1758227 13f79535-47bb-0310-9956-ffa450edef68
-
William A. Rowe Jr authored
This choice is unanimous, although StrictURI (a different RFC) still hasn't found absolute consensus. An ap_mmn bump will follow (major, this removes a struct elt) git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1758226 13f79535-47bb-0310-9956-ffa450edef68
-
- Aug 28, 2016
-
-
Lucien Gentis authored
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1758115 13f79535-47bb-0310-9956-ffa450edef68
-
Lucien Gentis authored
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1758114 13f79535-47bb-0310-9956-ffa450edef68
-
- Aug 27, 2016
-
-
Eric Covener authored
In some cases, a 2nd CGI using the same c->id can get into the mod_cgid handler before cleanups have been run, causing the new CGI pid to be used by the first CGI's cleanup function. Instead of stashing c->id in the request processing thread, just use it before leaving the handler to get the pid. May indirectly fix PR57771, but it must have a slightly different cause because stashing the conn_id slightly differently was supposed to be sufficient there. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1758083 13f79535-47bb-0310-9956-ffa450edef68
-
Luca Toscano authored
Added William and Jacob to the list of authors to reflect their participation and suggestions given in the dev@'s email thread (thanks!). git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1758034 13f79535-47bb-0310-9956-ffa450edef68
-
Stefan Eissing authored
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1758014 13f79535-47bb-0310-9956-ffa450edef68
-
Stefan Eissing authored
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1758003 13f79535-47bb-0310-9956-ffa450edef68
-
Stefan Eissing authored
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1757985 13f79535-47bb-0310-9956-ffa450edef68
-
- Aug 26, 2016
-
-
William A. Rowe Jr authored
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1757924 13f79535-47bb-0310-9956-ffa450edef68
-
William A. Rowe Jr authored
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1757923 13f79535-47bb-0310-9956-ffa450edef68
-
William A. Rowe Jr authored
Drop the second reporting of HEAD over HTTP/0.9 requests, we short-circuit this early now in read_request_line() when presented anything other than the sole "GET" method permitted by spec. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1757921 13f79535-47bb-0310-9956-ffa450edef68
-
William A. Rowe Jr authored
level, no louder. This patch intentionally dodges the Limit* constrained tests since administrators may shoot themselves in the foot, or be confronted with impossibly long cookie values, etc. Adjust the documentation to match. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1757920 13f79535-47bb-0310-9956-ffa450edef68
-
Eric Covener authored
per http://httpd.apache.org/docs/2.4/mod/mod_rewrite.html#comment_5728 split list of flags out of the massive CondPattern list. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1757838 13f79535-47bb-0310-9956-ffa450edef68
-
Luca Toscano authored
the admins about Last-Modified header violations rather than trying to interpret datestrings (like the ones not in GMT). I also added explicit comments to summarize the current assumptions, so it will be easier for somebody in the future to modify the code.

The following use cases are covered:

1) (F)CGI backend sends a Last-Modified header not in GMT and considered in the future by httpd (like now() in the EU/Paris timezone)
2) (F)CGI backend sends a Last-Modified header not in GMT and not considered in the future by httpd (like now() + 2 hours in the PST timezone)
3) (F)CGI backend sends a Last-Modified header in GMT but with a datetime in the future

Suggestions and opinion are really welcome.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1757818 13f79535-47bb-0310-9956-ffa450edef68
-
- Aug 25, 2016
-
-
William A. Rowe Jr authored
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1757712 13f79535-47bb-0310-9956-ffa450edef68
-
William A. Rowe Jr authored
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1757711 13f79535-47bb-0310-9956-ffa450edef68
-
Ruediger Pluem authored
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1757663 13f79535-47bb-0310-9956-ffa450edef68
-
Ruediger Pluem authored
PR: 60038 Submitted by: zdeno <zdeno@scnet.sk> git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1757662 13f79535-47bb-0310-9956-ffa450edef68
-
Christophe Jaillet authored
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1757599 13f79535-47bb-0310-9956-ffa450edef68
-
Christophe Jaillet authored
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1757598 13f79535-47bb-0310-9956-ffa450edef68
-
William A. Rowe Jr authored
Also catch invalid spaces between the URI <> Protocol in StrictWhitespace mode. (matching the test for the Method <> URI) git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1757593 13f79535-47bb-0310-9956-ffa450edef68
-
William A. Rowe Jr authored
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1757590 13f79535-47bb-0310-9956-ffa450edef68
-
William A. Rowe Jr authored
to the default behavior, after discussion with fielding et al about the purpose of section 3.5. Update the documentation to clarify this. This patch removes whitespace considerations from the Strict|Unsafe toggle and consolidates them all in the StrictWhitespace|UnsafeWhitespace toggle. Added a bunch of logic comments to read_request_line parsing. Dropped the badwhitespace list for an all-or-nothing toggle in rrl. Leading space before the method is optimized to be evaluated only once. Toggled the request from HTTP/0.9 to HTTP/1.0 for more BAD_REQUEST cases. Moved s/[\n\v\f\r]/ / cleanup logic earlier in the cycle, to operate on each individual line read, and catch bad whitespace errors earlier. This changes the obs-fold to more efficiently condense whitespace and forces concatenation with a single SP, always. Overrides are not necessary since obs-fold is clearly deprecated. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1757589 13f79535-47bb-0310-9956-ffa450edef68
-
- Aug 24, 2016
-
-
Stefan Eissing authored
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1757540 13f79535-47bb-0310-9956-ffa450edef68
-
Stefan Eissing authored
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1757534 13f79535-47bb-0310-9956-ffa450edef68
-
Stefan Eissing authored
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1757524 13f79535-47bb-0310-9956-ffa450edef68
-
- Aug 23, 2016
-
-
Eric Covener authored
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1757290 13f79535-47bb-0310-9956-ffa450edef68
-
Eric Covener authored
more PR60024 feedback re: consistent terminology. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1757289 13f79535-47bb-0310-9956-ffa450edef68
-
- Aug 22, 2016
-
-
Jacob Champion authored
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1757281 13f79535-47bb-0310-9956-ffa450edef68
-
Jacob Champion authored
The how-to was a little behind the times. Update to modern ciphersuite selections, and teach the reader more about *why* certain selections and settings are chosen. Try to future-proof a little bit by including the "last-reviewed" date and pointing to Mozilla's recommendation tool. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1757280 13f79535-47bb-0310-9956-ffa450edef68
-
Joe Orton authored
if RAND_bytes() fails; possible per API, although not in practice with the OpenSSL implementation. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1757147 13f79535-47bb-0310-9956-ffa450edef68
-
- Aug 21, 2016
-
-
Yann Ylavic authored
rpluem: The default is disablereuse=off and the code you removed makes the default disablereuse=on. ylavic: so right.. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1757097 13f79535-47bb-0310-9956-ffa450edef68
-