You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@httpd.apache.org by "William A. Rowe Jr." <wr...@rowe-clan.net> on 2011/09/07 18:34:45 UTC

Re: svn commit: r1164894 - in /httpd/httpd/branches/2.2.x: CHANGES docs/conf/httpd.conf.in docs/manual/mod/core.xml include/ap_mmn.h include/http_core.h modules/http/byterange_filter.c server/core.c

On 9/3/2011 12:42 PM, covener@apache.org wrote:
> Author: covener
> Date: Sat Sep  3 17:42:56 2011
> New Revision: 1164894
> 
> URL: http://svn.apache.org/viewvc?rev=1164894&view=rev
> Log:
> backport revisions 1162584, 1164861, 1162587 from trunk:
> 
> Add MaxRanges directive and limit # of accepted ranges to 200 by default.

So this doesn't make sense in deploying a patch but seems appropriate to at
least allow for compiled-in settings...  For purposes of < 2.2.21 patching,
this would be my interpretation, using the same -Define as in the soon to be
released versions.  Comments?

> Modified: httpd/httpd/branches/2.2.x/modules/http/byterange_filter.c
> URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/http/byterange_filter.c?rev=1164894&r1=1164893&r2=1164894&view=diff
> ==============================================================================
> --- httpd/httpd/branches/2.2.x/modules/http/byterange_filter.c (original)
> +++ httpd/httpd/branches/2.2.x/modules/http/byterange_filter.c Sat Sep  3 17:42:56 2011
> @@ -55,6 +55,10 @@
>  #include <unistd.h>
>  #endif
>  
> +#ifndef DEFAULT_MAX_RANGES
> +#define DEFAULT_MAX_RANGES 200
> +#endif
> +
>  static int ap_set_byterange(request_rec *r, apr_off_t clength,
>                              apr_array_header_t **indexes);
>  
> @@ -290,7 +294,7 @@ AP_CORE_DECLARE_NONSTD(apr_status_t) ap_
>      num_ranges = ap_set_byterange(r, clength, &indexes);
>  
>      /* We have nothing to do, get out of the way. */
> -    if (num_ranges == 0) {
> +    if (num_ranges == 0 || (DEFAULT_MAX_RANGES > 0 && num_ranges > DEFAULT_MAX_RANGES)) {
>          r->status = original_status;
>          ap_remove_output_filter(f);
>          return ap_pass_brigade(f->next, bb);
>

Re: svn commit: r1164894 - in /httpd/httpd/branches/2.2.x: CHANGES docs/conf/httpd.conf.in docs/manual/mod/core.xml include/ap_mmn.h include/http_core.h modules/http/byterange_filter.c server/core.c

Posted by "William A. Rowe Jr." <wr...@rowe-clan.net>.

On 9/7/2011 11:56 AM, Eric Covener wrote:
> 
> I think it's useful, but maybe not baked into the same patch as the fix?

Because of recent backchannel traffic on the topic, it's mandatory.

Committers to httpd, remember you may subscribe to security@h.a.o if you
have a history of contributing/intend to contribute to security fixes.

> Just noticing -- should the macro be AP_* before it ships in 2.2.21 or
> apply_to/?

Agree with you both... +1

Re: svn commit: r1164894 - in /httpd/httpd/branches/2.2.x: CHANGES docs/conf/httpd.conf.in docs/manual/mod/core.xml include/ap_mmn.h include/http_core.h modules/http/byterange_filter.c server/core.c

Posted by Jim Jagielski <ji...@apache.org>.

Seems to me the macro should be AP_

+1

On Sep 7, 2011, at 12:56 PM, Eric Covener wrote:

> 
> I think it's useful, but maybe not baked into the same patch as the fix?
> 
> Just noticing -- should the macro be AP_* before it ships in 2.2.21 or
> apply_to/?
> 
> -- 
> Eric Covener
> covener@gmail.com
>

Re: svn commit: r1164894 - in /httpd/httpd/branches/2.2.x: CHANGES docs/conf/httpd.conf.in docs/manual/mod/core.xml include/ap_mmn.h include/http_core.h modules/http/byterange_filter.c server/core.c

Posted by Eric Covener <co...@gmail.com>.

On Wed, Sep 7, 2011 at 12:34 PM, William A. Rowe Jr.
<wr...@rowe-clan.net> wrote:
> On 9/3/2011 12:42 PM, covener@apache.org wrote:
>> Author: covener
>> Date: Sat Sep  3 17:42:56 2011
>> New Revision: 1164894
>>
>> URL: http://svn.apache.org/viewvc?rev=1164894&view=rev
>> Log:
>> backport revisions 1162584, 1164861, 1162587 from trunk:
>>
>> Add MaxRanges directive and limit # of accepted ranges to 200 by default.
>
> So this doesn't make sense in deploying a patch but seems appropriate to at
> least allow for compiled-in settings...  For purposes of < 2.2.21 patching,
> this would be my interpretation, using the same -Define as in the soon to be
> released versions.  Comments?
>

>> Modified: httpd/httpd/branches/2.2.x/modules/http/byterange_filter.c
>> URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/http/byterange_filter.c?rev=1164894&r1=1164893&r2=1164894&view=diff
>> ==============================================================================
>> --- httpd/httpd/branches/2.2.x/modules/http/byterange_filter.c (original)
>> +++ httpd/httpd/branches/2.2.x/modules/http/byterange_filter.c Sat Sep  3 17:42:56 2011
>> @@ -55,6 +55,10 @@
>>  #include <unistd.h>
>>  #endif
>>
>> +#ifndef DEFAULT_MAX_RANGES
>> +#define DEFAULT_MAX_RANGES 200
>> +#endif
>> +
>>  static int ap_set_byterange(request_rec *r, apr_off_t clength,
>>                              apr_array_header_t **indexes);
>>
>> @@ -290,7 +294,7 @@ AP_CORE_DECLARE_NONSTD(apr_status_t) ap_
>>      num_ranges = ap_set_byterange(r, clength, &indexes);
>>
>>      /* We have nothing to do, get out of the way. */
>> -    if (num_ranges == 0) {
>> +    if (num_ranges == 0 || (DEFAULT_MAX_RANGES > 0 && num_ranges > DEFAULT_MAX_RANGES)) {
>>          r->status = original_status;
>>          ap_remove_output_filter(f);
>>          return ap_pass_brigade(f->next, bb);
>>
>
>

I think it's useful, but maybe not baked into the same patch as the fix?

Just noticing -- should the macro be AP_* before it ships in 2.2.21 or
apply_to/?

-- 
Eric Covener
covener@gmail.com