Posted to dev@httpd.apache.org by Randy Terbush <ra...@zyzzyva.com> on 1997/01/13 04:21:59 UTC

Re: [PATCH]es Re: Patches to be applied?

#1 +1
#2 -1  It's my understanding that ScriptLog is for debugging.
#3 +1


> On Sun, 12 Jan 1997, Randy Terbush wrote:
> 
> > If anyone has submitted other patches, please resubmit them to the
> > list, and try adding the [PATCH] so I can try out my new procmail 
> > rules. :)
> 
> Here are some patches. I don't know if they should be committed or not.
> 
> 
> 	1) mod_access - Ben said the "user-agent" stuff should be removed
> 		if/when the "env=" check was added to replace it. It might
> 		be worth leaving the code #ifdef'd out for now.
> 
> Index: mod_access.c
> ===================================================================
> RCS file: /export/home/cvs/apache/src/mod_access.c,v
> retrieving revision 1.3
> diff -u -r1.3 mod_access.c
> --- mod_access.c        1997/01/12 21:40:55     1.3
> +++ mod_access.c        1997/01/12 21:44:29
> @@ -188,7 +188,7 @@
>  
>         if (!strncmp(ap[i].from,"env=",4) && table_get(r->subprocess_env,ap[i].f
> rom+4))
>             return 1;
> -           
> +#ifdef USER_AGENTS_HACK
>          if (ap[i].from && !strcmp(ap[i].from, "user-agents")) {
>             char * this_agent = table_get(r->headers_in, "User-Agent");
>             int j;
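Review bot: USER_AGENTS_HACK, the macro that now guards this block, is neither defined nor explained anywhere in the diff, so a later reader of mod_access.c cannot tell whether the user-agents form is retired or only temporarily disabled; put a one-line comment above the `#ifdef` saying it is superseded by the `env=` check and slated for removal, or remove the block outright as Ben asked. The block being fenced off also guards `ap[i].from` against NULL before its strcmp, while the `env=` strncmp immediately above it dereferences `ap[i].from` with no such guard; if from can be NULL the surviving check needs the guard, and if it cannot, the guard is dead weight.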
> @@ -200,6 +200,7 @@
>             }
>             return 0;
>         }
> +#endif
>         
>         if (!strcmp (ap[i].from, "all"))
>             return 1;
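Review bot: the bare `+#endif` closing a block that started a dozen lines earlier in another hunk should carry the conventional trailer `#endif /* USER_AGENTS_HACK */` so the pairing is visible without scrolling, and the `strcmp (ap[i].from, "all")` that follows it has the same missing NULL guard noted for the `env=` check above.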
> 
> 
> 
> 
> 
> 	2) ScriptLog security hole. Authorization headers need to be removed
> 
> 
> Index: mod_cgi.c
> ===================================================================
> RCS file: /export/home/cvs/apache/src/mod_cgi.c,v
> retrieving revision 1.4
> diff -u -r1.4 mod_cgi.c
> --- mod_cgi.c   1997/01/02 03:34:57     1.4
> +++ mod_cgi.c   1997/01/12 01:29:12
> @@ -212,6 +212,7 @@
>      fputs("%request\n", f);
>      for (i = 0; i < hdrs_arr->nelts; ++i) {
>        if (!hdrs[i].key) continue;
> +      if (!strcmp(hdrs[i].key, "Authorization")) continue;
>        fprintf(f, "%s: %s\n", hdrs[i].key, hdrs[i].val);
>      }
>      if ((r->method_number == M_POST || r->method_number == M_PUT)
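Review bot: `strcmp(hdrs[i].key, "Authorization")` is case-sensitive, but HTTP header names are not, and this loop writes the keys out exactly as they sit in the table; a request that sends `authorization:` in lower case is therefore not matched and its credentials are still written to the log. Use a case-insensitive comparison such as strcasecmp here. It would also be better to emit a placeholder line (the `XXXXX` idea mentioned later in this mail) than to `continue` past the header, so the log still shows that credentials were sent, which is often exactly what the person debugging a CGI needs to know.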
> 
> 
> 
> 	A reasonable solution to this might be to write out "XXXXX" if
> 	the "realm" is anything other than "log-test". A search on
> 	"log-test" would be adequate.
> 
> 	An untested patch:
> 
> 
> Index: mod_cgi.c
> ===================================================================
> RCS file: /export/home/cvs/apache/src/mod_cgi.c,v
> retrieving revision 1.4
> diff -u -r1.4 mod_cgi.c
> --- mod_cgi.c   1997/01/02 03:34:57     1.4
> +++ mod_cgi.c   1997/01/12 21:53:49
> @@ -212,6 +212,12 @@
>      fputs("%request\n", f);
>      for (i = 0; i < hdrs_arr->nelts; ++i) {
>        if (!hdrs[i].key) continue;
> +      if (!strcmp(hdrs[i].key, "Authorization")) {
> +           if (!strstr(hdrs[i].val, "log-test")) {
> +                 fprintf(f, "%s: XXX use realm \"log-test\" to log unencrypted password here XXX\n", hdrs[i].key);
> +                continue;
> +           }
> +      }
>        fprintf(f, "%s: %s\n", hdrs[i].key, hdrs[i].val);
>      }
>      if ((r->method_number == M_POST || r->method_number == M_PUT)
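Review bot: `strstr(hdrs[i].val, "log-test")` searches for the realm inside the Authorization value, but a Basic credential consists only of the scheme name and the base64 of user:password and never carries the realm (the realm is sent by the server in its WWW-Authenticate challenge), so for Basic auth this test always fails and the header is always masked; that is the safe outcome, but it is not what the message written to the log promises. If a debugging realm is wanted, decide from the realm configured for the request rather than from the header value, keep the case-insensitivity fix from the first version of this hunk, and settle the indentation of the new block, which drifts between 11, 16 and 17 spaces.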
> 
> 
> 
> 
> 	3) mod_expires is working hard to check sub-requests' expiration dates
> 		only for them to be ignored, it does the same for errors
> 
> 		I only remember support from Andy on an *earlier* version
> 		of this patch.
> 
> 
> Index: mod_expires.c
> ===================================================================
> RCS file: /export/home/cvs/apache/src/mod_expires.c,v
> retrieving revision 1.2
> diff -u -r1.2 mod_expires.c
> --- mod_expires.c       1997/01/02 03:35:02     1.2
> +++ mod_expires.c       1997/01/12 21:57:55
> @@ -383,18 +383,24 @@
>  
>  int add_expires(request_rec *r)
>  {
> -    expires_dir_config *conf =
> -            (expires_dir_config *)get_module_config(r->per_dir_config, &expires
> _module);
> +    expires_dir_config *conf;
>      char *code;
>      time_t base; 
>      time_t additional; 
>      time_t expires; 
>  
> -    if ( r->finfo.st_mode == 0 )
> +    if (is_HTTP_ERROR(r->status)) {  /* Don't add Expires headers to errors */
>         return DECLINED;
> +    }
>  
> -    /* COMMA bites my ass...
> -     */
> +    if (r->main != NULL) {           /* Say no to subrequests */
> +       return DECLINED;
> +    }
> +
> +    if ( r->finfo.st_mode == 0 )     /* no file ? shame. */
> +       return DECLINED;
> +
> +    conf = (expires_dir_config *)get_module_config(r->per_dir_config, &expires_
> module);
>      if ( conf == NULL ) {
>          log_reason ("internal error in expires_module; add_expires(), conf == N
> ULL", r->filename, r);
>         return SERVER_ERROR;
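Review bot: the three early returns now mix two styles, the new `is_HTTP_ERROR` and `r->main != NULL` checks being braced while the retained `if ( r->finfo.st_mode == 0 )` is not; pick one. Moving the get_module_config call below the early returns is the right order, since declined requests no longer pay for the lookup and the `conf == NULL` error path still follows it directly. The comment `/* no file ? shame. */` tells the reader nothing; say what a zero st_mode means here (no stat information for this request) so the condition can be judged later.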
> 
> 
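An added example, not code from this thread or from Apache, showing the ScriptLog `%request` loop from item 2 rewritten so that credential headers are masked rather than logged. The `header_entry` type, `write_request_log`, `demo_log` and the sample credential are all constructed stand-ins for the `hdrs[i].key` / `hdrs[i].val` table that mod_cgi.c walks; the one substantive change from the quoted patch is that the header name is compared without regard to case, which is what an HTTP header comparison needs and what a plain `strcmp` does not provide.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the hdrs[i].key / hdrs[i].val entries that
 * mod_cgi.c walks when it writes the "%request" section of a ScriptLog entry. */
typedef struct {
    const char *key;
    const char *val;
} header_entry;

/* Headers whose values carry credentials and must never reach the log.
 * Only Authorization is discussed in the thread; extend as policy requires. */
static const char *const REDACTED_HEADERS[] = { "Authorization" };

/* ASCII case-insensitive equality. HTTP header names are case-insensitive,
 * so a plain strcmp() would let "authorization:" slip through unmasked. */
static int key_equals_nocase(const char *a, const char *b)
{
    for (; *a && *b; a++, b++) {
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    }
    return *a == '\0' && *b == '\0';
}

/* Returns 1 if the header name is on the redaction list, else 0. */
int is_credential_header(const char *key)
{
    size_t i;
    for (i = 0; i < sizeof REDACTED_HEADERS / sizeof REDACTED_HEADERS[0]; i++) {
        if (key_equals_nocase(key, REDACTED_HEADERS[i]))
            return 1;
    }
    return 0;
}

/* Render the "%request" block into buf the way the mod_cgi.c loop does, but
 * replace credential values with a fixed marker so the log still records that
 * the header was present. Returns the number of bytes written, or -1 if buf
 * is too small. */
int write_request_log(char *buf, size_t buflen,
                      const header_entry *hdrs, int nelts)
{
    size_t used = 0;
    int n, i;

    n = snprintf(buf, buflen, "%%request\n");
    if (n < 0 || (size_t)n >= buflen)
        return -1;
    used = (size_t)n;

    for (i = 0; i < nelts; i++) {
        if (!hdrs[i].key)          /* deleted table slot, as in the original loop */
            continue;
        if (is_credential_header(hdrs[i].key))
            n = snprintf(buf + used, buflen - used, "%s: [redacted]\n", hdrs[i].key);
        else
            n = snprintf(buf + used, buflen - used, "%s: %s\n", hdrs[i].key, hdrs[i].val);
        if (n < 0 || (size_t)n >= buflen - used)
            return -1;
        used += (size_t)n;
    }
    return (int)used;
}

/* Constructed request headers as a client might send them. The lower-case
 * "authorization" key is the case a strcmp() against "Authorization" misses;
 * the Basic value is a made-up user:secret credential, not a real one. */
int demo_log(char *buf, size_t buflen)
{
    static const header_entry sample[] = {
        { "Host",          "example.test" },
        { NULL,            NULL },                       /* deleted slot, skipped */
        { "authorization", "Basic dXNlcjpzZWNyZXQ=" },  /* constructed credential */
        { "User-Agent",    "constructed-client/1.0" },
    };
    return write_request_log(buf, buflen, sample,
                             (int)(sizeof sample / sizeof sample[0]));
}

int main(void)
{
    char buf[512];
    if (demo_log(buf, sizeof buf) < 0)
        return 1;
    fputs(buf, stdout);   /* the authorization line appears with "[redacted]" */
    return 0;
}
```

Running it prints the constructed request block with the credential replaced by a marker and the other headers untouched. Masking the value rather than dropping the line keeps the log useful for the debugging ScriptLog exists for: the person reading it can still see that the client sent credentials, without the log file becoming a second copy of every password that passes through the server.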




Re: [PATCH]es Re: Patches to be applied?

Posted by Rob Hartill <ro...@imdb.com>.
On Sun, 12 Jan 1997, Randy Terbush wrote:

> #2 -1  It's my understanding that ScriptLog is for debugging.

my last word on this subject:

is it ok for "gdb" to have known security holes and rejected fixes because
it's only for debugging ?


do I shrug now ?

rob