Posted to dev@httpd.apache.org by Randy Terbush <ra...@zyzzyva.com> on 1997/01/13 04:21:59 UTC
Re: [PATCH]es Re: Patches to be applied?
#1 +1
#2 -1 It's my understanding that ScriptLog is for debugging.
#3 +1
> On Sun, 12 Jan 1997, Randy Terbush wrote:
>
> > If anyone has submitted other patches, please resubmit them to the
> > list, and try adding the [PATCH] so I can try out my new procmail
> > rules. :)
>
> Here are some patches. I don't know if they should be committed or not.
>
>
> 1) mod_access - Ben said the "user-agent" stuff should be removed
> if/when the "env=" check was added to replace it. It might
> be worth leaving the code #ifdef'd out for now.
>
> Index: mod_access.c
> ===================================================================
> RCS file: /export/home/cvs/apache/src/mod_access.c,v
> retrieving revision 1.3
> diff -u -r1.3 mod_access.c
> --- mod_access.c 1997/01/12 21:40:55 1.3
> +++ mod_access.c 1997/01/12 21:44:29
> @@ -188,7 +188,7 @@
>
> if (!strncmp(ap[i].from,"env=",4) && table_get(r->subprocess_env,ap[i].f
> rom+4))
> return 1;
> -
> +#ifdef USER_AGENTS_HACK
> if (ap[i].from && !strcmp(ap[i].from, "user-agents")) {
> char * this_agent = table_get(r->headers_in, "User-Agent");
> int j;
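Review bot: the line `table_get(r->subprocess_env,ap[i].f` / `rom+4))` has been wrapped by the mailer, so this hunk will not apply as posted; please resend the patch as an attachment or with line wrapping turned off. On the logic, the `env=` test dereferences `ap[i].from` unconditionally while the block being guarded right below it first checks `ap[i].from &&`; either the NULL guard belongs on the `env=` test too, or it is redundant below and can go.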
> @@ -200,6 +200,7 @@
> }
> return 0;
> }
> +#endif
>
> if (!strcmp (ap[i].from, "all"))
> return 1;
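Review bot: with `USER_AGENTS_HACK` undefined, nothing here rejects the `user-agents` keyword at configuration time, so an existing `user-agents` entry in an access list would silently fall through to the `all` and host comparisons that follow instead of failing loudly; if the branch is compiled out, the directive handler should refuse the keyword (or at least log a warning) so administrators notice the change.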
>
>
>
>
>
> 2) ScriptLog security hole. Authorization headers need to be removed
>
>
> Index: mod_cgi.c
> ===================================================================
> RCS file: /export/home/cvs/apache/src/mod_cgi.c,v
> retrieving revision 1.4
> diff -u -r1.4 mod_cgi.c
> --- mod_cgi.c 1997/01/02 03:34:57 1.4
> +++ mod_cgi.c 1997/01/12 01:29:12
> @@ -212,6 +212,7 @@
> fputs("%request\n", f);
> for (i = 0; i < hdrs_arr->nelts; ++i) {
> if (!hdrs[i].key) continue;
> + if (!strcmp(hdrs[i].key, "Authorization")) continue;
> fprintf(f, "%s: %s\n", hdrs[i].key, hdrs[i].val);
> }
> if ((r->method_number == M_POST || r->method_number == M_PUT)
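Review bot: `strcmp(hdrs[i].key, "Authorization")` is case-sensitive, but HTTP field names are not, so a client that sends `authorization:` in lowercase still gets its credentials written to the script log; use `strcasecmp` here, and cover `Proxy-Authorization` with the same test, since it carries credentials as well.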
>
>
>
> A reasonable solution to this might be to write out "XXXXX" if
> the "realm" is anything other than "log-test". A search on
> "log-test" would be adequate.
>
> An untested patch:
>
>
> Index: mod_cgi.c
> ===================================================================
> RCS file: /export/home/cvs/apache/src/mod_cgi.c,v
> retrieving revision 1.4
> diff -u -r1.4 mod_cgi.c
> --- mod_cgi.c 1997/01/02 03:34:57 1.4
> +++ mod_cgi.c 1997/01/12 21:53:49
> @@ -212,6 +212,12 @@
> fputs("%request\n", f);
> for (i = 0; i < hdrs_arr->nelts; ++i) {
> if (!hdrs[i].key) continue;
> + if (!strcmp(hdrs[i].key, "Authorization")) {
> + if (!strstr(hdrs[i].val, "log-test")) {
> + fprintf(f, "%s: XXX use realm \"log-test\" to log unencrypted password here XXX\n", hdrs[i].key);
> + continue;
> + }
> + }
> fprintf(f, "%s: %s\n", hdrs[i].key, hdrs[i].val);
> }
> if ((r->method_number == M_POST || r->method_number == M_PUT)
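Review bot: `strstr(hdrs[i].val, "log-test")` searches for the realm inside the Authorization value, but for Basic authentication that value is only `Basic <base64 credentials>` and carries no realm at all (the realm is in the server's challenge), so the opt-in could never fire for Basic, and in any case the decision is driven by client-supplied data rather than server configuration. Key it on the realm configured for the request instead, and note that the `strcmp` on the header name has the same case-sensitivity problem as the first patch.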
>
>
>
>
> 3) mod_expires is working hard to check sub-requests' expiration dates
> only for them to be ignored; it does the same for errors
>
> I only remember support from Andy on an *earlier* version
> of this patch.
>
>
> Index: mod_expires.c
> ===================================================================
> RCS file: /export/home/cvs/apache/src/mod_expires.c,v
> retrieving revision 1.2
> diff -u -r1.2 mod_expires.c
> --- mod_expires.c 1997/01/02 03:35:02 1.2
> +++ mod_expires.c 1997/01/12 21:57:55
> @@ -383,18 +383,24 @@
>
> int add_expires(request_rec *r)
> {
> - expires_dir_config *conf =
> - (expires_dir_config *)get_module_config(r->per_dir_config, &expires
> _module);
> + expires_dir_config *conf;
> char *code;
> time_t base;
> time_t additional;
> time_t expires;
>
> - if ( r->finfo.st_mode == 0 )
> + if (is_HTTP_ERROR(r->status)) { /* Don't add Expires headers to errors */
> return DECLINED;
> + }
>
> - /* COMMA bites my ass...
> - */
> + if (r->main != NULL) { /* Say no to subrequests */
> + return DECLINED;
> + }
> +
> + if ( r->finfo.st_mode == 0 ) /* no file ? shame. */
> + return DECLINED;
> +
> + conf = (expires_dir_config *)get_module_config(r->per_dir_config, &expires_
> module);
> if ( conf == NULL ) {
> log_reason ("internal error in expires_module; add_expires(), conf == N
> ULL", r->filename, r);
> return SERVER_ERROR;
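Review bot: three lines of this hunk (`&expires` / `_module);`, `&expires_` / `module);` and `conf == N` / `ULL"`) are wrapped at the mailer's column limit, so the patch will not apply as posted; resend it unwrapped. The reordering itself is sound: both early returns now run before `get_module_config`, so the config lookup is only paid for requests that can get a header. The comments could say why, though: the subrequest check should note that subrequest headers are never the ones sent (the reason the description gives), and the `is_HTTP_ERROR` check should say that error responses must not be cached past their fix; `/* no file ? shame. */` would read better as a plain statement of what is being skipped.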
>
>
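A hardened form of the ScriptLog header dump that the two mod_cgi patches above work on, added here as an example; it is not code from either patch or from Apache. It matches credential header names case-insensitively and keys the opt-in on the realm configured for the request, as Rob suggests, rather than on the header value; `header_t`, the realm parameters, `demo_log` and the sample headers are constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

typedef struct { const char *key; const char *val; } header_t;

/* Header names whose values carry credentials; HTTP field names are
 * case-insensitive, so they are matched with strcasecmp. */
static const char *const credential_headers[] = {
    "Authorization", "Proxy-Authorization", NULL };

static int is_credential_header(const char *key) {
    for (int i = 0; credential_headers[i]; i++)
        if (strcasecmp(key, credential_headers[i]) == 0) return 1;
    return 0;
}

/* Write the "%request" header lines into out. Credential headers are
 * logged as XXXXX unless the realm configured for the request equals
 * debug_realm; the header value itself never drives the decision.
 * Returns the number of lines written, or -1 if out is too small. */
int log_request_headers(char *out, size_t n, const header_t *hdrs, int nelts,
                        const char *realm, const char *debug_realm) {
    int reveal = realm && debug_realm && strcmp(realm, debug_realm) == 0;
    size_t used = 0; int lines = 0;
    for (int i = 0; i < nelts; i++) {
        if (!hdrs[i].key) continue;                   /* deleted table slot */
        const char *val = hdrs[i].val;
        if (!reveal && is_credential_header(hdrs[i].key)) val = "XXXXX";
        int w = snprintf(out + used, n - used, "%s: %s\n", hdrs[i].key, val);
        if (w < 0 || (size_t)w >= n - used) return -1;
        used += (size_t)w;
        lines++;
    }
    return lines;
}

/* Constructed sample headers (not a real capture); the lowercase
 * "authorization" shows why a case-sensitive strcmp is not enough. */
static const header_t sample_hdrs[] = {
    {"Host", "example.test"}, {"authorization", "Basic dXNlcjpzZWNyZXQ="},
    {NULL, NULL}, {"Proxy-Authorization", "Basic eDp5"} };
char demo_log[256];

/* Render the sample into demo_log for a given configured realm. */
int render_demo(const char *realm) {
    return log_request_headers(demo_log, sizeof demo_log, sample_hdrs, 4,
                               realm, "log-test");
}
```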
Re: [PATCH]es Re: Patches to be applied?
Posted by Rob Hartill <ro...@imdb.com>.
On Sun, 12 Jan 1997, Randy Terbush wrote:
> #2 -1 It's my understanding that ScriptLog is for debugging.
my last word on this subject:
is it ok for "gdb" to have known security holes and rejected fixes because
it's only for debugging?
do I shrug now?
rob