Posted to cvs@httpd.apache.org by rb...@apache.org on 2002/06/04 09:12:27 UTC
cvs commit: httpd-2.0/modules/ssl mod_ssl.c mod_ssl.h ssl_engine_io.c ssl_engine_kernel.c
rbb 2002/06/04 00:12:27
Modified: . CHANGES
modules/ssl mod_ssl.c mod_ssl.h ssl_engine_io.c
ssl_engine_kernel.c
Log:
Remove all special mod_ssl URIs. This also fixes the bug where
redirecting (.*) will allow an SSL protected page to be viewed
without SSL.
Revision Changes Path
1.807 +4 -0 httpd-2.0/CHANGES
Index: CHANGES
===================================================================
RCS file: /home/cvs/httpd-2.0/CHANGES,v
retrieving revision 1.806
retrieving revision 1.807
diff -u -r1.806 -r1.807
--- CHANGES 3 Jun 2002 18:06:26 -0000 1.806
+++ CHANGES 4 Jun 2002 07:12:25 -0000 1.807
@@ -1,5 +1,9 @@
Changes with Apache 2.0.37
+ *) Remove all special mod_ssl URIs. This also fixes the bug where
+ redirecting (.*) will allow an SSL protected page to be viewed
+ without SSL. [Ryan Bloom]
+
*) Fix the binary build install script so that the build logic
created by "apxs -g" will work when the user has a binary
build. [Jeff Trawick]
1.69 +0 -1 httpd-2.0/modules/ssl/mod_ssl.c
Index: mod_ssl.c
===================================================================
RCS file: /home/cvs/httpd-2.0/modules/ssl/mod_ssl.c,v
retrieving revision 1.68
retrieving revision 1.69
diff -u -r1.68 -r1.69
--- mod_ssl.c 17 May 2002 11:24:17 -0000 1.68
+++ mod_ssl.c 4 Jun 2002 07:12:26 -0000 1.69
@@ -583,7 +583,6 @@
ap_hook_post_config (ssl_init_Module, NULL,NULL, APR_HOOK_MIDDLE);
ap_hook_http_method (ssl_hook_http_method, NULL,NULL, APR_HOOK_MIDDLE);
ap_hook_default_port (ssl_hook_default_port, NULL,NULL, APR_HOOK_MIDDLE);
- ap_hook_handler (ssl_hook_Handler, NULL,NULL, APR_HOOK_MIDDLE);
ap_hook_pre_config (ssl_hook_pre_config, NULL,NULL, APR_HOOK_MIDDLE);
ap_hook_child_init (ssl_init_Child, NULL,NULL, APR_HOOK_MIDDLE);
ap_hook_translate_name(ssl_hook_Translate, NULL,NULL, APR_HOOK_MIDDLE);
1.119 +1 -0 httpd-2.0/modules/ssl/mod_ssl.h
Index: mod_ssl.h
===================================================================
RCS file: /home/cvs/httpd-2.0/modules/ssl/mod_ssl.h,v
retrieving revision 1.118
retrieving revision 1.119
diff -u -r1.118 -r1.119
--- mod_ssl.h 4 Jun 2002 02:19:32 -0000 1.118
+++ mod_ssl.h 4 Jun 2002 07:12:26 -0000 1.119
@@ -414,6 +414,7 @@
int verify_depth;
int is_proxy;
int disabled;
+ int non_ssl_request;
} SSLConnRec;
typedef struct {
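Review bot: The new `non_ssl_request` member of SSLConnRec carries no comment, although the rest of this commit makes it the only state that marks a connection as plain HTTP on an SSL port. A one-line comment on the field would help, for example `int non_ssl_request; /* plain HTTP arrived on an SSL port; every request on this connection is answered with 400 */`. The code that allocates SSLConnRec is not part of this diff, so confirm the structure is zero-filled on creation; otherwise the flag starts with an indeterminate value.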
1.78 +14 -2 httpd-2.0/modules/ssl/ssl_engine_io.c
Index: ssl_engine_io.c
===================================================================
RCS file: /home/cvs/httpd-2.0/modules/ssl/ssl_engine_io.c,v
retrieving revision 1.77
retrieving revision 1.78
diff -u -r1.77 -r1.78
--- ssl_engine_io.c 17 May 2002 11:24:17 -0000 1.77
+++ ssl_engine_io.c 4 Jun 2002 07:12:26 -0000 1.78
@@ -741,8 +741,17 @@
return APR_SUCCESS;
}
+/* Just use a simple request. Any request will work for this, because
+ * we use a flag in the conn_rec->conn_vector now. The fake request just
+ * gets the request back to the Apache core so that a response can be sent.
+ *
+ * We should probably use a 0.9 request, but the BIO bucket code is calling
+ * socket_bucket_read one extra time with all 0.9 requests from the client.
+ * Until that is resolved, continue to use a 1.0 request, just like we
+ * always have.
+ */
#define HTTP_ON_HTTPS_PORT \
- "GET /mod_ssl:error:HTTP-request HTTP/1.0"
+ "GET / HTTP/1.0"
#define HTTP_ON_HTTPS_PORT_BUCKET(alloc) \
apr_bucket_immortal_create(HTTP_ON_HTTPS_PORT, \
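Review bot: The comment added above HTTP_ON_HTTPS_PORT says the flag lives in `conn_rec->conn_vector`, but the later hunks in this file set it as `sslconn->non_ssl_request` on the record returned by `myConnConfig(f->c)`; naming the field makes it searchable. The comment should also state the consequence of the new request line: `/` is a real, servable URI, so the faked request is only harmless while the flag check in ssl_engine_kernel.c rejects it first. Suggested first sentence: `Any request line works here because sslconn->non_ssl_request is set before it is injected; the request hook must answer 400 and never serve this URI.` The HTTP_ON_HTTPS_PORT_BUCKET definition continues past the end of the hunk.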
@@ -760,6 +769,7 @@
apr_bucket_brigade *bb,
apr_status_t status)
{
+ SSLConnRec *sslconn = myConnConfig(f->c);
apr_bucket *bucket;
switch (status) {
@@ -771,9 +781,11 @@
"trying to send HTML error page");
ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, f->c->base_server);
+ sslconn->non_ssl_request = 1;
+ ssl_io_filter_disable(f);
+
/* fake the request line */
bucket = HTTP_ON_HTTPS_PORT_BUCKET(f->c->bucket_alloc);
- ssl_io_filter_disable(f);
break;
default:
1.72 +28 -50 httpd-2.0/modules/ssl/ssl_engine_kernel.c
Index: ssl_engine_kernel.c
===================================================================
RCS file: /home/cvs/httpd-2.0/modules/ssl/ssl_engine_kernel.c,v
retrieving revision 1.71
retrieving revision 1.72
diff -u -r1.71 -r1.72
--- ssl_engine_kernel.c 17 May 2002 11:24:17 -0000 1.71
+++ ssl_engine_kernel.c 4 Jun 2002 07:12:26 -0000 1.72
@@ -174,6 +174,34 @@
return DECLINED;
}
+ if (sslconn->non_ssl_request) {
+ const char *errmsg;
+ char *thisurl;
+ char *thisport = "";
+ int port = ap_get_server_port(r);
+
+ if (!ap_is_default_port(port, r)) {
+ thisport = apr_psprintf(r->pool, ":%u", port);
+ }
+
+ thisurl = ap_escape_html(r->pool,
+ apr_psprintf(r->pool, "https://%s%s/",
+ ap_get_server_name(r),
+ thisport));
+
+ errmsg = apr_psprintf(r->pool,
+ "Reason: You're speaking plain HTTP "
+ "to an SSL-enabled server port.<br />\n"
+ "Instead use the HTTPS scheme to access "
+ "this URL, please.<br />\n"
+ "<blockquote>Hint: "
+ "<a href=\"%s\"><b>%s</b></a></blockquote>",
+ thisurl, thisurl);
+
+ apr_table_setn(r->notes, "error-notes", errmsg);
+ return HTTP_BAD_REQUEST;
+ }
+
/*
* Get the SSL connection structure and perform the
* delayed interlinking from SSL back to request_rec
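Review bot: The added `if (sslconn->non_ssl_request)` block is now the sole barrier between the faked `GET /` and the content of `/` being sent in clear text, and nothing in the block says so. I would add a comment such as `/* Plain HTTP on an SSL port: reject here so the faked request line is never served without SSL. */`. The block sits after an earlier `return DECLINED;` whose condition is outside the hunk (the enclosing function begins outside it as well); if that path can be taken on a connection where the I/O filter has set the flag, the request would proceed unencrypted, so the ordering deserves a check. Minor: `port` is declared `int` but formatted with `":%u"`; `%d` or an unsigned local would match the type.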
@@ -182,13 +210,6 @@
SSL_set_app_data2(ssl, r);
}
- /*
- * Force the mod_ssl content handler when URL indicates this
- */
- if (strEQn(r->uri, "/mod_ssl:", 9)) {
- r->handler = "mod_ssl:content-handler";
- }
-
return DECLINED;
}
@@ -262,49 +283,6 @@
}
return DECLINED;
-}
-
-/*
- * Content Handler
- */
-int ssl_hook_Handler(request_rec *r)
-{
- if (strNE(r->handler, "mod_ssl:content-handler")) {
- return DECLINED;
- }
-
- if (strNEn(r->uri, "/mod_ssl:", 9)) {
- return DECLINED;
- }
-
- if (strEQ(r->uri, "/mod_ssl:error:HTTP-request")) {
- const char *errmsg;
- char *thisurl;
- char *thisport = "";
- int port = ap_get_server_port(r);
-
- if (!ap_is_default_port(port, r)) {
- thisport = apr_psprintf(r->pool, ":%u", port);
- }
-
- thisurl = ap_escape_html(r->pool,
- apr_psprintf(r->pool, "https://%s%s/",
- ap_get_server_name(r),
- thisport));
-
- errmsg = apr_psprintf(r->pool,
- "Reason: You're speaking plain HTTP "
- "to an SSL-enabled server port.<br />\n"
- "Instead use the HTTPS scheme to access "
- "this URL, please.<br />\n"
- "<blockquote>Hint: "
- "<a href=\"%s\"><b>%s</b></a></blockquote>",
- thisurl, thisurl);
-
- apr_table_setn(r->notes, "error-notes", errmsg);
- }
-
- return HTTP_BAD_REQUEST;
}
/*