Posted to cvs@httpd.apache.org by jo...@apache.org on 2004/08/27 11:03:24 UTC
cvs commit: httpd-2.0/server util_script.c
jorton 2004/08/27 02:03:24
Modified: . Tag: APACHE_2_0_BRANCH CHANGES STATUS
modules/mappers Tag: APACHE_2_0_BRANCH mod_rewrite.c
modules/ssl Tag: APACHE_2_0_BRANCH mod_ssl.h ssl_engine_io.c
ssl_engine_vars.c
os/unix Tag: APACHE_2_0_BRANCH unixd.c
server Tag: APACHE_2_0_BRANCH util_script.c
Log:
Backport from HEAD:
* os/unix/unixd.c (unixd_accept): Eliminate now-redundant call to
apr_os_sock_get(); let APR check for accept returning zero on TPF.
* modules/ssl/ssl_engine_io.c (ssl_io_input_read): Fix rollback
handling for AP_MODE_SPECULATIVE.
* modules/mappers/mod_rewrite.c (post_config): Retrieve optional
functions from mod_ssl. (lookup_variable): Support SSL:...
and HTTPS variables via mod_ssl optional hooks, if available.
* server/util_script.c (ap_scan_script_header_err_core): Set
Content-Range in r->headers_out, so that the byterange filter knows to
do nothing for a CGI script which produced a content-range.
* modules/ssl/mod_ssl.h: Declare ssl_is_https optional function.
* modules/ssl/ssl_engine_vars.c (ssl_is_https): New function.
(ssl_var_register): Register it.
PR: 30134, 30464
Reviewed by: trawick, jerenkrantz, nd, stoddard
Revision Changes Path
No revision
No revision
1.988.2.338 +13 -0 httpd-2.0/CHANGES
Index: CHANGES
===================================================================
RCS file: /home/cvs/httpd-2.0/CHANGES,v
retrieving revision 1.988.2.337
retrieving revision 1.988.2.338
diff -d -w -u -r1.988.2.337 -r1.988.2.338
--- CHANGES 26 Aug 2004 22:16:52 -0000 1.988.2.337
+++ CHANGES 27 Aug 2004 09:03:21 -0000 1.988.2.338
@@ -1,5 +1,18 @@
Changes with Apache 2.0.51
+ *) SECURITY: CAN-2004-0751 (cve.mitre.org)
+ mod_ssl: Fix a segfault in the SSL input filter which could be
+ triggered if using "speculative" mode, for instance by a
+ proxy request to an SSL server. PR 30134. [Joe Orton]
+
+ *) mod_rewrite: Add %{SSL:...} and %{HTTPS} variable lookups.
+ PR 30464. [Joe Orton]
+
+ *) mod_ssl: Add new 'ssl_is_https' optional function. [Joe Orton]
+
+ *) Prevent CGI script output which includes a Content-Range header
+ from being passed through the byterange filter. [Joe Orton]
+
*) Satisfy directives now can be influenced by a surrounding <Limit>
container. PR 14726. [Andr� Malo]
1.751.2.1024 +1 -23 httpd-2.0/STATUS
Index: STATUS
===================================================================
RCS file: /home/cvs/httpd-2.0/STATUS,v
retrieving revision 1.751.2.1023
retrieving revision 1.751.2.1024
diff -d -w -u -r1.751.2.1023 -r1.751.2.1024
--- STATUS 26 Aug 2004 22:21:33 -0000 1.751.2.1023
+++ STATUS 27 Aug 2004 09:03:22 -0000 1.751.2.1024
@@ -83,28 +83,6 @@
+1: stoddard, trawick
nd: I'd like to add 1.169
- *) [SECURITY] mod_ssl: Fix potential input filter segfaults in SPECULATIVE mode.
- http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/ssl/ssl_engine_io.c?r1=1.125&r2=1.126
- PR: 30134
- +1: jorton, trawick, jerenkrantz
-
- *) unixd_accept: Eliminate now-unnecessary apr_os_sock_get() call.
- http://cvs.apache.org/viewcvs.cgi/httpd-2.0/os/unix/unixd.c?r1=1.66&r2=1.67
- +1: jorton, trawick, jerenkrantz
-
- *) Prevent byterange filter doing its thang for a CGI which returns a Content-Range
- http://cvs.apache.org/viewcvs.cgi/httpd-2.0/server/util_script.c?r1=1.89&r2=1.90
- +1: jorton, trawick, nd, jerenkrantz
-
- *) mod_ssl: Add ssl_is_https optional hook.
- http://www.apache.org/~jorton/mod_ssl-2.0-ishttps.diff
- +1: jorton, stoddard, trawick, nd
-
- *) mod_rewrite: Add %{SSL:...} and %{HTTPS} support (regression from 1.3/mod_ssl).
- http://www.apache.org/~jorton/mod_rewrite-2.0-sslvar.diff
- PR: 30464
- +1: jorton, stoddard, nd
-
*) Remove LDAP toolkit specific code from util_ldap and mod_auth_ldap.
modules/experimental/mod_auth_ldap.c: 1.28
modules/experimental/util_ldap.c: 1.36
No revision
No revision
1.135.2.29 +24 -0 httpd-2.0/modules/mappers/mod_rewrite.c
Index: mod_rewrite.c
===================================================================
RCS file: /home/cvs/httpd-2.0/modules/mappers/mod_rewrite.c,v
retrieving revision 1.135.2.28
retrieving revision 1.135.2.29
diff -d -w -u -r1.135.2.28 -r1.135.2.29
--- mod_rewrite.c 26 Aug 2004 21:53:24 -0000 1.135.2.28
+++ mod_rewrite.c 27 Aug 2004 09:03:23 -0000 1.135.2.29
@@ -73,6 +73,14 @@
#include "http_protocol.h"
#include "mod_rewrite.h"
+/* mod_ssl.h is not safe for inclusion in 2.0, so duplicate the
+ * optional function declarations. */
+APR_DECLARE_OPTIONAL_FN(char *, ssl_var_lookup,
+ (apr_pool_t *, server_rec *,
+ conn_rec *, request_rec *,
+ char *));
+APR_DECLARE_OPTIONAL_FN(int, ssl_is_https, (conn_rec *));
+
#if !defined(OS2) && !defined(WIN32) && !defined(BEOS) && !defined(NETWARE)
#include "unixd.h"
#define MOD_REWRITE_SET_MUTEX_PERMS /* XXX Apache should define something */
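Review bot: The two duplicated `APR_DECLARE_OPTIONAL_FN` declarations have nothing tying them to the originals in mod_ssl.h, so a later signature change there would still compile here and the call through the retrieved pointer would use the wrong prototype. The comment should say so explicitly, e.g. `/* ... duplicate the optional function declarations; these MUST match modules/ssl/mod_ssl.h exactly. */`. A matching reminder next to the declarations in mod_ssl.h would cover the other direction.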
@@ -135,6 +143,10 @@
static apr_global_mutex_t *rewrite_mapr_lock_acquire = NULL;
static apr_global_mutex_t *rewrite_log_lock = NULL;
+/* Optional functions imported from mod_ssl when loaded: */
+static APR_OPTIONAL_FN_TYPE(ssl_var_lookup) *rewrite_ssl_lookup = NULL;
+static APR_OPTIONAL_FN_TYPE(ssl_is_https) *rewrite_is_https = NULL;
+
/*
** +-------------------------------------------------------+
** | |
@@ -1018,6 +1030,10 @@
}
}
}
+
+ rewrite_ssl_lookup = APR_RETRIEVE_OPTIONAL_FN(ssl_var_lookup);
+ rewrite_is_https = APR_RETRIEVE_OPTIONAL_FN(ssl_is_https);
+
return OK;
}
@@ -3902,6 +3918,11 @@
result = getenv(var+4);
}
}
+ else if (strlen(var) > 4 && !strncasecmp(var, "SSL:", 4)
+ && rewrite_ssl_lookup) {
+ result = rewrite_ssl_lookup(r->pool, r->server, r->connection, r,
+ var + 4);
+ }
#define LOOKAHEAD(subrecfunc) \
if ( \
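Review bot: When mod_ssl is not loaded, the new `SSL:` branch is skipped without any diagnostic, so a RewriteCond that tests a certificate or cipher variable is presumably evaluated against whatever lookup_variable yields for an unknown name. Such conditions are often used for access decisions, so a comment should record the behaviour, e.g. `/* Without mod_ssl the SSL: prefix is not handled and the variable expands as unknown. */`. A rewrite-log line at that point would help further. The `strlen(var) > 4` test also walks the whole string, where `!strncasecmp(var, "SSL:", 4) && var[4] != '\0'` checks the same thing. lookup_variable starts and ends outside this hunk.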
@@ -3949,6 +3970,9 @@
if (r->finfo.valid & APR_FINFO_GROUP) {
apr_group_name_get((char **)&result, r->finfo.group, r->pool);
}
+ } else if (strcasecmp(var, "HTTPS") == 0) {
+ int flag = rewrite_is_https && rewrite_is_https(r->connection);
+ result = flag ? "on" : "off";
}
if (result == NULL) {
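Review bot: `%{HTTPS}` expands to "off" both for a plain connection and when `rewrite_is_https` is NULL because mod_ssl is absent, and nothing in the branch says so even though redirect-to-TLS rules commonly key on this value. I would add `/* "off" also when mod_ssl is not loaded; reflects mod_ssl's state for this connection only. */` above the `int flag` line. As a style point, `} else if (strcasecmp(var, "HTTPS") == 0) {` departs from the `}` / `else if (!strcasecmp(...))` layout used by the `SSL:` branch added earlier in this same commit. The enclosing function extends beyond the hunk.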
No revision
No revision
1.122.2.11 +4 -0 httpd-2.0/modules/ssl/mod_ssl.h
Index: mod_ssl.h
===================================================================
RCS file: /home/cvs/httpd-2.0/modules/ssl/mod_ssl.h,v
retrieving revision 1.122.2.10
retrieving revision 1.122.2.11
diff -d -w -u -r1.122.2.10 -r1.122.2.11
--- mod_ssl.h 23 Aug 2004 15:18:54 -0000 1.122.2.10
+++ mod_ssl.h 27 Aug 2004 09:03:24 -0000 1.122.2.11
@@ -665,6 +665,10 @@
conn_rec *, request_rec *,
char *));
+/* An optional function which returns non-zero if the given connection
+ * is using SSL/TLS. */
+APR_DECLARE_OPTIONAL_FN(int, ssl_is_https, (conn_rec *));
+
/* Proxy Support */
int ssl_proxy_enable(conn_rec *c);
int ssl_engine_disable(conn_rec *c);
1.100.2.16 +6 -2 httpd-2.0/modules/ssl/ssl_engine_io.c
Index: ssl_engine_io.c
===================================================================
RCS file: /home/cvs/httpd-2.0/modules/ssl/ssl_engine_io.c,v
retrieving revision 1.100.2.15
retrieving revision 1.100.2.16
diff -d -w -u -r1.100.2.15 -r1.100.2.16
--- ssl_engine_io.c 23 Aug 2004 14:59:52 -0000 1.100.2.15
+++ ssl_engine_io.c 27 Aug 2004 09:03:24 -0000 1.100.2.16
@@ -562,8 +562,12 @@
*len = bytes;
if (inctx->mode == AP_MODE_SPECULATIVE) {
/* We want to rollback this read. */
+ if (inctx->cbuf.length > 0) {
inctx->cbuf.value -= bytes;
inctx->cbuf.length += bytes;
+ } else {
+ char_buffer_write(&inctx->cbuf, buf, (int)bytes);
+ }
return APR_SUCCESS;
}
/* This could probably be *len == wanted, but be safe from stray
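Review bot: The comment `/* We want to rollback this read. */` no longer explains the code, because the rollback now has two cases and the reason for the second one is the whole fix. I would expand it to something like `/* Rewind in place if data remains; if the read drained cbuf, value can no longer be rewound, so restore it from buf. */`. If char_buffer_write() stores the `buf` pointer rather than copying (its body is not in this hunk), the rollback also relies on `buf` staying valid until the next read, which deserves a word in the same comment. The `(int)bytes` cast narrows silently; a note or assertion that `bytes` is bounded by the requested length would make that safe to read. The enclosing function starts and ends outside the hunk.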
1.22.2.9 +7 -0 httpd-2.0/modules/ssl/ssl_engine_vars.c
Index: ssl_engine_vars.c
===================================================================
RCS file: /home/cvs/httpd-2.0/modules/ssl/ssl_engine_vars.c,v
retrieving revision 1.22.2.8
retrieving revision 1.22.2.9
diff -d -w -u -r1.22.2.8 -r1.22.2.9
--- ssl_engine_vars.c 9 Feb 2004 20:53:20 -0000 1.22.2.8
+++ ssl_engine_vars.c 27 Aug 2004 09:03:24 -0000 1.22.2.9
@@ -47,8 +47,15 @@
static void ssl_var_lookup_ssl_cipher_bits(SSL *ssl, int *usekeysize, int *algkeysize);
static char *ssl_var_lookup_ssl_version(apr_pool_t *p, char *var);
+static int ssl_is_https(conn_rec *c)
+{
+ SSLConnRec *sslconn = myConnConfig(c);
+ return sslconn && sslconn->ssl;
+}
+
void ssl_var_register(void)
{
+ APR_REGISTER_OPTIONAL_FN(ssl_is_https);
APR_REGISTER_OPTIONAL_FN(ssl_var_lookup);
return;
}
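Review bot: ssl_is_https() is defined without a comment, and the test `sslconn && sslconn->ssl` is the only statement of what "is HTTPS" means for callers such as mod_rewrite. A one-line header would do: `/* Optional function: non-zero iff this connection has an SSL engine attached (sslconn->ssl set). */`. Whether that also holds for outgoing proxy connections cannot be seen from this hunk and is worth stating in the same comment.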
No revision
No revision
1.55.2.11 +1 -8 httpd-2.0/os/unix/unixd.c
Index: unixd.c
===================================================================
RCS file: /home/cvs/httpd-2.0/os/unix/unixd.c,v
retrieving revision 1.55.2.10
retrieving revision 1.55.2.11
diff -d -w -u -r1.55.2.10 -r1.55.2.11
--- unixd.c 26 May 2004 23:03:13 -0000 1.55.2.10
+++ unixd.c 27 Aug 2004 09:03:24 -0000 1.55.2.11
@@ -462,19 +462,12 @@
{
apr_socket_t *csd;
apr_status_t status;
- int sockdes;
*accepted = NULL;
status = apr_accept(&csd, lr->sd, ptrans);
if (status == APR_SUCCESS) {
*accepted = csd;
- apr_os_sock_get(&sockdes, csd);
-#ifdef TPF
- if (sockdes == 0) { /* 0 is invalid socket for TPF */
- return APR_EINTR;
- }
-#endif
- return status;
+ return APR_SUCCESS;
}
if (APR_STATUS_IS_EINTR(status)) {
No revision
No revision
1.80.2.6 +3 -0 httpd-2.0/server/util_script.c
Index: util_script.c
===================================================================
RCS file: /home/cvs/httpd-2.0/server/util_script.c,v
retrieving revision 1.80.2.5
retrieving revision 1.80.2.6
diff -d -w -u -r1.80.2.5 -r1.80.2.6
--- util_script.c 9 Feb 2004 20:59:46 -0000 1.80.2.5
+++ util_script.c 27 Aug 2004 09:03:24 -0000 1.80.2.6
@@ -556,6 +556,9 @@
else if (!strcasecmp(w, "Content-Length")) {
apr_table_set(r->headers_out, w, l);
}
+ else if (!strcasecmp(w, "Content-Range")) {
+ apr_table_set(r->headers_out, w, l);
+ }
else if (!strcasecmp(w, "Transfer-Encoding")) {
apr_table_set(r->headers_out, w, l);
}
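Review bot: The new `Content-Range` branch copies the script's value into `r->headers_out` unchecked, and nothing in the code says why this header is singled out. A comment such as `/* Presence of Content-Range makes the byterange filter leave the body alone; the value is taken from the script as is. */` would record the intent given in the commit log. The branch body is identical to the `Content-Length` and `Transfer-Encoding` branches around it, so the three conditions could share one `apr_table_set()` call. The enclosing function extends beyond this hunk.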