Posted to dev@httpd.apache.org by Rob Hartill <ro...@imdb.com> on 1997/01/12 23:05:05 UTC

[PATCH]es Re: Patches to be applied?

On Sun, 12 Jan 1997, Randy Terbush wrote:

> If anyone has submitted other patches, please resubmit them to the
> list, and try adding the [PATCH] so I can try out my new procmail 
> rules. :)

Here are some patches. I don't know if they should be committed or not.


	1) mod_access - Ben said the "user-agent" stuff should be removed
		if/when the "env=" check was added to replace it. It might
		be worth leaving the code #ifdef'd out for now.

Index: mod_access.c
===================================================================
RCS file: /export/home/cvs/apache/src/mod_access.c,v
retrieving revision 1.3
diff -u -r1.3 mod_access.c
--- mod_access.c        1997/01/12 21:40:55     1.3
+++ mod_access.c        1997/01/12 21:44:29
@@ -188,7 +188,7 @@
 
        if (!strncmp(ap[i].from,"env=",4) && table_get(r->subprocess_env,ap[i].f
rom+4))
            return 1;
-           
+#ifdef USER_AGENTS_HACK
         if (ap[i].from && !strcmp(ap[i].from, "user-agents")) {
            char * this_agent = table_get(r->headers_in, "User-Agent");
            int j;
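Review bot: With `USER_AGENTS_HACK` undefined, an existing `allow from user-agents` or `deny from user-agents` entry is no longer recognised here and appears to fall through to the `"all"` comparison and whatever matching follows it, so a deny rule that relied on it could silently stop applying. The `#ifdef` opened in this hunk is closed by the `#endif` in the next hunk (`@@ -200,6 +200,7 @@`), and neither carries a comment; I would add `/* superseded by "env="; define USER_AGENTS_HACK to keep "user-agents" entries working */` above the `#ifdef` and write the close as `#endif /* USER_AGENTS_HACK */`. It would also be safer for the directive handler, which is not visible here, to reject or log a `user-agents` argument when this code is compiled out. The enclosing function starts and ends outside both hunks.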
@@ -200,6 +200,7 @@
            }
            return 0;
        }
+#endif
        
        if (!strcmp (ap[i].from, "all"))
            return 1;





	2) ScriptLog security hole. Authorization headers need to be removed


Index: mod_cgi.c
===================================================================
RCS file: /export/home/cvs/apache/src/mod_cgi.c,v
retrieving revision 1.4
diff -u -r1.4 mod_cgi.c
--- mod_cgi.c   1997/01/02 03:34:57     1.4
+++ mod_cgi.c   1997/01/12 01:29:12
@@ -212,6 +212,7 @@
     fputs("%request\n", f);
     for (i = 0; i < hdrs_arr->nelts; ++i) {
       if (!hdrs[i].key) continue;
+      if (!strcmp(hdrs[i].key, "Authorization")) continue;
       fprintf(f, "%s: %s\n", hdrs[i].key, hdrs[i].val);
     }
     if ((r->method_number == M_POST || r->method_number == M_PUT)
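Review bot: The added `strcmp(hdrs[i].key, "Authorization")` is case-sensitive, but HTTP header names are not, so unless the keys are normalised before they reach this loop a request that sends `authorization:` would still have its credentials written to the script log. I would use `if (!strcasecmp(hdrs[i].key, "Authorization")) continue;` and consider skipping `Proxy-Authorization` the same way. The alternative patch further down (the `@@ -212,6 +212,12 @@` hunk) uses the same comparison and needs the same change. The function containing this loop starts and ends outside the hunk.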



	A reasonable solution to this might be to write out "XXXXX" if
	the "realm" is anything other than "log-test". A search on
	"log-test" would be adequate.

	An untested patch:


Index: mod_cgi.c
===================================================================
RCS file: /export/home/cvs/apache/src/mod_cgi.c,v
retrieving revision 1.4
diff -u -r1.4 mod_cgi.c
--- mod_cgi.c   1997/01/02 03:34:57     1.4
+++ mod_cgi.c   1997/01/12 21:53:49
@@ -212,6 +212,12 @@
     fputs("%request\n", f);
     for (i = 0; i < hdrs_arr->nelts; ++i) {
       if (!hdrs[i].key) continue;
+      if (!strcmp(hdrs[i].key, "Authorization")) {
+           if (!strstr(hdrs[i].val, "log-test")) {
+                 fprintf(f, "%s: XXX use realm \"log-test\" to log unencrypted password here XXX\n", hdrs[i].key);
+                continue;
+           }
+      }
       fprintf(f, "%s: %s\n", hdrs[i].key, hdrs[i].val);
     }
     if ((r->method_number == M_POST || r->method_number == M_PUT)
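Review bot: The `strstr(hdrs[i].val, "log-test")` test inspects the client-supplied header value, and for Basic authentication that value is only the scheme name followed by base64-encoded credentials; the realm is sent by the server in `WWW-Authenticate` and is not echoed back in `Authorization`. A well-formed Basic header therefore never matches, and for any scheme that does carry a realm the check trusts whatever the client chose to send. Deciding on the server's own configured realm would match the stated intent, for example `if (!auth_name(r) || strcmp(auth_name(r), "log-test")) {` in place of the `strstr` line, assuming the core's `auth_name()` accessor is usable from this module. A comment above the block saying that credentials are logged in clear only for the `log-test` realm would also help. The function containing this loop starts and ends outside the hunk.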




	3) mod_expires is working hard to check sub-requests' expiration dates
		only for them to be ignored, it does the same for errors

		I only remember support from Andy on an *earlier* version
		of this patch.


Index: mod_expires.c
===================================================================
RCS file: /export/home/cvs/apache/src/mod_expires.c,v
retrieving revision 1.2
diff -u -r1.2 mod_expires.c
--- mod_expires.c       1997/01/02 03:35:02     1.2
+++ mod_expires.c       1997/01/12 21:57:55
@@ -383,18 +383,24 @@
 
 int add_expires(request_rec *r)
 {
-    expires_dir_config *conf =
-            (expires_dir_config *)get_module_config(r->per_dir_config, &expires
_module);
+    expires_dir_config *conf;
     char *code;
     time_t base; 
     time_t additional; 
     time_t expires; 
 
-    if ( r->finfo.st_mode == 0 )
+    if (is_HTTP_ERROR(r->status)) {  /* Don't add Expires headers to errors */
        return DECLINED;
+    }
 
-    /* COMMA bites my ass...
-     */
+    if (r->main != NULL) {           /* Say no to subrequests */
+       return DECLINED;
+    }
+
+    if ( r->finfo.st_mode == 0 )     /* no file ? shame. */
+       return DECLINED;
+
+    conf = (expires_dir_config *)get_module_config(r->per_dir_config, &expires_
module);
     if ( conf == NULL ) {
         log_reason ("internal error in expires_module; add_expires(), conf == N
ULL", r->filename, r);
        return SERVER_ERROR;
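Review bot: The three guards at the top of `add_expires` are written in two different styles: the new error and subrequest checks are braced and use `if (`, while the `st_mode` check keeps `if ( … )` with no braces around its `return DECLINED;`. I would brace it like the others, `if (r->finfo.st_mode == 0) {  /* no file */`, followed by the `return DECLINED;` and a closing `}`. Since the function now declines in three cases before it reads its configuration, a short comment above the function listing them (error responses, subrequests, no file) would save the next reader from reconstructing that. The function body continues past the end of the hunk.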