Posted to cvs@httpd.apache.org by rp...@apache.org on 2020/07/20 05:58:50 UTC
svn commit: r1880060 - in /httpd/httpd/branches/2.4.x: ./ CHANGES
server/util_script.c
Author: rpluem
Date: Mon Jul 20 05:58:49 2020
New Revision: 1880060
URL: http://svn.apache.org/viewvc?rev=1880060&view=rev
Log:
* Add the missing bits of backport commit r1879641:
http://svn.apache.org/r1750747
http://svn.apache.org/r1750749
http://svn.apache.org/r1750953
http://svn.apache.org/r1751138
http://svn.apache.org/r1751139
http://svn.apache.org/r1751147
http://svn.apache.org/r1757818
http://svn.apache.org/r1879253
http://svn.apache.org/r1879348
*) core: Drop an invalid Last-Modified header value coming
from a (F)CGI script instead of replacing it with Unix epoch.
Warn the users about Last-Modified header value replacements
and violations of the RFC.
trunk patch: http://svn.apache.org/r1748379
http://svn.apache.org/r1750747
http://svn.apache.org/r1750749
http://svn.apache.org/r1750953
http://svn.apache.org/r1751138
http://svn.apache.org/r1751139
http://svn.apache.org/r1751147
http://svn.apache.org/r1757818
http://svn.apache.org/r1879253
http://svn.apache.org/r1879348
2.4.x: trunk patches work, final view:
http://home.apache.org/~elukey/httpd-2.4.x-core-last_modified_tz_logging.patch
svn merge -c 1748379,1750747,1750749,1750953,1751138,1751139,1751139,1757818,1879253,r1879348 ^/httpd/httpd/trunk .
The code has been tested with a simple PHP script returning different Last-Modified
headers (GMT now, GMT now Europe/Paris, GMT tomorrow, GMT yesterday, PST now).
+1: elukey, jorton, jim
jorton: +1 though I'd say log at WARN or INFO for the APR_BAD_DATE case
rather than "silently" (at normal log-level) dropping the parsed header?
[also nit: wrapping a lone ap_log_rerror(,APLOG_X) call in
if (APLOGrX(..) is unnecessary/redundant]
Modified:
httpd/httpd/branches/2.4.x/ (props changed)
httpd/httpd/branches/2.4.x/CHANGES
httpd/httpd/branches/2.4.x/server/util_script.c
Propchange: httpd/httpd/branches/2.4.x/
------------------------------------------------------------------------------
Merged /httpd/httpd/trunk:r1750747,1750749,1750953,1751138-1751139,1757818,1879253,1879348
Modified: httpd/httpd/branches/2.4.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/CHANGES?rev=1880060&r1=1880059&r2=1880060&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.4.x/CHANGES [utf-8] Mon Jul 20 05:58:49 2020
@@ -17,7 +17,7 @@ Changes with Apache 2.4.44
*) core: Drop an invalid Last-Modified header value coming
from a FCGI/CGI script instead of replacing it with Unix epoch.
- [Luca Toscano]
+ [Yann Ylavic, Luca Toscano]
*) Add support for strict content-length parsing through addition of
ap_parse_strict_length() [Yann Ylavic]
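Review bot: The CHANGES entry touched here still describes only dropping the invalid value, while the commit log also lists "Warn the users about Last-Modified header value replacements and violations of the RFC" and the util_script.c part of this commit adds an APLOG_INFO message tagged APLOGNO(10247). Consider adding a sentence to the entry about the new logging so that admins reading CHANGES know which messages to expect.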
Modified: httpd/httpd/branches/2.4.x/server/util_script.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/server/util_script.c?rev=1880060&r1=1880059&r2=1880060&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/server/util_script.c (original)
+++ httpd/httpd/branches/2.4.x/server/util_script.c Mon Jul 20 05:58:49 2020
@@ -672,15 +672,50 @@ AP_DECLARE(int) ap_scan_script_header_er
* pass it on blindly because of restrictions on future or invalid values.
*/
else if (!strcasecmp(w, "Last-Modified")) {
- apr_time_t last_modified_date = apr_date_parse_http(l);
- if (last_modified_date != APR_DATE_BAD) {
- ap_update_mtime(r, last_modified_date);
+ apr_time_t parsed_date = apr_date_parse_http(l);
+ if (parsed_date != APR_DATE_BAD) {
+ ap_update_mtime(r, parsed_date);
ap_set_last_modified(r);
+ if (APLOGrtrace1(r)) {
+ apr_time_t last_modified_date = apr_date_parse_http(apr_table_get(r->headers_out,
+ "Last-Modified"));
+ /*
+ * A Last-Modified header value coming from a (F)CGI source
+ * is considered HTTP input so we assume the GMT timezone.
+ * The following logs should inform the admin about violations
+ * and related actions taken by httpd.
+ * The apr_date_parse_rfc function is 'timezone aware'
+ * and it will be used to generate a more informative set of logs
+ * (we don't use it as a replacement of apr_date_parse_http
+ * for the aforementioned reason).
+ */
+ apr_time_t parsed_date_tz_aware = apr_date_parse_rfc(l);
+
+ /*
+ * The parsed Last-Modified header datestring has been replaced by httpd.
+ */
+ if (parsed_date > last_modified_date) {
+ ap_log_rerror(SCRIPT_LOG_MARK, APLOG_TRACE1, 0, r,
+ "The Last-Modified header value %s (%s) "
+ "has been replaced with '%s'", l,
+ parsed_date != parsed_date_tz_aware ? "not in GMT"
+ : "in the future",
+ apr_table_get(r->headers_out, "Last-Modified"));
+ /*
+ * Last-Modified header datestring not in GMT and not considered in the future
+ * by httpd (like now() + 1 hour in the PST timezone). No action is taken but
+ * the admin is warned about the violation.
+ */
+ } else if (parsed_date != parsed_date_tz_aware) {
+ ap_log_rerror(SCRIPT_LOG_MARK, APLOG_TRACE1, 0, r,
+ "The Last-Modified header value is not set "
+ "within the GMT timezone (as required)");
+ }
+ }
}
else {
- if (APLOGrtrace1(r))
- ap_log_rerror(SCRIPT_LOG_MARK, APLOG_TRACE1, 0, r,
- "Ignored invalid header value: Last-Modified: '%s'", l);
+ ap_log_rerror(SCRIPT_LOG_MARK, APLOG_INFO, 0, r, APLOGNO(10247)
+ "Ignored invalid header value: Last-Modified: '%s'", l);
}
}
else if (!strcasecmp(w, "Set-Cookie")) {
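Review bot: parsed_date_tz_aware is compared against parsed_date in both branches of the APLOGrtrace1 block without first being checked against APR_DATE_BAD. If apr_date_parse_rfc(l) fails on a string that apr_date_parse_http(l) accepted, the mismatch would be logged as "not in GMT" or "not set within the GMT timezone", which misstates the cause; suggest guarding both comparisons with parsed_date_tz_aware != APR_DATE_BAD. Separately, the replacement and timezone messages are emitted only when trace1 logging is enabled, although the commit log describes them as warnings to users, so either raise their level or document that trace1 is required to see them. Style: the comment describing the else-if branch sits inside the preceding if block, before its closing brace; moving it into the branch it describes would make the control flow easier to follow.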