cvs commit: apache-1.3/src/modules/standard mod_digest.c
marc98/08/09 14:03:25 Modified:src/modules/standard mod_digest.c Log: Wrap line properly for 80 cols. Revision ChangesPath 1.39 +2 -1 apache-1.3/src/modules/standard/mod_digest.c
Index: mod_digest.c
===
RCS file: /export/home/cvs/apache-1.3/src/modules/standard/mod_digest.c,v
retrieving revision 1.38
retrieving revision 1.39
diff -u -r1.38 -r1.39
--- mod_digest.c 1998/08/09 12:34:17 1.38
+++ mod_digest.c 1998/08/09 21:03:25 1.39
@@ -162,7 +162,8 @@
 if (strcasecmp(scheme=ap_getword(r->pool, &auth_line, ' '), "Digest")) {
 /* Client tried to authenticate using wrong auth scheme */
 ap_log_error(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
- "client used wrong authentication scheme: %s for %s", scheme, r->uri);
+ "client used wrong authentication scheme: %s for %s",
+ scheme, r->uri);
 ap_note_digest_auth_failure(r);
 return AUTH_REQUIRED;
 }
cvs commit: apache-1.3/src/modules/proxy proxy_http.c proxy_util.c
dgaudet 98/08/09 10:39:36 Modified:src/modules/proxy proxy_http.c proxy_util.c Log: more comments Revision ChangesPath 1.56 +2 -0 apache-1.3/src/modules/proxy/proxy_http.c Index: proxy_http.c === RCS file: /export/home/cvs/apache-1.3/src/modules/proxy/proxy_http.c,v retrieving revision 1.55 retrieving revision 1.56 diff -u -r1.55 -r1.56 --- proxy_http.c 1998/08/09 17:36:27 1.55 +++ proxy_http.c 1998/08/09 17:39:25 1.56 @@ -427,6 +427,8 @@ ap_rvputs(r, hdr[i].field, ": ", hdr[i].value, CRLF, NULL); /* XXX: can't this be ap_table_setn? -djg */ ap_table_set(r->headers_out, hdr[i].field, hdr[i].value); + /* XXX: regardless, there's an O(n^2) attack here, which + * could be fixed with ap_overlap_tables */ } if (cache != NULL) if (ap_bvputs(cache, hdr[i].field, ": ", hdr[i].value, CRLF, 1.68 +1 -0 apache-1.3/src/modules/proxy/proxy_util.c Index: proxy_util.c === RCS file: /export/home/cvs/apache-1.3/src/modules/proxy/proxy_util.c,v retrieving revision 1.67 retrieving revision 1.68 diff -u -r1.67 -r1.68 --- proxy_util.c 1998/08/09 17:36:28 1.67 +++ proxy_util.c 1998/08/09 17:39:25 1.68 @@ -643,6 +643,7 @@ ap_bvputs(fp, hdrs[i].field, ": ", hdrs[i].value, CRLF, NULL); /* XXX: can't this be ap_table_setn? -djg */ ap_table_set(r->headers_out, hdrs[i].field, hdrs[i].value); + /* XXX: another O(n^2) attack, fixed by ap_overlap_tables */ } ap_bputs(CRLF, fp);
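Review bot: The XXX comment added after `ap_table_set(r->headers_out, hdr[i].field, hdr[i].value)` in proxy_http.c names an O(n^2) attack without saying what n is or who controls it, and the one-line comment added in proxy_util.c has the same gap. From the visible loops n appears to be the number of entries in `hdr[]` / `hdrs[]`, presumably the header fields of the proxied response, and the quadratic cost would come from each `ap_table_set` scanning the table it is filling; whether that count is bounded before the loop is not visible in either hunk. I would put that in the comment, e.g. `/* XXX: one ap_table_set per header is O(n^2) in the header count, which the remote end chooses; ap_overlap_tables would merge in one pass */`. Both loops start and end outside their hunks.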
cvs commit: apache-1.3/src/modules/standard mod_cern_meta.c mod_include.c
dgaudet 98/08/09 10:36:30 Modified:src/include alloc.h src/main http_protocol.c util_script.c src/modules/proxy proxy_http.c proxy_util.c src/modules/standard mod_cern_meta.c mod_include.c Log: Just some comments. Including a proposed ap_overlap_tables function which generalizes my new code in get_mime_headers(). Revision ChangesPath 1.62 +24 -0 apache-1.3/src/include/alloc.h Index: alloc.h === RCS file: /export/home/cvs/apache-1.3/src/include/alloc.h,v retrieving revision 1.61 retrieving revision 1.62 diff -u -r1.61 -r1.62 --- alloc.h 1998/06/27 18:09:28 1.61 +++ alloc.h 1998/08/09 17:36:24 1.62 @@ -192,6 +192,30 @@ API_EXPORT(table *) ap_overlay_tables(pool *p, const table *overlay, const table *base); +/* Conceptually, ap_overlap_tables does this: + +array_header *barr = ap_table_elts(b); +table_entry *belt = (table_entry *)barr->elts; +int i; + +for (i = 0; i < barr->nelts; ++i) { + if (merge) { + ap_table_mergen(a, belt[i].key, belt[i].val); + } + else { + ap_table_setn(a, belt[i].key, belt[i].val); + } +} + +Except that it is more efficient (less space and cpu-time) especially +when b has many elements. + +Notice the assumptions on the keys and values in b -- they must be +in an ancestor of a's pool. In practice b and a are usually from +the same pool. +*/ +API_EXPORT(void) ap_overlap_tables(table *a, const table *b, int merge); + /* XXX: these know about the definition of struct table in alloc.c. That * definition is not here because it is supposed to be private, and by not * placing it here we are able to get compile-time diagnostics from modules 1.235 +1 -0 apache-1.3/src/main/http_protocol.c Index: http_protocol.c === RCS file: /export/home/cvs/apache-1.3/src/main/http_protocol.c,v retrieving revision 1.234 retrieving revision 1.235 diff -u -r1.234 -r1.235 --- http_protocol.c 1998/08/09 16:57:29 1.234 +++ http_protocol.c 1998/08/09 17:36:26 1.235 
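Review bot: In the alloc.h hunk, `API_EXPORT(void) ap_overlap_tables(table *a, const table *b, int merge);` is exported as a live prototype, yet the log calls the function "proposed" and none of the files in this commit's Modified list would hold its definition, so a module that calls it would compile and then fail to link. Until the implementation is committed I would keep the declaration inside the comment or under `#if 0`. The pool requirement at the end of the comment is the part callers are most likely to miss: if the function stores b's key and value pointers without copying, as the `ap_table_setn`/`ap_table_mergen` sketch suggests, entries from a shorter-lived pool would leave dangling pointers in a, so that sentence belongs at the top of the comment rather than the bottom.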
@@ -739,6 +739,7 @@ return (signed)a->order - (signed)b->order; } +/* XXX: could use ap_overlap_tables here... which generalizes this code */ static void get_mime_headers(request_rec *r) { conn_rec *c = r->connection; 1.128 +2 -0 apache-1.3/src/main/util_script.c Index: util_script.c === RCS file: /export/home/cvs/apache-1.3/src/main/util_script.c,v retrieving revision 1.127 retrieving revision 1.128 diff -u -r1.127 -r1.128 --- util_script.c 1998/08/06 18:58:21 1.127 +++ util_script.c 1998/08/09 17:36:26 1.128 @@ -188,6 +188,7 @@ return env; } +/* XXX: this could use ap_overlap_tables */ API_EXPORT(void) ap_add_common_vars(request_rec *r) { table *e = r->subprocess_env; @@ -546,6 +547,7 @@ ap_table_add(r->err_headers_out, w, l); } else { + /* XXX: there is an O(n^2) space attack possible here */ ap_table_merge(r->err_headers_out, w, l); } } 1.55 +1 -0 apache-1.3/src/modules/proxy/proxy_http.c Index: proxy_http.c === RCS file: /export/home/cvs/apache-1.3/src/modules/proxy/proxy_http.c,v retrieving revision 1.54 retrieving revision 1.55 diff -u -r1.54 -r1.55 --- proxy_http.c 1998/08/06 17:30:43 1.54 +++ proxy_http.c 1998/08/09 17:36:27 1.55 @@ -425,6 +425,7 @@ continue; if (!r->assbackwards) { ap_rvputs(r, hdr[i].field, ": ", hdr[i].value, CRLF, NULL); + /* XXX: can't this be ap_table_setn? -djg */ ap_table_set(r->headers_out, hdr[i].field, hdr[i].value); } if (cache != NULL) 1.67 +1 -0 apache-1.3/src/modules/proxy/proxy_util.c Index: proxy_util.c === RCS file: /export/home/cvs/apache-1.3/src/modules/proxy/proxy_util.c,v retrieving revision 1.66 retrieving revision 1.67 diff -u -r1.66 -r1.67 --- proxy_util.c 1998/08/06 17:30:44 1.66 +++ proxy_util.c 1998/08/09 17:36:28 1.67 
@@ -641,6 +641,7 @@ if (hdrs[i].field == NULL) continue; ap_bvputs(fp, hdrs[i].field, ": ", hdrs[i].value, CRLF, NULL); + /* XXX: can't this be ap_table_setn? -djg */ ap_table_set(r->headers_out, hdrs[i].field, hdrs[i].value); } 1.34 +1 -0 apache-1.3/src/modules/standard/mod_cern_meta.c Index: mod_cern_meta.c ==
cvs commit: apache-1.3/src/main http_protocol.c
dgaudet 98/08/09 09:57:29 Modified:src/include httpd.h src/main http_protocol.c Log: Include everything in the limits, rather than having to remember to add 2 to some of them... which leads to off-by-1 errors like one I just committed. (I don't understand what the + 2 was all about. It doesn't fit \r\n\0...) Revision ChangesPath 1.232 +2 -2 apache-1.3/src/include/httpd.h Index: httpd.h === RCS file: /export/home/cvs/apache-1.3/src/include/httpd.h,v retrieving revision 1.231 retrieving revision 1.232 diff -u -r1.231 -r1.232 --- httpd.h 1998/08/09 06:37:16 1.231 +++ httpd.h 1998/08/09 16:57:28 1.232 @@ -551,13 +551,13 @@ * LimitRequestFieldSize, and LimitRequestBody configuration directives. */ #ifndef DEFAULT_LIMIT_REQUEST_LINE -#define DEFAULT_LIMIT_REQUEST_LINE 8190 +#define DEFAULT_LIMIT_REQUEST_LINE 8192 #endif /* default limit on bytes in Request-Line (Method+URI+HTTP-version) */ #ifndef DEFAULT_LIMIT_REQUEST_FIELDS #define DEFAULT_LIMIT_REQUEST_FIELDS 100 #endif /* default limit on number of header fields */ #ifndef DEFAULT_LIMIT_REQUEST_FIELDSIZE -#define DEFAULT_LIMIT_REQUEST_FIELDSIZE 8190 +#define DEFAULT_LIMIT_REQUEST_FIELDSIZE 8192 #endif /* default limit on bytes in any one field */ #ifndef DEFAULT_LIMIT_REQUEST_BODY #define DEFAULT_LIMIT_REQUEST_BODY 33554432ul 1.234 +5 -5 apache-1.3/src/main/http_protocol.c Index: http_protocol.c === RCS file: /export/home/cvs/apache-1.3/src/main/http_protocol.c,v retrieving revision 1.233 retrieving revision 1.234 diff -u -r1.233 -r1.234 --- http_protocol.c 1998/08/09 16:52:31 1.233 +++ http_protocol.c 1998/08/09 16:57:29 1.234 @@ -635,7 +635,7 @@ pool *tmp; tmp = ap_make_sub_pool(r->pool); -l = ap_palloc(tmp, r->server->limit_req_line + 2); +l = ap_palloc(tmp, r->server->limit_req_line); ll = l; /* Read past empty lines until we get a real request line, 
@@ -653,7 +653,7 @@ * have to block during a read. */ ap_bsetflag(conn->client, B_SAFEREAD, 1); -while ((len = getline(l, r->server->limit_req_line + 2, conn->client, 0)) <= 0) { +while ((len = getline(l, r->server->limit_req_line, conn->client, 0)) <= 0) { if ((len < 0) || ap_bgetflag(conn->client, B_EOF)) { ap_bsetflag(conn->client, B_SAFEREAD, 0); ap_destroy_pool(tmp); @@ -764,7 +764,7 @@ arr = ap_make_array(tmp, 50, sizeof(mime_key)); order = 0; -field = ap_palloc(tmp, r->server->limit_req_fieldsize + 2); +field = ap_palloc(tmp, r->server->limit_req_fieldsize); /* If headers_in is non-empty (i.e. we're parsing a trailer) then * we have to merge. Have I mentioned that I think this is a lame part @@ -794,7 +794,7 @@ * Read header lines until we get the empty separator line, a read error, * the connection closes (EOF), reach the server limit, or we timeout. */ -while ((len = getline(field, r->server->limit_req_fieldsize + 2, +while ((len = getline(field, r->server->limit_req_fieldsize, c->client, 1)) > 0) { if (++fields_read > r->server->limit_req_fields) { @@ -804,7 +804,7 @@ ap_destroy_pool(tmp); return; } -if (len >= r->server->limit_req_fieldsize + 1) { +if (len >= r->server->limit_req_fieldsize) { r->status = HTTP_BAD_REQUEST; ap_table_setn(r->notes, "error-notes", ap_pstrcat(r->pool, "Size of a request header field exceeds server limit.\n"
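Review bot: With the `+ 2` dropped from both the `ap_palloc` size and the `getline` size, the check `if (len >= r->server->limit_req_fieldsize)` in the last hunk looks unreachable. getline is not shown here, but if it follows the usual convention of storing at most size - 1 bytes plus the terminator, `len` can never reach the limit, so an over-long header field would presumably be split across reads and parsed as several fields instead of being rejected with HTTP_BAD_REQUEST. The spare bytes were what let a full buffer be told apart from a field that just fits; either keep one spare byte in the allocation and the `getline` size, or test for a full buffer with `if (len >= r->server->limit_req_fieldsize - 1)`. A comment at the check stating what getline returns when it fills the buffer would stop the next off-by-one. The enclosing loop in get_mime_headers continues outside the hunk.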
cvs commit: apache-1.3/src/main http_protocol.c
dgaudet 98/08/09 09:52:32 Modified:src CHANGES src/main http_protocol.c Log: - fix ben's fix to roy's patch (sizeof(l) and sizeof(field) are meaningless) - put my qsort fix to get_mime_headers into the repository so I don't have to worry about someone else screwing around in the same routine. Revision ChangesPath 1.1013+3 -0 apache-1.3/src/CHANGES Index: CHANGES === RCS file: /export/home/cvs/apache-1.3/src/CHANGES,v retrieving revision 1.1012 retrieving revision 1.1013 diff -u -r1.1012 -r1.1013 --- CHANGES 1998/08/09 06:37:12 1.1012 +++ CHANGES 1998/08/09 16:52:29 1.1013 @@ -1,5 +1,8 @@ Changes with Apache 1.3.2 + *) SECURITY: Eliminate O(n^2) space DoS attacks (and other O(n^2) + cpu time attacks) in header parsing. [Dean Gaudet] + *) SECURITY: Added default limits for various aspects of reading a client request to avoid some simple denial of service attacks, including limits on maximum request-line size, number of header 1.233 +139 -9apache-1.3/src/main/http_protocol.c Index: http_protocol.c === RCS file: /export/home/cvs/apache-1.3/src/main/http_protocol.c,v retrieving revision 1.232 retrieving revision 1.233 diff -u -r1.232 -r1.233 --- http_protocol.c 1998/08/09 14:33:11 1.232 +++ http_protocol.c 1998/08/09 16:52:31 1.233 @@ -626,12 +626,18 @@ static int read_request_line(request_rec *r) { -char *l=alloca(r->server->limit_req_line + 2); -const char *ll = l, *uri; +char *l; +const char *ll; +const char *uri; conn_rec *conn = r->connection; int major = 1, minor = 0; /* Assume HTTP/1.0 if non-"HTTP" protocol */ int len; +pool *tmp; +tmp = ap_make_sub_pool(r->pool); +l = ap_palloc(tmp, r->server->limit_req_line + 2); +ll = l; + /* Read past empty lines until we get a real request line, * a read error, the connection closes (EOF), or we timeout. * 
@@ -647,9 +653,10 @@ * have to block during a read. */ ap_bsetflag(conn->client, B_SAFEREAD, 1); -while ((len = getline(l, sizeof(l), conn->client, 0)) <= 0) { +while ((len = getline(l, r->server->limit_req_line + 2, conn->client, 0)) <= 0) { if ((len < 0) || ap_bgetflag(conn->client, B_EOF)) { ap_bsetflag(conn->client, B_SAFEREAD, 0); + ap_destroy_pool(tmp); return 0; } } @@ -689,10 +696,11 @@ ap_parse_uri(r, uri); -if (len >= sizeof(l) - 1) { +if (len >= r->server->limit_req_line - 1) { r->status= HTTP_REQUEST_URI_TOO_LARGE; r->proto_num = HTTP_VERSION(1,0); r->protocol = ap_pstrdup(r->pool, "HTTP/1.0"); + ap_destroy_pool(tmp); return 0; } 
@@ -705,34 +713,103 @@ else r->proto_num = HTTP_VERSION(1,0); +ap_destroy_pool(tmp); return 1; } +/* Curse libc and the fact that it doesn't guarantee a stable sort. We + * have to enforce stability ourselves by using the order field. -djg + */ +typedef struct { +char *key; +char *val; +unsigned order; +} mime_key; + +static int sort_mime_headers(const void *va, const void *vb) +{ +const mime_key *a = va; +const mime_key *b = vb; +int r; + +r = strcasecmp(a->key, b->key); +if (r) { + return r; +} +return (signed)a->order - (signed)b->order; +} + static void get_mime_headers(request_rec *r) { conn_rec *c = r->connection; -char *value, *copy; +char *copy; int len; +char *value; unsigned int fields_read = 0; -char *field=alloca(r->server->limit_req_fieldsize + 2); +char *field; +array_header *arr; +pool *tmp; +mime_key *new_key; +unsigned order; +mime_key *first; +mime_key *last; +mime_key *end; +char *strp; + +/* The array will store the headers in a way that we can merge them + * later in O(n*lg(n))... rather than deal with various O(n^2) + * operations. + */ +tmp = ap_make_sub_pool(r->pool); +arr = ap_make_array(tmp, 50, sizeof(mime_key)); +order = 0; + +field = ap_palloc(tmp, r->server->limit_req_fieldsize + 2); + +/* If headers_in is non-empty (i.e. we're parsing a trailer) then + * we have to merge. Have I mentioned that I think this is a lame part + * of the HTTP standard? Anyhow, we'll cheat, and just pre-seed our + * array with the existing headers... and take advantage of the much + * faster merging here. -djg + */ +if (!ap_is_empty_table(r->headers_in)) { + array_hea
cvs commit: apache-1.3/src/modules/proxy ApacheModuleProxy.mak
ben 98/08/09 07:33:13 Modified:src ApacheCore.mak src/include http_protocol.h http_request.h src/main http_protocol.c http_request.c src/modules/proxy ApacheModuleProxy.mak Log: Make mod_proxy compile on Win32. Revision ChangesPath 1.39 +467 -277 apache-1.3/src/ApacheCore.mak Index: ApacheCore.mak === RCS file: /export/home/cvs/apache-1.3/src/ApacheCore.mak,v retrieving revision 1.38 retrieving revision 1.39 diff -u -r1.38 -r1.39 --- ApacheCore.mak1998/08/05 22:15:02 1.38 +++ ApacheCore.mak1998/08/09 14:33:09 1.39 @@ -28,10 +28,6 @@ NULL=nul !ENDIF -CPP=cl.exe -MTL=midl.exe -RSC=rc.exe - !IF "$(CFG)" == "ApacheCore - Win32 Release" OUTDIR=.\CoreR @@ -101,12 +97,46 @@ "$(OUTDIR)" : if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)" +CPP=cl.exe CPP_PROJ=/nologo /MD /W3 /GX /O2 /I ".\include" /D "WIN32" /D "NDEBUG" /D\ "_WINDOWS" /Fp"$(INTDIR)\ApacheCore.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\"\ /FD /c CPP_OBJS=.\CoreR/ CPP_SBRS=. + +.c{$(CPP_OBJS)}.obj:: + $(CPP) @<< + $(CPP_PROJ) $< +<< + +.cpp{$(CPP_OBJS)}.obj:: + $(CPP) @<< + $(CPP_PROJ) $< +<< + +.cxx{$(CPP_OBJS)}.obj:: + $(CPP) @<< + $(CPP_PROJ) $< +<< + +.c{$(CPP_SBRS)}.sbr:: + $(CPP) @<< + $(CPP_PROJ) $< +<< + +.cpp{$(CPP_SBRS)}.sbr:: + $(CPP) @<< + $(CPP_PROJ) $< +<< + +.cxx{$(CPP_SBRS)}.sbr:: + $(CPP) @<< + $(CPP_PROJ) $< +<< + +MTL=midl.exe MTL_PROJ=/nologo /D "NDEBUG" /mktyplib203 /win32 +RSC=rc.exe BSC32=bscmake.exe BSC32_FLAGS=/nologo /o"$(OUTDIR)\ApacheCore.bsc" BSC32_SBRS= \ 
@@ -284,12 +314,46 @@ "$(OUTDIR)" : if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)" +CPP=cl.exe CPP_PROJ=/nologo /MDd /W3 /Gm /GX /Zi /Od /I ".\include" /D "WIN32" /D "_DEBUG"\ /D "_WINDOWS" /FR"$(INTDIR)\\" /Fp"$(INTDIR)\ApacheCore.pch" /YX\ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c CPP_OBJS=.\CoreD/ CPP_SBRS=.\CoreD/ + +.c{$(CPP_OBJS)}.obj:: + $(CPP) @<< + $(CPP_PROJ) $< +<< + +.cpp{$(CPP_OBJS)}.obj:: + $(CPP) @<< + $(CPP_PROJ) $< +<< + +.cxx{$(CPP_OBJS)}.obj:: + $(CPP) @<< + $(CPP_PROJ) $< +<< + +.c{$(CPP_SBRS)}.sbr:: + $(CPP) @<< + $(CPP_PROJ) $< +<< + +.cpp{$(CPP_SBRS)}.sbr:: + $(CPP) @<< + $(CPP_PROJ) $< +<< + +.cxx{$(CPP_SBRS)}.sbr:: + $(CPP) @<< + $(CPP_PROJ) $< +<< + +MTL=midl.exe MTL_PROJ=/nologo /D "_DEBUG" /mktyplib203 /win32 +RSC=rc.exe BSC32=bscmake.exe BSC32_FLAGS=/nologo /o"$(OUTDIR)\ApacheCore.bsc" BSC32_SBRS= \ @@ -401,36 +465,6 @@ !ENDIF -.c{$(CPP_OBJS)}.obj:: - $(CPP) @<< - $(CPP_PROJ) $< -<< - -.cpp{$(CPP_OBJS)}.obj:: - $(CPP) @<< - $(CPP_PROJ) $< -<< - -.cxx{$(CPP_OBJS)}.obj:: - $(CPP) @<< - $(CPP_PROJ) $< -<< - -.c{$(CPP_SBRS)}.sbr:: - $(CPP) @<< - $(CPP_PROJ) $< -<< - -.cpp{$(CPP_SBRS)}.sbr:: - $(CPP) @<< - $(CPP_PROJ) $< -<< - -.cxx{$(CPP_SBRS)}.sbr:: - $(CPP) @<< - $(CPP_PROJ) $< -<< - !IF "$(CFG)" == "ApacheCore - Win32 Release" || "$(CFG)" ==\ "ApacheCore - Win32 Debug" @@ -441,8 +475,9 @@ DEP_CPP_ALLOC=\ ".\include\alloc.h"\ ".\include\ap.h"\ + ".\include\ap_config.h"\ + ".\include\ap_ctype.h"\ ".\include\buff.h"\ - ".\include\conf.h"\ ".\include\hsregex.h"\ ".\include\http_log.h"\ ".\include\httpd.h"\ @@ -451,9 +486,6 @@ ".\os\win32\os.h"\ ".\os\win32\readdir.h"\ -NODEP_CPP_ALLOC=\ - ".\include\apctype.h"\ - "$(INTDIR)\alloc.obj" : $(SOURCE) $(DEP_CPP_ALLOC) "$(INTDIR)" $(CPP) $(CPP_PROJ) $(SOURCE) @@ -464,8 +496,9 @@ DEP_CPP_ALLOC=\ ".\include\alloc.h"\ ".\include\ap.h"\ + ".\include\ap_config.h"\ + ".\include\ap_ctype.h"\ ".\include\buff.h"\ - ".\include\conf.h"\ ".\include\hsregex.h"\ ".\include\http_log.h"\ ".\include\httpd.h"\ 
@@ -473,9 +506,14 @@ ".\include\util_uri.h"\ ".\os\win32\os.h"\ ".\os\win32\readdir.h"\ + {$(INCLUDE)}"sys\stat.h"\ + {$(INCLUDE)}"sys\types.h"\ NODEP_CPP_ALLOC=\ - ".\include\hide.h"\ + ".\include\ap_config_auto.h"\ + ".\include\ebcdic.h"\ + ".\include\os.h"\ + ".\include\sfio.h"\ "$(INTDIR)\alloc.obj""$(INTDIR)\alloc.sbr" : $(SOURCE) $(DEP_CPP_ALLOC)\ @@ -492,8 +530,9 @@ DEP_CPP_BUFF_=\ ".\include\alloc.h"\ ".\include\ap.h"\ + ".\include\ap_config.h"\ + ".\include\ap_ctype.h"\ ".\include\buff.h"\ - ".\include\conf.h"\ ".\include\hsregex.h"\
cvs commit: apache-1.3/src/main http_protocol.c
ben 98/08/09 05:36:33 Modified:src/main http_protocol.c Log: Exchange completely non-standard C that doesn't work for most C compilers for somewhat non-standard call (alloca) that probably does. Revision ChangesPath 1.231 +2 -2 apache-1.3/src/main/http_protocol.c Index: http_protocol.c === RCS file: /export/home/cvs/apache-1.3/src/main/http_protocol.c,v retrieving revision 1.230 retrieving revision 1.231 diff -u -r1.230 -r1.231 --- http_protocol.c 1998/08/09 06:37:17 1.230 +++ http_protocol.c 1998/08/09 12:36:32 1.231 @@ -626,7 +626,7 @@ static int read_request_line(request_rec *r) { -char l[r->server->limit_req_line + 2]; +char *l=alloca(r->server->limit_req_line + 2); const char *ll = l, *uri; conn_rec *conn = r->connection; int major = 1, minor = 0; /* Assume HTTP/1.0 if non-"HTTP" protocol */ @@ -714,7 +714,7 @@ char *value, *copy; int len; unsigned int fields_read = 0; -char field[r->server->limit_req_fieldsize + 2]; +char *field=alloca(r->server->limit_req_fieldsize + 2); /* * Read header lines until we get the empty separator line, a read error,
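Review bot: Turning `char l[...]` and `char field[...]` into pointers changes what `sizeof(l)` and `sizeof(field)` mean in the rest of read_request_line and get_mime_headers, whose bodies lie outside these two hunks. Any `getline(l, sizeof(l), ...)` or `len >= sizeof(l) - 1` left there now measures a pointer, so the read would be limited to a few bytes and the too-large check would trip on nearly every request. Those uses should pass `r->server->limit_req_line + 2` (and the fieldsize equivalent) explicitly. Separately, `alloca` has no failure return and both sizes come from per-server configuration, so a large configured limit turns into a stack overrun rather than an allocation error; a pool allocation would avoid that.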
cvs commit: apache-1.3/src/modules/standard mod_digest.c
ben 98/08/09 05:34:18 Modified:src/modules/standard mod_digest.c Log: Improve logging. Revision ChangesPath 1.38 +4 -3 apache-1.3/src/modules/standard/mod_digest.c Index: mod_digest.c === RCS file: /export/home/cvs/apache-1.3/src/modules/standard/mod_digest.c,v retrieving revision 1.37 retrieving revision 1.38 diff -u -r1.37 -r1.38 --- mod_digest.c 1998/08/06 17:30:57 1.37 +++ mod_digest.c 1998/08/09 12:34:17 1.38 @@ -143,6 +143,7 @@ int s, vk = 0, vv = 0; const char *t; char *key, *value; +const char *scheme; if (!(t = ap_auth_type(r)) || strcasecmp(t, "Digest")) return DECLINED; @@ -158,10 +159,10 @@ return AUTH_REQUIRED; } -if (strcasecmp(ap_getword(r->pool, &auth_line, ' '), "Digest")) { +if (strcasecmp(scheme=ap_getword(r->pool, &auth_line, ' '), "Digest")) { /* Client tried to authenticate using wrong auth scheme */ - ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r, - "client used wrong authentication scheme: %s", r->uri); + ap_log_error(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server, + "client used wrong authentication scheme: %s for %s", scheme, r->uri); ap_note_digest_auth_failure(r); return AUTH_REQUIRED; }
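Review bot: The second hunk writes `scheme`, a token that `ap_getword` takes straight from the client-supplied `auth_line`, into the error log through `%s`, next to `r->uri`. Unless the logging layer escapes non-printable bytes, which is not visible here, a single failed request can put control characters into the error log, so the value should be escaped or at least length-bounded before it is logged. The call also changes from `ap_log_rerror(..., r, ...)` to `ap_log_error(..., r->server, ...)`, which drops the request record from an authentication-failure message, where an operator most needs any per-request context the logger can attach. I would keep the request-level call: `ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r, "client used wrong authentication scheme: %s for %s", scheme, r->uri);`. The enclosing function starts and ends outside the hunk.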
cvs commit: apache-1.3/src/main http_config.c http_protocol.c
fielding98/08/08 23:37:19 Modified:src CHANGES src/include http_config.h httpd.h src/main http_config.c http_protocol.c Log: Added default limits for various aspects of reading a client request to avoid some simple denial of service attacks, including limits on maximum request-line size, number of header fields, size of any one header field, and size of the request message body. Bumped MMN for addition of limit_req_line, limit_req_fields, limit_req_fieldsize and limit_req_body variables to server_rec. Revision ChangesPath 1.1012+6 -0 apache-1.3/src/CHANGES Index: CHANGES === RCS file: /home/cvs/apache-1.3/src/CHANGES,v retrieving revision 1.1011 retrieving revision 1.1012 diff -u -r1.1011 -r1.1012 --- CHANGES 1998/08/08 13:26:04 1.1011 +++ CHANGES 1998/08/09 06:37:12 1.1012 @@ -1,5 +1,11 @@ Changes with Apache 1.3.2 + *) SECURITY: Added default limits for various aspects of reading a + client request to avoid some simple denial of service attacks, + including limits on maximum request-line size, number of header + fields, size of any one header field, and size of the request + message body. [Roy Fielding] + *) Make status module aware of DNS and logging states, even if STATUS not defined. [Jim Jagielski] 1.92 +1 -1 apache-1.3/src/include/http_config.h Index: http_config.h === RCS file: /home/cvs/apache-1.3/src/include/http_config.h,v retrieving revision 1.91 retrieving revision 1.92 diff -u -r1.91 -r1.92 --- http_config.h 1998/08/06 17:30:23 1.91 +++ http_config.h 1998/08/09 06:37:15 1.92 
@@ -275,7 +275,7 @@ * handle it back-compatibly, or at least signal an error). */ -#define MODULE_MAGIC_NUMBER 19980806 +#define MODULE_MAGIC_NUMBER 19980808 #define STANDARD_MODULE_STUFF MODULE_MAGIC_NUMBER, -1, __FILE__, NULL, NULL /* Generic accessors for other modules to get at their own module-specific 1.231 +29 -2 apache-1.3/src/include/httpd.h Index: httpd.h === RCS file: /home/cvs/apache-1.3/src/include/httpd.h,v retrieving revision 1.230 retrieving revision 1.231 diff -u -r1.230 -r1.231 --- httpd.h 1998/08/06 19:13:52 1.230 +++ httpd.h 1998/08/09 06:37:16 1.231 
@@ -541,6 +541,28 @@ #define REQUEST_CHUNKED_DECHUNK 2 #define REQUEST_CHUNKED_PASS 3 +/* Limits on the size of various request items. These limits primarily + * exist to prevent simple denial-of-service attacks on a server based + * on misuse of the protocol. The recommended values will depend on the + * nature of the server resources -- CGI scripts and database backends + * might require large values, but most servers could get by with much + * smaller limits than we use below. These limits can be reset on a + * per-server basis using the LimitRequestLine, LimitRequestFields, + * LimitRequestFieldSize, and LimitRequestBody configuration directives. + */ +#ifndef DEFAULT_LIMIT_REQUEST_LINE +#define DEFAULT_LIMIT_REQUEST_LINE 8190 +#endif /* default limit on bytes in Request-Line (Method+URI+HTTP-version) */ +#ifndef DEFAULT_LIMIT_REQUEST_FIELDS +#define DEFAULT_LIMIT_REQUEST_FIELDS 100 +#endif /* default limit on number of header fields */ +#ifndef DEFAULT_LIMIT_REQUEST_FIELDSIZE +#define DEFAULT_LIMIT_REQUEST_FIELDSIZE 8190 +#endif /* default limit on bytes in any one field */ +#ifndef DEFAULT_LIMIT_REQUEST_BODY +#define DEFAULT_LIMIT_REQUEST_BODY 33554432ul +#endif /* default limit on bytes in request body */ + /* Things which may vary per file-lookup WITHIN a request --- * e.g., state of MIME config. Basically, the name of an object, info * about the object, and any other info we may ahve which may need to 
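Review bot: The comment block above `DEFAULT_LIMIT_REQUEST_LINE` does not say whether the line and field limits count the line terminator or the trailing NUL, and the 8190 defaults look as if they were chosen so that a caller can add a couple of bytes and land on 8192. I would state the unit in the comment, for example `/* Line and field limits count the bytes of the line itself; code that reads into a buffer must add room for the terminator. */`, or fold the overhead into the defaults so callers never adjust them. Because each default sits inside `#ifndef`, a build can override it with any value, and nothing in this hunk checks an override for zero or for a value too large for the variable it is assigned to.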
@@ -821,9 +843,14 @@ array_header *names; /* Normal names for ServerAlias servers */ array_header *wild_names;/* Wildcarded names for ServerAlias servers */ + +uid_t server_uid;/* effective user id when calling exec wrapper */ +gid_t server_gid;/* effective group id when calling exec wrapper */ -uid_t server_uid;/* effective user id when calling exec wrapper */ -gid_t server_gid;/* effective group id when calling exec wrapper */ +unsigned int limit_req_line; /* limit on bytes in Request-Line */ +unsigned int limit_req_fields;/* limit on number of header fields */ +unsigned long limit_req_fieldsize; /* limit on bytes in any one field */ +unsigned long limit_req_body; /* limit on bytes in request body */ }; /* These a