cvs commit: apache-1.3/src/modules/standard mod_digest.c

1998-08-09 Thread marc
marc98/08/09 14:03:25

  Modified:src/modules/standard mod_digest.c
  Log:
  Wrap line properly for 80 cols.
  
  Revision  ChangesPath
  1.39  +2 -1  apache-1.3/src/modules/standard/mod_digest.c
  
  Index: mod_digest.c
  ===
  RCS file: /export/home/cvs/apache-1.3/src/modules/standard/mod_digest.c,v
  retrieving revision 1.38
  retrieving revision 1.39
  diff -u -r1.38 -r1.39
  --- mod_digest.c  1998/08/09 12:34:17 1.38
  +++ mod_digest.c  1998/08/09 21:03:25 1.39
  @@ -162,7 +162,8 @@
   if (strcasecmp(scheme=ap_getword(r->pool, &auth_line, ' '), "Digest")) {
/* Client tried to authenticate using wrong auth scheme */
ap_log_error(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
  - "client used wrong authentication scheme: %s for %s", 
scheme, r->uri);
  + "client used wrong authentication scheme: %s for %s", 
  + scheme, r->uri);
ap_note_digest_auth_failure(r);
return AUTH_REQUIRED;
   }
  
  
  


cvs commit: apache-1.3/src/modules/proxy proxy_http.c proxy_util.c

1998-08-09 Thread dgaudet
dgaudet 98/08/09 10:39:36

  Modified:src/modules/proxy proxy_http.c proxy_util.c
  Log:
  more comments
  
  Revision  ChangesPath
  1.56  +2 -0  apache-1.3/src/modules/proxy/proxy_http.c
  
  Index: proxy_http.c
  ===
  RCS file: /export/home/cvs/apache-1.3/src/modules/proxy/proxy_http.c,v
  retrieving revision 1.55
  retrieving revision 1.56
  diff -u -r1.55 -r1.56
  --- proxy_http.c  1998/08/09 17:36:27 1.55
  +++ proxy_http.c  1998/08/09 17:39:25 1.56
  @@ -427,6 +427,8 @@
ap_rvputs(r, hdr[i].field, ": ", hdr[i].value, CRLF, NULL);
/* XXX: can't this be ap_table_setn? -djg */
ap_table_set(r->headers_out, hdr[i].field, hdr[i].value);
  + /* XXX: regardless, there's an O(n^2) attack here, which
  +  * could be fixed with ap_overlap_tables */
}
if (cache != NULL)
if (ap_bvputs(cache, hdr[i].field, ": ", hdr[i].value, CRLF,
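Review bot: The added XXX comment does not say what n is or who controls it. In this loop n appears to be the number of header fields in the upstream response (`hdr[i]`), so the cost would be driven by the origin server rather than by the requesting client, and nothing visible in the hunk caps that count. I would spell that out, e.g. `/* XXX: O(n^2) in the number of response header fields sent by the origin; could be fixed with ap_overlap_tables */`. The same applies to the comment added in the proxy_util.c hunk of this commit. The enclosing loop starts outside the hunk.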
  
  
  
  1.68  +1 -0  apache-1.3/src/modules/proxy/proxy_util.c
  
  Index: proxy_util.c
  ===
  RCS file: /export/home/cvs/apache-1.3/src/modules/proxy/proxy_util.c,v
  retrieving revision 1.67
  retrieving revision 1.68
  diff -u -r1.67 -r1.68
  --- proxy_util.c  1998/08/09 17:36:28 1.67
  +++ proxy_util.c  1998/08/09 17:39:25 1.68
  @@ -643,6 +643,7 @@
ap_bvputs(fp, hdrs[i].field, ": ", hdrs[i].value, CRLF, NULL);
/* XXX: can't this be ap_table_setn? -djg */
ap_table_set(r->headers_out, hdrs[i].field, hdrs[i].value);
  + /* XXX: another O(n^2) attack, fixed by ap_overlap_tables */
   }
   
   ap_bputs(CRLF, fp);
  
  
  


cvs commit: apache-1.3/src/modules/standard mod_cern_meta.c mod_include.c

1998-08-09 Thread dgaudet
dgaudet 98/08/09 10:36:30

  Modified:src/include alloc.h
   src/main http_protocol.c util_script.c
   src/modules/proxy proxy_http.c proxy_util.c
   src/modules/standard mod_cern_meta.c mod_include.c
  Log:
  Just some comments.  Including a proposed ap_overlap_tables function which
  generalizes my new code in get_mime_headers().
  
  Revision  ChangesPath
  1.62  +24 -0 apache-1.3/src/include/alloc.h
  
  Index: alloc.h
  ===
  RCS file: /export/home/cvs/apache-1.3/src/include/alloc.h,v
  retrieving revision 1.61
  retrieving revision 1.62
  diff -u -r1.61 -r1.62
  --- alloc.h   1998/06/27 18:09:28 1.61
  +++ alloc.h   1998/08/09 17:36:24 1.62
  @@ -192,6 +192,30 @@
   
   API_EXPORT(table *) ap_overlay_tables(pool *p, const table *overlay, const 
table *base);
   
  +/* Conceptually, ap_overlap_tables does this:
  +
  +array_header *barr = ap_table_elts(b);
  +table_entry *belt = (table_entry *)barr->elts;
  +int i;
  +
  +for (i = 0; i < barr->nelts; ++i) {
  + if (merge) {
  + ap_table_mergen(a, belt[i].key, belt[i].val);
  + }
  + else {
  + ap_table_setn(a, belt[i].key, belt[i].val);
  + }
  +}
  +
  +Except that it is more efficient (less space and cpu-time) especially
  +when b has many elements.
  +
  +Notice the assumptions on the keys and values in b -- they must be
  +in an ancestor of a's pool.  In practice b and a are usually from
  +the same pool.
  +*/
  +API_EXPORT(void) ap_overlap_tables(table *a, const table *b, int merge);
  +
   /* XXX: these know about the definition of struct table in alloc.c.  That
* definition is not here because it is supposed to be private, and by not
* placing it here we are able to get compile-time diagnostics from modules
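Review bot: The comment states the pool requirement on b's keys and values but not what happens when it is violated. The sketch uses `ap_table_setn`/`ap_table_mergen`, which presumably store the pointers without copying, so a caller passing a table from a shorter-lived pool would leave `a` holding dangling pointers once that pool is destroyed. I would add a line such as `/* b's keys and values are not copied; if b's pool can be destroyed before a's, copy them into a's pool first */`. The commit log calls the function "proposed", so if no definition is committed with this prototype, a module that calls it fails only at link time; the header should say it is not implemented yet.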
  
  
  
  1.235 +1 -0  apache-1.3/src/main/http_protocol.c
  
  Index: http_protocol.c
  ===
  RCS file: /export/home/cvs/apache-1.3/src/main/http_protocol.c,v
  retrieving revision 1.234
  retrieving revision 1.235
  diff -u -r1.234 -r1.235
  --- http_protocol.c   1998/08/09 16:57:29 1.234
  +++ http_protocol.c   1998/08/09 17:36:26 1.235
  @@ -739,6 +739,7 @@
   return (signed)a->order - (signed)b->order;
   }
   
  +/* XXX: could use ap_overlap_tables here... which generalizes this code */
   static void get_mime_headers(request_rec *r)
   {
   conn_rec *c = r->connection;
  
  
  
  1.128 +2 -0  apache-1.3/src/main/util_script.c
  
  Index: util_script.c
  ===
  RCS file: /export/home/cvs/apache-1.3/src/main/util_script.c,v
  retrieving revision 1.127
  retrieving revision 1.128
  diff -u -r1.127 -r1.128
  --- util_script.c 1998/08/06 18:58:21 1.127
  +++ util_script.c 1998/08/09 17:36:26 1.128
  @@ -188,6 +188,7 @@
   return env;
   }
   
  +/* XXX: this could use ap_overlap_tables */
   API_EXPORT(void) ap_add_common_vars(request_rec *r)
   {
   table *e = r->subprocess_env;
  @@ -546,6 +547,7 @@
ap_table_add(r->err_headers_out, w, l);
}
else {
  + /* XXX: there is an O(n^2) space attack possible here */
ap_table_merge(r->err_headers_out, w, l);
}
   }
  
  
  
  1.55  +1 -0  apache-1.3/src/modules/proxy/proxy_http.c
  
  Index: proxy_http.c
  ===
  RCS file: /export/home/cvs/apache-1.3/src/modules/proxy/proxy_http.c,v
  retrieving revision 1.54
  retrieving revision 1.55
  diff -u -r1.54 -r1.55
  --- proxy_http.c  1998/08/06 17:30:43 1.54
  +++ proxy_http.c  1998/08/09 17:36:27 1.55
  @@ -425,6 +425,7 @@
continue;
if (!r->assbackwards) {
ap_rvputs(r, hdr[i].field, ": ", hdr[i].value, CRLF, NULL);
  + /* XXX: can't this be ap_table_setn? -djg */
ap_table_set(r->headers_out, hdr[i].field, hdr[i].value);
}
if (cache != NULL)
  
  
  
  1.67  +1 -0  apache-1.3/src/modules/proxy/proxy_util.c
  
  Index: proxy_util.c
  ===
  RCS file: /export/home/cvs/apache-1.3/src/modules/proxy/proxy_util.c,v
  retrieving revision 1.66
  retrieving revision 1.67
  diff -u -r1.66 -r1.67
  --- proxy_util.c  1998/08/06 17:30:44 1.66
  +++ proxy_util.c  1998/08/09 17:36:28 1.67
  @@ -641,6 +641,7 @@
if (hdrs[i].field == NULL)
continue;
ap_bvputs(fp, hdrs[i].field, ": ", hdrs[i].value, CRLF, NULL);
  + /* XXX: can't this be ap_table_setn? -djg */
ap_table_set(r->headers_out, hdrs[i].field, hdrs[i].value);
   }
   
  
  
  
  1.34  +1 -0  apache-1.3/src/modules/standard/mod_cern_meta.c
  
  Index: mod_cern_meta.c
  ==

cvs commit: apache-1.3/src/main http_protocol.c

1998-08-09 Thread dgaudet
dgaudet 98/08/09 09:57:29

  Modified:src/include httpd.h
   src/main http_protocol.c
  Log:
  Include everything in the limits, rather than having to remember to
  add 2 to some of them... which leads to off-by-1 errors like one I just
  committed.  (I don't understand what the + 2 was all about.  It doesn't
  fit \r\n\0...)
  
  Revision  ChangesPath
  1.232 +2 -2  apache-1.3/src/include/httpd.h
  
  Index: httpd.h
  ===
  RCS file: /export/home/cvs/apache-1.3/src/include/httpd.h,v
  retrieving revision 1.231
  retrieving revision 1.232
  diff -u -r1.231 -r1.232
  --- httpd.h   1998/08/09 06:37:16 1.231
  +++ httpd.h   1998/08/09 16:57:28 1.232
  @@ -551,13 +551,13 @@
* LimitRequestFieldSize, and LimitRequestBody configuration directives.
*/
   #ifndef DEFAULT_LIMIT_REQUEST_LINE
  -#define DEFAULT_LIMIT_REQUEST_LINE 8190
  +#define DEFAULT_LIMIT_REQUEST_LINE 8192
   #endif /* default limit on bytes in Request-Line (Method+URI+HTTP-version) */
   #ifndef DEFAULT_LIMIT_REQUEST_FIELDS
   #define DEFAULT_LIMIT_REQUEST_FIELDS 100
   #endif /* default limit on number of header fields */
   #ifndef DEFAULT_LIMIT_REQUEST_FIELDSIZE
  -#define DEFAULT_LIMIT_REQUEST_FIELDSIZE 8190
  +#define DEFAULT_LIMIT_REQUEST_FIELDSIZE 8192
   #endif /* default limit on bytes in any one field  */
   #ifndef DEFAULT_LIMIT_REQUEST_BODY
   #define DEFAULT_LIMIT_REQUEST_BODY 33554432ul
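Review bot: The trailing comments on DEFAULT_LIMIT_REQUEST_LINE and DEFAULT_LIMIT_REQUEST_FIELDSIZE still describe a limit on the bytes of the request line or field. After this commit the values appear to be used directly as buffer sizes, going by the log message and the http_protocol.c hunks. The number an administrator configures would then include the line terminator and trailing NUL, and the next person touching a getline() caller has no statement of which convention holds. I would reword them, e.g. `/* default limit on bytes in Request-Line, including line terminator and trailing NUL */`, and likewise for the field size.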
  
  
  
  1.234 +5 -5  apache-1.3/src/main/http_protocol.c
  
  Index: http_protocol.c
  ===
  RCS file: /export/home/cvs/apache-1.3/src/main/http_protocol.c,v
  retrieving revision 1.233
  retrieving revision 1.234
  diff -u -r1.233 -r1.234
  --- http_protocol.c   1998/08/09 16:52:31 1.233
  +++ http_protocol.c   1998/08/09 16:57:29 1.234
  @@ -635,7 +635,7 @@
   pool *tmp;
   
   tmp = ap_make_sub_pool(r->pool);
  -l = ap_palloc(tmp, r->server->limit_req_line + 2);
  +l = ap_palloc(tmp, r->server->limit_req_line);
   ll = l;
   
   /* Read past empty lines until we get a real request line,
  @@ -653,7 +653,7 @@
* have to block during a read.
*/
   ap_bsetflag(conn->client, B_SAFEREAD, 1);
  -while ((len = getline(l, r->server->limit_req_line + 2, conn->client, 
0)) <= 0) {
  +while ((len = getline(l, r->server->limit_req_line, conn->client, 0)) <= 
0) {
   if ((len < 0) || ap_bgetflag(conn->client, B_EOF)) {
   ap_bsetflag(conn->client, B_SAFEREAD, 0);
ap_destroy_pool(tmp);
  @@ -764,7 +764,7 @@
   arr = ap_make_array(tmp, 50, sizeof(mime_key));
   order = 0;
   
  -field = ap_palloc(tmp, r->server->limit_req_fieldsize + 2);
  +field = ap_palloc(tmp, r->server->limit_req_fieldsize);
   
   /* If headers_in is non-empty (i.e. we're parsing a trailer) then
* we have to merge.  Have I mentioned that I think this is a lame part
  @@ -794,7 +794,7 @@
* Read header lines until we get the empty separator line, a read error,
* the connection closes (EOF), reach the server limit, or we timeout.
*/
  -while ((len = getline(field, r->server->limit_req_fieldsize + 2,
  +while ((len = getline(field, r->server->limit_req_fieldsize,
c->client, 1)) > 0) {
   
   if (++fields_read > r->server->limit_req_fields) {
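Review bot: The size passed to getline() here and the overflow test changed in the @@ -804 hunk may no longer allow that test to fire, if getline() stores at most size-1 bytes before the terminating NUL (its body is not on this page). In that case the largest len it can return is limit_req_fieldsize - 1, so `len >= r->server->limit_req_fieldsize` is never true: an over-long field is truncated instead of rejected with 400, and the rest of that line is read as the next header field. Either compare against the largest value getline() can return, `if (len >= r->server->limit_req_fieldsize - 1) {`, or keep one spare byte in the buffer so a full buffer can be told apart from a line that fits. limit_req_fieldsize is declared `unsigned long` elsewhere on this page, so it may also be narrowed if getline() takes an int size.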
  @@ -804,7 +804,7 @@
ap_destroy_pool(tmp);
   return;
   }
  -if (len >= r->server->limit_req_fieldsize + 1) { 
  +if (len >= r->server->limit_req_fieldsize) { 
   r->status = HTTP_BAD_REQUEST;
   ap_table_setn(r->notes, "error-notes", ap_pstrcat(r->pool,
   "Size of a request header field exceeds server limit.\n"
  
  
  


cvs commit: apache-1.3/src/main http_protocol.c

1998-08-09 Thread dgaudet
dgaudet 98/08/09 09:52:32

  Modified:src  CHANGES
   src/main http_protocol.c
  Log:
  - fix ben's fix to roy's patch (sizeof(l) and sizeof(field) are meaningless)
  - put my qsort fix to get_mime_headers into the repository so I don't have
  to worry about someone else screwing around in the same routine.
  
  Revision  ChangesPath
  1.1013+3 -0  apache-1.3/src/CHANGES
  
  Index: CHANGES
  ===
  RCS file: /export/home/cvs/apache-1.3/src/CHANGES,v
  retrieving revision 1.1012
  retrieving revision 1.1013
  diff -u -r1.1012 -r1.1013
  --- CHANGES   1998/08/09 06:37:12 1.1012
  +++ CHANGES   1998/08/09 16:52:29 1.1013
  @@ -1,5 +1,8 @@
   Changes with Apache 1.3.2
   
  +  *) SECURITY: Eliminate O(n^2) space DoS attacks (and other O(n^2)
  + cpu time attacks) in header parsing.  [Dean Gaudet]
  +
 *) SECURITY: Added default limits for various aspects of reading a
client request to avoid some simple denial of service attacks,
including limits on maximum request-line size, number of header
  
  
  
  1.233 +139 -9apache-1.3/src/main/http_protocol.c
  
  Index: http_protocol.c
  ===
  RCS file: /export/home/cvs/apache-1.3/src/main/http_protocol.c,v
  retrieving revision 1.232
  retrieving revision 1.233
  diff -u -r1.232 -r1.233
  --- http_protocol.c   1998/08/09 14:33:11 1.232
  +++ http_protocol.c   1998/08/09 16:52:31 1.233
  @@ -626,12 +626,18 @@
   
   static int read_request_line(request_rec *r)
   {
  -char *l=alloca(r->server->limit_req_line + 2);
  -const char *ll = l, *uri;
  +char *l;
  +const char *ll;
  +const char *uri;
   conn_rec *conn = r->connection;
   int major = 1, minor = 0;   /* Assume HTTP/1.0 if non-"HTTP" protocol */
   int len;
  +pool *tmp;
   
  +tmp = ap_make_sub_pool(r->pool);
  +l = ap_palloc(tmp, r->server->limit_req_line + 2);
  +ll = l;
  +
   /* Read past empty lines until we get a real request line,
* a read error, the connection closes (EOF), or we timeout.
*
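Review bot: Nothing at the allocation tells the reader that `l` now dies with `tmp` before read_request_line returns. `ll` and whatever is parsed out of the line further down point into that buffer, so any value that has to survive into the request must be copied into `r->pool` first, as the later hunk does for `r->protocol` with `ap_pstrdup(r->pool, ...)`. I would add `/* l lives in tmp, which is destroyed on every return path; copy anything stored in r into r->pool */` above the `ap_palloc` call. The code between the hunks is not visible, so I could not confirm that every return path calls `ap_destroy_pool(tmp)` or that no pointer into `l` is kept in `r`.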
  @@ -647,9 +653,10 @@
* have to block during a read.
*/
   ap_bsetflag(conn->client, B_SAFEREAD, 1);
  -while ((len = getline(l, sizeof(l), conn->client, 0)) <= 0) {
  +while ((len = getline(l, r->server->limit_req_line + 2, conn->client, 
0)) <= 0) {
   if ((len < 0) || ap_bgetflag(conn->client, B_EOF)) {
   ap_bsetflag(conn->client, B_SAFEREAD, 0);
  + ap_destroy_pool(tmp);
   return 0;
   }
   }
  @@ -689,10 +696,11 @@
   
   ap_parse_uri(r, uri);
   
  -if (len >= sizeof(l) - 1) {
  +if (len >= r->server->limit_req_line - 1) {
   r->status= HTTP_REQUEST_URI_TOO_LARGE;
   r->proto_num = HTTP_VERSION(1,0);
   r->protocol  = ap_pstrdup(r->pool, "HTTP/1.0");
  + ap_destroy_pool(tmp);
   return 0;
   }
   
  @@ -705,34 +713,103 @@
   else
r->proto_num = HTTP_VERSION(1,0);
   
  +ap_destroy_pool(tmp);
   return 1;
   }
   
  +/* Curse libc and the fact that it doesn't guarantee a stable sort.  We
  + * have to enforce stability ourselves by using the order field. -djg
  + */
  +typedef struct {
  +char *key;
  +char *val;
  +unsigned order;
  +} mime_key;
  +
  +static int sort_mime_headers(const void *va, const void *vb)
  +{
  +const mime_key *a = va;
  +const mime_key *b = vb;
  +int r;
  +
  +r = strcasecmp(a->key, b->key);
  +if (r) {
  + return r;
  +}
  +return (signed)a->order - (signed)b->order;
  +}
  +
   static void get_mime_headers(request_rec *r)
   {
   conn_rec *c = r->connection;
  -char *value, *copy;
  +char *copy;
   int len;
  +char *value;
   unsigned int fields_read = 0;
  -char *field=alloca(r->server->limit_req_fieldsize + 2);
  +char *field;
  +array_header *arr;
  +pool *tmp;
  +mime_key *new_key;
  +unsigned order;
  +mime_key *first;
  +mime_key *last;
  +mime_key *end;
  +char *strp;
  +
  +/* The array will store the headers in a way that we can merge them
  + * later in O(n*lg(n))... rather than deal with various O(n^2)
  + * operations.
  + */
  +tmp = ap_make_sub_pool(r->pool);
  +arr = ap_make_array(tmp, 50, sizeof(mime_key));
  +order = 0;
  +
  +field = ap_palloc(tmp, r->server->limit_req_fieldsize + 2);
  +
  +/* If headers_in is non-empty (i.e. we're parsing a trailer) then
  + * we have to merge.  Have I mentioned that I think this is a lame part
  + * of the HTTP standard?  Anyhow, we'll cheat, and just pre-seed our
  + * array with the existing headers... and take advantage of the much
  + * faster merging here. -djg
  + */
  +if (!ap_is_empty_table(r->headers_in)) {
  + array_hea

cvs commit: apache-1.3/src/modules/proxy ApacheModuleProxy.mak

1998-08-09 Thread ben
ben 98/08/09 07:33:13

  Modified:src  ApacheCore.mak
   src/include http_protocol.h http_request.h
   src/main http_protocol.c http_request.c
   src/modules/proxy ApacheModuleProxy.mak
  Log:
  Make mod_proxy compile on Win32.
  
  Revision  ChangesPath
  1.39  +467 -277  apache-1.3/src/ApacheCore.mak
  
  Index: ApacheCore.mak
  ===
  RCS file: /export/home/cvs/apache-1.3/src/ApacheCore.mak,v
  retrieving revision 1.38
  retrieving revision 1.39
  diff -u -r1.38 -r1.39
  --- ApacheCore.mak1998/08/05 22:15:02 1.38
  +++ ApacheCore.mak1998/08/09 14:33:09 1.39
  @@ -28,10 +28,6 @@
   NULL=nul
   !ENDIF 
   
  -CPP=cl.exe
  -MTL=midl.exe
  -RSC=rc.exe
  -
   !IF  "$(CFG)" == "ApacheCore - Win32 Release"
   
   OUTDIR=.\CoreR
  @@ -101,12 +97,46 @@
   "$(OUTDIR)" :
   if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
   
  +CPP=cl.exe
   CPP_PROJ=/nologo /MD /W3 /GX /O2 /I ".\include" /D "WIN32" /D "NDEBUG" /D\
"_WINDOWS" /Fp"$(INTDIR)\ApacheCore.pch" /YX /Fo"$(INTDIR)\\" 
/Fd"$(INTDIR)\\"\
/FD /c 
   CPP_OBJS=.\CoreR/
   CPP_SBRS=.
  +
  +.c{$(CPP_OBJS)}.obj::
  +   $(CPP) @<<
  +   $(CPP_PROJ) $< 
  +<<
  +
  +.cpp{$(CPP_OBJS)}.obj::
  +   $(CPP) @<<
  +   $(CPP_PROJ) $< 
  +<<
  +
  +.cxx{$(CPP_OBJS)}.obj::
  +   $(CPP) @<<
  +   $(CPP_PROJ) $< 
  +<<
  +
  +.c{$(CPP_SBRS)}.sbr::
  +   $(CPP) @<<
  +   $(CPP_PROJ) $< 
  +<<
  +
  +.cpp{$(CPP_SBRS)}.sbr::
  +   $(CPP) @<<
  +   $(CPP_PROJ) $< 
  +<<
  +
  +.cxx{$(CPP_SBRS)}.sbr::
  +   $(CPP) @<<
  +   $(CPP_PROJ) $< 
  +<<
  +
  +MTL=midl.exe
   MTL_PROJ=/nologo /D "NDEBUG" /mktyplib203 /win32 
  +RSC=rc.exe
   BSC32=bscmake.exe
   BSC32_FLAGS=/nologo /o"$(OUTDIR)\ApacheCore.bsc" 
   BSC32_SBRS= \
  @@ -284,12 +314,46 @@
   "$(OUTDIR)" :
   if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
   
  +CPP=cl.exe
   CPP_PROJ=/nologo /MDd /W3 /Gm /GX /Zi /Od /I ".\include" /D "WIN32" /D 
"_DEBUG"\
/D "_WINDOWS" /FR"$(INTDIR)\\" /Fp"$(INTDIR)\ApacheCore.pch" /YX\
/Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
   CPP_OBJS=.\CoreD/
   CPP_SBRS=.\CoreD/
  +
  +.c{$(CPP_OBJS)}.obj::
  +   $(CPP) @<<
  +   $(CPP_PROJ) $< 
  +<<
  +
  +.cpp{$(CPP_OBJS)}.obj::
  +   $(CPP) @<<
  +   $(CPP_PROJ) $< 
  +<<
  +
  +.cxx{$(CPP_OBJS)}.obj::
  +   $(CPP) @<<
  +   $(CPP_PROJ) $< 
  +<<
  +
  +.c{$(CPP_SBRS)}.sbr::
  +   $(CPP) @<<
  +   $(CPP_PROJ) $< 
  +<<
  +
  +.cpp{$(CPP_SBRS)}.sbr::
  +   $(CPP) @<<
  +   $(CPP_PROJ) $< 
  +<<
  +
  +.cxx{$(CPP_SBRS)}.sbr::
  +   $(CPP) @<<
  +   $(CPP_PROJ) $< 
  +<<
  +
  +MTL=midl.exe
   MTL_PROJ=/nologo /D "_DEBUG" /mktyplib203 /win32 
  +RSC=rc.exe
   BSC32=bscmake.exe
   BSC32_FLAGS=/nologo /o"$(OUTDIR)\ApacheCore.bsc" 
   BSC32_SBRS= \
  @@ -401,36 +465,6 @@
   
   !ENDIF 
   
  -.c{$(CPP_OBJS)}.obj::
  -   $(CPP) @<<
  -   $(CPP_PROJ) $< 
  -<<
  -
  -.cpp{$(CPP_OBJS)}.obj::
  -   $(CPP) @<<
  -   $(CPP_PROJ) $< 
  -<<
  -
  -.cxx{$(CPP_OBJS)}.obj::
  -   $(CPP) @<<
  -   $(CPP_PROJ) $< 
  -<<
  -
  -.c{$(CPP_SBRS)}.sbr::
  -   $(CPP) @<<
  -   $(CPP_PROJ) $< 
  -<<
  -
  -.cpp{$(CPP_SBRS)}.sbr::
  -   $(CPP) @<<
  -   $(CPP_PROJ) $< 
  -<<
  -
  -.cxx{$(CPP_SBRS)}.sbr::
  -   $(CPP) @<<
  -   $(CPP_PROJ) $< 
  -<<
  -
   
   !IF "$(CFG)" == "ApacheCore - Win32 Release" || "$(CFG)" ==\
"ApacheCore - Win32 Debug"
  @@ -441,8 +475,9 @@
   DEP_CPP_ALLOC=\
".\include\alloc.h"\
".\include\ap.h"\
  + ".\include\ap_config.h"\
  + ".\include\ap_ctype.h"\
".\include\buff.h"\
  - ".\include\conf.h"\
".\include\hsregex.h"\
".\include\http_log.h"\
".\include\httpd.h"\
  @@ -451,9 +486,6 @@
".\os\win32\os.h"\
".\os\win32\readdir.h"\

  -NODEP_CPP_ALLOC=\
  - ".\include\apctype.h"\
  - 
   
   "$(INTDIR)\alloc.obj" : $(SOURCE) $(DEP_CPP_ALLOC) "$(INTDIR)"
$(CPP) $(CPP_PROJ) $(SOURCE)
  @@ -464,8 +496,9 @@
   DEP_CPP_ALLOC=\
".\include\alloc.h"\
".\include\ap.h"\
  + ".\include\ap_config.h"\
  + ".\include\ap_ctype.h"\
".\include\buff.h"\
  - ".\include\conf.h"\
".\include\hsregex.h"\
".\include\http_log.h"\
".\include\httpd.h"\
  @@ -473,9 +506,14 @@
".\include\util_uri.h"\
".\os\win32\os.h"\
".\os\win32\readdir.h"\
  + {$(INCLUDE)}"sys\stat.h"\
  + {$(INCLUDE)}"sys\types.h"\

   NODEP_CPP_ALLOC=\
  - ".\include\hide.h"\
  + ".\include\ap_config_auto.h"\
  + ".\include\ebcdic.h"\
  + ".\include\os.h"\
  + ".\include\sfio.h"\

   
   "$(INTDIR)\alloc.obj""$(INTDIR)\alloc.sbr" : $(SOURCE) 
$(DEP_CPP_ALLOC)\
  @@ -492,8 +530,9 @@
   DEP_CPP_BUFF_=\
".\include\alloc.h"\
".\include\ap.h"\
  + ".\include\ap_config.h"\
  + ".\include\ap_ctype.h"\
".\include\buff.h"\
  - ".\include\conf.h"\
".\include\hsregex.h"\
  

cvs commit: apache-1.3/src/main http_protocol.c

1998-08-09 Thread ben
ben 98/08/09 05:36:33

  Modified:src/main http_protocol.c
  Log:
  Exchange completely non-standard C that doesn't work for most C compilers for
  somewhat non-standard call (alloca) that probably does.
  
  Revision  ChangesPath
  1.231 +2 -2  apache-1.3/src/main/http_protocol.c
  
  Index: http_protocol.c
  ===
  RCS file: /export/home/cvs/apache-1.3/src/main/http_protocol.c,v
  retrieving revision 1.230
  retrieving revision 1.231
  diff -u -r1.230 -r1.231
  --- http_protocol.c   1998/08/09 06:37:17 1.230
  +++ http_protocol.c   1998/08/09 12:36:32 1.231
  @@ -626,7 +626,7 @@
   
   static int read_request_line(request_rec *r)
   {
  -char l[r->server->limit_req_line + 2];
  +char *l=alloca(r->server->limit_req_line + 2);
   const char *ll = l, *uri;
   conn_rec *conn = r->connection;
   int major = 1, minor = 0;   /* Assume HTTP/1.0 if non-"HTTP" protocol */
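Review bot: After this change `l` is a pointer, so any `sizeof(l)` left in read_request_line yields the pointer size rather than the buffer size. The next revision's diff on this page shows such uses, `getline(l, sizeof(l), conn->client, 0)` and `len >= sizeof(l) - 1`, which would cap the request line at a few bytes; they need to use `r->server->limit_req_line` instead. The same applies to `field` in the second hunk. alloca() also has no failure return, so a large configured limit goes straight onto the stack, which a pool allocation would avoid. The function body continues outside the hunk.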
  @@ -714,7 +714,7 @@
   char *value, *copy;
   int len;
   unsigned int fields_read = 0;
  -char field[r->server->limit_req_fieldsize + 2];
  +char *field=alloca(r->server->limit_req_fieldsize + 2);
   
   /*
* Read header lines until we get the empty separator line, a read error,
  
  
  


cvs commit: apache-1.3/src/modules/standard mod_digest.c

1998-08-09 Thread ben
ben 98/08/09 05:34:18

  Modified:src/modules/standard mod_digest.c
  Log:
  Improve logging.
  
  Revision  ChangesPath
  1.38  +4 -3  apache-1.3/src/modules/standard/mod_digest.c
  
  Index: mod_digest.c
  ===
  RCS file: /export/home/cvs/apache-1.3/src/modules/standard/mod_digest.c,v
  retrieving revision 1.37
  retrieving revision 1.38
  diff -u -r1.37 -r1.38
  --- mod_digest.c  1998/08/06 17:30:57 1.37
  +++ mod_digest.c  1998/08/09 12:34:17 1.38
  @@ -143,6 +143,7 @@
   int s, vk = 0, vv = 0;
   const char *t;
   char *key, *value;
  +const char *scheme;
   
   if (!(t = ap_auth_type(r)) || strcasecmp(t, "Digest"))
return DECLINED;
  @@ -158,10 +159,10 @@
return AUTH_REQUIRED;
   }
   
  -if (strcasecmp(ap_getword(r->pool, &auth_line, ' '), "Digest")) {
  +if (strcasecmp(scheme=ap_getword(r->pool, &auth_line, ' '), "Digest")) {
/* Client tried to authenticate using wrong auth scheme */
  - ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r,
  - "client used wrong authentication scheme: %s", r->uri);
  + ap_log_error(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server,
  + "client used wrong authentication scheme: %s for %s", 
scheme, r->uri);
ap_note_digest_auth_failure(r);
return AUTH_REQUIRED;
   }
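Review bot: `scheme` is taken straight from the client's Authorization header and written to the error log with a bare `%s`. Control characters or terminal escape sequences in that token would reach the log unmodified unless the logging layer filters them, and its length is bounded only by the header field limit. I would at least bound it, e.g. `"client used wrong authentication scheme: %.32s for %s"`, and replace non-printable bytes before logging. Assigning `scheme` inside the `strcasecmp()` argument also hides the side effect; a separate `scheme = ap_getword(r->pool, &auth_line, ' ');` line before the `if` reads better.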
  
  
  


cvs commit: apache-1.3/src/main http_config.c http_protocol.c

1998-08-09 Thread fielding
fielding98/08/08 23:37:19

  Modified:src  CHANGES
   src/include http_config.h httpd.h
   src/main http_config.c http_protocol.c
  Log:
  Added default limits for various aspects of reading a
  client request to avoid some simple denial of service attacks,
  including limits on maximum request-line size, number of header
  fields, size of any one header field, and size of the request
  message body.
  
  Bumped MMN for addition of limit_req_line, limit_req_fields,
  limit_req_fieldsize and limit_req_body variables to server_rec.
  
  Revision  ChangesPath
  1.1012+6 -0  apache-1.3/src/CHANGES
  
  Index: CHANGES
  ===
  RCS file: /home/cvs/apache-1.3/src/CHANGES,v
  retrieving revision 1.1011
  retrieving revision 1.1012
  diff -u -r1.1011 -r1.1012
  --- CHANGES   1998/08/08 13:26:04 1.1011
  +++ CHANGES   1998/08/09 06:37:12 1.1012
  @@ -1,5 +1,11 @@
   Changes with Apache 1.3.2
   
  +  *) SECURITY: Added default limits for various aspects of reading a
  + client request to avoid some simple denial of service attacks,
  + including limits on maximum request-line size, number of header
  + fields, size of any one header field, and size of the request
  + message body.  [Roy Fielding]
  +
 *) Make status module aware of DNS and logging states, even if
STATUS not defined.  [Jim Jagielski]
   
  
  
  
  1.92  +1 -1  apache-1.3/src/include/http_config.h
  
  Index: http_config.h
  ===
  RCS file: /home/cvs/apache-1.3/src/include/http_config.h,v
  retrieving revision 1.91
  retrieving revision 1.92
  diff -u -r1.91 -r1.92
  --- http_config.h 1998/08/06 17:30:23 1.91
  +++ http_config.h 1998/08/09 06:37:15 1.92
  @@ -275,7 +275,7 @@
* handle it back-compatibly, or at least signal an error).
*/
   
  -#define MODULE_MAGIC_NUMBER 19980806
  +#define MODULE_MAGIC_NUMBER 19980808
   #define STANDARD_MODULE_STUFF MODULE_MAGIC_NUMBER, -1, __FILE__, NULL, NULL
   
   /* Generic accessors for other modules to get at their own module-specific
  
  
  
  1.231 +29 -2 apache-1.3/src/include/httpd.h
  
  Index: httpd.h
  ===
  RCS file: /home/cvs/apache-1.3/src/include/httpd.h,v
  retrieving revision 1.230
  retrieving revision 1.231
  diff -u -r1.230 -r1.231
  --- httpd.h   1998/08/06 19:13:52 1.230
  +++ httpd.h   1998/08/09 06:37:16 1.231
  @@ -541,6 +541,28 @@
   #define REQUEST_CHUNKED_DECHUNK  2
   #define REQUEST_CHUNKED_PASS 3
   
  +/* Limits on the size of various request items.  These limits primarily
  + * exist to prevent simple denial-of-service attacks on a server based
  + * on misuse of the protocol.  The recommended values will depend on the
  + * nature of the server resources -- CGI scripts and database backends
  + * might require large values, but most servers could get by with much
  + * smaller limits than we use below.  These limits can be reset on a
  + * per-server basis using the LimitRequestLine, LimitRequestFields,
  + * LimitRequestFieldSize, and LimitRequestBody configuration directives.
  + */
  +#ifndef DEFAULT_LIMIT_REQUEST_LINE
  +#define DEFAULT_LIMIT_REQUEST_LINE 8190
  +#endif /* default limit on bytes in Request-Line (Method+URI+HTTP-version) */
  +#ifndef DEFAULT_LIMIT_REQUEST_FIELDS
  +#define DEFAULT_LIMIT_REQUEST_FIELDS 100
  +#endif /* default limit on number of header fields */
  +#ifndef DEFAULT_LIMIT_REQUEST_FIELDSIZE
  +#define DEFAULT_LIMIT_REQUEST_FIELDSIZE 8190
  +#endif /* default limit on bytes in any one field  */
  +#ifndef DEFAULT_LIMIT_REQUEST_BODY
  +#define DEFAULT_LIMIT_REQUEST_BODY 33554432ul
  +#endif /* default limit on bytes in request body   */
  +
   /* Things which may vary per file-lookup WITHIN a request ---
* e.g., state of MIME config.  Basically, the name of an object, info
* about the object, and any other info we may ahve which may need to
  @@ -821,9 +843,14 @@
   
   array_header *names; /* Normal names for ServerAlias servers */
   array_header *wild_names;/* Wildcarded names for ServerAlias 
servers */
  +
  +uid_t server_uid;/* effective user id when calling exec wrapper 
*/
  +gid_t server_gid;/* effective group id when calling exec wrapper 
*/
   
  -uid_t server_uid;/* effective user id when calling exec 
wrapper */
  -gid_t server_gid;/* effective group id when calling exec 
wrapper */
  +unsigned int  limit_req_line;  /* limit on bytes in Request-Line   */
  +unsigned int  limit_req_fields;/* limit on number of header fields */
  +unsigned long limit_req_fieldsize; /* limit on bytes in any one field  */
  +unsigned long limit_req_body;  /* limit on bytes in request body   */
   };
   
   /* These a