Re: svn commit: r1764961 - in /httpd/httpd/trunk: docs/manual/mod/core.xml modules/http/http_filters.c server/core.c server/gen_test_char.c server/protocol.c server/util.c

2016-10-14 Thread Roy T. Fielding
Right, though several people have requested it now as errata. Seems likely to 
be in the final update for STD.

Roy


> On Oct 14, 2016, at 2:16 PM, William A Rowe Jr wrote:
> 
>> On Fri, Oct 14, 2016 at 3:48 PM,  wrote:
>> Author: wrowe
>> Date: Fri Oct 14 20:48:43 2016
>> New Revision: 1764961
>> 
>> URL: http://svn.apache.org/viewvc?rev=1764961=rev
>> Log:
>> [...]
>> Apply HttpProtocolOptions Strict to chunk header parsing, invalid
>> whitespace is invalid, line termination must follow CRLF convention.
>> 
>> [...]
>  
>> static apr_status_t parse_chunk_size(http_ctx_t *ctx, const char *buffer,
>> [...]
>  
>> -else if (c == ' ' || c == '\t') {
>> +else if (!strict && (c == ' ' || c == '\t')) {
>>  /* Be lenient up to 10 BWS (term from rfc7230 - 3.2.3).
>>   */
>>  ctx->state = BODY_CHUNK_CR;
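
Review bot: The comment kept as context under the changed condition still reads "Be lenient up to 10 BWS" and cites rfc7230 section 3.2.3, but after this change the branch is reached only when strict is false. The comment should say that the leniency applies in non-strict mode only, so a reader does not take it as behaviour the parser always has.
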
> 
> I'm not sure where this myth came from... 
> 
> https://tools.ietf.org/html/rfc7230#section-4.1
> 
> has *NO* provision for BWS in the chunk size.


Re: svn commit: r1764961 - in /httpd/httpd/trunk: docs/manual/mod/core.xml modules/http/http_filters.c server/core.c server/gen_test_char.c server/protocol.c server/util.c

2016-10-14 Thread William A Rowe Jr
On Fri, Oct 14, 2016 at 3:48 PM,  wrote:

> Author: wrowe
> Date: Fri Oct 14 20:48:43 2016
> New Revision: 1764961
>
> URL: http://svn.apache.org/viewvc?rev=1764961=rev
> Log:
> [...]
> Apply HttpProtocolOptions Strict to chunk header parsing, invalid
> whitespace is invalid, line termination must follow CRLF convention.
>
> [...]



> static apr_status_t parse_chunk_size(http_ctx_t *ctx, const char *buffer,
> [...]



> -else if (c == ' ' || c == '\t') {
> +else if (!strict && (c == ' ' || c == '\t')) {
>  /* Be lenient up to 10 BWS (term from rfc7230 - 3.2.3).
>   */
>  ctx->state = BODY_CHUNK_CR;
>
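
Review bot: With "!strict &&" added to the condition, a space or tab seen in strict mode falls through to whatever branch follows this else-if, and that branch is not shown in the hunk. Please confirm that it rejects the byte as an invalid chunk-size character instead of handling it some other way, and consider a test that sends a space before the CRLF with HttpProtocolOptions Strict.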

I'm not sure where this myth came from...

https://tools.ietf.org/html/rfc7230#section-4.1

has *NO* provision for BWS in the chunk size.
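
The strict versus lenient handling discussed in this thread, as an added example that is not part of any message above and is not httpd's code: a stand-alone C function (the name chunk_size_line is hypothetical) that parses one chunk-size line against the RFC 7230 section 4.1 grammar. Assumptions: chunk extensions are rejected for brevity, and non-strict mode also accepts a bare LF.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_BWS 10 /* leniency bound taken from the comment in the quoted hunk */

/* Hypothetical helper, not httpd's parse_chunk_size(). Parses one complete
 * chunk-size line; returns 0 and stores the size, or -1 if malformed. */
static int chunk_size_line(const char *buf, size_t len, int strict,
                           uint64_t *size)
{
    size_t i = 0, bws = 0;
    uint64_t n = 0;
    for (; i < len; i++) {             /* chunk-size = 1*HEXDIG */
        int c = (unsigned char)buf[i], v;
        if (c >= '0' && c <= '9')      v = c - '0';
        else if (c >= 'a' && c <= 'f') v = c - 'a' + 10;
        else if (c >= 'A' && c <= 'F') v = c - 'A' + 10;
        else break;
        if (n > (UINT64_MAX >> 4)) return -1; /* would overflow 64 bits */
        n = (n << 4) | (uint64_t)v;
    }
    if (i == 0) return -1;             /* no hex digit at all */
    /* Non-strict mode only: tolerate a bounded run of SP / HTAB. */
    while (!strict && i < len && (buf[i] == ' ' || buf[i] == '\t')) {
        if (++bws > MAX_BWS) return -1;
        i++;
    }
    /* Strict: CRLF only. Non-strict also takes bare LF (assumption here). */
    int crlf = (len - i == 2 && buf[i] == '\r' && buf[i + 1] == '\n');
    int lf   = (len - i == 1 && buf[i] == '\n');
    if (!crlf && !(lf && !strict))
        return -1;
    *size = n;
    return 0;
}

int main(void)
{
    const char *in[] = { "1A\r\n", "1A \r\n", "1A\n" }; /* constructed */
    for (int k = 0; k < 6; k++) {
        uint64_t n = 0;
        int rc = chunk_size_line(in[k % 3], strlen(in[k % 3]), k / 3, &n);
        printf("strict=%d line#%d rc=%d size=%llu\n", k / 3, k % 3, rc,
               (unsigned long long)n);
    }
    return 0;
}
```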


Re: svn commit: r1688399 - /httpd/httpd/trunk/modules/metadata/mod_remoteip.c

2016-10-14 Thread William A Rowe Jr
On Fri, Oct 14, 2016 at 11:16 AM, Eric Covener wrote:

> This was not backported and popped up in PR60251.
>
> Bill, can you have a look including my guess that it really should
> just be "temp_sa = r->useragent_addr;"?


While that code should *not* be triggered before r->useragent_addr
has been populated, some off-beat perl code causes these phases
to run out-of-sequence and we segfault not long after if this is run
without a post read request hook.

I blame a bad mod_perl example, but the cycle wasted to confirm
that useragent_addr is non-null isn't worth trimming.


Re: svn commit: r1688399 - /httpd/httpd/trunk/modules/metadata/mod_remoteip.c

2016-10-14 Thread Eric Covener
This was not backported and popped up in PR60251.

Bill, can you have a look including my guess that it really should
just be "temp_sa = r->useragent_addr;"?

On Tue, Jun 30, 2015 at 4:40 AM,   wrote:
> Author: jkaluza
> Date: Tue Jun 30 08:40:17 2015
> New Revision: 1688399
>
> URL: http://svn.apache.org/r1688399
> Log:
> mod_remoteip: Use r->useragent_addr as the root trusted address for verifying.
>
> This fixes issue resulting in setting of bad useragent_ip when internal
> redirection has been generated as response to the request (typically as
> result of "ErrorDocument 40x").
>
> In this case, the original request has been handled by mod_remoteip and its
> useragent_ip has been changed properly, but when internal redirection
> to ErrorDocument has been generated later, the mod_remoteip's handler has been
> executed again with *the same* c->client_addr as in the original request. If
> c->client_addr IP is trusted, this results in bad useragent_ip being set.
>
> When using r->useragent_addr as the root trusted address instead of
> c->client_addr, the internal redirection uses the first non-trusted
> IP in this particular case, so it won't change the r->useragent_ip during
> the internal redirection to ErrorDocument.
>
> Modified:
> httpd/httpd/trunk/modules/metadata/mod_remoteip.c
>
> Modified: httpd/httpd/trunk/modules/metadata/mod_remoteip.c
> URL: 
> http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/metadata/mod_remoteip.c?rev=1688399=1688398=1688399=diff
> ==
> --- httpd/httpd/trunk/modules/metadata/mod_remoteip.c (original)
> +++ httpd/httpd/trunk/modules/metadata/mod_remoteip.c Tue Jun 30 08:40:17 2015
> @@ -255,7 +255,7 @@ static int remoteip_modify_request(reque
>  }
>  remote = apr_pstrdup(r->pool, remote);
>
> -temp_sa = c->client_addr;
> +temp_sa = r->useragent_addr ? r->useragent_addr : c->client_addr;
>
>  while (remote) {
>
>
>
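
Review bot: The fallback arm of the ternary on the added line, c->client_addr, is the same root address the log message says leads to a bad useragent_ip on internal redirects, and nothing in the hunk says when r->useragent_addr can be NULL at this point. A short comment above the assignment naming the case the fallback covers would show that the NULL check is deliberate and not a leftover.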



-- 
Eric Covener
cove...@gmail.com