What would happen in this case httpd would infer a body while no body would be found there?
* In the case of a 'connection close' nothing, empty body would be found.
* In the case of a 'persistent connection':
* RFC2616 section 8.1.2.1:
In order to remain persistent, all messages on
On Saturday, August 7, 2004, at 01:17 PM, André Malo wrote:
* Nick Kew [EMAIL PROTECTED] wrote:
It occurs to me that a similar situation arises with CGI and chunked
input. The CGI spec guarantees a content-length header,
ah, no.
| * CONTENT_LENGTH
|
| The length of the said content as given by
Thanks for the great support - httpd-2.0 HEAD 2004-08-07 really fixes it.
It even provides env variable proxy-sendchunks to select between compatible Content-Length (default) and performance-wise chunked.
Sounds pretty complete to me. Of course you'd need to stick to C-L unless you *know* the
If the client sent chunks, then it is safe to assume that the proxy
can send chunks as well. Generally speaking, user agents only send
chunks to applications that they know will accept chunks.
The client could be sending chunks precisely because it's designed to
work with a proxy that is known to
CGI would happen after mod_deflate. If mod_deflate changes the request body without also (un)setting content-length, then it is broken.
Huh? Input filters are pulled, so they run *after* the handler has been started. And - CONTENT_LENGTH (if any - It's unset for chunked as well) still reflects
A CGI script therefore should never trust Content-Length, but just read stdin until it meets an EOF.
That is well-known to fail in CGI. A CGI must use Content-Length.
Hmm. Any pointers where this is specified? I didn't have any problems with this until now - but in trusting the C-L variable.
On the contrary! I myself have done a great deal of work on a proxy
for mobile devices, for a household-name Client. The client software
makes certain assumptions of the proxy that would not be valid on the
Web at large. But the backend *is* the web at large.
But then the client is either using
Since the Apache server can not know if CGI requires C-L, I conclude
that CGI scripts are broken if they require C-L and do not return
411 Length Required when the CGI/1.1 CONTENT_LENGTH environment
variable is not present. It's too bad that CGI.pm and cgi-lib.pl
are both broken in this respect.
On Saturday, August 7, 2004, at 05:21 PM, Jan Kratochvil wrote:
This whole thread started due to a commercial GSM mobile phone:
User-Agent: SonyEricssonP900/R102 Profile/MIDP-2.0 Configuration/CLDC-1.0 Rev/MR4
, it sends HTTP/1.1 chunked requests to its HTTP proxy although you will access
On Monday, August 2, 2004, at 10:55 AM, Justin Erenkrantz wrote:
Avoid confusion when reading mod_cache code. write_ and read_ often imply network code; save_ and load_ are more understandable prefixes in this context.
Hmm, IIRC, loading a cache means writing to it, not reading from it. Why
On Thursday, July 29, 2004, at 05:58 AM, André Malo wrote:
* Mladen Turk [EMAIL PROTECTED] wrote:
William A. Rowe, Jr. wrote:
/* Scoreboard file, if there is one */
#ifndef DEFAULT_SCOREBOARD
@@ -118,6 +119,7 @@
typedef struct {
int server_limit;
int
Rather just use URL parameters. As I recall RFC2616 does not consider a request with a different cookie a different variant, so even if you patch your server to allow it to differentiate between cookies, neither the browsers nor the transparent proxies in the path of the request will do what
Ugg... fix_hostname() in 1.3.30-dev (and previous) are
broken such that it does *not* update parsed_uri with
the port and port_str value from the Host header.
This means that with a request like:
% telnet localhost
GET / HTTP/1.1
Host: foo:
that the '' port value from the
That is a common thread on http-wg. Spaces are allowed after the
chunk-size, or at least will be allowed by future specs. The whole
HTTP BNF needs to be revamped, eventually.
Roy
However I completely disagree that Python (or Perl or PHP) is a good choice for use in build systems.
As part of the configure process, I would agree with you, but as part of buildconf, I disagree--not everyone needs to run buildconf--only developers, and if you're a developer, it's
-1. Reject the request with a 400 error instead.
Roy
+1, though it would probably be better to add a parameter to err
to pass errno (or 0) rather than using the global in this way.
Roy
On Wednesday, January 14, 2004, at 01:04 PM, Julian Reschke wrote:
From...:
http://httpd.apache.org/dev/project-plan.html
- Implementation of the LINK Method
Can anybody tell me what this is?
See RFC 2068, section 19.6.1.2 and 19.6.2.4
(you might want to look at the description of PATCH as
On Saturday, January 3, 2004, at 11:10 AM, William A. Rowe, Jr. wrote:
At 06:32 AM 1/2/2004, you wrote:
[EMAIL PROTECTED] wrote:
update license to 2004.
Why? Unless the file changes in 2004, the copyright doesn't. And, in
any case, the earliest date applies, so it gets us nowhere.
In fairness
one of the issues that needed working out was dealing with multiple ETag headers. my original idea was to have ap_weaken_etag guarantee that ETag headers would be weak. with ETag headers entering err_headers_out via a third party, there exists the possibility that the server would send
RFC 2616, section 3.11, BNF does not allow multiple ETag header fields.
^
^14.19 + 3.11
Roy
BTW, an entity tag does not identify the entity -- it merely
acts as a key for cache and range request handling.
right. and what I was trying to do was make it possible for content-altering filters to handle that key a bit more intelligently than just removing it altogether. the situation I
-1. I'm still of the mind that _every_ release should be recreatable. Anything we put out there is going to be at least perceived as official, and we should take that into account.
Every release is tagged. A tarball is not a release. Nothing is a
release until AFTER the associated tarball has
So you're basically saying that we retag a release candidate tag with the final release tagname, when a tarball rolled from such a tag receives three +1s for release?
I am saying that the contents of a release tarball must match the tag
of that release in cvs. How that happens will depend on the
at http://cvs.apache.org/~kess/programs/ you'll find a draft for a
configure script documentation. There are still some open ends - mostly
commented within the xml file - and there might be a lot of typos and
spelling mistakes, but it is ready for a review now...
It would be fine, if someone could
On Friday, October 17, 2003, at 12:27 PM, Jeff Trawick wrote:
For ErrorDocument nnn http://url;, ap_die() will respond with 302 redirect, and r->status will be updated to indicate that. But the original error could have been one that keeps us from being able to process subsequent requests on
On Tue, Jul 08, 2003 at 12:41:09AM -0400, Glenn wrote:
With the talk about a minor MMN bump, I put together this patch which
adds a flag at the end of server_rec. This also changes ErrorLog to
a TAKE12, with an optional style of default or vhosts, where the
vhosts includes the server name and
Patch to add Subversion .svn directories to the default IndexIgnore in
httpd-[std|win].conf.
I'd rather you explain why the first entry (.??*) is not sufficient:
-IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t
+IndexIgnore .??* *~ *# HEADER* README* .svn RCS CVS *,v *,t
It should
The recent changes to the mime.types file for apache 1.3 cause mod_mime to throw warnings due to the inline comments. It now throws a warning each time it hits # unregistered or # invalid while parsing the file.
Warnings? In error_log? Hmmm, I must have tested under the wrong log level.
There is one final commit which we are waiting for before the
TR of 1.3.28. It's to close a bug in one of our support
programs distributed with Apache and affects Win32 and OS/2.
Whoa, sorry, I didn't realize that we were in just-before-release mode
on 1.3.x. Are the mime types config changes I
-#AddType image/x-icon .ico
Though it's an x-type, I'd suggest not to remove it from the default config. It matches the default user needs very well.
I added it to the default mime.types first, where it belongs.
Roy
The tarball checks out okay, verifies with signature and md5, and all
of my simple tests on OS X 10.2.6 seem to work great.
+1
I have a few corrections to make on the conf files, but those can wait
until the next release.
Roy
On Saturday, March 22, 2003, at 07:15 AM, Brass, Phil (ISS Atlanta) wrote:
The point of stripping Date and Last-modified headers is that HTTP fingerprinting tools look at things like header order, the formatting of dates and times, etc.
So change the format and order. Stripping them is a
The patches at http://www.rtr.com/fpsupport/ for including
FrontPage support in Apache modify the request_rec to add an
execfilename field in the *middle* of the structure, thus
blowing binary compatibility with all other Apache modules.
Move the execfilename to the end of the request_rec to avoid
There is no reason to discuss this on the security or pmc lists.
Which brings us back to the start... How should we address this, umm...
concern. Seems to me the 3 options are:
1. (continue to) Ignore it.
As far as the XSS concern, I'd ignore it. However, it is perfectly
reasonable for
change optional function to return the previous writer, allowing to have multiple types of writers in the same server. (previously you could only have one)
it needs a mmn bump.. sorry guys
Umm, okay, I give up... why does it need a major bump? Would older modules really blow up because
Allow mod_dav to do weak entity comparison function rather than a strong entity comparison function. (i.e. it will optionally strip the W/ prefix.)
That doesn't really follow the spirit of etag validation in HTTP. In theory, the client is not allowed to use weak etags for anything other
First, the NETWARE part has to be above your additions.
The reason I put the NETWARE part below the first new code was because
I assumed (perhaps incorrectly) that there was no way that Apache or
library functions it called were going to mess with the value returned
by WSAGetLastError(), but
I can certainly understand that :) Here is a new patch along those
lines.
+1, but you might want to reduce the severity on those error messages if this is actually a common occurrence. After all, there is nothing that the server can do about it, and the client won't be complaining, though it
Private tags are getting pretty annoying. You should only use one
and only one private tag per RM (without a version number) and just
move it around to reflect the state of your private tree.
On a related note, I would like to remove all of the non-official
tags that are older than a few months.
On Monday, November 25, 2002, at 04:58 PM, Aaron Bannert wrote:
I guess I just didn't read that much in to it. I just want
to see us move forward without getting bogged down in
misinterpreted emails and already acknowledged mistakes,
and to do that I'm trying to stay objective (eg. a Vote).
To
So you suggest initially populating old/ and then symlinking the
now-current version in the main download directory at the old/
target, instead? It would still initially download the package
twice, and then simply unlink it later on, right?
Or what's the right approach here?
I suggest moving
Since we renamed the repository to httpd from httpd-2.0 (there is
a symlink for now), the CVSROOT/avail file doesn't match
the repository name, and therefore I can't commit. Can we
fix that so I can commit to the new httpd repository directly?
Why the heck was that done? Too many things get
Does anyone know what the behaviour of Apache 1.3 is
under the circumstances where the HTTP request or
response contains an invalid request header?
Specifically, when the Connection header contains
something other than 'close'?
There is nothing invalid about that -- connection is completely
Your patch will simply let the %2F through, but then a later section
of code will translate them to / and we've opened a security hole
in the main server. I'd rather move the rejection code to the
place where a decision has to be made (like the directory walk),
but I have no time to do it myself.
One of them is probably here (in function ap_meets_conditions). Is there any reason we cannot use r->request_time here?
I can't tell for sure right now, but the original concern was that
dynamically generated pages that are forked into a cache (something
done by RobH for IMDB) would have a
I'm sure there's a great reason for setting B_EOUT flag here, but it
sure does suck if you have data waiting to be sent to the client since
setting B_EOUT convinces ap_bclose() not to write any more data.
It is only set when the connection is aborted or the fd is gone,
both indicating that we
On Friday, October 18, 2002, at 07:44 PM, Roy T. Fielding wrote:
I'm sure there's a great reason for setting B_EOUT flag here, but it
sure does suck if you have data waiting to be sent to the client since
setting B_EOUT convinces ap_bclose() not to write any more data.
It is only set when
Ryan asked for a clarification about whether or not we have the ability
to redistribute SSL binaries for win32.
Last year, the board hired a lawyer to give us an opinion on whether
we can distribute encryption software, or hooks to such software.
The exact opinion we got back is, unfortunately,
At first glance, I think there's an even more fundamental problem:
the code in ap_cache_check_freshness() appears to be mixing times
measured in microseconds (the result of ap_cache_current_age())
with times measured in seconds (everything that it gets from the
HTTP header).
And does that
Output filters cannot handle methods -- only input filters can do that.
It sounds to me like you guys are just arguing past each other -- the
architecture is broken, not the individual modules. Just fix it.
Greg is right -- the default handler is incapable of supporting any
method other than
On Wednesday, September 11, 2002, at 06:04 PM, Graham Leggett wrote:
Kris Verbeeck wrote:
The response:
HTTP/1.0 200
Date: Tue, 10 Sep 2002 09:45:39 GMT
Server: web server
Connection: close
etag: b9829-2269-3cd12aa1
Another bug - why is an HTTP/1.1 response
+/* There's probably a better way to do this, but for the time
being...
+ *
+ * Right now the parsing is very 'slack'. Actual rules from RFC
2069 are:
The relevant spec is RFC 2617. Were there significant changes since 2069?
Roy
Not in this section. Comma separation made clearer (but no explicit wording on white space eating) - and our old code was still at fault when insisting that any non alphanumeric MUST be quoted.
Odd that the BNF doesn't require that -- it cannot be parsed
unambiguously without the quotes.
-1. Please revert the change. The purpose of the check is to identify
incompatible APIs, not security holes.
Roy
-1. Please revert the change. The purpose of the check is to identify
incompatible APIs, not security holes.
should apache be allowed to be built against a version of OpenSSL that has a known problem - I don't think so. But if everybody thinks against - then, so be it.
People need to
-1. Please revert the change. The purpose of the check is to identify
incompatible APIs, not security holes.
I have a patch to turn it into a warning -- will commit once tested.
Roy
Cool. I believe something is better than nothing :).
(I'm sure you're already aware of this - but thought it'd be better to let you know)
I believe my patch went into r1.127 - and has been labelled for the 2.0.40 release. So, you might want to bump the label before it's released.
It has
On Thursday, July 18, 2002, at 12:49 PM, [EMAIL PROTECTED] wrote:
}
-if (sconf-max_cache_object_size = sconf-max_cache_size) {
+if (sconf-max_cache_object_size = sconf-max_cache_size*1000) {
ap_log_error(APLOG_MARK, APLOG_CRIT, 0, s,
WTF? -1 Jim, that code is doing an error check prior to the
strtol. It is not looking for the start of the number, but
ensuring that the number is non-negative and all digits prior
to calling the library routine. A simple check of *lenp would
have been sufficient for the blank case.
I need
That's true. But is definitely the one used by convention. (Maybe it's in the CGI spec? Not sure on that one.) And that doesn't change the fact that in this case ':' was used in place of both the '?' and the '&', which is definitely wrong.
No, it's just a different way of naming
On Tuesday, June 25, 2002, at 02:05 PM, Arliss, Noah wrote:
Hopefully this is not a redundant question.. Does this patch cover issues in mod_proxy as well, or were the issues introduced in 1.3.23 and later?
They were introduced later. The patch says that it is not sufficient for the
User rasmus already has karma. apache-2.0 is not what you are looking for,
try the module httpd-2.0.
Roy
On Sunday, June 23, 2002, at 05:30 PM, Rasmus Lerdorf wrote:
Could someone karma me for apache-2.0 please?
-Rasmus
I don't remember seeing any +1's for this patch on the list.
I don't remember needing any. There were no -1 with explanations.
There certainly hasn't been any effort spent, aside from my own, to
address the needs of those who cannot upgrade. You guys punted, so
I picked up the ball and
This patch should be sufficient to fix the security hole for most
versions of Apache httpd 1.2. Should we put it up on dist/httpd?
It turns out that this small patch is sufficient to plug the hole
on all 1.2 and 1.3.* versions up until 1.3.24 if mod_proxy is in use.
I have placed it in the
This patch should be sufficient to fix the security hole for most
versions of Apache httpd 1.2. Should we put it up on dist/httpd?
Roy
--- apache-1.2/src/http_protocol.c Thu Jan 4 01:21:10 2001
+++ apache-1.2/src/patched_http_protocol.c Thu Jun 20 18:13:04 2002
-1535,6
There is no reason for them to be all-uppercase. I hate it when people
use uppercase for functions, including macro functions. All-uppercase
is a convention for symbolic constants, not functions.
Roy
Why do that when it is more effective to just blow away apr_time_t and
use the already-portable time_t when we want to store seconds? I have
no need for microseconds outside of struct tm (which does need a more
portable apr structure type).
Roy
On Monday, June 10, 2002, at 03:22 PM, Cliff Woolley wrote:
On Mon, 10 Jun 2002, Roy T. Fielding wrote:
I know of one existing bug in httpd that I would consider a
showstopper, if I were RM, due to the way APR handles time.
Are you going to tell me what it is? :)
If-Modified-Since
If-Modified-Since doesn't work because an HTTP time based on
seconds x10 is being compared to a file modification time
based directly on microseconds.
I thought I fixed that already!? Oh boy, did the patch not get
committed?
It might be sitting in the PR waiting for somebody to test
if (ap_status_drops_connection(r->status) ||
    (r->main && ap_status_drops_connection(r->main->status))) {
    return OK;
}
The idea is that if our status code is such that we're trying to
avoid reading the body, we shouldn't actually read it. We need
the r-main trick as well
Sounds good, but I disagree with your STATUS code. It is a 400, not a
413. The request is completely invalid, not too large. It would be too
large if we had set a limit on the size of requests, but that isn't the
problem. The problem is that they have sent an invalid chunk.
No, it is a
On Sunday, May 5, 2002, at 11:25 AM, Justin Erenkrantz wrote:
On Sun, May 05, 2002 at 08:03:24PM +0200, Graham Leggett wrote:
I understand the Content Length filter is responsible for sorting out Content-Length, and that chunked encoding will be enabled should the length be
I do not believe that the Server string should be used to describe
implementation details of the server software. I know we already
do that, over my objections.
Roy
On Wednesday, May 1, 2002, at 01:49 PM, Aaron Bannert wrote:
And, consider my position on your calloc change in this patch as a
veto. If you want to remove calloc, then you should do so throughout
the code rather than in sporadic places that may make maintaining the
code a nightmare if we
Well then why are the patches in the tree??? I'm not sure I like the idea of tagging and then tagging just some files. Seems like if we haven't got a stable HEAD we shouldn't be tagging. We got into this whole business of tagging often as a way of avoiding having this sort of thing. If we
I don't understand why you didn't simply reverse the test and
enclose the frequent case inside the if {} block. I assume it
was just to avoid indenting a large block of code, which is not
sufficient justification for a goto.
A goto often has unforeseen effects on high-level optimizations that
On Thursday, April 25, 2002, at 03:27 PM, Justin Erenkrantz wrote:
On Thu, Apr 25, 2002 at 04:39:18PM -0400, Bill Stoddard wrote:
From http_protocol.c...
* 1. Call setup_client_block() near the beginning of the request
* handler. This will set up all the necessary properties, and will
On Monday, April 22, 2002, at 11:11 AM, Joshua Slive wrote:
Bill Stoddard wrote:
SetEnv force-response-1.0
According to the docs here:
http://httpd.apache.org/docs/env.html#special
The point of that was to deal with silly proxies that belched when they
saw HTTP/1.1 (regardless of the
Nice article. However, looking at their test results, I'd say they
are only measuring the limits of their test tool. At least it is nice
to see that they have similar performance up to the test limitation.
Roy
http://www.eweek.com/article/0,3658,s=702a=25458,00.asp
+1
Roy
We have to do more work than this. The 100 has to be sent before attempting to read the first chunk (if chunked) or only if C-L > 0 (if length).
Also, the code that reads the chunk length is failing to check for errors.
Also, the code that reads the chunk end is failing to read the trailers.
Ok, now we're on the same page. I see this as a problem as well, but I
don't think this is what is causing the problem described earlier in this
thread. Considering how unlikely it is that all of the threads on one
process are on long-lived connections, I don't see this as a critical
Tarball tested on RH Linux 2.2.16-22 with no problems. +1
Roy
We're upgraded to the latest PCRE now (thanks to Cliff for fixing the Win32 build).
Thanks.
I checked with the PCRE maintainer and learned that the next release is
several months away. In the meantime, that leaves me with two options
for speeding up ap_regexec():
* Commit a change
On Tue, Mar 19, 2002 at 06:07:05PM -0800, Brian Pane wrote:
Is the copy of PCRE within httpd-2.0 a separately maintained fork
of PCRE, or is it supposed to be an unmodified copy? (The one in
the httpd tree appears to be a few releases out of date.)
It is supposed to be maintained up to date
Apache 1.3 on Win32 assumes that the names of files served are comprised solely of characters from character sets which are a superset of ASCII, such as UTF-8 or ISO-8859-1. It has no logic to determine whether or not
You wanted to say from character encodings that are a superset.
A
On Sat, Mar 09, 2002 at 12:20:23PM +0800, Stas Bekman wrote:
Sander Striker wrote:
Hi,
Should we bump the copyright year on all the files?
Anyone have a script handy?
find . -type f -exec perl -pi -e 's|2000-2001|2000-2002|' {} \;
That would change a lot more, and a lot less, than we
On Tue, Mar 12, 2002 at 10:57:50AM -0800, Brian Pane wrote:
Aaron Bannert wrote:
Is it valid for Content-length to be returned from these types
of requests? daedalus is showing it, and I'm seeing it in current CVS.
-aaron
I don't think so, unless it's Content-Length: 0, due to this
On Wed, Mar 13, 2002 at 01:09:27PM -0500, Jeff Trawick wrote:
short form:
I want to move config_vars.mk from top_builddir to
top_builddir/build/config_vars.mk. Okay?
+1
Roy
On Wed, Mar 13, 2002 at 02:12:18PM -0500, Jeff Trawick wrote:
Jeff Trawick [EMAIL PROTECTED] writes:
This function is checking for several characters which, at least in ASCII, are supposedly not valid characters for filenames. But some of these same characters can appear in valid
Regarding your key comment treats all file names as raw bytes,
regardless of charset...
I would agree with that for Unix, but on Win32, in an attempt to match the semantics of the native filesystem (case preserving but not case significant), Apache will perform case transformations on
Should I just create a new section labeled Layout SuSE7?
No, just replace it. The worst that could happen is the man directory not being found on an old SuSE 6x, which is an easy fix to the user. Keep in mind that the layout is normally only used by the package installers prior to burning the CD
As far as having no responsibility to the people/companies that USE Apache, I put forth this argument. When a company bases its business or a person bases their career on a program, in MY OPINION, there then springs into being an implied responsibility on the development team to support
I think you may have done the opposite of what you expected..
Aren't NOTICE messages *always* logged, regardless of LogLevel?
Oh, man. That sucks. It's #defined to be priority 5 in http_log.h,
but we ignore that level. Bah. That's bogus. NOTICE should be
priority 0 if we always
A showstopper, aside from a yet-to-be-reverted veto, can be moved from
one section of STATUS to another by the RM (or anyone, for that matter)
whenever they want. It is only a showstopper if we ALL agree it is.
The category only exists to simply remind us of what needs to be fixed.
Roy
Nobody can veto a release, period. It is therefore impossible for
anything to be a showstopper unless it is a pending veto of a commit
or the group makes a decision by majority of -1 on any release until
the problem is fixed. If the RM doesn't think that is the case,
then they should move the
On Wed, Feb 06, 2002 at 03:33:04PM -0500, Rodent of Unusual Size wrote:
Roy T. Fielding wrote:
A showstopper, aside from a yet-to-be-reverted veto, can be
moved from one section of STATUS to another by the RM (or
anyone, for that matter) whenever they want. It is only
a showstopper
I add a showstopper to STATUS. One other person says -1, that's
not a showstopper. By my interpretation of the rules, they CANNOT
demote it from showstopper until there are enough people who would
vote to release (more +1s than -1s). This means that in order to
demote it, there would have to
On Tue, Feb 05, 2002 at 12:58:35PM -0800, Ryan Bloom wrote:
Rodent of Unusual Size wrote:
When enabled, UseCanonicalName causes the server to
create any server-self-referential URLs using the name
by which it knows itself -- as opposed to what the client
may have called it. In