Re: svn commit: r1610339 - in /httpd/httpd/trunk: docs/manual/mod/mod_journald.xml modules/loggers/config.m4 modules/loggers/mod_journald.c
jkal...@apache.org wrote: Author: jkaluza Date: Mon Jul 14 05:52:45 2014 New Revision: 1610339 URL: http://svn.apache.org/r1610339 Log: mod_journald: New module implementing error_log provider for systemd-journald. Added: httpd/httpd/trunk/docs/manual/mod/mod_journald.xml (with props) httpd/httpd/trunk/modules/loggers/mod_journald.c Modified: httpd/httpd/trunk/modules/loggers/config.m4 Added: httpd/httpd/trunk/modules/loggers/mod_journald.c URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/loggers/mod_journald.c?rev=1610339view=auto == --- httpd/httpd/trunk/modules/loggers/mod_journald.c (added) +++ httpd/httpd/trunk/modules/loggers/mod_journald.c Mon Jul 14 05:52:45 2014 +static apr_status_t journald_log_writer(request_rec *r, + void *handle, + const char **strs, + int *strl, + int nelts, + apr_size_t len) + +{ +char *str; +char *s; +int i; +apr_status_t rv = APR_SUCCESS; + +str = apr_palloc(r-pool, len + 1); Why +1? Regards Rüdiger
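Review bot: the `+ 1` in `str = apr_palloc(r-pool, len + 1);` only pays off if the writer terminates the buffer; either write `str[len] = '\0'` once the pieces are copied (so `str` can safely be handed to anything that expects a C string) or drop the extra byte and treat `str` strictly as `len` bytes. Separately, the signature takes both `strl` and `len`, so whatever copies the pieces into `str` trusts that the caller's `len` equals the sum of `strl[0..nelts-1]`; recomputing that sum up front (or bounding each copy by the space left in `str`) would keep a disagreeing caller from overrunning the allocation.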
Re: svn commit: r1610339 - in /httpd/httpd/trunk: docs/manual/mod/mod_journald.xml modules/loggers/config.m4 modules/loggers/mod_journald.c
On 07/14/2014 09:52 AM, Ruediger Pluem wrote: jkal...@apache.org wrote: Author: jkaluza Date: Mon Jul 14 05:52:45 2014 New Revision: 1610339 URL: http://svn.apache.org/r1610339 Log: mod_journald: New module implementing error_log provider for systemd-journald. Added: httpd/httpd/trunk/docs/manual/mod/mod_journald.xml (with props) httpd/httpd/trunk/modules/loggers/mod_journald.c Modified: httpd/httpd/trunk/modules/loggers/config.m4 Added: httpd/httpd/trunk/modules/loggers/mod_journald.c URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/loggers/mod_journald.c?rev=1610339view=auto == --- httpd/httpd/trunk/modules/loggers/mod_journald.c (added) +++ httpd/httpd/trunk/modules/loggers/mod_journald.c Mon Jul 14 05:52:45 2014 +static apr_status_t journald_log_writer(request_rec *r, + void *handle, + const char **strs, + int *strl, + int nelts, + apr_size_t len) + +{ +char *str; +char *s; +int i; +apr_status_t rv = APR_SUCCESS; + +str = apr_palloc(r-pool, len + 1); Why +1? That's taken from ap_default_log_writer(...) and it's also in ap_buffered_log_writer(...). When thinking about it now, it's probably useless, because len is sum of strlen() of each string in strs, so it does not include '\0', but my log_writer (and also the ap_default_log_writer/ap_buffered_log_writer) does not actually use/set that last zero byte. I think we can remove that len + 1 in all three cases then? Jan Kaluza Regards Rüdiger
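To make the `len + 1` question concrete, here is an added, stand-alone model of the `(strs, strl, nelts, len)` contract the thread is discussing. It is example code written for this page, not mod_journald's or httpd's own writer; there is no APR pool, so `malloc` stands in for `apr_palloc`, and the function and sample names (`join_log_pieces`, the `demo_*` helpers, the constructed log pieces) are assumptions. It shows the two things a reviewer would want settled: the extra byte is only meaningful if the buffer is terminated, and `len` should be checked against the sum of `strl` rather than trusted.

```c
/* Added example, not mod_journald's or httpd's code: a stand-alone model of
 * the (strs, strl, nelts, len) contract that ap_log_writer-style callbacks
 * receive, showing where the extra byte from `len + 1` actually matters.
 * Names are assumptions; malloc stands in for apr_palloc. */
#include <stdlib.h>
#include <string.h>

/* Join nelts pieces into one buffer. len must equal the sum of strl[i];
 * the sum is recomputed here instead of trusting the caller, and the
 * result is NUL-terminated so it is safe to hand to string APIs.
 * Returns NULL on a negative length, a mismatch, or allocation failure. */
static char *join_log_pieces(const char **strs, const int *strl, int nelts, size_t len)
{
    size_t total = 0;
    for (int i = 0; i < nelts; i++) {
        if (strl[i] < 0) {
            return NULL;
        }
        total += (size_t)strl[i];
    }
    if (total != len) {
        return NULL;                 /* caller's len disagrees with the pieces */
    }

    char *str = malloc(len + 1);     /* the +1 exists for the terminator set below */
    if (!str) {
        return NULL;
    }
    char *s = str;
    for (int i = 0; i < nelts; i++) {
        memcpy(s, strs[i], (size_t)strl[i]);
        s += strl[i];
    }
    *s = '\0';                       /* without this line, len + 1 buys nothing */
    return str;
}

/* Constructed sample: three pieces of an error_log line (not a real log). */
static int demo_join_len(void)
{
    const char *strs[] = { "[core:error] ", "AH00000: ", "sample message" };
    int strl[] = { 13, 9, 14 };
    char *joined = join_log_pieces(strs, strl, 3, 36);
    if (!joined) {
        return -1;
    }
    int n = (int)strlen(joined);     /* strlen is only valid because of the terminator */
    free(joined);
    return n;
}

/* The joined buffer is terminated exactly at len and holds the pieces in order. */
static int demo_terminated(void)
{
    const char *strs[] = { "abc", "de" };
    int strl[] = { 3, 2 };
    char *joined = join_log_pieces(strs, strl, 2, 5);
    if (!joined) {
        return 0;
    }
    int ok = joined[5] == '\0' && strcmp(joined, "abcde") == 0;
    free(joined);
    return ok;
}

/* A caller whose len does not match the pieces is refused rather than overrun. */
static int demo_mismatch_rejected(void)
{
    const char *strs[] = { "ab", "cd" };
    int strl[] = { 2, 2 };
    return join_log_pieces(strs, strl, 2, 5) == NULL;   /* 5 != 2 + 2 */
}
```

If the project decides to drop the `+ 1` from all three writers instead, the `*s = '\0'` line must go with it, and every consumer of `str` has to treat it as a `len`-byte span rather than a C string.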
Re: svn commit: r1610509 - /httpd/httpd/trunk/modules/generators/mod_cgid.c
Hi, no APLOGNO? Best regards, CJ On 14/07/2014 22:08, cove...@apache.org wrote: Author: covener Date: Mon Jul 14 20:08:25 2014 New Revision: 1610509 URL: http://svn.apache.org/r1610509 Log: *) SECURITY: CVE-2014-0231 (cve.mitre.org) mod_cgid: Fix a denial of service against CGI scripts that do not consume stdin that could lead to lingering HTTPD child processes filling up the scoreboard and eventually hanging the server. [Rainer Jung, Eric Covener, Yann Ylavic] Submitted By: rjung, covener, ylavic Reviewed By: trawick, jorton, covener, jim Modified: httpd/httpd/trunk/modules/generators/mod_cgid.c Modified: httpd/httpd/trunk/modules/generators/mod_cgid.c URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/generators/mod_cgid.c?rev=1610509r1=1610508r2=1610509view=diff == --- httpd/httpd/trunk/modules/generators/mod_cgid.c (original) +++ httpd/httpd/trunk/modules/generators/mod_cgid.c Mon Jul 14 20:08:25 2014 @@ -1551,6 +1551,10 @@ static int cgid_handler(request_rec *r) if (rv != APR_SUCCESS) { /* silly script stopped reading, soak up remaining message */ child_stopped_reading = 1; +ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, + Error writing request body to script %s, + r-filename); + }
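Review bot: the new `ap_log_rerror()` call is missing the `APLOGNO()` tag that httpd requires on every logged message, as already raised in this thread; a follow-up commit should add it so the message gets a stable identifier. Also worth weighing: the condition is handled right here (the comment says the remaining body is soaked up) and any client can trigger it per request simply by posting a body to a script that does not read stdin, so logging it at `APLOG_ERR` gives such a client an easy way to fill the error log; a lower level, or rate-limited logging, may be the better fit for a handled condition.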
Re: svn commit: r1610509 - /httpd/httpd/trunk/modules/generators/mod_cgid.c
On Mon, Jul 14, 2014 at 4:27 PM, Marion Christophe JAILLET christophe.jail...@wanadoo.fr wrote: Hi, no APLOGNO ? ty, can you help remedy in trunk and 2.4?
Re: svn commit: r1610509 - /httpd/httpd/trunk/modules/generators/mod_cgid.c
On 14/07/2014 22:28, Eric Covener wrote: On Mon, Jul 14, 2014 at 4:27 PM, Marion Christophe JAILLET christophe.jail...@wanadoo.fr wrote: Hi, no APLOGNO? ty, can you help remedy in trunk and 2.4? np. I have also added an empty APLOGNO in mod_deflate and fixed a comment. r1610518 in trunk, r1610522 in 2.4.x. CJ
Question on ap_method_* functions
Hi, I was about to submit a patch to remove the 'register' keyword from a variable declaration in 'modules/http/http_protocol.c' (see 'ap_method_list_remove()'). I also wanted to simplify the code in the surrounding ap_method_* functions. However, I think that: - in 'ap_method_list_add()', l->method_mask |= (AP_METHOD_BIT << methnum); should be inside the if (methnum != M_INVALID) { ... } block; - in 'ap_method_list_remove()', l->method_mask |= ~(AP_METHOD_BIT << methnum); should be inside the if (methnum != M_INVALID) { ... } block. Do you agree? Best regards, CJ
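The two bit operations quoted above are easier to judge with a small stand-alone model. The following is an added example written for this page, not httpd's own `ap_method_list_add()`/`ap_method_list_remove()` code: the method numbering, the `METHOD_BIT` constant, the `known[]` table and all function names are assumptions chosen to mirror httpd's shape. It shows two things: why the shift must be guarded by the `methnum != M_INVALID` check (an unknown method would otherwise set a meaningless bit), and why the `|= ~(bit)` form in the remove path does not clear one bit but sets every other one, so the remove path needs `&=`.

```c
/* Added example, not httpd's code: a minimal model of a method bitmask with
 * add/remove operations, to show the effect of the M_INVALID guard and of
 * the |= ~(bit) form quoted from ap_method_list_remove(). Numbering and
 * names are assumptions, not copied from the project. */
#include <stdint.h>
#include <string.h>

typedef uint64_t method_mask_t;
#define METHOD_BIT ((method_mask_t)1)

/* Assumed numbering: the known methods, then M_INVALID for anything else. */
enum { M_GET = 0, M_PUT, M_POST, M_DELETE, M_INVALID };

static const char *known[] = { "GET", "PUT", "POST", "DELETE" };

/* Map a method name to its number, or M_INVALID for an extension method. */
static int method_number_of(const char *m)
{
    for (int i = 0; i < M_INVALID; i++) {
        if (strcmp(known[i], m) == 0) {
            return i;
        }
    }
    return M_INVALID;
}

/* Unguarded add: an unknown method shifts by M_INVALID and sets a bit that
 * belongs to no method. */
static method_mask_t add_unguarded(method_mask_t mask, const char *m)
{
    int n = method_number_of(m);
    mask |= (METHOD_BIT << n);
    return mask;
}

/* Guarded add: only known methods touch the mask. */
static method_mask_t add_fixed(method_mask_t mask, const char *m)
{
    int n = method_number_of(m);
    if (n != M_INVALID) {
        mask |= (METHOD_BIT << n);
    }
    return mask;
}

/* Remove as the quoted code reads: OR-ing the complement of one bit sets
 * every bit except that one, so the mask ends up allowing everything else. */
static method_mask_t remove_buggy(method_mask_t mask, const char *m)
{
    int n = method_number_of(m);
    mask |= ~(METHOD_BIT << n);
    return mask;
}

/* Remove with AND: clears exactly the requested bit, and only for a known
 * method. */
static method_mask_t remove_fixed(method_mask_t mask, const char *m)
{
    int n = method_number_of(m);
    if (n != M_INVALID) {
        mask &= ~(METHOD_BIT << n);
    }
    return mask;
}

/* Membership test used to check the results. */
static int mask_has(method_mask_t mask, const char *m)
{
    int n = method_number_of(m);
    return n != M_INVALID && (mask & (METHOD_BIT << n)) != 0;
}
```

Note that the guarded form quietly ignores an extension method such as "PATCH"; httpd keeps a separate list for those, and a caller that needs them must consult that list rather than the bitmask.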
[PATCH] did I understand the mod_cgid fix properly?
Index: CHANGES === --- CHANGES (revision 1610531) +++ CHANGES (working copy) @@ -16,8 +16,10 @@ *) SECURITY: CVE-2014-0231 (cve.mitre.org) mod_cgid: Fix a denial of service against CGI scripts that do not consume stdin that could lead to lingering HTTPD child processes - filling up the scoreboard and eventually hanging the server. Adds - CGIDScriptTimeout directive. + filling up the scoreboard and eventually hanging the server. By + default, the client I/O timeout (Timeout directive) now applies to + communication with scripts. The CGIDScriptTimeout directive can be + used to set a different timeout for communication with scripts. [Rainer Jung, Eric Covener, Yann Ylavic] *) mod_ssl: Extend the scope of SSLSessionCacheTimeout to sessions Make sense? -- Born in Roswell... married an alien... http://emptyhammock.com/ http://edjective.org/
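Review bot: the reworded entry now states two behaviours (the `Timeout` value applying to script communication by default, and `CGIDScriptTimeout` overriding it), so the `CGIDScriptTimeout` documentation in the mod_cgid manual page should spell out the same default rather than only the directive; and since the fix is for CVE-2014-0231 and is being carried to 2.4.x, the CHANGES entry on that branch should use this same wording so the two branches do not describe the fix differently.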
Re: [PATCH] did I understand the mod_cgid fix properly?
On Mon, Jul 14, 2014 at 5:18 PM, Jeff Trawick traw...@gmail.com wrote: Index: CHANGES === --- CHANGES (revision 1610531) +++ CHANGES (working copy) @@ -16,8 +16,10 @@ *) SECURITY: CVE-2014-0231 (cve.mitre.org) mod_cgid: Fix a denial of service against CGI scripts that do not consume stdin that could lead to lingering HTTPD child processes - filling up the scoreboard and eventually hanging the server. Adds - CGIDScriptTimeout directive. + filling up the scoreboard and eventually hanging the server. By + default, the client I/O timeout (Timeout directive) now applies to + communication with scripts. The CGIDScriptTimeout directive can be + used to set a different timeout for communication with scripts. [Rainer Jung, Eric Covener, Yann Ylavic] *) mod_ssl: Extend the scope of SSLSessionCacheTimeout to sessions Make sense? +1