httpd-2.0.61

2007-08-30 Thread William A. Rowe, Jr.
You'll note there is a -very- short list of remaining patches to
consider for the 2.0 branch, and the logging stderr pool in particular
would be good to backport.  Because there is no shell, we forcefully
kill the stderr pipe logger on pool cleanup before we start launching
the new logs.  In 2.2/trunk this wasn't noticeable, we forcefully
kill the shell, but the log program it launches keeps running in some
cases.

Bill


[PATCH] mod_ssl: Stricter directive context checking

2007-08-30 Thread Martin Kraemer
In mod_ssl's directive parser, many directives do not check the allowed
contexts, thus misleading the user that, e.g., in the configuration...

  <LimitExcept GET OPTIONS>
    Require valid-user
    <IfModule ssl_module>
      SSLRequireSSL
    </IfModule>
  </LimitExcept>

the SSLRequireSSL directive indeed applies only to the destructive
methods (PUT, PROPSET, ...), while in fact it applies to all methods.

The patch is just a start: more ap_check_cmd_context() calls were
desirable...

  Martin
-- 
[EMAIL PROTECTED]| Fujitsu Siemens
http://www.fujitsu-siemens.com/imprint.html | 81730  Munich,  Germany
diff -burp httpd-2.2.4.old5/modules/ssl/ssl_engine_config.c 
httpd-2.2.4/modules/ssl/ssl_engine_config.c
--- httpd-2.2.4.old5/modules/ssl/ssl_engine_config.c2006-07-23 
13:11:58.0 +0200
+++ httpd-2.2.4/modules/ssl/ssl_engine_config.c 2007-08-29 19:32:59.000686000 
+0200
@@ -1159,6 +1159,11 @@ const char *ssl_cmd_SSLOptions(cmd_parms
 const char *ssl_cmd_SSLRequireSSL(cmd_parms *cmd, void *dcfg)
 {
 SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;
+const char *err = ap_check_cmd_context(cmd, 
NOT_IN_LIMIT|NOT_IN_LOCATION|NOT_IN_FILES);
+
+if (err != NULL) {
+return err;
+}
 
 dc-bSSLRequired = TRUE;
 
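Review bot: The context mask passed to ap_check_cmd_context() in ssl_cmd_SSLRequireSSL is wider than the problem described. The report concerns SSLRequireSSL inside LimitExcept, which NOT_IN_LIMIT covers, but NOT_IN_LOCATION|NOT_IN_FILES also turns the directive into a configuration error inside Location and Files sections, so existing configurations that use it there would stop loading. I would start with NOT_IN_LIMIT alone and give the other two flags their own justification.
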
@@ -1172,6 +1177,11 @@ const char *ssl_cmd_SSLRequire(cmd_parms
 SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;
 ssl_expr *expr;
 ssl_require_t *require;
+const char *err = ap_check_cmd_context(cmd, 
NOT_IN_LIMIT|NOT_IN_LOCATION|NOT_IN_FILES);
+
+if (err != NULL) {
+return err;
+}
 
 if (!(expr = ssl_expr_comp(cmd-pool, (char *)arg))) {
 return apr_pstrcat(cmd-pool, SSLRequire: ,
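
Review bot: ssl_cmd_SSLRequire repeats the three-flag mask NOT_IN_LIMIT|NOT_IN_LOCATION|NOT_IN_FILES verbatim; since the description says more ap_check_cmd_context() calls are wanted, define the mask once next to the directive handlers so the directives cannot drift apart. NOT_IN_LOCATION and NOT_IN_FILES also need a reason in the description, which only mentions the Limit case. Placing the check before ssl_expr_comp() is right: a misplaced directive is then reported before any expression error.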

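A configuration check for the case Martin describes, added here as an example (it is not part of the original post or of httpd): it flags SSLRequireSSL and SSLRequire lines nested inside a Limit or LimitExcept section, where, per the report, they apply to all methods. The function name, the finding struct and the sample configuration are constructed for illustration; Include files and line continuations are not followed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define MAX_DEPTH 16
#define NAME_LEN  32

struct finding {
    int  line;                 /* 1-based line of the directive */
    char directive[NAME_LEN];  /* SSLRequireSSL or SSLRequire */
    char section[NAME_LEN];    /* enclosing Limit or LimitExcept */
};

/* Copy at most NAME_LEN-1 bytes of a word and terminate it. */
static void copy_word(char dst[NAME_LEN], const char *w, size_t n)
{
    if (n >= NAME_LEN)
        n = NAME_LEN - 1;
    memcpy(dst, w, n);
    dst[n] = '\0';
}

/* Scan httpd configuration text and count every SSLRequireSSL or
 * SSLRequire line that sits inside a <Limit> or <LimitExcept> section.
 * Returns the number of findings; at most max_out are stored in out. */
int find_ssl_in_limit(const char *conf, struct finding *out, int max_out)
{
    char stack[MAX_DEPTH][NAME_LEN];   /* names of the open sections */
    char word[NAME_LEN];
    int depth = 0, lineno = 0, count = 0, i;
    const char *p = conf;

    while (*p != '\0') {
        const char *eol = strchr(p, '\n');
        const char *end = eol ? eol : p + strlen(p);
        size_t n = 0;

        lineno++;
        while (p < end && isspace((unsigned char)*p))
            p++;
        if (end - p >= 2 && p[0] == '<' && p[1] == '/') {
            if (depth > 0)
                depth--;                   /* closing tag: pop */
        } else if (p < end && p[0] == '<') {
            p++;                           /* opening tag: push its name */
            while (p + n < end && !isspace((unsigned char)p[n]) && p[n] != '>')
                n++;
            if (depth < MAX_DEPTH)
                copy_word(stack[depth], p, n);
            depth++;
        } else if (p < end && p[0] != '#') {
            while (p + n < end && !isspace((unsigned char)p[n]))
                n++;
            copy_word(word, p, n);         /* directive name */
            if (strcasecmp(word, "SSLRequireSSL") == 0 ||
                strcasecmp(word, "SSLRequire") == 0) {
                for (i = 0; i < depth && i < MAX_DEPTH; i++) {
                    if (strcasecmp(stack[i], "Limit") == 0 ||
                        strcasecmp(stack[i], "LimitExcept") == 0) {
                        if (count < max_out) {
                            out[count].line = lineno;
                            copy_word(out[count].directive, word, strlen(word));
                            copy_word(out[count].section, stack[i],
                                      strlen(stack[i]));
                        }
                        count++;
                        break;
                    }
                }
            }
        }
        p = eol ? eol + 1 : end;
    }
    return count;
}

/* Constructed sample: the configuration from the report inside a
 * hypothetical <Directory>, plus one SSLRequire outside any <Limit>. */
static const char SAMPLE_CONF[] =
    "<Directory \"/srv/www/dav\">\n"
    "  <LimitExcept GET OPTIONS>\n"
    "    Require valid-user\n"
    "    <IfModule ssl_module>\n"
    "      SSLRequireSSL\n"
    "    </IfModule>\n"
    "  </LimitExcept>\n"
    "  SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128\n"
    "</Directory>\n";

int main(void)
{
    struct finding f[4];
    int i, n = find_ssl_in_limit(SAMPLE_CONF, f, 4);

    for (i = 0; i < n && i < 4; i++)
        printf("line %d: %s inside <%s> is not limited to those methods\n",
               f[i].line, f[i].directive, f[i].section);
    return 0;
}
```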

Guess what? Time for 1.3.39, 2.0.61 and 2.2.6 :)

2007-08-30 Thread Jim Jagielski

Since a few regressions and other issues popped up the
last go around, I cancelled release of 1.3.38, 2.0.60 and
2.2.5... I think we are close, *very* close to being at
the point to try this all again.

1.3.39 looks stable enough that a TR has no open issues
at all. So it's a no-brainer.

2.0.61 also looks the same, although we do have a bundled
later version of apr/apu.

2.2.6 has a few items still in STATUS which lack a single
vote to be backported. Now I'm not asking that people
just vote, but I am asking that people take a good look
at the proposals, test them out and vote as they see fit.
I don't want to delay 2.2.6 any more than it needs to be,
yet on the other hand it would be a shame not to release
2.2.6 with as many improvements and fixes as possible.

My intent is to TR all 3 tomorrow (Friday, the 31st) with
a potential announcement Wednesday, Sept 5th. This is
because Monday is a holiday in the states, so that means
mostly a 3 day weekend for most people...


Re: Guess what? Time for 1.3.39, 2.0.61 and 2.2.6 :)

2007-08-30 Thread Joe Orton
On Thu, Aug 30, 2007 at 08:31:21AM -0400, Jim Jagielski wrote:
> Since a few regressions and other issues popped up the
> last go around, I cancelled release of 1.3.38, 2.0.60 and
> 2.2.5... I think we are close, *very* close to being at
> the point to try this all again.

Can we move the SECURITY stuff back up to the top and remove the 2.2.5 
heading - it would just be confusing to users since 2.2.5 doesn't really 
exist? i.e. below, which adds the CVE name for the autoindex issue too.

Index: CHANGES
===
--- CHANGES (revision 571136)
+++ CHANGES (working copy)
@@ -1,11 +1,37 @@
 -*- coding: utf-8 -*-
 Changes with Apache 2.2.6
 
-  *) mod_autoindex: Add in Type and Charset options to IndexOptions
+  *) SECURITY: CVE-2007-4465 (cve.mitre.org)
+ mod_autoindex: Add in Type and Charset options to IndexOptions
  directive. This allows the admin to explicitly set the 
  content-type and charset of the generated page.
  [Jim Jagielski]
 
+  *) SECURITY: CVE-2007-3847 (cve.mitre.org)
+ mod_proxy: Prevent reading past the end of a buffer when parsing
+ date-related headers.  PR 41144.
+ [Davi Arnaut, Nick Kew]
+
+  *) SECURITY: CVE-2007-1863 (cve.mitre.org)
+ mod_cache: Prevent a segmentation fault if attributes are listed in a 
+ Cache-Control header without any value. 
+ [Niklas Edmundsson nikke acc.umu.se]
+
+  *) SECURITY: CVE-2007-3304 (cve.mitre.org)
+ prefork, worker, event MPMs: Ensure that the parent process cannot
+ be forced to kill processes outside its process group. 
+ [Joe Orton, Jim Jagielski]
+
+  *) SECURITY: CVE-2006-5752 (cve.mitre.org)
+ mod_status: Fix a possible XSS attack against a site with a public
+ server-status page and ExtendedStatus enabled, for browsers which
+ perform charset detection.  Reported by Stefan Esser.  [Joe Orton]
+
+  *) SECURITY: CVE-2007-1862 (cve.mitre.org)
+ mod_mem_cache: Copy headers into longer lived storage; header names and
+ values could previously point to cleaned up storage.  PR 41551.
+ [Davi Arnaut davi haxent.com.br]
+
   *) log core: ensure we use a special pool for stderr logging, so that
  the stderr channel remains valid from the time plog is destroyed,
  until the time the open_logs hook is called again.  [William Rowe]
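
Review bot: The mod_autoindex entry now carries SECURITY: CVE-2007-4465, but its text still reads as a feature addition ("Add in Type and Charset options to IndexOptions directive"), unlike the other SECURITY entries in this hunk, which each state the flaw being fixed. Add a clause saying what setting the charset explicitly protects against, so that someone scanning CHANGES for security fixes can tell why this entry is tagged.
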
@@ -70,33 +96,6 @@
  improper merging of the cache lock in vhost config
  PR 43164 [Eric Covener]
 
-Changes with Apache 2.2.5
-
-  *) SECURITY: CVE-2007-3847 (cve.mitre.org)
- mod_proxy: Prevent reading past the end of a buffer when parsing
- date-related headers.  PR 41144.
- [Davi Arnaut, Nick Kew]
-
-  *) SECURITY: CVE-2007-1863 (cve.mitre.org)
- mod_cache: Prevent a segmentation fault if attributes are listed in a 
- Cache-Control header without any value. 
- [Niklas Edmundsson nikke acc.umu.se]
-
-  *) SECURITY: CVE-2007-3304 (cve.mitre.org)
- prefork, worker, event MPMs: Ensure that the parent process cannot
- be forced to kill processes outside its process group. 
- [Joe Orton, Jim Jagielski]
-
-  *) SECURITY: CVE-2006-5752 (cve.mitre.org)
- mod_status: Fix a possible XSS attack against a site with a public
- server-status page and ExtendedStatus enabled, for browsers which
- perform charset detection.  Reported by Stefan Esser.  [Joe Orton]
-
-  *) SECURITY: CVE-2007-1862 (cve.mitre.org)
- mod_mem_cache: Copy headers into longer lived storage; header names and
- values could previously point to cleaned up storage.  PR 41551.
- [Davi Arnaut davi haxent.com.br]
-
   *) ApacheMonitor: Fix Windows Vista detection. [Mladen Turk]
 
   *) mod_deflate: fix protocol handling in deflate input filter



Re: Guess what? Time for 1.3.39, 2.0.61 and 2.2.6 :)

2007-08-30 Thread Jim Jagielski

Yes, the CHANGES file will be updated to reflect any
and all security issues for that release...

On Aug 30, 2007, at 8:38 AM, Joe Orton wrote:


On Thu, Aug 30, 2007 at 08:31:21AM -0400, Jim Jagielski wrote:

Since a few regressions and other issues popped up the
last go around, I cancelled release of 1.3.38, 2.0.60 and
2.2.5... I think we are close, *very* close to being at
the point to try this all again.


Can we move the SECURITY stuff back up to the top and remove the 2.2.5
heading - it would just be confusing to users since 2.2.5 doesn't really
exist? i.e. below, which adds the CVE name for the autoindex issue too.


Index: CHANGES
===
--- CHANGES (revision 571136)
+++ CHANGES (working copy)
@@ -1,11 +1,37 @@
 -*-  
coding: utf-8 -*-

 Changes with Apache 2.2.6

-  *) mod_autoindex: Add in Type and Charset options to IndexOptions
+  *) SECURITY: CVE-2007-4465 (cve.mitre.org)
+ mod_autoindex: Add in Type and Charset options to IndexOptions
  directive. This allows the admin to explicitly set the
  content-type and charset of the generated page.
  [Jim Jagielski]

+  *) SECURITY: CVE-2007-3847 (cve.mitre.org)
+ mod_proxy: Prevent reading past the end of a buffer when parsing
+ date-related headers.  PR 41144.
+ [Davi Arnaut, Nick Kew]
+
+  *) SECURITY: CVE-2007-1863 (cve.mitre.org)
+ mod_cache: Prevent a segmentation fault if attributes are  
listed in a

+ Cache-Control header without any value.
+ [Niklas Edmundsson nikke acc.umu.se]
+
+  *) SECURITY: CVE-2007-3304 (cve.mitre.org)
+ prefork, worker, event MPMs: Ensure that the parent process  
cannot

+ be forced to kill processes outside its process group.
+ [Joe Orton, Jim Jagielski]
+
+  *) SECURITY: CVE-2006-5752 (cve.mitre.org)
+ mod_status: Fix a possible XSS attack against a site with a  
public
+ server-status page and ExtendedStatus enabled, for browsers  
which
+ perform charset detection.  Reported by Stefan Esser.  [Joe  
Orton]

+
+  *) SECURITY: CVE-2007-1862 (cve.mitre.org)
+ mod_mem_cache: Copy headers into longer lived storage; header  
names and

+ values could previously point to cleaned up storage.  PR 41551.
+ [Davi Arnaut davi haxent.com.br]
+
   *) log core: ensure we use a special pool for stderr logging, so  
that
  the stderr channel remains valid from the time plog is  
destroyed,
  until the time the open_logs hook is called again.  [William  
Rowe]

@@ -70,33 +96,6 @@
  improper merging of the cache lock in vhost config
  PR 43164 [Eric Covener]

-Changes with Apache 2.2.5
-
-  *) SECURITY: CVE-2007-3847 (cve.mitre.org)
- mod_proxy: Prevent reading past the end of a buffer when parsing
- date-related headers.  PR 41144.
- [Davi Arnaut, Nick Kew]
-
-  *) SECURITY: CVE-2007-1863 (cve.mitre.org)
- mod_cache: Prevent a segmentation fault if attributes are  
listed in a

- Cache-Control header without any value.
- [Niklas Edmundsson nikke acc.umu.se]
-
-  *) SECURITY: CVE-2007-3304 (cve.mitre.org)
- prefork, worker, event MPMs: Ensure that the parent process  
cannot

- be forced to kill processes outside its process group.
- [Joe Orton, Jim Jagielski]
-
-  *) SECURITY: CVE-2006-5752 (cve.mitre.org)
- mod_status: Fix a possible XSS attack against a site with a  
public
- server-status page and ExtendedStatus enabled, for browsers  
which
- perform charset detection.  Reported by Stefan Esser.  [Joe  
Orton]

-
-  *) SECURITY: CVE-2007-1862 (cve.mitre.org)
- mod_mem_cache: Copy headers into longer lived storage; header  
names and

- values could previously point to cleaned up storage.  PR 41551.
- [Davi Arnaut davi haxent.com.br]
-
   *) ApacheMonitor: Fix Windows Vista detection. [Mladen Turk]

   *) mod_deflate: fix protocol handling in deflate input filter





RE: Guess what? Time for 1.3.39, 2.0.61 and 2.2.6 :)

2007-08-30 Thread Cameron J. Young (Personal)
Jim,
Is that EST or PST ??
Cheers,
Cameron 

-Original Message-
From: Jim Jagielski [mailto:[EMAIL PROTECTED] 
Sent: Thursday, 30 August 2007 23:02
To: dev@httpd.apache.org
Subject: Re: Guess what? Time for 1.3.39, 2.0.61 and 2.2.6 :)

Yes, the CHANGES file will be updated to reflect any
and all security issues for that release...

On Aug 30, 2007, at 8:38 AM, Joe Orton wrote:

 On Thu, Aug 30, 2007 at 08:31:21AM -0400, Jim Jagielski wrote:
 Since a few regressions and other issues popped up the
 last go around, I cancelled release of 1.3.38, 2.0.60 and
 2.2.5... I think we are close, *very* close to being at
 the point to try this all again.

 Can we move the SECURITY stuff back up to the top and remove the 2.2.5
 heading - it would just be confusing to users since 2.2.5 doesn't really
 exist? i.e. below, which adds the CVE name for the autoindex issue too.

 Index: CHANGES
 ===
 --- CHANGES   (revision 571136)
 +++ CHANGES   (working copy)
 @@ -1,11 +1,37 @@
  -*-  
 coding: utf-8 -*-
  Changes with Apache 2.2.6

 -  *) mod_autoindex: Add in Type and Charset options to IndexOptions
 +  *) SECURITY: CVE-2007-4465 (cve.mitre.org)
 + mod_autoindex: Add in Type and Charset options to IndexOptions
   directive. This allows the admin to explicitly set the
   content-type and charset of the generated page.
   [Jim Jagielski]

 +  *) SECURITY: CVE-2007-3847 (cve.mitre.org)
 + mod_proxy: Prevent reading past the end of a buffer when parsing
 + date-related headers.  PR 41144.
 + [Davi Arnaut, Nick Kew]
 +
 +  *) SECURITY: CVE-2007-1863 (cve.mitre.org)
 + mod_cache: Prevent a segmentation fault if attributes are  
 listed in a
 + Cache-Control header without any value.
 + [Niklas Edmundsson nikke acc.umu.se]
 +
 +  *) SECURITY: CVE-2007-3304 (cve.mitre.org)
 + prefork, worker, event MPMs: Ensure that the parent process  
 cannot
 + be forced to kill processes outside its process group.
 + [Joe Orton, Jim Jagielski]
 +
 +  *) SECURITY: CVE-2006-5752 (cve.mitre.org)
 + mod_status: Fix a possible XSS attack against a site with a  
 public
 + server-status page and ExtendedStatus enabled, for browsers  
 which
 + perform charset detection.  Reported by Stefan Esser.  [Joe  
 Orton]
 +
 +  *) SECURITY: CVE-2007-1862 (cve.mitre.org)
 + mod_mem_cache: Copy headers into longer lived storage; header  
 names and
 + values could previously point to cleaned up storage.  PR 41551.
 + [Davi Arnaut davi haxent.com.br]
 +
*) log core: ensure we use a special pool for stderr logging, so  
 that
   the stderr channel remains valid from the time plog is  
 destroyed,
   until the time the open_logs hook is called again.  [William  
 Rowe]
 @@ -70,33 +96,6 @@
   improper merging of the cache lock in vhost config
   PR 43164 [Eric Covener]

 -Changes with Apache 2.2.5
 -
 -  *) SECURITY: CVE-2007-3847 (cve.mitre.org)
 - mod_proxy: Prevent reading past the end of a buffer when parsing
 - date-related headers.  PR 41144.
 - [Davi Arnaut, Nick Kew]
 -
 -  *) SECURITY: CVE-2007-1863 (cve.mitre.org)
 - mod_cache: Prevent a segmentation fault if attributes are  
 listed in a
 - Cache-Control header without any value.
 - [Niklas Edmundsson nikke acc.umu.se]
 -
 -  *) SECURITY: CVE-2007-3304 (cve.mitre.org)
 - prefork, worker, event MPMs: Ensure that the parent process  
 cannot
 - be forced to kill processes outside its process group.
 - [Joe Orton, Jim Jagielski]
 -
 -  *) SECURITY: CVE-2006-5752 (cve.mitre.org)
 - mod_status: Fix a possible XSS attack against a site with a  
 public
 - server-status page and ExtendedStatus enabled, for browsers  
 which
 - perform charset detection.  Reported by Stefan Esser.  [Joe  
 Orton]
 -
 -  *) SECURITY: CVE-2007-1862 (cve.mitre.org)
 - mod_mem_cache: Copy headers into longer lived storage; header  
 names and
 - values could previously point to cleaned up storage.  PR 41551.
 - [Davi Arnaut davi haxent.com.br]
 -
*) ApacheMonitor: Fix Windows Vista detection. [Mladen Turk]

*) mod_deflate: fix protocol handling in deflate input filter





Re: Blackdot.be (ApacheMon ApacheMobile) - Questions sparked by the ApacheLounge fuss

2007-08-30 Thread Jorge Schrauwen
Mail prc-at-apache.org but not reply yet but I'm in the process of renaming
all the stuff,
If they don't agree with the new name I'll do it again. But I have a few
questions.

--- readme.txt extract ---
What is it?
-
HTTP Server On USB is a self contained webserver.
Based on Apache HTTPD Server. It comes with php, mod_ssl, mod_perl and
mod_security.
Simply drop your files into wwwroot, then you're good to go!

--- end extract ---

I'd like to add an additional note to this but I'm unsure how to phrase
it.
What I want to say is:
That I take the source tarballs that are posted e.g.
httpd-2.2.4-win32-src.zip (only official release no TR, svn etc).

I'd also like to know if I need to add an additional disclaimer that I don't
offer any warranties if I somehow (unlikely) manage to cost a company huge
sums of money and they want to sue me.

I presume that since I compiled the code itself they can't point the finger
at the ASF so will come looking for me. (since my of my personal info is on
my CV on my site they'll find me in seconds).

Thanks for your time

Jorge

On 8/24/07, Lars Eilebrecht [EMAIL PROTECTED] wrote:

> According to Jorge:
>
> > Should I change these names to other things too to be safe? If so any
> > ideas?
> > I can see ApacheMobile being something like ServerOnAStick or something.
> > But if I need to change them I have no idea what to call ApacheMon.
> >
> > Any comments on this are welcome.
>
> This FAQ entry may answer your question:
> http://www.apache.org/foundation/licence-FAQ.html#Name-changes
>
> But you ask the public relations committee for permission
> (prc-at-apache.org).
>
> ciao...
> --
> Lars Eilebrecht
> [EMAIL PROTECTED]





-- 
~Jorge
Version 2.6b:
- Renamed to HTTP Server On USB to not break the ASF Licensing terms

Version 2.6:
---
- Fixed bug in ApacheMobile.exe where minimalization would fail
- Updated HTTPD to 2.2.4
- Updated PHP to 5.2.3
- Added xdebug to php

Version 2.5 rev2:
---
- Fix a bug in ApacheMobile.exe
- Updated to layout to match lite edition
- Disabled APC (cause random crashes on shutdown)

Version 2.5:
---
- Updated HTTPD to 2.2.2
- Updated PHP to 5.1.4
- Enabled APC (Advanced PHP Cache)


Version 2.4:
---
- Updated HTTPD to 2.2.1
- Updated php to 5.1.2
- Added mod_security
# HTTP Server On USB   #
#  #
# By Jorge Schrauwen 2006  #
# http://www.blackdot.be   #


What is it?
-
HTTP Server On USB is a self contained webserver.
Based on Apache HTTPD Server. It comes with php, mod_ssl, mod_perl and 
mod_security.
Simply drop your files into wwwroot, then you're good to go!

Installation:
-
Unpack this archive into the root of an empty USB-Key,
128mb is the minimum size,
256mb is recommended if you'll be placing some larger files on there.

Usage:
-
Simply start HTTPServerOnUSB.exe
You can then use the tray icon to start/stop Apache Mobile.
Make sure to select Exit from the tray icon before removing your USB-Key!

You can change some settings in HTTPServerOnUSB.ini
DAV - 0 = off, 1 = On (Default=1)
SSL - 0 = off, 1 = On (Default=0)
PHP - 0 = off, 1 = On (Default=1)
SSI - 0 = off, 1 = On (Default=1)
PERL- 0 = off, 1 = On (Default=1)
DEFLATE - 0 = off, 1 = On (Default=0)

User Management:
-
The default admin user account:
UID: admin
PW: apachemobile

You can only change this by resetting the user database.
To do so run %drive%:\Apache2\conf\database\restore.cmd,
You will be prompted for the new password.

You can add additional users (for DAV) by running
%drive%:\Apache2\conf\database\add_user.cmd usernamehere, from the command line.

DAV Server:
-
There are no default DAV users.
So you must use the admin UID and PW.

Use a DAV client to access it or use IE:
File-Open-http://127.0.0.1:81, check Open as Web Folder-OK

Re: Guess what? Time for 1.3.39, 2.0.61 and 2.2.6 :)

2007-08-30 Thread Jim Jagielski

Well... I'm east coast :)

On Aug 30, 2007, at 9:48 AM, Cameron J. Young (Personal) wrote:


Jim,
Is that EST or PST ??
Cheers,
Cameron

-Original Message-
From: Jim Jagielski [mailto:[EMAIL PROTECTED]
Sent: Thursday, 30 August 2007 23:02
To: dev@httpd.apache.org
Subject: Re: Guess what? Time for 1.3.39, 2.0.61 and 2.2.6 :)

Yes, the CHANGES file will be updated to reflect any
and all security issues for that release...

On Aug 30, 2007, at 8:38 AM, Joe Orton wrote:


On Thu, Aug 30, 2007 at 08:31:21AM -0400, Jim Jagielski wrote:

Since a few regressions and other issues popped up the
last go around, I cancelled release of 1.3.38, 2.0.60 and
2.2.5... I think we are close, *very* close to being at
the point to try this all again.


Can we move the SECURITY stuff back up to the top and remove the 2.2.5
heading - it would just be confusing to users since 2.2.5 doesn't really
exist? i.e. below, which adds the CVE name for the autoindex issue too.

Index: CHANGES
===
--- CHANGES (revision 571136)
+++ CHANGES (working copy)
@@ -1,11 +1,37 @@
 -*-
coding: utf-8 -*-
 Changes with Apache 2.2.6

-  *) mod_autoindex: Add in Type and Charset options to IndexOptions
+  *) SECURITY: CVE-2007-4465 (cve.mitre.org)
+ mod_autoindex: Add in Type and Charset options to IndexOptions
  directive. This allows the admin to explicitly set the
  content-type and charset of the generated page.
  [Jim Jagielski]

+  *) SECURITY: CVE-2007-3847 (cve.mitre.org)
+ mod_proxy: Prevent reading past the end of a buffer when  
parsing

+ date-related headers.  PR 41144.
+ [Davi Arnaut, Nick Kew]
+
+  *) SECURITY: CVE-2007-1863 (cve.mitre.org)
+ mod_cache: Prevent a segmentation fault if attributes are
listed in a
+ Cache-Control header without any value.
+ [Niklas Edmundsson nikke acc.umu.se]
+
+  *) SECURITY: CVE-2007-3304 (cve.mitre.org)
+ prefork, worker, event MPMs: Ensure that the parent process
cannot
+ be forced to kill processes outside its process group.
+ [Joe Orton, Jim Jagielski]
+
+  *) SECURITY: CVE-2006-5752 (cve.mitre.org)
+ mod_status: Fix a possible XSS attack against a site with a
public
+ server-status page and ExtendedStatus enabled, for browsers
which
+ perform charset detection.  Reported by Stefan Esser.  [Joe
Orton]
+
+  *) SECURITY: CVE-2007-1862 (cve.mitre.org)
+ mod_mem_cache: Copy headers into longer lived storage; header
names and
+ values could previously point to cleaned up storage.  PR 41551.
+ [Davi Arnaut davi haxent.com.br]
+
   *) log core: ensure we use a special pool for stderr logging, so
that
  the stderr channel remains valid from the time plog is
destroyed,
  until the time the open_logs hook is called again.  [William
Rowe]
@@ -70,33 +96,6 @@
  improper merging of the cache lock in vhost config
  PR 43164 [Eric Covener]

-Changes with Apache 2.2.5
-
-  *) SECURITY: CVE-2007-3847 (cve.mitre.org)
- mod_proxy: Prevent reading past the end of a buffer when  
parsing

- date-related headers.  PR 41144.
- [Davi Arnaut, Nick Kew]
-
-  *) SECURITY: CVE-2007-1863 (cve.mitre.org)
- mod_cache: Prevent a segmentation fault if attributes are
listed in a
- Cache-Control header without any value.
- [Niklas Edmundsson nikke acc.umu.se]
-
-  *) SECURITY: CVE-2007-3304 (cve.mitre.org)
- prefork, worker, event MPMs: Ensure that the parent process
cannot
- be forced to kill processes outside its process group.
- [Joe Orton, Jim Jagielski]
-
-  *) SECURITY: CVE-2006-5752 (cve.mitre.org)
- mod_status: Fix a possible XSS attack against a site with a
public
- server-status page and ExtendedStatus enabled, for browsers
which
- perform charset detection.  Reported by Stefan Esser.  [Joe
Orton]
-
-  *) SECURITY: CVE-2007-1862 (cve.mitre.org)
- mod_mem_cache: Copy headers into longer lived storage; header
names and
- values could previously point to cleaned up storage.  PR 41551.
- [Davi Arnaut davi haxent.com.br]
-
   *) ApacheMonitor: Fix Windows Vista detection. [Mladen Turk]

   *) mod_deflate: fix protocol handling in deflate input filter








Re: Blackdot.be (ApacheMon ApacheMobile) - Questions sparked by the ApacheLounge fuss

2007-08-30 Thread Jim Jagielski

Sorry for the delay (with my PRC hat on). You should see
a reply as we speak :)

On Aug 30, 2007, at 10:00 AM, Jorge Schrauwen wrote:

Mail prc-at-apache.org but not reply yet but I'm in the process of  
renaming all the stuff,

If they don't agree with the new name I'll do it again.


RE: Guess what? Time for 1.3.39, 2.0.61 and 2.2.6 :)

2007-08-30 Thread Cameron Young
Thanks Jim.
Allows me to do the correct maths.
I'm in Australia (East Coast).
Cheers,
Cameron 

-Original Message-
From: Jim Jagielski [mailto:[EMAIL PROTECTED] 
Sent: Friday, 31 August 2007 00:13
To: dev@httpd.apache.org
Subject: Re: Guess what? Time for 1.3.39, 2.0.61 and 2.2.6 :)

Well... I'm east coast :)

On Aug 30, 2007, at 9:48 AM, Cameron J. Young (Personal) wrote:

 Jim,
 Is that EST or PST ??
 Cheers,
 Cameron

 -Original Message-
 From: Jim Jagielski [mailto:[EMAIL PROTECTED]
 Sent: Thursday, 30 August 2007 23:02
 To: dev@httpd.apache.org
 Subject: Re: Guess what? Time for 1.3.39, 2.0.61 and 2.2.6 :)

 Yes, the CHANGES file will be updated to reflect any
 and all security issues for that release...

 On Aug 30, 2007, at 8:38 AM, Joe Orton wrote:

 On Thu, Aug 30, 2007 at 08:31:21AM -0400, Jim Jagielski wrote:
 Since a few regressions and other issues popped up the
 last go around, I cancelled release of 1.3.38, 2.0.60 and
 2.2.5... I think we are close, *very* close to being at
 the point to try this all again.

 Can we move the SECURITY stuff back up to the top and remove the 2.2.5
 heading - it would just be confusing to users since 2.2.5 doesn't really
 exist? i.e. below, which adds the CVE name for the autoindex issue too.

 Index: CHANGES
 ===
 --- CHANGES  (revision 571136)
 +++ CHANGES  (working copy)
 @@ -1,11 +1,37 @@
  -*-
 coding: utf-8 -*-
  Changes with Apache 2.2.6

 -  *) mod_autoindex: Add in Type and Charset options to IndexOptions
 +  *) SECURITY: CVE-2007-4465 (cve.mitre.org)
 + mod_autoindex: Add in Type and Charset options to IndexOptions
   directive. This allows the admin to explicitly set the
   content-type and charset of the generated page.
   [Jim Jagielski]

 +  *) SECURITY: CVE-2007-3847 (cve.mitre.org)
 + mod_proxy: Prevent reading past the end of a buffer when  
 parsing
 + date-related headers.  PR 41144.
 + [Davi Arnaut, Nick Kew]
 +
 +  *) SECURITY: CVE-2007-1863 (cve.mitre.org)
 + mod_cache: Prevent a segmentation fault if attributes are
 listed in a
 + Cache-Control header without any value.
 + [Niklas Edmundsson nikke acc.umu.se]
 +
 +  *) SECURITY: CVE-2007-3304 (cve.mitre.org)
 + prefork, worker, event MPMs: Ensure that the parent process
 cannot
 + be forced to kill processes outside its process group.
 + [Joe Orton, Jim Jagielski]
 +
 +  *) SECURITY: CVE-2006-5752 (cve.mitre.org)
 + mod_status: Fix a possible XSS attack against a site with a
 public
 + server-status page and ExtendedStatus enabled, for browsers
 which
 + perform charset detection.  Reported by Stefan Esser.  [Joe
 Orton]
 +
 +  *) SECURITY: CVE-2007-1862 (cve.mitre.org)
 + mod_mem_cache: Copy headers into longer lived storage; header
 names and
 + values could previously point to cleaned up storage.  PR 41551.
 + [Davi Arnaut davi haxent.com.br]
 +
*) log core: ensure we use a special pool for stderr logging, so
 that
   the stderr channel remains valid from the time plog is
 destroyed,
   until the time the open_logs hook is called again.  [William
 Rowe]
 @@ -70,33 +96,6 @@
   improper merging of the cache lock in vhost config
   PR 43164 [Eric Covener]

 -Changes with Apache 2.2.5
 -
 -  *) SECURITY: CVE-2007-3847 (cve.mitre.org)
 - mod_proxy: Prevent reading past the end of a buffer when  
 parsing
 - date-related headers.  PR 41144.
 - [Davi Arnaut, Nick Kew]
 -
 -  *) SECURITY: CVE-2007-1863 (cve.mitre.org)
 - mod_cache: Prevent a segmentation fault if attributes are
 listed in a
 - Cache-Control header without any value.
 - [Niklas Edmundsson nikke acc.umu.se]
 -
 -  *) SECURITY: CVE-2007-3304 (cve.mitre.org)
 - prefork, worker, event MPMs: Ensure that the parent process
 cannot
 - be forced to kill processes outside its process group.
 - [Joe Orton, Jim Jagielski]
 -
 -  *) SECURITY: CVE-2006-5752 (cve.mitre.org)
 - mod_status: Fix a possible XSS attack against a site with a
 public
 - server-status page and ExtendedStatus enabled, for browsers
 which
 - perform charset detection.  Reported by Stefan Esser.  [Joe
 Orton]
 -
 -  *) SECURITY: CVE-2007-1862 (cve.mitre.org)
 - mod_mem_cache: Copy headers into longer lived storage; header
 names and
 - values could previously point to cleaned up storage.  PR 41551.
 - [Davi Arnaut davi haxent.com.br]
 -
*) ApacheMonitor: Fix Windows Vista detection. [Mladen Turk]

*) mod_deflate: fix protocol handling in deflate input filter







Re: [PATCH] proxy/ajp_header.c: Fix header detection

2007-08-30 Thread Jim Jagielski

Yeah, all this is being fixed in the mod_jk code as
well...

On Aug 30, 2007, at 6:55 AM, Martin Kraemer wrote:


Hi.

While looking at ajp_header.c, I realized that its method of parsing
the header line tokens is flakey: it uses memcmp() to check, e.g.,
whether the header token is "Accept-Charset:", by uppercasing the
token name (-> "ACCEPT-CHARSET"), then compares the initial "ACCEPT-"
prefix, and then tests:
    if (memcmp(p, "CHARSET", 7) == 0) return SC_ACCEPT_CHARSET;
but does not verify that the end of the token has been reached.

Thus, a header
  Accept-CharsetXXX-Blah: utf-8
would be mistaken for an Accept-Charset: utf-8.

Same goes for a couple of other header names.
The patch replaces the memcmp by a strcmp to check for the trailing
NIL character, too.

Also, IMO it is better to replace memcmp by strncasecmp in the test
-if (memcmp(stringname, Content-Type, 12) == 0) {
+if (strncasecmp(stringname, Content-Type, 12) == 0) {
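
Review bot: strncasecmp(stringname, Content-Type, 12) on the + line still compares only the first 12 characters, so the missing end-of-token check described above for Accept-Charset stays in this test: a name that merely begins with Content-Type is accepted. If stringname is NUL-terminated at this point, strcasecmp() gives both the case-insensitivity and the end-of-token check.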

WDYT?

  Martin
--
[EMAIL PROTECTED]| Fujitsu Siemens
http://www.fujitsu-siemens.com/imprint.html | 81730  Munich,  Germany
ajp_header.c.diff




Re: Blackdot.be (ApacheMon ApacheMobile) - Questions sparked by the ApacheLounge fuss

2007-08-30 Thread Jorge Schrauwen
On 8/30/07, Jim Jagielski [EMAIL PROTECTED] wrote:

 Sorry for the delay (with my PRC hat on). You should see
 a reply as we speak :)


No worries, but while I have attention let me hold on to it for a bit longer
;)

Regarding the disclaimer I asked about in my previous message. Since you
didn't give an answer to that in other message.

Kind Regards

Jorge

On Aug 30, 2007, at 10:00 AM, Jorge Schrauwen wrote:

  Mail prc-at-apache.org but not reply yet but I'm in the process of
  renaming all the stuff,
  If they don't agree with the new name I'll do it again.




-- 
~Jorge


Re: Blackdot.be (ApacheMon ApacheMobile) - Questions sparked by the ApacheLounge fuss

2007-08-30 Thread Jim Jagielski


On Aug 30, 2007, at 10:39 AM, Jorge Schrauwen wrote:


On 8/30/07, Jim Jagielski [EMAIL PROTECTED] wrote:
Sorry for the delay (with my PRC hat on). You should see
a reply as we speak :)

No worries, but while I have attention let me hold on to it for a  
bit longer ;)


Regarding the disclaimer I asked about in my previous message.  
Since you didn't give an answer to that in other message.




Regarding the disclaimer: the ASF (nor the httpd project nor the PRC)
can give you legal advice on how to craft your disclaimer...
It's really beyond our scope.



Re: [PATCH] proxy/ajp_header.c: Fix header detection

2007-08-30 Thread Rainer Jung

I committed Martin's patch to mod_jk a couple of minutes ago.
Thanks Martin!

The Content-Type part of the patch didn't apply to mod_jk though.

Regards,

Rainer

Jim Jagielski wrote:

Yeah, all this is being fixed in the mod_jk code as
well...

On Aug 30, 2007, at 6:55 AM, Martin Kraemer wrote:


Hi.

While looking at ajp_header.c, I realized that its method of parsing
the header line tokens is flakey: it uses memcmp() to check, e.g.,
whether the header token is "Accept-Charset:", by uppercasing the
token name (-> "ACCEPT-CHARSET"), then compares the initial "ACCEPT-"
prefix, and then tests:
    if (memcmp(p, "CHARSET", 7) == 0) return SC_ACCEPT_CHARSET;
but does not verify that the end of the token has been reached.

Thus, a header
  Accept-CharsetXXX-Blah: utf-8
would be mistaken for an Accept-Charset: utf-8.

Same goes for a couple of other header names.
The patch replaces the memcmp by a strcmp to check for the trailing
NIL character, too.

Also, IMO it is better to replace memcmp by strncasecmp in the test
-if (memcmp(stringname, Content-Type, 12) == 0) {
+if (strncasecmp(stringname, Content-Type, 12) == 0) {

WDYT?

  Martin
--
[EMAIL PROTECTED]| Fujitsu Siemens
http://www.fujitsu-siemens.com/imprint.html | 81730  Munich,  Germany
ajp_header.c.diff
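
The prefix-match flaw Martin describes and the strcmp() fix, side by side, as an added example that is not the ajp_header.c code: the function names, the HDR_* codes and the three-entry header set are assumptions made for illustration, and the header name is taken to arrive without its trailing colon.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical result codes for this example (not the AJP values). */
enum hdr_code { HDR_UNKNOWN = 0, HDR_ACCEPT_CHARSET, HDR_ACCEPT_ENCODING,
                HDR_ACCEPT_LANGUAGE };

#define NAME_MAX_LEN 32

/* Uppercase name into a zero-filled buffer; returns 0 if it does not fit.
 * Zero-filling keeps the fixed-length memcmp() calls below inside
 * initialised memory even for short names. */
static int upper_copy(const char *name, char buf[NAME_MAX_LEN])
{
    size_t i, n = strlen(name);

    memset(buf, 0, NAME_MAX_LEN);
    if (n >= NAME_MAX_LEN)
        return 0;
    for (i = 0; i < n; i++)
        buf[i] = (char)toupper((unsigned char)name[i]);
    return 1;
}

/* Before: memcmp() with a fixed length. Only the bytes of the known
 * name are compared, so the end of the token is never checked. */
enum hdr_code classify_prefix_only(const char *name)
{
    char buf[NAME_MAX_LEN];
    const char *p;

    if (!upper_copy(name, buf) || memcmp(buf, "ACCEPT-", 7) != 0)
        return HDR_UNKNOWN;
    p = buf + 7;
    if (memcmp(p, "CHARSET", 7) == 0)  return HDR_ACCEPT_CHARSET;
    if (memcmp(p, "ENCODING", 8) == 0) return HDR_ACCEPT_ENCODING;
    if (memcmp(p, "LANGUAGE", 8) == 0) return HDR_ACCEPT_LANGUAGE;
    return HDR_UNKNOWN;
}

/* After: strcmp() also compares the terminating NUL, so the token must
 * end exactly where the known header name ends. */
enum hdr_code classify_exact(const char *name)
{
    char buf[NAME_MAX_LEN];
    const char *p;

    if (!upper_copy(name, buf) || memcmp(buf, "ACCEPT-", 7) != 0)
        return HDR_UNKNOWN;
    p = buf + 7;
    if (strcmp(p, "CHARSET") == 0)  return HDR_ACCEPT_CHARSET;
    if (strcmp(p, "ENCODING") == 0) return HDR_ACCEPT_ENCODING;
    if (strcmp(p, "LANGUAGE") == 0) return HDR_ACCEPT_LANGUAGE;
    return HDR_UNKNOWN;
}

int main(void)
{
    /* Constructed header names; the second is the one from the report. */
    static const char *names[] = { "Accept-Charset", "Accept-CharsetXXX-Blah",
                                   "accept-encoding", "Accept" };
    size_t i;

    for (i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-24s prefix-only=%d exact=%d\n", names[i],
               (int)classify_prefix_only(names[i]),
               (int)classify_exact(names[i]));
    return 0;
}
```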


Re: Blackdot.be (ApacheMon ApacheMobile) - Questions sparked by the ApacheLounge fuss

2007-08-30 Thread Jorge Schrauwen
On 8/30/07, Jim Jagielski [EMAIL PROTECTED] wrote:


 On Aug 30, 2007, at 10:39 AM, Jorge Schrauwen wrote:

  On 8/30/07, Jim Jagielski [EMAIL PROTECTED] wrote:
  Sorry for the delay (with my PRC hat on). You should see
  a reply as we speak :)
 
  No worries, but while I have attention let me hold on to it for a
  bit longer ;)
 
  Regarding the disclaimer I asked about in my previous message.
  Since you didn't give an answer to that in other message.
 

 Regarding the disclaimer: the ASF (nor the httpd project nor the PRC)
 can give you legal advice on how to craft your disclaimer...
 It's really beyond our scope.


I'll just copy and paste the one I have on the x64 binaries I have on there
then.


-- 
~Jorge


Any interest in the ApacheMon source code?

2007-08-30 Thread Jorge Schrauwen
Hi dev's,

I used to maintain ApacheMon (now removed from blackdot.be). I no longer have
the time to keep updating and fixing it.
I started working on this a few years ago because I wasn't (still not
actually) satisfied with the bundled ApacheMonitor.exe

So I started working on a replacement. First version had a few forms to use
bundled tools like ab etc.
It also offered limited remote support.
I lost that code and started inquiring to the users what they liked most
about it before I started recreating it.
They all seem to like the remote support.

I've made a lot of improvements but it's far far and the current version is
rather buggy.
I someday wish to work on it again but I just don't have the time to do it
now.

So if there is interest in this I'd like to donate the code that I have to
the ASF.
Sadly I didn't know C back then (and still don't) so it's all written in
Delphi.

Jorge Schrauwen


Re: authnz_ldap in 2.2.x

2007-08-30 Thread Brad Nicholes
 On 8/29/2007 at 7:51 PM, in message
[EMAIL PROTECTED], Eric Covener
[EMAIL PROTECTED] wrote:
 
 In 2.2.x If authz_XXX are one of dbm, owner, or groupfile they track
 the list of requires and decline if they don't see any they're
 responsible for -- this isn't a crap shoot of module ordering in this
 case.
 
 $ grep \!required *.c
 mod_authz_dbm.c:if (!required_group || !conf->authoritative) {
 mod_authz_groupfile.c:if (!required_group || !conf->authoritative) {
 mod_authz_owner.c:if (!required_owner || !conf->authoritative) {
 mod_authz_user.c:if (!required_user) {
 
 That roughly leaves authz_host, authz_default, and authnz_ldap.
 authz_host has a built-in default based on Order, and authz_default
 doesn't have any Requires to check -- leaving authnz_ldap as the odd
 man out.
 

True, so that brings up the question of what does AuthzXXXAuthoritative really 
mean?  Does it mean that if set to ON, this module is authoritatively 
responsible for authorization and if it can't (whatever the reason including no 
require statement), then authorization fails?  Or does it mean that the module 
is only authoritatively responsible for authorization if a matching require 
statement exists?  According to what you are saying as well as what the code is 
currently saying in the other authz modules, the latter is true.  And if that 
is really the definition of AuthzXXXAuthoritative, then it appears that 
authnz_ldap needs to be fixed.

Brad






Re: svn commit: r571209 - /httpd/httpd/branches/2.2.x/modules/proxy/ajp_header.c

2007-08-30 Thread Jim Jagielski
Are these really candidates for bypassing the
normal backport process from trunk??

[EMAIL PROTECTED] wrote:
 
 Author: martin
 Date: Thu Aug 30 08:29:27 2007
 New Revision: 571209
 
 URL: http://svn.apache.org/viewvc?rev=571209&view=rev
 Log:
 Convert just the message text to EBCDIC, and not the (already EBCDIC) status 
 code
 
 Modified:
 httpd/httpd/branches/2.2.x/modules/proxy/ajp_header.c
 
 Modified: httpd/httpd/branches/2.2.x/modules/proxy/ajp_header.c
 URL: 
 http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/proxy/ajp_header.c?rev=571209&r1=571208&r2=571209&view=diff
 ==
 --- httpd/httpd/branches/2.2.x/modules/proxy/ajp_header.c (original)
 +++ httpd/httpd/branches/2.2.x/modules/proxy/ajp_header.c Thu Aug 30 08:29:27 
 2007
 @@ -473,10 +473,11 @@
  
  rc = ajp_msg_get_string(msg, ptr);
  if (rc == APR_SUCCESS) {
 -r-status_line =  apr_psprintf(r-pool, %d %s, status, ptr);
 -#if defined(AS400) || defined(_OSD_POSIX)
 -ap_xlate_proto_from_ascii(r-status_line, strlen(r-status_line));
 +#if defined(AS400) || defined(_OSD_POSIX) /* EBCDIC platforms */
 +ptr = apr_pstrdup(r-pool, ptr);
 +ap_xlate_proto_from_ascii(ptr, strlen(ptr));
  #endif
 +r-status_line =  apr_psprintf(r-pool, %d %s, status, ptr);
  } else {
  r-status_line = NULL;
  }
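
Review bot: the added apr_pstrdup() line inside the EBCDIC block carries no comment saying why the string has to be copied before ap_xlate_proto_from_ascii() translates it in place. ptr is filled by ajp_msg_get_string(msg, ...) two lines above, so if the reason is that it still points into the received message, a one-line comment to that effect would keep the copy from being removed later as redundant.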
 
 


-- 
===
   Jim Jagielski   [|]   [EMAIL PROTECTED]   [|]   http://www.jaguNET.com/
If you can dodge a wrench, you can dodge a ball.


Re: svn commit: r571203 - /httpd/httpd/branches/2.2.x/modules/proxy/ajp_header.c

2007-08-30 Thread Jim Jagielski
Ummm 2 things:

First of all, this is not even patched in trunk yet.
Secondly, this completely bypasses the normal backporting
process that everyone is required to use.

Please revert these patches, patch trunk and submit these
patches for backport.

[EMAIL PROTECTED] wrote:
 
 Author: martin
 Date: Thu Aug 30 08:22:58 2007
 New Revision: 571203
 
 URL: http://svn.apache.org/viewvc?rev=571203&view=rev
 Log:
 Add missing end-of-string checks by using strcmp in place of memcmp
 
 Modified:
 httpd/httpd/branches/2.2.x/modules/proxy/ajp_header.c
 
 Modified: httpd/httpd/branches/2.2.x/modules/proxy/ajp_header.c
 URL: 
 http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/proxy/ajp_header.c?rev=571203&r1=571202&r2=571203&view=diff
 ==
 --- httpd/httpd/branches/2.2.x/modules/proxy/ajp_header.c (original)
 +++ httpd/httpd/branches/2.2.x/modules/proxy/ajp_header.c Thu Aug 30 08:22:58 
 2007
 @@ -51,7 +51,7 @@
  const char *p = header_name;
  int i = 0;
  
 -/* ACCEPT-LANGUAGE is the longest headeer
 +/* ACCEPT-LANGUAGE is the longest header
   * that is of interest.
   */
  if (len  4 || len  15)
 @@ -69,11 +69,11 @@
  return SC_ACCEPT;
  else if (header[6] == '-') {
  p += 6;
 -if (memcmp(p, CHARSET, 7) == 0)
 +if (strcmp(p, CHARSET) == 0)
  return SC_ACCEPT_CHARSET;
 -else if (memcmp(p,  ENCODING, 8) == 0)
 +else if (strcmp(p,  ENCODING) == 0)
  return SC_ACCEPT_ENCODING;
 -else if (memcmp(p, LANGUAGE, 8) == 0)
 +else if (strcmp(p, LANGUAGE) == 0)
  return SC_ACCEPT_LANGUAGE;
  else
  return UNKNOWN_METHOD;
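
Review bot: replacing memcmp with strcmp at the three Accept-* tests makes the result depend on p being '\0'-terminated, and nothing in this hunk shows where that terminator is written. Please confirm that the uppercased copy p points into always ends in '\0' inside its buffer (the len test in the first hunk bounds the length but terminates nothing), or say so in a comment at the declaration. The doubled space in the ENCODING comparison could also go while the line is being touched.
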
 @@ -81,45 +81,45 @@
  else
  return UNKNOWN_METHOD;
  }
 -else if (memcmp(p, UTHORIZATION, 12) == 0)
 +else if (strcmp(p, UTHORIZATION) == 0)
  return SC_AUTHORIZATION;
  else
  return UNKNOWN_METHOD;
  break;
  case 'C':
 -if(memcmp(p, OOKIE2, 6) == 0)
 +if(strcmp(p, OOKIE2) == 0)
  return SC_COOKIE2;
 - else if (memcmp(p, OOKIE, 5) == 0)
 + else if (strcmp(p, OOKIE) == 0)
  return SC_COOKIE;
 -else if(memcmp(p, ONNECTION, 9) == 0)
 +else if(strcmp(p, ONNECTION) == 0)
  return SC_CONNECTION;
 -else if(memcmp(p, ONTENT-TYPE, 11) == 0)
 +else if(strcmp(p, ONTENT-TYPE) == 0)
  return SC_CONTENT_TYPE;
 -else if(memcmp(p, ONTENT-LENGTH, 13) == 0)
 +else if(strcmp(p, ONTENT-LENGTH) == 0)
  return SC_CONTENT_LENGTH;
  else
  return UNKNOWN_METHOD;
  break;
  case 'H':
 -if(memcmp(p, OST, 3) == 0)
 +if(strcmp(p, OST) == 0)
  return SC_HOST;
  else
  return UNKNOWN_METHOD;
  break;
  case 'P':
 -if(memcmp(p, RAGMA, 5) == 0)
 +if(strcmp(p, RAGMA) == 0)
  return SC_PRAGMA;
  else
  return UNKNOWN_METHOD;
  break;
  case 'R':
 -if(memcmp(p, EFERER, 6) == 0)
 +if(strcmp(p, EFERER) == 0)
  return SC_REFERER;
  else
  return UNKNOWN_METHOD;
  break;
  case 'U':
 -if(memcmp(p, SER-AGENT, 9) == 0)
 +if(strcmp(p, SER-AGENT) == 0)
  return SC_USER_AGENT;
  else
  return UNKNOWN_METHOD;
 @@ -561,7 +561,7 @@
  apr_table_add(r-headers_out, stringname, value);
  
  /* Content-type needs an additional handling */
 -if (memcmp(stringname, Content-Type, 12) == 0) {
 +if (strncasecmp(stringname, Content-Type, 12) == 0) {
   /* add corresponding filter */
  ap_set_content_type(r, apr_pstrdup(r-pool, value));
  ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r-server,
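
Review bot: the Content-Type test is now case-insensitive but, with strncasecmp and a length of 12, it still looks only at the first 12 characters of stringname, so any header name that merely begins with Content-Type takes this branch and reaches ap_set_content_type(). An unbounded strcasecmp(stringname, ...) would compare the terminator as well, in line with the strcmp changes in the earlier hunks.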
 
 


-- 
===
   Jim Jagielski   [|]   [EMAIL PROTECTED]   [|]   http://www.jaguNET.com/
If you can dodge a wrench, you can dodge a ball.


Re: svn commit: r571203 - /httpd/httpd/branches/2.2.x/modules/proxy/ajp_header.c

2007-08-30 Thread Jeff Trawick
On 8/30/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
 Author: martin
 Date: Thu Aug 30 08:22:58 2007
 New Revision: 571203

 URL: http://svn.apache.org/viewvc?rev=571203&view=rev
 Log:
 Add missing end-of-string checks by using strcmp in place of memcmp

memcmp() is not needed when you know the length of one of the strings;
there's no missing check.  The style on the other hand is subject to
debate.

Meanwhile there may be a bug fix buried in here -- using
case-insignificant comparison for a HTTP header field name.


Re: svn commit: r571203 - /httpd/httpd/branches/2.2.x/modules/proxy/ajp_header.c

2007-08-30 Thread Jim Jagielski


On Aug 30, 2007, at 11:39 AM, Jim Jagielski wrote:


Ummm 2 things:

First of all, this is not even patched in trunk yet.
Secondly, this completely bypasses the normal backporting
process that everyone is required to use.

Please revert these patches, patch trunk and submit these
patches for backport.



By these I mean:

   http://svn.apache.org/viewvc?rev=571203&view=rev
   http://svn.apache.org/viewvc?rev=571209&view=rev

I think once applied to trunk then proposed, we
should see a quick set of 3 +1s for backport
in order to make it for 2.2.6...



[EMAIL PROTECTED] wrote:


Author: martin
Date: Thu Aug 30 08:22:58 2007
New Revision: 571203

URL: http://svn.apache.org/viewvc?rev=571203&view=rev
Log:
Add missing end-of-string checks by using strcmp in place of memcmp

Modified:
httpd/httpd/branches/2.2.x/modules/proxy/ajp_header.c

Modified: httpd/httpd/branches/2.2.x/modules/proxy/ajp_header.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/proxy/ajp_header.c?rev=571203&r1=571202&r2=571203&view=diff
==

--- httpd/httpd/branches/2.2.x/modules/proxy/ajp_header.c (original)
+++ httpd/httpd/branches/2.2.x/modules/proxy/ajp_header.c Thu Aug  
30 08:22:58 2007

@@ -51,7 +51,7 @@
 const char *p = header_name;
 int i = 0;

-/* ACCEPT-LANGUAGE is the longest headeer
+/* ACCEPT-LANGUAGE is the longest header
  * that is of interest.
  */
 if (len  4 || len  15)
@@ -69,11 +69,11 @@
 return SC_ACCEPT;
 else if (header[6] == '-') {
 p += 6;
-if (memcmp(p, CHARSET, 7) == 0)
+if (strcmp(p, CHARSET) == 0)
 return SC_ACCEPT_CHARSET;
-else if (memcmp(p,  ENCODING, 8) == 0)
+else if (strcmp(p,  ENCODING) == 0)
 return SC_ACCEPT_ENCODING;
-else if (memcmp(p, LANGUAGE, 8) == 0)
+else if (strcmp(p, LANGUAGE) == 0)
 return SC_ACCEPT_LANGUAGE;
 else
 return UNKNOWN_METHOD;
@@ -81,45 +81,45 @@
 else
 return UNKNOWN_METHOD;
 }
-else if (memcmp(p, UTHORIZATION, 12) == 0)
+else if (strcmp(p, UTHORIZATION) == 0)
 return SC_AUTHORIZATION;
 else
 return UNKNOWN_METHOD;
 break;
 case 'C':
-if(memcmp(p, OOKIE2, 6) == 0)
+if(strcmp(p, OOKIE2) == 0)
 return SC_COOKIE2;
-   else if (memcmp(p, OOKIE, 5) == 0)
+   else if (strcmp(p, OOKIE) == 0)
 return SC_COOKIE;
-else if(memcmp(p, ONNECTION, 9) == 0)
+else if(strcmp(p, ONNECTION) == 0)
 return SC_CONNECTION;
-else if(memcmp(p, ONTENT-TYPE, 11) == 0)
+else if(strcmp(p, ONTENT-TYPE) == 0)
 return SC_CONTENT_TYPE;
-else if(memcmp(p, ONTENT-LENGTH, 13) == 0)
+else if(strcmp(p, ONTENT-LENGTH) == 0)
 return SC_CONTENT_LENGTH;
 else
 return UNKNOWN_METHOD;
 break;
 case 'H':
-if(memcmp(p, OST, 3) == 0)
+if(strcmp(p, OST) == 0)
 return SC_HOST;
 else
 return UNKNOWN_METHOD;
 break;
 case 'P':
-if(memcmp(p, RAGMA, 5) == 0)
+if(strcmp(p, RAGMA) == 0)
 return SC_PRAGMA;
 else
 return UNKNOWN_METHOD;
 break;
 case 'R':
-if(memcmp(p, EFERER, 6) == 0)
+if(strcmp(p, EFERER) == 0)
 return SC_REFERER;
 else
 return UNKNOWN_METHOD;
 break;
 case 'U':
-if(memcmp(p, SER-AGENT, 9) == 0)
+if(strcmp(p, SER-AGENT) == 0)
 return SC_USER_AGENT;
 else
 return UNKNOWN_METHOD;
@@ -561,7 +561,7 @@
 apr_table_add(r-headers_out, stringname, value);

 /* Content-type needs an additional handling */
-if (memcmp(stringname, Content-Type, 12) == 0) {
+if (strncasecmp(stringname, Content-Type, 12) == 0) {
  /* add corresponding filter */
 ap_set_content_type(r, apr_pstrdup(r-pool, value));
 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r-server,





--
===
   Jim Jagielski   [|]   [EMAIL PROTECTED]   [|]   http://www.jaguNET.com/
If you can dodge a wrench, you can dodge a ball.





Re: svn commit: r571203 - /httpd/httpd/branches/2.2.x/modules/proxy/ajp_header.c

2007-08-30 Thread Jeff Trawick
On 8/30/07, Jeff Trawick [EMAIL PROTECTED] wrote:
 On 8/30/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
  Author: martin
  Date: Thu Aug 30 08:22:58 2007
  New Revision: 571203
 
  URL: http://svn.apache.org/viewvc?rev=571203&view=rev
  Log:
  Add missing end-of-string checks by using strcmp in place of memcmp

 memcmp() is not needed when you know the length of one of the strings;
 there's no missing check.  The style on the other hand is subject to
 debate.

 Meanwhile there may be a bug fix buried in here -- using
 case-insignificant comparison for a HTTP header field name.

I guess it is shame on me for not reading prior [EMAIL PROTECTED] posts to
understand the commit message.


Re: svn commit: r571209 - /httpd/httpd/branches/2.2.x/modules/proxy/ajp_header.c

2007-08-30 Thread Martin Kraemer
On Thu, Aug 30, 2007 at 11:36:18AM -0400, Jim Jagielski wrote:
 Are these really candidates for bypassing the
 normal backport process from trunk??
 
  --- httpd/httpd/branches/2.2.x/modules/proxy/ajp_header.c (original)
  +++ httpd/httpd/branches/2.2.x/modules/proxy/ajp_header.c Thu Aug 30 
  08:29:27 2007
  @@ -473,10 +473,11 @@
   
   rc = ajp_msg_get_string(msg, ptr);
   if (rc == APR_SUCCESS) {
  -r-status_line =  apr_psprintf(r-pool, %d %s, status, ptr);
  -#if defined(AS400) || defined(_OSD_POSIX)
  -ap_xlate_proto_from_ascii(r-status_line, strlen(r-status_line));
  +#if defined(AS400) || defined(_OSD_POSIX) /* EBCDIC platforms */
  +ptr = apr_pstrdup(r-pool, ptr);
  +ap_xlate_proto_from_ascii(ptr, strlen(ptr));
   #endif
  +r-status_line =  apr_psprintf(r-pool, %d %s, status, ptr);
   } else {
   r-status_line = NULL;
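
Review bot: the guard on the added block, defined(AS400) || defined(_OSD_POSIX), is not the condition trunk uses at this spot; the annotate output quoted further down in this message shows #if APR_CHARSET_EBCDIC there. Unless that macro is unavailable on the 2.2.x branch, use the same test so the backport and trunk stay identical in this function.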

This patch is already in trunk:
104711 jfclere rc = ajp_msg_get_string(msg, &ptr);
104711 jfclere if (rc == APR_SUCCESS) {
409709 trawick #if APR_CHARSET_EBCDIC /* copy only if we have to */
357699 martin ptr = apr_pstrdup(r->pool, ptr);
357699 martin ap_xlate_proto_from_ascii(ptr, strlen(ptr));
104711 jfclere #endif
357022 jfclere r->status_line =  apr_psprintf(r->pool, "%d %s", status, ptr);

It was committed by jfclere in rev. 357022:

r357022 | jfclere | 2005-12-15 15:44:39 +0100 (Do, 15 Dez 2005) | 2 lines

The string comming from TC is in ASCII and the string returned by apr_psprintf 
isn't.


svn diff -r357021:357022 modules/proxy/ajp_header.c
Index: modules/proxy/ajp_header.c
===
--- modules/proxy/ajp_header.c  (Revision 357021)
+++ modules/proxy/ajp_header.c  (Revision 357022)
@@ -473,10 +473,12 @@
 
 rc = ajp_msg_get_string(msg, ptr);
 if (rc == APR_SUCCESS) {
-r-status_line =  apr_psprintf(r-pool, %d %s, status, ptr);
 #if defined(AS400) || defined(_OSD_POSIX)
-ap_xlate_proto_from_ascii(r-status_line, strlen(r-status_line));
+char *tmp = ap_pstrdup(r-pool, ptr);
+ap_xlate_proto_from_ascii(tmp, strlen(tmp));
+ptr = tmp
 #endif
+r-status_line =  apr_psprintf(r-pool, %d %s, status, ptr);
 } else {
 r-status_line = NULL;
 }
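
Review bot: the added "ptr = tmp" line inside the #if block has no terminating semicolon, so this cannot compile on the platforms where the block is active and will go unnoticed everywhere else. The copy is also made with ap_pstrdup while the next added line uses apr_psprintf; use apr_pstrdup, and assign its result to ptr directly so that tmp is not needed.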

Later I had fixed it to eliminate the redundant tmp variable.
Apparently, it was never backported.

   Martin
-- 
[EMAIL PROTECTED]| Fujitsu Siemens
http://www.fujitsu-siemens.com/imprint.html | 81730  Munich,  Germany


Re: svn commit: r571209 - /httpd/httpd/branches/2.2.x/modules/proxy/ajp_header.c

2007-08-30 Thread Martin Kraemer
On Thu, Aug 30, 2007 at 11:36:18AM -0400, Jim Jagielski wrote:
 Are these really candidates for bypassing the
 normal backport process from trunk??

I committed the other change (memcmp->strcmp) right now on trunk.
And yes, I am aware that I should have done that first, sorry.

  Martin
-- 
[EMAIL PROTECTED]| Fujitsu Siemens
http://www.fujitsu-siemens.com/imprint.html | 81730  Munich,  Germany


Re: svn commit: r571209 - /httpd/httpd/branches/2.2.x/modules/proxy/ajp_header.c

2007-08-30 Thread Jim Jagielski


On Aug 30, 2007, at 11:54 AM, Martin Kraemer wrote:


On Thu, Aug 30, 2007 at 11:36:18AM -0400, Jim Jagielski wrote:

Are these really candidates for bypassing the
normal backport process from trunk??


--- httpd/httpd/branches/2.2.x/modules/proxy/ajp_header.c (original)
+++ httpd/httpd/branches/2.2.x/modules/proxy/ajp_header.c Thu Aug  
30 08:29:27 2007

@@ -473,10 +473,11 @@

 rc = ajp_msg_get_string(msg, ptr);
 if (rc == APR_SUCCESS) {
-r-status_line =  apr_psprintf(r-pool, %d %s, status,  
ptr);

-#if defined(AS400) || defined(_OSD_POSIX)
-ap_xlate_proto_from_ascii(r-status_line, strlen(r- 
status_line));

+#if defined(AS400) || defined(_OSD_POSIX) /* EBCDIC platforms */
+ptr = apr_pstrdup(r-pool, ptr);
+ap_xlate_proto_from_ascii(ptr, strlen(ptr));
 #endif
+r-status_line =  apr_psprintf(r-pool, %d %s, status,  
ptr);

 } else {
 r-status_line = NULL;


This patch is already in trunk:

Later I had fixed it to eliminate the redundant tmp variable.
Apparently, it was never backported.



But you just don't backport to the 2.2 branch. It's the
stable branch and it is RTC. Backports are proposed in
STATUS, voted on and then applied. None of that was done in
this case...



Re: svn commit: r571209 - /httpd/httpd/branches/2.2.x/modules/proxy/ajp_header.c

2007-08-30 Thread Jim Jagielski


On Aug 30, 2007, at 11:56 AM, Martin Kraemer wrote:


On Thu, Aug 30, 2007 at 11:36:18AM -0400, Jim Jagielski wrote:

Are these really candidates for bypassing the
normal backport process from trunk??


I committed the other change (memcmp->strcmp) right now on trunk.
And yes, I am aware that I should have done that first, sorry.



I'll wait for you to read my other Email... we seem
to be out of phase :)

Basically: you cannot patch 2.2 directly without proposing
patches in STATUS and having them voted on, since 2.2 is
the stable branch and is RTC.




Re: [PATCH] proxy/ajp_header.c: Fix header detection

2007-08-30 Thread Rainer Jung

Hi Martin,

Martin Kraemer wrote:

Hi.

While looking at ajp_header.c, I realized that its method of parsing
the header line tokens is flakey: it uses memcmp() to check, e.g.,
whether the header token is Accept-Charset:, by uppercasing the
token name (-> ACCEPT-CHARSET), then compares the initial ACCEPT-
prefix, and then tests:
if (memcmp(p, "CHARSET", 7) == 0) return SC_ACCEPT_CHARSET;
but does not verify that the end of the token has been reached.

Thus, a header
  Accept-CharsetXXX-Blah: utf-8
would be mistaken for an Accept-Charset: utf-8.

Same goes for a couple of other header names.
The patch replaces the memcmp by a strcmp to check for the trailing
NIL character, too.


For mod_jk the problem you found here is the same. Thanks for finding it!

We finally applied a slightly different patch, by keeping the memcmp, 
but simply incrementing the number of bytes to compare by one. This 
should work for mod_proxy also.


Why is it OK?

- the variable header name is inside an array of length 16, which is big 
enough to hold the longest string we want to compare to


- the variable header names are \0-terminated

- the string constants we compare to are always \0-terminated

- so increasing the number of bytes to do memcmp() on by one will 
correctly include a compare on the terminating \0.


Our variant of the patch is at

http://marc.info/?l=tomcat-dev&m=118849057126771&w=2

Regards,

Rainer


Re: [PATCH] proxy/ajp_header.c: Fix header detection

2007-08-30 Thread Martin Kraemer
On Thu, Aug 30, 2007 at 04:45:38PM +0200, Rainer Jung wrote:
 I committed Martin's patch to mod_jk a couple of minutes ago.
 Thanks Martin!
 
 The Content-Type part of the patch didn't apply to mod_jk though.
...
 -if (memcmp(stringname, Content-Type, 12) == 0) {
 +if (strncasecmp(stringname, Content-Type, 12) == 0) {

That is good, because it was wrong... Of course we need the
normal strcasecmp(stringname, "Content-Type"), not the one limited
to 12 chars (think of Content-TypeXYZ).

Already committed to trunk.

  Martin
-- 
[EMAIL PROTECTED]| Fujitsu Siemens
http://www.fujitsu-siemens.com/imprint.html | 81730  Munich,  Germany
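
The two points made in the messages above (Rainer Jung's argument that memcmp() with the length raised by one is as strict as strcmp(), and Martin Kraemer's remark that strncasecmp() limited to 12 characters is still a prefix test) can be checked side by side. The C program below is an added example, not code from httpd, mod_jk or any poster in this thread; it assumes a 4..15 byte length limit and a zero-filled 16-byte buffer, and the SC_* values, mode names and function names are constructed for illustration.

```c
/* Added example: simplified model of the header-name matching discussed in
 * this thread. Not the httpd or mod_jk source; the SC_* values, mode names
 * and helper functions are constructed for illustration. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>            /* strcasecmp(), strncasecmp() (POSIX) */

enum { SC_UNKNOWN = 0, SC_ACCEPT_CHARSET, SC_COOKIE, SC_COOKIE2 };
enum tail_mode { MEMCMP_PREFIX, MEMCMP_PLUS_ONE, STRCMP_FULL };
enum ct_mode { CT_MEMCMP_12, CT_STRNCASECMP_12, CT_STRCASECMP };

/* Compare the rest of the uppercased name against one literal. */
static int tail_is(const char *p, const char *lit, enum tail_mode mode)
{
    size_t n = strlen(lit);
    switch (mode) {
    case MEMCMP_PREFIX:   return memcmp(p, lit, n) == 0;     /* ignores what follows */
    case MEMCMP_PLUS_ONE: return memcmp(p, lit, n + 1) == 0; /* compares the '\0' too */
    default:              return strcmp(p, lit) == 0;        /* compares up to '\0' */
    }
}

/* Map a request header name to a code. Assumption: names of 4..15 bytes are
 * uppercased into a zero-filled 16-byte buffer, so every memcmp() below
 * stays inside the buffer and the name is always '\0'-terminated. */
static int sc_for_header(const char *name, enum tail_mode mode)
{
    char buf[16] = {0};
    size_t len = strlen(name), i;
    const char *p = buf + 1;

    if (len < 4 || len > 15)
        return SC_UNKNOWN;
    for (i = 0; i < len; i++)
        buf[i] = (char)toupper((unsigned char)name[i]);

    switch (buf[0]) {
    case 'A':
        if (memcmp(p, "CCEPT-", 6) == 0 && tail_is(p + 6, "CHARSET", mode))
            return SC_ACCEPT_CHARSET;
        break;
    case 'C':
        if (tail_is(p, "OOKIE2", mode))
            return SC_COOKIE2;
        if (tail_is(p, "OOKIE", mode))
            return SC_COOKIE;
        break;
    }
    return SC_UNKNOWN;
}

/* Response side: does this header name denote Content-Type? */
static int is_content_type(const char *name, enum ct_mode mode)
{
    switch (mode) {
    case CT_MEMCMP_12:      /* length test added so this model never over-reads */
        return strlen(name) >= 12 && memcmp(name, "Content-Type", 12) == 0;
    case CT_STRNCASECMP_12: /* case-insensitive, but still only a prefix test */
        return strncasecmp(name, "Content-Type", 12) == 0;
    default:                /* case-insensitive and compares the whole name */
        return strcasecmp(name, "Content-Type") == 0;
    }
}

int main(void)
{
    /* Constructed inputs, kept within 15 bytes so they reach the comparison. */
    const char *names[] = { "Accept-Charset", "Accept-CharsetX", "Cookie2", "CookieJar" };
    const char *cts[] = { "Content-Type", "content-type", "Content-TypeXYZ" };
    size_t i;
    for (i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-16s prefix=%d plus_one=%d strcmp=%d\n", names[i],
               sc_for_header(names[i], MEMCMP_PREFIX),
               sc_for_header(names[i], MEMCMP_PLUS_ONE),
               sc_for_header(names[i], STRCMP_FULL));
    for (i = 0; i < sizeof cts / sizeof cts[0]; i++)
        printf("%-16s memcmp12=%d strncasecmp12=%d strcasecmp=%d\n", cts[i],
               is_content_type(cts[i], CT_MEMCMP_12),
               is_content_type(cts[i], CT_STRNCASECMP_12),
               is_content_type(cts[i], CT_STRCASECMP));
    return 0;
}
```

In this model the plus-one memcmp() and strcmp() columns always agree, and only the unbounded strcasecmp() rejects the Content-TypeXYZ name.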


Re: [PATCH] proxy/ajp_header.c: Fix header detection

2007-08-30 Thread Jess Holle

Martin Kraemer wrote:

On Thu, Aug 30, 2007 at 04:45:38PM +0200, Rainer Jung wrote:
  

I committed Martin's patch to mod_jk a couple of minutes ago.
Thanks Martin!

The Content-Type part of the patch didn't apply to mod_jk though.


...
  

-if (memcmp(stringname, Content-Type, 12) == 0) {
+if (strncasecmp(stringname, Content-Type, 12) == 0) {



That is good, because it was wrong... Of course we need the
normal strcasecmp(stringname, "Content-Type"), not the one limited
to 12 chars (think of Content-TypeXYZ).

Already committed to trunk.
  

Backporting to 2.2.x?

--
Jess Holle



Re: [PATCH] proxy/ajp_header.c: Fix header detection

2007-08-30 Thread jean-frederic clere
Martin Kraemer wrote:
 Hi.
 
 While looking at ajp_header.c, I realized that its method of parsing
 the header line tokens is flakey: it uses memcmp() to check, e.g.,
 whether the header token is Accept-Charset:, by uppercasing the
 token name (-> ACCEPT-CHARSET), then compares the initial ACCEPT-
 prefix, and then tests:
   if (memcmp(p, "CHARSET", 7) == 0) return SC_ACCEPT_CHARSET;
 but does not verify that the end of the token has been reached.
 
 Thus, a header
   Accept-CharsetXXX-Blah: utf-8
 would be mistaken for an Accept-Charset: utf-8.
 
 Same goes for a couple of other header names.
 The patch replaces the memcmp by a strcmp to check for the trailing
 NIL character, too.
 
 Also, IMO it is better to replace memcmp by strncasecmp in the test
 -if (memcmp(stringname, Content-Type, 12) == 0) {
 +if (strncasecmp(stringname, Content-Type, 12) == 0) {
 
 WDYT?

+1 mod_jk fixed it by adding one to each length, that is probably more
efficient, no?

Cheers

Jean-Frederic

 
   Martin
 



Re: Blackdot.be (ApacheMon ApacheMobile) - Questions sparked by the ApacheLounge fuss

2007-08-30 Thread William A. Rowe, Jr.
Jorge Schrauwen wrote:
 
 I'd like to add an additional note to this but I'm unsure in how to
 phrase it.
 What I want to say is:
 That I take the source tarball's that are posted e.g.
 httpd-2.2.4-win32-src.zip (only official release no TR, svn etc).
 
 I'd also like to know if I need to add an additional disclaimer that I
 don't offer any warranties if somehow (unlikely) manage to cost a
 company huge sums of money and they want to sue me.

If you simply note these are the officially released sources and you
provide compiled binaries under the Apache License 2.0 (with no warranty
as spelled out under that license), you should be in reasonably good shape.

If you export from a country that has cryptographic export controls (e.g.
computer programs-as-munitions) you should either avoid shipping any SSL
components or be very careful to follow the export regulations.

Bill


Re: Blackdot.be (ApacheMon ApacheMobile) - Questions sparked by the ApacheLounge fuss

2007-08-30 Thread William A. Rowe, Jr.
William A. Rowe, Jr. wrote:
 Jorge Schrauwen wrote:
 I'd like to add an additional note to this but I'm unsure in how to
 phrase it.
 What I want to say is:
 That I take the source tarball's that are posted e.g.
 httpd-2.2.4-win32-src.zip (only official release no TR, svn etc).

 I'd also like to know if I need to add an additional disclaimer that I
 don't offer any warranties if somehow (unlikely) manage to cost a
 company huge sums of money and they want to sue me.
 
 If you simply note these are the officially released sources and you
 provide compiled binaries under the Apache License 2.0 (with no warranty
 as spelled out under that license), you should be in reasonably good shape.
 
 If you export from a country that has cryptographic export controls (e.g.
 computer programs-as-munitions) you should either avoid shipping any SSL
 components or be very careful to follow the export regulations.

And as Jim says, don't take this as legal advice, you are best to consult
with a lawyer, or a software redistributor in your country who's thoroughly
reviewed the issue of redistributing or building binaries of open source
software.  Note there can be legal differences between a program source
code and a functioning, compiled program, depending on your jurisdiction ;-)

Bill


Re: authnz_ldap in 2.2.x

2007-08-30 Thread Eric Covener
On 8/30/07, Brad Nicholes [EMAIL PROTECTED] wrote:
  On 8/29/2007 at 7:51 PM, in message
 [EMAIL PROTECTED], Eric Covener
 [EMAIL PROTECTED] wrote:
 
  In 2.2.x If authz_XXX are one of dbm, owner, or groupfile they track
  the list of requires and decline if they don't see any they're
  responsible for -- this isn't a crap shoot of module ordering in this
  case.
 
  $ grep \!required *.c
  mod_authz_dbm.c:if (!required_group || !conf->authoritative) {
  mod_authz_groupfile.c:if (!required_group || !conf->authoritative) {
  mod_authz_owner.c:if (!required_owner || !conf->authoritative) {
  mod_authz_user.c:if (!required_user) {
 
  That roughly leaves authz_host, authz_default, and authnz_ldap.
  authz_host has a built-in default based on Order, and authz_default
  doesn't have any Requires to check -- leaving authnz_ldap as the odd
  man out.
 

 True, so that brings up the question of what does AuthzXXXAuthoritative 
 really mean?  Does it mean that if set to ON, this module is authoritatively 
 responsible for authorization and if it can't (whatever the reason including 
 no require statement), then authorization fails?  Or does it mean that the 
 module is only authoritatively responsible for authorization if a matching 
 require statement exists?  According to what you are saying as well as what 
 the code is currently saying in the other authz modules, the latter is true.  
 And if that is really the definition of AuthzXXXAuthoritative, then it 
 appears that authnz_ldap needs to be fixed.

 Brad


For the ones in the list above it seems to roughly be:

if an authz_XXX require is satisfied, return OK
If authz_XXX is authoritative, and any authz_XXX require directives
were present, return HTTP_UNAUTHORIZED
else return DECLINED

Any clue from a development process POV how I'd propose such a thing
for backport since it doesn't apply to trunk?  I was also hoping
some more people might weigh in on the behavior change for
mod_authnz_ldap in a stable release.

-- 
Eric Covener
[EMAIL PROTECTED]


updated mime.types

2007-08-30 Thread Roy T. Fielding

Please check out the updated mime.types file and, if possible, see
if it breaks anything on a real site.

http://svn.apache.org/repos/asf/httpd/httpd/trunk/docs/conf/mime.types

Technically, it is docs, but I am blurry-eyed at the moment and need
to do *something* for my wedding anniversary today.  If it seems okay,
we should backport it to all versions prior to the release.

Roy