On Tue, Jul 24, 2012 at 08:42:34AM +, Plüm, Rüdiger, Vodafone Group wrote:
So after this rant I come to the conclusion that your proposed approach is
the best:
Only compare the names and not the IP's in the proxy case.
Attached does this - any comments? I suppose this requires a major
On Tue, Jul 24, 2012 at 10:05:34AM +, Plüm, Rüdiger, Vodafone Group wrote:
Looks good. Slight optimization:
If addr == NULL we can just skip the whole while (conf_addr) {
loop.
Thanks to all for the feedback.
main fix: http://svn.apache.org/viewvc?rev=1365001&view=rev
pool use fix:
The test case for PR 45434 seems to have regressed across 2.2-2.4.
https://issues.apache.org/bugzilla/show_bug.cgi?id=45434
I have not tried to understand the mechanics here, but a dumb
side-by-side analysis found a missing piece, below. 2.2 hardcodes this
as real + 11 but 2.4 uses the
On Thu, Jul 19, 2012 at 04:17:44PM +0200, Steinar H. Gunderson wrote:
Furthermore, Fedora has recently accepted the mpm-itk patch into their Apache
packages.
For the record, that is not accurate. The Fedora httpd package does not
contain the mpm-itk patch, I have repeatedly refused to add it
On Mon, Jul 23, 2012 at 08:45:47AM -0400, Jim Jagielski wrote:
I for sure don't use 'svn merge' and am likely guilty (and the
orig post clearly indicates) of this... For awhile, svn merge
was as wonky as hell, so I simply skipped using it and instead
used the svn.merge script which, for the
Short question: should ProxyBlock apply to the hostname from the request
URI, or the hostname of the next hop?
Long question: the way ProxyBlock is documented does not make explicit
that it is applied to the next hop; it would be natural to expect it is
matched against the request URI
On Mon, Jul 23, 2012 at 03:41:19PM -0400, Eric Covener wrote:
b) if it's not the desired behaviour, that's a lot more messy.
I had assumed this was a bug in the checking but apparently never
brought it here correctly.
Ah ha! I hadn't checked the list archives, sorry - you did indeed post
Hi Jim,
On Thu, Jul 05, 2012 at 01:49:25PM +0200, Jim Meyering wrote:
This is my first httpd patch/report.
If you'd prefer that it go to a BZ or a different list, just let me know.
This is fine!
I found this by inspection: it appears that line[-1] (the heap) can be
corrupted. Is it
On Thu, Jun 07, 2012 at 01:23:29PM -0400, Eric Covener wrote:
e.g. RewriteOptions +I know I'm running this regex against something
that's not guaranteed to look like a URL-path, and I'll write a regex
that carefully matches/captures the input
How about this? I'm not sure how to put the right
On Thu, Jun 07, 2012 at 01:14:37PM -0400, Jeff Trawick wrote:
On Thu, Jun 7, 2012 at 11:55 AM, Joe Orton jor...@redhat.com wrote:
I like Eric's suggestion of an opt-in RewriteOption. This will avoid
having to iterate yet again if the whitelist is either too broad or too
narrow, and can
On Wed, Jun 06, 2012 at 09:08:02PM -0400, Jeff Trawick wrote:
Here are some valid requests which fail the 4317 checks:
CONNECT foo.example.com[:port]
GET http://foo.example.com
GET proxy:http://foo.example.com/(rewriting something which was
already proxied internally)
I am leaning
On Fri, Jun 01, 2012 at 11:31:55AM +0200, Ruediger Pluem wrote:
jor...@apache.org wrote:
--- httpd/httpd/trunk/configure.in (original)
+++ httpd/httpd/trunk/configure.in Wed May 23 15:42:33 2012
@@ -703,7 +703,24 @@ APACHE_HELP_STRING(--with-suexec-gidmin,
AC_ARG_WITH(suexec-logfile,
On Wed, May 30, 2012 at 07:50:44AM +0200, Kaspar Brand wrote:
Wouldn't it be preferable to use LOG_AUTH/LOG_AUTHPRIV instead?
suexec's log messages are mostly about authorization, and sometimes
include information which should probably be hidden from the eyes of
unprivileged users.
Good
On Thu, May 24, 2012 at 12:22:43AM +0200, André Malo wrote:
* jor...@apache.org wrote:
Author: jorton
Date: Wed May 23 16:06:02 2012
New Revision: 1341930
URL: http://svn.apache.org/viewvc?rev=1341930&view=rev
Log:
* docs/manual/suexec.html.en: Update for syslog logging.
Duh. Am
On Thu, Apr 19, 2012 at 11:54:00AM -, fua...@apache.org wrote:
Author: fuankg
Date: Thu Apr 19 11:53:59 2012
New Revision: 1327907
URL: http://svn.apache.org/viewvc?rev=1327907&view=rev
...
--- httpd/httpd/trunk/server/Makefile.in (original)
+++ httpd/httpd/trunk/server/Makefile.in Thu
On Tue, Apr 17, 2012 at 11:48:03PM -0500, William Rowe wrote:
Odd... there is no language assurance that these statics remain static
across module reloads. A static var != static fn.
I don't know what you mean here, sorry. static/extern for global
variables does have basically the same
On Mon, Feb 13, 2012 at 08:56:28AM -0500, Jim Jagielski wrote:
The 2.4.1 (candidate) tarballs are available for download and test:
http://httpd.apache.org/dev/dist/
I'm calling a VOTE on releasing these as Apache httpd 2.4.1 GA.
NOTE: The -deps tarballs are included here *only* to
On Sun, Jan 29, 2012 at 08:53:09PM +0100, Stefan Fritsch wrote:
+ * Insert the network bucket into the core input filter's input brigade.
+ * This hook is intended for MPMs or protocol modules that need to do special
+ * socket setup.
+ * @param c The connection
+ * @param bb The brigade to
On Mon, Jan 23, 2012 at 09:39:38PM +0100, Stefan Fritsch wrote:
This patch allows us to later add members to core_ctx_t without
breaking binary compatibility to mod_ftp. Without such a patch, the
size of core_ctx_t is part of the ABI, which is bad.
Opinions?
After thinking about it more:
On Sun, Jan 22, 2012 at 12:12:09PM +0100, Stefan Fritsch wrote:
On Friday 20 January 2012, Joe Orton wrote:
If we assume that morphing buckets cannot be buffered, the code
could be adjusted to always place them in the to flush segment,
and then there is no need to read the buckets until
On Mon, Jan 23, 2012 at 05:15:08PM +0100, Stefan Fritsch wrote:
On Monday 23 January 2012, Joe Orton wrote:
I think I was not clear enough here: yes, the non-blocking read
must be followed by blocking reads.
Right, that makes sense.
Great. Many eyes on r1234848 and r1234899 rather
On Fri, Jan 20, 2012 at 08:56:28AM -0500, Jeff Trawick wrote:
On Fri, Jan 20, 2012 at 7:41 AM, jor...@apache.org wrote:
Author: jorton
Date: Fri Jan 20 12:41:18 2012
New Revision: 1233882
URL: http://svn.apache.org/viewvc?rev=1233882&view=rev
Log:
* server/core_filters.c
The main loop in the core output filter (rewritten since 2.2) will try
to read the entire passed-in brigade into RAM for CGI/PIPE-like mutating
bucket types. :( :( We have been trying to bash this kind of bug since 2.0.x
days, and now the *core output filter* itself is doing it, yegads.
The fix
On Wed, Jan 18, 2012 at 11:16:18AM -0500, Jeff Trawick wrote:
Following the thread
http://mail-archives.apache.org/mod_mbox/httpd-dev/201112.mbox/%3CCAKUrXK4uwT%3DP1KtEziNqFdxXs%2BtyWvggzpL8x2u-Bbq8tZ-Zsw%40mail.gmail.com%3E
and the related discussion in 2.2.x/STATUS, attached is a patch for
On Tue, Jan 17, 2012 at 09:12:19PM -, Graham Leggett wrote:
...
@@ -88,6 +96,9 @@ if test $apr_found = no; then
fi
if test $apr_found = reconfig; then
+ if test ! -d srclib/apr; then
+AC_MSG_ERROR([Bundled APR requested but not found at srclib/apr.
Download and unpack the
On Tue, Jan 17, 2012 at 01:39:09AM +0200, Graham Leggett wrote:
- All three of mod_bucketeer, mod_case_filter and mod_case_filter_in
are present during this test run, but for some reason we still have
skipped tests complaining about them.
Are those modules loaded in the httpd.conf? Unless
On Mon, Jan 16, 2012 at 12:50:05PM -0500, Jim Jagielski wrote:
The 2.4.0 (prerelease) tarballs are available for download and test:
http://httpd.apache.org/dev/dist/
I'm calling a VOTE on releasing these as Apache httpd 2.4.0 GA.
Vote will last the normal 72 hours... Can I get a
On Tue, Dec 20, 2011 at 03:25:09AM -0600, William Rowe wrote:
On 11/18/2011 4:38 PM, William A. Rowe Jr. wrote:
After several prods, it seems the security@ and hackathon participants
can't be drawn out of their shells on to dev@. So I'll simply call for
a majority vote on the following
On Thu, Dec 15, 2011 at 10:04:03AM -0500, Jeff Trawick wrote:
On Wed, Nov 23, 2011 at 9:23 AM, Joe Orton jor...@redhat.com wrote:
Prutha Parikh from Qualys reported a variant on the CVE-2011-3368 attack
against certain mod_proxy/mod_rewrite configurations. A new CVE name,
CVE-2011-4317
Sorry, I missed this earlier.
On Mon, Dec 12, 2011 at 01:24:51PM -0500, Jeff Trawick wrote:
The new code and the core translate name hook agree on something critical:
if it isn't * and it isn't a fully qualified path, return 400.
For proxy and rewrite to return 400 without knowing if these
Is heartbeat.h supposed to be part of the public API? It contains a
single structure, no explanation of what it is for. Joe
On Fri, Dec 02, 2011 at 06:08:53PM -0600, William Rowe wrote:
I suspect a single doc for mod_socache would probably be appropriate.
The API docs are in a single doc, ap_socache.h. They are marked up
using doxy syntax, if we want that in HTML can't we do that
automagically using doxygen?
On Wed, Nov 23, 2011 at 04:53:46PM +0100, Plüm, Rüdiger, VF-Group wrote:
One comment though: Shouldn't we check r->unparsed_uri as well (at least
in the proxy case, as it may be used by ap_proxy_trans_match instead of
r->uri)?
Thanks for looking at this!
I'm not sure how we could check
On Thu, Nov 24, 2011 at 11:37:34PM +0100, Rainer Jung wrote:
Don't know whether that could happen here, but could OPTIONS * be
a problem?
Hmmm, another good question.
What should mod_rewrite or mod_proxy's translate_name hook do for a
request-URI of *? 2616 says:
The asterisk *
On Wed, Nov 23, 2011 at 08:37:31AM +0100, Kaspar Brand wrote:
There are two approaches to fix 1): a) turn off verify_hostname
where needed (t/ssl/pr12355.t and t/ssl/pr43738.t are doing this
right now) or b) specify the CA cert (generated in t/conf/ca/...)
to make verification work/succeed.
Prutha Parikh from Qualys reported a variant on the CVE-2011-3368 attack
against certain mod_proxy/mod_rewrite configurations. A new CVE name,
CVE-2011-4317, has been assigned to this variant.
The configurations in question are the same as affected by -3368, e.g.:
RewriteRule ^(.*)
On Sun, Nov 13, 2011 at 03:42:07AM +, Nick Kew wrote:
Feel free to fix issues you find. That's the advantage of having it under
change control @apache.org.
I don't have time/inclination, thanks. If nobody has any interest in
maintaining this code, why has it been added to the tree? The
On Wed, Nov 23, 2011 at 03:38:19PM +, Nick Kew wrote:
On Wed, 23 Nov 2011 14:26:00 +
Joe Orton jor...@redhat.com wrote:
On Sun, Nov 13, 2011 at 03:42:07AM +, Nick Kew wrote:
Feel free to fix issues you find. That's the advantage of having it under
change control
On Fri, Nov 18, 2011 at 04:38:14PM -0600, William Rowe wrote:
After several prods, it seems the security@ and hackathon participants
can't be drawn out of their shells on to dev@. So I'll simply call for
a majority vote on the following statement...
Thanks for the prod!
Resource abuse of an
On Thu, Nov 10, 2011 at 06:28:00PM -0800, Jeff Trawick wrote:
* There should have been a discussion on dev@ before promoting a
subproject to the main distribution.
* Two weeks before 2.4 GA (well, that's the general desire of those of
the group that spoke up) and after the last planned beta
a) gcc warnings:
mod_xml2enc.c: In function 'fix_skipto':
mod_xml2enc.c:123:18: warning: variable 'rv' set but not used
[-Wunused-but-set-variable]
mod_xml2enc.c: In function 'sniff_encoding':
mod_xml2enc.c:167:18: warning: variable 'rv' set but not used
[-Wunused-but-set-variable]
b) code
- Forwarded message from halfdog m...@halfdog.net -
Date: Wed, 02 Nov 2011 11:55:26 +
From: halfdog m...@halfdog.net
To: full-disclos...@lists.grok.org.uk
CC: Joe Orton jor...@apache.org, secur...@httpd.apache.org
Subject: Integer Overflow in Apache ap_pregsub via mod-setenvif
User
On Tue, Oct 11, 2011 at 10:52:13AM +0200, Jan Kaluža wrote:
Hi,
attached patch against trunk adds new rotatelogs option -c to
create logs after tRotation time even if there are no messages to
log during tRotation time. This is achieved by calling apr_poll() on
stdin with proper timeout
On Thu, Sep 08, 2011 at 05:36:06PM -0400, Jeff Trawick wrote:
static apr_status_t base10_strtoff(apr_off_t *offset, const char *buf,
char **endptr)
{
const char *last;
*offset = apr_atoi64(buf);
I think this needs to DTRT with a 32-bit off_t.
How
On Thu, Sep 01, 2011 at 06:27:35PM +0200, Plüm, Rüdiger, VF-Group wrote:
Can't find the discussion either, but I remember that it was not seen
as a security issue. For those still concerned about this, the advice
was as you said FileETag -INode. So IMHO no need for a patch here
except for
On Wed, Aug 31, 2011 at 11:08:51PM +0200, Stefan Fritsch wrote:
On Wednesday 31 August 2011, Jim Jagielski wrote:
Looking at the patch in 2.2.x; there is a lot of effort expended
dealing with apr_bucket_split() returning ENOTIMPL - that looks
unnecessary; the filter will only handle
On Thu, Sep 01, 2011 at 02:47:19PM +0200, Plüm, Rüdiger, VF-Group wrote:
If we rip it out, we should replace it with ap_assert()s. And maybe
only do it in 2.3?
It would seem odd to have ENOTIMPL as a fatal error but other
real errors non-fatal. *No* error should occur here with
On Thu, Sep 01, 2011 at 02:39:11PM +0200, Marcus Meissner wrote:
Hi,
CVE-2003-1418, a minor security issue, is still affecting the current
codebase.
someone opened a tracker bug a year ago without feedback:
https://issues.apache.org/bugzilla/show_bug.cgi?id=49623
Do you have a
On Tue, Aug 30, 2011 at 08:51:55PM +0200, Stefan Fritsch wrote:
The first regression report, though slightly too late for the vote:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=639825
The byterange_filter.c in the Debian update is exactly the one from
2.2.20. I will keep you updated.
Hi Kaspar,
On Wed, Aug 03, 2011 at 06:23:18PM +0200, Kaspar Brand wrote:
Ok, so the initial version of that patch became relatively large:
https://people.apache.org/~kbrand/mod_ssl-toolkit-support.v1.diff
Thanks so much for taking this on!
Even though trunk is CTR, I'm somewhat reluctant
On Thu, Jul 14, 2011 at 11:28:13PM +0200, Stefan Fritsch wrote:
I think AF_UNSPEC should be more correct. But there are so many
platforms with different behaviour that it is impossible to say if it
will break something. Simply trying this out in a beta is not the
worst thing to do, IMHO.
On Wed, Jul 13, 2011 at 07:21:11PM -, s...@apache.org wrote:
Author: sf
Date: Wed Jul 13 19:21:11 2011
New Revision: 1146256
URL: http://svn.apache.org/viewvc?rev=1146256&view=rev
Log:
Use APR_UNSPEC to allow startup on IP6-only systems.
PR: 50592
Submitted by: Joe Orton, 2510 root
On Sun, Jul 10, 2011 at 03:34:10PM -0700, Roy T. Fielding wrote:
Regardless of anyone else's opinion, the addition or deletion of a
new API to our product is a technical change that can be vetoed.
Likewise, the API being an incomplete abstraction that isn't
needed in httpd is a valid technical
On Thu, Jul 07, 2011 at 11:59:20PM +0200, Graham Leggett wrote:
On 04 Jul 2011, at 6:48 PM, Joe Orton wrote:
It's incumbent on you to provide specific technical objections if
vetoing code, not this hand-waving objections must exist because
of X.
I have already done so. If you disagree
On Mon, Jul 04, 2011 at 09:07:49PM +0200, Rainer Jung wrote:
Hi everyone,
a couple of modules have additional external dependencies:
mod_deflate: zlib
mod_lua: lua
mod_serf: serf
mod_socache_dc: distcache
At the moment, the compiled modules do not contain any RPATH/RUNPATH
info
On Tue, Jul 05, 2011 at 11:25:53AM +0200, Rainer Jung wrote:
I will think about a good way, how users can pass additional LDADD
flags. Putting the -R ... into the LDFLAGS seems to be too heavy,
because then the RPATH of every module etc. will contain the given
directory. The real
On Mon, Jun 27, 2011 at 03:19:37PM +0200, Graham Leggett wrote:
mod_ldap - An LDAP shared memory cache
mod_authnz_ldap - A user of the LDAP shared memory cache
The LDAP API exposes way more functionality than mod_ldap exposes,
so while you may have fixed the problem for the special case that
On Mon, Jul 04, 2011 at 11:43:33AM +0200, Graham Leggett wrote:
I have already stated the basis for the veto: every single apparent
flaw in the apr_ldap code that caused wrowe to remove it from APR is
still present in the code that wrowe dumped into httpd.
It's incumbent on you to provide
On Sat, Jun 25, 2011 at 10:11:20PM +0200, Graham Leggett wrote:
On 06 Jun 2011, at 11:53 PM, William A. Rowe Jr. wrote:
Since the move from apr-util-ldap to ap_ldap, mod_ldap needs to be
loaded before mod_authnz_ldap. This is somewhat annoying because the
default httpd.conf tries to load
On Mon, Jun 20, 2011 at 04:14:10PM +0200, Graham Leggett wrote:
On 20 Jun 2011, at 12:58 PM, Plüm, Rüdiger, VF-Group wrote:
more general
-p mode just added - is it worth keeping?
I think it is worth keeping for those people that only need the link.
Creating a post rotation script that
Dredging up a change from last year:
On Thu, Feb 25, 2010 at 06:00:43PM -, poir...@apache.org wrote:
Author: poirier
Date: Thu Feb 25 18:00:42 2010
New Revision: 916377
URL: http://svn.apache.org/viewvc?rev=916377&view=rev
Log:
Add -L option to create a hard link to the current log
On Mon, Jun 06, 2011 at 04:53:13PM -0500, William Rowe wrote:
On 6/6/2011 4:17 PM, Stefan Fritsch wrote:
Since the move from apr-util-ldap to ap_ldap, mod_ldap needs to be
loaded before mod_authnz_ldap. This is somewhat annoying because the
default httpd.conf tries to load mod_authnz_ldap
mod_slotmem_shm is creating a subpool of pconf (gpool) in the
pre_config hook. It then hangs a cleanup off pconf in the post_config
hook, which uses something with the structures in gpool.
This doesn't work (and segfaults with APR pool debugging) because the
gpool contents are invalidated by
On Tue, May 03, 2011 at 09:39:56AM +0200, Dirk-Willem van Gulik wrote:
Can anyone remember why SSLRenegBufferSize is set at 128k (131072
bytes) currently by default ?
And if that is just an accidental default - or if deep thought has
gone into it ?
No deep thought, a fairly random number.
On Tue, Apr 19, 2011 at 12:55:00PM +0200, Torsten Förtsch wrote:
On Tuesday, April 19, 2011 10:59:45 Joe Orton wrote:
+# force HTTP/1.0 to work around LWP 6.x bug
+$req-protocol('HTTP/1.0');
At least for libwww-perl/6.02 that does not help. It sends HTTP/1.1 no matter
On Mon, Apr 18, 2011 at 08:46:15PM +0200, Stefan Fritsch wrote:
On Monday 18 April 2011, Torsten Förtsch wrote:
On Monday, April 18, 2011 10:36:13 Joe Orton wrote:
If you change the CGI script to send a 100 rather than 102, does
it work? LWP should treat all 1xx as interim responses so
On Sun, Apr 17, 2011 at 05:55:44PM +0200, Torsten Förtsch wrote:
t/apache/if_sections.t needs the proxy module, t/modules/filter.t needs
mod_case_filter.
Thanks, committed!
Regards, Joe
On Sun, Apr 17, 2011 at 05:51:42PM +0200, Torsten Förtsch wrote:
Hi,
t/modules/proxy.t of the test framework contains at line 32 the following 2
tests:
$r = GET("/reverse/modules/cgi/nph-102.pl");
ok t_cmp($r->code, 200, "reverse proxy to nph-102");
ok t_cmp($r->content, "this is
On Thu, Apr 14, 2011 at 03:57:32AM -0500, William Rowe wrote:
Looking at current 2.2.17 httpd with openssl 0.9.8o, and using 0.9.8o to
attempt to 'R'enegotiate, the report appears accurate.
Yup, it's a legacy of the patch for CVE-2009-3555; the prevention of
client-initiated reneg has never
On Thu, Apr 14, 2011 at 04:41:01AM -0500, William Rowe wrote:
It seems like our directive is a serious misnomer, if it is required to
enable either legacy or new renegotiation. Before 2.2.18, it seems
prudent to make this a tristate (legacy or modern, modern only, or none)
and support it
Hi Daniel -
On Fri, Mar 11, 2011 at 05:47:15AM -0600, Daniel Ruggeri wrote:
Some high-level settings for the httpd configuration are bulleted
below, but otherwise this happens on an httpd 2.2.15 build for
Probably https://issues.apache.org/bugzilla/show_bug.cgi?id=39915 which
was fixed in
On Wed, Feb 09, 2011 at 09:39:36AM +, Rob Stradling wrote:
On Wednesday 05 Jan 2011 10:03:19 Rob Stradling wrote:
On Friday 24 December 2010 16:24:03 Igor Galić wrote:
snip
If we want to see more extensive testing in the field,
then this is the right time to make 'On' the
On Thu, Feb 03, 2011 at 08:20:02PM -, s...@apache.org wrote:
Author: sf
Date: Thu Feb 3 20:20:02 2011
New Revision: 1066944
URL: http://svn.apache.org/viewvc?rev=1066944&view=rev
Log:
Reload resolv.conf on graceful restarts
PR: 50619
Submitted by: Matt Miller m miller f5 com,
CC'ing test-dev@.
On Thu, Jan 20, 2011 at 12:00:41PM -0500, Jim Jagielski wrote:
On the latest Fedora, -times=X no longer works:
t/modules/rewrite.t .. ok
t/modules/rewrite.t .. ok
You already have a parser for (t/modules/rewrite.t). Perhaps you have run the
same test twice. at
On Sun, Jan 16, 2011 at 11:34:29AM +0100, Kaspar Brand wrote:
On 13.12.2010 15:24, Jim Jagielski wrote:
At this late in the game, I would prefer to do this post-2.3.10...
safer that way.
Polite reminder, according to [1]... :-) I feel it's important because
it addresses PR 49784 and a few
On Mon, Jan 17, 2011 at 04:14:24PM +0200, Graham Leggett wrote:
On 17 Jan 2011, at 3:14 PM, jor...@apache.org wrote:
Author: jorton
Date: Mon Jan 17 13:14:21 2011
New Revision: 1059910
URL: http://svn.apache.org/viewvc?rev=1059910&view=rev
Log:
* modules/ssl/ssl_engine_io.c: Revamp
On Wed, Jan 12, 2011 at 03:30:01PM -0500, Jim Jagielski wrote:
My current migration of mod_proxy away from the scoreboard
and to slotmem is done. All that remains is some final
testing.
This will serve as the basis for adding in members during
runtime. Currently, the idea is that we only
On Thu, Jan 13, 2011 at 03:25:22PM +0100, Plüm, Rüdiger, VF-Group wrote:
Should I commit the patch below now to resolve the issue and address
your point?
Once again we are struggling with the ill-defined filtering API :(
You're proposing here to make the _GETLINE call return a partial read in
On Tue, Dec 21, 2010 at 11:43:42AM -, rpl...@apache.org wrote:
URL: http://svn.apache.org/viewvc?rev=1051468&view=rev
Log:
* Do not drop contents of incomplete lines, but save them for the next
round of reading.
PR: 50481
...
--- httpd/httpd/trunk/modules/ssl/ssl_engine_io.c
On Wed, Jan 12, 2011 at 03:29:45PM +0100, Plüm, Rüdiger, VF-Group wrote:
In that case the correct behaviour of the input filter is to return a
partial read with APR_SUCCESS (per AP_MODE_GETLINE semantics described
in util_filter.h). So the data must *not* also be buffered in that
On Fri, Dec 03, 2010 at 09:52:06AM +0100, Guenter Knauf wrote:
Am 02.12.2010 10:39, schrieb Joe Orton:
On Mon, Nov 29, 2010 at 04:37:49PM -, fua...@apache.org wrote:
URL: http://svn.apache.org/viewvc?rev=1040177&view=rev
Log:
Suppress compiler warning
On Mon, Nov 29, 2010 at 04:37:49PM -, fua...@apache.org wrote:
URL: http://svn.apache.org/viewvc?rev=1040177&view=rev
Log:
Suppress compiler warning.
...
==
--- httpd/httpd/trunk/modules/http/http_protocol.c
On Fri, Nov 26, 2010 at 09:25:30PM +0100, Stefan Fritsch wrote:
On Friday 26 November 2010, Rainer Jung wrote:
On 26.11.2010 09:30, Gregg L. Smith wrote:
While you commit win3.diff, it seems mod_disk_cache was changed
to mod_cache_disk and I remember seeing mention of it. The patch
On Fri, Nov 19, 2010 at 07:13:01AM +0100, Kaspar Brand wrote:
On 17.11.2010 15:53, Igor Galić wrote:
it might be appropriate to ping dev@ with this problem
I'm not sure if it's a bug or a feature.
I'd call it a missing feature... the problem is that mod_ssl treats all
values of any DN
On Fri, Nov 19, 2010 at 05:17:06PM +0200, Graham Leggett wrote:
On 19 Nov 2010, at 3:19 PM, Plüm, Rüdiger, VF-Group wrote:
Does
RequestHeader add some_header %{SSL_ENVIRONMENT_VARIABLE}s
not work for you?
It could, but it isn't very clean at all. You are adding a KV pair
to one
mod_ssl's output buffering has been bothering me for a while.
1) it buffers the encrypted output stream (to some extent) coupled with
regular use of FLUSH buckets. This seems redundant/inefficient; the
core output filter should be doing this kind of thing optimally already.
2) it does /not/
On Fri, Nov 05, 2010 at 08:26:15PM +0100, Stefan Fritsch wrote:
I have put the current state of my work on ap_expr here and would
welcome feedback:
http://people.apache.org/~sf/ap_expr_ng_v0/
There are definitely some things left to do, like implementing regexp
backreferences and
On Thu, Nov 04, 2010 at 08:57:53PM +0100, Stefan Fritsch wrote:
On Thursday 04 November 2010, Jim Jagielski wrote:
Tested so +1
Yes, the latest round of fixes seems to have fixed all my problems.
Thanks.
I get a bunch of 404s in the aaa.t authz/form tests, did you forget to
check in
Generally no reason, no, there are lots of places in mod_ssl where
_cerror should be used but the code predates the existence of _cerror;
it's possible the SNI-related use of ap_log_error() in
ssl_hook_ReadReq() is deliberate, however, I'm guessing.
Regards, Joe
Response as requested ;)
On Tue, Oct 05, 2010 at 06:16:14PM -, William Rowe wrote:
--- httpd/httpd/branches/2.2.x/STATUS (original)
+++ httpd/httpd/branches/2.2.x/STATUS Tue Oct 5 18:16:14 2010
@@ -177,11 +177,14 @@ PATCHES PROPOSED TO BACKPORT FROM TRUNK:
PR: 43857
Trunk
On Thu, Oct 07, 2010 at 10:50:48AM +0100, Joe Orton wrote:
I've no strong objection to this but it deserves a comment in the code
describing why that apr_pool_clear call is redundant; a thorough
^NOT redundant
On Wed, Sep 29, 2010 at 11:07:14PM +0200, Stefan Fritsch wrote:
On Wednesday 29 September 2010, Nick Kew wrote:
It's been sitting in my to-do list to review mod_ssl's expression
parser, and see if we can't substitute ap_expr - with updates to
the latter if necessary.
Any thoughts on
On Wed, Sep 29, 2010 at 12:55:36PM +0200, Stefan Fritsch wrote:
Most of the changes are rather mechanical, because the state needs to
be passed as parameters instead of being stored in global variables.
The diffs are at
http://people.apache.org/~sf/ssl_expr_source.diff
On Thu, Sep 16, 2010 at 11:53:39AM +0200, Graham Leggett wrote:
On 16 Sep 2010, at 9:13 AM, Ruediger Pluem wrote:
+static apr_status_t file_cache_create(disk_cache_conf *conf,
disk_cache_file_t *file,
+ apr_pool_t *pool)
+{
+file-pool = pool;
+
On Tue, Aug 17, 2010 at 06:00:58PM +0200, Plüm, Rüdiger, VF-Group wrote:
I think you should use
((apr_table_get(r->headers_in, "Content-Length") ||
apr_table_get(r->headers_in, "Transfer-Encoding")))
as we only want do_100_continue to be true *if* we have a request body,
which means that
This fixes a slow memory leak in mod_proxy FYI. The sockaddr passed to
apr_socket_connect() is allocated out of worker->cp->pool. When a new
backend connection is created, core_create_conn extracts the address
from that socket to the conn_rec and it gets duped in that pool again.
On Mon, Aug
On Mon, Aug 02, 2010 at 03:33:45PM +0200, Rainer Jung wrote:
--- httpd/site/trunk/docs/security/vulnerabilities-oval.xml (original)
+++ httpd/site/trunk/docs/security/vulnerabilities-oval.xml Mon Aug 2
13:03:04 2010
@@ -714,6 +714,31 @@ to cross-site scripting (XSS) attacks./
/criteria
On Thu, Jul 22, 2010 at 04:50:42PM +0200, Plüm, Rüdiger, VF-Group wrote:
What about these?
t/ssl/extlookup.t (Wstat: 0 Tests: 4 Failed: 1)
Failed test: 2
t/ssl/require.t
Jeremy Sowden discovered an information leak in mod_proxy affecting
httpd version 2.2.9 only. If a timeout occurred reading a response from
a backend on a persistent connection, the backend connection was not
closed. The response could subsequently be read and delivered to an
unrelated
On Wed, Jul 14, 2010 at 10:33:43PM +0100, Dr Stephen Henson wrote:
On 25/06/2010 08:10, Paul Querna wrote:
I was playing with OCSP Stapling in 2.3.6-alpha tonight, and I noticed
that in the common case path, we will always lock a global mutex.
I don't see why this is needed for the cache