is active
(so method is available as an env var). Certainly
on the radar.
is of course a crusty old relative.
--
Nick Kew
Application Development with Apache - the Apache Modules Book
http://www.apachetutor.org/
dir config.
> Maybe no need for Directory, location, etc, either...
>
I'm thinking more of displacing tortuous mod_rewrite-based
configs than any of the old containers (except possibly
the much-misunderstood-and-abused ).
--
Nick Kew
've got.
I don't see any such vision in this discussion.
--
Nick Kew
l need to do the previous check.
No. The other check applies to / sections,
whose code path I've hijacked for . The two are mutually exclusive.
--
Nick Kew
s there before I go, I'll take a look en route.
See you at the hackathon?
One more point. Stepping up a level, the session management
wants to be unified with other logins, even those that don't need it.
Especially those popular amongst SSO folks, like LDAP.
Hopefully that'll come
nicely as an apr_sed module. But that's a whole other
discussion.
Please have a look into the code and provide your comments.
Well, I've had a preview of this, and it's good :-)
--
Nick Kew
's being dropped into httpd.
--
Nick Kew
gets there first, I might try that
myself
when I've recovered from the apachecon backlog.
As for sed-vs-simple-substitution, if the performance is no worse
than a tie,
then sed looks like a winner by virtue of power and versatility.
--
Nick Kew
n 1.3
that falls way short of what wants to go into packaged products.
Example: apr_dbd_freetds is wide open to SQL injection if used
as you would use AN Other driver, because of the prepared statements
implementation.
--
Nick Kew
the response will not be compressed,
regardless of the Accept-Encoding header. So it doesn't vary.
--
Nick Kew
database
engines, and in some cases are not good for once-only use.
--
Nick Kew
ng them on
> another box the reason we have members on this one is so the darn box
> actually does some work :)
Can you devise a single statement you could set at top-level for
all your hosts? Perhaps with the hostname as an argument to
the SQL query.
If that doesn't work as-is, then a
runk version of docs). APR-UTIL 1.2 excludes
the dangerous driver; 1.3 includes it.
Can we enumerate other potentially-serious issues?
--
Nick Kew
es
the need for further review. What is unclear about
"The underlying library doesn't support prepared statements,
so the driver emulates them, and the untrusted input is
merged into the SQL statement."
?
--
Nick Kew
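The failure mode described in the two apr_dbd_freetds messages above (a driver whose underlying library has no prepared statements, so it "emulates" them by merging the caller's argument into the SQL text), shown as an added example that is not apr_dbd or httpd code: bind_naive splices the argument in verbatim, which is the injection the thread warns about, while bind_escaped doubles embedded quotes first so the argument stays one literal; sql_literal_count counts string literals so the change in statement shape is checkable. The template syntax (a single ? placeholder), the function names and the sample query are assumptions for illustration. A real driver should hand parameters to the backend's native binding; the quote-doubling here only shows the minimum an emulation has to get right.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Splice prefix + "'" + value + "'" + suffix, where the template holds a
 * single '?' placeholder (an assumed syntax for this demo). Returns 0, or
 * -1 if there is no '?' or the result does not fit. */
static int splice_quoted(const char *tmpl, const char *value, char *out, size_t outlen)
{
    const char *q = strchr(tmpl, '?');
    if (q == NULL)
        return -1;
    int n = snprintf(out, outlen, "%.*s'%s'%s", (int)(q - tmpl), tmpl, value, q + 1);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Naive emulation, the pattern the thread warns about: the untrusted
 * argument lands in the SQL text unchanged, so a quote inside it ends the
 * literal and whatever follows is parsed as SQL. */
int bind_naive(const char *tmpl, const char *arg, char *out, size_t outlen)
{
    return splice_quoted(tmpl, arg, out, outlen);
}

/* Minimal escaping: double every single quote so the argument remains one
 * string literal. (A real driver also has to handle backslashes, NULs and
 * charset issues; those are out of scope here.) */
int bind_escaped(const char *tmpl, const char *arg, char *out, size_t outlen)
{
    char esc[512];
    size_t o = 0;
    for (const char *s = arg; *s != '\0'; s++) {
        if (o + 2 >= sizeof esc)
            return -1;
        if (*s == '\'')
            esc[o++] = '\'';
        esc[o++] = *s;
    }
    esc[o] = '\0';
    return splice_quoted(tmpl, esc, out, outlen);
}

/* Count string literals in a statement, treating '' inside a literal as an
 * escaped quote. A correctly bound single parameter yields exactly 1. */
int sql_literal_count(const char *sql)
{
    int count = 0, in_literal = 0;
    for (const char *p = sql; *p != '\0'; p++) {
        if (*p != '\'')
            continue;
        if (!in_literal) {
            in_literal = 1;
        } else if (p[1] == '\'') {
            p++;                 /* escaped quote, still inside the literal */
        } else {
            in_literal = 0;
            count++;
        }
    }
    return count;
}

int main(void)
{
    /* Constructed sample input: a classic tautology payload. */
    const char *tmpl = "SELECT id FROM users WHERE name=?";
    const char *evil = "x' OR '1'='1";
    char sql[256];

    bind_naive(tmpl, evil, sql, sizeof sql);
    printf("naive:   %s  (%d literals)\n", sql, sql_literal_count(sql));
    bind_escaped(tmpl, evil, sql, sizeof sql);
    printf("escaped: %s  (%d literals)\n", sql, sql_literal_count(sql));
    return 0;
}
```

The naive form turns one bound parameter into three literals joined by an OR the caller never wrote; the escaped form keeps it as a single literal. That is the difference between "prepared statement" as an API and "prepared statement" as a string-splicing convenience, which is what makes the freetds driver unsafe to use like the other drivers.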
TED] ("apr_reslist
semantics"). This could enable you to configure apache
to avoid this problem without sacrificing backend keepalives
altogether.
--
Nick Kew
ib/apr-util/apu-${apu_version}-config"
>
> Intentional?
>
Nope, must've been in my local version without knowing it. Bah.
Seeing that reminds me there was some bug with srcdir/srclib.
The above was either an uncommitted fix or an experiment that
should've been rever
w I remember: I'd test-driven the patch, and tried to ping the
original reporter (who is a regular on IRC) to clarify things
before committing. But pinging him failed, and I forgot about it.
--
Nick Kew
ocument it references.
I guess that's the trouble with supporting elasticated specs.
--
Nick Kew
ent is in the patch
> for mod_rewrite.xml (which can be easily fixed of course).
> So what is your exact point of concern now?
Comparing not to "HttpOnly" but to "true" and "1". AKA cut&paste.
ObPedant - strcasecomp for "1" seems OTT.
--
Nick Kew
...
CONFORMING TO
SVr4, SVID, 4.4BSD, X/OPEN.
How many unix platforms support none of the above?
Would #ifdef HAVE_UNISTD_H be an appropriate wrapper for this,
or could you have a unistd without chroot?
--
Nick Kew
he's not the only one doing that,
and our license clearly allows it. Licenses that restrict such
things seem to be widely disliked: c.f. DJB/qmail.
--
Nick Kew
"secure") and "HttpOnly"?
If so, that's probably the best option. Descriptive values are
nice and less easy to confuse, but rejecting spec values true/1
would seem perverse. Ugh.
But (2) would be fine. As would (true|1) and HttpOnly. IMHO.
--
Nick Kew
s own cache,
which is less efficient than you hoped, but only by O(1).
Note that you shouldn't use pconf when processing a request.
Your module can create its own private pool. You'll still
need to take care with memory use and thread-safety when
using it.
--
Nick Kew
31 33.33% 3
Investigating those.
--
Nick Kew
Application Development with Apache - the Apache Modules Book
http://www.apachetutor.org/
On Wed, 11 Jun 2008 22:33:47 +0100
Nick Kew <[EMAIL PROTECTED]> wrote:
> Failed Test                  Stat Wstat Total Fail  Failed  List of Failed
> ---
> t/security/CVE-2004-0959.t      2   512    ??
sor suite shows three new failures (note - failures
mean tests that don't complete successfully; protocol
violations are a different classification altogether).
These are tests involving sending 17 interim responses,
which we now reject, so I'm satisfied it's not a regression.
--
Nick Kew
If you try building from svn, buildconf complains of no
apr/apr-util source.
Why does buildconf actually need the sources?
Shouldn't an installed version be sufficient?
--
Nick Kew
ning it (insofar as
no one else steps forward)?
I could be a provisional +1, if IP and maintenance are sorted.
--
Nick Kew
ere is to avoid creating a useless fork.
If the original developer is still doing active development on
the module, we should either merge that effort with ours or
leave well alone. In practice, a merge would imply development
moving to this list.
If David is happy to subscribe to this list
w? Are you putting yourself at
risk of it consuming all your memory over time?
> 3. Is there a better way?
Chapter 4.
Or memcache, if your overhead is so big as to merit it.
--
Nick Kew
re incompatible
with your module.
BTW, I think this belongs more on the modules list than here.
--
Nick Kew
rg/message/43rw3yi5nxj6bqbs ). And also there is a
> mention of such kind of a feature in the future releases of Apache in
> this article :
> http://people.apache.org/~mturk/docs/article/ftwai.html.
2.2.9 supports variable interpolation in proxy configuration.
Now please use the users list in
ldn't it guard against this by reporting a syntax error if
secure (or indeed httponly) is set to an unrecognised value?
Or have I just been staring at a screen for too long?
--
Nick Kew
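The cookie-flag parsing discussed in the earlier mod_rewrite thread (the "HttpOnly" comparison that was cut and pasted against "true"/"1") and again just above (reporting a syntax error when secure or httponly is set to an unrecognised value), as an added example that is not mod_rewrite's code: parse_cookie_flag accepts the spec booleans true/1 and false/0 plus the flag's own descriptive name, and fails closed on anything else instead of quietly treating a typo as "off". The FLAG_* codes, the function names and the idea of returning a Set-Cookie suffix are assumptions for illustration.

```c
#include <stdio.h>
#include <ctype.h>
#include <string.h>
#include <stddef.h>

enum { FLAG_SYNTAX_ERROR = -1, FLAG_OFF = 0, FLAG_ON = 1 };

/* ASCII case-insensitive equality, so the demo does not depend on the
 * POSIX strcasecmp. */
static int eq_nocase(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == '\0' && *b == '\0';
}

/* descriptive names this flag ("secure" for the secure flag, "HttpOnly"
 * for the httponly flag); value is what the configuration supplied.
 * Accepts true/1, false/0 and the flag's own name. Anything else, including
 * the other flag's name pasted into the wrong place, is a syntax error
 * rather than a silent "off". "1" and "0" are compared exactly: there is
 * no case to fold, so no strcasecmp is needed for them. */
int parse_cookie_flag(const char *descriptive, const char *value)
{
    if (value == NULL || *value == '\0')
        return FLAG_SYNTAX_ERROR;
    if (eq_nocase(value, "true") || strcmp(value, "1") == 0)
        return FLAG_ON;
    if (eq_nocase(value, "false") || strcmp(value, "0") == 0)
        return FLAG_OFF;
    if (eq_nocase(value, descriptive))
        return FLAG_ON;
    return FLAG_SYNTAX_ERROR;
}

/* Build the attribute suffix for a Set-Cookie header from both flag values.
 * Returns 0 and writes the suffix (possibly empty), or -1 if either value
 * was rejected, in which case the caller should fail the configuration
 * rather than emit a cookie with the flag silently dropped. */
int cookie_flag_suffix(const char *secure_val, const char *httponly_val,
                       char *out, size_t outlen)
{
    int s = parse_cookie_flag("secure", secure_val);
    int h = parse_cookie_flag("HttpOnly", httponly_val);
    if (s == FLAG_SYNTAX_ERROR || h == FLAG_SYNTAX_ERROR)
        return -1;
    int n = snprintf(out, outlen, "%s%s",
                     s == FLAG_ON ? "; Secure" : "",
                     h == FLAG_ON ? "; HttpOnly" : "");
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    char buf[64];
    /* Constructed inputs: a correct pair, then the cut-and-paste mistake. */
    if (cookie_flag_suffix("true", "HttpOnly", buf, sizeof buf) == 0)
        printf("ok: \"%s\"\n", buf);
    if (cookie_flag_suffix("secure", "secure", buf, sizeof buf) != 0)
        printf("rejected: httponly=secure is a syntax error\n");
    return 0;
}
```

The important property is the last case: a value that is valid for one flag but meaningless for the other is an error, not an "off". A parser that only checked for "true" and "1" would accept "HttpOnly" as off and quietly ship a cookie readable from script.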
an just register a different authn_provider
> struct and not put a reference to its own own get_realm_hash() in it)
As Rüdiger just said, Hmm?
--
Nick Kew
On Mon, 21 Jul 2008 08:51:54 -0400
"Eric Covener" <[EMAIL PROTECTED]> wrote:
> On Mon, Jul 21, 2008 at 8:37 AM, Nick Kew <[EMAIL PROTECTED]> wrote:
> > On Mon, 21 Jul 2008 08:09:23 -0400
> > "Eric Covener" <[EMAIL PROTECTED]> wrote:
> >
- Trunk version of patch(es) works
> - +1: tdonovan
That's actually different: only the first patch was already proposed.
Maybe you'd like to clarify?
--
Nick Kew
On Thu, 07 Aug 2008 08:09:56 -0400
Tom Donovan <[EMAIL PROTECTED]> wrote:
> Nick Kew wrote:
> > On Thu, 07 Aug 2008 01:30:49 -
> > [EMAIL PROTECTED] wrote:
> >
> >> remove proposal accidentally added twice
> >
> > I was about to ask whether
gurable:
e.g. add a const char *sep argument to the function.
--
Nick Kew
sonableVO rely).
Not sure about Mandriva, but it's surely better than nothing.
It seems clear that users *really* want it. I'd say that adds
weight to the argument for including it and taking the risk.
It might be worth a --with-SNI configuration option, which
would label it as an experim
entry/using_mod_sed_to_filter
I happen to know that Basant and Sun will be happy for us
to adopt mod_sed, and I think that with that blog entry
reworked into a howto doc, it'll add real value to httpd.
Any thoughts on dropping it in to trunk, with a view
to including it as standard in 2.4 in due course?
--
e request headers
(that's what processing hooks are for), and the sysop shouldn't
have to configure it.
Does something bad happen if you put the check in a post_read_request
hook instead?
--
Nick Kew
what substitute
provides seems to be a strict subset of mod_sed ?
That's a decision that can wait for 2.4, by which time we should have
more user feedback to base it on.
--
Nick Kew
assuming I understand your meaning aright)
--
Nick Kew
On 21 Aug 2008, at 13:28, Jim Jagielski wrote:
On Aug 20, 2008, at 6:53 PM, Nick Kew wrote:
A little while ago, Basant Kukreja published mod_sed under the
Apache license. He's now also written a blog entry that could
become the basis for a tutorial into how mod_sed is much more
than a
kind-of describe it, but as of
now it would seem lonely there. I wonder if there's a case for
modules/misc/ ?
--
Nick Kew
atches, the lower the barrier to those round tuits.
--
Nick Kew
On Tue, 26 Aug 2008 23:31:25 +0200
Ruediger Pluem <[EMAIL PROTECTED]> wrote:
> [chop]
Bah. Thanks for spotting that.
Just trying to clean up my repo here - going through differences
between /trunk/ and mine and either committing or abandoning
local variants.
--
Nick Kew
- were propagated to the backend appserver?
If so, I'd think that a nicer solution than a new directive.
--
Nick Kew
ement a different
> interface, if a suitable one can be found.
There isn't a problem with new directives. I merely suggested an
alternative that I think makes sense in this instance. Evidently
not everyone agrees. Bottom line: if you're doing the work, then
you decide what approach you prefer.
--
Nick Kew
esp regarding efficient use of buckets,
> is lacking in mod_sed...
Anecdotal and benchmark data suggest that it's competitive
in performance terms. Now that it's in svn, we can further
improve it. Ruediger's comments look like a start on that.
--
Nick Kew
On Fri, 5 Sep 2008 11:07:25 +0100
"Armando Oliveira" <[EMAIL PROTECTED]> wrote:
> Hello
>
>
> In the context of CVE-2008-2364 what is the meaning of interim
> responses ? How can this affect apache ?
Section 10.1 of RFC2616.
--
Nick Kew
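The interim-response handling behind the CVE-2008-2364 question above and the June test-suite thread earlier on this page (tests that send 17 interim responses, which the proxy now rejects), as an added example that is not httpd's mod_proxy code: read_final_status walks a backend response stream, skips 1xx responses as RFC 2616 section 10.1 requires, but refuses to skip more than a fixed number of them so a backend cannot keep the proxy busy indefinitely. The cap MAX_INTERIM, the function names and the constructed stream are assumptions for this demo; the thread does not state httpd's actual limit.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stddef.h>

/* Assumed cap for this demo; httpd's real limit is not stated on the page. */
#define MAX_INTERIM 10

/* Parse "HTTP/1.x NNN reason\r\n" at p. Returns the status code, or -1 if
 * the line is malformed. *after receives the byte following the CRLF. */
static int parse_status_line(const char *p, const char **after)
{
    if (strncmp(p, "HTTP/1.", 7) != 0)
        return -1;
    const char *sp = strchr(p, ' ');
    const char *eol = strstr(p, "\r\n");
    if (sp == NULL || eol == NULL || sp > eol)
        return -1;
    char *end;
    long code = strtol(sp + 1, &end, 10);
    if (end != sp + 4 || code < 100 || code > 999)
        return -1;
    *after = eol + 2;
    return (int)code;
}

/* Skip the header block after a status line, returning the byte after the
 * terminating blank line, or NULL if there is none. Searching from two
 * bytes back covers the "no headers at all" case, where the status line's
 * own CRLF is the first half of CRLFCRLF. */
static const char *skip_headers(const char *after_status)
{
    const char *blank = strstr(after_status - 2, "\r\n\r\n");
    return blank ? blank + 4 : NULL;
}

/* Walk a backend response stream. 1xx responses are skipped (a client must
 * be prepared to accept any number of them per RFC 2616 10.1), but only up
 * to MAX_INTERIM. Returns the final status code, -1 on malformed input, or
 * -2 when the cap is exceeded. *interim receives the number skipped. */
int read_final_status(const char *stream, int *interim)
{
    const char *p = stream;
    *interim = 0;
    for (;;) {
        const char *after, *next;
        int code = parse_status_line(p, &after);
        if (code < 0)
            return -1;
        next = skip_headers(after);
        if (next == NULL)
            return -1;
        if (code >= 200)
            return code;
        if (++*interim > MAX_INTERIM)
            return -2;
        p = next;
    }
}

/* Constructed test input: n "100 Continue" responses followed by a 200.
 * Returns 0, or -1 if buf is too small. */
int build_stream(int n, char *buf, size_t len)
{
    size_t o = 0;
    for (int i = 0; i <= n; i++) {
        const char *piece = (i < n) ? "HTTP/1.1 100 Continue\r\n\r\n"
                                    : "HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n";
        int w = snprintf(buf + o, len - o, "%s", piece);
        if (w < 0 || (size_t)w >= len - o)
            return -1;
        o += (size_t)w;
    }
    return 0;
}

int main(void)
{
    char buf[2048];
    int interim, rc;
    build_stream(17, buf, sizeof buf);
    rc = read_final_status(buf, &interim);
    printf("17 interim responses: rc=%d after %d skipped\n", rc, interim);
    build_stream(2, buf, sizeof buf);
    rc = read_final_status(buf, &interim);
    printf("2 interim responses: rc=%d after %d skipped\n", rc, interim);
    return 0;
}
```

A stream with 17 interim responses is rejected once the cap is passed; two are skipped and the 200 is returned. The point of the cap is that "any number" in the RFC is a statement about protocol correctness, not an invitation to let an untrusted backend loop the proxy forever.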
k_pre_connection(utf8_pre_conn, NULL, NULL,
> APR_HOOK_MIDDLE); +
> +ap_register_input_filter(utf8_filter_name, utf8_in_filter, NULL,
> + AP_FTYPE_NETWORK - 1);
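Review bot: the ap_register_input_filter call places utf8_in_filter at AP_FTYPE_NETWORK - 1, which is above every connection-level filter, so on the input side it runs before mod_ssl has decrypted the bytes (mod_ssl's input filter is a connection-level filter) and before any content-level decoding; a filter that validates request text as UTF-8 would be looking at ciphertext or compressed data on such connections. Register it at AP_FTYPE_PROTOCOL or AP_FTYPE_RESOURCE instead, and since it then only makes sense once a request exists, insert it from a request-phase hook rather than the pre_connection hook registered just above, which also gives the module a natural place to bail out for requests it should not touch.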
Huh? Isn't that before mod_ssl, let alone mod_deflate, mod_charset?
And no escape path
right. The justification for the RFC-breaking
connection
drop is IIRC that it's merely propagating the same from the backend
to the client. That doesn't apply in the case of a timeout.
--
Nick Kew
ikely huge problems with this, but I would like
to see how far
we can push the Event MPM, figure out what to do better, if there
is anything,
and then really dive into the 3.0 development before ApacheCon.
Damn. I'll hafta try & look at this.
--
Nick Kew
doing mass hosting.
We have a start on enabling this with the expression parser, which
enables configuration sections to be applied conditionally on an
expression evaluated at runtime. That's work-in-progress and needs
revisiting, but it can use env vars in its expression evaluation,
and templating with them should be a natural future direction.
(and of course, you can always use mod_rewrite).
--
Nick Kew
ATE_WRITE_COMPLETION;
-check_pipeline(c);
-if (ap_extended_status)
-ap_time_process_request(c->sbh, STOP_PREQUEST);
+return ap_process_request_after_handler(r);
}
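Review bot: `return ap_process_request_after_handler(r);` returns a value from a function declared void, which is the compile error noted below; either the enclosing function's return type has to change to match ap_process_request_after_handler's, or the line should become a plain call followed by `return;`. Separately, the hunk deletes check_pipeline(c) and the ap_extended_status guarded ap_time_process_request(c->sbh, STOP_PREQUEST) call without anything visible replacing them; unless ap_process_request_after_handler performs both, pipelined requests on the connection and the extended-status request timing are silently lost, so the patch should state where those moved.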
This is a compile error in a void function.
What exactly was intended here?
--
Nick Kew
hing with attached patch.
At a glance, this looks like more than one patch. The proxy_http
patch looks straightforward, but does the event MPM fix do anything?
I mean, does the scoreboard allocate memory per-request within
a connection? And if so, how does this affect other MPMs?
--
Nick Kew
ry that exports
the symbols you need.
For future reference, the modules-dev list would be more on-topic
for this kind of question.
You might also want to check whether mod_session and family could be
relevant to your needs.
--
Nick Kew
s, and whatever
is the equivalent on other platforms.
But is there any reason we shouldn't replace *each of* the above
functions with a hook?
--
Nick Kew
status: 1
rebuilding configure
NONE:0: m4: ERROR: EOF in string
autom4te: m4 failed with exit status: 1
A bit of googling suggests the culprit may be unbalanced
brackets or quotes somewhere in the M4, but I'm struggling
to find out where to look.
Any clues for hunting down the cause of this?
--
Nick Kew
and it was local to me. I had a modified
server/mpm/config.m4 which I'd used for my own MPM.
"svn up" with Paul's changes broke it.
When svn up breaks a source file, at least you get a
meaningful error message pointing to exactly what needs fixing.
This m4 is nasty!
--
Nick Kew
if we adopt mpm-simple we'll want comparable system modules
for non-unixlike platforms there too.
--
Nick Kew
on over whether everything goes into
the module, or some stuff remains in the old unixd. Just about to look
at Paul's update to that.
Simple MPM was just a good cue to actually do something. When simple
told me the "User" directive in httpd.conf was unrecognised
--
Nick Kew
doing for the
prefork/worker/event MPMs. Hacking on it now, but breakage is
likely for a while longer.
--
Nick Kew
On Tue, 4 Nov 2008 00:27:24 +
Nick Kew <[EMAIL PROTECTED]> wrote:
> On Mon, 03 Nov 2008 14:49:21 -0800
> Chris Darroch <[EMAIL PROTECTED]> wrote:
>
> > Hi --
> >
> >I've been trying to get trunk to compile and run today, and
> > if I com
> the userid / groupid.
I deliberately avoided that, because I'm planning updates that
may not apply to mod_cgid.
But on further thought, I can work around that, and it's cleaner
to take it out of unixd.h as you've just done.
--
Nick Kew
work with a new
conventional module under arch/unix instead.
At least, that's the general idea.
--
Nick Kew
that, what remains in os/unix is just whatever doesn't
belong in mod_unixd.
--
Nick Kew
lternatives to
mod_unixd, that can either work alongside it (additional functions)
or replace it entirely (other platforms under simple MPM, or
alternative security models such as perchild).
--
Nick Kew
dules/arch/unix/mod_privileges.c
http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_privileges.xml
--
Nick Kew
hen you find time :-)
> Before I jump in too deep, Nick is there any particular reason that
> you think that a backport should NOT be attempted?
No reason at all ... see above.
--
Nick Kew
ork privileges
> enforced by operating system is more worthwhile feature.
>
> A security focused MPM is a key facility to enable the idea.
> I assume it does not give first priority to performance,
> but it enables resolving some kinds of security nightmares.
Thanks for telling us
Not sure what happened to this yesterday ... reposting.
Begin forwarded message:
Date: Fri, 28 Nov 2008 17:32:50 +
From: Nick Kew <[EMAIL PROTECTED]>
To: dev@httpd.apache.org
Subject: Re: Intent to Roll 2.3.0-alpha
Paul Querna wrote:
> Hi dev@,
>
> FYI, I intend to roll 2
rror bucket when we encounter
it in ap_http_header_filter. But I wonder if there are any
other edge-cases that might arise from that? If so, we
could perhaps _only_ delete a bucket if it is an
AP_FILTER_ERROR.
Thoughts?
--
Nick Kew
On Sun, 30 Nov 2008 18:22:39 -0500
"Eric Covener" <[EMAIL PROTECTED]> wrote:
> On Sun, Nov 30, 2008 at 5:20 PM, Nick Kew <[EMAIL PROTECTED]> wrote:
> > In practice, the proposed fix looks good, and I want to
> > vote +1. I'm just a little concerned over
chain] {
    log this
    type = HTTP_INTERNAL_SERVER_ERROR;
}
else {
    return;
}
}
That looks good, too.
But do you see any objection to the (IMHO simpler) fix of
removing error buckets as we detect them?
--
Nick Kew
On 1 Dec 2008, at 08:17, Paul Querna wrote:
I've committed a few new modules to trunk tonight:
Interesting.
Are we expecting docs anytime soon?
--
Nick Kew
apr_bucket_delete(e);
continue;
}
/*
--
Nick Kew
On 1 Dec 2008, at 10:19, Ruediger Pluem wrote:
if (eb) {
-ap_die(eb->status, r);
+int status;
+
+status = eb->status;
+apr_brigade_cleanup(b);
+ap_die(status, r);
return AP_FILTER_ERROR;
}
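Review bot: copying eb->status into the local `status` before apr_brigade_cleanup(b) is the required order, because the cleanup destroys every bucket in b, eb included, so the old `ap_die(eb->status, r)` form could not be kept once the cleanup was added. Emptying the brigade before ap_die(status, r) runs is what prevents the error bucket from being met a second time when the error response itself passes down the filter chain, which is the double-handling concern raised earlier in the thread. One thing to confirm: any other buckets queued in b at this point are discarded as well, which is consistent with the "clean everything" choice rather than the "delete only the AP_FILTER_ERROR bucket" alternative discussed above, so the behaviour should be stated in the commit message.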
Good call. +1 to that.
--
Nick Kew
nk I've
figured out more in trying to reply than I had before :-)
--
Nick Kew
raising it.
--
Nick Kew
bout some ballpark figures for the footprint - both disc and
memory - of this proposal? That is, mod_wombat taken together with
lua and any other dependencies like apreq if used.
--
Nick Kew
, as a complete
replacement for mod_unixd.
Seems like they would be good general statically linked defaults.
It needs to know there is *some* system privileges scheme in
operation and isn't running as unprotected root. But that's all.
--
Nick Kew
*plog,
apr_pool_t *ptemp)
{
win_nt = (osver.dwPlatformId != VER_PLATFORM_WIN32_WINDOWS);
+ap_sys_privileges_handlers(1);
return OK;
}
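Review bot: ap_sys_privileges_handlers(1) is called unconditionally, immediately after win_nt is computed from osver.dwPlatformId; on the non-NT platform that flag exists to detect (dwPlatformId == VER_PLATFORM_WIN32_WINDOWS), there is no per-user privilege separation for the server to rely on, so asserting that a system privileges scheme is in force there is misleading. Either condition the call on win_nt, or document that the legacy platform is out of scope for this module, so that the flag's meaning ("some privilege scheme is active and we are not running unprotected") stays truthful.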
--
Nick Kew
with him?
Contact other contributors as a courtesy, but not let it worry us if
some of them prove uncontactable, only if someone actually objects?
--
Nick Kew
On Tue, 9 Dec 2008 21:56:43 +
Nick Kew <[EMAIL PROTECTED]> wrote:
> Does anyone have a complete list of people who have made nontrivial
> contributions, such that their IP might be affected?
Ignore that - I meant to chop those lines when I read (as opposed
to skimmed) t
}_core.
> - rename mod_wombat to mod_luau
> - more documentation :)
>
> Anything else anyone thinks would be good to get in?
Ensure non-*X platforms not only compile, but stand some
chance of running. As noted in
http://marc.info/?l=apache-httpd-dev&m=122878524712562&w=2
--
Nick Kew
ile to show every modification to
> > every ChangeLog entry. (If anyone think any change is major, please
> > let me know)
>
>On a quick skim-through, what looks like the only large patch here
> belongs to Nick Kew, who's also an active httpd committer.
Hmmm, I know I'
nal
one, and managed to commit the wrong one in r729438 (I
blame the lurgy - just on the mend). Fixed in r729439.
mod_sed is shaping up to be one of the best new goodies
in 2.4!
--
Nick Kew
some users,
then on balance it's a Good Thing.
--
Nick Kew
a CLA or software grant.
+1. This is in the same ballpark as third-party patches we routinely
accept, e.g. from reports in bugzilla.
--
Nick Kew
ntation or the code is wrong.
Fixed in r731388, which is included in the backport proposal.
Thanks for reviewing.
--
Nick Kew
Ruediger Pluem wrote:
On 01/05/2009 02:16 PM, Nick Kew wrote:
Ruediger Pluem wrote:
Hm. I am slightly confused here. The documentation states that "abort"
should be
the default behaviour (that is the else branch), but if nothing is set
in the config
onfail defaults to -1 which woul
struct iovec
{
    char *iov_base;
    size_t iov_len;
};
#endif
--
Nick Kew
rpose.
Sorry, yes, Jeff was right. Looking at what gets passed to the
vararg-consuming function, that's apr_size_t.
Jeff, you have my +1 to add r731965 to my backport proposal in STATUS.
--
Nick Kew
m the upstream server or application."
r732504
--
Nick Kew
nal Server Error. But a script
that generates
garbage is an External Server Error, and a 502 response would be in
order.
It would be no bad thing to point the finger of blame at broken scripts
rather than confuse the authors with "internal" errors.
--
Nick Kew
traw...@gmail.com wrote:
[+1] Accept mod_fcgid into httpd
+1
And "Thanks!" to the mod_fcgid author and contributors!
+1 to that, too.
--
Nick Kew
n.apache.org/viewvc?rev=733219&view=rev
-2.2.x:
- trunk works
-+1: covener, niq, rpluem
--
Nick Kew
be affected and misleading?
--
Nick Kew