Re: [External] Re: Apache HTTP Server dependency on OpenSSL

2022-11-09 Thread Julian Reschke
On 09.11.2022 08:39, Payyavula, Manjula Vani via dev wrote: Hi Team, We are facing security vulnerability with "fasterxml jackson databind" dependency 2.13.3, 1.13.4, .. so on. Even if we used latest 2.14.0-rc2 version also did not resolve the "CVE-.." type vulnerabilities. Could you please

Re: CVE-2022-1388

2022-05-18 Thread Julian Reschke
On 18.05.2022 at 14:50, Ruediger Pluem wrote: On 5/18/22 2:31 PM, Eric Covener wrote: Given the above, I believe the interpretation of X-F5-Auth-Token should be that it is an end-to-end header, and should therefore NOT be removed from the proxied request. The text does say "All other

Fwd: Working Group Last Call: HTTP Core Documents

2021-01-14 Thread Julian Reschke
(FYI) Forwarded Message Subject: Working Group Last Call: HTTP Core Documents Resent-Date: Thu, 14 Jan 2021 17:49:41 + Resent-From: ietf-http...@w3.org Date: Thu, 14 Jan 2021 09:49:22 -0800 From: Tommy Pauly To: HTTP Working

Re: Reject HTTP protocols >= 2.0 in ap_parse_request_line?

2020-06-08 Thread Julian Reschke
On 08.06.2020 16:59, Yann Ylavic wrote: On Mon, Jun 8, 2020 at 9:56 AM Ruediger Pluem wrote: I came across the question if we should not reject HTTP protocols >= 2.0 in the request line when we parse it in ap_parse_request_line. Why not >= 1.2 ? In *theory*, there could be a future HTTP/1.2

Re: keep-alive and vary in 304 responses

2019-04-10 Thread Julian Reschke
On 10.04.2019 16:10, Stefan Eissing wrote: On 10.04.2019 at 15:57, Julian Reschke wrote: On 10.04.2019 14:53, Plüm, Rüdiger, Vodafone Group wrote: ... Not sure about this. I guess with TE each hop could be different in what it accepts and generates. This is different from CE. As far as I

Re: AW: keep-alive and vary in 304 responses

2019-04-10 Thread Julian Reschke
On 10.04.2019 14:53, Plüm, Rüdiger, Vodafone Group wrote: ... Not sure about this. I guess with TE each hop could be different in what it accepts and generates. This is different from CE. As far as I understand the accept-encoding header is only for CE not for TE. ... Right (that would be

Re: keep-alive and vary in 304 responses

2019-04-10 Thread Julian Reschke
On 10.04.2019 12:49, Yann Ylavic wrote: On Wed, Apr 10, 2019 at 12:10 PM Stefan Eissing wrote: On 09.04.2019 at 18:48, Roy T. Fielding wrote: 2. Validation responses lose the "Vary" header from the unconditional response. This happens on resources where mod_deflate is active. The 200

Re: keep-alive and vary in 304 responses

2019-04-10 Thread Julian Reschke
On 10.04.2019 09:24, Mario Brandt wrote: On Tue, 9 Apr 2019 at 12:31, Stefan Eissing wrote: I just did some tests with https://redbot.org/ (the site tester by Mark Nottingham) against our server and it notifies of 2 things: 1. The "Keep-Alive" header is deprecated. I tried to "Header unset

Re: CVE-2018-11763: mod_http2, DoS via continuous SETTINGS frames

2018-10-02 Thread Julian Reschke
On 9/25/2018 4:26 PM, Barry Pollard wrote: I'm confused. Why are there no changes to mod_http2 mentioned in: http://www.apache.org/dist//httpd/CHANGES_2.4.35 to presumably address this CVE? Or does one of the other changes

Re: RFC 7230..7235 Parsing Conformance?

2016-05-17 Thread Julian Reschke
On 2016-05-17 19:01, Graham Leggett wrote: On 17 May 2016, at 6:43 PM, William A Rowe Jr wrote: Wondering what other contributors are thinking on this topic. We have a number of changes in the ABNF grammar between RFC2616 and RFC7230..7235. Do we want trunk 2.6/3.0 to be

Re: doubly defined extensions in mime.types

2013-03-20 Thread Julian Reschke
On 2013-03-20 11:16, Nick Kew wrote: On 20 Mar 2013, at 03:47, Chris Darroch wrote: Hi -- I notice we have the .wmz and .sub file extensions each defined twice in trunk mime.types: .wmz: application/x-msmetafile, application/x-ms-wmz Couldn't tell you how those arise. Should we really

Re: If-Match not supported with PROPFIND?

2012-09-26 Thread Julian Reschke
On 2012-09-25 04:38, Timothy Wood wrote: My reading of the WebDAV spec leads me to believe that PROPFIND should support If-Match, but trying it and looking at the code for dav_method_propfind() I don't see a call to dav_validate_request(), dav_meets_conditions() or ap_meets_conditions(). Is

Re: Time for Apache httpd 2.4.3 ??

2012-07-13 Thread Julian Reschke
On 2012-07-13 18:02, Jim Jagielski wrote: If these can be added somewhat quickly, I'm willing to fast-track them into 2.4.3. ... I'm currently challenged by Cygwin so I can't make the changes myself (well, unless somebody wants to do the hand-holding to get my build working). Can we get

Re: Time for Apache httpd 2.4.3 ??

2012-07-13 Thread Julian Reschke
On 2012-07-13 23:02, Rainer Jung wrote: ... If no one objects, I'll commit during the weekend. ... Sounds good to me, and many thanks! Best regards, Julian

Re: Time for Apache httpd 2.4.3 ??

2012-07-12 Thread Julian Reschke
On 2012-07-11 19:15, Roy T. Fielding wrote: I don't know of any issues with 308, and Julian generally knows what he is doing with regard to HTTP. In general, we should consider Thanks :-) the IANA registry to be authoritative unless it is a known bug, In which case we should fix the

Re: Time for Apache httpd 2.4.3 ??

2012-07-11 Thread Julian Reschke
On 2012-07-11 05:09, Jim Jagielski wrote: Just how supported and standard is this? Chrome seems to use it for something else: http://code.google.com/p/gears/wiki/ResumableHttpRequestsProposal I was told by Google that they are phasing this out (this may already have happened), and

Re: Time for Apache httpd 2.4.3 ??

2012-07-10 Thread Julian Reschke
On 2012-07-10 16:16, Jim Jagielski wrote: I'd like to propose an Apache httpd 2.4.3 release RSN... I'll RM. Would be awesome to get https://issues.apache.org/bugzilla/show_bug.cgi?id=53292 into both trunk and 2.4.*... Best regards, Julian

build problems

2012-07-05 Thread Julian Reschke
Hi there, I was trying to build trunk, and encountered the following problem (after running autoconf; assuming that was right): $ ./configure --prefix=/srv ./configure: line 2909: syntax error near unexpected token `Apache,' ./configure: line 2909: `APR_ENABLE_LAYOUT(Apache, errordir

Re: build problems

2012-07-05 Thread Julian Reschke
On 2012-07-05 14:17, Plüm, Rüdiger, Vodafone Group wrote: You don't need to run autoconf. If you want to rebuild configure please run buildconf in the same directory as configure. ... I don't want to *re*build configure, I just want to *build* it. It's not in SVN, after all. So what are

Re: build problems

2012-07-05 Thread Julian Reschke
On 2012-07-05 14:57, Plüm, Rüdiger, Vodafone Group wrote: Then you need to execute buildconf. It is mandatory in this case. Regards Rüdiger ... I see; thanks for the help!

Re: TRACE still enabled by default

2012-03-20 Thread Julian Reschke
On 2012-03-20 20:04, Stefan Fritsch wrote: ... It can also compound security issues in webapps. In general, one can ^^^ How so? When you say webapps, are you referring to something not running via script/XHR? Best regards, Julian

Re: ACL changes in mod_dav

2010-02-23 Thread Julian Reschke
On 22.02.2010 19:25, Brian J. France wrote: On Feb 20, 2010, at 11:23 PM, markus.l...@dlr.de wrote: I have added ACL features to the mod_dav module. Could you tell me the correct way to get these changes reviewed and into the official mod_dav-source? Did you use any of the

Re: mod_dav inconsistent behaviour for GET requests

2010-01-29 Thread Julian Reschke
Stefan Fritsch wrote: Hi, mod_dav doesn't handle GET requests in a consistent way: If a repos provider has handle_get == 1, mod_dav will handle GET requests by itself. This means no other handler will get a chance to interpret the file as script or SSI. On the other hand, if the repos

Re: DAV Option Patch

2009-09-15 Thread Julian Reschke
Brian J. France wrote: ... There is one drawback to this patch in that there could be duplicated values in the headers. Both mod_dav_acl and mod_caldav want to add the REPORT in the Allow header, so it would show up twice in the list. I am not sure if this is a major problem, but wanted to

Re: WebDav MOVE/COPY between servers

2008-07-17 Thread Julian Reschke
Rafał wrote: Hello! I've done first part of the job - there is now a FETCH method that works in that way: FETCH /destination/path HTTP/1.1 Source: http://webdav.example.com/webdav-resource-to-fetch ... I'm not sure it's a good idea to define a new method for that. If people *really*

DefaultType None directive

2008-07-03 Thread Julian Reschke
Hi, looking at https://issues.apache.org/bugzilla/show_bug.cgi?id=13986#c64: --- Comment #64 From Phil Ringnalda 2008-07-03 00:07:23 PST [reply] --- While I don't have any real expectation of action coming from a comment on a resolved bug, I still want to mention that the fix

Re: WebDav MOVE/COPY between servers

2008-07-03 Thread Julian Reschke
Rafał wrote: Hello. My name is Rafał Malinowski. I want (really, I have to) add one feature to WebDav: support for MOVE/COPY with remote servers as 'Destination'. Why? Do you have any clients that would use it? As I looked into code and into specification such thing is allowed, but

Re: WebDav MOVE/COPY between servers

2008-07-03 Thread Julian Reschke
Rafał wrote: On 3-07-2008 at 13:22, Julian Reschke wrote: Rafał wrote: Hello. My name is Rafał Malinowski. I want (really, I have to) add one feature to WebDav: support for MOVE/COPY with remote servers as 'Destination'. Why? Do you have any clients that would use it? I

Re: Expect: non-100 messages

2008-04-03 Thread Julian Reschke
Charles Fry wrote: Greetings Apache Developers, We have implemented an Apache module which needs to process incoming Expect headers for non-100-expectations. The version of server/protocol.c currently in the trunk has a hard-coded Expect header check that handles Expect: 100-continue, but fails

Re: Expect: non-100 messages

2008-04-03 Thread Julian Reschke
Charles Fry wrote: Well, I guess that partly depends on how deployed proxies deal with unrecognized Expect headers. Do any of you have any practical knowledge of how current proxies deal with new Expect headers? There does at least seem to be a precedent with WebDAV sending 102 status codes

Re: new mime type needed?

2007-11-07 Thread Julian Reschke
Guenter Knauf wrote: Hi, just another compression utility is going to become very popular: http://www.7-zip.org/ and there's also a commandline for Unix / Win32: http://sourceforge.net/projects/p7zip/ maybe we should add the .7z extension to the httpd mime.types file? perhaps something like:

Re: thoughts on ETags and mod_dav

2007-10-15 Thread Julian Reschke
Chris Darroch wrote: Hi -- 1) Per #38034, it appears that ap_meets_conditions() treats * incorrectly. More precisely, I should say that ap_meets_conditions() isn't designed to support the NULL resources of RFC 2518 (WebDAV). I'm certainly no expert on these issues, so guidance is

Re: ETag and Content-Encoding

2007-10-03 Thread Julian Reschke
Henrik Nordstrom wrote: On ons, 2007-10-03 at 13:29 -0700, Justin Erenkrantz wrote: The issue here is that mod_dav_svn generates an ETag (based off rev num and path) and that ETag can be later used to check for conditional requests. But, if mod_deflate always strips a 'special' tag from the

Re: updated mime.types

2007-08-31 Thread Julian Reschke
Roy T. Fielding wrote: Please check out the updated mime.types file and, if possible, see if it breaks anything on a real site. http://svn.apache.org/repos/asf/httpd/httpd/trunk/docs/conf/mime.types Technically, it is docs, but I am blurry-eyed at the moment and need to do *something* for my

Re: Reverse proxy mode and DAV protocol

2007-04-04 Thread Julian Reschke
Eygene Ryabinkin wrote: Julian, good day. Tue, Apr 03, 2007 at 06:52:59PM +0200, Julian Reschke wrote: Eygene Ryabinkin wrote: Good day! Sorry for rather long letter, but this is the summary from numerous discussions and I really tried to make it short. ... Hi. RFC2518bis allows

Re: Reverse proxy mode and DAV protocol

2007-04-04 Thread Julian Reschke
Eygene Ryabinkin wrote: Julian, Wed, Apr 04, 2007 at 01:12:54PM +0200, Julian Reschke wrote: Pardon for my stupidity, but what 'that reason' you are talking about? The previous letter was rather long and I fail to identify the exact point you're commenting. Could you, please, elaborate

Re: Reverse proxy mode and DAV protocol

2007-04-04 Thread Julian Reschke
Eygene Ryabinkin wrote: Julian, Wed, Apr 04, 2007 at 03:22:53PM +0200, Julian Reschke wrote: So, your point is that Apache should make no attempts to rewrite the 'Destination' header for DAV and clients should use absolute paths for DAV. Or we still need 'Destination' rewriting

Re: Reverse proxy mode and DAV protocol

2007-04-03 Thread Julian Reschke
Eygene Ryabinkin wrote: Good day! Sorry for rather long letter, but this is the summary from numerous discussions and I really tried to make it short. ... Hi. RFC2518bis allows the Destination header to be just an absolute path for exactly that reason (see

Re: 4GB File size limit

2005-01-03 Thread Julian Reschke
[EMAIL PROTECTED] wrote: Hmmm, I wonder if the problem is the browser? I've tried downloading that file with Opera and IE and on both browsers, it says the file is 75,673,600 bytes, which is wrong. So does Firefox. However, Live HTTP Headers shows: GET

Re: 4GB File size limit

2005-01-03 Thread Julian Reschke
Julian Reschke wrote: 4370640896 is 0x10482B000 and 75673600 is 0x482B000, so this is almost certainly a 32-bit integer overflow. Somebody should open an issue on the Mozilla bug tracker https://bugzilla.mozilla.org/show_bug.cgi?id=276927 -- green/bytes GmbH -- http://www.greenbytes.de

Re: Any plans for RFC3744

2004-06-14 Thread Julian Reschke
Bennett, Tony - CNF wrote: ... Also...One question I had about 3744... the RFC says in the Introduction: ...The operations you can perform are determined by a single access control list (ACL) associated with a resource. This seems to mirror UNIX's file mode... ...however, in UNIX if a

Re: mod_proxy distinguish cookies?

2004-05-06 Thread Julian Reschke
FYI: I recently had a long exchange with Microsoft's support regarding the Vary header, and the outcome was that they have at least *documented* their RFC2616 compliance issue: http://support.microsoft.com/default.aspx?scid=kb;en-us;824847 Best regards, Julian -- green/bytes GmbH --

Re: cvs commit: httpd-2.0 STATUS

2004-01-24 Thread Julian Reschke
Joe Orton wrote: On Sat, Jan 24, 2004 at 12:48:33AM +0100, André Malo wrote: * Greg Stein [EMAIL PROTECTED] wrote: On Fri, Jan 23, 2004 at 11:28:28PM +0100, André Malo wrote: Hmm, and then? I'd see it as a workaround for buggy clients like the redirect-carefully variable. It's a matter of

httpd 2.1 project plan vs LINK method

2004-01-14 Thread Julian Reschke
From...: http://httpd.apache.org/dev/project-plan.html - Implementation of the LINK Method Can anybody tell me what this is? Regards, Julian -- green/bytes GmbH -- http://www.greenbytes.de -- tel:+492512807760

Re: httpd 2.1 project plan vs LINK method

2004-01-14 Thread Julian Reschke
Roy T. Fielding wrote: On Wednesday, January 14, 2004, at 01:04 PM, Julian Reschke wrote: From...: http://httpd.apache.org/dev/project-plan.html - Implementation of the LINK Method Can anybody tell me what this is? See RFC 2068, section 19.6.1.2 and 19.6.2.4 (you might want to look