Re: Comments on accept-mutex/single-listen patch ??

2001-08-28 Thread Dirk-Willem van Gulik
On Tue, 28 Aug 2001, Jim Jagielski wrote: > Anyone get a chance to look over and try out the latest patch? Looking at it.. (And trying to compare it with what I've got here to make sure I still have all the functionality I needed). Seems all cool so far. Dw

Re: Comments on accept-mutex/single-listen patch ??

2001-08-30 Thread Dirk-Willem van Gulik
On Wed, 29 Aug 2001, Jim Jagielski wrote: > Jeff Trawick wrote: > > > > how would it not work? fubar kernel? > > The trick would be in it *working*... NONE implies no mutexing > at all, even for multiple listeners. And *that's* the exception. In some environments - for example with a clever l

Re: Comments on accept-mutex/single-listen patch ??

2001-08-30 Thread Dirk-Willem van Gulik
On Wed, 29 Aug 2001, Marc Slemko wrote: > On Wed, 29 Aug 2001, Jim Jagielski wrote: > > > Marc Slemko wrote: > > > > > > So I don't see how "NONE" is viable on _ANY_ platform in the multiple > > > listener case. It may seem to "mostly" work, but it is not reliable and > > > can not be permitte

Re: Comments on accept-mutex/single-listen patch ??

2001-08-30 Thread Dirk-Willem van Gulik
On Wed, 29 Aug 2001, Jim Jagielski wrote: > Basically the patch creates a set method based on that, and *allows* it to > be compiled in if desired. Nothing more. I'd like more people > to test the OS X implementation out, because that's the only one > so far that I've seen that appears to work

Re: Comments on accept-mutex/single-listen patch ??

2001-08-30 Thread Dirk-Willem van Gulik
On Wed, 29 Aug 2001, Marc Slemko wrote: > On Wed, 29 Aug 2001, Marc Slemko wrote: > > > On Wed, 29 Aug 2001, Jim Jagielski wrote: > > > > > Marc Slemko wrote: > > > > > > > > So I don't see how "NONE" is viable on _ANY_ platform in the multiple > > > > listener case. It may seem to "mostly" wor

Re: Comments on accept-mutex/single-listen patch ??

2001-08-30 Thread Dirk-Willem van Gulik
On Wed, 29 Aug 2001, Marc Slemko wrote: > There is nothing to test. Using the 1.3 process based model, you need > serialized accepts if you have multiple listening sockets. Period. Unless your kernel socket or higher level accept filters do the serialization for you. Dw

Re: Comments on accept-mutex/single-listen patch ??

2001-08-30 Thread Dirk-Willem van Gulik
On Thu, 30 Aug 2001, Jim Jagielski wrote: > To my mind, AcceptMutex is key, and if SingleListen needs to go > then fine... IMHO AcceptMutex already allows you to shoot yourself in the foot. On some platforms also allowing SingleListen shooting would be fine. I'm still trying to actually prove

Re: 301 Redirect through a firewall... Possible to hide the originserver ip address?

2001-09-14 Thread Dirk-Willem van Gulik
On Fri, 14 Sep 2001, Sander Temme wrote: > on 9/14/01 11:26 AM, Aaron Bannert at [EMAIL PROTECTED] wrote: > > > p.s. Are "GET ... HTTP/1.0" requests allowed to return "HTTP/1.1" responses? Yes - normally but see below. The '1.1' reply signals that the server would be able to talk 1.1(*) if requ

Re: WWW-Authenticate: Negotiate

2001-09-17 Thread Dirk-Willem van Gulik
Did not someone make a patch for this early after the feature was in IE 4? Dw On Mon, 17 Sep 2001, Martin Kraemer wrote: > I just noticed a feature of IIS 5.0 which is (if I am correct) > impossible to do with Apache (1.3/2.0), albeit very useful. It > is the possibility to use multiple au

Re: .asis handler isn't driven

2001-10-01 Thread Dirk-Willem van Gulik
On Mon, 1 Oct 2001, William A. Rowe, Jr. wrote: > We still have no mechanism to 'quantify' the quality of one handler or > filter over another. Funny that > > index.html 4000 bytes > index.cgi 500 bytes > > will serve index.cgi, based on size, when the cpu impact of index.html is > _signif

Re: .asis handler isn't driven

2001-10-01 Thread Dirk-Willem van Gulik
On Mon, 1 Oct 2001, William A. Rowe, Jr. wrote: > We are discussing the effect of on > negotiation. That handler isn't part of the calculation for negotation, > therefore my patch from a few weeks ago stopped adding that extension to > the list that was "automagically" acceptable to multivi

Re: who is using the Expat bundled with Apache 1.3?

2001-10-02 Thread Dirk-Willem van Gulik
On Tue, 2 Oct 2001, Greg Stein wrote: > So now the question arises, who is using the Expat that is included with > Apache 1.3? Was the goal of enabling XML usage successful? I am using it in a few modules; just simple read/parsing of for example jabber queries. It works for me gov. Dw

Wacking auth/access - right direction ?

2002-07-11 Thread Dirk-Willem van Gulik
Well, here it is, the late 1.3 going on 2.0. You know, so much of the sites we see today are all file based basic auth, we never get a chance to see strong auth practicing their craft anymore. By the year 2006, the service known today as the web will exist only in the unsecured brochure ware depa

RE: [PATCH] Workaround for bogobrowsers

2002-08-12 Thread Dirk-Willem van Gulik
yes please ! +1 > > redirect, and the redirect response's content-type includes a > > charset, they remember the charset and apply it to the target > > of the redirection -- overriding any charset the target's > > response specifies. > > > > This gets tickled when the redirect is coming out of

Re: mod_log_config

2002-08-27 Thread Dirk-Willem van Gulik
Yes please ! And if you could also add a nice feature to be able to switch logging on and off - that would be even nicer (i.e. rather than using clever !env= conditional logging - just be able to say that for this Vhost/Directory/File logging is 'off' (and not /dev/null or any hack)). Dw. On Sa

Re: Segmentation fault when downloading large files

2002-08-27 Thread Dirk-Willem van Gulik
This looks like a filter issue I've seen before; but could never quite reproduce. You may want to take this to [EMAIL PROTECTED]; as this is most likely related to the filters in apache; and not proxy specific. Dw. On Tue, 27 Aug 2002, Peter Van Biesen wrote: > Hello, > > I'm using an apach

Re: authentication rewrite

2002-08-27 Thread Dirk-Willem van Gulik
On Mon, 26 Aug 2002, Justin Erenkrantz wrote: > I need to be able to get at the authentication backends to implement > some DAV enhancements - namely DAV has its own authentication model > (DAV ACL support). My idea would be to allow mod_dav to reuse the > aaa backends and just implement the c

Re: authentication rewrite

2002-08-27 Thread Dirk-Willem van Gulik
> Yeah, you hit the problem with stacking - authoritative. I'm not > sure how useful having multiple backends could be. I'd almost > suggest that something like a PAM backend would be much better and > allows a fairly standard configuration. (I know Dirk has a PAM It is integrated into the PA

Re: El-Kabong -- HTML Parser

2002-08-27 Thread Dirk-Willem van Gulik
> I can't publicly post the source under the ASF license until it has been > accepted (which is a chicken & egg issue). I can, however, distribute > to individuals on a restricted basis for evaluation for acceptance. There is little (except for a few upset board members) stopping Covalent of po

Re: Apache 1.3.x and 2.0.x Performance Issue

2002-08-28 Thread Dirk-Willem van Gulik
On Tue, 27 Aug 2002, Jess M. Holle wrote: > * recent Apache 1.3.x on Windows: > o client on Solaris (8): 80K/sec > o client on Linux or Windows: 8MB/sec > * recent Apache 2.0.x on Windows: > o client on Solaris (8): 120K/sec > o client on Linux or

Re: Apache 1.3.x and 2.0.x Performance Issue

2002-08-28 Thread Dirk-Willem van Gulik
It would be nice if the client used was something like 'ab' - which comes with apache ran at 1-100 concurrency; or something like fetch, curl or wget to make the client identical on all platforms. Dw On Tue, 27 Aug 2002, Jess M. Holle wrote: > Ian Holsman wrote: > > > Jess M. Holle wrote: > >

Re: more on the charter (was: El-Kabong -- HTML Parser)

2002-08-28 Thread Dirk-Willem van Gulik
> I was thinking mostly along the lines that under the "web server project" > there exists the HTTP specific entities, and a HTML parser would Well - I am not sure where this APR (portability) or HTTP (hypertext protocol) focus comes from; we have umpteen parsers and processors and dommers and t

Re: authentication rewrite

2002-08-28 Thread Dirk-Willem van Gulik
> I don't want to add it in and then have to back it out because people > didn't realize that it is going to hose existing configs. Justin - you want me to commit this http://www.webweaving.org/~dirkx/aaa.tgz simplification first ? I've held back as we were releasing .40. That should make your li

Re: authentication rewrite

2002-08-28 Thread Dirk-Willem van Gulik
> Hmm. Crap. I'm looking at mod_auth_dbm.c. Damn... it appears that *both* > mod_auth and mod_auth_dbm define the AuthUserFile and AuthGroupFile > directives. Yes - this is the main reason I started the www.apache.org/~dirkx/aaa.tgz simplification. > Beats the crap outta me how that happens to

Re: Going to 2.1? was Re: authentication rewrite

2002-08-28 Thread Dirk-Willem van Gulik
> branches in CVS are awful (perhaps not so with SVN though). Actually - the branching is trivial - it is the merging or the MFC which is a bit of a pain. I'd not worry about it. Take a look at the FreeBSD crowd who maintains several stable/release/current branches with relatively little overhea

Re: Going to 2.1? was Re: authentication rewrite

2002-08-28 Thread Dirk-Willem van Gulik
> IMO, we shouldn't branch, and we shouldn't bother with a version bump. I > think we can ensure backwards compat for the directives, and only minor > changes in the modules which need to be LoadModule'd. That is quite fine for Aye - it is more the API than the directives. Dw

Re: El-Kabong -- HTML Parser

2002-08-29 Thread Dirk-Willem van Gulik
On Thu, 29 Aug 2002, Jon Travis wrote: > Any word on this? These things take time... and it pays off to do them well. There is absolutely no rush. Dw

Re: 2.0/2.1 split was Re: authn/authz split

2002-08-30 Thread Dirk-Willem van Gulik
On Fri, 30 Aug 2002, Justin Erenkrantz wrote: > I don't think we have enough of a community to continue active > development on two separate (but similar) trees. I don't want to > start 2.1 and still see everyone adding features to 2.0. -- justin Why not do a tiny temporary branch just for t

RE: Vote: mod_jk connector in /experimental

2002-09-03 Thread Dirk-Willem van Gulik
Aye ! Well said. Dw. On Tue, 3 Sep 2002, John K. Sterling wrote: > Here we go. > > kitchen sink come on - we let a module into experimental (auth_ldap) and > suddenly experimental will become the CPAN of apache. > > I think this is a silly idea personally. More cruft to maintain and to >

Re: Vote: mod_jk connector in /experimental

2002-09-04 Thread Dirk-Willem van Gulik
On Wed, 4 Sep 2002, Peter Van Biesen wrote: > how do you see this ? A core server with a bunch of .so's or hooks in > the build process to statically link optional modules ? Check out FreeBSD ports; basically a set of simple make files like: ls /usr/ports//mod_* mod_access_identd m

Re: [PATCH] compile mod_ssl in httpd 2.0 on Darwin 6.0

2002-09-07 Thread Dirk-Willem van Gulik
Works for me. Dw On Fri, 6 Sep 2002, Sander Temme wrote: > All, > > The following patch allows MacOSX/Darwin to find the SSL library. With this > patch, the current CVS HEAD of httpd-2.0 compiles with mod_ssl enabled and > passes all ssl tests in the perl-framework (except for ssl/proxy since

Inspiration: AUTH_REQUIRED - returned without a ap_note_digest_auth_failure(r);

2002-09-10 Thread Dirk-Willem van Gulik
We seem to be able to leak 401's without an ap_note_digest_auth_failure(r); I'd like to track down from where :-) Using MacOSX iCal (which does DAV publishing), DAV and Apache 1.3.26: Config: works fine; but adding or require valid-user... gives me

Digest/iCal - macosX - leaking AUTH_REQUIRED

2002-09-10 Thread Dirk-Willem van Gulik
Traced down to: Authorization: Digest username="dirkx", realm="DAV", nonce="1031662894", uri=/64Semantics.ics, response="99a6275793be28c31a5b6e4467fa4c79", algorithm=MD5 where we get confused by the uri=/64... i.e. a non quoted value. Dw

Re: cvs commit: apache-1.3/src/modules/standard mod_digest.c

2002-09-10 Thread Dirk-Willem van Gulik
On Tue, 10 Sep 2002, Roy T. Fielding wrote: > > + * Right now the parsing is very 'slack'. Actual rules from RFC > > 2069 are: > > The relevant spec is RFC 2617. Were there significant changes since 2069? THANKS ! My bad - missed that. Checking.. Dw

Re: cvs commit: apache-1.3/src/modules/standard mod_digest.c

2002-09-10 Thread Dirk-Willem van Gulik
On Tue, 10 Sep 2002, Roy T. Fielding wrote: > > +/* There's probably a better way to do this, but for the time > > being... > > + * > > + * Right now the parsing is very 'slack'. Actual rules from RFC > > 2069 are: > > The relevant spec is RFC 2617. Were there significant chan

Re: leak in APR

2002-09-12 Thread Dirk-Willem van Gulik
On Thu, 12 Sep 2002, Aaron Bannert wrote: > On Thu, Sep 12, 2002 at 04:26:02PM -0600, Jean-Jacques Clar wrote: > > Why will I wouldn't see my allocated memory decrease if it has been > > freed? > > That's just how unix works. When malloc() needs more memory it calls > brk or sbrk to move the hea

APXS

2002-09-23 Thread Dirk-Willem van Gulik
From the code in apxs; when one does an apxs -ia mod_foobar.so I get the error from below. Which can be easily fixed by using the -n flag as advised. Now naively this seems to be because by '1' we eat too much from the back of the string (i.e. the full '.so') while we expect something

instdso.sh - basename confusion

2002-09-24 Thread Dirk-Willem van Gulik
One for the libtool experts: In instdso.sh we do a 'basename $2' - which I assume is intended to strip off any .so ?? DSOARCHIVE=$2 DSOARCHIVE_BASENAME=`basename $2` But should that not be: DSOARCHIVE_BASENAME=`basename $2 .so` Or are there platforms where basename str

RE: instdso.sh - basename confusion

2002-09-24 Thread Dirk-Willem van Gulik
On Tue, 24 Sep 2002, Sander Striker wrote: > Nope. It is intended to remove any leading directory components. Hmm - I do a normal install cd apache-2.0.40 ./configure --prefix=../a2 make && make install And then try to install (on Solaris) a module as a .so:

RE: instdso.sh - basename confusion

2002-09-24 Thread Dirk-Willem van Gulik
On Tue, 24 Sep 2002, Dirk-Willem van Gulik wrote: > mv: /disk/raid0/home/dirkx/tmp/a2/modules is a directory > chmod 755 /disk/raid0/home/dirkx/tmp/a2/modules/mod_foo.so > chmod: WARNING: can't access /disk/raid0/home/dirkx/tmp/a2/modules/mod_foo.so >

Re: instdso.sh - basename confusion

2002-09-24 Thread Dirk-Willem van Gulik
On 24 Sep 2002, Jeff Trawick wrote: > Dirk-Willem van Gulik <[EMAIL PROTECTED]> writes: > > > On Tue, 24 Sep 2002, Sander Striker wrote: > > > > > Nope. It is intended to remove any leading directory components. > > > > Hmm - I do

Re: instdso.sh - basename confusion

2002-09-24 Thread Dirk-Willem van Gulik
On 24 Sep 2002, Jeff Trawick wrote: > > Ok - I get it - so that means that a sysadmin would need to keep/move both > > files around as he or she installs some extra binary modules on a > > machine. > > or tar up the .la file and the .libs subdirectory? Well - just fishing the .so file out of .

Re: instdso.sh - basename confusion

2002-09-24 Thread Dirk-Willem van Gulik
> > And then try to install (on Solaris) a module as a .so: > > > > ../a2/bin/apxs -i -n mod_foo mod_foo.so > > I would suggest looking at HEAD rather than 2.0.40 as I made changes > to instdso.sh to explicitly handle this case. instdso.sh will now > emit a warning rather than error out if y

Re: instdso.sh - basename confusion

2002-09-24 Thread Dirk-Willem van Gulik
On Tue, 24 Sep 2002 [EMAIL PROTECTED] wrote: > If you already have the .so, why would you use apxs? The whole point of > apxs, is to build the module, and get it into the source tree. If all you > are using apxs for, is to edit the config file, I would suggest that there > are better tools a

[PATCH] Alerting when fnctl is going bad

2002-09-25 Thread Dirk-Willem van Gulik
Now this may be a bit linux specific - but I'd like to get something like this in; if needed with a #ifdef DIAG or on a per platform basis. It is just something I've found to come in handy at various times - in particular on Linux and with lots of heavy PHP or mod_perl. This patch does two thin

[PATCH] add simple ${ENV} substitution during config file read

2002-09-25 Thread Dirk-Willem van Gulik
In the department of scratching old itches - any strong objections to me adding the following patch which allows one to do things like # httpd.conf ServerRoot ${HOME}/apache Port ${PORT:=80} ErrorDocument 500 "Please contact ${CUSTOMER} and then [EMAIL P

Re: [PATCH] Alerting when fnctl is going bad

2002-09-25 Thread Dirk-Willem van Gulik
On Wed, 25 Sep 2002, Justin Erenkrantz wrote: > On Thu, Sep 26, 2002 at 02:11:59AM +0200, Dirk-Willem van Gulik wrote: > > -> Makes the wait loop no longer endless - but causes it > > to bail out (and emit some warnings ahead of time) after > > a couple of thou

Re: [PATCH] Alerting when fnctl is going bad

2002-09-25 Thread Dirk-Willem van Gulik
On Wed, 25 Sep 2002, Justin Erenkrantz wrote: > to let the OS tell us when something has gone afoul rather than > trying to second-guess it when the error only means "You were > interrupted - try again." So, I don't think there is a metric > that can work (without fail) for this case. -- just

Re: [PATCH] add simple ${ENV} substitution during config file read

2002-09-25 Thread Dirk-Willem van Gulik
On Thu, 26 Sep 2002, [ISO-8859-1] André Malo wrote: > I'm not sure, but I'd guess this may cause conflicts with mod_rewrite. Mod rewrite uses % rather than $ for variable names. It does use $1, $2.. for back references. Which is not a problem as it is not followed by a {. It also uses the d

Re: cvs commit: apache-1.3/src/modules/standard mod_headers.c

2002-09-26 Thread Dirk-Willem van Gulik
On Wed, 25 Sep 2002, William A. Rowe, Jr. wrote: > Why did you principally credit Sander van Zoest for submitting the > patch of Michael Radwin ? Darn - not intentionally - I wanted to separate who wrote it and who actually submitted it to the ASF into the (bug db) - i.e. there it said that

Re: PKCS Mime Types

2002-09-26 Thread Dirk-Willem van Gulik
> > I was wondering about the mime.types configuration file. There are what > > appear to me to be a couple of omissions thus: > > > > application/x-pkcs7-certificates p7b > > application/x-x509-email-certpem, cer > > > > > > because these extensions and Mime Types do seem to be in us

Re: [PATCH] Alerting when fnctl is going bad

2002-09-26 Thread Dirk-Willem van Gulik
Aye - no hurry with this one. On Thu, 26 Sep 2002, Jim Jagielski wrote: > I'd prefer this wait until after 1.3.27 is released. > >

Re: [PATCH] add simple ${ENV} substitution during config file read

2002-09-26 Thread Dirk-Willem van Gulik
On Thu, 26 Sep 2002, Jim Jagielski wrote: > After 1.3.27 please :) > > I want as little "new stuff" in between now and the release (hopefully > *very* soon) to avoid problems and complications ;) No worries- no hurry :-) Dw

Re: mod_blanks

2002-09-26 Thread Dirk-Willem van Gulik
On Thu, 26 Sep 2002, [iso-8859-1] fabio rohrich wrote: > I'm going to develop this topic for thesis. > Has anybody of you any suggest for it? Apache 2.0 filtering is cool ! > Something to addin the development Of course the 'right' place to do this is when the content is generated - either b

Re: Deny from hostname broken in 2.0 on MacOSX 10.2

2002-10-03 Thread Dirk-Willem van Gulik
> > http://www.apache.org/~trawick/gni_mapped.c > > and see what happens? It should print > > > > look up via IPv4: 0/www.ibm.com > > look up via IPv6: 0/www.ibm.com > [dyn-205:~/tmp/g] dirkx% gcc gni_mapped.c gni_mapped.c: In function `main': gni_mapped.c:35: warning: implicit

Re: recommended openssl version for 2.0.43

2002-10-04 Thread Dirk-Willem van Gulik
At least 0.9.6g Dw. On Fri, 4 Oct 2002, [ISO-8859-1] Günter Knauf wrote: > Hi, > can someone tell what's the recommended openssl version which is known to run with 2.0.43? > thanks, g. > >

Re: public key authentication & apache

2002-10-15 Thread Dirk-Willem van Gulik
On Mon, 14 Oct 2002, Ian Holsman wrote: > I was wondering if anyone knows of something (preferably using openSSH) > which would allow Apache to authenticate via a SSH keypair. > what i would like ideally is for the browser to use the > passwords/pass-phrases of the ssh-agent running on the loc

Re: Enabling RAND redirection on crypto accelerator using OpenSSLENGINE

2002-10-26 Thread Dirk-Willem van Gulik
On Wed, 23 Oct 2002, Frederic DONNAT wrote: > A few weeks ago, I see a cvs commit about this on mod-ssl mailing list. > But I see that apache-2.0.x have not been updated. Good that you noticed this ! Though there are many more experts on the mod-ssl mailing list; this list can probably help you

Re: dynamically change max client value

2002-11-04 Thread Dirk-Willem van Gulik
In my ideal world every config directive would be able to advertize or register an optional 'has changed' hook. Which, if present, would be called in context whenever a value is somehow updated (through snmp, a configd, signal, whatever). If there is no such hook; the old -update- on graceful rest

Re: my module works?

2002-11-06 Thread Dirk-Willem van Gulik
On Wed, 6 Nov 2002, [iso-8859-1] fabio rohrich wrote: > I'm starting to write the mod_blank (it'll interact > with the response phase). > I'm writing the module structures and in want to know > if it works good. I mean, I 'll write a stupid > function that will add at the bottom of a web page a

Re: Before I start a new module...

2002-11-25 Thread Dirk-Willem van Gulik
Did you add it to modules.apache.org ? That is for sure a good place to make sure you are found. On Mon, 25 Nov 2002, [iso-8859-1] fabio rohrich wrote: > And here I am! Hi my italian colleague! I'm stripping > out the white spaces from HTML, it's true. > It's not so easy to strip out the garbage

Re: [PATCH] allow literal percent sign in logformat strings

2002-11-25 Thread Dirk-Willem van Gulik
+1 - this one has been on my list for a long time to fix :-) Dw On Mon, 25 Nov 2002, William A. Rowe, Jr. wrote: > Cool facility. Applied in 2.0 and 2.1. Care to author the docs patch? > > I looked for different places to 'stick' this logic, and didn't find a better > alternative :-) Moving

Re: Tagging 1.3.21 now

2001-10-04 Thread Dirk-Willem van Gulik
Actually; if you check out (or move) the three into its position within the apache tree then you can tag and handle them as 'one'. Dw On Thu, 4 Oct 2001, Bill Stoddard wrote: > My first inclination is to tag httpd-docs-1.3 separately from the rest of the tree. Wanted > to query the list to

Re: [PATCH] [Resubmit] Re: Tagging 1.3.21 now

2001-10-04 Thread Dirk-Willem van Gulik
On Thu, 4 Oct 2001, Bill Stoddard wrote: > Committed and tag moved to pick up the change in 1.3.21 Do you really really want to do this ? In the past those sort of last minute changes have proven to cause endless havoc - and it was easier to just skip a version number. Dw

Subject: (size_t) long/int for 1.3.21

2001-10-05 Thread Dirk-Willem van Gulik
Fluff - no need to pause 1.3.21 or 22 release (though let me know if I should press commit).. Latest tarball (while trying to reproduce Ken's warnings); I found that on some platforms (size_t) and that what sizeof() returns is a long; and not an int. Which gives a warning for the strings we pri

Re: [PATCH] for ServerSignatures / ServerTokens

2001-10-17 Thread Dirk-Willem van Gulik
On Thu, 18 Oct 2001, Thomas Eibner wrote: > To sum up, my only concern is that to many people would start changing > the Server string and the Netcraft stats will start to drop (ugh!). > I'm not against the feature itself, I'm just airing my concerns. And that is a valid concern. Dw

Re: apachectl reports 'httpd started' when httpd didn't

2001-10-24 Thread Dirk-Willem van Gulik
On Mon, 22 Oct 2001, Sander Temme wrote: > on 10/22/01 9:17 PM, Stas Bekman at [EMAIL PROTECTED] wrote: > > > Either httpd returns a wrong status here (too early?): > > > > if $HTTPD ; then > >echo "$0 $ARG: httpd started" > > > > or may be an additional check for pid file should be done and

Re: ApacheBench says my site is unstable?

2001-10-27 Thread Dirk-Willem van Gulik
On FreeBSD; do a ulimit -a to check the number of files you are allowed to have open. For a non privileged user the default is typically set to 64 or some similar low number. This is mainly to stop people from getting in each other's way. I.e. one user overloading the machine for some

Re: ApacheBench says my site is unstable?

2001-10-27 Thread Dirk-Willem van Gulik
On Sun, 28 Oct 2001, Philip Mak wrote: > MaxClients is 50, so I'm guessing that the number of open files (1064) is > definitely enough to handle that, right? Your 'ab' tried to open a significantly higher number of connections if I recall. You want both to be in the same order; and open files w

2.0 / POST read example

2001-10-29 Thread Dirk-Willem van Gulik
Anyone a good pointer as to where to snarf proper 'post' read code; i.e. I need to get some post data processing done in a handler in a module - and want to do it properly -i.e. through the filter chain etc. Any place I can cut and paste this from :-) Dw

Re: 2.0 / POST read example

2001-10-29 Thread Dirk-Willem van Gulik
); rpos += rsize; } // ap_kill_timeout(r); data[length] = '\0'; On Mon, 29 Oct 2001, Ryan Bloom wrote: > On Monday 29 October 2001 12:05 pm, Dirk-Willem van Gulik wrote: > > Use the same code that you would have used in 1.3, namely ap_setup_client_block, > a

Re: 2.0 / POST read example

2001-10-29 Thread Dirk-Willem van Gulik
On Mon, 29 Oct 2001, Ryan Bloom wrote: > On Monday 29 October 2001 12:24 pm, Dirk-Willem van Gulik wrote: > > Timeouts are all handled by the server now. If you want to set a different > timeout, you will have to call apr_set_socketopt on c->client. Very neat. Is there somethi

Re: 2.0 / POST read example

2001-10-29 Thread Dirk-Willem van Gulik
On Mon, 29 Oct 2001, Greg Stein wrote: > You can also toss a layer out (and a copy!) if you're willing to deal with > brigades, and use ap_get_brigade(). Thanks - trying... Dw

Re: [2.0] lstat's in spite of AllowOverride None

2001-11-08 Thread Dirk-Willem van Gulik
On Fri, 9 Nov 2001, Martin Kraemer wrote: > Looks good (though xv could not display it -- but xpaint could). > Isn't mrtg the right tool to visualize that? (I would have done it in > php, probably). The drop between Jul and Nov is clearly visible (although > two series are mixed, one with dates

Re: 2.0.28-beta release --coredumps

2001-11-13 Thread Dirk-Willem van Gulik
On 13 Nov 2001, Jeff Trawick wrote: > > global core file pattern: /coredumps/core.%f.%p > >init core file pattern: /coredumps/init-core.%f.%p Be *very* careful about putting the pid in the coredump string on a production machine. You may run out of diskspace quicker than you expec

Re: New httpd.apache.org website...

2001-11-19 Thread Dirk-Willem van Gulik
Looks good. Keep up the good work. Dw

Re: URL encoding hostnames

2001-11-18 Thread Dirk-Willem van Gulik
On Sat, 17 Nov 2001, Marc Slemko wrote: > (offtopic, but related...) > > is "http://%77ww.apache.org/" a valid URL referring to the same resource > that "http://www.apache.org/" does? > > RFC 2616 section 3.2.3 seems to imply that, for comparison purposes, > they are the same. Though there ar

server/listen.c / alloc_listen() does not pass back errors ?

2001-12-17 Thread Dirk-Willem van Gulik
Confused about 2.0 - could someone who has stayed current with the tide help me understand here :-) When coming across a Listen: in the config we call ap_set_listener() which calls (void) alloc_listener() to get the actual socket() opened: const char *ap_set_listener(cmd_parms *cmd, void *dummy

russian mod_deflate module

2001-12-20 Thread Dirk-Willem van Gulik
And as a user - may I add that it works very well and holds up in operational environment with little trouble. (Used for transferring satellite images from remote ground stations to the DAAC's - across links which for historic reasons do not have something like compression on the HDLC/ppp like t

Re: IE6?

2001-12-30 Thread Dirk-Willem van Gulik
On Fri, 21 Dec 2001, David Reid wrote: > Has anyone else been having trouble with IE6 and authorisations using Apache > 1.3? I have a user who never sees a prompt, but the logs show 3 401 > rejected entries when he tries to view the page. ISAIK It is not uncommon (depending what auth DLL's yo

Re: http://httpd.apache.org/docs/ in french

2002-02-09 Thread Dirk-Willem van Gulik
On Sat, 9 Feb 2002, Joshua Slive wrote: > On Fri, 8 Feb 2002, Marc Slemko wrote: > > > If I send: > > > > Accept-Charset: ISO-8859-1, utf-8;q=0.66, *;q=0.66 > > > > with no Accept-Language header, I get a page in french. That isn't right > > is it? > > > > This is what Mozilla generates for me

Re: Patch for PR# 4634

2002-02-12 Thread Dirk-Willem van Gulik
Nice. On Sun, 10 Feb 2002, Dave Dribin wrote: > Hi, > > I've attached a patch against 1.3.23 that modifies ./configure to take > a "--force-suffix" option as a solution to PR# 4634. > > http://bugs.apache.org/index.cgi/full/4634 > > This keeps the default behavior as is, but allows people who

expose SSL_SHARED_CIPHERs from SSL/TLS

2023-03-06 Thread Dirk-Willem van Gulik
I was cleaning up some of our private code - and came across the patch below - exposing the SHARED_CHIPHERs. We scratch this itch in a few places to help force (or prevent) the forcing of a protocol upgrade from application land. No idea how common that is - any reason not to submit this as a s

Re: expose SSL_SHARED_CIPHERs from SSL/TLS

2023-03-06 Thread Dirk-Willem van Gulik
> On 6 Mar 2023, at 13:32, Ruediger Pluem wrote: > > > > On 3/6/23 12:35 PM, Dirk-Willem van Gulik wrote: >> I was cleaning up some of our private code - and came across the patch below >> - exposing the SHARED_CHIPHERs. >> >> We scratch this itch in

Re: Version check idea

2015-04-21 Thread Dirk-Willem van Gulik
On 21 Apr 2015, at 15:55, Jim Jagielski wrote: > For comment: What do people think about adding the capability that > when httpd is started, it tries to access http://httpd.apache.org/doap.rdf > to check its version number with the latest one referred to in that > file and, if a newer one exists,

Re: Style checker?

2015-05-21 Thread Dirk-Willem van Gulik
> I still develop in what a lot of folks would consider a fairly "primitive" > environment (vi) that doesn't do anything for style checking things like line > width/spacing before and after control statements/indentation/variable > declaration/etc. I know of the indent tool available on most un

httpd - side channel attack - timing of digest comparisons

2015-05-21 Thread Dirk-Willem van Gulik
Folks, security@ got a notification of a potential side channel attack. The original message is below (sans details on the poster who wants to remain private). In short - we’re comparing the digest in mod-auth-digest in a manner that may reveal how much is actually correct; leading potentially

Re: httpd - side channel attack - timing of digest comparisons

2015-05-21 Thread Dirk-Willem van Gulik
Very quick and dirty list of the most obvious places where we compare stuff. Currently trying to find some time to figure out if these are all vulnerable; or if it is just the two outer ones. Dw. Index: modules/aaa/mod_auth_digest.c ==

Re: httpd - side channel attack - timing of digest comparisons

2015-05-26 Thread Dirk-Willem van Gulik
Folks, Did a scan through a fair bit of our code. mod_digest is not the only place; e.g. in basic auth; we are also not as careful in all cases as we could be. So I think that what is needed are two (or three) functions - A fairly mundane (binary) timing safe compare that compares two fi

Re: httpd - side channel attack - timing of digest comparisons

2015-05-26 Thread Dirk-Willem van Gulik
> On 26 May 2015, at 17:22, Dirk-Willem van Gulik wrote: .. > So I think that what is needed are two (or three) functions ... > - A string comparison function; where at least one string is under > control of the attacker. Now the issue here is that length is very easily re

Re: mod_h2 internals

2015-05-28 Thread Dirk-Willem van Gulik
> On 28 May 2015, at 16:25, Jim Jagielski wrote: > > One thing I've been thinking about, and there might even be some hooks > in trunk for it, is the idea of slave connections (or sub-connections) > which kind of *is* a pseudo connection. So one could create a connection > and then a sub/slave c

Re: httpd - side channel attack - timing of digest comparisons

2015-05-28 Thread Dirk-Willem van Gulik
> On 28 May 2015, at 17:03, William A Rowe Jr wrote: > > > On May 26, 2015 10:31 AM, "Dirk-Willem van Gulik" <mailto:di...@webweaving.org>> wrote: > > > > > > > On 26 May 2015, at 17:22, Dirk-Willem van Gulik > > <mailto:di...

Re: httpd - side channel attack - timing of digest comparisons

2015-05-28 Thread Dirk-Willem van Gulik
> On 28 May 2015, at 17:24, Dirk-Willem van Gulik wrote: > > >> On 28 May 2015, at 17:03, William A Rowe Jr > <mailto:wr...@rowe-clan.net>> wrote: >> >> >> On May 26, 2015 10:31 AM, "Dirk-Willem van Gulik" > <mailto:di...@webw

Good at assembler ? (Was:httpd - side channel attack - timing of digest comparisons)

2015-05-29 Thread Dirk-Willem van Gulik
>>> On 28 May 2015, at 17:03, William A Rowe Jr >> <mailto:wr...@rowe-clan.net>> wrote: …. >>> > > On 26 May 2015, at 17:22, Dirk-Willem van Gulik >> > > <mailto:di...@webweaving.org>> wrote: >>> > .. >>> > >

Re: Buffer size in mod_session_crypto.c, decrypt_string()

2015-11-19 Thread Dirk-Willem van Gulik
> On 19 Nov 2015, at 10:07, Ewald Dieterich wrote: > > This is from mod_session_crypto.c, decrypt_string(): > >/* strip base64 from the string */ >decoded = apr_palloc(r->pool, apr_base64_decode_len(in)); >decodedlen = apr_base64_decode(decoded, in); >decoded[decodedlen] = '\0';

2.0, Subrequest and Digest auth

2003-12-12 Thread Dirk-Willem van Gulik
I ran into a snag(1) with Digest-Auth, mod_dav and dav_svn. I understood from Sander that this was a known subrequest issue ? But have not found any discussion Any pointers / message-ID's for me; I just need to get it fixed and am poised to fire up vim^H. Ta, Dw 1: need to run Subversion repo

Re: 2.0, Subrequest and Digest auth

2003-12-12 Thread Dirk-Willem van Gulik
On Fri, 12 Dec 2003, Sander Striker wrote: > http://nagoya.apache.org/bugzilla/show_bug.cgi?id=25040 Excellent ! Dw.

Digest auth - no nonce/replay checking

2003-12-16 Thread Dirk-Willem van Gulik
Unless I missed something we nicely issue a nonce during digest auth (based on r->request_time) - but when the reply comes in with an (Proxy-)Authenticate header we use the nonce provided by the client; and do not check if it was any where near reasonably likely that we issued it. So I guess ->

APR version and 2.0 version

2003-12-18 Thread Dirk-Willem van Gulik
I've just gotten bitten a few times by versions of APR and 2.0 getting out of sync (i.e. the deprecated interface removal and the FNM_PERIOD to APR_FNM_PERIOD rename). Does our 2.0 ./configure check (or know) in any way the version (range/minimum) of APR it expects to be in place ? Or are there f

Escaping of outside chars

2003-12-18 Thread Dirk-Willem van Gulik
We've just been looking at a case of an (admittedly) doggy resolver library which led through non-ASCII chars (as part of some i18n effort) and hence allowed for alien chars to end up in the log files. Which royally screwed the operator. The patch below goes a bit further than the current escapi
