Re: Time for new apr-* releases soon? Corrections inc for .vcproj conversion

2007-10-05 Thread Stefan Fritsch
On Friday 05 October 2007, Ruediger Pluem wrote: Once APR is out, I'll plan on a httpd release too. There are several backport proposals in the STATUS file missing only one vote. So I guess it is voting time :-). Maybe someone could also look at

prefork: hung processes on graceful reload

2007-10-31 Thread Stefan Fritsch
On Monday 08 October 2007, Jim Jagielski wrote: On Oct 5, 2007, at 2:07 PM, Stefan Fritsch wrote: Maybe someone could also look at http://issues.apache.org/bugzilla/show_bug.cgi?id=42829 A quick review seems to indicate that the suggested patch could result in a worker accepting

Apache memory usage

2007-12-03 Thread Stefan Fritsch
Hi, there is still the problem that during a request, many bucket brigades are created which are only cleaned up after the request is finished, see http://issues.apache.org/bugzilla/show_bug.cgi?id=23567 . There was some discussion about retaining ownership of a brigade when

Re: Apache memory usage

2007-12-09 Thread Stefan Fritsch
Hi, On Monday 03 December 2007, Stefan Fritsch wrote: But I found two locations where the creation of a new brigade could be avoided: - In buffer_output()/ap_old_write_filter(), it is possible to keep the brigade around and reuse it after the next flush. - In ap_http_chunk_filter(), a new

Re: Apache memory usage

2007-12-10 Thread Stefan Fritsch
On Sunday 09 December 2007, Ruediger Pluem wrote: But I think your patch to server/protocol.c can be done much simpler. Can you try the following and let us know if this helps as well: Index: server/protocol.c === ---

CVE-2007-6203

2007-12-16 Thread Stefan Fritsch
*) http_protocol: Escape request method in 413 error reporting. Determined to be not generally exploitable, but a flaw in any case. PR 44014 [Victor Stinner victor.stinner inl.fr] This is CVE-2007-6203. Maybe you should add the reference to the CHANGES file? Cheers, Stefan

Re: CVE-2007-6203

2007-12-17 Thread Stefan Fritsch
On Monday 17 December 2007, William A. Rowe, Jr. wrote: This is CVE-2007-6203. Maybe you should add the reference to the CHANGES file? I don't think that's a good idea since we don't want to mislead users into thinking a security issue exists here. it potentially does, just not of

PR42829: graceful restart with multiple listeners using prefork MPM can result in hung processes

2008-01-04 Thread Stefan Fritsch
Hi, this bug can be quite annoying because of the resources used by the hung processes. It happens e.g. under Linux when epoll is used. The patch from http://issues.apache.org/bugzilla/show_bug.cgi?id=42829#c14 has been in Debian unstable/Ubuntu hardy for several weeks and there have not been

Re: PR42829: graceful restart with multiple listeners using prefork MPM can result in hung processes

2008-02-01 Thread Stefan Fritsch
Joe Orton wrote: I mentioned in the bug that the signal handler could cause undefined behaviour, but I'm not sure now whether that is true. On Linux I can reproduce some cases where this will happen, which are all due to well-defined behaviour: 1) with some (default on Linux) accept mutex

RE: XSS vulnerability in mod_negotiation - status in 2.2.8?

2008-02-06 Thread Stefan Fritsch
Hi, On Wed, 6 Feb 2008, Boyle Owen wrote: It is clear to me now that this is a storm in a teacup. I note also that the vulnerability never made it to the CVE database so I think we can decide on no further action. That's not true. CVE-2008-0455 and CVE-2008-0456 have been assigned to this

Re: 2.2.9 status

2008-05-29 Thread Stefan Fritsch
Hi, for 2.2.9, it would be nice to fix the epoll issue PR 42829, IMHO. The patch in the bug report works, even if it may not be the perfect solution. Cheers, Stefan

PR42829 (was: 2.2.9 status)

2008-05-29 Thread Stefan Fritsch
On Thursday 29 May 2008, Jim Jagielski wrote: for 2.2.9, it would be nice to fix the epoll issue PR 42829, IMHO. The patch in the bug report works, even if it may not be the perfect solution. From what I can see, there is no real patch available or fully tested enough to warrant anything

Re: PR42829 (was: 2.2.9 status)

2008-05-29 Thread Stefan Fritsch
On Thursday 29 May 2008, Jim Jagielski wrote: https://issues.apache.org/bugzilla/attachment.cgi?id=21137 has been in Debian testing and unstable for about 6 months without problems. It is not an elegant solution but it works. Considering that it is not clear how an elegant solution would

Re: PR42829

2008-05-30 Thread Stefan Fritsch
On Friday 30 May 2008, Paul Querna wrote: https://issues.apache.org/bugzilla/attachment.cgi?id=21137 has been in Debian testing and unstable for about 6 months without problems. It is not an elegant solution but it works. Considering that it is not clear how an elegant solution would look

Re: PR42829

2008-05-30 Thread Stefan Fritsch
On Friday 30 May 2008, Nick Kew wrote: I don't think I share your implied view about how grave this is. I guess this is the main (or only?) problem with this patch/bug. I got quite a few people complaining about it and therefore I wanted to fix it. I respect your opinion, but when

Re: [PATCH] SIGBUS when compiled with gcc 4.3

2008-07-24 Thread Stefan Fritsch
Hi, On Wednesday 23 July 2008, Joe Orton wrote: when compiled with gcc 4.3 on Sparc under Linux, Apache 2.2.9 sometimes crashes with SIGBUS in the ssl shmcb code. Adding __attribute__((__noinline__)) (which is already present in ssl_scache_shmcb.c for the memset call) to the memcpy

PR 42829: apache prefork hanging in apr_pollset_poll() on graceful restarts or shutdowns

2008-09-05 Thread Stefan Fritsch
Hi, there is the problem that with prefork mpm, child processes can hang in apr_pollset_poll() on graceful restarts or shutdowns (https://issues.apache.org/bugzilla/show_bug.cgi?id=42829). This happens under Linux with epoll, and there is now also a report that the same problem exists with

Make RemoveType override TypesConfig mime.types?

2008-12-20 Thread Stefan Fritsch
Hi, for people who use a system wide mime.types as TypesConfig, it would be nice if there was a way to remove some type associations in the apache config. For example, nowadays .es seems to be ecmascript (according to RFC 4329), but it is also often used for Spanish language encoding.

Re: Need suggestions for adding tproxy support to mod_proxy

2008-12-25 Thread Stefan Fritsch
Hi, On Wed, 17 Dec 2008, Pranav Desai wrote: I am trying to add tproxy4 (http://www.balabit.com/support/community/products/tproxy/) support to the mod_proxy to achieve transparency. It basically involves a kernel patch which allows binding of a socket to foreign address among other things. At

Re: Graceful restart not so graceful?

2009-01-11 Thread Stefan Fritsch
Hi, thanks for following up on this and sorry for the late response. On Wednesday 07 January 2009, Jeff Trawick wrote: Initial testing of your idea for a timeout was promising. I couldn't reproduce any hangs under linux with the patch you committed to trunk. In my patch I tried to avoid that

more apr_pollset_* error checking

2009-02-01 Thread Stefan Fritsch
Hi, the epoll limit in new linux kernels can cause problems because of insufficient error checking in httpd. The most obvious problem was fixed in https://issues.apache.org/bugzilla/show_bug.cgi?id=46467 in MPM prefork, but mod_cgi, mod_proxy_connect, and the other MPMs should also check for

Automatically fall back to read/write when sendfile fails?

2009-03-25 Thread Stefan Fritsch
Hi, is there any particular reason why httpd does not automatically fall back to read/write if sendfile failed [1]? Or is the only problem that nobody has written the code yet? I have googled a bit but have not found any discussion about this. Cheers, Stefan [1] The linux sendfile man page

Re: [RFC] A new hook: invoke_handler and web-application security

2009-04-09 Thread Stefan Fritsch
On Thursday 09 April 2009, Graham Dumpleton wrote: Only you would know that. But then, I could be pointing you at the wrong MPM. There is from memory another by another name developed outside of ASF which intends to do the same thing. The way it is implemented is probably going to be different

mod_perl test failure with CVE-2009-1195 fix in 2.2.12

2009-06-01 Thread Stefan Fritsch
Hi, when backporting the CVE-2009-1195 fix in r773881+r779472 from branches/2.2.x to 2.2.9, I noticed that it causes a test failure when compiling mod_perl 2.0.4. Since I am neither familiar with mod_perl nor with the mod_include internals, maybe someone else can check if this is a necessary

Re: mod_perl test failure with CVE-2009-1195 fix in 2.2.12

2009-06-01 Thread Stefan Fritsch
On Monday 01 June 2009, Jeff Trawick wrote: This patch works for me; please try it with the Perl suite. That fixed it. Thanks Stefan

PR 38330: Make RemoveType override TypesConfig mime.types?

2009-06-23 Thread Stefan Fritsch
On Saturday 20 December 2008, Stefan Fritsch wrote: for people who use a system wide mime.types as TypesConfig, it would be nice if there was a way to remove some type associations in the apache config. For example, nowadays .es seems to be ecmascript (according to RFC 4329), but it is also

Re: mod_noloris: mitigating against slowloris-style attack

2009-06-25 Thread Stefan Fritsch
Nick Kew wrote: Is this worth hacking up, or more trouble than it saves? It seems it already exists (I haven't tested it, though): ftp://ftp.monshouwer.eu/pub/linux/mod_antiloris/mod_antiloris-0.3.tar.bz2

mod_deflate DoS

2009-06-28 Thread Stefan Fritsch
Hi, we have received a bug report [1] that a DoS is possible with mod_deflate since it does not stop compressing large files even after the network connection has been closed. This allows using large amounts of CPU if there is a largish (10 MB) file available that has mod_deflate enabled.

Segfault with fix for CVE-2009-1891

2009-07-28 Thread Stefan Fritsch
Hi, I have backported r791454 to 2.2.3 in Debian 4.0 and have received a report [1] about segfaults with mod_deflate and mod_php (5.2.0). As far as I understand it, the reason is that mod_php uses ap_rwrite which creates transient buckets. When the connection is closed by the client, these

Re: Segfault with fix for CVE-2009-1891

2009-07-29 Thread Stefan Fritsch
Ruediger Pluem wrote: far as I understand it, the reason is that mod_php uses ap_rwrite which creates transient buckets. When the connection is closed by the client, these buckets sometimes stay in the bucket brigade when ap_pass_brigade returns an error for the compressed data of an earlier

Re: Segfault with fix for CVE-2009-1891

2009-07-29 Thread Stefan Fritsch
William A. Rowe, Jr. wrote: One helpful detail, Stefan, would be if this is worker-specific or can be reproduced with prefork. That helps narrow down the number of places to consider your question. This happened with prefork, Debian supports mod_php only with prefork. As I recall, we have

Re: Segfault with fix for CVE-2009-1891

2009-07-30 Thread Stefan Fritsch
Right, it is not really helpful, but as you seem to be able to reproduce the issue can you please create a backtrace on your own, preferably with an unstripped and -g compiled php (which doesn't seem to be the case in the current backtrace). Backtrace is attached. Looking at it again, the

Changing the default algorithm in htpasswd

2009-07-30 Thread Stefan Fritsch
Hi, given that crypt() hashes can nowadays be brute-forced on commodity hardware (especially since the password length is limited to 8 characters), wouldn't it make sense for htpasswd to use something stronger by default? Cheers, Stefan

Re: Segfault with fix for CVE-2009-1891

2009-07-30 Thread Stefan Fritsch
Right, it is not really helpful, but as you seem to be able to reproduce the issue can you please create a backtrace on your own, preferably with an unstripped and -g compiled php (which doesn't seem to be the case in the current backtrace). Backtrace is attached. I forgot to mention that

mod_reqtimeout: mitigating against slowloris-style attack (different approach)

2009-08-31 Thread Stefan Fritsch
Hi, since there was some doubt that the mod_antiloris and mod_noloris modules use the correct approach against slowloris type attacks, I hacked up something different. mod_reqtimeout allows setting timeouts for the request-reading and body-reading phases. It is implemented as an input

Re: mod_reqtimeout: mitigating against slowloris-style attack (different approach)

2009-09-01 Thread Stefan Fritsch
On Tuesday 01 September 2009, Nick Kew wrote: How does it relate to the Timeout directive? The Timeout directive sets the maximum time between two packets. mod_reqtimeout will set the socket timeout to the minimum of {Timeout, time left for the current request}. You can set RequestTimeout to

Re: mod_reqtimeout: mitigating against slowloris-style attack (different approach)

2009-09-01 Thread Stefan Fritsch
On Tuesday 01 September 2009, Torsten Foertsch wrote: Just a few thoughts: - You use GLOBAL_ONLY in ap_check_cmd_context. That means the directive must not appear in vhost context. AFAIK, conn->base_server reflects the vhost in a pre connection hook if it is IP-based. So, why don't you allow

Re: mod_reqtimeout: mitigating against slowloris-style attack (different approach)

2009-09-01 Thread Stefan Fritsch
On Tuesday 01 September 2009, Ruediger Pluem wrote: On 09/01/2009 04:26 PM, Torsten Foertsch wrote: On Tue 01 Sep 2009, Stefan Fritsch wrote: http://www.sfritsch.de/mod_reqtimeout/mod_reqtimeout.c Any comments are welcome. Just a few thoughts: - You use GLOBAL_ONLY

Re: mod_reqtimeout: mitigating against slowloris-style attack (different approach)

2009-09-01 Thread Stefan Fritsch
On Tuesday 01 September 2009, Ruediger Pluem wrote: - Apache should respond with HTTP_REQUEST_TIME_OUT and not HTTP_BAD_REQUEST when there is a timeout reading the request. In the slowloris case, it needs to time out before there's any such thing as an HTTP request, so it won't be

Better logging for ssl configuration errors

2009-09-06 Thread Stefan Fritsch
Hi, it seems there are a number of configurations that used ssl name based virtual hosts with ssl that broke with 2.2.12. A frequent problem seems to be missing sslcertificate(key)file directives for some of the virtual hosts. The logged error message is not too helpful (at least if all virtual

Re: mod_reqtimeout: mitigating against slowloris-style attack (different approach)

2009-09-06 Thread Stefan Fritsch
On Tuesday 01 September 2009, Ruediger Pluem wrote: I guess reqtimeout_after_body also needs to be updated to the assert / do nothing if not configured logic like reqtimeout_after_headers Thanks, I missed that. I fixed it and also added support for minimum upload rates: This

CVE-2009-3094, CVE-2009-3095: mod_proxy_ftp issues

2009-09-10 Thread Stefan Fritsch
Hi, in case you haven't noticed yet, some new mod_proxy_ftp issues have been reported: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3094 The ap_proxy_ftp_handler function in modules/proxy/proxy_ftp.c in the mod_proxy_ftp module in the Apache HTTP Server 2.0.63 and 2.2.13 allows

Re: CVE-2009-3094, CVE-2009-3095: mod_proxy_ftp issues

2009-09-12 Thread Stefan Fritsch
On Fri, 11 Sep 2009, Joe Orton wrote: +char *p = ap_strchr(reply, '('), *ep, *term; +long port; + +/* Reply syntax per RFC 2428: 229 blah blah (|||port|) where '|' + * can be any character in ASCII from 33-126, obscurely. Verify + * the syntax. */ +if (p == NULL || p[1]
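Review bot: the syntax check that begins with `if (p == NULL || p[1]` at the end of the hunk needs an end-of-string test on p[1] before any comparison against p[2]; if the reply ends right after the opening '(' the comparison reads past the terminator, so the NULL check should be followed by `|| p[1] == '\0'` ahead of the delimiter comparison. Since `port` is a long parsed out of the remote server's reply, the parsed value should also be rejected unless it lies in 1..65535 before it is used.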

Memory usage, core output filter, and apr_brigade_destroy

2009-09-13 Thread Stefan Fritsch
Hi, http://httpd.apache.org/docs/trunk/developer/output-filters.html recommends reusing bucket brigades and not using apr_brigade_destroy. However, both in 2.2 and in trunk, the core output filter sometimes calls apr_brigade_destroy on brigades that it has received down the chain from

Re: CVE-2009-3094, CVE-2009-3095: mod_proxy_ftp issues

2009-09-13 Thread Stefan Fritsch
Shouldn't you also check for p[1] != 0 before p[1] != p[2], to catch the case where reply ends after the opening bracket? This should be p[1] == 0, of course.

Re: Memory usage, core output filter, and apr_brigade_destroy

2009-09-13 Thread Stefan Fritsch
Hi Rüdiger, thanks for the response. On Sunday 13 September 2009, Ruediger Pluem wrote: On 09/13/2009 01:11 PM, Stefan Fritsch wrote: http://httpd.apache.org/docs/trunk/developer/output-filters.html recommends to reuse bucket brigades and to not use apr_brigade_destroy. However, both

Re: Memory usage, core output filter, and apr_brigade_destroy

2009-09-14 Thread Stefan Fritsch
On Sun, 13 Sep 2009, Ruediger Pluem wrote: But your patch is causing core dumps during the proxy tests when running the test suite :-(. I currently don't understand why. Hmmm... either ctx->tmp_flush_bb is NULL or, since it was added in the middle of the struct, you didn't do a make distclean

Re: Memory usage, core output filter, and apr_brigade_destroy

2009-09-22 Thread Stefan Fritsch
On Sunday 13 September 2009, Stefan Fritsch wrote: On Sunday 13 September 2009, Ruediger Pluem wrote: On 09/13/2009 01:11 PM, Stefan Fritsch wrote: http://httpd.apache.org/docs/trunk/developer/output-filters.html recommends to reuse bucket brigades and to not use apr_brigade_destroy

Re: Logging or not logging 408's

2009-09-29 Thread Stefan Fritsch
On Monday 28 September 2009, Dan Poirier wrote: Is there some good reason not to log the 408's in this case? I am +1 for logging the 408's. I also think in case of a timeout, 408 should be logged instead of 400. The attached patch does that. --- protocol.c.orig 2009-09-05 00:36:31.448689825

Re: Memory usage, core output filter, and apr_brigade_destroy

2009-10-04 Thread Stefan Fritsch
Thanks for your comments. On Wednesday 23 September 2009, Ruediger Pluem wrote: --- modules/http/chunk_filter.c (Revision 818232) +++ modules/http/chunk_filter.c (Arbeitskopie) @@ -49,11 +49,11 @@ #define ASCII_CRLF \015\012 #define ASCII_ZERO \060 conn_rec *c = f-r-connection; -

adding mod_reqtimeout to trunk?

2009-10-04 Thread Stefan Fritsch
Hi, I would like to add mod_reqtimeout [1,2] to trunk. Is this OK? Considering the positive comments it received, may I put it into modules/filter or should it go into modules/experimental first? Cheers, Stefan [1] http://www.sfritsch.de/mod_reqtimeout/mod_reqtimeout.c [2]

Re: svn commit: r821477 - in /httpd/httpd/trunk: CHANGES modules/http/byterange_filter.c modules/http/http_filters.c server/core_filters.c

2009-10-04 Thread Stefan Fritsch
On Sunday 04 October 2009, Paul Querna wrote: URL: http://svn.apache.org/viewvc?rev=821477view=rev Log: Make sure to not destroy bucket brigades that have been created by earlier filters. Otherwise the pool cleanups would be removed causing potential memory leaks later on. I am not

Re: svn commit: r821471 - in /httpd/httpd/trunk: CHANGES modules/filters/mod_deflate.c modules/filters/mod_sed.c modules/http/chunk_filter.c server/protocol.c

2009-10-04 Thread Stefan Fritsch
On Sunday 04 October 2009, Ruediger Pluem wrote: To be on the safe side we should do apr_brigade_cleanup(b) here. Thanks. Fixed in r821481

Re: svn commit: r821477 - in /httpd/httpd/trunk: CHANGES modules/http/byterange_filter.c modules/http/http_filters.c server/core_filters.c

2009-10-04 Thread Stefan Fritsch
On Sunday 04 October 2009, Ruediger Pluem wrote: --- httpd/httpd/trunk/server/core_filters.c (original) +++ httpd/httpd/trunk/server/core_filters.c Sun Oct 4 08:08:50 2009 @@ -392,19 +392,21 @@ } } +if (new_bb != NULL) { +bb = new_bb; +} +
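Review bot: the guard `+if (new_bb != NULL) { +bb = new_bb; +}` is only safe if new_bb is initialised to NULL on every path that reaches it; the hunk as shown does not include that initialisation, so confirm it exists (or add it) so that bb is never assigned an indeterminate pointer.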

Re: adding mod_reqtimeout to trunk?

2009-10-04 Thread Stefan Fritsch
On Sunday 04 October 2009, Jim Jagielski wrote: Personally, I'd like to see this as part of the actual code core, where we have several Timeouts, eg: Timeout 30 5 10 2 which define timeout as now, timeout before 1st byte, timeout between bytes timeout after etc... We've always

Re: adding mod_reqtimeout to trunk?

2009-10-04 Thread Stefan Fritsch
On Sunday 04 October 2009, Nick Kew wrote: FWIW, IMO it should go in modules/filters not experimental. +1. trunk is, by definition, experimental. But when we float off 2.3/4-branch, we should perhaps do some documentation of stability levels of different features and modules for users. I

Re: adding mod_reqtimeout to trunk?

2009-10-06 Thread Stefan Fritsch
On Monday 05 October 2009, Jim Jagielski wrote: Thx... I'm updating it with an eye to making it core, and therefore having ReqTimeout headerinit=5 headermax=10 As we also have RequestHeaders, maybe RequestTimeout would be better? Let me know if I can help w/ the docs. I have committed

Re: svn commit: r821477 - in /httpd/httpd/trunk: CHANGES modules/http/byterange_filter.c modules/http/http_filters.c server/core_filters.c

2009-10-07 Thread Stefan Fritsch
On Sunday 04 October 2009, Nick Kew wrote: Good summary. I have taken the absence of further replies as agreement and committed the patch to util_filter.h.

Re: svn commit: r822870 - in /httpd/httpd/trunk: CHANGES include/util_filter.h

2009-10-07 Thread Stefan Fritsch
On Wednesday 07 October 2009, Jim Jagielski wrote: Does this really require a CHANGES entry?? No. There is at least one other CHANGES entry about a changed comment, though.

Re: svn commit: r823337 - in /httpd/httpd/trunk: CHANGES include/ap_mmn.h include/http_core.h modules/loggers/mod_logio.c server/scoreboard.c

2009-10-08 Thread Stefan Fritsch
On Thursday 08 October 2009, s...@apache.org wrote: --- httpd/httpd/trunk/include/ap_mmn.h (original) +++ httpd/httpd/trunk/include/ap_mmn.h Thu Oct 8 21:42:13 2009 @@ -198,15 +198,17 @@ * 20090401.3 (2.3.3-dev) Added DAV options provider to mod_dav.h * 20090925.0 (2.3.3-dev) Added

Re: svn commit: r823337 - in /httpd/httpd/trunk: CHANGES include/ap_mmn.h include/http_core.h modules/loggers/mod_logio.c server/scoreboard.c

2009-10-08 Thread Stefan Fritsch
On Friday 09 October 2009, William A. Rowe, Jr. wrote: * 20090925.0 (2.3.3-dev) Added server_rec::context and added *server_rec * param to ap_wait_or_timeout() + * 20090925.1 (2.3.3-dev) Add optional function ap_logio_get_last_bytes() to + *

Re: client_ip vs remote_ip

2011-11-23 Thread Stefan Fritsch
On Wednesday 23 November 2011, Graham Leggett wrote: On 23 Nov 2011, at 8:22 PM, Nick Kew wrote: This has the additional advantage of *breaking* existing c->remote_ip references and forcing the module author to choose which they mean for their purposes (most would refer to the

Re: svn commit: r1205423 - in /httpd/httpd/trunk/modules: cache/mod_cache.c mappers/mod_negotiation.c

2011-11-23 Thread Stefan Fritsch
On Wed, 23 Nov 2011, j...@apache.org wrote: Author: jim Date: Wed Nov 23 15:01:42 2011 New Revision: 1205423 URL: http://svn.apache.org/viewvc?rev=1205423view=rev Log: Use ap_pass_brigade_fchk() Modified: httpd/httpd/trunk/modules/cache/mod_cache.c

Icons for 2.4

2011-11-27 Thread Stefan Fritsch
Hi, docs/icons/apache_pb2* contain the version number (2.2), in the case of docs/icons/apache_pb2_ani.gif it's even an animation. Any volunteers for changing these to 2.4? Cheers, Stefan

Re: svn commit: r1205894 - in /httpd/httpd/trunk: include/util_filter.h modules/cache/mod_cache.c server/util_filter.c

2011-11-27 Thread Stefan Fritsch
On Thu, 24 Nov 2011, j...@apache.org wrote: Author: jim Date: Thu Nov 24 15:53:16 2011 New Revision: 1205894 URL: http://svn.apache.org/viewvc?rev=1205894view=rev Log: Use varargs... Modified: httpd/httpd/trunk/include/util_filter.h httpd/httpd/trunk/modules/cache/mod_cache.c

Re: Proposal: error codes

2011-11-27 Thread Stefan Fritsch
On Sunday 27 November 2011, Rich Bowen wrote: At Apachecon several of us were discussing how error messages could be made more helpful without making them paragraphs. Two suggestions were made - adding a URL to the message or adding a number/code to each error that would then be looked up for

Can we be less forgiving about what we accept?

2011-11-27 Thread Stefan Fritsch
Hi, while browsing a bit through Michal Zalewski's new Tangled Web book, I was reminded again that we are very forgiving about what we accept as a request. Is this really a good idea in the time of lots of web security issues? Examples include: * in the request line, the protocol may be

Re: Can we be less forgiving about what we accept?

2011-11-28 Thread Stefan Fritsch
On Monday 28 November 2011, Nick Kew wrote: On 28 Nov 2011, at 00:37, Stefan Fritsch wrote: Hi, while browsing a bit through Michal Zalewski's new Tangled Web book, I was reminded again that we are very forgiving about what we accept as a request. Is this really a good idea

Re: mod_xml2enc comments

2011-11-28 Thread Stefan Fritsch
On Sunday 13 November 2011, Nick Kew wrote: Indeed, checking those return values would be better. May have been lost when I separated out the i18n code from its origins in markup filtering. I have added some error checks and a few ap_asserts(). Do you want to review it before I merge it into

Re: svn commit: r1207721 - in /httpd/httpd/branches/2.4.x: ./ build/rpm/httpd.spec.in

2011-11-29 Thread Stefan Fritsch
On Tuesday 29 November 2011, Igor Galić wrote: I hope that other vendors will pick up our packaging as the canonical way, and improve the way httpd is deployed out there. +1 sf - how are you planning to do this, btw ;) I think we are going to drop the separate MPM packages and build all

Re: Proposal: error codes

2011-11-29 Thread Stefan Fritsch
On Tuesday 29 November 2011, William A. Rowe Jr. wrote: On 11/27/2011 8:34 AM, Rich Bowen wrote: At Apachecon several of us were discussing how error messages could be made more helpful without making them paragraphs. Two suggestions were made - adding a URL to the message or adding a

Re: Test failures and libwww-perl 6.0.3

2011-11-29 Thread Stefan Fritsch
On Tuesday 29 November 2011, Kaspar Brand wrote: On 23.11.2011 15:06, Joe Orton wrote: On Wed, Nov 23, 2011 at 08:37:31AM +0100, Kaspar Brand wrote: There are two approaches to fix 1): a) turn off verify_hostname where needed (t/ssl/pr12355.t and t/ssl/pr43738.t are doing this right now)

Re: mod_xml2enc: warning: variable 'rv' set but not used

2011-11-29 Thread Stefan Fritsch
On Tuesday 29 November 2011, Graham Leggett wrote: Hi all, I've noticed some warnings in mod_xml2enc: mod_xml2enc.c: In function 'fix_skipto': mod_xml2enc.c:123:18: warning: variable 'rv' set but not used [-Wunused-but-set-variable] mod_xml2enc.c: In function 'sniff_encoding':

Re: Error codes

2011-11-29 Thread Stefan Fritsch
On Monday 28 November 2011, Rich Bowen wrote: On Nov 28, 2011, at 11:21 AM, Stefan Fritsch wrote: A question on procedure: Do you want to add all error codes at once and then fill in the descriptions or add the error codes as the documentation evolves? If the former, some scripting would

Re: Error codes

2011-11-30 Thread Stefan Fritsch
On Wednesday 30 November 2011, Guenter Knauf wrote: Am 30.11.2011 01:51, schrieb William A. Rowe Jr.: On 11/29/2011 5:30 PM, Stefan Fritsch wrote: Currently my script produces: http://people.apache.org/~sf/error-msg-numbers.diff http://people.apache.org/~sf/error-msg-numbers.list

Re: Error codes

2011-11-30 Thread Stefan Fritsch
On Wednesday 30 November 2011, Mikhail T. wrote: On 29.11.2011 23:30, William A. Rowe Jr. wrote: But my point remains, that we allocate each module a block of some 50 codes, such that mod_aaa gets AHM-0049 and mod_aab gets 50-99, etc. How will 3rd-party modules be getting their

Re: Proposal: error codes

2011-11-30 Thread Stefan Fritsch
On Wednesday 30 November 2011, Tim Bannister wrote: On 27 Nov 2011, at 17:14, Stefan Fritsch wrote: Yes, that would be a good idea and I agree with Daniel that we should use a distinct prefix or format. We currently have around 2700 calls to *_log_?error in trunk, so a 4-digit number should

Re: Error codes

2011-11-30 Thread Stefan Fritsch
On Wednesday 30 November 2011, Graham Leggett wrote: On 30 Nov 2011, at 9:21 PM, William A. Rowe Jr. wrote: I'm not suggesting changing the alpha prefix. Just block out ranges so that any listing of the codes is grouped by module that emits them. From my experience, any attempt at

Re: svn commit: r1209754 - in /httpd/httpd/trunk/modules/proxy: ./ balancers/

2011-12-02 Thread Stefan Fritsch
On Friday 02 December 2011, Graham Leggett wrote: On 03 Dec 2011, at 12:42 AM, minf...@apache.org wrote: Author: minfrin Date: Fri Dec 2 22:42:39 2011 New Revision: 1209754 URL: http://svn.apache.org/viewvc?rev=1209754view=rev Log: mod_proxy: Make ap_proxy_retry_worker() into

Re: Error codes

2011-12-02 Thread Stefan Fritsch
On Thursday 01 December 2011, Stefan Fritsch wrote: Any more comments/thoughts? As nobody disagreed, this is now in trunk. I intend to commit it to 2.4 tomorrow. It's already a big step forward and the finishing touches can be done in 2.4.1.

Are we there yet?

2011-12-02 Thread Stefan Fritsch
Hi, where are we WRT 2.4? Blockers: mod_proxy_scgi.c needs to be fixed for compilation with C89 (easy) The only blocker left in STATUS is this: * Modules that are not ready for production use must be removed. The same for modules without documentation. I think we have already removed

Re: Are we there yet?

2011-12-04 Thread Stefan Fritsch
On Saturday 03 December 2011, William A. Rowe Jr. wrote: On 12/3/2011 1:32 AM, Gregg L. Smith wrote: On 12/2/2011 3:48 PM, Stefan Fritsch wrote: - the following modules added since 2.2 lack documentation - mod_socache_dbm - mod_socache_memcache - mod_socache_shmcb

Re: svn commit: r1209777 - in /httpd/httpd/branches/2.4.x/include: ap_mmn.h http_log.h

2011-12-04 Thread Stefan Fritsch
On Saturday 03 December 2011, Nick Kew wrote: On 2 Dec 2011, at 23:19, s...@apache.org wrote: Modified: httpd/httpd/branches/2.4.x/include/ap_mmn.h httpd/httpd/branches/2.4.x/include/http_log.h [...] + * 20111202.1 (2.5.0-dev) add APLOGNO() 2.4 or 2.5? Changed it to 2.4. I

Re: Are we there yet?

2011-12-04 Thread Stefan Fritsch
On Sun, 4 Dec 2011, Jim Jagielski wrote: There seems to be a lot of renewed effort in getting 2.4/trunk in a really releasable state, which is all Goodness. Ideally, I'd like to release 2.4.0 before the end of the year, but starting off 2012 with a new httpd release also makes some sense as

Slotmem/socache module names vs. provider names

2011-12-04 Thread Stefan Fritsch
mod_slotmem_plain     plain
mod_slotmem_shm       shared    !
mod_socache_dbm       dbm
mod_socache_dc        dc
mod_socache_memcache  mc        !
mod_socache_shmcb     shmcb
Should we align the provider names with the module names? E.g. change shared to shm and mc to memcache?

Re: Are we there yet?

2011-12-04 Thread Stefan Fritsch
On Sunday 04 December 2011, Jim Jagielski wrote: I also need to look at the event changes as well in trunk to see if they are in 2.4.0 as well (or if they are something we could easily add post 2.4.0)... The event changes in trunk are not ready for 2.4, see

Re: svn commit: r1209766 [9/12] - in /httpd/httpd/trunk: docs/log-message-tags/ modules/aaa/ modules/apreq/ modules/arch/netware/ modules/arch/unix/ modules/arch/win32/ modules/cache/ modules/cluster/

2011-12-07 Thread Stefan Fritsch
On Wednesday 07 December 2011, Kaspar Brand wrote: These changes aren't doing the right thing, I think... both ssl_log_ssl_error() and ssl_log_cert_error() are basically wrappers for ap_log_*(), and are therefore called from various places in mod_ssl - i.e. the messages triggering them should

Re: Time for httpd 2.4.0-RC1 ??

2011-12-12 Thread Stefan Fritsch
On Sunday 11 December 2011, Graham Leggett wrote: On 11 Dec 2011, at 15:01, Jim Jagielski j...@jagunet.com wrote: Now that apu-1.4.1 is close to release, it looks like we are close to being able to have our 1st RC for 2.4.0... My plan is to TR sometime this week... +1. BTW, is there

Re: svn commit: r1210378 - /httpd/httpd/trunk/server/util_expr_eval.c

2011-12-12 Thread Stefan Fritsch
On Tuesday 13 December 2011, Guenter Knauf wrote: Hi Stefan, Am 05.12.2011 10:38, schrieb s...@apache.org: Author: sf Date: Mon Dec 5 09:38:44 2011 New Revision: 1210378 URL: http://svn.apache.org/viewvc?rev=1210378view=rev Log: Fix a few compiler warnings reported by Steffen:

Re: [VOTE] Release 2.3.16-beta as beta

2011-12-18 Thread Stefan Fritsch
On Thursday 15 December 2011, Jim Jagielski wrote: The 2.3.16-beta (prerelease) tarballs are available for download at test: http://httpd.apache.org/dev/dist/ I'm calling a VOTE on releasing these as 2.3.16-beta BETA and, with luck, this IS our last beta and the next release in

Re: Win64 2.3.16 :: build warnings

2011-12-18 Thread Stefan Fritsch
Hi Steffen, On Saturday 17 December 2011, Steffen wrote: Here the Win64 warnings attached. Quite a lot, 442. Most of these are conversions between various integer types. I think the majority of these are in fact correct code. It would be quite a lot of work to fix these and I am not sure

Re: [VOTE] Release 2.3.16-beta as beta

2011-12-18 Thread Stefan Fritsch
On Sunday 18 December 2011, Jim Jagielski wrote: On Dec 18, 2011, at 11:53 AM, Stefan Fritsch wrote: On Thursday 15 December 2011, Jim Jagielski wrote: The 2.3.16-beta (prerelease) tarballs are available for download at test: http://httpd.apache.org/dev/dist/ I'm calling

Re: CVE-2011-3607, int overflow ap_pregsub()

2011-12-22 Thread Stefan Fritsch
On Wed, 21 Dec 2011, Greg Ames wrote: On Tue, Dec 20, 2011 at 4:26 AM, William A. Rowe Jr. wr...@rowe-clan.net wrote: We should come to a conclusion on this. How about this for 2.2.x ? --- server/util.c (revision 1179624) +++ server/util.c (working copy) @@ -82,6 +82,8 @@

Looking for Windows testers for r1225199

2011-12-28 Thread Stefan Fritsch
Hi, Author: sf Date: Wed Dec 28 14:54:49 2011 New Revision: 1225199 URL: http://svn.apache.org/viewvc?rev=1225199view=rev Log: Check during configtest that the directories for error logs exist Testing under Windows is welcome PR: 29941 I think that the combination of

Re: Fwd: svn commit: r1225199 - in /httpd/httpd/trunk: docs/log-message-tags/next-number server/core.c

2011-12-28 Thread Stefan Fritsch
On Wednesday 28 December 2011, Rüdiger Plüm wrote: Author: sf Date: Wed Dec 28 14:54:49 2011 New Revision: 1225199 URL: http://svn.apache.org/viewvc?rev=1225199view=rev Log: Check during configtest that the directories for error logs exist Testing under Windows is welcome PR: 29941

Re: Looking for Windows testers for r1225199

2011-12-28 Thread Stefan Fritsch
On Wednesday 28 December 2011, Mario Brandt wrote: I guess it is now r1225223 ? Yes, r1225199 plus r1225223.

Re: Advanced status table?

2011-12-28 Thread Stefan Fritsch
On Wednesday 28 December 2011, Mario Brandt wrote: Since 2.3.? there is this nice overview table in the server-status page. http://www.images-hack.de/bild.php/15079,statusKCQ3G.png Since it shows the status for apache working with threads, why do I see that only with the event MPM, and not with

Re: 2.3.15 RewriteRule P

2012-01-01 Thread Stefan Fritsch
On Wednesday 16 November 2011, Steffen wrote: What I noticed, it is connecting to a port by a formerly used proxied connection (port 7080 instead of 81); Summary log: [proxy:debug] [pid 8680:tid 2668] proxy_util.c(2140): proxy: HTTP: has acquired connection for (*) [proxy:debug] [pid

Re: [PATCH] mod_mbox: show list name in the h1/

2012-01-02 Thread Stefan Fritsch
On Monday 02 January 2012, Daniel Shahaf wrote: Henri Yandell (Created) (JIRA) wrote on Wed, Dec 21, 2011 at 06:03:30 +: Note list name on mail detail page -- Key: INFRA-4238 URL:

Re: 2.3.15 RewriteRule P

2012-01-02 Thread Stefan Fritsch
On Sun, 1 Jan 2012, Eric Covener wrote: Can anyone more familiar with the code verify this? Steffen, maybe you can try the change and see if it helps? I think there are a few additional wrinkles -- I couldn't repro after this but I'm not confident about what's right with the addr handling:
