Remove all special mod_ssl URIs. This also fixes the bug where
redirecting (.*) will allow an SSL protected page to be viewed without SSL. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@95501 13f79535-47bb-0310-9956-ffa450edef68
4
CHANGES
4
CHANGES
@@ -1,5 +1,9 @@
|
|||||||
Changes with Apache 2.0.37
|
Changes with Apache 2.0.37
|
||||||
|
|
||||||
|
*) Remove all special mod_ssl URIs. This also fixes the bug where
|
||||||
|
redirecting (.*) will allow an SSL protected page to be viewed
|
||||||
|
without SSL. [Ryan Bloom]
|
||||||
|
|
||||||
*) Fix the binary build install script so that the build logic
|
*) Fix the binary build install script so that the build logic
|
||||||
created by "apxs -g" will work when the user has a binary
|
created by "apxs -g" will work when the user has a binary
|
||||||
build. [Jeff Trawick]
|
build. [Jeff Trawick]
|
||||||
|
@@ -583,7 +583,6 @@ static void ssl_register_hooks(apr_pool_t *p)
|
|||||||
ap_hook_post_config (ssl_init_Module, NULL,NULL, APR_HOOK_MIDDLE);
|
ap_hook_post_config (ssl_init_Module, NULL,NULL, APR_HOOK_MIDDLE);
|
||||||
ap_hook_http_method (ssl_hook_http_method, NULL,NULL, APR_HOOK_MIDDLE);
|
ap_hook_http_method (ssl_hook_http_method, NULL,NULL, APR_HOOK_MIDDLE);
|
||||||
ap_hook_default_port (ssl_hook_default_port, NULL,NULL, APR_HOOK_MIDDLE);
|
ap_hook_default_port (ssl_hook_default_port, NULL,NULL, APR_HOOK_MIDDLE);
|
||||||
ap_hook_handler (ssl_hook_Handler, NULL,NULL, APR_HOOK_MIDDLE);
|
|
||||||
ap_hook_pre_config (ssl_hook_pre_config, NULL,NULL, APR_HOOK_MIDDLE);
|
ap_hook_pre_config (ssl_hook_pre_config, NULL,NULL, APR_HOOK_MIDDLE);
|
||||||
ap_hook_child_init (ssl_init_Child, NULL,NULL, APR_HOOK_MIDDLE);
|
ap_hook_child_init (ssl_init_Child, NULL,NULL, APR_HOOK_MIDDLE);
|
||||||
ap_hook_translate_name(ssl_hook_Translate, NULL,NULL, APR_HOOK_MIDDLE);
|
ap_hook_translate_name(ssl_hook_Translate, NULL,NULL, APR_HOOK_MIDDLE);
|
||||||
|
@@ -414,6 +414,7 @@ typedef struct {
|
|||||||
int verify_depth;
|
int verify_depth;
|
||||||
int is_proxy;
|
int is_proxy;
|
||||||
int disabled;
|
int disabled;
|
||||||
|
int non_ssl_request;
|
||||||
} SSLConnRec;
|
} SSLConnRec;
|
||||||
|
|
||||||
typedef struct {
|
typedef struct {
|
||||||
|
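Review bot: The new `non_ssl_request` field at the end of SSLConnRec has no comment, and because it is set in one file (the SSL input filter) and read in another (ssl_hook_ReadReq) its meaning is not recoverable from the header alone; I would declare it as `int non_ssl_request; /* set by the SSL input filter when plain HTTP arrived on the SSL port; ssl_hook_ReadReq answers it with HTTP_BAD_REQUEST */`. The field is only ever tested as a boolean, so the fix depends on SSLConnRec being zero-initialised where it is allocated; presumably that allocation uses apr_pcalloc, but it is not visible here and worth confirming. The struct's opening line is outside the hunk.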
@@ -741,8 +741,17 @@ static apr_status_t ssl_io_input_getline(ssl_io_input_ctx_t *ctx,
|
|||||||
return APR_SUCCESS;
|
return APR_SUCCESS;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/* Just use a simple request. Any request will work for this, because
|
||||||
|
* we use a flag in the conn_rec->conn_vector now. The fake request just
|
||||||
|
* gets the request back to the Apache core so that a response can be sent.
|
||||||
|
*
|
||||||
|
* We should probably use a 0.9 request, but the BIO bucket code is calling
|
||||||
|
* socket_bucket_read one extra time with all 0.9 requests from the client.
|
||||||
|
* Until that is resolved, continue to use a 1.0 request, just like we
|
||||||
|
* always have.
|
||||||
|
*/
|
||||||
#define HTTP_ON_HTTPS_PORT \
|
#define HTTP_ON_HTTPS_PORT \
|
||||||
"GET /mod_ssl:error:HTTP-request HTTP/1.0"
|
"GET / HTTP/1.0"
|
||||||
|
|
||||||
#define HTTP_ON_HTTPS_PORT_BUCKET(alloc) \
|
#define HTTP_ON_HTTPS_PORT_BUCKET(alloc) \
|
||||||
apr_bucket_immortal_create(HTTP_ON_HTTPS_PORT, \
|
apr_bucket_immortal_create(HTTP_ON_HTTPS_PORT, \
|
||||||
@@ -760,6 +769,7 @@ static apr_status_t ssl_io_filter_error(ap_filter_t *f,
|
|||||||
apr_bucket_brigade *bb,
|
apr_bucket_brigade *bb,
|
||||||
apr_status_t status)
|
apr_status_t status)
|
||||||
{
|
{
|
||||||
|
SSLConnRec *sslconn = myConnConfig(f->c);
|
||||||
apr_bucket *bucket;
|
apr_bucket *bucket;
|
||||||
|
|
||||||
switch (status) {
|
switch (status) {
|
||||||
@@ -771,9 +781,11 @@ static apr_status_t ssl_io_filter_error(ap_filter_t *f,
|
|||||||
"trying to send HTML error page");
|
"trying to send HTML error page");
|
||||||
ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, f->c->base_server);
|
ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, f->c->base_server);
|
||||||
|
|
||||||
|
sslconn->non_ssl_request = 1;
|
||||||
|
ssl_io_filter_disable(f);
|
||||||
|
|
||||||
/* fake the request line */
|
/* fake the request line */
|
||||||
bucket = HTTP_ON_HTTPS_PORT_BUCKET(f->c->bucket_alloc);
|
bucket = HTTP_ON_HTTPS_PORT_BUCKET(f->c->bucket_alloc);
|
||||||
ssl_io_filter_disable(f);
|
|
||||||
break;
|
break;
|
||||||
|
|
||||||
default:
|
default:
|
||||||
|
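Review bot: `sslconn` is dereferenced at `sslconn->non_ssl_request = 1;` without a NULL check, while the declaration added earlier in the same function, `SSLConnRec *sslconn = myConnConfig(f->c);`, can in principle yield NULL on a connection with no SSL config; if that cannot happen because this filter is only installed on SSL connections, say so in a comment at the declaration, otherwise guard it with `if (sslconn) sslconn->non_ssl_request = 1;`. The flag assignment also deserves a why-comment, since the reader cannot tell from this file what consumes it: `/* tell ssl_hook_ReadReq to reject the fake request with an error page */`. Moving `ssl_io_filter_disable(f)` ahead of the fake-request bucket looks intentional but is unexplained; a one-line note on the ordering would help. ssl_io_filter_error starts and ends outside the hunk.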
@@ -174,6 +174,34 @@ int ssl_hook_ReadReq(request_rec *r)
|
|||||||
return DECLINED;
|
return DECLINED;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (sslconn->non_ssl_request) {
|
||||||
|
const char *errmsg;
|
||||||
|
char *thisurl;
|
||||||
|
char *thisport = "";
|
||||||
|
int port = ap_get_server_port(r);
|
||||||
|
|
||||||
|
if (!ap_is_default_port(port, r)) {
|
||||||
|
thisport = apr_psprintf(r->pool, ":%u", port);
|
||||||
|
}
|
||||||
|
|
||||||
|
thisurl = ap_escape_html(r->pool,
|
||||||
|
apr_psprintf(r->pool, "https://%s%s/",
|
||||||
|
ap_get_server_name(r),
|
||||||
|
thisport));
|
||||||
|
|
||||||
|
errmsg = apr_psprintf(r->pool,
|
||||||
|
"Reason: You're speaking plain HTTP "
|
||||||
|
"to an SSL-enabled server port.<br />\n"
|
||||||
|
"Instead use the HTTPS scheme to access "
|
||||||
|
"this URL, please.<br />\n"
|
||||||
|
"<blockquote>Hint: "
|
||||||
|
"<a href=\"%s\"><b>%s</b></a></blockquote>",
|
||||||
|
thisurl, thisurl);
|
||||||
|
|
||||||
|
apr_table_setn(r->notes, "error-notes", errmsg);
|
||||||
|
return HTTP_BAD_REQUEST;
|
||||||
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Get the SSL connection structure and perform the
|
* Get the SSL connection structure and perform the
|
||||||
* delayed interlinking from SSL back to request_rec
|
* delayed interlinking from SSL back to request_rec
|
||||||
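Review bot: `port` is declared `int` but formatted with `%u` in `apr_psprintf(r->pool, ":%u", port)`, which is a signed/unsigned mismatch in the format; `apr_port_t port = ap_get_server_port(r);` (or `%d`) removes it, and since the whole error-page block is a line-for-line copy of the body this commit deletes from ssl_hook_Handler, it would read better as a small static helper that ssl_hook_ReadReq calls. The escaped URL is inserted inside a double-quoted `href`, so correctness relies on ap_escape_html escaping `"` as well as `<`, `>` and `&`; because ap_get_server_name can reflect the client's Host header when UseCanonicalName is Off, that behaviour is worth confirming in this tree's util.c. `sslconn` is used here without a NULL check; the `return DECLINED;` just above appears to be the guard for that, but it and the start and end of ssl_hook_ReadReq are outside the hunk.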
@@ -182,13 +210,6 @@ int ssl_hook_ReadReq(request_rec *r)
|
|||||||
SSL_set_app_data2(ssl, r);
|
SSL_set_app_data2(ssl, r);
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
|
||||||
* Force the mod_ssl content handler when URL indicates this
|
|
||||||
*/
|
|
||||||
if (strEQn(r->uri, "/mod_ssl:", 9)) {
|
|
||||||
r->handler = "mod_ssl:content-handler";
|
|
||||||
}
|
|
||||||
|
|
||||||
return DECLINED;
|
return DECLINED;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -264,49 +285,6 @@ int ssl_hook_Translate(request_rec *r)
|
|||||||
return DECLINED;
|
return DECLINED;
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
|
||||||
* Content Handler
|
|
||||||
*/
|
|
||||||
int ssl_hook_Handler(request_rec *r)
|
|
||||||
{
|
|
||||||
if (strNE(r->handler, "mod_ssl:content-handler")) {
|
|
||||||
return DECLINED;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (strNEn(r->uri, "/mod_ssl:", 9)) {
|
|
||||||
return DECLINED;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (strEQ(r->uri, "/mod_ssl:error:HTTP-request")) {
|
|
||||||
const char *errmsg;
|
|
||||||
char *thisurl;
|
|
||||||
char *thisport = "";
|
|
||||||
int port = ap_get_server_port(r);
|
|
||||||
|
|
||||||
if (!ap_is_default_port(port, r)) {
|
|
||||||
thisport = apr_psprintf(r->pool, ":%u", port);
|
|
||||||
}
|
|
||||||
|
|
||||||
thisurl = ap_escape_html(r->pool,
|
|
||||||
apr_psprintf(r->pool, "https://%s%s/",
|
|
||||||
ap_get_server_name(r),
|
|
||||||
thisport));
|
|
||||||
|
|
||||||
errmsg = apr_psprintf(r->pool,
|
|
||||||
"Reason: You're speaking plain HTTP "
|
|
||||||
"to an SSL-enabled server port.<br />\n"
|
|
||||||
"Instead use the HTTPS scheme to access "
|
|
||||||
"this URL, please.<br />\n"
|
|
||||||
"<blockquote>Hint: "
|
|
||||||
"<a href=\"%s\"><b>%s</b></a></blockquote>",
|
|
||||||
thisurl, thisurl);
|
|
||||||
|
|
||||||
apr_table_setn(r->notes, "error-notes", errmsg);
|
|
||||||
}
|
|
||||||
|
|
||||||
return HTTP_BAD_REQUEST;
|
|
||||||
}
|
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Access Handler
|
* Access Handler
|
||||||
*/
|
*/
|
||||||
|