www/apache
1
0
Fork 0
mirror of https://github.com/apache/httpd.git synced 2025-08-08 15:02:10 +03:00
Code Activity

Remove all special mod_ssl URIs. This also fixes the bug where

Browse Source 
redirecting (.*) will allow an SSL protected page to be viewed
without SSL.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@95501 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Ryan Bloom
2002-06-04 07:12:26 +00:00
parent fcb0beca86
commit 37f858acc6
5 changed files with 47 additions and 53 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
CHANGES
View File

@@ -1,5 +1,9 @@
Changes with Apache 2.0.37
*) Remove all special mod_ssl URIs. This also fixes the bug where
redirecting (.*) will allow an SSL protected page to be viewed
without SSL. [Ryan Bloom]
*) Fix the binary build install script so that the build logic
created by "apxs -g" will work when the user has a binary
build. [Jeff Trawick]

1
modules/ssl/mod_ssl.c
View File

@@ -583,7 +583,6 @@ static void ssl_register_hooks(apr_pool_t *p)
ap_hook_post_config (ssl_init_Module, NULL,NULL, APR_HOOK_MIDDLE);
ap_hook_http_method (ssl_hook_http_method, NULL,NULL, APR_HOOK_MIDDLE);
ap_hook_default_port (ssl_hook_default_port, NULL,NULL, APR_HOOK_MIDDLE);
ap_hook_handler (ssl_hook_Handler, NULL,NULL, APR_HOOK_MIDDLE);
ap_hook_pre_config (ssl_hook_pre_config, NULL,NULL, APR_HOOK_MIDDLE);
ap_hook_child_init (ssl_init_Child, NULL,NULL, APR_HOOK_MIDDLE);
ap_hook_translate_name(ssl_hook_Translate, NULL,NULL, APR_HOOK_MIDDLE);

1
modules/ssl/mod_ssl.h
View File

@@ -414,6 +414,7 @@ typedef struct {
int verify_depth;
int is_proxy;
int disabled;
int non_ssl_request;
} SSLConnRec;
typedef struct {

16
modules/ssl/ssl_engine_io.c
View File

@@ -741,8 +741,17 @@ static apr_status_t ssl_io_input_getline(ssl_io_input_ctx_t *ctx,
return APR_SUCCESS;
}
/* Just use a simple request. Any request will work for this, because
* we use a flag in the conn_rec->conn_vector now. The fake request just
* gets the request back to the Apache core so that a response can be sent.
*
* We should probably use a 0.9 request, but the BIO bucket code is calling
* socket_bucket_read one extra time with all 0.9 requests from the client.
* Until that is resolved, continue to use a 1.0 request, just like we
* always have.
*/
#define HTTP_ON_HTTPS_PORT \
"GET /mod_ssl:error:HTTP-request HTTP/1.0"
"GET / HTTP/1.0"
#define HTTP_ON_HTTPS_PORT_BUCKET(alloc) \
apr_bucket_immortal_create(HTTP_ON_HTTPS_PORT, \
@@ -760,6 +769,7 @@ static apr_status_t ssl_io_filter_error(ap_filter_t *f,
apr_bucket_brigade *bb,
apr_status_t status)
{
SSLConnRec *sslconn = myConnConfig(f->c);
apr_bucket *bucket;
switch (status) {
@@ -771,9 +781,11 @@ static apr_status_t ssl_io_filter_error(ap_filter_t *f,
"trying to send HTML error page");
ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, f->c->base_server);
sslconn->non_ssl_request = 1;
ssl_io_filter_disable(f);
/* fake the request line */
bucket = HTTP_ON_HTTPS_PORT_BUCKET(f->c->bucket_alloc);
ssl_io_filter_disable(f);
break;
default:

78
modules/ssl/ssl_engine_kernel.c
View File

@@ -174,6 +174,34 @@ int ssl_hook_ReadReq(request_rec *r)
return DECLINED;
}
if (sslconn->non_ssl_request) {
const char *errmsg;
char *thisurl;
char *thisport = "";
int port = ap_get_server_port(r);
if (!ap_is_default_port(port, r)) {
thisport = apr_psprintf(r->pool, ":%u", port);
}
thisurl = ap_escape_html(r->pool,
apr_psprintf(r->pool, "https://%s%s/",
ap_get_server_name(r),
thisport));
errmsg = apr_psprintf(r->pool,
"Reason: You're speaking plain HTTP "
"to an SSL-enabled server port.<br />\n"
"Instead use the HTTPS scheme to access "
"this URL, please.<br />\n"
"<blockquote>Hint: "
"<a href=\"%s\"><b>%s</b></a></blockquote>",
thisurl, thisurl);
apr_table_setn(r->notes, "error-notes", errmsg);
return HTTP_BAD_REQUEST;
}
/*
* Get the SSL connection structure and perform the
* delayed interlinking from SSL back to request_rec
@@ -182,13 +210,6 @@ int ssl_hook_ReadReq(request_rec *r)
SSL_set_app_data2(ssl, r);
}
/*
* Force the mod_ssl content handler when URL indicates this
*/
if (strEQn(r->uri, "/mod_ssl:", 9)) {
r->handler = "mod_ssl:content-handler";
}
return DECLINED;
}
@@ -264,49 +285,6 @@ int ssl_hook_Translate(request_rec *r)
return DECLINED;
}
/*
* Content Handler
*/
int ssl_hook_Handler(request_rec *r)
{
if (strNE(r->handler, "mod_ssl:content-handler")) {
return DECLINED;
}
if (strNEn(r->uri, "/mod_ssl:", 9)) {
return DECLINED;
}
if (strEQ(r->uri, "/mod_ssl:error:HTTP-request")) {
const char *errmsg;
char *thisurl;
char *thisport = "";
int port = ap_get_server_port(r);
if (!ap_is_default_port(port, r)) {
thisport = apr_psprintf(r->pool, ":%u", port);
}
thisurl = ap_escape_html(r->pool,
apr_psprintf(r->pool, "https://%s%s/",
ap_get_server_name(r),
thisport));
errmsg = apr_psprintf(r->pool,
"Reason: You're speaking plain HTTP "
"to an SSL-enabled server port.<br />\n"
"Instead use the HTTPS scheme to access "
"this URL, please.<br />\n"
"<blockquote>Hint: "
"<a href=\"%s\"><b>%s</b></a></blockquote>",
thisurl, thisurl);
apr_table_setn(r->notes, "error-notes", errmsg);
}
return HTTP_BAD_REQUEST;
}
/*
* Access Handler
*/