www/apache
1
0
Fork 0
mirror of https://github.com/apache/httpd.git synced 2025-08-08 15:02:10 +03:00
Code Activity

When receiving http on https, send the error response with http 1.0

Browse Source 
It is important that we send a proper error status, or search engines
may index the error message.
    
PR: 50823


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1328325 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Stefan Fritsch
2012-04-20 11:21:12 +00:00
parent 51504f8202
commit 43d54ae919
4 changed files with 28 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
CHANGES
View File

@@ -1,6 +1,9 @@
-*- coding: utf-8 -*- -*- coding: utf-8 -*-
Changes with Apache 2.5.0 Changes with Apache 2.5.0
*) mod_ssl: Send the error message for speaking http to an https port using
HTTP/1.0 instead of HTTP/0.9. PR 50823. [Stefan Fritsch]
*) mod_authz_core: Fix parsing of Require arguments in <AuthzProviderAlias>. *) mod_authz_core: Fix parsing of Require arguments in <AuthzProviderAlias>.
PR 53048. [Stefan Fritsch] PR 53048. [Stefan Fritsch]

22
modules/ssl/ssl_engine_io.c
View File

@@ -813,12 +813,12 @@ static apr_status_t ssl_filter_write(ap_filter_t *f,
/* Just use a simple request. Any request will work for this, because /* Just use a simple request. Any request will work for this, because
* we use a flag in the conn_rec->conn_vector now. The fake request just * we use a flag in the conn_rec->conn_vector now. The fake request just
* gets the request back to the Apache core so that a response can be sent. * gets the request back to the Apache core so that a response can be sent.
* * Since we use an HTTP/1.x request, we also have to inject the empty line
* To avoid calling back for more data from the socket, use an HTTP/0.9 * that terminates the headers, or the core will read more data from the
* request, and tack on an EOS bucket. * socket.
*/ */
#define HTTP_ON_HTTPS_PORT \ #define HTTP_ON_HTTPS_PORT \
"GET /" CRLF "GET / HTTP/1.0" CRLF
#define HTTP_ON_HTTPS_PORT_BUCKET(alloc) \ #define HTTP_ON_HTTPS_PORT_BUCKET(alloc) \
apr_bucket_immortal_create(HTTP_ON_HTTPS_PORT, \ apr_bucket_immortal_create(HTTP_ON_HTTPS_PORT, \
@@ -848,6 +848,7 @@ static apr_status_t ssl_io_filter_error(ap_filter_t *f,
{ {
SSLConnRec *sslconn = myConnConfig(f->c); SSLConnRec *sslconn = myConnConfig(f->c);
apr_bucket *bucket; apr_bucket *bucket;
int send_eos = 1;
switch (status) { switch (status) {
case MODSSL_ERROR_HTTP_ON_HTTPS: case MODSSL_ERROR_HTTP_ON_HTTPS:
@@ -857,11 +858,12 @@ static apr_status_t ssl_io_filter_error(ap_filter_t *f,
"trying to send HTML error page"); "trying to send HTML error page");
ssl_log_ssl_error(SSLLOG_MARK, APLOG_INFO, sslconn->server); ssl_log_ssl_error(SSLLOG_MARK, APLOG_INFO, sslconn->server);
sslconn->non_ssl_request = 1; sslconn->non_ssl_request = NON_SSL_SEND_HDR_SEP;
ssl_io_filter_disable(sslconn, f); ssl_io_filter_disable(sslconn, f);
/* fake the request line */ /* fake the request line */
bucket = HTTP_ON_HTTPS_PORT_BUCKET(f->c->bucket_alloc); bucket = HTTP_ON_HTTPS_PORT_BUCKET(f->c->bucket_alloc);
send_eos = 0;
break; break;
case MODSSL_ERROR_BAD_GATEWAY: case MODSSL_ERROR_BAD_GATEWAY:
@@ -877,9 +879,10 @@ static apr_status_t ssl_io_filter_error(ap_filter_t *f,
} }
APR_BRIGADE_INSERT_TAIL(bb, bucket); APR_BRIGADE_INSERT_TAIL(bb, bucket);
if (send_eos) {
bucket = apr_bucket_eos_create(f->c->bucket_alloc); bucket = apr_bucket_eos_create(f->c->bucket_alloc);
APR_BRIGADE_INSERT_TAIL(bb, bucket); APR_BRIGADE_INSERT_TAIL(bb, bucket);
}
return APR_SUCCESS; return APR_SUCCESS;
} }
@@ -1282,6 +1285,13 @@ static apr_status_t ssl_io_filter_input(ap_filter_t *f,
} }
if (!inctx->ssl) { if (!inctx->ssl) {
SSLConnRec *sslconn = myConnConfig(f->c);
if (sslconn->non_ssl_request == NON_SSL_SEND_HDR_SEP) {
apr_bucket *bucket = apr_bucket_immortal_create(CRLF, 2, f->c->bucket_alloc);
APR_BRIGADE_INSERT_TAIL(bb, bucket);
sslconn->non_ssl_request = NON_SSL_SET_ERROR_MSG;
return APR_SUCCESS;
}
return ap_get_brigade(f->next, bb, mode, block, readbytes); return ap_get_brigade(f->next, bb, mode, block, readbytes);
} }

5
modules/ssl/ssl_engine_kernel.c
View File

@@ -140,7 +140,7 @@ int ssl_hook_ReadReq(request_rec *r)
return DECLINED; return DECLINED;
} }
if (sslconn->non_ssl_request) { if (sslconn->non_ssl_request == NON_SSL_SET_ERROR_MSG) {
const char *errmsg; const char *errmsg;
char *thisurl; char *thisurl;
char *thisport = ""; char *thisport = "";
@@ -169,8 +169,7 @@ int ssl_hook_ReadReq(request_rec *r)
/* Now that we have caught this error, forget it. we are done /* Now that we have caught this error, forget it. we are done
* with using SSL on this request. * with using SSL on this request.
*/ */
sslconn->non_ssl_request = 0; sslconn->non_ssl_request = NON_SSL_OK;
return HTTP_BAD_REQUEST; return HTTP_BAD_REQUEST;
} }

6
modules/ssl/ssl_private.h
View File

@@ -454,7 +454,11 @@ typedef struct {
int verify_depth; int verify_depth;
int is_proxy; int is_proxy;
int disabled; int disabled;
int non_ssl_request; enum {
NON_SSL_OK = 0, /* is SSL request, or error handling completed */
NON_SSL_SEND_HDR_SEP, /* Need to send the header separator */
NON_SSL_SET_ERROR_MSG /* Need to set the error message */
} non_ssl_request;
/* Track the handshake/renegotiation state for the connection so /* Track the handshake/renegotiation state for the connection so
* that all client-initiated renegotiations can be rejected, as a * that all client-initiated renegotiations can be rejected, as a