This has no security impact since the browser cannot be tricked
into sending arbitrary method strings.
(words from jorton)
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@603346 13f79535-47bb-0310-9956-ffa450edef68
Determined to be not generally exploitable, but a flaw in any case.
PR: 44014
Submitted by: Victor Stinner <victor.stinner inl.fr>
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@600645 13f79535-47bb-0310-9956-ffa450edef68
that the connection is not persistent if the MPM process handling
the request is already exiting when the response header is built.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@594839 13f79535-47bb-0310-9956-ffa450edef68
cross-site scripting flaw because the Expect header error message isn't
escaped. We couldn't find a way that this could be used by an attacker
however, as they can't influence the Expect header a victim will send to a
target site. Thiago agreed and we're therefore not treating this as a
security flaw, but it is a bug that ought to get fixed. I'll add to
STATUS for 1.3/2.0/2.2 shortly for acks.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@394965 13f79535-47bb-0310-9956-ffa450edef68
It still is not 'correct' until REQUEST_CHUNKED_PASS is reimplemented
and passes some chunk headers, since we aren't echoing the entire
request. But it gets me further on testing 1.3 -> 2.0 -> 2.1 -> 2.0 -> 1.3
proxy behaviors.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@208787 13f79535-47bb-0310-9956-ffa450edef68
With Apache 1.3.x, it is a bit simpler as the request does
not go through ap_make_content_type().
Modules can set custom error responses but are not able to
set the charset, so they have to code the charset in the
HTML. Thus, it is useful to preserve 1.3.x behavior exactly.
PR: 26467
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@170354 13f79535-47bb-0310-9956-ffa450edef68
* modules/http/http_protocol.c
(ap_meets_conditions): Allow If-None-Modified and If-Modified-Since
to interact as described in RFC2616, sections 14.26 and 13.3.4.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@153270 13f79535-47bb-0310-9956-ffa450edef68
* Makefile.in: Change order of dependencies to bring in exports.o first so that
we have every symbol 'used' before the linker starts processing.
* build/rules.mk.in: Add a 'program-install' target which just copies httpd.
* server/Makefile.in, modules/http/config2.m4: Add in new file targets.
* NWGNUmakefile, libhttpd.dsp: Blind updates for Netware and Win32. (I tried.)
* server/core.c: Move core_input_filter, net_time_filter, and core_output_filter and all supporting functions to...
* server/core_filters.c (copied): ...here.
* modules/http/http_protocol.c: Move functions from here to there...namely:
* modules/http/byterange_filter.c (copied): Relocate ap_byterange_filter() and
friends.
* modules/http/chunk_filter.c (copied): Relocate chunk_filter().
* modules/http/http_etag.c (copied): Relocate ap_set_etag and ap_make_etag().
* modules/http/http_filters.c (copied): Relocate ap_http_filter(),
ap_http_header_filter(), ap_discard_request_body(), ap_setup_client_block(),
ap_should_client_block(), and ap_get_client_block().
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@106692 13f79535-47bb-0310-9956-ffa450edef68
bottom (APR/system) up -- we can't give the client a 64bit API and
then cast it to 32bits internally without introducing security holes
on other platforms.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@105572 13f79535-47bb-0310-9956-ffa450edef68
ap_http_filter): Use new apr_strtoff() to support request bodies as
large as apr_off_t allows (rather than as large as 'long' allows), and
simplify error handling.
PR: 27866
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@103756 13f79535-47bb-0310-9956-ffa450edef68
themselves during processing of error responses. Enable mod_expires
to use the new hook to include Expires headers in valid error
responses. This addresses an RFC violation. It fixes PRs 19794,
24884, and 25123. [Paul J. Reder]
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@102038 13f79535-47bb-0310-9956-ffa450edef68
As with 1.3, for proxy requests any such field is from the origin
server; otherwise it will have our server info as controlled by
the ServerTokens directive.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@100182 13f79535-47bb-0310-9956-ffa450edef68
this value was ignored in favour of the current time. This meant
that Date headers on proxied requests were rewritten when they
should not have been.
PR: 14376
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@99370 13f79535-47bb-0310-9956-ffa450edef68
Also, uncomment a line of code that the last commit should have uncommented.
Randall found this line and the fix, but I forgot to uncomment this line
along with the fix.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@97179 13f79535-47bb-0310-9956-ffa450edef68