mirror of https://github.com/apache/httpd.git synced 2025-08-05 16:55:50 +03:00

672 Commits

Author SHA1 Message Date
Joe Orton
bb2749fd6e SECURITY (CVE-2014-0117): Fix a crash in mod_proxy. In a reverse
proxy configuration, a remote attacker could send a carefully crafted
request which could crash a server process, resulting in denial of
service.

Thanks to Marek Kroemeke working with HP's Zero Day Initiative for
reporting this issue.

* server/util.c (ap_parse_token_list_strict): New function.

* modules/proxy/proxy_util.c (find_conn_headers): Use it here.

* modules/proxy/mod_proxy_http.c (ap_proxy_http_process_response):
  Send a 400 for a malformed Connection header.

Submitted by: Edward Lu, breser, covener


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1610674 13f79535-47bb-0310-9956-ffa450edef68
2014-07-15 12:27:00 +00:00
Jan Kaluža
c0a52f109d mod_proxy: add ap_proxy_define_match_worker() and use it for ProxyPassMatch
and ProxyMatch section to distinguish between normal workers and workers
with regex substitutions in the name. Implement handling of such workers
in ap_proxy_get_worker(). PR 43513


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1609680 13f79535-47bb-0310-9956-ffa450edef68
2014-07-11 10:36:15 +00:00
Yann Ylavic
4f08f4008a Fix C99 (or later only) comment.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1609101 13f79535-47bb-0310-9956-ffa450edef68
2014-07-09 11:11:23 +00:00
Yann Ylavic
ec95d72c5a mod_proxy: Don't limit the size of the connectable Unix Domain Socket paths.
Since connect() to UDS path is used at several places, introduce
ap_proxy_connect_uds() in proxy_util.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1602989 13f79535-47bb-0310-9956-ffa450edef68
2014-06-16 20:26:24 +00:00
Jim Jagielski
637f263141 revert 1602523, until there is understanding
about what the actual issue and "requirement" are.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1602697 13f79535-47bb-0310-9956-ffa450edef68
2014-06-15 13:54:55 +00:00
Jim Jagielski
74820dfc57 Allow for "magic" scheme "auto" which makes the scheme of
the backend worker match whatever the scheme of the
incoming request was...

For example:

   ProxyPass / auto://foo.example.com/

If the incoming request is http:.../lala then
the resultant will be http://foo.example.com/lala

If it's wws:.../lolo then we'd send
wws://foo.example.com/lolo

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1602523 13f79535-47bb-0310-9956-ffa450edef68
2014-06-13 21:10:51 +00:00
Yann Ylavic
3dd42c024f mod_proxy: follow up to r1601291.
Since deferred_write_pool is needed by the core_output_filter and is a subpool
of the connection, shutdown in a pre_cleanup of the connection's pool to avoid
a freed memory access (SEGV).

Reported By: takashi


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1601630 13f79535-47bb-0310-9956-ffa450edef68
2014-06-10 13:23:20 +00:00
Yann Ylavic
5cc5869ea4 mod_proxy: Shutdown (eg. SSL close notify) the backend connection
before closing.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1601291 13f79535-47bb-0310-9956-ffa450edef68
2014-06-09 01:03:39 +00:00
Yann Ylavic
bac2d32f4c Revert r1601285 and r1601283.
Shouldn't have committed the latter without discussing it on dev@.
Since the former creates upper APLOGNOs, revert and then recommit with the reverted next tag number.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1601290 13f79535-47bb-0310-9956-ffa450edef68
2014-06-09 00:59:04 +00:00
Yann Ylavic
9f43505e4d mod_proxy: Shutdown (eg. close notify) the backend connection before closing.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1601285 13f79535-47bb-0310-9956-ffa450edef68
2014-06-09 00:23:16 +00:00
Jeff Trawick
65341f92bc Follow-up to r1592529:
Define default port for "scgi" schemes (as chosen by
mod_proxy_scgi) in a common location.

Suggested by: jailletc36


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1592615 13f79535-47bb-0310-9956-ffa450edef68
2014-05-05 19:26:33 +00:00
Jeff Trawick
dafc97aa81 mod_proxy_scgi: Support Unix sockets.
ap_proxy_port_of_scheme(): Support default SCGI port (4000).


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1592529 13f79535-47bb-0310-9956-ffa450edef68
2014-05-05 14:02:48 +00:00
Jeff Trawick
a306773aa4 Clarify an existing requirement of the server_portstr parameter
to ap_proxy_determine_connection(): it must be a buffer of at
least one byte in size.

(And don't bother with using strcpy in order to zap a string.)


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1592514 13f79535-47bb-0310-9956-ffa450edef68
2014-05-05 12:47:18 +00:00
Jeff Trawick
19b5b85316 reformat only (get rid of unnecessary block scope)
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1592511 13f79535-47bb-0310-9956-ffa450edef68
2014-05-05 12:40:47 +00:00
Jim Jagielski
2aa898bb2f strncmp(r->filename, "proxy:", 6) is faster than a
note. Plus, allows for checking even if not due to
rewrite.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1588544 13f79535-47bb-0310-9956-ffa450edef68
2014-04-18 19:21:35 +00:00
Yann Ylavic
9ba346e885 mod_proxy: Preserve original request headers even if they differ
from the ones to be forwarded to the backend. PR 45387.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1588527 13f79535-47bb-0310-9956-ffa450edef68
2014-04-18 17:38:15 +00:00
Yann Ylavic
987c973aaa mod_proxy: When ping/pong is configured for a worker, don't send or forward
"100 Continue" (interim) response to the client if it does not
expect one.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1588519 13f79535-47bb-0310-9956-ffa450edef68
2014-04-18 17:17:06 +00:00
Yann Ylavic
1e9f5c99cf mod_proxy: Add comment and avoid ternary operator as condition (no functional change).
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1573229 13f79535-47bb-0310-9956-ffa450edef68
2014-03-01 21:36:27 +00:00
Yann Ylavic
d29ce4b047 mod_proxy: follows up r1572630.
Don't reuse a SSL backend connection with no SNI for a request requiring SNI.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1572967 13f79535-47bb-0310-9956-ffa450edef68
2014-02-28 14:46:50 +00:00
Yann Ylavic
fb3ff3e754 Redo what was reverted in r1572627.
Don't reuse a SSL backend connection whose SNI differs. PR 55782.
This may happen when ProxyPreserveHost is on and the proxy-worker
handles connections to different Hosts.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1572630 13f79535-47bb-0310-9956-ffa450edef68
2014-02-27 15:40:01 +00:00
Yann Ylavic
dc560db2e9 Revert r1572606 for the time being since backport would conflict with 2.4.x's proxy_conn_rec.
The uds_path field is at the end of the struct in 2.4.x but not in trunk.
Fix that first, then recommit.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1572627 13f79535-47bb-0310-9956-ffa450edef68
2014-02-27 15:31:58 +00:00
Yann Ylavic
93a607e6f2 Don't reuse a SSL backend connection whose SNI differs. PR 55782.
This may happen when ProxyPreserveHost is on and the proxy-worker
handles connections to different Hosts.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1572606 13f79535-47bb-0310-9956-ffa450edef68
2014-02-27 14:52:12 +00:00
Yann Ylavic
739dc00ca9 Avoid useless function calls.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1572561 13f79535-47bb-0310-9956-ffa450edef68
2014-02-27 13:39:25 +00:00
Yann Ylavic
42b77650ae Cleanup the client to backend brigade before returning an error (if any) to avoid buckets lifetime issues (backend connection's pool destroyed before request's one). PR 50335.
Suggested by rpluem.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1572543 13f79535-47bb-0310-9956-ffa450edef68
2014-02-27 13:05:24 +00:00
Ruediger Pluem
82bb21ba2e * Do not parse URL in case of regular expression as they likely do not follow
the URL syntax.

PR: 56074


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1564437 13f79535-47bb-0310-9956-ffa450edef68
2014-02-04 19:36:50 +00:00
Jim Jagielski
c9acc73574 r->filename should maintain the proxy: prefix for PHP-FPM
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1561660 13f79535-47bb-0310-9956-ffa450edef68
2014-01-27 13:09:11 +00:00
Jim Jagielski
ee7cbbac67 handle leak. thx to Y^2
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1561137 13f79535-47bb-0310-9956-ffa450edef68
2014-01-24 20:01:47 +00:00
Jim Jagielski
0662e2e64d Reflow logic... pull UDS stuff out
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1560979 13f79535-47bb-0310-9956-ffa450edef68
2014-01-24 13:06:40 +00:00
Jim Jagielski
e614823e31 Tuck away UDS path in request-rec, since worker isn't
thread-safe. Protect from NULL refs.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1560689 13f79535-47bb-0310-9956-ffa450edef68
2014-01-23 14:09:40 +00:00
Jim Jagielski
7651045da6 Adjust url as required, following what we did to r->filename.
Save some cycles when searching...

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1560546 13f79535-47bb-0310-9956-ffa450edef68
2014-01-22 22:26:49 +00:00
Jim Jagielski
72df6b36bf make mod_rewrite and mod_proxy UDS work together...
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1560367 13f79535-47bb-0310-9956-ffa450edef68
2014-01-22 14:54:21 +00:00
Jim Jagielski
0315a2d929 Correct logic... if this is a UDS socket, then bypass all
this.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1543174 13f79535-47bb-0310-9956-ffa450edef68
2013-11-18 21:37:05 +00:00
Jim Jagielski
bb76893cfb We were not being consistent between http and others
if we added the default port or not during the canonizing
phase... Baseline the http method (don't add unless the
port provided isn't the default).

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1542562 13f79535-47bb-0310-9956-ffa450edef68
2013-11-16 20:13:48 +00:00
Jim Jagielski
7634e2e342 UDS urls need to be desockified when configuring...
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1540052 13f79535-47bb-0310-9956-ffa450edef68
2013-11-08 14:30:12 +00:00
Ruediger Pluem
69bc7d594e * Fix logical flaw introduced in r1531340. We checked for the opposite.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1533444 13f79535-47bb-0310-9956-ffa450edef68
2013-10-18 13:30:52 +00:00
Jim Jagielski
d897f098f9 Rüdiger and Yann suggestions
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1533440 13f79535-47bb-0310-9956-ffa450edef68
2013-10-18 13:10:45 +00:00
Jim Jagielski
c418702714 another suggestion by Yann... use a shorter lifetime pool
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1533272 13f79535-47bb-0310-9956-ffa450edef68
2013-10-17 22:04:31 +00:00
Jim Jagielski
b71b312095 typo
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1533170 13f79535-47bb-0310-9956-ffa450edef68
2013-10-17 17:21:37 +00:00
Jim Jagielski
0b4520d54c from an idea by Yann Ylavic <ylavic.dev@gmail.com>
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1533169 13f79535-47bb-0310-9956-ffa450edef68
2013-10-17 17:21:04 +00:00
Jim Jagielski
27b314b4e6 move pool creation to the single instance when we need it...
but be pool aware anyway, just in case.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1533153 13f79535-47bb-0310-9956-ffa450edef68
2013-10-17 16:52:04 +00:00
Jim Jagielski
d152f386a0 Only assume localhost in the special case where the person
just has the lone scheme after the |

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1533113 13f79535-47bb-0310-9956-ffa450edef68
2013-10-17 15:24:44 +00:00
Jim Jagielski
81e827c11c ap_proxy_strncpy should correctly handle src being NULL.
Actually, apr_cpystrn() should as well...

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1533100 13f79535-47bb-0310-9956-ffa450edef68
2013-10-17 15:02:04 +00:00
Jim Jagielski
347c75b3c5 Put the uds path in its own field, and adjust the logic
to look for an empty string rather than a flag.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1533087 13f79535-47bb-0310-9956-ffa450edef68
2013-10-17 14:10:43 +00:00
Jim Jagielski
a00a928dd2 don't use what could have been freed...
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1532507 13f79535-47bb-0310-9956-ffa450edef68
2013-10-15 20:02:30 +00:00
Jim Jagielski
bfa6d07466 Update LOGNO
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1532456 13f79535-47bb-0310-9956-ffa450edef68
2013-10-15 17:45:47 +00:00
Jim Jagielski
9b6fb3d615 Standardize on:
unix:/path/to/socket|scheme://ignored

for ProxyPass UDS.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1532394 13f79535-47bb-0310-9956-ffa450edef68
2013-10-15 15:38:09 +00:00
Jim Jagielski
e8d701a8ed check that we have a pool...
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1531971 13f79535-47bb-0310-9956-ffa450edef68
2013-10-14 16:38:52 +00:00
Jim Jagielski
3af21fb887 Just use the def global... consistency is important
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1531969 13f79535-47bb-0310-9956-ffa450edef68
2013-10-14 16:31:17 +00:00
Jim Jagielski
c984a2e5f3 Ensure that userland format of UDS is the same as how it is
configured, no matter how we store and use it internally.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1531962 13f79535-47bb-0310-9956-ffa450edef68
2013-10-14 16:12:30 +00:00
Jim Jagielski
76927e7a34 clean up socket definition... just the sock: path matters,
and we adjust relative to DefaultRuntimeDir

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1531929 13f79535-47bb-0310-9956-ffa450edef68
2013-10-14 14:59:38 +00:00