of the backend connection, instead of misusing the pool of the frontend
request. Fixes a thread safety issue where buckets set aside in the
backend connection leak into other threads, and then disappear when
the frontend request is cleaned up, in turn causing corrupted buckets
to make other threads spin.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1055250 13f79535-47bb-0310-9956-ffa450edef68
2.2.x: If the SSL handshake to the backend fails we cannot even
send an HTTP request. So the check needs to happen already when
we send data, not when we receive data.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1053584 13f79535-47bb-0310-9956-ffa450edef68
to the pool we can no longer rely on it as another thread could have leased
the connection in the meantime and might have modified it.
BUT: We only use this flag once we returned the connection to the pool.
So signal that we returned the connection to the pool by something that is
local to the thread, in this case set backend to NULL if we already have
returned the connection.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1052314 13f79535-47bb-0310-9956-ffa450edef68
failed such that mod_proxy can put the worker in error state.
PR: 50332
Submitted by: Daniel Ruggeri <DRuggeri primary.net>
Reviewed by: rpluem
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1039304 13f79535-47bb-0310-9956-ffa450edef68
any buckets still outstanding to ensure they've been copied out of the
backend connection's pool and it is safe to release the backend connection.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1035605 13f79535-47bb-0310-9956-ffa450edef68
early by forcing a setaside on transient buckets placed in the brigade
by mod_ssl. This has the effect of extending the lifetime of buckets until
the end of the request. This is a variation on the original fix for this
problem, which added transient buckets to be setaside later in the process.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1035504 13f79535-47bb-0310-9956-ffa450edef68
from the origin server
apr_date_checkmask() already verified the expected text and digit
positions; all that is needed is to cheaply find which digits
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@999694 13f79535-47bb-0310-9956-ffa450edef68
canon function and use that for the 100-Continue OK
check.
Should likely also start using this in the various
other places we do this "have body" check throughout
the codebase...
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@986699 13f79535-47bb-0310-9956-ffa450edef68
be more safe on different platforms.
Note: This commit has an additional, platform-independent change to
mark the back-end connection for closing ("backend->close = 1;").
That code is not required to resolve CVE-2010-2068 on any platform.
PR: 49417
Addresses CVE-2010-2068
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@953418 13f79535-47bb-0310-9956-ffa450edef68
from a reverse proxied URL, that the subrequest respects the status
of the original request. This brings the behaviour of proxy_handler
in line with default_handler. PR 47106.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@909899 13f79535-47bb-0310-9956-ffa450edef68
* modules/proxy/mod_proxy_http.c (stream_reqbody_cl): Specify the base
passed to apr_strtoff, and validate the Content-Length in the same
way the HTTP_IN filter does. If the number of bytes streamed
exceeds the expected body length, bail out of the loop.
Thanks to: Toadie <toadie643 gmail.com> for reporting and diagnosis of
this issue.
Submitted by: niq, jorton
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@790587 13f79535-47bb-0310-9956-ffa450edef68
stricter checking of remote server certificates.
(docs/manual/mod/mod_ssl.xml)
Documentation of SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN.
(modules/proxy/mod_proxy_http.c)
Set the hostname of the request URL as note on the connection.
(modules/ssl/ssl_private.h)
Add proxy_ssl_check_peer_expire and proxy_ssl_check_peer_cn fields to
the SSLSrvConfigRec.
(modules/ssl/ssl_engine_config.c)
Directives stuff for SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN.
(modules/ssl/ssl_engine_io.c)
Check whether the remote server's certificate is expired / if there is a
mismatch between the requested hostname and the remote server certificate's
CN field.
Be able to parse ASN1 times.
(modules/ssl/mod_ssl.c)
Directives stuff for SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@760866 13f79535-47bb-0310-9956-ffa450edef68
backend connection bucket allocator and front end connection bucket allocator.
Instead copy the buckets from the backend over to ones that have been created
using the front end bucket allocator. For metabuckets this is done by recreating
them, for data buckets this is done by reading them and putting the read data
in a transient bucket.
PR: 45792
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@712375 13f79535-47bb-0310-9956-ffa450edef68
pooled connections if the client connection is an initial connection.
This avoids the "proxy: error reading status line from remote server"
error caused by the race condition that the backend server closed the
connection after the connection check on our side and before our data
reached the backend. Yes, this downgrades performance, especially with
HTTP/1.0 clients. Hence it is configurable and off by default.
PR: 37770
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@684351 13f79535-47bb-0310-9956-ffa450edef68