proxy configuration, a remote attacker could send a carefully crafted
request which could crash a server process, resulting in denial of
service.
Thanks to Marek Kroemeke working with HP's Zero Day Initiative for
reporting this issue.
* server/util.c (ap_parse_token_list_strict): New function.
* modules/proxy/proxy_util.c (find_conn_headers): Use it here.
* modules/proxy/mod_proxy_http.c (ap_proxy_http_process_response):
Send a 400 for a malformed Connection header.
Submitted by: Edward Lu, breser, covener
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1610674 13f79535-47bb-0310-9956-ffa450edef68
to the output filters, which is bogus in the proxy case. Create a
clean mapping from APR codes to HTTP status codes, and use it where
needed.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1482522 13f79535-47bb-0310-9956-ffa450edef68
Password hash functions must be expensive in order to be secure. But
if they have to be re-evaluated for every request, performance
suffers.
As a minimal remedy, cache the most recent result for every
connection. This gives a great performance boost if a web browser
does many requests on the same connection with the same
user+password. In principle, this may keep the plain text password
around longer than before. But in practice, there won't be much
difference since user+password can already remain in some unused
data bucket for longer than the request duration.
A proper solution still needs to be found for connections from
proxies which may carry requests for many different users.
While it currently only requires the conn_rec, the new
ap_password_validate() function takes username and request_rec to
allow future extensions, like detection of brute-force attempts.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1427548 13f79535-47bb-0310-9956-ffa450edef68
This is a first stab; the checks will likely have to be revised.
For now, we check
* if the request line contains control characters
* if the request uri has fragment or username/password
* that the request method is standard or registered with RegisterHttpMethod
* that the request protocol is of the form HTTP/[1-9]+.[0-9]+,
or missing for 0.9
* if there is garbage in the request line after the protocol
* if any request header contains control characters
* if any request header has an empty name
* for the host name in the URL or Host header:
- if an IPv4 dotted decimal address: Reject octal or hex values, require
exactly four parts
- if a DNS host name: Reject non-alphanumeric characters besides '.' and
'-'. As a side effect, this rejects multiple Host headers.
* if any response header contains control characters
* if any response header has an empty name
* that the Location response header (if present) has a valid scheme and is
absolute
If we have a host name both from the URL and the Host header, we replace the
Host header with the value from the URL to enforce RFC conformance.
There is a log-only mode, but the loglevels of the logged messages need some
thought/work. Currently, the checks for incoming data log for 'core' and the
checks for outgoing data log for 'http'. Maybe we need a way to configure the
loglevels separately from the core/http loglevels.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1426877 13f79535-47bb-0310-9956-ffa450edef68
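The following is an added example, not httpd's own code: it applies the request-line, host and header checks listed in the commit message above to raw strings and reports the first failure. The method list, the failure strings and the treatment of HTAB in header values are this example's own assumptions, and IPv6 host literals are not handled.

```python
# Added example, not httpd's own code: applies the strict request-line, header and
# host checks listed in the commit message above and reports the first failure.
import re

STANDARD_METHODS = frozenset({"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS",
                              "TRACE", "CONNECT", "PATCH"})    # example's own list
PROTOCOL_RE = re.compile(r"^HTTP/[1-9]+\.[0-9]+$")      # form given in the commit message
DNS_RE = re.compile(r"^[A-Za-z0-9.-]+$")                 # alphanumerics plus '.' and '-'
IPV4_PART_RE = re.compile(r"^(0|[1-9][0-9]{0,2})$")      # decimal only: no 010 (octal), no 0x (hex)

def has_ctl(s, allow_tab=False):
    return any((ord(c) < 0x20 and not (allow_tab and c == "\t")) or ord(c) == 0x7F for c in s)

def valid_host(host):
    parts = host.split(".")
    if host and all(p[:1].isdigit() for p in parts):     # every part starts with a digit: IPv4 literal
        return len(parts) == 4 and all(IPV4_PART_RE.match(p) and int(p) <= 255 for p in parts)
    return bool(host) and DNS_RE.match(host) is not None  # otherwise treat as a DNS name

def check_request_line(line, registered_methods=frozenset()):
    """Return None if the line passes, otherwise the reason a 400 would be sent."""
    if has_ctl(line):
        return "control character in request line"
    parts = line.split(" ")
    if len(parts) == 2:                                    # HTTP/0.9 has no protocol field
        method, uri, proto = parts[0], parts[1], None
    elif len(parts) == 3:
        method, uri, proto = parts
    else:
        return "garbage after protocol" if len(parts) > 3 else "malformed request line"
    if method not in STANDARD_METHODS and method not in registered_methods:
        return "unknown method"
    if proto is not None and not PROTOCOL_RE.match(proto):
        return "bad protocol"
    if "#" in uri:
        return "fragment in request-uri"
    if "://" in uri:                                       # absolute-form URI: check its host
        authority = uri.split("://", 1)[1].split("/", 1)[0]
        if "@" in authority:
            return "userinfo in request-uri"
        if not valid_host(authority.rsplit(":", 1)[0] if ":" in authority else authority):
            return "bad host in request-uri"
    return None

def check_header(name, value):
    if not name:
        return "empty header name"
    if has_ctl(name) or has_ctl(value, allow_tab=True):   # HTAB is legal inside a field value
        return "control character in header"
    return None
```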
of server loading for Apache. So create a struct that
holds some useful data. The hope is that for those
platforms that lack getloadavg(), people will write
replacements.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1389481 13f79535-47bb-0310-9956-ffa450edef68
Be less strict when checking whether Content-Type is set to "application/x-www-form-urlencoded"
when parsing POST data, or we risk losing data with an appended charset.
PR 53698
Reported by: Petter Berntsen < sluggr gmail.com >
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1372054 13f79535-47bb-0310-9956-ffa450edef68
ap_varbuf_pdup(): copying the whole buffer in case strlen ==
AP_VARBUF_UNKNOWN does not make sense as the caller cannot set
the exact buffer size, only a minimum. No API change as previously
the behavior with AP_VARBUF_UNKNOWN was undocumented.
regsub_core(): Checking for vb->buf is useless, it cannot be NULL
unless ap_varbuf_init has not been called.
ap_varbuf_cfg_getline(): Initially, allocate enough memory to hold
an empty line. If strlen == AP_VARBUF_UNKNOWN, use strlen(buf) instead
of undefined behavior.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1359884 13f79535-47bb-0310-9956-ffa450edef68
r904765 only made half of the necessary changes to remove the use
of '&' as an alias for '$0' and allow escaping any character with a
backslash.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1307067 13f79535-47bb-0310-9956-ffa450edef68
excluded from this cleanup as they must be signature identical to the
clib functions, and although the definition of size_t has been flaky,
the definition of those functions appears to be generally clean since
ANSI C.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1228323 13f79535-47bb-0310-9956-ffa450edef68
- Introduce new ap_varbuf_pdup() and ap_varbuf_regsub() functions.
- Fix some bugs in ap_varbuf_strmemcat().
- Make ap_varbuf.buf point to an empty string if no buffer has been allocated
yet.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1176018 13f79535-47bb-0310-9956-ffa450edef68