This is a first stab, the checks will likely have to be revised.
For now, we check
* if the request line contains control characters
* if the request uri has fragment or username/password
* that the request method is standard or registered with RegisterHttpMethod
* that the request protocol is of the form HTTP/[1-9]+.[0-9]+,
or missing for 0.9
* if there is garbage in the request line after the protocol
* if any request header contains control characters
* if any request header has an empty name
* for the host name in the URL or Host header:
- if an IPv4 dotted decimal address: Reject octal or hex values, require
exactly four parts
- if a DNS host name: Reject non-alphanumeric characters besides '.' and
'-'. As a side effect, this rejects multiple Host headers.
* if any response header contains control characters
* if any response header has an empty name
* that the Location response header (if present) has a valid scheme and is
absolute
If we have a host name both from the URL and the Host header, we replace the
Host header with the value from the URL to enforce RFC conformance.
There is a log-only mode, but the loglevels of the logged messages need some
thought/work. Currently, the checks for incoming data log for 'core' and the
checks for outgoing data log for 'http'. Maybe we need a way to configure the
loglevels separately from the core/http loglevels.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1426877 13f79535-47bb-0310-9956-ffa450edef68
This reverts r1407643, but changes the syntax of HttpProtocol to
min=0.9|1.0, which is less ambiguous than the previous +0.9|-0.9.
Allowing to configure an arbitrary version range was a bad idea,
because it only checked the version in the request line, without
affecting the semantics of the headers, etc.
A tighter restriction off the version in the request line is still
possible with <If "%{SERVER_PROTOCOL_NUM} ..."> .
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1425366 13f79535-47bb-0310-9956-ffa450edef68
* server/core.c: add 'Warning' directive by extending the 'Error'
directive implementation. The 'Error' behavior is slightly changed
so as to use verbose ap_log_error instead of returning the message.
* docs/manual/mod/core.xml: add documentation for 'Warning'.
* server/config.c: add comment about syntax vs configuration errors.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1418677 13f79535-47bb-0310-9956-ffa450edef68
This is necessary to properly disallow directives that don't work in
<If>.
A separate NOT_IN_IF flag may be nicer, but would create much more
hassle when being backported to 2.4.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1406495 13f79535-47bb-0310-9956-ffa450edef68
other directive notice that they are in a config section.
This fixes LogLevel not working in <If> sections that are not in
Location/Directory/File sections.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1406493 13f79535-47bb-0310-9956-ffa450edef68
excluded from this cleanup as they must be signature identical to the
clib functions, and although the definition of size_t has been flakey,
the definition of those functions appears to be generally clean since
ANSI C.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1228323 13f79535-47bb-0310-9956-ffa450edef68
* start at 0 instead of 1
* don't increment until after pconf cleanups run, in case a
cleanup needs to check the related config generation
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1200147 13f79535-47bb-0310-9956-ffa450edef68
from the parsed (or default) config. This is useful for init scripts that
need to setup temporary directories and permissions, for example if those
temporary directories are located on a ram disk.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1180681 13f79535-47bb-0310-9956-ffa450edef68
use in mod_lbmethod_heartbeat and mod_serf to
- replace some needles use of apr_generate_random_bytes
- remove code duplication
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1171247 13f79535-47bb-0310-9956-ffa450edef68
- add new NOT_IN_HTACCESS flag for ap_check_cmd_context()
- describe the need for this in new_api_2_4.xml
- forbid Define and UnDefine in .htaccess
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1153676 13f79535-47bb-0310-9956-ffa450edef68
