Password hash functions must be expensive in order to be secure. But
if they have to be re-evaluated for every request, performance
suffers.
As a minimal remedy, cache the most recent result for every
connection. This gives a great performance boost if a web browser
does many requests on the same connection with the same
user+password. In principle, this may keep the plain text password
around longer than before. But in practice, there won't be much
difference since user+password can already remain in some unused
data bucket for longer than the request duration.
A proper solution still needs to be found for connections from
proxies which may carry requests for many different users.
While it currently only requires the conn_rec, the new
ap_password_validate() function takes username and request_rec to
allow future extensions, like detection of brute-force attempts.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1427548 13f79535-47bb-0310-9956-ffa450edef68
This is a first stab, the checks will likely have to be revised.
For now, we check
* if the request line contains control characters
* if the request uri has fragment or username/password
* that the request method is standard or registered with RegisterHttpMethod
* that the request protocol is of the form HTTP/[1-9]+.[0-9]+,
or missing for 0.9
* if there is garbage in the request line after the protocol
* if any request header contains control characters
* if any request header has an empty name
* for the host name in the URL or Host header:
- if an IPv4 dotted decimal address: Reject octal or hex values, require
exactly four parts
- if a DNS host name: Reject non-alphanumeric characters besides '.' and
'-'. As a side effect, this rejects multiple Host headers.
* if any response header contains control characters
* if any response header has an empty name
* that the Location response header (if present) has a valid scheme and is
absolute
If we have a host name both from the URL and the Host header, we replace the
Host header with the value from the URL to enforce RFC conformance.
There is a log-only mode, but the loglevels of the logged messages need some
thought/work. Currently, the checks for incoming data log for 'core' and the
checks for outgoing data log for 'http'. Maybe we need a way to configure the
loglevels separately from the core/http loglevels.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1426877 13f79535-47bb-0310-9956-ffa450edef68
of server loading for Apache. So create a struct that
holds some useful data. The hope is that for those
platforms that lack getloadavg(), people will write
replacements.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1389481 13f79535-47bb-0310-9956-ffa450edef68
Be less strict when checking whether Content-Type is set to "application/x-www-form-urlencoded"
when parsing POST data, or we risk losing data with an appended charset.
PR 53698
Reported by: Petter Berntsen < sluggr gmail.com >
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1372054 13f79535-47bb-0310-9956-ffa450edef68
ap_varbuf_pdup(): copying the whole buffer in case strlen ==
AP_VARBUF_UNKNOWN does not make sense as the caller can not set
the exact buffer size, only a minimum. No API change as previously
the behavior with AP_VARBUF_UNKNOWN was undocumented.
regsub_core(): Checking for vb->buf is useless, it cannot be NULL
unless ap_varbuf_init has not been called.
ap_varbuf_cfg_getline(): Initially, allocate enough memory to hold
an empty line. If strlen == AP_VARBUF_UNKNOWN, use strlen(buf) instead
of undefined behavior.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1359884 13f79535-47bb-0310-9956-ffa450edef68
r904765 only made half of the necessary changes to remove the use
of '&' as an alias for '$0' and allow to escape any character with a
backslash.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1307067 13f79535-47bb-0310-9956-ffa450edef68
excluded from this cleanup as they must be signature identical to the
clib functions, and although the definition of size_t has been flakey,
the definition of those functions appears to be generally clean since
ANSI C.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1228323 13f79535-47bb-0310-9956-ffa450edef68
- Introduce new ap_varbuf_pdup() and ap_varbuf_regsub() functions.
- Fix some bugs in ap_varbuf_strmemcat().
- Make ap_varbuf.buf point to an empty string if no buffer has been allocated,
yet.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1176018 13f79535-47bb-0310-9956-ffa450edef68
situations. Use them in most places where malloc, and friends are used.
This results in clean error messages in an out of memory situation instead of
segfaulting or silently malfunctioning. In some places, it just allows to
remove some logging code.
PR 51568, PR 51569, PR 51571.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1172686 13f79535-47bb-0310-9956-ffa450edef68
Increase length limit of lines in the configuration file to 16MB.
Increase length limit of lines in the group file to 16MB.
PR: 45888, 50824, 43084
Windows and Netware build changes are untested.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1157354 13f79535-47bb-0310-9956-ffa450edef68
everywhere.
We know that the core module has module_index 0. Therefore we can save
some pointer operations in ap_get_module_config(cv, &core_module) and
ap_set_module_config(cv, &core_module, val). As these are called rather often,
this may actually have some (small) measurable effect.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1132781 13f79535-47bb-0310-9956-ffa450edef68
Also:
- Make ap_cfg_getline() return APR_ENOSPC if a config line is too long.
- Add ap_pcfg_strerror() function to convert ap_cfg_getline's return value
into a nice message.
- Adjust definition of ap_configfile_t accordingly.
Not bumping MMN because it has already been bumped today.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1086756 13f79535-47bb-0310-9956-ffa450edef68
in request URL path info but not decode them. Change behavior of option
"On" to decode the encoded slashes as 2.0 and 2.2 do. PR 35256,
PR 46830.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1082196 13f79535-47bb-0310-9956-ffa450edef68
