Return-Path: 
 <cvs-return-28926-apmail-httpd-cvs-archive=httpd.apache.org@httpd.apache.org>
Delivered-To: apmail-httpd-cvs-archive@www.apache.org
Received: (qmail 37357 invoked from network); 4 Jan 2008 10:04:29 -0000
Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.2)
  by minotaur.apache.org with SMTP; 4 Jan 2008 10:04:29 -0000
Received: (qmail 69060 invoked by uid 500); 4 Jan 2008 10:04:18 -0000
Delivered-To: apmail-httpd-cvs-archive@httpd.apache.org
Received: (qmail 69011 invoked by uid 500); 4 Jan 2008 10:04:18 -0000
Mailing-List: contact cvs-help@httpd.apache.org; run by ezmlm
Precedence: bulk
Reply-To: dev@httpd.apache.org
list-help: <mailto:cvs-help@httpd.apache.org>
list-unsubscribe: <mailto:cvs-unsubscribe@httpd.apache.org>
List-Post: <mailto:cvs@httpd.apache.org>
List-Id: <cvs.httpd.apache.org>
Delivered-To: mailing list cvs@httpd.apache.org
Received: (qmail 69000 invoked by uid 99); 4 Jan 2008 10:04:18 -0000
Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136)
    by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 04 Jan 2008 02:04:18 -0800
X-ASF-Spam-Status: No, hits=-100.0 required=10.0
	tests=ALL_TRUSTED
X-Spam-Check-By: apache.org
Received: from [140.211.11.3] (HELO eris.apache.org) (140.211.11.3)
    by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 04 Jan 2008 10:03:53 +0000
Received: by eris.apache.org (Postfix, from userid 65534)
	id F28621A9832; Fri,  4 Jan 2008 02:03:53 -0800 (PST)
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: svn commit: r608787 - in /httpd/httpd/branches/2.2.x: CHANGES STATUS
 modules/ssl/ssl_engine_io.c
Date: Fri, 04 Jan 2008 10:03:53 -0000
To: cvs@httpd.apache.org
From: jorton@apache.org
X-Mailer: svnmailer-1.0.8
Message-Id: <20080104100353.F28621A9832@eris.apache.org>
X-Virus-Checked: Checked by ClamAV on apache.org

Author: jorton
Date: Fri Jan  4 02:03:49 2008
New Revision: 608787

URL: http://svn.apache.org/viewvc?rev=608787&view=rev
Log:
Merge r591393 from trunk:

Fix handling of buffered request body for per-location SSL
renegotiation when an internal redirect occurs:

* modules/ssl/ssl_engine_io.c (ssl_io_buffer_fill): Remove
protocol-level filters before inserting the buffering filter.
(ssl_io_filter_buffer): Return an EOS if invoked with an empty
brigade; do not remove the filter after exhausting the buffer.
(ssl_io_filter_buffer): Increase the type of the buffer filter to be
AP_FTYPE_PROTOCOL.

PR: 43738
Reviewed by: rpluem, wrowe, jorton

Modified:
    httpd/httpd/branches/2.2.x/CHANGES
    httpd/httpd/branches/2.2.x/STATUS
    httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_io.c

Modified: httpd/httpd/branches/2.2.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/CHANGES?rev=608787&r1=608786&r2=608787&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.2.x/CHANGES [utf-8] Fri Jan  4 02:03:49 2008
@@ -28,6 +28,10 @@
      and etag. PR 44152.
      [Michael Clark <michael metaparadigm.com>, Ruediger Pluem]
 
+  *) mod_ssl: Fix handling of the buffered request body during a per-location
+     renegotiation, when an internal redirect occurs.  PR 43738.
+     [Joe Orton]
+
   *) mod_ldap: Try to establish a new backend LDAP connection when the
      Microsoft LDAP client library returns LDAP_UNAVAILABLE, e.g. after the
      LDAP server has closed the connection due to a timeout.

Modified: httpd/httpd/branches/2.2.x/STATUS
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/STATUS?rev=608787&r1=608786&r2=608787&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/STATUS (original)
+++ httpd/httpd/branches/2.2.x/STATUS Fri Jan  4 02:03:49 2008
@@ -138,14 +138,6 @@
      rpluem: I am +1 once we have a confirmation from Werner that this patch fixes
      his problem as this patch has some differences to his original patch.
 
-  * mod_ssl: Fix handling of buffered request body for per-location SSL
-    renegotiation when an internal redirect occurs. PR 43738. [Joe Orton]
-      Trunk version of patch:
-         http://svn.apache.org/viewvc?rev=591393&view=rev
-      Backport version for 2.2.x of patch:
-         Trunk version of patch works
-      +1: rpluem, wrowe
-
   * various modules: Silence some compiler warnings
       Trunk version of patch:
          http://svn.apache.org/viewvc?rev=599651&view=rev

Modified: httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_io.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_io.c?rev=608787&r1=608786&r2=608787&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_io.c (original)
+++ httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_io.c Fri Jan  4 02:03:49 2008
@@ -1541,14 +1541,25 @@
 
     apr_brigade_destroy(tempb);
 
-    /* Insert the filter which will supply the buffered data. */
+    /* After consuming all protocol-level input, remove all protocol-level
+     * filters.  It should strictly only be necessary to remove filters
+     * at exactly ftype == AP_FTYPE_PROTOCOL, since this filter will 
+     * precede all > AP_FTYPE_PROTOCOL anyway. */
+    while (r->proto_input_filters->frec->ftype < AP_FTYPE_CONNECTION) {
+        ap_remove_input_filter(r->proto_input_filters);
+    }
+
+    /* Insert the filter which will supply the buffered content. */
     ap_add_input_filter(ssl_io_buffer, ctx, r, c);
 
     return 0;
 }
 
 /* This input filter supplies the buffered request body to the caller
- * from the brigade stored in f->ctx. */
+ * from the brigade stored in f->ctx.  Note that the placement of this
+ * filter in the filter stack is important; it must be the first
+ * r->proto_input_filter; lower-typed filters will not be preserved
+ * across internal redirects (see PR 43738).  */
 static apr_status_t ssl_io_filter_buffer(ap_filter_t *f,
                                          apr_bucket_brigade *bb,
                                          ap_input_mode_t mode,
@@ -1567,6 +1578,19 @@
         return APR_ENOTIMPL;
     }
 
+    if (APR_BRIGADE_EMPTY(ctx->bb)) {
+        /* Suprisingly (and perhaps, wrongly), the request body can be
+         * pulled from the input filter stack more than once; a
+         * handler may read it, and ap_discard_request_body() will
+         * attempt to do so again after *every* request.  So input
+         * filters must be prepared to give up an EOS if invoked after
+         * initially reading the request. The HTTP_IN filter does this
+         * with its ->eos_sent flag. */
+
+        APR_BRIGADE_INSERT_TAIL(bb, apr_bucket_eos_create(f->c->bucket_alloc));
+        return APR_SUCCESS;
+    }
+
     if (mode == AP_MODE_READBYTES) {
         apr_bucket *e;
 
@@ -1621,8 +1645,9 @@
         }
 
         ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, f->c,
-                      "buffered SSL brigade now exhausted; removing filter");
-        ap_remove_input_filter(f);
+                      "buffered SSL brigade exhausted");
+        /* Note that the filter must *not* be removed here; it may be
+         * invoked again, see comment above. */
     }
 
     return APR_SUCCESS;
@@ -1694,7 +1719,7 @@
     ap_register_input_filter  (ssl_io_filter, ssl_io_filter_input,  NULL, AP_FTYPE_CONNECTION + 5);
     ap_register_output_filter (ssl_io_filter, ssl_io_filter_output, NULL, AP_FTYPE_CONNECTION + 5);
 
-    ap_register_input_filter  (ssl_io_buffer, ssl_io_filter_buffer, NULL, AP_FTYPE_PROTOCOL - 1);
+    ap_register_input_filter  (ssl_io_buffer, ssl_io_filter_buffer, NULL, AP_FTYPE_PROTOCOL);
 
     return;
 }