httpd-cvs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From s.@apache.org
Subject svn commit: r1328325 - in /httpd/httpd/trunk: CHANGES modules/ssl/ssl_engine_io.c modules/ssl/ssl_engine_kernel.c modules/ssl/ssl_private.h
Date Fri, 20 Apr 2012 11:21:13 GMT
Author: sf
Date: Fri Apr 20 11:21:12 2012
New Revision: 1328325

URL: http://svn.apache.org/viewvc?rev=1328325&view=rev
Log:
When receiving http on https, send the error response with http 1.0
    
It is important that we send a proper error status, or search engines
may index the error message.
    
PR: 50823

Modified:
    httpd/httpd/trunk/CHANGES
    httpd/httpd/trunk/modules/ssl/ssl_engine_io.c
    httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
    httpd/httpd/trunk/modules/ssl/ssl_private.h

Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=1328325&r1=1328324&r2=1328325&view=diff
==============================================================================
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Fri Apr 20 11:21:12 2012
@@ -1,6 +1,9 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.5.0
 
+  *) mod_ssl: Send the error message for speaking http to an https port using
+     HTTP/1.0 instead of HTTP/0.9. PR 50823. [Stefan Fritsch]
+
   *) mod_authz_core: Fix parsing of Require arguments in <AuthzProviderAlias>.
      PR 53048. [Stefan Fritsch]
 

Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_io.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_io.c?rev=1328325&r1=1328324&r2=1328325&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_io.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_io.c Fri Apr 20 11:21:12 2012
@@ -813,12 +813,12 @@ static apr_status_t ssl_filter_write(ap_
 /* Just use a simple request.  Any request will work for this, because
  * we use a flag in the conn_rec->conn_vector now.  The fake request just
  * gets the request back to the Apache core so that a response can be sent.
- *
- * To avoid calling back for more data from the socket, use an HTTP/0.9
- * request, and tack on an EOS bucket.
+ * Since we use an HTTP/1.x request, we also have to inject the empty line
+ * that terminates the headers, or the core will read more data from the
+ * socket.
  */
 #define HTTP_ON_HTTPS_PORT \
-    "GET /" CRLF
+    "GET / HTTP/1.0" CRLF
 
 #define HTTP_ON_HTTPS_PORT_BUCKET(alloc) \
     apr_bucket_immortal_create(HTTP_ON_HTTPS_PORT, \
@@ -848,6 +848,7 @@ static apr_status_t ssl_io_filter_error(
 {
     SSLConnRec *sslconn = myConnConfig(f->c);
     apr_bucket *bucket;
+    int send_eos = 1;
 
     switch (status) {
     case MODSSL_ERROR_HTTP_ON_HTTPS:
@@ -857,11 +858,12 @@ static apr_status_t ssl_io_filter_error(
                          "trying to send HTML error page");
             ssl_log_ssl_error(SSLLOG_MARK, APLOG_INFO, sslconn->server);
 
-            sslconn->non_ssl_request = 1;
+            sslconn->non_ssl_request = NON_SSL_SEND_HDR_SEP;
             ssl_io_filter_disable(sslconn, f);
 
             /* fake the request line */
             bucket = HTTP_ON_HTTPS_PORT_BUCKET(f->c->bucket_alloc);
+            send_eos = 0;
             break;
 
     case MODSSL_ERROR_BAD_GATEWAY:
@@ -877,9 +879,10 @@ static apr_status_t ssl_io_filter_error(
     }
 
     APR_BRIGADE_INSERT_TAIL(bb, bucket);
-    bucket = apr_bucket_eos_create(f->c->bucket_alloc);
-    APR_BRIGADE_INSERT_TAIL(bb, bucket);
-
+    if (send_eos) {
+        bucket = apr_bucket_eos_create(f->c->bucket_alloc);
+        APR_BRIGADE_INSERT_TAIL(bb, bucket);
+    }
     return APR_SUCCESS;
 }
 
@@ -1282,6 +1285,13 @@ static apr_status_t ssl_io_filter_input(
     }
 
     if (!inctx->ssl) {
+        SSLConnRec *sslconn = myConnConfig(f->c);
+        if (sslconn->non_ssl_request == NON_SSL_SEND_HDR_SEP) {
+            apr_bucket *bucket = apr_bucket_immortal_create(CRLF, 2, f->c->bucket_alloc);
+            APR_BRIGADE_INSERT_TAIL(bb, bucket);
+            sslconn->non_ssl_request = NON_SSL_SET_ERROR_MSG;
+            return APR_SUCCESS;
+        }
         return ap_get_brigade(f->next, bb, mode, block, readbytes);
     }
 

Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c?rev=1328325&r1=1328324&r2=1328325&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c Fri Apr 20 11:21:12 2012
@@ -140,7 +140,7 @@ int ssl_hook_ReadReq(request_rec *r)
         return DECLINED;
     }
 
-    if (sslconn->non_ssl_request) {
+    if (sslconn->non_ssl_request == NON_SSL_SET_ERROR_MSG) {
         const char *errmsg;
         char *thisurl;
         char *thisport = "";
@@ -169,8 +169,7 @@ int ssl_hook_ReadReq(request_rec *r)
         /* Now that we have caught this error, forget it. we are done
          * with using SSL on this request.
          */
-        sslconn->non_ssl_request = 0;
-
+        sslconn->non_ssl_request = NON_SSL_OK;
 
         return HTTP_BAD_REQUEST;
     }

Modified: httpd/httpd/trunk/modules/ssl/ssl_private.h
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_private.h?rev=1328325&r1=1328324&r2=1328325&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_private.h (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_private.h Fri Apr 20 11:21:12 2012
@@ -454,7 +454,11 @@ typedef struct {
     int verify_depth;
     int is_proxy;
     int disabled;
-    int non_ssl_request;
+    enum {
+        NON_SSL_OK = 0,        /* is SSL request, or error handling completed */
+        NON_SSL_SEND_HDR_SEP,  /* Need to send the header separator */
+        NON_SSL_SET_ERROR_MSG  /* Need to set the error message */
+    } non_ssl_request;
 
     /* Track the handshake/renegotiation state for the connection so
      * that all client-initiated renegotiations can be rejected, as a



Mime
View raw message