httpd-cvs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From wr...@apache.org
Subject svn commit: r1768036 - in /httpd/httpd/branches/2.4.x-merge-http-strict: ./ CHANGES include/ap_mmn.h include/http_core.h include/httpd.h modules/http/http_filters.c server/core.c server/protocol.c server/util.c server/vhost.c
Date Fri, 04 Nov 2016 14:20:16 GMT
Author: wrowe
Date: Fri Nov  4 14:20:16 2016
New Revision: 1768036

URL: http://svn.apache.org/viewvc?rev=1768036&view=rev
Log:
Add an option to enforce stricter HTTP conformance

This is a first stab, the checks will likely have to be revised.
For now, we check

 * if the request line contains control characters
 * if the request uri has fragment or username/password
 * that the request method is standard or registered with RegisterHttpMethod
 * that the request protocol is of the form HTTP/[1-9]+.[0-9]+,
   or missing for 0.9
 * if there is garbage in the request line after the protocol
 * if any request header contains control characters
 * if any request header has an empty name
 * for the host name in the URL or Host header:
   - if an IPv4 dotted decimal address: Reject octal or hex values, require
     exactly four parts
   - if a DNS host name: Reject non-alphanumeric characters besides '.' and
     '-'. As a side effect, this rejects multiple Host headers.
 * if any response header contains control characters
 * if any response header has an empty name
 * that the Location response header (if present) has a valid scheme and is
   absolute

If we have a host name both from the URL and the Host header, we replace the
Host header with the value from the URL to enforce RFC conformance.

There is a log-only mode, but the loglevels of the logged messages need some
thought/work. Currently, the  checks for incoming data log for 'core' and the
checks for outgoing data log for 'http'. Maybe we need a way to configure the
loglevels separately from the core/http loglevels.

change protocol number parsing in strict mode according to HTTPbis draft
- only accept single digit version components
- don't accept white-space after protocol specification

Clean up comment, fix log tags.
Submitted by: sf
Backports: r1426877, r1426879, r1426988, r1426992


Modified:
    httpd/httpd/branches/2.4.x-merge-http-strict/   (props changed)
    httpd/httpd/branches/2.4.x-merge-http-strict/CHANGES
    httpd/httpd/branches/2.4.x-merge-http-strict/include/ap_mmn.h
    httpd/httpd/branches/2.4.x-merge-http-strict/include/http_core.h
    httpd/httpd/branches/2.4.x-merge-http-strict/include/httpd.h
    httpd/httpd/branches/2.4.x-merge-http-strict/modules/http/http_filters.c
    httpd/httpd/branches/2.4.x-merge-http-strict/server/core.c
    httpd/httpd/branches/2.4.x-merge-http-strict/server/protocol.c
    httpd/httpd/branches/2.4.x-merge-http-strict/server/util.c
    httpd/httpd/branches/2.4.x-merge-http-strict/server/vhost.c

Propchange: httpd/httpd/branches/2.4.x-merge-http-strict/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Fri Nov  4 14:20:16 2016
@@ -2,4 +2,4 @@
 /httpd/httpd/branches/2.4.17-protocols-http2:1701609-1705681
 /httpd/httpd/branches/revert-ap-ldap:1150158-1150173
 /httpd/httpd/branches/wombat-integration:723609-723841
-/httpd/httpd/trunk:1200475,1200478,1200482,1200491,1200496,1200513,1200550,1200556,1200580,1200605,1200612,1200614,1200639,1200646,1200656,1200667,1200679,1200699,1200702,1200955,1200957,1200961,1200963,1200968,1200975,1200977,1201032,1201042,1201111,1201194,1201198,1201202,1201443,1201450,1201460,1201956,1202236,1202453,1202456,1202886,1203400,1203491,1203632,1203714,1203859,1203980,1204630,1204968,1204990,1205061,1205075,1205379,1205885,1206291,1206472,1206587,1206850,1206940,1206978,1207719,1208753,1208835,1209053,1209085,1209417,1209432,1209461,1209601,1209603,1209618,1209623,1209741,1209754,1209766,1209776,1209797-1209798,1209811-1209812,1209814,1209908,1209910,1209913,1209916-1209917,1209947,1209952,1210067,1210080,1210120,1210124,1210130,1210148,1210219,1210221,1210252,1210284,1210336,1210378,1210725,1210892,1210951,1210954,1211351-1211352,1211364,1211490,1211495,1211528,1211663,1211680,1212872,1212883,1213338,1213380-1213381,1213391,1213399,1213567,1214003,1214005,1214015,12
 15514,1220462,1220467,1220493,1220524,1220570,1220768,1220794,1220826,1220846,1221205,1221292,1222335,1222370,1222473,1222915,1222917,1222921,1222930,1223048,1225060,1225197-1225199,1225223,1225380,1225476,1225478,1225791,1225795-1225796,1226339,1226375,1227910,1228700,1228816,1229024,1229059,1229099,1229116,1229134,1229136,1229930,1230286,1231255,1231257,1231442,1231446,1231508,1231510,1231518,1232575,1232594,1232630,1232838,1234180,1234297,1234479,1234511,1234565,1234574,1234642-1234643,1234876,1234899,1235019,1236122,1236701,1237407,1238545,1238768,1239029-1239030,1239071,1239565,1240315,1240470,1240778,1241069,1241071,1242089,1242798,1242967,1243176,1243246,1243797,1243799,1244211,1245717,1290823,1290835,1291819-1291820,1291834,1291840,1292043,1293405,1293534-1293535,1293658,1293678,1293708,1294306,1294349,1294356,1294358,1294372,1294471,1297560,1299718,1299786,1300766,1301111,1301725,1302444,1302483,1302653,1302665,1302674,1303201,1303435,1303827,1304087,1304874-1304875,1305167
 ,1305586,1306350,1306409,1306426,1306841,1307790,1308327,1308459,1309536,1309567,1311468,1324760,1325218,1325227,1325250,1325265,1325275,1325632,1325724,1326980,1326984,1326991,1327689,1328325-1328326,1328339,1328345,1328950,1330189,1330964,1331110,1331115,1331942,1331977,1332378,1333969,1334343,1335882,1337344,1341906,1341913,1343085,1343087,1343094,1343099,1343109,1343935,1345319,1345329,1346905,1347980,1348036,1348653,1348656,1348660,1349905,1351012-1351020,1351071-1351072,1351074,1351737,1352047,1352534,1352909-1352912,1357685,1358061,1359057,1359881,1359884,1361153,1361298,1361766,1361773,1361778,1361784,1361791-1361792,1361801,1361803,1362020,1362538,1362707,1363035,1363183,1363186,1363312,1363440,1363557,1363589,1363829,1363832,1363836-1363837,1363853,1364133,1364138,1364229,1364601,1364695,1365001,1365020,1365029,1365479,1366319,1366344,1366621,1367778,1367819,1368053,1368058,1368094,1368121,1368131,1368393,1368396,1369419,1369568,1369604,1369618,1369904,1369995,1369999,1370
 001,1370466,1370592,1370615-1370616,1370763,1371387,1371791,1371801,1371878,1371903,1373270,1373447,1373898,1373955,1374157,1374199,1374247,1374874,1374877,1374880,1375006,1375009,1375011,1375013,1375584,1376695,1376700,1378178,1383490,1384408,1384913,1386576,1386578,1386726,1386822,1386880,1386913,1387085,1387088,1387110,1387389,1387444,1387603,1387607,1387633,1387693,1387979,1388029,1388445,1388447,1388648,1388660,1388825,1388899,1389316,1389339,1389481,1389506,1389564,1389566-1389569,1390562,1390564,1391396,1391398,1391771,1392120,1392122,1392150,1392214,1392345-1392347,1392850,1393033,1393058,1393152,1393338,1393564,1394079,1395225,1395253-1395256,1395792,1396440,1397172,1397320,1397636,1397687,1397710,1397716,1398025,1398040,1398066,1398478,1398480-1398481,1398970,1399413,1399687,1399708,1400700,1401448,1402924,1403476,1403483,1403492,1404653,1405407,1405856,1405973,1406068,1406493,1406495,1406616,1406646,1406719,1406760,1407004,1407006,1407085,1407088,1407248,1407381,1407459-1
 407460,1407528,1407599,1407643,1407853,1407965,1408093,1408402,1408958,1408961,1409170,1409437,1409726,1409800,1410681,1410954,1411862,1412278,1413732,1414094,1415008,1415023,1415075,1416121,1416150,1416278,1417197,1417440,1417529,1418524,1418556,1418648,1418655,1418703,1418721,1418752,1418769,1419084,1419719,1419726,1419755,1419781,1419796,1420120,1420124,1420149,1420184,1420644,1420685-1420686,1420975,1421288,1421323,1421851,1421912,1421953,1422135,1422549,1422594,1422712,1422855,1422937,1422943,1422980,1423353,1423933,1425360,1425366,1425771-1425772,1425775,1425777,1425874,1426827,1426850,1426975,1427546,1428184,1428280,1428916,1429228,1429559,1429561,1429564,1429582,1430575,1430814,1430869,1433001,1433613,1433682,1433861,1433988,1435178,1435811,1436058,1436401,1439083,1439106,1439114,1439404,1439623,1442309,1442320,1442326,1442412,1442759,1442865,1447993,1448171,1448453,1451478,1451484,1451633,1451849,1451905,1451921,1452128,1452195,1452259,1452281,1452551,1452911,1452949,145295
 4,1453022,1453574,1453604,1453875-1453876,1453963,1453981,1454386,1454414-1454415,1454888,1457437,1457450,1457471,1457504,1457520-1457521,1457610,1457995,1458003-1458004,1458020,1458285,1458447,1458456,1462266,1462269,1462643,1463044-1463047,1463052,1463056,1463455,1463736,1463750,1463754,1464675,1464721,1464762,1465115-1465116,1465190,1467765,1468581,1470183,1470679,1470940,1471449,1475878,1476604,1476621,1476642,1476644-1476645,1476652,1476680,1477094,1477530,1478382,1478748,1479117,1479216,1479222,1479411,1479528,1479905,1479966,1480046,1480627,1481197,1481302,1481306,1481396-1481397,1481891,1482041,1482075,1482170,1482555,1482859,1482996,1483005,1483027,1483190,1484343,1484398,1484832,1484910,1484914,1485409,1485668,1486490,1487528,1487530,1488158,1488164,1488296,1488471,1488492,1488644,1490493,1490507,1490550,1490761,1490994,1491155,1491221,1491234,1491458,1491479,1491538,1491564,1491724,1492663,1492710,1492782,1493330,1493921,1493925,1494536,1495501,1496194,1496338,1496429,149
 6709,1497371,1497588,1498880,1499679,1500323,1500345,1500362,1500423,1500437,1500483,1500519,1501294,1501369,1501399,1501913,1502665,1502772,1503680,1503866,1503990-1503991,1504276,1506474,1506714,1509872,1509983,1510084-1510085,1510098,1510588,1510707,1511093,1513492,1513508,1514039,1514064,1514214-1514215,1514255,1514267,1514617,1515050,1515162,1515403,1515411,1515420,1517025,1517045,1517175,1517366,1517386,1517388,1518265,1518269,1519475,1520368,1520445,1520760,1520908,1521909,1523235,1523239,1523281,1523387,1524101,1524158,1524192,1524368,1524388,1524770,1525276,1525280-1525281,1525931,1526168,1526189,1526647,1526666,1527008,1527220,1527291,1527294-1527295,1527509,1527925-1527926,1528143,1528718,1529014,1529277,1529449,1529559,1529988,1529991,1530793,1531340,1531370,1531505,1531672,1531961-1531962,1532746,1532816,1533065,1533224,1534321,1534754,1534890,1534892,1536310,1537535,1538490,1540051-1540052,1541181,1541270,1541368,1542338,1542379,1542533,1542562,1542615,1543020,1543147,
 1543149,1543174,1544381,1544774,1544784,1544812,1544820,1545286,1545292,1545325,1545364,1545408,1545411,1546692-1546693,1546730,1546759-1546760,1546801,1546804-1546805,1546835-1546836,1547845,1550061,1550302,1550307,1551685,1551714,1551802,1552130,1552227,1553204,1553824,1554161,1554168,1554170,1554175-1554176,1554179,1554181,1554184,1554188,1554192,1554195,1554276,1554281,1554300-1554301,1554994-1554995,1555240,1555259,1555266,1555423-1555424,1555463-1555464,1555467,1555555,1555569,1556206,1556428,1556911-1556912,1556914,1556937,1557317,1557617,1558483,1559351,1559828,1560367,1560546,1560679,1560689,1560729,1560977,1560979,1561137,1561262,1561385,1561660,1561923,1562472,1563193,1563379,1563381,1563417-1563418,1563420,1564052,1564437,1564475,1564756,1564760,1565081,1565711,1568404,1569615,1570288,1570598,1571369,1572092,1572198,1572543,1572561,1572611,1572630,1572655,1572663,1572668-1572671,1572896,1572905,1572911,1572967,1573224,1573229,1573626,1574151,1575400,1576233,1576741,15787
 60,1578762,1580568,1583005,1583007-1583008,1583027,1583175,1583191,1584098,1584430,1584434,1584572,1584653,1584658,1584665,1584703,1584878,1584884,1584896,1585054,1585072,1585090,1585435,1585609,1585824,1585918-1585919,1586745,1586827,1587036,1587040,1587053,1587255,1587594,1587607,1587639,1587654,1588054,1588065,1588213,1588330,1588427,1588519,1588527,1588704,1588851,1588853,1588868,1589413,1590437,1590509,1591143,1591320,1591322,1591328,1591390,1591394,1591401,1591472,1591508,1592032,1592037,1592500,1592511,1592514,1592529,1592615,1592632,1593745,1594625,1594643,1594648,1595305,1595321,1595426,1597182,1597349,1597352,1597639,1597642,1598107,1598946,1599535,1601076,1601184-1601185,1601274,1601291,1601624,1601630,1601919,1601995,1602338,1602978,1602989,1603027,1603029,1603122,1603156,1603915,1604382,1604461,1604631,1605207,1605827,1605829,1607960,1608284,1608785,1608999,1609914,1609936,1609938,1610207,1610311,1610353,1610366,1610491,1610652,1610674,1611165,1611169,1611244,1611600,16
 11871,1611978,1612068,1615026,1615289,1617018,1618401,1618541,1619297,1619383,1619444,1619483,1619835,1620324,1620461,1620932,1621367,1621372,1621417,1621453,1621806,1622450,1624234,1624349,1625196,1625952,1626050,1626978,1628104,1628918-1628919,1628924,1628950,1629235,1629239,1629244,1629250,1629372,1629440-1629441,1629485,1629507-1629508,1629519,1629577,1629652,1629916,1631885,1632454,1632740,1632742,1633730-1633731,1633793,1634120,1634237,1634425,1634736,1634836,1635510,1635558,1635644-1635645,1635762,1637112,1638072-1638073,1638879,1639614,1640031,1640036,1640040,1640042,1640331,1641077,1641095,1641376,1642099,1642484,1642499,1642847,1642868,1643034,1643284,1643537,1643825,1644245,1646282,1646724,1647035,1648201,1648394,1648433,1648719,1648840,1649001,1649043,1649632,1649966,1650047,1650061,1650309-1650310,1650320,1651088,1652829,1652929,1652931,1652955,1652982,1652985,1652989,1653941,1653978,1653997,1656225,1656669,1657256,1657261,1657636,1657638,1657685,1657881,1657897,1658760
 ,1658765,1661067,1661258,1661448,1661464,1661486,1662245-1662246,1663017,1663647,1664071,1664133,1664205,1664299,1664709,1665215,1665218,1665625,1665643,1665721,1666297,1666361,1666363,1666468,1666618,1666998,1667385-1667386,1668532,1668535,1668553,1669130,1669289,1669292,1670434,1671364,1671396-1671397,1671918,1672289,1672453,1672466,1672480,1672483,1672564,1672757,1672985,1672989,1673113,1673155,1673368,1673455,1673769,1674056,1674538,1674542,1674606,1674632,1674697,1675103,1675410,1675533,1676085,1676654,1676709,1676842,1677096,1677143-1677146,1677149,1677151,1677153-1677156,1677159,1677339,1677462,1677702,1677830,1677832,1677834-1677835,1678763,1679032,1679181-1679182,1679192,1679428,1679432,1679470,1679620,1679712,1680276,1680895,1680900,1680942,1681037,1681424,1681440,1681685,1681694,1681795,1682482,1682816,1682819,1682907,1682923,1682937,1682979,1682988,1683044,1683047,1683123,1683881,1683884,1684057,1684171,1684900,1685069,1685339,1685345,1685347,1685349-1685350,1685650,1685
 659,1685779,1686085,1686853,1686856,1687539,1687680,1687980,1688274,1688331,1688339-1688341,1688343,1688399,1688474-1688475,1688536,1688538,1688660,1689325,1689605,1689694,1689698,1690120,1690137,1690248,1691374,1691582,1691592,1691819,1691908,1692285,1692432,1692486,1692516,1693792,1693918-1693919,1693963,1694903,1694936,1694950-1694951,1695170,1695727,1695874,1695885,1695920,1696105,1696264,1696266,1696279,1696428,1696442,1696565,1696592,1696607,1696755,1696881,1697013,1697015,1697051,1697323,1697339,1697370,1697389,1697446,1697543,1697634,1697855,1698023,1698103,1698107,1698116,1698133,1698330,1700271,1700275,1700317-1700322,1700326,1700328,1700330-1700332,1700334,1700336,1700338,1700418,1700514,1700777,1700851,1700917,1700925,1700968,1701005,1701145,1701178,1701204,1701347,1701436,1701545,1701717,1702643,1702919,1703152,1703417,1703642,1703807,1703813,1703822,1703871,1703902,1703952,1704099,1704241,1704262,1704797,1704799,1704826,1705099,1705134,1705194,1705217,1705257,1705749,1
 705776,1705823,1705826,1705828,1705833,1705983,1706275,1706627,1706635,1706637,1706640,1706918,1706942,1706989,1707002,1707230-1707231,1707497,1707519,1707591,1707626-1707627,1707640,1707831,1707883,1707889,1708107,1709008,1709587,1709596,1709602,1709995,1710095,1710105,1710231,1710380,1710391,1710419,1710572,1710583,1710723,1711479,1711553,1711648,1711728,1711902,1712382,1713040,1713209,1713937,1715023,1715255,1715273,1715567-1715568,1715570-1715572,1715576,1715581-1715585,1715886,1716211,1716388,1716460,1716487,1716660,1716940,1717063,1717086,1717639,1717816,1717934,1717958,1717975,1717985,1718314,1718338,1718400,1718514,1718556,1718569,1718598,1719016,1719018,1719189-1719190,1719252,1719254-1719255,1719257,1719967,1720129,1720996,1721313,1721685,1721899,1722137,1722154,1722177,1722195,1722229,1722320,1722328,1722334,1722350-1722351,1722358,1722377,1722572,1722701,1723122,1723143,1723284,1723295,1723567,1723953,1724847,1724857,1724879,1724992-1724993,1724995,1725018,1725031,172509
 0,1725120,1725149,1725325,1725328,1725387,1725392,1725394-1725395,1725445,1725468,1725485,1725489,1725498-1725499,1725516,1725523,1725545,1725567,1725581,1725602,1725822,1725940,1725967,1726009,1726026,1726038,1726049,1726051-1726052,1726055,1726086,1726167,1726233,1726798,1726881,1726888,1727071,1727111,1727317,1727544,1727573,1727603,1727842,1728326,1728804,1729208,1729374,1729376,1729826,1729847,1729929-1729931,1729960,1730297,1730640,1730723,1730865,1731929,1732228,1732252,1732353,1732369,1732716,1732954,1732986,1733056,1733064,1733068,1733088-1733089,1733275,1733523,1733537,1733691,1734006,1734125,1734239,1734294,1734412,1734561,1734807,1734817,1734947,1734955,1734989,1735088,1735159,1735337,1735608-1735609,1735611,1735668,1735786,1735931,1735935,1735942,1735952,1736156,1736243,1736250,1736463,1736681,1736686,1737006,1737014,1737020-1737021,1737102,1737114,1737125,1737254,1737256,1737265,1737447,1737449,1737451,1737476,1738217,1738331,1738333,1738563,1739008,1739146,1739151,173
 9193,1739303,1739312,1739738,1739932,1740075,1740084,1740108,1740110,1740155,1740735,1741045,1741065,1741112,1741115,1741268,1741310,1741392,1741414,1741446,1741461,1741557,1741564,1741596,1741621,1741648,1741934,1742005,1742135,1742260,1742359,1742444-1742447,1742460,1742791-1742792,1743335,1743517,1743699,1743788,1743816,1744203-1744204,1744206,1744283,1744415,1744421,1744458-1744459,1744712,1744751,1744767,1744778,1744980,1745034,1745175,1745767,1745835,1746207,1746647,1746988,1747170,1747531,1747550,1747735,1747808,1747810,1747946,1748047,1748155,1748368,1748448,1748531,1748653,1748888,1749151,1749401,1749404,1749505,1749658-1749659,1749676,1749678,1749695,1749924-1749925,1750043,1750218,1750335,1750392,1750407,1750412,1750416,1750420,1750474,1750494,1750507-1750508,1750553,1750567,1750750,1750779,1750854-1750855,1750947,1750955,1750960,1751970,1752087,1752096,1752145,1752347,1752415,1753167,1753224,1753228-1753229,1753257,1753315-1753316,1753498,1753541,1753592,1753594,1753777,
 1754129,1754391,1754399,1754414,1754534,1755323,1756038,1756611,1756844,1756846,1756852-1756853,1757010-1757011,1757524,1757534,1757540,1757662-1757663,1757985,1758003,1758083,1758307-1758311,1758446,1758558,1759984,1760018,1761434,1761477,1761479,1761548,1762517,1762703,1763158,1763246,1763613,1764005,1764040,1764236,1764243,1764255,1765318,1765328,1765357,1765420,1766097,1766129,1766308,1766424,1766691,1766851,1766857,1767128,1767180-1767181,1767553,1767564,1767803
+/httpd/httpd/trunk:1200475,1200478,1200482,1200491,1200496,1200513,1200550,1200556,1200580,1200605,1200612,1200614,1200639,1200646,1200656,1200667,1200679,1200699,1200702,1200955,1200957,1200961,1200963,1200968,1200975,1200977,1201032,1201042,1201111,1201194,1201198,1201202,1201443,1201450,1201460,1201956,1202236,1202453,1202456,1202886,1203400,1203491,1203632,1203714,1203859,1203980,1204630,1204968,1204990,1205061,1205075,1205379,1205885,1206291,1206472,1206587,1206850,1206940,1206978,1207719,1208753,1208835,1209053,1209085,1209417,1209432,1209461,1209601,1209603,1209618,1209623,1209741,1209754,1209766,1209776,1209797-1209798,1209811-1209812,1209814,1209908,1209910,1209913,1209916-1209917,1209947,1209952,1210067,1210080,1210120,1210124,1210130,1210148,1210219,1210221,1210252,1210284,1210336,1210378,1210725,1210892,1210951,1210954,1211351-1211352,1211364,1211490,1211495,1211528,1211663,1211680,1212872,1212883,1213338,1213380-1213381,1213391,1213399,1213567,1214003,1214005,1214015,12
 15514,1220462,1220467,1220493,1220524,1220570,1220768,1220794,1220826,1220846,1221205,1221292,1222335,1222370,1222473,1222915,1222917,1222921,1222930,1223048,1225060,1225197-1225199,1225223,1225380,1225476,1225478,1225791,1225795-1225796,1226339,1226375,1227910,1228700,1228816,1229024,1229059,1229099,1229116,1229134,1229136,1229930,1230286,1231255,1231257,1231442,1231446,1231508,1231510,1231518,1232575,1232594,1232630,1232838,1234180,1234297,1234479,1234511,1234565,1234574,1234642-1234643,1234876,1234899,1235019,1236122,1236701,1237407,1238545,1238768,1239029-1239030,1239071,1239565,1240315,1240470,1240778,1241069,1241071,1242089,1242798,1242967,1243176,1243246,1243797,1243799,1244211,1245717,1290823,1290835,1291819-1291820,1291834,1291840,1292043,1293405,1293534-1293535,1293658,1293678,1293708,1294306,1294349,1294356,1294358,1294372,1294471,1297560,1299718,1299786,1300766,1301111,1301725,1302444,1302483,1302653,1302665,1302674,1303201,1303435,1303827,1304087,1304874-1304875,1305167
 ,1305586,1306350,1306409,1306426,1306841,1307790,1308327,1308459,1309536,1309567,1311468,1324760,1325218,1325227,1325250,1325265,1325275,1325632,1325724,1326980,1326984,1326991,1327689,1328325-1328326,1328339,1328345,1328950,1330189,1330964,1331110,1331115,1331942,1331977,1332378,1333969,1334343,1335882,1337344,1341906,1341913,1343085,1343087,1343094,1343099,1343109,1343935,1345319,1345329,1346905,1347980,1348036,1348653,1348656,1348660,1349905,1351012-1351020,1351071-1351072,1351074,1351737,1352047,1352534,1352909-1352912,1357685,1358061,1359057,1359881,1359884,1361153,1361298,1361766,1361773,1361778,1361784,1361791-1361792,1361801,1361803,1362020,1362538,1362707,1363035,1363183,1363186,1363312,1363440,1363557,1363589,1363829,1363832,1363836-1363837,1363853,1364133,1364138,1364229,1364601,1364695,1365001,1365020,1365029,1365479,1366319,1366344,1366621,1367778,1367819,1368053,1368058,1368094,1368121,1368131,1368393,1368396,1369419,1369568,1369604,1369618,1369904,1369995,1369999,1370
 001,1370466,1370592,1370615-1370616,1370763,1371387,1371791,1371801,1371878,1371903,1373270,1373447,1373898,1373955,1374157,1374199,1374247,1374874,1374877,1374880,1375006,1375009,1375011,1375013,1375584,1376695,1376700,1378178,1383490,1384408,1384913,1386576,1386578,1386726,1386822,1386880,1386913,1387085,1387088,1387110,1387389,1387444,1387603,1387607,1387633,1387693,1387979,1388029,1388445,1388447,1388648,1388660,1388825,1388899,1389316,1389339,1389481,1389506,1389564,1389566-1389569,1390562,1390564,1391396,1391398,1391771,1392120,1392122,1392150,1392214,1392345-1392347,1392850,1393033,1393058,1393152,1393338,1393564,1394079,1395225,1395253-1395256,1395792,1396440,1397172,1397320,1397636,1397687,1397710,1397716,1398025,1398040,1398066,1398478,1398480-1398481,1398970,1399413,1399687,1399708,1400700,1401448,1402924,1403476,1403483,1403492,1404653,1405407,1405856,1405973,1406068,1406493,1406495,1406616,1406646,1406719,1406760,1407004,1407006,1407085,1407088,1407248,1407381,1407459-1
 407460,1407528,1407599,1407643,1407853,1407965,1408093,1408402,1408958,1408961,1409170,1409437,1409726,1409800,1410681,1410954,1411862,1412278,1413732,1414094,1415008,1415023,1415075,1416121,1416150,1416278,1417197,1417440,1417529,1418524,1418556,1418648,1418655,1418703,1418721,1418752,1418769,1419084,1419719,1419726,1419755,1419781,1419796,1420120,1420124,1420149,1420184,1420644,1420685-1420686,1420975,1421288,1421323,1421851,1421912,1421953,1422135,1422549,1422594,1422712,1422855,1422937,1422943,1422980,1423353,1423933,1425360,1425366,1425771-1425772,1425775,1425777,1425874,1426827,1426850,1426877,1426879,1426975,1426988,1426992,1427546,1428184,1428280,1428916,1429228,1429559,1429561,1429564,1429582,1430575,1430814,1430869,1433001,1433613,1433682,1433861,1433988,1435178,1435811,1436058,1436401,1439083,1439106,1439114,1439404,1439623,1442309,1442320,1442326,1442412,1442759,1442865,1447993,1448171,1448453,1451478,1451484,1451633,1451849,1451905,1451921,1452128,1452195,1452259,145228
 1,1452551,1452911,1452949,1452954,1453022,1453574,1453604,1453875-1453876,1453963,1453981,1454386,1454414-1454415,1454888,1457437,1457450,1457471,1457504,1457520-1457521,1457610,1457995,1458003-1458004,1458020,1458285,1458447,1458456,1462266,1462269,1462643,1463044-1463047,1463052,1463056,1463455,1463736,1463750,1463754,1464675,1464721,1464762,1465115-1465116,1465190,1467765,1468581,1470183,1470679,1470940,1471449,1475878,1476604,1476621,1476642,1476644-1476645,1476652,1476680,1477094,1477530,1478382,1478748,1479117,1479216,1479222,1479411,1479528,1479905,1479966,1480046,1480627,1481197,1481302,1481306,1481396-1481397,1481891,1482041,1482075,1482170,1482555,1482859,1482996,1483005,1483027,1483190,1484343,1484398,1484832,1484910,1484914,1485409,1485668,1486490,1487528,1487530,1488158,1488164,1488296,1488471,1488492,1488644,1490493,1490507,1490550,1490761,1490994,1491155,1491221,1491234,1491458,1491479,1491538,1491564,1491724,1492663,1492710,1492782,1493330,1493921,1493925,1494536,149
 5501,1496194,1496338,1496429,1496709,1497371,1497588,1498880,1499679,1500323,1500345,1500362,1500423,1500437,1500483,1500519,1501294,1501369,1501399,1501913,1502665,1502772,1503680,1503866,1503990-1503991,1504276,1506474,1506714,1509872,1509983,1510084-1510085,1510098,1510588,1510707,1511093,1513492,1513508,1514039,1514064,1514214-1514215,1514255,1514267,1514617,1515050,1515162,1515403,1515411,1515420,1517025,1517045,1517175,1517366,1517386,1517388,1518265,1518269,1519475,1520368,1520445,1520760,1520908,1521909,1523235,1523239,1523281,1523387,1524101,1524158,1524192,1524368,1524388,1524770,1525276,1525280-1525281,1525931,1526168,1526189,1526647,1526666,1527008,1527220,1527291,1527294-1527295,1527509,1527925-1527926,1528143,1528718,1529014,1529277,1529449,1529559,1529988,1529991,1530793,1531340,1531370,1531505,1531672,1531961-1531962,1532746,1532816,1533065,1533224,1534321,1534754,1534890,1534892,1536310,1537535,1538490,1540051-1540052,1541181,1541270,1541368,1542338,1542379,1542533,
 1542562,1542615,1543020,1543147,1543149,1543174,1544381,1544774,1544784,1544812,1544820,1545286,1545292,1545325,1545364,1545408,1545411,1546692-1546693,1546730,1546759-1546760,1546801,1546804-1546805,1546835-1546836,1547845,1550061,1550302,1550307,1551685,1551714,1551802,1552130,1552227,1553204,1553824,1554161,1554168,1554170,1554175-1554176,1554179,1554181,1554184,1554188,1554192,1554195,1554276,1554281,1554300-1554301,1554994-1554995,1555240,1555259,1555266,1555423-1555424,1555463-1555464,1555467,1555555,1555569,1556206,1556428,1556911-1556912,1556914,1556937,1557317,1557617,1558483,1559351,1559828,1560367,1560546,1560679,1560689,1560729,1560977,1560979,1561137,1561262,1561385,1561660,1561923,1562472,1563193,1563379,1563381,1563417-1563418,1563420,1564052,1564437,1564475,1564756,1564760,1565081,1565711,1568404,1569615,1570288,1570598,1571369,1572092,1572198,1572543,1572561,1572611,1572630,1572655,1572663,1572668-1572671,1572896,1572905,1572911,1572967,1573224,1573229,1573626,15741
 51,1575400,1576233,1576741,1578760,1578762,1580568,1583005,1583007-1583008,1583027,1583175,1583191,1584098,1584430,1584434,1584572,1584653,1584658,1584665,1584703,1584878,1584884,1584896,1585054,1585072,1585090,1585435,1585609,1585824,1585918-1585919,1586745,1586827,1587036,1587040,1587053,1587255,1587594,1587607,1587639,1587654,1588054,1588065,1588213,1588330,1588427,1588519,1588527,1588704,1588851,1588853,1588868,1589413,1590437,1590509,1591143,1591320,1591322,1591328,1591390,1591394,1591401,1591472,1591508,1592032,1592037,1592500,1592511,1592514,1592529,1592615,1592632,1593745,1594625,1594643,1594648,1595305,1595321,1595426,1597182,1597349,1597352,1597639,1597642,1598107,1598946,1599535,1601076,1601184-1601185,1601274,1601291,1601624,1601630,1601919,1601995,1602338,1602978,1602989,1603027,1603029,1603122,1603156,1603915,1604382,1604461,1604631,1605207,1605827,1605829,1607960,1608284,1608785,1608999,1609914,1609936,1609938,1610207,1610311,1610353,1610366,1610491,1610652,1610674,16
 11165,1611169,1611244,1611600,1611871,1611978,1612068,1615026,1615289,1617018,1618401,1618541,1619297,1619383,1619444,1619483,1619835,1620324,1620461,1620932,1621367,1621372,1621417,1621453,1621806,1622450,1624234,1624349,1625196,1625952,1626050,1626978,1628104,1628918-1628919,1628924,1628950,1629235,1629239,1629244,1629250,1629372,1629440-1629441,1629485,1629507-1629508,1629519,1629577,1629652,1629916,1631885,1632454,1632740,1632742,1633730-1633731,1633793,1634120,1634237,1634425,1634736,1634836,1635510,1635558,1635644-1635645,1635762,1637112,1638072-1638073,1638879,1639614,1640031,1640036,1640040,1640042,1640331,1641077,1641095,1641376,1642099,1642484,1642499,1642847,1642868,1643034,1643284,1643537,1643825,1644245,1646282,1646724,1647035,1648201,1648394,1648433,1648719,1648840,1649001,1649043,1649632,1649966,1650047,1650061,1650309-1650310,1650320,1651088,1652829,1652929,1652931,1652955,1652982,1652985,1652989,1653941,1653978,1653997,1656225,1656669,1657256,1657261,1657636,1657638
 ,1657685,1657881,1657897,1658760,1658765,1661067,1661258,1661448,1661464,1661486,1662245-1662246,1663017,1663647,1664071,1664133,1664205,1664299,1664709,1665215,1665218,1665625,1665643,1665721,1666297,1666361,1666363,1666468,1666618,1666998,1667385-1667386,1668532,1668535,1668553,1669130,1669289,1669292,1670434,1671364,1671396-1671397,1671918,1672289,1672453,1672466,1672480,1672483,1672564,1672757,1672985,1672989,1673113,1673155,1673368,1673455,1673769,1674056,1674538,1674542,1674606,1674632,1674697,1675103,1675410,1675533,1676085,1676654,1676709,1676842,1677096,1677143-1677146,1677149,1677151,1677153-1677156,1677159,1677339,1677462,1677702,1677830,1677832,1677834-1677835,1678763,1679032,1679181-1679182,1679192,1679428,1679432,1679470,1679620,1679712,1680276,1680895,1680900,1680942,1681037,1681424,1681440,1681685,1681694,1681795,1682482,1682816,1682819,1682907,1682923,1682937,1682979,1682988,1683044,1683047,1683123,1683881,1683884,1684057,1684171,1684900,1685069,1685339,1685345,1685
 347,1685349-1685350,1685650,1685659,1685779,1686085,1686853,1686856,1687539,1687680,1687980,1688274,1688331,1688339-1688341,1688343,1688399,1688474-1688475,1688536,1688538,1688660,1689325,1689605,1689694,1689698,1690120,1690137,1690248,1691374,1691582,1691592,1691819,1691908,1692285,1692432,1692486,1692516,1693792,1693918-1693919,1693963,1694903,1694936,1694950-1694951,1695170,1695727,1695874,1695885,1695920,1696105,1696264,1696266,1696279,1696428,1696442,1696565,1696592,1696607,1696755,1696881,1697013,1697015,1697051,1697323,1697339,1697370,1697389,1697446,1697543,1697634,1697855,1698023,1698103,1698107,1698116,1698133,1698330,1700271,1700275,1700317-1700322,1700326,1700328,1700330-1700332,1700334,1700336,1700338,1700418,1700514,1700777,1700851,1700917,1700925,1700968,1701005,1701145,1701178,1701204,1701347,1701436,1701545,1701717,1702643,1702919,1703152,1703417,1703642,1703807,1703813,1703822,1703871,1703902,1703952,1704099,1704241,1704262,1704797,1704799,1704826,1705099,1705134,1
 705194,1705217,1705257,1705749,1705776,1705823,1705826,1705828,1705833,1705983,1706275,1706627,1706635,1706637,1706640,1706918,1706942,1706989,1707002,1707230-1707231,1707497,1707519,1707591,1707626-1707627,1707640,1707831,1707883,1707889,1708107,1709008,1709587,1709596,1709602,1709995,1710095,1710105,1710231,1710380,1710391,1710419,1710572,1710583,1710723,1711479,1711553,1711648,1711728,1711902,1712382,1713040,1713209,1713937,1715023,1715255,1715273,1715567-1715568,1715570-1715572,1715576,1715581-1715585,1715886,1716211,1716388,1716460,1716487,1716660,1716940,1717063,1717086,1717639,1717816,1717934,1717958,1717975,1717985,1718314,1718338,1718400,1718514,1718556,1718569,1718598,1719016,1719018,1719189-1719190,1719252,1719254-1719255,1719257,1719967,1720129,1720996,1721313,1721685,1721899,1722137,1722154,1722177,1722195,1722229,1722320,1722328,1722334,1722350-1722351,1722358,1722377,1722572,1722701,1723122,1723143,1723284,1723295,1723567,1723953,1724847,1724857,1724879,1724992-172499
 3,1724995,1725018,1725031,1725090,1725120,1725149,1725325,1725328,1725387,1725392,1725394-1725395,1725445,1725468,1725485,1725489,1725498-1725499,1725516,1725523,1725545,1725567,1725581,1725602,1725822,1725940,1725967,1726009,1726026,1726038,1726049,1726051-1726052,1726055,1726086,1726167,1726233,1726798,1726881,1726888,1727071,1727111,1727317,1727544,1727573,1727603,1727842,1728326,1728804,1729208,1729374,1729376,1729826,1729847,1729929-1729931,1729960,1730297,1730640,1730723,1730865,1731929,1732228,1732252,1732353,1732369,1732716,1732954,1732986,1733056,1733064,1733068,1733088-1733089,1733275,1733523,1733537,1733691,1734006,1734125,1734239,1734294,1734412,1734561,1734807,1734817,1734947,1734955,1734989,1735088,1735159,1735337,1735608-1735609,1735611,1735668,1735786,1735931,1735935,1735942,1735952,1736156,1736243,1736250,1736463,1736681,1736686,1737006,1737014,1737020-1737021,1737102,1737114,1737125,1737254,1737256,1737265,1737447,1737449,1737451,1737476,1738217,1738331,1738333,173
 8563,1739008,1739146,1739151,1739193,1739303,1739312,1739738,1739932,1740075,1740084,1740108,1740110,1740155,1740735,1741045,1741065,1741112,1741115,1741268,1741310,1741392,1741414,1741446,1741461,1741557,1741564,1741596,1741621,1741648,1741934,1742005,1742135,1742260,1742359,1742444-1742447,1742460,1742791-1742792,1743335,1743517,1743699,1743788,1743816,1744203-1744204,1744206,1744283,1744415,1744421,1744458-1744459,1744712,1744751,1744767,1744778,1744980,1745034,1745175,1745767,1745835,1746207,1746647,1746988,1747170,1747531,1747550,1747735,1747808,1747810,1747946,1748047,1748155,1748368,1748448,1748531,1748653,1748888,1749151,1749401,1749404,1749505,1749658-1749659,1749676,1749678,1749695,1749924-1749925,1750043,1750218,1750335,1750392,1750407,1750412,1750416,1750420,1750474,1750494,1750507-1750508,1750553,1750567,1750750,1750779,1750854-1750855,1750947,1750955,1750960,1751970,1752087,1752096,1752145,1752347,1752415,1753167,1753224,1753228-1753229,1753257,1753315-1753316,1753498,
 1753541,1753592,1753594,1753777,1754129,1754391,1754399,1754414,1754534,1755323,1756038,1756611,1756844,1756846,1756852-1756853,1757010-1757011,1757524,1757534,1757540,1757662-1757663,1757985,1758003,1758083,1758307-1758311,1758446,1758558,1759984,1760018,1761434,1761477,1761479,1761548,1762517,1762703,1763158,1763246,1763613,1764005,1764040,1764236,1764243,1764255,1765318,1765328,1765357,1765420,1766097,1766129,1766308,1766424,1766691,1766851,1766857,1767128,1767180-1767181,1767553,1767564,1767803

Modified: httpd/httpd/branches/2.4.x-merge-http-strict/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x-merge-http-strict/CHANGES?rev=1768036&r1=1768035&r2=1768036&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x-merge-http-strict/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.4.x-merge-http-strict/CHANGES [utf-8] Fri Nov  4 14:20:16 2016
@@ -2,6 +2,9 @@
 
 Changes with Apache 2.4.24
 
+  *) core, http: Extend HttpProtocol with an option to enforce stricter HTTP
+     conformance or to only log the found problems. [Stefan Fritsch]
+
   *) core: Correctly parse an IPv6 literal host specification in an absolute
      URL in the request line. [Stefan Fritsch]
 

Modified: httpd/httpd/branches/2.4.x-merge-http-strict/include/ap_mmn.h
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x-merge-http-strict/include/ap_mmn.h?rev=1768036&r1=1768035&r2=1768036&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x-merge-http-strict/include/ap_mmn.h (original)
+++ httpd/httpd/branches/2.4.x-merge-http-strict/include/ap_mmn.h Fri Nov  4 14:20:16 2016
@@ -488,6 +488,8 @@
  * 20120211.66 (2.4.24-dev) Rename ap_proxy_check_backend() to
  *                          ap_proxy_check_connection().
  * 20120211.67 (2.5.0-dev)  Add http09_enable to core_server_config
+ *                          Add http_conformance to core_server_config,
+ *                          add ap_has_cntrl()
  */
 
 #define MODULE_MAGIC_COOKIE 0x41503234UL /* "AP24" */

Modified: httpd/httpd/branches/2.4.x-merge-http-strict/include/http_core.h
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x-merge-http-strict/include/http_core.h?rev=1768036&r1=1768035&r2=1768036&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x-merge-http-strict/include/http_core.h (original)
+++ httpd/httpd/branches/2.4.x-merge-http-strict/include/http_core.h Fri Nov  4 14:20:16 2016
@@ -731,6 +731,11 @@ typedef struct {
 #define AP_HTTP09_DISABLE 2
     char http09_enable;
 
+#define AP_HTTP_CONFORMANCE_UNSET     0
+#define AP_HTTP_CONFORMANCE_LIBERAL   1
+#define AP_HTTP_CONFORMANCE_STRICT    2
+#define AP_HTTP_CONFORMANCE_LOGONLY   4
+    char http_conformance;
 } core_server_config;
 
 /* for AddOutputFiltersByType in core.c */

Modified: httpd/httpd/branches/2.4.x-merge-http-strict/include/httpd.h
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x-merge-http-strict/include/httpd.h?rev=1768036&r1=1768035&r2=1768036&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x-merge-http-strict/include/httpd.h (original)
+++ httpd/httpd/branches/2.4.x-merge-http-strict/include/httpd.h Fri Nov  4 14:20:16 2016
@@ -2317,6 +2317,15 @@ AP_DECLARE(char *) ap_get_exec_line(apr_
                                     const char *cmd,
                                     const char * const *argv);
 
+/**
+ * Check if string contains a control character
+ * @param str the string to check
+ * @param srclen length of the data
+ * @return 1 if yes, 0 if no control characters
+ */
+AP_DECLARE(int) ap_has_cntrl(const char *str)
+                AP_FN_ATTR_NONNULL_ALL;
+
 #define AP_NORESTART APR_OS_START_USEERR + 1
 
 /**

Modified: httpd/httpd/branches/2.4.x-merge-http-strict/modules/http/http_filters.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x-merge-http-strict/modules/http/http_filters.c?rev=1768036&r1=1768035&r2=1768036&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x-merge-http-strict/modules/http/http_filters.c (original)
+++ httpd/httpd/branches/2.4.x-merge-http-strict/modules/http/http_filters.c Fri Nov  4 14:20:16 2016
@@ -668,14 +668,91 @@ apr_status_t ap_http_filter(ap_filter_t
     return APR_SUCCESS;
 }
 
+struct check_header_ctx {
+    request_rec *r;
+    int error;
+};
+
+/* check a single header, to be used with apr_table_do() */
+static int check_header(void *arg, const char *name, const char *val)
+{
+    struct check_header_ctx *ctx = arg;
+    if (name[0] == '\0') {
+        ctx->error = 1;
+        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, ctx->r, APLOGNO(02428)
+                      "Empty response header name, aborting request");
+        return 0;
+    }
+    if (ap_has_cntrl(name)) {
+        ctx->error = 1;
+        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, ctx->r, APLOGNO(02429)
+                      "Response header name '%s' contains control "
+                      "characters, aborting request",
+                      name);
+        return 0;
+    }
+    if (ap_has_cntrl(val)) {
+        ctx->error = 1;
+        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, ctx->r, APLOGNO(02430)
+                      "Response header '%s' contains control characters, "
+                      "aborting request: %s",
+                      name, val);
+        return 0;
+    }
+    return 1;
+}
+
+/**
+ * Check headers for HTTP conformance
+ * @return 1 if ok, 0 if bad
+ */
+static APR_INLINE int check_headers(request_rec *r)
+{
+    const char *loc;
+    struct check_header_ctx ctx = { r, 0 };
+
+    apr_table_do(check_header, &ctx, r->headers_out, NULL);
+    if (ctx.error)
+        return 0; /* problem has been logged by check_header() */
+
+    if ((loc = apr_table_get(r->headers_out, "Location")) != NULL) {
+        const char *scheme_end = ap_strchr_c(loc, ':');
+        const char *s = loc;
+
+        /*
+         * Check that the URI has a valid scheme and is absolute
+         * XXX Should we do a full uri parse here?
+         */
+        if (scheme_end == NULL || scheme_end == loc)
+            goto bad;
+
+        do {
+            if ((!apr_isalnum(*s) && *s != '.' && *s != '+' && *s != '-')
+                || !apr_isascii(*s) ) {
+                goto bad;
+            }
+        } while (++s < scheme_end);
+
+        if (scheme_end[1] != '/' || scheme_end[2] != '/')
+            goto bad;
+    }
+
+    return 1;
+
+bad:
+    ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02431)
+                  "Bad Location header in response: '%s', aborting request",
+                  loc);
+    return 0;
+}
+
 typedef struct header_struct {
     apr_pool_t *pool;
     apr_bucket_brigade *bb;
 } header_struct;
 
 /* Send a single HTTP header field to the client.  Note that this function
- * is used in calls to table_do(), so their interfaces are co-dependent.
- * In other words, don't change this one without checking table_do in alloc.c.
+ * is used in calls to apr_table_do(), so don't change its interface.
  * It returns true unless there was a write error of some kind.
  */
 static int form_header_field(header_struct *h,
@@ -1175,6 +1252,7 @@ AP_CORE_DECLARE_NONSTD(apr_status_t) ap_
     header_filter_ctx *ctx = f->ctx;
     const char *ctype;
     ap_bucket_error *eb = NULL;
+    core_server_config *conf;
 
     AP_DEBUG_ASSERT(!r->main);
 
@@ -1230,6 +1308,15 @@ AP_CORE_DECLARE_NONSTD(apr_status_t) ap_
                                            r->headers_out);
     }
 
+    conf = ap_get_core_module_config(r->server->module_config);
+    if (conf->http_conformance & AP_HTTP_CONFORMANCE_STRICT) {
+        int ok = check_headers(r);
+        if (!ok && !(conf->http_conformance & AP_HTTP_CONFORMANCE_LOGONLY)) {
+            ap_die(HTTP_INTERNAL_SERVER_ERROR, r);
+            return AP_FILTER_ERROR;
+        }
+    }
+
     /*
      * Remove the 'Vary' header field if the client can't handle it.
      * Since this will have nasty effects on HTTP/1.1 caches, force

Modified: httpd/httpd/branches/2.4.x-merge-http-strict/server/core.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x-merge-http-strict/server/core.c?rev=1768036&r1=1768035&r2=1768036&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x-merge-http-strict/server/core.c (original)
+++ httpd/httpd/branches/2.4.x-merge-http-strict/server/core.c Fri Nov  4 14:20:16 2016
@@ -522,6 +522,9 @@ static void *merge_core_server_configs(a
     if (virt->http09_enable != AP_HTTP09_UNSET)
         conf->http09_enable = virt->http09_enable;
 
+    if (virt->http_conformance != AP_HTTP_CONFORMANCE_UNSET)
+        conf->http_conformance = virt->http_conformance;
+
     /* no action for virt->accf_map, not allowed per-vhost */
 
     if (virt->protocol)
@@ -3911,10 +3914,27 @@ static const char *set_http_protocol(cmd
         else if (strcmp(arg, "1.0") == 0)
             conf->http09_enable = AP_HTTP09_DISABLE;
         else
-            return "HttpProtocol min must be one of '0.9' and '1.0'";
-	return NULL;
+            return "HttpProtocol 'min' must be one of '0.9' and '1.0'";
+        return NULL;
+    }
+
+    if (strcmp(arg, "strict") == 0)
+        conf->http_conformance = AP_HTTP_CONFORMANCE_STRICT;
+    else if (strcmp(arg, "strict,log-only") == 0)
+        conf->http_conformance = AP_HTTP_CONFORMANCE_STRICT|
+                                 AP_HTTP_CONFORMANCE_LOGONLY;
+    else if (strcmp(arg, "liberal") == 0)
+        conf->http_conformance = AP_HTTP_CONFORMANCE_LIBERAL;
+    else
+        return "HttpProtocol accepts 'min=0.9', 'min=1.0', 'liberal', "
+               "'strict', 'strict,log-only'";
+
+    if ((conf->http_conformance & AP_HTTP_CONFORMANCE_STRICT) &&
+        (conf->http_conformance & AP_HTTP_CONFORMANCE_LIBERAL)) {
+        return "HttpProtocol 'strict' and 'liberal' are mutually exclusive";
     }
-    return "HttpProtocol must be min=0.9|1.0";
+
+    return NULL;
 }
 
 static const char *set_http_method(cmd_parms *cmd, void *conf, const char *arg)
@@ -4450,8 +4470,9 @@ AP_INIT_ITERATE("Protocols", set_protoco
 AP_INIT_TAKE1("ProtocolsHonorOrder", set_protocols_honor_order, NULL, RSRC_CONF,
               "'off' (default) or 'on' to respect given order of protocols, "
               "by default the client specified order determines selection"),
-AP_INIT_TAKE1("HttpProtocol", set_http_protocol, NULL, RSRC_CONF,
-              "'min=0.9' (default) or 'min=1.0' to allow/deny HTTP/0.9"),
+AP_INIT_ITERATE("HttpProtocol", set_http_protocol, NULL, RSRC_CONF,
+              "'min=0.9' (default) or 'min=1.0' to allow/deny HTTP/0.9; "
+              "'liberal', 'strict', 'strict,log-only'"),
 AP_INIT_ITERATE("RegisterHttpMethod", set_http_method, NULL, RSRC_CONF,
                 "Registers non-standard HTTP methods"),
 { NULL }

Modified: httpd/httpd/branches/2.4.x-merge-http-strict/server/protocol.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x-merge-http-strict/server/protocol.c?rev=1768036&r1=1768035&r2=1768036&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x-merge-http-strict/server/protocol.c (original)
+++ httpd/httpd/branches/2.4.x-merge-http-strict/server/protocol.c Fri Nov  4 14:20:16 2016
@@ -562,6 +562,9 @@ static int read_request_line(request_rec
     char http[5];
     apr_size_t len;
     int num_blank_lines = DEFAULT_LIMIT_BLANK_LINES;
+    core_server_config *conf = ap_get_core_module_config(r->server->module_config);
+    int strict = conf->http_conformance & AP_HTTP_CONFORMANCE_STRICT;
+    int enforce_strict = !(conf->http_conformance & AP_HTTP_CONFORMANCE_LOGONLY);
 
     /* Read past empty lines until we get a real request line,
      * a read error, the connection closes (EOF), or we timeout.
@@ -648,8 +651,6 @@ static int read_request_line(request_rec
         pro = ll;
         len = strlen(ll);
     } else {
-        core_server_config *conf;
-        conf = ap_get_core_module_config(r->server->module_config);
         r->assbackwards = 1;
         pro = "HTTP/0.9";
         len = 8;
@@ -674,12 +675,59 @@ static int read_request_line(request_rec
         && apr_isdigit(pro[7])) {
         r->proto_num = HTTP_VERSION(pro[5] - '0', pro[7] - '0');
     }
-    else if (3 == sscanf(r->protocol, "%4s/%u.%u", http, &major, &minor)
-             && (strcasecmp("http", http) == 0)
-             && (minor < HTTP_VERSION(1, 0)) ) /* don't allow HTTP/0.1000 */
-        r->proto_num = HTTP_VERSION(major, minor);
-    else
-        r->proto_num = HTTP_VERSION(1, 0);
+    else {
+        if (strict) {
+            ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(02418)
+                          "Invalid protocol '%s'", r->protocol);
+            if (enforce_strict) {
+                r->status = HTTP_BAD_REQUEST;
+                return 0;
+            }
+        }
+        if (3 == sscanf(r->protocol, "%4s/%u.%u", http, &major, &minor)
+            && (strcasecmp("http", http) == 0)
+            && (minor < HTTP_VERSION(1, 0)) ) { /* don't allow HTTP/0.1000 */
+            r->proto_num = HTTP_VERSION(major, minor);
+        }
+        else {
+            r->proto_num = HTTP_VERSION(1, 0);
+        }
+    }
+
+    if (strict) {
+        int err = 0;
+        if (ap_has_cntrl(r->the_request)) {
+            ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(02420)
+                          "Request line must not contain control characters");
+            err = HTTP_BAD_REQUEST;
+        }
+        if (r->parsed_uri.fragment) {
+            /* RFC3986 3.5: no fragment */
+            ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(02421)
+                          "URI must not contain a fragment");
+            err = HTTP_BAD_REQUEST;
+        }
+        else if (r->parsed_uri.user || r->parsed_uri.password) {
+            ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(02422)
+                          "URI must not contain a username/password");
+            err = HTTP_BAD_REQUEST;
+        }
+        else if (r->method_number == M_INVALID) {
+            ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(02423)
+                          "Invalid HTTP method string: %s", r->method);
+            err = HTTP_NOT_IMPLEMENTED;
+        }
+        else if (r->assbackwards == 0 && r->proto_num < HTTP_VERSION(1, 0)) {
+            ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(02424)
+                          "HTTP/0.x does not take a protocol");
+            err = HTTP_BAD_REQUEST;
+        }
+
+        if (err && enforce_strict) {
+            r->status = err;
+            return 0;
+        }
+    }
 
     return 1;
 }
@@ -723,6 +771,7 @@ AP_DECLARE(void) ap_get_mime_headers_cor
     apr_size_t len;
     int fields_read = 0;
     char *tmp_field;
+    core_server_config *conf = ap_get_core_module_config(r->server->module_config);
 
     /*
      * Read header lines until we get the empty separator line, a read error,
@@ -876,6 +925,33 @@ AP_DECLARE(void) ap_get_mime_headers_cor
                     *tmp_field-- = '\0';
                 }
 
+                if (conf->http_conformance & AP_HTTP_CONFORMANCE_STRICT) {
+                    int err = 0;
+
+                    if (*last_field == '\0') {
+                        err = HTTP_BAD_REQUEST;
+                        ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(02425)
+                                      "Empty request header field name not allowed");
+                    }
+                    else if (ap_has_cntrl(last_field)) {
+                        err = HTTP_BAD_REQUEST;
+                        ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(02426)
+                                      "[HTTP strict] Request header field name contains "
+                                      "control character: %.*s",
+                                      (int)LOG_NAME_MAX_LEN, last_field);
+                    }
+                    else if (ap_has_cntrl(value)) {
+                        err = HTTP_BAD_REQUEST;
+                        ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(02427)
+                                      "Request header field '%.*s' contains"
+                                      "control character", (int)LOG_NAME_MAX_LEN,
+                                      last_field);
+                    }
+                    if (err && !(conf->http_conformance & AP_HTTP_CONFORMANCE_LOGONLY)) {
+                        r->status = err;
+                        return;
+                    }
+                }
                 apr_table_addn(r->headers_in, last_field, value);
 
                 /* reset the alloc_len so that we'll allocate a new
@@ -925,7 +1001,7 @@ request_rec *ap_read_request(conn_rec *c
     request_rec *r;
     apr_pool_t *p;
     const char *expect;
-    int access_status = HTTP_OK;
+    int access_status;
     apr_bucket_brigade *tmp_bb;
     apr_socket_t *csd;
     apr_interval_time_t cur_timeout;
@@ -984,9 +1060,11 @@ request_rec *ap_read_request(conn_rec *c
 
     /* Get the request... */
     if (!read_request_line(r, tmp_bb)) {
-        if (r->status == HTTP_REQUEST_URI_TOO_LARGE
-            || r->status == HTTP_BAD_REQUEST
-            || r->status == HTTP_VERSION_NOT_SUPPORTED) {
+        switch (r->status) {
+        case HTTP_REQUEST_URI_TOO_LARGE:
+        case HTTP_BAD_REQUEST:
+        case HTTP_VERSION_NOT_SUPPORTED:
+        case HTTP_NOT_IMPLEMENTED:
             if (r->status == HTTP_REQUEST_URI_TOO_LARGE) {
                 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(00565)
                               "request failed: client's request-line exceeds LimitRequestLine (longer than %d)",
@@ -1004,19 +1082,17 @@ request_rec *ap_read_request(conn_rec *c
             r = NULL;
             apr_brigade_destroy(tmp_bb);
             goto traceout;
-        }
-        else if (r->status == HTTP_REQUEST_TIME_OUT) {
+        case HTTP_REQUEST_TIME_OUT:
             ap_update_child_status(conn->sbh, SERVER_BUSY_LOG, NULL);
-            if (!r->connection->keepalives) {
+            if (!r->connection->keepalives)
                 ap_run_log_transaction(r);
-            }
             apr_brigade_destroy(tmp_bb);
             goto traceout;
+        default:
+            apr_brigade_destroy(tmp_bb);
+            r = NULL;
+            goto traceout;
         }
-
-        apr_brigade_destroy(tmp_bb);
-        r = NULL;
-        goto traceout;
     }
 
     /* We may have been in keep_alive_timeout mode, so toggle back
@@ -1101,6 +1177,7 @@ request_rec *ap_read_request(conn_rec *c
      * now read. may update status.
      */
     ap_update_vhost_from_headers(r);
+    access_status = r->status;
 
     /* Toggle to the Host:-based vhost's timeout mode to fetch the
      * request body and send the response body, if needed.

Modified: httpd/httpd/branches/2.4.x-merge-http-strict/server/util.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x-merge-http-strict/server/util.c?rev=1768036&r1=1768035&r2=1768036&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x-merge-http-strict/server/util.c (original)
+++ httpd/httpd/branches/2.4.x-merge-http-strict/server/util.c Fri Nov  4 14:20:16 2016
@@ -2189,6 +2189,16 @@ AP_DECLARE(void) ap_bin2hex(const void *
     *dest = '\0';
 }
 
+AP_DECLARE(int) ap_has_cntrl(const char *str)
+{
+    while (*str) {
+        if (apr_iscntrl(*str))
+            return 1;
+        str++;
+    }
+    return 0;
+}
+
 AP_DECLARE(int) ap_is_directory(apr_pool_t *p, const char *path)
 {
     apr_finfo_t finfo;

Modified: httpd/httpd/branches/2.4.x-merge-http-strict/server/vhost.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x-merge-http-strict/server/vhost.c?rev=1768036&r1=1768035&r2=1768036&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x-merge-http-strict/server/vhost.c (original)
+++ httpd/httpd/branches/2.4.x-merge-http-strict/server/vhost.c Fri Nov  4 14:20:16 2016
@@ -747,6 +747,59 @@ static apr_status_t fix_hostname_non_v6(
     return APR_SUCCESS;
 }
 
+/*
+ * If strict mode ever becomes the default, this should be folded into
+ * fix_hostname_non_v6()
+ */
+static apr_status_t strict_hostname_check(request_rec *r, char *host,
+                                          int logonly)
+{
+    char *ch;
+    int is_dotted_decimal = 1, leading_zeroes = 0, dots = 0;
+
+    for (ch = host; *ch; ch++) {
+        if (!apr_isascii(*ch)) {
+            goto bad;
+        }
+        else if (apr_isalpha(*ch) || *ch == '-') {
+            is_dotted_decimal = 0;
+        }
+        else if (ch[0] == '.') {
+            dots++;
+            if (ch[1] == '0' && apr_isdigit(ch[2]))
+                leading_zeroes = 1;
+        }
+        else if (!apr_isdigit(*ch)) {
+           /* also takes care of multiple Host headers by denying commas */
+            goto bad;
+        }
+    }
+    if (is_dotted_decimal) {
+        if (host[0] == '.' || (host[0] == '0' && apr_isdigit(host[1])))
+            leading_zeroes = 1;
+        if (leading_zeroes || dots != 3) {
+            /* RFC 3986 7.4 */
+            goto bad;
+        }
+    }
+    else {
+        /* The top-level domain must start with a letter (RFC 1123 2.1) */
+        while (ch > host && *ch != '.')
+            ch--;
+        if (ch[0] == '.' && ch[1] != '\0' && !apr_isalpha(ch[1]))
+            goto bad;
+    }
+    return APR_SUCCESS;
+
+bad:
+    ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(02415)
+                  "[strict] Invalid host name '%s'%s%.6s",
+                  host, *ch ? ", problem near: " : "", ch);
+    if (logonly)
+        return APR_SUCCESS;
+    return APR_EINVAL;
+}
+
 /* Lowercase and remove any trailing dot and/or :port from the hostname,
  * and check that it is sane.
  *
@@ -760,22 +813,23 @@ static apr_status_t fix_hostname_non_v6(
  * Instead we just check for filesystem metacharacters: directory
  * separators / and \ and sequences of more than one dot.
  */
-static void fix_hostname(request_rec *r, const char *host_header)
+static int fix_hostname(request_rec *r, const char *host_header,
+                        unsigned http_conformance)
 {
     const char *src;
     char *host, *scope_id;
     apr_port_t port;
     apr_status_t rv;
     const char *c;
+    int is_v6literal = 0;
+    int strict = http_conformance & AP_HTTP_CONFORMANCE_STRICT;
+    int strict_logonly = http_conformance & AP_HTTP_CONFORMANCE_LOGONLY;
 
     src = host_header ? host_header : r->hostname;
 
-    /* According to RFC 2616, Host header field CAN be blank.
-     * XXX But only 'if the requested URI does not include an Internet host
-     * XXX name'. Can this happen?
-     */
+    /* According to RFC 2616, Host header field CAN be blank */
     if (!*src) {
-        return;
+        return is_v6literal;
     }
 
     /* apr_parse_addr_port will interpret a bare integer as a port
@@ -784,8 +838,16 @@ static void fix_hostname(request_rec *r,
     for (c = src; apr_isdigit(*c); ++c);
     if (!*c) {
         /* pure integer */
+        if (strict) {
+            /* RFC 3986 7.4 */
+            ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(02416)
+                         "[strict] purely numeric host names not allowed: %s",
+                         src);
+            if (!strict_logonly)
+                goto bad_nolog;
+        }
         r->hostname = src;
-        return;
+        return is_v6literal;
     }
 
     if (host_header) {
@@ -802,9 +864,7 @@ static void fix_hostname(request_rec *r,
             r->parsed_uri.port_str = apr_itoa(r->pool, (int)port);
         }
         if (host_header[0] == '[')
-            rv = fix_hostname_v6_literal(r, host);
-        else
-            rv = fix_hostname_non_v6(r, host);
+            is_v6literal = 1;
     }
     else {
         /*
@@ -813,24 +873,32 @@ static void fix_hostname(request_rec *r,
          */
         host = apr_pstrdup(r->pool, r->hostname);
         if (ap_strchr(host, ':') != NULL)
-            rv = fix_hostname_v6_literal(r, host);
-        else
-            rv = fix_hostname_non_v6(r, host);
+            is_v6literal = 1;
+    }
+
+    if (is_v6literal) {
+        rv = fix_hostname_v6_literal(r, host);
+    }
+    else {
+        rv = fix_hostname_non_v6(r, host);
+        if (strict && rv == APR_SUCCESS)
+            rv = strict_hostname_check(r, host, strict_logonly);
     }
     if (rv != APR_SUCCESS)
         goto bad;
+
     r->hostname = host;
-    return;
+    return is_v6literal;
 
 bad:
-    r->status = HTTP_BAD_REQUEST;
     ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(00550)
                   "Client sent malformed Host header: %s",
-                  r->hostname);
-    return;
+                  src);
+bad_nolog:
+    r->status = HTTP_BAD_REQUEST;
+    return is_v6literal;
 }
 
-
 /* return 1 if host matches ServerName or ServerAliases */
 static int matches_aliases(server_rec *s, const char *host)
 {
@@ -1040,23 +1108,79 @@ static void check_serverpath(request_rec
     }
 }
 
+static APR_INLINE const char *construct_host_header(request_rec *r,
+                                                    int is_v6literal)
+{
+    struct iovec iov[5];
+    apr_size_t nvec = 0;
+    /*
+     * We cannot use ap_get_server_name/port here, because we must
+     * ignore UseCanonicalName/Port.
+     */
+    if (is_v6literal) {
+        iov[nvec].iov_base = "[";
+        iov[nvec].iov_len = 1;
+        nvec++;
+    }
+    iov[nvec].iov_base = (void *)r->hostname;
+    iov[nvec].iov_len = strlen(r->hostname);
+    nvec++;
+    if (is_v6literal) {
+        iov[nvec].iov_base = "]";
+        iov[nvec].iov_len = 1;
+        nvec++;
+    }
+    if (r->parsed_uri.port_str) {
+        iov[nvec].iov_base = ":";
+        iov[nvec].iov_len = 1;
+        nvec++;
+        iov[nvec].iov_base = r->parsed_uri.port_str;
+        iov[nvec].iov_len = strlen(r->parsed_uri.port_str);
+        nvec++;
+    }
+    return apr_pstrcatv(r->pool, iov, nvec, NULL);
+}
 
 AP_DECLARE(void) ap_update_vhost_from_headers(request_rec *r)
 {
-    const char *host_header;
+    core_server_config *conf = ap_get_core_module_config(r->server->module_config);
+    const char *host_header = apr_table_get(r->headers_in, "Host");
+    int is_v6literal, have_hostname_from_url = 0;
 
     if (r->hostname) {
         /*
          * If there was a host part in the Request-URI, ignore the 'Host'
          * header.
          */
-        fix_hostname(r, NULL);
+        have_hostname_from_url = 1;
+        is_v6literal = fix_hostname(r, NULL, conf->http_conformance);
     }
-    else if ((host_header = apr_table_get(r->headers_in, "Host")) != NULL ) {
-        fix_hostname(r, host_header);
+    else if (host_header != NULL) {
+        is_v6literal = fix_hostname(r, host_header, conf->http_conformance);
     }
     if (r->status != HTTP_OK)
         return;
+
+    if (conf->http_conformance & AP_HTTP_CONFORMANCE_STRICT) {
+        /*
+         * If we have both hostname from an absoluteURI and a Host header,
+         * we must ignore the Host header (RFC 2616 5.2).
+         * To enforce this, we reset the Host header to the value from the
+         * request line.
+         */
+        if (have_hostname_from_url && host_header != NULL) {
+            const char *info = "Would replace";
+            const char *new = construct_host_header(r, is_v6literal);
+            if (!(conf->http_conformance & AP_HTTP_CONFORMANCE_LOGONLY)) {
+                apr_table_set(r->headers_in, "Host", r->hostname);
+                info = "Replacing";
+            }
+            ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(02417)
+                          "%s Host header '%s' with host from request uri: "
+                          "'%s'", info, host_header, new);
+        }
+    }
+
     /* check if we tucked away a name_chain */
     if (r->connection->vhost_lookup_data) {
         if (r->hostname)



Mime
View raw message