httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rob Hartill <r...@imdb.com>
Subject [PATCH]es Re: Patches to be applied?
Date Sun, 12 Jan 1997 22:05:05 GMT
On Sun, 12 Jan 1997, Randy Terbush wrote:

> If anyone has submitted other patches, please resubmit them to the
> list, and try adding the [PATCH] so I can try out my new procmail 
> rules. :)

Here are some patches. I don't know if they should be commited or not.


	1) mod_access - Ben said the "user-agent" stuff should be removed
		if/when the "env=" check was added to replace it. It might
		be worth leaving the code #ifdef'd out for now.

Index: mod_access.c
===================================================================
RCS file: /export/home/cvs/apache/src/mod_access.c,v
retrieving revision 1.3
diff -u -r1.3 mod_access.c
--- mod_access.c        1997/01/12 21:40:55     1.3
+++ mod_access.c        1997/01/12 21:44:29
@@ -188,7 +188,7 @@
 
        if (!strncmp(ap[i].from,"env=",4) && table_get(r->subprocess_env,ap[i].f
rom+4))
            return 1;
-           
+#ifdef USER_AGENTS_HACK
         if (ap[i].from && !strcmp(ap[i].from, "user-agents")) {
            char * this_agent = table_get(r->headers_in, "User-Agent");
            int j;
@@ -200,6 +200,7 @@
            }
            return 0;
        }
+#endif
        
        if (!strcmp (ap[i].from, "all"))
            return 1;





	2) ScriptLog security hole. Authorization headers need to be removed


Index: mod_cgi.c
===================================================================
RCS file: /export/home/cvs/apache/src/mod_cgi.c,v
retrieving revision 1.4
diff -u -r1.4 mod_cgi.c
--- mod_cgi.c   1997/01/02 03:34:57     1.4
+++ mod_cgi.c   1997/01/12 01:29:12
@@ -212,6 +212,7 @@
     fputs("%request\n", f);
     for (i = 0; i < hdrs_arr->nelts; ++i) {
       if (!hdrs[i].key) continue;
+      if (!strcmp(hdrs[i].key, "Authorization")) continue;
       fprintf(f, "%s: %s\n", hdrs[i].key, hdrs[i].val);
     }
     if ((r->method_number == M_POST || r->method_number == M_PUT)



	A reasonable solution to this might be to write out "XXXXX" if
	the "realm" is anything other than "log-test". A search on
	"log-test" would be adequate.

	An untested patch:


Index: mod_cgi.c
===================================================================
RCS file: /export/home/cvs/apache/src/mod_cgi.c,v
retrieving revision 1.4
diff -u -r1.4 mod_cgi.c
--- mod_cgi.c   1997/01/02 03:34:57     1.4
+++ mod_cgi.c   1997/01/12 21:53:49
@@ -212,6 +212,12 @@
     fputs("%request\n", f);
     for (i = 0; i < hdrs_arr->nelts; ++i) {
       if (!hdrs[i].key) continue;
+      if (!strcmp(hdrs[i].key, "Authorization")) {
+           if (!strstr(hdrs[i].val, "log-test")) {
+                 fprintf(f, "%s: XXX use realm \"log-test\" to log unencrypted password here
XXX\n", hdrs[i].key);
+                continue;
+           }
+      }
       fprintf(f, "%s: %s\n", hdrs[i].key, hdrs[i].val);
     }
     if ((r->method_number == M_POST || r->method_number == M_PUT)




	3) mod_expires is working hard to check sub-requests' expiration dates
		only for them to be ignored, it does the same for errors

		I only remember support from Andy on an *earlier* version
		of this patch.


Index: mod_expires.c
===================================================================
RCS file: /export/home/cvs/apache/src/mod_expires.c,v
retrieving revision 1.2
diff -u -r1.2 mod_expires.c
--- mod_expires.c       1997/01/02 03:35:02     1.2
+++ mod_expires.c       1997/01/12 21:57:55
@@ -383,18 +383,24 @@
 
 int add_expires(request_rec *r)
 {
-    expires_dir_config *conf =
-            (expires_dir_config *)get_module_config(r->per_dir_config, &expires
_module);
+    expires_dir_config *conf;
     char *code;
     time_t base; 
     time_t additional; 
     time_t expires; 
 
-    if ( r->finfo.st_mode == 0 )
+    if (is_HTTP_ERROR(r->status)) {  /* Don't add Expires headers to errors */
        return DECLINED;
+    }
 
-    /* COMMA bites my ass...
-     */
+    if (r->main != NULL) {           /* Say no to subrequests */
+       return DECLINED;
+    }
+
+    if ( r->finfo.st_mode == 0 )     /* no file ? shame. */
+       return DECLINED;
+
+    conf = (expires_dir_config *)get_module_config(r->per_dir_config, &expires_
module);
     if ( conf == NULL ) {
         log_reason ("internal error in expires_module; add_expires(), conf == N
ULL", r->filename, r);
        return SERVER_ERROR;




Mime
View raw message