Received: by taz.hyperreal.com (8.8.3/V2.0) id TAA28758;
 Sun, 12 Jan 1997 19:20:59 -0800 (PST)
Received: from sierra.zyzzyva.com by taz.hyperreal.com (8.8.3/V2.0) with ESMTP
 id TAA28753; Sun, 12 Jan 1997 19:20:51 -0800 (PST)
Received: from sierra (localhost [127.0.0.1]) by sierra.zyzzyva.com
 (8.8.4/8.8.2) with ESMTP id VAA03292 for <new-httpd@hyperreal.com>;
 Sun, 12 Jan 1997 21:21:59 -0600 (CST)
Message-Id: <199701130321.VAA03292@sierra.zyzzyva.com>
To: new-httpd@hyperreal.com
Subject: Re: [PATCH]es Re: Patches to be applied? 
In-reply-to: robh's message of Sun, 12 Jan 1997 22:05:05 +0000.
         <Pine.BSF.3.91.970112214524.15817B-100000@localhost>
X-uri: http://www.zyzzyva.com/
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Sun, 12 Jan 1997 21:21:59 -0600
From: Randy Terbush <randy@zyzzyva.com>
Sender: new-httpd-owner@apache.org
Precedence: bulk
Reply-To: new-httpd@hyperreal.com


#1 +1
#2 -1  It's my understanding that ScriptLog is for debugging.
#3 +1


> On Sun, 12 Jan 1997, Randy Terbush wrote:
> 
> > If anyone has submitted other patches, please resubmit them to the
> > list, and try adding the [PATCH] so I can try out my new procmail 
> > rules. :)
> 
> Here are some patches. I don't know if they should be commited or not.
> 
> 
> 	1) mod_access - Ben said the "user-agent" stuff should be removed
> 		if/when the "env=" check was added to replace it. It might
> 		be worth leaving the code #ifdef'd out for now.
> 
> Index: mod_access.c
> ===================================================================
> RCS file: /export/home/cvs/apache/src/mod_access.c,v
> retrieving revision 1.3
> diff -u -r1.3 mod_access.c
> --- mod_access.c        1997/01/12 21:40:55     1.3
> +++ mod_access.c        1997/01/12 21:44:29
> @@ -188,7 +188,7 @@
>  
>         if (!strncmp(ap[i].from,"env=",4) && table_get(r->subprocess_env,ap[i].f
> rom+4))
>             return 1;
> -           
> +#ifdef USER_AGENTS_HACK
>          if (ap[i].from && !strcmp(ap[i].from, "user-agents")) {
>             char * this_agent = table_get(r->headers_in, "User-Agent");
>             int j;
> @@ -200,6 +200,7 @@
>             }
>             return 0;
>         }
> +#endif
>         
>         if (!strcmp (ap[i].from, "all"))
>             return 1;
> 
> 
> 
> 
> 
> 	2) ScriptLog security hole. Authorization headers need to be removed
> 
> 
> Index: mod_cgi.c
> ===================================================================
> RCS file: /export/home/cvs/apache/src/mod_cgi.c,v
> retrieving revision 1.4
> diff -u -r1.4 mod_cgi.c
> --- mod_cgi.c   1997/01/02 03:34:57     1.4
> +++ mod_cgi.c   1997/01/12 01:29:12
> @@ -212,6 +212,7 @@
>      fputs("%request\n", f);
>      for (i = 0; i < hdrs_arr->nelts; ++i) {
>        if (!hdrs[i].key) continue;
> +      if (!strcmp(hdrs[i].key, "Authorization")) continue;
>        fprintf(f, "%s: %s\n", hdrs[i].key, hdrs[i].val);
>      }
>      if ((r->method_number == M_POST || r->method_number == M_PUT)
> 
> 
> 
> 	A reasonable solution to this might be to write out "XXXXX" if
> 	the "realm" is anything other than "log-test". A search on
> 	"log-test" would be adequate.
> 
> 	An untested patch:
> 
> 
> Index: mod_cgi.c
> ===================================================================
> RCS file: /export/home/cvs/apache/src/mod_cgi.c,v
> retrieving revision 1.4
> diff -u -r1.4 mod_cgi.c
> --- mod_cgi.c   1997/01/02 03:34:57     1.4
> +++ mod_cgi.c   1997/01/12 21:53:49
> @@ -212,6 +212,12 @@
>      fputs("%request\n", f);
>      for (i = 0; i < hdrs_arr->nelts; ++i) {
>        if (!hdrs[i].key) continue;
> +      if (!strcmp(hdrs[i].key, "Authorization")) {
> +           if (!strstr(hdrs[i].val, "log-test")) {
> +                 fprintf(f, "%s: XXX use realm \"log-test\" to log unencrypted password here XXX\n", hdrs[i].key);
> +                continue;
> +           }
> +      }
>        fprintf(f, "%s: %s\n", hdrs[i].key, hdrs[i].val);
>      }
>      if ((r->method_number == M_POST || r->method_number == M_PUT)
> 
> 
> 
> 
> 	3) mod_expires is working hard to check sub-requests' expiration dates
> 		only for them to be ignored, it does the same for errors
> 
> 		I only remember support from Andy on an *earlier* version
> 		of this patch.
> 
> 
> Index: mod_expires.c
> ===================================================================
> RCS file: /export/home/cvs/apache/src/mod_expires.c,v
> retrieving revision 1.2
> diff -u -r1.2 mod_expires.c
> --- mod_expires.c       1997/01/02 03:35:02     1.2
> +++ mod_expires.c       1997/01/12 21:57:55
> @@ -383,18 +383,24 @@
>  
>  int add_expires(request_rec *r)
>  {
> -    expires_dir_config *conf =
> -            (expires_dir_config *)get_module_config(r->per_dir_config, &expires
> _module);
> +    expires_dir_config *conf;
>      char *code;
>      time_t base; 
>      time_t additional; 
>      time_t expires; 
>  
> -    if ( r->finfo.st_mode == 0 )
> +    if (is_HTTP_ERROR(r->status)) {  /* Don't add Expires headers to errors */
>         return DECLINED;
> +    }
>  
> -    /* COMMA bites my ass...
> -     */
> +    if (r->main != NULL) {           /* Say no to subrequests */
> +       return DECLINED;
> +    }
> +
> +    if ( r->finfo.st_mode == 0 )     /* no file ? shame. */
> +       return DECLINED;
> +
> +    conf = (expires_dir_config *)get_module_config(r->per_dir_config, &expires_
> module);
>      if ( conf == NULL ) {
>          log_reason ("internal error in expires_module; add_expires(), conf == N
> ULL", r->filename, r);
>         return SERVER_ERROR;
> 
>