Return-Path: X-Original-To: archive-asf-public-internal@cust-asf2.ponee.io Delivered-To: archive-asf-public-internal@cust-asf2.ponee.io Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183]) by cust-asf2.ponee.io (Postfix) with ESMTP id 266EC200B7D for ; Sat, 10 Sep 2016 13:58:38 +0200 (CEST) Received: by cust-asf.ponee.io (Postfix) id 25100160ABE; Sat, 10 Sep 2016 11:58:38 +0000 (UTC) Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by cust-asf.ponee.io (Postfix) with SMTP id 461E0160AB2 for ; Sat, 10 Sep 2016 13:58:37 +0200 (CEST) Received: (qmail 18813 invoked by uid 500); 10 Sep 2016 11:58:36 -0000 Mailing-List: contact dev-help@httpd.apache.org; run by ezmlm Precedence: bulk Reply-To: dev@httpd.apache.org list-help: list-unsubscribe: List-Post: List-Id: Delivered-To: mailing list dev@httpd.apache.org Received: (qmail 18803 invoked by uid 99); 10 Sep 2016 11:58:36 -0000 Received: from pnap-us-west-generic-nat.apache.org (HELO spamd1-us-west.apache.org) (209.188.14.142) by apache.org (qpsmtpd/0.29) with ESMTP; Sat, 10 Sep 2016 11:58:36 +0000 Received: from localhost (localhost [127.0.0.1]) by spamd1-us-west.apache.org (ASF Mail Server at spamd1-us-west.apache.org) with ESMTP id 91852C1DE3 for ; Sat, 10 Sep 2016 11:58:35 +0000 (UTC) X-Virus-Scanned: Debian amavisd-new at spamd1-us-west.apache.org X-Spam-Flag: NO X-Spam-Score: 0.748 X-Spam-Level: X-Spam-Status: No, score=0.748 tagged_above=-999 required=6.31 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, KAM_ASCII_DIVIDERS=0.8, KAM_INFOUSMEBIZ=0.75, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001] autolearn=disabled Authentication-Results: spamd1-us-west.apache.org (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com Received: from mx1-lw-us.apache.org ([10.40.0.8]) by localhost (spamd1-us-west.apache.org [10.40.0.7]) (amavisd-new, port 10024) with ESMTP id EYB4UM4FcPuY for ; Sat, 10 Sep 2016 11:58:32 +0000 (UTC) Received: from mail-qk0-f175.google.com (mail-qk0-f175.google.com [209.85.220.175]) by mx1-lw-us.apache.org (ASF Mail Server at mx1-lw-us.apache.org) with ESMTPS id 4C4AE5FD4D for ; Sat, 10 Sep 2016 11:58:32 +0000 (UTC) Received: by mail-qk0-f175.google.com with SMTP id v123so107566145qkh.2 for ; Sat, 10 Sep 2016 04:58:32 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to; bh=JDznQS7npL0ZpFClXECESKgFH9nb2Y6xBN+TUfz0hQg=; b=Gf2Pm1+FZU0Bfsipna9vZwlTZAeBAF+mkO6X7Rg9Dr1K/duUDLwyylSB6zrRWNx/P0 GQ/erkDG4PX1U+m2pgmGd9TAUeBjUJXz1U+5wNyM+G5JOJ5l594vB30xG4wiz6FfDYx/ tPB5khmx5bCUQ11x8rkt2y/znlkDLq3cwvELUH/zcEDL7Ze1A9Wf6ODX8TZ6g0VsDDgE LUmX/XlYyeCSpHGi+cxqMRK8b0xFbs5lkM8C0do+7SCYTSdBZvFf185mYbof5fU8wpIt NuwLTTv7bn25SGIU2N7xFnAMLKihsf/iuoGmHfX1ModZVZFGbxMvEu770DAdzz5oR35W zqdw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to; bh=JDznQS7npL0ZpFClXECESKgFH9nb2Y6xBN+TUfz0hQg=; b=U9UQoe8wNowhgTxHNqmRqIe9H1cq0ING4O3W+G37mWTq7swD5D6/7YoFixYZ+5v7XK e07+MRlNAVp//WYleGfyC55+Eo6N25Ze4PVAmrPCgpWPbumA8AC47g3Mn9dOxWXIx6tH dA/NZIF3nbz+d5XZvF+zpmHzrVKuUd7mxUMFMBh2gqjlncTl6FOvN93CKBWz/yzM14xw pQrN+Ukl8dLrnLK/oiRcJFR3puUiFj3TtqR7SlQxfr/lOf+iUmOLQJ6hZSv7kOUvQG/U 52KZ28ivOIfSgTq3VyWHtexyySXt819xWl5sJhfVhFv9vd7woQ4ujqJ56qmY7Ts/xtuq ZWsw== X-Gm-Message-State: AE9vXwMlxteondAd/FDLWicObb5llwf7RBVgC49y7G2cUOwoOaA0Wd6GspU2PVdszTVRk49oI7IwYspnzual4w== X-Received: by 10.55.100.207 with SMTP id y198mr9195850qkb.281.1473508705981; Sat, 10 Sep 2016 04:58:25 -0700 (PDT) MIME-Version: 1.0 Received: by 10.55.17.23 with HTTP; Sat, 10 Sep 2016 04:58:25 -0700 (PDT) In-Reply-To: References: <20160827101224.2B0063A0ED1@svn01-us-west.apache.org> From: Yann Ylavic Date: Sat, 10 Sep 2016 13:58:25 +0200 Message-ID: Subject: Re: svn commit: r1757982 - /httpd/httpd/branches/2.4.x/STATUS To: httpd-dev Content-Type: text/plain; charset=UTF-8 archived-at: Sat, 10 Sep 2016 11:58:38 -0000 Hi Luca, On Sat, Sep 10, 2016 at 12:07 PM, Luca Toscano wrote: > > 2016-09-10 1:13 GMT+02:00 Yann Ylavic : >> >> As read it, this proposal (http://apaste.info/FCs) does not enforce >> GMT date and will treat any other timezone as if it were GMT (per >> apr_date_parse_http(), which does not look for "GMT" anywhere), right? > > Yes, it leaves the current behavior unaltered (except for APR_DATE_BAD). So we still may change the Last-Modified sent by a CGI... >> >> Shouldn't we either ignore (i.e. not forward) non-GMT, or change it to >> GMT if it's a valid timezone? >> >> The only way to do this would be to use apr_date_parse_rfc() in the first >> place. >> If we'd want to ignore non-GMT, compare it to apr_date_parse_http(). >> And only otherwise or if it matches, let it go through ap_update_mtime(). > > My decision to not use apr_date_parse_rfc came after the long discussion in > dev@ about whether or not a Last-Modified header coming from a CGI backend > should be considered HTTP input (so assuming GMT IIUC) or not. Since we > didn't reach a complete agreement on how to proceed I thought to propose a > light change as starter (to answer a question raised in users@ a while back > about warning admins on httpd modifications of the Last-Modified header > value) and think about more invasive changes in the future, like dropping a > non GMT header or converting it in GMT if on a valid timezone. If we really didn't want to modify the (semantic of the )header, we'd accept other timezones and convert it to GMT. But dropping or interpreting it as GMT when it's not (i.e. s//GMT/ without changing the date) is a modification anyway. So if we want to stick to the RFC (and it's very strict interpretation, which I'm not sure it's that strict), either we ignore or we error on non-GMT (the latter would be an unacceptable change in behaviour IMHO). > >> >> >> I don't the difference between this proposal and the current code (but >> TRACEs), ap_update_mtime() is a noop with APR_DATE_BAD. >> Did I miss something? > > > This is a very good point, I didn't notice an important part. From what I > can see ap_update_mtime is indeed not updating anything, but r->mtime is > already 0 and the ap_set_last_modified picks it up and use it (ending up > with a Unix epoch datetime string). My check on APR_DATE_BAD avoids the call > to ap_set_last_modified, this is why the header is dropped. Yes, I missed ap_set_last_modified() was using ~now when given zero. > Maybe we also > need something like the following? > > AP_DECLARE(void) ap_set_last_modified(request_rec *r) > { > - if (!r->assbackwards) { > + if (!r->assbackwards && r->mtime > 0) { > apr_time_t mod_time = ap_rationalize_mtime(r, r->mtime); > char *datestr = apr_palloc(r->pool, APR_RFC822_DATE_LEN); That'd change its behaviour, one may currently use it to set Last-Modified to now, w/o calling ap_update_mtime(), and it used to work... Anyway, my personal preference would be to tolerate a different timezone (than GMT), or at at worse ignore the header (if not GMT). So I think the patch (against 2.4.x) would be something like : Index: server/util_script.c =================================================================== --- server/util_script.c (revision 1760114) +++ server/util_script.c (working copy) @@ -670,11 +670,26 @@ AP_DECLARE(int) ap_scan_script_header_err_core_ex( } /* * If the script gave us a Last-Modified header, we can't just - * pass it on blindly because of restrictions on future values. + * pass it on blindly (RFC mandates GMT). Future values are + * handled by ap_set_last_modified() and changed to now. */ else if (!strcasecmp(w, "Last-Modified")) { - ap_update_mtime(r, apr_date_parse_http(l)); - ap_set_last_modified(r); + apr_time_t parsed_date = apr_date_parse_rfc(l); + if (parsed_date == APR_DATE_BAD) { + ap_log_rerror(SCRIPT_LOG_MARK, APLOG_DEBUG, 0, r, + "Ignored Last-Modified header value: '%s'", + l); + } + else if(parsed_date != apr_date_parse_http(l)) { + ap_log_rerror(SCRIPT_LOG_MARK, APLOG_DEBUG, 0, r, + "Ignored Last-Modified header value (not " + "within the GMT timezone, as required): '%s'", + l); + } + else { + ap_update_mtime(r, parsed_date); + ap_set_last_modified(r); + } } else if (!strcasecmp(w, "Set-Cookie")) { apr_table_add(cookie_table, w, l); _ Or the lenient mode : Index: server/util_script.c =================================================================== --- server/util_script.c (revision 1760114) +++ server/util_script.c (working copy) @@ -670,11 +670,21 @@ AP_DECLARE(int) ap_scan_script_header_err_core_ex( } /* * If the script gave us a Last-Modified header, we can't just - * pass it on blindly because of restrictions on future values. + * pass it on blindly (RFC mandates GMT, but be lenient and + * transform other timezones to GMT). Future values are handled + * by ap_set_last_modified() and changed to now. */ else if (!strcasecmp(w, "Last-Modified")) { - ap_update_mtime(r, apr_date_parse_http(l)); - ap_set_last_modified(r); + apr_time_t parsed_date = apr_date_parse_rfc(l); + if (parsed_date == APR_DATE_BAD) { + ap_log_rerror(SCRIPT_LOG_MARK, APLOG_DEBUG, 0, r, + "Ignored Last-Modified header value: '%s'", + l); + } + else { + ap_update_mtime(r, parsed_date); + ap_set_last_modified(r); + } } else if (!strcasecmp(w, "Set-Cookie")) { apr_table_add(cookie_table, w, l); _ Regards, Yann.