Sync from SUSE:SLFO:Main apache2 revision d5aa119141eedb6a8156b8b361bc099b
This commit is contained in:
parent
f52833938c
commit
fe7b02a989
@ -1,74 +0,0 @@
|
||||
Index: httpd-2.4.58/modules/http/http_filters.c
|
||||
===================================================================
|
||||
--- httpd-2.4.58.orig/modules/http/http_filters.c
|
||||
+++ httpd-2.4.58/modules/http/http_filters.c
|
||||
@@ -1353,6 +1353,9 @@ AP_CORE_DECLARE_NONSTD(apr_status_t) ap_
|
||||
*/
|
||||
apr_table_clear(r->headers_out);
|
||||
apr_table_clear(r->err_headers_out);
|
||||
+ r->content_type = r->content_encoding = NULL;
|
||||
+ r->content_languages = NULL;
|
||||
+ r->clength = r->chunked = 0;
|
||||
apr_brigade_cleanup(b);
|
||||
|
||||
/* Don't recall ap_die() if we come back here (from its own internal
|
||||
@@ -1369,8 +1372,6 @@ AP_CORE_DECLARE_NONSTD(apr_status_t) ap_
|
||||
APR_BRIGADE_INSERT_TAIL(b, e);
|
||||
e = apr_bucket_eos_create(c->bucket_alloc);
|
||||
APR_BRIGADE_INSERT_TAIL(b, e);
|
||||
- r->content_type = r->content_encoding = NULL;
|
||||
- r->content_languages = NULL;
|
||||
ap_set_content_length(r, 0);
|
||||
recursive_error = 1;
|
||||
}
|
||||
@@ -1397,6 +1398,7 @@ AP_CORE_DECLARE_NONSTD(apr_status_t) ap_
|
||||
if (!apr_is_empty_table(r->err_headers_out)) {
|
||||
r->headers_out = apr_table_overlay(r->pool, r->err_headers_out,
|
||||
r->headers_out);
|
||||
+ apr_table_clear(r->err_headers_out);
|
||||
}
|
||||
|
||||
/*
|
||||
@@ -1416,6 +1418,17 @@ AP_CORE_DECLARE_NONSTD(apr_status_t) ap_
|
||||
fixup_vary(r);
|
||||
}
|
||||
|
||||
+
|
||||
+ /*
|
||||
+ * Control cachability for non-cacheable responses if not already set by
|
||||
+ * some other part of the server configuration.
|
||||
+ */
|
||||
+ if (r->no_cache && !apr_table_get(r->headers_out, "Expires")) {
|
||||
+ char *date = apr_palloc(r->pool, APR_RFC822_DATE_LEN);
|
||||
+ ap_recent_rfc822_date(date, r->request_time);
|
||||
+ apr_table_addn(r->headers_out, "Expires", date);
|
||||
+ }
|
||||
+
|
||||
/*
|
||||
* Now remove any ETag response header field if earlier processing
|
||||
* says so (such as a 'FileETag None' directive).
|
||||
@@ -1428,6 +1441,7 @@ AP_CORE_DECLARE_NONSTD(apr_status_t) ap_
|
||||
basic_http_header_check(r, &protocol);
|
||||
ap_set_keepalive(r);
|
||||
|
||||
+ /* 204/304 responses don't have content related headers */
|
||||
if (AP_STATUS_IS_HEADER_ONLY(r->status)) {
|
||||
apr_table_unset(r->headers_out, "Transfer-Encoding");
|
||||
apr_table_unset(r->headers_out, "Content-Length");
|
||||
@@ -1470,16 +1484,6 @@ AP_CORE_DECLARE_NONSTD(apr_status_t) ap_
|
||||
apr_table_setn(r->headers_out, "Content-Language", field);
|
||||
}
|
||||
|
||||
- /*
|
||||
- * Control cachability for non-cacheable responses if not already set by
|
||||
- * some other part of the server configuration.
|
||||
- */
|
||||
- if (r->no_cache && !apr_table_get(r->headers_out, "Expires")) {
|
||||
- char *date = apr_palloc(r->pool, APR_RFC822_DATE_LEN);
|
||||
- ap_recent_rfc822_date(date, r->request_time);
|
||||
- apr_table_addn(r->headers_out, "Expires", date);
|
||||
- }
|
||||
-
|
||||
/* This is a hack, but I can't find anyway around it. The idea is that
|
||||
* we don't want to send out 0 Content-Lengths if it is a head request.
|
||||
* This happens when modules try to outsmart the server, and return
|
@ -1,191 +0,0 @@
|
||||
Index: httpd-2.4.58/include/util_script.h
|
||||
===================================================================
|
||||
--- httpd-2.4.58.orig/include/util_script.h
|
||||
+++ httpd-2.4.58/include/util_script.h
|
||||
@@ -225,6 +225,8 @@ AP_DECLARE(int) ap_scan_script_header_er
|
||||
*/
|
||||
AP_DECLARE(void) ap_args_to_table(request_rec *r, apr_table_t **table);
|
||||
|
||||
+#define AP_TRUST_CGILIKE_CL_ENVVAR "ap_trust_cgilike_cl"
|
||||
+
|
||||
#ifdef __cplusplus
|
||||
}
|
||||
#endif
|
||||
Index: httpd-2.4.58/modules/aaa/mod_authnz_fcgi.c
|
||||
===================================================================
|
||||
--- httpd-2.4.58.orig/modules/aaa/mod_authnz_fcgi.c
|
||||
+++ httpd-2.4.58/modules/aaa/mod_authnz_fcgi.c
|
||||
@@ -571,6 +571,14 @@ static apr_status_t handle_response(cons
|
||||
"parsing -> %d/%d",
|
||||
fn, status, r->status);
|
||||
|
||||
+ /* FCGI has its own body framing mechanism which we don't
|
||||
+ * match against any provided Content-Length, so let the
|
||||
+ * core determine C-L vs T-E based on what's actually sent.
|
||||
+ */
|
||||
+ if (!apr_table_get(r->subprocess_env, AP_TRUST_CGILIKE_CL_ENVVAR))
|
||||
+ apr_table_unset(r->headers_out, "Content-Length");
|
||||
+ apr_table_unset(r->headers_out, "Transfer-Encoding");
|
||||
+
|
||||
if (rspbuf) { /* caller wants to see response body,
|
||||
* if any
|
||||
*/
|
||||
Index: httpd-2.4.58/modules/generators/mod_cgi.c
|
||||
===================================================================
|
||||
--- httpd-2.4.58.orig/modules/generators/mod_cgi.c
|
||||
+++ httpd-2.4.58/modules/generators/mod_cgi.c
|
||||
@@ -935,9 +935,18 @@ static int cgi_handler(request_rec *r)
|
||||
char sbuf[MAX_STRING_LEN];
|
||||
int ret;
|
||||
|
||||
- if ((ret = ap_scan_script_header_err_brigade_ex(r, bb, sbuf,
|
||||
- APLOG_MODULE_INDEX)))
|
||||
- {
|
||||
+ ret = ap_scan_script_header_err_brigade_ex(r, bb, sbuf,
|
||||
+ APLOG_MODULE_INDEX);
|
||||
+
|
||||
+ /* xCGI has its own body framing mechanism which we don't
|
||||
+ * match against any provided Content-Length, so let the
|
||||
+ * core determine C-L vs T-E based on what's actually sent.
|
||||
+ */
|
||||
+ if (!apr_table_get(r->subprocess_env, AP_TRUST_CGILIKE_CL_ENVVAR))
|
||||
+ apr_table_unset(r->headers_out, "Content-Length");
|
||||
+ apr_table_unset(r->headers_out, "Transfer-Encoding");
|
||||
+
|
||||
+ if (ret != OK) {
|
||||
ret = log_script(r, conf, ret, dbuf, sbuf, bb, script_err);
|
||||
|
||||
/*
|
||||
Index: httpd-2.4.58/modules/generators/mod_cgid.c
|
||||
===================================================================
|
||||
--- httpd-2.4.58.orig/modules/generators/mod_cgid.c
|
||||
+++ httpd-2.4.58/modules/generators/mod_cgid.c
|
||||
@@ -1616,9 +1616,18 @@ static int cgid_handler(request_rec *r)
|
||||
b = apr_bucket_eos_create(c->bucket_alloc);
|
||||
APR_BRIGADE_INSERT_TAIL(bb, b);
|
||||
|
||||
- if ((ret = ap_scan_script_header_err_brigade_ex(r, bb, sbuf,
|
||||
- APLOG_MODULE_INDEX)))
|
||||
- {
|
||||
+ ret = ap_scan_script_header_err_brigade_ex(r, bb, sbuf,
|
||||
+ APLOG_MODULE_INDEX);
|
||||
+
|
||||
+ /* xCGI has its own body framing mechanism which we don't
|
||||
+ * match against any provided Content-Length, so let the
|
||||
+ * core determine C-L vs T-E based on what's actually sent.
|
||||
+ */
|
||||
+ if (!apr_table_get(r->subprocess_env, AP_TRUST_CGILIKE_CL_ENVVAR))
|
||||
+ apr_table_unset(r->headers_out, "Content-Length");
|
||||
+ apr_table_unset(r->headers_out, "Transfer-Encoding");
|
||||
+
|
||||
+ if (ret != OK) {
|
||||
ret = log_script(r, conf, ret, dbuf, sbuf, bb, NULL);
|
||||
|
||||
/*
|
||||
Index: httpd-2.4.58/modules/proxy/ajp_header.c
|
||||
===================================================================
|
||||
--- httpd-2.4.58.orig/modules/proxy/ajp_header.c
|
||||
+++ httpd-2.4.58/modules/proxy/ajp_header.c
|
||||
@@ -17,6 +17,8 @@
|
||||
#include "ajp_header.h"
|
||||
#include "ajp.h"
|
||||
|
||||
+#include "util_script.h"
|
||||
+
|
||||
APLOG_USE_MODULE(proxy_ajp);
|
||||
|
||||
static const char *response_trans_headers[] = {
|
||||
@@ -669,6 +671,14 @@ static apr_status_t ajp_unmarshal_respon
|
||||
}
|
||||
}
|
||||
|
||||
+ /* AJP has its own body framing mechanism which we don't
|
||||
+ * match against any provided Content-Length, so let the
|
||||
+ * core determine C-L vs T-E based on what's actually sent.
|
||||
+ */
|
||||
+ if (!apr_table_get(r->subprocess_env, AP_TRUST_CGILIKE_CL_ENVVAR))
|
||||
+ apr_table_unset(r->headers_out, "Content-Length");
|
||||
+ apr_table_unset(r->headers_out, "Transfer-Encoding");
|
||||
+
|
||||
return APR_SUCCESS;
|
||||
}
|
||||
|
||||
Index: httpd-2.4.58/modules/proxy/mod_proxy_fcgi.c
|
||||
===================================================================
|
||||
--- httpd-2.4.58.orig/modules/proxy/mod_proxy_fcgi.c
|
||||
+++ httpd-2.4.58/modules/proxy/mod_proxy_fcgi.c
|
||||
@@ -779,6 +779,15 @@ recv_again:
|
||||
|
||||
status = ap_scan_script_header_err_brigade_ex(r, ob,
|
||||
NULL, APLOG_MODULE_INDEX);
|
||||
+
|
||||
+ /* FCGI has its own body framing mechanism which we don't
|
||||
+ * match against any provided Content-Length, so let the
|
||||
+ * core determine C-L vs T-E based on what's actually sent.
|
||||
+ */
|
||||
+ if (!apr_table_get(r->subprocess_env, AP_TRUST_CGILIKE_CL_ENVVAR))
|
||||
+ apr_table_unset(r->headers_out, "Content-Length");
|
||||
+ apr_table_unset(r->headers_out, "Transfer-Encoding");
|
||||
+
|
||||
/* suck in all the rest */
|
||||
if (status != OK) {
|
||||
apr_bucket *tmp_b;
|
||||
Index: httpd-2.4.58/modules/proxy/mod_proxy_scgi.c
|
||||
===================================================================
|
||||
--- httpd-2.4.58.orig/modules/proxy/mod_proxy_scgi.c
|
||||
+++ httpd-2.4.58/modules/proxy/mod_proxy_scgi.c
|
||||
@@ -390,6 +390,14 @@ static int pass_response(request_rec *r,
|
||||
return status;
|
||||
}
|
||||
|
||||
+ /* SCGI has its own body framing mechanism which we don't
|
||||
+ * match against any provided Content-Length, so let the
|
||||
+ * core determine C-L vs T-E based on what's actually sent.
|
||||
+ */
|
||||
+ if (!apr_table_get(r->subprocess_env, AP_TRUST_CGILIKE_CL_ENVVAR))
|
||||
+ apr_table_unset(r->headers_out, "Content-Length");
|
||||
+ apr_table_unset(r->headers_out, "Transfer-Encoding");
|
||||
+
|
||||
conf = ap_get_module_config(r->per_dir_config, &proxy_scgi_module);
|
||||
if (conf->sendfile && conf->sendfile != scgi_sendfile_off) {
|
||||
short err = 1;
|
||||
Index: httpd-2.4.58/modules/proxy/mod_proxy_uwsgi.c
|
||||
===================================================================
|
||||
--- httpd-2.4.58.orig/modules/proxy/mod_proxy_uwsgi.c
|
||||
+++ httpd-2.4.58/modules/proxy/mod_proxy_uwsgi.c
|
||||
@@ -404,6 +404,12 @@ static int uwsgi_response(request_rec *r
|
||||
return HTTP_BAD_GATEWAY;
|
||||
}
|
||||
|
||||
+ /* T-E wins over C-L */
|
||||
+ if (apr_table_get(r->headers_out, "Transfer-Encoding")) {
|
||||
+ apr_table_unset(r->headers_out, "Content-Length");
|
||||
+ backend->close = 1;
|
||||
+ }
|
||||
+
|
||||
if ((buf = apr_table_get(r->headers_out, "Content-Type"))) {
|
||||
ap_set_content_type(r, apr_pstrdup(r->pool, buf));
|
||||
}
|
||||
Index: httpd-2.4.58/modules/http/http_filters.c
|
||||
===================================================================
|
||||
--- httpd-2.4.58.orig/modules/http/http_filters.c
|
||||
+++ httpd-2.4.58/modules/http/http_filters.c
|
||||
@@ -778,6 +778,18 @@ static APR_INLINE int check_headers(requ
|
||||
struct check_header_ctx ctx;
|
||||
core_server_config *conf =
|
||||
ap_get_core_module_config(r->server->module_config);
|
||||
+ const char *val;
|
||||
+
|
||||
+ if ((val = apr_table_get(r->headers_out, "Transfer-Encoding"))) {
|
||||
+ if (apr_table_get(r->headers_out, "Content-Length")) {
|
||||
+ apr_table_unset(r->headers_out, "Content-Length");
|
||||
+ r->connection->keepalive = AP_CONN_CLOSE;
|
||||
+ }
|
||||
+ if (!ap_is_chunked(r->pool, val)) {
|
||||
+ r->connection->keepalive = AP_CONN_CLOSE;
|
||||
+ return 0;
|
||||
+ }
|
||||
+ }
|
||||
|
||||
ctx.r = r;
|
||||
ctx.strict = (conf->http_conformance != AP_HTTP_CONFORMANCE_UNSAFE);
|
@ -1,45 +0,0 @@
|
||||
Index: modules/http2/h2_session.c
|
||||
===================================================================
|
||||
--- a/modules/http2/h2_session.c (revision 1916778)
|
||||
+++ b/modules/http2/h2_session.c (revision 1916779)
|
||||
@@ -319,9 +319,13 @@
|
||||
|
||||
status = h2_stream_add_header(stream, (const char *)name, namelen,
|
||||
(const char *)value, valuelen);
|
||||
- if (status != APR_SUCCESS
|
||||
- && (!stream->rtmp
|
||||
- || stream->rtmp->http_status == H2_HTTP_STATUS_UNSET)) {
|
||||
+ if (status != APR_SUCCESS &&
|
||||
+ (!stream->rtmp ||
|
||||
+ stream->rtmp->http_status == H2_HTTP_STATUS_UNSET ||
|
||||
+ /* We accept a certain amount of failures in order to reply
|
||||
+ * with an informative HTTP error response like 413. But if the
|
||||
+ * client is too wrong, we fail the request a RESET of the stream */
|
||||
+ stream->request_headers_failed > 100)) {
|
||||
return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
|
||||
}
|
||||
return 0;
|
||||
Index: modules/http2/h2_stream.c
|
||||
===================================================================
|
||||
--- a/modules/http2/h2_stream.c (revision 1916778)
|
||||
+++ b/modules/http2/h2_stream.c (revision 1916779)
|
||||
@@ -813,6 +813,7 @@
|
||||
|
||||
cleanup:
|
||||
if (error) {
|
||||
+ ++stream->request_headers_failed;
|
||||
set_error_response(stream, error);
|
||||
return APR_EINVAL;
|
||||
}
|
||||
Index: modules/http2/h2_stream.h
|
||||
===================================================================
|
||||
--- a/modules/http2/h2_stream.h (revision 1916778)
|
||||
+++ b/modules/http2/h2_stream.h (revision 1916779)
|
||||
@@ -91,6 +91,7 @@
|
||||
struct h2_request *rtmp; /* request being assembled */
|
||||
apr_table_t *trailers_in; /* optional, incoming trailers */
|
||||
int request_headers_added; /* number of request headers added */
|
||||
+ int request_headers_failed; /* number of request headers failed to add */
|
||||
|
||||
#if AP_HAS_RESPONSE_BUCKETS
|
||||
ap_bucket_response *response; /* the final, non-interim response or NULL */
|
@ -1,30 +0,0 @@
|
||||
commit 62aa64e5aea21dd969db97aded4443c98c0735ac
|
||||
Author: Eric Covener <covener@apache.org>
|
||||
Date: Mon Jun 24 17:51:42 2024 +0000
|
||||
|
||||
Merge r1918548 from trunk:
|
||||
|
||||
mod_http2: early exit if bb is null
|
||||
|
||||
|
||||
|
||||
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1918557 13f79535-47bb-0310-9956-ffa450edef68
|
||||
|
||||
diff --git a/modules/http2/h2_c2.c b/modules/http2/h2_c2.c
|
||||
index a955200944..c65a521ab8 100644
|
||||
--- a/modules/http2/h2_c2.c
|
||||
+++ b/modules/http2/h2_c2.c
|
||||
@@ -370,6 +370,13 @@ static apr_status_t h2_c2_filter_out(ap_filter_t* f, apr_bucket_brigade* bb)
|
||||
h2_conn_ctx_t *conn_ctx = h2_conn_ctx_get(f->c);
|
||||
apr_status_t rv;
|
||||
|
||||
+ if (bb == NULL) {
|
||||
+#if !AP_MODULE_MAGIC_AT_LEAST(20180720, 1)
|
||||
+ f->c->data_in_output_filters = 0;
|
||||
+#endif
|
||||
+ return APR_SUCCESS;
|
||||
+ }
|
||||
+
|
||||
ap_assert(conn_ctx);
|
||||
#if AP_HAS_RESPONSE_BUCKETS
|
||||
if (!conn_ctx->has_final_response) {
|
@ -1,39 +0,0 @@
|
||||
From b10cb2d69184843832d501a615abe3e8e5e256dc Mon Sep 17 00:00:00 2001
|
||||
From: Eric Covener <covener@apache.org>
|
||||
Date: Mon, 24 Jun 2024 17:52:31 +0000
|
||||
Subject: [PATCH] Merge r1918550 from trunk:
|
||||
|
||||
mod_proxy: escape for non-proxypass configuration
|
||||
|
||||
|
||||
|
||||
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1918559 13f79535-47bb-0310-9956-ffa450edef68
|
||||
---
|
||||
modules/proxy/mod_proxy.c | 7 +++++--
|
||||
1 file changed, 5 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/modules/proxy/mod_proxy.c b/modules/proxy/mod_proxy.c
|
||||
index c9cef7c44f5..17e39c95b8f 100644
|
||||
--- a/modules/proxy/mod_proxy.c
|
||||
+++ b/modules/proxy/mod_proxy.c
|
||||
@@ -1314,15 +1314,18 @@ static int proxy_handler(request_rec *r)
|
||||
}
|
||||
|
||||
if (!r->proxyreq) {
|
||||
+ rc = DECLINED;
|
||||
/* We may have forced the proxy handler via config or .htaccess */
|
||||
if (r->handler &&
|
||||
strncmp(r->handler, "proxy:", 6) == 0 &&
|
||||
strncmp(r->filename, "proxy:", 6) != 0) {
|
||||
r->proxyreq = PROXYREQ_REVERSE;
|
||||
r->filename = apr_pstrcat(r->pool, r->handler, r->filename, NULL);
|
||||
+ /* Still need to fixup/canonicalize r->filename */
|
||||
+ rc = proxy_fixup(r);
|
||||
}
|
||||
- else {
|
||||
- return DECLINED;
|
||||
+ if (rc != OK) {
|
||||
+ return rc;
|
||||
}
|
||||
} else if (strncmp(r->filename, "proxy:", 6) != 0) {
|
||||
return DECLINED;
|
@ -1,208 +0,0 @@
|
||||
From 6b8e043ce4f27114e6ae1b8176b629b7cb3fbbce Mon Sep 17 00:00:00 2001
|
||||
From: Yann Ylavic <ylavic@apache.org>
|
||||
Date: Wed, 26 Jun 2024 14:51:32 +0000
|
||||
Subject: [PATCH] mod_proxy: Fixup UDS filename for mod_proxy called through
|
||||
r->handler.
|
||||
|
||||
* modules/proxy/proxy_util.c:
|
||||
Export ap_proxy_fixup_uds_filename() from fix_uds_filename.
|
||||
Call it from ap_proxy_pre_request() even for rewritten balancer workers.
|
||||
|
||||
* modules/proxy/mod_proxy.h:
|
||||
Declare ap_proxy_fixup_uds_filename()
|
||||
|
||||
* modules/proxy/mod_proxy.c:
|
||||
Fixup UDS filename from r->handler in proxy_handler().
|
||||
|
||||
* include/ap_mmn.h:
|
||||
Bump MMN minor for ap_proxy_fixup_uds_filename()
|
||||
|
||||
|
||||
mod_proxy: follow up to r1918626: Simplify ap_proxy_fixup_uds_filename() and callers.
|
||||
|
||||
|
||||
Merges r1918626, r1918647 from trunk
|
||||
GH: closes #457
|
||||
|
||||
|
||||
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1918666 13f79535-47bb-0310-9956-ffa450edef68
|
||||
---
|
||||
include/ap_mmn.h | 3 ++-
|
||||
modules/proxy/mod_proxy.c | 33 ++++++++++++++++++------------
|
||||
modules/proxy/mod_proxy.h | 8 ++++++++
|
||||
modules/proxy/proxy_util.c | 41 ++++++++++++++++++++++----------------
|
||||
4 files changed, 54 insertions(+), 31 deletions(-)
|
||||
|
||||
Index: httpd-2.4.58/modules/proxy/mod_proxy.c
|
||||
===================================================================
|
||||
--- httpd-2.4.58.orig/modules/proxy/mod_proxy.c
|
||||
+++ httpd-2.4.58/modules/proxy/mod_proxy.c
|
||||
@@ -1227,6 +1227,7 @@ static int proxy_fixup(request_rec *r)
|
||||
|
||||
return OK; /* otherwise; we've done the best we can */
|
||||
}
|
||||
+
|
||||
/* Send a redirection if the request contains a hostname which is not */
|
||||
/* fully qualified, i.e. doesn't have a domain name appended. Some proxy */
|
||||
/* servers like Netscape's allow this and access hosts from the local */
|
||||
@@ -1280,7 +1281,7 @@ static int proxy_handler(request_rec *r)
|
||||
ap_get_module_config(sconf, &proxy_module);
|
||||
apr_array_header_t *proxies = conf->proxies;
|
||||
struct proxy_remote *ents = (struct proxy_remote *) proxies->elts;
|
||||
- int i, rc, access_status;
|
||||
+ int rc = DECLINED, access_status, i;
|
||||
int direct_connect = 0;
|
||||
const char *str;
|
||||
apr_int64_t maxfwd;
|
||||
@@ -1295,22 +1296,28 @@ static int proxy_handler(request_rec *r)
|
||||
return DECLINED;
|
||||
}
|
||||
|
||||
- if (!r->proxyreq) {
|
||||
- rc = DECLINED;
|
||||
- /* We may have forced the proxy handler via config or .htaccess */
|
||||
- if (r->handler &&
|
||||
- strncmp(r->handler, "proxy:", 6) == 0 &&
|
||||
- strncmp(r->filename, "proxy:", 6) != 0) {
|
||||
- r->proxyreq = PROXYREQ_REVERSE;
|
||||
- r->filename = apr_pstrcat(r->pool, r->handler, r->filename, NULL);
|
||||
- /* Still need to fixup/canonicalize r->filename */
|
||||
+ /* We may have forced the proxy handler via config or .htaccess */
|
||||
+ if (!r->proxyreq && r->handler && strncmp(r->handler, "proxy:", 6) == 0) {
|
||||
+ char *old_filename = r->filename;
|
||||
+
|
||||
+ r->proxyreq = PROXYREQ_REVERSE;
|
||||
+ r->filename = apr_pstrcat(r->pool, r->handler, r->filename, NULL);
|
||||
+
|
||||
+ /* Still need to fixup/canonicalize r->filename */
|
||||
+ rc = ap_proxy_fixup_uds_filename(r);
|
||||
+ if (rc <= OK) {
|
||||
rc = proxy_fixup(r);
|
||||
}
|
||||
if (rc != OK) {
|
||||
- return rc;
|
||||
+ r->filename = old_filename;
|
||||
+ r->proxyreq = 0;
|
||||
}
|
||||
- } else if (strncmp(r->filename, "proxy:", 6) != 0) {
|
||||
- return DECLINED;
|
||||
+ }
|
||||
+ else if (r->proxyreq && strncmp(r->filename, "proxy:", 6) == 0) {
|
||||
+ rc = OK;
|
||||
+ }
|
||||
+ if (rc != OK) {
|
||||
+ return rc;
|
||||
}
|
||||
|
||||
/* handle max-forwards / OPTIONS / TRACE */
|
||||
Index: httpd-2.4.58/modules/proxy/mod_proxy.h
|
||||
===================================================================
|
||||
--- httpd-2.4.58.orig/modules/proxy/mod_proxy.h
|
||||
+++ httpd-2.4.58/modules/proxy/mod_proxy.h
|
||||
@@ -993,6 +993,14 @@ PROXY_DECLARE(proxy_balancer_shared *) a
|
||||
proxy_balancer *balancer,
|
||||
unsigned int *index);
|
||||
|
||||
+/*
|
||||
+ * Strip the UDS part of r->filename if any, and put the UDS path in
|
||||
+ * r->notes ("uds_path")
|
||||
+ * @param r current request
|
||||
+ * @return OK if fixed up, DECLINED if not UDS, or an HTTP_XXX error
|
||||
+ */
|
||||
+PROXY_DECLARE(int) ap_proxy_fixup_uds_filename(request_rec *r);
|
||||
+
|
||||
/**
|
||||
* Get the most suitable worker and/or balancer for the request
|
||||
* @param worker worker used for processing request
|
||||
Index: httpd-2.4.58/modules/proxy/proxy_util.c
|
||||
===================================================================
|
||||
--- httpd-2.4.58.orig/modules/proxy/proxy_util.c
|
||||
+++ httpd-2.4.58/modules/proxy/proxy_util.c
|
||||
@@ -2316,7 +2316,7 @@ static int ap_proxy_retry_worker(const c
|
||||
* were passed a UDS url (eg: from mod_proxy) and adjust uds_path
|
||||
* as required.
|
||||
*/
|
||||
-static int fix_uds_filename(request_rec *r, char **url)
|
||||
+PROXY_DECLARE(int) ap_proxy_fixup_uds_filename(request_rec *r)
|
||||
{
|
||||
char *uds_url = r->filename + 6, *origin_url;
|
||||
|
||||
@@ -2324,7 +2324,6 @@ static int fix_uds_filename(request_rec
|
||||
!ap_cstr_casecmpn(uds_url, "unix:", 5) &&
|
||||
(origin_url = ap_strchr(uds_url + 5, '|'))) {
|
||||
char *uds_path = NULL;
|
||||
- apr_size_t url_len;
|
||||
apr_uri_t urisock;
|
||||
apr_status_t rv;
|
||||
|
||||
@@ -2339,20 +2338,20 @@ static int fix_uds_filename(request_rec
|
||||
if (!uds_path) {
|
||||
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10292)
|
||||
"Invalid proxy UDS filename (%s)", r->filename);
|
||||
- return 0;
|
||||
+ return HTTP_BAD_REQUEST;
|
||||
}
|
||||
apr_table_setn(r->notes, "uds_path", uds_path);
|
||||
|
||||
- /* Remove the UDS path from *url and r->filename */
|
||||
- url_len = strlen(origin_url);
|
||||
- *url = apr_pstrmemdup(r->pool, origin_url, url_len);
|
||||
- memcpy(uds_url, *url, url_len + 1);
|
||||
-
|
||||
ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r,
|
||||
- "*: rewrite of url due to UDS(%s): %s (%s)",
|
||||
- uds_path, *url, r->filename);
|
||||
+ "*: fixup UDS from %s: %s (%s)",
|
||||
+ r->filename, origin_url, uds_path);
|
||||
+
|
||||
+ /* Overwrite the UDS part in place */
|
||||
+ memmove(uds_url, origin_url, strlen(origin_url) + 1);
|
||||
+ return OK;
|
||||
}
|
||||
- return 1;
|
||||
+
|
||||
+ return DECLINED;
|
||||
}
|
||||
|
||||
PROXY_DECLARE(int) ap_proxy_pre_request(proxy_worker **worker,
|
||||
@@ -2371,9 +2370,6 @@ PROXY_DECLARE(int) ap_proxy_pre_request(
|
||||
ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r,
|
||||
"%s: found worker %s for %s",
|
||||
(*worker)->s->scheme, (*worker)->s->name_ex, *url);
|
||||
- if (!forward && !fix_uds_filename(r, url)) {
|
||||
- return HTTP_INTERNAL_SERVER_ERROR;
|
||||
- }
|
||||
access_status = OK;
|
||||
}
|
||||
else if (forward) {
|
||||
@@ -2403,9 +2399,6 @@ PROXY_DECLARE(int) ap_proxy_pre_request(
|
||||
* regarding the Connection header in the request.
|
||||
*/
|
||||
apr_table_setn(r->subprocess_env, "proxy-nokeepalive", "1");
|
||||
- if (!fix_uds_filename(r, url)) {
|
||||
- return HTTP_INTERNAL_SERVER_ERROR;
|
||||
- }
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -2415,6 +2408,20 @@ PROXY_DECLARE(int) ap_proxy_pre_request(
|
||||
"all workers are busy. Unable to serve %s", *url);
|
||||
access_status = HTTP_SERVICE_UNAVAILABLE;
|
||||
}
|
||||
+
|
||||
+ if (access_status == OK && r->proxyreq == PROXYREQ_REVERSE) {
|
||||
+ int rc = ap_proxy_fixup_uds_filename(r);
|
||||
+ if (ap_is_HTTP_ERROR(rc)) {
|
||||
+ return rc;
|
||||
+ }
|
||||
+ /* If the URL has changed in r->filename, take everything after
|
||||
+ * the "proxy:" prefix.
|
||||
+ */
|
||||
+ if (rc == OK) {
|
||||
+ *url = apr_pstrdup(r->pool, r->filename + 6);
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
return access_status;
|
||||
}
|
||||
|
@ -1,51 +0,0 @@
|
||||
From cc00cf6b4e37370897daddc307bf1deecf8fedfa Mon Sep 17 00:00:00 2001
|
||||
From: Eric Covener <covener@apache.org>
|
||||
Date: Tue, 25 Jun 2024 20:20:05 +0000
|
||||
Subject: [PATCH] Merge r1918623 from trunk:
|
||||
|
||||
fix comparison of local path on Windows
|
||||
|
||||
Submitted By: Yann Ylavic
|
||||
|
||||
|
||||
|
||||
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1918625 13f79535-47bb-0310-9956-ffa450edef68
|
||||
---
|
||||
modules/mappers/mod_rewrite.c | 17 ++++++++++++++++-
|
||||
1 file changed, 16 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/modules/mappers/mod_rewrite.c b/modules/mappers/mod_rewrite.c
|
||||
index 46ea16c8c64..e0390768267 100644
|
||||
--- a/modules/mappers/mod_rewrite.c
|
||||
+++ b/modules/mappers/mod_rewrite.c
|
||||
@@ -653,6 +653,19 @@ static unsigned is_absolute_uri(char *uri, int *supportsqs)
|
||||
return 0;
|
||||
}
|
||||
|
||||
+static int is_absolute_path(const char *path)
|
||||
+{
|
||||
+#ifndef WIN32
|
||||
+ return (path[0] == '/');
|
||||
+#else
|
||||
+#define IS_SLASH(c) ((c) == '/' || (c) == '\\')
|
||||
+ /* "//", "\\", "x:/" and "x:\" are absolute paths on Windows */
|
||||
+ return ((IS_SLASH(path[0]) && path[1] == path[0])
|
||||
+ || (apr_isalpha(path[0]) && path[1] == ':' && IS_SLASH(path[2])));
|
||||
+#undef IS_SLASH
|
||||
+#endif
|
||||
+}
|
||||
+
|
||||
static const char c2x_table[] = "0123456789abcdef";
|
||||
|
||||
static APR_INLINE unsigned char *c2x(unsigned what, unsigned char prefix,
|
||||
@@ -4351,7 +4364,9 @@ static rule_return_type apply_rewrite_rule(rewriterule_entry *p,
|
||||
* (1) it's an absolute URL path and
|
||||
* (2) it's a full qualified URL
|
||||
*/
|
||||
- if (!is_proxyreq && *newuri != '/' && !is_absolute_uri(newuri, NULL)) {
|
||||
+ if (!is_proxyreq
|
||||
+ && !is_absolute_path(newuri)
|
||||
+ && !is_absolute_uri(newuri, NULL)) {
|
||||
if (ctx->perdir) {
|
||||
rewritelog((r, 3, ctx->perdir, "add per-dir prefix: %s -> %s%s",
|
||||
newuri, ctx->perdir, newuri));
|
@ -1,187 +0,0 @@
|
||||
From 4326d6b9041a3bcb9b529f9163d0761c2d760700 Mon Sep 17 00:00:00 2001
|
||||
From: Yann Ylavic <ylavic@apache.org>
|
||||
Date: Wed, 26 Jun 2024 14:56:47 +0000
|
||||
Subject: [PATCH] factor out IS_SLASH, perdir fix
|
||||
|
||||
in per-dir, the filename will be internally redirected, so / is OK too.
|
||||
|
||||
|
||||
don't add / to / in the non-perdir
|
||||
|
||||
|
||||
match AP_IS_SLASH macro
|
||||
|
||||
followup to 1918651
|
||||
|
||||
|
||||
Merges r1918651, r1918652, r1918663 from trunk
|
||||
Reviewed by: covener, ylavic, rpluem
|
||||
GH: close #458
|
||||
|
||||
|
||||
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1918668 13f79535-47bb-0310-9956-ffa450edef68
|
||||
---
|
||||
include/ap_mmn.h | 3 ++-
|
||||
include/httpd.h | 11 +++++++++++
|
||||
modules/mappers/mod_rewrite.c | 11 ++++-------
|
||||
server/util.c | 31 ++++++++++---------------------
|
||||
4 files changed, 27 insertions(+), 29 deletions(-)
|
||||
|
||||
Index: httpd-2.4.58/include/httpd.h
|
||||
===================================================================
|
||||
--- httpd-2.4.58.orig/include/httpd.h
|
||||
+++ httpd-2.4.58/include/httpd.h
|
||||
@@ -2663,6 +2663,17 @@ AP_DECLARE(const char *)ap_dir_fnmatch(a
|
||||
*/
|
||||
AP_DECLARE(int) ap_is_chunked(apr_pool_t *p, const char *line);
|
||||
|
||||
+/* Win32/NetWare/OS2 need to check for both forward and back slashes
|
||||
+ * in ap_normalize_path() and ap_escape_url().
|
||||
+ */
|
||||
+#ifdef CASE_BLIND_FILESYSTEM
|
||||
+#define AP_IS_SLASH(s) ((s == '/') || (s == '\\'))
|
||||
+#define AP_SLASHES "/\\"
|
||||
+#else
|
||||
+#define AP_IS_SLASH(s) (s == '/')
|
||||
+#define AP_SLASHES "/"
|
||||
+#endif
|
||||
+
|
||||
#ifdef __cplusplus
|
||||
}
|
||||
#endif
|
||||
Index: httpd-2.4.58/modules/mappers/mod_rewrite.c
|
||||
===================================================================
|
||||
--- httpd-2.4.58.orig/modules/mappers/mod_rewrite.c
|
||||
+++ httpd-2.4.58/modules/mappers/mod_rewrite.c
|
||||
@@ -655,14 +655,11 @@ static unsigned is_absolute_uri(char *ur
|
||||
|
||||
static int is_absolute_path(const char *path)
|
||||
{
|
||||
-#ifndef WIN32
|
||||
+#ifndef CASE_BLIND_FILESYSTEM
|
||||
return (path[0] == '/');
|
||||
#else
|
||||
-#define IS_SLASH(c) ((c) == '/' || (c) == '\\')
|
||||
- /* "//", "\\", "x:/" and "x:\" are absolute paths on Windows */
|
||||
- return ((IS_SLASH(path[0]) && path[1] == path[0])
|
||||
- || (apr_isalpha(path[0]) && path[1] == ':' && IS_SLASH(path[2])));
|
||||
-#undef IS_SLASH
|
||||
+ return ((AP_IS_SLASH(path[0]) && path[1] == path[0])
|
||||
+ || (apr_isalpha(path[0]) && path[1] == ':' && AP_IS_SLASH(path[2])));
|
||||
#endif
|
||||
}
|
||||
|
||||
@@ -4366,11 +4363,11 @@ static rule_return_type apply_rewrite_ru
|
||||
*/
|
||||
if (!is_proxyreq
|
||||
&& !is_absolute_path(newuri)
|
||||
+ && !AP_IS_SLASH(*newuri)
|
||||
&& !is_absolute_uri(newuri, NULL)) {
|
||||
if (ctx->perdir) {
|
||||
rewritelog((r, 3, ctx->perdir, "add per-dir prefix: %s -> %s%s",
|
||||
newuri, ctx->perdir, newuri));
|
||||
-
|
||||
newuri = apr_pstrcat(r->pool, ctx->perdir, newuri, NULL);
|
||||
}
|
||||
else if (!(p->flags & (RULEFLAG_PROXY | RULEFLAG_FORCEREDIRECT))) {
|
||||
Index: httpd-2.4.58/server/util.c
|
||||
===================================================================
|
||||
--- httpd-2.4.58.orig/server/util.c
|
||||
+++ httpd-2.4.58/server/util.c
|
||||
@@ -75,17 +75,6 @@
|
||||
*/
|
||||
#include "test_char.h"
|
||||
|
||||
-/* Win32/NetWare/OS2 need to check for both forward and back slashes
|
||||
- * in ap_normalize_path() and ap_escape_url().
|
||||
- */
|
||||
-#ifdef CASE_BLIND_FILESYSTEM
|
||||
-#define IS_SLASH(s) ((s == '/') || (s == '\\'))
|
||||
-#define SLASHES "/\\"
|
||||
-#else
|
||||
-#define IS_SLASH(s) (s == '/')
|
||||
-#define SLASHES "/"
|
||||
-#endif
|
||||
-
|
||||
/* we know core's module_index is 0 */
|
||||
#undef APLOG_MODULE_INDEX
|
||||
#define APLOG_MODULE_INDEX AP_CORE_MODULE_INDEX
|
||||
@@ -492,7 +481,7 @@ AP_DECLARE(apr_status_t) ap_pregsub_ex(a
|
||||
/* Forward declare */
|
||||
static char x2c(const char *what);
|
||||
|
||||
-#define IS_SLASH_OR_NUL(s) (s == '\0' || IS_SLASH(s))
|
||||
+#define IS_SLASH_OR_NUL(s) (s == '\0' || AP_IS_SLASH(s))
|
||||
|
||||
/*
|
||||
* Inspired by mod_jk's jk_servlet_normalize().
|
||||
@@ -504,7 +493,7 @@ AP_DECLARE(int) ap_normalize_path(char *
|
||||
int decode_unreserved = (flags & AP_NORMALIZE_DECODE_UNRESERVED) != 0;
|
||||
int merge_slashes = (flags & AP_NORMALIZE_MERGE_SLASHES) != 0;
|
||||
|
||||
- if (!IS_SLASH(path[0])) {
|
||||
+ if (!AP_IS_SLASH(path[0])) {
|
||||
/* Besides "OPTIONS *", a request-target should start with '/'
|
||||
* per RFC 7230 section 5.3, so anything else is invalid.
|
||||
*/
|
||||
@@ -545,12 +534,12 @@ AP_DECLARE(int) ap_normalize_path(char *
|
||||
}
|
||||
}
|
||||
|
||||
- if (w == 0 || IS_SLASH(path[w - 1])) {
|
||||
+ if (w == 0 || AP_IS_SLASH(path[w - 1])) {
|
||||
/* Collapse ///// sequences to / */
|
||||
- if (merge_slashes && IS_SLASH(path[l])) {
|
||||
+ if (merge_slashes && AP_IS_SLASH(path[l])) {
|
||||
do {
|
||||
l++;
|
||||
- } while (IS_SLASH(path[l]));
|
||||
+ } while (AP_IS_SLASH(path[l]));
|
||||
continue;
|
||||
}
|
||||
|
||||
@@ -579,7 +568,7 @@ AP_DECLARE(int) ap_normalize_path(char *
|
||||
if (w > 1) {
|
||||
do {
|
||||
w--;
|
||||
- } while (w && !IS_SLASH(path[w - 1]));
|
||||
+ } while (w && !AP_IS_SLASH(path[w - 1]));
|
||||
}
|
||||
else {
|
||||
/* Already at root, ignore and return a failure
|
||||
@@ -1915,7 +1904,7 @@ static int unescape_url(char *url, const
|
||||
char decoded;
|
||||
decoded = x2c(y + 1);
|
||||
if ((decoded == '\0')
|
||||
- || (forbid_slashes && IS_SLASH(decoded))
|
||||
+ || (forbid_slashes && AP_IS_SLASH(decoded))
|
||||
|| (forbid && ap_strchr_c(forbid, decoded))) {
|
||||
badpath = 1;
|
||||
*x = decoded;
|
||||
@@ -1923,7 +1912,7 @@ static int unescape_url(char *url, const
|
||||
}
|
||||
else if ((keep_unreserved && TEST_CHAR(decoded,
|
||||
T_URI_UNRESERVED))
|
||||
- || (keep_slashes && IS_SLASH(decoded))
|
||||
+ || (keep_slashes && AP_IS_SLASH(decoded))
|
||||
|| (reserved && ap_strchr_c(reserved, decoded))) {
|
||||
*x++ = *y++;
|
||||
*x++ = *y++;
|
||||
@@ -1950,7 +1939,7 @@ static int unescape_url(char *url, const
|
||||
AP_DECLARE(int) ap_unescape_url(char *url)
|
||||
{
|
||||
/* Traditional */
|
||||
- return unescape_url(url, SLASHES, NULL, 0);
|
||||
+ return unescape_url(url, AP_SLASHES, NULL, 0);
|
||||
}
|
||||
AP_DECLARE(int) ap_unescape_url_keep2f(char *url, int decode_slashes)
|
||||
{
|
||||
@@ -1960,7 +1949,7 @@ AP_DECLARE(int) ap_unescape_url_keep2f(c
|
||||
return unescape_url(url, NULL, NULL, 0);
|
||||
} else {
|
||||
/* reserve (do not decode) encoded slashes */
|
||||
- return unescape_url(url, NULL, SLASHES, 0);
|
||||
+ return unescape_url(url, NULL, AP_SLASHES, 0);
|
||||
}
|
||||
}
|
||||
AP_DECLARE(int) ap_unescape_url_ex(char *url, unsigned int flags)
|
@ -1,17 +0,0 @@
|
||||
Index: httpd-2.4.58/modules/mappers/mod_rewrite.c
|
||||
===================================================================
|
||||
--- httpd-2.4.58.orig/modules/mappers/mod_rewrite.c
|
||||
+++ httpd-2.4.58/modules/mappers/mod_rewrite.c
|
||||
@@ -4537,6 +4560,12 @@ static int apply_rewrite_list(request_re
|
||||
return ACTION_STATUS_SET;
|
||||
}
|
||||
|
||||
+
|
||||
+ /* Error while evaluating rule, r->status set */
|
||||
+ if (RULE_RC_STATUS_SET == rc) {
|
||||
+ return ACTION_STATUS_SET;
|
||||
+ }
|
||||
+
|
||||
/*
|
||||
* The rule sets the response code (implies match-only)
|
||||
*/
|
@ -1,23 +0,0 @@
|
||||
Index: httpd-2.4.58/docs/manual/mod/mod_rewrite.html.en
|
||||
===================================================================
|
||||
--- httpd-2.4.58.orig/docs/manual/mod/mod_rewrite.html.en
|
||||
+++ httpd-2.4.58/docs/manual/mod/mod_rewrite.html.en
|
||||
@@ -1451,6 +1451,18 @@ cannot use <code>$N</code> in the substi
|
||||
<td>Force the <a class="glossarylink" href="../glossary.html#mime-type" title="see glossary">MIME-type</a> of the target file
|
||||
to be the specified type. <em><a href="../rewrite/flags.html#flag_t">details ...</a></em></td>
|
||||
</tr>
|
||||
+ <tr>
|
||||
+ <td>UnsafeAllow3F</td>
|
||||
+ <td>Allows substitutions from URL's that may be unsafe.
|
||||
+ <em><a href="../rewrite/flags.html#flag_unsafe_allow_3f">details ...</a></em>
|
||||
+ </td>
|
||||
+ </tr>
|
||||
+ <tr>
|
||||
+ <td>UnsafePrefixStat</td>
|
||||
+ <td>Allows potentially unsafe substitutions from a leading variable or backreference to a filesystem path.</td>
|
||||
+ <em><a href="../rewrite/flags.html#flag_unsafe_prefix_stat">details ...</a></em>
|
||||
+ </td>
|
||||
+ </tr>
|
||||
</table>
|
||||
|
||||
<div class="note"><h3>Home directory expansion</h3>
|
@ -1,31 +0,0 @@
|
||||
Index: httpd-2.4.58/docs/manual/rewrite/flags.html.en
|
||||
===================================================================
|
||||
--- httpd-2.4.58.orig/docs/manual/rewrite/flags.html.en
|
||||
+++ httpd-2.4.58/docs/manual/rewrite/flags.html.en
|
||||
@@ -820,8 +820,25 @@ otherwise the MIME-type set with this fl
|
||||
re-processing (including subsequent rounds of mod_rewrite processing).
|
||||
The <code>L</code> flag can be useful in this context to end the
|
||||
<em>current</em> round of mod_rewrite processing.</p>
|
||||
+</div>
|
||||
|
||||
-</div></div>
|
||||
+<div class="section">
|
||||
+ <h2><a name="flag_unsafe_allow_3f" id="flag_unsafe_allow_3f">UnsafeAllow3F</a></h2>
|
||||
+ <p> Setting this flag is required to allow a rewrite to continue If the
|
||||
+ HTTP request being written has an encoded question mark, '%3f', and the
|
||||
+ rewritten result has a '?' in the substiution. This protects from a malicious
|
||||
+ URL taking advantage of a capture and re-substitution of the encoded
|
||||
+ question mark.</p>
|
||||
+</div>
|
||||
+<div class="section" id="flag_unsafe_prefix_status">
|
||||
+ <h2><a name="flag_unsafe_prefix_status" id="flag_unsafe_prefix_status">UnsafePrefixStat</a></h2>
|
||||
+ <p> Setting this flag is required in server-scoped substitutions
|
||||
+ start with a variable or backreference and resolve to a filesystem path.
|
||||
+ These substitutions are not prefixed with the document root.
|
||||
+ This protects from a malicious URL causing the expanded substitution to
|
||||
+ map to an unexpected filesystem location.</p>
|
||||
+ </div>
|
||||
+</div>
|
||||
<div class="bottomlang">
|
||||
<p><span>Available Languages: </span><a href="../en/rewrite/flags.html" title="English"> en </a> |
|
||||
<a href="../fr/rewrite/flags.html" hreflang="fr" rel="alternate" title="Français"> fr </a></p>
|
@ -1,383 +0,0 @@
|
||||
Index: httpd-2.4.58/modules/mappers/mod_rewrite.c
|
||||
===================================================================
|
||||
--- httpd-2.4.58.orig/modules/mappers/mod_rewrite.c
|
||||
+++ httpd-2.4.58/modules/mappers/mod_rewrite.c
|
||||
@@ -177,6 +177,8 @@ static const char* really_last_key = "re
|
||||
#define RULEFLAG_QSLAST (1<<19)
|
||||
#define RULEFLAG_QSNONE (1<<20) /* programattic only */
|
||||
#define RULEFLAG_ESCAPECTLS (1<<21)
|
||||
+#define RULEFLAG_UNSAFE_PREFIX_STAT (1<<22)
|
||||
+#define RULEFLAG_UNSAFE_ALLOW3F (1<<23)
|
||||
|
||||
/* return code of the rewrite rule
|
||||
* the result may be escaped - or not
|
||||
@@ -184,7 +186,7 @@ static const char* really_last_key = "re
|
||||
#define ACTION_NORMAL (1<<0)
|
||||
#define ACTION_NOESCAPE (1<<1)
|
||||
#define ACTION_STATUS (1<<2)
|
||||
-
|
||||
+#define ACTION_STATUS_SET (1<<3)
|
||||
|
||||
#define MAPTYPE_TXT (1<<0)
|
||||
#define MAPTYPE_DBM (1<<1)
|
||||
@@ -208,6 +210,7 @@ static const char* really_last_key = "re
|
||||
#define OPTION_IGNORE_INHERIT (1<<8)
|
||||
#define OPTION_IGNORE_CONTEXT_INFO (1<<9)
|
||||
#define OPTION_LEGACY_PREFIX_DOCROOT (1<<10)
|
||||
+#define OPTION_UNSAFE_PREFIX_STAT (1<<12)
|
||||
|
||||
#ifndef RAND_MAX
|
||||
#define RAND_MAX 32767
|
||||
@@ -301,6 +304,14 @@ typedef enum {
|
||||
CONDPAT_AP_EXPR
|
||||
} pattern_type;
|
||||
|
||||
+typedef enum {
|
||||
+ RULE_RC_NOMATCH = 0, /* the rule didn't match */
|
||||
+ RULE_RC_MATCH = 1, /* a matching rule w/ substitution */
|
||||
+ RULE_RC_NOSUB = 2, /* a matching rule w/ no substitution */
|
||||
+ RULE_RC_STATUS_SET = 3 /* a matching rule that has set an HTTP error
|
||||
+ to be returned in r->status */
|
||||
+} rule_return_type;
|
||||
+
|
||||
typedef struct {
|
||||
char *input; /* Input string of RewriteCond */
|
||||
char *pattern; /* the RegExp pattern string */
|
||||
@@ -927,10 +938,15 @@ static void fully_qualify_uri(request_re
|
||||
return;
|
||||
}
|
||||
|
||||
+static int startsWith(request_rec *r, const char *haystack, const char *needle) {
|
||||
+ int rc = (ap_strstr_c(haystack, needle) == haystack);
|
||||
+ rewritelog((r, 5, NULL, "prefix_stat startsWith(%s, %s) %d", haystack, needle, rc));
|
||||
+ return rc;
|
||||
+}
|
||||
/*
|
||||
- * stat() only the first segment of a path
|
||||
+ * stat() only the first segment of a path, and only if it matches the output of the last matching rule
|
||||
*/
|
||||
-static int prefix_stat(const char *path, apr_pool_t *pool)
|
||||
+static int prefix_stat(request_rec *r, const char *path, apr_pool_t *pool, rewriterule_entry *lastsub)
|
||||
{
|
||||
const char *curpath = path;
|
||||
const char *root;
|
||||
@@ -964,10 +980,36 @@ static int prefix_stat(const char *path,
|
||||
apr_finfo_t sb;
|
||||
|
||||
if (apr_stat(&sb, statpath, APR_FINFO_MIN, pool) == APR_SUCCESS) {
|
||||
- return 1;
|
||||
+ if (!lastsub) {
|
||||
+ rewritelog((r, 3, NULL, "prefix_stat no lastsub subst prefix %s", statpath));
|
||||
+ return 1;
|
||||
+ }
|
||||
+
|
||||
+ rewritelog((r, 3, NULL, "prefix_stat compare statpath %s and lastsub output %s STATOK %d ",
|
||||
+ statpath, lastsub->output, lastsub->flags & RULEFLAG_UNSAFE_PREFIX_STAT));
|
||||
+ if (lastsub->flags & RULEFLAG_UNSAFE_PREFIX_STAT) {
|
||||
+ return 1;
|
||||
+ }
|
||||
+ else {
|
||||
+ const char *docroot = ap_document_root(r);
|
||||
+ const char *context_docroot = ap_context_document_root(r);
|
||||
+ /*
|
||||
+ * As an example, path (r->filename) is /var/foo/bar/baz.html
|
||||
+ * even if the flag is not set, we can accept a rule that
|
||||
+ * began with a literal /var (stapath), or if the entire path
|
||||
+ * starts with the docroot or context document root
|
||||
+ */
|
||||
+ if (startsWith(r, lastsub->output, statpath) ||
|
||||
+ startsWith(r, path, docroot) ||
|
||||
+ ((docroot != context_docroot) &&
|
||||
+ startsWith(r, path, context_docroot))) {
|
||||
+ return 1;
|
||||
+ }
|
||||
+ }
|
||||
}
|
||||
}
|
||||
|
||||
+ /* prefix will be added */
|
||||
return 0;
|
||||
}
|
||||
|
||||
@@ -3072,6 +3114,9 @@ static const char *cmd_rewriteoptions(cm
|
||||
else if (!strcasecmp(w, "legacyprefixdocroot")) {
|
||||
options |= OPTION_LEGACY_PREFIX_DOCROOT;
|
||||
}
|
||||
+ else if (!strcasecmp(w, "UnsafePrefixStat")) {
|
||||
+ options |= OPTION_UNSAFE_PREFIX_STAT;
|
||||
+ }
|
||||
else {
|
||||
return apr_pstrcat(cmd->pool, "RewriteOptions: unknown option '",
|
||||
w, "'", NULL);
|
||||
@@ -3780,6 +3825,18 @@ static const char *cmd_rewriterule_setfl
|
||||
++error;
|
||||
}
|
||||
break;
|
||||
+ case 'u':
|
||||
+ case 'U':
|
||||
+ if (!strcasecmp(key, "nsafePrefixStat")){
|
||||
+ cfg->flags |= (RULEFLAG_UNSAFE_PREFIX_STAT);
|
||||
+ }
|
||||
+ else if(!strcasecmp(key, "nsafeAllow3F")) {
|
||||
+ cfg->flags |= RULEFLAG_UNSAFE_ALLOW3F;
|
||||
+ }
|
||||
+ else {
|
||||
+ ++error;
|
||||
+ }
|
||||
+ break;
|
||||
default:
|
||||
++error;
|
||||
break;
|
||||
@@ -4138,7 +4195,8 @@ static APR_INLINE void force_type_handle
|
||||
/*
|
||||
* Apply a single RewriteRule
|
||||
*/
|
||||
-static int apply_rewrite_rule(rewriterule_entry *p, rewrite_ctx *ctx)
|
||||
+static rule_return_type apply_rewrite_rule(rewriterule_entry *p,
|
||||
+ rewrite_ctx *ctx)
|
||||
{
|
||||
ap_regmatch_t regmatch[AP_MAX_REG_MATCH];
|
||||
apr_array_header_t *rewriteconds;
|
||||
@@ -4189,7 +4247,7 @@ static int apply_rewrite_rule(rewriterul
|
||||
rc = !ap_regexec(p->regexp, ctx->uri, AP_MAX_REG_MATCH, regmatch, 0);
|
||||
if (! (( rc && !(p->flags & RULEFLAG_NOTMATCH)) ||
|
||||
(!rc && (p->flags & RULEFLAG_NOTMATCH)) ) ) {
|
||||
- return 0;
|
||||
+ return RULE_RC_NOMATCH;
|
||||
}
|
||||
|
||||
/* It matched, wow! Now it's time to prepare the context structure for
|
||||
@@ -4240,7 +4298,7 @@ static int apply_rewrite_rule(rewriterul
|
||||
}
|
||||
}
|
||||
else if (!rc) {
|
||||
- return 0;
|
||||
+ return RULE_RC_NOMATCH;
|
||||
}
|
||||
|
||||
/* If some HTTP header was involved in the condition, remember it
|
||||
@@ -4260,6 +4318,15 @@ static int apply_rewrite_rule(rewriterul
|
||||
newuri = do_expand(p->output, ctx, p);
|
||||
rewritelog((r, 2, ctx->perdir, "rewrite '%s' -> '%s'", ctx->uri,
|
||||
newuri));
|
||||
+ if (!(p->flags & RULEFLAG_UNSAFE_ALLOW3F) &&
|
||||
+ ap_strcasestr(r->unparsed_uri, "%3f") &&
|
||||
+ ap_strchr_c(newuri, '?')) {
|
||||
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO()
|
||||
+ "Unsafe URL with %%3f URL rewritten without "
|
||||
+ "UnsafeAllow3F");
|
||||
+ r->status = HTTP_FORBIDDEN;
|
||||
+ return RULE_RC_STATUS_SET;
|
||||
+ }
|
||||
}
|
||||
|
||||
/* expand [E=var:val] and [CO=<cookie>] */
|
||||
@@ -4277,7 +4344,7 @@ static int apply_rewrite_rule(rewriterul
|
||||
r->status = p->forced_responsecode;
|
||||
}
|
||||
|
||||
- return 2;
|
||||
+ return RULE_RC_NOSUB;
|
||||
}
|
||||
|
||||
/* Add the previously stripped per-directory location prefix, unless
|
||||
@@ -4343,7 +4410,7 @@ static int apply_rewrite_rule(rewriterul
|
||||
r->filename));
|
||||
|
||||
r->filename = apr_pstrcat(r->pool, "proxy:", r->filename, NULL);
|
||||
- return 1;
|
||||
+ return RULE_RC_MATCH;
|
||||
}
|
||||
|
||||
/* If this rule is explicitly forced for HTTP redirection
|
||||
@@ -4358,7 +4425,7 @@ static int apply_rewrite_rule(rewriterul
|
||||
r->filename));
|
||||
|
||||
r->status = p->forced_responsecode;
|
||||
- return 1;
|
||||
+ return RULE_RC_MATCH;
|
||||
}
|
||||
|
||||
/* Special Rewriting Feature: Self-Reduction
|
||||
@@ -4380,7 +4447,7 @@ static int apply_rewrite_rule(rewriterul
|
||||
"with %s", p->forced_responsecode, r->filename));
|
||||
|
||||
r->status = p->forced_responsecode;
|
||||
- return 1;
|
||||
+ return RULE_RC_MATCH;
|
||||
}
|
||||
|
||||
/* Finally remember the forced mime-type */
|
||||
@@ -4389,7 +4456,7 @@ static int apply_rewrite_rule(rewriterul
|
||||
/* Puuhhhhhhhh... WHAT COMPLICATED STUFF ;_)
|
||||
* But now we're done for this particular rule.
|
||||
*/
|
||||
- return 1;
|
||||
+ return RULE_RC_MATCH;
|
||||
}
|
||||
|
||||
/*
|
||||
@@ -4397,13 +4464,13 @@ static int apply_rewrite_rule(rewriterul
|
||||
* i.e. a list of rewrite rules
|
||||
*/
|
||||
static int apply_rewrite_list(request_rec *r, apr_array_header_t *rewriterules,
|
||||
- char *perdir)
|
||||
+ char *perdir, rewriterule_entry **lastsub)
|
||||
{
|
||||
rewriterule_entry *entries;
|
||||
rewriterule_entry *p;
|
||||
int i;
|
||||
int changed;
|
||||
- int rc;
|
||||
+ rule_return_type rc;
|
||||
int s;
|
||||
rewrite_ctx *ctx;
|
||||
int round = 1;
|
||||
@@ -4411,6 +4478,7 @@ static int apply_rewrite_list(request_re
|
||||
ctx = apr_palloc(r->pool, sizeof(*ctx));
|
||||
ctx->perdir = perdir;
|
||||
ctx->r = r;
|
||||
+ *lastsub = NULL;
|
||||
|
||||
/*
|
||||
* Iterate over all existing rules
|
||||
@@ -4438,7 +4506,12 @@ static int apply_rewrite_list(request_re
|
||||
ctx->vary = NULL;
|
||||
rc = apply_rewrite_rule(p, ctx);
|
||||
|
||||
- if (rc) {
|
||||
+ if (rc != RULE_RC_NOMATCH) {
|
||||
+
|
||||
+ if (!(p->flags & RULEFLAG_NOSUB)) {
|
||||
+ rewritelog((r, 2, perdir, "setting lastsub to rule with output %s", p->output));
|
||||
+ *lastsub = p;
|
||||
+ }
|
||||
|
||||
/* Catch looping rules with pathinfo growing unbounded */
|
||||
if ( strlen( r->filename ) > 2*r->server->limit_req_line ) {
|
||||
@@ -4458,6 +4531,12 @@ static int apply_rewrite_list(request_re
|
||||
apr_table_merge(r->headers_out, "Vary", ctx->vary);
|
||||
}
|
||||
|
||||
+
|
||||
+ /* Error while evaluating rule, r->status set */
|
||||
+ if (RULE_RC_STATUS_SET == rc) {
|
||||
+ return ACTION_STATUS_SET;
|
||||
+ }
|
||||
+
|
||||
/*
|
||||
* The rule sets the response code (implies match-only)
|
||||
*/
|
||||
@@ -4468,7 +4547,7 @@ static int apply_rewrite_list(request_re
|
||||
/*
|
||||
* Indicate a change if this was not a match-only rule.
|
||||
*/
|
||||
- if (rc != 2) {
|
||||
+ if (rc != RULE_RC_NOSUB) {
|
||||
changed = ((p->flags & RULEFLAG_NOESCAPE)
|
||||
? ACTION_NOESCAPE : ACTION_NORMAL);
|
||||
}
|
||||
@@ -4657,6 +4736,7 @@ static int hook_uri2file(request_rec *r)
|
||||
int rulestatus;
|
||||
void *skipdata;
|
||||
const char *oargs;
|
||||
+ rewriterule_entry *lastsub = NULL;
|
||||
|
||||
/*
|
||||
* retrieve the config structures
|
||||
@@ -4768,7 +4848,7 @@ static int hook_uri2file(request_rec *r)
|
||||
/*
|
||||
* now apply the rules ...
|
||||
*/
|
||||
- rulestatus = apply_rewrite_list(r, conf->rewriterules, NULL);
|
||||
+ rulestatus = apply_rewrite_list(r, conf->rewriterules, NULL, &lastsub);
|
||||
apr_table_setn(r->notes, "mod_rewrite_rewritten",
|
||||
apr_psprintf(r->pool,"%d",rulestatus));
|
||||
}
|
||||
@@ -4806,6 +4886,9 @@ static int hook_uri2file(request_rec *r)
|
||||
r->status = HTTP_OK;
|
||||
return n;
|
||||
}
|
||||
+ else if (ACTION_STATUS_SET == rulestatus) {
|
||||
+ return r->status;
|
||||
+ }
|
||||
|
||||
if (to_proxyreq) {
|
||||
/* it should be go on as an internal proxy request */
|
||||
@@ -4925,23 +5008,29 @@ static int hook_uri2file(request_rec *r)
|
||||
return HTTP_BAD_REQUEST;
|
||||
}
|
||||
|
||||
- /* if there is no valid prefix, we call
|
||||
- * the translator from the core and
|
||||
- * prefix the filename with document_root
|
||||
+ /* We have r->filename as a path in a server-context rewrite without
|
||||
+ * the PT flag. The historical behavior is to treat it as a verbatim
|
||||
+ * filesystem path iff the first component of the path exists and is
|
||||
+ * readable by httpd. Otherwise, it is interpreted as DocumentRoot
|
||||
+ * relative.
|
||||
*
|
||||
* NOTICE:
|
||||
* We cannot leave out the prefix_stat because
|
||||
- * - when we always prefix with document_root
|
||||
- * then no absolute path can be created, e.g. via
|
||||
- * emulating a ScriptAlias directive, etc.
|
||||
- * - when we always NOT prefix with document_root
|
||||
+ * - If we always prefix with document_root
|
||||
+ * then no absolute path can could ever be used in
|
||||
+ * a substitution. e.g. emulating an Alias.
|
||||
+ * - If we never prefix with document_root
|
||||
* then the files under document_root have to
|
||||
* be references directly and document_root
|
||||
* gets never used and will be a dummy parameter -
|
||||
- * this is also bad
|
||||
+ * this is also bad.
|
||||
+ * - Later addition: This part is questionable.
|
||||
+ * If we had never prefixed, users would just
|
||||
+ * need %{DOCUMENT_ROOT} in substitutions or the
|
||||
+ * [PT] flag.
|
||||
*
|
||||
* BUT:
|
||||
- * Under real Unix systems this is no problem,
|
||||
+ * Under real Unix systems this is no perf problem,
|
||||
* because we only do stat() on the first directory
|
||||
* and this gets cached by the kernel for along time!
|
||||
*/
|
||||
@@ -4950,7 +5039,9 @@ static int hook_uri2file(request_rec *r)
|
||||
uri_reduced = apr_table_get(r->notes, "mod_rewrite_uri_reduced");
|
||||
}
|
||||
|
||||
- if (!prefix_stat(r->filename, r->pool) || uri_reduced != NULL) {
|
||||
+ if (!prefix_stat(r, r->filename, r->pool,
|
||||
+ conf->options & OPTION_UNSAFE_PREFIX_STAT ? NULL : lastsub)
|
||||
+ || uri_reduced != NULL) {
|
||||
int res;
|
||||
char *tmp = r->uri;
|
||||
|
||||
@@ -4995,6 +5086,7 @@ static int hook_fixup(request_rec *r)
|
||||
char *ofilename, *oargs;
|
||||
int is_proxyreq;
|
||||
void *skipdata;
|
||||
+ rewriterule_entry *lastsub;
|
||||
|
||||
dconf = (rewrite_perdir_conf *)ap_get_module_config(r->per_dir_config,
|
||||
&rewrite_module);
|
||||
@@ -5079,7 +5171,7 @@ static int hook_fixup(request_rec *r)
|
||||
/*
|
||||
* now apply the rules ...
|
||||
*/
|
||||
- rulestatus = apply_rewrite_list(r, dconf->rewriterules, dconf->directory);
|
||||
+ rulestatus = apply_rewrite_list(r, dconf->rewriterules, dconf->directory, &lastsub);
|
||||
if (rulestatus) {
|
||||
unsigned skip_absolute = is_absolute_uri(r->filename, NULL);
|
||||
int to_proxyreq = 0;
|
||||
@@ -5108,6 +5200,9 @@ static int hook_fixup(request_rec *r)
|
||||
r->status = HTTP_OK;
|
||||
return n;
|
||||
}
|
||||
+ else if (ACTION_STATUS_SET == rulestatus) {
|
||||
+ return r->status;
|
||||
+ }
|
||||
|
||||
if (to_proxyreq) {
|
||||
/* it should go on as an internal proxy request */
|
@ -1,20 +0,0 @@
|
||||
--- a/include/http_protocol.h 2024/06/24 17:52:31 1918559
|
||||
+++ b/include/http_protocol.h 2024/06/24 17:54:34 1918560
|
||||
@@ -439,6 +439,17 @@
|
||||
AP_DECLARE(void) ap_set_content_type(request_rec *r, const char *ct);
|
||||
|
||||
/**
|
||||
+ * Set the content type for this request (r->content_type).
|
||||
+ * @param r The current request
|
||||
+ * @param ct The new content type
|
||||
+ * @param trusted If non-zero, The content-type should come from a
|
||||
+ * trusted source such as server configuration rather
|
||||
+ * than application output.
|
||||
+ * for the AddOutputFilterByType directive to work correctly.
|
||||
+ */
|
||||
+AP_DECLARE(void) ap_set_content_type_ex(request_rec *r, const char *ct, int trusted);
|
||||
+
|
||||
+/**
|
||||
* Set the Accept-Ranges header for this response
|
||||
* @param r The current request
|
||||
*/
|
@ -1,11 +0,0 @@
|
||||
--- a/server/config.c 2024/06/24 17:52:31 1918559
|
||||
+++ b/server/config.c 2024/06/24 17:54:34 1918560
|
||||
@@ -418,7 +418,7 @@
|
||||
}
|
||||
|
||||
if (!r->handler) {
|
||||
- if (r->content_type) {
|
||||
+ if (r->content_type && AP_REQUEST_IS_TRUSTED_CT(r)) {
|
||||
handler = r->content_type;
|
||||
if ((p=ap_strchr_c(handler, ';')) != NULL) {
|
||||
char *new_handler = (char *)apr_pmemdup(r->pool, handler,
|
@ -1,11 +0,0 @@
|
||||
--- a/server/core.c 2024/06/24 17:52:31 1918559
|
||||
+++ b/server/core.c 2024/06/24 17:54:34 1918560
|
||||
@@ -4835,7 +4835,7 @@
|
||||
/* Check for overrides with ForceType / SetHandler
|
||||
*/
|
||||
if (conf->mime_type && strcmp(conf->mime_type, "none"))
|
||||
- ap_set_content_type(r, (char*) conf->mime_type);
|
||||
+ ap_set_content_type_ex(r, (char*) conf->mime_type, 1);
|
||||
|
||||
if (conf->expr_handler) {
|
||||
const char *err;
|
@ -1,23 +0,0 @@
|
||||
--- a/include/httpd.h 2024/06/24 17:52:31 1918559
|
||||
+++ b/include/httpd.h 2024/06/24 17:54:34 1918560
|
||||
@@ -667,6 +667,7 @@
|
||||
*
|
||||
*/
|
||||
#define AP_REQUEST_STRONG_ETAG 1 >> 0
|
||||
+#define AP_REQUEST_TRUSTED_CT 1 << 1
|
||||
|
||||
/**
|
||||
* This is a convenience macro to ease with getting specific request
|
||||
@@ -689,6 +690,12 @@
|
||||
AP_REQUEST_GET_BNOTE((r), AP_REQUEST_STRONG_ETAG)
|
||||
/** @} */
|
||||
|
||||
+/**
|
||||
+ * Returns true if the content-type field is from a trusted source
|
||||
+ */
|
||||
+#define AP_REQUEST_IS_TRUSTED_CT(r) \
|
||||
+ (!!AP_REQUEST_GET_BNOTE((r), AP_REQUEST_TRUSTED_CT))
|
||||
+/** @} */
|
||||
|
||||
/**
|
||||
* @defgroup module_magic Module Magic mime types
|
@ -1,17 +0,0 @@
|
||||
--- a/modules/http/http_protocol.c 2024/06/24 17:52:31 1918559
|
||||
+++ b/modules/http/http_protocol.c 2024/06/24 17:54:34 1918560
|
||||
@@ -1097,8 +1097,14 @@
|
||||
}
|
||||
else if (!r->content_type || strcmp(r->content_type, ct)) {
|
||||
r->content_type = ct;
|
||||
+ AP_REQUEST_SET_BNOTE(r, AP_REQUEST_TRUSTED_CT, 0);
|
||||
}
|
||||
}
|
||||
+AP_DECLARE(void) ap_set_content_type_ex(request_rec *r, const char *ct, int trusted)
|
||||
+{
|
||||
+ ap_set_content_type(r, ct);
|
||||
+ AP_REQUEST_SET_BNOTE(r, AP_REQUEST_TRUSTED_CT, trusted ? AP_REQUEST_TRUSTED_CT : 0);
|
||||
+}
|
||||
|
||||
AP_DECLARE(void) ap_set_accept_ranges(request_rec *r)
|
||||
{
|
@ -1,70 +0,0 @@
|
||||
--- a/modules/http/mod_mime.c 2024/06/24 17:52:31 1918559
|
||||
+++ b/modules/http/mod_mime.c 2024/06/24 17:54:34 1918560
|
||||
@@ -759,7 +759,7 @@
|
||||
int found_metadata = 0;
|
||||
|
||||
if (r->finfo.filetype == APR_DIR) {
|
||||
- ap_set_content_type(r, DIR_MAGIC_TYPE);
|
||||
+ ap_set_content_type_ex(r, DIR_MAGIC_TYPE, 1);
|
||||
return OK;
|
||||
}
|
||||
|
||||
@@ -850,7 +850,7 @@
|
||||
if (exinfo == NULL || !exinfo->forced_type) {
|
||||
if ((type = apr_hash_get(mime_type_extensions, ext,
|
||||
APR_HASH_KEY_STRING)) != NULL) {
|
||||
- ap_set_content_type(r, (char*) type);
|
||||
+ ap_set_content_type_ex(r, (char*) type, 1);
|
||||
found = 1;
|
||||
}
|
||||
}
|
||||
@@ -859,7 +859,7 @@
|
||||
|
||||
/* empty string is treated as special case for RemoveType */
|
||||
if (exinfo->forced_type && *exinfo->forced_type) {
|
||||
- ap_set_content_type(r, exinfo->forced_type);
|
||||
+ ap_set_content_type_ex(r, exinfo->forced_type, 1);
|
||||
found = 1;
|
||||
}
|
||||
|
||||
@@ -964,33 +964,33 @@
|
||||
memcpy(tmp, ctp->subtype, ctp->subtype_len);
|
||||
tmp += ctp->subtype_len;
|
||||
*tmp = 0;
|
||||
- ap_set_content_type(r, base_content_type);
|
||||
+ ap_set_content_type_ex(r, base_content_type, AP_REQUEST_IS_TRUSTED_CT(r));
|
||||
while (pp != NULL) {
|
||||
if (charset && !strcmp(pp->attr, "charset")) {
|
||||
if (!override) {
|
||||
- ap_set_content_type(r,
|
||||
+ ap_set_content_type_ex(r,
|
||||
apr_pstrcat(r->pool,
|
||||
r->content_type,
|
||||
"; charset=",
|
||||
charset,
|
||||
- NULL));
|
||||
+ NULL), AP_REQUEST_IS_TRUSTED_CT(r));
|
||||
override = 1;
|
||||
}
|
||||
}
|
||||
else {
|
||||
- ap_set_content_type(r,
|
||||
+ ap_set_content_type_ex(r,
|
||||
apr_pstrcat(r->pool,
|
||||
r->content_type,
|
||||
"; ", pp->attr,
|
||||
"=", pp->val,
|
||||
- NULL));
|
||||
+ NULL), AP_REQUEST_IS_TRUSTED_CT(r));
|
||||
}
|
||||
pp = pp->next;
|
||||
}
|
||||
if (charset && !override) {
|
||||
- ap_set_content_type(r, apr_pstrcat(r->pool, r->content_type,
|
||||
+ ap_set_content_type_ex(r, apr_pstrcat(r->pool, r->content_type,
|
||||
"; charset=", charset,
|
||||
- NULL));
|
||||
+ NULL), AP_REQUEST_IS_TRUSTED_CT(r));
|
||||
}
|
||||
}
|
||||
}
|
@ -1,15 +0,0 @@
|
||||
--- a/modules/mappers/mod_actions.c 2024/06/24 17:52:31 1918559
|
||||
+++ b/modules/mappers/mod_actions.c 2024/06/24 17:54:34 1918560
|
||||
@@ -182,8 +182,10 @@
|
||||
return DECLINED;
|
||||
|
||||
/* Second, check for actions (which override the method scripts) */
|
||||
- action = r->handler ? r->handler :
|
||||
- ap_field_noparam(r->pool, r->content_type);
|
||||
+ action = r->handler;
|
||||
+ if (!action && AP_REQUEST_IS_TRUSTED_CT(r)) {
|
||||
+ action = ap_field_noparam(r->pool, r->content_type);
|
||||
+ }
|
||||
|
||||
if (action && (t = apr_table_get(conf->action_types, action))) {
|
||||
int virtual = (*t++ == '0' ? 0 : 1);
|
@ -1,29 +0,0 @@
|
||||
--- a/modules/mappers/mod_negotiation.c 2024/06/24 17:52:31 1918559
|
||||
+++ b/modules/mappers/mod_negotiation.c 2024/06/24 17:54:34 1918560
|
||||
@@ -1167,7 +1167,7 @@
|
||||
* might be doing.
|
||||
*/
|
||||
if (sub_req->handler && !sub_req->content_type) {
|
||||
- ap_set_content_type(sub_req, CGI_MAGIC_TYPE);
|
||||
+ ap_set_content_type_ex(sub_req, CGI_MAGIC_TYPE, 1);
|
||||
}
|
||||
|
||||
/*
|
||||
@@ -3003,14 +3003,14 @@
|
||||
/* set MIME type and charset as negotiated */
|
||||
if (best->mime_type && *best->mime_type) {
|
||||
if (best->content_charset && *best->content_charset) {
|
||||
- ap_set_content_type(r, apr_pstrcat(r->pool,
|
||||
+ ap_set_content_type_ex(r, apr_pstrcat(r->pool,
|
||||
best->mime_type,
|
||||
"; charset=",
|
||||
best->content_charset,
|
||||
- NULL));
|
||||
+ NULL), 1);
|
||||
}
|
||||
else {
|
||||
- ap_set_content_type(r, apr_pstrdup(r->pool, best->mime_type));
|
||||
+ ap_set_content_type_ex(r, apr_pstrdup(r->pool, best->mime_type), 1);
|
||||
}
|
||||
}
|
||||
|
@ -1,11 +0,0 @@
|
||||
--- a/modules/mappers/mod_rewrite.c 2024/06/24 17:52:31 1918559
|
||||
+++ b/modules/mappers/mod_rewrite.c 2024/06/24 17:54:34 1918560
|
||||
@@ -5333,7 +5333,7 @@
|
||||
rewritelog((r, 1, NULL, "force filename %s to have MIME-type '%s'",
|
||||
r->filename, t));
|
||||
|
||||
- ap_set_content_type(r, t);
|
||||
+ ap_set_content_type_ex(r, t, 1);
|
||||
}
|
||||
|
||||
/* handler */
|
@ -1,28 +0,0 @@
|
||||
--- a/modules/metadata/mod_headers.c 2024/06/24 17:52:31 1918559
|
||||
+++ b/modules/metadata/mod_headers.c 2024/06/24 17:54:34 1918560
|
||||
@@ -783,14 +783,14 @@
|
||||
break;
|
||||
case hdr_set:
|
||||
if (!ap_cstr_casecmp(hdr->header, "Content-Type")) {
|
||||
- ap_set_content_type(r, process_tags(hdr, r));
|
||||
+ ap_set_content_type_ex(r, process_tags(hdr, r), 1);
|
||||
}
|
||||
apr_table_setn(headers, hdr->header, process_tags(hdr, r));
|
||||
break;
|
||||
case hdr_setifempty:
|
||||
if (NULL == apr_table_get(headers, hdr->header)) {
|
||||
if (!ap_cstr_casecmp(hdr->header, "Content-Type")) {
|
||||
- ap_set_content_type(r, process_tags(hdr, r));
|
||||
+ ap_set_content_type_ex(r, process_tags(hdr, r), 1);
|
||||
}
|
||||
apr_table_setn(headers, hdr->header, process_tags(hdr, r));
|
||||
}
|
||||
@@ -809,7 +809,7 @@
|
||||
const char *repl = process_regexp(hdr, r->content_type, r);
|
||||
if (repl == NULL)
|
||||
return 0;
|
||||
- ap_set_content_type(r, repl);
|
||||
+ ap_set_content_type_ex(r, repl, 1);
|
||||
}
|
||||
if (apr_table_get(headers, hdr->header)) {
|
||||
edit_do ed;
|
@ -1,20 +0,0 @@
|
||||
--- a/modules/metadata/mod_mime_magic.c 2024/06/24 17:52:31 1918559
|
||||
+++ b/modules/metadata/mod_mime_magic.c 2024/06/24 17:54:34 1918560
|
||||
@@ -788,7 +788,7 @@
|
||||
/* XXX: this could be done at config time I'm sure... but I'm
|
||||
* confused by all this magic_rsl stuff. -djg */
|
||||
ap_content_type_tolower(tmp);
|
||||
- ap_set_content_type(r, tmp);
|
||||
+ ap_set_content_type_ex(r, tmp, 1);
|
||||
|
||||
if (state == rsl_encoding) {
|
||||
tmp = rsl_strdup(r, encoding_frag,
|
||||
@@ -2326,7 +2326,7 @@
|
||||
|
||||
/* extract content type/encoding/language from sub-request */
|
||||
if (sub->content_type) {
|
||||
- ap_set_content_type(r, apr_pstrdup(r->pool, sub->content_type));
|
||||
+ ap_set_content_type_ex(r, apr_pstrdup(r->pool, sub->content_type), 1);
|
||||
#if MIME_MAGIC_DEBUG
|
||||
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01557)
|
||||
MODNAME ": subrequest %s got %s",
|
@ -1,27 +0,0 @@
|
||||
--- a/modules/proxy/proxy_util.c 2024/06/25 17:29:06 1918606
|
||||
+++ b/modules/proxy/proxy_util.c 2024/06/25 17:29:32 1918607
|
||||
@@ -3113,6 +3113,13 @@
|
||||
apr_pstrcat(p,"URI cannot be parsed: ", *url,
|
||||
NULL));
|
||||
}
|
||||
+
|
||||
+ if (!uri->hostname) {
|
||||
+ return ap_proxyerror(r, HTTP_BAD_REQUEST,
|
||||
+ apr_pstrcat(p,"URI has no hostname: ", *url,
|
||||
+ NULL));
|
||||
+ }
|
||||
+
|
||||
if (!uri->port) {
|
||||
uri->port = ap_proxy_port_of_scheme(uri->scheme);
|
||||
}
|
||||
@@ -4496,6 +4503,10 @@
|
||||
|
||||
/* Compute Host header */
|
||||
if (dconf->preserve_host == 0) {
|
||||
+ if (!uri->hostname) {
|
||||
+ rc = HTTP_BAD_REQUEST;
|
||||
+ goto cleanup;
|
||||
+ }
|
||||
if (ap_strchr_c(uri->hostname, ':')) { /* if literal IPv6 address */
|
||||
if (uri->port_str && uri->port != DEFAULT_HTTP_PORT) {
|
||||
host = apr_pstrcat(r->pool, "[", uri->hostname, "]:",
|
@ -1,54 +0,0 @@
|
||||
--- a/modules/mappers/mod_rewrite.c 2024/06/25 15:22:28 1918599
|
||||
+++ b/modules/mappers/mod_rewrite.c 2024/06/25 15:28:00 1918600
|
||||
@@ -4347,6 +4347,32 @@
|
||||
return 2;
|
||||
}
|
||||
|
||||
+ /* Add the previously stripped per-directory location prefix, unless
|
||||
+ * (1) it's an absolute URL path and
|
||||
+ * (2) it's a full qualified URL
|
||||
+ */
|
||||
+ if (!is_proxyreq && *newuri != '/' && !is_absolute_uri(newuri, NULL)) {
|
||||
+ if (ctx->perdir) {
|
||||
+ rewritelog((r, 3, ctx->perdir, "add per-dir prefix: %s -> %s%s",
|
||||
+ newuri, ctx->perdir, newuri));
|
||||
+
|
||||
+ newuri = apr_pstrcat(r->pool, ctx->perdir, newuri, NULL);
|
||||
+ }
|
||||
+ else if (!(p->flags & (RULEFLAG_PROXY | RULEFLAG_FORCEREDIRECT))) {
|
||||
+ /* Not an absolute URI-path and the scheme (if any) is unknown,
|
||||
+ * and it won't be passed to fully_qualify_uri() below either,
|
||||
+ * so add an implicit '/' prefix. This avoids potentially a common
|
||||
+ * rule like "RewriteRule ^/some/path(.*) $1" that is given a path
|
||||
+ * like "/some/pathscheme:..." to produce the fully qualified URL
|
||||
+ * "scheme:..." which could be misinterpreted later.
|
||||
+ */
|
||||
+ rewritelog((r, 3, ctx->perdir, "add root prefix: %s -> /%s",
|
||||
+ newuri, newuri));
|
||||
+
|
||||
+ newuri = apr_pstrcat(r->pool, "/", newuri, NULL);
|
||||
+ }
|
||||
|