fielding 98/10/30 14:41:28
Modified: src CHANGES src/main http_config.c http_protocol.c src/modules/proxy mod_proxy.c Log: Disable sending of error-notes on a 500 (Internal Server Error) response since it often includes file path info. Enable sending of error-notes on a 501 (Method Not Implemented). http_config.c would respond with 501 (Method Not Implemented) if a content type handler was specified but could not be found, which should have been a 500 response. Likewise, mod_proxy.c would responsd with a 501 if the URI scheme is unrecognized instead of the correct response of 403 (Forbidden). PR: 3173 Revision Changes Path 1.1130 +10 -0 apache-1.3/src/CHANGES
Index: CHANGES
===================================================================
RCS file: /home/cvs/apache-1.3/src/CHANGES,v
retrieving revision 1.1129
retrieving revision 1.1130
diff -u -r1.1129 -r1.1130
--- CHANGES 1998/10/30 03:08:52 1.1129
+++ CHANGES 1998/10/30 22:41:21 1.1130
@@ -1,5 +1,15 @@ Changes with Apache 1.3.4 + *) Disable sending of error-notes on a 500 (Internal Server Error) response + since it often includes file path info. Enable sending of error-notes + on a 501 (Method Not Implemented). [Roy Fielding] PR#3173 + + *) http_config.c would respond with 501 (Method Not Implemented) if a + content type handler was specified but could not be found, which + should have been a 500 response. Likewise, mod_proxy.c would responsd + with a 501 if the URI scheme is unrecognized instead of the correct + response of 403 (Forbidden). [Roy Fielding] + *) SECURITY: Eliminate DoS attack when a bad URI path contains what looks like a printf format escape. [Marc Slemko, Studenten Net Twente] 1.135 +3 -3 apache-1.3/src/main/http_config.c Index: http_config.c =================================================================== RCS file: /home/cvs/apache-1.3/src/main/http_config.c,v retrieving revision 1.134 retrieving revision 1.135 diff -u -r1.134 -r1.135 --- http_config.c 1998/09/26 00:07:08 1.134 +++ http_config.c 1998/10/30 22:41:24 1.135 @@ -479,7 +479,7 @@ const char *handler; char *p; size_t handler_len; - int result = NOT_IMPLEMENTED; + int result = HTTP_INTERNAL_SERVER_ERROR; if (r->handler) { handler = r->handler; @@ -509,7 +509,7 @@ } } - if (result == NOT_IMPLEMENTED && r->handler) { + if (result == HTTP_INTERNAL_SERVER_ERROR && r->handler) { ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_WARNING, r, "handler \"%s\" not found for: %s", r->handler, r->filename); } 
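Review bot: In the `@@ -509,7` hunk of http_config.c the test `result == HTTP_INTERNAL_SERVER_ERROR && r->handler` treats the initial value of `result` as "no handler matched", but that value is also a status a handler can itself return. Whether the two can be confused depends on the loop between the `@@ -479,7` and `@@ -509,7` hunks, which is not visible here; if it returns on every non-DECLINED result the check stays sound. I would record that assumption at the declaration, e.g. `int result = HTTP_INTERNAL_SERVER_ERROR; /* unchanged only if no handler matched */`, so a later edit to the loop does not make the "not found" warning fire for a handler's own 500. The same value is the fall-through return in the `@@ -526,7` hunk, and the enclosing function starts and ends outside these hunks.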
@@ -526,7 +526,7 @@ } } - return NOT_IMPLEMENTED; + return HTTP_INTERNAL_SERVER_ERROR; } /* One-time setup for precompiled modules --- NOT to be done on restart */ 1.247 +17 -4 apache-1.3/src/main/http_protocol.c Index: http_protocol.c =================================================================== RCS file: /home/cvs/apache-1.3/src/main/http_protocol.c,v retrieving revision 1.246 retrieving revision 1.247 diff -u -r1.246 -r1.247 --- http_protocol.c 1998/10/19 05:59:35 1.246 +++ http_protocol.c 1998/10/30 22:41:24 1.247 @@ -2297,10 +2297,13 @@ ap_escape_html(r->pool, r->uri), " evaluated to false.<P>\n", NULL); break; - case NOT_IMPLEMENTED: + case HTTP_NOT_IMPLEMENTED: ap_bvputs(fd, ap_escape_html(r->pool, r->method), " to ", ap_escape_html(r->pool, r->uri), " not supported.<P>\n", NULL); + if ((error_notes = ap_table_get(r->notes, "error-notes")) != NULL) { + ap_bvputs(fd, error_notes, "<P>\n", NULL); + } break; case BAD_GATEWAY: ap_bputs("The proxy server received an invalid\015\012", fd); 
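Review bot: The new `HTTP_NOT_IMPLEMENTED` branch in the `@@ -2297,10` hunk of http_protocol.c writes `error_notes` into the HTML body unescaped, while `r->method` and `r->uri` on the lines just above it go through `ap_escape_html`. Unless the note is escaped where it is stored (not visible in this diff), any markup carried in it from request-derived text reaches the client as-is; I would write `ap_bvputs(fd, ap_escape_html(r->pool, error_notes), "<P>\n", NULL);`. The commented-out block in the `@@ -2387,9` hunk holds the same call and would need the same change if it is ever re-enabled. The file-path concern stated in that comment may apply to 501 notes as well, so it is worth confirming which messages can end up in error-notes on this path. The enclosing switch starts outside the hunk.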
@@ -2387,9 +2390,19 @@ "caused the error.<P>\n" "More information about this error may be available\n" "in the server error log.<P>\n", NULL); - if ((error_notes = ap_table_get(r->notes, "error-notes")) != NULL) { - ap_bvputs(fd, error_notes, "<P>\n", NULL); - } + /* + * It would be nice to give the user the information they need to + * fix the problem directly since many users don't have access to + * the error_log (think University sites) even though they can easily + * get this error by misconfiguring an htaccess file. However, the + * error notes tend to include the real file pathname in this case, + * which some people consider to be a breach of privacy. Until we + * can figure out a way to remove the pathname, leave this commented. + * + * if ((error_notes = ap_table_get(r->notes, "error-notes")) != NULL) { + * ap_bvputs(fd, error_notes, "<P>\n", NULL); + * } + */ break; } 1.63 +1 -1 apache-1.3/src/modules/proxy/mod_proxy.c Index: mod_proxy.c =================================================================== RCS file: /home/cvs/apache-1.3/src/modules/proxy/mod_proxy.c,v retrieving revision 1.62 retrieving revision 1.63 diff -u -r1.62 -r1.63 --- mod_proxy.c 1998/09/08 21:15:55 1.62 +++ mod_proxy.c 1998/10/30 22:41:27 1.63 @@ -397,7 +397,7 @@ if (strcasecmp(scheme, "ftp") == 0) return ap_proxy_ftp_handler(r, cr, url); else - return NOT_IMPLEMENTED; + return HTTP_FORBIDDEN; } /* -------------------------------------------------------------- */
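Review bot: In the mod_proxy.c hunk the unrecognized-scheme branch returns `HTTP_FORBIDDEN` without logging, so from the visible lines an operator sees only a bare 403 and cannot tell it apart from an access-control denial. A log line before the return would make rejected schemes visible for troubleshooting and for noticing unexpected proxy requests, e.g. `ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_WARNING, r, "proxy: unsupported URI scheme: %s", scheme);`, with the scheme passed as an argument and never as the format string. That turns the `else` into a braced block. The enclosing function starts outside the hunk.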