On 05/06/2011 03:14 PM, [email protected] wrote:
> Author: covener
> Date: Fri May 6 13:14:27 2011
> New Revision: 1100200
>
> URL: http://svn.apache.org/viewvc?rev=1100200&view=rev
> Log:
> Merge r820760, r919323, r937858, r938265 from trunk:
>
> Reviewed By: sf, trawick, covener
>
> core: Treat timeout reading request as 408 error, not 400.
> Log 408 errors in access log as was done in Apache 1.3.x.
>
> PR: 39785
> Submitted by: Nobutaka Mantani, Stefan Fritsch
> Reviewed and added to by: Dan Poirier
>
>
> * Only log a 408 if it is no keepalive timeout.
>
> PR: 39785
> Submitted by: Mark Montague <markmont umich.edu>, rpluem
> Reviewed by: rpluem
>
>
> PR49167, unexpected 413 and double-errordoc during a timeout reading a
> chunk-size.
>
>
>
> Use the more specific 408 (timed out) instead of a generic 400 during a
> timeout
> reading a chunk-length.
>
>
>
> Modified:
> httpd/httpd/branches/2.2.x/CHANGES
> httpd/httpd/branches/2.2.x/STATUS
> httpd/httpd/branches/2.2.x/modules/http/http_filters.c
> httpd/httpd/branches/2.2.x/server/protocol.c
>
> > Modified: httpd/httpd/branches/2.2.x/server/protocol.c > URL: > http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/server/protocol.c?rev=1100200&r1=1100199&r2=1100200&view=diff > ============================================================================== > --- httpd/httpd/branches/2.2.x/server/protocol.c (original) > +++ httpd/httpd/branches/2.2.x/server/protocol.c Fri May 6 13:14:27 2011 > @@ -608,6 +608,9 @@ static int read_request_line(request_rec > r->proto_num = HTTP_VERSION(1,0); > r->protocol = apr_pstrdup(r->pool, "HTTP/1.0"); > } > + else if (rv == APR_TIMEUP) { As mentioned previously APR_STATUS_IS_TIMEUP should be used instead. Didn't we have a security issue on Windows and Netware because of this? *) SECURITY: CVE-2010-2068 (cve.mitre.org) mod_proxy_ajp, mod_proxy_http, mod_reqtimeout: Fix timeout detection for platforms Windows, Netware and OS2. PR: 49417. [Rainer Jung] > + r->status = HTTP_REQUEST_TIME_OUT; > + } > return 0; > } > } while ((len <= 0) && (++num_blank_lines < max_blank_lines)); > @@ -691,7 +694,12 @@ AP_DECLARE(void) ap_get_mime_headers_cor > &len, r, 0, bb); > > if (rv != APR_SUCCESS) { > - r->status = HTTP_BAD_REQUEST; > + if (rv == APR_TIMEUP) { As mentioned previously APR_STATUS_IS_TIMEUP should be used instead. Didn't we have a security issue on Windows and Netware because of this? *) SECURITY: CVE-2010-2068 (cve.mitre.org) mod_proxy_ajp, mod_proxy_http, mod_reqtimeout: Fix timeout detection for platforms Windows, Netware and OS2. PR: 49417. [Rainer Jung] > + r->status = HTTP_REQUEST_TIME_OUT; > + } > + else { > + r->status = HTTP_BAD_REQUEST; > + } > > /* ap_rgetline returns APR_ENOSPC if it fills up the buffer > before > * finding the end-of-line. This is only going to happen if it

Regards

Rüdiger
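Review bot: in the read_request_line hunk (@@ -608), the added `else if (rv == APR_TIMEUP)` compares for exact equality, so it matches only APR's canonical timeout value. On a platform that reports the timeout through a different status code, which is the Windows, Netware and OS2 case named in the CVE-2010-2068 CHANGES entry quoted in this mail, the branch is skipped and r->status is never set to HTTP_REQUEST_TIME_OUT before the `return 0`. Suggest `else if (APR_STATUS_IS_TIMEUP(rv)) {` so the test is the portable one.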
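Review bot: in the ap_get_mime_headers_core hunk (@@ -691), a timeout status that is not literally equal to APR_TIMEUP fails `if (rv == APR_TIMEUP)` and falls into the new `else`, where it is reported as HTTP_BAD_REQUEST. That reproduces, on the affected platforms, the 400-instead-of-408 result this merge is meant to remove. Suggest `if (APR_STATUS_IS_TIMEUP(rv)) {` here, and a short comment on the branch saying that a header read timeout maps to 408.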
