--On Friday, November 01, 2002 16:02:45 -0800 Rob Emanuele <[EMAIL PROTECTED]>
wrote:
So I took the mod_auth_digest code and munged it to use mysql for
authentication. Swell. It works great and we're heavily using it.
You might be interested in the new auth provider API which allows precisely
So I took the mod_auth_digest code and munged it to use mysql for
authentication. Swell. It works great and we're heavily using it.
I'd like to give it back to the open source community. Right now it's
just a patch file for mod_auth_digest.c in Apache 2.0.40. I was
wondering what was the best wa
Your patch will simply let the %2F through, but then a later section
of code will translate them to / and we've opened a security hole
in the main server. I'd rather move the rejection code to the
place where a decision has to be made (like the directory walk),
but I have no time to do it myself.
Rodent of Unusual Size wrote:
>
> based on some offline discussion, i am going to table this
> for now and try suitably modified versions of the %5c attack
> against the patched server.
without a demonstrable technical justification, i still consider
it an invalid veto, but the concerns and consi
based on some offline discussion, i am going to table this
for now and try suitably modified versions of the %5c attack
against the patched server.
"William A. Rowe, Jr." wrote:
>
> Yes, it's a veto to introduce a security hole as a 'starting point' that
> someone might get around to cleaning up later.
demonstrate that it is a security hole in the server.
if you cannot demonstrate that this opens the server to
client-side attack, i do not re
On Fri, Nov 01, 2002 at 06:07:53PM -, [EMAIL PROTECTED] wrote:
>...
> +++ BaseAddr.ref1 Nov 2002 18:07:52 - 1.22
> @@ -60,3 +60,4 @@
>mod_authz_groupfile 0x6FB10x0001
>mod_authz_host 0x6FB00x0001
>mod_authz_user 0x6FAF0x
What about listing this book at
http://httpd.apache.org/info/apache_books.html,
it seems to be the one which
covers only Apache2 (here in Germany)?
In my opinion books published by
addison&wesley are quite good, or?
But anyway, there are a lot more books
available about the apache here
in Germany and
According to Werner Schalk:
> for the german speaking people: According
> to the website addison-wesley.de there
> will be a german (sorry!) book at the
> end of this month.
Other books are listed at
http://httpd.apache.org/info/apache_books.html
ciao...
--
Lars Eilebrecht - "No m
At 11:59 AM 11/1/2002, Rodent of Unusual Size wrote:
>"Roy T. Fielding" wrote:
>>
>> Your patch will simply let the %2F through, but then a later section
>> of code will translate them to / and we've opened a security hole
>> in the main server. I'd rather move the rejection code to the
>> place
At 04:27 AM 11/1/2002, Justin Erenkrantz wrote:
>I have a distinct feeling that it might ease our sanity if we split the SSL input and
>output filter code in ssl_engine_io.c into separate files.
Between the input and output, or between the decoded text filter logic
and the bio network filter logi
"Roy T. Fielding" wrote:
>
> Your patch will simply let the %2F through, but then a later section
> of code will translate them to / and we've opened a security hole
> in the main server. I'd rather move the rejection code to the
> place where a decision has to be made (like the directory walk),
* André Malo wrote:
> * Rodent of Unusual Size wrote:
>
>> http://www.apache.org/dist/httpd/patches/apply_to_2.0.43/
>> that appears on
>> http://www.apache.org/dist/httpd/
>> doesn't work = (
>
> right. But the link appears on http://httpd.apache.org/download.cgi
^
Aymerick:
I am wondering why you want to support UDP in apache... I see you
mention discussions in Aug/Sept.. that i missed.. I will have
to go dig in the archive..
My take on UDP is it is very very dangerous to enable http over
UDP.. if UDP ever had a wide scale deployment the internet
it
Wow.. lots of good changes. I think the whole ssl-engine_io.c looks a lot
cleaner now (and thanks for the info regarding how the SSL filter works).
I'm still looking through the changes..
As regards splitting ssl_engine_io.c for input/output filter stuff, I'm +1
for it.
-Madhu
> -Original Me
Hi all:
Attached is a patch to add support for SCTP to apache for those
O/S's that have it.
Now a note about this patch..
The idea behind this is that SCTP is automatically enabled if
available... i.e. there is no flag to turn it on/off.. if you say
listen 80
and have sctp.. you get a listener
* Rodent of Unusual Size wrote:
> http://www.apache.org/dist/httpd/patches/apply_to_2.0.43/
> that appears on
> http://www.apache.org/dist/httpd/
> doesn't work = (
right. But the link appears on http://httpd.apache.org/download.cgi
* Apache 2.0.43 is the best available version
[...]
For deta
Justin Erenkrantz <[EMAIL PROTECTED]> writes:
> I think your commits to check c->aborted in various filters should be
> replaced by getting core_input_filter to return APR_ECONNABORTED.
The only filter I changed was the content-length filter.
But yes I would agree that in a commit which fixes ou
not acked
--
#kenP-)}
Ken Coar, Sanagendamgagwedweinini http://Golux.Com/coar/
Author, developer, opinionist http://Apache-Server.Com/
"Millennium hand and shrimp!"
--- Begin Message ---
Hi!
The link:
http://www.apache.org/dist/httpd/patches/apply_to_2.0.43/
that appears on
http://ww
Hello,
for the german speaking people: According
to the website addison-wesley.de there
will be a german (sorry!) book at the
end of this month. The book seems to be
quite interesting, does somebody know
something about it?
Bye and thanks,
Werner.
Greg Stein <[EMAIL PROTECTED]> writes:
> On Fri, Nov 01, 2002 at 03:27:20AM -, [EMAIL PROTECTED] wrote:
> >...
> > +++ request.c 1 Nov 2002 03:27:20 - 1.118
> > @@ -924,6 +924,8 @@
> >/* That temporary trailing slash was useful, now drop it.
> >
> > i have been asked to recommend a book about apache version 2
> > that would give useful background and reference information
> > for people providing support to customers using it. so, probably
> > along the lines of 'apache server unleashed' rather than an
> > internals reference.
> >
> > any
"William A. Rowe, Jr." <[EMAIL PROTECTED]> writes:
> Folks, this looks wrong after consideration. If someone is familiar
> with the Linux gcc optimizer, please see my last comments in
>
> http://nagoya.apache.org/bugzilla/show_bug.cgi?id=14147
>
> I'm starting to feel like the optimizer bit us
On Fri, Nov 01, 2002 at 10:42:09AM +0100, Sander Striker wrote:
> Thought this might be something for you...
>
> [08:56] hey folks, dav_new_error question for the svn'ers
> [08:57] anyone noticed the int save_errno = errno; bogosity within
>dav_new_error?
> [08:57] and has anyone suggested a g
On Fri, Nov 01, 2002 at 03:27:20AM -, [EMAIL PROTECTED] wrote:
>...
> +++ request.c 1 Nov 2002 03:27:20 - 1.118
> @@ -924,6 +924,8 @@
>/* That temporary trailing slash was useful, now drop it.
> */
>if (temp_slash) {
> +
I have a distinct feeling that it might ease our sanity if we split
the SSL input and output filter code in ssl_engine_io.c into separate
files.
Or, am I just nuts? Perhaps a rename to ssl_engine_filter.c could
also be goodness. (If OtherBill is going to revamp the output
section, perhaps no
--On Thursday, October 31, 2002 4:58 PM -0500 Jeff Trawick
<[EMAIL PROTECTED]> wrote:
default_handler(), which should be returning HTTP status code,
returns whatever ap_pass_brigade() returns. default_handler()
would have to change too. Any other handlers as well (In the
thread I pointed to, Ry
27 matches