On Tue, 27 Jul 2021 at 18:12, Paul Querna wrote:
> Years ago I started hacking on an "mpm fuzz":
> https://github.com/pquerna/httpd/compare/trunk...pquerna:mpm_fuzz
>
> The idea was to make a "fake" MPM, which could feed data from AFL directly
> into the network filter stack, in a super efficient
On Sun, 6 Oct 2019 at 17:52, Roy T. Fielding wrote:
> > On Oct 5, 2019, at 1:09 PM, Jim Jagielski wrote:
> >
> > Various PMCs have made their default/de-facto SCM git and have seen an
> increase in contributions and contributors...
> >
> > Is this something the httpd project should consider? Esp
Good grief. Yes! No-one uses svn these days. I can't even remember how to.
Literally everything I contribute to uses git.
On Sat, 5 Oct 2019 at 21:09, Jim Jagielski wrote:
> Various PMCs have made their default/de-facto SCM git and have seen an
> increase in contributions and contributors...
>
>
On 3 May 2017 at 09:03, Issac Goldstand wrote:
> What would work, in my eyes, if people are open to it, is treating the
> contents of these definitions/macros (and I'm all for the macros, just
> so that interested sysadmins can see *exactly* what the settings are on
> their setup) as apart from th
On Sat, 5 Sep 2015 at 09:32 Kaspar Brand wrote:
> On 04.09.2015 17:54, Rob Stradling wrote:
> > Today, roughly 25% of HTTPS servers on the Internet have OCSP stapling
> > enabled. Browsers aren't likely to start hard-failing by default until
> > that % is a lot higher.
> >
> > The vast majority
On 1 November 2014 at 09:05, Kaspar Brand wrote:
> On 30.10.2014 15:51, Jeff Trawick wrote:
>> IMO the present concerns with OCSP Stapling are:
>>
>> * not so clear that it has seen enough real-world testing; commented out
>> sample configs and better documentation will help, as will enabling by
>
On 12 June 2013 23:00, William A. Rowe Jr. wrote:
> On Wed, 12 Jun 2013 21:05:05 +0100
> Ben Laurie wrote:
>
>> On 12 June 2013 20:49, William A. Rowe Jr.
>> wrote:
>> > On Wed, 12 Jun 2013 21:24:31 +0200
>> > Reindl Harald wrote:
>> >>
>
On 12 June 2013 20:49, William A. Rowe Jr. wrote:
> On Wed, 12 Jun 2013 21:24:31 +0200
> Reindl Harald wrote:
>>
>> well, on Redhat systems in "/etc/sysconfig/httpd" putting the line
>> "OPENSSL_NO_DEFAULT_ZLIB=1" disabled it before httpd
>> offered an option, but IMHO any server software should
>>
On 1 May 2013 11:11, Graham Leggett wrote:
> On 01 May 2013, at 11:34 AM, Marian Marinov wrote:
>
>> Actually, what we are observing is completely opposite to what you are
>> saying.
>> Delaying spam bots, brute force attacks, and vulnerability scanners
>> significantly decreases the amount of
On 1 May 2013 10:19, Tom Evans wrote:
> On Wed, May 1, 2013 at 1:47 AM, André Warnier wrote:
>> Christian Folini wrote:
>>>
>>> Hey André,
>>>
>>> I do not think your protection mechanism is very good (for reasons
>>> mentioned before) But you can try it out for yourself easily with 2-3
>>> ModSe
On 30 April 2013 11:29, Graham Leggett wrote:
> On 30 Apr 2013, at 12:03 PM, André Warnier wrote:
>
>> The only cost would be a relatively small change to the Apache webservers,
>> which is what my
>> suggestion consists of : adding a variable delay (say between 100 ms and
>> 2000 ms) to any
>> 40
On 30 April 2013 11:14, Reindl Harald wrote:
> On 30.04.2013 12:03, André Warnier wrote:
>> As a general idea thus, anything which impacts the delay to obtain a 404
>> response, should
>> impact these bots much more than it impacts legitimate users/clients.
>>
>> How much ?
>>
>> Let us imagine
On Wed, Nov 7, 2012 at 1:34 PM, Stefan Fritsch wrote:
> On Wed, 7 Nov 2012, Jim Jagielski wrote:
>
>> Certainly once mod_lua is more "production ready", we could
>> use that, couldn't we?
>
>
> One could of course. But not everyone has lua, lua is slower than C, and
> even doing it in a module ins
On Sun, Sep 16, 2012 at 7:24 AM, Kaspar Brand wrote:
> On 16.09.2012 08:00, Kaspar Brand wrote:
>> I have committed an improved version in r1385214
>
> Um, make that read r1385216. I left out the acinclude.m4 changes in the
> first attempt, unfortunately.
OK, I just checked it out and tested it -
On Thu, Sep 13, 2012 at 12:48 PM, Eric Covener wrote:
> On Sat, Aug 11, 2012 at 3:51 AM, wrote:
>> Author: fielding
>> Date: Sat Aug 11 07:51:52 2012
>> New Revision: 1371878
>>
>> URL: http://svn.apache.org/viewvc?rev=1371878&view=rev
>> Log:
>> Apache does not tolerate deliberate abuse of open
On Wed, Sep 5, 2012 at 12:02 PM, Tony Stevenson wrote:
>
> On 5 Sep 2012, at 11:57, Jim Jagielski wrote:
>
>> FWIW, I have time this week to impl this...
>>
>> Feedback/Concerns?
>
> Only the term 'nonce' - It has very unfortunate connotations in UK English.
> [1] :-)
Sadly, we lost that bat
On Wed, Sep 5, 2012 at 11:57 AM, Jim Jagielski wrote:
> FWIW, I have time this week to impl this...
>
> Feedback/Concerns?
I still want to know what the "nonce" is actually for! Are you going
to make me read the code and guess?
>
> On Sep 1, 2012, at 11:47 AM, Jim Jagielski wrote:
>
>> Another
On Sat, Sep 1, 2012 at 8:13 PM, Jim Jagielski wrote:
>
> On Sep 1, 2012, at 12:39 PM, Ben Laurie wrote:
>
>> On Sat, Sep 1, 2012 at 4:47 PM, Jim Jagielski wrote:
>>> Another alternative would be to have the nonce also possibly
>>> set at config-time and, if u
On Sat, Sep 1, 2012 at 4:47 PM, Jim Jagielski wrote:
> Another alternative would be to have the nonce also possibly
> set at config-time and, if unset, then use the uuid. That way
> it could also be used as a sort of shared-secret ;)
>
> ProxySet nonce="applepie!"
>
> Longer term, I think
On Thu, Aug 16, 2012 at 7:36 PM, Kaspar Brand wrote:
> On 12.8.12 20:01, Ben Laurie wrote:
>> On Sun, Aug 12, 2012 at 5:23 PM, Kaspar Brand
>> wrote:
>>> a workaround is to call configure with
>>> suitable {CPP,LD}FLAGS, i.e.
>>>
>>> CPPFLAG
On Sun, Aug 12, 2012 at 5:23 PM, Kaspar Brand wrote:
> On 10.08.2012 01:55, William A. Rowe Jr. wrote:
>> An openssl 'make localinstall' could trivially create the lib, include
>> trees consisting entirely of symlinks to the origin files in the same
>> build tree, and create an appropriate openssl
On Thu, Aug 9, 2012 at 9:42 AM, Joe Orton wrote:
> On Thu, Aug 09, 2012 at 04:56:03AM +0100, Ben Laurie wrote:
>> On Wed, Aug 8, 2012 at 5:03 PM, Joe Orton wrote:
>> > This all seems totally crazy to me. Why are we adding complexity to the
>> > httpd build system so o
On Wed, Aug 8, 2012 at 5:03 PM, Joe Orton wrote:
> On Wed, Aug 08, 2012 at 08:00:25AM +0200, Kaspar Brand wrote:
>> My thinking was that people should explicitly tell configure that they
>> want to link with the libs in a build directory (so that they don't
>> "accidentally" use a directory which
On Wed, Aug 8, 2012 at 2:47 AM, Guenter Knauf wrote:
> On 08.08.2012 07:39, Kaspar Brand wrote:
>
>> On 06.08.2012 22:08, William A. Rowe Jr. wrote:
>>>
>>> On 8/5/2012 10:10 PM, Kaspar Brand wrote:
On 05.08.2012 14:38, Guenter Knauf wrote:
>
> Am 05.08.2012 10:10, schrieb Kasp
On Sun, Aug 5, 2012 at 1:10 AM, Kaspar Brand wrote:
> On 08.07.2012 10:30, Kaspar Brand wrote:
>> On 06.07.2012 14:41, b...@apache.org wrote:
>>> Author: ben
>>> Date: Fri Jul 6 12:41:10 2012
>>> New Revision: 1358167
>>>
>>> URL: http://svn.apache.org/viewvc?rev=1358167&view=rev
>>> Log:
>>> Wor
On Tue, Jul 10, 2012 at 3:16 PM, Jim Jagielski wrote:
> I'd like to propose an Apache httpd 2.4.3 release RSN... I'll RM.
Any chance of getting my RFC 5878 patch in?
I'm working on Certificate Transparency
(http://www.links.org/files/CertificateAuthorityTransparencyandAuditability.pdf).
TL;DR: CAs are a mess, and we need to do something about it.
RFC 5878 adds a TLS extension which permits a server to send extra
"authorisation information" along with the cert
On Thu, Jun 21, 2012 at 10:53 AM, Issac Goldstand wrote:
> On 21/06/2012 12:40, Ben Laurie wrote:
>> 4. Use something that is hard to optimise in hardware (ideally).
> And what about massive sites that need the crypto HW to manage the
> concurrent logins?
I have never come acro
On Wed, Jun 20, 2012 at 1:25 PM, Nick Edwards wrote:
> Hello,
>
> I posted this to users list last week but no-one bit, so I'm trying here.
>
> With md5crypt no longer recommended for use by its author, will Apache
> soon support sha256/sha512 in basic authentication via MySQL.
>
> I understand th
On Wed, May 9, 2012 at 6:26 AM, Paul Querna wrote:
> Heya,
>
> A friend of mine is helping organize the first "C Conf":
>
> http://www.cconf.org/
>
> I think it could be a very interesting conference for those of us that
> still enjoy coding C :-)
Not sure I can make it, but your friend might
Would anyone object to the NPN patch (r1332643) being backported to 2.2 and 2.4?
On Thu, Apr 5, 2012 at 8:34 PM, William A. Rowe Jr. wrote:
> On 4/5/2012 1:14 PM, Claudio Caldato wrote:
>> Hi William,
>>
>> We need more details in order to be able to figure out what is going on. Any
>> chance that you guys have an isolated repo we can use to investigate this
>> issue?
>
> Al
On Sun, Jan 8, 2012 at 4:20 PM, Jim Jagielski wrote:
> How much is "entirely"?
>
> Do the >80char lines in ap_listen.h, ap_mmn.h, ap_mpm.h, ap_provider.h,
> ap_regex.h, ap_regkey.h, ap_slotmem.h, http_core.h, http_protocol,h,
> etc etc etc etc also constitute a rating of "entirely"?
>
> I'd look f
On Wed, Aug 31, 2011 at 9:03 PM, Dirk-Willem van Gulik wrote:
> Suggestion for
>
> http://people.apache.org/~dirkx/CVE-2011-3192.txt
You probably mean "deprecated" not "desecrated", amusing though that is.
Plüm wrote:
> Please add it to the STATUS file of 2.2.x for voting.
Done.
>
> Regards
>
> Rüdiger
>
>> -Original Message-
>> From: Ben Laurie
>> Sent: Monday, 31 July 2006 16:13
>> To: Apache List
>> Subject: Backport PCKS#7
Will it be OK to do this?
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html http://www.links.org/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
William A. Rowe, Jr. wrote:
> Ben Laurie wrote:
>> Ruediger Pluem wrote:
>>> On 07/23/2006 02:10 PM, Ben Laurie wrote:
>>>>>
>>>>> [Sun Jul 23 10:25:14 2006] [info] Loading certificate & private key
>>>>> of SSL-aware server
>
Ruediger Pluem wrote:
>
> On 07/23/2006 02:10 PM, Ben Laurie wrote:
>> Joe Orton wrote:
>
>>
>>> - use APR apr_file_* not ANSI C fopen,
>>
>> I need a FILE *.
>
> Maybe you could use BIO_new_file / PEM_read_bio_PKCS7 as it is done in simil
Joe Orton wrote:
> On Sat, Jul 22, 2006 at 02:27:44PM -, [EMAIL PROTECTED] wrote:
>> Author: ben
>> Date: Sat Jul 22 07:27:43 2006
>> New Revision: 424584
>>
>> URL: http://svn.apache.org/viewvc?rev=424584&view=rev
>> Log:
>> Add PKCS#7 support.
>
> -1. We've had an RTC policy on the stable b
William A. Rowe, Jr. wrote:
> [EMAIL PROTECTED] wrote:
>> Author: ben
>> Date: Sat Jul 22 07:27:43 2006
>> New Revision: 424584
>>
>> URL: http://svn.apache.org/viewvc?rev=424584&view=rev
>> Log:
>> Add PKCS#7 support.
>>
>> Modified:
>> httpd/httpd/branches/2.2.x/modules/ssl/mod_ssl.c
>> h
Nick Kew wrote:
> We have grown accustomed to two separate trust mechanisms
> on the 'net; server certs signed by some authority, or the PGP
> web of trust.
>
> I would like to be able to use PGP trust over the web. That would
> mean (something like) installing a certificate on the server, and
>
David Reid wrote:
Joe Orton wrote:
On Fri, Aug 05, 2005 at 08:00:01PM +0200, Martin Kraemer wrote:
On Tue, Aug 02, 2005 at 07:14:10PM +0200, Martin Kraemer wrote:
I wanted something like
SSLRequire "committers" in SSLPeerExtList("1.3.6.1.4.1.18060.1");
to mean "at least one extension wi
Rian Hunter wrote:
Hi,
Currently there are two approaches we are looking at for mod_smtpd. We
can use the existing request_rec structure, and store smtp specific data
in a structure in the r->request conf vector. With this we can
reuse some of the existing core hooks that make sense
Akins, Brian wrote:
On 6/21/05 5:29 PM, "Nick Kew" <[EMAIL PROTECTED]> wrote:
> (2) http://www.apachecon.com/ - come to our module developers tutorial
> and other talks.
When will there be another apachecon US?
December.
--
>>>ApacheCon Europe<<< http://www.apachecon
Joe Orton wrote:
On Thu, Jun 09, 2005 at 02:57:37PM -, [EMAIL PROTECTED] wrote:
Author: ben
Date: Thu Jun 9 07:57:36 2005
New Revision: 189761
URL: http://svn.apache.org/viewcvs?rev=189761&view=rev
Log:
Die properly when path is bollocks.
Did you mean to commit this to the branch? (giv
Paul Querna wrote:
So, here is my short-list-made-up-this-afternoon of things I would like
to look at doing after 2.2 is branched/released as GA. I welcome
additions too.
1) Eliminate the HTTP in HTTPD. I would like to be able to compile
httpd with --disable-http. Currently the 'http core' is ha
Stephane Bailliez wrote:
Hi,
I'm facing an annoying issue during a PKI deployment and integration
within an organization.
The CA is created with the authority key identifier set as a critical
extension.
OpenSSL (including 0.9.7g) chokes (voluntarily) on critical extensions
and as a default iss
Greg Stein wrote:
On Mon, Apr 04, 2005 at 01:03:27PM -0500, William A. Rowe, Jr. wrote:
At 09:37 AM 4/4/2005, Brad Nicholes wrote:
+1 to Greg's comment, I also think that for new users, having a bunch of little .conf files will be more confusing. For experienced users, they will split up the .co
Greg Stein wrote:
Euh... don't we need one of those for proper operation? Or do they all
have defaults, so a .conf isn't really needed?
Dude, one of my biggest complaints with the whole httpd.conf we ship is
that we have defaults for _everything_. None of it is needed. And I find
it a major PITA
William A. Rowe, Jr. wrote:
Fascinating reading (see the bottom two tables of these pages:
http://www.securityspace.com/s_survey/data/man.200501/srvch.html?server=Apache&revision=Apache%2F1.3.33
http://www.securityspace.com/s_survey/data/man.200501/srvch.html?server=Apache&revision=Apache%2F2.0.52
Sarat S wrote:
Hi,
I apologize if this topic is not relevant to this forum. Please direct
me to the suitable list.
I'm working on a project that aims at augmenting the Apache Web Server
with Audit capability compatible with an audit-enabled operating
system(Mac OS X,Free BSD etc).
What is an "audit
Joe Orton wrote:
On Wed, Feb 02, 2005 at 11:09:47AM +, David Reid wrote:
Joe Orton wrote:
On Wed, Feb 02, 2005 at 10:17:04AM +, David Reid wrote:
Basically this allows us to gain access to the actual cert structure.
I don't like the idea of exposing the X509 * directly especially not
thro
Justin Erenkrantz wrote:
--On Saturday, January 8, 2005 10:43 PM + Ben Laurie
<[EMAIL PROTECTED]> wrote:
Errr... mod_backhand?
mod_backhand doesn't support Apache 2.x:
<http://www.backhand.org/mod_backhand/FAQ.shtml#question0>
Port it?
Jim Jagielski wrote:
I'm currently working on code that extended the lb method
within the 2.1/2.2 proxy from what is basically a
weighted request count to also be a weighted
traffic count (as measured by bytes transferred)
and a weighted "load" count (as measured by response
time). The former is fu
Enrico Weigelt wrote:
* William A. Rowe, Jr. <[EMAIL PROTECTED]> wrote:
http://www.ietf.org/rfc/rfc2817.txt
spells out methods that the server can -insist- that an upgraded
connection is used, and the client can instigate an upgraded
connection as well even if the server doesn't require it.
But un
William A. Rowe, Jr. wrote:
At 06:19 AM 12/11/2004, Dirk-Willem van Gulik wrote:
On Fri, 10 Dec 2004, Justin Erenkrantz wrote:
During ApacheCon, a number of us had talked about holding more frequent
face-to-face meetings (or summits or whatever). Fred is willing to find a
place for us at Apple w
Justin Erenkrantz wrote:
On Sat, 11 Dec 2004, Dirk-Willem van Gulik wrote:
Sounds a lot more feasible than travelling to .us for a hack.
But I'm wondering what this actually achieves? Sure, it gets people
to focus on Getting Things Done, but a *scheduled* IRC+pastebin-based
hackathon could do that
Jeff Trawick wrote:
pid_t is long on Solaris
+1
Index: src/modules/standard/mod_log_forensic.c
===
RCS file: /home/cvs/apache-1.3/src/modules/standard/mod_lo
Jim Jagielski wrote:
On Apr 13, 2004, at 11:13 AM, Jim Jagielski wrote:
static const char *set_bs2000_account(cmd_parms *cmd, void *dummy, char
*name)
{
@@ -3395,6 +3446,9 @@
"An HTTP authorization type (e.g., \"Basic\")" },
{ "AuthName", set_authname, NULL, OR_AUTHCFG, TAKE1,
"The authen
Jeff Trawick wrote:
André Malo wrote:
* Jeff Trawick <[EMAIL PROTECTED]> wrote:
André Malo wrote:
* Jeff Trawick <[EMAIL PROTECTED]> wrote:
somehow I doubt there will be any problems at all getting it
approved, but
nobody acted as a champion thus far and asked for approval themselves
In
Jeff Trawick wrote:
2) Get approval to commit to stable branch
(no attempt made IIRC; typical action is to propose a vote in STATUS
file of stable branch and await comments or votes)
Done! Votes please...
How come it wasn't in 2.0.49?
Cheers,
Ben.
Bojan Smojver wrote:
On Thu, 2004-03-18 at 06:35, Greg Stein wrote:
hehe... it's probably because I sympathize. Back in '96, when I went to
work for Microsoft, I caught some heat from some random guy in the Python
community. When Guido replied with, effectively, "oh, shut the hell up.
Greg's cont
Mathihalli, Madhusudan wrote:
Somehow the message just went to Sander !
-Madhu
-Original Message-
From: Mathihalli, Madhusudan
Sent: Friday, March 19, 2004 11:01 AM
To: 'Sander Striker'
Subject: RE: SEGV in allocator_free
-Original Message-
From: Sander Striker [mailto:[EMA
Justin Erenkrantz wrote:
--On Tuesday, March 16, 2004 8:19 PM + Ben Laurie
<[EMAIL PROTECTED]> wrote:
c) You appear to be assuming daily snapshots maintained forever in your
story - if so, how do you deal with network problems and the like? How
can you tell a commit that didn't
William A. Rowe, Jr. wrote:
At 11:27 AM 3/16/2004, Ben Laurie wrote:
Justin Erenkrantz wrote:
--On Monday, March 15, 2004 10:52 AM + Ben Laurie <[EMAIL PROTECTED]> wrote:
It is? How? Unless the committer signs (which ISTR was rejected as an option
when I suggested it, so I'
Justin Erenkrantz wrote:
--On Tuesday, March 16, 2004 5:27 PM + Ben Laurie
<[EMAIL PROTECTED]> wrote:
I don't see how this defends against a malicious user that has owned the
server for long enough for his changes to have been rsynced to the
"secure"
server?
Beca
Justin Erenkrantz wrote:
--On Monday, March 15, 2004 10:52 AM + Ben Laurie
<[EMAIL PROTECTED]> wrote:
It is? How? Unless the committer signs (which ISTR was rejected as an
option
when I suggested it, so I'm assuming that doesn't happen), then they
must be
signed b
Justin Erenkrantz wrote:
--On Sunday, March 14, 2004 11:18 PM -0600 "William A. Rowe, Jr."
<[EMAIL PROTECTED]> wrote:
as the GNU, ASF, and SF projects all discovered, full backups by third
parties are invaluable. What is the equivalent to rsync, and is it as
stable?
I think you mean cvsup not r
[EMAIL PROTECTED] wrote:
jorton 2004/03/10 13:54:17
Modified: modules/ssl ssl_engine_log.c
Log:
* modules/ssl/ssl_engine_log.c (ssl_log_annotate, ssl_log_annotation,
ssl_log_ssl_error): const-ify annotation strings and simplify
ssl_log_annotation.
-static char *ssl_log_annotatio
Ghanta, Bose wrote:
Dear Ben and OpenSSL Team members,
Could you kindly answer the following question from one of my group
members? I very much appreciate it.
I was working on what I originally thought was a bug in our FTP client.
Your ftp site has a very long banner (due to the crypto warnin
Roy T. Fielding wrote:
However I completely disagree that Python (or Perl or PHP) is
a good choice for use in build systems.
As part of the configure process, I would agree with you, but as part of
buildconf, I disagree--not everyone needs to run buildconf--only
developers, and if you're
Jeff Trawick wrote:
Jim Jagielski wrote:
I'd like to float the idea of releasing 1.3.30 "soonish".
Not only are there enough changes to warrant a release, but
also to coincide with the changeover to AL 2.0.
one question: who would support putting the 1.3 versions of
mod_backtrace and mod_whatk
[EMAIL PROTECTED] wrote:
Ben Laurie wrote:
[EMAIL PROTECTED] wrote:
[EMAIL PROTECTED] wrote:
or Joshua's "virtual" keyword on , which I like better
the more I think about it.
ooops... s/Joshua/André/
but Joshua has excellent points about "virtualness" being a
[EMAIL PROTECTED] wrote:
[EMAIL PROTECTED] wrote:
or Joshua's "virtual" keyword on , which I like better the
more I think about it.
ooops... s/Joshua/André/
but Joshua has excellent points about "virtualness" being a property of
the handler. Yes, the server-status handler should know that i
Colm MacCarthaigh wrote:
On Mon, Jan 26, 2004 at 06:28:03PM +, Colm MacCarthaigh wrote:
I'd love to find out what's causing your worker failures. Are you using
any thread-unsafe modules or libraries?
Not to my knowledge, I wasn't planning to do this till later, but
I've bumped to 2.1, I'll tr
Jeff Trawick wrote:
Ben Laurie wrote:
Jeff Trawick wrote:
See http://www.apache.org/~trawick/exception_hook_13.html
You should make the logged strings safe, like mod_log_forensic does,
and I think the format should be compatible (which means no space
after the colon).
Thanks for taking a
Jeff Trawick wrote:
See http://www.apache.org/~trawick/exception_hook_13.html
There is a small patch to Apache 1.3 required to make the sample modules
work. This is analogous to the toys using the Apache 2.1 exception hook
which are described at http://www.apache.org/~trawick/exception_hook.ht
Brad Nicholes wrote:
Broken??? jorton already fixed up the INCLUDE path.
Ooops. Guess I screwed up, it didn't build for me. Try again. Sorry.
[EMAIL PROTECTED] wrote:
bnicholes 2004/01/03 11:18:53
Modified: modules/loggers mod_log_forensic.c
Log:
Don't hardcode the location of the test_char.h header. The path should be added to
the INCLUDE path.
This patch is broken. Don't make me reverse it.
Joe Orton wrote:
On Sat, Jan 03, 2004 at 04:31:32PM -, [EMAIL PROTECTED] wrote:
ben 2004/01/03 08:31:32
Modified: server gen_test_char.c
Log:
Make forensic logging safe for POST data. The issue with strchr and NUL is
a red herring.
I don't think this is a safe change: 0 is
André Malo wrote:
* [EMAIL PROTECTED] wrote:
/* e is the first _invalid_ location in q
N.B. returns the terminating NUL.
*/
static char *log_escape(char *q, const char *e, const char *p)
{
for ( ; *p ; ++p) {
assert(q < e);
if (*p < ' ' || *p >= 0x7f || *p == '|' |
[EMAIL PROTECTED] wrote:
nd 2004/01/02 15:35:59
Modified: modules/loggers mod_log_forensic.c
Log:
prevent module from segfaulting when not configured.
Ooops, forgot to bring that forward from 1.3. Thanks.
Cheers,
Ben.
[EMAIL PROTECTED] wrote:
nd 2004/01/01 05:26:26
Log:
update license to 2004.
Why? Unless the file changes in 2004, the copyright doesn't. And, in any
case, the earliest date applies, so it gets us nowhere.
Cheers,
Ben.
Sander Striker wrote:
On Tue, 2003-12-30 at 19:52, Ben Laurie wrote:
I realise that having the value of getpid() and time() to hand is useful
for forensic purposes, but a getpid():time():next_id++ will result in
duplicates across even small clusters.
Ah, I see :-) does mod_unique_id handle that
Colm MacCarthaigh wrote:
On Tue, Dec 30, 2003 at 11:49:37AM +, Ben Laurie wrote:
Could the forensic_id be tied in with mod_unique_id? It seems confusing
to have two different methods to generate unique id's for requests. Also
with unique_id, I can see it being useful to make CGI'
Bill Stoddard wrote:
Bill Stoddard wrote:
Ben Laurie wrote:
Bill Stoddard wrote:
Ben Laurie wrote:
If it does nothing unless a file is specified, why not enable by
default?
Like Jeff, I am more interested in this for debugging process
crashes that are not necessarily related to attacks
for example:
* CustomLog logs/custom "%h %l %u %t \"%r\" %>s %b %{forensic-id}n"
*
* Credit is due to Tina Bird <[EMAIL PROTECTED]>, whose
* idea this module was.
*
* Ben Laurie 29/12/2003
*/
#include "httpd.h"
#include "http_config.h&q
David Reid wrote:
Colm MacCarthaigh wrote:
On Mon, Dec 29, 2003 at 01:39:28PM +, Ben Laurie wrote:
So, I've written a forensic logging module. What this does is log the
request as soon as all the headers have been read, then log again when
its complete. Any request that doesn'
Colm MacCarthaigh wrote:
On Mon, Dec 29, 2003 at 01:39:28PM +, Ben Laurie wrote:
So, I've written a forensic logging module. What this does is log the
request as soon as all the headers have been read, then log again when
its complete. Any request that doesn't complete should
Jeff Trawick wrote:
Ben Laurie wrote:
If it does nothing unless a file is specified, why not enable by default?
to avoid silent growth in the set of code built into somebody's
server... when does somebody have to add "--disable-foo" to create a
build compatible with what th
Bill Stoddard wrote:
Ben Laurie wrote:
If it does nothing unless a file is specified, why not enable by default?
Like Jeff, I am more interested in this for debugging process crashes
that are not necessarily related to attacks. Might be useful to enable
this function by default in a mode where
Jeff Trawick wrote:
Ben Laurie wrote:
One of the problems that crops up depressingly often is that someone
gets owned, and they can't find out why. This is generally because the
offending request didn't get logged, because the server died before it
logged it.
far more often th
bana-Champaign.
*/
/*
* See also support/check_forensic.
* Relate the forensic log to the transfer log by including
* %{forensic-id}n in the custom log format, for example:
* CustomLog logs/custom "%h %l %u %t \"%r\" %>s %b %{forensic-id}n"
* Ben Laurie 29/12/20
Dirk-Willem van Gulik wrote:
On Thu, 18 Dec 2003, Greg Marr wrote:
Couldn't the new member be placed at the end of the request rec so
that it's only a minor bump?
Sure - does that work across all compilers ?
Yes.
Cheers,
Ben.
Dirk-Willem van Gulik wrote:
This doesn't appear to check that the timestamp is anywhere near now,
which would prevent same-site replays...
Correct - the trouble with timestamp checks is that ?most/some? browsers
will NOT cache the password the user has entered; but the 'response' (i.e.
nonce+rea
Dirk-Willem van Gulik wrote:
Right now we do not verify the nonce using in digest. This means that
an attacker can replay the response from another site or section
on the web site if
-> the users username+password is the same across the site.
-> the realm name is the same
Unfortunately that is
Dirk-Willem van Gulik wrote:
Unless I missed something we nicely issue a nonce during digest auth
(based on r->request_time) - but when the reply comes in with an
(Proxy-)Authenticate header we use the nonce provided by the client; and
do not check if it was any where near reasonably likely that w
[EMAIL PROTECTED] wrote:
nd 2003/12/14 10:16:50
Modified: src CHANGES
src/include ap_mmn.h httpd.h
src/main http_log.c util.c
Log:
SECURITY [CAN-2003-0020]: escape arbitrary data before writing into the
errorlog.
Index: http_log.c
==
Aaron Bannert wrote:
On Thu, Dec 11, 2003 at 01:50:46PM -0600, William A. Rowe, Jr. wrote:
But the 2.0 architecture is entirely different. We need a poll but it's not entirely
obvious where to put one...
One suggestion raised in a poll bucket: when a connection level filter cannot
read anything