Re: Re: Re: CVE-2013-5704 fix breaks mod_wsgi

2015-01-13 Thread Graham Dumpleton
On 14 January 2015 at 09:10, wrote: > > > > - Original Message - > Subject: Re: Re: CVE-2013-5704 fix breaks mod_wsgi > From: "Graham Dumpleton" > Date: 1/12/15 11:34 pm > To: "dev@httpd.apache.org" > > > But the damage has

Re: Re: CVE-2013-5704 fix breaks mod_wsgi

2015-01-13 Thread Graham Dumpleton
If interested, my initial blog post about the issue in relation to mod_wsgi is now posted at: * http://blog.dscpl.com.au/2015/01/important-modwsgi-information-about.html The link to that has also been posted on the mod_wsgi mailing list and Twitter. Graham On 13 January 2015 at 16:34, Graham

Re: Re: CVE-2013-5704 fix breaks mod_wsgi

2015-01-12 Thread Graham Dumpleton
> But the damage has been done for some months on 2.2, and we are noticing this, now? All distros still shipping Apache 2.2 still are using older mod_wsgi 3.X versions which I don't at this point believe are affected by this issue. People who build stuff from source code themselves would be using

Re: CVE-2013-5704 fix breaks mod_wsgi

2015-01-12 Thread Graham Dumpleton
morrow, as well as work on the hack that tries to infer the request_rec size to work out if the CVE change has been back ported. Graham On 12 January 2015 at 23:20, Graham Dumpleton wrote: > On 12 January 2015 at 22:27, Joe Orton wrote: > >> On Sat, Jan 10, 2015 at 09:04:12AM +1

Re: CVE-2013-5704 fix breaks mod_wsgi

2015-01-12 Thread Graham Dumpleton
On 12 January 2015 at 22:27, Joe Orton wrote: > On Sat, Jan 10, 2015 at 09:04:12AM +1100, Graham Dumpleton wrote: > > 1. Verify that recompiling mod_wsgi is actually sufficient given that my > > direct use of request_rec isn't going to populate the extra fields and > th

Re: CVE-2013-5704 fix breaks mod_wsgi

2015-01-09 Thread Graham Dumpleton
#else rv = apr_socket_wait(sock, APR_WAIT_WRITE); #endif Either way, a minor tweak to mod_wsgi code. Graham On 10 January 2015 at 14:28, Graham Dumpleton wrote: > FWIW, there is potentially another issue for mod_wsgi coming up as well. > Seems that I was using an APR function which was tag

Re: CVE-2013-5704 fix breaks mod_wsgi

2015-01-09 Thread Graham Dumpleton
update APR soon as well as httpd. Graham On 10 January 2015 at 09:04, Graham Dumpleton wrote: > Thanks for the heads up and I appreciate very much the steps you are > taking to limit possible effects. > > What I will do is the following: > > 1. Verify that recompiling mo

Re: CVE-2013-5704 fix breaks mod_wsgi

2015-01-09 Thread Graham Dumpleton
Thanks for the heads up and I appreciate very much the steps you are taking to limit possible effects. What I will do is the following: 1. Verify that recompiling mod_wsgi is actually sufficient given that my direct use of request_rec isn't going to populate the extra fields and they will remain

Re: mod_fcgid kill all subprocesses in reload

2014-12-25 Thread Graham Dumpleton
Sounds like it would perhaps be for the same reason as mod_wsgi has issues with that sort of thing. Only Apache child worker processes get special dispensation as far as graceful shutdowns or reloads are concerned. If instead a module creates additional processes using the other child API calls in

Re: commercial support

2014-11-23 Thread Graham Dumpleton
On 24 November 2014 at 04:59, Jeff Trawick wrote: > > If you're doing Python web apps it would be cool to "pip install httpd > FRAMEWORK-httpd-wiring" and have a command that wires it up based on > framework settings and a bit of other declarative configuration. (similar > for other ecosystems w

Re: MAJOR SECURITY-PROBLEM Apache 2.4.6

2014-10-21 Thread Graham Dumpleton
On 22 October 2014 13:51, Yehuda Katz wrote: > On Wed, Oct 1, 2014 at 2:19 PM, Eric Covener wrote: > >> >> On Wed, Oct 1, 2014 at 2:16 PM, Eric Covener wrote: >> >>> To me, this does not exonerate mod_php, it implicates it. I suspect >>> your source code is served because PHP swallowed the Lim

Re: [RFC] CGIPassHeader Authorization|Proxy-Authorization|...

2014-08-18 Thread Graham Dumpleton
o the > credentials anyway. > > As for the passing right now, you don't need the whole mod_rewrite > machinery > for this: > > SetEnvIf Authorization (.+) HTTP_AUTHORIZATION=$1 > > that's, what I've been using so far :) > > nd > > * Graham Dumple

Re: [RFC] CGIPassHeader Authorization|Proxy-Authorization|...

2014-08-16 Thread Graham Dumpleton
A few comments on this. The first is that mod_wsgi originally never allowed its WSGIPassAuthorization directive in a htaccess file, and then when it did first allow it, it was only honoured if AuthConfig was allowed for that context. I kept having people who needed that ability when they had a

Re: Apache2 crashes with segmentation fault

2014-07-17 Thread Graham Dumpleton
> > I already used the directive WSGIApplicationGroup %{GLOBAL} to run in the > main interpreter context but the issue persists after executing apache > graceful or reload. > > Regards > > > > 2014-07-16 13:44 GMT+00:00 Graham Dumpleton : > > It is well known that the lxml

Re: Apache2 crashes with segmentation fault

2014-07-16 Thread Graham Dumpleton
It is well known that the lxml package doesn't work properly in a Python sub interpreter context. Force it to run in the main interpreter context. See: http://code.google.com/p/modwsgi/wiki/ApplicationIssues#Python_Simplified_GIL_State_API In other words look at using: WSGIApplicationGroup %{GL

Re: Issue with connect() call made in mod_proxy_fdpass?

2014-06-01 Thread Graham Dumpleton
Ahh, I am partly being a goose. I kept reading that strlen() as sizeof() when reading the manual page. :-( Graham On 1 June 2014 21:44, Jeff Trawick wrote: > On Sun, Jun 1, 2014 at 3:10 AM, Graham Dumpleton > wrote: > >> What I don't quite understand is why th

Re: Issue with connect() call made in mod_proxy_fdpass?

2014-06-01 Thread Graham Dumpleton
What I don't quite understand is why the Linux manual pages: http://man7.org/linux/man-pages/man7/unix.7.html are even promoting the style: offsetof(struct sockaddr_un, sun_path) + strlen(sun_path) + 1 That would produce a length which is technically 1 greater than what the size of sockaddr_

Issue with connect() call made in mod_proxy_fdpass?

2014-05-30 Thread Graham Dumpleton
In mod_proxy_fdpass there is a function socket_connect_un(): https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/proxy/mod_proxy_fdpass.c which contains the code: rv = connect(rawsock, (struct sockaddr*)sa, sizeof(*sa) + strlen(sa->sun_path)); Can

Re: modules calling ap_lingering_close()!!!

2014-02-20 Thread Graham Dumpleton
On 21 February 2014 02:23, Joe Orton wrote: > On Thu, Feb 20, 2014 at 07:52:34AM -0500, Jeff Trawick wrote: > > WSGI 3.4 daemon mode crashing with httpd 2.4.x... > > > > Program received signal SIGSEGV, Segmentation fault. > > [Switching to Thread 0xaef17b70 (LWP 32761)] > > 0x08078a32 in update_

Re: triggering a process recreation of a child process

2013-11-17 Thread Graham Dumpleton
On 17 November 2013 22:05, jean-frederic clere wrote: > Hi, > > Is there a way to trigger a clean recreation of a child from a module? > See the apr_proc_other_child_*() family of functions. For an example, go look at the implementation of mod_cgid. Graham

Re: Regarding mod_wsgi and fastcgi modules

2013-07-12 Thread Graham Dumpleton
For mod_wsgi the mailing list details can be found at: http://code.google.com/p/modwsgi/wiki/WhereToGetHelp?tm=6#Asking_Your_Questions If you actually have thoughts about working on the mod_wsgi code, as opposed to just using it, then suggest you drop a message on the mod_wsgi mailing list with

Re: Can a module find out, whether another module is present?

2013-02-05 Thread Graham Dumpleton
On 6 February 2013 10:53, Mikhail T. wrote: > On 05.02.2013 18:25, Graham Dumpleton wrote: > > If in the Apache parent process, you would still have to call Tcl_Finalize() > at some point wouldn't you to ensure that all memory is reclaimed? > > I don't think so. I

Re: Can a module find out, whether another module is present?

2013-02-05 Thread Graham Dumpleton
Is this being done in the Apache parent process or only in the child processes? If in the Apache parent process, you would still have to call Tcl_Finalize() at some point wouldn't you to ensure that all memory is reclaimed? One of the flaws early on in mod_python was that it didn't destroy the Py

Re: Can a module find out, whether another module is present?

2013-02-05 Thread Graham Dumpleton
compile. They can only ever keep this up for Apache 2.2 though, as 2.4 differences were too great and minor patches will not make it work there. Graham On 6 February 2013 09:30, Mikhail T. wrote: > On 05.02.2013 17:14, Graham Dumpleton wrote: > > In the next version of mod_wsgi th

Re: Can a module find out, whether another module is present?

2013-02-05 Thread Graham Dumpleton
Don't know if will be applicable in the case of those modules or not, but mod_python and mod_wsgi have similar conflicts over Python interpreter initialisation and destruction and have had to do a little dance over who gets precedence to ensure things don't crash. In the next version of mod_wsgi t

Re: The Case for a Universal Web Server Load Value

2012-11-12 Thread Graham Dumpleton
You say: """I have traditional Unix-type load-average and the percentage of how "idle" and "busy" the web-server is. But is that enough info? Or is that too much? How much data should the front-end want or need? Maybe a single agreed-upon value (ala "load average") is best... maybe not. These are

Re: Survery: how do you use httpd?

2011-10-31 Thread Graham Dumpleton
On 31 October 2011 18:24, William A. Rowe Jr. wrote: > On 10/31/2011 2:19 AM, Sander Temme wrote: >> Dear Apache developers/users, >> >> I have created a quick survey to see how YOU use Apache and what is >> important to you: >> >> http://www.surveymonkey.com/s/HFGDY3C >> >> It's only eight quest

Re: PHP5.3.6

2011-03-18 Thread Graham Dumpleton
On 18 March 2011 07:24, Rich Bowen wrote: > I wanted to be sure that folks are aware of what's going on in the > Windows/PHP world. I know that, in one sense, it's not our problem, but it > *feels* like our problem to me, and to many of our users. > > PHP5.3.6 was just released, and the Windows

Re: Inspiration for mod_lua

2010-12-30 Thread Graham Dumpleton
On 31 December 2010 10:56, William A. Rowe Jr. wrote: > On 12/30/2010 3:25 PM, Graham Dumpleton wrote: >> On 31 December 2010 07:37, Brian McCallister wrote: >>> 2010/12/28 Igor Galić : >>>> Hey folks, >>>> >>>> I'm looking for some

Re: Inspiration for mod_lua

2010-12-30 Thread Graham Dumpleton
On 31 December 2010 07:37, Brian McCallister wrote: > 2010/12/28 Igor Galić : >> Hey folks, >> >> I'm looking for some inspiration on how to make good use of >> mod_lua. Those familiar with its documentation, might find >> it a little bit lacking in this regard. > > My original aim (and what I sti

Re: rational behind not checking the return value of apr_palloc and apr_pcalloc

2010-09-01 Thread Graham Dumpleton
On 1 September 2010 20:15, Graham Leggett wrote: > On 01 Sep 2010, at 6:07 AM, dave b wrote: > >> What is the rational behind not checking the return value of >> apr_palloc and apr_pcalloc? > > The rationale is to not be forced to check for and handle hundreds of > potential failure cases when you

Re: rational behind not checking the return value of apr_palloc and apr_pcalloc

2010-08-31 Thread Graham Dumpleton
On 1 September 2010 14:07, dave b wrote: > What is the rational behind not checking the return value of > apr_palloc and apr_pcalloc? Specifically here talking about why HTTPD code doesn't check. Ie., core server code and modules supplied with HTTPD. I am clarifying this because he is hitting up

Re: HTTPD upgraded on eos -> 2.3.8

2010-08-24 Thread Graham Dumpleton
On 25 August 2010 10:10, Tony Stevenson wrote: > On Wed, Aug 25, 2010 at 01:04:01AM +0100, Tony Stevenson wrote: > >> Had to comment out an output filter line in the main httpd.conf (line 117) > > More specifically had to disable deflate -  "AddOutputFilterByType DEFLATE > text/html text/plain te

Re: Failing startup for vhost configuration problems

2010-08-05 Thread Graham Dumpleton
On Thursday, August 5, 2010, Niklas Edmundsson wrote: > On Thu, 5 Aug 2010, Graham Dumpleton wrote: > > > On Thursday, August 5, 2010, Stefan Fritsch wrote: > > On Tuesday 03 August 2010, Dan Poirier wrote: > > I'd like to propose that in 2.3/2.4, we fail startup

Re: Failing startup for vhost configuration problems

2010-08-04 Thread Graham Dumpleton
On Thursday, August 5, 2010, Stefan Fritsch wrote: > On Tuesday 03 August 2010, Dan Poirier wrote: >> I'd like to propose that in 2.3/2.4, we fail startup for any of the >> virtual host misconfigurations for which behavior is undefined but >> right now we only issue a warning. >> >> E.g. no Virtua

Re: [PATCH] tproxy2 patch to the apache 2.2.15

2010-08-03 Thread Graham Dumpleton
2010/8/4 Daniel Ruggeri : > On 8/3/2010 9:57 AM, JeHo Park wrote: >> hello ~ >> it's my first mail to apache dev .. and i am beginner of the apache. :-) >> Anyway ... recently, i wrote transparent proxy [tproxy2] patch to the >> httpd-2.2.15 >> because i needed web proxy and needed to know the sour

Re: 2.3 upgrade on apache.org

2010-07-18 Thread Graham Dumpleton
On Monday, July 19, 2010, William A. Rowe Jr. wrote: > On 7/18/2010 12:58 PM, Paul Querna wrote: >> >> We have now disabled Sendfile on apache.org, and the load average >> dropped from ~80 to 0.35. > > Wow. > > Is it unreasonable for us to change the API to disable sendfile as the default > from 2

Re: Problem with mod_fcgid handling ErrorDocuments

2010-07-06 Thread Graham Dumpleton
On 7 July 2010 11:43, Graham Dumpleton wrote: > On 6 July 2010 22:56, Edgar Frank wrote: >> Hi mod_fcgid developers, >> >> I'm currently exploring a potential problem with mod_fcgid. >> Let's assume a setup with mod_security and mod_fcgid >> (has nothi

Re: Problem with mod_fcgid handling ErrorDocuments

2010-07-06 Thread Graham Dumpleton
On 6 July 2010 22:56, Edgar Frank wrote: > Hi mod_fcgid developers, > > I'm currently exploring a potential problem with mod_fcgid. > Let's assume a setup with mod_security and mod_fcgid > (has nothing to do with mod_security itself - it just helps to > trigger the problem). > > Now we have a larg

Re: What's next for 2.2 and 2.3/trunk?

2010-06-02 Thread Graham Dumpleton
On 3 June 2010 10:40, Sander Temme wrote: > > On Jun 1, 2010, at 9:08 AM, Jim Jagielski wrote: > >> Considering that 2.3/trunk is back to limbo-land, I'd like >> to propose that we be more "aggressive" is backporting some >> items. Even if under experimental, it would be nice if slotmem >> and soc

Re: detecting .htaccess in a per-dir directive handler (control mod_fcgid FcgidWrapper use in htaccess via per-server config)

2010-05-17 Thread Graham Dumpleton
On 18 May 2010 05:13, Jeff Trawick wrote: > mod_fcgid unfortunately allows the FcgidWrapper directive to be > overridden in htaccess when AllowOverride FileInfo is declared.  In > all likelihood some users need that (the feature was contributed and > added in mod_fcgid 2.1, it is especially handy

Re: apache module's privileges

2009-12-15 Thread Graham Dumpleton
2009/12/16 Dan Poirier : > Jordi Prats writes: > >> If you start apache with root as usual, you realize that every module >> is able to run code with root privileges: > ... >> Why is coded this way? Shouldn't run with lower privileges? > > No.  That's not the purpose of apache modules. There is a

Re: [mod_fcgid] Feedback / Suggestions

2009-11-25 Thread Graham Dumpleton
2009/11/25 Edgar Frank : >> On Tue, Nov 24, 2009 at 05:07 PM, Jeff Trawick wrote: >> >>> Or otherwise, can someone explain the details to me why it is as it is? >> >>> Especially in terms of not pipeling data directly (maybe after a little >> >>> buffering to build proper FCGI packets)? The commen

Re: MPM-Module perchild

2009-11-23 Thread Graham Dumpleton
2009/11/23 Jeff Trawick : > On Mon, Nov 23, 2009 at 4:40 AM, > wrote: >> Hello, >> >> We have an internal project where we need the MPM module perchild. The >> Apache 2.0 documentation says that the development is not completed. I >> talked to my boss and he says I could take maybe any necessary r

Re: MPM-Module perchild

2009-11-23 Thread Graham Dumpleton
2009/11/23 : > Hello, > > We have an internal project where we need the MPM module perchild. The > Apache 2.0 documentation says that the development is not completed. I > talked to my boss and he says I could take maybe any necessary residual > activities, (depending on the size). Therefore, the

Re: [VOTE] release 2.3.3 as alpha

2009-11-12 Thread Graham Dumpleton
2009/11/12 Graham Dumpleton : > FWIW, the @??@ symbols are coming from apu-1-config because they are > never expanded by configure script for apr-util. Ie., snippet from > apu-1-config is: > > LIBS="-lexpat -liconv" > INCLUDES="" > LDFLAGS="

Re: [VOTE] release 2.3.3 as alpha

2009-11-12 Thread Graham Dumpleton
" This has occurred because autoconf hadn't been run to regenerate configure script last time I updated from subversion. Must have missed it. Remember to do it for apr. :-( Trying again now. Graham 2009/11/12 Graham Dumpleton : > 2009/11/12 Graham Dumpleton : >> 2009/

Re: [VOTE] release 2.3.3 as alpha

2009-11-12 Thread Graham Dumpleton
2009/11/12 Graham Dumpleton : > 2009/11/12 Paul Querna : >> On Wed, Nov 11, 2009 at 10:33 PM, Graham Dumpleton >> wrote: >>> 2009/11/12 Paul Querna : >>>> Test tarballs for Apache httpd 2.3.3-alpha are available at: >>>>    <http://http

Re: [VOTE] release 2.3.3 as alpha

2009-11-12 Thread Graham Dumpleton
2009/11/12 Paul Querna : > On Wed, Nov 11, 2009 at 10:33 PM, Graham Dumpleton > wrote: >> 2009/11/12 Paul Querna : >>> Test tarballs for Apache httpd 2.3.3-alpha are available at: >>>    <http://httpd.apache.org/dev/dist/> >>> >>> Your votes

Re: [VOTE] release 2.3.3 as alpha

2009-11-11 Thread Graham Dumpleton
2009/11/12 Paul Querna : > Test tarballs for Apache httpd 2.3.3-alpha are available at: >     > > Your votes please; > >  +/- 1 >  [  ]  Release httpd-2.3.3 as Alpha > > Vote closes at 18:00 UTC on Sunday November 15 2009. > > Thanks, > > Paul > What APR/APR-UTIL

Re: mod_fcgid: different instances of the same program

2009-11-09 Thread Graham Dumpleton
2009/11/10 Jeff Trawick : > On Mon, Nov 9, 2009 at 5:16 PM, Danny Sadinoff > wrote: >> Here are two details of mod_fcgid process management that I've just >> learned after a long debug session and squinting at the mod_fcgid >> code. >> >> 1) symlinks & you. >> It seems that mod_fcgid identifies f

Re: Httpd 3.0 or something else

2009-11-05 Thread Graham Dumpleton
2009/11/5 Graham Leggett : > Jim Jagielski wrote: > >> Let's get 2.4 out. And then let's rip it to shreds and drop >> buckets/brigades and fold in serf. > > I think we should decide on exactly what problem we're trying to solve, > before we start thinking about how it is to be solved. > > I'm keen

Re: [mod_fcgid] How to share between vhosts (and extensions)

2009-09-23 Thread Graham Dumpleton
FWIW, the Python specific hosting module called mod_wsgi for Apache implements named daemon process groups, with ability to control how WSGI applications are delegated to which process group. This includes being able to optionally have process group selected based on value of ENV value set by mod_r

Re: DO NOT REPLY [Bug 47087] Incorrect request body handling with Expect: 100-continue if the client does not receive a transmitted 300 or 400 response prior to sending its body

2009-08-29 Thread Graham Dumpleton
2009/8/30 Nick Kew : > > On 27 Aug 2009, at 17:22, bugzi...@apache.org wrote: > >> It appears that Apache is violating this paragraph from RFC 2616: >> >>      - Upon receiving a request which includes an Expect request-header >>        field with the "100-continue" expectation, an origin server MU

Re: Catching graceful restart in apache2 module

2009-08-04 Thread Graham Dumpleton
2009/8/4 Graham Dumpleton : > 2009/8/4 Ruediger Pluem : >> >> >> On 08/04/2009 09:02 AM, Graham Dumpleton wrote: >>> 2009/8/4 Petr Hracek : >>>> I have found in following link: (http://wiki.apache.org/httpd/ModuleLife) >>>> >>>> R

Re: Catching graceful restart in apache2 module

2009-08-04 Thread Graham Dumpleton
2009/8/4 Ruediger Pluem : > > > On 08/04/2009 09:02 AM, Graham Dumpleton wrote: >> 2009/8/4 Petr Hracek : >>> I have found in following link: (http://wiki.apache.org/httpd/ModuleLife) >>> >>> Race conditions during graceful restart >>> >>>

Re: Catching graceful restart in apache2 module

2009-08-04 Thread Graham Dumpleton
2009/8/4 Petr Hracek : > I have found in following link: (http://wiki.apache.org/httpd/ModuleLife) > > Race conditions during graceful restart > > During a graceful restart, old children are still serving old requests while > new children are serving new requests. If the same lock must be used by o

Re: Events, Destruction and Locking

2009-07-08 Thread Graham Dumpleton
2009/7/9 Rainer Jung : > On 08.07.2009 15:55, Paul Querna wrote: >> On Wed, Jul 8, 2009 at 3:05 AM, Graham >> Dumpleton wrote: >>> 2009/7/8 Graham Leggett : >>>> Paul Querna wrote: >>>> >>>>> It breaks the 1:1: connection mapping to

Re: Help with worker.c

2009-07-08 Thread Graham Dumpleton
In case you haven't already found it, ensure you have a read of: http://www.fmc-modeling.org/category/projects/apache/amp/4_3Multitasking_server.html It may not address the specific question, but certainly will give you a better overall picture. The rest of that book is also worth reading as

Re: Events, Destruction and Locking

2009-07-08 Thread Graham Dumpleton
2009/7/8 Graham Leggett : > Paul Querna wrote: > >> It breaks the 1:1: connection mapping to thread (or process) model >> which is critical to low memory footprint, with thousands of >> connections, maybe I'm just insane, but all of the servers taking >> market share, like lighttpd, nginx, etc, all

Re: Where Do I Create Queues in MPM Worker

2009-07-07 Thread Graham Dumpleton
2009/7/7 ricardo13 : > > > > Graham Dumpleton-2 wrote: >> >> 2009/7/7 ricardo13 : >>> >>> Hi, >>> >>> Sorry, I didn't know that was in wrong forum. What's the best list to >>> write >>> this doubt ?? >>

Re: Where Do I Create Queues in MPM Worker

2009-07-07 Thread Graham Dumpleton
get" all requests from > worker_queue2. By what criteria would requests get delegated to each queue? In other words, what is the high level outcome you are trying to achieve. For example, are you trying to give priority to certain virtual hosts or listener ports??? Graham > That is wha

Re: Where Do I Create Queues in MPM Worker

2009-07-06 Thread Graham Dumpleton
Rather than keep demanding an answer to how to do whatever it is you want, that you explain why you want to do it in the first place. Given what looks like a rather inadequate knowledge of Apache, it is quite likely you are going about it all the completely wrong way. So, give some context about wh

Re: httpd initd daemon

2009-06-29 Thread Graham Dumpleton
2009/6/29 Yahav : > > i would like to set the httpd instance to run as standard linux daemon. the > daemon should be controlled by the init daemon. the problem is that the > apachectl that runs the httpd is starting the main server process then > forking N StarServers and return 0 or something else

Re: Mitigating the Slowloris DoS attack

2009-06-24 Thread Graham Dumpleton
2009/6/24 Kevin J Walters : > >> "M" == Matthieu Estrade writes: > > M> More granular timeout and maybe adaptative timeout is also IMHO a good > M> way to improve resistance to this kind of attack. > > The current 1.3, 2.0 and 2.2 documentation is in agreement too! > > I believe the ssl module

Re: Mitigating the Slowloris DoS attack

2009-06-22 Thread Graham Dumpleton
2009/6/23 Weibin Yao : > William A. Rowe, Jr. at 2009-6-23 2:00 wrote: >> >> Andreas Krennmair wrote: >> >>> >>> * Guenter Knauf [2009-06-22 04:30]: >>> wouldnt limiting the number of simultanous connections from one IP already help? F.e. something like: http://gpl.net.ua/modip

Re: Mitigating the Slowloris DoS attack

2009-06-21 Thread Graham Dumpleton
2009/6/22 Guenter Knauf : > Hi Andreas, > Andreas Krennmair schrieb: >> For those who are still unaware of the Slowloris attack, it's a >> denial-of-service attack that consumes Apache's resources by opening up >> a great number of parallel connections and slowly sending partial >> requests, never

Re: svn commit: r785425 - in /httpd/httpd/trunk: CHANGES modules/mappers/mod_dir.c

2009-06-18 Thread Graham Dumpleton
2009/6/18 Rich Bowen : > > On Jun 16, 2009, at 18:43, William A. Rowe, Jr. wrote: > >> William A. Rowe, Jr. wrote: >>> >>> This might be NotFoundHandler or for dir-not-file, ListingHandler. >> >> Sorry; not ListingHandler, but IndexHandler. >> >> But there is no point to a NotFoundHandler; the exis

Re: Some ramblings on httpd config

2009-06-09 Thread Graham Dumpleton
> Then again this would probably cause a whole lot of overhead and would > force mod_lua to be rewriting a lot I guess. > > > ~Jorge > > > > On Tue, Jun 9, 2009 at 2:49 PM, Akins, Brian wrote: >> On 6/5/09 11:31 PM, "Graham Dumpleton" wrote: >> >>

Re: Some ramblings on httpd config

2009-06-09 Thread Graham Dumpleton
2009/6/9 Akins, Brian : > On 6/5/09 11:31 PM, "Graham Dumpleton" wrote: > >> This last example wasn't even related to driving configuration. It was >> in practice an actual handler hook implementation for request >> processing, not configuration phases. >

Re: Some ramblings on httpd config

2009-06-05 Thread Graham Dumpleton
2009/6/6 Rich Bowen : > > On Jun 4, 2009, at 22:53, Graham Leggett wrote: > >>> This approach doesn't require any changes to httpd itself as the >>> ability to do this becomes a feature of just the module supporting >>> that scripting language, eg, mod_lua. The same could also be done for >>> other

Re: Some ramblings on httpd config

2009-06-04 Thread Graham Dumpleton
2009/6/4 Akins, Brian : > On 6/4/09 8:14 AM, "Jorge Schrauwen" wrote: > >> Like Graham mentioned mod_macro can be of some use here. however since >> I'm looping in  perl I may as well push the 4 lines needed to httpd >> instead of a one line macro replacemen. > > Okay, I'm not explaining my self w

Re: Some ramblings on httpd config

2009-06-04 Thread Graham Dumpleton
2009/6/4 Akins, Brian : > On 6/3/09 7:50 PM, "Plüm, Rüdiger, VF-Group" > wrote: > >> 1. There are many and large and complex configurations out in the world. > > Which is exactly why I want/need a better way to do them.  I'm currently > using a template system to generate them.  However I wind up

Re: Some ramblings on httpd config

2009-06-03 Thread Graham Dumpleton
2009/6/4 "Plüm, Rüdiger, VF-Group" : > 2. I admit that some improvements are needed. How about an approach that > allows >   to embed a macro / scripting language into the current configuration system >   that allows you to do more advanced things if you need to. >   (OK, yes this proposal contrad

Re: [RFC] A new hook: invoke_handler and web-application security

2009-04-09 Thread Graham Dumpleton
2009/4/9 KaiGai Kohei : > Graham Dumpleton wrote: >> 2009/4/9 KaiGai Kohei : >>>>> The reason why I would like to set privilege prior to the invocation >>>>> of contents handler is to apply consistent access controls independent >>>>> from wha

Re: [RFC] A new hook: invoke_handler and web-application security

2009-04-09 Thread Graham Dumpleton
2009/4/9 KaiGai Kohei : >>> The reason why I would like to set privilege prior to the invocation >>> of contents handler is to apply consistent access controls independent >>> from what kind of script languages are used. >> >> I understand that, but you seem to be focused on the idea of using >> th

Re: [RFC] A new hook: invoke_handler and web-application security

2009-04-08 Thread Graham Dumpleton
2009/4/9 KaiGai Kohei : > Graham Dumpleton wrote: >> 2009/4/9 KaiGai Kohei : >>> William A. Rowe, Jr. wrote: >>>> KaiGai Kohei wrote: >>>>> However, SElinux does not allow to revert its privilege (security context) >>>>> uncondition

Re: [RFC] A new hook: invoke_handler and web-application security

2009-04-08 Thread Graham Dumpleton
2009/4/9 KaiGai Kohei : > William A. Rowe, Jr. wrote: >> KaiGai Kohei wrote: >>> However, SElinux does not allow to revert its privilege (security context) >>> unconditionally, even if it is dynamically changed. >>> If we want to revert it, the security policy has to allow B->A in addition >>> to A

Re: [RFC] A new hook: invoke_handler and web-application security

2009-04-08 Thread Graham Dumpleton
2009/4/8 KaiGai Kohei : > Graham Dumpleton wrote: >> 2009/4/8 KaiGai Kohei : >>> KaiGai Kohei wrote: >>>> Graham Dumpleton wrote: >>>>> 2009/4/8 KaiGai Kohei : >>>>>> Graham Dumpleton wrote: >>>>>>> Explain first

Re: [RFC] A new hook: invoke_handler and web-application security

2009-04-07 Thread Graham Dumpleton
2009/4/8 KaiGai Kohei : > KaiGai Kohei wrote: >> Graham Dumpleton wrote: >>> 2009/4/8 KaiGai Kohei : >>>> Graham Dumpleton wrote: >>>>> Explain first why using FASTCGI and suexec wouldn't be a better option? >>>> These are lim

Re: [RFC] A new hook: invoke_handler and web-application security

2009-04-07 Thread Graham Dumpleton
2009/4/8 KaiGai Kohei : > Graham Dumpleton wrote: >> 2009/4/8 KaiGai Kohei : >>> Graham Dumpleton wrote: >>>> Explain first why using FASTCGI and suexec wouldn't be a better option? >>> These are limited to cgi applications, so we cannot apply such ki

Re: [RFC] A new hook: invoke_handler and web-application security

2009-04-07 Thread Graham Dumpleton
2009/4/8 KaiGai Kohei : > Graham Dumpleton wrote: >> Explain first why using FASTCGI and suexec wouldn't be a better option? > > These are limited to cgi applications, so we cannot apply such kind > of restriction on the built-in script languages and references on > sta

Re: [RFC] A new hook: invoke_handler and web-application security

2009-04-07 Thread Graham Dumpleton
Explain first why using FASTCGI and suexec wouldn't be a better option? It concerns me that in your plans, even though you are changing the security context of a single thread within an existing process, that that thread may still have access to all the process memory and so could read or modify me

Using unicode host names with Apache.

2009-04-02 Thread Graham Dumpleton
Is Apache capable of hosting sites with a unicode host name? Is it just a matter of listing the IDNA(RFC3490) variant of the name in ServerName or ServerAlias? Is this the only way it can be done or if configuration files are written as UTF-8, could the host name be listed in its UTF-8 form? Grah

Re: Problems with EOS optimisation in ap_core_output_filter() and file buckets.

2009-02-17 Thread Graham Dumpleton
2009/2/17 Mladen Turk : > Graham Dumpleton wrote: >> >> 2009/2/17 Mladen Turk : >>> >>> Graham Dumpleton wrote: >>>> >>>> 2009/2/17 Joe Orton : >>>>>> >>>>>> I did used to perform a dup, but was told th

Re: Problems with EOS optimisation in ap_core_output_filter() and file buckets.

2009-02-17 Thread Graham Dumpleton
2009/2/17 Mladen Turk : > Graham Dumpleton wrote: >> >> 2009/2/17 Joe Orton : >>>> >>>> I did used to perform a dup, but was told that this would cause >>>> problems with file locking. Specifically was told: > >>> I'm getting lost

Re: Problems with EOS optimisation in ap_core_output_filter() and file buckets.

2009-02-16 Thread Graham Dumpleton
2009/2/17 Joe Orton : > On Mon, Feb 16, 2009 at 10:52:15PM +1100, Graham Dumpleton wrote: >> 2009/2/16 Joe Orton : >> > You say: >> > >> >> For me this is an issue as the file descriptor has been supplied from >> >> a special object returned by a

Re: Problems with EOS optimisation in ap_core_output_filter() and file buckets.

2009-02-16 Thread Graham Dumpleton
2009/2/16 Joe Orton : > On Sat, Feb 14, 2009 at 10:25:08AM +1100, Graham Dumpleton wrote: > ... >> What the end result of the code is, is that if you have a file bucket >> getting this far where length of file is less than 8000 and an EOS >> follows it, then the actual

Problems with EOS optimisation in ap_core_output_filter() and file buckets.

2009-02-13 Thread Graham Dumpleton
In ap_core_output_filter() there exists the code starting with: /* Completed iterating over the brigade, now determine if we want * to buffer the brigade or send the brigade out on the network. * * Save if we haven't accumulated enough bytes to send, the connecti

Re: changing mod_wombat's name

2008-12-16 Thread Graham Dumpleton
2008/12/17 Brian McCallister : > Actually, -1 > > Calling it luau is begging for mass user confusion via misspellings in > the LoadModule directive. > > How about: > > ap_lua, moon, or just bite the bullet and use mod_lua Given that there could be a class of such scripting language modules over tim

Re: [VOTE] Release Apache HTTP server 2.3.0-alpha

2008-12-08 Thread Graham Dumpleton
2008/12/9 William A. Rowe, Jr. <[EMAIL PROTECTED]>: > Paul Querna wrote: >> >> The change fixed velocity.apache.org, but broke www.apache.org. >> >> All of this sub-request + output filter stuff started in r620133 kinda >> needs some more thought. > > My thought is that fast_internal_subrequest (wh

Re: Dyanamic usage of Apache hash table.

2008-12-02 Thread Graham Dumpleton
2008/12/3 Jayasingh Samuel <[EMAIL PROTECTED]>: > Hai, > > I have a hash map which takes its input and key from a file.. The file > content will be changed automatically and I want to reload the hash map > automatically after hitting some handler.. What I see is, after reloading > the hash map, I am

Re: [VOTE] move all mod_*.h with public APIs to ./include folder

2008-04-12 Thread Graham Dumpleton
2008/4/13 Guenter Knauf <[EMAIL PROTECTED]>: > Hi, > > > Please specify which headers specifically you consider to be public. > at least: > > mod_cache.h > mod_core.h > mod_dav.h > mod_dbd.h > mod_proxy.h > mod_session.h Also: mod_auth.h So it doesn't get missed out of Windows installer

Re: overview of MPMs?

2008-04-10 Thread Graham Dumpleton
2008/4/11 Geoff Thorpe <[EMAIL PROTECTED]>: > Hi all, > > Just wondering if anyone has a link or howto that would give me some > background info on the interface with the different MPM > modes/implementations? I'm not even sure where the different > implementations are in the source tree, but I

Re: Where is Timeout configuration directive value stored?

2007-11-16 Thread Graham Dumpleton
their input, or that when they don't they will not generate a response more than socket buffer size? Graham On 17/11/2007, Graham Dumpleton <[EMAIL PROTECTED]> wrote: > The function in server/core.c called for the Timeout directive is: > > static const char *set_timeout(cmd_par

Where is Timeout configuration directive value stored?

2007-11-16 Thread Graham Dumpleton
The function in server/core.c called for the Timeout directive is: static const char *set_timeout(cmd_parms *cmd, void *dummy, const char *arg) { const char *err = ap_check_cmd_context(cmd, NOT_IN_DIR_LOC_FILE|NOT_IN_LIMIT); if (err != NULL) { return err; } cmd->server->t

Win32 httpd 2.2.6 installer missing mod_auth.h?

2007-09-26 Thread Graham Dumpleton
I'm working on extensions to an existing Apache module of my own to add support for auth providers. Problem is that people who are trying to compile it for Win32 have found that the ASF httpd 2.2.6 installer: http://www.apache.org/dist/httpd/binaries/win32/apache_2.2.6-win32-x86-openssl-0.9.8e.

Re: New module mod_proxy_scgi

2007-09-16 Thread Graham Dumpleton
Rather than call it X-Sendfile, can we perhaps adopt the generic Script-Control header mechanism as outlined in CGI 1.2. http://cgi-spec.golux.com/cgi-120-00a.html As one example of how Script-Control has been used, see: http://www.openvms-rocks.com/ht_root/src/httpd/cgi.c I have been conte

Re: OS/X + Cisco VPN == trouble

2007-08-24 Thread Graham Dumpleton
On 25/08/07, Graham Dumpleton <[EMAIL PROTECTED]> wrote: > On 24/08/07, Jim Jagielski <[EMAIL PROTECTED]> wrote: > > > > On Aug 23, 2007, at 8:56 PM, Ian Holsman wrote: > > > > > Hi. > > > > > > This one is frustrating me to no end, and
