On Thu, Jun 11, 2009 at 09:46:39AM -0400, Dan Poirier wrote:
I was looking at mod_auth_digest and bug 16057. Currently the shared
memory code in that module is disabled, and it turns out that has
effects throughout the module, such as disabling all client tracking,
nonce-count checking,
On Mon, Jun 01, 2009 at 10:22:45AM -0700, Jeff Trawick wrote:
On Mon, Jun 1, 2009 at 7:30 AM, Stefan Fritsch s...@sfritsch.de wrote:
The interesting test file in mod_perl's source is ./t/response/TestAPI/
add_config.pm.
It looks like the test sets Options ExecCGI and expects
Zhumabekov - discussion of mod_ssl for httpd 2.x takes place on the
development list for Apache httpd, CC'ed. (I'm quoting the full mail
inline for reference of dev@ readers)
On Wed, May 06, 2009 at 10:49:46AM +0600, Zhumabekov Yerden wrote:
mod_ssl can perform client authentication
On Mon, May 25, 2009 at 12:03:23PM -0400, Jeff Trawick wrote:
I'm fine with your patch plus a bit of commentary in ap_allow_options().
Proposed patch as below:
Index: modules/filters/mod_include.c
===
---
On Fri, May 22, 2009 at 05:12:31PM -0400, Jeff Trawick wrote:
(untested)
ap_allow_options() is how applications, including our mod_include, access
the enabled options for a given request (other than evil apps which define
CORE_PRIVATE and locate the core_dir_config). As this is a callable
On Thu, May 21, 2009 at 02:39:57PM -0400, Jeff Trawick wrote:
On Wed, May 20, 2009 at 8:53 AM, Joe Orton jor...@redhat.com wrote:
Given that the semantics of the options has changed, I don't think it's
worth changing httpd to maintain any pretence of compile-time or
run-time compatibility
On Fri, May 22, 2009 at 05:26:07PM +0100, Joe Orton wrote:
Attaching my original analysis for security@ which hopefully answers
that question ;)
attempt 2
I've now had a deeper look into this. I can't see a way to fix the
problem without changing the semantics of the OPT_ bits used, as I
mod_rewrite creates a global mutex and serializes writes to the log file
(if one is configured).
Maybe I'm being stupid here, but why is that? It seems to be
superfluous - it uses a single apr_file_write() to write a log entry, so
operates under exactly the same atomicity assumptions as
On Sun, May 17, 2009 at 11:15:00AM -0400, Jeff Trawick wrote:
On Tue, May 12, 2009 at 9:17 AM, cove...@apache.org wrote:
Author: covener
Date: Tue May 12 13:17:29 2009
New Revision: 773881
URL: http://svn.apache.org/viewvc?rev=773881view=rev
Log:
backport 772997, 773322, 773342
On Thu, May 14, 2009 at 04:23:22PM -0700, Chris Darroch wrote:
However, note that any choices we make here also, I believe,
impacts the socache API, which has identical issues around data
consistency in multi-process/multi-thread contexts. Personally
I'd love to see these two APIs be as
On Thu, May 14, 2009 at 12:51:18PM +0200, Rainer Jung wrote:
On 13.05.2009 22:38, William A. Rowe, Jr. wrote:
Please revert the introduction of a _wrapper struct and let's simply
fix the piped_log structure?
Do we really want to add it to the public API?
There's no need for that structure
On Mon, May 11, 2009 at 11:56:42AM -0400, Jeff Trawick wrote:
Currently, starting httpd as non-root with mod_fcgid loaded fails unless
User/Group are set to the active User/Group. Normally, httpd modules don't
try to set ownership of objects to the specified User/Group unless starting
as
On Sun, May 10, 2009 at 12:32:44PM +0200, Ruediger Pluem wrote:
On 05/10/2009 12:26 AM, Eric Covener wrote:
On Sat, May 9, 2009 at 5:55 PM, Ruediger Pluem rpl...@apache.org wrote:
--- server/core.c (Revision 773105)
+++ server/core.c (Arbeitskopie)
@@ -242,8 +242,9 @@
On Tue, Apr 28, 2009 at 02:48:52PM +0100, Joe Orton wrote:
5) I'll post an updated patch soon which fixes the behaviour of Options
Includes/Options +IncludesNoExec such that SSI is permitted without
exec, as is the current 2.2.x behaviour, since that seems to be the
rough consensus. Jon
On Wed, May 06, 2009 at 02:54:59PM -0500, William Rowe wrote:
Plüm, Rüdiger, VF-Group wrote:
This causes trunk to fail compilation with:
make[1]: *** No rule to make target `modules/mappers/libmod_so.la', needed
by `httpd'. Stop.
make: *** [all-recursive] Error 1
Please don't
Thanks for all the feedback so far. I've added in tests of combinations
using negative options in .htaccess, bringing the test matrix to a
glorious size of 3 x 4 x 10 = 120 entries: this page gives before/after
results with 2.2.x vanilla and the patch I posted previously:
On Wed, Apr 01, 2009 at 12:07:49PM -, rpl...@apache.org wrote:
Author: rpluem
Date: Wed Apr 1 12:07:47 2009
New Revision: 760866
URL: http://svn.apache.org/viewvc?rev=760866view=rev
Log:
...
+if (sc-proxy_ssl_check_peer_expire == SSL_ENABLED_TRUE) {
+apr_time_t
A security issue in the handling of the Includes and IncludesNoExec
directives was reported recently, and I'm after some help.
The security issues are as follows:
a) If AllowOverride Options=IncludesNoEXEC is configured in
httpd.conf, a user can put Options Includes in an .htaccess
file
On Wed, Apr 08, 2009 at 10:38:52AM +0900, KaiGai Kohei wrote:
I've posted my idea to improve web-application security a few times,
however, it could not interest folks, unfortunately. :(
So, I would like to offer another approach for the purpose.
The attached patch is a proof of the concept of
On Wed, Apr 08, 2009 at 09:09:14AM +0100, Nick Kew wrote:
On 8 Apr 2009, at 08:32, Joe Orton wrote:
So I'm not sure that it's worthwhile. Having said that, it seems a
lot more worthwhile than the mod_privileges approach in the trunk,
which seems to claim it is secure so long as you don't
On Tue, Apr 07, 2009 at 01:29:20PM +0200, Plüm, Rüdiger, VF-Group wrote:
...
I think the reason for this behaviour is the following:
1. The subrequest created by mod_dir uses a subpool of r->pool for its
allocations.
2. ap_internal_fast_redirect uses the data allocated out of this subpool
On Mon, Mar 23, 2009 at 05:45:08PM +0100, Ruediger Pluem wrote:
It turned out that changing the c->base_server in the SNI callback has some
flaws. So the following patch stores the correct server_rec in the connection
record configuration and adjusts the remaining part of mod_ssl to use this
On Thu, Mar 19, 2009 at 04:36:42PM -0400, Jeff Trawick wrote:
Beyond the mod_authany question, why doesn't mod_ssl declare its check user
id hook really-first if it can generate the basic auth? (Let the extremely
limited number of modules which generate basic auth headers fight it out via
(cc'ing d...@apr since that's where the vformatter lives)
On Thu, Mar 05, 2009 at 12:54:13AM -0600, William Rowe wrote:
Trying to come up with ways to process large entries without
so much copying.
My thought for 2.4 is to introduce an apr_vformatter code
modifier, '#', into the s syntax.
On Thu, Feb 19, 2009 at 10:00:50PM +0100, Ruediger Pluem wrote:
On 02/19/2009 12:32 PM, Joe Orton wrote:
...
@@ -497,13 +500,17 @@
next = APR_BUCKET_NEXT(bucket);
}
bytes_in_brigade += bucket-length;
-if (!APR_BUCKET_IS_FILE(bucket
On Wed, Feb 18, 2009 at 09:39:31PM +0100, Ruediger Pluem wrote:
On 02/18/2009 11:16 AM, Joe Orton wrote:
There is still a nasty issue with the trunk code that can cause you to
run out of FD's as the new non blocking core output filter has some trouble
setting aside the file buckets
On Mon, Feb 16, 2009 at 03:12:11PM +0100, Ruediger Pluem wrote:
On 02/16/2009 02:13 PM, Joe Orton wrote:
Why is it invalid use of the filtering/buckets API to close the file
after sending the FILE-containing brigade up the filter stack?
It seems counter-intuitive to me that *anything
On Sat, Feb 14, 2009 at 10:25:08AM +1100, Graham Dumpleton wrote:
...
What the end result of the code is, is that if you have a file bucket
getting this far where length of file is less than 8000 and an EOS
follows it, then the actual file bucket is held over rather than data
being read and
On Mon, Feb 16, 2009 at 12:34:26PM +0100, Ruediger Pluem wrote:
On 02/16/2009 11:07 AM, Joe Orton wrote:
The call to:
ap_save_brigade(f, ctx->b, b, ctx->deferred_write_pool);
in that code path should result in the FILE bucket and the contained fd
being dup()ed. (Though
On Mon, Feb 16, 2009 at 10:52:15PM +1100, Graham Dumpleton wrote:
2009/2/16 Joe Orton jor...@redhat.com:
You say:
For me this is an issue as the file descriptor has been supplied from
a special object returned by a higher level application and it would
be hard to maintain the file
The AuthLDAPCharsetConfig directive allows server admins to do charset
conversion of the username passed in the HTTP auth headers.
RFC 2617 does not specify use of encoding non-ASCII usernames in the
{Proxy-},Authorization request headers; mod_authnz_ldap is guessing an
encoding based on any
On Tue, Feb 10, 2009 at 09:52:43AM -0500, Eric Covener wrote:
On Tue, Feb 10, 2009 at 8:45 AM, Joe Orton jor...@redhat.com wrote:
The AuthLDAPCharsetConfig directive allows server admins to do charset
conversion of the username passed in the HTTP auth headers.
RFC 2617 does not specify
On Thu, Jan 22, 2009 at 04:09:25PM +1100, Gervase Markham wrote:
Short version: I am hoping to find out what the problems are with the
trunk version of TLS/SNI, how they can be fixed, and what the chances
are of a backport to 2.2.
Making sure that mod_ssl's existing access control options work
On Sun, Jan 11, 2009 at 05:36:07PM -, rj...@apache.org wrote:
Author: rjung
Date: Sun Jan 11 09:36:07 2009
New Revision: 733493
URL: http://svn.apache.org/viewvc?rev=733493view=rev
Log:
Allow to trigger rotatelogs log file rotation from
using HUP and INT signals to the rotatelogs
On Sat, Jan 03, 2009 at 02:55:24PM +0100, Rainer Jung wrote:
Most build variables for httpd are used via APACHE_SUBST, which means
they get added to build/config_vars.mk.
A) Where to define them?
There are two places, where a lot of variables are added via
On Mon, Jan 12, 2009 at 12:03:31PM +0100, Rainer Jung wrote:
On 12.01.2009 11:19, Rainer Jung wrote:
On 12.01.2009 10:04, Joe Orton wrote:
Sending SIGTERM to the rotatelogs process and having the parent recycle
it should have done that already, surely, without adding all this
complexity
On Thu, Jan 08, 2009 at 09:40:59PM -, cove...@apache.org wrote:
Author: covener
Date: Thu Jan 8 13:40:59 2009
New Revision: 732832
URL: http://svn.apache.org/viewvc?rev=732832view=rev
Log:
Translate locally generated 100-Continue message to
ASCII on EBCDIC systems.
...
---
On Wed, Jan 07, 2009 at 02:34:29PM -0500, Eric Covener wrote:
On Fri, Dec 26, 2008 at 10:53 PM, n...@apache.org wrote:
Author: niq
Date: Fri Dec 26 19:53:32 2008
New Revision: 729586
URL: http://svn.apache.org/viewvc?rev=729586view=rev
Log:
CGI: return 504 (Gateway timeout) rather
On Tue, Jan 06, 2009 at 12:10:25PM -0600, William Rowe wrote:
Would folks comment on Nathan's, Joe's and Stefan's work on
https://issues.apache.org/bugzilla/show_bug.cgi?id=42829
and offer any comments on why this patch;
https://issues.apache.org/bugzilla/attachment.cgi?id=22822
On Sat, Dec 27, 2008 at 01:12:24PM +, Nick Kew wrote:
On 27 Dec 2008, at 09:52, Ruediger Pluem wrote:
On 12/27/2008 03:13 AM, n...@apache.org wrote:
Author: niq
Date: Fri Dec 26 18:13:47 2008
New Revision: 729579
URL: http://svn.apache.org/viewvc?rev=729579view=rev
Log:
PR#39332: fix
On Fri, Dec 12, 2008 at 02:41:14PM -0600, William Rowe wrote:
jor...@apache.org wrote:
Author: jorton
Date: Fri Dec 12 12:20:40 2008
New Revision: 726109
URL: http://svn.apache.org/viewvc?rev=726109view=rev
Log:
mod_ssl: Make the size of the per-dir-reneg request-body buffer
On Tue, Dec 09, 2008 at 10:30:51AM -0800, Chris Darroch wrote:
Joe Orton wrote:
* include/ap_socache.h: Use C++ safety wrappers, and rename ->delete
to ->remove since the former is a C++ reserved word.
Thanks again for the socache refactoring! I've been trying to
keep these two modules
On Fri, Dec 12, 2008 at 11:15:49AM -0800, Chris Darroch wrote:
Joe Orton wrote:
Both modules look very neat! Are you going to commit them? I might
debate the naming of mod_shmap ;)
Heh, thanks. I don't know, I hadn't really thought about committing
them ... maybe the shmap one
typedef enum {
TOKEN_STRING,
TOKEN_RE,
TOKEN_AND,
} token_type_t;
} token_t;
} backref_t;
... all lack namespace-safety.
as do:
typedef const char *(*string_func_t)(request_rec*, const char*);
typedef int (*opt_func_t)(request_rec*, ap_parse_node_t*, string_func_t);
which are also
On Fri, Dec 05, 2008 at 12:43:57AM -0800, Paul Querna wrote:
Trunk is CTR, but I do want to make sure no one is completely opposed to
pulling in mod_wombat.
+1, go for it. For the record, I'd be happy for lua to become a
mandatory or strongly-recommended dependency such that we could remove
On Thu, Dec 04, 2008 at 12:13:52PM +, Dr Stephen Henson wrote:
At Joe's request I've posted the last comment here. It is in reference
to bug #43822 which is OCSP Stapling support for mod_ssl:
Thanks for posting.
...
The mutex code has been removed and some dummy functions to replace them
On Thu, Nov 06, 2008 at 09:58:52PM +0100, Ruediger Pluem wrote:
What is the problem at all?
mod_proxy_http uses a conn_rec to communicate with the backend. It somehow
reverses the meaning of input and output filters and uses them to send the
request and receive the response. In order
On Fri, Nov 07, 2008 at 01:29:15PM +0100, Plüm, Rüdiger, VF-Group wrote:
Would it be possible to substitute the backend (fake) conn_rec's
->bucket_alloc pointer with the real r->connection->bucket_alloc,
for the duration of the request/response to the backend? Wouldn't
that ensure that
On Wed, Oct 29, 2008 at 11:59:06AM -0700, Paul Querna wrote:
Is COW ability of fork important enough with modern memory and operating
systems, to maintain two significantly different code paths for spawning
children processes?
I looked at a stock 2.2 install (x86_64) with most modules
On Tue, Oct 28, 2008 at 12:12:51AM -0700, Paul Querna wrote:
I've added the Simple MPM to trunk:
https://svn.apache.org/viewvc/httpd/httpd/trunk/server/mpm/simple/
Great!
- The name. Someone suggest something better than Simple.
I like naming projects by grepping the dictionary, and
On Wed, Aug 20, 2008 at 10:36:37AM -0400, Sander Temme wrote:
On Aug 18, 2008, at 5:18 AM, Joe Orton wrote:
So generally pconf is the right pool to use, along with a cleanup
registered against that pool which sets the callbacks to NULL.
Yes, with the cleanup it no longer hangs. What about
On Thu, Aug 21, 2008 at 01:49:35PM +0200, Plüm, Rüdiger, VF-Group wrote:
Given that the lifetime of the callbacks is now constrained, is the
new global pool still needed?
Where does this patch use a global pool? It keeps a reference on the pconf
pool in a global variable, but it no longer
On Fri, Aug 15, 2008 at 06:33:21AM -0700, Sander Temme wrote:
On Aug 15, 2008, at 12:48 AM, Plüm, Rüdiger, VF-Group wrote:
1. Why creating a global pool for dynlockpool? Why can't this be a
subpool
of the pool passed to ssl_util_thread_setup?
Because that's the pconf pool and gets
On Mon, Aug 11, 2008 at 08:20:40PM +0100, Joe Orton wrote:
I think that something like this is the way to go: (against 2.2.x since
my trunk install is currently refusing to do anything DAVy)
I committed a version of that with the logic, um, improved, as r685112,
and am +1 for backport
On Thu, Aug 07, 2008 at 03:12:00PM -, Jeff Trawick wrote:
--- httpd/httpd/trunk/modules/dav/fs/repos.c (original)
+++ httpd/httpd/trunk/modules/dav/fs/repos.c Thu Aug 7 08:12:00 2008
@@ -1475,10 +1475,8 @@
/* append this file onto the path buffer (copy null term) */
On Sat, May 31, 2008 at 12:00:55AM +0200, Ruediger Pluem wrote:
On 05/30/2008 01:49 PM, [EMAIL PROTECTED] wrote:
URL: http://svn.apache.org/viewvc?rev=661666view=rev
Log:
Prevent CSRF attacks against the balancer-manager (CVE-2007-6420)
...
@@ -619,6 +622,27 @@
}
}
+/* post_config
On Tue, Jun 03, 2008 at 04:42:07PM +0200, Kaspar Brand wrote:
So, is there still hope for SNI being added in 2.2.9...? Let me know if
there's anything else I can do to increase the chances of getting this
proposal accepted.
http://svn.apache.org/viewvc?rev=662815view=rev
Changing the dirconf
On Thu, May 29, 2008 at 03:34:21PM -0700, Paul Querna wrote:
Stefan Fritsch wrote:
https://issues.apache.org/bugzilla/attachment.cgi?id=21137 has been in
Debian testing and unstable for about 6 months without problems. It is not
an elegant solution but it works. Considering that it is not
On Wed, Feb 13, 2008 at 10:00:23AM +0100, Kaspar Brand wrote:
While I was testing revocation checking for client certs in an SNI
configuration (Dirk, many thanks for make_sni.sh, btw!), I came across a
flaw in the current implementation when CRL information - i.e.
On Tue, Apr 22, 2008 at 06:27:26PM +0200, Dirk-Willem van Gulik wrote:
On Apr 22, 2008, at 5:53 PM, Joe Orton wrote:
On Wed, Feb 13, 2008 at 10:00:23AM +0100, Kaspar Brand wrote:
While I was testing revocation checking for client certs in an SNI
configuration (Dirk, many thanks
On Wed, Apr 09, 2008 at 03:10:25PM +0200, Graham Leggett wrote:
Roy T. Fielding wrote:
-1. Bloat like this belongs in a module.
This piece of code depends on the KeptBodySize directive, which is part of
the http_filter, and sits alongside ap_discard_request_body().
I don't understand why
On Wed, Apr 09, 2008 at 05:07:33PM +0200, Graham Leggett wrote:
Joe Orton wrote:
I don't understand why *that* stuff needed to be in the core. It is
certainly possible to consume then reinject the request body, without
changing one line of core filters; it's done in mod_ssl, see
On Tue, Apr 08, 2008 at 02:22:36PM +0200, Graham Leggett wrote:
[EMAIL PROTECTED] wrote:
Session cache interface redesign, Part 8:
Is this stuff documented yet? (Or am I jumping the gun...?)
ap_socache.h is the only documentation; it should be reasonably clear
how to use a cache from that,
On Mon, Apr 07, 2008 at 06:34:55PM +0200, Graham Leggett wrote:
Joe Orton wrote:
mod_session_cookie.c:59: warning: no previous prototype for
'ap_session_cookie_save'
I just checked for any unchecked in files, and found a change to
Makefile.in that hadn't been checked in. Can you try
On Thu, Apr 03, 2008 at 09:51:09PM -, [EMAIL PROTECTED] wrote:
Author: chrisd
Date: Thu Apr 3 14:51:07 2008
New Revision: 644525
URL: http://svn.apache.org/viewvc?rev=644525view=rev
Log:
Avoid calling access control hooks for internal requests with
configurations which match those of
The code on the trunk gives a bunch of warnings:
Building shared: mod_session.la mod_session_cookie.la mod_session_crypto.la
mod_session_dbd.la
mod_session_cookie.c:59: warning: no previous prototype for
'ap_session_cookie_save'
mod_session_cookie.c:108: warning: no previous prototype for
It occurred to me recently that it is relatively simple to prevent
CSRF attacks against the balancer-handler (see CVE-2007-6420), by
generating a secret nonce at startup and requiring the presence of
that secret in the submitted parameters.
Any objections?
Index:
On Tue, Mar 11, 2008 at 03:39:22PM +0100, Plüm, Rüdiger, VF-Group wrote:
It occurred to me recently that it is relatively simple to prevent
CSRF attacks against the balancer-handler (see CVE-2007-6420), by
generating a secret nonce at startup and requiring the presence of
that secret in
On Wed, Mar 05, 2008 at 09:32:54AM +0100, Plüm, Rüdiger, VF-Group wrote:
[Patch shows diffs relative to original ssl_scache_* for
the providers]
Does it make sense to do this in a branch in subversion?
Not sure if this is needed as Joe has already done a lot of the redesign work
in
The cleanest and simplest way to extract the session cache providers
from mod_ssl seems to be like this:
1) define the provider vtable structure in a header, ap_socache.h
2) implement all the provider backends in separate modules,
mod_socache_*
There's no central registration of new backends
On Tue, Feb 26, 2008 at 09:58:31PM +0100, Ruediger Pluem wrote:
On 02/26/2008 05:57 PM, [EMAIL PROTECTED] wrote:
Author: jorton
Date: Tue Feb 26 08:57:56 2008
New Revision: 631297
URL: http://svn.apache.org/viewvc?rev=631297view=rev
Log:
Session cache interface redesign, Part 6:
...
On Mon, Feb 25, 2008 at 05:26:08PM -0800, Paul Querna wrote:
how did you want to structure keys?
Interesting question. I envisage this working by having consumers
configure and set up independent cache instances; so if you had
mod_auth_digest and mod_ssl both using a shmcb provider, you'd get
On Mon, Feb 25, 2008 at 10:54:58PM +, Dr Stephen Henson wrote:
Well I can think of a several applications for de-SSL-ifying or
specifically de-SSL_SESSION-ifying (i.e. being able to store things other
than SSL_SESSION) the code straight off.
Both SSL related.
The OCSP stapling patch
On Tue, Feb 26, 2008 at 04:51:40PM +, Dr Stephen Henson wrote:
Well the current CRL strategy has a few problems. It ignores critical
extensions but that's a separate issue...
I was looking at this recently; is it still true that mod_ssl has to do
so much of the CRL revocation checks for
On Sat, Feb 23, 2008 at 12:25:40PM +0100, Ruediger Pluem wrote:
On 02/22/2008 10:09 PM, [EMAIL PROTECTED] wrote:
--- httpd/httpd/trunk/modules/ssl/ssl_scache.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_scache.c Fri Feb 22 13:09:40 2008
@@ -40,6 +40,20 @@
void
On Sat, Feb 23, 2008 at 11:40:26AM +0100, Ruediger Pluem wrote:
On 02/22/2008 08:58 PM, [EMAIL PROTECTED] wrote:
Author: jorton
Date: Fri Feb 22 11:58:39 2008
New Revision: 630307
URL: http://svn.apache.org/viewvc?rev=630307view=rev
...
memcpy(expiry, dbmval.dptr, sizeof(time_t));
+
On Mon, Feb 25, 2008 at 08:51:23PM +0100, Ruediger Pluem wrote:
On 02/25/2008 11:59 AM, Joe Orton wrote:
Ah, no, that's not quite the intent. The intent of the code is only to
ignore the first post_config run during startup. It's necessary and
correct for this code to initialize the cache
On Mon, Feb 25, 2008 at 09:49:55PM +0100, Ruediger Pluem wrote:
On 02/25/2008 09:09 PM, [EMAIL PROTECTED] wrote:
Author: jorton
Date: Mon Feb 25 12:09:38 2008
New Revision: 630974
URL: http://svn.apache.org/viewvc?rev=630974view=rev
Log:
Session cache interface redesign, Part 4:
...
---
The session cache interface in mod_ssl on the trunk is now mostly SSL-
and mod_ssl-agnostic with respect to the data storage and configuration.
There is still some tight coupling between the session cache and the
ssl_mutex interface, but that's next on my hit list.
Is there any interest in
CC'ing [EMAIL PROTECTED] since the code in question is in APR.
On Fri, Feb 22, 2008 at 05:45:53PM +0100, Plüm, Rüdiger, VF-Group wrote:
On Feb 22, 2008, at 9:27 AM, Plüm, Rüdiger, VF-Group wrote:
+/*
+ * Try to reduce the following casting mess: We know that point will
be
+
On Fri, Feb 01, 2008 at 10:41:39AM +0100, Stefan Fritsch wrote:
Joe Orton wrote:
I mentioned in the bug that the signal handler could cause undefined
behaviour, but I'm not sure now whether that is true. On Linux I can
reproduce some cases where this will happen, which are all due
On Wed, Jan 23, 2008 at 03:53:38PM -0800, William Rowe wrote:
security/vulnerabilities-oval.xml
I'm ending up with deltas such as these...
-httpd_state
xmlns=http://oval.mitre.org/XMLSchema/oval-definitions-5#apache;
id=oval:org.apache.httpd:ste:131 version=1 comment=the version of
On Fri, Jan 04, 2008 at 02:42:05PM +0100, Stefan Fritsch wrote:
this bug can be quite annoying because of the resources used by the hung
processes. It happens e.g. under Linux when epoll is used.
The patch from http://issues.apache.org/bugzilla/show_bug.cgi?id=42829#c14
has been in Debian
Thanks for the detailed response and sorry for the slow follow-up,
Kaspar. I'll just deal with the main issue for the time being:
On Wed, Jan 02, 2008 at 05:36:22PM +0100, Kaspar Brand wrote:
Has a configuration
with an SSLVerifyClient specified in the named vhost been tested?
Yes, and
On Mon, Jan 07, 2008 at 11:29:43AM +0100, Ruediger Pluem wrote:
Ok, hopefully final one. Though I still have some optimizations in the
pipe they do not relate directly to the bug.
Nick could you please test latest trunk (already contains optimizations) and
2.2.x with r609394 and r609538
On Fri, Dec 21, 2007 at 01:16:21PM -, [EMAIL PROTECTED] wrote:
Author: fuankg
Date: Fri Dec 21 05:16:21 2007
New Revision: 606190
URL: http://svn.apache.org/viewvc?rev=606190view=rev
Log:
Added server name indication (RFC 4366) support (PR 34607).
Commits containing changes authored
On Sun, Dec 16, 2007 at 08:37:08PM +0100, Stefan Fritsch wrote:
*) http_protocol: Escape request method in 413 error reporting.
Determined to be not generally exploitable, but a flaw in any case.
PR 44014 [Victor Stinner victor.stinner inl.fr]
This is CVE-2007-6203. Maybe you
Many thanks for the detailed response! Everything taken on board, with
one further question:
On Thu, Nov 29, 2007 at 09:35:40PM +, Dr Stephen Henson wrote:
...
OpenSSL supports #1 and #2 directly so these should be automatic if the
OpenSSL OCSP API has been used correctly.
A limited
On Fri, Nov 30, 2007 at 10:34:28AM +0100, Marc Stern wrote:
To be generic, we should be able to set some options based on the cert CA,
because we could use several types of certs (like when dealing with
national certs from European countries).
Having security policy decided based on a *regex
Taking this discussion out of bugzilla. As implemented currently the
OCSP validation is working like this:
1) trusted store T initialized with root certs configured via SSLCA*
2) foreach cert in chain from (root...client certificate):
a) verify cert is signed by trusted cert (or, is
with Apache 2.3.0
[ When backported to 2.2.x, remove entry from this file ]
+ *) mod_ssl: Add support for OCSP validation of client certificates.
+ PR 41123. [Marc Stern marc.stern approach.be, Joe Orton]
+
Shouldn't we add Steve to this? As far as I followed the discussion
On Tue, Nov 06, 2007 at 09:45:42PM +0100, Ruediger Pluem wrote:
On 11/06/2007 04:02 PM, [EMAIL PROTECTED] wrote:
Author: jorton
Date: Tue Nov 6 07:02:32 2007
New Revision: 592446
URL: http://svn.apache.org/viewvc?rev=592446view=rev
Log:
...
* modules/ssl/ssl_engine_io.c
On Thu, Oct 04, 2007 at 11:52:03AM +0100, Nick Kew wrote:
On Thu, 04 Oct 2007 11:27:30 +0200
Ruediger Pluem [EMAIL PROTECTED] wrote:
I think you should move it to http_filters.c. There are a bunch
of static functions that you can use for creating the header strings
and all this stuff
On Fri, Oct 05, 2007 at 09:08:13AM -, [EMAIL PROTECTED] wrote:
--- httpd/httpd/branches/2.2.x/STATUS (original)
+++ httpd/httpd/branches/2.2.x/STATUS Fri Oct 5 02:08:13 2007
@@ -185,6 +185,10 @@
Not in or needed at trunk/, as apr 1.3.0 has the proper fix.
On Fri, Oct 05, 2007 at 03:37:57PM +1000, Bojan Smojver wrote:
Now imagine someone (like yours truly :-) writing a handler/filter that
sends many, many buckets inside a brigade down the filter chain. This
causes the httpd process to start consuming many, many megabytes (in
some instances I
On Tue, Oct 02, 2007 at 01:12:08AM +0100, Nick Kew wrote:
RFC2616 mandates that a proxy MUST return interim (1xx)
responses to an HTTP/1.1 client, except where the proxy
itself requested the interim response. I'd interpret
that slightly liberally, to mean we MUST return an interim
response
On Mon, Oct 01, 2007 at 02:22:11AM -0500, William Rowe wrote:
server/Makefile.in;
export_files:
tmp=export_files_unsorted.txt; \
rm -f $$tmp && touch $$tmp; \
for dir in $(EXPORT_DIRS); do \
ls $$dir/*.h >> $$tmp; \
done; \
for dir in
On Mon, Oct 01, 2007 at 02:01:24AM +0100, Nick Kew wrote:
Coadvisor has several testcases involving a Content-Type line with
a lot of qualifier tokens. These tokens are quoted strings and
include backslashes. This is going to wrap when I cutpaste:
Content-Type: text/other;
On Thu, Sep 27, 2007 at 11:58:01AM +0100, Nick Kew wrote:
On Thu, 27 Sep 2007 08:51:50 +0200
Ruediger Pluem [EMAIL PROTECTED] wrote:
On 09/27/2007 12:42 AM, Nick Kew wrote:
* Chunked response with too big chunks: the response is
lost completely.
Verdict: serious bug!!!
What do
On Fri, Sep 21, 2007 at 12:19:27AM +0100, Sriskanthaverl wrote:
The following simple fix on t/modules/include.t makes the test pass
through. Can I have your comments and get it committed? Thank you.
A few people have complained about this breaking; it seems to work just
as well here so I've