author | 2003-11-17 18:57:04 +0000 | |
---|---|---|
committer | 2003-11-17 18:57:04 +0000 | |
commit | 8f5b697b6f0e95e72694eadadd184154dbf3883c (patch) | |
tree | 38ddecc1dbb5aebfbb6e6e2ff3f28e010b7e8601 /usr.sbin/httpd/src | |
parent | and make them look all equal.. (diff) | |
merge apache 1.3.29 and mod_ssl 2.8.16
ok brad@
Diffstat (limited to 'usr.sbin/httpd/src')
52 files changed, 303 insertions, 144 deletions
diff --git a/usr.sbin/httpd/src/CHANGES b/usr.sbin/httpd/src/CHANGES
index fefcb687ce5..f7e44fb99e7 100644
--- a/usr.sbin/httpd/src/CHANGES
+++ b/usr.sbin/httpd/src/CHANGES
@@ -1,9 +1,51 @@ +Changes with Apache 1.3.29 + + *) SECURITY: CAN-2003-0542 (cve.mitre.org) + Fix buffer overflows in mod_alias and mod_rewrite which occurred if + one configured a regular expression with more than 9 captures. + [André Malo] + + *) Within ap_bclose(), ap_pclosesocket() is now called consistently + for sockets and ap_pclosef() for files. Also, closesocket() + is used consistenly to close socket fd's. The previous + confusion between socket and file fd's would cause problems + with some applications now that we proactively close fd's to + prevent leakage. PR 22805 + [Radu Greab <rgreab@fx.ro>, Jim Jagielski] + + *) If a request fails and the client will be redirected to another URL + due to ErrorDocument, see if we need to drop the connection after + sending the 302 response. This fixes a problem where Apache treated + the body of the failed request as the next request on a keepalive + connection. The subsequent 501 error sent to the browser prevented + some browsers from fetching the error document. [Jeff Trawick] + + *) Fixed mod_usertrack to not get false positive matches on the + user-tracking cookie's name. PR 16661. + [Manni Wood <manniwood@planet-save.com>] + + *) Enabled RFC1413 ident functionality for both Win32 and + NetWare platforms. This also included an alternate thread safe + implementation of the socket timout functionality when querying + the identd daemon. + [Brad Nicholes, William Rowe] + + *) Prevent creation of subprocess Zombies when using CGI wrappers + such as suExec and cgiwrap. PR 21737. [Numerous] + + *) ab: Overlong credentials given via command line no longer clobber + the buffer. [André Malo] + + *) Fix ProxyPass for ftp requests - the original code was segfaulting since + many of the values were not being filled out in the request_rec. 
+ [Tollef Fog Heen <tfheen@debian.org, Thom May] + Changes with Apache 1.3.28 *) SECURITY: CAN-2003-0460 (cve.mitre.org) Fix the rotatelogs support program on Win32 and OS/2 to ignore special control characters received over the pipe. Previously - such characters could cause it to quit logging and exit. + such characters could cause rotatelogs to quit logging and exit. [André Malo] *) Prevent the server from crashing when entering infinite loops. The diff --git a/usr.sbin/httpd/src/CHANGES.SSL b/usr.sbin/httpd/src/CHANGES.SSL index 33ad80fd6d9..b844dbcd9f1 100644 --- a/usr.sbin/httpd/src/CHANGES.SSL +++ b/usr.sbin/httpd/src/CHANGES.SSL @@ -23,6 +23,30 @@ / __/ | (_) | __ |_____(_)___/ ___________________________________________ + Changes with mod_ssl 2.8.16 (18-Jul-2003 to 01-Nov-2003) + + *) Upgraded to Apache 1.3.29 + + *) Avoid memory corruption in certificate handling caused by a heap + memory double-freeing situation. + + *) Allow "HTTPS" variable to be passed through by suEXEC. + + *) Clear the OpenSSL error code in pass phrase reading code to + workaround the following situation: multiple keys, all with + different passphrases -- entering the correct pass phrase at each + prompt leads to an OpenSSL error message after the last prompt. + + *) Reverted the recent change where ap_cleanup_for_exec() called + ap_kill_alloc_shared(). This caused nasty side-effects in other + processes and is not necessary at all (because shared memory + segments are not inherited across exec). + + *) mod_ssl was checking the OpenSSL error reason code against + SSL_R_HTTP_REQUEST and concluded the result is an SSL error. Since + OpenSSL reason codes are not unique, this isn't always the case. + It now additionally checks that the library is the SSL library. + Changes with mod_ssl 2.8.15 (21-Mar-2003 to 18-Jul-2003) *) Upgraded to Apache 1.3.28 diff --git a/usr.sbin/httpd/src/Configure b/usr.sbin/httpd/src/Configure index e971f92a358..d4345035318 100644 
--- a/usr.sbin/httpd/src/Configure +++ b/usr.sbin/httpd/src/Configure @@ -1,5 +1,5 @@ #!/bin/sh -# $OpenBSD: Configure,v 1.22 2003/08/21 13:11:33 henning Exp $ +# $OpenBSD: Configure,v 1.23 2003/11/17 18:57:05 henning Exp $ ## ==================================================================== ## The Apache Software License, Version 1.1 ## @@ -2028,7 +2028,7 @@ if [ "x$using_shlib" = "x1" ] ; then # select the special subtarget for shared core generation SUBTARGET=target_shared # determine additional suffixes for libhttpd.so - V=1 R=3 P=28 + V=1 R=3 P=29 if [ "x$SHLIB_SUFFIX_DEPTH" = "x0" ]; then SHLIB_SUFFIX_LIST="" fi diff --git a/usr.sbin/httpd/src/include/httpd.h b/usr.sbin/httpd/src/include/httpd.h index 2cbd208dc49..3dd3bb44c3b 100644 --- a/usr.sbin/httpd/src/include/httpd.h +++ b/usr.sbin/httpd/src/include/httpd.h @@ -461,7 +461,7 @@ extern "C" { #define SERVER_BASEVENDOR "Apache Group" #define SERVER_BASEPRODUCT "Apache" -#define SERVER_BASEREVISION "1.3.28" +#define SERVER_BASEREVISION "1.3.29" #define SERVER_BASEVERSION SERVER_BASEPRODUCT "/" SERVER_BASEREVISION #define SERVER_PRODUCT SERVER_BASEPRODUCT @@ -485,7 +485,7 @@ API_EXPORT(void) ap_add_config_define(const char *define); * Always increases along the same track as the source branch. * For example, Apache 1.4.2 would be '10402100', 2.5b7 would be '20500007'. */ -#define APACHE_RELEASE 10328100 +#define APACHE_RELEASE 10329100 #define SERVER_PROTOCOL "HTTP/1.1" #ifndef SERVER_SUPPORT diff --git a/usr.sbin/httpd/src/main/alloc.c b/usr.sbin/httpd/src/main/alloc.c index 1373258458b..7924b619e74 100644 --- a/usr.sbin/httpd/src/main/alloc.c +++ b/usr.sbin/httpd/src/main/alloc.c @@ -2014,9 +2014,6 @@ API_EXPORT(void) ap_cleanup_for_exec(void) cleanup_pool_for_exec(permanent_pool); ap_unblock_alarms(); #endif /* ndef WIN32 */ -#ifdef EAPI - ap_kill_alloc_shared(); -#endif } API_EXPORT_NONSTD(void) ap_null_cleanup(void *data) 
@@ -3095,7 +3092,12 @@ static void free_proc_chain(struct process_chain *procs) for (p = procs; p; p = p->next) { if ((p->kill_how == kill_after_timeout) || (p->kill_how == kill_only_once)) { - /* Subprocess may be dead already. Only need the timeout if not. */ + /* + * This is totally bogus, but seems to be the + * only portable (as in reliable) way to accomplish + * this. Note that this implies an unavoidable + * delay. + */ ap_os_kill(p->pid, SIGTERM); need_timeout = 1; } diff --git a/usr.sbin/httpd/src/main/buff.c b/usr.sbin/httpd/src/main/buff.c index ea54a79660e..1ba8923129b 100644 --- a/usr.sbin/httpd/src/main/buff.c +++ b/usr.sbin/httpd/src/main/buff.c @@ -1516,7 +1516,6 @@ API_EXPORT(int) ap_bclose(BUFF *fb) rc1 = ap_bflush(fb); else rc1 = 0; -#if defined(WIN32) || defined(NETWARE) || defined(CYGWIN_WINSOCK) if (fb->flags & B_SOCKET) { rc2 = ap_pclosesocket(fb->pool, fb->fd); if (fb->fd_in != fb->fd) { @@ -1525,24 +1524,13 @@ API_EXPORT(int) ap_bclose(BUFF *fb) else { rc3 = 0; } - } -#if !defined(NETWARE) && !defined(CYGWIN_WINSOCK) - else if (fb->hFH != INVALID_HANDLE_VALUE) { + } else { +#if defined(WIN32) + if (fb->hFH != INVALID_HANDLE_VALUE) { rc2 = ap_pcloseh(fb->pool, fb->hFH); rc3 = 0; } -#endif else { -#elif defined(BEOS) - if (fb->flags & B_SOCKET) { - rc2 = ap_pclosesocket(fb->pool, fb->fd); - if (fb->fd_in != fb->fd) { - rc3 = ap_pclosesocket(fb->pool, fb->fd_in); - } - else { - rc3 = 0; - } - } else { #endif rc2 = ap_pclosef(fb->pool, fb->fd); if (fb->fd_in != fb->fd) { @@ -1551,7 +1539,8 @@ API_EXPORT(int) ap_bclose(BUFF *fb) else { rc3 = 0; } -#if defined(WIN32) || defined (BEOS) || defined(NETWARE) || defined(CYGWIN_WINSOCK) + } +#if defined(WIN32) } #endif diff --git a/usr.sbin/httpd/src/main/http_core.c b/usr.sbin/httpd/src/main/http_core.c index 07ed6ec9140..f08fa50d54e 100644 --- a/usr.sbin/httpd/src/main/http_core.c +++ b/usr.sbin/httpd/src/main/http_core.c 
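Review bot: The rewritten comment in free_proc_chain (the `kill_after_timeout` / `kill_only_once` branch) never says what "this" is, so the reader cannot tell which behaviour is being called bogus. From the context lines it appears to be that SIGTERM is sent and `need_timeout` is set whether or not the child is still alive; if that is the intent, say so directly, for example `/* Always SIGTERM and wait: there is no portable way to tell here whether the child has already exited. */`. The function body starts and ends outside the hunk.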
@@ -1,4 +1,4 @@ -/* $OpenBSD: http_core.c,v 1.15 2003/08/21 13:11:35 henning Exp $ */ +/* $OpenBSD: http_core.c,v 1.16 2003/11/17 18:57:05 henning Exp $ */ /* ==================================================================== * The Apache Software License, Version 1.1 @@ -1280,7 +1280,7 @@ static const char *set_error_document(cmd_parms *cmd, core_dir_config *conf, if (error_number == 401 && line[0] != '/' && line[0] != '"') { /* Ignore it... */ ap_log_error(APLOG_MARK, APLOG_NOERRNO|APLOG_NOTICE, cmd->server, - "cannot use a full or relative URL in a 401 ErrorDocument " + "cannot use a full URL in a 401 ErrorDocument " "directive --- ignoring!"); } else { /* Store it... */ diff --git a/usr.sbin/httpd/src/main/http_main.c b/usr.sbin/httpd/src/main/http_main.c index a4c4b77bff6..a91e8eaab6b 100644 --- a/usr.sbin/httpd/src/main/http_main.c +++ b/usr.sbin/httpd/src/main/http_main.c @@ -1,4 +1,4 @@ -/* $OpenBSD: http_main.c,v 1.33 2003/10/24 10:38:30 henning Exp $ */ +/* $OpenBSD: http_main.c,v 1.34 2003/11/17 18:57:05 henning Exp $ */ /* ==================================================================== * The Apache Software License, Version 1.1 @@ -3780,11 +3780,7 @@ static int make_sock(pool *p, const struct sockaddr_in *server) #ifndef _OSD_POSIX ap_log_error(APLOG_MARK, APLOG_CRIT, server_conf, "make_sock: for %s, setsockopt: (SO_REUSEADDR)", addr); -#ifdef BEOS closesocket(s); -#else - close(s); -#endif ap_unblock_alarms(); exit(1); #endif /*_OSD_POSIX*/ @@ -3794,11 +3790,7 @@ static int make_sock(pool *p, const struct sockaddr_in *server) if (setsockopt(s, SOL_SOCKET, SO_KEEPALIVE, (char *) &one, sizeof(int)) < 0) { ap_log_error(APLOG_MARK, APLOG_CRIT, server_conf, "make_sock: for %s, setsockopt: (SO_KEEPALIVE)", addr); -#ifdef BEOS closesocket(s); -#else - close(s); -#endif ap_unblock_alarms(); exit(1); 
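Review bot: The new notice text in set_error_document, `"cannot use a full URL in a 401 ErrorDocument "`, describes less than the guard actually rejects. The condition `line[0] != '/' && line[0] != '"'` also refuses a relative URL, so an administrator who configured one is told about a "full URL" they never wrote. Keeping the previous wording, `"cannot use a full or relative URL in a 401 ErrorDocument "`, matches the check; the function continues outside the hunk.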
@@ -3853,11 +3845,7 @@ static int make_sock(pool *p, const struct sockaddr_in *server) GETUSERMODE(); #endif -#ifdef BEOS closesocket(s); -#else - close(s); -#endif ap_unblock_alarms(); exit(1); } @@ -3869,11 +3857,7 @@ static int make_sock(pool *p, const struct sockaddr_in *server) if (listen(s, ap_listenbacklog) == -1) { ap_log_error(APLOG_MARK, APLOG_ERR, server_conf, "make_sock: unable to listen for connections on %s", addr); -#ifdef BEOS closesocket(s); -#else - close(s); -#endif ap_unblock_alarms(); exit(1); } @@ -3923,11 +3907,7 @@ static int make_sock(pool *p, const struct sockaddr_in *server) "larger than FD_SETSIZE (%u) " "found, you probably need to rebuild Apache with a " "larger FD_SETSIZE", addr, s, FD_SETSIZE); -#ifdef BEOS closesocket(s); -#else - close(s); -#endif exit(1); } #endif diff --git a/usr.sbin/httpd/src/main/http_request.c b/usr.sbin/httpd/src/main/http_request.c index c0e27afb749..b936a6c083e 100644 --- a/usr.sbin/httpd/src/main/http_request.c +++ b/usr.sbin/httpd/src/main/http_request.c @@ -1117,7 +1117,15 @@ API_EXPORT(void) ap_die(int type, request_rec *r) * apache code, and continue with the usual REDIRECT handler. * But note that the client will ultimately see the wrong * status... + * + * Also, before updating r->status, we may need to ensure that + * the connection is dropped. For example, there may be + * unread request body that would confuse us if we try + * to read another request. */ + if (ap_status_drops_connection(r->status)) { + r->connection->keepalive = -1; + } r->status = REDIRECT; ap_table_setn(r->headers_out, "Location", custom_response); } diff --git a/usr.sbin/httpd/src/main/rfc1413.c b/usr.sbin/httpd/src/main/rfc1413.c index ebef8be6886..6bc0dbfc72b 100644 --- a/usr.sbin/httpd/src/main/rfc1413.c +++ b/usr.sbin/httpd/src/main/rfc1413.c 
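Review bot: In the ap_die hunk, `r->connection->keepalive = -1;` uses a bare sentinel whose meaning is not stated where it is set. A short trailing comment such as `/* -1: do not reuse this connection */` would make the intent auditable; the exact meaning should be confirmed against the conn_rec declaration, which is not part of this diff. The guard is added only on this external-redirect path. Whether other paths through ap_die that replace an error with a custom response need the same treatment cannot be judged from the hunk, because the function starts and ends outside it.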
@@ -99,6 +99,38 @@ int ap_rfc1413_timeout = RFC1413_TIMEOUT; /* Global so it can be changed */ +#if (defined (NETWARE) || defined (WIN32)) +#define write(a,b,c) send(a,b,c,0) +#define read(a,b,c) recv(a,b,c,0) +#endif + +#ifdef MULTITHREAD +#define RFC_USER_STATIC + +static int setsocktimeout (int sock, int timeout) +{ +#if (defined (NETWARE) || defined (WIN32)) + u_long msec = 0; + + /* Make sure that we are in blocking mode */ + if (ioctlsocket(sock, FIONBIO, &msec) == SOCKET_ERROR) { + return h_errno; + } + + /* Win32 timeouts are in msec, represented as int */ + msec = timeout * 1000; + setsockopt(sock, SOL_SOCKET, SO_RCVTIMEO, + (char *) &msec, sizeof(msec)); + setsockopt(sock, SOL_SOCKET, SO_SNDTIMEO, + (char *) &msec, sizeof(msec)); +#else + /* XXX Needs to be implemented for non-winsock platforms */ +#endif + return 0; +} +#else /* MULTITHREAD */ + +#define RFC_USER_STATIC static static JMP_BUF timebuf; /* ident_timeout - handle timeouts */ @@ -106,6 +138,7 @@ static void ident_timeout(int sig) { ap_longjmp(timebuf, sig); } +#endif /* bind_connect - bind both ends of a socket */ /* Ambarish fix this. Very broken */ 
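Review bot: setsocktimeout() reports success even when no timeout was installed: both `setsockopt()` results are discarded on NetWare/Win32, and the non-winsock `#else` branch is an empty XXX that still reaches `return 0`. The caller added in ap_rfc1413 treats 0 as permission to run the ident query, so in a MULTITHREAD build an unresponsive identd could hold the worker for as long as the socket blocks. I would check both calls and make the unimplemented branch fail until it is written; whether disabling ident lookups that way is acceptable on the affected platforms is for the port maintainers to decide. `timeout * 1000` is also evaluated in `int` before the assignment, which only matters for very large configured timeouts.

```c
static int setsocktimeout (int sock, int timeout)
{
#if (defined (NETWARE) || defined (WIN32))
    /* … unchanged: msec declaration and ioctlsocket() blocking-mode check … */
    msec = timeout * 1000;
    if (setsockopt(sock, SOL_SOCKET, SO_RCVTIMEO,
                   (char *) &msec, sizeof(msec)) == SOCKET_ERROR) {
        return h_errno;
    }
    if (setsockopt(sock, SOL_SOCKET, SO_SNDTIMEO,
                   (char *) &msec, sizeof(msec)) == SOCKET_ERROR) {
        return h_errno;
    }
#else
    /* No timeout can be installed here yet: report failure so the
     * caller does not start a lookup that may block indefinitely. */
    return -1;
#endif
    return 0;
}
```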
@@ -237,22 +270,28 @@ static int get_rfc1413(int sock, const struct sockaddr_in *our_sin, /* rfc1413 - return remote user name, given socket structures */ API_EXPORT(char *) ap_rfc1413(conn_rec *conn, server_rec *srv) { - static char user[RFC1413_USERLEN + 1]; /* XXX */ - static char *result; - static int sock; + RFC_USER_STATIC char user[RFC1413_USERLEN + 1]; /* XXX */ + RFC_USER_STATIC char *result; + RFC_USER_STATIC int sock; result = FROM_UNKNOWN; sock = ap_psocket_ex(conn->pool, AF_INET, SOCK_STREAM, IPPROTO_TCP, 1); if (sock < 0) { - ap_log_error(APLOG_MARK, APLOG_CRIT, srv, - "socket: rfc1413: error creating socket"); - conn->remote_logname = result; + ap_log_error(APLOG_MARK, APLOG_CRIT, srv, + "socket: rfc1413: error creating socket"); + conn->remote_logname = result; } /* * Set up a timer so we won't get stuck while waiting for the server. */ +#ifdef MULTITHREAD + if (setsocktimeout(sock, ap_rfc1413_timeout) == 0) { + if (get_rfc1413(sock, &conn->local_addr, &conn->remote_addr, user, srv) >= 0) + result = ap_pstrdup (conn->pool, user); + } +#else if (ap_setjmp(timebuf) == 0) { ap_set_callback_and_alarm(ident_timeout, ap_rfc1413_timeout); @@ -260,8 +299,10 @@ API_EXPORT(char *) ap_rfc1413(conn_rec *conn, server_rec *srv) result = user; } ap_set_callback_and_alarm(NULL, 0); +#endif ap_pclosesocket(conn->pool, sock); conn->remote_logname = result; return conn->remote_logname; } + diff --git a/usr.sbin/httpd/src/modules/proxy/proxy_ftp.c b/usr.sbin/httpd/src/modules/proxy/proxy_ftp.c index 9195a66f392..a39c111fd0c 100644 --- a/usr.sbin/httpd/src/modules/proxy/proxy_ftp.c +++ b/usr.sbin/httpd/src/modules/proxy/proxy_ftp.c 
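Review bot: In ap_rfc1413 the `if (sock < 0)` block logs the failure and sets `conn->remote_logname`, but it does not return. Execution therefore continues into `setsocktimeout()` / `get_rfc1413()` (or the alarm path) and finally `ap_pclosesocket(conn->pool, sock)` with a negative descriptor. The hunk only re-indents these lines, so the fall-through is carried over unchanged; adding `return conn->remote_logname;` as the last statement of that block stops it. The end of the function is in the following hunk.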
@@ -547,13 +547,14 @@ static int ftp_cleanup_and_return(request_rec *r, BUFF *ctrl, BUFF *data, int cs */ int ap_proxy_ftp_handler(request_rec *r, cache_req *c, char *url) { - char *host, *path, *strp, *parms; + char *desthost, *path, *strp, *parms; + char *strp2; char *cwd = NULL; char *user = NULL; /* char *account = NULL; how to supply an account in a URL? */ const char *password = NULL; const char *err; - int port, i, j, len, rc, nocache = 0; + int destport, i, j, len, rc, nocache = 0; int csd = 0, sock = -1, dsock = -1; struct sockaddr_in server; struct hostent server_hp; @@ -562,6 +563,8 @@ int ap_proxy_ftp_handler(request_rec *r, cache_req *c, char *url) BUFF *ctrl = NULL; BUFF *data = NULL; pool *p = r->pool; + char *destportstr = NULL; + const char *urlptr = NULL; int one = 1; NET_SIZE_T clen; char xfer_type = 'A'; /* after ftp login, the default is ASCII */ @@ -593,17 +596,34 @@ int ap_proxy_ftp_handler(request_rec *r, cache_req *c, char *url) /* We break the URL into host, port, path-search */ - host = r->parsed_uri.hostname; - port = (r->parsed_uri.port != 0) - ? r->parsed_uri.port - : ap_default_port_for_request(r); - path = ap_pstrdup(p, r->parsed_uri.path); - if (path == NULL) - path = ""; - else - while (*path == '/') - ++path; + urlptr = strstr(url, "://"); + if (urlptr == NULL) + return HTTP_BAD_REQUEST; + urlptr += 3; + destport = 21; + strp = strchr(urlptr, '/'); + if (strp == NULL) { + desthost = ap_pstrdup(p, urlptr); + urlptr = "/"; + } + else { + char *q = ap_palloc(p, strp - urlptr + 1); + memcpy(q, urlptr, strp - urlptr); + q[strp - urlptr] = '\0'; + urlptr = strp; + desthost = q; + } + strp2 = strchr(desthost, ':'); + if (strp2 != NULL) { + *(strp2++) = '\0'; + if (ap_isdigit(*strp2)) { + destport = atoi(strp2); + destportstr = strp2; + } + } + path = strchr(urlptr, '/')+1; + /* * The "Authorization:" header must be checked first. We allow the user * to "override" the URL-coded user [ & password ] in the Browsers' 
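Review bot: The port taken from the URL is never range-checked: `destport = atoi(strp2);` accepts any digit string, and the later `htons((unsigned short)destport)` in the next hunk truncates it without any check. The port written to the debug log can then differ from the one actually connected to. Rejecting out-of-range values right after the conversion, e.g. `if (destport < 1 || destport > 65535) return HTTP_BAD_REQUEST;`, keeps the two consistent. Separately, `desthost` is everything between `://` and the first `/`; if the URL still carries `user:password@` at this point, `strchr(desthost, ':')` would split inside the userinfo rather than before the port. The credential handling lies outside this hunk, so that needs confirming against the rest of ap_proxy_ftp_handler.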
@@ -643,25 +663,25 @@ int ap_proxy_ftp_handler(request_rec *r, cache_req *c, char *url) } /* check if ProxyBlock directive on this host */ - destaddr.s_addr = ap_inet_addr(host); + destaddr.s_addr = ap_inet_addr(desthost); for (i = 0; i < conf->noproxies->nelts; i++) { if (destaddr.s_addr == npent[i].addr.s_addr || (npent[i].name != NULL && - (npent[i].name[0] == '*' || strstr(host, npent[i].name) != NULL))) + (npent[i].name[0] == '*' || strstr(desthost, npent[i].name) != NULL))) return ap_proxyerror(r, HTTP_FORBIDDEN, "Connect to remote machine blocked"); } - ap_log_error(APLOG_MARK, APLOG_DEBUG | APLOG_NOERRNO, r->server, "FTP: connect to %s:%d", host, port); + ap_log_error(APLOG_MARK, APLOG_DEBUG | APLOG_NOERRNO, r->server, "FTP: connect to %s:%d", desthost, destport); - parms = strchr(path, ';'); + parms = strchr(url, ';'); if (parms != NULL) *(parms++) = '\0'; memset(&server, 0, sizeof(struct sockaddr_in)); server.sin_family = AF_INET; - server.sin_port = htons((unsigned short)port); - err = ap_proxy_host2addr(host, &server_hp); + server.sin_port = htons((unsigned short)destport); + err = ap_proxy_host2addr(desthost, &server_hp); if (err != NULL) return ap_proxyerror(r, HTTP_INTERNAL_SERVER_ERROR, err); @@ -1293,7 +1313,7 @@ int ap_proxy_ftp_handler(request_rec *r, cache_req *c, char *url) if (destaddr.s_addr == ncent[i].addr.s_addr || (ncent[i].name != NULL && (ncent[i].name[0] == '*' || - strstr(host, ncent[i].name) != NULL))) { + strstr(desthost, ncent[i].name) != NULL))) { nocache = 1; break; } diff --git a/usr.sbin/httpd/src/modules/ssl/Makefile.tmpl b/usr.sbin/httpd/src/modules/ssl/Makefile.tmpl index 38162731d72..0ee5efe798a 100644 --- a/usr.sbin/httpd/src/modules/ssl/Makefile.tmpl +++ b/usr.sbin/httpd/src/modules/ssl/Makefile.tmpl 
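Review bot: `parms = strchr(url, ';');` now scans from the scheme onward instead of from the path, so a `;` anywhere before the path is treated as the start of the FTP type parameter and overwritten with NUL in the caller's `url` buffer. `path` is derived from the same string in the previous hunk, so `parms = strchr(path, ';');` would restrict the search to the part that can legitimately carry `;type=`. ap_proxy_ftp_handler continues well beyond this hunk, so later uses of `parms` should be checked against whichever form is kept.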
@@ -9,7 +9,7 @@ ## ## ==================================================================== -## Copyright (c) 1998-2001 Ralf S. Engelschall. All rights reserved. +## Copyright (c) 1998-2003 Ralf S. Engelschall. All rights reserved. ## ## Redistribution and use in source and binary forms, with or without ## modification, are permitted provided that the following conditions diff --git a/usr.sbin/httpd/src/modules/ssl/Makefile.win32 b/usr.sbin/httpd/src/modules/ssl/Makefile.win32 index 92781c182f9..53efc8e5ffd 100644 --- a/usr.sbin/httpd/src/modules/ssl/Makefile.win32 +++ b/usr.sbin/httpd/src/modules/ssl/Makefile.win32 @@ -10,7 +10,7 @@ ## ## ==================================================================== -## Copyright (c) 1998-2001 Ralf S. Engelschall. All rights reserved. +## Copyright (c) 1998-2003 Ralf S. Engelschall. All rights reserved. ## ## Redistribution and use in source and binary forms, with or without ## modification, are permitted provided that the following conditions diff --git a/usr.sbin/httpd/src/modules/ssl/libssl.module b/usr.sbin/httpd/src/modules/ssl/libssl.module index 7b25d02afc8..bac4dc9f860 100644 --- a/usr.sbin/httpd/src/modules/ssl/libssl.module +++ b/usr.sbin/httpd/src/modules/ssl/libssl.module @@ -10,7 +10,7 @@ ## ## ==================================================================== -## Copyright (c) 1998-2001 Ralf S. Engelschall. All rights reserved. +## Copyright (c) 1998-2003 Ralf S. Engelschall. All rights reserved. ## ## Redistribution and use in source and binary forms, with or without ## modification, are permitted provided that the following conditions diff --git a/usr.sbin/httpd/src/modules/ssl/libssl.version b/usr.sbin/httpd/src/modules/ssl/libssl.version index 27741bbb5e1..041ddcfe1c1 100644 --- a/usr.sbin/httpd/src/modules/ssl/libssl.version +++ b/usr.sbin/httpd/src/modules/ssl/libssl.version @@ -1 +1 @@ -mod_ssl/2.8.15-1.3.28 +mod_ssl/2.8.16-1.3.29 
diff --git a/usr.sbin/httpd/src/modules/ssl/mod_ssl.c b/usr.sbin/httpd/src/modules/ssl/mod_ssl.c index 04995fb3ea3..160eb22c355 100644 --- a/usr.sbin/httpd/src/modules/ssl/mod_ssl.c +++ b/usr.sbin/httpd/src/modules/ssl/mod_ssl.c @@ -9,7 +9,7 @@ */ /* ==================================================================== - * Copyright (c) 1998-2001 Ralf S. Engelschall. All rights reserved. + * Copyright (c) 1998-2003 Ralf S. Engelschall. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -74,7 +74,7 @@ * identify the module to SCCS `what' and RCS `ident' commands */ static char const sccsid[] = "@(#) mod_ssl/" MOD_SSL_VERSION " >"; -static char const rcsid[] = "$Id: mod_ssl.c,v 1.8 2001/06/20 18:06:15 brad Exp $"; +static char const rcsid[] = "$Id: mod_ssl.c,v 1.9 2003/11/17 18:57:05 henning Exp $"; /* * the table of configuration directives we provide diff --git a/usr.sbin/httpd/src/modules/ssl/mod_ssl.h b/usr.sbin/httpd/src/modules/ssl/mod_ssl.h index 8d881940d48..9f78fb1f8be 100644 --- a/usr.sbin/httpd/src/modules/ssl/mod_ssl.h +++ b/usr.sbin/httpd/src/modules/ssl/mod_ssl.h @@ -9,7 +9,7 @@ */ /* ==================================================================== - * Copyright (c) 1998-2001 Ralf S. Engelschall. All rights reserved. + * Copyright (c) 1998-2003 Ralf S. Engelschall. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_compat.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_compat.c index ba1039b1ae7..691ca13b54f 100644 --- a/usr.sbin/httpd/src/modules/ssl/ssl_engine_compat.c +++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_compat.c 
@@ -9,7 +9,7 @@ */ /* ==================================================================== - * Copyright (c) 1998-2001 Ralf S. Engelschall. All rights reserved. + * Copyright (c) 1998-2003 Ralf S. Engelschall. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_config.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_config.c index 3ff679ea1a4..d6276ea7922 100644 --- a/usr.sbin/httpd/src/modules/ssl/ssl_engine_config.c +++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_config.c @@ -9,7 +9,7 @@ */ /* ==================================================================== - * Copyright (c) 1998-2001 Ralf S. Engelschall. All rights reserved. + * Copyright (c) 1998-2003 Ralf S. Engelschall. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_dh.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_dh.c index c698a90eaba..f774b2880ca 100644 --- a/usr.sbin/httpd/src/modules/ssl/ssl_engine_dh.c +++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_dh.c @@ -12,7 +12,7 @@ */ /* ==================================================================== - * Copyright (c) 1998-2001 Ralf S. Engelschall. All rights reserved. + * Copyright (c) 1998-2003 Ralf S. Engelschall. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_ds.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_ds.c index f0f9e00e48c..04727d5323e 100644 --- a/usr.sbin/httpd/src/modules/ssl/ssl_engine_ds.c +++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_ds.c 
@@ -9,7 +9,7 @@ */ /* ==================================================================== - * Copyright (c) 1998-2001 Ralf S. Engelschall. All rights reserved. + * Copyright (c) 1998-2003 Ralf S. Engelschall. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_ext.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_ext.c index b7df879650c..61c63c765a8 100644 --- a/usr.sbin/httpd/src/modules/ssl/ssl_engine_ext.c +++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_ext.c @@ -9,7 +9,7 @@ */ /* ==================================================================== - * Copyright (c) 1998-2001 Ralf S. Engelschall. All rights reserved. + * Copyright (c) 1998-2003 Ralf S. Engelschall. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_init.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_init.c index d93c2fff8ab..8e7b7d94e57 100644 --- a/usr.sbin/httpd/src/modules/ssl/ssl_engine_init.c +++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_init.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_engine_init.c,v 1.22 2003/03/19 15:13:26 henning Exp $ */ +/* $OpenBSD: ssl_engine_init.c,v 1.23 2003/11/17 18:57:06 henning Exp $ */ /* _ _ ** _ __ ___ ___ __| | ___ ___| | mod_ssl @@ -11,7 +11,7 @@ */ /* ==================================================================== - * Copyright (c) 1998-2001 Ralf S. Engelschall. All rights reserved. + * Copyright (c) 1998-2003 Ralf S. Engelschall. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_io.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_io.c index d0bdd45066d..63347a159d4 100644 
--- a/usr.sbin/httpd/src/modules/ssl/ssl_engine_io.c +++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_io.c @@ -9,7 +9,7 @@ */ /* ==================================================================== - * Copyright (c) 1998-2001 Ralf S. Engelschall. All rights reserved. + * Copyright (c) 1998-2003 Ralf S. Engelschall. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_kernel.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_kernel.c index 318397922bc..e21d9c2421c 100644 --- a/usr.sbin/httpd/src/modules/ssl/ssl_engine_kernel.c +++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_kernel.c @@ -9,7 +9,7 @@ */ /* ==================================================================== - * Copyright (c) 1998-2001 Ralf S. Engelschall. All rights reserved. + * Copyright (c) 1998-2003 Ralf S. Engelschall. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -253,7 +253,8 @@ void ssl_hook_NewConnection(conn_rec *conn) ap_ctx_set(ap_global_ctx, "ssl::handshake::timeout", (void *)FALSE); return; } - else if (ERR_GET_REASON(ERR_peek_error()) == SSL_R_HTTP_REQUEST) { + else if ((ERR_GET_REASON(ERR_peek_error()) == SSL_R_HTTP_REQUEST) && + (ERR_GET_LIB(ERR_peek_error()) == ERR_LIB_SSL)) { /* * The case where OpenSSL has recognized a HTTP request: * This means the client speaks plain HTTP on our HTTPS 
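Review bot: The new condition in ssl_hook_NewConnection calls `ERR_peek_error()` twice and decodes reason and library from separate calls. Reading it once, `unsigned long e = ERR_peek_error();`, and testing `ERR_GET_LIB(e) == ERR_LIB_SSL && ERR_GET_REASON(e) == SSL_R_HTTP_REQUEST` makes it evident that both fields come from the same queue entry, and it puts the library check, which gives the reason code its meaning, first. The declaration would have to go at the top of the enclosing block, which is outside this hunk.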
@@ -964,11 +965,11 @@ int ssl_hook_Access(request_rec *r) certstack = SSL_get_peer_cert_chain(ssl); cert = SSL_get_peer_certificate(ssl); if (certstack == NULL && cert != NULL) { - /* client cert is in the session cache, but there is - no chain, since ssl3_get_client_certificate() - sk_X509_shift'ed the peer cert out of the chain. - So we put it back here for the purpose of quick - renegotiation. */ + /* client certificate is in the SSL session cache, but + there is no chain, since ssl3_get_client_certificate() + sk_X509_shift()'ed the peer certificate out of the + chain. So we put it back here for the purpose of quick + renegotiation. */ certstack = sk_new_null(); sk_X509_push(certstack, cert); } @@ -995,10 +996,12 @@ int ssl_hook_Access(request_rec *r) SSL_set_verify_result(ssl, certstorectx.error); X509_STORE_CTX_cleanup(&certstorectx); if (SSL_get_peer_cert_chain(ssl) != certstack) { - /* created by us, so free it */ + /* created by us above, so free it */ sk_X509_pop_free(certstack, X509_free); } - X509_free(cert); + else { + /* X509_free(cert); not necessary AFAIK --rse */ + } } else { /* do a full renegotiation */ diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_log.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_log.c index 8c334d74a6b..e5bf3107707 100644 --- a/usr.sbin/httpd/src/modules/ssl/ssl_engine_log.c +++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_log.c @@ -9,7 +9,7 @@ */ /* ==================================================================== - * Copyright (c) 1998-2001 Ralf S. Engelschall. All rights reserved. + * Copyright (c) 1998-2003 Ralf S. Engelschall. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_mutex.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_mutex.c index 514cfecd731..e87c5dfa2d2 100644 --- a/usr.sbin/httpd/src/modules/ssl/ssl_engine_mutex.c 
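Review bot: In ssl_hook_Access the new `else` branch never releases `cert`, which looks like a reference leak if `SSL_get_peer_certificate()` returns a counted reference (as I believe it does in OpenSSL; please confirm for the version in use). The double free is gone on the path where `cert` was pushed onto our own stack and freed by `sk_X509_pop_free()`. On the path where the chain came from `SSL_get_peer_cert_chain()`, however, nothing drops the reference any more. If that is confirmed, the `else` body should be `X509_free(cert);`; if it is not, replace the commented-out call and the "AFAIK" with a comment stating who owns `cert` on each path.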
+++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_mutex.c @@ -9,7 +9,7 @@ */ /* ==================================================================== - * Copyright (c) 1998-2001 Ralf S. Engelschall. All rights reserved. + * Copyright (c) 1998-2003 Ralf S. Engelschall. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_pphrase.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_pphrase.c index 2821076829b..d887a014b41 100644 --- a/usr.sbin/httpd/src/modules/ssl/ssl_engine_pphrase.c +++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_pphrase.c @@ -9,7 +9,7 @@ */ /* ==================================================================== - * Copyright (c) 1998-2001 Ralf S. Engelschall. All rights reserved. + * Copyright (c) 1998-2003 Ralf S. Engelschall. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -237,6 +237,9 @@ void ssl_pphrase_Handle(server_rec *s, pool *p) ssl_die(); } cpPassPhraseCur = NULL; + /* Ensure that the error stack is empty; otherwise the + OpenSSL UI code may dump it to stderr. */ + ERR_clear_error(); bReadable = ((pPrivateKey = SSL_read_PrivateKey(fp, NULL, ssl_pphrase_Handle_CB)) != NULL ? TRUE : FALSE); ap_pfclose(p, fp); diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_rand.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_rand.c index 98550060d02..86cbf6a0653 100644 --- a/usr.sbin/httpd/src/modules/ssl/ssl_engine_rand.c +++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_rand.c 
@@ -9,7 +9,7 @@ */ /* ==================================================================== - * Copyright (c) 1998-2001 Ralf S. Engelschall. All rights reserved. + * Copyright (c) 1998-2003 Ralf S. Engelschall. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_vars.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_vars.c index 313fbee2365..958c0530f27 100644 --- a/usr.sbin/httpd/src/modules/ssl/ssl_engine_vars.c +++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_vars.c @@ -9,7 +9,7 @@ */ /* ==================================================================== - * Copyright (c) 1998-2001 Ralf S. Engelschall. All rights reserved. + * Copyright (c) 1998-2003 Ralf S. Engelschall. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_expr.c b/usr.sbin/httpd/src/modules/ssl/ssl_expr.c index 49ab873dedc..e992621ef29 100644 --- a/usr.sbin/httpd/src/modules/ssl/ssl_expr.c +++ b/usr.sbin/httpd/src/modules/ssl/ssl_expr.c @@ -9,7 +9,7 @@ */ /* ==================================================================== - * Copyright (c) 1998-2001 Ralf S. Engelschall. All rights reserved. + * Copyright (c) 1998-2003 Ralf S. Engelschall. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_expr.h b/usr.sbin/httpd/src/modules/ssl/ssl_expr.h index 419bb021927..adf12e51639 100644 --- a/usr.sbin/httpd/src/modules/ssl/ssl_expr.h +++ b/usr.sbin/httpd/src/modules/ssl/ssl_expr.h 
@@ -9,7 +9,7 @@ */ /* ==================================================================== - * Copyright (c) 1998-2001 Ralf S. Engelschall. All rights reserved. + * Copyright (c) 1998-2003 Ralf S. Engelschall. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_expr_eval.c b/usr.sbin/httpd/src/modules/ssl/ssl_expr_eval.c index dc7e7b63074..dfcbf9e13dd 100644 --- a/usr.sbin/httpd/src/modules/ssl/ssl_expr_eval.c +++ b/usr.sbin/httpd/src/modules/ssl/ssl_expr_eval.c @@ -9,7 +9,7 @@ */ /* ==================================================================== - * Copyright (c) 1998-2001 Ralf S. Engelschall. All rights reserved. + * Copyright (c) 1998-2003 Ralf S. Engelschall. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_expr_parse.y b/usr.sbin/httpd/src/modules/ssl/ssl_expr_parse.y index 1e3ad6e5137..8ac78e57142 100644 --- a/usr.sbin/httpd/src/modules/ssl/ssl_expr_parse.y +++ b/usr.sbin/httpd/src/modules/ssl/ssl_expr_parse.y @@ -9,7 +9,7 @@ */ /* ==================================================================== - * Copyright (c) 1998-2001 Ralf S. Engelschall. All rights reserved. + * Copyright (c) 1998-2003 Ralf S. Engelschall. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_expr_scan.l b/usr.sbin/httpd/src/modules/ssl/ssl_expr_scan.l index a0db7cccdeb..005e4b58c3e 100644 --- a/usr.sbin/httpd/src/modules/ssl/ssl_expr_scan.l +++ b/usr.sbin/httpd/src/modules/ssl/ssl_expr_scan.l 
@@ -9,7 +9,7 @@ */ /* ==================================================================== - * Copyright (c) 1998-2001 Ralf S. Engelschall. All rights reserved. + * Copyright (c) 1998-2003 Ralf S. Engelschall. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_scache.c b/usr.sbin/httpd/src/modules/ssl/ssl_scache.c index 139c7865fec..2b063b50ac8 100644 --- a/usr.sbin/httpd/src/modules/ssl/ssl_scache.c +++ b/usr.sbin/httpd/src/modules/ssl/ssl_scache.c @@ -9,7 +9,7 @@ */ /* ==================================================================== - * Copyright (c) 1998-2001 Ralf S. Engelschall. All rights reserved. + * Copyright (c) 1998-2003 Ralf S. Engelschall. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_scache_dbm.c b/usr.sbin/httpd/src/modules/ssl/ssl_scache_dbm.c index 96e4b92e6ee..d01b7c754f7 100644 --- a/usr.sbin/httpd/src/modules/ssl/ssl_scache_dbm.c +++ b/usr.sbin/httpd/src/modules/ssl/ssl_scache_dbm.c @@ -9,7 +9,7 @@ */ /* ==================================================================== - * Copyright (c) 1998-2001 Ralf S. Engelschall. All rights reserved. + * Copyright (c) 1998-2003 Ralf S. Engelschall. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_scache_shmcb.c b/usr.sbin/httpd/src/modules/ssl/ssl_scache_shmcb.c index 1cf5816dfd6..fa9cbf5176e 100644 --- a/usr.sbin/httpd/src/modules/ssl/ssl_scache_shmcb.c +++ b/usr.sbin/httpd/src/modules/ssl/ssl_scache_shmcb.c 
@@ -9,7 +9,7 @@ */ /* ==================================================================== - * Copyright (c) 2000-2001 Ralf S. Engelschall. All rights reserved. + * Copyright (c) 2000-2003 Ralf S. Engelschall. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_scache_shmht.c b/usr.sbin/httpd/src/modules/ssl/ssl_scache_shmht.c index fad41e09ff0..94a0ad9f0a7 100644 --- a/usr.sbin/httpd/src/modules/ssl/ssl_scache_shmht.c +++ b/usr.sbin/httpd/src/modules/ssl/ssl_scache_shmht.c @@ -9,7 +9,7 @@ */ /* ==================================================================== - * Copyright (c) 1998-2001 Ralf S. Engelschall. All rights reserved. + * Copyright (c) 1998-2003 Ralf S. Engelschall. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_util.c b/usr.sbin/httpd/src/modules/ssl/ssl_util.c index 0c3b04a0358..b01d5d43c2f 100644 --- a/usr.sbin/httpd/src/modules/ssl/ssl_util.c +++ b/usr.sbin/httpd/src/modules/ssl/ssl_util.c @@ -9,7 +9,7 @@ */ /* ==================================================================== - * Copyright (c) 1998-2001 Ralf S. Engelschall. All rights reserved. + * Copyright (c) 1998-2003 Ralf S. Engelschall. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_util_sdbm.c b/usr.sbin/httpd/src/modules/ssl/ssl_util_sdbm.c index be156aedc35..8a3afbc2b75 100644 --- a/usr.sbin/httpd/src/modules/ssl/ssl_util_sdbm.c +++ b/usr.sbin/httpd/src/modules/ssl/ssl_util_sdbm.c 
@@ -9,7 +9,7 @@ */ /* ==================================================================== - * Copyright (c) 1998-2001 Ralf S. Engelschall. All rights reserved. + * Copyright (c) 1998-2003 Ralf S. Engelschall. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_util_sdbm.h b/usr.sbin/httpd/src/modules/ssl/ssl_util_sdbm.h index 723e8095b40..213a3f2ec29 100644 --- a/usr.sbin/httpd/src/modules/ssl/ssl_util_sdbm.h +++ b/usr.sbin/httpd/src/modules/ssl/ssl_util_sdbm.h @@ -9,7 +9,7 @@ */ /* ==================================================================== - * Copyright (c) 1998-2001 Ralf S. Engelschall. All rights reserved. + * Copyright (c) 1998-2003 Ralf S. Engelschall. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_util_ssl.c b/usr.sbin/httpd/src/modules/ssl/ssl_util_ssl.c index e076f7cb0a3..543680890cc 100644 --- a/usr.sbin/httpd/src/modules/ssl/ssl_util_ssl.c +++ b/usr.sbin/httpd/src/modules/ssl/ssl_util_ssl.c @@ -9,7 +9,7 @@ */ /* ==================================================================== - * Copyright (c) 1998-2001 Ralf S. Engelschall. All rights reserved. + * Copyright (c) 1998-2003 Ralf S. Engelschall. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_util_ssl.h b/usr.sbin/httpd/src/modules/ssl/ssl_util_ssl.h index 66b8b9fa270..56c9a044186 100644 --- a/usr.sbin/httpd/src/modules/ssl/ssl_util_ssl.h +++ b/usr.sbin/httpd/src/modules/ssl/ssl_util_ssl.h 
@@ -9,7 +9,7 @@ */ /* ==================================================================== - * Copyright (c) 1998-2001 Ralf S. Engelschall. All rights reserved. + * Copyright (c) 1998-2003 Ralf S. Engelschall. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_util_table.c b/usr.sbin/httpd/src/modules/ssl/ssl_util_table.c index 6473b983253..9860e59b0a2 100644 --- a/usr.sbin/httpd/src/modules/ssl/ssl_util_table.c +++ b/usr.sbin/httpd/src/modules/ssl/ssl_util_table.c @@ -9,7 +9,7 @@ */ /* ==================================================================== - * Copyright (c) 1999-2001 Ralf S. Engelschall. All rights reserved. + * Copyright (c) 1999-2003 Ralf S. Engelschall. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_util_table.h b/usr.sbin/httpd/src/modules/ssl/ssl_util_table.h index 69c53bd8a09..1cccf5b8681 100644 --- a/usr.sbin/httpd/src/modules/ssl/ssl_util_table.h +++ b/usr.sbin/httpd/src/modules/ssl/ssl_util_table.h @@ -9,7 +9,7 @@ */ /* ==================================================================== - * Copyright (c) 1999-2001 Ralf S. Engelschall. All rights reserved. + * Copyright (c) 1999-2003 Ralf S. Engelschall. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions diff --git a/usr.sbin/httpd/src/modules/standard/mod_include.c b/usr.sbin/httpd/src/modules/standard/mod_include.c index fd3b019c8ea..87e1cbdf046 100644 --- a/usr.sbin/httpd/src/modules/standard/mod_include.c +++ b/usr.sbin/httpd/src/modules/standard/mod_include.c 
@@ -1506,6 +1506,7 @@ static int parse_expr(request_rec *r, const char *expr, const char *error) } else { new->left = current->right; + new->left->parent = new; current->right = new; new->parent = current; } @@ -1609,6 +1610,7 @@ static int parse_expr(request_rec *r, const char *expr, const char *error) } else { new->left = current->right; + new->left->parent = new; current->right = new; new->parent = current; } diff --git a/usr.sbin/httpd/src/modules/standard/mod_mime.c b/usr.sbin/httpd/src/modules/standard/mod_mime.c index f22051ebc58..32c0f03e4cf 100644 --- a/usr.sbin/httpd/src/modules/standard/mod_mime.c +++ b/usr.sbin/httpd/src/modules/standard/mod_mime.c @@ -1,4 +1,4 @@ -/* $OpenBSD: mod_mime.c,v 1.13 2003/08/21 13:11:37 henning Exp $ */ +/* $OpenBSD: mod_mime.c,v 1.14 2003/11/17 18:57:06 henning Exp $ */ /* ==================================================================== * The Apache Software License, Version 1.1 @@ -352,7 +352,7 @@ static void init_mime(server_rec *s, pool *p) if (!(f = ap_pcfg_openfile(p, types_confname))) { ap_log_error(APLOG_MARK, APLOG_ERR, s, - "could not open mime types log file %s.", types_confname); + "could not open mime types config file %s.", types_confname); exit(1); } diff --git a/usr.sbin/httpd/src/modules/standard/mod_usertrack.c b/usr.sbin/httpd/src/modules/standard/mod_usertrack.c index aaab2e76591..2de49ed2a91 100644 --- a/usr.sbin/httpd/src/modules/standard/mod_usertrack.c +++ b/usr.sbin/httpd/src/modules/standard/mod_usertrack.c @@ -126,6 +126,8 @@ typedef struct { char *cookie_name; char *cookie_domain; char *prefix_string; + char *regexp_string; /* used to compile regexp; save for debugging */ + regex_t *regexp; /* used to find usertrack cookie in cookie header */ } cookie_dir_rec; /* Define this to allow post-2000 cookies. Cookies use two-digit dates, 
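Review bot: The added `new->left->parent = new;` in the `else` branch of parse_expr (here and again in the hunk at -1609) dereferences `new->left` immediately after it is copied from `current->right`, with no check that `current->right` is non-NULL. Whether `current` can reach this branch with an empty right child is not visible in either hunk; if it can, a malformed SSI expression becomes a NULL dereference in the server child instead of a parse error. Writing it as `if (new->left != NULL) new->left->parent = new;`, or sending the empty case to the function's existing error return, keeps the parent-link fix without that risk. parse_expr starts and ends outside both hunks.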
@@ -284,35 +286,48 @@ static void make_cookie(request_rec *r) return; } +/* dcfg->regexp is "^cookie_name=([^;]+)|;[ \t]+cookie_name=([^;]+)", + * which has three subexpressions, $0..$2 */ +#define NUM_SUBS 3 + static int spot_cookie(request_rec *r) { cookie_dir_rec *dcfg = ap_get_module_config(r->per_dir_config, &usertrack_module); - const char *cookie; - char *value; + const char *cookie_header; + regmatch_t regm[NUM_SUBS]; + int i; if (!dcfg->enabled) { return DECLINED; } - if ((cookie = ap_table_get(r->headers_in, - (dcfg->style == CT_COOKIE2 - ? "Cookie2" - : "Cookie")))) - if ((value = strstr(cookie, dcfg->cookie_name))) { - char *cookiebuf, *cookieend; - - value += strlen(dcfg->cookie_name) + 1; /* Skip over the '=' */ - cookiebuf = ap_pstrdup(r->pool, value); - cookieend = strchr(cookiebuf, ';'); - if (cookieend) - *cookieend = '\0'; /* Ignore anything after a ; */ - - /* Set the cookie in a note, for logging */ - ap_table_setn(r->notes, "cookie", cookiebuf); - - return DECLINED; /* There's already a cookie, no new one */ - } + if ((cookie_header = ap_table_get(r->headers_in, + (dcfg->style == CT_COOKIE2 + ? "Cookie2" + : "Cookie")))) { + if (!ap_regexec(dcfg->regexp, cookie_header, NUM_SUBS, regm, 0)) { + char *cookieval = NULL; + /* Our regexp, + * ^cookie_name=([^;]+)|;[ \t]+cookie_name=([^;]+) + * only allows for $1 or $2 to be available. ($0 is always + * filled with the entire matched expression, not just + * the part in parentheses.) So just check for either one + * and assign to cookieval if present. */ + if (regm[1].rm_so != -1) { + cookieval = ap_pregsub(r->pool, "$1", cookie_header, + NUM_SUBS, regm); + } + if (regm[2].rm_so != -1) { + cookieval = ap_pregsub(r->pool, "$2", cookie_header, + NUM_SUBS, regm); + } + /* Set the cookie in a note, for logging */ + ap_table_setn(r->notes, "cookie", cookieval); + + return DECLINED; /* There's already a cookie, no new one */ + } + } make_cookie(r); return OK; /* We set our cookie */ } 
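Review bot: spot_cookie now hands `dcfg->regexp` to `ap_regexec` unchecked, and the only place this diff compiles that pattern is set_cookie_name, which runs when a cookie name is configured explicitly. The per-directory config constructor and merge are not shown; if they still only fill in the default cookie name, a configuration that enables tracking without naming the cookie reaches `ap_regexec` with a NULL pattern. Compile the default-name pattern where the config record is created, or treat a NULL `dcfg->regexp` here as "no cookie found". As a style point, the two `if (regm[n].rm_so != -1)` tests are mutually exclusive by construction and would read more clearly as `if` / `else if`.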
@@ -422,7 +437,26 @@ static const char *set_cookie_name(cmd_parms *cmd, void *mconfig, char *name) { cookie_dir_rec *dcfg = (cookie_dir_rec *) mconfig; + /* The goal is to end up with this regexp, + * ^cookie_name=([^;]+)|;[ \t]+cookie_name=([^;]+) + * with cookie_name + * obviously substituted with the real cookie name set by the + * user in httpd.conf. */ + dcfg->regexp_string = ap_pstrcat(cmd->pool, "^", name, + "=([^;]+)|;[ \t]+", name, + "=([^;]+)", NULL); + dcfg->cookie_name = ap_pstrdup(cmd->pool, name); + + dcfg->regexp = ap_pregcomp(cmd->pool, dcfg->regexp_string, REG_EXTENDED); + if (dcfg->regexp == NULL) { + return "Regular expression could not be compiled."; + } + if (dcfg->regexp->re_nsub + 1 != NUM_SUBS) { + return ap_pstrcat(cmd->pool, "Invalid cookie name \"", + name, "\"", NULL); + } + return NULL; } diff --git a/usr.sbin/httpd/src/support/ab.c b/usr.sbin/httpd/src/support/ab.c index 6b7827a2ac8..ef25566a871 100644 --- a/usr.sbin/httpd/src/support/ab.c +++ b/usr.sbin/httpd/src/support/ab.c 
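Review bot: `name` is concatenated into the pattern unescaped in set_cookie_name, so a regex metacharacter in the configured cookie name (`.`, `*`, `[`, `|`) changes what spot_cookie matches; the `re_nsub + 1 != NUM_SUBS` test only catches names that add capture groups. That can bring back the false-positive matches on the cookie name that this change is meant to remove. Validate the name against the characters allowed in a cookie token before building the pattern, or escape it. Also, `dcfg->cookie_name` is assigned before the two error returns, so a rejected name is still left in the config record; moving `dcfg->cookie_name = ap_pstrdup(cmd->pool, name);` after the checks keeps the record consistent.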
@@ -1357,14 +1357,15 @@ static void test(void) static void copyright(void) { if (!use_html) { - printf("This is ApacheBench, Version %s\n", VERSION " <$Revision: 1.13 $> apache-1.3"); + printf("This is ApacheBench, Version %s\n", VERSION " <$Revision: 1.14 $> apache-1.3"); printf("Copyright (c) 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/\n"); printf("Copyright (c) 1998-2002 The Apache Software Foundation, http://www.apache.org/\n"); printf("\n"); } else { printf("<p>\n"); - printf(" This is ApacheBench, Version %s <i><%s></i> apache-1.3<br>\n", VERSION, "$Revision: 1.13 $"); printf(" Copyright (c) 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/<br>\n"); + printf(" This is ApacheBench, Version %s <i><%s></i> apache-1.3<br>\n", VERSION, "$Revision: 1.14 $"); + printf(" Copyright (c) 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/<br>\n"); printf(" Copyright (c) 1998-2002 The Apache Software Foundation, http://www.apache.org/<br>\n"); printf("</p>\n<p>\n"); } @@ -1591,7 +1592,12 @@ int main(int argc, char **argv) */ while (isspace((int)*optarg)) optarg++; - l = ap_base64encode(tmp, optarg, strlen(optarg)); + if (ap_base64encode_len(strlen(optarg)) > sizeof(tmp)) { + fprintf(stderr, "%s: Authentication credentials too long\n", + argv[0]); + exit(1); + } + l = ap_base64encode(tmp, optarg, strlen(optarg)); tmp[l] = '\0'; strncat(auth, "Authorization: Basic ", sizeof(auth)-strlen(auth)-1); @@ -1604,6 +1610,10 @@ int main(int argc, char **argv) */ while (isspace((int)*optarg)) optarg++; + if (ap_base64encode_len(strlen(optarg)) > sizeof(tmp)) { + fprintf(stderr, "%s: Proxy credentials too long\n", argv[0]); + exit(1); + } l = ap_base64encode(tmp, optarg, strlen(optarg)); tmp[l] = '\0'; diff --git a/usr.sbin/httpd/src/support/dbmmanage b/usr.sbin/httpd/src/support/dbmmanage index 3a9602d9cfe..2ca1250714d 100644 --- a/usr.sbin/httpd/src/support/dbmmanage +++ b/usr.sbin/httpd/src/support/dbmmanage 
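Review bot: Both new length checks in main compare with `>`, but the unchanged line that follows each, `tmp[l] = '\0';`, stores at index `l`, and as far as I know `ap_base64encode` returns the same count as `ap_base64encode_len`, i.e. the encoded characters plus the terminating NUL. When that count equals `sizeof(tmp)` the check passes and the store lands one byte past the end of `tmp`. Use `if (ap_base64encode_len(strlen(optarg)) >= sizeof(tmp)) {` in both the authentication and the proxy branch, or drop the redundant `tmp[l] = '\0';` since the encoder already terminates the string. main starts and ends outside these hunks, so the declaration of `tmp` is not visible here.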
@@ -211,7 +211,7 @@ sub genseed { srand (time ^ $$ or time ^ ($$ + ($$ << 15))); } else { - for (qw(-xlwwa -le)) { + for (qw(xlwwa -le)) { `ps $_ 2>/dev/null`; $psf = $_, last unless $?; } diff --git a/usr.sbin/httpd/src/support/suexec.c b/usr.sbin/httpd/src/support/suexec.c index dec01e434ed..04f6e494fbc 100644 --- a/usr.sbin/httpd/src/support/suexec.c +++ b/usr.sbin/httpd/src/support/suexec.c @@ -138,6 +138,7 @@ char *safe_env_lst[] = /* variable name starts with */ "HTTP_", #ifdef MOD_SSL + "HTTPS=", "HTTPS_", "SSL_", #endif |