This is a first stab, the checks will likely have to be revised.
For now, we check
* if the request line contains control characters
* if the request uri has fragment or username/password
* that the request method is standard or registered with RegisterHttpMethod
* that the request protocol is of the form HTTP/[1-9]+.[0-9]+,
or missing for 0.9
* if there is garbage in the request line after the protocol
* if any request header contains control characters
* if any request header has an empty name
* for the host name in the URL or Host header:
- if an IPv4 dotted decimal address: Reject octal or hex values, require
exactly four parts
- if a DNS host name: Reject non-alphanumeric characters besides '.' and
'-'. As a side effect, this rejects multiple Host headers.
* if any response header contains control characters
* if any response header has an empty name
* that the Location response header (if present) has a valid scheme and is
absolute
If we have a host name both from the URL and the Host header, we replace the
Host header with the value from the URL to enforce RFC conformance.
There is a log-only mode, but the loglevels of the logged messages need some
thought/work. Currently, the checks for incoming data log for 'core' and the
checks for outgoing data log for 'http'. Maybe we need a way to configure the
loglevels separately from the core/http loglevels.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1426877 13f79535-47bb-0310-9956-ffa450edef68
This reverts r1407643, but changes the syntax of HttpProtocol to
min=0.9|1.0, which is less ambiguous than the previous +0.9|-0.9.
Allowing to configure an arbitrary version range was a bad idea,
because it only checked the version in the request line, without
affecting the semantics of the headers, etc.
A tighter restriction off the version in the request line is still
possible with <If "%{SERVER_PROTOCOL_NUM} ..."> .
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1425366 13f79535-47bb-0310-9956-ffa450edef68
core's translate-name to fail unsupported URIs.
Rewrite and proxy now decline what they don't support rather
than fail the request.
Suggested by: trawick
Implemented by: jorton
Tweaked by: wrowe
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1233604 13f79535-47bb-0310-9956-ffa450edef68
excluded from this cleanup as they must be signature identical to the
clib functions, and although the definition of size_t has been flakey,
the definition of those functions appears to be generally clean since
ANSI C.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1228323 13f79535-47bb-0310-9956-ffa450edef68
optionally modified by a module when the effective IP of the client
is not the same as the real IP of the client (such as a load balancer).
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1204968 13f79535-47bb-0310-9956-ffa450edef68
reverse proxy configurations by strictly validating the request-URI:
* server/protocol.c (read_request_line): Send a 400 response if the
request-URI does not match the grammar from RFC 2616. This ensures
the input string for RewriteRule et al really is an absolute path.
Reviewed by: rpluem, wrowe, covener, fielding
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1179239 13f79535-47bb-0310-9956-ffa450edef68
everywhere.
We know that the core module has module_index 0. Therefore we can save
some pointer operations in ap_get_module_config(cv, &core_module) and
ap_set_module_config(cv, &core_module, val). As these are called rather often,
this may actually have some (small) measurable effect.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1132781 13f79535-47bb-0310-9956-ffa450edef68
and this allows the compiler to optimize the strlen() call away.
Submitted by: Christophe Jaillet <christophe jaillet wanadoo fr>
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1131465 13f79535-47bb-0310-9956-ffa450edef68
treatment of headers_out, resolving PR 48359 by keeping subrequest
scope changes out of the main request headers. This ensures that all
requests-without-bodies behave as the requests-with-bodies code has.
Mitre: CVE-2010-0434
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@901578 13f79535-47bb-0310-9956-ffa450edef68
Log 408 errors in access log as was done in Apache 1.3.x.
PR: 39785
Submitted by: Nobutaka Mantani, Stefan Fritsch
Reviewed and added to by: Dan Poirier
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@820760 13f79535-47bb-0310-9956-ffa450edef68
