When a script returns a no-body response code, pretend it was a HEAD
request so as to drop any body the script might erroneously generate.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@760167 13f79535-47bb-0310-9956-ffa450edef68
for our later call to ap_meets_conditions a few lines above. Having it put
in the merge table will fail as merge and r->err_headers_out get merged
AFTER our call to ap_meets_conditions. Besides of this having multiple
ETag headers (or a merged version of them) does not seem to make sense.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@541974 13f79535-47bb-0310-9956-ffa450edef68
ap_get_server_description().
High-level summary:
The full server version information is now included in the error log at
startup as well as server status reports, irrespective of the setting
of the ServerTokens directive.
Third-party modules must now use ap_get_server_banner() or
ap_get_server_description() in place of ap_get_server_version().
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@440337 13f79535-47bb-0310-9956-ffa450edef68
bottom (APR/system) up -- we can't give the client a 64bit API and
then cast it to 32bits internally without introducing security holes
on other platforms.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@105572 13f79535-47bb-0310-9956-ffa450edef68
Content-Range in r->headers_out, so that the byterange filter knows to
do nothing for a CGI script which produced a content-range.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@103971 13f79535-47bb-0310-9956-ffa450edef68
because of the changes to the argument lists of apr_mmap_dup and apr_socket_create,
2.1-dev won't build with apr and apr-util's 0.9 branch anymore
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@101154 13f79535-47bb-0310-9956-ffa450edef68
redirection target is not access protected and pass it
to scripts using the REDIRECT_REMOTE_USER environment variable.
PR: 10678, 11602.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@100604 13f79535-47bb-0310-9956-ffa450edef68
ap_server_signature() against this cross-site scripting
vulnerability exposed by the directive 'UseCanonicalName Off'.
Also HTML-escape the SERVER_NAME environment variable for CGI
and SSI requests. It's safe to escape as only the '<', '>',
and '&' characters are affected, which won't appear in a valid
hostname. Reported by Matthew Murphy <mattmurphy@kc.rr.com>.
[Brian Pane]
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@97064 13f79535-47bb-0310-9956-ffa450edef68
explicitly tell the server that warning messages should be sent
to the client in addition to being recorded in the error log.
Prior to this change, ap_log_rerror() always sent warning
messages to the client. In one case, a faulty CGI script caused
the server to send a warning message to the client that contained
the full path to the CGI script. This could be considered a
minor security exposure.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@94744 13f79535-47bb-0310-9956-ffa450edef68
reads in mod_cgi: eof wasn't treated as an error condition when
reading the script headers, so we were delivering a 200 when a
CGI script produced no output.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@94342 13f79535-47bb-0310-9956-ffa450edef68
