bottom (APR/system) up -- we can't give the client a 64bit API and
then cast it to 32bits internally without introducing security holes
on other platforms.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@105572 13f79535-47bb-0310-9956-ffa450edef68
Content-Range in r->headers_out, so that the byterange filter knows to
do nothing for a CGI script which produced a content-range.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@103971 13f79535-47bb-0310-9956-ffa450edef68
because of the changes to the argument lists of apr_mmap_dup and apr_socket_create,
2.1-dev won't build with apr and apr-util's 0.9 branch anymore
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@101154 13f79535-47bb-0310-9956-ffa450edef68
redirection target is not access protected and pass it
to scripts using the REDIRECT_REMOTE_USER environment variable.
PR: 10678, 11602.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@100604 13f79535-47bb-0310-9956-ffa450edef68
ap_server_signature() against this cross-site scripting
vulnerability exposed by the directive 'UseCanonicalName Off'.
Also HTML-escape the SERVER_NAME environment variable for CGI
and SSI requests. It's safe to escape as only the '<', '>',
and '&' characters are affected, which won't appear in a valid
hostname. Reported by Matthew Murphy <mattmurphy@kc.rr.com>.
[Brian Pane]
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@97064 13f79535-47bb-0310-9956-ffa450edef68
explicitly tell the server that warning messages should be sent
to the client in addition to being recorded in the error log.
Prior to this change, ap_log_rerror() always sent warning
messages to the client. In one case, a faulty CGI script caused
the server to send a warning message to the client that contained
the full path to the CGI script. This could be considered a
minor security exposure.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@94744 13f79535-47bb-0310-9956-ffa450edef68
reads in mod_cgi: eof wasn't treated as an error condition when
reading the script headers, so we were delivering a 200 when a
CGI script produced no output.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@94342 13f79535-47bb-0310-9956-ffa450edef68
The first step is to remove the socket from the conn_rec,
the server now lives in a context that is passed to the
core's input and output filters. This forces us to be very
careful when adding calls that use the socket directly,
because the socket isn't available in most locations.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@91887 13f79535-47bb-0310-9956-ffa450edef68
Netware, especially, and any other platform with odd native requirements
for the PATH_TRANSLATED variable (where it should look like a filesystem
entity for non-unixish cgi's.)
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@90976 13f79535-47bb-0310-9956-ffa450edef68
- explicitly include apr_lib.h since ap_config.h doesn't
- use apr_want.h where possible
- use APR_HAVE_ where possible
- remove some unneeded includes
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@88060 13f79535-47bb-0310-9956-ffa450edef68
are used or not. This uses the same mechanism that is used for APR
and APR-util. This may not be the correct solution, but it works, and that
is what I really care about. This also renames CHARSET_EBCDIC to
AP_CHARSET_EBCDIC. This is for namespace correctness, but it also makes
the exports script a bit easier.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@87424 13f79535-47bb-0310-9956-ffa450edef68
modules to not have to muck with the output_filter after it creates the
sub-request. Without this change, modules that create a sub-request have
to manually edit the output_filters, and therefore skip the sub-request
output_filter. If they skip the sub-request output_filter, then we end
up sending multiple EOS buckets to the core_output_filter.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@87065 13f79535-47bb-0310-9956-ffa450edef68
functions to use it. This is only the start and I'll pause a while before
I continue in case people really hate this. The patch can be backed out and
all evidence will be removed, but I think this makes maintaining/developing
the code easier in the long term.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@86870 13f79535-47bb-0310-9956-ffa450edef68