Checkout Tools
  • last updated 4 hours ago
Constraints: committers
Constraints: files
Constraints: dates
Commit fix for CVE-2010-0010, an integer overflow on platforms where

sizeof(int) < sizeof(long) due to inappapriate casting;

* Change "MIN( (int) a, (int) b)" to "(int) MIN(a, b)". As 'a' is the buffer

size, it will be smaller than any long which overflows an int.

* More generally - change ap_bread and ap_bwrite to defend against a negative

length argument in general. Return -1 if one is passed.

  1. … 2 more files in changeset.
Backport mod_status refresh parameter saniziting patch.

  1. … 2 more files in changeset.
Fix CVE-2007-5000:

* src/modules/standard/mod_imap.c (menu_header): Fix cross-site

scripting issue by escaping the URI, and ensure that a charset

parameter is sent in the content-type to prevent autodetection by

broken browsers.

Reported by: JPCERT

  1. … 1 more file in changeset.
SECURITY: CVE-2007-3847 (

mod_proxy: Prevent reading past the end of a buffer when parsing

date-related headers. PR 41144.

Reviewed by: Eric, JimJag

  1. … 1 more file in changeset.
SECURITY: CVE-2006-5752 (

mod_status: Fix a possible XSS attack against a site with a public

server-status page and ExtendedStatus enabled, for browsers which

perform charset "detection". Reported by Stefan Esser. [Joe Orton]

Joe's patch was tweaked ever so slightly by me, then reviewed

by Joe and Sander T.

  1. … 1 more file in changeset.
Add '*.a' to svn:ignore to ignore library archives.

  1. … 4 more files in changeset.
SECURITY: CVE-2006-3747 (

mod_rewrite: Fix an off-by-one security problem in the ldap scheme

handling. For some RewriteRules this could lead to a pointer being

written out of bounds. Reported by Mark Dowd of McAfee.

Reviewed by: trawick, lars, jorton, wrowe, benl

  1. … 1 more file in changeset.
update license header text
  1. … 221 more files in changeset.
Revert copyright date change patch. Wait until we have

a universal policy and procedure... we cannot willy

nilly change the dates unless significant or

material changes are made.

  1. … 193 more files in changeset.
Update to 2006

  1. … 193 more files in changeset.
Use ap_assert instead of assert in mod_log_forensic.

This fixes issue #38177.

* src/modules/standard/mod_log_forensic.c

(log_escape, log_before): s/assert/ap_assert/

Noticed by: Wilson Cheung <wcheung>

Patch by: Jim Jagielski

Approved by: Jeff Trawick, André Malo

Fix moderate security issue CVE-2005-3352 mod_imap cross-site scripting flaw

Submitted by: Mark Cox <mjc>

Reviewed by: jorton, mjc, fielding

PR: 37874

  1. … 2 more files in changeset.
Minor make file changes to allow the clib prelude to be replaced

Submitted by: Guenter Knauf

  1. … 5 more files in changeset.
Remove CGI block on OPTIONS method so that scripts can

respond to OPTIONS directly rather than via server default.

PR: 15242

Reviewed-by: Paul Querna, Andre Malo, William A. Rowe, Jr.

  1. … 1 more file in changeset.

Close HTTP response splitting issues in Apache 1.3 - much simpler

than the fix for httpd-2.x as we don't support chunked request


Reviewed by: JimJag

Minor cleanup - use NOERRNO logging, more proper body test and

log origin server TRACE denied.

  1. … 1 more file in changeset.

The TRACE method control belonged in mod_proxy, it shouldn't

have been hiding in the http-only proxy provider.

Introduce TraceEnable [on|off|extended], fixes non-compliance

in mod_proxy which accepted request bodies with TRACE requests.

  1. … 7 more files in changeset.

Correct transposed :tid: case, needs to be in the #ifdef MULTITHREAD

scenario, not visa versa.

Submitted by: Brian Havard

Win32-enable, unix threaded-enable the mod_log_forensic module.

* adds a get_forensic_id() function, differing between win32,

threaded, and non-threaded platforms (threaded and win32

platforms get instead an pid:tid:time:seq identifier.)

* stop the module config abuse, and simply use r->notes (this

requires the 169534 svn patch already applied.)

Fix an irritating bug. The forensic-id is captured in two places, as

an r->notes entry, and in the (supposedly constant) server config(!)

This patch retrieves the r->notes copy instead at final logging phase.

fix warning on systems where pid_t is long

reviewed by: nd, jim

drop .cvsignore files

  1. … 19 more files in changeset.
general property cleanup

  1. … 833 more files in changeset.
Remove Showstopper. Now waiting a few hours before tag and roll...


Obtained from:

Submitted by:

Reviewed by:

  1. … 1 more file in changeset.
len is size_t so adjust as safe


Obtained from:

Submitted by: Joe O.

Reviewed by:

Apply the CAN-2004-0940 patch.


Obtained from:

Submitted by:

Reviewed by:

  1. … 2 more files in changeset.
mod_rewrite:Fix query string handling for proxied URLs.

PR: 14518

Obtained from:

Submitted by:

Reviewed by: nd, minfrin, jim

  1. … 2 more files in changeset.
Add in most-likely last patch before 1.3.32

  1. … 2 more files in changeset.
TPF-specific changes to two sample files and mod_proxy.h.

  1. … 2 more files in changeset.