Checkout Tools
  • last updated 5 hours ago
Constraints: committers
Constraints: files
Constraints: dates

Backport AllowAnyURI related revisions from 2.2.x to pave the way for CVE-2011-4317

Reviewed by:rjung, wrowe, covener

  1. … 7 more files in changeset.
*) SECURITY: CVE-2012-0053 (

Fix an issue in error responses that could expose "httpOnly" cookies

when no custom ErrorDocument is specified for status code 400.

[Eric Covener]

r1234837 on 2.0.x:

+1: trawick, rjung, jim

  1. … 2 more files in changeset.
Merge r1179239 from trunk:

SECURITY (CVE-2011-3368): Prevent unintended pattern expansion in some

reverse proxy configurations by strictly validating the request-URI:

* server/protocol.c (read_request_line): Send a 400 response if the

request-URI does not match the grammar from RFC 2616. This ensures

the input string for RewriteRule et al really is an absolute path.

Reviewed by: jim, rjung, jorton

  1. … 1 more file in changeset.
merge from trunk and 2.2.x:

SECURITY: CVE-2010-0434 (

Ensure each subrequest has a shallow copy of headers_in so that the

parent request headers are not corrupted. Elimiates a problematic

optimization in the case of no request body.

PR: 48359

Submitted by: Jake Scott, William Rowe, Ruediger Pluem

Reviewed by: wrowe, trawick, rpluem

  1. … 2 more files in changeset.
Yes, reverting prematurely applied backport
Add CVE-2010-0434 fix for consideration
  1. … 1 more file in changeset.
update license header text
  1. … 314 more files in changeset.
Revert 395235, the major copyright fubar by me.

  1. … 697 more files in changeset.
Update the last year of Copyright for the 2.0.x branch.

  1. … 696 more files in changeset.
Merge 394070 from trunk;

* Initialize last_char as otherwise a random value will be compared

against APR_ASCII_LF at the end of the loop if bb only contains an

EOS bucket.

PR: 39282

Submitted by: Davi Arnaut <davi>

Reviewed by: rpluem

  1. … 2 more files in changeset.
backport 327008 PR 18757. keep the C-L header for a HEAD with no

response body.

  1. … 2 more files in changeset.
Backport from trunk:

*) Support the suppress-error-charset setting, as with Apache 1.3.x.

PR 31274.

Reviewed by: jorton, nd

  1. … 5 more files in changeset.

core: strip C-L from any request with a T-E header

resolves external origin CAN-2005-2088 issues, does not

address internal origin C-L/T-E discrepancies within proxy_http

Security: CVE CAN-2005-2088

Submitted by: Joe Orton

Reviewed by: Jeff Trawick, Will Rowe

  1. … 2 more files in changeset.
Update copyright year to 2005 and standardize on current copyright owner line.

  1. … 483 more files in changeset.
general property cleanup

  1. … 720 more files in changeset.