core,modules: provide/use ap_parse_strict_length() helper.

It helps simplify a lot of duplicated code based on apr_strtoff(), while

also rejecting leading plus/minus signs which are disallowed in Content-Length

and (Content-)Range headers.

  1. … 18 more files in changeset.
Fix spelling errors found by codespell. [skip ci]

  1. … 100 more files in changeset.
* Replace apr_psprintf with apr_pstrcat where the format strings only

contain %s to improve efficiency. Leave out error messages as they

are not on a critical code path and error messages become less readable

when taking out the format specifiers.

  1. … 5 more files in changeset.
* modules/dav/main/mod_dav.c (dav_send_multistatus): Tag the pool.

Simplify handling of short-lived pool for dav_propdb in mod_dav. No

functional change.

* modules/dav/main/props.c (dav_popen_propdb): Rename from

dav_open_propdb, take a pool argument.

(dav_open_propdb): Reimplement in terms of above, using

r->pool.

(dav_propfind_walker): Switch to using dav_open_propdb

with scratchpool.

  1. … 2 more files in changeset.
* modules/dav/main/mod_dav.c (dav_method_propfind): Tag the scratchpool.

* dav_stream_response processes data that has been allocated from the propdb

pool. Hence close the propdb *after* dav_stream_response which clears the

propdb pool.

Save a few cycles.

There is no need to check the first bytes, they are known to be "bytes ".

Wire through the log message number.

  1. … 1 more file in changeset.
Make sure ACL API support in mod_dav is not dependent on the presence

or absence of apr-util v1.6. Log a message to note that ACL support

is disabled with apr-util <= 1.5.

  1. … 2 more files in changeset.
Follow up to r1739201.

These APR_TIMEUP special cases are now handled by ap_map_http_request_error().

  1. … 2 more files in changeset.
mod_dav: Fix a potential cause of unbounded memory usage or incorrect

behavior in a routine that sends <DAV:response>'s to the output filters.

The dav_send_one_response() function accepts the current head of the output

filter list as an argument, but the actual head can change between calls to

ap_pass_brigade(). This can happen with self-removing filters, e.g., with

the filter from mod_headers or mod_deflate. Consequently, executing an

already removed filter can either cause unwanted memory usage or incorrect

behavior.

This patch changes the signature of the existing mod_dav's public API,

dav_send_one_response(), because this API is not yet a part of any 2.4.x

release.

* modules/dav/main/mod_dav.c

(dav_send_one_response): Accept a request_rec instead of an ap_filter_t.

Write the response to r->output_filters.

(dav_send_multistatus, dav_stream_response): Update these calling sites

of dav_send_one_response().

* modules/dav/main/mod_dav.h

(dav_send_one_response): Adjust definition.

  1. … 1 more file in changeset.
mod_dav: follow up to r1746207: fix typo (missing '/') for closing tag.

Allow other modules to become providers and add ACLs

to the DAV response. Requires apr-util v1.6+.

  1. … 5 more files in changeset.
mod_dav: Add dav_begin_multistatus, dav_send_one_response,

dav_finish_multistatus, dav_send_multistatus, dav_handle_err,

dav_failed_proppatch, dav_success_proppatch to mod_dav.h.

  1. … 3 more files in changeset.
mod_dav: Add dav_get_provider_name() function to obtain the name

of the provider from mod_dav.

  1. … 3 more files in changeset.
Rename ap_casecmpstr[n]() to ap_cstr_casecmp[n](), update with APR doxygen
  1. … 49 more files in changeset.
mod_dav: Add support for childtags to dav_error.

  1. … 3 more files in changeset.
Added many log numbers to log statements that

had none.

Those were not detected by the coccinelle script.

  1. … 34 more files in changeset.
More ap_casecmpstr[n]() usages (follow up to r1715876).

  1. … 26 more files in changeset.
Save a few bytes in conf pool
core, modules: like r1657897 but for core and other modules than mod_proxy.

More uses of ap_map_http_request_error() and AP_FILTER_ERROR so that we never

return an HTTP error status from a handler if some filter generated a response

already.

That is, from a handler, either ap_get_brigade() (an input filter) returned

AP_FILTER_ERROR and we must forward it to ap_die(), or ap_pass_brigade() (an

output filter) failed with any status and we must return AP_FILTER_ERROR in

any case for ap_die() to determine whether a response is needed or not.

  1. … 15 more files in changeset.
tab vs space
Fix PR 56480: PROPFIND walker doesn't encode hrefs properly

Reverts r1529559 partially (specifically the dav_xml_escape_uri) bit.

Reverts r1531505 entirely.

* modules/dav/main/mod_dav.c

(dav_xml_escape_uri): Revert the piece of r1529559 that removes the URI

escaping from this function.

* modules/dav/main/props.c

(dav_do_prop_subreq): Escape the URI before doing a sub request with it.

This resolves some properties like getcontenttype from failing to be

returned for files that contain characters that require encoding in their

path.

* modules/dav/main/mod_dav.h

(dav_resource): Note the inconsistency in the documentation.

* modules/dav/fs/repos.c

(dav_fs_get_resource): Don't use the unparsed_uri to set the uri field of

the resource. This is the correct fix for the double encoding in mod_dav_fs

that led to the dav_xml_escape_uri() change and r1531505.

(dav_fs_walker, dav_fs_append_uri): Revert r1531505 changes.

  1. … 3 more files in changeset.
mod_dav: Fix invalid Location header when a resource is created by passing an

absolute URI on the request line.

Using r->unparsed_uri is wrong since it might contain a scheme, hostname and

port. See section 5.1.2 of RFC 2616, an absolute URI is allowed. The

unparsed_uri field is absolutely unparsed. The current code causes the

Location header to end up having the scheme, host and port included twice.

* modules/dav/main/mod_dav.c

(dav_created): Call ap_escape_uri() on r->uri when caller doesn't provide a

location.

Fix PR 55397: dav_resource->uri treated as an unparsed uri.

The change made for PR 54611 caused this field to be treated as

unescaped. mod_dav_svn however, provided escaped URIs. Essentially

breaking support for paths with non-URI safe characters in SVN.

Adjust the code so that dav_resource->uri is assumed to be escaped and

adjust mod_dav_fs so that it uses escaped URIs in this field.

* modules/dav/fs/repos.c

(dav_fs_get_resource): Use the unparsed_uri to construct the resource uri.

* modules/dav/main/mod_dav.c

(dav_xml_escape_uri): Do not uri escape, just handle xml escaping.

(dav_created): Assume that locn if provided is escaped.

(dav_method_copymove, dav_method_bind): Use the unparsed_uri on the request

when calling dav_created() to adjust to locn assuming it is escaped.

* modules/dav/main/mod_dav.h

(dav_resource): Document that uri is escaped.

  1. … 2 more files in changeset.
mod_dav: Fix PR 55306.

Makes mod_dav no longer require that the lock token be provided when the

source of a COPY is locked. The prior behavior was in violation of

RFC 4918 which says that the lock token is only required on resources

that may be modified by the method.

* modules/dav/main/mod_dav.h

(DAV_VALIDATE_NO_MODIFY): New flag to be passed to dav_validate_* functions.

* modules/dav/main/mod_dav.c

(dav_method_copymove): Use the new flag when calling dav_validate_request()

on the COPY source.

* modules/dav/main/util.c

(dav_validate_resource_state): Use the flag to decide to ignore if the lock

token is not provided.

  1. … 2 more files in changeset.
mod_dav: set r->status_line in dav_error_response.

It's used as argument in next ap_rvputs call. PR 55426.

Fix bug #55304 with the provided patch, slightly reformatted.

In short: do not validate conditions of a COPY source's parent since

it is not modified during the operation.

* modules/dav/main/mod_dav.c:

(dav_method_copymove): adjust params to dav_validate_request()

CVE-2013-1896

mod_dav: Sending a MERGE request against a URI handled by mod_dav_svn with

the source href (sent as part of the request body as XML) pointing to a

URI that is not configured for DAV will trigger a segfault.

Submitted by: Ben Reser <ben reser.org>

  1. … 1 more file in changeset.