util_script.c


After a long discussion in dev@ I reviewed my previous commit to only warn the admins about Last-Modified header violations rather than trying to interpret datestrings (like the ones not in GMT).

I also added explicit comments to summarize the current assumptions, so it will be easier for somebody in the future to modify the code.

The following use cases are covered:

1) (F)CGI backend sends a Last-Modified header not in GMT and considered in the future by httpd (like now() in the EU/Paris timezone)

2) (F)CGI backend sends a Last-Modified header not in GMT and not considered in the future by httpd (like now() + 2 hours in the PST timezone)

3) (F)CGI backend sends a Last-Modified header in GMT but with a datetime in the future

Suggestions and opinions are really welcome.

Optimization to httpoxy workaround, for 2.4.23+ only.

Submitted by: ylavic

httpoxy workarounds, first draft patch as published for all 2.2.x+ sources
  1. … 1 more file in changeset.
Improve the FCGI/CGI Last-Modified header value handling.

Patch from Yann after a discussion on the dev@ mailing list.

ap_scan_script_header_err_core_ex is now using apr_date_parse_rfc in order to recognize non-GMT datestr following RFC822/1123 and transforming them to GMT rather than replacing the value with GMT now (that could add httpd's processing time to the original value). Logging has also been improved from my initial solution.

Fixed typo in log message, wrong RFC mentioned.
Fix indentation and extra spaces of my previous commit, apologies.

Log CGI/FCGI Last-Modified header value changes.

The Last-Modified header coming from a backend FCGI/CGI script is inspected by util_script.c to enforce RFC2616 (https://tools.ietf.org/html/rfc2616#section-14.29). The Last-Modified header also needs to be compliant with RFC882/1123 as stated in https://tools.ietf.org/html/rfc2616#section-3.3.1, and one important assumption that httpd makes (correctly, as the RFC suggests) is to assume the GMT timezone. If the datestr returned by the FCGI/CGI script is set with a different timezone, then the value might be considered "in the future" and replaced with GMT now() as calculated by httpd. Adding a trace log might help sysadmins while debugging these kinds of issues. This is a follow up of r1748379.

Drop an invalid Last-Modified header value returned by a FCGI/CGI script instead of transforming it to Unix Epoch.

This bug was mentioned in the users@ mailing list and outlined in the following centos bug: https://bugs.centos.org/view.php?id=10940

To reproduce the issue it is sufficient to connect mod-fastcgi to a PHP script that returns a HTTP response with the header "Last-Modified: foo". The header will be modified by script_util.c to "Last-Modified: Thu, 01 Jan 1970 00:00:00 GMT".

Dropping an invalid header in this case seems to be the most consistent and correct option in my opinion, plus it shouldn't break existing configurations. Returning Unix Epoch might be dangerous and should be avoided, but please let me know your opinions.

Moreover this is my first commit outside the documentation court, I hope to have got the procedure right.

This fix has been tested also with the 2.4.x branch.

  1. … 1 more file in changeset.
Rename ap_casecmpstr[n]() to ap_cstr_casecmp[n](), update with APR doxygen
  1. … 49 more files in changeset.
Add CGIVar directive for configuring REQUEST_URI behavior

The goal is to use this one directive to handle any configurable CGI variable behavior; only one CGI variable is supported initially.

  1. … 4 more files in changeset.
hostname: Test and log useragent_host per-request across various modules, including the scoreboard, expression and rewrite engines, setenvif, authz_host, access_compat, custom logging, ssl and REMOTE_HOST variables.

PR55348 [William Rowe]

This is the complete change set which applies cleanly to 2.4.x as well, the server/scoreboard.c will follow, which does not apply due to drift.

  1. … 9 more files in changeset.
Added many log numbers to log statements that had none.

Those were not detected by the coccinelle script.

  1. … 34 more files in changeset.
Use new ap_casecmpstr[n]() functions where appropriate (not exhaustive).

  1. … 32 more files in changeset.
Revert r1715789: will re-commit without spurious functional changes.

  1. … 32 more files in changeset.
Use new ap_casecmpstr[n]() functions where appropriate (not exhaustive).

[Reverted by r1715869]

  1. … 32 more files in changeset.
followup to r1710380 -- refactored name and didn't have 'make depend'

Make the fix for fully qualifying REDIRECT_URL from PR#57785 opt-in.

  1. … 3 more files in changeset.
core/util_script: relax alphanumeric filter of environment variable names on Windows to allow '(' and ')' for passing PROGRAMFILES(X86) et al. unadulterated in 64 bit versions of Windows. PR 46751.

  1. … 1 more file in changeset.
Make REDIRECT_URL a complete URL (where set).

PR 57785

  1. … 1 more file in changeset.
core: Add CGIPassAuth directive to control whether HTTP authorization headers are passed to scripts as CGI variables.

PR: 56855

  1. … 5 more files in changeset.
Turn some APR_BUCKET_REMOVE(e)+apr_bucket_destroy(e) into the equivalent apr_bucket_delete(e) to reduce code verbosity

  1. … 4 more files in changeset.
Add missing APLOGNO.

Refactor some lines to keep APLOGNO on the same line as ap_log_error, when applicable.

Split lines longer than 80.

Improve alignment.

  1. … 14 more files in changeset.
Remove useless tests.

Turn

if (*x && apr_isspace(*x))

into

if (apr_isspace(*x))

  1. … 9 more files in changeset.
Avoid some memory allocation on error path in 'http2env' if TRACE1 logging is not activated.

Avoid a function call to 'apr_filepath_name_get' which ends up to a strrchr call, if TRACE1 logging is not activated.

remove an unnecessary check in a nested loop of ap_create_environment()

Apply the same length limit when logging Status header values as used when logging invalid header lines.

Application of a limit on logged header data suggested by Jeff Trawick.

Log the value of Status header lines in script responses rather than just the fixed header name of "Status".

  1. … 1 more file in changeset.
Fix error handling in ap_scan_script_header_err_brigade() if there is no EOS bucket in the brigade:

Also don't loop if there is a timeout when discarding the script output.

Thanks to Edgar Frank for the analysis.

PR: 48272 (partial fix)

  1. … 1 more file in changeset.
Make sure the getsfunc_*() functions used by ap_scan_script_header_err*() NUL-terminate the resulting string, even in case of an error. mod_cgi and mod_cgid try to log incomplete output from CGI scripts.

Handle cases, esp when using mod_proxy_fcgi, when we do not want SCRIPT_FILENAME to include the query string.

  1. … 4 more files in changeset.