util_script.c

*) SECURITY: [CAN-2002-0840] HTML-escape the address produced by
ap_server_signature() against this cross-site scripting
vulnerability exposed by the directive 'UseCanonicalName Off'.
Also HTML-escape the SERVER_NAME environment variable for CGI
and SSI requests. It's safe to escape as only the '<', '>',
and '&' characters are affected, which won't appear in a valid
hostname. Reported by Matthew Murphy <mattmurphy@kc.rr.com>.
[Brian Pane]

  1. … 2 more files in changeset.
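
An added illustration of the escaping described in the CAN-2002-0840 entry above; it is not the httpd source or code from that changeset. The function names, the `<address>` markup and the sample names are constructed for the example, which shows that a valid hostname passes through unchanged while markup in a client-influenced name is neutralized.

```c
#include <stdio.h>
#include <string.h>

/* Escape only '<', '>' and '&', the three characters the entry names.
 * Returns the escaped length, or -1 if dst cannot hold the result. */
int html_escape(const char *src, char *dst, size_t dstlen)
{
    size_t o = 0;
    if (dstlen == 0) return -1;
    for (; *src; src++) {
        const char *rep = NULL;
        switch (*src) {
        case '<': rep = "&lt;";  break;
        case '>': rep = "&gt;";  break;
        case '&': rep = "&amp;"; break;
        }
        size_t n = rep ? strlen(rep) : 1;
        if (o + n >= dstlen)
            return -1;               /* never emit a truncated entity */
        memcpy(dst + o, rep ? rep : src, n);
        o += n;
    }
    dst[o] = '\0';
    return (int)o;
}

/* Build a signature line from a server name the client may influence.
 * The markup is a constructed stand-in, not httpd's exact output. */
int build_signature(const char *server_name, unsigned port, int escape,
                    char *out, size_t outlen)
{
    char host[256];
    if (escape ? html_escape(server_name, host, sizeof host) < 0
               : snprintf(host, sizeof host, "%s", server_name) >= (int)sizeof host)
        return -1;
    int n = snprintf(out, outlen, "<address>Server at %s Port %u</address>", host, port);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

int main(void)
{
    char out[512];
    /* Constructed inputs: a valid hostname and a name carrying markup. */
    const char *names[] = { "www.example.com", "<b>x</b>&y" };
    for (int i = 0; i < 2; i++)
        for (int esc = 0; esc <= 1; esc++)
            if (build_signature(names[i], 80, esc, out, sizeof out) >= 0)
                printf("%s %s\n", esc ? "escaped:  " : "unescaped:", out);
    return 0;
}
```
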

Use apr_ flavors of ischar()

stop using APLOG_NOERRNO in calls to ap_log_?error()

  1. … 24 more files in changeset.
Added the APLOG_TOCLIENT flag to ap_log_rerror() to
explicitly tell the server that warning messages should be sent
to the client in addition to being recorded in the error log.
Prior to this change, ap_log_rerror() always sent warning
messages to the client. In one case, a faulty CGI script caused
the server to send a warning message to the client that contained
the full path to the CGI script. This could be considered a
minor security exposure.

  1. … 3 more files in changeset.
Handle CR/LF terminated lines from CGI scripts.

Reviewed by: Brian Pane

Fix for a bug that I introduced when eliminating the single-byte
reads in mod_cgi: eof wasn't treated as an error condition when
reading the script headers, so we were delivering a 200 when a
CGI script produced no output.

Changed mod_cgi to not do single-byte reads to consume the
script headers

  1. … 4 more files in changeset.
Commit 2 of 2 to:
1. rename ap_rset_content_type to ap_set_content_type
2. reverse the arguments to align with ap_set_content_length

  1. … 2 more files in changeset.
Final commit to add ap_rset_content_type accessor. Add AddOutputFiltersbyType
filters during call to ap_rset_content_type()

  1. … 4 more files in changeset.
Update our copyright for this year.

  1. … 260 more files in changeset.
Optimization: changed some apr_pstrndup calls to apr_pstrmemdup

  1. … 1 more file in changeset.
optimize ap_add_common_vars() for the common case where r->subprocess_env is empty

minor performance fix for ap_add_common_vars(): replace printf with apr_itoa()

Begin to abstract out the underlying transport layer.
The first step is to remove the socket from the conn_rec,
the server now lives in a context that is passed to the
core's input and output filters. This forces us to be very
careful when adding calls that use the socket directly,
because the socket isn't available in most locations.

  1. … 18 more files in changeset.
This patch changes the apr_table_elts macro so that it provides
access to the internals of an apr_table_t via a const pointer
instead of the current non-const pointer.
Submitted by: Brian Pane <BPane@pacbell.net>
Reviewed by: Ian Holsman

  1. … 10 more files in changeset.
Improve http2env's performance by cutting the work it has to
do.
Submitted by: Brian Pane <bpane@pacbell.net>

  1. … 1 more file in changeset.

PATHEXT is a critical Win32 cmd.exe variable that declares _which_ extensions
are given command-name status (such as .exe;.bat;.com;.cmd etc.)
This patch is insufficient (highlights an existing problem) for OS2 and
Netware, especially, and any other platform with odd native requirements
for the PATH_TRANSLATED variable (where it should look like a filesystem
entity for non-unixish cgi's.)

Back out the 1.45 change to util_script.c. This change made
us set the environment variable REQUEST_URI to the redirected
URI, instead of the originally requested URI.
PR: 7580
Submitted by: Taketo Kabe <kabe@sra-tohoku.co.jp>

  1. … 1 more file in changeset.

Why two ifdef blocks? This is simpler to read

Change over to apr_strfsize() for apr_off_t file size formatting.

  1. … 4 more files in changeset.
Another of the long term issues cleared up. BeOS can now run
perl and other CGI's that rely on .so's for their operation.

use apr-util's apr_date_parse_http() instead of the to-be-removed
ap_parseHTTPdate()
(proxy needs to make similar changes)
build changes forthcoming...
Submitted by: Justin Erenkrantz

  1. … 2 more files in changeset.
surprised -Wall does not complain, but ap_scan_script_header_err_core() should explicitly return an int

tweak ap_get_remote_host() so that the caller can find out if she got
back an IP address
mod_access needed to know this, but the old code didn't handle IPv6

  1. … 8 more files in changeset.
Update copyright to 2001

  1. … 205 more files in changeset.
Clean up some of the includes:
- explicitly include apr_lib.h since ap_config.h doesn't
- use apr_want.h where possible
- use APR_HAVE_ where possible
- remove some unneeded includes

  1. … 26 more files in changeset.
renaming various functions for consistency sake
see: http://apr.apache.org/~dougm/apr_rename.pl
PR:
Obtained from:
Submitted by:
Reviewed by:

  1. … 94 more files in changeset.
Switch to the APR-provided APR_CHARSET_EBCDIC feature test macro.

  1. … 18 more files in changeset.
Force all Apache functions to be linked into the executable, whether they
are used or not. This uses the same mechanism that is used for APR
and APR-util. This may not be the correct solution, but it works, and that
is what I really care about. This also renames CHARSET_EBCDIC to
AP_CHARSET_EBCDIC. This is for namespace correctness, but it also makes
the exports script a bit easier.

  1. … 24 more files in changeset.