path: root/usr.sbin/httpd
Age | Commit message | Author
2003-05-17 | sync to reduce diffs | Henning Brauer
2003-05-17 | bye bye | Henning Brauer
2003-05-12 | cut crap, use strdup instead of malloc + strlcpy, use err() | Henning Brauer
2003-05-12 | extend copyright to 2003 | Henning Brauer
2003-05-12 | no point in strncmp here; seen after question from Pedro Bastos <pbastos@rdc.puc-rio.br> | Henning Brauer
2003-05-12 | explicit != NULL for pointer | Henning Brauer
2003-04-30 | add an ap_server_strip_chroot for LoadModule tags. this partially unbreaks apachectl restarts (it still dies when it hits dlopen later on) henning@ ok | Anil Madhavapeddy
2003-04-20 | oh, the cgi-man thing... duh | Theo de Raadt
2003-04-16 | honour httpd_flags from rc.conf | Henning Brauer
    ok hin@ jakob@ ho@ markus@ lebel@ avsm@ todd@
2003-04-15 | fix an oups | Henning Brauer
2003-04-15 | close to "official" ap_config.h so future merges are easier. NOOP, just style | Henning Brauer
2003-04-14 | standalone/stand alone -> stand-alone; | Jason McIntyre
    from NetBSD (Igor Sobrado); httpd stuff passed to apache people; ok millert@
2003-04-09 | string shit; ok dhartmei@ | Henning Brauer
2003-04-09 | more string shit, ok bob and vincent | Henning Brauer
2003-04-08 | missing free(pagname); noticed by vincent | Henning Brauer
2003-04-08 | 2x trivial strcpy | Henning Brauer
2003-04-08 | very easy strcpy | Henning Brauer
2003-04-08 | kill one more strcpy; easy one | Henning Brauer
2003-04-08 | easy sprintf in code we don't use | Henning Brauer
2003-04-08 | string fixes in code we don't compile by default; tedu help & ok | Henning Brauer
2003-04-08 | use asprintf; ok henning | Theo de Raadt
2003-04-08 | yes I am a dork | Henning Brauer
2003-04-08 | string fixes; pval agrees | Henning Brauer
2003-04-08 | trivial strcpy in code we don't even compile | Henning Brauer
2003-04-08 | string stuff, ok pval | Henning Brauer
2003-04-08 | bye-bye sprintf, ok pval@ | Henning Brauer
2003-04-08 | string stuff; ok pval@ | Henning Brauer
2003-04-08 | more strcpy & friends bye-bye; ok pval | Henning Brauer
2003-04-08 | string shit; ok pval | Henning Brauer
2003-04-08 | string shit, ok pval@ | Henning Brauer
2003-04-08 | more string shitz | Henning Brauer
2003-04-08 | easy strcpy elimination | Henning Brauer
2003-04-05 | trivial sprintf | Henning Brauer
2003-03-23 | sync FILES section with reality | Henning Brauer
2003-03-23 | correct URL to apache online docs | Henning Brauer
2003-03-19 | use RSA key blinding code from mod_ssl 2.8.13. differences to our own fix that was already in are purely cosmetical, but this will make the future merge of mod_ssl 2.8.13 easier. | Henning Brauer
2003-03-15 | missing ap_server_strip_chroot() | Henning Brauer
2003-03-14 | RSA blinding for private keys here too. | Hakan Olsson
2003-03-14 | Add RSA blinding for private keys. markus@ ok. | Hakan Olsson
2003-03-06 | date should be written formally: .Dd Month day, year | David Krause
    ok henning@ jmc@
2003-02-21 | open the etag-state file writeonly. open it O_TRUNC in case it was too big. | Henning Brauer
    chmod/chown to root.www 0640, just in case a etag file from the initial version is around. ok cloder theo
2003-02-21 | $OpenBSD$ | Henning Brauer
2003-02-21 | fix restarts. | Henning Brauer
    the etag-state file wasn't readable after chroot and privilege drop. therefore, make it root.www 640. split the read and write portions to their own functions, and in init_etag, try to write the etag-state; in case of any problem with that, create a new one and read that.
2003-02-18 | intial -> initial; | Jason McIntyre
    the great intial witch hunt, as prompted by tdeval@
    os-aix-dso.c: ok henning@
    ab.C: ok drahn@
2003-02-17 | Add hyphens to boundary ID to make it not pure base64. This means that the boundary could never ever be accidentally matched inside base64 data. Based on conversation with markus@, deraadt@, henning@. OK deraadt@, henning@ | Chad Loder
2003-02-16 | Don't leak the inode numbers of served files via the ETag (entity tag) header value. | Chad Loder
    Instead of including the file modification date, inode, file size, etc. directly in the ETag header, return a SHA1 hash of these values instead. This SHA1 hash is initialized with a pseudorandom secret, so that it's harder to brute force inode numbers. This initialization secret is saved in a file called "etag-state" in the httpd chroot logs/ directory, so that the ETag header values are consistent across httpd restarts (if the secret were different each time httpd started, ETags would change unnecessarily and thereby cause caches to refresh unnecessarily).

    An additional change is introduced: we add the dev number to the hash when (and only when) we add the inode number to the hash.

    Before:

        HTTP/1.1 200 OK
        Server: Apache/1.3.27 (Unix) mod_ssl/2.8.12 OpenSSL/0.9.7-beta3
        ETag: "b10d3-1e59-3e49cbe4"

    In this case, we can tell the inode number of index.html is b10d3 hex.

    After:

        HTTP/1.1 200 OK
        Server: Apache/1.3.27 (Unix) mod_ssl/2.8.12 OpenSSL/0.9.7-beta3
        ETag: "3f3b3cb2ce2e278087960b3be6a6e9844166e371"

    Idea and solution by deraadt@. OK deraadt@, henning@. Any bugs are my fault :)
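The following sketch is an added illustration of the scheme the commit message above describes; it is not code from the commit or from OpenBSD. It decodes the old-style ETag quoted in the message, then derives a secret-seeded SHA1 ETag from a persisted state file. The function names, the 32-byte secret length, the fixed-width field packing and the example file name are assumptions of this example.

```python
import hashlib
import os
import struct

SECRET_LEN = 32  # assumed size; the commit message does not state one


def parse_legacy_etag(etag):
    """Decode an old-style "inode-size-mtime" ETag (three hex fields)."""
    inode, size, mtime = (int(f, 16) for f in etag.strip('"').split("-"))
    return {"inode": inode, "size": size, "mtime": mtime}


def load_or_create_secret(path):
    """Return the persisted secret, creating the state file (0640) if needed."""
    try:
        with open(path, "rb") as fh:
            secret = fh.read()
        if len(secret) == SECRET_LEN:
            return secret
    except FileNotFoundError:
        pass
    secret = os.urandom(SECRET_LEN)
    # O_TRUNC replaces a wrong-sized file; the mode only applies on creation.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o640)
    with os.fdopen(fd, "wb") as fh:
        fh.write(secret)
    return secret


def hashed_etag(secret, dev, inode, size, mtime):
    """SHA1 seeded with the secret, then fed the stat fields."""
    h = hashlib.sha1(secret)
    # Fixed-width packing is this example's choice, not the commit's layout.
    h.update(struct.pack("!QQQQ", dev, inode, size, mtime))
    return '"%s"' % h.hexdigest()


if __name__ == "__main__":
    old = parse_legacy_etag('"b10d3-1e59-3e49cbe4"')  # value from the commit
    print("legacy ETag exposes inode:", hex(old["inode"]))
    secret = load_or_create_secret("etag-state.example")  # hypothetical path
    print("hashed ETag:", hashed_etag(secret, dev=0, **old))  # dev=0 is constructed
```

Because the secret is read back from the state file, the same file metadata yields the same ETag after a restart, while a client without the secret cannot recover the inode by hashing candidate values.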
2003-02-16 | My last commit uses base64 for the multipart MIME boundary id. | Chad Loder
    Since the base64 alphabet includes the characters '/', '+', and '=', it may violate section 4 of RFC 1341, which says that these kinds of characters must be quoted in order to be used as a header parameter. Pointed out by Wouter Clarie (rimshot AT pandora DOT be).

    My solution is not to quote the parameter (I'm afraid that will break simple browsers) but to replace special characters with alphabetic characters so that the resulting string is entirely alphanumeric. We don't want to use hex here, the alphabet is too small.

    "not too ugly for me" deraadt@, "a bit ugly but good enough" henning@, "that might be better than quoting" wouter
2003-02-15 | Don't leak httpd child PIDs via multipart MIME boundary separators. | Chad Loder
    Instead, generate a random MIME boundary separator that is also much longer, which makes it less likely to occur in the data.

    Before:

        HTTP/1.1 206 Partial Content
        Server: Apache/1.3.27 (Unix) mod_ssl/2.8.12 OpenSSL/0.9.7-beta3
        Content-Type: multipart/byteranges; boundary=3e4e7d648e6

    where the first 6 hex digits of the boundary is the request time and the last 4 hex digits of the boundary (48e6) is the PID of the httpd process that served the request.

    After:

        HTTP/1.1 206 Partial Content
        Server: Apache/1.3.27 (Unix) mod_ssl/2.8.12 OpenSSL/0.9.7-beta3
        Content-Type: multipart/byteranges; boundary=lqmQDSxeaFSosnx+R46M94slY7G5BKGVPIhCc4ffoW852Vz0RbOaLJfMCAHHTfvR

    The boundary now consists of 48 pseudorandom bytes encoded into 64 base64 characters. This is in accordance with RFC 1341 section 7.2.1.

    Based on conversations with deraadt@. OK deraadt@
2003-02-10 | indent | Theo de Raadt
2003-02-08 | typo; krause | Henning Brauer