path: root/usr.sbin/httpd
Age | Commit message | Author
2007-10-30 | Add two module configuration directories named modules and modules.sample | Robert Nagy
  and include *.conf files from the modules directory by default. The modules.sample directory will be used by some ports to place their configuration files. ok deraadt@, jsign@
2007-10-14 | 'expresion' -> 'expression'. Reported by Jung on tech@. | Kenneth R Westerback
2007-09-15 | [fF]uther -> [fF]urther in comments and man page. First one spotted on | Kenneth R Westerback
  tech@ by Jung.
2007-09-11 | use strcspn to properly overwrite '\n' in fgets returned buffer | Gilles Chehade
  ok pyr@, ray@, millert@, moritz@, chl@
2007-09-11 | add application/x-bittorrent | Henning Brauer
  From: Alex Holst <a@mongers.org>
2007-08-24 | Add a new configuration directive 'RLimitNOFILE' to set the number of | Marc Balmer
  open file descriptors (like RLimitNPROC for the number of processes). ok ckuethe, "no objection" henning
2007-08-09 | fix CVE-2007-3304 | Martynas Venckus
  The Apache HTTP server did not verify that a process was an Apache child process before sending it signals. A local attacker with the ability to run scripts on the HTTP server could manipulate the scoreboard and cause arbitrary processes to be terminated which could lead to a denial of service. ok miod@ (who also noticed to protect reclaim_child_processes); henning@; djm@
2007-08-08 | fix CVE-2006-5752 | Martynas Venckus
  A flaw was found in the mod_status module. On sites where the server-status page is publicly accessible and ExtendedStatus is enabled this could lead to a cross-site scripting attack. Note that the server-status page is not enabled by default and it is best practice to not make this publicly available. ok miod@, henning@
2007-07-23 | fix a variable shadowing problem | Henning Brauer
  PR5549, From: veins@evilkittens.org
2007-06-01 | paranoid snprintf length calculation to avoid a possible buffer | Peter Valchev
  overflow in SSL session id parsing (by reaching a negative size arg) ok henning
2007-05-31 | convert to new .Dd format; | Jason McIntyre
2007-05-25 | "interupt" -> "interrupt" in various comments. Mostly from Diego Casati. | Kenneth R Westerback
2007-04-05 | another extra test i missed before, from charles longeau | Ted Unangst
2007-03-30 | Restore full version reporting when using the -v and -V switch. | Pierre-Yves Ritschard
  This unbreaks some configuration scripts. ok henning@, xsa@, espie@
2007-03-26 | remove the unnecessary options descriptions from usage(); | Jason McIntyre
  noticed by Igor Sobrado ok henning
2007-03-26 | fix lines with too many args; from Igor Sobrado | Jason McIntyre
2007-03-22 | remove default output of version numbers to silence confused auditing | Pierre-Yves Ritschard
  programs. prompted by deraadt@ and cloder@, ok cloder@, henning@, xsa@
2007-03-20 | remove some bogus *p tests from charles longeau | Ted Unangst
  ok deraadt millert
2007-03-06 | - Pass full buffer to fgets(). | Ray Lai
  - Use sizeof(buf) instead of BUFSIZ.
  - Only overwrite '\n'.
  From Charles Longeau. OK millert@ and moritz@.
2007-03-01 | spell address correctly; ok jmc@ henning@ | David Krause
2007-02-20 | Change hard coded numbers to sizeof(buf). Also change some | Ray Lai
  sizeof(buf) - 1 to sizeof(buf), since fgets takes the whole buffer size. Based on diff from Charles Longeau <chl at tuxfamily dot org> long ago. OK millert@.
2007-02-19 | unbreak by allowing clean in !objdir case to fail (no Makefile there in that | Henning Brauer
  case), ok espie, also noticed by simon
2007-02-15 | regen, DEV_RANDOM is gone | Henning Brauer
2007-02-15 | get rid of the ConfigStart/End section used by the weird fragile apache | Henning Brauer
  configure system. the mod_auth_digest module has such a section, and there (via two other indirections, of course!) -DDEV_RANDOM=/dev/arandom is added to CFLAGS. via a few more bizarre indirections that ends up in ap_config_auto.h. Since ap_config_auto.h gets installed in /usr/lib/apache/include/ and thus might be used by 3rd party modules, we must be very careful with removing shitz there. But I kinda doubt anything relies on a define that is only there when a module marked as experimental is compiled in. since we long ago made mod_auth_digest use arc4random and do not use said DEV_RANDOM define at all any more, we don't need it ourselves. so nuke the mod_auth_digest ConfigStart/End section, which doesn't do anything else, altogether. Since mod_auth_digest is only compiled as DSO, the define was missing on static archs, therefore breaking the build on vax and friends since espie put the pregenerated ap_config_auto.h in. ok millert deraadt
2007-02-14 | g/c NO_DL_NEEDED, it is no longer used by os/unix/os.c | Todd C. Miller
2007-02-13 | unbreak compile on 64bit systems; no cookie for espie. ok millert | Henning Brauer
2007-02-13 | remove prereq, by using a pre-generated include file (this one should now | Marc Espie
  be MI since we removed stuff that was arch-dependent). The Configure script still rebuilds a copy of that file, and we check it for diffs. okay millert@
2007-02-03 | remove varying parts from generated configure info: | Marc Espie
  - ap_snprintf can grab needed types from stdint.h
  - expat-lite can grab byte-order from system includes.
  no breakage in modules in the ports tree. work by me and millert@, ok miod@.
2007-01-30 | apachectl picks up httpd_flags from rc.conf for some time now - and that | Henning Brauer
  is good! so let's do it in all cases... missed case: on restart and graceful, when apachectl figures out that no httpd is running, it tries to start one. found out the hard way by yours truly
2006-12-23 | Spelling. | Kenneth R Westerback
  'preceeding' -> 'preceding'
  'preceeds' -> 'precedes'
  'preceeded' -> 'preceded'
2006-11-06 | fix proxying on big-endian 64-bit machines, u_long is not the size of | Theo de Raadt
  an ip address, that's for sure; pr 5232 arjones@simultan.dyndns.org
2006-09-26 | escape error response to unsupported Expect: header, fixes | Damien Miller
  CVE-2006-3918; ok cloder@
2006-08-01 | add ProxyPreserveHost support to mod_proxy. it allows to pass the original | Federico G. Schwindt
  Host header to the backend. default off. henning@ ok.
2006-07-28 | avoid printing the server built date | Henning Brauer
2006-07-28 | avoid printing server built date, we set that to "unknown" anyway | Henning Brauer
  leave the function there of course, it's part of the API
2006-07-28 | A vulnerability has been reported in Apache HTTP Server, which potentially can | Henning Brauer
  be exploited by malicious people to compromise a vulnerable system. The vulnerability is caused by an off-by-one error in mod_rewrite and can be exploited to cause a one-byte buffer overflow. http://secunia.com/advisories/21197/ report "Alexey E. Suslikov" <cruel@texnika.com.ua>, the obvious fix mailed in by Stuart Henderson <stu@spacehopper.org>
2006-05-15 | set cur & max limits with MaxFOOPerChild instead of cur twice | Henning Brauer
  From: John Wong <johnw@wonghome.net>, ok ckuethe
2006-04-13 | Fix pr 5073, httpd/mod_ssl can leak file descriptors in the | Bob Beck
  case where an ssl connection is not found in the scache dbm Reported by, and fix suggested by Darrin Chandler <darrin@puffy.asicommunications.com> testing by me, ok henning@
2006-04-04 | dead code removal | Henning Brauer
2006-04-04 | nuke bundled regex lib, we have and always used the OpenBSD one of course | Henning Brauer
  From: Daniel Ouellet <daniel@presscom.net>
2006-04-04 | rip out bundled dbm, we've always used our dbm | Henning Brauer
  From: Daniel Ouellet <daniel@presscom.net>
2006-03-26 | add mime type for atom | Henning Brauer
  From: "Alex Holst" <a@mongers.org> "It's the brave new world of rss/atom feeds. It's what the kids want."
2006-03-22 | Remove four unused functions: ap_sync_scoreboard_image, reopen_scoreboard, | Ray Lai
  put_scoreboard_info, and update_scoreboard_global. From Daniel Ouellet, plus one line he missed. OK henning@ and otto@
2006-03-14 | fix sentence to make sense. | Bob Beck
  ok millert@ jmc@ ketennis@ and others from before 3.9 lock
2006-03-12 | more getopt() EOF crud; adobriyan@gmail | Theo de Raadt
2006-02-22 | allow resource limits for child processes to be set. | Henning Brauer
  from Chris Kuethe <chris.kuethe@gmail.com> running at UofA for months now, ok beck niallo, also tested mbalmer
2006-02-16 | add types for google earth shitz | Henning Brauer
  From: Alex Holst <a@mongers.org>
2006-02-13 | spelling in error message; ok otto@ | Kevin Steves
2006-02-11 | Fix a few "discards qualifier" warnings. From A. Farber in PR 5114. | Otto Moerbeek
  ok kettenis@
2006-01-20 | fix a cross-site scripting vulnerability in mod_imap; | Robert Nagy
  CVE-2005-3352 ok niallo@; henning@ no objections