Age | Commit message (Collapse) | Author |
|
|
|
|
|
that was already in are purely cosmetical, but this will make the future
merge of mod_ssl 2.8.13 easier.
|
|
|
|
|
|
|
|
ok henning@ jmc@
|
|
chmod/chown to root.www 0640, just in case a etag file from the initial
version is around.
ok cloder theo
|
|
|
|
the etag-state file wasn't readable after chroot and privilege drop.
therefore, make it root.www 640.
split the read and write portions to their own functions, and in init_etag,
try to write the etag-state; in case of any problem with that, create a new
one and read that.
|
|
the great intial witch hunt, as prompted by tdeval@
os-aix-dso.c: ok henning@
ab.C: ok drahn@
|
|
the boundary could never ever be accidentally matched inside base64
data. Based on conversation with markus@, deraadt@, henning@. OK
deraadt@, henning@
|
|
ETag (entity tag) header value. Instead of including
the file modification date, inode, file size, etc.
directly in the ETag header, return a SHA1 hash of
these values instead.
This SHA1 hash is initialized with a pseudorandom
secret, so that it's harder to brute force inode
numbers. This initialization secret is saved in a
file called "etag-state" in the httpd chroot logs/
directory, so that the ETag header values are consistent
across httpd restarts (if the secret were different
each time httpd started, ETags would change unnecessarily
and thereby cause caches to refresh unnecessarily).
An additional change is introduced: we add the dev
number to the hash when (and only when) we add the
inode number to the hash.
Before:
HTTP/1.1 200 OK
Server: Apache/1.3.27 (Unix) mod_ssl/2.8.12 OpenSSL/0.9.7-beta3
ETag: "b10d3-1e59-3e49cbe4"
In this case, we can tell the inode number of index.html
is is b10d3 hex.
After:
HTTP/1.1 200 OK
Server: Apache/1.3.27 (Unix) mod_ssl/2.8.12 OpenSSL/0.9.7-beta3
ETag: "3f3b3cb2ce2e278087960b3be6a6e9844166e371"
Idea and solution by deraadt@. OK deraadt@, henning@. Any
bugs are my fault :)
|
|
the base64 alphabet includes the characters '/', '+', and '=', it may
violate section 4 of RFC 1341, which says that these kinds of characters
must be quoted in order to be used as a header parameter. Pointed out
by Wouter Clarie (rimshot AT pandora DOT be).
My solution is not to quote the parameter (I'm afraid that will break
simple browsers) but to replace special characters with alphabetic
characters so that the resulting string is entirely alphanumeric. We
don't want to use hex here, the alphabet is too small.
"not too ugly for me" deraadt@, "a bit ugly but good enough" henning@,
"that might be better than quoting" wouter
|
|
Instead, generate a random MIME boundary separator that is also
much longer, which makes it less likely to occur in the data.
Before:
HTTP/1.1 206 Partial Content
Server: Apache/1.3.27 (Unix) mod_ssl/2.8.12 OpenSSL/0.9.7-beta3
Content-Type: multipart/byteranges; boundary=3e4e7d648e6
where the first 6 hex digits of the boundary is the request
time and the last 4 hex digits of the boundary (48e6) is the PID
of the httpd process that served the request.
After:
HTTP/1.1 206 Partial Content
Server: Apache/1.3.27 (Unix) mod_ssl/2.8.12 OpenSSL/0.9.7-beta3
Content-Type: multipart/byteranges; boundary=lqmQDSxeaFSosnx+R46M94slY7G5BKGVPIhCc4ffoW852Vz0RbOaLJfMCAHHTfvR
The boundary now consists of 48 pseudorandom bytes encoded into 64
base64 characters. This is in accordance with RFC 1341 section 7.2.1.
Based on conversations with deraadt@. OK deraadt@
|
|
|
|
|
|
many tweaks by millert@ (thanks)
thanks mpech@ for help with adduser(8)
ok millert@
|
|
|
|
|
|
|
|
|
|
not exploiteable; would need more programming errors to cause harm
from jim@apache
|
|
|
|
ok theo
|
|
|
|
|
|
|
|
henning@
|
|
henning@ ok
|
|
|
|
from David Krause, Thanks!
|
|
|
|
PR 2902, Francesco Toscan, Thanks!
|
|
PR 2891, jlouis at diku dk, Thanks!
|
|
fixes a cross site scripting bug
fixes 2 off-by-ones
|
|
Problem found by David Wagner (among others).
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
pointed out by nicolas at untz dot net, thanks!
|
|
|
|
not php3.
inspired by a PR from j@pureftpd.org for the -dist file.
|
|
*) SECURITY: CAN-2002-0840 (cve.mitre.org)
Prevent a cross-site scripting vulnerability in the default
error page. The issue could only be exploited if the directive
UseCanonicalName is set to Off and a server is being run at
a domain that allows wildcard DNS. [Matthew Murphy]
|
|
parameters a bit more logical. missing startssl pointed out by jsyn@, what
made me look at it ;-)
ok deraadt@
|
|
access.conf.
"These are now distributed empty" just doesn't fit if we don't install them
any more.
|