path: root/usr.sbin/httpd
Age | Commit message | Author

2003-03-23 | sync FILES section with reality | Henning Brauer
2003-03-23 | correct URL to apache online docs | Henning Brauer
2003-03-19 | use RSA key blinding code from mod_ssl 2.8.13. differences to our own fix | Henning Brauer
    that was already in are purely cosmetic, but this will make the future merge of mod_ssl 2.8.13 easier.
2003-03-15 | missing ap_server_strip_chroot() | Henning Brauer
2003-03-14 | RSA blinding for private keys here too. | Hakan Olsson
2003-03-14 | Add RSA blinding for private keys. markus@ ok. | Hakan Olsson
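The three blinding commits above turn on RSA blinding for private-key operations; the log does not explain the technique itself. The following is an added example (not code from OpenBSD, Apache or mod_ssl) showing the arithmetic: before exponentiating with the private exponent d, the input is multiplied by r^e for a fresh random r, and the factor r is divided out afterwards. The exponentiation therefore runs on a value the attacker did not choose and cannot predict, which is what removes the correlation between chosen inputs and the operation's timing. The key below is a constructed toy key with two seven-digit primes and exists only so the block runs offline; the function names are this example's own.

```python
import secrets
from math import gcd

# Constructed toy RSA key (tiny primes, illustration only; never use such sizes).
P, Q = 1000003, 1000033
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)  # private exponent, e*d == 1 (mod phi)


def rsa_private_plain(c: int, d: int = D, n: int = N) -> int:
    """Unblinded private-key operation.  The running time of this modular
    exponentiation depends on intermediate values that the attacker can
    influence by choosing c, which is the timing side channel blinding closes."""
    return pow(c, d, n)


def rsa_private_blinded(c: int, d: int = D, n: int = N, e: int = E) -> int:
    """Blinded private-key operation:
         r       fresh random, invertible mod n
         c'      = c * r^e            mod n   (attacker does not know r)
         m'      = c'^d = m * r^(ed) = m * r   mod n
         m       = m' * r^-1          mod n
    The secret exponentiation is performed on c', not on the attacker's c."""
    while True:
        r = secrets.randbelow(n - 2) + 2  # 2 <= r < n
        if gcd(r, n) == 1:
            break
    r_inv = pow(r, -1, n)
    blinded_in = (c * pow(r, e, n)) % n
    blinded_out = pow(blinded_in, d, n)
    return (blinded_out * r_inv) % n


def roundtrip_matches(m: int) -> bool:
    """Encrypt with the public key and check that the blinded and the plain
    private-key operations both recover m (the blinding is transparent)."""
    c = pow(m, E, N)
    return rsa_private_plain(c) == m and rsa_private_blinded(c) == m


if __name__ == "__main__":
    print("blinded result matches plain result:", roundtrip_matches(123456789))
```

Blinding costs one extra public-key exponentiation and one modular inverse per private operation, which is why implementations of that era had it off by default; with a reused blinding factor per process the check above still passes, so correctness tests cannot tell whether r is really fresh, only a timing measurement can.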
2003-03-06 | date should be written formally: .Dd Month day, year | David Krause
    ok henning@ jmc@
2003-02-21 | open the etag-state file writeonly. open it O_TRUNC in case it was too big. | Henning Brauer
    chmod/chown to root.www 0640, just in case an etag file from the initial version is around. ok cloder theo
2003-02-21 | $OpenBSD$ | Henning Brauer
2003-02-21 | fix restarts. | Henning Brauer
    the etag-state file wasn't readable after chroot and privilege drop. therefore, make it root.www 640. split the read and write portions into their own functions, and in init_etag, try to write the etag-state; in case of any problem with that, create a new one and read that.
2003-02-18 | intial -> initial; | Jason McIntyre
    the great intial witch hunt, as prompted by tdeval@
    os-aix-dso.c: ok henning@
    ab.C: ok drahn@
2003-02-17 | Add hyphens to boundary ID to make it not pure base64. This means that | Chad Loder
    the boundary could never ever be accidentally matched inside base64 data. Based on conversation with markus@, deraadt@, henning@. OK deraadt@, henning@
2003-02-16 | Don't leak the inode numbers of served files via the | Chad Loder
    ETag (entity tag) header value. Instead of including the file modification date, inode, file size, etc. directly in the ETag header, return a SHA1 hash of these values instead. This SHA1 hash is initialized with a pseudorandom secret, so that it's harder to brute force inode numbers. This initialization secret is saved in a file called "etag-state" in the httpd chroot logs/ directory, so that the ETag header values are consistent across httpd restarts (if the secret were different each time httpd started, ETags would change unnecessarily and thereby cause caches to refresh unnecessarily).

    An additional change is introduced: we add the dev number to the hash when (and only when) we add the inode number to the hash.

    Before:

        HTTP/1.1 200 OK
        Server: Apache/1.3.27 (Unix) mod_ssl/2.8.12 OpenSSL/0.9.7-beta3
        ETag: "b10d3-1e59-3e49cbe4"

    In this case, we can tell the inode number of index.html is b10d3 hex.

    After:

        HTTP/1.1 200 OK
        Server: Apache/1.3.27 (Unix) mod_ssl/2.8.12 OpenSSL/0.9.7-beta3
        ETag: "3f3b3cb2ce2e278087960b3be6a6e9844166e371"

    Idea and solution by deraadt@. OK deraadt@, henning@. Any bugs are my fault :)
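The commit above describes the fix in prose; the following added example (this page's, not Apache's or OpenBSD's code) reproduces the two ETag forms side by side and the etag-state handling the two 2003-02-21 commits talk about. The legacy form is the inode/size/mtime hex triple shown in the "Before" header; the hashed form keys a SHA1 with a per-installation secret read from a state file and adds the device number exactly when it adds the inode. The field widths, the 20-byte secret length, the little-endian encoding and the file mode 0640 are this example's assumptions; the commit fixes none of them. The scratch document and state file are constructed inside a temporary directory so the block runs offline.

```python
import hashlib
import os
import secrets
import tempfile

SECRET_LEN = 20  # assumed size of the "etag-state" secret


def load_or_create_secret(state_path: str) -> bytes:
    """Read the per-installation secret, creating it on first start.
    Persisting it is what keeps ETags stable across restarts: a fresh
    secret per start would change every ETag and defeat downstream caches.
    Written write-only with O_TRUNC and mode 0640 (owner root, group www in
    the commits above), so the unprivileged, chrooted worker can still read it."""
    try:
        with open(state_path, "rb") as f:
            secret = f.read()
        if len(secret) == SECRET_LEN:
            return secret
    except OSError:
        pass  # missing or unreadable: fall through and regenerate
    secret = secrets.token_bytes(SECRET_LEN)
    fd = os.open(state_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o640)
    with os.fdopen(fd, "wb") as f:
        f.write(secret)
    return secret


def legacy_etag(st: os.stat_result) -> str:
    """Pre-fix form: "inode-size-mtime" in hex, so every client learns the inode."""
    return '"%x-%x-%x"' % (st.st_ino, st.st_size, int(st.st_mtime))


def hashed_etag(secret: bytes, st: os.stat_result, use_inode: bool = True) -> str:
    """Post-fix form: SHA1(secret || [dev || ino] || size || mtime).
    The secret goes in first so a client cannot confirm a guessed inode by
    recomputing the hash; dev is added if and only if ino is, so equal inode
    numbers on two filesystems do not produce equal ETags."""
    h = hashlib.sha1(secret)
    if use_inode:
        h.update(st.st_dev.to_bytes(8, "little"))
        h.update(st.st_ino.to_bytes(8, "little"))
    h.update(st.st_size.to_bytes(8, "little"))
    h.update(int(st.st_mtime).to_bytes(8, "little"))
    return '"%s"' % h.hexdigest()


def demo() -> dict:
    """Constructed scenario: a document plus an etag-state file in a scratch
    directory.  Shows that the legacy ETag exposes the inode, that the hashed
    ETag is opaque and survives a simulated restart (secret re-read from disk),
    and that a different secret yields a different ETag for the same file."""
    docroot = tempfile.mkdtemp()
    state = os.path.join(docroot, "etag-state")
    index = os.path.join(docroot, "index.html")
    with open(index, "wb") as f:
        f.write(b"<html>hello</html>\n")
    st = os.stat(index)

    first = hashed_etag(load_or_create_secret(state), st)
    after_restart = hashed_etag(load_or_create_secret(state), st)
    other_secret = hashed_etag(secrets.token_bytes(SECRET_LEN), st)
    return {
        "legacy_leaks_inode": ("%x" % st.st_ino) in legacy_etag(st),
        "hashed_is_40_hex": len(first) == 42 and all(c in "0123456789abcdef" for c in first[1:-1]),
        "stable_across_restart": first == after_restart,
        "secret_matters": first != other_secret,
        "no_inode_differs": hashed_etag(load_or_create_secret(state), st, use_inode=False) != first,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The "stable across restart" property is exactly the trade-off the commit names: the secret must be long-lived to keep caches warm, so it must also be stored where the privilege-dropped worker can read it but clients and other local users cannot, which is what the root.www 0640 follow-up commits are about.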
2003-02-16 | My last commit uses base64 for the multipart MIME boundary id. Since | Chad Loder
    the base64 alphabet includes the characters '/', '+', and '=', it may violate section 4 of RFC 1341, which says that these kinds of characters must be quoted in order to be used as a header parameter. Pointed out by Wouter Clarie (rimshot AT pandora DOT be). My solution is not to quote the parameter (I'm afraid that will break simple browsers) but to replace special characters with alphabetic characters so that the resulting string is entirely alphanumeric. We don't want to use hex here, the alphabet is too small. "not too ugly for me" deraadt@, "a bit ugly but good enough" henning@, "that might be better than quoting" wouter
2003-02-15 | Don't leak httpd child PIDs via multipart MIME boundary separators. | Chad Loder
    Instead, generate a random MIME boundary separator that is also much longer, which makes it less likely to occur in the data.

    Before:

        HTTP/1.1 206 Partial Content
        Server: Apache/1.3.27 (Unix) mod_ssl/2.8.12 OpenSSL/0.9.7-beta3
        Content-Type: multipart/byteranges; boundary=3e4e7d648e6

    where the first 6 hex digits of the boundary is the request time and the last 4 hex digits of the boundary (48e6) is the PID of the httpd process that served the request.

    After:

        HTTP/1.1 206 Partial Content
        Server: Apache/1.3.27 (Unix) mod_ssl/2.8.12 OpenSSL/0.9.7-beta3
        Content-Type: multipart/byteranges; boundary=lqmQDSxeaFSosnx+R46M94slY7G5BKGVPIhCc4ffoW852Vz0RbOaLJfMCAHHTfvR

    The boundary now consists of 48 pseudorandom bytes encoded into 64 base64 characters. This is in accordance with RFC 1341 section 7.2.1. Based on conversations with deraadt@. OK deraadt@
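The three boundary commits (2003-02-15 random boundary, 2003-02-16 alphanumeric-only, 2003-02-17 hyphens) together describe one generator. The added example below (not Apache's or OpenBSD's code) builds it end to end and shows the two properties each later commit adds: the parameter needs no quoting under the RFC 1341/2045 "tspecials" rule, and the value cannot be a substring of base64-encoded body data because it contains a character outside that alphabet. The legacy "%x%x" of request time and PID is an assumption read off the sample boundary in the commit message, not Apache's source; the 16-character grouping for the hyphens and the letters substituted for '+', '/' and '=' are this example's choices, since the commits only say hyphens were added and special characters replaced.

```python
import base64
import re
import secrets

MAX_BOUNDARY_LEN = 70  # RFC 2046 section 5.1.1 upper bound on a boundary
TSPECIALS = set('()<>@,;:\\"/[]?=')  # RFC 2045: a parameter value containing one must be quoted


def legacy_boundary(request_time: int, pid: int) -> str:
    """Assumed pre-fix form: hex request time followed by hex child PID."""
    return "%x%x" % (request_time, pid)


def leaked_pid(boundary: str, request_time: int) -> int:
    """What a client could do with the legacy form: it knows when it sent the
    request, so the hex time prefix is known and whatever follows is the PID."""
    prefix = "%x" % request_time
    if not boundary.startswith(prefix):
        raise ValueError("time prefix does not match boundary")
    return int(boundary[len(prefix):], 16)


_TO_ALNUM = str.maketrans({"+": "a", "/": "b", "=": "c"})


def random_boundary(nbytes: int = 48, group: int = 16) -> str:
    """Post-fix form: 48 random bytes -> 64 base64 characters (commit 1),
    non-alphanumeric base64 characters mapped to letters so no quoting is
    needed (commit 2), and a hyphen between fixed-size groups so the string
    contains a non-base64 character (commit 3).  48 is a multiple of 3, so
    no '=' padding occurs for the default size; the translation still covers it."""
    raw = base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")
    alnum = raw.translate(_TO_ALNUM)
    out = "-".join(alnum[i:i + group] for i in range(0, len(alnum), group))
    if len(out) > MAX_BOUNDARY_LEN:
        raise ValueError("boundary exceeds the RFC 2046 limit of 70 characters")
    return out


def needs_quoting(boundary: str) -> bool:
    """True if the value cannot be used as a bare Content-Type parameter."""
    return any(c in TSPECIALS for c in boundary)


def can_collide_with_base64_body(boundary: str) -> bool:
    """A boundary can only be mistaken for base64 body data if every one of
    its characters is in the base64 alphabet; a hyphen rules that out."""
    return re.fullmatch(r"[A-Za-z0-9+/=]+", boundary) is not None


if __name__ == "__main__":
    old = legacy_boundary(0x3E4E7D64, 0x8E6)
    print("legacy:", old, "-> PID", leaked_pid(old, 0x3E4E7D64))
    new = random_boundary()
    print("random:", new, "quoting needed:", needs_quoting(new),
          "can collide with base64 body:", can_collide_with_base64_body(new))
```

Note the length arithmetic: 64 characters plus three hyphens is 67, just inside the 70-character limit, which is why the group size cannot be made much smaller without dropping random bytes.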
2003-02-10 | indent | Theo de Raadt
2003-02-08 | typo; krause | Henning Brauer
2003-01-29 | typos; | Jason McIntyre
    many tweaks by millert@ (thanks) thanks mpech@ for help with adduser(8) ok millert@
2003-01-20 | typos; alan@alanday.com | Theo de Raadt
2002-12-25 | no more -O1 needed on alpha | Henning Brauer
2002-12-22 | spelink; Wouter Clarie in PR 3047 | Henning Brauer
2002-12-15 | mroe speling; torh | Henning Brauer
2002-12-11 | fix buffer overflow in the FIX_PRECISION macro | Henning Brauer
    not exploitable; would need more programming errors to cause harm. from jim@apache
2002-12-11 | typos in comments; David Krause | Henning Brauer
2002-12-10 | -O1 on alpha for now | Henning Brauer
    ok theo
2002-12-09 | From Andrushock, s/sucess/success/g | Todd C. Miller
2002-12-07 | typo, henning ok | Anil Madhavapeddy
2002-12-05 | typo in error message; Tor Houghton | Henning Brauer
2002-11-23 | Correct href, from Francesco Toscan <francesco@toscan.biz> | margarida
    henning@
2002-11-22 | fix fd handling, so 'make build >log 2>fixme' really works | Philipp Buehler
    henning@ ok
2002-11-22 | honor COPTS; ok henning@ | Christian Weisgerber
2002-11-18 | kill unused #define which was a workaround with old OpenSSL versions | Henning Brauer
    from David Krause, Thanks!
2002-11-18 | kill duplicate int retry; from David Krause, Thanks! | Henning Brauer
2002-11-07 | mention restart issues with 3rd party modules | Henning Brauer
    PR 2902, Francesco Toscan, Thanks!
2002-11-07 | httpd(8), not (1)... | Henning Brauer
    PR 2891, jlouis at diku dk, Thanks!
2002-10-28 | merge mod-ssl 2.8.12 | Henning Brauer
    fixes a cross site scripting bug
    fixes 2 off-by-ones
2002-10-23 | Replace tmpnam() with mkstemp() to avoid possible /tmp race. | Todd C. Miller
    Problem found by David Wagner (among others).
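The tmpnam() to mkstemp() commit above names the bug class but not the mechanism. The following added example (not the httpd code) shows why a predictable temporary name is dangerous and what mkstemp() changes: a local attacker who can compute the name plants a symlink there first, and a later open() with O_CREAT but without O_EXCL follows it and writes into the attacker's chosen target. mkstemp() creates an unpredictable name with O_CREAT|O_EXCL and mode 0600 in one step, so a planted entry makes the open fail instead of being followed. The "httpd.<pid>" naming scheme and the PID value are constructed stand-ins for tmpnam()'s output; the victim file and the symlink live in a scratch directory so the block runs offline. Python's tempfile.mkstemp is used for the safe path because it wraps the same O_EXCL open the C function does.

```python
import os
import stat
import tempfile


def predictable_tmp_name(tmpdir: str, pid: int) -> str:
    """Stand-in for a tmpnam()-style name: derived from public state (here the
    PID), so another local user can compute it before the server uses it."""
    return os.path.join(tmpdir, "httpd.%d" % pid)


def write_tmp_racy(tmpdir: str, pid: int, data: bytes) -> str:
    """tmpnam() + open(O_CREAT) pattern.  Without O_EXCL the open succeeds on
    whatever already sits at the path, including an attacker's symlink, and
    the write lands in the symlink's target."""
    path = predictable_tmp_name(tmpdir, pid)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


def write_tmp_safe(tmpdir: str, data: bytes) -> str:
    """mkstemp() pattern: random suffix, O_CREAT|O_EXCL (plus O_NOFOLLOW
    where available), mode 0600, all in one atomic open.  A pre-planted
    entry at the chosen name makes the open fail; the caller gets an fd to a
    file it is guaranteed to have created itself."""
    fd, path = tempfile.mkstemp(prefix="httpd.", dir=tmpdir)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


def demo() -> dict:
    """Constructed attack: plant a symlink at the name the racy writer will
    use, pointing at a file that stands in for something the attacker wants
    overwritten, then run both writers."""
    tmpdir = tempfile.mkdtemp()
    victim = os.path.join(tmpdir, "victim")  # stands in for a file the attacker cannot write
    with open(victim, "wb") as f:
        f.write(b"original\n")
    pid = 4242  # PIDs are public (ps(1)), so this is not a secret
    planted = predictable_tmp_name(tmpdir, pid)
    os.symlink(victim, planted)

    write_tmp_racy(tmpdir, pid, b"server data\n")
    with open(victim, "rb") as f:
        victim_clobbered = f.read() == b"server data\n"

    # The O_EXCL open that mkstemp() performs refuses the planted name outright.
    try:
        os.open(planted, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        excl_refused = False
    except FileExistsError:
        excl_refused = True

    safe_path = write_tmp_safe(tmpdir, b"server data\n")
    st = os.lstat(safe_path)
    return {
        "victim_clobbered_by_racy_writer": victim_clobbered,
        "excl_open_refuses_planted_name": excl_refused,
        "safe_name_is_not_the_predicted_one": safe_path != planted,
        "safe_file_is_regular_0600": stat.S_ISREG(st.st_mode) and stat.S_IMODE(st.st_mode) == 0o600,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The fix is only complete if the code keeps using the returned descriptor; re-opening the file by name later reintroduces the same window.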
2002-10-07 | merge apache 1.3.27 | Henning Brauer
2002-10-07 | sync MANUALFILES | Henning Brauer
2002-10-07 | drain the bitbucket | Henning Brauer
2002-10-07 | emacsed out | Henning Brauer
2002-10-07 | gone to the big harddrive in the sky | Henning Brauer
2002-10-07 | merge apache 1.3.27 and mod_ssl 2.8.11 | Henning Brauer
2002-10-07 | import apache 1.3.27 and mod_ssl 2.8.11 | Henning Brauer
2002-10-07 | make restarts work again with missing srm.conf (sigh) | Henning Brauer
    pointed out by nicolas at untz dot net, thanks!
2002-10-06 | match php 4, too, in the example, j@pureftpd.org | Henning Brauer
2002-10-06 | in the commented out AddType example for php take values fitting for php4, | Henning Brauer
    not php3. inspired by a PR from j@pureftpd.org for the -dist file.
2002-10-04 | fix a cross-site scripting vuln: | Henning Brauer
    *) SECURITY: CAN-2002-0840 (cve.mitre.org)
       Prevent a cross-site scripting vulnerability in the default error page. The issue could only be exploited if the directive UseCanonicalName is set to Off and a server is being run at a domain that allows wildcard DNS. [Matthew Murphy]
2002-09-28 | format usage nicer, and add startssl to summary usage. also order the | Henning Brauer
    parameters a bit more logically. missing startssl pointed out by jsyn@, which made me look at it ;-) ok deraadt@
2002-09-20 | better comment about ResourceConfig and AccessConfig aka srm.conf and | Henning Brauer
    access.conf. "These are now distributed empty" just doesn't fit if we don't install them any more.