ASF Bugzilla – Attachment 9626 Details for
Bug 12355
POST incompatible w/ renegotiate https: connection
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Help
|
New Account
|
Log In
Remember
[x]
|
Forgot Password
Login:
[x]
[patch]
diff against httpd-2.0.48
diff.txt (text/plain), 6.51 KB, created by
keilh
on 2003-12-18 12:33:22 UTC
(
hide
)
Description:
diff against httpd-2.0.48
Filename:
MIME Type:
Creator:
keilh
Created:
2003-12-18 12:33:22 UTC
Size:
6.51 KB
patch
obsolete
>*** mod_ssl.h.patched Thu Dec 18 13:11:48 2003 >--- mod_ssl.h Thu Dec 18 13:13:19 2003 >*************** >*** 709,714 **** >--- 709,715 ---- > void ssl_io_filter_init(conn_rec *, SSL *); > void ssl_io_filter_register(apr_pool_t *); > long ssl_io_data_cb(BIO *, int, MODSSL_BIO_CB_ARG_TYPE *, int, long, long); >+ long ssl_io_suck(request_rec *); > > /* PRNG */ > int ssl_rand_seed(server_rec *, apr_pool_t *, ssl_rsctx_t, char *); >*** ssl_engine_kernel.c.patched Thu Dec 18 13:11:39 2003 >--- ssl_engine_kernel.c Thu Dec 18 13:15:04 2003 >*************** >*** 583,596 **** > * > * !! BUT ALL THIS IS STILL NOT RE-IMPLEMENTED FOR APACHE 2.0 !! > */ >! if (renegotiate && !renegotiate_quick && (r->method_number == M_POST)) { > ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server, > "SSL Re-negotiation in conjunction " > "with POST method not supported!\n" > "hint: try SSLOptions +OptRenegotiate"); >! > return HTTP_METHOD_NOT_ALLOWED; > } > > /* > * now do the renegotiation if anything was actually reconfigured >--- 583,602 ---- > * > * !! BUT ALL THIS IS STILL NOT RE-IMPLEMENTED FOR APACHE 2.0 !! > */ >! if (renegotiate && !renegotiate_quick && (r->method_number == M_POST)) { >! #ifdef SSL_CONSERVATIVE > ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server, > "SSL Re-negotiation in conjunction " > "with POST method not supported!\n" > "hint: try SSLOptions +OptRenegotiate"); >! > return HTTP_METHOD_NOT_ALLOWED; >+ #else >+ if( ssl_io_suck(r) != OK) { >+ return HTTP_METHOD_NOT_ALLOWED; >+ } > } >+ #endif /* SSL_CONSERVATIVE */ > > /* > * now do the renegotiation if anything was actually reconfigured >*** ssl_engine_io.c.patched Thu Dec 18 13:12:02 2003 >--- ssl_engine_io.c Thu Dec 18 13:21:31 2003 >*************** >*** 897,902 **** >--- 897,987 ---- > } > > static const char ssl_io_filter[] = "SSL/TLS Filter"; >+ static const char ssl_buff_filter[] = "SSL/TLS Buffering Filter"; >+ /* >+ * reads the buffered data during a POST request with renegotiation >+ * will be registere at runtime. >+ * NOTE: we try to buffer the complete body. Use the attribute 'LimitRequestBody' >+ * preventing DOS attacks. >+ */ >+ long ssl_io_suck(request_rec *r) >+ { >+ apr_bucket *bucket; >+ apr_bucket_brigade *bb = apr_brigade_create(r->pool,r->connection->bucket_alloc); >+ >+ int readed = 0; >+ int len = 0; >+ int toRead= 0; >+ char *buffer = NULL; >+ char *pos = NULL; >+ >+ if(ap_setup_client_block(r,REQUEST_CHUNKED_DECHUNK) !=OK) { >+ return HTTP_METHOD_NOT_ALLOWED; >+ } >+ >+ if(!ap_should_client_block(r)) { >+ return OK; >+ } >+ >+ do { >+ buffer = apr_pcalloc(r->pool,HUGE_STRING_LEN); >+ toRead = HUGE_STRING_LEN; >+ >+ /* check malloc */ >+ if(buffer == NULL) { >+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server, >+ "SSL Re-negotiation in conjunction " >+ "with POST (buffering body failed)!\n"); >+ apr_brigade_destroy(bb); >+ return HTTP_METHOD_NOT_ALLOWED; >+ } >+ >+ /* fill the bucket */ >+ pos = buffer; >+ len = 0; >+ do { >+ readed = ap_get_client_block(r,pos,toRead); >+ >+ if(readed <=0) { >+ break; >+ } >+ >+ toRead -= readed; >+ >+ /* sanity */ >+ if(toRead<0) { >+ return HTTP_METHOD_NOT_ALLOWED; >+ } >+ >+ pos += readed; >+ len += readed; >+ } >+ while(toRead>0); >+ >+ /* check last read result */ >+ if(readed<0) { >+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server, >+ "SSL Re-negotiation in conjunction " >+ "with POST (reading body failed)!\n"); >+ apr_brigade_destroy(bb); >+ return HTTP_METHOD_NOT_ALLOWED; >+ } >+ >+ /* check if we have readed everything */ >+ if(len == 0) { >+ break; >+ } >+ bucket = apr_bucket_pool_create(buffer,len,r->pool,r->connection->bucket_alloc); >+ >+ APR_BRIGADE_INSERT_TAIL(bb, bucket); >+ } >+ while(1); >+ >+ //add the ssl_buff_filter_input >+ ap_add_input_filter(ssl_buff_filter, bb, r, r->connection); >+ >+ return OK; >+ } > > /* > * Close the SSL part of the socket connection >*************** >*** 1361,1366 **** >--- 1446,1529 ---- > return status; > } > >+ static apr_status_t ssl_buff_filter_input(ap_filter_t *f, >+ apr_bucket_brigade *bb, >+ ap_input_mode_t mode, >+ apr_read_type_e block, >+ apr_off_t readbytes) >+ { >+ apr_bucket_brigade *aa = f->ctx; >+ apr_status_t rv; >+ >+ if(aa && !APR_BRIGADE_EMPTY(aa)) { >+ >+ if(mode == AP_MODE_READBYTES) { >+ apr_bucket *b; >+ apr_off_t missing = readbytes; >+ apr_size_t len; >+ const char *tmp; >+ >+ while (!APR_BRIGADE_EMPTY(aa)) { >+ b = APR_BRIGADE_FIRST(aa); >+ >+ rv = apr_bucket_read(b, &tmp, &len, APR_BLOCK_READ); >+ if (rv != APR_SUCCESS) { >+ return rv; >+ } >+ >+ /* consume whole bucket */ >+ if(missing >= len) { >+ APR_BUCKET_REMOVE(b); >+ APR_BRIGADE_INSERT_TAIL(bb,b); >+ } >+ /* comsume only a part */ >+ else{ >+ rv = apr_bucket_split(b, missing); >+ if (rv != APR_SUCCESS) { >+ return rv; >+ } >+ >+ APR_BUCKET_REMOVE(b); >+ APR_BRIGADE_INSERT_TAIL(bb, b); >+ break; >+ } >+ >+ missing -= len; >+ >+ if (missing = 0) { >+ break; >+ } >+ >+ if(missing<0) { >+ return AP_FILTER_ERROR; >+ } >+ } >+ return APR_SUCCESS; >+ } >+ else if (mode == AP_MODE_READBYTES) { >+ apr_bucket_brigade *nb = apr_brigade_create(f->r->pool,f->c->bucket_alloc); >+ >+ /* split */ >+ rv = apr_brigade_split_line(nb,aa,block,readbytes); >+ if( rv != APR_SUCCESS) { >+ return rv; >+ } >+ >+ /* concatinate */ >+ APR_BRIGADE_CONCAT(bb,aa); >+ >+ /* remember the rest */ >+ f->ctx = nb; >+ >+ return APR_SUCCESS; >+ } >+ >+ } >+ >+ >+ return ap_pass_brigade(f->next, bb); >+ } >+ > static void ssl_io_input_add_filter(ssl_filter_ctx_t *filter_ctx, conn_rec *c, > SSL *ssl) > { >*************** >*** 1417,1422 **** >--- 1580,1586 ---- > { > ap_register_input_filter (ssl_io_filter, ssl_io_filter_input, NULL, AP_FTYPE_CONNECTION + 5); > ap_register_output_filter (ssl_io_filter, ssl_io_filter_output, NULL, AP_FTYPE_CONNECTION + 5); >+ ap_register_input_filter (ssl_buff_filter, ssl_buff_filter_input, NULL, AP_FTYPE_PROTOCOL - 1); > return; > } >
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 12355
: 9626 |
11681
|
11736
|
11745
|
16491
|
16495