Bug 29257

Summary: Problem with apache-1.3.31 and mod_frontpage (dso, official FreeBSD port).
Product: Apache httpd-1.3
Reporter: Andy Dills <andy>
Component: Other
Assignee: Apache HTTPD Bugs Mailing List <bugs>
Status: RESOLVED WONTFIX
Severity: normal
CC: a.panfilov, lhecking
Priority: P3
Version: HEAD
Target Milestone: ---
Hardware: PC
OS: FreeBSD

Description Andy Dills 2004-05-27 20:57:09 UTC
I was in the process of trying to upgrade to apache-1.3.31 today. You should 
know we use the DSO mod_frontpage built from the FreeBSD ports system, which 
is based on the original "improved mod_frontpage" and further improved to 
support FP2002 as well as security fixes. 

When doing the initial authentication from Frontpage, when using 1.3.29 (which 
works flawlessly) you see this in the access log:

216.127.136.116 - - [27/May/2004:14:25:01 -0400] "GET /_vti_inf.html HTTP/1.1" 200 1754
216.127.136.116 - - [27/May/2004:14:25:01 -0400] "POST /_vti_bin/shtml.exe/_vti_rpc HTTP/1.1" 200 240
216.127.136.116 - - [27/May/2004:14:25:01 -0400] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.1" 401 480
216.127.136.116 - spagma [27/May/2004:14:25:05 -0400] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.1" 200 2481

When using apache 1.3.31, I get this:

16.127.136.116 - - [27/May/2004:14:00:00 -0400] "OPTIONS / HTTP/1.1" 200 -
216.127.136.116 - - [27/May/2004:14:00:00 -0400] "GET /_vti_inf.html HTTP/1.1" 200 1754
216.127.136.116 - - [27/May/2004:14:00:00 -0400] "POST /_vti_bin/shtml.exe/_vti_rpc HTTP/1.1" 200 240
216.127.136.116 - - [27/May/2004:14:00:00 -0400] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.1" 401 480
216.127.136.116 - - [27/May/2004:14:00:00 -0400] "method=open+service%3a4%2e0%2e2%2e4715&service%5fname=%2f" 501 -

And in the error log:

[Thu May 27 13:32:06 2004] [error] [client 216.127.136.116] Invalid method in request method=open+service%3a4%2e0%2e2%2e4715&service%5fname=%2

Not being an expert on the apache code, I would assume this has something to 
do with the fact that the frontpage auth packets have a <CRLF><CRLF> in the 
middle of the header, and thus apache is seeing the rest of the header as a 
new request. I'm assuming you guys were addressing a potential security issue, 
or whatnot.

All I know is the DSO works on 1.3.29 and not 1.3.31, and since I like your 
software so much I thought I'd pass it along, so hopefully it can be addressed 
in a later build.

Thanks!
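
An added example (not part of the original report and not Apache or mod_frontpage code): a Python triage script that scans common-log-format access logs for the symptom shown above, a request field that is form data rather than a request line, and links it to the preceding failed POST from the same client. The function, constant and field names are assumptions, and the sample lines are constructed from the excerpts in the report.

```python
import re

# Common log format: host ident user [time] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "(.*)" (\d{3}) \S+$')
# A well-formed request line: METHOD SP target SP HTTP/x.y
REQ_LINE = re.compile(r'^[A-Z]+ \S+ HTTP/\d\.\d$')
# Something shaped like urlencoded form data: key=value[&key=value...]
FORM_BODY = re.compile(r'^[^\s=&]+=[^\s&]*(?:&[^\s=&]+=[^\s&]*)*$')

# Constructed samples: tails of the 1.3.29 and 1.3.31 excerpts, lines rejoined.
LOG_1_3_29 = """\
216.127.136.116 - - [27/May/2004:14:25:01 -0400] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.1" 401 480
216.127.136.116 - spagma [27/May/2004:14:25:05 -0400] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.1" 200 2481
"""
LOG_1_3_31 = """\
216.127.136.116 - - [27/May/2004:14:00:00 -0400] "GET /_vti_inf.html HTTP/1.1" 200 1754
216.127.136.116 - - [27/May/2004:14:00:00 -0400] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.1" 401 480
216.127.136.116 - - [27/May/2004:14:00:00 -0400] "method=open+service%3a4%2e0%2e2%2e4715&service%5fname=%2f" 501 -
"""

def parse(line):
    """Return (host, user, time, request, status) or None for non-CLF lines."""
    m = CLF.match(line.strip())
    if not m:
        return None
    host, user, when, request, status = m.groups()
    return host, user, when, request, int(status)

def find_body_as_request(lines):
    """Flag entries whose request field is form data instead of a request
    line, noting when the same client's previous entry was a failed POST."""
    last_by_host, findings = {}, []
    for line in lines:
        entry = parse(line)
        if entry is None:
            continue
        host, _user, when, request, status = entry
        if not REQ_LINE.match(request) and FORM_BODY.match(request):
            prev = last_by_host.get(host)
            failed_post = bool(prev and prev[3].startswith("POST ") and prev[4] >= 400)
            findings.append({"host": host, "time": when, "status": status,
                             "after_failed_post": prev[3] if failed_post else None})
        last_by_host[host] = entry
    return findings

if __name__ == "__main__":
    for finding in find_body_as_request(LOG_1_3_31.splitlines()):
        print(finding)
```
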
Comment 1 Jeff Trawick 2004-05-27 23:58:40 UTC
Can you try backing out these 1.3.31 patches individually to see if one of these
resulted in the breakage?

http://cvs.apache.org/viewcvs.cgi/apache-1.3/src/main/http_protocol.c?r1=1.332&r2=1.333

http://cvs.apache.org/viewcvs.cgi/apache-1.3/src/main/http_request.c?r1=1.173&r2=1.174

Comment 2 Andy Dills 2004-05-28 01:19:38 UTC
Hey! Alright, we solved that one quick.

The second patch you mention is indeed the problem:
http://cvs.apache.org/viewcvs.cgi/apache-1.3/src/main/http_request.c?r1=1.173&r2=1.174

Backing out just that one restores full functionality.

Thanks!
Comment 3 Jeff Trawick 2004-05-28 02:16:53 UTC
Thanks for trying so quickly!  I'll point this out on the developer's mailing
list for discussion.  (I have no idea the meaning of all this ;) )

Now I find other discussion of this at

  http://www.rtr.com/fp2002disc/_disc2/00000a71.htm
Comment 4 Pierre Grandmaison 2004-06-04 15:57:33 UTC
Is this being researched to evaluate whether making this patch change would be 
a security risk?

We are also experiencing this problem.
Comment 5 Andy Dills 2004-06-04 17:13:57 UTC
From reading the thread on the developers list, you should not be concerned 
with backing out this patch. It appears very likely a 1.3.32 will soon be 
released without this patch, as apparently it is breaking other functionality 
as well.
Comment 6 Joe Orton 2004-06-28 11:56:15 UTC
For completeness, users experiencing this problem should apply this patch:

http://cvs.apache.org/viewcvs.cgi/apache-1.3/src/main/http_request.c?r1=1.174&r2=1.175

which will be included in the next 1.3 release.
Comment 7 Joe Orton 2004-06-28 11:56:55 UTC
*** Bug 29237 has been marked as a duplicate of this bug. ***
Comment 8 Joe Orton 2004-10-11 10:34:34 UTC
*** Bug 31638 has been marked as a duplicate of this bug. ***
Comment 9 Ron van den Dungen 2005-04-08 17:27:05 UTC
(In reply to comment #6)
> For completeness, users experiencing this problem should apply this patch:
> 
> http://cvs.apache.org/viewcvs.cgi/apache-1.3/src/main/http_request.c?r1=1.174&r2=1.175
> 
> which will be included in the next 1.3 release.

Seems this patch is still needed in 1.3.33. Apache 1.3.33 still breaks the
mod_frontpage.
Comment 10 Ron van den Dungen 2005-10-19 09:31:08 UTC
(In reply to comment #9)
> 
> Seems this patch is still needed in 1.3.33. Apache 1.3.33 still breaks the
> mod_frontpage.

And still there in 1.3.34. Why doesn't this patch get included?
Comment 11 Malte S. Stretz 2011-03-21 11:15:11 UTC
Apache HTTP Server 1.3.x is not supported anymore and no bugs will be fixed in the old codebase (cf. <http://mail-archives.apache.org/mod_mbox/httpd-announce/201002.mbox/%3C20100203000334.GA19021@infiltrator.stdlib.net%3E>). Since this bug seems to affect only 1.3.x, I'm closing it as WONTFIX.

If this bug still affects you in a recent version (version 2.2.x or the upcoming version 2.4), please open a new bug.

Thank you for reporting the bug.