/* Licensed to the Apache Software Foundation (ASF) under one or more * contributor license agreements. See the NOTICE file distributed with * this work for additional information regarding copyright ownership. * The ASF licenses this file to You under the Apache License, Version 2.0 * (the "License"); you may not use this file except in compliance with * the License. You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ /* * http_filter.c --- HTTP routines which either filters or deal with filters. */ #include "apr.h" #include "apr_strings.h" #include "apr_buckets.h" #include "apr_lib.h" #include "apr_signal.h" #define APR_WANT_STDIO /* for sscanf */ #define APR_WANT_STRFUNC #define APR_WANT_MEMFUNC #include "apr_want.h" #define CORE_PRIVATE #include "util_filter.h" #include "ap_config.h" #include "httpd.h" #include "http_config.h" #include "http_core.h" #include "http_protocol.h" #include "http_main.h" #include "http_request.h" #include "http_vhost.h" #include "http_connection.h" #include "http_log.h" /* For errors detected in basic auth common * support code... */ #include "apr_date.h" /* For apr_date_parse_http and APR_DATE_BAD */ #include "util_charset.h" #include "util_ebcdic.h" #include "util_time.h" #include "mod_core.h" #if APR_HAVE_STDARG_H #include <stdarg.h> #endif #if APR_HAVE_UNISTD_H #include <unistd.h> #endif #define INVALID_CHAR -2 static long get_chunk_size(char *); typedef struct http_filter_ctx { apr_off_t remaining; apr_off_t limit; apr_off_t limit_used; enum { BODY_NONE, BODY_LENGTH, BODY_CHUNK, BODY_CHUNK_PART } state; int eos_sent; char chunk_ln[32]; char *pos; apr_off_t linesize; apr_bucket_brigade *bb; } http_ctx_t; static apr_status_t bail_out_on_error(http_ctx_t *ctx, ap_filter_t *f, int http_error) { apr_bucket *e; apr_bucket_brigade *bb = ctx->bb; apr_brigade_cleanup(bb); e = ap_bucket_error_create(http_error, NULL, f->r->pool, f->c->bucket_alloc); APR_BRIGADE_INSERT_TAIL(bb, e); e = apr_bucket_eos_create(f->c->bucket_alloc); APR_BRIGADE_INSERT_TAIL(bb, e); ctx->eos_sent = 1; return ap_pass_brigade(f->r->output_filters, bb); } static apr_status_t get_remaining_chunk_line(http_ctx_t *ctx, apr_bucket_brigade *b, int linelimit) { apr_status_t rv; apr_off_t brigade_length; apr_bucket *e; const char *lineend; apr_size_t len; /* * As the brigade b should have been requested in mode AP_MODE_GETLINE * all buckets in this brigade are already some type of memory * buckets (due to the needed scanning for LF in mode AP_MODE_GETLINE) * or META buckets. */ rv = apr_brigade_length(b, 0, &brigade_length); if (rv != APR_SUCCESS) { return rv; } /* Sanity check. Should never happen. See above. */ if (brigade_length == -1) { return APR_EGENERAL; } if (!brigade_length) { return APR_EAGAIN; } ctx->linesize += brigade_length; if (ctx->linesize > linelimit) { return APR_ENOSPC; } /* * As all buckets are already some type of memory buckets or META buckets * (see above), we only need to check the last byte in the last data bucket. */ for (e = APR_BRIGADE_LAST(b); e != APR_BRIGADE_SENTINEL(b); e = APR_BUCKET_PREV(e)) { if (APR_BUCKET_IS_METADATA(e)) { continue; } rv = apr_bucket_read(e, &lineend, &len, APR_BLOCK_READ); if (rv != APR_SUCCESS) { return rv; } if (len > 0) { break; /* we got the data we want */ } /* If we got a zero-length data bucket, we try the next one */ } /* We had no data in this brigade */ if (!len || e == APR_BRIGADE_SENTINEL(b)) { return APR_EAGAIN; } if (lineend[len - 1] != APR_ASCII_LF) { return APR_EAGAIN; } /* Line is complete. So reset ctx->linesize for next round. */ ctx->linesize = 0; return APR_SUCCESS; } static apr_status_t get_chunk_line(http_ctx_t *ctx, apr_bucket_brigade *b, int linelimit) { apr_size_t len; int tmp_len; apr_status_t rv; tmp_len = sizeof(ctx->chunk_ln) - (ctx->pos - ctx->chunk_ln) - 1; /* Saveguard ourselves against underflows */ if (tmp_len < 0) { len = 0; } else { len = (apr_size_t) tmp_len; } /* * Check if there is space left in ctx->chunk_ln. If not, then either * the chunk size is insane or we have chunk-extensions. Ignore both * by discarding the remaining part of the line via * get_remaining_chunk_line. Only bail out if the line is too long. */ if (len > 0) { rv = apr_brigade_flatten(b, ctx->pos, &len); if (rv != APR_SUCCESS) { return rv; } ctx->pos += len; ctx->linesize += len; *(ctx->pos) = '\0'; /* * Check if we really got a full line. If yes the * last char in the just read buffer must be LF. * If not advance the buffer and return APR_EAGAIN. * We do not start processing until we have the * full line. */ if (ctx->pos[-1] != APR_ASCII_LF) { /* Check if the remaining data in the brigade has the LF */ return get_remaining_chunk_line(ctx, b, linelimit); } /* Line is complete. So reset ctx->pos for next round. */ ctx->pos = ctx->chunk_ln; return APR_SUCCESS; } return get_remaining_chunk_line(ctx, b, linelimit); } /* This is the HTTP_INPUT filter for HTTP requests and responses from * proxied servers (mod_proxy). It handles chunked and content-length * bodies. This can only be inserted/used after the headers * are successfully parsed. */ apr_status_t ap_http_filter(ap_filter_t *f, apr_bucket_brigade *b, ap_input_mode_t mode, apr_read_type_e block, apr_off_t readbytes) { apr_bucket *e; http_ctx_t *ctx = f->ctx; apr_status_t rv; apr_off_t totalread; int http_error = HTTP_REQUEST_ENTITY_TOO_LARGE; apr_bucket_brigade *bb; /* just get out of the way of things we don't want. */ if (mode != AP_MODE_READBYTES && mode != AP_MODE_GETLINE) { return ap_get_brigade(f->next, b, mode, block, readbytes); } if (!ctx) { const char *tenc, *lenp; f->ctx = ctx = apr_pcalloc(f->r->pool, sizeof(*ctx)); ctx->state = BODY_NONE; ctx->pos = ctx->chunk_ln; ctx->bb = apr_brigade_create(f->r->pool, f->c->bucket_alloc); bb = ctx->bb; /* LimitRequestBody does not apply to proxied responses. * Consider implementing this check in its own filter. * Would adding a directive to limit the size of proxied * responses be useful? */ if (!f->r->proxyreq) { ctx->limit = ap_get_limit_req_body(f->r); } else { ctx->limit = 0; } tenc = apr_table_get(f->r->headers_in, "Transfer-Encoding"); lenp = apr_table_get(f->r->headers_in, "Content-Length"); if (tenc) { if (!strcasecmp(tenc, "chunked")) { ctx->state = BODY_CHUNK; } /* test lenp, because it gives another case we can handle */ else if (!lenp) { /* Something that isn't in HTTP, unless some future * edition defines new transfer ecodings, is unsupported. */ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, f->r, "Unknown Transfer-Encoding: %s", tenc); return bail_out_on_error(ctx, f, HTTP_NOT_IMPLEMENTED); } else { ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, f->r, "Unknown Transfer-Encoding: %s; using Content-Length", tenc); tenc = NULL; } } if (lenp && !tenc) { char *endstr; ctx->state = BODY_LENGTH; errno = 0; /* Protects against over/underflow, non-digit chars in the * string (excluding leading space) (the endstr checks) * and a negative number. */ if (apr_strtoff(&ctx->remaining, lenp, &endstr, 10) || endstr == lenp || *endstr || ctx->remaining < 0) { ctx->remaining = 0; ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, f->r, "Invalid Content-Length"); return bail_out_on_error(ctx, f, HTTP_REQUEST_ENTITY_TOO_LARGE); } /* If we have a limit in effect and we know the C-L ahead of * time, stop it here if it is invalid. */ if (ctx->limit && ctx->limit < ctx->remaining) { ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, f->r, "Requested content-length of %" APR_OFF_T_FMT " is larger than the configured limit" " of %" APR_OFF_T_FMT, ctx->remaining, ctx->limit); return bail_out_on_error(ctx, f, HTTP_REQUEST_ENTITY_TOO_LARGE); } } /* If we don't have a request entity indicated by the headers, EOS. * (BODY_NONE is a valid intermediate state due to trailers, * but it isn't a valid starting state.) * * RFC 2616 Section 4.4 note 5 states that connection-close * is invalid for a request entity - request bodies must be * denoted by C-L or T-E: chunked. * * Note that since the proxy uses this filter to handle the * proxied *response*, proxy responses MUST be exempt. */ if (ctx->state == BODY_NONE && f->r->proxyreq != PROXYREQ_RESPONSE) { e = apr_bucket_eos_create(f->c->bucket_alloc); APR_BRIGADE_INSERT_TAIL(b, e); ctx->eos_sent = 1; return APR_SUCCESS; } /* Since we're about to read data, send 100-Continue if needed. * Only valid on chunked and C-L bodies where the C-L is > 0. */ if ((ctx->state == BODY_CHUNK || (ctx->state == BODY_LENGTH && ctx->remaining > 0)) && f->r->expecting_100 && f->r->proto_num >= HTTP_VERSION(1,1) && !(f->r->eos_sent || f->r->bytes_sent)) { if (!ap_is_HTTP_SUCCESS(f->r->status)) { ctx->state = BODY_NONE; ctx->eos_sent = 1; } else { char *tmp; tmp = apr_pstrcat(f->r->pool, AP_SERVER_PROTOCOL, " ", ap_get_status_line(100), CRLF CRLF, NULL); apr_brigade_cleanup(bb); e = apr_bucket_pool_create(tmp, strlen(tmp), f->r->pool, f->c->bucket_alloc); APR_BRIGADE_INSERT_HEAD(bb, e); e = apr_bucket_flush_create(f->c->bucket_alloc); APR_BRIGADE_INSERT_TAIL(bb, e); ap_pass_brigade(f->c->output_filters, bb); } } /* We can't read the chunk until after sending 100 if required. */ if (ctx->state == BODY_CHUNK) { apr_brigade_cleanup(bb); rv = ap_get_brigade(f->next, bb, AP_MODE_GETLINE, block, 0); /* for timeout */ if (block == APR_NONBLOCK_READ && ( (rv == APR_SUCCESS && APR_BRIGADE_EMPTY(bb)) || (APR_STATUS_IS_EAGAIN(rv)) )) { ctx->state = BODY_CHUNK_PART; return APR_EAGAIN; } if (rv == APR_SUCCESS) { rv = get_chunk_line(ctx, bb, f->r->server->limit_req_line); if (APR_STATUS_IS_EAGAIN(rv)) { apr_brigade_cleanup(bb); ctx->state = BODY_CHUNK_PART; return rv; } if (rv == APR_SUCCESS) { ctx->remaining = get_chunk_size(ctx->chunk_ln); if (ctx->remaining == INVALID_CHAR) { rv = APR_EGENERAL; http_error = HTTP_SERVICE_UNAVAILABLE; } } } apr_brigade_cleanup(bb); /* Detect chunksize error (such as overflow) */ if (rv != APR_SUCCESS || ctx->remaining < 0) { ctx->remaining = 0; /* Reset it in case we have to * come back here later */ return bail_out_on_error(ctx, f, http_error); } if (!ctx->remaining) { /* Handle trailers by calling ap_get_mime_headers again! */ ctx->state = BODY_NONE; ap_get_mime_headers(f->r); e = apr_bucket_eos_create(f->c->bucket_alloc); APR_BRIGADE_INSERT_TAIL(b, e); ctx->eos_sent = 1; return APR_SUCCESS; } } } else { bb = ctx->bb; } if (ctx->eos_sent) { e = apr_bucket_eos_create(f->c->bucket_alloc); APR_BRIGADE_INSERT_TAIL(b, e); return APR_SUCCESS; } if (!ctx->remaining) { switch (ctx->state) { case BODY_NONE: break; case BODY_LENGTH: e = apr_bucket_eos_create(f->c->bucket_alloc); APR_BRIGADE_INSERT_TAIL(b, e); ctx->eos_sent = 1; return APR_SUCCESS; case BODY_CHUNK: case BODY_CHUNK_PART: { apr_brigade_cleanup(bb); /* We need to read the CRLF after the chunk. */ if (ctx->state == BODY_CHUNK) { rv = ap_get_brigade(f->next, bb, AP_MODE_GETLINE, block, 0); if (block == APR_NONBLOCK_READ && ( (rv == APR_SUCCESS && APR_BRIGADE_EMPTY(bb)) || (APR_STATUS_IS_EAGAIN(rv)) )) { return APR_EAGAIN; } /* If we get an error, then leave */ if (rv != APR_SUCCESS) { return rv; } /* * We really don't care whats on this line. If it is RFC * compliant it should be only \r\n. If there is more * before we just ignore it as long as we do not get over * the limit for request lines. */ rv = get_remaining_chunk_line(ctx, bb, f->r->server->limit_req_line); apr_brigade_cleanup(bb); if (APR_STATUS_IS_EAGAIN(rv)) { return rv; } } else { rv = APR_SUCCESS; } if (rv == APR_SUCCESS) { /* Read the real chunk line. */ rv = ap_get_brigade(f->next, bb, AP_MODE_GETLINE, block, 0); /* Test timeout */ if (block == APR_NONBLOCK_READ && ( (rv == APR_SUCCESS && APR_BRIGADE_EMPTY(bb)) || (APR_STATUS_IS_EAGAIN(rv)) )) { ctx->state = BODY_CHUNK_PART; return APR_EAGAIN; } ctx->state = BODY_CHUNK; if (rv == APR_SUCCESS) { rv = get_chunk_line(ctx, bb, f->r->server->limit_req_line); if (APR_STATUS_IS_EAGAIN(rv)) { ctx->state = BODY_CHUNK_PART; apr_brigade_cleanup(bb); return rv; } if (rv == APR_SUCCESS) { ctx->remaining = get_chunk_size(ctx->chunk_ln); if (ctx->remaining == INVALID_CHAR) { rv = APR_EGENERAL; http_error = HTTP_SERVICE_UNAVAILABLE; } } } apr_brigade_cleanup(bb); } /* Detect chunksize error (such as overflow) */ if (rv != APR_SUCCESS || ctx->remaining < 0) { ctx->remaining = 0; /* Reset it in case we have to * come back here later */ bail_out_on_error(ctx, f, http_error); return rv; } if (!ctx->remaining) { /* Handle trailers by calling ap_get_mime_headers again! */ ctx->state = BODY_NONE; ap_get_mime_headers(f->r); e = apr_bucket_eos_create(f->c->bucket_alloc); APR_BRIGADE_INSERT_TAIL(b, e); ctx->eos_sent = 1; return APR_SUCCESS; } } break; } } /* Ensure that the caller can not go over our boundary point. */ if (ctx->state == BODY_LENGTH || ctx->state == BODY_CHUNK) { if (ctx->remaining < readbytes) { readbytes = ctx->remaining; } AP_DEBUG_ASSERT(readbytes > 0); } rv = ap_get_brigade(f->next, b, mode, block, readbytes); if (rv != APR_SUCCESS) { return rv; } /* How many bytes did we just read? */ apr_brigade_length(b, 0, &totalread); /* If this happens, we have a bucket of unknown length. Die because * it means our assumptions have changed. */ AP_DEBUG_ASSERT(totalread >= 0); if (ctx->state != BODY_NONE) { ctx->remaining -= totalread; } /* If we have no more bytes remaining on a C-L request, * save the callter a roundtrip to discover EOS. */ if (ctx->state == BODY_LENGTH && ctx->remaining == 0) { e = apr_bucket_eos_create(f->c->bucket_alloc); APR_BRIGADE_INSERT_TAIL(b, e); } /* We have a limit in effect. */ if (ctx->limit) { /* FIXME: Note that we might get slightly confused on chunked inputs * as we'd need to compensate for the chunk lengths which may not * really count. This seems to be up for interpretation. */ ctx->limit_used += totalread; if (ctx->limit < ctx->limit_used) { ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, f->r, "Read content-length of %" APR_OFF_T_FMT " is larger than the configured limit" " of %" APR_OFF_T_FMT, ctx->limit_used, ctx->limit); apr_brigade_cleanup(bb); e = ap_bucket_error_create(HTTP_REQUEST_ENTITY_TOO_LARGE, NULL, f->r->pool, f->c->bucket_alloc); APR_BRIGADE_INSERT_TAIL(bb, e); e = apr_bucket_eos_create(f->c->bucket_alloc); APR_BRIGADE_INSERT_TAIL(bb, e); ctx->eos_sent = 1; return ap_pass_brigade(f->r->output_filters, bb); } } return APR_SUCCESS; } /** * Parse a chunk extension, detect overflow. * There are two error cases: * 1) If the conversion would require too many bits, a -1 is returned. * 2) If the conversion used the correct number of bits, but an overflow * caused only the sign bit to flip, then that negative number is * returned. * In general, any negative number can be considered an overflow error. */ static long get_chunk_size(char *b) { long chunksize = 0; size_t chunkbits = sizeof(long) * 8; ap_xlate_proto_from_ascii(b, strlen(b)); if (!apr_isxdigit(*b)) { /* * Detect invalid character at beginning. This also works for empty * chunk size lines. */ return INVALID_CHAR; } /* Skip leading zeros */ while (*b == '0') { ++b; } while (apr_isxdigit(*b) && (chunkbits > 0)) { int xvalue = 0; if (*b >= '0' && *b <= '9') { xvalue = *b - '0'; } else if (*b >= 'A' && *b <= 'F') { xvalue = *b - 'A' + 0xa; } else if (*b >= 'a' && *b <= 'f') { xvalue = *b - 'a' + 0xa; } chunksize = (chunksize << 4) | xvalue; chunkbits -= 4; ++b; } if (apr_isxdigit(*b) && (chunkbits <= 0)) { /* overflow */ return -1; } return chunksize; } typedef struct header_struct { apr_pool_t *pool; apr_bucket_brigade *bb; } header_struct; /* Send a single HTTP header field to the client. Note that this function * is used in calls to table_do(), so their interfaces are co-dependent. * In other words, don't change this one without checking table_do in alloc.c. * It returns true unless there was a write error of some kind. */ static int form_header_field(header_struct *h, const char *fieldname, const char *fieldval) { #if APR_CHARSET_EBCDIC char *headfield; apr_size_t len; apr_size_t name_len; apr_size_t val_len; char *next; name_len = strlen(fieldname); val_len = strlen(fieldval); len = name_len + val_len + 4; /* 4 for ": " plus CRLF */ headfield = (char *)apr_palloc(h->pool, len + 1); memcpy(headfield, fieldname, name_len); next = headfield + name_len; *next++ = ':'; *next++ = ' '; memcpy(next, fieldval, val_len); next += val_len; *next++ = CR; *next++ = LF; *next = 0; ap_xlate_proto_to_ascii(headfield, len); apr_brigade_write(h->bb, NULL, NULL, headfield, len); #else struct iovec vec[4]; struct iovec *v = vec; v->iov_base = (void *)fieldname; v->iov_len = strlen(fieldname); v++; v->iov_base = ": "; v->iov_len = sizeof(": ") - 1; v++; v->iov_base = (void *)fieldval; v->iov_len = strlen(fieldval); v++; v->iov_base = CRLF; v->iov_len = sizeof(CRLF) - 1; apr_brigade_writev(h->bb, NULL, NULL, vec, 4); #endif /* !APR_CHARSET_EBCDIC */ return 1; } /* This routine is called by apr_table_do and merges all instances of * the passed field values into a single array that will be further * processed by some later routine. Originally intended to help split * and recombine multiple Vary fields, though it is generic to any field * consisting of comma/space-separated tokens. */ static int uniq_field_values(void *d, const char *key, const char *val) { apr_array_header_t *values; char *start; char *e; char **strpp; int i; values = (apr_array_header_t *)d; e = apr_pstrdup(values->pool, val); do { /* Find a non-empty fieldname */ while (*e == ',' || apr_isspace(*e)) { ++e; } if (*e == '\0') { break; } start = e; while (*e != '\0' && *e != ',' && !apr_isspace(*e)) { ++e; } if (*e != '\0') { *e++ = '\0'; } /* Now add it to values if it isn't already represented. * Could be replaced by a ap_array_strcasecmp() if we had one. */ for (i = 0, strpp = (char **) values->elts; i < values->nelts; ++i, ++strpp) { if (*strpp && strcasecmp(*strpp, start) == 0) { break; } } if (i == values->nelts) { /* if not found */ *(char **)apr_array_push(values) = start; } } while (*e != '\0'); return 1; } /* * Since some clients choke violently on multiple Vary fields, or * Vary fields with duplicate tokens, combine any multiples and remove * any duplicates. */ static void fixup_vary(request_rec *r) { apr_array_header_t *varies; varies = apr_array_make(r->pool, 5, sizeof(char *)); /* Extract all Vary fields from the headers_out, separate each into * its comma-separated fieldname values, and then add them to varies * if not already present in the array. */ apr_table_do((int (*)(void *, const char *, const char *))uniq_field_values, (void *) varies, r->headers_out, "Vary", NULL); /* If we found any, replace old Vary fields with unique-ified value */ if (varies->nelts > 0) { apr_table_setn(r->headers_out, "Vary", apr_array_pstrcat(r->pool, varies, ',')); } } /* Send a request's HTTP response headers to the client. */ static apr_status_t send_all_header_fields(header_struct *h, const request_rec *r) { const apr_array_header_t *elts; const apr_table_entry_t *t_elt; const apr_table_entry_t *t_end; struct iovec *vec; struct iovec *vec_next; elts = apr_table_elts(r->headers_out); if (elts->nelts == 0) { return APR_SUCCESS; } t_elt = (const apr_table_entry_t *)(elts->elts); t_end = t_elt + elts->nelts; vec = (struct iovec *)apr_palloc(h->pool, 4 * elts->nelts * sizeof(struct iovec)); vec_next = vec; /* For each field, generate * name ": " value CRLF */ do { vec_next->iov_base = (void*)(t_elt->key); vec_next->iov_len = strlen(t_elt->key); vec_next++; vec_next->iov_base = ": "; vec_next->iov_len = sizeof(": ") - 1; vec_next++; vec_next->iov_base = (void*)(t_elt->val); vec_next->iov_len = strlen(t_elt->val); vec_next++; vec_next->iov_base = CRLF; vec_next->iov_len = sizeof(CRLF) - 1; vec_next++; t_elt++; } while (t_elt < t_end); #if APR_CHARSET_EBCDIC { apr_size_t len; char *tmp = apr_pstrcatv(r->pool, vec, vec_next - vec, &len); ap_xlate_proto_to_ascii(tmp, len); return apr_brigade_write(h->bb, NULL, NULL, tmp, len); } #else return apr_brigade_writev(h->bb, NULL, NULL, vec, vec_next - vec); #endif } /* Confirm that the status line is well-formed and matches r->status. * If they don't match, a filter may have negated the status line set by a * handler. * Zap r->status_line if bad. */ static void validate_status_line(request_rec *r) { char *end; if (r->status_line && (strlen(r->status_line) <= 4 || apr_strtoi64(r->status_line, &end, 10) != r->status || *end != ' ' || (end - 3) != r->status_line)) { r->status_line = NULL; } } /* * Determine the protocol to use for the response. Potentially downgrade * to HTTP/1.0 in some situations and/or turn off keepalives. * * also prepare r->status_line. */ static void basic_http_header_check(request_rec *r, const char **protocol) { if (r->assbackwards) { /* no such thing as a response protocol */ return; } validate_status_line(r); if (!r->status_line) { r->status_line = ap_get_status_line(r->status); } /* Note that we must downgrade before checking for force responses. */ if (r->proto_num > HTTP_VERSION(1,0) && apr_table_get(r->subprocess_env, "downgrade-1.0")) { r->proto_num = HTTP_VERSION(1,0); } /* kludge around broken browsers when indicated by force-response-1.0 */ if (r->proto_num == HTTP_VERSION(1,0) && apr_table_get(r->subprocess_env, "force-response-1.0")) { *protocol = "HTTP/1.0"; r->connection->keepalive = AP_CONN_CLOSE; } else { *protocol = AP_SERVER_PROTOCOL; } } /* fill "bb" with a barebones/initial HTTP response header */ static void basic_http_header(request_rec *r, apr_bucket_brigade *bb, const char *protocol) { char *date; const char *server; header_struct h; struct iovec vec[4]; if (r->assbackwards) { /* there are no headers to send */ return; } /* Output the HTTP/1.x Status-Line and the Date and Server fields */ vec[0].iov_base = (void *)protocol; vec[0].iov_len = strlen(protocol); vec[1].iov_base = (void *)" "; vec[1].iov_len = sizeof(" ") - 1; vec[2].iov_base = (void *)(r->status_line); vec[2].iov_len = strlen(r->status_line); vec[3].iov_base = (void *)CRLF; vec[3].iov_len = sizeof(CRLF) - 1; #if APR_CHARSET_EBCDIC { char *tmp; apr_size_t len; tmp = apr_pstrcatv(r->pool, vec, 4, &len); ap_xlate_proto_to_ascii(tmp, len); apr_brigade_write(bb, NULL, NULL, tmp, len); } #else apr_brigade_writev(bb, NULL, NULL, vec, 4); #endif h.pool = r->pool; h.bb = bb; /* * keep the set-by-proxy server and date headers, otherwise * generate a new server header / date header */ if (r->proxyreq != PROXYREQ_NONE) { const char *proxy_date; proxy_date = apr_table_get(r->headers_out, "Date"); if (!proxy_date) { /* * proxy_date needs to be const. So use date for the creation of * our own Date header and pass it over to proxy_date later to * avoid a compiler warning. */ date = apr_palloc(r->pool, APR_RFC822_DATE_LEN); ap_recent_rfc822_date(date, r->request_time); proxy_date = date; } form_header_field(&h, "Date", proxy_date); server = apr_table_get(r->headers_out, "Server"); if (server) { form_header_field(&h, "Server", server); } } else { date = apr_palloc(r->pool, APR_RFC822_DATE_LEN); ap_recent_rfc822_date(date, r->request_time); form_header_field(&h, "Date", date); form_header_field(&h, "Server", ap_get_server_banner()); } /* unset so we don't send them again */ apr_table_unset(r->headers_out, "Date"); /* Avoid bogosity */ apr_table_unset(r->headers_out, "Server"); } AP_DECLARE(void) ap_basic_http_header(request_rec *r, apr_bucket_brigade *bb) { const char *protocol; basic_http_header_check(r, &protocol); basic_http_header(r, bb, protocol); } /* Navigator versions 2.x, 3.x and 4.0 betas up to and including 4.0b2 * have a header parsing bug. If the terminating \r\n occur starting * at offset 256, 257 or 258 of output then it will not properly parse * the headers. Curiously it doesn't exhibit this problem at 512, 513. * We are guessing that this is because their initial read of a new request * uses a 256 byte buffer, and subsequent reads use a larger buffer. * So the problem might exist at different offsets as well. * * This should also work on keepalive connections assuming they use the * same small buffer for the first read of each new request. * * At any rate, we check the bytes written so far and, if we are about to * tickle the bug, we instead insert a bogus padding header. Since the bug * manifests as a broken image in Navigator, users blame the server. :( * It is more expensive to check the User-Agent than it is to just add the * bytes, so we haven't used the BrowserMatch feature here. */ static void terminate_header(apr_bucket_brigade *bb) { char tmp[] = "X-Pad: avoid browser bug" CRLF; char crlf[] = CRLF; apr_off_t len; apr_size_t buflen; (void) apr_brigade_length(bb, 1, &len); if (len >= 255 && len <= 257) { buflen = strlen(tmp); ap_xlate_proto_to_ascii(tmp, buflen); apr_brigade_write(bb, NULL, NULL, tmp, buflen); } buflen = strlen(crlf); ap_xlate_proto_to_ascii(crlf, buflen); apr_brigade_write(bb, NULL, NULL, crlf, buflen); } AP_DECLARE_NONSTD(int) ap_send_http_trace(request_rec *r) { core_server_config *conf; int rv; apr_bucket_brigade *bb; header_struct h; apr_bucket *b; int body; char *bodyread = NULL, *bodyoff; apr_size_t bodylen = 0; apr_size_t bodybuf; long res = -1; /* init to avoid gcc -Wall warning */ if (r->method_number != M_TRACE) { return DECLINED; } /* Get the original request */ while (r->prev) { r = r->prev; } conf = (core_server_config *)ap_get_module_config(r->server->module_config, &core_module); if (conf->trace_enable == AP_TRACE_DISABLE) { apr_table_setn(r->notes, "error-notes", "TRACE denied by server configuration"); return HTTP_METHOD_NOT_ALLOWED; } if (conf->trace_enable == AP_TRACE_EXTENDED) /* XX should be = REQUEST_CHUNKED_PASS */ body = REQUEST_CHUNKED_DECHUNK; else body = REQUEST_NO_BODY; if ((rv = ap_setup_client_block(r, body))) { if (rv == HTTP_REQUEST_ENTITY_TOO_LARGE) apr_table_setn(r->notes, "error-notes", "TRACE with a request body is not allowed"); return rv; } if (ap_should_client_block(r)) { if (r->remaining > 0) { if (r->remaining > 65536) { apr_table_setn(r->notes, "error-notes", "Extended TRACE request bodies cannot exceed 64k\n"); return HTTP_REQUEST_ENTITY_TOO_LARGE; } /* always 32 extra bytes to catch chunk header exceptions */ bodybuf = (apr_size_t)r->remaining + 32; } else { /* Add an extra 8192 for chunk headers */ bodybuf = 73730; } bodyoff = bodyread = apr_palloc(r->pool, bodybuf); /* only while we have enough for a chunked header */ while ((!bodylen || bodybuf >= 32) && (res = ap_get_client_block(r, bodyoff, bodybuf)) > 0) { bodylen += res; bodybuf -= res; bodyoff += res; } if (res > 0 && bodybuf < 32) { /* discard_rest_of_request_body into our buffer */ while (ap_get_client_block(r, bodyread, bodylen) > 0) ; apr_table_setn(r->notes, "error-notes", "Extended TRACE request bodies cannot exceed 64k\n"); return HTTP_REQUEST_ENTITY_TOO_LARGE; } if (res < 0) { return HTTP_BAD_REQUEST; } } ap_set_content_type(r, "message/http"); /* Now we recreate the request, and echo it back */ bb = apr_brigade_create(r->pool, r->connection->bucket_alloc); #if APR_CHARSET_EBCDIC { char *tmp; apr_size_t len; len = strlen(r->the_request); tmp = apr_pmemdup(r->pool, r->the_request, len); ap_xlate_proto_to_ascii(tmp, len); apr_brigade_putstrs(bb, NULL, NULL, tmp, CRLF_ASCII, NULL); } #else apr_brigade_putstrs(bb, NULL, NULL, r->the_request, CRLF, NULL); #endif h.pool = r->pool; h.bb = bb; apr_table_do((int (*) (void *, const char *, const char *)) form_header_field, (void *) &h, r->headers_in, NULL); apr_brigade_puts(bb, NULL, NULL, CRLF_ASCII); /* If configured to accept a body, echo the body */ if (bodylen) { b = apr_bucket_pool_create(bodyread, bodylen, r->pool, bb->bucket_alloc); APR_BRIGADE_INSERT_TAIL(bb, b); } ap_pass_brigade(r->output_filters, bb); return DONE; } typedef struct header_filter_ctx { int headers_sent; } header_filter_ctx; AP_CORE_DECLARE_NONSTD(apr_status_t) ap_http_header_filter(ap_filter_t *f, apr_bucket_brigade *b) { request_rec *r = f->r; conn_rec *c = r->connection; const char *clheader; const char *protocol; apr_bucket *e; apr_bucket_brigade *b2; header_struct h; header_filter_ctx *ctx = f->ctx; const char *ctype; ap_bucket_error *eb = NULL; AP_DEBUG_ASSERT(!r->main); if (r->header_only) { if (!ctx) { ctx = f->ctx = apr_pcalloc(r->pool, sizeof(header_filter_ctx)); } else if (ctx->headers_sent) { apr_brigade_destroy(b); return OK; } } for (e = APR_BRIGADE_FIRST(b); e != APR_BRIGADE_SENTINEL(b); e = APR_BUCKET_NEXT(e)) { if (AP_BUCKET_IS_ERROR(e) && !eb) { eb = e->data; continue; } /* * If we see an EOC bucket it is a signal that we should get out * of the way doing nothing. */ if (AP_BUCKET_IS_EOC(e)) { ap_remove_output_filter(f); return ap_pass_brigade(f->next, b); } } if (eb) { ap_die(eb->status, r); return AP_FILTER_ERROR; } if (r->assbackwards) { r->sent_bodyct = 1; ap_remove_output_filter(f); return ap_pass_brigade(f->next, b); } /* * Now that we are ready to send a response, we need to combine the two * header field tables into a single table. If we don't do this, our * later attempts to set or unset a given fieldname might be bypassed. */ if (!apr_is_empty_table(r->err_headers_out)) { r->headers_out = apr_table_overlay(r->pool, r->err_headers_out, r->headers_out); } /* * Remove the 'Vary' header field if the client can't handle it. * Since this will have nasty effects on HTTP/1.1 caches, force * the response into HTTP/1.0 mode. * * Note: the force-response-1.0 should come before the call to * basic_http_header_check() */ if (apr_table_get(r->subprocess_env, "force-no-vary") != NULL) { apr_table_unset(r->headers_out, "Vary"); r->proto_num = HTTP_VERSION(1,0); apr_table_set(r->subprocess_env, "force-response-1.0", "1"); } else { fixup_vary(r); } /* * Now remove any ETag response header field if earlier processing * says so (such as a 'FileETag None' directive). */ if (apr_table_get(r->notes, "no-etag") != NULL) { apr_table_unset(r->headers_out, "ETag"); } /* determine the protocol and whether we should use keepalives. */ basic_http_header_check(r, &protocol); ap_set_keepalive(r); if (r->chunked) { apr_table_mergen(r->headers_out, "Transfer-Encoding", "chunked"); apr_table_unset(r->headers_out, "Content-Length"); } ctype = ap_make_content_type(r, r->content_type); if (strcasecmp(ctype, NO_CONTENT_TYPE)) { apr_table_setn(r->headers_out, "Content-Type", ctype); } if (r->content_encoding) { apr_table_setn(r->headers_out, "Content-Encoding", r->content_encoding); } if (!apr_is_empty_array(r->content_languages)) { int i; char *token; char **languages = (char **)(r->content_languages->elts); const char *field = apr_table_get(r->headers_out, "Content-Language"); while (field && (token = ap_get_list_item(r->pool, &field)) != NULL) { for (i = 0; i < r->content_languages->nelts; ++i) { if (!strcasecmp(token, languages[i])) break; } if (i == r->content_languages->nelts) { *((char **) apr_array_push(r->content_languages)) = token; } } field = apr_array_pstrcat(r->pool, r->content_languages, ','); apr_table_setn(r->headers_out, "Content-Language", field); } /* * Control cachability for non-cachable responses if not already set by * some other part of the server configuration. */ if (r->no_cache && !apr_table_get(r->headers_out, "Expires")) { char *date = apr_palloc(r->pool, APR_RFC822_DATE_LEN); ap_recent_rfc822_date(date, r->request_time); apr_table_addn(r->headers_out, "Expires", date); } /* This is a hack, but I can't find anyway around it. The idea is that * we don't want to send out 0 Content-Lengths if it is a head request. * This happens when modules try to outsmart the server, and return * if they see a HEAD request. Apache 1.3 handlers were supposed to * just return in that situation, and the core handled the HEAD. In * 2.0, if a handler returns, then the core sends an EOS bucket down * the filter stack, and the content-length filter computes a C-L of * zero and that gets put in the headers, and we end up sending a * zero C-L to the client. We can't just remove the C-L filter, * because well behaved 2.0 handlers will send their data down the stack, * and we will compute a real C-L for the head request. RBB */ if (r->header_only && (clheader = apr_table_get(r->headers_out, "Content-Length")) && !strcmp(clheader, "0")) { apr_table_unset(r->headers_out, "Content-Length"); } b2 = apr_brigade_create(r->pool, c->bucket_alloc); basic_http_header(r, b2, protocol); h.pool = r->pool; h.bb = b2; if (r->status == HTTP_NOT_MODIFIED) { apr_table_do((int (*)(void *, const char *, const char *)) form_header_field, (void *) &h, r->headers_out, "Connection", "Keep-Alive", "ETag", "Content-Location", "Expires", "Cache-Control", "Vary", "Warning", "WWW-Authenticate", "Proxy-Authenticate", "Set-Cookie", "Set-Cookie2", NULL); } else { send_all_header_fields(&h, r); } terminate_header(b2); ap_pass_brigade(f->next, b2); if (r->header_only) { apr_brigade_destroy(b); ctx->headers_sent = 1; return OK; } r->sent_bodyct = 1; /* Whatever follows is real body stuff... */ if (r->chunked) { /* We can't add this filter until we have already sent the headers. * If we add it before this point, then the headers will be chunked * as well, and that is just wrong. */ ap_add_output_filter("CHUNK", NULL, r, r->connection); } /* Don't remove this filter until after we have added the CHUNK filter. * Otherwise, f->next won't be the CHUNK filter and thus the first * brigade won't be chunked properly. */ ap_remove_output_filter(f); return ap_pass_brigade(f->next, b); } /* In HTTP/1.1, any method can have a body. However, most GET handlers * wouldn't know what to do with a request body if they received one. * This helper routine tests for and reads any message body in the request, * simply discarding whatever it receives. We need to do this because * failing to read the request body would cause it to be interpreted * as the next request on a persistent connection. * * Since we return an error status if the request is malformed, this * routine should be called at the beginning of a no-body handler, e.g., * * if ((retval = ap_discard_request_body(r)) != OK) { * return retval; * } */ AP_DECLARE(int) ap_discard_request_body(request_rec *r) { apr_bucket_brigade *bb; int rv, seen_eos; /* Sometimes we'll get in a state where the input handling has * detected an error where we want to drop the connection, so if * that's the case, don't read the data as that is what we're trying * to avoid. * * This function is also a no-op on a subrequest. */ if (r->main || r->connection->keepalive == AP_CONN_CLOSE || ap_status_drops_connection(r->status)) { return OK; } bb = apr_brigade_create(r->pool, r->connection->bucket_alloc); seen_eos = 0; do { apr_bucket *bucket; rv = ap_get_brigade(r->input_filters, bb, AP_MODE_READBYTES, APR_BLOCK_READ, HUGE_STRING_LEN); if (rv != APR_SUCCESS) { /* FIXME: If we ever have a mapping from filters (apr_status_t) * to HTTP error codes, this would be a good place for them. * * If we received the special case AP_FILTER_ERROR, it means * that the filters have already handled this error. * Otherwise, we should assume we have a bad request. */ if (rv == AP_FILTER_ERROR) { apr_brigade_destroy(bb); return rv; } else { apr_brigade_destroy(bb); return HTTP_BAD_REQUEST; } } for (bucket = APR_BRIGADE_FIRST(bb); bucket != APR_BRIGADE_SENTINEL(bb); bucket = APR_BUCKET_NEXT(bucket)) { const char *data; apr_size_t len; if (APR_BUCKET_IS_EOS(bucket)) { seen_eos = 1; break; } /* These are metadata buckets. */ if (bucket->length == 0) { continue; } /* We MUST read because in case we have an unknown-length * bucket or one that morphs, we want to exhaust it. */ rv = apr_bucket_read(bucket, &data, &len, APR_BLOCK_READ); if (rv != APR_SUCCESS) { apr_brigade_destroy(bb); return HTTP_BAD_REQUEST; } } apr_brigade_cleanup(bb); } while (!seen_eos); return OK; } /* Here we deal with getting the request message body from the client. * Whether or not the request contains a body is signaled by the presence * of a non-zero Content-Length or by a Transfer-Encoding: chunked. * * Note that this is more complicated than it was in Apache 1.1 and prior * versions, because chunked support means that the module does less. * * The proper procedure is this: * * 1. Call ap_setup_client_block() near the beginning of the request * handler. This will set up all the necessary properties, and will * return either OK, or an error code. If the latter, the module should * return that error code. The second parameter selects the policy to * apply if the request message indicates a body, and how a chunked * transfer-coding should be interpreted. Choose one of * * REQUEST_NO_BODY Send 413 error if message has any body * REQUEST_CHUNKED_ERROR Send 411 error if body without Content-Length * REQUEST_CHUNKED_DECHUNK If chunked, remove the chunks for me. * REQUEST_CHUNKED_PASS If chunked, pass the chunk headers with body. * * In order to use the last two options, the caller MUST provide a buffer * large enough to hold a chunk-size line, including any extensions. * * 2. When you are ready to read a body (if any), call ap_should_client_block(). * This will tell the module whether or not to read input. If it is 0, * the module should assume that there is no message body to read. * * 3. Finally, call ap_get_client_block in a loop. Pass it a buffer and its size. * It will put data into the buffer (not necessarily a full buffer), and * return the length of the input block. When it is done reading, it will * return 0 if EOF, or -1 if there was an error. * If an error occurs on input, we force an end to keepalive. * * This step also sends a 100 Continue response to HTTP/1.1 clients if appropriate. */ AP_DECLARE(int) ap_setup_client_block(request_rec *r, int read_policy) { const char *tenc = apr_table_get(r->headers_in, "Transfer-Encoding"); const char *lenp = apr_table_get(r->headers_in, "Content-Length"); r->read_body = read_policy; r->read_chunked = 0; r->remaining = 0; if (tenc) { if (strcasecmp(tenc, "chunked")) { ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "Unknown Transfer-Encoding %s", tenc); return HTTP_NOT_IMPLEMENTED; } if (r->read_body == REQUEST_CHUNKED_ERROR) { ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "chunked Transfer-Encoding forbidden: %s", r->uri); return (lenp) ? HTTP_BAD_REQUEST : HTTP_LENGTH_REQUIRED; } r->read_chunked = 1; } else if (lenp) { char *endstr; if (apr_strtoff(&r->remaining, lenp, &endstr, 10) || *endstr || r->remaining < 0) { r->remaining = 0; ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "Invalid Content-Length"); return HTTP_BAD_REQUEST; } } if ((r->read_body == REQUEST_NO_BODY) && (r->read_chunked || (r->remaining > 0))) { ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "%s with body is not allowed for %s", r->method, r->uri); return HTTP_REQUEST_ENTITY_TOO_LARGE; } #ifdef AP_DEBUG { /* Make sure ap_getline() didn't leave any droppings. */ core_request_config *req_cfg = (core_request_config *)ap_get_module_config(r->request_config, &core_module); AP_DEBUG_ASSERT(APR_BRIGADE_EMPTY(req_cfg->bb)); } #endif return OK; } AP_DECLARE(int) ap_should_client_block(request_rec *r) { /* First check if we have already read the request body */ if (r->read_length || (!r->read_chunked && (r->remaining <= 0))) { return 0; } return 1; } /* get_client_block is called in a loop to get the request message body. * This is quite simple if the client includes a content-length * (the normal case), but gets messy if the body is chunked. Note that * r->remaining is used to maintain state across calls and that * r->read_length is the total number of bytes given to the caller * across all invocations. It is messy because we have to be careful not * to read past the data provided by the client, since these reads block. * Returns 0 on End-of-body, -1 on error or premature chunk end. * */ AP_DECLARE(long) ap_get_client_block(request_rec *r, char *buffer, apr_size_t bufsiz) { apr_status_t rv; apr_bucket_brigade *bb; if (r->remaining < 0 || (!r->read_chunked && r->remaining == 0)) { return 0; } bb = apr_brigade_create(r->pool, r->connection->bucket_alloc); if (bb == NULL) { r->connection->keepalive = AP_CONN_CLOSE; return -1; } rv = ap_get_brigade(r->input_filters, bb, AP_MODE_READBYTES, APR_BLOCK_READ, bufsiz); /* We lose the failure code here. This is why ap_get_client_block should * not be used. */ if (rv != APR_SUCCESS) { /* if we actually fail here, we want to just return and * stop trying to read data from the client. */ r->connection->keepalive = AP_CONN_CLOSE; apr_brigade_destroy(bb); return -1; } /* If this fails, it means that a filter is written incorrectly and that * it needs to learn how to properly handle APR_BLOCK_READ requests by * returning data when requested. */ AP_DEBUG_ASSERT(!APR_BRIGADE_EMPTY(bb)); /* Check to see if EOS in the brigade. * * If so, we have to leave a nugget for the *next* ap_get_client_block * call to return 0. */ if (APR_BUCKET_IS_EOS(APR_BRIGADE_LAST(bb))) { if (r->read_chunked) { r->remaining = -1; } else { r->remaining = 0; } } rv = apr_brigade_flatten(bb, buffer, &bufsiz); if (rv != APR_SUCCESS) { apr_brigade_destroy(bb); return -1; } /* XXX yank me? */ r->read_length += bufsiz; apr_brigade_destroy(bb); return bufsiz; } /* Context struct for ap_http_outerror_filter */ typedef struct { int seen_eoc; } outerror_filter_ctx_t; /* Filter to handle any error buckets on output */ apr_status_t ap_http_outerror_filter(ap_filter_t *f, apr_bucket_brigade *b) { request_rec *r = f->r; outerror_filter_ctx_t *ctx = (outerror_filter_ctx_t *)(f->ctx); apr_bucket *e; /* Create context if none is present */ if (!ctx) { ctx = apr_pcalloc(r->pool, sizeof(outerror_filter_ctx_t)); f->ctx = ctx; } for (e = APR_BRIGADE_FIRST(b); e != APR_BRIGADE_SENTINEL(b); e = APR_BUCKET_NEXT(e)) { if (AP_BUCKET_IS_ERROR(e)) { /* * Start of error handling state tree. Just one condition * right now :) */ if (((ap_bucket_error *)(e->data))->status == HTTP_BAD_GATEWAY) { /* stream aborted and we have not ended it yet */ r->connection->keepalive = AP_CONN_CLOSE; } continue; } /* Detect EOC buckets and memorize this in the context. */ if (AP_BUCKET_IS_EOC(e)) { ctx->seen_eoc = 1; } } /* * Remove all data buckets that are in a brigade after an EOC bucket * was seen, as an EOC bucket tells us that no (further) resource * and protocol data should go out to the client. OTOH meta buckets * are still welcome as they might trigger needed actions down in * the chain (e.g. in network filters like SSL). * Remark 1: It is needed to dump ALL data buckets in the brigade * since an filter in between might have inserted data * buckets BEFORE the EOC bucket sent by the original * sender and we do NOT want this data to be sent. * Remark 2: Dumping all data buckets here does not necessarily mean * that no further data is send to the client as: * 1. Network filters like SSL can still be triggered via * meta buckets to talk with the client e.g. for a * clean shutdown. * 2. There could be still data that was buffered before * down in the chain that gets flushed by a FLUSH or an * EOS bucket. */ if (ctx->seen_eoc) { for (e = APR_BRIGADE_FIRST(b); e != APR_BRIGADE_SENTINEL(b); e = APR_BUCKET_NEXT(e)) { if (!APR_BUCKET_IS_METADATA(e)) { APR_BUCKET_REMOVE(e); } } } return ap_pass_brigade(f->next, b); }
.htaccess Tutorial
Find information you are looking for on the AskApache Home Page.