[Pkg-apache-commits] r1170 - in /trunk/apache2: changelog patches/080_mod_reqtimeout_fixes.dpatch

sf at alioth.debian.org sf at alioth.debian.org
Mon Mar 29 19:47:06 UTC 2010


Author: sf
Date: Mon Mar 29 19:47:03 2010
New Revision: 1170

URL: http://svn.debian.org/wsvn/pkg-apache/?sc=1&rev=1170
Log:
mod_reqtimeout: backport bugfixes from upstream trunk up to r928881,
including a fix for mod_proxy CONNECT requests.

Modified:
    trunk/apache2/changelog
    trunk/apache2/patches/080_mod_reqtimeout_fixes.dpatch

Modified: trunk/apache2/changelog
URL: http://svn.debian.org/wsvn/pkg-apache/trunk/apache2/changelog?rev=1170&op=diff
==============================================================================
--- trunk/apache2/changelog (original)
+++ trunk/apache2/changelog Mon Mar 29 19:47:03 2010
@@ -1,3 +1,10 @@
+apache2 (2.2.15-3) UNRELEASED; urgency=low
+
+  * mod_reqtimeout: backport bugfixes from upstream trunk up to r928881,
+    including a fix for mod_proxy CONNECT requests.
+
+ -- Stefan Fritsch <sf at debian.org>  Mon, 29 Mar 2010 21:44:32 +0200
+
 apache2 (2.2.15-2) unstable; urgency=low
 
   * Make the Files ~ "^\.ht" block in apache2.conf more secure by adding

Modified: trunk/apache2/patches/080_mod_reqtimeout_fixes.dpatch
URL: http://svn.debian.org/wsvn/pkg-apache/trunk/apache2/patches/080_mod_reqtimeout_fixes.dpatch?rev=1170&op=diff
==============================================================================
--- trunk/apache2/patches/080_mod_reqtimeout_fixes.dpatch (original)
+++ trunk/apache2/patches/080_mod_reqtimeout_fixes.dpatch Mon Mar 29 19:47:03 2010
@@ -1,17 +1,16 @@
 #! /bin/sh /usr/share/dpatch/dpatch-run
 ##
-## DP: r921378 and r921526 from upstream trunk:
+## DP: r921378, r921526, r922407, r923418, r923429, r925986, r928881 from upstream trunk:
 ## DP: - Move initialization to process_connection hook, right before
 ## DP:   ap_process_http_request.  This ensures that we are not inserted for other
 ## DP:   protocol handlers (like mod_ftp) and mod_proxy's backend connections.
 ## DP: - Enforce request timeout even for AP_MODE_GETLINE.
-## DP: - Abort connection when timeout occurs. Otherwise the thread may be blocked
-## DP:   another 30s doing a lingering close. The downside is that the client will
-## DP:   not receive the error message.
+## DP: - Shorten lingering close wait time to 2s if timeout occurs.
+## DP: - Disable body timeout for CONNECT requests.
 @DPATCH@
 diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' trunk~/modules/filters/mod_reqtimeout.c trunk/modules/filters/mod_reqtimeout.c
 --- trunk~/modules/filters/mod_reqtimeout.c	2010-03-10 20:46:14.000000000 +0100
-+++ trunk/modules/filters/mod_reqtimeout.c	2010-03-10 20:46:40.284322045 +0100
++++ trunk/modules/filters/mod_reqtimeout.c	2010-03-29 21:39:55.944233496 +0200
 @@ -20,9 +20,11 @@
  #include "http_connection.h"
  #include "http_protocol.h"
@@ -118,7 +117,7 @@
  
      if (ccfg->in_keep_alive) {
          /* For this read, the normal keep-alive timeout must be used */
-@@ -114,13 +150,28 @@
+@@ -114,13 +150,14 @@
          return ap_get_brigade(f->next, bb, mode, block, readbytes);
      }
  
@@ -128,21 +127,7 @@
 -                      "Request %s read timeout", ccfg->type);
 -        return APR_TIMEUP;
 +    if (!ccfg->socket) {
-+        core_net_rec *net_rec;
-+        ap_filter_t *core_in = f->next;
-+
-+        while (core_in && core_in->frec != ap_core_input_filter_handle)
-+            core_in = core_in->next;
-+
-+        if (!core_in) {
-+            ap_log_cerror(APLOG_MARK, APLOG_WARNING, 0, f->c,
-+                          "mod_reqtimeout: Can't get socket "
-+                          "handle from core_input_filter");
-+            ap_remove_input_filter(f);
-+            return ap_get_brigade(f->next, bb, mode, block, readbytes);
-+        }
-+        net_rec = core_in->ctx;
-+        ccfg->socket = net_rec->client_socket;
++        ccfg->socket = ap_get_module_config(f->c->conn_config, &core_module);
      }
  
 +    rv = check_time_left(ccfg, &time_left);
@@ -152,7 +137,7 @@
      if (block == APR_NONBLOCK_READ || mode == AP_MODE_INIT
          || mode == AP_MODE_EATCRLF) {
          rv = ap_get_brigade(f->next, bb, mode, block, readbytes);
-@@ -130,41 +181,104 @@
+@@ -130,41 +167,103 @@
          return rv;
      }
  
@@ -180,7 +165,7 @@
 +         * impossible to enforce a total timeout, we only do non-blocking
 +         * reads.
 +         */
-+        apr_size_t remaining = HUGE_STRING_LEN;
++        apr_off_t remaining = HUGE_STRING_LEN;
 +        do {
 +            apr_off_t bblen;
  
@@ -197,15 +182,13 @@
 -        apr_socket_timeout_set(ctx->socket, saved_sock_timeout);
 -    }
 +            if (!APR_BRIGADE_EMPTY(bb)) {
++                if (ccfg->min_rate > 0) {
++                    extend_timeout(ccfg, bb);
++                }
++
 +                rv = have_lf_or_eos(bb);
 +                if (rv != APR_INCOMPLETE) {
 +                    break;
-+                }
- 
--    if (ccfg->min_rate > 0 && rv == APR_SUCCESS) {
--        extend_timeout(ccfg, bb);
-+                if (ccfg->min_rate > 0) {
-+                    extend_timeout(ccfg, bb);
 +                }
 +
 +                rv = apr_brigade_length(bb, 1, &bblen);
@@ -241,30 +224,31 @@
 +
 +        if (ccfg->tmpbb)
 +            APR_BRIGADE_PREPEND(bb, ccfg->tmpbb);
-+
-+    }
+ 
+-    if (ccfg->min_rate > 0 && rv == APR_SUCCESS) {
+-        extend_timeout(ccfg, bb);
+     }
 +    else {
 +        /* mode != AP_MODE_GETLINE */
 +        rv = ap_get_brigade(f->next, bb, mode, block, readbytes);
 +        if (ccfg->min_rate > 0 && rv == APR_SUCCESS) {
 +            extend_timeout(ccfg, bb);
 +        }
-     }
- 
++    }
++
 +    apr_socket_timeout_set(ccfg->socket, saved_sock_timeout);
-+
+ 
 +out:
      if (rv == APR_TIMEUP) {
          ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, f->c,
                        "Request %s read timeout", ccfg->type);
 +        /*
-+         * If we allow lingering close, the client may keep this
++         * If we allow a normal lingering close, the client may keep this
 +         * process/thread busy for another 30s (MAX_SECS_TO_LINGER).
-+         * Therefore we have to abort the connection. The downside is
-+         * that the client will most likely not receive the error
-+         * message.
++         * Therefore we tell ap_lingering_close() to shorten this period to
++         * 2s (SECONDS_TO_LINGER).
 +         */
-+        f->c->aborted = 1;
++        apr_table_setn(f->c->notes, "short-lingering-close", "1");
      }
      return rv;
  }
@@ -276,7 +260,7 @@
      reqtimeout_con_cfg *ccfg;
      reqtimeout_srv_cfg *cfg;
  
-@@ -173,12 +287,9 @@
+@@ -173,12 +272,9 @@
      AP_DEBUG_ASSERT(cfg != NULL);
      if (cfg->header_timeout <= 0 && cfg->body_timeout <= 0) {
          /* not configured for this vhost */
@@ -290,7 +274,7 @@
      ccfg = apr_pcalloc(c->pool, sizeof(reqtimeout_con_cfg));
      ccfg->new_timeout = cfg->header_timeout;
      ccfg->new_max_timeout = cfg->header_max_timeout;
-@@ -187,8 +298,9 @@
+@@ -187,8 +283,9 @@
      ccfg->rate_factor = cfg->header_rate_factor;
      ap_set_module_config(c->conn_config, &reqtimeout_module, ccfg);
  
@@ -302,7 +286,7 @@
  }
  
  static int reqtimeout_after_headers(request_rec *r)
-@@ -198,7 +310,7 @@
+@@ -198,7 +295,7 @@
          ap_get_module_config(r->connection->conn_config, &reqtimeout_module);
  
      if (ccfg == NULL) {
@@ -311,7 +295,26 @@
          return OK;
      }
  
-@@ -224,7 +336,7 @@
+@@ -208,11 +305,13 @@
+ 
+     ccfg->timeout_at = 0;
+     ccfg->max_timeout_at = 0;
+-    ccfg->new_timeout = cfg->body_timeout;
+-    ccfg->new_max_timeout = cfg->body_max_timeout;
+-    ccfg->min_rate = cfg->body_min_rate;
+-    ccfg->rate_factor = cfg->body_rate_factor;
+-    ccfg->type = "body";
++    if (r->method_number != M_CONNECT) {
++        ccfg->new_timeout = cfg->body_timeout;
++        ccfg->new_max_timeout = cfg->body_max_timeout;
++        ccfg->min_rate = cfg->body_min_rate;
++        ccfg->rate_factor = cfg->body_rate_factor;
++        ccfg->type = "body";
++    }
+ 
+     return OK;
+ }
+@@ -224,7 +323,7 @@
          ap_get_module_config(r->connection->conn_config, &reqtimeout_module);
  
      if (ccfg == NULL) {
@@ -320,7 +323,7 @@
          return OK;
      }
  
-@@ -406,7 +518,16 @@
+@@ -406,7 +505,16 @@
       */
      ap_register_input_filter(reqtimeout_filter_name, reqtimeout_filter, NULL,
                               AP_FTYPE_CONNECTION + 8);
@@ -338,3 +341,29 @@
      ap_hook_post_read_request(reqtimeout_after_headers, NULL, NULL,
                                APR_HOOK_MIDDLE);
      ap_hook_log_transaction(reqtimeout_after_body, NULL, NULL,
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' trunk~/server/connection.c trunk/server/connection.c
+--- trunk~/server/connection.c	2006-07-12 05:38:44.000000000 +0200
++++ trunk/server/connection.c	2010-03-29 21:39:55.940231846 +0200
+@@ -154,8 +154,20 @@
+             break;
+ 
+         if (timeup == 0) {
+-            /* First time through; calculate now + 30 seconds. */
+-            timeup = apr_time_now() + apr_time_from_sec(MAX_SECS_TO_LINGER);
++            /*
++             * First time through;
++             * calculate now + 30 seconds (MAX_SECS_TO_LINGER).
++             *
++             * If some module requested a shortened waiting period, only wait for
++             * 2s (SECONDS_TO_LINGER). This is useful for mitigating certain
++             * DoS attacks.
++             */
++            if (apr_table_get(c->notes, "short-lingering-close")) {
++                timeup = apr_time_now() + apr_time_from_sec(SECONDS_TO_LINGER);
++            }
++            else {
++                timeup = apr_time_now() + apr_time_from_sec(MAX_SECS_TO_LINGER);
++            }
+             continue;
+         }
+     } while (apr_time_now() < timeup);




More information about the Pkg-apache-commits mailing list