[Pkg-apache-commits] r1170 - in /trunk/apache2: changelog patches/080_mod_reqtimeout_fixes.dpatch
sf at alioth.debian.org
sf at alioth.debian.org
Mon Mar 29 19:47:06 UTC 2010
Author: sf
Date: Mon Mar 29 19:47:03 2010
New Revision: 1170
URL: http://svn.debian.org/wsvn/pkg-apache/?sc=1&rev=1170
Log:
mod_reqtimeout: backport bugfixes from upstream trunk up to r928881,
including a fix for mod_proxy CONNECT requests.
Modified:
trunk/apache2/changelog
trunk/apache2/patches/080_mod_reqtimeout_fixes.dpatch
Modified: trunk/apache2/changelog
URL: http://svn.debian.org/wsvn/pkg-apache/trunk/apache2/changelog?rev=1170&op=diff
==============================================================================
--- trunk/apache2/changelog (original)
+++ trunk/apache2/changelog Mon Mar 29 19:47:03 2010
@@ -1,3 +1,10 @@
+apache2 (2.2.15-3) UNRELEASED; urgency=low
+
+ * mod_reqtimeout: backport bugfixes from upstream trunk up to r928881,
+ including a fix for mod_proxy CONNECT requests.
+
+ -- Stefan Fritsch <sf at debian.org> Mon, 29 Mar 2010 21:44:32 +0200
+
apache2 (2.2.15-2) unstable; urgency=low
* Make the Files ~ "^\.ht" block in apache2.conf more secure by adding
Modified: trunk/apache2/patches/080_mod_reqtimeout_fixes.dpatch
URL: http://svn.debian.org/wsvn/pkg-apache/trunk/apache2/patches/080_mod_reqtimeout_fixes.dpatch?rev=1170&op=diff
==============================================================================
--- trunk/apache2/patches/080_mod_reqtimeout_fixes.dpatch (original)
+++ trunk/apache2/patches/080_mod_reqtimeout_fixes.dpatch Mon Mar 29 19:47:03 2010
@@ -1,17 +1,16 @@
#! /bin/sh /usr/share/dpatch/dpatch-run
##
-## DP: r921378 and r921526 from upstream trunk:
+## DP: r921378, r921526, r922407, r923418, r923429, r925986, r928881 from upstream trunk:
## DP: - Move initialization to process_connection hook, right before
## DP: ap_process_http_request. This ensures that we are not inserted for other
## DP: protocol handlers (like mod_ftp) and mod_proxy's backend connections.
## DP: - Enforce request timeout even for AP_MODE_GETLINE.
-## DP: - Abort connection when timeout occurs. Otherwise the thread may be blocked
-## DP: another 30s doing a lingering close. The downside is that the client will
-## DP: not receive the error message.
+## DP: - Shorten lingering close wait time to 2s if timeout occurs.
+## DP: - Disable body timeout for CONNECT requests.
@DPATCH@
diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' trunk~/modules/filters/mod_reqtimeout.c trunk/modules/filters/mod_reqtimeout.c
--- trunk~/modules/filters/mod_reqtimeout.c 2010-03-10 20:46:14.000000000 +0100
-+++ trunk/modules/filters/mod_reqtimeout.c 2010-03-10 20:46:40.284322045 +0100
++++ trunk/modules/filters/mod_reqtimeout.c 2010-03-29 21:39:55.944233496 +0200
@@ -20,9 +20,11 @@
#include "http_connection.h"
#include "http_protocol.h"
@@ -118,7 +117,7 @@
if (ccfg->in_keep_alive) {
/* For this read, the normal keep-alive timeout must be used */
-@@ -114,13 +150,28 @@
+@@ -114,13 +150,14 @@
return ap_get_brigade(f->next, bb, mode, block, readbytes);
}
@@ -128,21 +127,7 @@
- "Request %s read timeout", ccfg->type);
- return APR_TIMEUP;
+ if (!ccfg->socket) {
-+ core_net_rec *net_rec;
-+ ap_filter_t *core_in = f->next;
-+
-+ while (core_in && core_in->frec != ap_core_input_filter_handle)
-+ core_in = core_in->next;
-+
-+ if (!core_in) {
-+ ap_log_cerror(APLOG_MARK, APLOG_WARNING, 0, f->c,
-+ "mod_reqtimeout: Can't get socket "
-+ "handle from core_input_filter");
-+ ap_remove_input_filter(f);
-+ return ap_get_brigade(f->next, bb, mode, block, readbytes);
-+ }
-+ net_rec = core_in->ctx;
-+ ccfg->socket = net_rec->client_socket;
++ ccfg->socket = ap_get_module_config(f->c->conn_config, &core_module);
}
+ rv = check_time_left(ccfg, &time_left);
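Review bot: The new assignment `ccfg->socket = ap_get_module_config(f->c->conn_config, &core_module);` drops the failure path that the removed filter-chain walk had, so a NULL result would be stored and later handed to `apr_socket_timeout_set(ccfg->socket, ...)`. Whether the core module's connection config can be unset for a connection that reaches this filter is not visible here; if it can, keep the old fallback, `if (!ccfg->socket) { ap_remove_input_filter(f); return ap_get_brigade(f->next, bb, mode, block, readbytes); }`. The lookup also relies on the core module storing the client socket directly in its conn_config slot, which deserves a one-line comment at the call. reqtimeout_filter starts and ends outside this hunk.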
@@ -152,7 +137,7 @@
if (block == APR_NONBLOCK_READ || mode == AP_MODE_INIT
|| mode == AP_MODE_EATCRLF) {
rv = ap_get_brigade(f->next, bb, mode, block, readbytes);
-@@ -130,41 +181,104 @@
+@@ -130,41 +167,103 @@
return rv;
}
@@ -180,7 +165,7 @@
+ * impossible to enforce a total timeout, we only do non-blocking
+ * reads.
+ */
-+ apr_size_t remaining = HUGE_STRING_LEN;
++ apr_off_t remaining = HUGE_STRING_LEN;
+ do {
+ apr_off_t bblen;
@@ -197,15 +182,13 @@
- apr_socket_timeout_set(ctx->socket, saved_sock_timeout);
- }
+ if (!APR_BRIGADE_EMPTY(bb)) {
++ if (ccfg->min_rate > 0) {
++ extend_timeout(ccfg, bb);
++ }
++
+ rv = have_lf_or_eos(bb);
+ if (rv != APR_INCOMPLETE) {
+ break;
-+ }
-
-- if (ccfg->min_rate > 0 && rv == APR_SUCCESS) {
-- extend_timeout(ccfg, bb);
-+ if (ccfg->min_rate > 0) {
-+ extend_timeout(ccfg, bb);
+ }
+
+ rv = apr_brigade_length(bb, 1, &bblen);
@@ -241,30 +224,31 @@
+
+ if (ccfg->tmpbb)
+ APR_BRIGADE_PREPEND(bb, ccfg->tmpbb);
-+
-+ }
+
+- if (ccfg->min_rate > 0 && rv == APR_SUCCESS) {
+- extend_timeout(ccfg, bb);
+ }
+ else {
+ /* mode != AP_MODE_GETLINE */
+ rv = ap_get_brigade(f->next, bb, mode, block, readbytes);
+ if (ccfg->min_rate > 0 && rv == APR_SUCCESS) {
+ extend_timeout(ccfg, bb);
+ }
- }
-
++ }
++
+ apr_socket_timeout_set(ccfg->socket, saved_sock_timeout);
-+
+
+out:
if (rv == APR_TIMEUP) {
ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, f->c,
"Request %s read timeout", ccfg->type);
+ /*
-+ * If we allow lingering close, the client may keep this
++ * If we allow a normal lingering close, the client may keep this
+ * process/thread busy for another 30s (MAX_SECS_TO_LINGER).
-+ * Therefore we have to abort the connection. The downside is
-+ * that the client will most likely not receive the error
-+ * message.
++ * Therefore we tell ap_lingering_close() to shorten this period to
++ * 2s (SECONDS_TO_LINGER).
+ */
-+ f->c->aborted = 1;
++ apr_table_setn(f->c->notes, "short-lingering-close", "1");
}
return rv;
}
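Review bot: The note key `"short-lingering-close"` is a bare string contract between this filter and ap_lingering_close() in server/connection.c, where the last hunk of this patch reads it with `apr_table_get(c->notes, "short-lingering-close")`. A typo on either side would silently restore the 30s linger, so a shared define, or at least a comment at each site naming the other, would make the coupling visible. Because `f->c->aborted` is no longer set, the comment should also state the remaining cost: a timed-out client still holds the worker for the shortened linger period instead of being dropped at once. reqtimeout_filter begins outside this hunk.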
@@ -276,7 +260,7 @@
reqtimeout_con_cfg *ccfg;
reqtimeout_srv_cfg *cfg;
-@@ -173,12 +287,9 @@
+@@ -173,12 +272,9 @@
AP_DEBUG_ASSERT(cfg != NULL);
if (cfg->header_timeout <= 0 && cfg->body_timeout <= 0) {
/* not configured for this vhost */
@@ -290,7 +274,7 @@
ccfg = apr_pcalloc(c->pool, sizeof(reqtimeout_con_cfg));
ccfg->new_timeout = cfg->header_timeout;
ccfg->new_max_timeout = cfg->header_max_timeout;
-@@ -187,8 +298,9 @@
+@@ -187,8 +283,9 @@
ccfg->rate_factor = cfg->header_rate_factor;
ap_set_module_config(c->conn_config, &reqtimeout_module, ccfg);
@@ -302,7 +286,7 @@
}
static int reqtimeout_after_headers(request_rec *r)
-@@ -198,7 +310,7 @@
+@@ -198,7 +295,7 @@
ap_get_module_config(r->connection->conn_config, &reqtimeout_module);
if (ccfg == NULL) {
@@ -311,7 +295,26 @@
return OK;
}
-@@ -224,7 +336,7 @@
+@@ -208,11 +305,13 @@
+
+ ccfg->timeout_at = 0;
+ ccfg->max_timeout_at = 0;
+- ccfg->new_timeout = cfg->body_timeout;
+- ccfg->new_max_timeout = cfg->body_max_timeout;
+- ccfg->min_rate = cfg->body_min_rate;
+- ccfg->rate_factor = cfg->body_rate_factor;
+- ccfg->type = "body";
++ if (r->method_number != M_CONNECT) {
++ ccfg->new_timeout = cfg->body_timeout;
++ ccfg->new_max_timeout = cfg->body_max_timeout;
++ ccfg->min_rate = cfg->body_min_rate;
++ ccfg->rate_factor = cfg->body_rate_factor;
++ ccfg->type = "body";
++ }
+
+ return OK;
+ }
+@@ -224,7 +323,7 @@
ap_get_module_config(r->connection->conn_config, &reqtimeout_module);
if (ccfg == NULL) {
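Review bot: Skipping the body settings under `if (r->method_number != M_CONNECT)` leaves the tunnel phase with no mod_reqtimeout limit at all, and nothing at that line says so. It also only works if `ccfg->new_timeout` is already 0 when this hook runs; otherwise the header values would be re-armed for the tunnel. Presumably the filter clears it once the header timeout is armed, but that code is outside the hunk. I would add a comment such as `/* CONNECT: no request body; the tunnel is bounded only by the core/proxy timeouts */` so that operators know idle CONNECT tunnels have to be limited elsewhere.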
@@ -320,7 +323,7 @@
return OK;
}
-@@ -406,7 +518,16 @@
+@@ -406,7 +505,16 @@
*/
ap_register_input_filter(reqtimeout_filter_name, reqtimeout_filter, NULL,
AP_FTYPE_CONNECTION + 8);
@@ -338,3 +341,29 @@
ap_hook_post_read_request(reqtimeout_after_headers, NULL, NULL,
APR_HOOK_MIDDLE);
ap_hook_log_transaction(reqtimeout_after_body, NULL, NULL,
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' trunk~/server/connection.c trunk/server/connection.c
+--- trunk~/server/connection.c 2006-07-12 05:38:44.000000000 +0200
++++ trunk/server/connection.c 2010-03-29 21:39:55.940231846 +0200
+@@ -154,8 +154,20 @@
+ break;
+
+ if (timeup == 0) {
+- /* First time through; calculate now + 30 seconds. */
+- timeup = apr_time_now() + apr_time_from_sec(MAX_SECS_TO_LINGER);
++ /*
++ * First time through;
++ * calculate now + 30 seconds (MAX_SECS_TO_LINGER).
++ *
++ * If some module requested a shortened waiting period, only wait for
++ * 2s (SECONDS_TO_LINGER). This is useful for mitigating certain
++ * DoS attacks.
++ */
++ if (apr_table_get(c->notes, "short-lingering-close")) {
++ timeup = apr_time_now() + apr_time_from_sec(SECONDS_TO_LINGER);
++ }
++ else {
++ timeup = apr_time_now() + apr_time_from_sec(MAX_SECS_TO_LINGER);
++ }
+ continue;
+ }
+ } while (apr_time_now() < timeup);