author | Stefan Eissing <icing@apache.org> | 2017-09-13 16:16:49 +0200 |
---|---|---|
committer | Stefan Eissing <icing@apache.org> | 2017-09-13 16:16:49 +0200 |
commit | 0c2ae2a804dae76a991be48a6ea493e16432d809 (patch) | |
tree | 097af5f4dbc9da9e244f1a40b0087239663808bb /modules/md/md_util.c | |
parent | * server/protocol.c (ap_content_length_filter): Rewrite the content (diff) | |
On the trunk:
mod_md: v0.9.5:
- New directive (srly: what do you expect at this point?) "MDMustStaple on|off" to control if
new certificates are requested with the OCSP Must Staple extension.
- Known limitation: when the server is configured to ditch and restart child processes, for example
after a certain number of connections/requests, the mod_md watchdog instance might migrate
to a new child process. Since not all its state is persisted, some messages might appear a
second time in the logs.
- Adding checks when 'MDRequireHttps' is used. It is considered an error when 'MDPortMap 443:-'
is used - which negates that a https: port exists. Also, a warning is logged if no
VirtualHost can be found for a Managed Domain that has port 443 (or the mapped one) in
its address list.
- New directive 'MDRequireHttps' for redirecting http: traffic to a Managed Domain, permanently
or temporarily.
- Fix for using a fallback certificate on initial signup of a Managed Domain. Requires also
a changed mod_ssl patch (v5) to take effect.
- compatibility with libressl
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1808241 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'modules/md/md_util.c')
-rw-r--r-- | modules/md/md_util.c | 107 |
1 files changed, 71 insertions, 36 deletions
diff --git a/modules/md/md_util.c b/modules/md/md_util.c
index 756aaef382..875cef61fc 100644
--- a/modules/md/md_util.c
+++ b/modules/md/md_util.c
@@ -647,52 +647,54 @@ const char *md_util_schemify(apr_pool_t *p, const char *s, const char *def_schem
 return apr_psprintf(p, "%s:%s", def_scheme, s);
 }
-apr_status_t md_util_abs_uri_check(apr_pool_t *p, const char *uri, const char **perr)
+static apr_status_t uri_check(apr_uri_t *uri_parsed, apr_pool_t *p,
+ const char *uri, const char **perr)
 {
 const char *s, *err = NULL;
- apr_uri_t uri_parsed;
 apr_status_t rv;
- if (APR_SUCCESS != (rv = apr_uri_parse(p, uri, &uri_parsed))) {
+ if (APR_SUCCESS != (rv = apr_uri_parse(p, uri, uri_parsed))) {
 err = "not an uri";
 }
- else if (!uri_parsed.scheme) {
- err = "missing uri scheme";
- }
- else if (strlen(uri_parsed.scheme) + 1 >= strlen(uri)) {
- err = "missing uri identifier";
- }
- else if (strchr(uri, ' ') || strchr(uri, '\t') ) {
- err = "whitespace in uri";
- }
- else if (!strncmp("http", uri_parsed.scheme, 4)) {
- if (!uri_parsed.hostname) {
- err = "missing hostname";
+ else if (uri_parsed->scheme) {
+ if (strlen(uri_parsed->scheme) + 1 >= strlen(uri)) {
+ err = "missing uri identifier";
 }
- else if (!md_util_is_dns_name(p, uri_parsed.hostname, 0)) {
- err = "invalid hostname";
+ else if (!strncmp("http", uri_parsed->scheme, 4)) {
+ if (!uri_parsed->hostname) {
+ err = "missing hostname";
+ }
+ else if (!md_util_is_dns_name(p, uri_parsed->hostname, 0)) {
+ err = "invalid hostname";
+ }
+ if (uri_parsed->port_str
+ && (!apr_isdigit(uri_parsed->port_str[0])
+ || uri_parsed->port == 0
+ || uri_parsed->port > 65353)) {
+ err = "invalid port";
+ }
 }
- if (uri_parsed.port_str && (uri_parsed.port == 0 || uri_parsed.port > 65353)) {
- err = "invalid port";
+ else if (!strcmp("mailto", uri_parsed->scheme)) {
+ s = strchr(uri, '@');
+ if (!s) {
+ err = "missing @";
+ }
+ else if (strchr(s+1, '@')) {
+ err = "duplicate @";
+ }
+ else if (s == uri + strlen(uri_parsed->scheme) + 1) {
+ err = "missing local part";
+ }
+ else if (s == (uri + strlen(uri)-1)) {
+ err = "missing hostname";
+ }
+ else if (strstr(uri, "..")) {
+ err = "double period";
+ }
 }
 }
- else if (!strcmp("mailto", uri_parsed.scheme)) {
- s = strchr(uri, '@');
- if (!s) {
- err = "missing @";
- }
- else if (strchr(s+1, '@')) {
- err = "duplicate @";
- }
- else if (s == uri + strlen(uri_parsed.scheme) + 1) {
- err = "missing local part";
- }
- else if (s == (uri + strlen(uri)-1)) {
- err = "missing hostname";
- }
- else if (strstr(uri, "..")) {
- err = "double period";
- }
+ if (strchr(uri, ' ') || strchr(uri, '\t') ) {
+ err = "whitespace in uri";
 }
 if (err) {
@@ -702,6 +704,39 @@ apr_status_t md_util_abs_uri_check(apr_pool_t *p, const char *uri, const char **
 return rv;
 }
+apr_status_t md_util_abs_uri_check(apr_pool_t *p, const char *uri, const char **perr)
+{
+ apr_uri_t uri_parsed;
+ apr_status_t rv;
+
+ if (APR_SUCCESS == (rv = uri_check(&uri_parsed, p, uri, perr))) {
+ if (!uri_parsed.scheme) {
+ *perr = "missing uri scheme";
+ return APR_EINVAL;
+ }
+ }
+ return rv;
+}
+
+apr_status_t md_util_abs_http_uri_check(apr_pool_t *p, const char *uri, const char **perr)
+{
+ apr_uri_t uri_parsed;
+ apr_status_t rv;
+
+ if (APR_SUCCESS == (rv = uri_check(&uri_parsed, p, uri, perr))) {
+ if (!uri_parsed.scheme) {
+ *perr = "missing uri scheme";
+ return APR_EINVAL;
+ }
+ if (apr_strnatcasecmp("http", uri_parsed.scheme)
+ && apr_strnatcasecmp("https", uri_parsed.scheme)) {
+ *perr = "uri scheme must be http or https";
+ return APR_EINVAL;
+ }
+ }
+ return rv;
+}
+
 /* retry login ************************************************************************************/
 apr_status_t md_util_try(md_util_try_fn *fn, void *baton, int ignore_errs, |