httpd-2.0 nightly build log

on 13.03.2002 10:06:28 by Chuck

Build started Wed Mar 13 01:00:01 PST 2002 on FreeBSD 4.5-STABLE
Checking out httpd-2.0 apr apr-util
Building httpd-2.0-nightly
Merging package apr
Merging package apr-util
Building config in httpd-2.0-nightly
Configuring in httpd-2.0-nightly w/options --enable-maintainer-mode --enable-auth-anon --enable-auth-dbm --enable-auth-db --enable-auth-digest --enable-file-cache --enable-echo --enable-cache --enable-example --enable-ext-filter --enable-case-filter --enable-case-filter-in --enable-optional-hook-export --enable-optional-hook-import --enable-optional-fn-import --enable-optional-fn-export --enable-mime-magic --enable-cern-meta --enable-expires --enable-headers --enable-usertrack --enable-unique-id --enable-proxy --enable-proxy-connect --enable-proxy-ftp --enable-proxy-http --enable-dav --enable-info --enable-suexec --enable-cgi --enable-cgid --enable-dav-fs --enable-vhost-alias --enable-speling --enable-rewrite --enable-ssl --with-ssl=/usr --enable-rule=SSL_EXPERIMENTAL
Not configured: --enable-charset-lite --enable-disk-cache --enable-tls --with-tls=/usr
Making in httpd-2.0-nightly
ssl_engine_config.c: In function `ssl_cmd_check_aidx_max':
ssl_engine_config.c:569: warning: `desc' might be used uninitialized in this function
ssl_engine_config.c:569: warning: `files' might be used uninitialized in this function
ssl_engine_kernel.c: In function `ssl_hook_Access':
ssl_engine_kernel.c:334: warning: `cipher_list_old' might be used uninitialized in this function
ssl_engine_kernel.c: In function `ssl_hook_Fixup':
ssl_engine_kernel.c:1124: warning: `ssl' might be used uninitialized in this function
ssl_engine_vars.c: In function `ssl_var_lookup_ssl':
ssl_engine_vars.c:288: too few arguments to function `SSL_SESSION_id2sz'
htpasswd.o: In function `main':
/x1/home/chuck/httpd-2.0-nightly/support/htpasswd.c(.text+0x a90): warning: tmpnam() possibly used unsafely; consider using mkstemp()
Build finished Wed Mar 13 01:06:28 PST 2002

http://cvs.apache.org/builds/httpd-proxy/logs/

Re:

on 04.10.2002 16:27:44 by Maurizio Marini

On Friday 04 October 2002 12:26 pm, i.t wrote:

>it would be helpful, if you could provide some more actual details



Hi sir,

It would be nice in general to have a module that allows modifying parameters
passed in a post, precisely like mod_rewrite allows the change of parameters
passed by get. Is this feasible?

Leaving the general case, I come to my problem.


I'm developing on Red Hat 7.3 with httpd 1.3.23-14; it's a very complex infrastructure with mod_pubcookie, mod_proxy and mod_rewrite.
It's not easy to describe it; it's easier for me to show you the piece of code that in http allowed me to change a parameter in the post stuff, but not any more in https.



#include <string.h>
#include "httpd.h"
#include "http_protocol.h"   /* ap_setup_client_block(), ap_should_client_block() */
#include "http_main.h"       /* ap_hard_timeout(), ap_kill_timeout() */

int change_out_post(request_rec *r, char *username) {
    int retval;

    /* check out http_protocol.c for reading the body info */
    if ((retval = ap_setup_client_block(r, REQUEST_CHUNKED_ERROR)))
        return retval;

    if (ap_should_client_block(r)) {
        /* peek directly into the connection's input buffer */
        char *buf = (char *)r->connection->client->inptr;
        char *p;
        ap_hard_timeout("copy script args", r);

        if ((p = strstr(buf, "username")) != NULL) {
            /* overwrite the blank placeholder after "username=" (fixed 10 bytes) */
            memcpy(p + strlen("username="), username, 10);
        }
        /* libpbc_debug() is the pubcookie debug logger */
        libpbc_debug("change_out_post[%d]: inptr: %s\n", __LINE__, buf);
        ap_kill_timeout(r);
    }
    return(1);
}


I try to explain it:


Premise.
Suppose that you want to authenticate a user and, after authentication, you want to add the username to a hidden parameter,
because the application on the backend (we are in a rev-proxy architecture) needs it as post parameters.


The misfact.
Before authenticating using mod_pubcookie I add some hidden parameter initialized to null,
e.g. 'username= '
You can see sufficient blanks after username=, to accommodate the username value.
It's a low trick, don't blame me!


After authentication I try to valorize username... how?!?
With strstr I search for the parameter name in the post area pointed to (if we are in http!!!) by r->connection->client->inptr.
I add 9 bytes to this pointer (strlen("username=")).
I write the username in place of the blanks.
Done!
This horrible trick worked until I passed to https...


Conclusion.
I fear that it's not portable (sure it doesn't work in apache 2.0!) and after the apache
rewriting for the chunked exploit all my stuff is outdated, even though I've not tested it;
I wrote this piece of code in the days before 21 June!!!


My prayer.
Now, I know well that this piece of software cannot be a solution and I am searching for some help to do something more robust and reliable.


thnx in advance!



--
Maurizio Marini
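
A bounds-checked form of the in-place placeholder overwrite described in the message above, as an added example that is not part of the original post or of Apache or pubcookie code. `fill_form_field` is a hypothetical helper; it assumes the module already holds the urlencoded body as pointer plus length, that keys arrive unencoded, and that the backend trims the trailing padding.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical helper (added example, not from the post): overwrite the value
 * of form field `key` in a length-delimited application/x-www-form-urlencoded
 * body, in place, so the body length and Content-Length stay the same.
 * Returns 0 on success; -1 (body untouched) if the field is missing, appears
 * more than once, is too narrow for `value`, or `value` would need encoding. */
int fill_form_field(char *body, size_t body_len, const char *key, const char *value)
{
    size_t klen = strlen(key), vlen = strlen(value), pos = 0, width = 0, i;
    char *slot = NULL;

    /* Accept only bytes that stay literal in urlencoded data. */
    for (i = 0; i < vlen; i++)
        if (!isalnum((unsigned char)value[i]) && !strchr("-._", value[i]))
            return -1;

    while (pos < body_len) {
        /* One field runs from pos to the next '&' or the end of the body. */
        char *amp = memchr(body + pos, '&', body_len - pos);
        size_t end = amp ? (size_t)(amp - body) : body_len;

        /* Match the key only at a field boundary and only before '='. */
        if (end - pos > klen && memcmp(body + pos, key, klen) == 0
            && body[pos + klen] == '=') {
            if (slot != NULL)
                return -1;              /* duplicate field: ambiguous */
            slot = body + pos + klen + 1;
            width = end - pos - klen - 1;
        }
        pos = end + 1;
    }
    if (slot == NULL || vlen > width)
        return -1;                      /* absent, or would spill into the next field */

    memcpy(slot, value, vlen);
    /* Overwrite the rest of the slot too: the client controls the placeholder,
     * so none of its bytes may survive. '+' decodes to a space. */
    memset(slot + vlen, '+', width - vlen);
    return 0;
}
```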