/* Licensed to the Apache Software Foundation (ASF) under one or more * contributor license agreements. See the NOTICE file distributed with * this work for additional information regarding copyright ownership. * The ASF licenses this file to You under the Apache License, Version 2.0 * (the "License"); you may not use this file except in compliance with * the License. You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ /* * http_filter.c --- HTTP routines which either filters or deal with filters. */ #include "apr.h" #include "apr_strings.h" #include "apr_buckets.h" #include "apr_lib.h" #include "apr_signal.h" #define APR_WANT_STDIO /* for sscanf */ #define APR_WANT_STRFUNC #define APR_WANT_MEMFUNC #include "apr_want.h" #include "util_filter.h" #include "ap_config.h" #include "httpd.h" #include "http_config.h" #include "http_core.h" #include "http_protocol.h" #include "http_main.h" #include "http_request.h" #include "http_vhost.h" #include "http_connection.h" #include "http_log.h" /* For errors detected in basic auth common * support code... */ #include "apr_date.h" /* For apr_date_parse_http and APR_DATE_BAD */ #include "util_charset.h" #include "util_ebcdic.h" #include "util_time.h" #include "mod_core.h" #if APR_HAVE_STDARG_H #include #endif #if APR_HAVE_UNISTD_H #include #endif APLOG_USE_MODULE(http); static apr_bucket *create_trailers_bucket(request_rec *r, apr_bucket_alloc_t *bucket_alloc); static apr_bucket *create_response_bucket(request_rec *r, apr_bucket_alloc_t *bucket_alloc); static void merge_response_headers(request_rec *r); typedef struct http_filter_ctx { apr_off_t remaining; apr_off_t limit; apr_off_t limit_used; apr_int32_t chunk_used; apr_int32_t chunk_bws; apr_int32_t chunkbits; enum { BODY_NONE, /* streamed data */ BODY_LENGTH, /* data constrained by content length */ BODY_CHUNK, /* chunk expected */ BODY_CHUNK_PART, /* chunk digits */ BODY_CHUNK_EXT, /* chunk extension */ BODY_CHUNK_CR, /* got space(s) after digits, expect [CR]LF or ext */ BODY_CHUNK_LF, /* got CR after digits or ext, expect LF */ BODY_CHUNK_DATA, /* data constrained by chunked encoding */ BODY_CHUNK_END, /* chunked data terminating CRLF */ BODY_CHUNK_END_LF, /* got CR after data, expect LF */ BODY_CHUNK_TRAILER /* trailers */ } state; unsigned int at_eos:1, seen_data:1; } http_ctx_t; /** * Parse a chunk line with optional extension, detect overflow. * There are several error cases: * 1) If the chunk link is misformatted, APR_EINVAL is returned. * 2) If the conversion would require too many bits, APR_EGENERAL is returned. * 3) If the conversion used the correct number of bits, but an overflow * caused only the sign bit to flip, then APR_ENOSPC is returned. * A negative chunk length always indicates an overflow error. */ static apr_status_t parse_chunk_size(http_ctx_t *ctx, const char *buffer, apr_size_t len, int linelimit, int strict) { apr_size_t i = 0; while (i < len) { char c = buffer[i]; ap_xlate_proto_from_ascii(&c, 1); /* handle CRLF after the chunk */ if (ctx->state == BODY_CHUNK_END || ctx->state == BODY_CHUNK_END_LF) { if (c == LF) { if (strict && (ctx->state != BODY_CHUNK_END_LF)) { /* * CR missing before LF. */ return APR_EINVAL; } ctx->state = BODY_CHUNK; } else if (c == CR && ctx->state == BODY_CHUNK_END) { ctx->state = BODY_CHUNK_END_LF; } else { /* * CRLF expected. */ return APR_EINVAL; } i++; continue; } /* handle start of the chunk */ if (ctx->state == BODY_CHUNK) { if (!apr_isxdigit(c)) { /* * Detect invalid character at beginning. This also works for * empty chunk size lines. */ return APR_EINVAL; } else { ctx->state = BODY_CHUNK_PART; } ctx->remaining = 0; /* The maximum number of bits that can be handled in a * chunk size is in theory sizeof(apr_off_t)*8-1 since * off_t is signed, but use -4 to avoid undefined * behaviour when bitshifting left. */ ctx->chunkbits = sizeof(apr_off_t) * 8 - 4; ctx->chunk_used = 0; ctx->chunk_bws = 0; } if (c == LF) { if (strict && (ctx->state != BODY_CHUNK_LF)) { /* * CR missing before LF. */ return APR_EINVAL; } if (ctx->remaining) { ctx->state = BODY_CHUNK_DATA; } else { ctx->state = BODY_CHUNK_TRAILER; } } else if (ctx->state == BODY_CHUNK_LF) { /* * LF expected. */ return APR_EINVAL; } else if (c == CR) { ctx->state = BODY_CHUNK_LF; } else if (c == ';') { ctx->state = BODY_CHUNK_EXT; } else if (ctx->state == BODY_CHUNK_EXT) { /* * Control chars (excluding tabs) are invalid. * TODO: more precisely limit input */ if (c != '\t' && apr_iscntrl(c)) { return APR_EINVAL; } } else if (c == ' ' || c == '\t') { /* This allows limited BWS (or 'implied *LWS' in RFC2616 * terms) between chunk-size and '[chunk-ext] CRLF'. This * is not allowed by RFC7230/9112 though servers have been * seen which emit spaces here. The code previously (and * mistakenly?) referenced the 7230 errata concerning BWS * *within* chunk-ext, but the conditional above is * followed during chunk-ext (state BODY_CHUNK_EXT): * https://www.rfc-editor.org/errata_search.php?rfc=7230&eid=4667 * See also: https://github.com/squid-cache/squid/pull/1914 */ ctx->state = BODY_CHUNK_CR; if (++ctx->chunk_bws > 10) { return APR_EINVAL; } } else if (ctx->state == BODY_CHUNK_CR) { /* * ';', CR or LF expected. */ return APR_EINVAL; } else if (ctx->state == BODY_CHUNK_PART) { int xvalue; /* ignore leading zeros */ if (!ctx->remaining && c == '0') { i++; continue; } ctx->chunkbits -= 4; if (ctx->chunkbits < 0) { /* overflow */ return APR_ENOSPC; } if (c >= '0' && c <= '9') { xvalue = c - '0'; } else if (c >= 'A' && c <= 'F') { xvalue = c - 'A' + 0xa; } else if (c >= 'a' && c <= 'f') { xvalue = c - 'a' + 0xa; } else { /* bogus character */ return APR_EINVAL; } ctx->remaining = (ctx->remaining << 4) | xvalue; if (ctx->remaining < 0) { /* Overflow - should be unreachable since the * chunkbits limit will be reached first. */ return APR_ENOSPC; } } else { /* Should not happen */ return APR_EGENERAL; } i++; } /* sanity check */ ctx->chunk_used += len; if (ctx->chunk_used < 0 || ctx->chunk_used > linelimit) { return APR_ENOSPC; } return APR_SUCCESS; } static apr_status_t read_chunked_trailers(http_ctx_t *ctx, ap_filter_t *f, apr_bucket_brigade *b) { int rv; apr_bucket *e; request_rec *r = f->r; apr_table_t *trailers; apr_table_t *saved_headers_in = r->headers_in; int saved_status = r->status; trailers = apr_table_make(r->pool, 5); r->status = HTTP_OK; r->headers_in = trailers; ap_get_mime_headers(r); r->headers_in = saved_headers_in; if (r->status == HTTP_OK) { r->status = saved_status; if (!apr_is_empty_table(trailers)) { e = ap_bucket_headers_create(trailers, r->pool, b->bucket_alloc); APR_BRIGADE_INSERT_TAIL(b, e); } e = apr_bucket_eos_create(f->c->bucket_alloc); APR_BRIGADE_INSERT_TAIL(b, e); ctx->at_eos = 1; rv = APR_SUCCESS; } else { const char *error_notes = apr_table_get(r->notes, "error-notes"); ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(02656) "Error while reading HTTP trailer: %i%s%s", r->status, error_notes ? ": " : "", error_notes ? error_notes : ""); rv = APR_EINVAL; } return rv; } typedef struct h1_in_ctx_t { unsigned int at_trailers:1; unsigned int at_eos:1; unsigned int seen_data:1; } h1_in_ctx_t; /* This is the HTTP_INPUT filter for HTTP requests and responses from * proxied servers (mod_proxy). It handles chunked and content-length * bodies. This can only be inserted/used after the headers * are successfully parsed. */ apr_status_t ap_http_filter(ap_filter_t *f, apr_bucket_brigade *b, ap_input_mode_t mode, apr_read_type_e block, apr_off_t readbytes) { apr_bucket *e, *next; h1_in_ctx_t *ctx = f->ctx; request_rec *r = f->r; apr_status_t rv; if (!ctx) { f->ctx = ctx = apr_pcalloc(f->r->pool, sizeof(*ctx)); } /* Since we're about to read data, send 100-Continue if needed. * Only valid on chunked and C-L bodies where the C-L is > 0. * * If the read is to be nonblocking though, the caller may not want to * handle this just now (e.g. mod_proxy_http), and is prepared to read * nothing if the client really waits for 100 continue, so we don't * send it now and wait for later blocking read. * * In any case, even if r->expecting remains set at the end of the * request handling, ap_set_keepalive() will finally do the right * thing (i.e. "Connection: close" the connection). */ if (block == APR_BLOCK_READ && r->expecting_100 && r->proto_num >= HTTP_VERSION(1,1) && !(ctx->at_eos || r->eos_sent || r->bytes_sent)) { if (!ap_is_HTTP_SUCCESS(r->status)) { ap_log_rerror(APLOG_MARK, APLOG_TRACE3, 0, r, "ap_http_in_filter: status != OK, not sending 100-continue"); ctx->at_eos = 1; /* send EOS below */ } else if (!ctx->seen_data) { int saved_status = r->status; const char *saved_status_line = r->status_line; ap_log_rerror(APLOG_MARK, APLOG_TRACE3, 0, r, "ap_http_in_filter: sending 100-continue"); r->status = HTTP_CONTINUE; r->status_line = NULL; ap_send_interim_response(r, 0); AP_DEBUG_ASSERT(!r->expecting_100); r->status_line = saved_status_line; r->status = saved_status; } else { /* https://tools.ietf.org/html/rfc7231#section-5.1.1 * A server MAY omit sending a 100 (Continue) response if it * has already received some or all of the message body for * the corresponding request [...] */ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(10260) "request body already/partly received while " "100-continue is expected, omit sending interim " "response"); r->expecting_100 = 0; } } /* sanity check in case we're read twice */ if (ctx->at_eos) { e = apr_bucket_eos_create(f->c->bucket_alloc); APR_BRIGADE_INSERT_TAIL(b, e); rv = APR_SUCCESS; goto cleanup; } rv = ap_get_brigade(f->next, b, mode, block, readbytes); if (APR_SUCCESS == rv) { for (e = APR_BRIGADE_FIRST(b); e != APR_BRIGADE_SENTINEL(b); e = next) { next = APR_BUCKET_NEXT(e); if (!APR_BUCKET_IS_METADATA(e)) { if (e->length != 0) { ctx->seen_data = 1; } if (ctx->at_trailers) { /* DATA after trailers? Someone smuggling something? */ rv = AP_FILTER_ERROR; goto cleanup; } continue; } if (AP_BUCKET_IS_HEADERS(e)) { /* trailers */ ap_bucket_headers * hdrs = e->data; /* Allow multiple HEADERS buckets carrying trailers here, * will not happen from HTTP/1.x and current H2 implementation, * but is an option. */ ctx->at_trailers = 1; if (!apr_is_empty_table(hdrs->headers)) { r->trailers_in = apr_table_overlay(r->pool, r->trailers_in, hdrs->headers); } apr_bucket_delete(e); } if (APR_BUCKET_IS_EOS(e)) { ctx->at_eos = 1; if (!apr_is_empty_table(r->trailers_in)) { core_server_config *conf = ap_get_module_config( r->server->module_config, &core_module); if (conf->merge_trailers == AP_MERGE_TRAILERS_ENABLE) { r->headers_in = apr_table_overlay(r->pool, r->headers_in, r->trailers_in); } } goto cleanup; } } } cleanup: return rv; } apr_status_t ap_h1_body_in_filter(ap_filter_t *f, apr_bucket_brigade *b, ap_input_mode_t mode, apr_read_type_e block, apr_off_t readbytes) { core_server_config *conf = (core_server_config *) ap_get_module_config(f->r->server->module_config, &core_module); int strict = (conf->http_conformance != AP_HTTP_CONFORMANCE_UNSAFE); apr_bucket *e; http_ctx_t *ctx = f->ctx; apr_status_t rv; int again; /* just get out of the way of things we don't want. */ if (mode != AP_MODE_READBYTES && mode != AP_MODE_GETLINE) { return ap_get_brigade(f->next, b, mode, block, readbytes); } if (!ctx) { const char *tenc, *lenp; f->ctx = ctx = apr_pcalloc(f->r->pool, sizeof(*ctx)); ctx->state = BODY_NONE; /* LimitRequestBody does not apply to proxied responses. * Consider implementing this check in its own filter. * Would adding a directive to limit the size of proxied * responses be useful? */ if (f->r->proxyreq != PROXYREQ_RESPONSE) { ctx->limit = ap_get_limit_req_body(f->r); } else { ctx->limit = 0; } tenc = apr_table_get(f->r->headers_in, "Transfer-Encoding"); lenp = apr_table_get(f->r->headers_in, "Content-Length"); if (tenc) { if (ap_is_chunked(f->r->pool, tenc)) { ctx->state = BODY_CHUNK; } else if (f->r->proxyreq == PROXYREQ_RESPONSE) { /* http://tools.ietf.org/html/draft-ietf-httpbis-p1-messaging-23 * Section 3.3.3.3: "If a Transfer-Encoding header field is * present in a response and the chunked transfer coding is not * the final encoding, the message body length is determined by * reading the connection until it is closed by the server." */ ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, f->r, APLOGNO(02555) "Unknown Transfer-Encoding: %s; " "using read-until-close", tenc); tenc = NULL; } else { /* Something that isn't a HTTP request, unless some future * edition defines new transfer encodings, is unsupported. */ ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, f->r, APLOGNO(01585) "Unknown Transfer-Encoding: %s", tenc); ap_die(HTTP_NOT_IMPLEMENTED, f->r); return APR_EGENERAL; } lenp = NULL; } if (lenp) { ctx->state = BODY_LENGTH; /* Protects against over/underflow, non-digit chars in the * string, leading plus/minus signs, trailing characters and * a negative number. */ if (!ap_parse_strict_length(&ctx->remaining, lenp)) { ctx->remaining = 0; ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, f->r, APLOGNO(01587) "Invalid Content-Length"); return APR_EINVAL; } /* If we have a limit in effect and we know the C-L ahead of * time, stop it here if it is invalid. */ if (ctx->limit && ctx->limit < ctx->remaining) { ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, f->r, APLOGNO(01588) "Requested content-length of %" APR_OFF_T_FMT " is larger than the configured limit" " of %" APR_OFF_T_FMT, ctx->remaining, ctx->limit); return APR_ENOSPC; } } /* If we don't have a request entity indicated by the headers, EOS. * (BODY_NONE is a valid intermediate state due to trailers, * but it isn't a valid starting state.) * * RFC 2616 Section 4.4 note 5 states that connection-close * is invalid for a request entity - request bodies must be * denoted by C-L or T-E: chunked. * * Note that since the proxy uses this filter to handle the * proxied *response*, proxy responses MUST be exempt. */ if (ctx->state == BODY_NONE && f->r->proxyreq != PROXYREQ_RESPONSE) { ctx->at_eos = 1; /* send EOS below */ } } /* sanity check in case we're read twice */ if (ctx->at_eos) { e = apr_bucket_eos_create(f->c->bucket_alloc); APR_BRIGADE_INSERT_TAIL(b, e); return APR_SUCCESS; } do { apr_brigade_cleanup(b); again = 0; /* until further notice */ /* read and handle the brigade */ switch (ctx->state) { case BODY_CHUNK: case BODY_CHUNK_PART: case BODY_CHUNK_EXT: case BODY_CHUNK_CR: case BODY_CHUNK_LF: case BODY_CHUNK_END: case BODY_CHUNK_END_LF: { rv = ap_get_brigade(f->next, b, AP_MODE_GETLINE, block, 0); /* for timeout */ if (block == APR_NONBLOCK_READ && ((rv == APR_SUCCESS && APR_BRIGADE_EMPTY(b)) || (APR_STATUS_IS_EAGAIN(rv)))) { return APR_EAGAIN; } if (rv == APR_EOF) { return APR_INCOMPLETE; } if (rv != APR_SUCCESS) { return rv; } e = APR_BRIGADE_FIRST(b); while (e != APR_BRIGADE_SENTINEL(b)) { const char *buffer; apr_size_t len; if (!APR_BUCKET_IS_METADATA(e)) { rv = apr_bucket_read(e, &buffer, &len, APR_BLOCK_READ); if (rv == APR_SUCCESS) { if (len > 0) { ctx->seen_data = 1; } rv = parse_chunk_size(ctx, buffer, len, f->r->server->limit_req_fieldsize, strict); } if (rv != APR_SUCCESS) { ap_log_rerror(APLOG_MARK, APLOG_INFO, rv, f->r, APLOGNO(01590) "Error reading/parsing chunk %s ", (APR_ENOSPC == rv) ? "(overflow)" : ""); return rv; } } apr_bucket_delete(e); e = APR_BRIGADE_FIRST(b); } again = 1; /* come around again */ if (ctx->state == BODY_CHUNK_TRAILER) { /* Treat UNSET as DISABLE - trailers aren't merged by default */ return read_chunked_trailers(ctx, f, b); } break; } case BODY_NONE: case BODY_LENGTH: case BODY_CHUNK_DATA: { /* Ensure that the caller can not go over our boundary point. */ if (ctx->state != BODY_NONE && ctx->remaining < readbytes) { readbytes = ctx->remaining; } if (readbytes > 0) { apr_off_t totalread; rv = ap_get_brigade(f->next, b, mode, block, readbytes); /* for timeout */ if (block == APR_NONBLOCK_READ && ((rv == APR_SUCCESS && APR_BRIGADE_EMPTY(b)) || (APR_STATUS_IS_EAGAIN(rv)))) { return APR_EAGAIN; } if (rv == APR_EOF && ctx->state != BODY_NONE && ctx->remaining > 0) { return APR_INCOMPLETE; } if (rv != APR_SUCCESS) { return rv; } /* How many bytes did we just read? */ apr_brigade_length(b, 0, &totalread); if (totalread > 0) { ctx->seen_data = 1; } /* If this happens, we have a bucket of unknown length. Die because * it means our assumptions have changed. */ AP_DEBUG_ASSERT(totalread >= 0); if (ctx->state != BODY_NONE) { ctx->remaining -= totalread; if (ctx->remaining > 0) { e = APR_BRIGADE_LAST(b); if (APR_BUCKET_IS_EOS(e)) { apr_bucket_delete(e); return APR_INCOMPLETE; } } else if (ctx->state == BODY_CHUNK_DATA) { /* next chunk please */ ctx->state = BODY_CHUNK_END; ctx->chunk_used = 0; } } /* We have a limit in effect. */ if (ctx->limit) { /* FIXME: Note that we might get slightly confused on * chunked inputs as we'd need to compensate for the chunk * lengths which may not really count. This seems to be up * for interpretation. */ ctx->limit_used += totalread; if (ctx->limit < ctx->limit_used) { ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, f->r, APLOGNO(01591) "Read content length of " "%" APR_OFF_T_FMT " is larger than the " "configured limit of %" APR_OFF_T_FMT, ctx->limit_used, ctx->limit); return APR_ENOSPC; } } } /* If we have no more bytes remaining on a C-L request, * save the caller a round trip to discover EOS. */ if (ctx->state == BODY_LENGTH && ctx->remaining == 0) { e = apr_bucket_eos_create(f->c->bucket_alloc); APR_BRIGADE_INSERT_TAIL(b, e); ctx->at_eos = 1; } break; } case BODY_CHUNK_TRAILER: { rv = ap_get_brigade(f->next, b, mode, block, readbytes); /* for timeout */ if (block == APR_NONBLOCK_READ && ((rv == APR_SUCCESS && APR_BRIGADE_EMPTY(b)) || (APR_STATUS_IS_EAGAIN(rv)))) { return APR_EAGAIN; } if (rv != APR_SUCCESS) { return rv; } break; } default: { /* Should not happen */ ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, f->r, APLOGNO(02901) "Unexpected body state (%i)", (int)ctx->state); return APR_EGENERAL; } } } while (again); return APR_SUCCESS; } struct check_header_ctx { request_rec *r; int strict; }; /* check a single header, to be used with apr_table_do() */ static int check_header(struct check_header_ctx *ctx, const char *name, const char **val) { const char *pos, *end; char *dst = NULL; if (name[0] == '\0') { ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, ctx->r, APLOGNO(02428) "Empty response header name, aborting request"); return 0; } if (ctx->strict) { end = ap_scan_http_token(name); } else { end = ap_scan_vchar_obstext(name); } if (*end) { ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, ctx->r, APLOGNO(02429) "Response header name '%s' contains invalid " "characters, aborting request", name); return 0; } for (pos = *val; *pos; pos = end) { end = ap_scan_http_field_content(pos); if (*end) { if (end[0] != CR || end[1] != LF || (end[2] != ' ' && end[2] != '\t')) { ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, ctx->r, APLOGNO(02430) "Response header '%s' value of '%s' contains " "invalid characters, aborting request", name, pos); return 0; } if (!dst) { *val = dst = apr_palloc(ctx->r->pool, strlen(*val) + 1); } } if (dst) { memcpy(dst, pos, end - pos); dst += end - pos; if (*end) { /* skip folding and replace with a single space */ end += 3 + strspn(end + 3, "\t "); *dst++ = ' '; } } } if (dst) { *dst = '\0'; } return 1; } static int check_headers_table(apr_table_t *t, struct check_header_ctx *ctx) { const apr_array_header_t *headers = apr_table_elts(t); apr_table_entry_t *header; int i; for (i = 0; i < headers->nelts; ++i) { header = &APR_ARRAY_IDX(headers, i, apr_table_entry_t); if (!header->key) { continue; } if (!check_header(ctx, header->key, (const char **)&header->val)) { return 0; } } return 1; } /** * Check headers for HTTP conformance * @return 1 if ok, 0 if bad */ static APR_INLINE int check_headers(request_rec *r) { struct check_header_ctx ctx; core_server_config *conf = ap_get_core_module_config(r->server->module_config); const char *val; if ((val = apr_table_get(r->headers_out, "Transfer-Encoding"))) { if (apr_table_get(r->headers_out, "Content-Length")) { apr_table_unset(r->headers_out, "Content-Length"); r->connection->keepalive = AP_CONN_CLOSE; } if (!ap_is_chunked(r->pool, val)) { r->connection->keepalive = AP_CONN_CLOSE; return 0; } } ctx.r = r; ctx.strict = (conf->http_conformance != AP_HTTP_CONFORMANCE_UNSAFE); return check_headers_table(r->headers_out, &ctx) && check_headers_table(r->err_headers_out, &ctx); } static int check_headers_recursion(request_rec *r) { void *check = NULL; apr_pool_userdata_get(&check, "check_headers_recursion", r->pool); if (check) { return 1; } apr_pool_userdata_setn("true", "check_headers_recursion", NULL, r->pool); return 0; } typedef struct header_struct { apr_pool_t *pool; apr_bucket_brigade *bb; } header_struct; /* Send a single HTTP header field to the client. Note that this function * is used in calls to apr_table_do(), so don't change its interface. * It returns true unless there was a write error of some kind. */ static int form_header_field(header_struct *h, const char *fieldname, const char *fieldval) { #if APR_CHARSET_EBCDIC char *headfield; apr_size_t len; headfield = apr_pstrcat(h->pool, fieldname, ": ", fieldval, CRLF, NULL); len = strlen(headfield); ap_xlate_proto_to_ascii(headfield, len); apr_brigade_write(h->bb, NULL, NULL, headfield, len); #else struct iovec vec[4]; struct iovec *v = vec; v->iov_base = (void *)fieldname; v->iov_len = strlen(fieldname); v++; v->iov_base = ": "; v->iov_len = sizeof(": ") - 1; v++; v->iov_base = (void *)fieldval; v->iov_len = strlen(fieldval); v++; v->iov_base = CRLF; v->iov_len = sizeof(CRLF) - 1; apr_brigade_writev(h->bb, NULL, NULL, vec, 4); #endif /* !APR_CHARSET_EBCDIC */ return 1; } /* This routine is called by apr_table_do and merges all instances of * the passed field values into a single array that will be further * processed by some later routine. Originally intended to help split * and recombine multiple Vary fields, though it is generic to any field * consisting of comma/space-separated tokens. */ static int uniq_field_values(void *d, const char *key, const char *val) { apr_array_header_t *values; char *start; char *e; char **strpp; int i; values = (apr_array_header_t *)d; e = apr_pstrdup(values->pool, val); do { /* Find a non-empty fieldname */ while (*e == ',' || apr_isspace(*e)) { ++e; } if (*e == '\0') { break; } start = e; while (*e != '\0' && *e != ',' && !apr_isspace(*e)) { ++e; } if (*e != '\0') { *e++ = '\0'; } /* Now add it to values if it isn't already represented. * Could be replaced by a ap_array_strcasecmp() if we had one. */ for (i = 0, strpp = (char **) values->elts; i < values->nelts; ++i, ++strpp) { if (*strpp && ap_cstr_casecmp(*strpp, start) == 0) { break; } } if (i == values->nelts) { /* if not found */ *(char **)apr_array_push(values) = start; } } while (*e != '\0'); return 1; } /* * Since some clients choke violently on multiple Vary fields, or * Vary fields with duplicate tokens, combine any multiples and remove * any duplicates. */ static void fixup_vary(request_rec *r) { apr_array_header_t *varies; varies = apr_array_make(r->pool, 5, sizeof(char *)); /* Extract all Vary fields from the headers_out, separate each into * its comma-separated fieldname values, and then add them to varies * if not already present in the array. */ apr_table_do(uniq_field_values, varies, r->headers_out, "Vary", NULL); /* If we found any, replace old Vary fields with unique-ified value */ if (varies->nelts > 0) { apr_table_setn(r->headers_out, "Vary", apr_array_pstrcat(r->pool, varies, ',')); } } /* Confirm that the status line is well-formed and matches r->status. * If they don't match, a filter may have negated the status line set by a * handler. * Zap r->status_line if bad. */ static apr_status_t validate_status_line(request_rec *r) { char *end; if (r->status_line) { int len = strlen(r->status_line); if (len < 3 || apr_strtoi64(r->status_line, &end, 10) != r->status || (end - 3) != r->status_line || (len >= 4 && ! apr_isspace(r->status_line[3]))) { r->status_line = NULL; return APR_EGENERAL; } /* Since we passed the above check, we know that length three * is equivalent to only a 3 digit numeric http status. * RFC2616 mandates a trailing space, let's add it. */ if (len == 3) { r->status_line = apr_pstrcat(r->pool, r->status_line, " ", NULL); return APR_EGENERAL; } return APR_SUCCESS; } return APR_EGENERAL; } /* * Determine the protocol to use for the response. Potentially downgrade * to HTTP/1.0 in some situations and/or turn off keepalives. * * also prepare r->status_line. */ static void basic_http_header_check(request_rec *r) { apr_status_t rv; if (r->assbackwards) { /* no such thing as a response protocol */ return; } rv = validate_status_line(r); if (!r->status_line) { r->status_line = ap_get_status_line(r->status); } else if (rv != APR_SUCCESS) { /* Status line is OK but our own reason phrase * would be preferred if defined */ const char *tmp = ap_get_status_line(r->status); if (!strncmp(tmp, r->status_line, 3)) { r->status_line = tmp; } } /* Note that we must downgrade before checking for force responses. */ if (r->proto_num > HTTP_VERSION(1,0) && apr_table_get(r->subprocess_env, "downgrade-1.0")) { r->proto_num = HTTP_VERSION(1,0); } } AP_DECLARE(void) ap_basic_http_header(request_rec *r, apr_bucket_brigade *bb) { apr_bucket *b; basic_http_header_check(r); b = create_response_bucket(r, bb->bucket_alloc); APR_BRIGADE_INSERT_TAIL(bb, b); } AP_DECLARE_NONSTD(int) ap_send_http_trace(request_rec *r) { core_server_config *conf; int rv; apr_bucket_brigade *bb; header_struct h; apr_bucket *b; int body; char *bodyread = NULL, *bodyoff; apr_size_t bodylen = 0; apr_size_t bodybuf; long res = -1; /* init to avoid gcc -Wall warning */ if (r->method_number != M_TRACE) { return DECLINED; } /* Get the original request */ while (r->prev) { r = r->prev; } conf = ap_get_core_module_config(r->server->module_config); if (conf->trace_enable == AP_TRACE_DISABLE) { apr_table_setn(r->notes, "error-notes", "TRACE denied by server configuration"); return HTTP_METHOD_NOT_ALLOWED; } if (conf->trace_enable == AP_TRACE_EXTENDED) /* XXX: should be = REQUEST_CHUNKED_PASS */ body = REQUEST_CHUNKED_DECHUNK; else body = REQUEST_NO_BODY; if ((rv = ap_setup_client_block(r, body))) { if (rv == HTTP_REQUEST_ENTITY_TOO_LARGE) apr_table_setn(r->notes, "error-notes", "TRACE with a request body is not allowed"); return rv; } if (ap_should_client_block(r)) { if (r->remaining > 0) { if (r->remaining > 65536) { apr_table_setn(r->notes, "error-notes", "Extended TRACE request bodies cannot exceed 64k\n"); return HTTP_REQUEST_ENTITY_TOO_LARGE; } /* always 32 extra bytes to catch chunk header exceptions */ bodybuf = (apr_size_t)r->remaining + 32; } else { /* Add an extra 8192 for chunk headers */ bodybuf = 73730; } bodyoff = bodyread = apr_palloc(r->pool, bodybuf); /* only while we have enough for a chunked header */ while ((!bodylen || bodybuf >= 32) && (res = ap_get_client_block(r, bodyoff, bodybuf)) > 0) { bodylen += res; bodybuf -= res; bodyoff += res; } if (res > 0 && bodybuf < 32) { /* discard_rest_of_request_body into our buffer */ while (ap_get_client_block(r, bodyread, bodylen) > 0) ; apr_table_setn(r->notes, "error-notes", "Extended TRACE request bodies cannot exceed 64k\n"); return HTTP_REQUEST_ENTITY_TOO_LARGE; } if (res < 0) { return HTTP_BAD_REQUEST; } } ap_set_content_type_ex(r, "message/http", 1); /* Now we recreate the request, and echo it back */ bb = apr_brigade_create(r->pool, r->connection->bucket_alloc); #if APR_CHARSET_EBCDIC { char *tmp; apr_size_t len; len = strlen(r->the_request); tmp = apr_pmemdup(r->pool, r->the_request, len); ap_xlate_proto_to_ascii(tmp, len); apr_brigade_putstrs(bb, NULL, NULL, tmp, CRLF_ASCII, NULL); } #else apr_brigade_putstrs(bb, NULL, NULL, r->the_request, CRLF, NULL); #endif h.pool = r->pool; h.bb = bb; apr_table_do((int (*) (void *, const char *, const char *)) form_header_field, (void *) &h, r->headers_in, NULL); apr_brigade_puts(bb, NULL, NULL, CRLF_ASCII); /* If configured to accept a body, echo the body */ if (bodylen) { b = apr_bucket_pool_create(bodyread, bodylen, r->pool, bb->bucket_alloc); APR_BRIGADE_INSERT_TAIL(bb, b); } ap_pass_brigade(r->output_filters, bb); return DONE; } typedef struct header_filter_ctx { int final_status; int final_header_only; int dying; } header_filter_ctx; AP_CORE_DECLARE_NONSTD(apr_status_t) ap_http_header_filter(ap_filter_t *f, apr_bucket_brigade *b) { request_rec *r = f->r; conn_rec *c = r->connection; apr_bucket *e, *next, *eos = NULL, *bcontent = NULL; header_filter_ctx *ctx = f->ctx; ap_bucket_error *eb = NULL; apr_status_t rv = APR_SUCCESS; int recursive_error = 0; AP_DEBUG_ASSERT(!r->main); if (!ctx) { ctx = f->ctx = apr_pcalloc(r->pool, sizeof(header_filter_ctx)); } if (!ctx->final_status) { /* Determine if it is time to insert the response bucket for * the request. Request handlers just write content or an EOS * and that needs to take the current state of request_rec to * send on status and headers as a response bucket. * * But we also send interim responses (as response buckets) * through this filter and that must not trigger generating * an additional response bucket. * * Waiting on a DATA/ERROR/EOS bucket alone is not enough, * unfortunately, as some handlers trigger response generation * by just writing a FLUSH (see mod_lua's websocket for example). */ apr_bucket *respb = NULL; ap_bucket_response *resp; for (e = APR_BRIGADE_FIRST(b); e != APR_BRIGADE_SENTINEL(b) && !bcontent; e = APR_BUCKET_NEXT(e)) { if (APR_BUCKET_IS_METADATA(e)) { if (AP_BUCKET_IS_RESPONSE(e)) { /* RESPONSE buckets may get passed by others, for * example ap_send_interim_response() or ap_die(). * We examine the status code of such a RESPONSE below * to determine if the response answers the request * or is just interim. */ respb = e; resp = respb->data; if (!ctx->final_status && (resp->status >= 200 || resp->status == HTTP_SWITCHING_PROTOCOLS)) { ctx->final_status = resp->status; ctx->final_header_only = AP_STATUS_IS_HEADER_ONLY(resp->status); bcontent = APR_BUCKET_NEXT(e); break; } } else if (APR_BUCKET_IS_FLUSH(e)) { /* flush without response bucket triggers */ if (!respb) bcontent = e; } else if (APR_BUCKET_IS_EOS(e)) { bcontent = e; } else if (AP_BUCKET_IS_ERROR(e)) { /* Need to handle this below via ap_die() */ break; } else if (AP_BUCKET_IS_EOC(e)) { /* Need to handle this below. EOC prevents generating * a RESPONSE if not already triggered by buckets preceding * it. */ break; } } else { /* First content bucket, always triggering the response.*/ bcontent = e; } } if (!ctx->final_status && bcontent) { ap_log_rerror(APLOG_MARK, APLOG_TRACE3, 0, r, "ap_http_header_filter prep response status %d", r->status); merge_response_headers(r); if (!check_headers(r)) { /* We may come back here from ap_die() below, * so clear anything from this response. */ apr_table_clear(r->headers_out); apr_table_clear(r->err_headers_out); r->content_type = r->content_encoding = NULL; r->content_languages = NULL; r->clength = r->chunked = 0; apr_brigade_cleanup(b); /* Don't recall ap_die() if we come back here (from its own internal * redirect or error response), otherwise we can end up in infinite * recursion; better fall through with 500, minimal headers and an * empty body (EOS only). */ if (!check_headers_recursion(r)) { ap_die(HTTP_INTERNAL_SERVER_ERROR, r); return AP_FILTER_ERROR; } r->status = HTTP_INTERNAL_SERVER_ERROR; e = ap_bucket_eoc_create(c->bucket_alloc); APR_BRIGADE_INSERT_TAIL(b, e); e = apr_bucket_eos_create(c->bucket_alloc); APR_BRIGADE_INSERT_TAIL(b, e); ap_set_content_length(r, 0); recursive_error = 1; } /* insert the RESPONSE before the first content bucket */ respb = create_response_bucket(r, b->bucket_alloc); APR_BUCKET_INSERT_BEFORE(bcontent, respb); ctx->final_status = r->status; ctx->final_header_only = (r->header_only || AP_STATUS_IS_HEADER_ONLY(r->status)); r->sent_bodyct = 1; /* Whatever follows is real body stuff... */ } } if (ctx->final_status && ctx->final_header_only) { /* The final RESPONSE has already been sent or is in front of `bcontent` * in the brigade. For a header_only respone, remove all content buckets * up to the first EOS. On seeing EOS, we remove ourself and are done. * NOTE that `header_only` responses never generate trailes. */ for (e = bcontent? bcontent : APR_BRIGADE_FIRST(b); e != APR_BRIGADE_SENTINEL(b); e = next) { next = APR_BUCKET_NEXT(e); if (APR_BUCKET_IS_EOS(e)) { eos = e; break; } apr_bucket_delete(e); } if (eos) { ap_remove_output_filter(f); } if (!APR_BRIGADE_EMPTY(b)) { rv = ap_pass_brigade(f->next, b); } r->final_resp_passed = 1; return rv; } /* Look for ERROR/EOC/EOS that require special handling. */ for (e = APR_BRIGADE_FIRST(b); e != APR_BRIGADE_SENTINEL(b); e = APR_BUCKET_NEXT(e)) { if (APR_BUCKET_IS_METADATA(e)) { if (APR_BUCKET_IS_EOS(e)) { if (!eos) eos = e; } else if (AP_BUCKET_IS_EOC(e)) { /* If we see an EOC bucket it is a signal that we should get out * of the way doing nothing. */ ap_remove_output_filter(f); return ap_pass_brigade(f->next, b); } else if (AP_BUCKET_IS_ERROR(e)) { int status; eb = e->data; status = eb->status; if (r->final_resp_passed) { ap_log_rerror(APLOG_MARK, APLOG_TRACE3, 0, r, "ap_http_header_filter error bucket, should " "die with status=%d but final response already " "underway", status); ap_remove_output_filter(f); APR_BUCKET_REMOVE(e); apr_brigade_cleanup(b); APR_BRIGADE_INSERT_TAIL(b, e); e = ap_bucket_eoc_create(c->bucket_alloc); APR_BRIGADE_INSERT_TAIL(b, e); e = apr_bucket_eos_create(c->bucket_alloc); APR_BRIGADE_INSERT_TAIL(b, e); c->aborted = 1; return ap_pass_brigade(f->next, b); } else { ap_log_rerror(APLOG_MARK, APLOG_TRACE3, 0, r, "ap_http_header_filter error bucket, die with %d and error", status); apr_brigade_cleanup(b); /* This will invoke us again */ ctx->dying = 1; ap_die(status, r); return AP_FILTER_ERROR; } } } } if (r->assbackwards) { r->sent_bodyct = 1; ap_remove_output_filter(f); rv = ap_pass_brigade(f->next, b); goto out; } if (eos) { e = create_trailers_bucket(r, b->bucket_alloc); if (e) { APR_BUCKET_INSERT_BEFORE(eos, e); } ap_remove_output_filter(f); } else if (ctx->final_status == HTTP_SWITCHING_PROTOCOLS) { /* switching protocol, whatever comes next is not HTTP/1.x */ ap_remove_output_filter(f); } rv = ap_pass_brigade(f->next, b); out: if (ctx->final_status) r->final_resp_passed = 1; if (recursive_error) { return AP_FILTER_ERROR; } return rv; } /* * Map specific APR codes returned by the filter stack to HTTP error * codes, or the default status code provided. Use it as follows: * * return ap_map_http_request_error(rv, HTTP_BAD_REQUEST); * * If the filter has already handled the error, AP_FILTER_ERROR will * be returned, which is cleanly passed through. * * These mappings imply that the filter stack is reading from the * downstream client, the proxy will map these codes differently. */ AP_DECLARE(int) ap_map_http_request_error(apr_status_t rv, int status) { switch (rv) { case AP_FILTER_ERROR: return AP_FILTER_ERROR; case APR_EGENERAL: return HTTP_BAD_REQUEST; case APR_ENOSPC: return HTTP_REQUEST_ENTITY_TOO_LARGE; case APR_ENOTIMPL: return HTTP_NOT_IMPLEMENTED; case APR_TIMEUP: case APR_ETIMEDOUT: return HTTP_REQUEST_TIME_OUT; default: return status; } } /* In HTTP/1.1, any method can have a body. However, most GET handlers * wouldn't know what to do with a request body if they received one. * This helper routine tests for and reads any message body in the request, * simply discarding whatever it receives. We need to do this because * failing to read the request body would cause it to be interpreted * as the next request on a persistent connection. * * Since we return an error status if the request is malformed, this * routine should be called at the beginning of a no-body handler, e.g., * * if ((retval = ap_discard_request_body(r)) != OK) { * return retval; * } */ AP_DECLARE(int) ap_discard_request_body(request_rec *r) { int rc = OK; conn_rec *c = r->connection; apr_bucket_brigade *bb; /* Sometimes we'll get in a state where the input handling has * detected an error where we want to drop the connection, so if * that's the case, don't read the data as that is what we're trying * to avoid. * * This function is also a no-op on a subrequest. */ if (r->main || c->keepalive == AP_CONN_CLOSE) { return OK; } if (ap_status_drops_connection(r->status)) { c->keepalive = AP_CONN_CLOSE; return OK; } bb = apr_brigade_create(r->pool, r->connection->bucket_alloc); for (;;) { apr_status_t rv; rv = ap_get_brigade(r->input_filters, bb, AP_MODE_READBYTES, APR_BLOCK_READ, HUGE_STRING_LEN); if (rv != APR_SUCCESS) { rc = ap_map_http_request_error(rv, HTTP_BAD_REQUEST); goto cleanup; } while (!APR_BRIGADE_EMPTY(bb)) { apr_bucket *b = APR_BRIGADE_FIRST(bb); if (APR_BUCKET_IS_EOS(b)) { goto cleanup; } /* There is no need to read empty or metadata buckets or * buckets of known length, but we MUST read buckets of * unknown length in order to exhaust them. */ if (b->length == (apr_size_t)-1) { apr_size_t len; const char *data; rv = apr_bucket_read(b, &data, &len, APR_BLOCK_READ); if (rv != APR_SUCCESS) { rc = HTTP_BAD_REQUEST; goto cleanup; } } apr_bucket_delete(b); } } cleanup: apr_brigade_cleanup(bb); if (rc != OK) { c->keepalive = AP_CONN_CLOSE; } return rc; } /* Here we deal with getting the request message body from the client. * Whether or not the request contains a body is signaled by the presence * of a non-zero Content-Length or by a Transfer-Encoding: chunked. * * Note that this is more complicated than it was in Apache 1.1 and prior * versions, because chunked support means that the module does less. * * The proper procedure is this: * * 1. Call ap_setup_client_block() near the beginning of the request * handler. This will set up all the necessary properties, and will * return either OK, or an error code. If the latter, the module should * return that error code. The second parameter selects the policy to * apply if the request message indicates a body, and how a chunked * transfer-coding should be interpreted. Choose one of * * REQUEST_NO_BODY Send 413 error if message has any body * REQUEST_CHUNKED_ERROR Send 411 error if body without Content-Length * REQUEST_CHUNKED_DECHUNK If chunked, remove the chunks for me. * REQUEST_CHUNKED_PASS If chunked, pass the chunk headers with body. * * In order to use the last two options, the caller MUST provide a buffer * large enough to hold a chunk-size line, including any extensions. * * 2. When you are ready to read a body (if any), call ap_should_client_block(). * This will tell the module whether or not to read input. If it is 0, * the module should assume that there is no message body to read. * * 3. Finally, call ap_get_client_block in a loop. Pass it a buffer and its size. * It will put data into the buffer (not necessarily a full buffer), and * return the length of the input block. When it is done reading, it will * return 0 if EOF, or -1 if there was an error. * If an error occurs on input, we force an end to keepalive. * * This step also sends a 100 Continue response to HTTP/1.1 clients if appropriate. */ AP_DECLARE(int) ap_setup_client_block(request_rec *r, int read_policy) { const char *lenp = apr_table_get(r->headers_in, "Content-Length"); apr_off_t limit_req_body = ap_get_limit_req_body(r); r->read_body = read_policy; r->read_chunked = 0; r->remaining = 0; if (r->body_indeterminate) { /* Protocols like HTTP/2 can carry bodies without length and * HTTP/1.1 has chunked encoding signalled via this note. */ if (r->read_body == REQUEST_CHUNKED_ERROR) { ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(01593) "indeterminate request body length forbidden: %s", r->uri); r->read_chunked = 0; return (lenp) ? HTTP_BAD_REQUEST : HTTP_LENGTH_REQUIRED; } r->read_chunked = 1; } else if (lenp) { if (!ap_parse_strict_length(&r->remaining, lenp)) { r->remaining = 0; ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(01594) "Invalid Content-Length '%s'", lenp); return HTTP_BAD_REQUEST; } } if ((r->read_body == REQUEST_NO_BODY) && (r->read_chunked || (r->remaining > 0))) { ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(01595) "%s with body is not allowed for %s", r->method, r->uri); return HTTP_REQUEST_ENTITY_TOO_LARGE; } if (limit_req_body > 0 && (r->remaining > limit_req_body)) { /* 01588 msg in HTTP_IN filter will be skipped for a connection-dropping status, * in r->status, so log a similar message here. */ ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(10483) "Requested content-length of %" APR_OFF_T_FMT " is larger than the configured limit" " of %" APR_OFF_T_FMT, r->remaining, limit_req_body); return HTTP_REQUEST_ENTITY_TOO_LARGE; } #ifdef AP_DEBUG { /* Make sure ap_getline() didn't leave any droppings. */ core_request_config *req_cfg = (core_request_config *)ap_get_core_module_config(r->request_config); AP_DEBUG_ASSERT(APR_BRIGADE_EMPTY(req_cfg->bb)); } #endif return OK; } AP_DECLARE(int) ap_should_client_block(request_rec *r) { /* First check if we have already read the request body */ if (r->read_length || (!r->read_chunked && (r->remaining <= 0))) { return 0; } return 1; } /* get_client_block is called in a loop to get the request message body. * This is quite simple if the client includes a content-length * (the normal case), but gets messy if the body is chunked. Note that * r->remaining is used to maintain state across calls and that * r->read_length is the total number of bytes given to the caller * across all invocations. It is messy because we have to be careful not * to read past the data provided by the client, since these reads block. * Returns 0 on End-of-body, -1 on error or premature chunk end. * */ AP_DECLARE(long) ap_get_client_block(request_rec *r, char *buffer, apr_size_t bufsiz) { apr_status_t rv; apr_bucket_brigade *bb; if (r->remaining < 0 || (!r->read_chunked && r->remaining == 0)) { return 0; } bb = apr_brigade_create(r->pool, r->connection->bucket_alloc); if (bb == NULL) { r->connection->keepalive = AP_CONN_CLOSE; return -1; } rv = ap_get_brigade(r->input_filters, bb, AP_MODE_READBYTES, APR_BLOCK_READ, bufsiz); /* We lose the failure code here. This is why ap_get_client_block should * not be used. */ if (rv == AP_FILTER_ERROR) { /* AP_FILTER_ERROR means a filter has responded already, * we are DONE. */ apr_brigade_destroy(bb); return -1; } if (rv != APR_SUCCESS) { apr_bucket *e; /* work around our silent swallowing of error messages by mapping * error codes at this point, and sending an error bucket back * upstream. */ apr_brigade_cleanup(bb); e = ap_bucket_error_create( ap_map_http_request_error(rv, HTTP_BAD_REQUEST), NULL, r->pool, r->connection->bucket_alloc); APR_BRIGADE_INSERT_TAIL(bb, e); e = apr_bucket_eos_create(r->connection->bucket_alloc); APR_BRIGADE_INSERT_TAIL(bb, e); rv = ap_pass_brigade(r->output_filters, bb); if (APR_SUCCESS != rv) { ap_log_rerror(APLOG_MARK, APLOG_INFO, rv, r, APLOGNO(02484) "Error while writing error response"); } /* if we actually fail here, we want to just return and * stop trying to read data from the client. */ r->connection->keepalive = AP_CONN_CLOSE; apr_brigade_destroy(bb); return -1; } /* If this fails, it means that a filter is written incorrectly and that * it needs to learn how to properly handle APR_BLOCK_READ requests by * returning data when requested. */ AP_DEBUG_ASSERT(!APR_BRIGADE_EMPTY(bb)); /* Check to see if EOS in the brigade. * * If so, we have to leave a nugget for the *next* ap_get_client_block * call to return 0. */ if (APR_BUCKET_IS_EOS(APR_BRIGADE_LAST(bb))) { if (r->read_chunked) { r->remaining = -1; } else { r->remaining = 0; } } rv = apr_brigade_flatten(bb, buffer, &bufsiz); if (rv != APR_SUCCESS) { apr_brigade_destroy(bb); return -1; } /* XXX yank me? */ r->read_length += bufsiz; apr_brigade_destroy(bb); return bufsiz; } /* Context struct for ap_http_outerror_filter */ typedef struct { int seen_eoc; int first_error; } outerror_filter_ctx_t; /* Filter to handle any error buckets on output */ apr_status_t ap_http_outerror_filter(ap_filter_t *f, apr_bucket_brigade *b) { request_rec *r = f->r; outerror_filter_ctx_t *ctx = (outerror_filter_ctx_t *)(f->ctx); apr_bucket *e; /* Create context if none is present */ if (!ctx) { ctx = apr_pcalloc(r->pool, sizeof(outerror_filter_ctx_t)); f->ctx = ctx; } for (e = APR_BRIGADE_FIRST(b); e != APR_BRIGADE_SENTINEL(b); e = APR_BUCKET_NEXT(e)) { if (AP_BUCKET_IS_ERROR(e)) { /* * Start of error handling state tree. Just one condition * right now :) */ if (((ap_bucket_error *)(e->data))->status == HTTP_BAD_GATEWAY || ((ap_bucket_error *)(e->data))->status == HTTP_GATEWAY_TIME_OUT) { /* stream aborted and we have not ended it yet */ r->connection->keepalive = AP_CONN_CLOSE; } /* * Memorize the status code of the first error bucket for possible * later use. */ if (!ctx->first_error) { ctx->first_error = ((ap_bucket_error *)(e->data))->status; } continue; } /* Detect EOC buckets and memorize this in the context. */ if (AP_BUCKET_IS_EOC(e)) { r->connection->keepalive = AP_CONN_CLOSE; ctx->seen_eoc = 1; } } /* * Remove all data buckets that are in a brigade after an EOC bucket * was seen, as an EOC bucket tells us that no (further) resource * and protocol data should go out to the client. OTOH meta buckets * are still welcome as they might trigger needed actions down in * the chain (e.g. in network filters like SSL). * Remark 1: It is needed to dump ALL data buckets in the brigade * since an filter in between might have inserted data * buckets BEFORE the EOC bucket sent by the original * sender and we do NOT want this data to be sent. * Remark 2: Dumping all data buckets here does not necessarily mean * that no further data is send to the client as: * 1. Network filters like SSL can still be triggered via * meta buckets to talk with the client e.g. for a * clean shutdown. * 2. There could be still data that was buffered before * down in the chain that gets flushed by a FLUSH or an * EOS bucket. */ if (ctx->seen_eoc) { /* * Set the request status to the status of the first error bucket. * This should ensure that we log an appropriate status code in * the access log. * We need to set r->status on each call after we noticed an EOC as * data bucket generators like ap_die might have changed the status * code. But we know better in this case and insist on the status * code that we have seen in the error bucket. */ if (ctx->first_error) { r->status = ctx->first_error; } e = APR_BRIGADE_FIRST(b); while (e != APR_BRIGADE_SENTINEL(b)) { apr_bucket *c = e; e = APR_BUCKET_NEXT(e); if (!APR_BUCKET_IS_METADATA(c)) { apr_bucket_delete(c); } } } return ap_pass_brigade(f->next, b); } /* fill "bb" with a barebones/initial HTTP/1.x response header */ static void h1_append_response_head(request_rec *r, ap_bucket_response *resp, const char *protocol, apr_bucket_brigade *bb) { const char *date = NULL; const char *server = NULL; const char *status_line; struct iovec vec[4]; if (r->assbackwards) { /* there are no headers to send */ return; } /* Output the HTTP/1.x Status-Line and the Date and Server fields */ if (resp->reason) { status_line = apr_psprintf(r->pool, "%d %s", resp->status, resp->reason); } else { status_line = ap_get_status_line_ex(r->pool, resp->status); } vec[0].iov_base = (void *)protocol; vec[0].iov_len = strlen(protocol); vec[1].iov_base = (void *)" "; vec[1].iov_len = sizeof(" ") - 1; vec[2].iov_base = (void *)(status_line); vec[2].iov_len = strlen(status_line); vec[3].iov_base = (void *)CRLF; vec[3].iov_len = sizeof(CRLF) - 1; #if APR_CHARSET_EBCDIC { char *tmp; apr_size_t len; tmp = apr_pstrcatv(r->pool, vec, 4, &len); ap_xlate_proto_to_ascii(tmp, len); apr_brigade_write(bb, NULL, NULL, tmp, len); } #else apr_brigade_writev(bb, NULL, NULL, vec, 4); #endif date = apr_table_get(resp->headers, "Date"); server = apr_table_get(resp->headers, "Server"); if (date) { /* We always write that as first, just because we * always did and some quirky clients might rely on that. */ ap_h1_append_header(bb, r->pool, "Date", date); apr_table_unset(resp->headers, "Date"); } if (server) { /* We always write that second, just because we * always did and some quirky clients might rely on that. */ ap_h1_append_header(bb, r->pool, "Server", server); apr_table_unset(resp->headers, "Server"); } if (APLOGrtrace3(r)) { ap_log_rerror(APLOG_MARK, APLOG_TRACE3, 0, r, "Response sent with status %d%s", r->status, APLOGrtrace4(r) ? ", headers:" : ""); /* * Date and Server are less interesting, use TRACE5 for them while * using TRACE4 for the other headers. */ if (date) ap_log_rerror(APLOG_MARK, APLOG_TRACE5, 0, r, " Date: %s", date); if (server) ap_log_rerror(APLOG_MARK, APLOG_TRACE5, 0, r, " Server: %s", server); } } typedef struct h1_response_ctx { int final_response_sent; /* strict: a response status >= 200 was sent */ int discard_body; /* the response is header only, discard body */ apr_bucket_brigade *tmpbb; } h1_response_ctx; apr_status_t ap_h1_response_out_filter(ap_filter_t *f, apr_bucket_brigade *b) { request_rec *r = f->r; conn_rec *c = r->connection; apr_bucket *e, *next = NULL; h1_response_ctx *ctx = f->ctx; apr_status_t rv = APR_SUCCESS; core_server_config *conf = ap_get_core_module_config(r->server->module_config); int strict = (conf->http_conformance != AP_HTTP_CONFORMANCE_UNSAFE); AP_DEBUG_ASSERT(!r->main); if (!ctx) { ctx = f->ctx = apr_pcalloc(r->pool, sizeof(*ctx)); } for (e = APR_BRIGADE_FIRST(b); e != APR_BRIGADE_SENTINEL(b); e = next) { next = APR_BUCKET_NEXT(e); if (APR_BUCKET_IS_METADATA(e)) { if (APR_BUCKET_IS_EOS(e)) { if (!ctx->final_response_sent) { /* should not happen. do we generate a 500 here? */ } ap_remove_output_filter(f); goto pass; } else if (AP_BUCKET_IS_RESPONSE(e)) { ap_bucket_response *resp = e->data; ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r, "ap_h1_response_out_filter seeing response bucket status=%d", resp->status); if (strict && resp->status < 100) { /* error, not a valid http status */ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10386) "ap_h1_response_out_filter seeing headers " "status=%d in strict mode", resp->status); rv = AP_FILTER_ERROR; goto cleanup; } else if (ctx->final_response_sent) { /* already sent the final response for the request. */ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10387) "ap_h1_response_out_filter seeing headers " "status=%d after final response already sent", resp->status); rv = AP_FILTER_ERROR; goto cleanup; } else { /* a response status to transcode, might be final or interim */ const char *proto = AP_SERVER_PROTOCOL; ctx->final_response_sent = (resp->status >= 200) || (!strict && resp->status < 100); ctx->discard_body = ctx->final_response_sent && (r->header_only || AP_STATUS_IS_HEADER_ONLY(resp->status)); if (!ctx->tmpbb) { ctx->tmpbb = apr_brigade_create(r->pool, c->bucket_alloc); } if (next != APR_BRIGADE_SENTINEL(b)) { apr_brigade_split_ex(b, next, ctx->tmpbb); } if (ctx->final_response_sent) { ap_h1_set_keepalive(r, resp); if (AP_STATUS_IS_HEADER_ONLY(resp->status)) { apr_table_unset(resp->headers, "Transfer-Encoding"); } else if (r->chunked) { apr_table_mergen(resp->headers, "Transfer-Encoding", "chunked"); apr_table_unset(resp->headers, "Content-Length"); } } /* kludge around broken browsers when indicated by force-response-1.0 */ if (r->proto_num == HTTP_VERSION(1,0) && apr_table_get(r->subprocess_env, "force-response-1.0")) { r->connection->keepalive = AP_CONN_CLOSE; proto = "HTTP/1.0"; } h1_append_response_head(r, resp, proto, b); ap_h1_append_headers(b, r, resp->headers); ap_h1_terminate_header(b); apr_bucket_delete(e); if (ctx->final_response_sent && r->chunked) { /* We can't add this filter until we have already sent the headers. * If we add it before this point, then the headers will be chunked * as well, and that is just wrong. */ rv = ap_pass_brigade(f->next, b); apr_brigade_cleanup(b); ap_log_rerror(APLOG_MARK, APLOG_TRACE2, rv, r, "ap_h1_response_out_filter passed response" ", add CHUNK filter"); if (APR_SUCCESS != rv) { apr_brigade_cleanup(ctx->tmpbb); goto cleanup; } ap_add_output_filter("CHUNK", NULL, r, r->connection); } APR_BRIGADE_CONCAT(b, ctx->tmpbb); if (resp->status == HTTP_SWITCHING_PROTOCOLS) { /* switched to another protocol, get out of the way */ AP_DEBUG_ASSERT(!r->chunked); ap_remove_output_filter(f); goto pass; } } } } else if (!ctx->final_response_sent && strict) { /* data buckets before seeing the final response are in error. */ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10390) "ap_h1_response_out_filter seeing data before headers, %ld bytes ", (long)e->length); rv = AP_FILTER_ERROR; goto cleanup; } else if (ctx->discard_body) { apr_bucket_delete(e); } } pass: rv = ap_pass_brigade(f->next, b); cleanup: return rv; } static const char *get_status_reason(const char *status_line) { if (status_line && strlen(status_line) > 4) { return status_line + 4; } return NULL; } static void merge_response_headers(request_rec *r) { const char *ctype; /* * Now that we are ready to send a response, we need to combine the two * header field tables into a single table. If we don't do this, our * later attempts to set or unset a given fieldname might be bypassed. */ if (!apr_is_empty_table(r->err_headers_out)) { r->headers_out = apr_table_overlay(r->pool, r->err_headers_out, r->headers_out); apr_table_clear(r->err_headers_out); } ap_set_std_response_headers(r); /* * Remove the 'Vary' header field if the client can't handle it. * Since this will have nasty effects on HTTP/1.1 caches, force * the response into HTTP/1.0 mode. * * Note: the force-response-1.0 should come before the call to * basic_http_header_check() */ if (apr_table_get(r->subprocess_env, "force-no-vary") != NULL) { apr_table_unset(r->headers_out, "Vary"); r->proto_num = HTTP_VERSION(1,0); apr_table_setn(r->subprocess_env, "force-response-1.0", "1"); } else { fixup_vary(r); } /* Determine the protocol and whether we should use keepalives. */ basic_http_header_check(r); /* * Now remove any ETag response header field if earlier processing * says so (such as a 'FileETag None' directive). */ if (apr_table_get(r->notes, "no-etag") != NULL) { apr_table_unset(r->headers_out, "ETag"); } /* * Control cachability for non-cacheable responses if not already set by * some other part of the server configuration. */ if (r->no_cache && !apr_table_get(r->headers_out, "Expires")) { char *date = apr_palloc(r->pool, APR_RFC822_DATE_LEN); ap_recent_rfc822_date(date, r->request_time); apr_table_addn(r->headers_out, "Expires", date); } /* 204/304 responses don't have content related headers */ if (AP_STATUS_IS_HEADER_ONLY(r->status)) { apr_table_unset(r->headers_out, "Transfer-Encoding"); apr_table_unset(r->headers_out, "Content-Length"); r->content_type = r->content_encoding = NULL; r->content_languages = NULL; r->clength = r->chunked = 0; } ctype = ap_make_content_type(r, r->content_type); if (ctype) { apr_table_setn(r->headers_out, "Content-Type", ctype); } if (r->content_encoding) { apr_table_setn(r->headers_out, "Content-Encoding", r->content_encoding); } if (!apr_is_empty_array(r->content_languages)) { int i; char *token; char **languages = (char **)(r->content_languages->elts); const char *field = apr_table_get(r->headers_out, "Content-Language"); while (field && (token = ap_get_list_item(r->pool, &field)) != NULL) { for (i = 0; i < r->content_languages->nelts; ++i) { if (!ap_cstr_casecmp(token, languages[i])) break; } if (i == r->content_languages->nelts) { *((char **) apr_array_push(r->content_languages)) = token; } } field = apr_array_pstrcat(r->pool, r->content_languages, ','); apr_table_setn(r->headers_out, "Content-Language", field); } } static apr_bucket *create_response_bucket(request_rec *r, apr_bucket_alloc_t *bucket_alloc) { /* r->headers_out fully prepared. Create a headers bucket * containing the response to send down the filter chain. */ return ap_bucket_response_create(r->status, get_status_reason(r->status_line), r->headers_out, r->notes, r->pool, bucket_alloc); } static apr_bucket *create_trailers_bucket(request_rec *r, apr_bucket_alloc_t *bucket_alloc) { if (r->trailers_out && !apr_is_empty_table(r->trailers_out)) { ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r, "sending trailers"); return ap_bucket_headers_create(r->trailers_out, r->pool, bucket_alloc); } return NULL; } typedef struct h1_request_ctx { enum { REQ_LINE, /* reading 1st request line */ REQ_HEADERS, /* reading header lines */ REQ_BODY, /* reading body follows, terminal */ REQ_ERROR, /* failed, terminal */ } state; request_rec *r; char *request_line; const char *method; const char *uri; const char *protocol; } h1_request_ctx; static apr_status_t read_request_line(h1_request_ctx *ctx, apr_bucket_brigade *bb) { apr_size_t len; int num_blank_lines = DEFAULT_LIMIT_BLANK_LINES; core_server_config *conf = ap_get_core_module_config(ctx->r->server->module_config); int strict = (conf->http_conformance != AP_HTTP_CONFORMANCE_UNSAFE); apr_status_t rv; /* Read past empty lines until we get a real request line, * a read error, the connection closes (EOF), or we timeout. * * We skip empty lines because browsers have to tack a CRLF on to the end * of POSTs to support old CERN webservers. But note that we may not * have flushed any previous response completely to the client yet. * We delay the flush as long as possible so that we can improve * performance for clients that are pipelining requests. If a request * is pipelined then we won't block during the (implicit) read() below. * If the requests aren't pipelined, then the client is still waiting * for the final buffer flush from us, and we will block in the implicit * read(). B_SAFEREAD ensures that the BUFF layer flushes if it will * have to block during a read. */ do { /* ensure ap_rgetline allocates memory each time thru the loop * if there are empty lines */ ctx->request_line = NULL; len = 0; rv = ap_rgetline(&ctx->request_line, (apr_size_t)(ctx->r->server->limit_req_line + 2), &len, ctx->r, strict ? AP_GETLINE_CRLF : 0, bb); if (rv != APR_SUCCESS) { return rv; } else if (len > 0) { /* got the line in ctx->r->the_request */ return APR_SUCCESS; } } while (--num_blank_lines >= 0); /* too many blank lines */ return APR_EINVAL; } static void sanitize_brigade(apr_bucket_brigade *bb) { apr_bucket *e, *next; for (e = APR_BRIGADE_FIRST(bb); e != APR_BRIGADE_SENTINEL(bb); e = next) { next = APR_BUCKET_NEXT(e); if (!APR_BUCKET_IS_METADATA(e) && e->length == 0) { apr_bucket_delete(e); } } } apr_status_t ap_h1_request_in_filter(ap_filter_t *f, apr_bucket_brigade *bb, ap_input_mode_t mode, apr_read_type_e block, apr_off_t readbytes) { request_rec *r = f->r; apr_bucket *e; h1_request_ctx *ctx = f->ctx; apr_status_t rv = APR_SUCCESS; int http_status = HTTP_OK; /* just get out of the way for things we don't want to handle. */ if (mode != AP_MODE_READBYTES && mode != AP_MODE_GETLINE) { return ap_get_brigade(f->next, bb, mode, block, readbytes); } if (!ctx) { f->ctx = ctx = apr_pcalloc(r->pool, sizeof(*ctx)); ctx->r = r; ctx->state = REQ_LINE; } /* This filter needs to get out of the way of read_request_line() */ ap_remove_input_filter(f); while (APR_SUCCESS == rv) { switch (ctx->state) { case REQ_LINE: if ((rv = read_request_line(ctx, bb)) != APR_SUCCESS) { /* certain failures are answered with a HTTP error bucket * and are terminal for parsing a request */ ctx->method = ctx->uri = "-"; ctx->protocol = "HTTP/1.0"; if (APR_STATUS_IS_ENOSPC(rv)) { http_status = HTTP_REQUEST_URI_TOO_LARGE; } else if (APR_STATUS_IS_TIMEUP(rv)) { http_status = HTTP_REQUEST_TIME_OUT; } else if (APR_STATUS_IS_BADARG(rv)) { http_status = HTTP_BAD_REQUEST; } else if (APR_STATUS_IS_EINVAL(rv)) { http_status = HTTP_BAD_REQUEST; } goto cleanup; } if (!ap_h1_tokenize_request_line(r, ctx->request_line, &ctx->method, &ctx->uri, &ctx->protocol)) { http_status = HTTP_BAD_REQUEST; goto cleanup; } /* got the request line and it looked to contain what we need */ ctx->state = REQ_HEADERS; break; case REQ_HEADERS: ap_get_mime_headers_core(r, bb); if (r->status != HTTP_OK) { ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(00567) "request failed: error reading the headers"); http_status = r->status; goto cleanup; } /* clear the brigade, as ap_get_mime_headers_core() leaves the last * empty line in there, insert the REQUEST bucket and return */ apr_brigade_cleanup(bb); e = ap_bucket_request_createn(ctx->method, ctx->uri, ctx->protocol, r->headers_in, r->pool, r->connection->bucket_alloc); /* reading may leave 0 length data buckets in the brigade, * get rid of those. */ sanitize_brigade(bb); APR_BRIGADE_INSERT_HEAD(bb, e); ctx->state = REQ_BODY; ap_log_rerror(APLOG_MARK, APLOG_TRACE1, rv, r, "http1 request and headers parsed: %s %s %s", ctx->method, ctx->uri, ctx->protocol); goto cleanup; case REQ_BODY: /* we should not come here */ AP_DEBUG_ASSERT(0); rv = ap_get_brigade(f->next, bb, mode, block, readbytes); goto cleanup; case REQ_ERROR: default: rv = APR_EINVAL; goto cleanup; } } /* while(APR_SUCCESS == rv) */ cleanup: if (http_status != HTTP_OK) { ap_log_rerror(APLOG_MARK, APLOG_TRACE3, 0, r, "failed reading request line, returning error bucket %d", http_status); apr_brigade_cleanup(bb); e = ap_bucket_error_create(http_status, NULL, r->pool, f->c->bucket_alloc); APR_BRIGADE_INSERT_TAIL(bb, e); ctx->state = REQ_ERROR; return APR_SUCCESS; } return rv; }