1/* Licensed to the Apache Software Foundation (ASF) under one or more 2 * contributor license agreements. See the NOTICE file distributed with 3 * this work for additional information regarding copyright ownership. 4 * The ASF licenses this file to You under the Apache License, Version 2.0 5 * (the "License"); you may not use this file except in compliance with 6 * the License. You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17/* 18 * http_filter.c --- HTTP routines which either filters or deal with filters. 19 */ 20 21#include "apr.h" 22#include "apr_strings.h" 23#include "apr_buckets.h" 24#include "apr_lib.h" 25#include "apr_signal.h" 26 27#define APR_WANT_STDIO /* for sscanf */ 28#define APR_WANT_STRFUNC 29#define APR_WANT_MEMFUNC 30#include "apr_want.h" 31 32#define CORE_PRIVATE 33#include "util_filter.h" 34#include "ap_config.h" 35#include "httpd.h" 36#include "http_config.h" 37#include "http_core.h" 38#include "http_protocol.h" 39#include "http_main.h" 40#include "http_request.h" 41#include "http_vhost.h" 42#include "http_connection.h" 43#include "http_log.h" /* For errors detected in basic auth common 44 * support code... */ 45#include "apr_date.h" /* For apr_date_parse_http and APR_DATE_BAD */ 46#include "util_charset.h" 47#include "util_ebcdic.h" 48#include "util_time.h" 49 50#include "mod_core.h" 51 52#if APR_HAVE_STDARG_H 53#include <stdarg.h> 54#endif 55#if APR_HAVE_UNISTD_H 56#include <unistd.h> 57#endif 58 59#define INVALID_CHAR -2 60 61static long get_chunk_size(char *); 62 63typedef struct http_filter_ctx { 64 apr_off_t remaining; 65 apr_off_t limit; 66 apr_off_t limit_used; 67 enum { 68 BODY_NONE, 69 BODY_LENGTH, 70 BODY_CHUNK, 71 BODY_CHUNK_PART 72 } state; 73 int eos_sent; 74 char chunk_ln[32]; 75 char *pos; 76 apr_off_t linesize; 77 apr_bucket_brigade *bb; 78} http_ctx_t; 79 80static apr_status_t bail_out_on_error(http_ctx_t *ctx, 81 ap_filter_t *f, 82 int http_error) 83{ 84 apr_bucket *e; 85 apr_bucket_brigade *bb = ctx->bb; 86 87 apr_brigade_cleanup(bb); 88 e = ap_bucket_error_create(http_error, 89 NULL, f->r->pool, 90 f->c->bucket_alloc); 91 APR_BRIGADE_INSERT_TAIL(bb, e); 92 e = apr_bucket_eos_create(f->c->bucket_alloc); 93 APR_BRIGADE_INSERT_TAIL(bb, e); 94 ctx->eos_sent = 1; 95 return ap_pass_brigade(f->r->output_filters, bb); 96} 97 98static apr_status_t get_remaining_chunk_line(http_ctx_t *ctx, 99 apr_bucket_brigade *b, 100 int linelimit) 101{ 102 apr_status_t rv; 103 apr_off_t brigade_length; 104 apr_bucket *e; 105 const char *lineend; 106 apr_size_t len; 107 108 /* 109 * As the brigade b should have been requested in mode AP_MODE_GETLINE 110 * all buckets in this brigade are already some type of memory 111 * buckets (due to the needed scanning for LF in mode AP_MODE_GETLINE) 112 * or META buckets. 113 */ 114 rv = apr_brigade_length(b, 0, &brigade_length); 115 if (rv != APR_SUCCESS) { 116 return rv; 117 } 118 /* Sanity check. Should never happen. See above. */ 119 if (brigade_length == -1) { 120 return APR_EGENERAL; 121 } 122 if (!brigade_length) { 123 return APR_EAGAIN; 124 } 125 ctx->linesize += brigade_length; 126 if (ctx->linesize > linelimit) { 127 return APR_ENOSPC; 128 } 129 /* 130 * As all buckets are already some type of memory buckets or META buckets 131 * (see above), we only need to check the last byte in the last data bucket. 132 */ 133 for (e = APR_BRIGADE_LAST(b); 134 e != APR_BRIGADE_SENTINEL(b); 135 e = APR_BUCKET_PREV(e)) { 136 137 if (APR_BUCKET_IS_METADATA(e)) { 138 continue; 139 } 140 rv = apr_bucket_read(e, &lineend, &len, APR_BLOCK_READ); 141 if (rv != APR_SUCCESS) { 142 return rv; 143 } 144 if (len > 0) { 145 break; /* we got the data we want */ 146 } 147 /* If we got a zero-length data bucket, we try the next one */ 148 } 149 /* We had no data in this brigade */ 150 if (!len || e == APR_BRIGADE_SENTINEL(b)) { 151 return APR_EAGAIN; 152 } 153 if (lineend[len - 1] != APR_ASCII_LF) { 154 return APR_EAGAIN; 155 } 156 /* Line is complete. So reset ctx->linesize for next round. */ 157 ctx->linesize = 0; 158 return APR_SUCCESS; 159} 160 161static apr_status_t get_chunk_line(http_ctx_t *ctx, apr_bucket_brigade *b, 162 int linelimit) 163{ 164 apr_size_t len; 165 int tmp_len; 166 apr_status_t rv; 167 168 tmp_len = sizeof(ctx->chunk_ln) - (ctx->pos - ctx->chunk_ln) - 1; 169 /* Saveguard ourselves against underflows */ 170 if (tmp_len < 0) { 171 len = 0; 172 } 173 else { 174 len = (apr_size_t) tmp_len; 175 } 176 /* 177 * Check if there is space left in ctx->chunk_ln. If not, then either 178 * the chunk size is insane or we have chunk-extensions. Ignore both 179 * by discarding the remaining part of the line via 180 * get_remaining_chunk_line. Only bail out if the line is too long. 181 */ 182 if (len > 0) { 183 rv = apr_brigade_flatten(b, ctx->pos, &len); 184 if (rv != APR_SUCCESS) { 185 return rv; 186 } 187 ctx->pos += len; 188 ctx->linesize += len; 189 *(ctx->pos) = '\0'; 190 /* 191 * Check if we really got a full line. If yes the 192 * last char in the just read buffer must be LF. 193 * If not advance the buffer and return APR_EAGAIN. 194 * We do not start processing until we have the 195 * full line. 196 */ 197 if (ctx->pos[-1] != APR_ASCII_LF) { 198 /* Check if the remaining data in the brigade has the LF */ 199 return get_remaining_chunk_line(ctx, b, linelimit); 200 } 201 /* Line is complete. So reset ctx->pos for next round. */ 202 ctx->pos = ctx->chunk_ln; 203 return APR_SUCCESS; 204 } 205 return get_remaining_chunk_line(ctx, b, linelimit); 206} 207 208 209/* This is the HTTP_INPUT filter for HTTP requests and responses from 210 * proxied servers (mod_proxy). It handles chunked and content-length 211 * bodies. This can only be inserted/used after the headers 212 * are successfully parsed. 213 */ 214apr_status_t ap_http_filter(ap_filter_t *f, apr_bucket_brigade *b, 215 ap_input_mode_t mode, apr_read_type_e block, 216 apr_off_t readbytes) 217{ 218 apr_bucket *e; 219 http_ctx_t *ctx = f->ctx; 220 apr_status_t rv; 221 apr_off_t totalread; 222 int http_error = HTTP_REQUEST_ENTITY_TOO_LARGE; 223 apr_bucket_brigade *bb; 224 225 /* just get out of the way of things we don't want. */ 226 if (mode != AP_MODE_READBYTES && mode != AP_MODE_GETLINE) { 227 return ap_get_brigade(f->next, b, mode, block, readbytes); 228 } 229 230 if (!ctx) { 231 const char *tenc, *lenp; 232 f->ctx = ctx = apr_pcalloc(f->r->pool, sizeof(*ctx)); 233 ctx->state = BODY_NONE; 234 ctx->pos = ctx->chunk_ln; 235 ctx->bb = apr_brigade_create(f->r->pool, f->c->bucket_alloc); 236 bb = ctx->bb; 237 238 /* LimitRequestBody does not apply to proxied responses. 239 * Consider implementing this check in its own filter. 240 * Would adding a directive to limit the size of proxied 241 * responses be useful? 242 */ 243 if (!f->r->proxyreq) { 244 ctx->limit = ap_get_limit_req_body(f->r); 245 } 246 else { 247 ctx->limit = 0; 248 } 249 250 tenc = apr_table_get(f->r->headers_in, "Transfer-Encoding"); 251 lenp = apr_table_get(f->r->headers_in, "Content-Length"); 252 253 if (tenc) { 254 if (!strcasecmp(tenc, "chunked")) { 255 ctx->state = BODY_CHUNK; 256 } 257 /* test lenp, because it gives another case we can handle */ 258 else if (!lenp) { 259 /* Something that isn't in HTTP, unless some future 260 * edition defines new transfer ecodings, is unsupported. 261 */ 262 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, f->r, 263 "Unknown Transfer-Encoding: %s", tenc); 264 return bail_out_on_error(ctx, f, HTTP_NOT_IMPLEMENTED); 265 } 266 else { 267 ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, f->r, 268 "Unknown Transfer-Encoding: %s; using Content-Length", tenc); 269 tenc = NULL; 270 } 271 } 272 if (lenp && !tenc) { 273 char *endstr; 274 275 ctx->state = BODY_LENGTH; 276 errno = 0; 277 278 /* Protects against over/underflow, non-digit chars in the 279 * string (excluding leading space) (the endstr checks) 280 * and a negative number. */ 281 if (apr_strtoff(&ctx->remaining, lenp, &endstr, 10) 282 || endstr == lenp || *endstr || ctx->remaining < 0) { 283 284 ctx->remaining = 0; 285 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, f->r, 286 "Invalid Content-Length"); 287 288 return bail_out_on_error(ctx, f, HTTP_REQUEST_ENTITY_TOO_LARGE); 289 } 290 291 /* If we have a limit in effect and we know the C-L ahead of 292 * time, stop it here if it is invalid. 293 */ 294 if (ctx->limit && ctx->limit < ctx->remaining) { 295 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, f->r, 296 "Requested content-length of %" APR_OFF_T_FMT 297 " is larger than the configured limit" 298 " of %" APR_OFF_T_FMT, ctx->remaining, ctx->limit); 299 return bail_out_on_error(ctx, f, HTTP_REQUEST_ENTITY_TOO_LARGE); 300 } 301 } 302 303 /* If we don't have a request entity indicated by the headers, EOS. 304 * (BODY_NONE is a valid intermediate state due to trailers, 305 * but it isn't a valid starting state.) 306 * 307 * RFC 2616 Section 4.4 note 5 states that connection-close 308 * is invalid for a request entity - request bodies must be 309 * denoted by C-L or T-E: chunked. 310 * 311 * Note that since the proxy uses this filter to handle the 312 * proxied *response*, proxy responses MUST be exempt. 313 */ 314 if (ctx->state == BODY_NONE && f->r->proxyreq != PROXYREQ_RESPONSE) { 315 e = apr_bucket_eos_create(f->c->bucket_alloc); 316 APR_BRIGADE_INSERT_TAIL(b, e); 317 ctx->eos_sent = 1; 318 return APR_SUCCESS; 319 } 320 321 /* Since we're about to read data, send 100-Continue if needed. 322 * Only valid on chunked and C-L bodies where the C-L is > 0. */ 323 if ((ctx->state == BODY_CHUNK || 324 (ctx->state == BODY_LENGTH && ctx->remaining > 0)) && 325 f->r->expecting_100 && f->r->proto_num >= HTTP_VERSION(1,1) && 326 !(f->r->eos_sent || f->r->bytes_sent)) { 327 if (!ap_is_HTTP_SUCCESS(f->r->status)) { 328 ctx->state = BODY_NONE; 329 ctx->eos_sent = 1; 330 } else { 331 char *tmp; 332 int len; 333 334 /* if we send an interim response, we're no longer 335 * in a state of expecting one. 336 */ 337 f->r->expecting_100 = 0; 338 tmp = apr_pstrcat(f->r->pool, AP_SERVER_PROTOCOL, " ", 339 ap_get_status_line(100), CRLF CRLF, NULL); 340 len = strlen(tmp); 341 ap_xlate_proto_to_ascii(tmp, len); 342 apr_brigade_cleanup(bb); 343 e = apr_bucket_pool_create(tmp, len, f->r->pool, 344 f->c->bucket_alloc); 345 APR_BRIGADE_INSERT_HEAD(bb, e); 346 e = apr_bucket_flush_create(f->c->bucket_alloc); 347 APR_BRIGADE_INSERT_TAIL(bb, e); 348 349 ap_pass_brigade(f->c->output_filters, bb); 350 } 351 } 352 353 /* We can't read the chunk until after sending 100 if required. */ 354 if (ctx->state == BODY_CHUNK) { 355 apr_brigade_cleanup(bb); 356 357 rv = ap_get_brigade(f->next, bb, AP_MODE_GETLINE, 358 block, 0); 359 360 /* for timeout */ 361 if (block == APR_NONBLOCK_READ && 362 ( (rv == APR_SUCCESS && APR_BRIGADE_EMPTY(bb)) || 363 (APR_STATUS_IS_EAGAIN(rv)) )) { 364 ctx->state = BODY_CHUNK_PART; 365 return APR_EAGAIN; 366 } 367 368 if (rv == APR_SUCCESS) { 369 rv = get_chunk_line(ctx, bb, f->r->server->limit_req_line); 370 if (APR_STATUS_IS_EAGAIN(rv)) { 371 apr_brigade_cleanup(bb); 372 ctx->state = BODY_CHUNK_PART; 373 return rv; 374 } 375 if (rv == APR_SUCCESS) { 376 ctx->remaining = get_chunk_size(ctx->chunk_ln); 377 if (ctx->remaining == INVALID_CHAR) { 378 rv = APR_EGENERAL; 379 http_error = HTTP_SERVICE_UNAVAILABLE; 380 } 381 } 382 } 383 apr_brigade_cleanup(bb); 384 385 /* Detect chunksize error (such as overflow) */ 386 if (rv != APR_SUCCESS || ctx->remaining < 0) { 387 ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, f->r, "Error reading first chunk %s ", 388 (ctx->remaining < 0) ? "(overflow)" : ""); 389 ctx->remaining = 0; /* Reset it in case we have to 390 * come back here later */ 391 if (APR_STATUS_IS_TIMEUP(rv)) { 392 http_error = HTTP_REQUEST_TIME_OUT; 393 } 394 return bail_out_on_error(ctx, f, http_error); 395 } 396 397 if (!ctx->remaining) { 398 /* Handle trailers by calling ap_get_mime_headers again! */ 399 ctx->state = BODY_NONE; 400 ap_get_mime_headers(f->r); 401 e = apr_bucket_eos_create(f->c->bucket_alloc); 402 APR_BRIGADE_INSERT_TAIL(b, e); 403 ctx->eos_sent = 1; 404 return APR_SUCCESS; 405 } 406 } 407 } 408 else { 409 bb = ctx->bb; 410 } 411 412 if (ctx->eos_sent) { 413 e = apr_bucket_eos_create(f->c->bucket_alloc); 414 APR_BRIGADE_INSERT_TAIL(b, e); 415 return APR_SUCCESS; 416 } 417 418 if (!ctx->remaining) { 419 switch (ctx->state) { 420 case BODY_NONE: 421 break; 422 case BODY_LENGTH: 423 e = apr_bucket_eos_create(f->c->bucket_alloc); 424 APR_BRIGADE_INSERT_TAIL(b, e); 425 ctx->eos_sent = 1; 426 return APR_SUCCESS; 427 case BODY_CHUNK: 428 case BODY_CHUNK_PART: 429 { 430 apr_brigade_cleanup(bb); 431 432 /* We need to read the CRLF after the chunk. */ 433 if (ctx->state == BODY_CHUNK) { 434 rv = ap_get_brigade(f->next, bb, AP_MODE_GETLINE, 435 block, 0); 436 if (block == APR_NONBLOCK_READ && 437 ( (rv == APR_SUCCESS && APR_BRIGADE_EMPTY(bb)) || 438 (APR_STATUS_IS_EAGAIN(rv)) )) { 439 return APR_EAGAIN; 440 } 441 /* If we get an error, then leave */ 442 if (rv != APR_SUCCESS) { 443 return rv; 444 } 445 /* 446 * We really don't care whats on this line. If it is RFC 447 * compliant it should be only \r\n. If there is more 448 * before we just ignore it as long as we do not get over 449 * the limit for request lines. 450 */ 451 rv = get_remaining_chunk_line(ctx, bb, 452 f->r->server->limit_req_line); 453 apr_brigade_cleanup(bb); 454 if (APR_STATUS_IS_EAGAIN(rv)) { 455 return rv; 456 } 457 } else { 458 rv = APR_SUCCESS; 459 } 460 461 if (rv == APR_SUCCESS) { 462 /* Read the real chunk line. */ 463 rv = ap_get_brigade(f->next, bb, AP_MODE_GETLINE, 464 block, 0); 465 /* Test timeout */ 466 if (block == APR_NONBLOCK_READ && 467 ( (rv == APR_SUCCESS && APR_BRIGADE_EMPTY(bb)) || 468 (APR_STATUS_IS_EAGAIN(rv)) )) { 469 ctx->state = BODY_CHUNK_PART; 470 return APR_EAGAIN; 471 } 472 ctx->state = BODY_CHUNK; 473 if (rv == APR_SUCCESS) { 474 rv = get_chunk_line(ctx, bb, f->r->server->limit_req_line); 475 if (APR_STATUS_IS_EAGAIN(rv)) { 476 ctx->state = BODY_CHUNK_PART; 477 apr_brigade_cleanup(bb); 478 return rv; 479 } 480 if (rv == APR_SUCCESS) { 481 ctx->remaining = get_chunk_size(ctx->chunk_ln); 482 if (ctx->remaining == INVALID_CHAR) { 483 rv = APR_EGENERAL; 484 http_error = HTTP_SERVICE_UNAVAILABLE; 485 } 486 } 487 } 488 apr_brigade_cleanup(bb); 489 } 490 491 /* Detect chunksize error (such as overflow) */ 492 if (rv != APR_SUCCESS || ctx->remaining < 0) { 493 ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, f->r, "Error reading chunk %s ", 494 (ctx->remaining < 0) ? "(overflow)" : ""); 495 ctx->remaining = 0; /* Reset it in case we have to 496 * come back here later */ 497 if (APR_STATUS_IS_TIMEUP(rv)) { 498 http_error = HTTP_REQUEST_TIME_OUT; 499 } 500 return bail_out_on_error(ctx, f, http_error); 501 } 502 503 if (!ctx->remaining) { 504 /* Handle trailers by calling ap_get_mime_headers again! */ 505 ctx->state = BODY_NONE; 506 ap_get_mime_headers(f->r); 507 e = apr_bucket_eos_create(f->c->bucket_alloc); 508 APR_BRIGADE_INSERT_TAIL(b, e); 509 ctx->eos_sent = 1; 510 return APR_SUCCESS; 511 } 512 } 513 break; 514 } 515 } 516 517 /* Ensure that the caller can not go over our boundary point. */ 518 if (ctx->state == BODY_LENGTH || ctx->state == BODY_CHUNK) { 519 if (ctx->remaining < readbytes) { 520 readbytes = ctx->remaining; 521 } 522 AP_DEBUG_ASSERT(readbytes > 0); 523 } 524 525 rv = ap_get_brigade(f->next, b, mode, block, readbytes); 526 527 if (rv != APR_SUCCESS) { 528 return rv; 529 } 530 531 /* How many bytes did we just read? */ 532 apr_brigade_length(b, 0, &totalread); 533 534 /* If this happens, we have a bucket of unknown length. Die because 535 * it means our assumptions have changed. */ 536 AP_DEBUG_ASSERT(totalread >= 0); 537 538 if (ctx->state != BODY_NONE) { 539 ctx->remaining -= totalread; 540 if (ctx->remaining > 0) { 541 e = APR_BRIGADE_LAST(b); 542 if (APR_BUCKET_IS_EOS(e)) 543 return APR_EOF; 544 } 545 } 546 547 /* If we have no more bytes remaining on a C-L request, 548 * save the callter a roundtrip to discover EOS. 549 */ 550 if (ctx->state == BODY_LENGTH && ctx->remaining == 0) { 551 e = apr_bucket_eos_create(f->c->bucket_alloc); 552 APR_BRIGADE_INSERT_TAIL(b, e); 553 } 554 555 /* We have a limit in effect. */ 556 if (ctx->limit) { 557 /* FIXME: Note that we might get slightly confused on chunked inputs 558 * as we'd need to compensate for the chunk lengths which may not 559 * really count. This seems to be up for interpretation. */ 560 ctx->limit_used += totalread; 561 if (ctx->limit < ctx->limit_used) { 562 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, f->r, 563 "Read content-length of %" APR_OFF_T_FMT 564 " is larger than the configured limit" 565 " of %" APR_OFF_T_FMT, ctx->limit_used, ctx->limit); 566 apr_brigade_cleanup(bb); 567 e = ap_bucket_error_create(HTTP_REQUEST_ENTITY_TOO_LARGE, NULL, 568 f->r->pool, 569 f->c->bucket_alloc); 570 APR_BRIGADE_INSERT_TAIL(bb, e); 571 e = apr_bucket_eos_create(f->c->bucket_alloc); 572 APR_BRIGADE_INSERT_TAIL(bb, e); 573 ctx->eos_sent = 1; 574 return ap_pass_brigade(f->r->output_filters, bb); 575 } 576 } 577 578 return APR_SUCCESS; 579} 580 581/** 582 * Parse a chunk extension, detect overflow. 583 * There are two error cases: 584 * 1) If the conversion would require too many bits, a -1 is returned. 585 * 2) If the conversion used the correct number of bits, but an overflow 586 * caused only the sign bit to flip, then that negative number is 587 * returned. 588 * In general, any negative number can be considered an overflow error. 589 */ 590static long get_chunk_size(char *b) 591{ 592 long chunksize = 0; 593 size_t chunkbits = sizeof(long) * 8; 594 595 ap_xlate_proto_from_ascii(b, strlen(b)); 596 597 if (!apr_isxdigit(*b)) { 598 /* 599 * Detect invalid character at beginning. This also works for empty 600 * chunk size lines. 601 */ 602 return INVALID_CHAR; 603 } 604 /* Skip leading zeros */ 605 while (*b == '0') { 606 ++b; 607 } 608 609 while (apr_isxdigit(*b) && (chunkbits > 0)) { 610 int xvalue = 0; 611 612 if (*b >= '0' && *b <= '9') { 613 xvalue = *b - '0'; 614 } 615 else if (*b >= 'A' && *b <= 'F') { 616 xvalue = *b - 'A' + 0xa; 617 } 618 else if (*b >= 'a' && *b <= 'f') { 619 xvalue = *b - 'a' + 0xa; 620 } 621 622 chunksize = (chunksize << 4) | xvalue; 623 chunkbits -= 4; 624 ++b; 625 } 626 if (apr_isxdigit(*b) && (chunkbits <= 0)) { 627 /* overflow */ 628 return -1; 629 } 630 631 return chunksize; 632} 633 634typedef struct header_struct { 635 apr_pool_t *pool; 636 apr_bucket_brigade *bb; 637} header_struct; 638 639/* Send a single HTTP header field to the client. Note that this function 640 * is used in calls to table_do(), so their interfaces are co-dependent. 641 * In other words, don't change this one without checking table_do in alloc.c. 642 * It returns true unless there was a write error of some kind. 643 */ 644static int form_header_field(header_struct *h, 645 const char *fieldname, const char *fieldval) 646{ 647#if APR_CHARSET_EBCDIC 648 char *headfield; 649 apr_size_t len; 650 apr_size_t name_len; 651 apr_size_t val_len; 652 char *next; 653 654 name_len = strlen(fieldname); 655 val_len = strlen(fieldval); 656 len = name_len + val_len + 4; /* 4 for ": " plus CRLF */ 657 headfield = (char *)apr_palloc(h->pool, len + 1); 658 memcpy(headfield, fieldname, name_len); 659 next = headfield + name_len; 660 *next++ = ':'; 661 *next++ = ' '; 662 memcpy(next, fieldval, val_len); 663 next += val_len; 664 *next++ = CR; 665 *next++ = LF; 666 *next = 0; 667 ap_xlate_proto_to_ascii(headfield, len); 668 apr_brigade_write(h->bb, NULL, NULL, headfield, len); 669#else 670 struct iovec vec[4]; 671 struct iovec *v = vec; 672 v->iov_base = (void *)fieldname; 673 v->iov_len = strlen(fieldname); 674 v++; 675 v->iov_base = ": "; 676 v->iov_len = sizeof(": ") - 1; 677 v++; 678 v->iov_base = (void *)fieldval; 679 v->iov_len = strlen(fieldval); 680 v++; 681 v->iov_base = CRLF; 682 v->iov_len = sizeof(CRLF) - 1; 683 apr_brigade_writev(h->bb, NULL, NULL, vec, 4); 684#endif /* !APR_CHARSET_EBCDIC */ 685 return 1; 686} 687 688/* This routine is called by apr_table_do and merges all instances of 689 * the passed field values into a single array that will be further 690 * processed by some later routine. Originally intended to help split 691 * and recombine multiple Vary fields, though it is generic to any field 692 * consisting of comma/space-separated tokens. 693 */ 694static int uniq_field_values(void *d, const char *key, const char *val) 695{ 696 apr_array_header_t *values; 697 char *start; 698 char *e; 699 char **strpp; 700 int i; 701 702 values = (apr_array_header_t *)d; 703 704 e = apr_pstrdup(values->pool, val); 705 706 do { 707 /* Find a non-empty fieldname */ 708 709 while (*e == ',' || apr_isspace(*e)) { 710 ++e; 711 } 712 if (*e == '\0') { 713 break; 714 } 715 start = e; 716 while (*e != '\0' && *e != ',' && !apr_isspace(*e)) { 717 ++e; 718 } 719 if (*e != '\0') { 720 *e++ = '\0'; 721 } 722 723 /* Now add it to values if it isn't already represented. 724 * Could be replaced by a ap_array_strcasecmp() if we had one. 725 */ 726 for (i = 0, strpp = (char **) values->elts; i < values->nelts; 727 ++i, ++strpp) { 728 if (*strpp && strcasecmp(*strpp, start) == 0) { 729 break; 730 } 731 } 732 if (i == values->nelts) { /* if not found */ 733 *(char **)apr_array_push(values) = start; 734 } 735 } while (*e != '\0'); 736 737 return 1; 738} 739 740/* 741 * Since some clients choke violently on multiple Vary fields, or 742 * Vary fields with duplicate tokens, combine any multiples and remove 743 * any duplicates. 744 */ 745static void fixup_vary(request_rec *r) 746{ 747 apr_array_header_t *varies; 748 749 varies = apr_array_make(r->pool, 5, sizeof(char *)); 750 751 /* Extract all Vary fields from the headers_out, separate each into 752 * its comma-separated fieldname values, and then add them to varies 753 * if not already present in the array. 754 */ 755 apr_table_do((int (*)(void *, const char *, const char *))uniq_field_values, 756 (void *) varies, r->headers_out, "Vary", NULL); 757 758 /* If we found any, replace old Vary fields with unique-ified value */ 759 760 if (varies->nelts > 0) { 761 apr_table_setn(r->headers_out, "Vary", 762 apr_array_pstrcat(r->pool, varies, ',')); 763 } 764} 765 766/* Send a request's HTTP response headers to the client. 767 */ 768static apr_status_t send_all_header_fields(header_struct *h, 769 const request_rec *r) 770{ 771 const apr_array_header_t *elts; 772 const apr_table_entry_t *t_elt; 773 const apr_table_entry_t *t_end; 774 struct iovec *vec; 775 struct iovec *vec_next; 776 777 elts = apr_table_elts(r->headers_out); 778 if (elts->nelts == 0) { 779 return APR_SUCCESS; 780 } 781 t_elt = (const apr_table_entry_t *)(elts->elts); 782 t_end = t_elt + elts->nelts; 783 vec = (struct iovec *)apr_palloc(h->pool, 4 * elts->nelts * 784 sizeof(struct iovec)); 785 vec_next = vec; 786 787 /* For each field, generate 788 * name ": " value CRLF 789 */ 790 do { 791 vec_next->iov_base = (void*)(t_elt->key); 792 vec_next->iov_len = strlen(t_elt->key); 793 vec_next++; 794 vec_next->iov_base = ": "; 795 vec_next->iov_len = sizeof(": ") - 1; 796 vec_next++; 797 vec_next->iov_base = (void*)(t_elt->val); 798 vec_next->iov_len = strlen(t_elt->val); 799 vec_next++; 800 vec_next->iov_base = CRLF; 801 vec_next->iov_len = sizeof(CRLF) - 1; 802 vec_next++; 803 t_elt++; 804 } while (t_elt < t_end); 805 806#if APR_CHARSET_EBCDIC 807 { 808 apr_size_t len; 809 char *tmp = apr_pstrcatv(r->pool, vec, vec_next - vec, &len); 810 ap_xlate_proto_to_ascii(tmp, len); 811 return apr_brigade_write(h->bb, NULL, NULL, tmp, len); 812 } 813#else 814 return apr_brigade_writev(h->bb, NULL, NULL, vec, vec_next - vec); 815#endif 816} 817 818/* Confirm that the status line is well-formed and matches r->status. 819 * If they don't match, a filter may have negated the status line set by a 820 * handler. 821 * Zap r->status_line if bad. 822 */ 823static void validate_status_line(request_rec *r) 824{ 825 char *end; 826 827 if (r->status_line 828 && (strlen(r->status_line) <= 4 829 || apr_strtoi64(r->status_line, &end, 10) != r->status 830 || *end != ' ' 831 || (end - 3) != r->status_line)) { 832 r->status_line = NULL; 833 } 834} 835 836/* 837 * Determine the protocol to use for the response. Potentially downgrade 838 * to HTTP/1.0 in some situations and/or turn off keepalives. 839 * 840 * also prepare r->status_line. 841 */ 842static void basic_http_header_check(request_rec *r, 843 const char **protocol) 844{ 845 if (r->assbackwards) { 846 /* no such thing as a response protocol */ 847 return; 848 } 849 850 validate_status_line(r); 851 852 if (!r->status_line) { 853 r->status_line = ap_get_status_line(r->status); 854 } 855 856 /* Note that we must downgrade before checking for force responses. */ 857 if (r->proto_num > HTTP_VERSION(1,0) 858 && apr_table_get(r->subprocess_env, "downgrade-1.0")) { 859 r->proto_num = HTTP_VERSION(1,0); 860 } 861 862 /* kludge around broken browsers when indicated by force-response-1.0 863 */ 864 if (r->proto_num == HTTP_VERSION(1,0) 865 && apr_table_get(r->subprocess_env, "force-response-1.0")) { 866 *protocol = "HTTP/1.0"; 867 r->connection->keepalive = AP_CONN_CLOSE; 868 } 869 else { 870 *protocol = AP_SERVER_PROTOCOL; 871 } 872 873} 874 875/* fill "bb" with a barebones/initial HTTP response header */ 876static void basic_http_header(request_rec *r, apr_bucket_brigade *bb, 877 const char *protocol) 878{ 879 char *date; 880 const char *server; 881 header_struct h; 882 struct iovec vec[4]; 883 884 if (r->assbackwards) { 885 /* there are no headers to send */ 886 return; 887 } 888 889 /* Output the HTTP/1.x Status-Line and the Date and Server fields */ 890 891 vec[0].iov_base = (void *)protocol; 892 vec[0].iov_len = strlen(protocol); 893 vec[1].iov_base = (void *)" "; 894 vec[1].iov_len = sizeof(" ") - 1; 895 vec[2].iov_base = (void *)(r->status_line); 896 vec[2].iov_len = strlen(r->status_line); 897 vec[3].iov_base = (void *)CRLF; 898 vec[3].iov_len = sizeof(CRLF) - 1; 899#if APR_CHARSET_EBCDIC 900 { 901 char *tmp; 902 apr_size_t len; 903 tmp = apr_pstrcatv(r->pool, vec, 4, &len); 904 ap_xlate_proto_to_ascii(tmp, len); 905 apr_brigade_write(bb, NULL, NULL, tmp, len); 906 } 907#else 908 apr_brigade_writev(bb, NULL, NULL, vec, 4); 909#endif 910 911 h.pool = r->pool; 912 h.bb = bb; 913 914 /* 915 * keep the set-by-proxy server and date headers, otherwise 916 * generate a new server header / date header 917 */ 918 if (r->proxyreq != PROXYREQ_NONE) { 919 const char *proxy_date; 920 921 proxy_date = apr_table_get(r->headers_out, "Date"); 922 if (!proxy_date) { 923 /* 924 * proxy_date needs to be const. So use date for the creation of 925 * our own Date header and pass it over to proxy_date later to 926 * avoid a compiler warning. 927 */ 928 date = apr_palloc(r->pool, APR_RFC822_DATE_LEN); 929 ap_recent_rfc822_date(date, r->request_time); 930 proxy_date = date; 931 } 932 form_header_field(&h, "Date", proxy_date); 933 server = apr_table_get(r->headers_out, "Server"); 934 if (server) { 935 form_header_field(&h, "Server", server); 936 } 937 } 938 else { 939 date = apr_palloc(r->pool, APR_RFC822_DATE_LEN); 940 ap_recent_rfc822_date(date, r->request_time); 941 form_header_field(&h, "Date", date); 942 form_header_field(&h, "Server", ap_get_server_banner()); 943 } 944 945 /* unset so we don't send them again */ 946 apr_table_unset(r->headers_out, "Date"); /* Avoid bogosity */ 947 apr_table_unset(r->headers_out, "Server"); 948} 949 950AP_DECLARE(void) ap_basic_http_header(request_rec *r, apr_bucket_brigade *bb) 951{ 952 const char *protocol; 953 954 basic_http_header_check(r, &protocol); 955 basic_http_header(r, bb, protocol); 956} 957 958/* Navigator versions 2.x, 3.x and 4.0 betas up to and including 4.0b2 959 * have a header parsing bug. If the terminating \r\n occur starting 960 * at offset 256, 257 or 258 of output then it will not properly parse 961 * the headers. Curiously it doesn't exhibit this problem at 512, 513. 962 * We are guessing that this is because their initial read of a new request 963 * uses a 256 byte buffer, and subsequent reads use a larger buffer. 964 * So the problem might exist at different offsets as well. 965 * 966 * This should also work on keepalive connections assuming they use the 967 * same small buffer for the first read of each new request. 968 * 969 * At any rate, we check the bytes written so far and, if we are about to 970 * tickle the bug, we instead insert a bogus padding header. Since the bug 971 * manifests as a broken image in Navigator, users blame the server. :( 972 * It is more expensive to check the User-Agent than it is to just add the 973 * bytes, so we haven't used the BrowserMatch feature here. 974 */ 975static void terminate_header(apr_bucket_brigade *bb) 976{ 977 char tmp[] = "X-Pad: avoid browser bug" CRLF; 978 char crlf[] = CRLF; 979 apr_off_t len; 980 apr_size_t buflen; 981 982 (void) apr_brigade_length(bb, 1, &len); 983 984 if (len >= 255 && len <= 257) { 985 buflen = strlen(tmp); 986 ap_xlate_proto_to_ascii(tmp, buflen); 987 apr_brigade_write(bb, NULL, NULL, tmp, buflen); 988 } 989 buflen = strlen(crlf); 990 ap_xlate_proto_to_ascii(crlf, buflen); 991 apr_brigade_write(bb, NULL, NULL, crlf, buflen); 992} 993 994AP_DECLARE_NONSTD(int) ap_send_http_trace(request_rec *r) 995{ 996 core_server_config *conf; 997 int rv; 998 apr_bucket_brigade *bb; 999 header_struct h; 1000 apr_bucket *b; 1001 int body; 1002 char *bodyread = NULL, *bodyoff; 1003 apr_size_t bodylen = 0; 1004 apr_size_t bodybuf; 1005 long res = -1; /* init to avoid gcc -Wall warning */ 1006 1007 if (r->method_number != M_TRACE) { 1008 return DECLINED; 1009 } 1010 1011 /* Get the original request */ 1012 while (r->prev) { 1013 r = r->prev; 1014 } 1015 conf = (core_server_config *)ap_get_module_config(r->server->module_config, 1016 &core_module); 1017 1018 if (conf->trace_enable == AP_TRACE_DISABLE) { 1019 apr_table_setn(r->notes, "error-notes", 1020 "TRACE denied by server configuration"); 1021 return HTTP_METHOD_NOT_ALLOWED; 1022 } 1023 1024 if (conf->trace_enable == AP_TRACE_EXTENDED) 1025 /* XX should be = REQUEST_CHUNKED_PASS */ 1026 body = REQUEST_CHUNKED_DECHUNK; 1027 else 1028 body = REQUEST_NO_BODY; 1029 1030 if ((rv = ap_setup_client_block(r, body))) { 1031 if (rv == HTTP_REQUEST_ENTITY_TOO_LARGE) 1032 apr_table_setn(r->notes, "error-notes", 1033 "TRACE with a request body is not allowed"); 1034 return rv; 1035 } 1036 1037 if (ap_should_client_block(r)) { 1038 1039 if (r->remaining > 0) { 1040 if (r->remaining > 65536) { 1041 apr_table_setn(r->notes, "error-notes", 1042 "Extended TRACE request bodies cannot exceed 64k\n"); 1043 return HTTP_REQUEST_ENTITY_TOO_LARGE; 1044 } 1045 /* always 32 extra bytes to catch chunk header exceptions */ 1046 bodybuf = (apr_size_t)r->remaining + 32; 1047 } 1048 else { 1049 /* Add an extra 8192 for chunk headers */ 1050 bodybuf = 73730; 1051 } 1052 1053 bodyoff = bodyread = apr_palloc(r->pool, bodybuf); 1054 1055 /* only while we have enough for a chunked header */ 1056 while ((!bodylen || bodybuf >= 32) && 1057 (res = ap_get_client_block(r, bodyoff, bodybuf)) > 0) { 1058 bodylen += res; 1059 bodybuf -= res; 1060 bodyoff += res; 1061 } 1062 if (res > 0 && bodybuf < 32) { 1063 /* discard_rest_of_request_body into our buffer */ 1064 while (ap_get_client_block(r, bodyread, bodylen) > 0) 1065 ; 1066 apr_table_setn(r->notes, "error-notes", 1067 "Extended TRACE request bodies cannot exceed 64k\n"); 1068 return HTTP_REQUEST_ENTITY_TOO_LARGE; 1069 } 1070 1071 if (res < 0) { 1072 return HTTP_BAD_REQUEST; 1073 } 1074 } 1075 1076 ap_set_content_type(r, "message/http"); 1077 1078 /* Now we recreate the request, and echo it back */ 1079 1080 bb = apr_brigade_create(r->pool, r->connection->bucket_alloc); 1081#if APR_CHARSET_EBCDIC 1082 { 1083 char *tmp; 1084 apr_size_t len; 1085 len = strlen(r->the_request); 1086 tmp = apr_pmemdup(r->pool, r->the_request, len); 1087 ap_xlate_proto_to_ascii(tmp, len); 1088 apr_brigade_putstrs(bb, NULL, NULL, tmp, CRLF_ASCII, NULL); 1089 } 1090#else 1091 apr_brigade_putstrs(bb, NULL, NULL, r->the_request, CRLF, NULL); 1092#endif 1093 h.pool = r->pool; 1094 h.bb = bb; 1095 apr_table_do((int (*) (void *, const char *, const char *)) 1096 form_header_field, (void *) &h, r->headers_in, NULL); 1097 apr_brigade_puts(bb, NULL, NULL, CRLF_ASCII); 1098 1099 /* If configured to accept a body, echo the body */ 1100 if (bodylen) { 1101 b = apr_bucket_pool_create(bodyread, bodylen, 1102 r->pool, bb->bucket_alloc); 1103 APR_BRIGADE_INSERT_TAIL(bb, b); 1104 } 1105 1106 ap_pass_brigade(r->output_filters, bb); 1107 1108 return DONE; 1109} 1110 1111typedef struct header_filter_ctx { 1112 int headers_sent; 1113} header_filter_ctx; 1114 1115AP_CORE_DECLARE_NONSTD(apr_status_t) ap_http_header_filter(ap_filter_t *f, 1116 apr_bucket_brigade *b) 1117{ 1118 request_rec *r = f->r; 1119 conn_rec *c = r->connection; 1120 const char *clheader; 1121 const char *protocol; 1122 apr_bucket *e; 1123 apr_bucket_brigade *b2; 1124 header_struct h; 1125 header_filter_ctx *ctx = f->ctx; 1126 const char *ctype; 1127 ap_bucket_error *eb = NULL; 1128 1129 AP_DEBUG_ASSERT(!r->main); 1130 1131 if (r->header_only) { 1132 if (!ctx) { 1133 ctx = f->ctx = apr_pcalloc(r->pool, sizeof(header_filter_ctx)); 1134 } 1135 else if (ctx->headers_sent) { 1136 apr_brigade_cleanup(b); 1137 return OK; 1138 } 1139 } 1140 1141 for (e = APR_BRIGADE_FIRST(b); 1142 e != APR_BRIGADE_SENTINEL(b); 1143 e = APR_BUCKET_NEXT(e)) 1144 { 1145 if (AP_BUCKET_IS_ERROR(e) && !eb) { 1146 eb = e->data; 1147 continue; 1148 } 1149 /* 1150 * If we see an EOC bucket it is a signal that we should get out 1151 * of the way doing nothing. 1152 */ 1153 if (AP_BUCKET_IS_EOC(e)) { 1154 ap_remove_output_filter(f); 1155 return ap_pass_brigade(f->next, b); 1156 } 1157 } 1158 if (eb) { 1159 int status; 1160 1161 status = eb->status; 1162 apr_brigade_cleanup(b); 1163 ap_die(status, r); 1164 return AP_FILTER_ERROR; 1165 } 1166 1167 if (r->assbackwards) { 1168 r->sent_bodyct = 1; 1169 ap_remove_output_filter(f); 1170 return ap_pass_brigade(f->next, b); 1171 } 1172 1173 /* 1174 * Now that we are ready to send a response, we need to combine the two 1175 * header field tables into a single table. If we don't do this, our 1176 * later attempts to set or unset a given fieldname might be bypassed. 1177 */ 1178 if (!apr_is_empty_table(r->err_headers_out)) { 1179 r->headers_out = apr_table_overlay(r->pool, r->err_headers_out, 1180 r->headers_out); 1181 } 1182 1183 /* 1184 * Remove the 'Vary' header field if the client can't handle it. 1185 * Since this will have nasty effects on HTTP/1.1 caches, force 1186 * the response into HTTP/1.0 mode. 1187 * 1188 * Note: the force-response-1.0 should come before the call to 1189 * basic_http_header_check() 1190 */ 1191 if (apr_table_get(r->subprocess_env, "force-no-vary") != NULL) { 1192 apr_table_unset(r->headers_out, "Vary"); 1193 r->proto_num = HTTP_VERSION(1,0); 1194 apr_table_set(r->subprocess_env, "force-response-1.0", "1"); 1195 } 1196 else { 1197 fixup_vary(r); 1198 } 1199 1200 /* 1201 * Now remove any ETag response header field if earlier processing 1202 * says so (such as a 'FileETag None' directive). 1203 */ 1204 if (apr_table_get(r->notes, "no-etag") != NULL) { 1205 apr_table_unset(r->headers_out, "ETag"); 1206 } 1207 1208 /* determine the protocol and whether we should use keepalives. */ 1209 basic_http_header_check(r, &protocol); 1210 ap_set_keepalive(r); 1211 1212 if (r->chunked) { 1213 apr_table_mergen(r->headers_out, "Transfer-Encoding", "chunked"); 1214 apr_table_unset(r->headers_out, "Content-Length"); 1215 } 1216 1217 ctype = ap_make_content_type(r, r->content_type); 1218 if (strcasecmp(ctype, NO_CONTENT_TYPE)) { 1219 apr_table_setn(r->headers_out, "Content-Type", ctype); 1220 } 1221 1222 if (r->content_encoding) { 1223 apr_table_setn(r->headers_out, "Content-Encoding", 1224 r->content_encoding); 1225 } 1226 1227 if (!apr_is_empty_array(r->content_languages)) { 1228 int i; 1229 char *token; 1230 char **languages = (char **)(r->content_languages->elts); 1231 const char *field = apr_table_get(r->headers_out, "Content-Language"); 1232 1233 while (field && (token = ap_get_list_item(r->pool, &field)) != NULL) { 1234 for (i = 0; i < r->content_languages->nelts; ++i) { 1235 if (!strcasecmp(token, languages[i])) 1236 break; 1237 } 1238 if (i == r->content_languages->nelts) { 1239 *((char **) apr_array_push(r->content_languages)) = token; 1240 } 1241 } 1242 1243 field = apr_array_pstrcat(r->pool, r->content_languages, ','); 1244 apr_table_setn(r->headers_out, "Content-Language", field); 1245 } 1246 1247 /* 1248 * Control cachability for non-cachable responses if not already set by 1249 * some other part of the server configuration. 1250 */ 1251 if (r->no_cache && !apr_table_get(r->headers_out, "Expires")) { 1252 char *date = apr_palloc(r->pool, APR_RFC822_DATE_LEN); 1253 ap_recent_rfc822_date(date, r->request_time); 1254 apr_table_addn(r->headers_out, "Expires", date); 1255 } 1256 1257 /* This is a hack, but I can't find anyway around it. The idea is that 1258 * we don't want to send out 0 Content-Lengths if it is a head request. 1259 * This happens when modules try to outsmart the server, and return 1260 * if they see a HEAD request. Apache 1.3 handlers were supposed to 1261 * just return in that situation, and the core handled the HEAD. In 1262 * 2.0, if a handler returns, then the core sends an EOS bucket down 1263 * the filter stack, and the content-length filter computes a C-L of 1264 * zero and that gets put in the headers, and we end up sending a 1265 * zero C-L to the client. We can't just remove the C-L filter, 1266 * because well behaved 2.0 handlers will send their data down the stack, 1267 * and we will compute a real C-L for the head request. RBB 1268 */ 1269 if (r->header_only 1270 && (clheader = apr_table_get(r->headers_out, "Content-Length")) 1271 && !strcmp(clheader, "0")) { 1272 apr_table_unset(r->headers_out, "Content-Length"); 1273 } 1274 1275 b2 = apr_brigade_create(r->pool, c->bucket_alloc); 1276 basic_http_header(r, b2, protocol); 1277 1278 h.pool = r->pool; 1279 h.bb = b2; 1280 1281 if (r->status == HTTP_NOT_MODIFIED) { 1282 apr_table_do((int (*)(void *, const char *, const char *)) form_header_field, 1283 (void *) &h, r->headers_out, 1284 "Connection", 1285 "Keep-Alive", 1286 "ETag", 1287 "Content-Location", 1288 "Expires", 1289 "Cache-Control", 1290 "Vary", 1291 "Warning", 1292 "WWW-Authenticate", 1293 "Proxy-Authenticate", 1294 "Set-Cookie", 1295 "Set-Cookie2", 1296 NULL); 1297 } 1298 else { 1299 send_all_header_fields(&h, r); 1300 } 1301 1302 terminate_header(b2); 1303 1304 ap_pass_brigade(f->next, b2); 1305 1306 if (r->header_only) { 1307 apr_brigade_cleanup(b); 1308 ctx->headers_sent = 1; 1309 return OK; 1310 } 1311 1312 r->sent_bodyct = 1; /* Whatever follows is real body stuff... */ 1313 1314 if (r->chunked) { 1315 /* We can't add this filter until we have already sent the headers. 1316 * If we add it before this point, then the headers will be chunked 1317 * as well, and that is just wrong. 1318 */ 1319 ap_add_output_filter("CHUNK", NULL, r, r->connection); 1320 } 1321 1322 /* Don't remove this filter until after we have added the CHUNK filter. 1323 * Otherwise, f->next won't be the CHUNK filter and thus the first 1324 * brigade won't be chunked properly. 1325 */ 1326 ap_remove_output_filter(f); 1327 return ap_pass_brigade(f->next, b); 1328} 1329 1330/* In HTTP/1.1, any method can have a body. However, most GET handlers 1331 * wouldn't know what to do with a request body if they received one. 1332 * This helper routine tests for and reads any message body in the request, 1333 * simply discarding whatever it receives. We need to do this because 1334 * failing to read the request body would cause it to be interpreted 1335 * as the next request on a persistent connection. 1336 * 1337 * Since we return an error status if the request is malformed, this 1338 * routine should be called at the beginning of a no-body handler, e.g., 1339 * 1340 * if ((retval = ap_discard_request_body(r)) != OK) { 1341 * return retval; 1342 * } 1343 */ 1344AP_DECLARE(int) ap_discard_request_body(request_rec *r) 1345{ 1346 apr_bucket_brigade *bb; 1347 int rv, seen_eos; 1348 1349 /* Sometimes we'll get in a state where the input handling has 1350 * detected an error where we want to drop the connection, so if 1351 * that's the case, don't read the data as that is what we're trying 1352 * to avoid. 1353 * 1354 * This function is also a no-op on a subrequest. 1355 */ 1356 if (r->main || r->connection->keepalive == AP_CONN_CLOSE || 1357 ap_status_drops_connection(r->status)) { 1358 return OK; 1359 } 1360 1361 bb = apr_brigade_create(r->pool, r->connection->bucket_alloc); 1362 seen_eos = 0; 1363 do { 1364 apr_bucket *bucket; 1365 1366 rv = ap_get_brigade(r->input_filters, bb, AP_MODE_READBYTES, 1367 APR_BLOCK_READ, HUGE_STRING_LEN); 1368 1369 if (rv != APR_SUCCESS) { 1370 /* FIXME: If we ever have a mapping from filters (apr_status_t) 1371 * to HTTP error codes, this would be a good place for them. 1372 * 1373 * If we received the special case AP_FILTER_ERROR, it means 1374 * that the filters have already handled this error. 1375 * Otherwise, we should assume we have a bad request. 1376 */ 1377 if (rv == AP_FILTER_ERROR) { 1378 apr_brigade_destroy(bb); 1379 return rv; 1380 } 1381 else { 1382 apr_brigade_destroy(bb); 1383 return HTTP_BAD_REQUEST; 1384 } 1385 } 1386 1387 for (bucket = APR_BRIGADE_FIRST(bb); 1388 bucket != APR_BRIGADE_SENTINEL(bb); 1389 bucket = APR_BUCKET_NEXT(bucket)) 1390 { 1391 const char *data; 1392 apr_size_t len; 1393 1394 if (APR_BUCKET_IS_EOS(bucket)) { 1395 seen_eos = 1; 1396 break; 1397 } 1398 1399 /* These are metadata buckets. */ 1400 if (bucket->length == 0) { 1401 continue; 1402 } 1403 1404 /* We MUST read because in case we have an unknown-length 1405 * bucket or one that morphs, we want to exhaust it. 1406 */ 1407 rv = apr_bucket_read(bucket, &data, &len, APR_BLOCK_READ); 1408 if (rv != APR_SUCCESS) { 1409 apr_brigade_destroy(bb); 1410 return HTTP_BAD_REQUEST; 1411 } 1412 } 1413 apr_brigade_cleanup(bb); 1414 } while (!seen_eos); 1415 1416 return OK; 1417} 1418 1419/* Here we deal with getting the request message body from the client. 1420 * Whether or not the request contains a body is signaled by the presence 1421 * of a non-zero Content-Length or by a Transfer-Encoding: chunked. 1422 * 1423 * Note that this is more complicated than it was in Apache 1.1 and prior 1424 * versions, because chunked support means that the module does less. 1425 * 1426 * The proper procedure is this: 1427 * 1428 * 1. Call ap_setup_client_block() near the beginning of the request 1429 * handler. This will set up all the necessary properties, and will 1430 * return either OK, or an error code. If the latter, the module should 1431 * return that error code. The second parameter selects the policy to 1432 * apply if the request message indicates a body, and how a chunked 1433 * transfer-coding should be interpreted. Choose one of 1434 * 1435 * REQUEST_NO_BODY Send 413 error if message has any body 1436 * REQUEST_CHUNKED_ERROR Send 411 error if body without Content-Length 1437 * REQUEST_CHUNKED_DECHUNK If chunked, remove the chunks for me. 1438 * REQUEST_CHUNKED_PASS If chunked, pass the chunk headers with body. 1439 * 1440 * In order to use the last two options, the caller MUST provide a buffer 1441 * large enough to hold a chunk-size line, including any extensions. 1442 * 1443 * 2. When you are ready to read a body (if any), call ap_should_client_block(). 1444 * This will tell the module whether or not to read input. If it is 0, 1445 * the module should assume that there is no message body to read. 1446 * 1447 * 3. Finally, call ap_get_client_block in a loop. Pass it a buffer and its size. 1448 * It will put data into the buffer (not necessarily a full buffer), and 1449 * return the length of the input block. When it is done reading, it will 1450 * return 0 if EOF, or -1 if there was an error. 1451 * If an error occurs on input, we force an end to keepalive. 1452 * 1453 * This step also sends a 100 Continue response to HTTP/1.1 clients if appropriate. 1454 */ 1455 1456AP_DECLARE(int) ap_setup_client_block(request_rec *r, int read_policy) 1457{ 1458 const char *tenc = apr_table_get(r->headers_in, "Transfer-Encoding"); 1459 const char *lenp = apr_table_get(r->headers_in, "Content-Length"); 1460 1461 r->read_body = read_policy; 1462 r->read_chunked = 0; 1463 r->remaining = 0; 1464 1465 if (tenc) { 1466 if (strcasecmp(tenc, "chunked")) { 1467 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, 1468 "Unknown Transfer-Encoding %s", tenc); 1469 return HTTP_NOT_IMPLEMENTED; 1470 } 1471 if (r->read_body == REQUEST_CHUNKED_ERROR) { 1472 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, 1473 "chunked Transfer-Encoding forbidden: %s", r->uri); 1474 return (lenp) ? HTTP_BAD_REQUEST : HTTP_LENGTH_REQUIRED; 1475 } 1476 1477 r->read_chunked = 1; 1478 } 1479 else if (lenp) { 1480 char *endstr; 1481 1482 if (apr_strtoff(&r->remaining, lenp, &endstr, 10) 1483 || *endstr || r->remaining < 0) { 1484 r->remaining = 0; 1485 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, 1486 "Invalid Content-Length"); 1487 return HTTP_BAD_REQUEST; 1488 } 1489 } 1490 1491 if ((r->read_body == REQUEST_NO_BODY) 1492 && (r->read_chunked || (r->remaining > 0))) { 1493 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, 1494 "%s with body is not allowed for %s", r->method, r->uri); 1495 return HTTP_REQUEST_ENTITY_TOO_LARGE; 1496 } 1497 1498#ifdef AP_DEBUG 1499 { 1500 /* Make sure ap_getline() didn't leave any droppings. */ 1501 core_request_config *req_cfg = 1502 (core_request_config *)ap_get_module_config(r->request_config, 1503 &core_module); 1504 AP_DEBUG_ASSERT(APR_BRIGADE_EMPTY(req_cfg->bb)); 1505 } 1506#endif 1507 1508 return OK; 1509} 1510 1511AP_DECLARE(int) ap_should_client_block(request_rec *r) 1512{ 1513 /* First check if we have already read the request body */ 1514 1515 if (r->read_length || (!r->read_chunked && (r->remaining <= 0))) { 1516 return 0; 1517 } 1518 1519 return 1; 1520} 1521 1522/* get_client_block is called in a loop to get the request message body. 1523 * This is quite simple if the client includes a content-length 1524 * (the normal case), but gets messy if the body is chunked. Note that 1525 * r->remaining is used to maintain state across calls and that 1526 * r->read_length is the total number of bytes given to the caller 1527 * across all invocations. It is messy because we have to be careful not 1528 * to read past the data provided by the client, since these reads block. 1529 * Returns 0 on End-of-body, -1 on error or premature chunk end. 1530 * 1531 */ 1532AP_DECLARE(long) ap_get_client_block(request_rec *r, char *buffer, 1533 apr_size_t bufsiz) 1534{ 1535 apr_status_t rv; 1536 apr_bucket_brigade *bb; 1537 1538 if (r->remaining < 0 || (!r->read_chunked && r->remaining == 0)) { 1539 return 0; 1540 } 1541 1542 bb = apr_brigade_create(r->pool, r->connection->bucket_alloc); 1543 if (bb == NULL) { 1544 r->connection->keepalive = AP_CONN_CLOSE; 1545 return -1; 1546 } 1547 1548 rv = ap_get_brigade(r->input_filters, bb, AP_MODE_READBYTES, 1549 APR_BLOCK_READ, bufsiz); 1550 1551 /* We lose the failure code here. This is why ap_get_client_block should 1552 * not be used. 1553 */ 1554 if (rv != APR_SUCCESS) { 1555 /* if we actually fail here, we want to just return and 1556 * stop trying to read data from the client. 1557 */ 1558 r->connection->keepalive = AP_CONN_CLOSE; 1559 apr_brigade_destroy(bb); 1560 return -1; 1561 } 1562 1563 /* If this fails, it means that a filter is written incorrectly and that 1564 * it needs to learn how to properly handle APR_BLOCK_READ requests by 1565 * returning data when requested. 1566 */ 1567 AP_DEBUG_ASSERT(!APR_BRIGADE_EMPTY(bb)); 1568 1569 /* Check to see if EOS in the brigade. 1570 * 1571 * If so, we have to leave a nugget for the *next* ap_get_client_block 1572 * call to return 0. 1573 */ 1574 if (APR_BUCKET_IS_EOS(APR_BRIGADE_LAST(bb))) { 1575 if (r->read_chunked) { 1576 r->remaining = -1; 1577 } 1578 else { 1579 r->remaining = 0; 1580 } 1581 } 1582 1583 rv = apr_brigade_flatten(bb, buffer, &bufsiz); 1584 if (rv != APR_SUCCESS) { 1585 apr_brigade_destroy(bb); 1586 return -1; 1587 } 1588 1589 /* XXX yank me? */ 1590 r->read_length += bufsiz; 1591 1592 apr_brigade_destroy(bb); 1593 return bufsiz; 1594} 1595 1596/* Context struct for ap_http_outerror_filter */ 1597typedef struct { 1598 int seen_eoc; 1599} outerror_filter_ctx_t; 1600 1601/* Filter to handle any error buckets on output */ 1602apr_status_t ap_http_outerror_filter(ap_filter_t *f, 1603 apr_bucket_brigade *b) 1604{ 1605 request_rec *r = f->r; 1606 outerror_filter_ctx_t *ctx = (outerror_filter_ctx_t *)(f->ctx); 1607 apr_bucket *e; 1608 1609 /* Create context if none is present */ 1610 if (!ctx) { 1611 ctx = apr_pcalloc(r->pool, sizeof(outerror_filter_ctx_t)); 1612 f->ctx = ctx; 1613 } 1614 for (e = APR_BRIGADE_FIRST(b); 1615 e != APR_BRIGADE_SENTINEL(b); 1616 e = APR_BUCKET_NEXT(e)) 1617 { 1618 if (AP_BUCKET_IS_ERROR(e)) { 1619 /* 1620 * Start of error handling state tree. Just one condition 1621 * right now :) 1622 */ 1623 if (((ap_bucket_error *)(e->data))->status == HTTP_BAD_GATEWAY) { 1624 /* stream aborted and we have not ended it yet */ 1625 r->connection->keepalive = AP_CONN_CLOSE; 1626 } 1627 continue; 1628 } 1629 /* Detect EOC buckets and memorize this in the context. */ 1630 if (AP_BUCKET_IS_EOC(e)) { 1631 ctx->seen_eoc = 1; 1632 } 1633 } 1634 /* 1635 * Remove all data buckets that are in a brigade after an EOC bucket 1636 * was seen, as an EOC bucket tells us that no (further) resource 1637 * and protocol data should go out to the client. OTOH meta buckets 1638 * are still welcome as they might trigger needed actions down in 1639 * the chain (e.g. in network filters like SSL). 1640 * Remark 1: It is needed to dump ALL data buckets in the brigade 1641 * since an filter in between might have inserted data 1642 * buckets BEFORE the EOC bucket sent by the original 1643 * sender and we do NOT want this data to be sent. 1644 * Remark 2: Dumping all data buckets here does not necessarily mean 1645 * that no further data is send to the client as: 1646 * 1. Network filters like SSL can still be triggered via 1647 * meta buckets to talk with the client e.g. for a 1648 * clean shutdown. 1649 * 2. There could be still data that was buffered before 1650 * down in the chain that gets flushed by a FLUSH or an 1651 * EOS bucket. 1652 */ 1653 if (ctx->seen_eoc) { 1654 for (e = APR_BRIGADE_FIRST(b); 1655 e != APR_BRIGADE_SENTINEL(b); 1656 e = APR_BUCKET_NEXT(e)) 1657 { 1658 if (!APR_BUCKET_IS_METADATA(e)) { 1659 APR_BUCKET_REMOVE(e); 1660 } 1661 } 1662 } 1663 1664 return ap_pass_brigade(f->next, b); 1665} 1666 1667