1 /* Licensed to the Apache Software Foundation (ASF) under one or more
2 * contributor license agreements. See the NOTICE file distributed with
3 * this work for additional information regarding copyright ownership.
4 * The ASF licenses this file to You under the Apache License, Version 2.0
5 * (the "License"); you may not use this file except in compliance with
6 * the License. You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
18 * http_filter.c --- HTTP routines which either filters or deal with filters.
22 #include "apr_strings.h"
23 #include "apr_buckets.h"
25 #include "apr_signal.h"
27 #define APR_WANT_STDIO /* for sscanf */
28 #define APR_WANT_STRFUNC
29 #define APR_WANT_MEMFUNC
33 #include "util_filter.h"
34 #include "ap_config.h"
36 #include "http_config.h"
37 #include "http_core.h"
38 #include "http_protocol.h"
39 #include "http_main.h"
40 #include "http_request.h"
41 #include "http_vhost.h"
42 #include "http_log.h" /* For errors detected in basic auth common
44 #include "apr_date.h" /* For apr_date_parse_http and APR_DATE_BAD */
45 #include "util_charset.h"
46 #include "util_ebcdic.h"
47 #include "util_time.h"
58 extern module AP_MODULE_DECLARE_DATA http_module;
60 static long get_chunk_size(char *);
62 typedef struct http_filter_ctx {
75 /* This is the HTTP_INPUT filter for HTTP requests and responses from
76 * proxied servers (mod_proxy). It handles chunked and content-length
77 * bodies. This can only be inserted/used after the headers
78 * are successfully parsed.
80 apr_status_t ap_http_filter(ap_filter_t *f, apr_bucket_brigade *b,
81 ap_input_mode_t mode, apr_read_type_e block,
85 http_ctx_t *ctx = f->ctx;
89 /* just get out of the way of things we don't want. */
90 if (mode != AP_MODE_READBYTES && mode != AP_MODE_GETLINE) {
91 return ap_get_brigade(f->next, b, mode, block, readbytes);
95 const char *tenc, *lenp;
96 f->ctx = ctx = apr_palloc(f->r->pool, sizeof(*ctx));
97 ctx->state = BODY_NONE;
102 /* LimitRequestBody does not apply to proxied responses.
103 * Consider implementing this check in its own filter.
104 * Would adding a directive to limit the size of proxied
105 * responses be useful?
107 if (!f->r->proxyreq) {
108 ctx->limit = ap_get_limit_req_body(f->r);
114 tenc = apr_table_get(f->r->headers_in, "Transfer-Encoding");
115 lenp = apr_table_get(f->r->headers_in, "Content-Length");
118 if (!strcasecmp(tenc, "chunked")) {
119 ctx->state = BODY_CHUNK;
121 /* test lenp, because it gives another case we can handle */
123 /* Something that isn't in HTTP, unless some future
124 * edition defines new transfer ecodings, is unsupported.
126 apr_bucket_brigade *bb;
127 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, f->r,
128 "Unknown Transfer-Encoding: %s", tenc);
129 bb = apr_brigade_create(f->r->pool, f->c->bucket_alloc);
130 e = ap_bucket_error_create(HTTP_NOT_IMPLEMENTED, NULL,
131 f->r->pool, f->c->bucket_alloc);
132 APR_BRIGADE_INSERT_TAIL(bb, e);
133 e = apr_bucket_eos_create(f->c->bucket_alloc);
134 APR_BRIGADE_INSERT_TAIL(bb, e);
136 return ap_pass_brigade(f->r->output_filters, bb);
139 ap_log_rerror(APLOG_MARK, APLOG_WARN, 0, f->r,
140 "Unknown Transfer-Encoding: %s; using Content-Length", tenc);
147 ctx->state = BODY_LENGTH;
150 /* Protects against over/underflow, non-digit chars in the
151 * string (excluding leading space) (the endstr checks)
152 * and a negative number. */
153 if (apr_strtoff(&ctx->remaining, lenp, &endstr, 10)
154 || endstr == lenp || *endstr || ctx->remaining < 0) {
155 apr_bucket_brigade *bb;
158 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, f->r,
159 "Invalid Content-Length");
161 bb = apr_brigade_create(f->r->pool, f->c->bucket_alloc);
162 e = ap_bucket_error_create(HTTP_REQUEST_ENTITY_TOO_LARGE, NULL,
163 f->r->pool, f->c->bucket_alloc);
164 APR_BRIGADE_INSERT_TAIL(bb, e);
165 e = apr_bucket_eos_create(f->c->bucket_alloc);
166 APR_BRIGADE_INSERT_TAIL(bb, e);
168 return ap_pass_brigade(f->r->output_filters, bb);
171 /* If we have a limit in effect and we know the C-L ahead of
172 * time, stop it here if it is invalid.
174 if (ctx->limit && ctx->limit < ctx->remaining) {
175 apr_bucket_brigade *bb;
176 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, f->r,
177 "Requested content-length of %" APR_OFF_T_FMT
178 " is larger than the configured limit"
179 " of %" APR_OFF_T_FMT, ctx->remaining, ctx->limit);
180 bb = apr_brigade_create(f->r->pool, f->c->bucket_alloc);
181 e = ap_bucket_error_create(HTTP_REQUEST_ENTITY_TOO_LARGE, NULL,
182 f->r->pool, f->c->bucket_alloc);
183 APR_BRIGADE_INSERT_TAIL(bb, e);
184 e = apr_bucket_eos_create(f->c->bucket_alloc);
185 APR_BRIGADE_INSERT_TAIL(bb, e);
187 return ap_pass_brigade(f->r->output_filters, bb);
191 /* If we don't have a request entity indicated by the headers, EOS.
192 * (BODY_NONE is a valid intermediate state due to trailers,
193 * but it isn't a valid starting state.)
195 * RFC 2616 Section 4.4 note 5 states that connection-close
196 * is invalid for a request entity - request bodies must be
197 * denoted by C-L or T-E: chunked.
199 * Note that since the proxy uses this filter to handle the
200 * proxied *response*, proxy responses MUST be exempt.
202 if (ctx->state == BODY_NONE && f->r->proxyreq != PROXYREQ_RESPONSE) {
203 e = apr_bucket_eos_create(f->c->bucket_alloc);
204 APR_BRIGADE_INSERT_TAIL(b, e);
209 /* Since we're about to read data, send 100-Continue if needed.
210 * Only valid on chunked and C-L bodies where the C-L is > 0. */
211 if ((ctx->state == BODY_CHUNK ||
212 (ctx->state == BODY_LENGTH && ctx->remaining > 0)) &&
213 f->r->expecting_100 && f->r->proto_num >= HTTP_VERSION(1,1) &&
214 !(f->r->eos_sent || f->r->bytes_sent)) {
216 apr_bucket_brigade *bb;
218 tmp = apr_pstrcat(f->r->pool, AP_SERVER_PROTOCOL, " ",
219 ap_get_status_line(100), CRLF CRLF, NULL);
220 bb = apr_brigade_create(f->r->pool, f->c->bucket_alloc);
221 e = apr_bucket_pool_create(tmp, strlen(tmp), f->r->pool,
223 APR_BRIGADE_INSERT_HEAD(bb, e);
224 e = apr_bucket_flush_create(f->c->bucket_alloc);
225 APR_BRIGADE_INSERT_TAIL(bb, e);
227 ap_pass_brigade(f->c->output_filters, bb);
230 /* We can't read the chunk until after sending 100 if required. */
231 if (ctx->state == BODY_CHUNK) {
233 apr_bucket_brigade *bb;
235 apr_off_t brigade_length;
237 bb = apr_brigade_create(f->r->pool, f->c->bucket_alloc);
239 rv = ap_get_brigade(f->next, bb, AP_MODE_GETLINE,
243 if (block == APR_NONBLOCK_READ &&
244 ( (rv == APR_SUCCESS && APR_BRIGADE_EMPTY(bb)) ||
245 (APR_STATUS_IS_EAGAIN(rv)) )) {
249 if (rv == APR_SUCCESS) {
250 /* We have to check the length of the brigade we got back.
251 * We will not accept partial or blank lines.
253 rv = apr_brigade_length(bb, 1, &brigade_length);
254 if (rv == APR_SUCCESS
255 && (!brigade_length ||
256 brigade_length > f->r->server->limit_req_line)) {
259 if (rv == APR_SUCCESS) {
260 rv = apr_brigade_flatten(bb, line, &len);
261 if (rv == APR_SUCCESS) {
262 ctx->remaining = get_chunk_size(line);
266 apr_brigade_cleanup(bb);
268 /* Detect chunksize error (such as overflow) */
269 if (rv != APR_SUCCESS || ctx->remaining < 0) {
270 ctx->remaining = 0; /* Reset it in case we have to
271 * come back here later */
272 e = ap_bucket_error_create(HTTP_REQUEST_ENTITY_TOO_LARGE, NULL,
275 APR_BRIGADE_INSERT_TAIL(bb, e);
276 e = apr_bucket_eos_create(f->c->bucket_alloc);
277 APR_BRIGADE_INSERT_TAIL(bb, e);
279 return ap_pass_brigade(f->r->output_filters, bb);
282 if (!ctx->remaining) {
283 /* Handle trailers by calling ap_get_mime_headers again! */
284 ctx->state = BODY_NONE;
285 ap_get_mime_headers(f->r);
286 e = apr_bucket_eos_create(f->c->bucket_alloc);
287 APR_BRIGADE_INSERT_TAIL(b, e);
295 e = apr_bucket_eos_create(f->c->bucket_alloc);
296 APR_BRIGADE_INSERT_TAIL(b, e);
300 if (!ctx->remaining) {
301 switch (ctx->state) {
305 e = apr_bucket_eos_create(f->c->bucket_alloc);
306 APR_BRIGADE_INSERT_TAIL(b, e);
309 case BODY_CHUNK: case BODY_CHUNK_PART:
312 apr_bucket_brigade *bb;
314 apr_status_t http_error = HTTP_REQUEST_ENTITY_TOO_LARGE;
316 bb = apr_brigade_create(f->r->pool, f->c->bucket_alloc);
318 /* We need to read the CRLF after the chunk. */
319 if (ctx->state == BODY_CHUNK) {
320 rv = ap_get_brigade(f->next, bb, AP_MODE_GETLINE,
322 apr_brigade_cleanup(bb);
323 if (block == APR_NONBLOCK_READ &&
324 (APR_STATUS_IS_EAGAIN(rv))) {
331 if (rv == APR_SUCCESS) {
332 /* Read the real chunk line. */
333 rv = ap_get_brigade(f->next, bb, AP_MODE_GETLINE,
336 if (block == APR_NONBLOCK_READ &&
337 ( (rv == APR_SUCCESS && APR_BRIGADE_EMPTY(bb)) ||
338 (APR_STATUS_IS_EAGAIN(rv)) )) {
339 ctx->state = BODY_CHUNK_PART;
342 ctx->state = BODY_CHUNK;
343 if (rv == APR_SUCCESS) {
344 rv = apr_brigade_flatten(bb, line, &len);
345 if (rv == APR_SUCCESS) {
346 /* Wait a sec, that's a blank line! Oh no. */
349 http_error = HTTP_SERVICE_UNAVAILABLE;
352 ctx->remaining = get_chunk_size(line);
356 apr_brigade_cleanup(bb);
359 /* Detect chunksize error (such as overflow) */
360 if (rv != APR_SUCCESS || ctx->remaining < 0) {
361 apr_status_t out_error;
363 ctx->remaining = 0; /* Reset it in case we have to
364 * come back here later */
365 e = ap_bucket_error_create(http_error,
368 APR_BRIGADE_INSERT_TAIL(bb, e);
369 e = apr_bucket_eos_create(f->c->bucket_alloc);
370 APR_BRIGADE_INSERT_TAIL(bb, e);
372 out_error = ap_pass_brigade(f->r->output_filters, bb);
376 if (!ctx->remaining) {
377 /* Handle trailers by calling ap_get_mime_headers again! */
378 ctx->state = BODY_NONE;
379 ap_get_mime_headers(f->r);
380 e = apr_bucket_eos_create(f->c->bucket_alloc);
381 APR_BRIGADE_INSERT_TAIL(b, e);
390 /* Ensure that the caller can not go over our boundary point. */
391 if (ctx->state == BODY_LENGTH || ctx->state == BODY_CHUNK) {
392 if (ctx->remaining < readbytes) {
393 readbytes = ctx->remaining;
395 AP_DEBUG_ASSERT(readbytes > 0);
398 rv = ap_get_brigade(f->next, b, mode, block, readbytes);
400 if (rv != APR_SUCCESS) {
404 /* How many bytes did we just read? */
405 apr_brigade_length(b, 0, &totalread);
407 /* If this happens, we have a bucket of unknown length. Die because
408 * it means our assumptions have changed. */
409 AP_DEBUG_ASSERT(totalread >= 0);
411 if (ctx->state != BODY_NONE) {
412 ctx->remaining -= totalread;
415 /* If we have no more bytes remaining on a C-L request,
416 * save the callter a roundtrip to discover EOS.
418 if (ctx->state == BODY_LENGTH && ctx->remaining == 0) {
419 e = apr_bucket_eos_create(f->c->bucket_alloc);
420 APR_BRIGADE_INSERT_TAIL(b, e);
423 /* We have a limit in effect. */
425 /* FIXME: Note that we might get slightly confused on chunked inputs
426 * as we'd need to compensate for the chunk lengths which may not
427 * really count. This seems to be up for interpretation. */
428 ctx->limit_used += totalread;
429 if (ctx->limit < ctx->limit_used) {
430 apr_bucket_brigade *bb;
431 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, f->r,
432 "Read content-length of %" APR_OFF_T_FMT
433 " is larger than the configured limit"
434 " of %" APR_OFF_T_FMT, ctx->limit_used, ctx->limit);
435 bb = apr_brigade_create(f->r->pool, f->c->bucket_alloc);
436 e = ap_bucket_error_create(HTTP_REQUEST_ENTITY_TOO_LARGE, NULL,
439 APR_BRIGADE_INSERT_TAIL(bb, e);
440 e = apr_bucket_eos_create(f->c->bucket_alloc);
441 APR_BRIGADE_INSERT_TAIL(bb, e);
443 return ap_pass_brigade(f->r->output_filters, bb);
451 * Parse a chunk extension, detect overflow.
452 * There are two error cases:
453 * 1) If the conversion would require too many bits, a -1 is returned.
454 * 2) If the conversion used the correct number of bits, but an overflow
455 * caused only the sign bit to flip, then that negative number is
457 * In general, any negative number can be considered an overflow error.
459 static long get_chunk_size(char *b)
462 size_t chunkbits = sizeof(long) * 8;
464 ap_xlate_proto_from_ascii(b, strlen(b));
466 /* Skip leading zeros */
471 while (apr_isxdigit(*b) && (chunkbits > 0)) {
474 if (*b >= '0' && *b <= '9') {
477 else if (*b >= 'A' && *b <= 'F') {
478 xvalue = *b - 'A' + 0xa;
480 else if (*b >= 'a' && *b <= 'f') {
481 xvalue = *b - 'a' + 0xa;
484 chunksize = (chunksize << 4) | xvalue;
488 if (apr_isxdigit(*b) && (chunkbits <= 0)) {
496 typedef struct header_struct {
498 apr_bucket_brigade *bb;
501 /* Send a single HTTP header field to the client. Note that this function
502 * is used in calls to table_do(), so their interfaces are co-dependent.
503 * In other words, don't change this one without checking table_do in alloc.c.
504 * It returns true unless there was a write error of some kind.
506 static int form_header_field(header_struct *h,
507 const char *fieldname, const char *fieldval)
509 #if APR_CHARSET_EBCDIC
516 name_len = strlen(fieldname);
517 val_len = strlen(fieldval);
518 len = name_len + val_len + 4; /* 4 for ": " plus CRLF */
519 headfield = (char *)apr_palloc(h->pool, len + 1);
520 memcpy(headfield, fieldname, name_len);
521 next = headfield + name_len;
524 memcpy(next, fieldval, val_len);
529 ap_xlate_proto_to_ascii(headfield, len);
530 apr_brigade_write(h->bb, NULL, NULL, headfield, len);
533 struct iovec *v = vec;
534 v->iov_base = (void *)fieldname;
535 v->iov_len = strlen(fieldname);
538 v->iov_len = sizeof(": ") - 1;
540 v->iov_base = (void *)fieldval;
541 v->iov_len = strlen(fieldval);
544 v->iov_len = sizeof(CRLF) - 1;
545 apr_brigade_writev(h->bb, NULL, NULL, vec, 4);
546 #endif /* !APR_CHARSET_EBCDIC */
550 /* This routine is called by apr_table_do and merges all instances of
551 * the passed field values into a single array that will be further
552 * processed by some later routine. Originally intended to help split
553 * and recombine multiple Vary fields, though it is generic to any field
554 * consisting of comma/space-separated tokens.
556 static int uniq_field_values(void *d, const char *key, const char *val)
558 apr_array_header_t *values;
564 values = (apr_array_header_t *)d;
566 e = apr_pstrdup(values->pool, val);
569 /* Find a non-empty fieldname */
571 while (*e == ',' || apr_isspace(*e)) {
578 while (*e != '\0' && *e != ',' && !apr_isspace(*e)) {
585 /* Now add it to values if it isn't already represented.
586 * Could be replaced by a ap_array_strcasecmp() if we had one.
588 for (i = 0, strpp = (char **) values->elts; i < values->nelts;
590 if (*strpp && strcasecmp(*strpp, start) == 0) {
594 if (i == values->nelts) { /* if not found */
595 *(char **)apr_array_push(values) = start;
597 } while (*e != '\0');
603 * Since some clients choke violently on multiple Vary fields, or
604 * Vary fields with duplicate tokens, combine any multiples and remove
607 static void fixup_vary(request_rec *r)
609 apr_array_header_t *varies;
611 varies = apr_array_make(r->pool, 5, sizeof(char *));
613 /* Extract all Vary fields from the headers_out, separate each into
614 * its comma-separated fieldname values, and then add them to varies
615 * if not already present in the array.
617 apr_table_do((int (*)(void *, const char *, const char *))uniq_field_values,
618 (void *) varies, r->headers_out, "Vary", NULL);
620 /* If we found any, replace old Vary fields with unique-ified value */
622 if (varies->nelts > 0) {
623 apr_table_setn(r->headers_out, "Vary",
624 apr_array_pstrcat(r->pool, varies, ','));
628 /* Send a request's HTTP response headers to the client.
630 static apr_status_t send_all_header_fields(header_struct *h,
631 const request_rec *r)
633 const apr_array_header_t *elts;
634 const apr_table_entry_t *t_elt;
635 const apr_table_entry_t *t_end;
637 struct iovec *vec_next;
639 elts = apr_table_elts(r->headers_out);
640 if (elts->nelts == 0) {
643 t_elt = (const apr_table_entry_t *)(elts->elts);
644 t_end = t_elt + elts->nelts;
645 vec = (struct iovec *)apr_palloc(h->pool, 4 * elts->nelts *
646 sizeof(struct iovec));
649 /* For each field, generate
650 * name ": " value CRLF
653 vec_next->iov_base = (void*)(t_elt->key);
654 vec_next->iov_len = strlen(t_elt->key);
656 vec_next->iov_base = ": ";
657 vec_next->iov_len = sizeof(": ") - 1;
659 vec_next->iov_base = (void*)(t_elt->val);
660 vec_next->iov_len = strlen(t_elt->val);
662 vec_next->iov_base = CRLF;
663 vec_next->iov_len = sizeof(CRLF) - 1;
666 } while (t_elt < t_end);
668 #if APR_CHARSET_EBCDIC
671 char *tmp = apr_pstrcatv(r->pool, vec, vec_next - vec, &len);
672 ap_xlate_proto_to_ascii(tmp, len);
673 return apr_brigade_write(h->bb, NULL, NULL, tmp, len);
676 return apr_brigade_writev(h->bb, NULL, NULL, vec, vec_next - vec);
680 /* Confirm that the status line is well-formed and matches r->status.
681 * If they don't match, a filter may have negated the status line set by a
683 * Zap r->status_line if bad.
685 static void validate_status_line(request_rec *r)
690 && (strlen(r->status_line) <= 4
691 || apr_strtoi64(r->status_line, &end, 10) != r->status
693 || (end - 3) != r->status_line)) {
694 r->status_line = NULL;
699 * Determine the protocol to use for the response. Potentially downgrade
700 * to HTTP/1.0 in some situations and/or turn off keepalives.
702 * also prepare r->status_line.
704 static void basic_http_header_check(request_rec *r,
705 const char **protocol)
707 if (r->assbackwards) {
708 /* no such thing as a response protocol */
712 validate_status_line(r);
714 if (!r->status_line) {
715 r->status_line = ap_get_status_line(r->status);
718 /* Note that we must downgrade before checking for force responses. */
719 if (r->proto_num > HTTP_VERSION(1,0)
720 && apr_table_get(r->subprocess_env, "downgrade-1.0")) {
721 r->proto_num = HTTP_VERSION(1,0);
724 /* kludge around broken browsers when indicated by force-response-1.0
726 if (r->proto_num == HTTP_VERSION(1,0)
727 && apr_table_get(r->subprocess_env, "force-response-1.0")) {
728 *protocol = "HTTP/1.0";
729 r->connection->keepalive = AP_CONN_CLOSE;
732 *protocol = AP_SERVER_PROTOCOL;
737 /* fill "bb" with a barebones/initial HTTP response header */
738 static void basic_http_header(request_rec *r, apr_bucket_brigade *bb,
739 const char *protocol)
746 if (r->assbackwards) {
747 /* there are no headers to send */
751 /* Output the HTTP/1.x Status-Line and the Date and Server fields */
753 vec[0].iov_base = (void *)protocol;
754 vec[0].iov_len = strlen(protocol);
755 vec[1].iov_base = (void *)" ";
756 vec[1].iov_len = sizeof(" ") - 1;
757 vec[2].iov_base = (void *)(r->status_line);
758 vec[2].iov_len = strlen(r->status_line);
759 vec[3].iov_base = (void *)CRLF;
760 vec[3].iov_len = sizeof(CRLF) - 1;
761 #if APR_CHARSET_EBCDIC
765 tmp = apr_pstrcatv(r->pool, vec, 4, &len);
766 ap_xlate_proto_to_ascii(tmp, len);
767 apr_brigade_write(bb, NULL, NULL, tmp, len);
770 apr_brigade_writev(bb, NULL, NULL, vec, 4);
777 * keep the set-by-proxy server and date headers, otherwise
778 * generate a new server header / date header
780 if (r->proxyreq != PROXYREQ_NONE) {
781 const char *proxy_date;
783 proxy_date = apr_table_get(r->headers_out, "Date");
786 * proxy_date needs to be const. So use date for the creation of
787 * our own Date header and pass it over to proxy_date later to
788 * avoid a compiler warning.
790 date = apr_palloc(r->pool, APR_RFC822_DATE_LEN);
791 ap_recent_rfc822_date(date, r->request_time);
794 form_header_field(&h, "Date", proxy_date);
795 server = apr_table_get(r->headers_out, "Server");
797 form_header_field(&h, "Server", server);
799 form_header_field(&h, "Server", ap_get_server_banner());
803 date = apr_palloc(r->pool, APR_RFC822_DATE_LEN);
804 ap_recent_rfc822_date(date, r->request_time);
805 form_header_field(&h, "Date", date);
806 form_header_field(&h, "Server", ap_get_server_banner());
809 /* unset so we don't send them again */
810 apr_table_unset(r->headers_out, "Date"); /* Avoid bogosity */
811 apr_table_unset(r->headers_out, "Server");
814 AP_DECLARE(void) ap_basic_http_header(request_rec *r, apr_bucket_brigade *bb)
816 const char *protocol;
818 basic_http_header_check(r, &protocol);
819 basic_http_header(r, bb, protocol);
822 /* Navigator versions 2.x, 3.x and 4.0 betas up to and including 4.0b2
823 * have a header parsing bug. If the terminating \r\n occur starting
824 * at offset 256, 257 or 258 of output then it will not properly parse
825 * the headers. Curiously it doesn't exhibit this problem at 512, 513.
826 * We are guessing that this is because their initial read of a new request
827 * uses a 256 byte buffer, and subsequent reads use a larger buffer.
828 * So the problem might exist at different offsets as well.
830 * This should also work on keepalive connections assuming they use the
831 * same small buffer for the first read of each new request.
833 * At any rate, we check the bytes written so far and, if we are about to
834 * tickle the bug, we instead insert a bogus padding header. Since the bug
835 * manifests as a broken image in Navigator, users blame the server. :(
836 * It is more expensive to check the User-Agent than it is to just add the
837 * bytes, so we haven't used the BrowserMatch feature here.
839 static void terminate_header(apr_bucket_brigade *bb)
841 char tmp[] = "X-Pad: avoid browser bug" CRLF;
846 (void) apr_brigade_length(bb, 1, &len);
848 if (len >= 255 && len <= 257) {
849 buflen = strlen(tmp);
850 ap_xlate_proto_to_ascii(tmp, buflen);
851 apr_brigade_write(bb, NULL, NULL, tmp, buflen);
853 buflen = strlen(crlf);
854 ap_xlate_proto_to_ascii(crlf, buflen);
855 apr_brigade_write(bb, NULL, NULL, crlf, buflen);
858 AP_DECLARE_NONSTD(int) ap_send_http_trace(request_rec *r)
860 core_server_config *conf;
862 apr_bucket_brigade *bb;
866 char *bodyread = NULL, *bodyoff;
867 apr_size_t bodylen = 0;
869 long res = -1; /* init to avoid gcc -Wall warning */
871 if (r->method_number != M_TRACE) {
875 /* Get the original request */
879 conf = (core_server_config *)ap_get_module_config(r->server->module_config,
882 if (conf->trace_enable == AP_TRACE_DISABLE) {
883 apr_table_setn(r->notes, "error-notes",
884 "TRACE denied by server configuration");
885 return HTTP_METHOD_NOT_ALLOWED;
888 if (conf->trace_enable == AP_TRACE_EXTENDED)
889 /* XX should be = REQUEST_CHUNKED_PASS */
890 body = REQUEST_CHUNKED_DECHUNK;
892 body = REQUEST_NO_BODY;
894 if ((rv = ap_setup_client_block(r, body))) {
895 if (rv == HTTP_REQUEST_ENTITY_TOO_LARGE)
896 apr_table_setn(r->notes, "error-notes",
897 "TRACE with a request body is not allowed");
901 if (ap_should_client_block(r)) {
903 if (r->remaining > 0) {
904 if (r->remaining > 65536) {
905 apr_table_setn(r->notes, "error-notes",
906 "Extended TRACE request bodies cannot exceed 64k\n");
907 return HTTP_REQUEST_ENTITY_TOO_LARGE;
909 /* always 32 extra bytes to catch chunk header exceptions */
910 bodybuf = (apr_size_t)r->remaining + 32;
913 /* Add an extra 8192 for chunk headers */
917 bodyoff = bodyread = apr_palloc(r->pool, bodybuf);
919 /* only while we have enough for a chunked header */
920 while ((!bodylen || bodybuf >= 32) &&
921 (res = ap_get_client_block(r, bodyoff, bodybuf)) > 0) {
926 if (res > 0 && bodybuf < 32) {
927 /* discard_rest_of_request_body into our buffer */
928 while (ap_get_client_block(r, bodyread, bodylen) > 0)
930 apr_table_setn(r->notes, "error-notes",
931 "Extended TRACE request bodies cannot exceed 64k\n");
932 return HTTP_REQUEST_ENTITY_TOO_LARGE;
936 return HTTP_BAD_REQUEST;
940 ap_set_content_type(r, "message/http");
942 /* Now we recreate the request, and echo it back */
944 bb = apr_brigade_create(r->pool, r->connection->bucket_alloc);
945 apr_brigade_putstrs(bb, NULL, NULL, r->the_request, CRLF, NULL);
948 apr_table_do((int (*) (void *, const char *, const char *))
949 form_header_field, (void *) &h, r->headers_in, NULL);
950 apr_brigade_puts(bb, NULL, NULL, CRLF);
952 /* If configured to accept a body, echo the body */
954 b = apr_bucket_pool_create(bodyread, bodylen,
955 r->pool, bb->bucket_alloc);
956 APR_BRIGADE_INSERT_TAIL(bb, b);
959 ap_pass_brigade(r->output_filters, bb);
964 typedef struct header_filter_ctx {
968 AP_CORE_DECLARE_NONSTD(apr_status_t) ap_http_header_filter(ap_filter_t *f,
969 apr_bucket_brigade *b)
971 request_rec *r = f->r;
972 conn_rec *c = r->connection;
973 const char *clheader;
974 const char *protocol;
976 apr_bucket_brigade *b2;
978 header_filter_ctx *ctx = f->ctx;
981 AP_DEBUG_ASSERT(!r->main);
983 if (r->header_only) {
985 ctx = f->ctx = apr_pcalloc(r->pool, sizeof(header_filter_ctx));
987 else if (ctx->headers_sent) {
988 apr_brigade_destroy(b);
993 for (e = APR_BRIGADE_FIRST(b);
994 e != APR_BRIGADE_SENTINEL(b);
995 e = APR_BUCKET_NEXT(e))
997 if (AP_BUCKET_IS_ERROR(e)) {
998 ap_bucket_error *eb = e->data;
1000 ap_die(eb->status, r);
1001 return AP_FILTER_ERROR;
1005 if (r->assbackwards) {
1007 ap_remove_output_filter(f);
1008 return ap_pass_brigade(f->next, b);
1012 * Now that we are ready to send a response, we need to combine the two
1013 * header field tables into a single table. If we don't do this, our
1014 * later attempts to set or unset a given fieldname might be bypassed.
1016 if (!apr_is_empty_table(r->err_headers_out)) {
1017 r->headers_out = apr_table_overlay(r->pool, r->err_headers_out,
1022 * Remove the 'Vary' header field if the client can't handle it.
1023 * Since this will have nasty effects on HTTP/1.1 caches, force
1024 * the response into HTTP/1.0 mode.
1026 * Note: the force-response-1.0 should come before the call to
1027 * basic_http_header_check()
1029 if (apr_table_get(r->subprocess_env, "force-no-vary") != NULL) {
1030 apr_table_unset(r->headers_out, "Vary");
1031 r->proto_num = HTTP_VERSION(1,0);
1032 apr_table_set(r->subprocess_env, "force-response-1.0", "1");
1039 * Now remove any ETag response header field if earlier processing
1040 * says so (such as a 'FileETag None' directive).
1042 if (apr_table_get(r->notes, "no-etag") != NULL) {
1043 apr_table_unset(r->headers_out, "ETag");
1046 /* determine the protocol and whether we should use keepalives. */
1047 basic_http_header_check(r, &protocol);
1048 ap_set_keepalive(r);
1051 apr_table_mergen(r->headers_out, "Transfer-Encoding", "chunked");
1052 apr_table_unset(r->headers_out, "Content-Length");
1055 ctype = ap_make_content_type(r, r->content_type);
1056 if (strcasecmp(ctype, NO_CONTENT_TYPE)) {
1057 apr_table_setn(r->headers_out, "Content-Type", ctype);
1060 if (r->content_encoding) {
1061 apr_table_setn(r->headers_out, "Content-Encoding",
1062 r->content_encoding);
1065 if (!apr_is_empty_array(r->content_languages)) {
1067 char **languages = (char **)(r->content_languages->elts);
1068 for (i = 0; i < r->content_languages->nelts; ++i) {
1069 apr_table_mergen(r->headers_out, "Content-Language", languages[i]);
1074 * Control cachability for non-cachable responses if not already set by
1075 * some other part of the server configuration.
1077 if (r->no_cache && !apr_table_get(r->headers_out, "Expires")) {
1078 char *date = apr_palloc(r->pool, APR_RFC822_DATE_LEN);
1079 ap_recent_rfc822_date(date, r->request_time);
1080 apr_table_addn(r->headers_out, "Expires", date);
1083 /* This is a hack, but I can't find anyway around it. The idea is that
1084 * we don't want to send out 0 Content-Lengths if it is a head request.
1085 * This happens when modules try to outsmart the server, and return
1086 * if they see a HEAD request. Apache 1.3 handlers were supposed to
1087 * just return in that situation, and the core handled the HEAD. In
1088 * 2.0, if a handler returns, then the core sends an EOS bucket down
1089 * the filter stack, and the content-length filter computes a C-L of
1090 * zero and that gets put in the headers, and we end up sending a
1091 * zero C-L to the client. We can't just remove the C-L filter,
1092 * because well behaved 2.0 handlers will send their data down the stack,
1093 * and we will compute a real C-L for the head request. RBB
1096 && (clheader = apr_table_get(r->headers_out, "Content-Length"))
1097 && !strcmp(clheader, "0")) {
1098 apr_table_unset(r->headers_out, "Content-Length");
1101 b2 = apr_brigade_create(r->pool, c->bucket_alloc);
1102 basic_http_header(r, b2, protocol);
1107 if (r->status == HTTP_NOT_MODIFIED) {
1108 apr_table_do((int (*)(void *, const char *, const char *)) form_header_field,
1109 (void *) &h, r->headers_out,
1119 "Proxy-Authenticate",
1125 send_all_header_fields(&h, r);
1128 terminate_header(b2);
1130 ap_pass_brigade(f->next, b2);
1132 if (r->header_only) {
1133 apr_brigade_destroy(b);
1134 ctx->headers_sent = 1;
1138 r->sent_bodyct = 1; /* Whatever follows is real body stuff... */
1141 /* We can't add this filter until we have already sent the headers.
1142 * If we add it before this point, then the headers will be chunked
1143 * as well, and that is just wrong.
1145 ap_add_output_filter("CHUNK", NULL, r, r->connection);
1148 /* Don't remove this filter until after we have added the CHUNK filter.
1149 * Otherwise, f->next won't be the CHUNK filter and thus the first
1150 * brigade won't be chunked properly.
1152 ap_remove_output_filter(f);
1153 return ap_pass_brigade(f->next, b);
1156 /* In HTTP/1.1, any method can have a body. However, most GET handlers
1157 * wouldn't know what to do with a request body if they received one.
1158 * This helper routine tests for and reads any message body in the request,
1159 * simply discarding whatever it receives. We need to do this because
1160 * failing to read the request body would cause it to be interpreted
1161 * as the next request on a persistent connection.
1163 * Since we return an error status if the request is malformed, this
1164 * routine should be called at the beginning of a no-body handler, e.g.,
1166 * if ((retval = ap_discard_request_body(r)) != OK) {
1170 AP_DECLARE(int) ap_discard_request_body(request_rec *r)
1172 apr_bucket_brigade *bb, *kept_body = NULL;
1175 core_dir_conf *dconf;
1176 apr_size_t left = 0;
1178 /* Sometimes we'll get in a state where the input handling has
1179 * detected an error where we want to drop the connection, so if
1180 * that's the case, don't read the data as that is what we're trying
1183 * This function is also a no-op on a subrequest.
1185 if (r->main || r->connection->keepalive == AP_CONN_CLOSE ||
1186 ap_status_drops_connection(r->status)) {
1190 /* We may want to save this body away if the administrator has
1191 * asked us to do so for this directory. This allows the body
1192 * to be reexamined by filters such as mod_include, even though
1193 * the main request has no need for this body.
1195 if (!r->kept_body) {
1196 dconf = ap_get_module_config(r->per_dir_config,
1198 if (dconf->keep_body > 0) {
1199 left = dconf->keep_body;
1200 kept_body = apr_brigade_create(r->pool, r->connection->bucket_alloc);
1204 bb = apr_brigade_create(r->pool, r->connection->bucket_alloc);
1209 rv = ap_get_brigade(r->input_filters, bb, AP_MODE_READBYTES,
1210 APR_BLOCK_READ, HUGE_STRING_LEN);
1212 if (rv != APR_SUCCESS) {
1213 /* FIXME: If we ever have a mapping from filters (apr_status_t)
1214 * to HTTP error codes, this would be a good place for them.
1216 * If we received the special case AP_FILTER_ERROR, it means
1217 * that the filters have already handled this error.
1218 * Otherwise, we should assume we have a bad request.
1220 if (rv == AP_FILTER_ERROR) {
1221 apr_brigade_destroy(bb);
1225 apr_brigade_destroy(bb);
1226 return HTTP_BAD_REQUEST;
1230 for (bucket = APR_BRIGADE_FIRST(bb);
1231 bucket != APR_BRIGADE_SENTINEL(bb);
1232 bucket = APR_BUCKET_NEXT(bucket))
1237 if (APR_BUCKET_IS_EOS(bucket)) {
1242 /* These are metadata buckets. */
1243 if (bucket->length == 0) {
1247 /* We MUST read because in case we have an unknown-length
1248 * bucket or one that morphs, we want to exhaust it.
1250 rv = apr_bucket_read(bucket, &data, &len, APR_BLOCK_READ);
1251 if (rv != APR_SUCCESS) {
1252 apr_brigade_destroy(bb);
1253 return HTTP_BAD_REQUEST;
1256 /* If we have been asked to, keep the data up until the
1257 * configured limit. If the limit is exceeded, we return an
1258 * HTTP_REQUEST_ENTITY_TOO_LARGE response so the caller is
1259 * clear the server couldn't handle their request.
1263 apr_bucket_copy(bucket, &e);
1264 APR_BRIGADE_INSERT_TAIL(kept_body, e);
1268 apr_brigade_destroy(bb);
1269 apr_brigade_destroy(kept_body);
1270 return HTTP_REQUEST_ENTITY_TOO_LARGE;
1275 apr_brigade_cleanup(bb);
1276 } while (!seen_eos);
1279 r->kept_body = kept_body;
1285 /* Here we deal with getting the request message body from the client.
1286 * Whether or not the request contains a body is signaled by the presence
1287 * of a non-zero Content-Length or by a Transfer-Encoding: chunked.
1289 * Note that this is more complicated than it was in Apache 1.1 and prior
1290 * versions, because chunked support means that the module does less.
1292 * The proper procedure is this:
1294 * 1. Call ap_setup_client_block() near the beginning of the request
1295 * handler. This will set up all the necessary properties, and will
1296 * return either OK, or an error code. If the latter, the module should
1297 * return that error code. The second parameter selects the policy to
1298 * apply if the request message indicates a body, and how a chunked
1299 * transfer-coding should be interpreted. Choose one of
1301 * REQUEST_NO_BODY Send 413 error if message has any body
1302 * REQUEST_CHUNKED_ERROR Send 411 error if body without Content-Length
1303 * REQUEST_CHUNKED_DECHUNK If chunked, remove the chunks for me.
1304 * REQUEST_CHUNKED_PASS If chunked, pass the chunk headers with body.
1306 * In order to use the last two options, the caller MUST provide a buffer
1307 * large enough to hold a chunk-size line, including any extensions.
1309 * 2. When you are ready to read a body (if any), call ap_should_client_block().
1310 * This will tell the module whether or not to read input. If it is 0,
1311 * the module should assume that there is no message body to read.
1313 * 3. Finally, call ap_get_client_block in a loop. Pass it a buffer and its size.
1314 * It will put data into the buffer (not necessarily a full buffer), and
1315 * return the length of the input block. When it is done reading, it will
1316 * return 0 if EOF, or -1 if there was an error.
1317 * If an error occurs on input, we force an end to keepalive.
1319 * This step also sends a 100 Continue response to HTTP/1.1 clients if appropriate.
1322 AP_DECLARE(int) ap_setup_client_block(request_rec *r, int read_policy)
1324 const char *tenc = apr_table_get(r->headers_in, "Transfer-Encoding");
1325 const char *lenp = apr_table_get(r->headers_in, "Content-Length");
1327 r->read_body = read_policy;
1328 r->read_chunked = 0;
1332 if (strcasecmp(tenc, "chunked")) {
1333 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
1334 "Unknown Transfer-Encoding %s", tenc);
1335 return HTTP_NOT_IMPLEMENTED;
1337 if (r->read_body == REQUEST_CHUNKED_ERROR) {
1338 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
1339 "chunked Transfer-Encoding forbidden: %s", r->uri);
1340 return (lenp) ? HTTP_BAD_REQUEST : HTTP_LENGTH_REQUIRED;
1343 r->read_chunked = 1;
1348 if (apr_strtoff(&r->remaining, lenp, &endstr, 10)
1349 || *endstr || r->remaining < 0) {
1351 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
1352 "Invalid Content-Length");
1353 return HTTP_BAD_REQUEST;
1357 if ((r->read_body == REQUEST_NO_BODY)
1358 && (r->read_chunked || (r->remaining > 0))) {
1359 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
1360 "%s with body is not allowed for %s", r->method, r->uri);
1361 return HTTP_REQUEST_ENTITY_TOO_LARGE;
1366 /* Make sure ap_getline() didn't leave any droppings. */
1367 core_request_config *req_cfg =
1368 (core_request_config *)ap_get_module_config(r->request_config,
1370 AP_DEBUG_ASSERT(APR_BRIGADE_EMPTY(req_cfg->bb));
1377 AP_DECLARE(int) ap_should_client_block(request_rec *r)
1379 /* First check if we have already read the request body */
1381 if (r->read_length || (!r->read_chunked && (r->remaining <= 0))) {
1388 /* get_client_block is called in a loop to get the request message body.
1389 * This is quite simple if the client includes a content-length
1390 * (the normal case), but gets messy if the body is chunked. Note that
1391 * r->remaining is used to maintain state across calls and that
1392 * r->read_length is the total number of bytes given to the caller
1393 * across all invocations. It is messy because we have to be careful not
1394 * to read past the data provided by the client, since these reads block.
1395 * Returns 0 on End-of-body, -1 on error or premature chunk end.
1398 AP_DECLARE(long) ap_get_client_block(request_rec *r, char *buffer,
1402 apr_bucket_brigade *bb;
1404 if (r->remaining < 0 || (!r->read_chunked && r->remaining == 0)) {
1408 bb = apr_brigade_create(r->pool, r->connection->bucket_alloc);
1410 r->connection->keepalive = AP_CONN_CLOSE;
1414 rv = ap_get_brigade(r->input_filters, bb, AP_MODE_READBYTES,
1415 APR_BLOCK_READ, bufsiz);
1417 /* We lose the failure code here. This is why ap_get_client_block should
1420 if (rv != APR_SUCCESS) {
1421 /* if we actually fail here, we want to just return and
1422 * stop trying to read data from the client.
1424 r->connection->keepalive = AP_CONN_CLOSE;
1425 apr_brigade_destroy(bb);
1429 /* If this fails, it means that a filter is written incorrectly and that
1430 * it needs to learn how to properly handle APR_BLOCK_READ requests by
1431 * returning data when requested.
1433 AP_DEBUG_ASSERT(!APR_BRIGADE_EMPTY(bb));
1435 /* Check to see if EOS in the brigade.
1437 * If so, we have to leave a nugget for the *next* ap_get_client_block
1440 if (APR_BUCKET_IS_EOS(APR_BRIGADE_LAST(bb))) {
1441 if (r->read_chunked) {
1449 rv = apr_brigade_flatten(bb, buffer, &bufsiz);
1450 if (rv != APR_SUCCESS) {
1451 apr_brigade_destroy(bb);
1456 r->read_length += bufsiz;
1458 apr_brigade_destroy(bb);
1462 /* Filter to handle any error buckets on output */
1463 apr_status_t ap_http_outerror_filter(ap_filter_t *f,
1464 apr_bucket_brigade *b)
1466 request_rec *r = f->r;
1469 for (e = APR_BRIGADE_FIRST(b);
1470 e != APR_BRIGADE_SENTINEL(b);
1471 e = APR_BUCKET_NEXT(e))
1473 if (AP_BUCKET_IS_ERROR(e)) {
1475 * Start of error handling state tree. Just one condition
1478 if (((ap_bucket_error *)(e->data))->status == HTTP_BAD_GATEWAY) {
1479 /* stream aborted and we have not ended it yet */
1480 r->connection->keepalive = AP_CONN_CLOSE;
1485 return ap_pass_brigade(f->next, b);
1488 typedef struct kept_body_filter_ctx {
1490 apr_off_t remaining;
1494 * Initialisation of filter to handle a kept body on subrequests.
1496 * If a body is to be reinserted into a subrequest, any chunking will have
1497 * been removed from the body during storage. We need to change the request
1498 * from Transfer-Encoding: chunked to an explicit Content-Length.
1500 int ap_kept_body_filter_init(ap_filter_t *f) {
1501 apr_off_t length = 0;
1502 request_rec *r = f->r;
1503 apr_bucket_brigade *kept_body = r->kept_body;
1506 apr_table_unset(r->headers_in, "Transfer-Encoding");
1507 apr_brigade_length(kept_body, 1, &length);
1508 apr_table_set(r->headers_in, "Content-Length", apr_off_t_toa(r->pool, length));
1515 * Filter to handle a kept body on subrequests.
1517 * If a body has been previously kept by the request, and if a subrequest wants
1518 * to re-insert the body into the request, this input filter makes it happen.
1520 apr_status_t ap_kept_body_filter(ap_filter_t *f, apr_bucket_brigade *b,
1521 ap_input_mode_t mode, apr_read_type_e block,
1522 apr_off_t readbytes) {
1523 request_rec *r = f->r;
1524 apr_bucket_brigade *kept_body = r->kept_body;
1525 kept_body_ctx_t *ctx = f->ctx;
1526 apr_bucket *ec, *e2;
1529 /* just get out of the way of things we don't want. */
1530 if (!kept_body || (mode != AP_MODE_READBYTES && mode != AP_MODE_GETLINE)) {
1531 return ap_get_brigade(f->next, b, mode, block, readbytes);
1534 /* set up the context if it does not already exist */
1536 f->ctx = ctx = apr_palloc(f->r->pool, sizeof(*ctx));
1538 apr_brigade_length(kept_body, 1, &ctx->remaining);
1541 /* kept_body is finished, send next filter */
1542 if (ctx->remaining <= 0) {
1543 return ap_get_brigade(f->next, b, mode, block, readbytes);
1546 /* send all of the kept_body, but no more */
1547 if (readbytes > ctx->remaining) {
1548 readbytes = ctx->remaining;
1551 /* send part of the kept_body */
1552 if ((rv = apr_brigade_partition(kept_body, ctx->offset, &ec)) != APR_SUCCESS) {
1553 ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r,
1554 "apr_brigade_partition() failed on kept_body at %" APR_OFF_T_FMT, ctx->offset);
1557 if ((rv = apr_brigade_partition(kept_body, ctx->offset + readbytes, &e2)) != APR_SUCCESS) {
1558 ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r,
1559 "apr_brigade_partition() failed on kept_body at %" APR_OFF_T_FMT, ctx->offset + readbytes);
1568 if (apr_bucket_copy(ec, &foo) != APR_SUCCESS) {
1569 /* As above; this should not fail since the bucket has
1570 * a known length, but just to be sure, this takes
1571 * care of uncopyable buckets that do somehow manage
1572 * to slip through. */
1573 /* XXX: check for failure? */
1574 apr_bucket_read(ec, &str, &len, APR_BLOCK_READ);
1575 apr_bucket_copy(ec, &foo);
1577 APR_BRIGADE_INSERT_TAIL(b, foo);
1578 ec = APR_BUCKET_NEXT(ec);
1581 ctx->remaining -= readbytes;
1582 ctx->offset += readbytes;