Changes with Apache 2.3.0
[ When backported to 2.2.x, remove entry from this file ]
+ *) mod_deflate: Transform ETag when transforming the entity.
+ PR 39727 [Henrik Nordstrom <hno squid-cache.org>, Nick Kew]
+
*) mod_ldap: Set character set for status page to ISO-8859-1 to avoid
UTF-7 XSS vulnerabilities of certain browsers. [Joe Orton]
*) mpm winnt: fix null pointer dereference
PR 42572 [Davi Arnaut]
- *) mod_deflate: Don't leave a strong ETag in place while transforming
- the entity.
- PR 39727 [Nick Kew]
-
*) core: reinstate location walk to fix config for subrequests
PR 41960 [Jose Kahan <jose w3.org>]
return APR_SUCCESS;
}
/* PR 39727: we're screwing up our clients if we leave a strong ETag
- * header while transforming content. A minimal fix that makes us
- * protocol-compliant is to make it a weak ETag. Whether we can
- * use this ourselves (e.g. in mod_cache) is a different issue.
+ * header while transforming content. Henrik Nordstrom suggests
+ * appending ";gzip".
*
- * Henrik Nordstrom suggests instead appending ";gzip", commenting:
- * "This should allows for easy bidirectional mapping, simplifying most
- * conditionals as no transformation of the entity body is needed to find
- * the etag, and the simple format makes it easier to trace should any
- * misunderstandings occur."
- *
- * We might consider such a strategy in future if we implement support
- * for such a scheme.
+ * Pending a more thorough review of our Etag handling, let's just
+ * implement his suggestion. It fixes the bug, or at least turns it
+ * from a showstopper to an inefficiency. And it breaks nothing that
+ * wasn't already broken.
*/
-static void deflate_check_etag(request_rec *r)
+static void deflate_check_etag(request_rec *r, const char *transform)
{
const char *etag = apr_table_get(r->headers_out, "ETag");
if (etag && (((etag[0] != 'W') && (etag[0] !='w')) || (etag[1] != '/'))) {
apr_table_set(r->headers_out, "ETag",
- apr_pstrcat(r->pool, "W/", etag, NULL));
+ apr_pstrcat(r->pool, etag, "-", transform, NULL));
}
}
static apr_status_t deflate_out_filter(ap_filter_t *f,
}
apr_table_unset(r->headers_out, "Content-Length");
apr_table_unset(r->headers_out, "Content-MD5");
- deflate_check_etag(r);
+ deflate_check_etag(r, "gzip");
/* initialize deflate output buffer */
ctx->stream.next_out = ctx->buffer;
/* these are unlikely to be set anyway, but ... */
apr_table_unset(r->headers_out, "Content-Length");
apr_table_unset(r->headers_out, "Content-MD5");
- deflate_check_etag(r);
+ deflate_check_etag(r, "gunzip");
/* initialize inflate output buffer */
ctx->stream.next_out = ctx->buffer;