Drop an invalid Last-Modified header value returned by a FCGI/CGI

script instead tranforming it to Unix Epoch.

This bug was mentioned in the users@ mailing list and outlined in
the following centos bug: https://bugs.centos.org/view.php?id=10940
To reproduce the issue it is sufficient to connect mod-fastcgi
to a PHP script that returns a HTTP response with
the header "Last-Modified: foo". The header will be modified by
script_util.c to "Last-Modified: Thu, 01 Jan 1970 00:00:00 GMT".
Dropping an invalid header in this case seems to be the most
consistent and correct option in my opinion, plus it shouldn't
break existing configurations. Returning Unix Epoch might be
dangerous and should be avoided, but please let me know your opinions.
Moreover this is my first commit outside the documentation court,
I hope to have got the procedure right.
This fix has been tested also with the 2.4.x branch.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1748379 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/CHANGES b/CHANGES
index 9999c76569d56d2dab35a672b75f70e0e297f773..485f1dfc767703f4b8a8c0376988e53f9bf5400e 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,10 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.5.0
 
+  *) core: Drop an invalid Last-Modified header value coming
+     from a FCGI/CGI script instead of replacing it with Unix epoch.
+     [Luca Toscano]
+
   *) mod_dav: Allow other modules to become providers and add ACLs
      to the DAV response.
      [Jari Urpalainen <jari.urpalainen nokia.com>, Graham Leggett]

diff --git a/server/util_script.c b/server/util_script.c
index c9201b49cf9e3056182fb26939d342a04253d391..aa24518eaebd57b849f3378e6c267f72bb3060a6 100644 (file)
--- a/server/util_script.c
+++ b/server/util_script.c
@@ -662,11 +662,19 @@ AP_DECLARE(int) ap_scan_script_header_err_core_ex(request_rec *r, char *buffer,
         }
         /*
          * If the script gave us a Last-Modified header, we can't just
-         * pass it on blindly because of restrictions on future values.
+         * pass it on blindly because of restrictions on future or invalid values.
          */
         else if (!ap_cstr_casecmp(w, "Last-Modified")) {
-            ap_update_mtime(r, apr_date_parse_http(l));
-            ap_set_last_modified(r);
+            apr_time_t last_modified_date = apr_date_parse_http(l);
+            if (last_modified_date != APR_DATE_BAD) {
+                ap_update_mtime(r, last_modified_date);
+                ap_set_last_modified(r);
+            }
+            else {
+                if (APLOGrtrace1(r))
+                   ap_log_rerror(SCRIPT_LOG_MARK, APLOG_TRACE1, 0, r,
+                                 "Ignored invalid header value: Last-Modified: '%s'", l);
+            }
         }
         else if (!ap_cstr_casecmp(w, "Set-Cookie")) {
             apr_table_add(cookie_table, w, l);