From 0d11ddb595411d5cb29afaad52cba30c9a2b67af Mon Sep 17 00:00:00 2001 From: Stefan Fritsch Date: Mon, 14 Jun 2010 19:59:05 +0000 Subject: [PATCH] - Introduce ap_log_cserror to allow mod_ssl to associate log messages to different servers than c->base_server. - Adjust the scope of some mod_ssl trace logging from server to conn. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@954611 13f79535-47bb-0310-9956-ffa450edef68 --- include/ap_mmn.h | 3 +- include/http_config.h | 20 ++++++++++++ include/http_log.h | 56 +++++++++++++++++++++++++++++++-- modules/ssl/ssl_engine_io.c | 19 +++++------ modules/ssl/ssl_engine_kernel.c | 4 +-- server/log.c | 13 ++++++++ server/util_debug.c | 22 +++++++++++++ 7 files changed, 123 insertions(+), 14 deletions(-) diff --git a/include/ap_mmn.h b/include/ap_mmn.h index d296c2c205..fca4850c40 100644 --- a/include/ap_mmn.h +++ b/include/ap_mmn.h @@ -228,6 +228,7 @@ * 20100606.1 (2.3.6-dev) Added extended timestamp formatting via * ap_recent_ctime_ex(). * 20100609.0 (2.3.6-dev) Dropped ap_args_to_table due to missing constraints. + * 20100609.1 (2.3.7-dev) Introduce ap_log_cserror() */ #define MODULE_MAGIC_COOKIE 0x41503234UL /* "AP24" */ @@ -235,7 +236,7 @@ #ifndef MODULE_MAGIC_NUMBER_MAJOR #define MODULE_MAGIC_NUMBER_MAJOR 20100609 #endif -#define MODULE_MAGIC_NUMBER_MINOR 0 /* 0...n */ +#define MODULE_MAGIC_NUMBER_MINOR 1 /* 0...n */ /** * Determine if the server's current MODULE_MAGIC_NUMBER is at least a diff --git a/include/http_config.h b/include/http_config.h index 6c2eebf90f..636f728080 100644 --- a/include/http_config.h +++ b/include/http_config.h 
@@ -497,6 +497,18 @@ AP_DECLARE(int) ap_get_server_module_loglevel(const server_rec *s, int index); */ AP_DECLARE(int) ap_get_conn_module_loglevel(const conn_rec *c, int index); +/** + * Generic accessor for modules the module-specific loglevel + * @param c The connection from which to get the loglevel. + * @param s The server from which to get the loglevel if c does not have a + * specific loglevel configuration. + * @param index The module_index of the module to get the loglevel for. + * @return The module-specific loglevel + */ +AP_DECLARE(int) ap_get_conn_server_module_loglevel(const conn_rec *c, + const server_rec *s, + int index); + /** * Generic accessor for modules to get the module-specific loglevel * @param r The request from which to get the loglevel. @@ -521,6 +533,11 @@ AP_DECLARE(void) ap_set_module_loglevel(apr_pool_t *p, struct ap_logconf *l, ((c)->log ? (c)->log : \ &(c)->base_server->log) +#define ap_get_conn_server_logconf(c,s) \ + ( ( (c)->log != &(c)->base_server->log && (c)->log != NULL ) ? \ + (c)->log : \ + &(s)->log ) + #define ap_get_request_logconf(r) \ ((r)->log ? (r)->log : \ (r)->connection->log ? (r)->connection->log : \ @@ -537,6 +554,9 @@ AP_DECLARE(void) ap_set_module_loglevel(apr_pool_t *p, struct ap_logconf *l, #define ap_get_conn_module_loglevel(c,i) \ (ap_get_module_loglevel(ap_get_conn_logconf(c),i)) +#define ap_get_conn_server_module_loglevel(c,s,i) \ + (ap_get_module_loglevel(ap_get_conn_server_logconf(c,s),i)) + #define ap_get_request_module_loglevel(r,i) \ (ap_get_module_loglevel(ap_get_request_logconf(r),i)) diff --git a/include/http_log.h b/include/http_log.h index 0ca660145a..fac8ef5773 100644 --- a/include/http_log.h +++ b/include/http_log.h 
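Review bot: `ap_get_conn_server_logconf(c,s)` in the second hunk takes `&(s)->log` and reads `(c)->base_server->log` with no NULL handling, whereas the server-level check next to the added `APLOG_CS_MODULE_IS_LEVEL` in http_log.h explicitly allows for `s == NULL`. If `ap_log_cserror()` can be reached with a NULL server, the level test dereferences it before `log_error_core` is called; the same pattern recurs in `APLOG_CS_MODULE_IS_LEVEL` and in the function form added to server/util_debug.c. Either state in the `@param` lines that `c` and `s` must be non-NULL, or guard the fallback, e.g. `(s) ? &(s)->log : ap_get_conn_logconf(c)`. The macro also evaluates `c` up to three times, so it deserves a one-line comment warning against arguments with side effects. The doc comment in the first hunk is missing words and should read `Generic accessor for modules to get the module-specific loglevel`.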
@@ -136,6 +136,10 @@ static int * const aplog_module_index; ( (((level)&APLOG_LEVELMASK) <= APLOG_NOTICE) || \ (ap_get_conn_module_loglevel(c, module_index) \ >= ((level)&APLOG_LEVELMASK) ) ) +#define APLOG_CS_MODULE_IS_LEVEL(c,s,module_index,level) \ + ( (((level)&APLOG_LEVELMASK) <= APLOG_NOTICE) || \ + (ap_get_conn_server_module_loglevel(c, s, module_index) \ + >= ((level)&APLOG_LEVELMASK) ) ) #define APLOG_R_MODULE_IS_LEVEL(r,module_index,level) \ ( (((level)&APLOG_LEVELMASK) <= APLOG_NOTICE) || \ (ap_get_request_module_loglevel(r, module_index) \ @@ -147,6 +151,11 @@ static int * const aplog_module_index; (s == NULL) || \ (ap_get_server_module_loglevel(s, module_index) \ >= ((level)&APLOG_LEVELMASK) ) ) ) +#define APLOG_CS_MODULE_IS_LEVEL(c,s,module_index,level) \ + ( (((level)&APLOG_LEVELMASK) <= APLOG_MAX_LOGLEVEL) && \ + ( (((level)&APLOG_LEVELMASK) <= APLOG_NOTICE) || \ + (ap_get_conn_server_module_loglevel(c, s, module_index) \ + >= ((level)&APLOG_LEVELMASK) ) ) ) #define APLOG_C_MODULE_IS_LEVEL(c,module_index,level) \ ( (((level)&APLOG_LEVELMASK) <= APLOG_MAX_LOGLEVEL) && \ ( (((level)&APLOG_LEVELMASK) <= APLOG_NOTICE) || \ @@ -163,6 +172,8 @@ static int * const aplog_module_index; APLOG_MODULE_IS_LEVEL(s,APLOG_MODULE_INDEX,level) #define APLOG_C_IS_LEVEL(c,level) \ APLOG_C_MODULE_IS_LEVEL(c,APLOG_MODULE_INDEX,level) +#define APLOG_CS_IS_LEVEL(c,s,level) \ + APLOG_CS_MODULE_IS_LEVEL(c,s,APLOG_MODULE_INDEX,level) #define APLOG_R_IS_LEVEL(r,level) \ APLOG_R_MODULE_IS_LEVEL(r,APLOG_MODULE_INDEX,level) @@ -327,7 +338,7 @@ AP_DECLARE(void) ap_log_perror_(const char *file, int line, int module_index, /** * ap_log_rerror() - log messages which are related to a particular - * request. This uses a a printf-like format to log messages to the + * request. This uses a printf-like format to log messages to the * error_log. * @param file The file in which this function is called * @param line The line number on which this function is called 
@@ -362,7 +373,7 @@ AP_DECLARE(void) ap_log_rerror_(const char *file, int line, int module_index, /** * ap_log_cerror() - log messages which are related to a particular - * connection. This uses a a printf-like format to log messages to the + * connection. This uses a printf-like format to log messages to the * error_log. * @param file The file in which this function is called * @param line The line number on which this function is called 
@@ -397,6 +408,47 @@ AP_DECLARE(void) ap_log_cerror_(const char *file, int line, int module_level, const conn_rec *c, const char *fmt, ...) __attribute__((format(printf,7,8))); +/** + * ap_log_cserror() - log messages which are related to a particular + * connection and to a vhost other than c->base_server. This uses a + * printf-like format to log messages to the error_log. + * @param file The file in which this function is called + * @param line The line number on which this function is called + * @param level The level of this error message + * @param module_index The module_index of the module generating this message + * @param status The status code from the previous command + * @param c The connection which we are logging for + * @param s The server which we are logging for + * @param fmt The format string + * @param ... The arguments to use to fill out fmt. + * @note Use APLOG_MARK to fill out file and line + * @note If a request_rec is available, use that with ap_log_rerror() + * in preference to calling this function. This function is mainly useful for + * modules like mod_ssl to use before the request_rec is created. + * @warning It is VERY IMPORTANT that you not include any raw data from + * the network, such as the request-URI or request header fields, within + * the format string. Doing so makes the server vulnerable to a + * denial-of-service attack and other messy behavior. Instead, use a + * simple format string like "%s", followed by the string containing the + * untrusted data. + */ +#if __STDC_VERSION__ >= 199901L +/* need additional step to expand APLOG_MARK first */ +#define ap_log_cserror(...) ap_log_cserror__(__VA_ARGS__) +#define ap_log_cserror__(file, line, mi, level, status, c, s, ...) 
\ + do { if (APLOG_CS_MODULE_IS_LEVEL(c, s, mi, level)) \ + ap_log_cserror_(file, line, mi, level, status, c, s, \ + __VA_ARGS__); \ + } while(0) +#else +#define ap_log_cserror ap_log_cserror_ +#endif +AP_DECLARE(void) ap_log_cserror_(const char *file, int line, int module_level, + int level, apr_status_t status, + const conn_rec *c, const server_rec *s, + const char *fmt, ...) + __attribute__((format(printf,8,9))); + /** * Convert stderr to the error log * @param s The current server diff --git a/modules/ssl/ssl_engine_io.c b/modules/ssl/ssl_engine_io.c index 33ca726147..5ee27f47b1 100644 --- a/modules/ssl/ssl_engine_io.c +++ b/modules/ssl/ssl_engine_io.c @@ -1017,11 +1017,12 @@ static void ssl_filter_io_shutdown(ssl_filter_ctx_t *filter_ctx, SSL_smart_shutdown(ssl); /* and finally log the fact that we've closed the connection */ - if (APLOG_C_IS_LEVEL(c, loglevel)) { - ap_log_cerror(APLOG_MARK, loglevel, 0, c, - "Connection closed to child %ld with %s shutdown " - "(server %s)", - c->id, type, ssl_util_vhostid(c->pool, mySrvFromConn(c))); + if (APLOG_CS_IS_LEVEL(c, mySrvFromConn(c), loglevel)) { + ap_log_cserror(APLOG_MARK, loglevel, 0, c, mySrvFromConn(c), + "Connection closed to child %ld with %s shutdown " + "(server %s)", + c->id, type, + ssl_util_vhostid(c->pool, mySrvFromConn(c))); } /* deallocate the SSL connection */ @@ -1740,7 +1741,7 @@ void ssl_io_filter_init(conn_rec *c, request_rec *r, SSL *ssl) apr_pool_cleanup_register(c->pool, (void*)filter_ctx, ssl_io_filter_cleanup, apr_pool_cleanup_null); - if (APLOGctrace4(c)) { + if (APLOG_CS_IS_LEVEL(c, mySrvFromConn(c), APLOG_TRACE4)) { BIO_set_callback(SSL_get_rbio(ssl), ssl_io_data_cb); BIO_set_callback_arg(SSL_get_rbio(ssl), (void *)ssl); } 
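Review bot: The doc comment for `ap_log_cserror()` lists `@param level` before `@param module_index`, and the prototype names the third parameter `module_level`, but the definition added in server/log.c takes `int module_index` in that position, followed by `int level`. Callers fill the leading arguments through APLOG_MARK, so this is a readability trap rather than a functional bug, but it is cheap to fix while the API is new: swap the two `@param` lines and declare `int module_index`. The `format(printf,8,9)` indices do match the positions of `fmt` and the variadic arguments, which keeps compiler checking of the format string in force for the new entry point.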
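Review bot: In the `ssl_filter_io_shutdown` hunk, `mySrvFromConn(c)` is now evaluated three times: once in the `APLOG_CS_IS_LEVEL` guard, once as the server argument, and once inside `ssl_util_vhostid`. A local such as `server_rec *s = mySrvFromConn(c);` before the `if` would guarantee that the level test and the message refer to the same server record and would shorten the call. In a C99 build the `ap_log_cserror` macro repeats the level test itself, so the outer `if` appears to exist only to skip the `ssl_util_vhostid` call; a short comment saying so would stop someone from removing it later. The function starts outside the hunk.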
@@ -1850,18 +1851,18 @@ long ssl_io_data_cb(BIO *bio, int cmd, if ( cmd == (BIO_CB_WRITE|BIO_CB_RETURN) || cmd == (BIO_CB_READ |BIO_CB_RETURN) ) { if (rc >= 0) { - ap_log_error(APLOG_MARK, APLOG_TRACE4, 0, s, + ap_log_cserror(APLOG_MARK, APLOG_TRACE4, 0, c, s, "%s: %s %ld/%d bytes %s BIO#%pp [mem: %pp] %s", SSL_LIBRARY_NAME, (cmd == (BIO_CB_WRITE|BIO_CB_RETURN) ? "write" : "read"), rc, argi, (cmd == (BIO_CB_WRITE|BIO_CB_RETURN) ? "to" : "from"), bio, argp, (argp != NULL ? "(BIO dump follows)" : "(Oops, no memory buffer?)")); - if ((argp != NULL) && APLOGctrace7(c)) + if ((argp != NULL) && APLOG_CS_IS_LEVEL(c, s, APLOG_TRACE7)) ssl_io_data_dump(s, argp, rc); } else { - ap_log_error(APLOG_MARK, APLOG_TRACE4, 0, s, + ap_log_cserror(APLOG_MARK, APLOG_TRACE4, 0, c, s, "%s: I/O error, %d bytes expected to %s on BIO#%pp [mem: %pp]", SSL_LIBRARY_NAME, argi, (cmd == (BIO_CB_WRITE|BIO_CB_RETURN) ? "write" : "read"), diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c index 0a875d5f96..f4cf448eec 100644 --- a/modules/ssl/ssl_engine_kernel.c +++ b/modules/ssl/ssl_engine_kernel.c @@ -2138,10 +2138,10 @@ static int ssl_find_vhost(void *servername, conn_rec *c, server_rec *s) * There is one special filter callback, which is set * very early depending on the base_server's log level. * If this is not the first vhost we're now selecting - * (and the first vhost doesn't use APLOG_DEBUG), then + * (and the first vhost doesn't use APLOG_TRACE4), then * we need to set that callback here. */ - if (APLOGdebug(s)) { + if (APLOGtrace4(s)) { BIO_set_callback(SSL_get_rbio(ssl), ssl_io_data_cb); BIO_set_callback_arg(SSL_get_rbio(ssl), (void *)ssl); } diff --git a/server/log.c b/server/log.c index b6ce1b6802..db3ae273ec 100644 --- a/server/log.c +++ b/server/log.c 
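Review bot: The TRACE7 gate before `ssl_io_data_dump(s, argp, rc)` now uses the connection-or-server level, but the dump helper is still handed only `s`. Its body is outside this diff, so this is inferred: if it logs through `ap_log_error(..., s, ...)`, a connection-specific trace7 setting would pass the gate here and then be filtered against the server's level inside the helper, while the two TRACE4 messages in this hunk follow the connection. Passing `c` to the helper and logging there with `ap_log_cserror` would keep the scopes aligned. Since the dump writes the BIO buffer contents to the error log, it is worth being exact about which connections can turn it on. `c` and `s` are assigned earlier in `ssl_io_data_cb`, outside the hunk.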
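Review bot: `ssl_find_vhost` installs the BIO callback on `APLOGtrace4(s)`, which looks only at the selected vhost, while `ssl_io_filter_init` and the messages in `ssl_io_data_cb` in ssl_engine_io.c now test `APLOG_CS_IS_LEVEL(c, s, APLOG_TRACE4)`. With a connection-specific log configuration the two tests can disagree, so the callback may be registered for a connection whose trace output is then suppressed; `if (APLOG_CS_IS_LEVEL(c, s, APLOG_TRACE4)) {` would match the other call sites. The comment above the test still says the early callback depends on "the base_server's log level", which no longer exactly describes `ssl_io_filter_init`; suggest `set very early depending on the connection's or base_server's log level`. The function body continues outside the hunk.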
@@ -820,6 +820,19 @@ AP_DECLARE(void) ap_log_rerror_(const char *file, int line, int module_index, va_end(args); } +AP_DECLARE(void) ap_log_cserror_(const char *file, int line, int module_index, + int level, apr_status_t status, + const conn_rec *c, const server_rec *s, + const char *fmt, ...) +{ + va_list args; + + va_start(args, fmt); + log_error_core(file, line, module_index, level, status, s, c, + NULL, NULL, fmt, args); + va_end(args); +} + AP_DECLARE(void) ap_log_cerror_(const char *file, int line, int module_index, int level, apr_status_t status, const conn_rec *c, const char *fmt, ...) diff --git a/server/util_debug.c b/server/util_debug.c index cf8aa0e9c9..3e753f786d 100644 --- a/server/util_debug.c +++ b/server/util_debug.c @@ -139,6 +139,28 @@ AP_DECLARE(int) ap_get_conn_module_loglevel(const conn_rec *c, int module_index) return l->module_levels[module_index]; } +#if defined(ap_get_conn_server_module_loglevel) +#undef ap_get_conn_server_module_loglevel +AP_DECLARE(int) ap_get_conn_server_module_loglevel(const conn_rec *c, + const server_rec *s, + int module_index); +#endif + +AP_DECLARE(int) ap_get_conn_server_module_loglevel(const conn_rec *c, + const server_rec *s, + int module_index) +{ + const struct ap_logconf *l = (c->log && c->log != &c->base_server->log) ? + c->log : &s->log; + if (module_index < 0 || l->module_levels == NULL || + l->module_levels[module_index] < 0) + { + return l->level; + } + + return l->module_levels[module_index]; +} + #if defined(ap_get_request_module_loglevel) #undef ap_get_request_module_loglevel AP_DECLARE(int) ap_get_request_module_loglevel(const request_rec *c, int module_index); -- 2.40.0