From 37f858acc6656dce745bf7564971b503d5b497e3 Mon Sep 17 00:00:00 2001
From: Ryan Bloom
Date: Tue, 4 Jun 2002 07:12:26 +0000
Subject: [PATCH] Remove all special mod_ssl URIs. This also fixes the bug where redirecting (.*) will allow an SSL protected page to be viewed without SSL.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@95501 13f79535-47bb-0310-9956-ffa450edef68
---
 CHANGES | 4 ++
 modules/ssl/mod_ssl.c | 1 -
 modules/ssl/mod_ssl.h | 1 +
 modules/ssl/ssl_engine_io.c | 16 ++++++-
 modules/ssl/ssl_engine_kernel.c | 78 ++++++++++++---------------------
 5 files changed, 47 insertions(+), 53 deletions(-)
diff --git a/CHANGES b/CHANGES
index e094e177de..a1b35deb3d 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,5 +1,9 @@
 Changes with Apache 2.0.37
+ *) Remove all special mod_ssl URIs. This also fixes the bug where
+ redirecting (.*) will allow an SSL protected page to be viewed
+ without SSL. [Ryan Bloom]
+
 *) Fix the binary build install script so that the build logic
 created by "apxs -g" will work when the user has a binary build.
 [Jeff Trawick]
diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c
index 9326cbc0cd..14e971ce79 100644
--- a/modules/ssl/mod_ssl.c
+++ b/modules/ssl/mod_ssl.c
@@ -583,7 +583,6 @@ static void ssl_register_hooks(apr_pool_t *p)
 ap_hook_post_config (ssl_init_Module, NULL,NULL, APR_HOOK_MIDDLE);
 ap_hook_http_method (ssl_hook_http_method, NULL,NULL, APR_HOOK_MIDDLE);
 ap_hook_default_port (ssl_hook_default_port, NULL,NULL, APR_HOOK_MIDDLE);
- ap_hook_handler (ssl_hook_Handler, NULL,NULL, APR_HOOK_MIDDLE);
 ap_hook_pre_config (ssl_hook_pre_config, NULL,NULL, APR_HOOK_MIDDLE);
 ap_hook_child_init (ssl_init_Child, NULL,NULL, APR_HOOK_MIDDLE);
 ap_hook_translate_name(ssl_hook_Translate, NULL,NULL, APR_HOOK_MIDDLE);
diff --git a/modules/ssl/mod_ssl.h b/modules/ssl/mod_ssl.h
index 5999e97ad9..5f8009d694 100644
--- a/modules/ssl/mod_ssl.h
+++ b/modules/ssl/mod_ssl.h
@@ -414,6 +414,7 @@ typedef struct {
 int verify_depth;
 int is_proxy;
 int disabled;
+ int non_ssl_request;
 } SSLConnRec;
 typedef struct {
diff --git a/modules/ssl/ssl_engine_io.c b/modules/ssl/ssl_engine_io.c
index 290e54409f..47e76329c4 100644
--- a/modules/ssl/ssl_engine_io.c
+++ b/modules/ssl/ssl_engine_io.c
@@ -741,8 +741,17 @@ static apr_status_t ssl_io_input_getline(ssl_io_input_ctx_t *ctx,
 return APR_SUCCESS;
 }
+/* Just use a simple request. Any request will work for this, because
+ * we use a flag in the conn_rec->conn_vector now. The fake request just
+ * gets the request back to the Apache core so that a response can be sent.
+ *
+ * We should probably use a 0.9 request, but the BIO bucket code is calling
+ * socket_bucket_read one extra time with all 0.9 requests from the client.
+ * Until that is resolved, continue to use a 1.0 request, just like we
+ * always have.
+ */
 #define HTTP_ON_HTTPS_PORT \
- "GET /mod_ssl:error:HTTP-request HTTP/1.0"
+ "GET / HTTP/1.0"
 #define HTTP_ON_HTTPS_PORT_BUCKET(alloc) \
 apr_bucket_immortal_create(HTTP_ON_HTTPS_PORT, \
@@ -760,6 +769,7 @@ static apr_status_t ssl_io_filter_error(ap_filter_t *f,
 apr_bucket_brigade *bb,
 apr_status_t status)
 {
+ SSLConnRec *sslconn = myConnConfig(f->c);
 apr_bucket *bucket;
 switch (status) {
@@ -771,9 +781,11 @@ static apr_status_t ssl_io_filter_error(ap_filter_t *f,
 "trying to send HTML error page");
 ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, f->c->base_server);
+ sslconn->non_ssl_request = 1;
+ ssl_io_filter_disable(f);
+
 /* fake the request line */
 bucket = HTTP_ON_HTTPS_PORT_BUCKET(f->c->bucket_alloc);
- ssl_io_filter_disable(f);
 break;
 default:
diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
index bfa3d10968..1e50644ae8 100644
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
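Review bot: The new `non_ssl_request` member of SSLConnRec carries no comment, so nothing in the header says who sets it or what it means. Suggest `int non_ssl_request; /* plain HTTP was spoken on the SSL port: set by ssl_io_filter_error, checked by ssl_hook_ReadReq */`. ssl_hook_ReadReq treats any non-zero value as the error case, so ordinary connections presumably rely on SSLConnRec being allocated zeroed; that allocation is outside this diff and worth confirming.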
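Review bot: The new comment above HTTP_ON_HTTPS_PORT refers to "a flag in the conn_rec->conn_vector" without naming it, which leaves the reader to hunt for the link between the faked request line and the 400 it eventually produces. Naming the mechanism would tie the two halves of this change together: ` * we set SSLConnRec->non_ssl_request in ssl_io_filter_error and ssl_hook_ReadReq answers the faked request with HTTP_BAD_REQUEST.` As far as this diff shows, now that the request line is a plain `GET / HTTP/1.0` that flag is the only thing standing between the faked request and normal request processing, so the dependency deserves to be stated where the constant is defined.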
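Review bot: `sslconn->non_ssl_request = 1;` dereferences the sslconn obtained from myConnConfig(f->c) in the previous hunk without a NULL check. If this input filter is only ever attached to connections that carry an SSLConnRec the dereference is safe, but that invariant is not visible here; either a comment at the declaration, `/* non-NULL: this filter only runs on SSL-enabled connections */`, or an explicit guard before the assignment would document it. ssl_io_filter_error continues past the hunk.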
@@ -174,6 +174,34 @@ int ssl_hook_ReadReq(request_rec *r)
 return DECLINED;
 }
+ if (sslconn->non_ssl_request) {
+ const char *errmsg;
+ char *thisurl;
+ char *thisport = "";
+ int port = ap_get_server_port(r);
+
+ if (!ap_is_default_port(port, r)) {
+ thisport = apr_psprintf(r->pool, ":%u", port);
+ }
+
+ thisurl = ap_escape_html(r->pool,
+ apr_psprintf(r->pool, "https://%s%s/",
+ ap_get_server_name(r),
+ thisport));
+
+ errmsg = apr_psprintf(r->pool,
+ "Reason: You're speaking plain HTTP "
+ "to an SSL-enabled server port.
\n" + "Instead use the HTTPS scheme to access " + "this URL, please.
\n" + "
Hint: " + "%s
",
+ thisurl, thisurl);
+
+ apr_table_setn(r->notes, "error-notes", errmsg);
+ return HTTP_BAD_REQUEST;
+ }
+
 /*
 * Get the SSL connection structure and perform the
 * delayed interlinking from SSL back to request_rec
@@ -182,13 +210,6 @@ int ssl_hook_ReadReq(request_rec *r)
 SSL_set_app_data2(ssl, r);
 }
- /*
- * Force the mod_ssl content handler when URL indicates this
- */
- if (strEQn(r->uri, "/mod_ssl:", 9)) {
- r->handler = "mod_ssl:content-handler";
- }
-
 return DECLINED;
 }
@@ -264,49 +285,6 @@ int ssl_hook_Translate(request_rec *r)
 return DECLINED;
 }
-/*
- * Content Handler
- */
-int ssl_hook_Handler(request_rec *r)
-{
- if (strNE(r->handler, "mod_ssl:content-handler")) {
- return DECLINED;
- }
-
- if (strNEn(r->uri, "/mod_ssl:", 9)) {
- return DECLINED;
- }
-
- if (strEQ(r->uri, "/mod_ssl:error:HTTP-request")) {
- const char *errmsg;
- char *thisurl;
- char *thisport = "";
- int port = ap_get_server_port(r);
-
- if (!ap_is_default_port(port, r)) {
- thisport = apr_psprintf(r->pool, ":%u", port);
- }
-
- thisurl = ap_escape_html(r->pool,
- apr_psprintf(r->pool, "https://%s%s/",
- ap_get_server_name(r),
- thisport));
-
- errmsg = apr_psprintf(r->pool,
- "Reason: You're speaking plain HTTP "
- "to an SSL-enabled server port.
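Review bot: The new `if (sslconn->non_ssl_request)` block has no comment explaining why a post-read-request hook is answering with HTTP_BAD_REQUEST, and its connection to the faked `GET / HTTP/1.0` in ssl_engine_io.c is only discoverable by reading both files. Suggest a comment above the check along the lines of `/* Plain HTTP was spoken on the SSL port: ssl_io_filter_error faked the request line and set this flag, so refuse the request here with a hint URL instead of letting it be served. */`. Keying the check on the connection flag rather than on r->uri is what makes this hook immune to URI rewriting, which is worth stating explicitly since that is the bug the commit fixes. The `return DECLINED;` context above presumably belongs to a NULL guard on sslconn, so the dereference here is safe only while that guard stays ahead of this block. ssl_hook_ReadReq starts and ends outside the hunk.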
\n" - "Instead use the HTTPS scheme to access " - "this URL, please.
\n" - "
Hint: " - "%s
",
- thisurl, thisurl);
-
- apr_table_setn(r->notes, "error-notes", errmsg);
- }
-
- return HTTP_BAD_REQUEST;
-}
-
 /*
 * Access Handler
 */
--
2.40.0