1
/* Licensed to the Apache Software Foundation (ASF) under one or more
2
* contributor license agreements. See the NOTICE file distributed with
3
* this work for additional information regarding copyright ownership.
4
* The ASF licenses this file to You under the Apache License, Version 2.0
5
* (the "License"); you may not use this file except in compliance with
6
* the License. You may obtain a copy of the License at
8
* http://www.apache.org/licenses/LICENSE-2.0
10
* Unless required by applicable law or agreed to in writing, software
11
* distributed under the License is distributed on an "AS IS" BASIS,
12
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13
* See the License for the specific language governing permissions and
14
* limitations under the License.
18
* http_filter.c --- HTTP routines which either filters or deal with filters.
22
#include "apr_strings.h"
23
#include "apr_buckets.h"
25
#include "apr_signal.h"
27
#define APR_WANT_STDIO /* for sscanf */
28
#define APR_WANT_STRFUNC
29
#define APR_WANT_MEMFUNC
33
#include "util_filter.h"
34
#include "ap_config.h"
36
#include "http_config.h"
37
#include "http_core.h"
38
#include "http_protocol.h"
39
#include "http_main.h"
40
#include "http_request.h"
41
#include "http_vhost.h"
42
#include "http_log.h" /* For errors detected in basic auth common
44
#include "apr_date.h" /* For apr_date_parse_http and APR_DATE_BAD */
45
#include "util_charset.h"
46
#include "util_ebcdic.h"
47
#include "util_time.h"
58
static long get_chunk_size(char *);
60
typedef struct http_filter_ctx {
72
/* This is the HTTP_INPUT filter for HTTP requests and responses from
73
* proxied servers (mod_proxy). It handles chunked and content-length
74
* bodies. This can only be inserted/used after the headers
75
* are successfully parsed.
77
apr_status_t ap_http_filter(ap_filter_t *f, apr_bucket_brigade *b,
78
ap_input_mode_t mode, apr_read_type_e block,
82
http_ctx_t *ctx = f->ctx;
86
/* just get out of the way of things we don't want. */
87
if (mode != AP_MODE_READBYTES && mode != AP_MODE_GETLINE) {
88
return ap_get_brigade(f->next, b, mode, block, readbytes);
92
const char *tenc, *lenp;
93
f->ctx = ctx = apr_palloc(f->r->pool, sizeof(*ctx));
94
ctx->state = BODY_NONE;
99
/* LimitRequestBody does not apply to proxied responses.
100
* Consider implementing this check in its own filter.
101
* Would adding a directive to limit the size of proxied
102
* responses be useful?
104
if (!f->r->proxyreq) {
105
ctx->limit = ap_get_limit_req_body(f->r);
111
tenc = apr_table_get(f->r->headers_in, "Transfer-Encoding");
112
lenp = apr_table_get(f->r->headers_in, "Content-Length");
115
if (!strcasecmp(tenc, "chunked")) {
116
ctx->state = BODY_CHUNK;
122
ctx->state = BODY_LENGTH;
125
/* Protects against over/underflow, non-digit chars in the
126
* string (excluding leading space) (the endstr checks)
127
* and a negative number. */
128
if (apr_strtoff(&ctx->remaining, lenp, &endstr, 10)
129
|| endstr == lenp || *endstr || ctx->remaining < 0) {
130
apr_bucket_brigade *bb;
133
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, f->r,
134
"Invalid Content-Length");
136
bb = apr_brigade_create(f->r->pool, f->c->bucket_alloc);
137
e = ap_bucket_error_create(HTTP_REQUEST_ENTITY_TOO_LARGE, NULL,
138
f->r->pool, f->c->bucket_alloc);
139
APR_BRIGADE_INSERT_TAIL(bb, e);
140
e = apr_bucket_eos_create(f->c->bucket_alloc);
141
APR_BRIGADE_INSERT_TAIL(bb, e);
143
return ap_pass_brigade(f->r->output_filters, bb);
146
/* If we have a limit in effect and we know the C-L ahead of
147
* time, stop it here if it is invalid.
149
if (ctx->limit && ctx->limit < ctx->remaining) {
150
apr_bucket_brigade *bb;
151
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, f->r,
152
"Requested content-length of %" APR_OFF_T_FMT
153
" is larger than the configured limit"
154
" of %" APR_OFF_T_FMT, ctx->remaining, ctx->limit);
155
bb = apr_brigade_create(f->r->pool, f->c->bucket_alloc);
156
e = ap_bucket_error_create(HTTP_REQUEST_ENTITY_TOO_LARGE, NULL,
157
f->r->pool, f->c->bucket_alloc);
158
APR_BRIGADE_INSERT_TAIL(bb, e);
159
e = apr_bucket_eos_create(f->c->bucket_alloc);
160
APR_BRIGADE_INSERT_TAIL(bb, e);
162
return ap_pass_brigade(f->r->output_filters, bb);
166
/* If we don't have a request entity indicated by the headers, EOS.
167
* (BODY_NONE is a valid intermediate state due to trailers,
168
* but it isn't a valid starting state.)
170
* RFC 2616 Section 4.4 note 5 states that connection-close
171
* is invalid for a request entity - request bodies must be
172
* denoted by C-L or T-E: chunked.
174
* Note that since the proxy uses this filter to handle the
175
* proxied *response*, proxy responses MUST be exempt.
177
if (ctx->state == BODY_NONE && f->r->proxyreq != PROXYREQ_RESPONSE) {
178
e = apr_bucket_eos_create(f->c->bucket_alloc);
179
APR_BRIGADE_INSERT_TAIL(b, e);
184
/* Since we're about to read data, send 100-Continue if needed.
185
* Only valid on chunked and C-L bodies where the C-L is > 0. */
186
if ((ctx->state == BODY_CHUNK ||
187
(ctx->state == BODY_LENGTH && ctx->remaining > 0)) &&
188
f->r->expecting_100 && f->r->proto_num >= HTTP_VERSION(1,1)) {
190
apr_bucket_brigade *bb;
192
tmp = apr_pstrcat(f->r->pool, AP_SERVER_PROTOCOL, " ",
193
ap_get_status_line(100), CRLF CRLF, NULL);
194
bb = apr_brigade_create(f->r->pool, f->c->bucket_alloc);
195
e = apr_bucket_pool_create(tmp, strlen(tmp), f->r->pool,
197
APR_BRIGADE_INSERT_HEAD(bb, e);
198
e = apr_bucket_flush_create(f->c->bucket_alloc);
199
APR_BRIGADE_INSERT_TAIL(bb, e);
201
ap_pass_brigade(f->c->output_filters, bb);
204
/* We can't read the chunk until after sending 100 if required. */
205
if (ctx->state == BODY_CHUNK) {
207
apr_bucket_brigade *bb;
209
apr_off_t brigade_length;
211
bb = apr_brigade_create(f->r->pool, f->c->bucket_alloc);
213
rv = ap_get_brigade(f->next, bb, AP_MODE_GETLINE,
216
if (rv == APR_SUCCESS) {
217
/* We have to check the length of the brigade we got back.
218
* We will not accept partial or blank lines.
220
rv = apr_brigade_length(bb, 1, &brigade_length);
221
if (rv == APR_SUCCESS
222
&& (!brigade_length ||
223
brigade_length > f->r->server->limit_req_line)) {
226
if (rv == APR_SUCCESS) {
227
rv = apr_brigade_flatten(bb, line, &len);
228
if (rv == APR_SUCCESS) {
229
ctx->remaining = get_chunk_size(line);
233
apr_brigade_cleanup(bb);
235
/* Detect chunksize error (such as overflow) */
236
if (rv != APR_SUCCESS || ctx->remaining < 0) {
237
ctx->remaining = 0; /* Reset it in case we have to
238
* come back here later */
239
e = ap_bucket_error_create(HTTP_REQUEST_ENTITY_TOO_LARGE, NULL,
242
APR_BRIGADE_INSERT_TAIL(bb, e);
243
e = apr_bucket_eos_create(f->c->bucket_alloc);
244
APR_BRIGADE_INSERT_TAIL(bb, e);
246
return ap_pass_brigade(f->r->output_filters, bb);
249
if (!ctx->remaining) {
250
/* Handle trailers by calling ap_get_mime_headers again! */
251
ctx->state = BODY_NONE;
252
ap_get_mime_headers(f->r);
253
e = apr_bucket_eos_create(f->c->bucket_alloc);
254
APR_BRIGADE_INSERT_TAIL(b, e);
262
e = apr_bucket_eos_create(f->c->bucket_alloc);
263
APR_BRIGADE_INSERT_TAIL(b, e);
267
if (!ctx->remaining) {
268
switch (ctx->state) {
272
e = apr_bucket_eos_create(f->c->bucket_alloc);
273
APR_BRIGADE_INSERT_TAIL(b, e);
279
apr_bucket_brigade *bb;
281
apr_status_t http_error = HTTP_REQUEST_ENTITY_TOO_LARGE;
283
bb = apr_brigade_create(f->r->pool, f->c->bucket_alloc);
285
/* We need to read the CRLF after the chunk. */
286
rv = ap_get_brigade(f->next, bb, AP_MODE_GETLINE,
288
apr_brigade_cleanup(bb);
290
if (rv == APR_SUCCESS) {
291
/* Read the real chunk line. */
292
rv = ap_get_brigade(f->next, bb, AP_MODE_GETLINE,
294
if (rv == APR_SUCCESS) {
295
rv = apr_brigade_flatten(bb, line, &len);
296
if (rv == APR_SUCCESS) {
297
/* Wait a sec, that's a blank line! Oh no. */
300
http_error = HTTP_SERVICE_UNAVAILABLE;
303
ctx->remaining = get_chunk_size(line);
307
apr_brigade_cleanup(bb);
310
/* Detect chunksize error (such as overflow) */
311
if (rv != APR_SUCCESS || ctx->remaining < 0) {
312
apr_status_t out_error;
314
ctx->remaining = 0; /* Reset it in case we have to
315
* come back here later */
316
e = ap_bucket_error_create(http_error,
319
APR_BRIGADE_INSERT_TAIL(bb, e);
320
e = apr_bucket_eos_create(f->c->bucket_alloc);
321
APR_BRIGADE_INSERT_TAIL(bb, e);
323
out_error = ap_pass_brigade(f->r->output_filters, bb);
327
if (!ctx->remaining) {
328
/* Handle trailers by calling ap_get_mime_headers again! */
329
ctx->state = BODY_NONE;
330
ap_get_mime_headers(f->r);
331
e = apr_bucket_eos_create(f->c->bucket_alloc);
332
APR_BRIGADE_INSERT_TAIL(b, e);
341
/* Ensure that the caller can not go over our boundary point. */
342
if (ctx->state == BODY_LENGTH || ctx->state == BODY_CHUNK) {
343
if (ctx->remaining < readbytes) {
344
readbytes = ctx->remaining;
346
AP_DEBUG_ASSERT(readbytes > 0);
349
rv = ap_get_brigade(f->next, b, mode, block, readbytes);
351
if (rv != APR_SUCCESS) {
355
/* How many bytes did we just read? */
356
apr_brigade_length(b, 0, &totalread);
358
/* If this happens, we have a bucket of unknown length. Die because
359
* it means our assumptions have changed. */
360
AP_DEBUG_ASSERT(totalread >= 0);
362
if (ctx->state != BODY_NONE) {
363
ctx->remaining -= totalread;
366
/* If we have no more bytes remaining on a C-L request,
367
* save the callter a roundtrip to discover EOS.
369
if (ctx->state == BODY_LENGTH && ctx->remaining == 0) {
370
e = apr_bucket_eos_create(f->c->bucket_alloc);
371
APR_BRIGADE_INSERT_TAIL(b, e);
374
/* We have a limit in effect. */
376
/* FIXME: Note that we might get slightly confused on chunked inputs
377
* as we'd need to compensate for the chunk lengths which may not
378
* really count. This seems to be up for interpretation. */
379
ctx->limit_used += totalread;
380
if (ctx->limit < ctx->limit_used) {
381
apr_bucket_brigade *bb;
382
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, f->r,
383
"Read content-length of %" APR_OFF_T_FMT
384
" is larger than the configured limit"
385
" of %" APR_OFF_T_FMT, ctx->limit_used, ctx->limit);
386
bb = apr_brigade_create(f->r->pool, f->c->bucket_alloc);
387
e = ap_bucket_error_create(HTTP_REQUEST_ENTITY_TOO_LARGE, NULL,
390
APR_BRIGADE_INSERT_TAIL(bb, e);
391
e = apr_bucket_eos_create(f->c->bucket_alloc);
392
APR_BRIGADE_INSERT_TAIL(bb, e);
394
return ap_pass_brigade(f->r->output_filters, bb);
402
* Parse a chunk extension, detect overflow.
403
* There are two error cases:
404
* 1) If the conversion would require too many bits, a -1 is returned.
405
* 2) If the conversion used the correct number of bits, but an overflow
406
* caused only the sign bit to flip, then that negative number is
408
* In general, any negative number can be considered an overflow error.
410
static long get_chunk_size(char *b)
413
size_t chunkbits = sizeof(long) * 8;
415
ap_xlate_proto_from_ascii(b, strlen(b));
417
/* Skip leading zeros */
422
while (apr_isxdigit(*b) && (chunkbits > 0)) {
425
if (*b >= '0' && *b <= '9') {
428
else if (*b >= 'A' && *b <= 'F') {
429
xvalue = *b - 'A' + 0xa;
431
else if (*b >= 'a' && *b <= 'f') {
432
xvalue = *b - 'a' + 0xa;
435
chunksize = (chunksize << 4) | xvalue;
439
if (apr_isxdigit(*b) && (chunkbits <= 0)) {
447
typedef struct header_struct {
449
apr_bucket_brigade *bb;
452
/* Send a single HTTP header field to the client. Note that this function
453
* is used in calls to table_do(), so their interfaces are co-dependent.
454
* In other words, don't change this one without checking table_do in alloc.c.
455
* It returns true unless there was a write error of some kind.
457
static int form_header_field(header_struct *h,
458
const char *fieldname, const char *fieldval)
460
#if APR_CHARSET_EBCDIC
467
name_len = strlen(fieldname);
468
val_len = strlen(fieldval);
469
len = name_len + val_len + 4; /* 4 for ": " plus CRLF */
470
headfield = (char *)apr_palloc(h->pool, len + 1);
471
memcpy(headfield, fieldname, name_len);
472
next = headfield + name_len;
475
memcpy(next, fieldval, val_len);
480
ap_xlate_proto_to_ascii(headfield, len);
481
apr_brigade_write(h->bb, NULL, NULL, headfield, len);
484
struct iovec *v = vec;
485
v->iov_base = (void *)fieldname;
486
v->iov_len = strlen(fieldname);
489
v->iov_len = sizeof(": ") - 1;
491
v->iov_base = (void *)fieldval;
492
v->iov_len = strlen(fieldval);
495
v->iov_len = sizeof(CRLF) - 1;
496
apr_brigade_writev(h->bb, NULL, NULL, vec, 4);
497
#endif /* !APR_CHARSET_EBCDIC */
501
/* This routine is called by apr_table_do and merges all instances of
502
* the passed field values into a single array that will be further
503
* processed by some later routine. Originally intended to help split
504
* and recombine multiple Vary fields, though it is generic to any field
505
* consisting of comma/space-separated tokens.
507
static int uniq_field_values(void *d, const char *key, const char *val)
509
apr_array_header_t *values;
515
values = (apr_array_header_t *)d;
517
e = apr_pstrdup(values->pool, val);
520
/* Find a non-empty fieldname */
522
while (*e == ',' || apr_isspace(*e)) {
529
while (*e != '\0' && *e != ',' && !apr_isspace(*e)) {
536
/* Now add it to values if it isn't already represented.
537
* Could be replaced by a ap_array_strcasecmp() if we had one.
539
for (i = 0, strpp = (char **) values->elts; i < values->nelts;
541
if (*strpp && strcasecmp(*strpp, start) == 0) {
545
if (i == values->nelts) { /* if not found */
546
*(char **)apr_array_push(values) = start;
548
} while (*e != '\0');
554
* Since some clients choke violently on multiple Vary fields, or
555
* Vary fields with duplicate tokens, combine any multiples and remove
558
static void fixup_vary(request_rec *r)
560
apr_array_header_t *varies;
562
varies = apr_array_make(r->pool, 5, sizeof(char *));
564
/* Extract all Vary fields from the headers_out, separate each into
565
* its comma-separated fieldname values, and then add them to varies
566
* if not already present in the array.
568
apr_table_do((int (*)(void *, const char *, const char *))uniq_field_values,
569
(void *) varies, r->headers_out, "Vary", NULL);
571
/* If we found any, replace old Vary fields with unique-ified value */
573
if (varies->nelts > 0) {
574
apr_table_setn(r->headers_out, "Vary",
575
apr_array_pstrcat(r->pool, varies, ','));
579
/* Send a request's HTTP response headers to the client.
581
static apr_status_t send_all_header_fields(header_struct *h,
582
const request_rec *r)
584
const apr_array_header_t *elts;
585
const apr_table_entry_t *t_elt;
586
const apr_table_entry_t *t_end;
588
struct iovec *vec_next;
590
elts = apr_table_elts(r->headers_out);
591
if (elts->nelts == 0) {
594
t_elt = (const apr_table_entry_t *)(elts->elts);
595
t_end = t_elt + elts->nelts;
596
vec = (struct iovec *)apr_palloc(h->pool, 4 * elts->nelts *
597
sizeof(struct iovec));
600
/* For each field, generate
601
* name ": " value CRLF
604
vec_next->iov_base = (void*)(t_elt->key);
605
vec_next->iov_len = strlen(t_elt->key);
607
vec_next->iov_base = ": ";
608
vec_next->iov_len = sizeof(": ") - 1;
610
vec_next->iov_base = (void*)(t_elt->val);
611
vec_next->iov_len = strlen(t_elt->val);
613
vec_next->iov_base = CRLF;
614
vec_next->iov_len = sizeof(CRLF) - 1;
617
} while (t_elt < t_end);
619
#if APR_CHARSET_EBCDIC
622
char *tmp = apr_pstrcatv(r->pool, vec, vec_next - vec, &len);
623
ap_xlate_proto_to_ascii(tmp, len);
624
return apr_brigade_write(h->bb, NULL, NULL, tmp, len);
627
return apr_brigade_writev(h->bb, NULL, NULL, vec, vec_next - vec);
631
/* Confirm that the status line is well-formed and matches r->status.
632
* If they don't match, a filter may have negated the status line set by a
634
* Zap r->status_line if bad.
636
static void validate_status_line(request_rec *r)
641
&& (strlen(r->status_line) <= 4
642
|| apr_strtoi64(r->status_line, &end, 10) != r->status
644
|| (end - 3) != r->status_line)) {
645
r->status_line = NULL;
650
* Determine the protocol to use for the response. Potentially downgrade
651
* to HTTP/1.0 in some situations and/or turn off keepalives.
653
* also prepare r->status_line.
655
static void basic_http_header_check(request_rec *r,
656
const char **protocol)
658
if (r->assbackwards) {
659
/* no such thing as a response protocol */
663
validate_status_line(r);
665
if (!r->status_line) {
666
r->status_line = ap_get_status_line(r->status);
669
/* Note that we must downgrade before checking for force responses. */
670
if (r->proto_num > HTTP_VERSION(1,0)
671
&& apr_table_get(r->subprocess_env, "downgrade-1.0")) {
672
r->proto_num = HTTP_VERSION(1,0);
675
/* kludge around broken browsers when indicated by force-response-1.0
677
if (r->proto_num == HTTP_VERSION(1,0)
678
&& apr_table_get(r->subprocess_env, "force-response-1.0")) {
679
*protocol = "HTTP/1.0";
680
r->connection->keepalive = AP_CONN_CLOSE;
683
*protocol = AP_SERVER_PROTOCOL;
688
/* fill "bb" with a barebones/initial HTTP response header */
689
static void basic_http_header(request_rec *r, apr_bucket_brigade *bb,
690
const char *protocol)
697
if (r->assbackwards) {
698
/* there are no headers to send */
702
/* Output the HTTP/1.x Status-Line and the Date and Server fields */
704
vec[0].iov_base = (void *)protocol;
705
vec[0].iov_len = strlen(protocol);
706
vec[1].iov_base = (void *)" ";
707
vec[1].iov_len = sizeof(" ") - 1;
708
vec[2].iov_base = (void *)(r->status_line);
709
vec[2].iov_len = strlen(r->status_line);
710
vec[3].iov_base = (void *)CRLF;
711
vec[3].iov_len = sizeof(CRLF) - 1;
712
#if APR_CHARSET_EBCDIC
716
tmp = apr_pstrcatv(r->pool, vec, 4, &len);
717
ap_xlate_proto_to_ascii(tmp, len);
718
apr_brigade_write(bb, NULL, NULL, tmp, len);
721
apr_brigade_writev(bb, NULL, NULL, vec, 4);
724
date = apr_palloc(r->pool, APR_RFC822_DATE_LEN);
725
ap_recent_rfc822_date(date, r->request_time);
729
form_header_field(&h, "Date", date);
731
/* keep the set-by-proxy server header, otherwise
732
* generate a new server header */
733
if (r->proxyreq != PROXYREQ_NONE) {
734
server = apr_table_get(r->headers_out, "Server");
736
form_header_field(&h, "Server", server);
740
form_header_field(&h, "Server", ap_get_server_version());
743
/* unset so we don't send them again */
744
apr_table_unset(r->headers_out, "Date"); /* Avoid bogosity */
745
apr_table_unset(r->headers_out, "Server");
748
AP_DECLARE(void) ap_basic_http_header(request_rec *r, apr_bucket_brigade *bb)
750
const char *protocol;
752
basic_http_header_check(r, &protocol);
753
basic_http_header(r, bb, protocol);
756
/* Navigator versions 2.x, 3.x and 4.0 betas up to and including 4.0b2
757
* have a header parsing bug. If the terminating \r\n occur starting
758
* at offset 256, 257 or 258 of output then it will not properly parse
759
* the headers. Curiously it doesn't exhibit this problem at 512, 513.
760
* We are guessing that this is because their initial read of a new request
761
* uses a 256 byte buffer, and subsequent reads use a larger buffer.
762
* So the problem might exist at different offsets as well.
764
* This should also work on keepalive connections assuming they use the
765
* same small buffer for the first read of each new request.
767
* At any rate, we check the bytes written so far and, if we are about to
768
* tickle the bug, we instead insert a bogus padding header. Since the bug
769
* manifests as a broken image in Navigator, users blame the server. :(
770
* It is more expensive to check the User-Agent than it is to just add the
771
* bytes, so we haven't used the BrowserMatch feature here.
773
static void terminate_header(apr_bucket_brigade *bb)
775
char tmp[] = "X-Pad: avoid browser bug" CRLF;
780
(void) apr_brigade_length(bb, 1, &len);
782
if (len >= 255 && len <= 257) {
783
buflen = strlen(tmp);
784
ap_xlate_proto_to_ascii(tmp, buflen);
785
apr_brigade_write(bb, NULL, NULL, tmp, buflen);
787
buflen = strlen(crlf);
788
ap_xlate_proto_to_ascii(crlf, buflen);
789
apr_brigade_write(bb, NULL, NULL, crlf, buflen);
792
AP_DECLARE_NONSTD(int) ap_send_http_trace(request_rec *r)
794
core_server_config *conf;
796
apr_bucket_brigade *bb;
800
char *bodyread = NULL, *bodyoff;
801
apr_size_t bodylen = 0;
803
long res = -1; /* init to avoid gcc -Wall warning */
805
if (r->method_number != M_TRACE) {
809
/* Get the original request */
813
conf = (core_server_config *)ap_get_module_config(r->server->module_config,
816
if (conf->trace_enable == AP_TRACE_DISABLE) {
817
apr_table_setn(r->notes, "error-notes",
818
"TRACE denied by server configuration");
819
return HTTP_FORBIDDEN;
822
if (conf->trace_enable == AP_TRACE_EXTENDED)
823
/* XX should be = REQUEST_CHUNKED_PASS */
824
body = REQUEST_CHUNKED_DECHUNK;
826
body = REQUEST_NO_BODY;
828
if ((rv = ap_setup_client_block(r, body))) {
829
if (rv == HTTP_REQUEST_ENTITY_TOO_LARGE)
830
apr_table_setn(r->notes, "error-notes",
831
"TRACE with a request body is not allowed");
835
if (ap_should_client_block(r)) {
837
if (r->remaining > 0) {
838
if (r->remaining > 65536) {
839
apr_table_setn(r->notes, "error-notes",
840
"Extended TRACE request bodies cannot exceed 64k\n");
841
return HTTP_REQUEST_ENTITY_TOO_LARGE;
843
/* always 32 extra bytes to catch chunk header exceptions */
844
bodybuf = (apr_size_t)r->remaining + 32;
847
/* Add an extra 8192 for chunk headers */
851
bodyoff = bodyread = apr_palloc(r->pool, bodybuf);
853
/* only while we have enough for a chunked header */
854
while ((!bodylen || bodybuf >= 32) &&
855
(res = ap_get_client_block(r, bodyoff, bodybuf)) > 0) {
860
if (res > 0 && bodybuf < 32) {
861
/* discard_rest_of_request_body into our buffer */
862
while (ap_get_client_block(r, bodyread, bodylen) > 0)
864
apr_table_setn(r->notes, "error-notes",
865
"Extended TRACE request bodies cannot exceed 64k\n");
866
return HTTP_REQUEST_ENTITY_TOO_LARGE;
870
return HTTP_BAD_REQUEST;
874
ap_set_content_type(r, "message/http");
876
/* Now we recreate the request, and echo it back */
878
bb = apr_brigade_create(r->pool, r->connection->bucket_alloc);
879
apr_brigade_putstrs(bb, NULL, NULL, r->the_request, CRLF, NULL);
882
apr_table_do((int (*) (void *, const char *, const char *))
883
form_header_field, (void *) &h, r->headers_in, NULL);
884
apr_brigade_puts(bb, NULL, NULL, CRLF);
886
/* If configured to accept a body, echo the body */
888
b = apr_bucket_pool_create(bodyread, bodylen,
889
r->pool, bb->bucket_alloc);
890
APR_BRIGADE_INSERT_TAIL(bb, b);
893
ap_pass_brigade(r->output_filters, bb);
898
typedef struct header_filter_ctx {
902
AP_CORE_DECLARE_NONSTD(apr_status_t) ap_http_header_filter(ap_filter_t *f,
903
apr_bucket_brigade *b)
905
request_rec *r = f->r;
906
conn_rec *c = r->connection;
907
const char *clheader;
908
const char *protocol;
910
apr_bucket_brigade *b2;
912
header_filter_ctx *ctx = f->ctx;
914
AP_DEBUG_ASSERT(!r->main);
916
if (r->header_only) {
918
ctx = f->ctx = apr_pcalloc(r->pool, sizeof(header_filter_ctx));
920
else if (ctx->headers_sent) {
921
apr_brigade_destroy(b);
926
for (e = APR_BRIGADE_FIRST(b);
927
e != APR_BRIGADE_SENTINEL(b);
928
e = APR_BUCKET_NEXT(e))
930
if (AP_BUCKET_IS_ERROR(e)) {
931
ap_bucket_error *eb = e->data;
933
ap_die(eb->status, r);
934
return AP_FILTER_ERROR;
938
if (r->assbackwards) {
940
ap_remove_output_filter(f);
941
return ap_pass_brigade(f->next, b);
945
* Now that we are ready to send a response, we need to combine the two
946
* header field tables into a single table. If we don't do this, our
947
* later attempts to set or unset a given fieldname might be bypassed.
949
if (!apr_is_empty_table(r->err_headers_out)) {
950
r->headers_out = apr_table_overlay(r->pool, r->err_headers_out,
955
* Remove the 'Vary' header field if the client can't handle it.
956
* Since this will have nasty effects on HTTP/1.1 caches, force
957
* the response into HTTP/1.0 mode.
959
* Note: the force-response-1.0 should come before the call to
960
* basic_http_header_check()
962
if (apr_table_get(r->subprocess_env, "force-no-vary") != NULL) {
963
apr_table_unset(r->headers_out, "Vary");
964
r->proto_num = HTTP_VERSION(1,0);
965
apr_table_set(r->subprocess_env, "force-response-1.0", "1");
972
* Now remove any ETag response header field if earlier processing
973
* says so (such as a 'FileETag None' directive).
975
if (apr_table_get(r->notes, "no-etag") != NULL) {
976
apr_table_unset(r->headers_out, "ETag");
979
/* determine the protocol and whether we should use keepalives. */
980
basic_http_header_check(r, &protocol);
984
apr_table_mergen(r->headers_out, "Transfer-Encoding", "chunked");
985
apr_table_unset(r->headers_out, "Content-Length");
988
apr_table_setn(r->headers_out, "Content-Type",
989
ap_make_content_type(r, r->content_type));
991
if (r->content_encoding) {
992
apr_table_setn(r->headers_out, "Content-Encoding",
993
r->content_encoding);
996
if (!apr_is_empty_array(r->content_languages)) {
998
char **languages = (char **)(r->content_languages->elts);
999
for (i = 0; i < r->content_languages->nelts; ++i) {
1000
apr_table_mergen(r->headers_out, "Content-Language", languages[i]);
1005
* Control cachability for non-cachable responses if not already set by
1006
* some other part of the server configuration.
1008
if (r->no_cache && !apr_table_get(r->headers_out, "Expires")) {
1009
char *date = apr_palloc(r->pool, APR_RFC822_DATE_LEN);
1010
ap_recent_rfc822_date(date, r->request_time);
1011
apr_table_addn(r->headers_out, "Expires", date);
1014
/* This is a hack, but I can't find anyway around it. The idea is that
1015
* we don't want to send out 0 Content-Lengths if it is a head request.
1016
* This happens when modules try to outsmart the server, and return
1017
* if they see a HEAD request. Apache 1.3 handlers were supposed to
1018
* just return in that situation, and the core handled the HEAD. In
1019
* 2.0, if a handler returns, then the core sends an EOS bucket down
1020
* the filter stack, and the content-length filter computes a C-L of
1021
* zero and that gets put in the headers, and we end up sending a
1022
* zero C-L to the client. We can't just remove the C-L filter,
1023
* because well behaved 2.0 handlers will send their data down the stack,
1024
* and we will compute a real C-L for the head request. RBB
1027
&& (clheader = apr_table_get(r->headers_out, "Content-Length"))
1028
&& !strcmp(clheader, "0")) {
1029
apr_table_unset(r->headers_out, "Content-Length");
1032
b2 = apr_brigade_create(r->pool, c->bucket_alloc);
1033
basic_http_header(r, b2, protocol);
1038
if (r->status == HTTP_NOT_MODIFIED) {
1039
apr_table_do((int (*)(void *, const char *, const char *)) form_header_field,
1040
(void *) &h, r->headers_out,
1050
"Proxy-Authenticate",
1056
send_all_header_fields(&h, r);
1059
terminate_header(b2);
1061
ap_pass_brigade(f->next, b2);
1063
if (r->header_only) {
1064
apr_brigade_destroy(b);
1065
ctx->headers_sent = 1;
1069
r->sent_bodyct = 1; /* Whatever follows is real body stuff... */
1072
/* We can't add this filter until we have already sent the headers.
1073
* If we add it before this point, then the headers will be chunked
1074
* as well, and that is just wrong.
1076
ap_add_output_filter("CHUNK", NULL, r, r->connection);
1079
/* Don't remove this filter until after we have added the CHUNK filter.
1080
* Otherwise, f->next won't be the CHUNK filter and thus the first
1081
* brigade won't be chunked properly.
1083
ap_remove_output_filter(f);
1084
return ap_pass_brigade(f->next, b);
1087
/* In HTTP/1.1, any method can have a body. However, most GET handlers
1088
* wouldn't know what to do with a request body if they received one.
1089
* This helper routine tests for and reads any message body in the request,
1090
* simply discarding whatever it receives. We need to do this because
1091
* failing to read the request body would cause it to be interpreted
1092
* as the next request on a persistent connection.
1094
* Since we return an error status if the request is malformed, this
1095
* routine should be called at the beginning of a no-body handler, e.g.,
1097
* if ((retval = ap_discard_request_body(r)) != OK) {
1101
AP_DECLARE(int) ap_discard_request_body(request_rec *r)
1103
apr_bucket_brigade *bb;
1106
/* Sometimes we'll get in a state where the input handling has
1107
* detected an error where we want to drop the connection, so if
1108
* that's the case, don't read the data as that is what we're trying
1111
* This function is also a no-op on a subrequest.
1113
if (r->main || r->connection->keepalive == AP_CONN_CLOSE ||
1114
ap_status_drops_connection(r->status)) {
1118
bb = apr_brigade_create(r->pool, r->connection->bucket_alloc);
1123
rv = ap_get_brigade(r->input_filters, bb, AP_MODE_READBYTES,
1124
APR_BLOCK_READ, HUGE_STRING_LEN);
1126
if (rv != APR_SUCCESS) {
1127
/* FIXME: If we ever have a mapping from filters (apr_status_t)
1128
* to HTTP error codes, this would be a good place for them.
1130
* If we received the special case AP_FILTER_ERROR, it means
1131
* that the filters have already handled this error.
1132
* Otherwise, we should assume we have a bad request.
1134
if (rv == AP_FILTER_ERROR) {
1135
apr_brigade_destroy(bb);
1139
apr_brigade_destroy(bb);
1140
return HTTP_BAD_REQUEST;
1144
for (bucket = APR_BRIGADE_FIRST(bb);
1145
bucket != APR_BRIGADE_SENTINEL(bb);
1146
bucket = APR_BUCKET_NEXT(bucket))
1151
if (APR_BUCKET_IS_EOS(bucket)) {
1156
/* These are metadata buckets. */
1157
if (bucket->length == 0) {
1161
/* We MUST read because in case we have an unknown-length
1162
* bucket or one that morphs, we want to exhaust it.
1164
rv = apr_bucket_read(bucket, &data, &len, APR_BLOCK_READ);
1165
if (rv != APR_SUCCESS) {
1166
apr_brigade_destroy(bb);
1167
return HTTP_BAD_REQUEST;
1170
apr_brigade_cleanup(bb);
1171
} while (!seen_eos);
1176
/* Here we deal with getting the request message body from the client.
1177
* Whether or not the request contains a body is signaled by the presence
1178
* of a non-zero Content-Length or by a Transfer-Encoding: chunked.
1180
* Note that this is more complicated than it was in Apache 1.1 and prior
1181
* versions, because chunked support means that the module does less.
1183
* The proper procedure is this:
1185
* 1. Call ap_setup_client_block() near the beginning of the request
1186
* handler. This will set up all the necessary properties, and will
1187
* return either OK, or an error code. If the latter, the module should
1188
* return that error code. The second parameter selects the policy to
1189
* apply if the request message indicates a body, and how a chunked
1190
* transfer-coding should be interpreted. Choose one of
1192
* REQUEST_NO_BODY Send 413 error if message has any body
1193
* REQUEST_CHUNKED_ERROR Send 411 error if body without Content-Length
1194
* REQUEST_CHUNKED_DECHUNK If chunked, remove the chunks for me.
1195
* REQUEST_CHUNKED_PASS If chunked, pass the chunk headers with body.
1197
* In order to use the last two options, the caller MUST provide a buffer
1198
* large enough to hold a chunk-size line, including any extensions.
1200
* 2. When you are ready to read a body (if any), call ap_should_client_block().
1201
* This will tell the module whether or not to read input. If it is 0,
1202
* the module should assume that there is no message body to read.
1204
* 3. Finally, call ap_get_client_block in a loop. Pass it a buffer and its size.
1205
* It will put data into the buffer (not necessarily a full buffer), and
1206
* return the length of the input block. When it is done reading, it will
1207
* return 0 if EOF, or -1 if there was an error.
1208
* If an error occurs on input, we force an end to keepalive.
1210
* This step also sends a 100 Continue response to HTTP/1.1 clients if appropriate.
1213
AP_DECLARE(int) ap_setup_client_block(request_rec *r, int read_policy)
1215
const char *tenc = apr_table_get(r->headers_in, "Transfer-Encoding");
1216
const char *lenp = apr_table_get(r->headers_in, "Content-Length");
1218
r->read_body = read_policy;
1219
r->read_chunked = 0;
1223
if (strcasecmp(tenc, "chunked")) {
1224
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
1225
"Unknown Transfer-Encoding %s", tenc);
1226
return HTTP_NOT_IMPLEMENTED;
1228
if (r->read_body == REQUEST_CHUNKED_ERROR) {
1229
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
1230
"chunked Transfer-Encoding forbidden: %s", r->uri);
1231
return (lenp) ? HTTP_BAD_REQUEST : HTTP_LENGTH_REQUIRED;
1234
r->read_chunked = 1;
1239
if (apr_strtoff(&r->remaining, lenp, &endstr, 10)
1240
|| *endstr || r->remaining < 0) {
1242
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
1243
"Invalid Content-Length");
1244
return HTTP_BAD_REQUEST;
1248
if ((r->read_body == REQUEST_NO_BODY)
1249
&& (r->read_chunked || (r->remaining > 0))) {
1250
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
1251
"%s with body is not allowed for %s", r->method, r->uri);
1252
return HTTP_REQUEST_ENTITY_TOO_LARGE;
1257
/* Make sure ap_getline() didn't leave any droppings. */
1258
core_request_config *req_cfg =
1259
(core_request_config *)ap_get_module_config(r->request_config,
1261
AP_DEBUG_ASSERT(APR_BRIGADE_EMPTY(req_cfg->bb));
1268
AP_DECLARE(int) ap_should_client_block(request_rec *r)
1270
/* First check if we have already read the request body */
1272
if (r->read_length || (!r->read_chunked && (r->remaining <= 0))) {
1279
/* get_client_block is called in a loop to get the request message body.
1280
* This is quite simple if the client includes a content-length
1281
* (the normal case), but gets messy if the body is chunked. Note that
1282
* r->remaining is used to maintain state across calls and that
1283
* r->read_length is the total number of bytes given to the caller
1284
* across all invocations. It is messy because we have to be careful not
1285
* to read past the data provided by the client, since these reads block.
1286
* Returns 0 on End-of-body, -1 on error or premature chunk end.
1289
AP_DECLARE(long) ap_get_client_block(request_rec *r, char *buffer,
1293
apr_bucket_brigade *bb;
1295
if (r->remaining < 0 || (!r->read_chunked && r->remaining == 0)) {
1299
bb = apr_brigade_create(r->pool, r->connection->bucket_alloc);
1301
r->connection->keepalive = AP_CONN_CLOSE;
1305
rv = ap_get_brigade(r->input_filters, bb, AP_MODE_READBYTES,
1306
APR_BLOCK_READ, bufsiz);
1308
/* We lose the failure code here. This is why ap_get_client_block should
1311
if (rv != APR_SUCCESS) {
1312
/* if we actually fail here, we want to just return and
1313
* stop trying to read data from the client.
1315
r->connection->keepalive = AP_CONN_CLOSE;
1316
apr_brigade_destroy(bb);
1320
/* If this fails, it means that a filter is written incorrectly and that
1321
* it needs to learn how to properly handle APR_BLOCK_READ requests by
1322
* returning data when requested.
1324
AP_DEBUG_ASSERT(!APR_BRIGADE_EMPTY(bb));
1326
/* Check to see if EOS in the brigade.
1328
* If so, we have to leave a nugget for the *next* ap_get_client_block
1331
if (APR_BUCKET_IS_EOS(APR_BRIGADE_LAST(bb))) {
1332
if (r->read_chunked) {
1340
rv = apr_brigade_flatten(bb, buffer, &bufsiz);
1341
if (rv != APR_SUCCESS) {
1342
apr_brigade_destroy(bb);
1347
r->read_length += bufsiz;
1349
apr_brigade_destroy(bb);
1353
/* Filter to handle any error buckets on output */
1354
apr_status_t ap_http_outerror_filter(ap_filter_t *f,
1355
apr_bucket_brigade *b)
1357
request_rec *r = f->r;
1360
for (e = APR_BRIGADE_FIRST(b);
1361
e != APR_BRIGADE_SENTINEL(b);
1362
e = APR_BUCKET_NEXT(e))
1364
if (AP_BUCKET_IS_ERROR(e)) {
1366
* Start of error handling state tree. Just one condition
1369
if (((ap_bucket_error *)(e->data))->status == HTTP_BAD_GATEWAY) {
1370
/* stream aborted and we have not ended it yet */
1371
r->connection->keepalive = AP_CONN_CLOSE;
1376
return ap_pass_brigade(f->next, b);