sync with trunk before I start mucking in the waters themselvesapreq-integration

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/apreq-integration@725390 13f79535-47bb-0310-9956-ffa450edef68

6 files changed, 256 insertions, 15 deletions

diff --git a/docs/manual/mod/mod_heartbeat.xml b/docs/manual/mod/mod_heartbeat.xml
new file mode 100644
index 0000000000..3a488d0879
--- /dev/null
+++ b/docs/manual/mod/mod_heartbeat.xml
@@ -0,0 +1,47 @@
+<?xml version="1.0"?>
+<!DOCTYPE modulesynopsis SYSTEM "../style/modulesynopsis.dtd">
+<?xml-stylesheet type="text/xsl" href="../style/manual.en.xsl"?>
+<!-- $LastChangedRevision$ -->
+
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements.  See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License.  You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+
+<modulesynopsis metafile="mod_heartbeat.xml.meta">
+
+<name>mod_heartbeat</name>
+<description></description>
+<status>Extension</status>
+<sourcefile>mod_heartbeat.c</sourcefile>
+<identifier>heartbeat_module</identifier>
+<compatibility>Available in 2.3 and later</compatibility>
+
+<summary>
+    <note><!-- FIXME: -->This document is still under development.</note>
+</summary>
+
+<directivesynopsis>
+<name>HeartbeatAddress</name>
+<description>Address to send heartbeat requests</description>
+<syntax></syntax>
+<contextlist><context>server config</context></contextlist>
+
+<usage>
+    <note><!-- FIXME: -->This document is still under development.</note>
+</usage> 
+</directivesynopsis>
+
+</modulesynopsis>
diff --git a/docs/manual/mod/mod_heartmonitor.xml b/docs/manual/mod/mod_heartmonitor.xml
new file mode 100644
index 0000000000..a0c81ded66
--- /dev/null
+++ b/docs/manual/mod/mod_heartmonitor.xml
@@ -0,0 +1,59 @@
+<?xml version="1.0"?>
+<!DOCTYPE modulesynopsis SYSTEM "../style/modulesynopsis.dtd">
+<?xml-stylesheet type="text/xsl" href="../style/manual.en.xsl"?>
+<!-- $LastChangedRevision$ -->
+
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements.  See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License.  You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+
+<modulesynopsis metafile="mod_heartmonitor.xml.meta">
+
+<name>mod_heartmonitor</name>
+<description></description>
+<status>Extension</status>
+<sourcefile>mod_heartmonitor.c</sourcefile>
+<identifier>heartmonitor_module</identifier>
+<compatibility>Available in 2.3 and later</compatibility>
+
+<summary>
+    <note><!-- FIXME: -->This document is still under development.</note>
+</summary>
+
+<directivesynopsis>
+<name>HeartbeatListen</name>
+<description>Address to listen for heartbeat requests</description>
+<syntax></syntax>
+<contextlist><context>server config</context></contextlist>
+
+<usage>
+    <note><!-- FIXME: -->This document is still under development.</note>
+</usage> 
+</directivesynopsis>
+
+<directivesynopsis>
+<name>HeartbeatStorage</name>
+<description>Path to store heartbeat data</description>
+<syntax>HeartbeatStorage <var>file-path</var></syntax>
+<default>HeartbeatStorage logs/hb.dat</default>
+<contextlist><context>server config</context></contextlist>
+
+<usage>
+    <note><!-- FIXME: -->This document is still under development.</note>
+</usage> 
+</directivesynopsis>
+
+</modulesynopsis>
diff --git a/docs/manual/mod/mod_lbmethod_heartbeat.xml b/docs/manual/mod/mod_lbmethod_heartbeat.xml
new file mode 100644
index 0000000000..71eaf16624
--- /dev/null
+++ b/docs/manual/mod/mod_lbmethod_heartbeat.xml
@@ -0,0 +1,52 @@
+<?xml version="1.0"?>
+<!DOCTYPE modulesynopsis SYSTEM "../style/modulesynopsis.dtd">
+<?xml-stylesheet type="text/xsl" href="../style/manual.en.xsl"?>
+<!-- $LastChangedRevision$ -->
+
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements.  See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License.  You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+
+<modulesynopsis metafile="mod_lbmethod_heartbeat.xml.meta">
+
+<name>mod_lbmethod_heartbeat</name>
+<description><!-- FIXME: --> This document is still under development.</description>
+<status>Extension</status>
+<sourcefile>mod_lbmethod_heartbeat.c</sourcefile>
+<identifier>lbmethod_heartbeat_module</identifier>
+<compatibility>Available in version 2.3 and later</compatibility>
+
+<summary>
+    <note><!-- FIXME: --> This document is still under development.</note>
+</summary>
+<seealso><module>mod_proxy</module></seealso>
+<seealso><module>mod_proxy_balancer</module></seealso>
+<seealso><module>mod_heartbeat</module></seealso>
+<seealso><module>mod_heartmonitor</module></seealso>
+
+<directivesynopsis>
+<name>HeartbeatStorage</name>
+<description>Path to read heartbeat data</description>
+<syntax>HeartbeatStorage <var>file-path</var></syntax>
+<default>HeartbeatStorage logs/hb.dat</default>
+<contextlist><context>server config</context></contextlist>
+
+<usage>
+    <note><!-- FIXME: -->This document is still under development.</note>
+</usage> 
+</directivesynopsis>
+
+</modulesynopsis>
diff --git a/docs/manual/mod/mod_negotiation.xml.ja b/docs/manual/mod/mod_negotiation.xml.ja
index 56a50d93a0..8340670c38 100644
--- a/docs/manual/mod/mod_negotiation.xml.ja
+++ b/docs/manual/mod/mod_negotiation.xml.ja
@@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="UTF-8" ?>
 <!DOCTYPE modulesynopsis SYSTEM "../style/modulesynopsis.dtd">
 <?xml-stylesheet type="text/xsl" href="../style/manual.ja.xsl"?>
-<!-- English Revision: 151408:420990 (outdated) -->
+<!-- English Revision: 420990 -->
 
 <!--
  Licensed to the Apache Software Foundation (ASF) under one or more
@@ -84,8 +84,8 @@
       このヘッダがない場合、ファイルの実際の長さが使用されます。</dd>
 
       <dt><code>Content-Type:</code></dt>
-      <dd>ドキュメントの MIME
-      メディアタイプ、オプショナルなパラメータ付き。パラメータの構文は
+      <dd>ドキュメントの <glossary ref="mime-type">MIME
+      メディアタイプ</glossary>、オプショナルなパラメータ付き。パラメータの構文は
       <code>name=value</code>
       で、メディアタイプや他のパラメータとはセミコロンで分離されます。
       共通のパラメータは以下のとおり:
diff --git a/docs/manual/mod/mod_privileges.xml b/docs/manual/mod/mod_privileges.xml
index b6d141d30d..f63fb07573 100644
--- a/docs/manual/mod/mod_privileges.xml
+++ b/docs/manual/mod/mod_privileges.xml
@@ -58,6 +58,92 @@ separation is an issue.</p>
 
 </summary>
 
+<section id="security"><title>Security Considerations</title>
+<p>There are three principal security concerns with mod_privileges:</p>
+<ul><li>Running as a system user introduces the same security issues
+    as mod_suexec, and near-equivalents such as cgiwrap and suphp.</li>
+<li>A privileges-aware malicious user extension (module or script)
+    could escalate its privileges to anything available to the
+    httpd process in any virtual host.</li>
+<li>A privileges-aware malicious user extension (module or script)
+    could escalate privileges to set its user ID to another
+    system user (and/or group).</li>
+</ul>
+
+<p>The first is amply discussed in the suexec page and elsewhere, and
+doesn't need repeating here.  The second and third boil down to one
+principle: ensure no untrusted privileges-aware code can be loaded.
+</p>
+
+<p>There are several ways privileges-aware code could be loaded into Apache:</p>
+<ul>
+<li>within the base system (e.g. mod_privileges itself if statically linked).</li>
+<li>Loaded at startup using a LoadModule or LoadFile directive.</li>
+<li>Loaded at startup indirectly by an application module such as mod_php.</li>
+<li>Loaded at runtime by an application module or script.</li>
+</ul>
+
+<p>What gets loaded at startup is under the control of the sysop, and
+relatively easy to deal with.  A tool will be provided to audit your
+installation.  That leaves code loaded in the course of processing a
+request as the threat.  There is unfortunately no generic way apache
+can control what a script running under an application module can load,
+so you should use the security provided by your scripting module
+and language.</p>
+
+<section><title>Security with mod_php</title>
+
+<p>There is no known PHP extension supporting Solaris privileges, so it
+is unlikely that a script could escalate privileges unless it can
+load external (non-PHP) privileges-aware code.  However, you should
+nevertheless audit your mod_php installation.</p>
+
+<p>To prevent scripts loading privileges-aware code, PHP's dl() function
+should be disabled.  This is automatic in safe mode.</p>
+
+</section>
+
+<section><title>Security with mod_perl</title>
+
+<p>Perl has an extension Sun::Solaris::Privileges that exposes the privileges
+API to scripts.  You should ensure this extension is NOT installed if you
+have untrusted users.</p>
+
+<p>You will also need to ensure that your users cannot load shared objects
+(including PerlXS) from their own user directories, or that if this is
+enabled, the entire user-space must be carefully audited.</p>
+</section>
+
+<section><title>Security with mod_python</title>
+
+<p>There is no known Python extension supporting Solaris privileges, so it
+is unlikely that a script could escalate privileges unless it can
+load external (non-Python) privileges-aware code.  However, you should
+nevertheless audit your mod_ruby installation.</p>
+
+<p>*** What are the issues of Python loading a shared object?</p>
+</section>
+
+<section><title>Security with mod_ruby</title>
+
+<p>There is no known Ruby extension supporting Solaris privileges, so it
+is unlikely that a script could escalate privileges unless it can
+load external (non-Ruby) privileges-aware code.  However, you should
+nevertheless audit your mod_ruby installation.</p>
+
+<p>*** What are the issues of Ruby loading a shared object?</p>
+</section>
+
+<section><title>Security with Lua/mod_wombat</title>
+
+<p>???</p>
+</section>
+<section><title>Security with scripts</title>
+<p>The security issues of mod_privileges do not affect scripts such as
+traditional CGI, which run in a separate process.  That includes
+PHP, Perl, Python, Ruby, etc, run out-of-process.</p>
+</section>
+</section>
 <directivesynopsis>
 <name>VHostUser</name>
 <description>Sets the User ID under which a virtual host runs.</description>
diff --git a/modules/http/http_request.c b/modules/http/http_request.c
index fed313bee9..4da05d2ba0 100644
--- a/modules/http/http_request.c
+++ b/modules/http/http_request.c
@@ -518,6 +518,15 @@ AP_DECLARE(void) ap_internal_fast_redirect(request_rec *rr, request_rec *r)
     r->output_filters = rr->output_filters;
     r->input_filters = rr->input_filters;
 
+    /* If any filters pointed at the now-defunct rr, we must point them
+     * at our "new" instance of r.  In particular, some of rr's structures
+     * will now be bogus (say rr->headers_out).  If a filter tried to modify
+     * their f->r structure when it is pointing to rr, the real request_rec
+     * will not get updated.  Fix that here.
+     */
+    update_r_in_filters(r->input_filters, rr, r);
+    update_r_in_filters(r->output_filters, rr, r);
+
     if (r->main) {
         ap_add_output_filter_handle(ap_subreq_core_filter_handle,
                                     NULL, r, r->connection);
@@ -541,20 +550,8 @@ AP_DECLARE(void) ap_internal_fast_redirect(request_rec *rr, request_rec *r)
         }
         if (next && (next->frec == ap_subreq_core_filter_handle)) {
             ap_remove_output_filter(next);
-            if (next == r->output_filters) {
-                r->output_filters = r->output_filters->next;
-            }
         }
     }
-
-    /* If any filters pointed at the now-defunct rr, we must point them
-     * at our "new" instance of r.  In particular, some of rr's structures
-     * will now be bogus (say rr->headers_out).  If a filter tried to modify
-     * their f->r structure when it is pointing to rr, the real request_rec
-     * will not get updated.  Fix that here.
-     */
-    update_r_in_filters(r->input_filters, rr, r);
-    update_r_in_filters(r->output_filters, rr, r);
 }
 
 AP_DECLARE(void) ap_internal_redirect(const char *new_uri, request_rec *r)