Changeset 8ac7c0d in mod_gnutls for src

Timestamp:

Feb 11, 2016, 2:48:07 PM (3 years ago)

Author:

Thomas Klute <thomas2.klute@…>

Branches:

debian/master, debian/stretch-backports, jessie-backports, master, upstream

Children:

a038290

Parents:

7aeabcb

git-author:

Thomas Klute <thomas2.klute@…> (02/11/16 14:21:17)

git-committer:

Thomas Klute <thomas2.klute@…> (02/11/16 14:48:07)

Message:

Register "ssl_is_https" function for compatibility with mod_rewrite

mod_rewrite calls this function to fill its %{HTTPS} special variable,
and not providing it meant that conditions like

RewriteCond? "%{HTTPS}" "off"

would match HTTPS connections using mod_gnutls. When used to redirect
clients from HTTP to HTTPS connections, this could lead to redirection
loops as reported in Debian bug #514005 [1]. In addition to
registering the function this commit also adds a test chase that
checks if an HTTP to HTTPS redirection works.

[1] ​https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=514005

File:

• src/mod_gnutls.c (modified) (2 diffs)

src/mod_gnutls.c

@@ -69 +69 @@
     APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable);
     APR_REGISTER_OPTIONAL_FN(ssl_engine_disable);
-}
-
+
+    /* mod_rewrite calls this function to detect HTTPS */
+    APR_REGISTER_OPTIONAL_FN(ssl_is_https);
+}
+
+
+
+/*
+ * mod_rewrite calls this function to fill %{HTTPS}. A non-zero return
+ * value means that HTTPS is in use.
+ */
 int ssl_is_https(conn_rec *c)
 {
     mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
         ap_get_module_config(c->base_server->module_config, &gnutls_module);
-    if(sc->enabled == 0 || sc->non_ssl_request == 1) {
+    mgs_handle_t *ctxt = (mgs_handle_t *)
+        ap_get_module_config(c->conn_config, &gnutls_module);
+
+    if(sc->enabled == GNUTLS_ENABLED_FALSE
+       || ctxt == NULL
+       || ctxt->enabled == GNUTLS_ENABLED_FALSE)
+    {
         /* SSL/TLS Disabled or Plain HTTP Connection Detected */
         return 0;
@@ -82 +97 @@
     return 1;
 }
+
+
 
 int ssl_engine_disable(conn_rec *c)