- May 01, 2015
-
-
Jim Jagielski authored
If a directory exists but no indexes can be resolved, the fallback resource should be attempted first before giving up. Submitted By: Jack <tjerk.meesters gmail.com> , covener Committed By: covener Submitted by: covener Reviewed/backported by: jim git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1677186 13f79535-47bb-0310-9956-ffa450edef68
-
- Apr 26, 2015
-
-
Kaspar Brand authored
Add support for extracting subjectAltName entries of type rfc822Name and dNSName into SSL_{CLIENT,SERVER}_SAN_{Email,DNS}_n variables. * docs/manual/mod/mod_ssl.xml: add SSL_*_SAN_*_n entries to the environment variables table * modules/ssl/ssl_engine_kernel.c: in ssl_hook_Fixup, add extraction of subjectAltName entries for the "StdEnvVars" case * modules/ssl/ssl_engine_vars.c: add support for retrieving the SSL_{CLIENT,SERVER}_SAN_{Email,DNS}_n variables, either with individual on-demand lookup (ssl_var_lookup_ssl_cert_san), or with full-list extraction to the environment ("StdEnvVars") * modules/ssl/ssl_private.h: add modssl_var_extract_san_entries prototype * modules/ssl/ssl_util_ssl.c: implement SSL_X509_getSAN and SSL_ASN1_STRING_to_utf8 helper functions, with factoring out common code from SSL_X509_getIDs and SSL_X509_NAME_ENTRY_to_string where suitable. Limit SSL_X509_getSAN to the two most common subjectAltName entry types appearing in user or server certificates (i.e., rfc822Name and dNSName), for the time being. * modules/ssl/ssl_util_ssl.h: add SSL_ASN1_STRING_to_utf8 and SSL_X509_getSAN prototypes Proposed by: kbrand Reviewed by: ylavic, druggeri git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1676087 13f79535-47bb-0310-9956-ffa450edef68
-
- Apr 20, 2015
-
-
Jim Jagielski authored
mpm_event: Allow for timer events duplicates. Meanwhile ap[r]_skiplist_add()... mpm_event: follow up to r1666468. We only need one compare function for add semantic with apr_skiplist_insert() and unique timers (pointers). It also should work with apr_skiplist_remove() and apr_skiplist_find(), be they used some day. mpm_event: follow up to r1666468 and r1666618. We don't need to return 0 in the compare function, but for debugging purpose which we could implement later if necessary (in a separate function). For now, keep the function simple as in 2.4.x to ease backport, and add a comment about why we never return 0 here. Submitted by: ylavic Reviewed/backported by: jim git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1674921 13f79535-47bb-0310-9956-ffa450edef68
-
- Apr 19, 2015
-
-
Rainer Jung authored
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1674670 13f79535-47bb-0310-9956-ffa450edef68
-
Rainer Jung authored
move CHANGES entries to correct version. Use "mod_ssl" instead of "ssl". git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1674667 13f79535-47bb-0310-9956-ffa450edef68
-
Jim Jagielski authored
mod_proxy_wstunnel: Bypass the handler while the connection is not upgraded to WebSocket, so that other modules can possibly take over the leading HTTP requests. Submitted by: ylavic Reviewed/backported by: jim git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1674661 13f79535-47bb-0310-9956-ffa450edef68
-
Jim Jagielski authored
* Fix If-Match handling: - We need to fail if we do NOT match. - ETag comparison only makes sense if we have an ETag PR: 57358 Submitted by: Kunihiko Sakamoto <ksakamoto google.com> Reviewed by: rpluem Submitted by: rpluem Reviewed/backported by: jim git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1674658 13f79535-47bb-0310-9956-ffa450edef68
-
Jim Jagielski authored
Add a warning if protocol given in SSLProtocol or SSLProxyProtocol will override other parameters given in the same directive. This could be a missing + or - prefix. PR 52820 Tweak log message Add CHANGES entry before backport proposal Follow-up to r1520445: Tweak error message for clarity Submitted by: jailletc36, trawick Reviewed/backported by: jim git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1674655 13f79535-47bb-0310-9956-ffa450edef68
-
- Apr 16, 2015
-
-
Jeff Trawick authored
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1674048 13f79535-47bb-0310-9956-ffa450edef68
-
- Apr 15, 2015
-
-
Eric Covener authored
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1673942 13f79535-47bb-0310-9956-ffa450edef68
-
Eric Covener authored
* Use the correct server name for SNI in case the backend SSL connection itself is established via a proxy server. PR: 57139 Submitted by: Szabolcs Gyurko <szabolcs gyurko.org> git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1673941 13f79535-47bb-0310-9956-ffa450edef68
-
Eric Covener authored
ssl_util: Fix possible crash (free => OPENSSL_free) and error path leaks when checking the server certificate constraints (SSL_X509_getBC()). git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1673940 13f79535-47bb-0310-9956-ffa450edef68
-
Eric Covener authored
PR 57379: If mod_cgi and mod_cgid get installed, use IfModule for MPM to LoadModule mod_cgi for prefork and mod_cgid for all other MPMs. Previously when combined with --enable-load-all-modules both modules were loaded and it was undefined which one actually handled cgi requests. Based on a patch by olli hauer <ohauer gmx.de>. Addition to r1652955: Use "=" in combination with "test" instead of "==". Fix indentation and tab use after r1652955. Submitted By: olli hauer <ohauer gmx.de> Reviewed By: rjung, ylavic, covener git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1673909 13f79535-47bb-0310-9956-ffa450edef68
-
Eric Covener authored
allow time to first byte (of response headers) to be logged by mod_logio. mod_logio was just a convenient place to do this w/o writing a new filter or complicating an existing important one. Use 'unsigned int' in bitfield git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1673904 13f79535-47bb-0310-9956-ffa450edef68
-
Eric Covener authored
*) mod_proxy_wstunnel: Avoid an empty response by failing with 502 (Bad Gateway) when no response is ever received from the backend. Submitted By: jkaluza Reviewed By: covener, ylavic, trawick git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1673902 13f79535-47bb-0310-9956-ffa450edef68
-
Jeff Trawick authored
mod_ssl: Protect ENGINE_CTRL_CHIL_SET_FORKCHECK macro with a feature check for libressl. Submitted by: Stuart Henderson <sthen openbsd.org> Reviewed by: covener, trawick, ylavic git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1673900 13f79535-47bb-0310-9956-ffa450edef68
-
Jeff Trawick authored
backends not recycling connections (disablereuse), including the default reverse and forward proxies. Submitted by: ylavic (and trawick for an old helper function) Reviewed by: rjung, covener git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1673896 13f79535-47bb-0310-9956-ffa450edef68
-
Jeff Trawick authored
mod_buffer: Forward flushed input data immediately and avoid (unlikely) access to freed memory. Submitted by: ylavic, jailletc36 Reviewed by: covener, rjung git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1673871 13f79535-47bb-0310-9956-ffa450edef68
-
Jeff Trawick authored
core: Add CGIPassAuth directive to control whether HTTP authorization headers are passed to scripts as CGI variables. PR: 56855 Reviewed by: rjung, ylavic git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1673860 13f79535-47bb-0310-9956-ffa450edef68
-
- Apr 07, 2015
-
-
Joe Orton authored
Credit to guy who rediscovered, fixed, committed & merged: 100% git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1671786 13f79535-47bb-0310-9956-ffa450edef68
-
- Apr 05, 2015
-
-
Yann Ylavic authored
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1671417 13f79535-47bb-0310-9956-ffa450edef68
-
- Mar 31, 2015
-
-
Jim Jagielski authored
core_filters: restore/disable TCP_NOPUSH option after non-blocking sendfile. CHANGES: follow up to r1669289. Submitted by: ylavic Reviewed/backported by: jim git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1670328 13f79535-47bb-0310-9956-ffa450edef68
-
Jim Jagielski authored
core: If explicitly configured, use the KeepaliveTimeout value of the virtual host which handled the latest request on the connection, or by default the one of the first virtual host bound to the same IP:port. For non-async MPMs, use either r->server's or c->base_server's value in ap_process_http_sync_connection() depending on a new server_rec's flag called keep_alive_timeout_set and determined at config time. For event MPM, use a queue per timeout value, chaining the queues per type (keepalive wrt KeepAliveTimeout, write completion wrt to Timeout) so that maintenance can be done on all the queues from the head, and such that insertions/maintenance remain in O(1). A server config is created and pointing to the queue of each vhost at post_config time, hence the config can be associated to the connection state (cs) at post_read_request time (keep_alive_timeout_set is used to determine r->server vs c->base_server here), and we can simply insert with TO_QUEUE_INSERT(cs->sc->q, cs). PR56226. While at it, since each queue now embeds its own timeout and hence the expiration_time of the cs has changed to a queue_timestamp (the time it was queued), we can detect clock skews and expire entries immediately if the system is set (eg. far) in the past during runtime and we want to avoid waiting for (eg.) centuries before the current logic kills them. Any entry which is registered above now + q->timeout is concerned, and is now cleaned from the queue when encountered. PR57374. core: Follow up to r1664071: comments on new keep_alive_timeout_set flag. Submitted by: ylavic Reviewed/backported by: jim git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1670326 13f79535-47bb-0310-9956-ffa450edef68
-
Jim Jagielski authored
core: Initialize scoreboard's used optional functions on graceful restarts to avoid a crash when relocation occurs. PR 57177. core: follow up to r1668532: CHANGES entry. core: follow up to r1668532: always initialize optional_fn pointers in ap_create_scoreboard(). Submitted by: ylavic Reviewed/backported by: jim git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1670325 13f79535-47bb-0310-9956-ffa450edef68
-
Jim Jagielski authored
mod_proxy_connect/wstunnel: If both client and backend sides get readable at the same time, don't lose errors occurring while forwarding on the first side when none occurs next on the other side, and abort. CHANGES: Follow up to r1657636, clarify message. mod_proxy_{connect,wstunnel}: follow up to r1657636. Since rv is not used as an apr_status_t in the loop (its logging is done by proxy_{connect,wstunnel}_transfer() when necessary/relevant), use a boolean instead to avoid the ugly ORs between APR error codes. Submitted by: ylavic Reviewed/backported by: jim git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1670324 13f79535-47bb-0310-9956-ffa450edef68
-
Jim Jagielski authored
core: Add expression support to ErrorDocument. Switch from a fixed sized 664 byte array per merge to a hash table. Submitted by: minfrin Reviewed/backported by: jim git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1670320 13f79535-47bb-0310-9956-ffa450edef68
-
Jim Jagielski authored
Avoid a potential integer underflow in the lock timeout value sent back to a client. The answer to a LOCK request could be an extremely large integer if the time needed to lock the resource was longer than the requested timeout given in the LOCK request. In such a case, we now answer "Second-0". PR55420 Submitted by: jailletc36 Reviewed/backported by: jim git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1670319 13f79535-47bb-0310-9956-ffa450edef68
-
- Mar 27, 2015
-
-
Jim Jagielski authored
Retry ENOENT like ECONNREFUSED, but only near a server restart. PR57685 Submitted By: Edward Lu Committed By: covener Submitted by: covener Reviewed/backported by: jim git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1669559 13f79535-47bb-0310-9956-ffa450edef68
-
Jim Jagielski authored
mod_proxy_http: Don't expect the backend to ack the "Connection: close" to finally close those not meant to be kept alive by SetEnv proxy-nokeepalive or force-proxy-request-1.0, and respond with 502 instead of 400 if its Connection header is invalid. Submitted by: ylavic Reviewed/backported by: jim git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1669558 13f79535-47bb-0310-9956-ffa450edef68
-
Jim Jagielski authored
mod_proxy: use the original (non absolute) form of the request-line's URI for requests embedded in CONNECT payloads used to connect SSL backends via a ProxyRemote forward-proxy. PR 55892. Submitted by: Hendrik Harms <hendrik.harms gmail com> Reviewed by: wrowe, ylavic Committed by: ylavic mod_proxy: follow up to r1665215: CHANGES entry. Submitted by: ylavic Reviewed/backported by: jim git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1669556 13f79535-47bb-0310-9956-ffa450edef68
-
Jim Jagielski authored
A misplaced check for inflation limits prevented limiting relatively small inputs. PR56872 Submitted By: Edward Lu Committed By: covener mod_deflate: follow up to r1619383. deflate_in_filter(): - use inflated bytes per inflate() call to compute the total output bytes, - check zlib errors before limits, - add missing check_ratio() when asked to flush. deflate_out_filter(): - check ratio after each inflate() call. mod_deflate: follow up to r1619383 and r1619444: CHANGES entry. CHANGES: follow up to r1662245: Add PR number. Submitted by: covener, ylavic, ylavic, ylavic Reviewed/backported by: jim git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1669555 13f79535-47bb-0310-9956-ffa450edef68
-
- Mar 24, 2015
-
-
Eric Covener authored
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1668880 13f79535-47bb-0310-9956-ffa450edef68
-
Eric Covener authored
*) SECURITY: CVE-2015-0253 (cve.mitre.org) core: Fix a crash with ErrorDocument 400 pointing to a local URL-path with the INCLUDES filter active, introduced in 2.4.11. PR 57531. [Yann Ylavic] Submitted By: ylavic Committed By: covener git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1668879 13f79535-47bb-0310-9956-ffa450edef68
-
Eric Covener authored
Remove some instances where a RewriteBase must be specified Previously, any time you used a relative substitution in per-directory/htaccess context, you needed to specify a RewriteBase. But in case where the context document root and context prefix are known via e.g. mod_userdir or mod_alias, and the substitution is under the context document root, we can determine the replacement automatically. This makes htaccess files or config snippets a bit more portable. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1668870 13f79535-47bb-0310-9956-ffa450edef68
-
- Mar 05, 2015
-
-
Jim Jagielski authored
mpm_event: follow up to r1538490, r1545736, r1604350, r1639614 and r1642868. Clear and restore sbh in notify_suspend() and notify_resume() respectively. Submitted by: ylavic Reviewed/backported by: jim git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1664365 13f79535-47bb-0310-9956-ffa450edef68
-
Jim Jagielski authored
mod_ssl: Add the SSL_CLIENT_CERT_RFC4523_CEA variable, which provides a combination of certificate serialNumber and issuer as defined by CertificateExactMatch in RFC4523. Submitted by: minfrin Reviewed/backported by: jim git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1664363 13f79535-47bb-0310-9956-ffa450edef68
-
- Mar 04, 2015
-
-
Eric Covener authored
*) SECURITY: CVE-2015-0228 (cve.mitre.org) mod_lua: A maliciously crafted websockets PING after a script calls r:wsupgrade() can cause a child process crash. [Edward Lu <Chaosed0 gmail.com>] Discovered by Guido Vranken <guidovranken gmail.com> Submitted by: Edward Lu Committed by: covener git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1664118 13f79535-47bb-0310-9956-ffa450edef68
-
Eric Covener authored
Fix bit-shifting of websockets frame fields that would yield wrong opcodes when the FIN bit was set. Results in PING not being recognized by mod_lua. PR57524 Submitted By: Edward Lu Committed By: covener git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1664117 13f79535-47bb-0310-9956-ffa450edef68
-
- Mar 02, 2015
-
-
http://svn.apache.org/r1661913 Graham Leggett authored
ab: Add missing longest request (100%) to CSV export. PR57614. Submitted by: ylavic Reviewed by: covener, minfrin git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1663405 13f79535-47bb-0310-9956-ffa450edef68
-
Jim Jagielski authored
mod_macro: Clear macros before initialization to avoid use-after-free on startup or restart when the module is linked statically. PR 57525 Submitted by: apache.org tech.futurequest.net Committed by: Yann Ylavic Submitted by: ylavic Reviewed/backported by: jim git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1663260 13f79535-47bb-0310-9956-ffa450edef68
-