- Apr 18, 2014
-
-
Jim Jagielski authored
Also clear the error queue before calling SSL_CTX_use_certificate[_chain]_file (workaround for OpenSSL versions before 0.9.8h, see https://rt.openssl.org/Ticket/Display.html?user=guest&pass=guest&id=1513). PR 56410. Submitted by: kbrand Reviewed/backported by: jim git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1588496 13f79535-47bb-0310-9956-ffa450edef68
-
Jim Jagielski authored
*) mod_proxy_wstunnel: Don't pool backend websockets connections, because we need to handshake every time. PR 55890. [Eric Covener] actually remove mod_reqtimeout, since the util_filter functions involved only manipulate c->input_filters no matter what we pass. We need to make copies of c->input_filters after, not before, it skips over reqtimeout. Note: reqtimeout doesn't really interfere today with normal operation, but this is misleading/confusing when dealing with other wstunnel issues. cleanup wstunnel error handling Submitted By: covener, ylavic, Edward Lu Commited By: covener followup to r1587036. if backend->close is set too early, proxy_util.c will close it right away and then blow away the field. Submitted by: covener Reviewed/backported by: jim git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1588495 13f79535-47bb-0310-9956-ffa450edef68
-
Kaspar Brand authored
Bring SNI behavior into better conformance with RFC 6066: - no longer send a warning-level unrecognized_name(112) alert when no matching vhost is found (PR 56241) - at startup, only issue warnings about IP/port conflicts and name-based SSL vhosts when running with an OpenSSL without TLS extension support (almost 5 years after SNI was added to 2.2.x, the "[...] only work for clients with TLS server name indication support" warning feels obsolete) Proposed by: kbrand Reviewed by: jorton, ylavic git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1588424 13f79535-47bb-0310-9956-ffa450edef68
-
- Apr 17, 2014
-
-
Christophe Jaillet authored
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1588356 13f79535-47bb-0310-9956-ffa450edef68
-
Jim Jagielski authored
mod_auth_form: Make sure the optional functions are loaded even when the AuthFormProvider isn't specified. Submitted by: minfrin Reviewed/backported by: jim git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1588247 13f79535-47bb-0310-9956-ffa450edef68
-
Jim Jagielski authored
Only read "active" values from the key_files array. PR 56306. Submitted by: kbrand Reviewed/backported by: jim git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1588246 13f79535-47bb-0310-9956-ffa450edef68
-
Jim Jagielski authored
Reverse the order when merging global and vhost-level config arrays. Putting the vhost-level elements last allows overriding global settings (for the deprecated SSLRequire directive, the order is irrelevant, all of them must be met, cf. ssl_engine_kernel.c:ssl_hook_Access). Submitted by: kbrand Reviewed/backported by: jim git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1588245 13f79535-47bb-0310-9956-ffa450edef68
-
Jim Jagielski authored
If the "value" argument is prefixed with expr=, parse it with ap_expr rather than mod_headers' built-in format strings. Submitted by: covener Reviewed/backported by: jim git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1588244 13f79535-47bb-0310-9956-ffa450edef68
-
Joe Orton authored
* support/rotatelogs.c (main): Prevent creation of zombies from post-rotate programs. Reviewed by: druggeri, ylavic, covener git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1588175 13f79535-47bb-0310-9956-ffa450edef68
-
- Apr 16, 2014
-
-
Jeff Trawick authored
Merged /httpd/httpd/trunk:r1515403,1515411,1515420,1517175,1521909,1526647,1541181,1578762,1585054,1585072,1588054 mod_authnz_fcgi: New module to enable FastCGI authorizer applications to authenticate and/or authorize clients. Submitted by: trawick, jailletc36, gsmith Approved by: trawick, jim, gsmith (Thanks gsmith for the Windows build bits!) git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1588064 13f79535-47bb-0310-9956-ffa450edef68
-
- Apr 15, 2014
-
-
Jim Jagielski authored
* Do not parse URL in case of regular expression as they likely do not follow the URL syntax. PR: 56074 Submitted by: rpluem Reviewed/backported by: jim git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1587699 13f79535-47bb-0310-9956-ffa450edef68
-
Jim Jagielski authored
mod_reqtimeout: Resolve unexpected timeouts on keepalive requests under the Event MPM. PR56216. Submitted By: Frank Meier <frank meier ergon ch> Committed By: covener Submitted by: covener Reviewed/backported by: jim git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1587697 13f79535-47bb-0310-9956-ffa450edef68
-
Jim Jagielski authored
Add suspend_connection and resume_connection hooks to notify modules when the thread/connection relationship changes. (Currently implemented only for the Event MPM; should be implemented for all async MPMs.) follow-up to r1546759: remove an inadvertently committed testcase Submitted by: trawick Reviewed/backported by: jim git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1587695 13f79535-47bb-0310-9956-ffa450edef68
-
Jim Jagielski authored
mod_proxy_fcgi: Fix sending of response without some HTTP headers that might be set by filters. The problem occurs when no body bytes were read while reading the response headers, resulting in an empty brigade being sent down the filter stack. One particualr filter that mishandles the empty initial brigade is mod_deflate. It neglects to add to the response header fields. PR: 55558 Submitted by: Jim Riggs <jim riggs.me> Reviewed by: trawick Submitted by: trawick Reviewed/backported by: jim git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1587694 13f79535-47bb-0310-9956-ffa450edef68
-
Jim Jagielski authored
Do not delete the wrong data from HTML code when a "http-equiv" meta tag specifies a Content-Type behind any other "http-equiv" meta tag. PR 56287 [Micha Lenk <micha lenk info>] Submitted by: jailletc36 Reviewed/backported by: jim git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1587693 13f79535-47bb-0310-9956-ffa450edef68
-
- Apr 03, 2014
-
-
Yann Ylavic authored
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1584443 13f79535-47bb-0310-9956-ffa450edef68
-
- Mar 31, 2014
-
-
Jeff Trawick authored
with proxy under the 2.4.8 section it had already been added the the proper (2.4.7) section git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1583378 13f79535-47bb-0310-9956-ffa450edef68
-
- Mar 29, 2014
-
-
Daniel Gruno authored
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1582968 13f79535-47bb-0310-9956-ffa450edef68
-
- Mar 27, 2014
-
-
Daniel Gruno authored
mod_lua: Prevent HTTP Response Splitting by not allowing tables in the request_rec to be set with values containing newlines. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1582264 13f79535-47bb-0310-9956-ffa450edef68
-
Daniel Gruno authored
mod_lua: escape key/value pairs when setting cookies to prevent header splitting with tainted cookies. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1582255 13f79535-47bb-0310-9956-ffa450edef68
-
Daniel Gruno authored
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1582251 13f79535-47bb-0310-9956-ffa450edef68
-
- Mar 18, 2014
-
-
Daniel Gruno authored
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1578965 13f79535-47bb-0310-9956-ffa450edef68
-
Daniel Gruno authored
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1578964 13f79535-47bb-0310-9956-ffa450edef68
-
- Mar 13, 2014
-
-
Jim Jagielski authored
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1577237 13f79535-47bb-0310-9956-ffa450edef68
-
Daniel Gruno authored
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1577218 13f79535-47bb-0310-9956-ffa450edef68
-
Jim Jagielski authored
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1577157 13f79535-47bb-0310-9956-ffa450edef68
-
Jim Jagielski authored
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1577146 13f79535-47bb-0310-9956-ffa450edef68
-
Daniel Gruno authored
for LuaMapHandler. This fixes a bug where FallbackResource invalidates the LuaMapHandler directive in certain cases by changing the URI before the map handler code executes [Daniel Gruno]. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1577145 13f79535-47bb-0310-9956-ffa450edef68
-
Jim Jagielski authored
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1577139 13f79535-47bb-0310-9956-ffa450edef68
-
- Mar 11, 2014
-
-
Jeff Trawick authored
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1576466 13f79535-47bb-0310-9956-ffa450edef68
-
Jim Jagielski authored
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1576408 13f79535-47bb-0310-9956-ffa450edef68
-
Jim Jagielski authored
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1576403 13f79535-47bb-0310-9956-ffa450edef68
-
- Mar 10, 2014
-
-
Jim Jagielski authored
Update rationale draft-ietf-httpbis-p1-messaging-23 fixes regarding interactions between TE and content-length in the same req/resp. PR 55616 (add missing APLOGNO), part 1 Wrap at 80 still, here at httpd project Use a distinguishing APLOGNO for unk t-e with read-until-close behavior Submitted by: jim, kbrand, wrowe, wrowe Reviewed/backported by: jim git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1575934 13f79535-47bb-0310-9956-ffa450edef68
-
Jim Jagielski authored
CVE-2014-0098 (reported by Rainer Canavan <rainer-apache 7val com>) Segfaults w/ truncated cookie logging. Clean up the cookie logging parser to recognize only the cookie=value pairs, not valueless cookies. This refactors multiple passes over the same string buffer into a single pass parser. Submitted by: wrowe Reviewed by: rpluem, jim Submitted by: wrowe Reviewed/backported by: jim git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1575904 13f79535-47bb-0310-9956-ffa450edef68
-
- Mar 03, 2014
-
-
Eric Covener authored
restore http://svn.apache.org/viewvc?view=revision&revision=233369 under a configurable option: don't run mod_dir if r->handler is already set. Backported by: covner Reviewed By: jim, ylavic git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1573580 13f79535-47bb-0310-9956-ffa450edef68
-
- Mar 02, 2014
-
-
Jim Jagielski authored
* Do not perform SNI / Host header comparison in case of a forward proxy request as in case of a forward proxy request the host header can not be used for virtual host selection in our webserver. * Update comment. No functional change. * Put a note in CHANGES about r1553204 Submitted by: rpluem Reviewed/backported by: jim git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1573362 13f79535-47bb-0310-9956-ffa450edef68
-
Jim Jagielski authored
Throw away the myCtxVar{Set,Get} abomination and introduce a pphrase_cb_arg_t struct instead, for passing stuff between ssl_pphrase_Handle and ssl_pphrase_Handle_CB. Prefer struct members instead of using additional local variables, to make the data flow more transparent. (Doesn't "vastly simplify" the code yet, but hopefully we'll get there when further stripping down ssl_pphrase_Handle.) Remove the hardcoded algorithm-type dependency for the SSLCertificateFile and SSLCertificateKeyFile directives, and deprecate SSLCertificateChainFile Splitting the patch into smaller pieces turned out to be infeasible, unfortunately, due to the heavily intertwined code in ssl_engine_config.c, ssl_engine_init.c and ssl_engine_pphrase.c, which all depends on the modssl_pk_server_t data structure. For better comprehensibility, a detailed listing of the changes follows: ssl_private.h - drop the X509 certs and EVP_PKEY keys arrays from modssl_pk_server_t - use apr_array_header_t for cert_files and key_files - drop tPublicCert from SSLModConfigRec - drop the ssl_algo_t struct and the SSL_ALGO_* and SSL_AIDX_* constants ssl_engine_config.c - change to apr_array_header_t for SSLCertificate[Key]File - drop ssl_cmd_check_aidx_max, i.e. allow an arbitrary number of certs and keys (in theory; currently OpenSSL does not support more than one cert/key per algorithm type) - add deprecation warning for SSLCertificateChainFile ssl_engine_init.c - configure server certs/keys in ssl_init_server_certs (no longer via ssl_pphrase_Handle in ssl_init_Module) - in ssl_init_server_certs, read in certificates and keys with standard OpenSSL API functions (SSL_CTX_use_*_file), and only fall back to ssl_load_encrypted_pkey when encountering an encrypted private key - drop ssl_server_import_cert, ssl_server_import_key, ssl_init_server_check, and ssl_init_ctx_cleanup_server - move the "problematic re-initialization" check to ssl_init_server_ctx ssl_engine_pphrase.c - use servername:port:index as the key identifier, instead of the previously used servername:port:algorithm - ssl_pphrase_Handle overhaul: remove all cert/public-key handling, make it only load a single (encrypted) private key, and rename to ssl_load_encrypted_pkey - in the passphrase prompt message, show the private key file name instead of the vhost id and the algorithm name - do no longer supply the algorithm name as an argument to "exec"-type passphrase prompting programs ssl_util.c - drop ssl_util_algotypeof, ssl_util_algotypestr, ssl_asn1_keystr, and ssl_asn1_table_keyfmt ssl_util_ssl.{c,h} - drop SSL_read_X509 - constify the filename arg for SSL_read_PrivateKey CodeWarrior compiler doesnt allow vars as struct inits. Remove per-certificate chain handling code (obsoleted by https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b9fa413a08d436d6b522749b5e808fcd931fd943) make the ppcb_arg initialization a bit more uniform and easier to read Followup fix for r1553824: also pass the file name to ssl_load_encrypted_pkey, to make sure that we retry with the same filename we used for SSL_CTX_use_PrivateKey_file first With OpenSSL 1.0.2 or later, enable OCSP stapling in a loop based on SSL_CTX_set_current_cert(), near the end of ssl_init_server_ctx. update APLOGNO for r1564760 Submitted by: kbrand, fuankg, kbrand, kbrand, kbrand, kbrand, kbrand Reviewed/backported by: jim git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1573360 13f79535-47bb-0310-9956-ffa450edef68
-
- Feb 21, 2014
-
-
Jim Jagielski authored
*) mod_rewrite: Add RewriteOptions InheritDown, InheritDownBefore, and IgnoreInherit to allow RewriteRules to be pushed from parent scopes to child scopes without explicitly configuring each child scope. PR56153. Submitted By: Edward Lu Committed By: covener Submitted by: covener Reviewed/backported by: jim git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1570684 13f79535-47bb-0310-9956-ffa450edef68
-
Daniel Gruno authored
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1570530 13f79535-47bb-0310-9956-ffa450edef68
-
- Feb 20, 2014
-
-
Jim Jagielski authored
PR: 54852. Only use a dummy_connection for idle processes Reviewed/backported by: jim git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1570327 13f79535-47bb-0310-9956-ffa450edef68
-