- Dec 04, 2016
Stefan Eissing authored
SECURITY: CVE-2016-8740
mod_http2: properly crafted, endless HTTP/2 CONTINUATION frames could be used to exhaust all server's memory.
Reported by: Naveen Tiwari <naveen.tiwari@asu.edu> and CDF/SEFCOM at Arizona State University
mod_http2: wseaking cleanup assertion on streams that have never been scheduled
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1772579 13f79535-47bb-0310-9956-ffa450edef68
-
- Dec 02, 2016
Jim Jagielski authored
Don't take over scoreboard slots from gracefully finishing threads
Otherwise the old and the new thread will both update the same scoreboard slot with undefined results.
add comments
Document which directives set which variables
Make ap_find_child_by_pid() look at all slots that have ever been used. This is preparation to allow to use more scoreboard slots in mpm event.
mpm_event: minor code simplification - move variable initializations into declarations - use max_workers variable
mpm_event: don't re-use scoreboard slots that are still in use
This causes inconsistent data in the scoreboard (due to async connections) and makes it difficult to determine what is going on. Therefore it is not a useful fix for the scoreboard-full issues (PR 53555). The consent on the dev list is that we should allocate/use more scoreboard entries instead.
Use all available scoreboard slots
Allow to use all slots up to ServerLimit. This makes 'scoreboard full' errors much less likely. And if there is a situation where the scoreboard is full, don't make any more processes finish gracefully due to reduced load until some old processes have terminated. Otherwise, the situation would get worse once the load increases again.
ap_daemon_limit is renamed to the more descriptive active_server_limit, to make sure that all its uses are taken care of.
PR 53555
mpm_event: add clarifying comment from jim
Submitted by: sf
Reviewed/backported by: jim
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1772335 13f79535-47bb-0310-9956-ffa450edef68
-
Jim Jagielski authored
When shutting down a process, free resources early
Due to lingering connections, shutting down a process may take a very long time. Free all recycled pools early in the hope that we can already give some memory back to the OS.
rename some variables to be more descriptive pid -> pslot tid -> tslot
remove unused 'sd'
Terminate keep-alive connections when dying
When shutting down a process gracefully, terminate keep-alive connections so that we don't get any new requests which may keep the dying process alive longer.
Exit threads early during shutdown
During graceful shutdown, if there are more running worker threads than open connections, terminate some threads. This frees resources faster, which may be needed for new processes.
Exit threads early during shutdown, part 2
Follow up to r1738466: During graceful shutdown, when the listener thread is closing a connection, it needs to wake up a worker thread so that it may terminate.
Submitted by: sf
Reviewed/backported by: jim
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1772334 13f79535-47bb-0310-9956-ffa450edef68
-
Jim Jagielski authored
Display process slot number in the async overview
Fix the number of columns for 'Async connections'. There are only 3 columns (writing, keep-alive, closing), not 4. Try to improve the code layout for it to be more readable. Each <th> is on its own line so keep the corresponding "colspan" <td> fields grouped together.
r1738628 introduced a new column, 'Slot'. Add an empty cell for it in the last line of the table, in order to fix the layout of the Totals.
Replace tab by spaces to be consistent
mod_status: note stopping procs in async info table
* add new column "stopping", denoting if a process is shutting down
* add additional "(old gen)", if a process is from before a graceful reload
* add counts of processes and stopping processes to summary line
Submitted by: sf, jailletc36, jailletc36, sf
Reviewed/backported by: jim
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1772333 13f79535-47bb-0310-9956-ffa450edef68
-
Jim Jagielski authored
Merge r1597533, r1649491, r1665216, r1756553, r1756631, r1726675, r1718496, r1718476, r1747469 from trunk:
mod_cache: try to use the key of a possible open but stale cache entry if we have one in cache_try_lock(). PR 50317
Submitted by: Ruediger Pluem
* modules/cache/mod_socache_memcache.c (socache_mc_store): Pass through expiration time.
Submitted by: Faidon Liambotis <paravoid debian.org>, jorton
* mod_cache: Preserve the Content-Type in case of 304 response. 304 does not contain Content-Type and mod_mime regenerates the Content-Type based on the r->filename. This later leads to original Content-Type to be lost (overwritten by whatever mod_mime generates).
mod_cache: Use the actual URI path and query-string for identifying the cached entity (key), such that rewrites are taken into account when running afterwards (CacheQuickHandler off). PR 21935.
mod_cache: follow up to r1756553: log the real/actual cached URI (debug).
better s-maxage support
+ *) mod_cache: Consider Cache-Control: s-maxage in expiration + calculations. [Eric Covener] + + *) mod_cache: Allow caching of responses with an Expires header + in the past that also has Cache-Control: max-age or s-maxage. + PR55156. [Eric Covener]
remove dead code leftover from r1023387. Prior to this revision, there was an apr_atoi64 in this context. Now, ap_cache_control() sets control.max_age (which is checked here) when the maxage value was parsed OK.
duplicate debug-level AH00764 in the just-validated path.
Rename ap_casecmpstr[n]() to ap_cstr_casecmp[n](), update with APR doxygen
Submitted by: jkaluza, jorton, jkaluza, ylavic, ylavic, covener, covener, covener, wrowe
Reviewed/backported by: jim
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1772331 13f79535-47bb-0310-9956-ffa450edef68
-
- Nov 23, 2016
Stefan Eissing authored
mod_http2: new directive H2EarlyHints git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1771018 13f79535-47bb-0310-9956-ffa450edef68
-
- Nov 22, 2016
Jim Jagielski authored
mod_ssl: Fix quick renegotiation (OptRenegotiate) with no intermediate in the client certificate chain. PR 55786. This is done by handling an empty cert chain as no/NULL chain. Submitted by: ylavic Reviewed/backported by: jim git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1770838 13f79535-47bb-0310-9956-ffa450edef68
-
- Nov 21, 2016
Jim Jagielski authored
Avoid adding duplicate subrequest filters, as they would not be stripped properly during an ap_internal_fast_redirect. Submitted by: covener Reviewed/backported by: jim git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1770672 13f79535-47bb-0310-9956-ffa450edef68
-
- Nov 14, 2016
Yann Ylavic authored
ab: follow up to r1733537: CHANGES entry. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1769610 13f79535-47bb-0310-9956-ffa450edef68
-
Yann Ylavic authored
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1769601 13f79535-47bb-0310-9956-ffa450edef68
-
Yann Ylavic authored
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1769599 13f79535-47bb-0310-9956-ffa450edef68
-
Stefan Eissing authored
mod_http2: new directive 'H2PushResource' to enable early pushes before processing of the main request starts. Resources are announced to the client in Link headers on a 103 early hint response. All responses with status code <400 are inspected for Link header and trigger pushes accordingly. 304 still does prevent pushes. 'H2PushResource' can mark resources as 'critical' which gives them higher priority than the main resource. This leads to preferred scheduling for processing and, when content is available, will send it first. 'critical' is also recognized on Link headers. mod_proxy_http2: uris in Link headers are now mapped back to a suitable local url when available. Relative uris with an absolute path are mapped as well. This makes reverse proxy mapping available for resources announced in this header. With 103 interim responses being forwarded to the main client connection, this effectively allows early pushing of resources by a reverse proxied backend server. adding support for newly proposed 103 status code. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1769595 13f79535-47bb-0310-9956-ffa450edef68
-
- Nov 04, 2016
Jim Jagielski authored
http: Respond with "408 Request Timeout" when a timeout occurs while reading the request body. Submitted by: ylavic Reviewed/backported by: jim git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1768079 13f79535-47bb-0310-9956-ffa450edef68
-
Jim Jagielski authored
mpm_unix: Apache fails to start if previously crashed then restarted with the same PID (e.g. in container). PR 60261. Proposed by: Val <valentin.bremond gmail.com> Reviewed by: ylavic Submitted by: ylavic Reviewed/backported by: jim git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1768078 13f79535-47bb-0310-9956-ffa450edef68
-
- Nov 02, 2016
Eric Covener authored
cleanup next git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1767647 13f79535-47bb-0310-9956-ffa450edef68
-
- Nov 01, 2016
Stefan Eissing authored
mod_http2/mod_proxy_http2 improvements as in CHANGES git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1767563 13f79535-47bb-0310-9956-ffa450edef68
-
Jim Jagielski authored
mod_remoteip: Use r->useragent_addr as the root trusted address for verifying. This fixes issue resulting in setting of bad useragent_ip when internal redirection has been generated as response to the request (typically as result of "ErrorDocument 40x"). In this case, the original request has been handled by mod_remoteip and its useragent_ip has been changed properly, but when internal redirection to ErrorDocument has been generated later, the mod_remoteip's handler has been executed again with *the same* c->client_addr as in the original request. If c->client_addr IP is trusted, this results in bad useragent_ip being set. When using r->useragent_addr as the root trusted address instead of c->client_addr, the internal redirection uses the first non-trusted IP in this particular case, so it won't change the r->useragent_ip during the internal redirection to ErrorDocument. Submitted by: jkaluza Reviewed/backported by: jim git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1767483 13f79535-47bb-0310-9956-ffa450edef68
-
Jim Jagielski authored
Submitted by: covener Reviewed/backported by: jim git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1767482 13f79535-47bb-0310-9956-ffa450edef68
-
- Oct 27, 2016
Stefan Eissing authored
mod_http2: v1.7.7, connection shutdown revisited, AP_DEBUG_ASSERT transformed to real asserts git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1766856 13f79535-47bb-0310-9956-ffa450edef68
-
- Oct 24, 2016
Stefan Eissing authored
mod_proxy_{http,ajp,fcgi}: don't reuse backend connections with data available before the request is sent. PR 57832. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1766372 13f79535-47bb-0310-9956-ffa450edef68
-
- Oct 17, 2016
Stefan Eissing authored
mod_http2/mod_proxy_http2: 100-continue implementation, PING checks on aged backend connections git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1765327 13f79535-47bb-0310-9956-ffa450edef68
-
- Oct 11, 2016
Stefan Eissing authored
mod_proxy_http2: renaming duplicate symbol clash between h2_proxy_util and h2_util externals git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1764238 13f79535-47bb-0310-9956-ffa450edef68
-
- Oct 03, 2016
Stefan Eissing authored
mod_http2: rewrite of how responses and trailers are transferred between master and slave connection. Reduction of internal states for tasks and streams, stability. Heuristic id generation for slave connections to better keep promise of connection ids unique at given point in time. Fix for mod_cgid interop in high load situations. Fix for handling of incoming trailers when no request body is sent. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1763163 13f79535-47bb-0310-9956-ffa450edef68
-
- Sep 19, 2016
Stefan Eissing authored
mod_http2: fix for output blocking race condition git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1761478 13f79535-47bb-0310-9956-ffa450edef68
-
- Sep 06, 2016
Jim Jagielski authored
mpm_winnt: remove 'data' AcceptFilter in favor of 'connect'
The 'data' AcceptFilter optimization instructs Windows to wait until data is received on a connection before completing the AcceptEx operation. Unfortunately, it seems this isn't performed atomically -- AcceptEx "partially" accepts the incoming connection during the wait for data, leaving all other incoming connections in the accept queue. This opens the server to a denial of service.
Since the fix for this requires a substantial rearchitecture (likely involving multiple outstanding calls to AcceptEx), disable the 'data' filter for now and replace it with 'connect', which uses the AcceptEx interface but does not wait for data. Users running prior releases of httpd on Windows should explicitly move to a 'connect' AcceptFilter in their configurations if they are currently using the default 'data' filter.
Many thanks to mludha, Arthur Ramsey, Paul Spangler, and many others for their assistance in tracking down and diagnosing this issue.
PR: 59970
mpm_winnt: remove the AcceptEx data network bucket
Follow-up to the prior commit: without an incoming data buffer, the custom network bucket code is now orphaned and we can remove it entirely. This has the added benefit that we are no longer using the internal OVERLAPPED.Pointer field, which is discouraged by the MSDN docs.
mpm_winnt: remove duplication of ap_process_connection
Further follow-up to the previous commit: now that we no longer patch a network bucket into the brigade, we can revert to calling ap_process_connection() directly instead of duplicating its logic.
docs: rebuild
Submitted by: jchampion
Reviewed/backported by: jim
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1759471 13f79535-47bb-0310-9956-ffa450edef68
-
- Sep 01, 2016
Stefan Eissing authored
mod_cgid: Resolve a case where a short CGI response causes a subsequent CGI to be killed prematurely, resulting in a truncated subsequent response. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1758798 13f79535-47bb-0310-9956-ffa450edef68
-
- Aug 30, 2016
Jim Jagielski authored
* Add missing copy of hcuri and hcexpr from the worker to the health check worker. PR: 60038 Submitted by: zdeno <zdeno@scnet.sk> Submitted by: rpluem Reviewed/backported by: jim git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1758373 13f79535-47bb-0310-9956-ffa450edef68
-
- Aug 27, 2016
Stefan Eissing authored
mod_http2: fixed bug in stream shutdown, support for nghttp2 invalid header callback from 1.14.0 and onwards. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1758011 13f79535-47bb-0310-9956-ffa450edef68
-
- Aug 25, 2016
Jim Jagielski authored
mod_reqtimeout: Fix body timeout disabling for CONNECT requests to avoid triggering mod_proxy_connect's AH01018 once the tunnel is established. https://bugzilla.mozilla.org/show_bug.cgi?id=1279483#c9 mod_reqtimeout: follow up to r1754391: fix missing "else". Submitted by: ylavic Reviewed/backported by: jim git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1757675 13f79535-47bb-0310-9956-ffa450edef68
-
Jim Jagielski authored
ab: add SNI support when available. ab: follow up to r1750854: put the -I at the right place for apr_getopt(). ab: follow up to r1750854. Use SNI when available by default, and invert -I logic to now disable it. ab: follow up to r1750854: some comments and better naming. ab: follow up to r1750854: still better naming, and a C89 fix. Submitted by: ylavic Reviewed/backported by: jim git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1757674 13f79535-47bb-0310-9956-ffa450edef68
-
Jim Jagielski authored
mod_proxy_fcgi: avoid loops serving proxied error documents This commit should solve the issue indicated in PR 55415. Httpd loops while serving an error document if: 1) The error document's content is proxied. 2) ProxyErrorOverride is set. The solution proposed is to limit the use of ap_die only to the initial request. I tested the change with very basic scenarios but I am not sure if I got all the use cases, feedback is really welcome. Submitted by: elukey Reviewed/backported by: jim git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1757671 13f79535-47bb-0310-9956-ffa450edef68
-
Jim Jagielski authored
Force mod_proxy_fcgi to read the whole FCGI response even when the content has not been modified (HTTP 304). The problem is described in PR 59838. This patch should avoid bogus reads causing the following issues with HTTP 304 responses: - AH01068: Got bogus version X, expected 1 - AH01069: Got bogus rid X, expected 1 - AH01075: Error dispatching request to : - HTTP 503 logged instead of 304 (even if the external client gets correctly a 304) As discussed on IRC the HTTP_PRECONDITION_FAILED use case should be handled like the HTTP_NOT_MODIFIED one but it will be done in a separate commit. Submitted by: elukey Reviewed/backported by: jim git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1757670 13f79535-47bb-0310-9956-ffa450edef68
-
Jim Jagielski authored
Fix spelling in comments and text files. No functional change. PR 59990 Submitted by: rjung Reviewed/backported by: jim git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1757669 13f79535-47bb-0310-9956-ffa450edef68
-
- Aug 24, 2016
Stefan Eissing authored
merge of 1752145,1753498,1753541,1754129,1754414,1754534,1755323,1756844,1757524,1757534,1757540 from trunk mod_http2: backport of latest changes - intermediate responses - graceful shutdown of connections - ht debug draft update git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1757542 13f79535-47bb-0310-9956-ffa450edef68
-
- Aug 16, 2016
Yann Ylavic authored
* Prevent redirect loops between workers within a balancer by limiting the number of redirects to the number of balancer members. PR: 59864 Submitted by: rpluem Reviewed by: rpluem, jim, ylavic git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1756563 13f79535-47bb-0310-9956-ffa450edef68
-
Yann Ylavic authored
* Do not overwrite r->status with access_status if access_status is OK or DONE as in this case r->status might contain the true response code. PR: 59869 Submitted by: rpluem Reviewed by: rpluem, jim, ylavic git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1756562 13f79535-47bb-0310-9956-ffa450edef68
-
Yann Ylavic authored
mod_dav: Add dav_begin_multistatus, dav_send_one_response, dav_finish_multistatus, dav_send_multistatus, dav_handle_err, dav_failed_proppatch, dav_success_proppatch to mod_dav.h. Submitted by: minfrin Reviewed by: minfrin, jim, ylavic git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1756561 13f79535-47bb-0310-9956-ffa450edef68
-
Yann Ylavic authored
mod_dav: Add support for childtags to dav_error. Submitted by: minfrin Reviewed by: minfrin, jim, ylavic git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1756560 13f79535-47bb-0310-9956-ffa450edef68
-
Yann Ylavic authored
httpoxy workarounds, first draft patch as published for all 2.2.x+ sources Optimization to httpoxy workaround, for 2.4.23+ only. Submitted by: Dominic Scheirlinck <dominic vendhq.com>, ylavic Reviewed/backported by: wrowe, jim, ylavic git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1756559 13f79535-47bb-0310-9956-ffa450edef68
-
- Aug 03, 2016
Jim Jagielski authored
PR59815: rewrite per-directory + fcgi broken in 2.4.23 remove the query string from r->filename before calculating environment (SCRIPT_FILENAME) in mod_proxy_fcgi. Before PR59618, php-fpm would see proxy:fcgi:// and do some of this same stripping. Submitted by: covener Reviewed/backported by: jim git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1755077 13f79535-47bb-0310-9956-ffa450edef68
-