SECURITY: CVE-2016-8740

mod_http2: properly crafted, endless HTTP/2 CONTINUATION frames could be used to exhaust all server's memory.

Reported by: Naveen Tiwari <naveen.tiwari@asu.edu> and CDF/SEFCOM at Arizona State University

mod_http2: wseaking cleanup assertion on streams that have never been scheduled


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1772579 13f79535-47bb-0310-9956-ffa450edef68

Don't take over scoreboard slots from gracefully finishing threads

Otherwise the old and the new thread will both update the same scoreboard slot
with undefined results.



add comments

Document which directives set which variables


Make ap_find_child_by_pid() look at all slots that have ever been used.

This is preparation to allow to use more scoreboard slots in mpm event.


mpm_event: minor code simplification

- move variable initializations into declarations
- use max_workers variable


mpm_event: don't re-use scoreboard slots that are still in use

This causes inconsistent data in the scoreboard (due to async
connections) and makes it difficult to determine what is going on.
Therefore it is not a useful fix for the scoreboard-full issues (PR
53555).

The consent on the dev list is that we should allocate/use more
scoreboard entries instead.


Use all available scoreboard slots

Allow to use all slots up to ServerLimit. This makes 'scoreboard full'
errors much less likely.

And if ther is a situation where the scoreboard is full, don't make any
more processes finish gracefully due to reduced load until some old
processes have terminated. Otherwise, the situation would get worse once
the load increases again.

ap_daemon_limit is renamed to the more descriptive active_server_limit,
to make sure that all its uses are taken care of.

PR 53555



mpm_event: add clarifying comment

from jim

Submitted by: sf
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1772335 13f79535-47bb-0310-9956-ffa450edef68

When shutting down a process, free resources early

Due to lingering connections, shutting down a process may take a very
long time. Free all recycled pools early in the hope that we can already
give some memory back to the OS.


rename some variables to be more descriptive

pid -> pslot
tid -> tslot
remove unused 'sd'


Terminate keep-alive connections when dying

When shutting down a process gracefully, terminate keep-alive connections so
that we don't get any new requests which may keep the dying process alive
longer.



Exit threads early during shutdown

During graceful shutdown, if there are more running worker threads than open
connections, terminate some threads. This frees resources faster, which may be
needed for new processes.



Exit threads early during shutdown, part 2

Follow up to r1738466: During graceful shutdown, when the listener thread is
closing a connection, it needs to wake up a worker thread so that it may
terminate.


Submitted by: sf
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1772334 13f79535-47bb-0310-9956-ffa450edef68

Display process slot number in the async overview 


Fix the number of column for 'Async connections'.
There are only 3 columns (writing, keep-alive, closing), not 4.

Try to improve the code layout for it to be more readable.
Each <th> is on its own line so keep the corresponding "colspan" <td> fields grouped together.

r1738628 introduced a new column, 'Slot'.
Add an empty cell for it in the last line of the table, in order to fix the layout of the Totals.

Replace tab by spaces to be consistent

mod_status: note stopping procs in async info table

* add new column "stopping", denoting if a process is shutting down
* add additional "(old gen)", if a process is from before a graceful reload
* add counts of processes and stopping processes to summary line


Submitted by: sf, jailletc36, jailletc36, sf
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1772333 13f79535-47bb-0310-9956-ffa450edef68

Merge r1597533, r1649491, r1665216, r1756553, r1756631, r1726675, r1718496, r1718476, r1747469 from trunk:

mod_cache: try to use the key of a possible open but stale cache entry
if we have one in cache_try_lock(). PR 50317

Submitted by: Ruediger Pluem


* modules/cache/mod_socache_memcache.c (socache_mc_store): Pass
  through expiration time.

Submitted by: Faidon Liambotis <paravoid debian.org>, jorton


* mod_cache: Preserve the Content-Type in case of 304 response.
304 does not contain Content-Type and mod_mime regenerates
the Content-Type based on the r->filename. This later leads to original
Content-Type to be lost (overwriten by whatever mod_mime generates).


mod_cache: Use the actual URI path and query-string for identifying the
cached entity (key), such that rewrites are taken into account when
running afterwards (CacheQuickHandler off).  PR 21935.
 


mod_cache: follow up to r1756553: log the real/actual cached URI (debug).



better s-maxage support
 
+  *) mod_cache: Consider Cache-Control: s-maxage in expiration
+     calculations.  [Eric Covener]
+
+  *) mod_cache: Allow caching of responses with an Expires header
+     in the past that also has Cache-Control: max-age or s-maxage.
+     PR55156. [Eric Covener]




remove dead code leftover from r1023387. 

Prior to this revision, there was an apr_atoi64 in this context.
Now, ap_cache_control() sets control.max_age (which is checked here) when
the maxage value was parsed OK.



duplicate debug-level AH00764 in the just-validated path.



Rename ap_casecmpstr[n]() to ap_cstr_casecmp[n](), update with APR doxygen
Submitted by: jkaluza, jorton, jkaluza, ylavic, ylavic, covener, covener, covener, wrowe
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1772331 13f79535-47bb-0310-9956-ffa450edef68

mod_http2: new directive H2EarlyHints



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1771018 13f79535-47bb-0310-9956-ffa450edef68

mod_ssl: Fix quick renegotiation (OptRenegotiaton) with no intermediate
in the client certificate chain.  PR 55786.

This is done by handling an empty cert chain as no/NULL chain.


Submitted by: ylavic
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1770838 13f79535-47bb-0310-9956-ffa450edef68

Avoid adding duplicate subequest filters, as they would not be stripped
properly during an ap_internal_fast_redirect.


Submitted by: covener
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1770672 13f79535-47bb-0310-9956-ffa450edef68

ab: follow up to r1733537: CHANGES entry.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1769610 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1769601 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1769599 13f79535-47bb-0310-9956-ffa450edef68

mod_http2: new directive 'H2PushResource' to enable early pushes before 
     processing of the main request starts. Resources are announced to the 
     client in Link headers on a 103 early hint response. 
     All responses with status code <400 are inspected for Link header and
     trigger pushes accordingly. 304 still does prevent pushes.
     'H2PushResource' can mark resources as 'critical' which gives them higher
     priority than the main resource. This leads to preferred scheduling for
     processing and, when content is available, will send it first. 'critical'
     is also recognized on Link headers.
     
mod_proxy_http2: uris in Link headers are now mapped back to a suitable
     local url when available. Relative uris with an absolute path are mapped
     as well. This makes reverse proxy mapping available for resources
     announced in this header. 
     With 103 interim responses being forwarded to the main client connection,
     this effectively allows early pushing of resources by a reverse proxied
     backend server.
     adding support for newly proposed 103 status code.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1769595 13f79535-47bb-0310-9956-ffa450edef68

http: Respond with "408 Request Timeout" when a timeout occurs while
reading the request body.

Submitted by: ylavic
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1768079 13f79535-47bb-0310-9956-ffa450edef68

mpm_unix: Apache fails to start if previously crashed then restarted with
the same PID (e.g. in container).  PR 60261.

Proposed by: Val <valentin.bremond gmail.com>
Reviewed by: ylavic

Submitted by: ylavic
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1768078 13f79535-47bb-0310-9956-ffa450edef68

cleanup next



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1767647 13f79535-47bb-0310-9956-ffa450edef68

mod_http2/mod_proxy_http2 improvments as in CHANGES


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1767563 13f79535-47bb-0310-9956-ffa450edef68

mod_remoteip: Use r->useragent_addr as the root trusted address for verifying.

This fixes issue resulting in setting of bad useragent_ip when internal
redirection has been generated as response to the request (typically as
result of "ErrorDocument 40x").

In this case, the original request has been handled by mod_remoteip and its
useragent_ip has been changed properly, but when internal redirection
to ErrorDocument has been generated later, the mod_remoteip's handler has been
executed again with *the same* c->client_addr as in the original request. If
c->client_addr IP is trusted, this results in bad useragent_ip being set.

When using r->useragent_addr as the root trusted address instead of
c->client_addr, the internal redirection uses the first non-trusted
IP in this particular case, so it won't change the r->useragent_ip during
the internal redirection to ErrorDocument.

Submitted by: jkaluza
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1767483 13f79535-47bb-0310-9956-ffa450edef68

Submitted by: covener
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1767482 13f79535-47bb-0310-9956-ffa450edef68

mod_http2: v1.7.7, connection shutdown revisited, AP_DEBUG_ASSERT transformed to real asserts


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1766856 13f79535-47bb-0310-9956-ffa450edef68

mod_proxy_{http,ajp,fcgi}: don't reuse backend connections with data
     available before the request is sent.  PR 57832.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1766372 13f79535-47bb-0310-9956-ffa450edef68

mod_http2/mod_proxy_http2: 100-continue implementation, PING checks on aged backend connections


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1765327 13f79535-47bb-0310-9956-ffa450edef68

mod_proxy_http2: renaming duplicate symbol clash between h2_proxy_util and h2_util externals



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1764238 13f79535-47bb-0310-9956-ffa450edef68

mod_http2: rewrite of how responses and trailers are transferred between
     master and slave connection. Reduction of internal states for tasks
     and streams, stability. Heuristic id generation for slave connections
     to better keep promise of connection ids unique at given point int time.
     Fix for mod_cgid interop in high load situtations. 
     Fix for handling of incoming trailers when no request body is sent.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1763163 13f79535-47bb-0310-9956-ffa450edef68

mod_http2: fix for output blocking race condition



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1761478 13f79535-47bb-0310-9956-ffa450edef68

mpm_winnt: remove 'data' AcceptFilter in favor of 'connect'

The 'data' AcceptFilter optimization instructs Windows to wait until
data is received on a connection before completing the AcceptEx
operation. Unfortunately, it seems this isn't performed atomically --
AcceptEx "partially" accepts the incoming connection during the wait for
data, leaving all other incoming connections in the accept queue. This
opens the server to a denial of service.

Since the fix for this requires a substantial rearchitecture (likely
involving multiple outstanding calls to AcceptEx), disable the 'data'
filter for now and replace it with 'connect', which uses the AcceptEx
interface but does not wait for data.

Users running prior releases of httpd on Windows should explicitly move
to a 'connect' AcceptFilter in their configurations if they are
currently using the default 'data' filter.

Many thanks to mludha, Arthur Ramsey, Paul Spangler, and many others for
their assistance in tracking down and diagnosing this issue.

PR: 59970

mpm_winnt: remove the AcceptEx data network bucket

Follow-up to the prior commit: without an incoming data buffer, the
custom network bucket code is now orphaned and we can remove it
entirely. This has the added benefit that we are no longer using the
internal OVERLAPPED.Pointer field, which is discouraged by the MSDN
docs.

mpm_winnt: remove duplication of ap_process_connection

Further follow-up to the previous commit: now that we no longer patch a
network bucket into the brigade, we can revert to calling
ap_process_connection() directly instead of duplicating its logic.

docs: rebuild
Submitted by: jchampion
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1759471 13f79535-47bb-0310-9956-ffa450edef68

mod_cgid: Resolve a case where a short CGI response causes a subsequent
     CGI to be killed prematurely, resulting in a truncated subsequent
     response. 


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1758798 13f79535-47bb-0310-9956-ffa450edef68

* Add missing copy of hcuri and hcexpr ftom the worker to the health check worker.

PR: 60038
Submitted by: zdeno <zdeno@scnet.sk>

Submitted by: rpluem
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1758373 13f79535-47bb-0310-9956-ffa450edef68

mod_http2: fixed bug in stream shutdown, support for nghttp2 invalid header callback from 1.14.0 and onwards.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1758011 13f79535-47bb-0310-9956-ffa450edef68

mod_reqtimeout: Fix body timeout disabling for CONNECT requests to avoid
triggering mod_proxy_connect's AH01018 once the tunnel is established.
https://bugzilla.mozilla.org/show_bug.cgi?id=1279483#c9



mod_reqtimeout: follow up to r1754391: fix missing "else".
Submitted by: ylavic
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1757675 13f79535-47bb-0310-9956-ffa450edef68

ab: add SNI support when available.

ab: follow up to r1750854: put the -I at the right place for apr_getopt().

ab: follow up to r1750854.
Use SNI when available by default, and invert -I logic to now disable it.

ab: follow up to r1750854: some comments and better naming.

ab: follow up to r1750854: still better naming, and a C89 fix.
Submitted by: ylavic
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1757674 13f79535-47bb-0310-9956-ffa450edef68

mod_proxy_fcgi: avoid loops serving proxied error documents

This commit should solve the issue indicated in PR 55415.
Httpd loops while serving a error document if:
1) The error document's content is proxied.
2) ProxyErrorOverride is set.
The solution proposed is to limit the use of ap_die only
to the initial request. I tested the change with very basic
scenarios but I am not sure if I got all the use cases,
feedback is really welcome.


Submitted by: elukey
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1757671 13f79535-47bb-0310-9956-ffa450edef68

Force mod_proxy_fcgi to read the whole FCGI response 
even when the content has not been modified (HTTP 304).

The problem is described in PR 59838. This patch should 
avoid bogus reads causing the following issues with
HTTP 304 responses:
- AH01068: Got bogus version X, expected 1
- AH01069: Got bogus rid X, expected 1
- AH01075: Error dispatching request to :
- HTTP 503 logged instead of 304 (even if the external 
  client gets correctly a 304)

As discussed on IRC the HTTP_PRECONDITION_FAILED use case
should be handled like the HTTP_NOT_MODIFIED one but it will
be done in a separate commit.


Submitted by: elukey
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1757670 13f79535-47bb-0310-9956-ffa450edef68

Fix spelling in comments and text files.
No functional change.
PR 59990

Submitted by: rjung
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1757669 13f79535-47bb-0310-9956-ffa450edef68

merge of 1752145,1753498,1753541,1754129,1754414,1754534,1755323,1756844,1757524,1757534,1757540 from trunk

mod_http2: backport of latest changes
 - intermediate responses
 - graceful shutdown of connections
 - ht debug draft update



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1757542 13f79535-47bb-0310-9956-ffa450edef68

* Prevent redirect loops between workers within a balancer by limiting the
  number of redirects to the number balancer members.

PR: 59864

Submitted by: rpluem
Reviewed by: rpluem, jim, ylavic


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1756563 13f79535-47bb-0310-9956-ffa450edef68

* Do not overwrite r->status with access_status if access_status is OK or DONE
  as in this case r->status might contain the true response code.

PR: 59869

Submitted by: rpluem
Reviewed by: rpluem, jim, ylavic


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1756562 13f79535-47bb-0310-9956-ffa450edef68

mod_dav: Add dav_begin_multistatus, dav_send_one_response,
dav_finish_multistatus, dav_send_multistatus, dav_handle_err, 
dav_failed_proppatch, dav_success_proppatch to mod_dav.h.

Submitted by: minfrin
Reviewed by: minfrin, jim, ylavic


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1756561 13f79535-47bb-0310-9956-ffa450edef68

mod_dav: Add support for childtags to dav_error.

Submitted by: minfrin
Reviewed by: minfrin, jim, ylavic


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1756560 13f79535-47bb-0310-9956-ffa450edef68

httpoxy workarounds, first draft patch as published for all 2.2.x+ sources

Optimization to httpoxy workaround, for 2.4.23+ only.

Submitted by: Dominic Scheirlinck <dominic vendhq.com>, ylavic
Reviewed/backported by: wrowe, jim, ylavic


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1756559 13f79535-47bb-0310-9956-ffa450edef68

PR59815: rewrite per-directory + fcgi broken in 2.4.23

remove the query string from r->filename before calculating environment
(SCRIPT_FILENAME) in mod_proxy_fcgi.  Before PR59618, php-fpm would
see proxy:fcgi:// and do some of this same stripping.




Submitted by: covener
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1755077 13f79535-47bb-0310-9956-ffa450edef68