mod_ssl: Fix tmp DH parameter leak, adjust selection to prefer
larger keys and support up to 8192-bit keys.

Submitted by: rpluem, jorton
Reviewed by: ylavic, kbrand


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1610014 13f79535-47bb-0310-9956-ffa450edef68

Fix PR 56480: PROPFIND walker doesn't encode hrefs properly

Reverts r1529559 partially (specifically the dav_xml_escape_uri) bit.
Reverts r1531505 entirely.

* modules/dav/main/mod_dav.c
  (dav_xml_escape_uri): Revert the piece of r1529559 that removes the URI
    escaping from this function.

* modules/dav/main/props.c
  (dav_do_prop_subreq): Escape the URI before doing a sub request with it.
    This resolves some properties like getcontenttype from failing to be
    returned for files that contain characters that require encoding in their
    path.

* modules/dav/main/mod_dav.h
  (dav_resource): Note the inconsistency in the documentation.

* modules/dav/fs/repos.c
  (dav_fs_get_resource): Don't use the unparsed_uri to set the uri field of
    the resource.  This is the correct fix for the double encoding in mod_dav_fs
    that led to the dav_xml_escape_uri() change and r1531505.
  (dav_fs_walker, dav_fs_append_uri): Revert r1531505 changes.

Submitted by: breser
Reviewed by: ylavic, covener


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1610013 13f79535-47bb-0310-9956-ffa450edef68

Follow up to r1527220/r1588852:

Implement better error checking/reporting around notification of abrupt parent
process termination.

It is likely that something bad is happening here based on these
user reports:

https://www.apachelounge.com/viewtopic.php?p=27848
http://mail-archives.apache.org/mod_mbox/httpd-users/201406.mbox/%3CCAC%2BRZnuwLD%2BJnoy2TYO8oeAWt6bFLMa%3DEhfDf9hS3cuuGUHXAw%40mail.gmail.com%3E


w-up to r1606368: HANDLE is PVOID which is void * (fix format string)

Submitted by: trawick
Reviewed by: covener, gsmith


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1608907 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1608780 13f79535-47bb-0310-9956-ffa450edef68

mod_proxy: When ping/pong is configured for a worker, don't send or forward
           "100 Continue" (interim) response to the client if it does not
           expect one.

Submitted by: ylavic
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1608762 13f79535-47bb-0310-9956-ffa450edef68

mod_ssl: send OCSP request's nonce according to SSLOCSPUseRequestNonce on/off. PR 56233.


mod_ssl: follow up to r1583191.

New SSLOCSPUseRequestNonce directive's manual and CHANGES.

Non functional code changes (modssl_ctx_t's field ocsp_use_request_nonce
grouped with other OCSP ones, nested if turned to a single AND condition).


Remove SSLOCSPUseRequestNonce OpenSSL-0.9.7 requirement (0.9.8 already required by httpd-2.4) and set availability to 2.5-dev until further notice.

mod_ssl: follow up to r1583191.

Use type BOOL for modssl_ctx_t's field ocsp_use_request_nonce.
Suggested by: kbrand.

Submitted by: ylavic
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1608758 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1605642 13f79535-47bb-0310-9956-ffa450edef68

mod_proxy_fcgi: Fix occasional high CPU when handling request bodies.

Submitted by: trawick
Reviewed by: covener, ylavic


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1605639 13f79535-47bb-0310-9956-ffa450edef68

* event MPM: fix a race where a worker looks at a conn_rec after it might be
  in use by another thread or may have been freed and 
  re-allocated.

Submitted By: Edward Lu



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1605619 13f79535-47bb-0310-9956-ffa450edef68

authnzldap: support "none" as a filter to suppress using a search filter,
which is required by some mainframe security products serving native
registry over LDAP.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1605618 13f79535-47bb-0310-9956-ffa450edef68

mod_deflate: fix decompression of files larger than 4GB. According to RFC1952,
Input SIZE (compLen) contains the size of the original input data modulo 2^32.

PR: 56062
Submitted by: Lukas Bezdicka



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1604460 13f79535-47bb-0310-9956-ffa450edef68

Merge r1572655, r1572663, r1572668, r1572669, r1572670, r1572671, r1573224, r1586745, r1587594, r1587639, r1590509 from trunk.


Commit 1 on 6 to fix reentrance (incomplete Zlib header or validation bytes) in mod_deflate's output and input filters.
PR 46146 (patches from duplicated PR 55666)

Handle Zlib header buffering in the inflate output filter :
- add the new deflate_ctx_t fields needed to re-enter the Zlib header parsing,
- introduce the new consume_zlib_flags() function to parse/consume the ZLib flags (will be used by the other filters too),
- use it to handle incomplete header in the output filter (deflate).

This alone fixes PR 55666, but the issue remains for PR 46146 (inflate/deflate input filters), hence the following patches.


Commit 2 on 6 to fix reentrance (incomplete Zlib header or validation bytes) in mod_deflate's output and input filters.
PR 46146 (patches from duplicated PR 55666)

Handle Zlib header buffering in the inflate input filter :
- loop until all the header is received,
- handle non blocking reads returning empty brigade,
- fix a double ap_get_brigade() when an EOS brigade is encountered while reading the header,
- in that case and no data was received so far, don't return an error but SUCCESS with the EOS, otherwise fail,
- don't remove the Content-Length and Content-MD5 headers until some data is read.

Still does not handle Zlib flags for now, next commits.


Commit 3 on 6 to fix reentrance (incomplete Zlib header or validation bytes) in mod_deflate's output and input filters.
PR 46146 (patches from duplicated PR 55666)

Handle Zlib validation bytes buffering (CRC + length) in the inflate input filter :
- use validation_buffer and validation_length as state,
- loop until all the bytes are received.


Commit 4 on 6 to fix reentrance (incomplete Zlib header or validation bytes) in mod_deflate's output and input filters.
PR 46146 (patches from duplicated PR 55666)

Handle non blocking reads which would block in the inflate input filter (not an error).


Commit 5 on 6 to fix reentrance (incomplete Zlib header or validation bytes) in mod_deflate's output and input filters.
PR 46146 (patches from duplicated PR 55666)

Handle Zlib flags in the inflate input filter as in the output filter, using consume_zlib_flags().


Commit 6 on 6 to fix reentrance (incomplete Zlib header or validation bytes) in mod_deflate's output and input filters.
PR 46146 (patches from duplicated PR 55666)

Ignore empty buckets and split buckets longer than INT_MAX (since zlib uses 32-bit ints only) in all filters.


mod_deflate: when consuming zlibs flags, APR_INCOMPLETE implies no more bytes available.


mod_deflate: update empty log tags.


mod_deflate: Delay INFLATE input filter's self removal until all the buffered
             buckets are out (including EOS). PR 46146.


mod_deflate: Don't return gzip-ed data when reading FLUSH bucket in INFLATE
             input filter, forward the FLUSH but keep reading should EOS/more
             follow (should not happen, but mod_deflate won't fix it).


mod_deflate: follow up to r1587639.
Don't break the looped brigade when moving the FLUSH bucket to the returned bb
and continue reading.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1604458 13f79535-47bb-0310-9956-ffa450edef68

mod_proxy: Allow reverse-proxy to be set via explicit handler.

Submitted by: ryo takatsuki <ryotakatsuki gmail com>
Reviewed by: ylavic, jim, mrumph


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1604378 13f79535-47bb-0310-9956-ffa450edef68

ab: support custom HTTP method with -m argument.

PR: 56604
Submitted by: Roman Jurkov <winfinit gmail.com>
Reviewed by: ylavic, trawick, covener

(r1601680 and r1601700 not reflected in mergeinfo due to
a collision with an unrelated trunk change)


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1604373 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1604340 13f79535-47bb-0310-9956-ffa450edef68

- IVM changed to use shm
- More verbose error logging (no functional change)
- Miscellaneous refactoring that was in trunk but not in 2.4.x (no functional change as such)

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1604339 13f79535-47bb-0310-9956-ffa450edef68

core: avoid a double apr_time_now() call on the first succeeding read.

* Correctly escape user provided data.

PR: 56532
Submitted by: Maksymilian <max cert.cx>
Reviewed by: rpluem


Save a few bytes of memory. This can be done in temp_pool.

Fix layout

don't pass uninitialized rv passed to ap_log_rerror()
  (rv wasn't interesting / follow an existing example)

stop throwing away a pointer on the heap

(clang scan-build)


add the URI to DEBUG message 00765 (and drop an exclamation point):

  Cache provider's store_body failed!



Doxygen fix + reorg to match how other header files are built
Submitted by: ylavic, rpluem, jailletc36, jailletc36, trawick, covener, jailletc36
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1603141 13f79535-47bb-0310-9956-ffa450edef68

mod_proxy_fcgi: Support iobuffersize parameter.

Submitted by: trawick
Reviewed by: jim, ylavic


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1601749 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1599597 13f79535-47bb-0310-9956-ffa450edef68

Merge r1546730, r1583008, r1571369, r1552130, r1578760, r1592615, r1592632, r1595321, r1550302, r1550307, r1585435 from trunk:

fix whitespace in a debug message

s/comment/self-documenting/

normalize an ugly construct which somehow manages to return the correct value

This is annoying to see in a casual "LogLevel debug foo:traceX ..."




Use 'apr_table_setn' instead of 'apr_table_set' when possible in order to save memory.

Follow-up to r1592529:

Define default port for "scgi" schemes (as chosen by
mod_proxy_scgi) in a common location.

Suggested by: jailletc36


fix Doxygen markup error

Submitted by: jailletc36


Tweak a AP_DEBUG_ASSERT condition.
Valid index to use 'req_header_var_names' are 0...6

mod_auth_form: Add a debug message when the fields on a form are not
recognised.


mod_auth_form: Make the trace logging consistent through the notes, session
and form authentication steps.


mod_auth_form: update empty log tags.
Submitted by: trawick, covener, jailletc36, trawick, trawick, jailletc36, minfrin, minfrin, ylavic
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1599501 13f79535-47bb-0310-9956-ffa450edef68

mod_proxy_wstunnel: Fix the use of SSL connections with the "wss:" scheme.
                    PR55320.

Submitted by: Alex Liu <alex.leo.ca gmail.com>
Committed by: ylavic

Submitted by: ylavic
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1598603 13f79535-47bb-0310-9956-ffa450edef68

mod_socache_shmcb: Correct counting of expirations for status display.
Expirations happening during retrieval were not counted.

Submitted by: rjung
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1595918 13f79535-47bb-0310-9956-ffa450edef68

mod_cache: Retry unconditional request with the full URL (including the
           query-string) when the origin server's 304 response does not
           match the conditions used to revalidate the stale entry.

http://www.mail-archive.com/dev@httpd.apache.org/msg59884.html

Submitted by: ylavic
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1595917 13f79535-47bb-0310-9956-ffa450edef68

mod_alias: Stop setting CONTEXT_PREFIX and CONTEXT_DOCUMENT environment
variables as a result of AliasMatch.

Submitted by: covener
Reviewed by: jim, ylavic


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1594539 13f79535-47bb-0310-9956-ffa450edef68

mod_proxy_scgi: Support Unix sockets.

ap_proxy_port_of_scheme(): Support default SCGI port (4000).

Submitted by: trawick
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1593004 13f79535-47bb-0310-9956-ffa450edef68

        programs, and implement a special merging algorithm for
             SSLCertificate[Key]File to emulate the behavior in versions <= 2.4.7



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1593003 13f79535-47bb-0310-9956-ffa450edef68

Fix errors with CacheLock on Windows:

cache_util.c(757): (OS 80)The file exists.  : [client 127.0.0.1:63889] 
AH00784: Attempt to obtain a cache lock for stale cached URL failed, 
revalidating entry anyway: 

Submitted by: covener
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1593000 13f79535-47bb-0310-9956-ffa450edef68

mod_expires: don't add Expires header to error responses (4xx/5xx),
             be they generated or forwarded. PR 55669.


Follow up to r1584430.

Submitted by: ylavic
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1592999 13f79535-47bb-0310-9956-ffa450edef68

mod_proxy_fcgi: Don't segfault when failing to connect to the backend.


now understood why users haven't reported the segfault (yet) when mod_proxy_fcgi
can't connect to the application

Submitted by: trawick
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1592998 13f79535-47bb-0310-9956-ffa450edef68

                   on startup if default socache_provider is used and
                   AuthnCacheEnable or AuthnCacheProvideFor is used.
                   This problem has been introduced in r1531961.
                   PR 56371.

Submitted by: jkaluza
Reviewed by: ylavic, jim, trawick


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1592991 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1588763 13f79535-47bb-0310-9956-ffa450edef68

Also clear the error queue before calling SSL_CTX_use_certificate[_chain]_file
(workaround for OpenSSL versions before 0.9.8h, see
https://rt.openssl.org/Ticket/Display.html?user=guest&pass=guest&id=1513).

PR 56410.

Submitted by: kbrand
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1588496 13f79535-47bb-0310-9956-ffa450edef68

  *) mod_proxy_wstunnel: Don't pool backend websockets connections,
     because we need to handshake every time. PR 55890.
     [Eric Covener]



actually remove mod_reqtimeout, since the util_filter functions involved
only manipulate c->input_filters no matter what we pass. We need to make
copies of c->input_filters after, not before, it skips over reqtimeout.

Note: reqtimeout doesn't really interfere today with normal operation,
but this is misleading/confusing when dealing with other
wstunnel issues.



cleanup wstunnel error handling

Submitted By: covener, ylavic, Edward Lu
Commited By: covener



followup to r1587036.

if backend->close is set too early, proxy_util.c will close it right 
away and then blow away the field.

Submitted by: covener
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1588495 13f79535-47bb-0310-9956-ffa450edef68

Bring SNI behavior into better conformance with RFC 6066:

- no longer send a warning-level unrecognized_name(112) alert
  when no matching vhost is found (PR 56241)

- at startup, only issue warnings about IP/port conflicts and name-based
  SSL vhosts when running with an OpenSSL without TLS extension support
  (almost 5 years after SNI was added to 2.2.x, the
  "[...] only work for clients with TLS server name indication support"
  warning feels obsolete)

Proposed by: kbrand
Reviewed by: jorton, ylavic


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1588424 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1588356 13f79535-47bb-0310-9956-ffa450edef68

mod_auth_form: Make sure the optional functions are loaded even when
the AuthFormProvider isn't specified.

Submitted by: minfrin
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1588247 13f79535-47bb-0310-9956-ffa450edef68

Only read "active" values from the key_files array. PR 56306.

Submitted by: kbrand
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1588246 13f79535-47bb-0310-9956-ffa450edef68

Reverse the order when merging global and vhost-level config arrays.
Putting the vhost-level elements last allows overriding global settings
(for the deprecated SSLRequire directive, the order is irrelevant,
all of them must be met, cf. ssl_engine_kernel.c:ssl_hook_Access).

Submitted by: kbrand
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1588245 13f79535-47bb-0310-9956-ffa450edef68

If the "value" argument is prefixed with expr=, parse it with ap_expr
rather than mod_headers' built-in format strings.


Submitted by: covener
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1588244 13f79535-47bb-0310-9956-ffa450edef68

* support/rotatelogs.c (main): Prevent creation of zombies from
  post-rotate programs.

Reviewed by: druggeri, ylavic, covener


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1588175 13f79535-47bb-0310-9956-ffa450edef68