core: Fix incorrect substitution of env vars in directives containing multiple env vars.

In ap_resolve_env(), the string returned from getenv() should be copied since
the returned string may be statically allocated.

This fixes an issue where the value for the last env var is substituted for all
env vars in a directive containing multiple env vars.

Submitted by: hwibell
Reviewed by: hwibell, covener, jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1848686 13f79535-47bb-0310-9956-ffa450edef68

PR62311: only create the rewritelock when needed

Submitted By: Hank Ibell <hwibell gmail.com>
Committed By: covener



Submitted by: covener
Reviewed by: jailletc36, icing (by inspection), covener


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1848681 13f79535-47bb-0310-9956-ffa450edef68

   in the expression does NOT match. In this case val is NULL
   and we should just set the value for the environment variable
   like in the pattern case.
+1: jailletc36, jim, minfrin


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1847292 13f79535-47bb-0310-9956-ffa450edef68

   an absolute URI on the request line
+1: jailletc36, jim, minfrin


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1847290 13f79535-47bb-0310-9956-ffa450edef68

   trunk patch: http://svn.apache.org/r1843244
+1: elukey, jim, minfrin


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1847288 13f79535-47bb-0310-9956-ffa450edef68

   just like worker.
+1: covener, jim, minfrin


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1847286 13f79535-47bb-0310-9956-ffa450edef68

   connections, and PR 61519 where $HTTPS was incorrect for the
   "SSLEngine optional" case.
+1: jorton, jim, minfrin


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1847284 13f79535-47bb-0310-9956-ffa450edef68

         not cleared beforehand.
+1: icing, jim, minfrin


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1847280 13f79535-47bb-0310-9956-ffa450edef68

This messes-up error handling performed in 'ssl_io_filter_error()'
+1: ylavic, jim, minfrin


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1847278 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1846255 13f79535-47bb-0310-9956-ffa450edef68

If ProxyPassReverse is used for reverse mapping of relative redirects, subsequent ProxyPassReverse statements, whether they are relative or absolute, may fail.

PR 60408 [Peter Haworth <pmh1wheel gmail.com>]
Submitted by: jailletc36
Reviewed by: jailletc36, rpluem, jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1846044 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1844248 13f79535-47bb-0310-9956-ffa450edef68

by SSLProxyMachineCertificate{File|Path}.

The certificates and keys loaded during configuration time got lost during
runtime if e.g. SSLProxyMachineCertificate{File|Path} was set on virtual host
level and there was an SSL directive at directory level, e.g. SSLRequire.

This fixes a regression likely introduced in r1740928 (backported in r1824187).

Backport of r1844002 from trunk.

Submitted by: rjung
Reviewed by: rjung, rpluem, jorton


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1844226 13f79535-47bb-0310-9956-ffa450edef68

down below.

This fixes a crash during SSL renegotiation with OptRenegotiate set,
when client certificates are available from the original handshake
but were originally not verified and should get verified now.
This is a regression in 2.4.36 (unreleased).

Backport of r1828793 from trunk.

Submitted by: rjung
Reviewed by: rjung, rpluem, jorton


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1844223 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1844069 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1843493 13f79535-47bb-0310-9956-ffa450edef68

mod_brotli, mod_deflate: Restore the separate handling of 304 Not Modified
responses allowing these modules to properly set or fix-up the response
headers such as Vary or ETag.

This change follows up on r1837056 that disabled that special handling and
thus resulted in a potential violation of RFC7232, 4.1:

   The server generating a 304 response MUST generate any of the following
   header fields that would have been sent in a 200 (OK) response to the
   same request: Cache-Control, Content-Location, Date, ETag, Expires,
   and Vary.)

References:
  https://lists.apache.org/thread.html/f5733ca6743757e8aa8b58a0cd9e27680971551c2a20f5606c66507e@%3Cdev.httpd.apache.org%3E
  https://tools.ietf.org/html/rfc7232#section-4.1
Submitted by: kotkov
Reviewed by: kotkov, ylavic, jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1843469 13f79535-47bb-0310-9956-ffa450edef68

mod_http2: adding defensive code for stream EOS handling, in case the request handler
     missed to signal it the normal way (eos buckets). Addresses github issues 
     https://github.com/icing/mod_h2/issues/164, https://github.com/icing/mod_h2/issues/167
     and https://github.com/icing/mod_h2/issues/170. 


Submitted by: icing
Reviewed by: icing, ylavic, jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1843468 13f79535-47bb-0310-9956-ffa450edef68

These need to be signed longs... cast as needed.


Add CHANGES entry
Submitted by: jim, jailletc36
Reviewed by: jailletc36 (by inspection), ylavic, jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1843467 13f79535-47bb-0310-9956-ffa450edef68

trunk: http://svn.apache.org/r1841784
2.4.x: svn merge -c r1841784 ^/httpd/httpd/trunk .
+1: minfrin, jim, ylavic


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1843412 13f79535-47bb-0310-9956-ffa450edef68

trunk patch: http://svn.apache.org/r1738415
             http://svn.apache.org/r1826930
2.4.x patch: https://svn.apache.org/repos/asf/httpd/httpd/patches/2.4.x/httpd-2.4-ab.patch
+1: minfrin, jim, ylavic


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1843411 13f79535-47bb-0310-9956-ffa450edef68

* Pickup the proxy related configuration for verify mode and verify depth and
  not the configuration settings for frontend connections in case of
  connections by the proxy to the backend.

PR: 62769



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1843370 13f79535-47bb-0310-9956-ffa450edef68

apportion blame/credit widely.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1841920 13f79535-47bb-0310-9956-ffa450edef68

before signals handling to avoid lifetime issues on restart or shutdown.
PR 62658.
trunk patch: http://svn.apache.org/r1835845
             http://svn.apache.org/r1835846
             http://svn.apache.org/r1837354
             http://svn.apache.org/r1837356
             http://svn.apache.org/r1839571
             http://svn.apache.org/r1839583
2.4.x patch: http://home.apache.org/~ylavic/patches/2.4.x-mpms_async_objects_lifetime.patch
+1: ylavic, jim (but not for 2.4.35), minfrin


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1841586 13f79535-47bb-0310-9956-ffa450edef68

Style only

Be more consistent:
   - add space between (if|while) and \(
   - place of 'break ' statement

Fix cut and paste typo in error message + remove empty lines to be consistent

follow-up to r1656549.

Instead of logging a password (which is not a good practice), clarify the associated message

* Silence compiler warning

Be less tolerant when parsing the credencial for Basic authorization. Only spaces  should be accepted after the authorization scheme. \t are also tolerated.

The current code accepts \v and \f as well.

The same behavior is already used in 'ap_get_basic_auth_pw()' which is mostly the same function as 'get_basic_auth()'.

Function used as 'apr_reslist_destructor' when calling 'apr_reslist_create()' should have the following prototype:

apr_status_t (*apr_reslist_destructor)(void *resource, void *params, apr_pool_t *pool);
Submitted by: jailletc36, rpluem, jailletc36, jailletc36
Reviewed by: jailletc36, minfrin, jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1841329 13f79535-47bb-0310-9956-ffa450edef68

trunk patch: http://svn.apache.org/r1838937
2.4.x patch: svn merge -c 1838937 ^/httpd/httpd/trunk .
+1: jim, ylavic, minfrin


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1841266 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1841264 13f79535-47bb-0310-9956-ffa450edef68

trunk patch: http://svn.apache.org/r1840582
2.4.x patch: svn merge -c 1840582 ^/httpd/httpd/trunk .
+1: jim, ylavic, minfrin


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1841263 13f79535-47bb-0310-9956-ffa450edef68

trunk patch: http://svn.apache.org/r1836276
2.4.x patch: svn merge -c 1836276 ^/httpd/httpd/trunk .
+1: jim, ylavic, minfrin


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1841261 13f79535-47bb-0310-9956-ffa450edef68

trunk: http://svn.apache.org/r1837225
       http://svn.apache.org/r1837366
2.4.x patch: http://home.apache.org/~jim/patches/client64v2.patch
+1: jim, icing (by inspection), minfrin


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1841259 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1841178 13f79535-47bb-0310-9956-ffa450edef68

  *) http: Enforce consistently no response body with both 204 and 304
     statuses.  [Yann Ylavic]



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1840572 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1840550 13f79535-47bb-0310-9956-ffa450edef68

* mod_proxy: Remove load order and link dependency between mod_lbmethod_*
  modules and mod_proxy by providing mod_proxy's ap_proxy_balancer_get_best_worker
  as an optional function.

PR: 62557


* Remove invalid copy and paste comments

* Always retrieve conditional function. static variable might contain garbage if module was reloaded in a static build.

* Add missing log numbers

* ap_proxy_balancer_get_best_worker cannot be exported and used as an optional
  function at the same time. So rename ap_proxy_balancer_get_best_worker to
  proxy_balancer_get_best_worker and make it static which is then used as an
  optional function and recreate ap_proxy_balancer_get_best_worker as an
  exported thin wrapper of proxy_balancer_get_best_worker.

Submitted by: rpluem
Reviewed by: covener, jim, ylavic


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1840548 13f79535-47bb-0310-9956-ffa450edef68

Merged 1827912,1827924,1827992,1828222,1828720,1828723,1833588,1833589,1839920,1839946 from trunk

  *) mod_ssl: add experimental support for TLSv1.3 (tested with OpenSSL v1.1.1-pre9. 
     SSL(Proxy)CipherSuite now has an optional first parameter for the protocol the ciphers are for.
     Directive "SSLVerifyClient" now triggers certificate retrieval from the client.
     Verifying the client fails exactly the same for HTTP/2 connections for all SSL protocols,
     as this would need to trigger the master connection thread - which we do not support
     right now.
     Renegotiation of ciphers is intentionally ignored for TLSv1.3 connections. "SSLCipherSuite"
     does not allow to specify TLSv1.3 ciphers in a directory context (because it cannot work) and
     TLSv1.2 or lower ciphers are not relevant for 1.3, as cipher suites are completely separate.
     Sites which make use of such TLSv1.2 feature need to evaluate carefully if or how they 
     can match their needs onto the TLSv1.3 protocol.
     [Yann Ylavic, Stefan Eissing]



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/tlsv1.3-for-2.4.x@1840120 13f79535-47bb-0310-9956-ffa450edef68

in milliseconds.

Backport of remaining parts of r1837590 from trunk
(only html mode changes, auto parts were already
backported).

Submitted by: rjung
Reviewed by: rjung, jim, ylavic


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1839785 13f79535-47bb-0310-9956-ffa450edef68

in mod_status when "ProxyStatus" is "On":
add "busy" count to html mode.

Backport of remaining parts of r1837588 from trunk
(only html mode changes, auto parts were already
backported).

Submitted by: rjung
Reviewed by: rjung, jim, ylavic


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1839784 13f79535-47bb-0310-9956-ffa450edef68

in milliseconds to auto mode.

Partial backport of r1839532 from trunk
(only auto mode changes, html parts not yet
backported).

Submitted by: rjung
Reviewed by: rjung, jim, ylavic


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1839533 13f79535-47bb-0310-9956-ffa450edef68

in mod_status when "ProxyStatus" is "On":
add "busy" count to auto mode and show byte counts
in auto mode always in units of kilobytes.

Partial backport of r1837588 from trunk
(only auto mode changes, html parts not yet
backported).

Submitted by: rjung
Reviewed by: rjung, jim, ylavic


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1839532 13f79535-47bb-0310-9956-ffa450edef68

processes in the "cu" and "cs" values.
Add CPU time of the parent process to the
"c" and "s" values.

Backport of r1837595 from trunk.

Submitted by: rjung
Reviewed by: rjung, jim, ylavic


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1839531 13f79535-47bb-0310-9956-ffa450edef68