Skip to content
  1. Oct 10, 2017
    • Joe Orton's avatar
      Merge r1808230 from trunk: · 85189e49
      Joe Orton authored
      * server/protocol.c (ap_content_length_filter): Rewrite the content
        length filter to avoid arbitrary memory consumption for streaming
        responses (e.g. large CGI script output).  Ensures C-L is still
        generated in common cases (static content, small CGI script output),
        but this DOES change behaviour and some responses will end up
        chunked rather than C-L computed.
      
      PR: 61222
      Submitted by: jorton, rpluem
      Reviewed by: jorton, wrowe, ylavic
      
      
      git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1811746 13f79535-47bb-0310-9956-ffa450edef68
      85189e49
    • Yann Ylavic's avatar
      Merge r1736186 from trunk: · 10732433
      Yann Ylavic authored
      mod_ssl: return non ambiguous value in ssl_callback_SessionTicket() for
      encryption mode (we used to return 0, OpenSSL documents returning 1 instead).
      
      Practically this does not change anything since OpenSSL will only check for
      >= 0 return value (non error) for encryption mode (the other possible return
      values are only relevant for decryption mode).
      
      However the OpenSSL documentation for SSL_CTX_set_tlsext_ticket_key_cb()
      states:
      "
      The return value of the cb function is used by OpenSSL to determine what
      further processing will occur. The following return values have meaning:
      
      2
          This indicates that the ctx and hctx have been set and the session can
          continue on those parameters. Additionally it indicates that the session
          ticket is in a renewal period and should be replaced. The OpenSSL library
          will call cb again with an enc argument of 1 to set the new ticket (see
          RFC5077 3.3 paragraph 2).
      
      1
          This indicates that the ctx and hctx have been set and the session can
          continue on those parameters.
      
      0
          This indicates that it was not possible to set/retrieve a session ticket
          and the SSL/TLS session will continue by by negotiating a set of
          cryptographic parameters or using the alternate SSL/TLS resumption
          mechanism, session ids.
          If called with enc equal to 0 the library will call the cb again to get a
          new set of parameters.
      
      less than 0
          This indicates an error.
      "
      
      So 0 is not appropriate in our code, 1 is what we really want (and it won't
      break if OpenSSL later changes its checks on the callback return value).
      
      Reported/Proposed by: oknet on github, pull request #18.
      Reviewed by: jorton, ylavic, wrowe
      [Closes #18]
      
      
      git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1811742 13f79535-47bb-0310-9956-ffa450edef68
      10732433
  2. Sep 25, 2017
  3. Sep 22, 2017
    • Yann Ylavic's avatar
      Merge r1802875 from trunk: · d688a489
      Yann Ylavic authored
      event: Avoid possible blocking in the listener thread when shutting down
      connections. PR 60956.
      
      start_lingering_close_nonblocking() now puts connections in defer_linger_chain
      which is emptied by any worker thread (all atomically) after its usual work,
      hence any possibly blocking flush and lingering close run outside the listener.
      
      The listener may create a dedicated worker if it fills defer_linger_chain or
      while it's not empty, calling push2worker with a NULL cs.
      
      The state machine in process_socket() is slighly modified to be able to enter
      with CONN_STATE_LINGER directly w/o clogging_input_filters to interfer.
      
      New abort_socket_nonblocking() allows to reset connections when nonblocking is
      required and we can't do much about the connection anymore, nor we want the
      system to linger on its own after close().
      
      Many thanks to Stefan Priebe for his heavy testing on many event's changes!
      
      
      Submitted by: ylavic
      Reviewed by: ylavic, jim, icing
      
      
      git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1809299 13f79535-47bb-0310-9956-ffa450edef68
      d688a489
  4. Sep 19, 2017
  5. Sep 18, 2017
  6. Sep 08, 2017
  7. Aug 18, 2017
    • Joe Orton's avatar
      Merge 1805099 from trunk: · 868be432
      Joe Orton authored
      Fix ProxyAddHeaders merging.
      
      * modules/proxy/mod_proxy.h:
        Add add_forwarded_headers_set field to proxy_dir_conf.
      
      * modules/proxy/mod_proxy.c (create_proxy_dir_config):
        Initialize add_forwarded_headers_set.
        (add_proxy_http_headers): Set it.
        (merge_proxy_dir_config): Merge add_forwarded_headers correctly.
      
      Reviewed by: jorton, rpluem, jim
      
      
      git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1805390 13f79535-47bb-0310-9956-ffa450edef68
      868be432
  8. Aug 16, 2017
    • Jim Jagielski's avatar
      Merge r1789220, r1792675 from trunk: · 6a466488
      Jim Jagielski authored
      core: Disallow multiple Listen on the same IP:port when listener buckets
      are configured (ListenCoresBucketsRatio > 0), consistently with the single
      bucket case (default), thus fixing the leak of the corresponding socket
      descriptors on graceful restart.
      
      
      
      Follow up to r1789220.
      Document the implicit behaviour of ListenCoresBucketsRatio when multiple
      Listen-ers are configured on the same IP:port.
      
      
      Submitted by: ylavic
      Reviewed by: ylavic, jim, jorton
      
      
      git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1805221 13f79535-47bb-0310-9956-ffa450edef68
      6a466488
  9. Aug 06, 2017
  10. Jul 17, 2017
    • Jim Jagielski's avatar
      Merge r1762580, r1762701, r1762702, r1762718, r1762723, r1762742, r1762743,... · b0d9c063
      Jim Jagielski authored
      Merge r1762580, r1762701, r1762702, r1762718, r1762723, r1762742, r1762743, r1774538, r1779354 from trunk:
      
      event: use atomics for *timeout_queue->total since it's updated concurrently,
      and move TO_QUEUE_*() macros to functions.
      
      
      event: add/remove from/to the pollset outside of the critical sections.
      
      We don't need external locking since it's created with APR_POLLSET_THREADSAFE,
      hence reduce those sections to the lowest cycles possible.
      
      A spinlock may be interesting instead of the mutex now, we won't block and the
      TO_QUEUE_*() and process_timeout_queue() operations are fast...
      
      
      
      event: follow up to r1762701: update log tag.
      
      event: avoid unnecessary listener/polling wake ups (context switches) by using
      apr_pollset_wakeup(), when implemented, to signal the listener according to the
      next timers or timeout queues expiry (updated at insert and maintenance time).
      
      
      
      Follow up to r1762718: CHANGES entry.
      
      event: follow up to r1762718.
      We still need to kill kept-alive connections in normal/expiry processing if
      the workers are busy or dying.
      
      
      
      event: follow up to r1762718 and r1762742: put de condition where it belongs.
      
      
      
      event: follow up to r1762718.
      
      On graceful shutdown/restart, kill kept-alive connections before poll()ing
      again, avoiding to wait for their "normal" timers (before being woken up)
      when they remain the last handled connections.
      
      
      
      event: follow up to r1762701.
      Keep QUEUE_APPEND()+pollset_add() or QUEUE_REMOVE()+pollset_remove() atomic.
      
      Otherwise when a worker adds an entry in some queue (e.g. KA, lingering), it
      might race with the listener in the time between the mutex is released and the
      pollset is updated; meanwhile the listener might process the queue and find an
      entry no yet in its pollset.
      
      For the lingering queue, the entry could then have been used after its pool
      destroyed.
      
      Submitted by: ylavic
      Reviewed by: ylavic, icing, jim
      
      
      git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1802146 13f79535-47bb-0310-9956-ffa450edef68
      b0d9c063
    • Jim Jagielski's avatar
      Merge r1754164, r1801994, r1801995 from trunk: · ca6bf55c
      Jim Jagielski authored
      mod_proxy_wstunnel: we want to detect whether some response was sent to
      the client when forwarding data from the backend to the client, not the
      reverse.
      
      
      Follow up to r1754164: CHANGES entry.
      
      Follow up to r1801994: CHANGES' PR reference.
      Submitted by: ylavic
      Reviewed by: ylavic, jchampion, jim
      
      
      git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1802144 13f79535-47bb-0310-9956-ffa450edef68
      ca6bf55c
    • Yann Ylavic's avatar
      Credits. · e51a3d94
      Yann Ylavic authored
      git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1802129 13f79535-47bb-0310-9956-ffa450edef68
      e51a3d94
    • Yann Ylavic's avatar
      Add CHANGES' security entries for 2.4.27. · dcfafbeb
      Yann Ylavic authored
      git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1802121 13f79535-47bb-0310-9956-ffa450edef68
      dcfafbeb
  11. Jul 08, 2017
  12. Jul 06, 2017
  13. Jul 04, 2017
  14. Jul 03, 2017
  15. Jun 29, 2017
  16. Jun 26, 2017
    • Jim Jagielski's avatar
      Merge r1799784, r1799786 from trunk: · e7c35344
      Jim Jagielski authored
      Since r1753257, "HEAD" method is registered into the registry hash with the M_GET ID.
      (r1757672 in 2.4.x)
      
      We iterate over all the values of the registery, so there is no need anymore to have a special case for "HEAD" in  'make_allow()'. It has its own entry now.
      
      With the current code, we have "HEAD" 3 times in the Allow Header field.
      This is because we find M_GET 2 times in the registry hash. The first one gives "GET" and "HEAD" (as the special handling), and the second "HEAD" and "HEAD" (as the special handling).
      
      
      BTW, use APR_ARRAY_PUSH instead of hand coding it, in oder to have the code more readable.
      
      PR 61207
      
      Add  CHANGE entry
      Submitted by: jailletc36
      Reviewed by: jailletc36, rpluem, jim
      
      
      git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1799890 13f79535-47bb-0310-9956-ffa450edef68
      e7c35344
  17. Jun 19, 2017
  18. Jun 14, 2017
  19. Jun 13, 2017
  20. Jun 12, 2017
  21. Jun 06, 2017