http: Fix LimitRequestBody checks when there is no more bytes to read.

Submitted by: Michael Kaufmann <mail michael-kaufmann.ch>
Committed by: ylavic
Reviewed  by: ylavic, mrumph, wrowe


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1688935 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1686449 13f79535-47bb-0310-9956-ffa450edef68

LDAP connection pool did not release/close connections with 
"LDAPConnectionPoolTTL 0".  PR58037.

Submitted by: Ted Phelps <phelps gnusto.com>
committed by: covener


Submitted by: covener
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1686275 13f79535-47bb-0310-9956-ffa450edef68

*) mod_ext_filter, mod_charset_lite: Avoid inadvertent filtering of protocol
   data during read of chunked request bodies. PR 58049. 
   [Edward Lu <Chaosed0 gmail.com>]

Submitted By: Edward Lu <Chaosed0 gmail.com>


Submitted by: covener
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1686272 13f79535-47bb-0310-9956-ffa450edef68

Follow up to r1684513: allow spaces before and after chunk-size.
Slightly modified version of trawick's proposal.

Follow up to r1685345: don't accept spaces *before* the chunk-size.

Follow up to r1685345: CHANGES entry.

Follow up to r1685349: remove a tab.
Submitted by: ylavic
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1686271 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1685986 13f79535-47bb-0310-9956-ffa450edef68

mod_ssl: Remove deprecated SSLCertificateChainFile warning.
Submitted by: ylavic
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1685870 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1684895 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1684533 13f79535-47bb-0310-9956-ffa450edef68

Replacement of ap_some_auth_required (unusable in Apache httpd 2.4)
with new ap_some_authn_required and ap_force_authn hook.  

Submitted by: breser
Backports: r1684524
Reviewed by: wrowe, ylavic, jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1684525 13f79535-47bb-0310-9956-ffa450edef68

Remove apr_brigade_flatten(), buffering and duplicated code from
the HTTP_IN filter, parse chunks in a single pass with zero copy.

Limit accepted chunk-size to 2^63-1 and be strict about chunk-ext
authorized characters.

Submitted by: graham, ylavic
Reviewed by: ylavic, wrowe, jim
Backports: 1484852, 1684513
Reported by: Régis Leroy



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1684515 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1683585 13f79535-47bb-0310-9956-ffa450edef68

mod_proxy: Don't put the worker in error state for 500 or 503 errors
returned by the backend unless failonstatus is configured to.  PR 56925.


mod_proxy: follow up to r1681694.

Handle the proxy-error-override note also in mod_proxy_ajp.

The note is not needed in mod_proxy_fcgi (which also handles
ProxyErrorOverride) since it calls ap_die() by itself, and always
returns OK to proxy_handler().

Add a comment about the note where used.

Submitted by: ylavic
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1683112 13f79535-47bb-0310-9956-ffa450edef68

PR 57968: Don't lowercase the argument to SetHandler if the handler is
proxy:unix.


Submitted by: covener
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1682888 13f79535-47bb-0310-9956-ffa450edef68

handler or input filter already did it while reading the request (causing
a double response body).

Submitted by: ylavic
Backports: r1482522 (partial, ap_map_http_request_error() things only!),
           r1529988, r1529991, r1643537, r1643543, r1657897, r1665625, 
           r1665721, r1674056
Reviewed by: ylavic, minfrin, wrowe




git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1682544 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1682360 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1682077 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1681347 13f79535-47bb-0310-9956-ffa450edef68

r1679032:

mod_ssl OCSP Stapling: Don't block initial handshakes while refreshing
the OCSP response for a different certificate.  mod_ssl has an additional
global mutex, "ssl-stapling-refresh".

Not mentioned in CHANGES:

Stapling no longer uses a mutex when using a stapling cache
implementation which doesn't require it.  (A further, unrelated
code change to mod_ssl is required to allow the use of memcache 
as a stapling cache, and I haven't tested with distcache; thus
it isn't clear if this helps in practice yet.)

r1679192:

Fix regression in check for cached response
(Essentially) Submitted by: ylavic

r1680276:

OCSP stapling: slight simplification to some internal interfaces,
add a few comments and sanity checks

Submitted by: trawick (with assist from ylavic)
Reviewed by: jim, jorton


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1681320 13f79535-47bb-0310-9956-ffa450edef68

* modules/aaa/mod_authz_owner.h: Add header file with optional hook
  declaration for "authz_owner_get_file_group".

* modules/aaa/mod_authz_dbm.c, modules/aaa/mod_authz_groupfile.c: Use
  the header to pick up the above declaration; retrieve the optional
  function in a hook; use a static variable to store the function
  pointer.

Submitted by: jorton
Reviewed by: jkaluza, wrowe, jorton


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1681311 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1681187 13f79535-47bb-0310-9956-ffa450edef68

http: Make ap_die() robust against any HTTP error code and not modify
response status (finally logged) when nothing is to be done.


ap_die(): follow up to r1657881.

Use log level DEBUG for AP_FILTER_ERROR => HTTP_INTERNAL_SERVER_ERROR.
Submitted by: ylavic
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1681114 13f79535-47bb-0310-9956-ffa450edef68

core: Cleanup the request soon/even if some output filter fails to
handle the EOR bucket.

Submitted by: ylavic
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1681113 13f79535-47bb-0310-9956-ffa450edef68

* mod_authn_dbd: apr_pstrdup dbd_password and dbd_hash to fix use-after-free
bug with postgresql


mod_authn_dbd, mod_authz_dbd, mod_session_dbd, mod_rewrite: Fix lifetime
of DB lookup entries independently of the selected DB engine.  PR 46421.

Suggested by: Michel Stam <michel reverze net>
Proposed by: Steven whitson <steven.whitson gmail com>
Reviewed/Extended/Committed by: ylavic


Follup up to r1679181: CHANGES entry.
Submitted by: jkaluza, ylavic, ylavic
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1681107 13f79535-47bb-0310-9956-ffa450edef68

mod_log_config: instead of using the new dedicated
pattern format "%M" for duration milliseconds,
overload the existing "%D" to choose the time precision
("%{s}D" for seconds, "%{ms}D" for milliseconds and
"%{us}D" for microseconds).

The existing %T and %D without precision are kept for
compatibility.

The previously introduced "%M" (r1677187) is removed,
it has not yet been released. Format pattern characters
are rare, so we should only use a new one if an
existing one isn't a good fit.


Fix syntax.


Follow-up to r1680895:

Let %T be the format character which accepts time resolution
arguments.

Submitted by: rjung, trawick
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1681106 13f79535-47bb-0310-9956-ffa450edef68

Conform to RFC 7525, with additional suggestion to drop RSA Kx ciphers

Document RFC 7525 changes
Submitted by: wrowe
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1679987 13f79535-47bb-0310-9956-ffa450edef68

mod_ssl: Check for RAND_egd() at configure time and only use it if present.
Fixes the build with LibreSSL which does not provide this function.

Submitted by: Bernard Spil <pil.oss gmail com>, stsp
Committed by: stsp


mod_ssl: Make the config parser complain if SSLRandomSeed specifies
the Entropy Gathering Daemon (EGD) as source while the underlying
SSL library does not support EGD (e.g. in case of LibreSSL).

Suggested and reviewed by: kbrand


Follow up to r1674542 and r1675410: CHANGES entry.
Submitted by: stsp, ylavic
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1679199 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1678717 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1678234 13f79535-47bb-0310-9956-ffa450edef68

consistently output SSLCertificateChainFile deprecation warnings
Submitted by: kbrand
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1678233 13f79535-47bb-0310-9956-ffa450edef68

If a directory exists but no indexes can be resolved, the fallback resource
should be attempted first before giving up.

Submitted By: Jack <tjerk.meesters gmail.com> , covener
Committed By: covener


Submitted by: covener
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1677186 13f79535-47bb-0310-9956-ffa450edef68

Add support for extracting subjectAltName entries of type
rfc822Name and dNSName into SSL_{CLIENT,SERVER}_SAN_{Email,DNS}_n
variables.

* docs/manual/mod/mod_ssl.xml: add SSL_*_SAN_*_n entries to the
  environment variables table

* modules/ssl/ssl_engine_kernel.c: in ssl_hook_Fixup, add extraction
  of subjectAltName entries for the "StdEnvVars" case

* modules/ssl/ssl_engine_vars.c: add support for retrieving the
  SSL_{CLIENT,SERVER}_SAN_{Email,DNS}_n variables, either with
  individual on-demand lookup (ssl_var_lookup_ssl_cert_san),
  or with full-list extraction to the environment ("StdEnvVars")

* modules/ssl/ssl_private.h: add modssl_var_extract_san_entries prototype

* modules/ssl/ssl_util_ssl.c: implement SSL_X509_getSAN and
  SSL_ASN1_STRING_to_utf8 helper functions, with factoring out common
  code from SSL_X509_getIDs and SSL_X509_NAME_ENTRY_to_string where
  suitable. Limit SSL_X509_getSAN to the two most common subjectAltName
  entry types appearing in user or server certificates (i.e., rfc822Name
  and dNSName), for the time being.

* modules/ssl/ssl_util_ssl.h: add SSL_ASN1_STRING_to_utf8
  and SSL_X509_getSAN prototypes


Proposed by: kbrand
Reviewed by: ylavic, druggeri


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1676087 13f79535-47bb-0310-9956-ffa450edef68

mpm_event: Allow for timer events duplicates. 
Meanwhile ap[r]_skiplist_add()...


mpm_event: follow up to r1666468.
We only need one compare function for add semantic with apr_skiplist_insert()
and unique timers (pointers). It also should work with apr_skiplist_remove()
and apr_skiplist_find(), be they used some day.


mpm_event: follow up to r1666468 and r1666618.
We don't need to return 0 in the compare function, but for debugging purpose
which we could implement later if necessary (in a separate function).
For now, keep the function simple as in 2.4.x to ease backport, and add a
comment about why we never return 0 here.

Submitted by: ylavic
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1674921 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1674670 13f79535-47bb-0310-9956-ffa450edef68

move CHANGES entries to correct version.

Use "mod_ssl" instead of "ssl".


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1674667 13f79535-47bb-0310-9956-ffa450edef68

mod_proxy_wstunnel: Bypass the handler while the connection is not
upgraded to WebSocket, so that other modules can possibly take over
the leading HTTP requests.

Submitted by: ylavic
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1674661 13f79535-47bb-0310-9956-ffa450edef68

* Fix If-Match handling:
  - We need to fail if we do NOT match.
  - ETag comparison only makes sense if we have an ETag

PR: 57358
Submitted by: Kunihiko Sakamoto <ksakamoto google.com>
Reviewed by: rpluem

Submitted by: rpluem
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1674658 13f79535-47bb-0310-9956-ffa450edef68

Add a warning if protocol given in SSLProtocol  or SSLProxyProtocol will override other parameters given in the same directive.
This could be a missing + or - prefix.

PR 52820

Tweak log message

Add CHANGES entry before backport proposal

Follow-up to r1520445:

Tweak error message for clarity

Submitted by: jailletc36, trawick
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1674655 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1674048 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1673942 13f79535-47bb-0310-9956-ffa450edef68