* mod_authn_dbd: apr_pstrdup dbd_password and dbd_hash to fix use-after-free
bug with postgresql


mod_authn_dbd, mod_authz_dbd, mod_session_dbd, mod_rewrite: Fix lifetime
of DB lookup entries independently of the selected DB engine.  PR 46421.

Suggested by: Michel Stam <michel reverze net>
Proposed by: Steven whitson <steven.whitson gmail com>
Reviewed/Extended/Committed by: ylavic


Follup up to r1679181: CHANGES entry.
Submitted by: jkaluza, ylavic, ylavic
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1681107 13f79535-47bb-0310-9956-ffa450edef68

mod_log_config: instead of using the new dedicated
pattern format "%M" for duration milliseconds,
overload the existing "%D" to choose the time precision
("%{s}D" for seconds, "%{ms}D" for milliseconds and
"%{us}D" for microseconds).

The existing %T and %D without precision are kept for
compatibility.

The previously introduced "%M" (r1677187) is removed,
it has not yet been released. Format pattern characters
are rare, so we should only use a new one if an
existing one isn't a good fit.


Fix syntax.


Follow-up to r1680895:

Let %T be the format character which accepts time resolution
arguments.

Submitted by: rjung, trawick
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1681106 13f79535-47bb-0310-9956-ffa450edef68

Conform to RFC 7525, with additional suggestion to drop RSA Kx ciphers

Document RFC 7525 changes
Submitted by: wrowe
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1679987 13f79535-47bb-0310-9956-ffa450edef68

mod_ssl: Check for RAND_egd() at configure time and only use it if present.
Fixes the build with LibreSSL which does not provide this function.

Submitted by: Bernard Spil <pil.oss gmail com>, stsp
Committed by: stsp


mod_ssl: Make the config parser complain if SSLRandomSeed specifies
the Entropy Gathering Daemon (EGD) as source while the underlying
SSL library does not support EGD (e.g. in case of LibreSSL).

Suggested and reviewed by: kbrand


Follow up to r1674542 and r1675410: CHANGES entry.
Submitted by: stsp, ylavic
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1679199 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1678717 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1678234 13f79535-47bb-0310-9956-ffa450edef68

consistently output SSLCertificateChainFile deprecation warnings
Submitted by: kbrand
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1678233 13f79535-47bb-0310-9956-ffa450edef68

If a directory exists but no indexes can be resolved, the fallback resource
should be attempted first before giving up.

Submitted By: Jack <tjerk.meesters gmail.com> , covener
Committed By: covener


Submitted by: covener
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1677186 13f79535-47bb-0310-9956-ffa450edef68

Add support for extracting subjectAltName entries of type
rfc822Name and dNSName into SSL_{CLIENT,SERVER}_SAN_{Email,DNS}_n
variables.

* docs/manual/mod/mod_ssl.xml: add SSL_*_SAN_*_n entries to the
  environment variables table

* modules/ssl/ssl_engine_kernel.c: in ssl_hook_Fixup, add extraction
  of subjectAltName entries for the "StdEnvVars" case

* modules/ssl/ssl_engine_vars.c: add support for retrieving the
  SSL_{CLIENT,SERVER}_SAN_{Email,DNS}_n variables, either with
  individual on-demand lookup (ssl_var_lookup_ssl_cert_san),
  or with full-list extraction to the environment ("StdEnvVars")

* modules/ssl/ssl_private.h: add modssl_var_extract_san_entries prototype

* modules/ssl/ssl_util_ssl.c: implement SSL_X509_getSAN and
  SSL_ASN1_STRING_to_utf8 helper functions, with factoring out common
  code from SSL_X509_getIDs and SSL_X509_NAME_ENTRY_to_string where
  suitable. Limit SSL_X509_getSAN to the two most common subjectAltName
  entry types appearing in user or serv...

mpm_event: Allow for timer events duplicates. 
Meanwhile ap[r]_skiplist_add()...


mpm_event: follow up to r1666468.
We only need one compare function for add semantic with apr_skiplist_insert()
and unique timers (pointers). It also should work with apr_skiplist_remove()
and apr_skiplist_find(), be they used some day.


mpm_event: follow up to r1666468 and r1666618.
We don't need to return 0 in the compare function, but for debugging purpose
which we could implement later if necessary (in a separate function).
For now, keep the function simple as in 2.4.x to ease backport, and add a
comment about why we never return 0 here.

Submitted by: ylavic
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1674921 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1674670 13f79535-47bb-0310-9956-ffa450edef68

move CHANGES entries to correct version.

Use "mod_ssl" instead of "ssl".


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1674667 13f79535-47bb-0310-9956-ffa450edef68

mod_proxy_wstunnel: Bypass the handler while the connection is not
upgraded to WebSocket, so that other modules can possibly take over
the leading HTTP requests.

Submitted by: ylavic
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1674661 13f79535-47bb-0310-9956-ffa450edef68

* Fix If-Match handling:
  - We need to fail if we do NOT match.
  - ETag comparison only makes sense if we have an ETag

PR: 57358
Submitted by: Kunihiko Sakamoto <ksakamoto google.com>
Reviewed by: rpluem

Submitted by: rpluem
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1674658 13f79535-47bb-0310-9956-ffa450edef68

Add a warning if protocol given in SSLProtocol  or SSLProxyProtocol will override other parameters given in the same directive.
This could be a missing + or - prefix.

PR 52820

Tweak log message

Add CHANGES entry before backport proposal

Follow-up to r1520445:

Tweak error message for clarity

Submitted by: jailletc36, trawick
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1674655 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1674048 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1673942 13f79535-47bb-0310-9956-ffa450edef68

* Use the correct server name for SNI in case the backend SSL connection itself
  is established via a proxy server.

PR: 57139
Submitted by: Szabolcs Gyurko <szabolcs gyurko.org>



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1673941 13f79535-47bb-0310-9956-ffa450edef68

ssl_util: Fix possible crash (free => OPENSSL_free) and error path leaks when
checking the server certificate constraints (SSL_X509_getBC()).



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1673940 13f79535-47bb-0310-9956-ffa450edef68

    PR 57379: If mod_cgi and mod_cgid get installed,
    use IfModule for MPM to LoadModule mod_cgi for
    prefork and mod_cgid for all other MPMs.

    Previously when combined with --enable-load-all-modules
    both modules were loaded and it was undefined
    which one actually handled cgi requests.

    Based on a patch by olli hauer <ohauer gmx.de>.


    Addition to r1652955: Use "=" in combination
    with "test" instead of "==".


    Fix indentation and tab use after r1652955.


Submitted By: olli hauer <ohauer gmx.de> 
Reviewed By: rjung, ylavic, covener


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1673909 13f79535-47bb-0310-9956-ffa450edef68

allow time to first byte (of response headers)
to be logged by mod_logio.  

mod_logio was just a conveninent place to do this 
w/o writing a new filter or complicating an existing 
important one.



Use 'unsigned int' in bitfield


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1673904 13f79535-47bb-0310-9956-ffa450edef68

 
  *) mod_proxy_wstunnel: Avoid an empty response by failing with 502 (Bad
     Gateway) when no response is ever received from the backend.

Submitted By: jkaluza
Reviewde By: covener, ylavic, trawick




git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1673902 13f79535-47bb-0310-9956-ffa450edef68

mod_ssl: Protect ENGINE_CTRL_CHIL_SET_FORKCHECK macro with a 
featue check for libressl.

Submitted by: Stuart Henderson <sthen openbsd.org>
Reviewed by: covener, trawick, ylavic


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1673900 13f79535-47bb-0310-9956-ffa450edef68

backends not recycling connections (disablereuse), including the default
reverse and forward proxies.

Submitted by: ylavic (and trawick for an old helper function)
Reviewed by: rjung, covener


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1673896 13f79535-47bb-0310-9956-ffa450edef68

mod_buffer: Forward flushed input data immediately and avoid (unlikely)
access to freed memory.

Submitted by: ylavic, jailletc36
Reviewed by: covener, rjung


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1673871 13f79535-47bb-0310-9956-ffa450edef68

core: Add CGIPassAuth directive to control whether HTTP authorization
headers are passed to scripts as CGI variables.

PR: 56855
Reviewed by: rjung, ylavic


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1673860 13f79535-47bb-0310-9956-ffa450edef68

Credit to guy who rediscovered, fixed, committed & merged: 100%


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1671786 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1671417 13f79535-47bb-0310-9956-ffa450edef68

core_filters: restore/disable TCP_NOPUSH option after non-blocking sendfile.

CHANGES: follow up to r1669289.
Submitted by: ylavic
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1670328 13f79535-47bb-0310-9956-ffa450edef68

core: If explicitly configured, use the KeepaliveTimeout value of the
virtual host which handled the latest request on the connection, or by
default the one of the first virtual host bound to the same IP:port.

For non-async MPMs, use either r->server's or c->base_server's value in
ap_process_http_sync_connection() depending on a new server_rec's flag
called keep_alive_timeout_set and determined at config time.

For event MPM, use a queue per timeout value, chaining the queues per
type (keepalive wrt KeepAliveTimeout, write completion wrt to Timeout)
so that maintenance can be done on all the queues from the head, and such
that insertions/maintenance remain in O(1).
A server config is created and pointing to the queue of each vhost at
post_config time, hence the config can be associated to the connection
state (cs) at post_read_request time (keep_alive_timeout_set is used to
determine r->server vs c->base_server here), and we can simply insert
with TO_QUEUE_INSERT(cs->sc->q, cs).  PR56226.

While at it, since each queue now embeds it own timeout and hence the
expiration_time of the cs has changed to a queue_timestamp (the time it
was queued), we can detect clock skews and expire entries immediatly if
the system is set (eg. far) in the past during runtime and we want to
avoid waiting for (eg.) centuries before the current logic kills them.
Any entry which is registered above now + q->timeout is concerned, and
is now cleaned from the queue when encountered.  PR57374.


core: Follow up to r1664071: comments on new keep_alive_timeout_set flag.
Submitted by: ylavic
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1670326 13f79535-47bb-0310-9956-ffa450edef68

core: Initialize scoreboard's used optional functions on graceful restarts to
avoid a crash when relocation occurs.  PR 57177.


core: follow up to r1668532: CHANGES entry.

core: follow up to r1668532: always initialize optional_fn pointers in ap_create_scoreboard().
Submitted by: ylavic
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1670325 13f79535-47bb-0310-9956-ffa450edef68

mod_proxy_connect/wstunnel: If both client and backend sides get readable
at the same time, don't lose errors occuring while forwarding on the first
side when none occurs next on the other side, and abort.


CHANGES: Follow up to r1657636, clarify message.


mod_proxy_{connect,wstunnel}: follow up to r1657636.
Since rv is not used as an apr_status_t in the loop (it's logging is done by
proxy_{connect,wstunnel}_transfer() when necessary/relevent), use a boolean
instead to avoid the ugly ORs between APR error codes.

Submitted by: ylavic
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1670324 13f79535-47bb-0310-9956-ffa450edef68

core: Add expression support to ErrorDocument. Switch from a fixed
sized 664 byte array per merge to a hash table.

Submitted by: minfrin
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1670320 13f79535-47bb-0310-9956-ffa450edef68

Avoid a potential integer underflow in the lock timeout value sent back to a client. The answer to a LOCK request could be an extremly large integer if the time needed to lock the resource was longer that the requested timeout given in the LOCK request. In such a case, we now answer "Second-0".  PR55420
Submitted by: jailletc36
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1670319 13f79535-47bb-0310-9956-ffa450edef68

Retry ENOENT like ECONNREFUSED, but only near a server restart.

PR57685

Submitted By: Edward Lu
Committed By: covener



Submitted by: covener
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1669559 13f79535-47bb-0310-9956-ffa450edef68

mod_proxy_http: Don't expect the backend to ack the "Connection: close" to
finally close those not meant to be kept alive by SetEnv proxy-nokeepalive
or force-proxy-request-1.0, and respond with 502 instead of 400 if its
Connection header is invalid.

Submitted by: ylavic
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1669558 13f79535-47bb-0310-9956-ffa450edef68

mod_proxy: use the original (non absolute) form of the request-line's URI
for requests embedded in CONNECT payloads used to connect SSL backends via
a ProxyRemote forward-proxy. PR 55892.

Submitted by: Hendrik Harms <hendrik.harms gmail com>
Reviewed  by: wrowe, ylavic
Committed by: ylavic


mod_proxy: follow up to r1665215: CHANGES entry.
Submitted by: ylavic
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1669556 13f79535-47bb-0310-9956-ffa450edef68

A misplaced check for inflation limits prevented limiting relatively
small inputs.  PR56872

Submitted By: Edward Lu 
Committed By: covener



mod_deflate: follow up to r1619383.

deflate_in_filter():
- use inflated bytes per inflate() call to compute the total output bytes,
- check zlib errors before limits,
- add missing check_ratio() when asked to flush.

deflate_out_filter():
- check ratio after each inflate() call.


mod_deflate: follow up to r1619383 and r1619444: CHANGES entry.

CHANGES: follow up to r1662245: Add PR number.
Submitted by: covener, ylavic, ylavic, ylavic
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1669555 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1668880 13f79535-47bb-0310-9956-ffa450edef68

  *) SECURITY: CVE-2015-0253 (cve.mitre.org)
     core: Fix a crash introduced in with ErrorDocument 400 pointing
     to a local URL-path with the INCLUDES filter active, introduced
     in 2.4.11. PR 57531. [Yann Ylavic]


Submitted By: ylavic
Committed By: covener






git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1668879 13f79535-47bb-0310-9956-ffa450edef68