Skip to content
  1. Sep 25, 2018
  2. Sep 21, 2018
  3. Sep 19, 2018
    • Jim Jagielski's avatar
      Merge r1749402, r1656549, r1840776, r1800126, r1817131, r1834226 from trunk: · 8a4e7e56
      Jim Jagielski authored
      Style only
      
      Be more consistent:
         - add space between (if|while) and \(
         - place of 'break ' statement
      
      Fix cut and paste typo in error message + remove empty lines to be consistent
      
      follow-up to r1656549.
      
      Instead of logging a password (which is not a good practice), clarify the associated message
      
      * Silence compiler warning
      
      Be less tolerant when parsing the credencial for Basic authorization. Only spaces  should be accepted after the authorization scheme. \t are also tolerated.
      
      The current code accepts \v and \f as well.
      
      The same behavior is already used in 'ap_get_basic_auth_pw()' which is mostly the same function as 'get_basic_auth()'.
      
      Function used as 'apr_reslist_destructor' when calling 'apr_reslist_create()' should have the following prototype:
      
      apr_status_t (*apr_reslist_destructor)(void *resource, void *params, apr_pool_t *pool);
      Submitted by: jailletc36, rpluem, jailletc36, jailletc36
      Reviewed by: jailletc36, minfrin, jim
      
      
      git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1841329 13f79535-47bb-0310-9956-ffa450edef68
      8a4e7e56
  4. Sep 18, 2018
  5. Sep 11, 2018
  6. Sep 05, 2018
    • Stefan Eissing's avatar
      On the tlsv1.3-for-2.4.x branch: · d5943f3e
      Stefan Eissing authored
      Merged 1827912,1827924,1827992,1828222,1828720,1828723,1833588,1833589,1839920,1839946 from trunk
      
        *) mod_ssl: add experimental support for TLSv1.3 (tested with OpenSSL v1.1.1-pre9. 
           SSL(Proxy)CipherSuite now has an optional first parameter for the protocol the ciphers are for.
           Directive "SSLVerifyClient" now triggers certificate retrieval from the client.
           Verifying the client fails exactly the same for HTTP/2 connections for all SSL protocols,
           as this would need to trigger the master connection thread - which we do not support
           right now.
           Renegotiation of ciphers is intentionally ignored for TLSv1.3 connections. "SSLCipherSuite"
           does not allow to specify TLSv1.3 ciphers in a directory context (because it cannot work) and
           TLSv1.2 or lower ciphers are not relevant for 1.3, as cipher suites are completely separate.
           Sites which make use of such TLSv1.2 feature need to evaluate carefully if or how they 
           can match their needs onto the TLSv1.3 protocol.
           [Yann Ylavic, Stefan Eissing]
      
      
      
      git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/tlsv1.3-for-2.4.x@1840120 13f79535-47bb-0310-9956-ffa450edef68
      d5943f3e
  7. Aug 31, 2018
  8. Aug 29, 2018
  9. Aug 28, 2018
    • Yann Ylavic's avatar
      Merge r1837130 from trunk: · ae583b57
      Yann Ylavic authored
      mod_ratelimit: Don't interfere with "chunked" encoding.
      
      By the time ap_http_header_filter() sends the header brigade and adds the
      "CHUNK" filter, we need to garantee that the header went through all the
      filters' stack, and more specifically above ap_http_chunk_filter() which
      assumes that all it receives is content data.
      Since rate_limit_filter() may retain the header brigade, make it run after
      ap_http_chunk_filter(), just before AP_FTYPE_CONNECTION filters.
      
      Also, ap_http_header_filter() shouldn't eat the EOS for HEAD/no-body responses.
      For instance mod_ratelimit depends on it since r1835168, but any next request
      filter may as well to flush and/or bail out approprietely.
      
      This fixes the regression introduced in 2.4.34 (r1835168).
      PR 62568.
      
      Submitted by: ylavic
      Reviewed by: covener, ylavic, jim
      
      
      git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1839497 13f79535-47bb-0310-9956-ffa450edef68
      ae583b57
  10. Aug 15, 2018
    • Jim Jagielski's avatar
      Merge r1418761, r1418765, r1510295, r1757147, r1805163, r1818924, r1827374,... · fd0648f2
      Jim Jagielski authored
      Merge r1418761, r1418765, r1510295, r1757147, r1805163, r1818924, r1827374, r1831772, r1832351, r1832951, r1815004 from trunk:
      
      Don't claim "BIO dump follows" if it is not logged due to log level config.
      
      
      make ssl_io_data_dump respect per-conn loglevel
      
      
      add high trace level log messages for debugging buffering and write completion
      
      
      * modules/ssl/ssl_engine_kernel.c (ssl_callback_SessionTicket): Fail
        if RAND_bytes() fails; possible per API, although not in practice
        with the OpenSSL implementation.
      
      
      Fix typo in log message.
      
      
      ap_add_common_vars(): use apr_pstrmemdup().
      
      This avoids a transient replacement/restore of '?' by '\0' in r->filename.
      
      
      Use 'ap_request_has_body()' instead of duplicating its implemenation.
      
      The logic in 'ap_request_has_body()' is:
          has_body = (!r->header_only
                      && (r->kept_body
                          || apr_table_get(r->headers_in, "Transfer-Encoding")
                          || ( (cls = apr_table_get(r->headers_in, "Content-Length"))
                              && (apr_strtoff(&cl, cls, &estr, 10) == APR_SUCCESS)
                              && (!*estr)
                              && (cl > 0) )
                          )
                      );
      So the test is slighly different from the original code. (but this looks fine to me)
      
      This also has the advantage to avoid a redundant call to 'apr_table_get()' and to improve readability.
      
      While at it, move the test '!r->expecting_100' a few lines above because it is cheap.
      
      PR62368: Print the unparsed URI in AH03454
      
      ... to include r->args and get otherwise get as close to possible to
      what came in over the wire.
      
      Submitted By: Hank Ibell <hwibell gmail.com>
      Committed By: covener
      
      
      
      
      All error handling paths of this function call 'apr_brigade_destroy()' , except this one.
      So add it here too.
      
      Probably spotted with the help of the Coccinelle software (Thx Julia for the patch and for Coccinelle)
      
      See PR 53016
      
      * modules/proxy/proxy_util.c (ap_proxy_share_worker): Skip creating subpool
        for debugging unless debug-level logging is enabled.  No functional change.
      
      
      mod_watchdog: Correct some log messages and fix
      compiler warning
      "'rv' may be used uninitialized in this function".
      
      Follow up to r1722154.
      
      Submitted by: sf, jorton, jorton, ylavic, jailletc36, covener, jailletc36, jorton, rjung
      Reviewed by: jailletc36, jim, jorton
      
      
      git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1838103 13f79535-47bb-0310-9956-ffa450edef68
      fd0648f2
  11. Aug 14, 2018
  12. Aug 03, 2018
  13. Jul 23, 2018
  14. Jul 18, 2018
  15. Jul 10, 2018
  16. Jul 06, 2018
  17. Jul 05, 2018
    • Eric Covener's avatar
      zap my name, I just noticed the accepted proposal. · f78ad6f5
      Eric Covener authored
      
      
      git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1835189 13f79535-47bb-0310-9956-ffa450edef68
      f78ad6f5
    • Yann Ylavic's avatar
      Follow up to r1835179: CHANGES entry. · 488bba5e
      Yann Ylavic authored
      git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1835180 13f79535-47bb-0310-9956-ffa450edef68
      488bba5e
    • Yann Ylavic's avatar
      Merge r1832280 from trunk: · 8912df6d
      Yann Ylavic authored
      In 'ap_proxy_cookie_reverse_map', iterate over each token of the 'Set-Cookie' header field in order to avoid updating the wrong one.
      
      This could happen if the header field has something like 'fakepath=foo;path=bar". In this case fakepath would be updated instead of path.
      
      We don't need regex anymore in order to parse the field values and 'ap_proxy_strmatch_domain' and 'ap_proxy_strmatch_path' are now useless. (and should be axed IMHO)
      
      PR 61560
      
      
      Submitted by: jailletc36
      Reviewed by: jailletc36, rpluem, ylavic
      
      
      git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1835171 13f79535-47bb-0310-9956-ffa450edef68
      8912df6d
    • Yann Ylavic's avatar
      CHANGES: trim trailing spaces. · b647b25a
      Yann Ylavic authored
      git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1835169 13f79535-47bb-0310-9956-ffa450edef68
      b647b25a
    • Yann Ylavic's avatar
      Merge r1833875 from trunk: · 31878ee9
      Yann Ylavic authored
      mod_ratelimit: fix behavior with proxied content
      
      mod_ratelimit works by splitting data in "chunks"
      to send to the client, sleeping a predefined amount
      of time between them (200ms). So for example,
      a rate-limit 40 value would correspond to a chunk size
      of 8192 bytes, flushed to the client every 200ms.
      
      The idea works fine when httpd directly serves the
      content, since the filter will be called once with
      a single bucket brigade. In the context of a proxied
      content though the filter is likely to be called multiple
      times, with a bucket brigade size that corresponds to
      the maximum allowed buffer size. If this value is lower
      or higher than the chunk size, the filter will not
      properly rate limit the data going to the client.
      
      This patch solves the problem with two fix:
      1) do_sleep is now stored in the ctx context struct,
         so if the filter is invoked multiple times it
         will still sleep when needed. For example, say
         that the chunk_size is 8192 and the bucket brigate
         len is 10240: the filter will flush 8192 bytes
         on the first invocation, sleep 200ms, flush the
         remaining bytes and then finish. The next invocation
         will do the same, clearly not leading to the
         correct "sleeping pattern".
      2) The example above highlights also another issue:
         mod_ratelimit should  flush only chunk_size bytes
         at the time (I am now excluding the burst calculation
         from the picture), and buffer between invocations
         unless the brigade contains EOS.
      
      The change has been tested with various scenarios and
      it looks working as expected, but of course more
      feedback/testing is welcome.
      
      The original patch was written by me and then Yann
      refactored the code to be more precise and efficient,
      basically transforming an axe in a wonderful Japanese
      katana sword, so credits to him for this work.
      
      PR: 62362
      
      
      Submitted by: elukey
      Reviewed by: elukey, jim, ylavic
      
      
      git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1835168 13f79535-47bb-0310-9956-ffa450edef68
      31878ee9
  18. Jul 02, 2018
  19. Jun 29, 2018
  20. Jun 26, 2018
  21. Jun 25, 2018
  22. Jun 24, 2018