mod_ssl: Ensure that the SSL close notify alert is flushed to the client.
         PR54998.

Submitted By: Tim Kosse <tim.kosse filezilla-project.org>, ylavic
Committed By: ylavic


mod_ssl: SSL_smart_shutdown(): follow up to r1601184.
Use SSL_get_wbio() to comply with OPENSSL_NO_SSL_INTERN.
Stop SSL shutdown loop when flush fails.


mpm_event[opt]: Send the SSL close notify alert when the KeepAliveTimeout
                expires. PR54998.

Submitted by: ylavic
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1651077 13f79535-47bb-0310-9956-ffa450edef68

   * mod_proxy_fcgi: Ignore body data from backend for 304 responses. PR 57198.

Submitted by: jkaluza
Reviewed by: jkaluza, ylavic, covener
Backported by: jailletc36

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1650677 13f79535-47bb-0310-9956-ffa450edef68

   * mod_ssl: Check if we are having an SSL connection before looking up SSL
              related variables during expression evaluation to avoid a crash.
              If not return NULL as ssl_var_lookup_ssl does by default.  PR 57070

Submitted by: rpluem
Reviewed by: jailletc36, ylavic, covener
Backported by: jailletc36

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1650659 13f79535-47bb-0310-9956-ffa450edef68

   * mod_proxy_ajp: Fix handling of the default port (8009) in the
     ProxyPass and <Proxy> configurations.  PR 57259.

Submitted by: ylavic
Reviewed by: ylavic, jim, covener
Backported by: jailletc36

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1650655 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1646179 13f79535-47bb-0310-9956-ffa450edef68

mod_ssl: Fix recognition of OCSP stapling responses that are encoded
         improperly or too large.

The one byte "ok" flag stored with the response was accounted for in
the wrong condition.


follow up to r1641077: 

one bug was traded for another in r1641077; track the response
length and the cached object length separately to avoid such
confusion

Submitted by: trawick
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1645935 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1645423 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1643256 13f79535-47bb-0310-9956-ffa450edef68

  *) SECURITY: CVE-2014-8109 (cve.mitre.org)
     mod_lua: Fix handling of the Require line when a LuaAuthzProvider is
     used in multiple Require directives with different arguments.
     PR57204 [Edward Lu <Chaosed0 gmail.com>]

Submitted By: Edward Lu
Committed By: covener


Submitted by: covener
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1642861 13f79535-47bb-0310-9956-ffa450edef68

mod_proxy_connect: Don't issue AH02447 on sockets hangups, let the read
determine whether it is a normal close or a real error. PR 57168.

Abort the client or backend connection on polling errors, but don't forcibly
abort the client side at the end (the core filters will do that otherwise
when necessary), so that lingering close and SSL shutdown can occur on normal
close.

Submitted by: ylavic
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1642857 13f79535-47bb-0310-9956-ffa450edef68

mod_proxy_wstunnel: abort backend connection on polling error to avoid
further processing (lingering close, SSL shutdown).

Submitted by: ylavic
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1642856 13f79535-47bb-0310-9956-ffa450edef68

mod_proxy_fcgi, mod_authnz_fcgi: stop reading the response and issue an error
when parsing or forwarding the response fails.


Follow up to r1640040: CHANGES entry.
Submitted by: ylavic
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1642855 13f79535-47bb-0310-9956-ffa450edef68

   * mod_ssl: call ERR_free_strings() with OpenSSL >= 0.9.8e. Fixes memory
     leak in mod_ssl on graceful restart. PR 53435.

Submitted by: jkaluza
Reviewed by: jkaluza, ylavic, covener
Backported by: jailletc36

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1642404 13f79535-47bb-0310-9956-ffa450edef68

mod_proxy_fcgi: SECURITY: CVE-2014-3583 (cve.mitre.org)
Fix a potential crash with response headers' size above 8K.

The code changes to mod_authnz_fcgi keep the handle_headers()
function in sync between the two modules.  mod_authnz_fcgi
does not have this issue because it allocated a separate byte
for terminating '\0'.

Submitted by: ylavic, trawick
Reviewed by: ylavic, trawick, mrumph


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1641551 13f79535-47bb-0310-9956-ffa450edef68

Support custom ErrorDocuments for HTTP 501 and 414 status codes.
PR 57167 [Edward Lu <Chaosed0 gmail.com>]

Submitted By: Edward Lu <Chaosed0 gmail.com>
Committed By: covener

Submitted by: covener
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1638071 13f79535-47bb-0310-9956-ffa450edef68

mod_cache: avoid unlikely access to freed memory.
Submitted by: ylavic
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1638070 13f79535-47bb-0310-9956-ffa450edef68

restore SECURITY to top


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1636006 13f79535-47bb-0310-9956-ffa450edef68

When using EBCDIC encoding, HTTPS through ProxyPass and ProxyRemote doesn't
work correctly. PR 57092

Submitted By: Edward Lu 
Reviewed By: covener, jim, ylavic




git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1636002 13f79535-47bb-0310-9956-ffa450edef68

fix another case of 304 response sent to an unconditional request

Submitted By: covener
Reviewed By:  covener, jim, ylavic




git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1636001 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1635105 13f79535-47bb-0310-9956-ffa450edef68

Move OCSP stapling information from a per-certificate store
(ex_data attached to an X509 *) to a per-server hash which is
allocated from the pconf pool. Fixes PR 54357, PR 56919 and
a leak with the certinfo_free cleanup function (missing
OCSP_CERTID_free).

* modules/ssl/ssl_util_stapling.c: drop certinfo_free, and add
  ssl_stapling_certid_free (used with apr_pool_cleanup_register).
  Switch to a stapling_certinfo hash which is keyed by the SHA-1
  digest of the certificate's DER encoding, rework ssl_stapling_init_cert
  to only store info once per certificate (allocated from the pconf
  to the extent possible) and extend the logging.

* modules/ssl/ssl_private.h: adjust prototype for
  ssl_stapling_init_cert, replace ssl_stapling_ex_init with
  ssl_stapling_certinfo_hash_init

* modules/ssl/ssl_engine_init.c: adjust ssl_stapling_* calls

Based on initial work by Alex Bligh <alex alex.org.uk>


Follow up to r1629372: ensure compatibily with OpenSSL < 1.0 (sk_OPENSSL_STRING_value).

Follow up to r1629372 and r1629485: ensure compatibily with OpenSSL < 1.0 (sk_OPENSSL_STRING_[num|value|pop] macros).
Submitted by: kbrand, ylavic, ylavic
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1634529 13f79535-47bb-0310-9956-ffa450edef68

mod_cache_socache: Change average object size
hint from 32 bytes to 2048 bytes.

Submitted by: rjung
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1634528 13f79535-47bb-0310-9956-ffa450edef68

mod_cache_socache: Add cache status to server-status.

The status_hook simply calls the status function of
socache, very much like mod_ssl does for the ssl
session cache.


Silence build warning about missing prototype.
Followup to r1629507.

Submitted by: rjung
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1634527 13f79535-47bb-0310-9956-ffa450edef68

event: Fix worker-listener deadlock in graceful restart caused by get_worker()
allocating new worker after ap_queue_info_term(), but not setting the
have_idle_worker variable. PR 56960.

Submitted By: Zin UDA
Committed By: jkaluza

Submitted by: jkaluza
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1634526 13f79535-47bb-0310-9956-ffa450edef68

Concat string at compile time when possible.
Doing so, sometimes also give the opportunity to turn a 'ap_fputstrs' into a 'ap_fputs'.
PR 53741
Submitted by: jailletc36
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1634525 13f79535-47bb-0310-9956-ffa450edef68

mod_substitute: Restrict configuration in .htaccess to
FileInfo as documented.

Submitted by: rjung
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1634524 13f79535-47bb-0310-9956-ffa450edef68

mod_substitute: Make maximum line length configurable.


Add docs for new directive SubstituteMaxLineLength
in mod_substitute.

Submitted by: rjung
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1634523 13f79535-47bb-0310-9956-ffa450edef68

mod_substitute: Fix memory limitation in case of
regexp plus flatten.

The maxlen argument of ap_varbuf_regsub() is unsigned.
Passing in "AP_SUBST_MAX_LINE_LENGTH - vb.strlen"
in case vb.strlen got to big didn't result in the
expected error but instead was handled as a very big
maxlen.


Add CHANGES for r1628104.
(mod_substitue: Fix memory limitation in case of
regexp plus flatten.)

Submitted by: rjung
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1634522 13f79535-47bb-0310-9956-ffa450edef68

PR53218
Allow for longer worker names and make truncation a non-fatal
error... 


Correct loglevel.


oops... prepend 0

Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1634520 13f79535-47bb-0310-9956-ffa450edef68

mod_dav: set r->status_line in dav_error_response.
It's used as argument in next ap_rvputs call. PR 55426.

Submitted by: jkaluza
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1634519 13f79535-47bb-0310-9956-ffa450edef68

mod_proxy_http: Avoid (unlikely) access to freed memory.

Submitted by: ylavic
Reviewed by: ylavic, jorton, rjung
Backported by: jailletc36

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1632736 13f79535-47bb-0310-9956-ffa450edef68

http_protocol: fix logic in ap_method_list_(add|remove) in order:
       - to correctly reset bits
       - not to modify the 'method_mask' bitfield unnecessarily

Submitted by: jailletc36
Reviewed by: jailletc36, ylavic, rjung
Backported by: jailletc36

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1632440 13f79535-47bb-0310-9956-ffa450edef68

mod_slotmem: Increase log level for some originally debug messages.

Submitted by: jim
Reviewed by: jim, ylavic, rjung
Backported by: jailletc36

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1632437 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1631685 13f79535-47bb-0310-9956-ffa450edef68

In 2.4.10, AuthLDAPBindDN might not be used for some LDAP searches, causing 
LDAP authz failures if AuthLDAPBindDN was able to search through more of
LDAP than web users.




git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1631119 13f79535-47bb-0310-9956-ffa450edef68

mod_macro: Remove APLOG_NOERRNO. Add some APLOGNO. Fix some alignment.

Submitted by: jailletc36
Reviewed by: jailletc36, rjung, covener
backported by: jailletc36

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1631118 13f79535-47bb-0310-9956-ffa450edef68

SECURITY (CVE-2014-3581): Fix a mod_cache NULL pointer deference
in Content-Type handling.

mod_cache: Avoid a crash when Content-Type has an empty value. PR56924.

Submitted By: Mark Montague <mark catseye.org>
Reviewed By: Jan Kaluza

Submitted by: jkaluza
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1627749 13f79535-47bb-0310-9956-ffa450edef68

don't let handlers start with r->status = 304 during a failed revalidation

PR56881



Fix typo in comment.

Submitted by: covener, rjung
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1627745 13f79535-47bb-0310-9956-ffa450edef68

mod_status should honor remote_ip as documented

Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1627744 13f79535-47bb-0310-9956-ffa450edef68

to be seen from auth stanzas under virtual hosts. PR 56870. [Eric Covener]


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1626203 13f79535-47bb-0310-9956-ffa450edef68