Skip to content
GitLab
  1. 21 Dec, 2017 1 commit
  3. 03 Dec, 2017 1 commit
  5. 02 Dec, 2017 1 commit
  7. 13 Nov, 2017 2 commits
    • Jim Jagielski's avatar
      Merge r1813643 from trunk: · 6440bc78
      Jim Jagielski authored 
      mod_macro: fix usability of globally defined macros in .htaccess files.
PR 57525.

Reverts pre_config hook from r1656669 (happens too late for EXEC_ON_READ), and
ensures ap_macros is reset on restart with a pconf cleanup.

Proposed by: Jose Kahan <jose w3.org>
Reviewed by: ylavic

Submitted by: ylavic
Reviewed by: ylavic, icing, jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1815101 13f79535-47bb-0310-9956-ffa450edef68
      6440bc78
    • Jim Jagielski's avatar
      Merge r1811744 from trunk: · 122dce01
      Jim Jagielski authored 
      core, mod_rewrite: introduce the 'redirect-keeps-vary' note
                   to allow proper Vary header insertion when
                   dealing with a RewriteRule in a directory
                   context.

This change is an attempt to fix a long standing problem,
brought up while working on PR 58231. Our documentation clearly
states the following:

"If a HTTP header is used in a condition this header is added
to the Vary header of the response in case the condition
evaluates to true for the request."

This is currently not true for RewriteCond/Rules working in
a directory context, since when an internal redirect happens
all the outstanding response headers get dropped.

There might be a better solution so I am looking forward to
hear more opinions and comments. My goal for a delicate change
like this one would be to affect the least amount of configurations
possible, without triggering unwanted side effects.

If the solution is good for everybody tests will be written
in the suite asap.


Submitted by: elukey
Reviewed by: elukey, icing, ylavic


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1815100 13f79535-47bb-0310-9956-ffa450edef68
      122dce01
  9. 07 Nov, 2017 1 commit
    • Stefan Eissing's avatar
      On the 2.4.x branch: · acc35ca6
      Stefan Eissing authored 
      Merged /httpd/httpd/trunk:r1811649,1811664,1814118

  *) ab: Make the TLS layer aware that the underlying socket is nonblocking,
     and use/handle POLLOUT where needed to avoid busy IOs and recover write
     errors when appropriate.  [Yann Ylavic]

  *) ab: Keep reading nonblocking to exhaust TCP or SSL buffers when previous
     read was incomplete (the SSL case can cause the next poll() to timeout
     since data are buffered already).  PR 61301 [Luca Toscano, Yann Ylavic]




git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1814468 13f79535-47bb-0310-9956-ffa450edef68
      acc35ca6
  11. 06 Nov, 2017 1 commit
  13. 03 Nov, 2017 1 commit
  15. 01 Nov, 2017 1 commit
  17. 17 Oct, 2017 1 commit
  19. 16 Oct, 2017 1 commit
  21. 13 Oct, 2017 3 commits
    • Yann Ylavic's avatar
      Merge r1808746, r1809028 from trunk: · 1339bb53
      Yann Ylavic authored 
      mod_rewrite/core: avoid the 'Vary: Host' header

In PR 58231 is was brought up that httpd adds the
Vary: Host header whenever a condition is set to true
in mod_rewrite or in an <If> block.

The https://tools.ietf.org/html/rfc7231#section-7.1.4
section seems to disallow this use case:

"The "Vary" header field in a response describes "
"what parts of a request message, "
"aside from the method, Host header field, [...]"

I had a chat with the folks in #traffic-server and
they don't see much point in having a Vary: Host header,
plus it was reported that Varnish doesn't like it very
much (namely it does not cache the response when
it sees the header, links of the report in the PR).

I don't see much value in this behavior of httpd so
I am inclined to remove this response header value,
but I'd be glad to get a more experienced opinion.



mod_rewrite,core: avoid Vary:Host (part 2)

This is a follow up of r1808746 after a chat
with Yann on dev@:

- the HTTP:Host variable suffers from the same problem
- the strcasecmp should be used to allow case-sensitive
  comparisons.
- in mod_rewrite is less cumbersome and more clean to just
  make the Host header check in lookup_header, so it will
  be automatically picked up by every part of the code
  that uses it. It shouldn't be a relevant overhead for
  mod_rewrite.


Submitted by: elukey
Reviewed by: elukey, ylavic, wrowe


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1812083 13f79535-47bb-0310-9956-ffa450edef68
      1339bb53
    • Yann Ylavic's avatar
      Merge r1804096, r1807238, r1809981, r1810088, r1810089 from trunk: · 9889a8bf
      Yann Ylavic authored 
      bumping version, removing some unused code, fixes in base64url from mod_md

On the trunk:

  *) mod_http2: DoS flow control protection is less agressive as long as active tasks stay
     below worker capacity. Intended to fix problems with media streaming. 


On the trunk:
mod_http2: v0.10.12, removed optimization for mutex handling in bucket beams that could lead to assertion failure in edge cases.


reverting r1807238 bc not addressing the issue https://github.com/icing/mod_h2/issues/120

mod_http2: non-dev 1.10.12 for backport


Submitted by: icing
Reviewed by: icing, steffenal, ylavic


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1812081 13f79535-47bb-0310-9956-ffa450edef68
      9889a8bf
    • Yann Ylavic's avatar
      Merge r1805195, r1812004 from trunk: · 82ef1467
      Yann Ylavic authored 
      Update offsets

Entry for 2.4.28 regression (r1808855 missing r1805195).

Submitted by: jim, ylavic
Reviewed/backported by: ylavic (RTC per miss in the original merge)


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1812074 13f79535-47bb-0310-9956-ffa450edef68
      82ef1467
  23. 10 Oct, 2017 4 commits
    • Joe Orton's avatar
      Merge r1809209 from trunk: · fdd7b66f
      Joe Orton authored 
      Fix a segmentation fault if AuthzDBDQuery is not set.

PR: 61546
Submitted by: Lubos Uhliarik <luhliari redhat.com>
Reviewed by: jailletc36, ylavic, elukey


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1811749 13f79535-47bb-0310-9956-ffa450edef68
      fdd7b66f
    • Joe Orton's avatar
      Merge r1664565 from trunk: · 542a8ecb
      Joe Orton authored 
      *) mod_rewrite: Add support for starting External Rewriting Programs
   as non-root user on UNIX systems by specifying username and group name
   as third argument of RewriteMap directive.

Submitted by: jkaluza
Reviewed by: jorton, wrowe, ylavic


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1811748 13f79535-47bb-0310-9956-ffa450edef68
      542a8ecb
    • Joe Orton's avatar
      Merge r1808230 from trunk: · 85189e49
      Joe Orton authored 
      * server/protocol.c (ap_content_length_filter): Rewrite the content
  length filter to avoid arbitrary memory consumption for streaming
  responses (e.g. large CGI script output).  Ensures C-L is still
  generated in common cases (static content, small CGI script output),
  but this DOES change behaviour and some responses will end up
  chunked rather than C-L computed.

PR: 61222
Submitted by: jorton, rpluem
Reviewed by: jorton, wrowe, ylavic


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1811746 13f79535-47bb-0310-9956-ffa450edef68
      85189e49
    • Yann Ylavic's avatar
      Merge r1736186 from trunk: · 10732433
      Yann Ylavic authored 
      mod_ssl: return non ambiguous value in ssl_callback_SessionTicket() for
encryption mode (we used to return 0, OpenSSL documents returning 1 instead).

Practically this does not change anything since OpenSSL will only check for
>= 0 return value (non error) for encryption mode (the other possible return
values are only relevant for decryption mode).

However the OpenSSL documentation for SSL_CTX_set_tlsext_ticket_key_cb()
states:
"
The return value of the cb function is used by OpenSSL to determine what
further processing will occur. The following return values have meaning:

2
    This indicates that the ctx and hctx have been set and the session can
    continue on those parameters. Additionally it indicates that the session
    ticket is in a renewal period and should be replaced. The OpenSSL library
    will call cb again with an enc argument of 1 to set the new ticket (see
    RFC5077 3.3 paragraph 2).

1
    This indicates that the ctx and hctx have been set and the session can
    continue on those parameters.

0
    This indicates that it was not possible to set/retrieve a session ticket
    and the SSL/TLS session will continue by by negotiating a set of
    cryptographic parameters or using the alternate SSL/TLS resumption
    mechanism, session ids.
    If called with enc equal to 0 the library will call the cb again to get a
    new set of parameters.

less than 0
    This indicates an error.
"

So 0 is not appropriate in our code, 1 is what we really want (and it won't
break if OpenSSL later changes its checks on the callback return value).

Reported/Proposed by: oknet on github, pull request #18.
Reviewed by: jorton, ylavic, wrowe
[Closes #18]


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1811742 13f79535-47bb-0310-9956-ffa450edef68
      10732433
  25. 25 Sep, 2017 1 commit
  27. 22 Sep, 2017 1 commit
    • Yann Ylavic's avatar
      Merge r1802875 from trunk: · d688a489
      Yann Ylavic authored 
      event: Avoid possible blocking in the listener thread when shutting down
connections. PR 60956.

start_lingering_close_nonblocking() now puts connections in defer_linger_chain
which is emptied by any worker thread (all atomically) after its usual work,
hence any possibly blocking flush and lingering close run outside the listener.

The listener may create a dedicated worker if it fills defer_linger_chain or
while it's not empty, calling push2worker with a NULL cs.

The state machine in process_socket() is slighly modified to be able to enter
with CONN_STATE_LINGER directly w/o clogging_input_filters to interfer.

New abort_socket_nonblocking() allows to reset connections when nonblocking is
required and we can't do much about the connection anymore, nor we want the
system to linger on its own after close().

Many thanks to Stefan Priebe for his heavy testing on many event's changes!


Submitted by: ylavic
Reviewed by: ylavic, jim, icing


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1809299 13f79535-47bb-0310-9956-ffa450edef68
      d688a489
  29. 19 Sep, 2017 3 commits
  31. 18 Sep, 2017 2 commits
  33. 08 Sep, 2017 6 commits
  35. 18 Aug, 2017 1 commit
    • Joe Orton's avatar
      Merge 1805099 from trunk: · 868be432
      Joe Orton authored 
      Fix ProxyAddHeaders merging.

* modules/proxy/mod_proxy.h:
  Add add_forwarded_headers_set field to proxy_dir_conf.

* modules/proxy/mod_proxy.c (create_proxy_dir_config):
  Initialize add_forwarded_headers_set.
  (add_proxy_http_headers): Set it.
  (merge_proxy_dir_config): Merge add_forwarded_headers correctly.

Reviewed by: jorton, rpluem, jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1805390 13f79535-47bb-0310-9956-ffa450edef68
      868be432
  37. 16 Aug, 2017 1 commit
    • Jim Jagielski's avatar
      Merge r1789220, r1792675 from trunk: · 6a466488
      Jim Jagielski authored 
      core: Disallow multiple Listen on the same IP:port when listener buckets
are configured (ListenCoresBucketsRatio > 0), consistently with the single
bucket case (default), thus fixing the leak of the corresponding socket
descriptors on graceful restart.



Follow up to r1789220.
Document the implicit behaviour of ListenCoresBucketsRatio when multiple
Listen-ers are configured on the same IP:port.


Submitted by: ylavic
Reviewed by: ylavic, jim, jorton


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1805221 13f79535-47bb-0310-9956-ffa450edef68
      6a466488
  39. 06 Aug, 2017 1 commit
  41. 17 Jul, 2017 4 commits
    • Jim Jagielski's avatar
      Merge r1762580, r1762701, r1762702, r1762718, r1762723, r1762742, r1762743,... · b0d9c063
      Jim Jagielski authored 
      Merge r1762580, r1762701, r1762702, r1762718, r1762723, r1762742, r1762743, r1774538, r1779354 from trunk:

event: use atomics for *timeout_queue->total since it's updated concurrently,
and move TO_QUEUE_*() macros to functions.


event: add/remove from/to the pollset outside of the critical sections.

We don't need external locking since it's created with APR_POLLSET_THREADSAFE,
hence reduce those sections to the lowest cycles possible.

A spinlock may be interesting instead of the mutex now, we won't block and the
TO_QUEUE_*() and process_timeout_queue() operations are fast...



event: follow up to r1762701: update log tag.

event: avoid unnecessary listener/polling wake ups (context switches) by using
apr_pollset_wakeup(), when implemented, to signal the listener according to the
next timers or timeout queues expiry (updated at insert and maintenance time).



Follow up to r1762718: CHANGES entry.

event: follow up to r1762718.
We still need to kill kept-alive connections in normal/expiry processing if
the workers are busy or dying.



event: follow up to r1762718 and r1762742: put de condition where it belongs.



event: follow up to r1762718.

On graceful shutdown/restart, kill kept-alive connections before poll()ing
again, avoiding to wait for their "normal" timers (before being woken up)
when they remain the last handled connections.



event: follow up to r1762701.
Keep QUEUE_APPEND()+pollset_add() or QUEUE_REMOVE()+pollset_remove() atomic.

Otherwise when a worker adds an entry in some queue (e.g. KA, lingering), it
might race with the listener in the time between the mutex is released and the
pollset is updated; meanwhile the listener might process the queue and find an
entry no yet in its pollset.

For the lingering queue, the entry could then have been used after its pool
destroyed.

Submitted by: ylavic
Reviewed by: ylavic, icing, jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1802146 13f79535-47bb-0310-9956-ffa450edef68
      b0d9c063
    • Jim Jagielski's avatar
      Merge r1754164, r1801994, r1801995 from trunk: · ca6bf55c
      Jim Jagielski authored 
      mod_proxy_wstunnel: we want to detect whether some response was sent to
the client when forwarding data from the backend to the client, not the
reverse.


Follow up to r1754164: CHANGES entry.

Follow up to r1801994: CHANGES' PR reference.
Submitted by: ylavic
Reviewed by: ylavic, jchampion, jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1802144 13f79535-47bb-0310-9956-ffa450edef68
      ca6bf55c
    • Yann Ylavic's avatar
      Credits. · e51a3d94
      Yann Ylavic authored 
      git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1802129 13f79535-47bb-0310-9956-ffa450edef68
      e51a3d94
    • Yann Ylavic's avatar
      Add CHANGES' security entries for 2.4.27. · dcfafbeb
      Yann Ylavic authored 
      git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1802121 13f79535-47bb-0310-9956-ffa450edef68
      dcfafbeb
  43. 08 Jul, 2017 1 commit
  45. 06 Jul, 2017 1 commit