Skip to content
  1. Dec 12, 2016
  2. Dec 10, 2016
  3. Dec 09, 2016
  4. Dec 08, 2016
  5. Dec 07, 2016
  6. Dec 06, 2016
  7. Dec 05, 2016
    • Yann Ylavic's avatar
      Propose mod_session_crypto fix for CVE-2016-0736. · c9a2aab2
      Yann Ylavic authored
      git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1772814 13f79535-47bb-0310-9956-ffa450edef68
      c9a2aab2
    • Eric Covener's avatar
      capitalize · a2adf371
      Eric Covener authored
      
      
      git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1772764 13f79535-47bb-0310-9956-ffa450edef68
      a2adf371
    • Eric Covener's avatar
      Merge r1772758 from trunk: · 7247c2d1
      Eric Covener authored
      provide more access control migration hints
      
      current examples don't account for when access control overlaps
      with authentication.
      
      
      
      
      git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1772762 13f79535-47bb-0310-9956-ffa450edef68
      7247c2d1
    • Jim Jagielski's avatar
      updates · 467d13bb
      Jim Jagielski authored
      
      git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1772685 13f79535-47bb-0310-9956-ffa450edef68
      467d13bb
    • Jim Jagielski's avatar
      ------------------------------------------------------------------------ · 14a591ea
      Jim Jagielski authored
      r1772419 | covener | 2016-12-02 19:10:53 -0500 (Fri, 02 Dec 2016) | 7 lines
      
      Merge r1772418 from trunk:
      
      loop in checking response headers 
      
      w/ HTTPProtocolOptions Unsafe
      
      
      ------------------------------------------------------------------------
      r1772236 | wrowe | 2016-12-01 11:29:27 -0500 (Thu, 01 Dec 2016) | 8 lines
      
      Appears we cannot disallow this whitespace, since the chunk BNF coexisted
      with the implied *LWS rule, before RFC7230 eliminated the later. Whether
      this is actually OWS or BWS is an editorial decision beyond our pay grade.
      
      Backports: r1765475
      Submitted by: wrowe
      
      
      ------------------------------------------------------------------------
      r1771697 | rpluem | 2016-11-28 04:59:00 -0500 (Mon, 28 Nov 2016) | 4 lines
      
      Merge r1771690 from trunk:
      
      * Fix numbers count in comment.
      
      ------------------------------------------------------------------------
      r1771696 | rpluem | 2016-11-28 04:56:42 -0500 (Mon, 28 Nov 2016) | 1 line
      
      * Revert 1771372: As Bill points out correctly. Only backport trunk revisions to this branch.
      ------------------------------------------------------------------------
      r1771372 | rpluem | 2016-11-25 14:55:18 -0500 (Fri, 25 Nov 2016) | 1 line
      
      * Fix numbers count in comment.
      ------------------------------------------------------------------------
      r1770870 | wrowe | 2016-11-22 13:44:21 -0500 (Tue, 22 Nov 2016) | 3 lines
      
      Optimize away one more strchr.
      Backports: 1770869
      
      ------------------------------------------------------------------------
      r1770868 | wrowe | 2016-11-22 13:34:25 -0500 (Tue, 22 Nov 2016) | 8 lines
      
      List discussion resulted in rejecting all but SP characters in the request
      line, but in the strict mode prioritize excessive space testing over bad
      space testing (which is captured later) and make both more efficient
      (at this test ll[0] is already whitespace or \0 char). Also correct a comment.
      
      Backports: r1770867
      Submitted by: wrowe
      
      ------------------------------------------------------------------------
      r1770846 | covener | 2016-11-22 09:32:45 -0500 (Tue, 22 Nov 2016) | 5 lines
      
      Merge r1770817 from trunk:
      
      Removing unused warning after r1764961 changes.
      
      
      ------------------------------------------------------------------------
      r1770789 | covener | 2016-11-21 20:58:06 -0500 (Mon, 21 Nov 2016) | 25 lines
      
      Merge r1770786 from trunk:
      
      remove Location: header checks for absolute URL
      
      https://tools.ietf.org/html/rfc7231#section-7.1.2
      
         The "Location" header field is used in some responses to refer to a
         specific resource in relation to the response.  The type of
         relationship is defined by the combination of request method and
         status code semantics.
      
           Location = URI-reference
      
         The field value consists of a single URI-reference.  When it has the
         form of a relative reference ([RFC3986], Section 4.2), the final
         value is computed by resolving it against the effective request URI
         ([RFC3986], Section 5).
      
      
      There is even an example with no scheme:
      
           Location: /People.html#tim
      
      
      
      ------------------------------------------------------------------------
      r1770386 | wrowe | 2016-11-18 09:45:32 -0500 (Fri, 18 Nov 2016) | 6 lines
      
      Backport: r1769965
      Submitted by: wrowe, rpluem
      
      Actually cause the Host header to be overridden, as noted by rpluem,
      and simplify now that there isn't a log-only mode.
      
      ------------------------------------------------------------------------
      r1770173 | wrowe | 2016-11-17 07:09:32 -0500 (Thu, 17 Nov 2016) | 1 line
      
      Merge of r1765451 did not apply cleanly, drop unneeded prototype.
      ------------------------------------------------------------------------
      r1769675 | wrowe | 2016-11-14 13:57:12 -0500 (Mon, 14 Nov 2016) | 1 line
      
      Add an entry about RFC strictness
      ------------------------------------------------------------------------
      r1769674 | wrowe | 2016-11-14 13:54:42 -0500 (Mon, 14 Nov 2016) | 1 line
      
      Clean up CHANGES for clarity
      ------------------------------------------------------------------------
      r1769672 | wrowe | 2016-11-14 13:15:07 -0500 (Mon, 14 Nov 2016) | 31 lines
      
      Dropped the never-released ap_has_cntrls() as it had very limited 
      and inefficient application at that, added ap_scan_vchar_obstext()
      to accomplish a similar purpose.
      
      Dropped HttpProtocolOptions StrictURL option, this will be better
      handled in the future with a specific directive and perhaps multiple
      levels of scrutiny, use ap_scan_vchar_obstext() to simply ensure there
      are no control characters or whitespace within the URI.
      
      Changed the scanning of the response header table by check_headers()
      to follow the same rulesets as reading request headers. Disallow any
      CTL character within a response header value, and any CTL or whitespace
      in response header field name, even in strict mode.
      
      Apply HttpProtocolOptions Strict to chunk header parsing, invalid
      whitespace is invalid, line termination must follow CRLF convention.
      Submitted by: wrowe
      Backport: r1764961,1765112-1765115 
      
      When redrawing the parser, ap_get_http_token looked to be useful, but there's
      no application for this yet in httpd, so hold off adding this function when
      we backport the enhancements. ap_scan_http_token was entirely sufficient.
      If the community wants this new function, we can add it when backporting
      work is complete.
      
      This patch, and the earlier patches Friday actually demanded an mmn major
      bump due to struct member changes. In any final backport, new members must
      be added to the end of the struct to retain an mmn minor designation.
      Submitted by: wrowe
      Backport: r1765451
      
      ------------------------------------------------------------------------
      r1769669 | wrowe | 2016-11-14 12:59:10 -0500 (Mon, 14 Nov 2016) | 124 lines
      
      Fix syntax
      Submitted by: jailletc36
      Backport: r1756862
      
      Introduce StrictURI|UnsafeURI for RFC3986 enforcement
      Submitted by: wrowe
      Backport: r1756959
      
      Surpress noise about syntax
      Submitted by: wrowe
      Backport: r1756978
      
      Yann is correct, % is distinct from reserved and unreserved
      Submitted by: wrowe
      Backport: r1757062
      
      As commented, ensure we don't flag a request as a rejected 0.9 request
      if we identified any other parsing errors and handle all 0.9 request
      errors as 400 BAD REQUEST, presuming HTTP/1.0 to deliver the error details.
      Do not report 0.9 issues as 505 INVALID PROTOCOL because the client apparently
      specified no protocol, and 505 post-dates the simple HTTP request mechanism.
      Submitted by: wrowe
      Backport: r1757065
      
      Rename LenientWhitespace to UnsafeWhitespace and change StrictWhitespace
      to the default behavior, after discussion with fielding et al about the
      purpose of section 3.5. Update the documentation to clarify this.
      
      This patch removes whitespace considerations from the Strict|Unsafe toggle
      and consolidates them all in the StrictWhitespace|UnsafeWhitespace toggle.
      
      Added a bunch of logic comments to read_request_line parsing.
      
      Dropped the badwhitespace list for an all-or-nothing toggle in rrl.
      
      Leading space before the method is optimized to be evaluated only once.
      
      Toggled the request from HTTP/0.9 to HTTP/1.0 for more BAD_REQUEST cases.
      
      Moved s/[\n\v\f\r]/ / cleanup logic earlier in the cycle, to operate on
      each individual line read, and catch bad whitespace errors earlier.
      This changes the obs-fold to more efficiently condense whitespace and
      forces concatinatination with a single SP, always. Overrides are not
      necessary since obs-fold is clearly deprecated.
      Submitted by: wrowe
      Backport: r1757589
      
      Also catch invalid spaces between the URI <> Protocol in StrictWhitespace mode.
      (matching the test for the Method <> URI)
      Submitted by: wrowe
      Backport: r1757593
      
      Correct RFC reference text (link was right)
      Submitted by: wrowe
      Backport: r1757711
      
      First survey results, all intrinsicly bad input will be logged at the debug
      level, no louder. This patch intentionally dodges the Limit* constrained tests
      since administrators may shoot themselves in the foot, or be confronted with
      impossibly long cookie values, etc.
      
      Adjust the documentation to match.
      Submitted by: wrowe
      Backport: r1757920
      
      Correct URL failure reporting.
      
      Drop the second reporting of HEAD over HTTP/0.9 requests, we short-circuit
      this early now in read_request_line() when presented anything other than
      the sole "GET" method permitted by spec.
      Revert to the correct APLOGNO ID for this case	
      Submitted by: wrowe
      Backport: r1757921, r1757924
      
      Folding StrictWhitespace into the Strict ruleset of RFC7230, per dev@ poll.
      This choice is unanimous, although StrictURI (a different RFC) still hasn't
      found absolute concensus.
      Submitted by: wrowe
      Backport: r1758226
      
      Correct the parser construction for several optimizations,
      based on the fact that bad whitespace shall not be permitted
      or corrected in any operating mode, while preserving the 
      ability to extract bad method/uri/proto for later reporting
      and diagnostics.
      
      This change causes badwhitespace in the request line or any
      request field line to always fail, and not honor the setting
      of the HttpProtocolOptions Unsafe option. Mult SP characters
      or trailing SP characters in the request line are still 
      permitted in Unsafe mode.
      
      Adjusted several error message emits to match these changes.
      Submitted by: wrowe
      Backport: r1758263
      
      Clarify documentation based on concensus decisions discussed on dev@
      and reflecting the current implementation, clean up stray <p>
      Submitted by: wrowe
      Backport: r1758265, r1758266
      
      New optional flag to enforce <CR><LF> line delimiters in ap_[r]getline,
      created by overloading 'int fold' (1 or 0) as 'int flags', with the same
      value 1 for AP_GETLINE_FOLD (which httpd doesn't use), and a new value
      2 for AP_GETLINE_CRLF
      
      Enforce CRLF when HttpProtocolOptions Strict is in force.
      
      Correctly introduces a new t/TEST fail.
      Submitted by: wrowe
      Backport: r1758304
      
      Calm some overly agressive crlf handling, and clarify
      Submitted by: wrowe
      Backport: r1758305, r1758313
      
      Review of IE 11, Firefox 48 and Chrome 53 all indicate that ';' URI characters
      are transmitted unencoded, per RFC3986 section 3.3 grammer. Correct httpd's
      behavior to not encode ';' in proxied URI's or Location: response headers.
      Submitted by: wrowe
      Backport: r1760444
      
      
      
      ------------------------------------------------------------------------
      r1769664 | wrowe | 2016-11-14 12:07:40 -0500 (Mon, 14 Nov 2016) | 48 lines
      
      Drop unused, previously sscanf() target variables
      Submitted by: wrowe
      Backport: r1756821
      
      Drop redundant == --rrl_none evaluation
      Submitted by: rpluem
      Backport: r1756823
      
      server/protocol.c (read_request_line): Fix compiler warnings with GCC.
      Submitted by: jorton
      Backport: r1756824
      
      Correct request header handling of whitespace with the new possible config of
      HttpProtocolOptions Unsafe StrictWhitespace
      
      I have elected not to preserve any significance to excess whitespace in the
      now-deprecated obs-fold code path, that's certainly open for discussion.
      
      This can be reviewed by tweaking t/conf/extra.conf to switch Strict to Unsafe.
      Submitted by: wrowe
      Backport: r1756847
      
      A band-aid to resolve an immediate IBM MVS'ism
      Submitted by: wrowe
      Backport: r1756849
      
      Resolve Netware (and other arch) build error for non-portable isascii()
      Submitted by: wrowe
      Backport: r1756934
      
      Generally, the cart comes before the horse, this mirrors apr_lib.h
      Submitted by: wrowe
      Backport: r1756937
      
      After lengthy investigation with covener's assistance, it seems we cannot
      use a static table. We cannot change this to dynamic use of the local iconv
      without build changes to avoid such use on cross-platform builds.
      
      I'm satisfied if we trust iscntrl to at least catch all the most lethal
      C0 Ctrls (we are promised it catches bad carriage control/line endings)
      and leave this in the short term with an XXX to revisit at a future time.
      
      The token stop never needed this table, because we can use the affirmative
      list of token characters to define it.
      Submitted by: wrowe, covener
      Backport: r1756946
      
      
      ------------------------------------------------------------------------
      r1769662 | wrowe | 2016-11-14 12:01:20 -0500 (Mon, 14 Nov 2016) | 46 lines
      
      	
      Rename the previously undocumented HTTPProtocol directive
      to EnforceHTTPProtocol, and invert the default behavior
      to strictly observe RFC 7230 unless otherwise configured.
      And Document This.
      
      The relaxation option is renamed 'Unsafe'. 'Strict' is no
      longer case sensitive. 'min=0.9|1.0' is now the verbose
      'Allow0.9' or 'Require1.0' case-insenstive grammer. The
      exclusivity tests have been modified to detect conflicts.
      
      The 'strict,log' option failed to enforce strict conformance,
      and has been removed. Unsafe, informational logging is possible
      in any loadable module, after the request data is unsafely
      accepted.
      
      This triggers a group of failures in t/apache/headers.t as
      expected since those patterns violated RFC 7230 section 3.2.4.
      Submitted by: wrowe
      Backport: r1756540
      
      Correct AP_HTTP_CONFORMANCE_ flags
      Submitted by: wrowe
      Backport: r1756555
      
      Renaming this directive to HttpProtocolOptions after discussion on dev@
      Submitted by: wrowe
      Backport: r1756649
      
      Perform correct, strict parsing of the request line, handling the
      http protocol tag, url and method appropriately, and attempting 
      to extract values even in the presence of unusual whitespace in
      keeping with section 3.5, prior to responding with whatever
      error reply is needed. Conforms to RFC7230 in all respects,
      the section 3.5 optional behavior can be disabled by the user
      with a new HttpProtocolOptions StrictWhitespace flag. In all
      cases, the_request is regenerated from the parsed components
      with exactly two space characters.
      
      Shift sf's 'strict' method check from the Strict behavior because
      it violates forward proxy logic, adding a new RegisteredMethods
      flag, as it will certainly be useful to some.
      Submitted by: wrowe
      Backport: r1756729
      
      
      ------------------------------------------------------------------------
      r1769649 | wrowe | 2016-11-14 10:29:20 -0500 (Mon, 14 Nov 2016) | 124 lines
      
      Improve legibility of reviewing the generated table, using hex rather than dec
      Submitted by: wrowe
      Backport: r1754536
      
      Correct T_HTTP_TOKEN_STOP per RFC2068 (2.2) - RFC7230 (3.2.6),
      which has always defined 'token' as CHAR or VCHAR - visible USASCII only.
      NUL char is also a stop, end of parsing.
      Submitted by: wrowe
      Backport: r1754538
      
      Be more explicit about NUL in case iscntrl is inconsistent
      Submitted by: wrowe
      Backport: r1754539
      
      Introduce T_HTTP_CTRLS for efficiently finding non-text chars
      Submitted by: wrowe
      Backport: r1754540
      
      Introduce ap_scan_http_field_content, ap_scan_http_token
      and ap_get_http_token [later reverted] for more efficient
      string handling.
      Submitted by: wrowe
      Backport: r1754541
      
      With NUL as a TOKEN_STOP, this code is more efficient
      Submitted by: wrowe
      Backport: r1754544
      
      We arrive here for more than one cause; offer a more general statement
      Submitted by: wrowe
      Backport: r1754547
      
      Strictly observe spec on obs-fold
      Submitted by: wrowe
      Backport: r1754548
      
      Leave an emphatic TODO per Jeff's observations
      Submitted by: trawick
      Backport: r1754555
      
      Introduce ap_scan_http_token / ap_scan_http_field_content for a much
      more efficient pass through the header text; rather than reparsing
      the strings over and over under the HTTP_CONFORMANCE_STRICT fules.
      
      Improve logic and legibility by eliminating multiple repetitive tests
      of the STRICT flag, and simply reorder 'classic' behavior first and
      this new parser second to simplify the diff. Because of the whitespace
      change (which I had wished to dodge), reading this --ignore-all-space
      is a whole lot easier. Particularly against 2.4.x branch, which is now
      identical in the 'classic' logic flow. Both of which I'll share with dev@
      Submitted by: wrowe
      Backport: r1754556
      
      Friendly catch by Rüdiger, restore line mis-removed by the previous commit
      Submitted by: rpluem
      Backport: r1754568
      
      Clean up doubled-'{'
      Correct usage for ap_scan_http_token (had used _get_ syntax)
      Correct logic, detect no 'token' chars, or missing ':'
      Submitted by: wrowe, rpluem
      Backport: r1754569,r1754570,r1754577
      
      Replacement solution to identify VCHAR/ASCII symbols, even in EBCDIC.
      Looking for someone with an EBCDIC environment to post the output of
      the test_char.h generated file for verification.
      Submitted by: wrowe
      Backport: r1754579
      
      Clean up an edge case where obs-fold continuation preceeds the first header,
      as with r1755098, but this time ensure the previous header processing logic 
      ensures there was a previous header as identified by jchampion.
      
      This patch restructures the loop for legibility with a loop continuation,
      allowing us to flatten all of this hard-to-follow code. The subsequent
      patch will be a whitespace-only change for formatting.
      
      Testing len > 0 is redundant when *field is a "\0" and mismatches here,
      folded flag was a no-op, unused once we added continue; logic.
      Fix these as initially attempted in r1755114.
      
      Improve comments and reflow whitespace.
      Submitted by: wrowe
      Backport: r1755123,r1755124,r1755125,r1755126
      
      As promised, reduce this logic by net 9 code lines, shifting the burden 
      of killing trailing whitespace to the purpose-agnostic read logic.
      
      Whitespace before or after an obs-fold, and before or after a field value
      have no semantic purpose at all. Because we are building a buffer for all
      folded values, reducing the size of the newly allocated buffer is always
      to our advantage.
      Submitted by: wrowe
      Backport: r1755233
      
      Treat empty obs-fold line as a noop, eliminate all intra-obs-fold excess
      whitespace, and observe the 1 SP per obs-folding per spec.
      Submitted by: wrowe
      Backport: r1755234,r1755235,r1755236
      
      Treat empty obs-fold line as abusive traffic.
      Submitted by: wrowe
      Backport: r1755263
      
      Stop reflecting irrelevant data to the request error notes, particularly
      for abusive and malformed traffic the non-technical consumer of a user-agent
      has no control over.
      
      Simply take note where the administrator-configured limits have been exceeded,
      that administrator can find details in the error log if desired.
      Submitted by: wrowe
      Backport: r1755264
      
      Follow up to r1755264.
      Don't crash when ap_rgetline() returns a NULL field on ENOSPC.
      Submitted by: ylavic
      Backport: r1755343
      
      Follow on to r1755264, for the case of merged header length exceptions,
      and ensure the field header name is truncated to a sane log width.
      Submitted by: wrowe
      Backport: r1755744
      
      
      ------------------------------------------------------------------------
      r1769454 | wrowe | 2016-11-12 18:47:29 -0500 (Sat, 12 Nov 2016) | 2 lines
      
      Partial Backport of r1746884, no-op changes that introduce patch conflicts.
      
      ------------------------------------------------------------------------
      r1768978 | wrowe | 2016-11-09 09:39:05 -0500 (Wed, 09 Nov 2016) | 5 lines
      
      Backports: r1687643
      Submitted by: covener
      
      be less weird in comment
      
      ------------------------------------------------------------------------
      r1768977 | wrowe | 2016-11-09 09:37:34 -0500 (Wed, 09 Nov 2016) | 5 lines
      
      Backports: r1687642
      Submitted by: covener
      elaborate on a misleading comment
      
      
      ------------------------------------------------------------------------
      r1768971 | wrowe | 2016-11-09 09:32:09 -0500 (Wed, 09 Nov 2016) | 8 lines
      
      
      core: Follow up to r1664205 (previously backported)
      Don't let invalid r->proto_num/protocol out of read_request_line() reach
      the output filters (when responding with 400 Bad Request).
      Suggested by: rpluem
      Backports: r1664576
      
      
      ------------------------------------------------------------------------
      r1768969 | wrowe | 2016-11-09 09:23:00 -0500 (Wed, 09 Nov 2016) | 10 lines
      
      Backport: r1610383 
      Submitted by: jailletc36
      Simplify code.
      
      Cases where 'loc' doesn't have any ':' or is  starting with ':' are already
      handled by 'ap_is_url()'
      Calling 'apr_isascii()' seems useless.
      
      
      
      ------------------------------------------------------------------------
      r1768968 | wrowe | 2016-11-09 09:20:45 -0500 (Wed, 09 Nov 2016) | 4 lines
      
      Backport: r1546860 
      Submitted by: jailletc36
      Fix missing space in message of protocol.c (other r1546860 changes ignored)
      
      ------------------------------------------------------------------------
      r1768093 | wrowe | 2016-11-04 16:50:45 -0400 (Fri, 04 Nov 2016) | 7 lines
      
      ap_rgetline_core() now pulls from r->proto_input_filters
      for better input filtering behavior during chunked trailer
      processing by ap_http_filter().
      Backports: r1446421
      Submitted by: joes
      
      
      ------------------------------------------------------------------------
      r1768090 | wrowe | 2016-11-04 16:47:00 -0400 (Fri, 04 Nov 2016) | 7 lines
      
      Stupid CodeWarrior compiler cant take vars with struct inits.
      Ensure that is_v6literal is always initialized
      
      Backports: r1428145, r1436457
      Submitted by: fuankg, rpluem
      
      
      ------------------------------------------------------------------------
      r1768036 | wrowe | 2016-11-04 10:20:16 -0400 (Fri, 04 Nov 2016) | 40 lines
      
      Add an option to enforce stricter HTTP conformance
      
      This is a first stab, the checks will likely have to be revised.
      For now, we check
      
       * if the request line contains control characters
       * if the request uri has fragment or username/password
       * that the request method is standard or registered with RegisterHttpMethod
       * that the request protocol is of the form HTTP/[1-9]+.[0-9]+,
         or missing for 0.9
       * if there is garbage in the request line after the protocol
       * if any request header contains control characters
       * if any request header has an empty name
       * for the host name in the URL or Host header:
         - if an IPv4 dotted decimal address: Reject octal or hex values, require
           exactly four parts
         - if a DNS host name: Reject non-alphanumeric characters besides '.' and
           '-'. As a side effect, this rejects multiple Host headers.
       * if any response header contains control characters
       * if any response header has an empty name
       * that the Location response header (if present) has a valid scheme and is
         absolute
      
      If we have a host name both from the URL and the Host header, we replace the
      Host header with the value from the URL to enforce RFC conformance.
      
      There is a log-only mode, but the loglevels of the logged messages need some
      thought/work. Currently, the  checks for incoming data log for 'core' and the
      checks for outgoing data log for 'http'. Maybe we need a way to configure the
      loglevels separately from the core/http loglevels.
      
      change protocol number parsing in strict mode according to HTTPbis draft
      - only accept single digit version components
      - don't accept white-space after protocol specification
      
      Clean up comment, fix log tags.
      Submitted by: sf
      Backports: r1426877, r1426879, r1426988, r1426992
      
      
      ------------------------------------------------------------------------
      r1768035 | wrowe | 2016-11-04 10:14:59 -0400 (Fri, 04 Nov 2016) | 14 lines
      
      Correctly parse an IPv6 literal host specification in an absolute URL
      in the request line.
      
      - Fix handling of brackets [ ] surrounding the IPv6 address.
      - Skip parsing r->hostname again if not necessary.
      - Do some checks that the IPv6 address is sane. This is not done by
        apr_parse_addr_port().
      
      log client error at level debug, log broken Host header value
      
      Backports: r1407006, r1426827
      Submitted by: sf
      
      
      ------------------------------------------------------------------------
      r1767942 | wrowe | 2016-11-03 14:01:23 -0400 (Thu, 03 Nov 2016) | 5 lines
      
      Expose ap_method_register() to the admin with a new RegisterHttpMethod
      directive.
      Backports: r1407599
      Submitted by: sf
      
      ------------------------------------------------------------------------
      r1767941 | wrowe | 2016-11-03 13:57:50 -0400 (Thu, 03 Nov 2016) | 9 lines
      
      New directive HttpProtocol which allows to disable HTTP/0.9 support
      with min=0.9|1.0 syntax.
          
      A tighter restriction off the version in the request line is still
      possible with <If "%{SERVER_PROTOCOL_NUM} ..."> .
      Submitted by: sf
      Backports: r1406719, r1407643, r1425366
      
      
      ------------------------------------------------------------------------
      r1767912 | wrowe | 2016-11-03 11:55:18 -0400 (Thu, 03 Nov 2016) | 1 line
      
      Branch to bring http protocol parsing in 2.4.x in sync with trunk
      ------------------------------------------------------------------------
      
      
      git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1772678 13f79535-47bb-0310-9956-ffa450edef68
      14a591ea
    • Jim Jagielski's avatar
      promote · 43f05657
      Jim Jagielski authored
      
      git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1772677 13f79535-47bb-0310-9956-ffa450edef68
      43f05657
    • Jim Jagielski's avatar
      votes · feaf5d36
      Jim Jagielski authored
      
      git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1772676 13f79535-47bb-0310-9956-ffa450edef68
      feaf5d36