PR62186: preserve %<m for ErrorDocument internal redirects

  *) core: Preserve the original HTTP request method in the '%<m' LogFormat
     when an path-based ErrorDocument is used.  PR 62186.
     [Micha Lenk <micha lenk.info>]

Submitted By: Micha Lenk
Committed By: covener

Submitted by: covener
Reviewed by: covener, jhriggs, jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1830248 13f79535-47bb-0310-9956-ffa450edef68

     trunk patch: http://svn.apache.org/r1827196
     2.4.x patch: svn merge -c 1827196 ^/httpd/httpd/trunk .
     +1: icing, ylavic, jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1829486 13f79535-47bb-0310-9956-ffa450edef68

mod_dumpio: do nothing below log level TRACE7.

For instance, depending on EnableMMAP/Sendfile configuration, don't split
file brigades to 8K heap buckets upon reading.



mod_dumpio: follow up to r1818802.

Negate APLOGctrace7(c) test!

Also, return DECLINED when nothing is to be done, same result as OK but
possibly more semantically correct.


Submitted by: ylavic
Reviewed by: jailletc36, jorton, ylavic


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1828743 13f79535-47bb-0310-9956-ffa450edef68

mod_md: Fix compilation with OpenSSL before version 1.0.2.

Symbol ASN1_TIME_diff is only available for 1.0.2+,
but luckily alternative code we can use is already
available, originally written for the LibreSSL case.

Submitted by: rjung
Reviewed by: rjung, ylavic, jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1828741 13f79535-47bb-0310-9956-ffa450edef68

mod_ssl: Fix merging of proxy SSL context outside <Proxy> sections.

Regression introduced in 2.4.30. PR 62232.

The proxy SSL_CTX was not inherited from the vhost (the only available in
2.4.29) in/for any directory context besides <Proxy>...

Mostly debugged and fixed by Rainer, thanks!


Submitted by: ylavic
Reviewed by: ylavic, rpluem, jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1828735 13f79535-47bb-0310-9956-ffa450edef68

copy apr_sockaddr_is_wildcard to maintain 1.4.x support.




CHANGES for r1827654

Submitted by: covener
Reviewed by: covener, ylavic, rpluem, jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1828734 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1828672 13f79535-47bb-0310-9956-ffa450edef68

modules/md/mod_md.h is now a new public API
also used by other modules (currently mod_ssl),
so it must be in the include path. It was
missing for cmake builds.

Note that this change does not yet enable building
mod_md itself using cmake. That part is still
missing.

CTR (cmake builds only).

Backport of r1828669 from trunk.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1828670 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1827782 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1827651 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1827650 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1827635 13f79535-47bb-0310-9956-ffa450edef68

bump CVE's to top of each release



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1827634 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1827622 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1827594 13f79535-47bb-0310-9956-ffa450edef68

PR62200: EBCDIC: ap_rgetline APR_ENOSPC

On EBCDIC systems, translation does not occur in ap_rgetline() if the line is
larger than the buffer size.

(note: No STATUS vote for EBCDIC fix)

Submitted By: Hank Ibell
Committed By: covener



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1827360 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1827120 13f79535-47bb-0310-9956-ffa450edef68

Fix timeout logging in ap_process_request().

We can't use 'r' after ap_process_request_after_handler(), the core output
filter might have cleaned up its deferred bucket brigade on error, including
the EOR bucket.

Reported by: steffenal
Closes SpiderLabs/ModSecurity#1542


Follow up to r1826556: CHANGES entry.


Submitted by: ylavic
Reviewed by: ylavic, covener, rjung


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1826899 13f79535-47bb-0310-9956-ffa450edef68

mod_slotmem_shm: SHMs need to be attached in MPM winnt children processes.

We can't (re-)create them since they exist already and are owned by the
parent process.


Submitted by: ylavic
Reviewed by: ylavic, covener, rjung


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1826897 13f79535-47bb-0310-9956-ffa450edef68

htpasswd/htdigest: Disable support for bcrypt on EBCDIC platforms.
apr-util's bcrypt implementation doesn't tolerate EBCDIC.

Submitted by: rjung
Reviewed by: rjung, covener, ylavic


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1826892 13f79535-47bb-0310-9956-ffa450edef68

ab: try all destination socket addresses returned by apr_sockaddr_info_get
instead of failing on first one when not available.
Needed for instance if localhost resolves to both ::1 and 127.0.0.1
e.g. if both are in /etc/hosts.

ab: Use only one connection to determine working destination socket address.

Submitted by: rjung
Reviewed by: rjung, covener, ylavic


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1826891 13f79535-47bb-0310-9956-ffa450edef68

htpasswd/htdbm: report the right limit when get_password()
overflows.

Submitted by: rjung
Reviewed by: rjung, covener, jailletc36


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1826888 13f79535-47bb-0310-9956-ffa450edef68

htpasswd: Don't fail in -v mode if password file is unwritable.
PR 61631.

Submitted by: rjung
Reviewed by: rjung, ylavic, covener


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1826887 13f79535-47bb-0310-9956-ffa450edef68

htpasswd: don't point to (unused) stack memory on output
to make static analysers happy.  PR 60634.

Submitted by: rjung
Reviewed by: rjung, ylavic, covener


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1826886 13f79535-47bb-0310-9956-ffa450edef68

LibreSSL doesn't have or require applink.c

Submitted by: rjung
Reviewed by: rjung, ylavic, covener


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1826885 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1826391 13f79535-47bb-0310-9956-ffa450edef68

* support/ab.c: Fix crash caused by integer overflow when printing stats with
lot of requests (for example -n 500000000).

Submitted by: jkaluza
Reviewed by: jorton, jim, ylavic


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1826310 13f79535-47bb-0310-9956-ffa450edef68

* mod_access_compat, mod_authz_host: Handle '#' character.
For mod_access_compat, disable '#' in hostname completely.
For mod_authz_host, treat '#' as a comment and ignore everything after that.
This allows better handling of admin errors like
'Require host localhost# Add example.com later'.

* modules/aaa/mod_authz_host.c (host_check_authorization): Simplify
  comment stripping in "Require host"; log a warning if a comment is
  used in 'Require host', or an error if the expression is empty with
  the comment stripped. (Currently in 2.4, #comment part is parsed)

Submitted by: jkaluza, jorton
Reviewed by: jorton, jim, ylavic


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1826309 13f79535-47bb-0310-9956-ffa450edef68

* support/rotatelogs.c (get_now): Return the offset applied to the
  Unix time as a parameter.
  (doRotate): When exploding the time for strtfime formatting, iff in
  -l mode, subtract the offset and explode the real Unix time as a
  local time so %Z etc works correctly.

* support/rotatelogs.c (get_now): Fix the NULL ptr dereferences 
  added in r1532281.

* support/rotatelogs.c: Introduce an adjusted_time_t type to store the
  weird "adjusted time since epoch" type returned by get_now().
  Switch from int to long to fix an unnecessary Y2K38 issue.  Adjust
  use throughout and clean up other type issues.  No functional change
  intended apart from fixing Y2K38.

Submitted by: jorton
Reviewed by: jorton, jim, ylavic


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1826306 13f79535-47bb-0310-9956-ffa450edef68

Add optional _RAW suffix to SSL_*_DN_xx attribute names, allowing
users to convert an attribute value without conversion to UTF-8.  (A
public CA has issued certs with attributes tagged as the wrong ASN.1
string types.)

* modules/ssl/ssl_util_ssl.c (asn1_string_convert): Rename from
  asn1_string_to_utf8; add raw argument. Reimplement _to_utf8 as
  macro.
  (modssl_X509_NAME_ENTRY_to_string): Add raw argument.

* modules/ssl/ssl_engine_vars.c (ssl_var_lookup_ssl_cert_dn): Use raw
  string conversion if _RAW suffix is present in DN component.

Submitted by: jorton
Reviewed by: jorton, jim, ylavic


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1826300 13f79535-47bb-0310-9956-ffa450edef68

... for the non-blocking connect case introduced in 2.4.30. 

Submitted By: jorton
Reviewed By: ylavic, druggeri, covener




git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1825839 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1825777 13f79535-47bb-0310-9956-ffa450edef68

mod_proxy_fcgi: Add the support for mod_proxy's
                flushpackets and flushwait params

This change was requested on the development mailing
list in order to fill another gap between mod_fcgi
and mod_proxy_fcgi, namely the -flush funtionality.

The more evolved core trunk code would not need this
feature becuse of the non-blocking writes, but it
is be needed in 2.4.x.


mod_proxy_fcgi: limit the flush buckets inserted when flushpackets=on|auto

This commit is a follow up of r1802040 based on Jacob's
feedback, namely inserting the FLUSH buckets only when
really needed and useful, not always.


mod_proxy_fcgi: follow up to r1807876.
Fix mixed declarations and code [-Wdeclaration-after-statement].

Fix a compilation warning introduced by r1802040.
mod_proxy_fcgi.c:893:19: warning: ‘flushpoll’ may be used uninitialized in this function [-Wmaybe-uninitialized]

This warning is a false positive.


mod_proxy_fcgi: prioritize the check for mayflush when using flushpackets

The mayflush variable should be checked before the rest
to avoid polling when not needed.

Suggested by Yann Ylavic on the dev@ mailing list.


Submitted by: elukey, ylavic, jailletc36, elukey
Reviewed by: elukey, jim, ylavic


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1825765 13f79535-47bb-0310-9956-ffa450edef68

mpm_event: move lingering close "sucker" from the listener to worker(s).

This was the last non-constant time action performed by the listener thread.

It's now handled by the worker thread directly after entering lingering close,
which should directly address the cases when the socket is already closed
remotely at that time, hence avoid more scheduling (it may be the common case
for some scenarios).

And it's only if the above would need blocking (i.e. more data to suck) that
the socket is added to the pollset for the listener to re-schedule a worker
later when ready. If no worker is available at that time then the socket is
forcibly closed (similarly to what's done for keepalive connections in this
case).

Also, since process_lingering_close() is now called by a worker thread and
with almost no depth in the call stack, we can grow the size of the "suck"
buffer from 2K to 32K to potentially call recv() up to sixteen times less.


mpm_event: follow up to r1823047.

Update clogged counter on read_request retry too.


mpm_event: follow up to r1823047: simplify "clogging" logic (reentrance).


mpm_event: follow up to r1823047: complete state validation after processing.


mpm_event: follow up to r1823047: CHANGES entry.


mpm_event: follow up to r1823047 and r1824464.

MMN bump for CONN_STATE_NUM, plus don't consider CONN_STATE_LINGER_* as valid
states returned process_connection (never have been).


mpm_event: follow up to r1823047 and r1824862.

Revert (broken) functional change from r1824862.


Submitted by: ylavic
Reviewed by: ylavic, minfrin, jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1824879 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1824874 13f79535-47bb-0310-9956-ffa450edef68

10 years after r567503 , fix this properly.

The lock is created in post_config, so we can't copy it
around in a merge_server_config() callback.


Submitted by: covener
Reviewed by: covener, rpluem, jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1824872 13f79535-47bb-0310-9956-ffa450edef68

mpm_event: move lingering close "sucker" from the listener to worker(s).

This was the last non-constant time action performed by the listener thread.

It's now handled by the worker thread directly after entering lingering close,
which should directly address the cases when the socket is already closed
remotely at that time, hence avoid more scheduling (it may be the common case
for some scenarios).

And it's only if the above would need blocking (i.e. more data to suck) that
the socket is added to the pollset for the listener to re-schedule a worker
later when ready. If no worker is available at that time then the socket is
forcibly closed (similarly to what's done for keepalive connections in this
case).

Also, since process_lingering_close() is now called by a worker thread and
with almost no depth in the call stack, we can grow the size of the "suck"
buffer from 2K to 32K to potentially call recv() up to sixteen times less.


mpm_event: follow up to r1823047.

Update clogged counter on read_request retry too.


mpm_event: follow up to r1823047: simplify "clogging" logic (reentrance).


mpm_event: follow up to r1823047: complete state validation after processing.


mpm_event: follow up to r1823047: CHANGES entry.


mpm_event: follow up to r1823047 and r1824464.

MMN bump for CONN_STATE_NUM, plus don't consider CONN_STATE_LINGER_* as valid
states returned process_connection (never have been).


Submitted by: ylavic
Reviewed by: ylavic, minfrin, jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1824868 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1824798 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1824751 13f79535-47bb-0310-9956-ffa450edef68

mod_proxy: Provide an RFC1035 compliant version of the hostname in the
proxy_worker_shared structure. PR62085


Tone down the message that worker hostname is too long noting it only
affects legacy modules not yet using hostname_ex.


Set the notice when hostname is too long for legacy proxy modules to info level.


Submitted by: minfrin
Reviewed by: minfrin, jim, ylavic


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1824504 13f79535-47bb-0310-9956-ffa450edef68