Same committer shipped a release with one well-known broken platform within
days of proposing a showstopper for a platform. This specific platform is not
even universally broken, but only for maintainer mode builds, and same has
upvoted a backport which can't compile in maintainer mode. Confused yet?
It might also be why this well-reasoned patch gathered little review, since
it was parked in a more obscure place?
Yann Ylavic [Fri, 13 Oct 2017 08:42:57 +0000 (08:42 +0000)]
Merge r1808746, r1809028 from trunk:
mod_rewrite/core: avoid the 'Vary: Host' header
In PR 58231 it was brought up that httpd adds the
Vary: Host header whenever a condition is set to true
in mod_rewrite or in an <If> block.
The https://tools.ietf.org/html/rfc7231#section-7.1.4
section seems to disallow this use case:
"The "Vary" header field in a response describes "
"what parts of a request message, "
"aside from the method, Host header field, [...]"
I had a chat with the folks in #traffic-server and
they don't see much point in having a Vary: Host header,
plus it was reported that Varnish doesn't like it very
much (namely it does not cache the response when
it sees the header, links of the report in the PR).
I don't see much value in this behavior of httpd so
I am inclined to remove this response header value,
but I'd be glad to get a more experienced opinion.
mod_rewrite,core: avoid Vary:Host (part 2)
This is a follow up of r1808746 after a chat
with Yann on dev@:
- the HTTP:Host variable suffers from the same problem
- the strcasecmp should be used to allow case-sensitive
comparisons.
- in mod_rewrite it is less cumbersome and cleaner to just
make the Host header check in lookup_header, so it will
be automatically picked up by every part of the code
that uses it. It shouldn't be a relevant overhead for
mod_rewrite.
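The check described in the commit above, as an added example that is not httpd's mod_rewrite code: a minimal model of a request whose rewrite conditions record the headers they looked at (what httpd turns into a Vary header). The hypothetical lookup_header() below looks Host up like any other header but never records it, since RFC 7231 section 7.1.4 excludes Host from Vary, and compares names case-insensitively because header field names are. The request_t structure, the header values and the demo() driver are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define MAX_HDRS 8

typedef struct {
    const char *name;
    const char *value;
} header_t;

/* Constructed request model: a few headers plus the list of header
 * names a condition consulted, which becomes the Vary: response header. */
typedef struct {
    header_t headers[MAX_HDRS];
    int nheaders;
    const char *vary[MAX_HDRS];
    int nvary;
} request_t;

static const char *get_header(const request_t *r, const char *name)
{
    for (int i = 0; i < r->nheaders; i++) {
        if (strcasecmp(r->headers[i].name, name) == 0) {
            return r->headers[i].value;
        }
    }
    return NULL;
}

/* Hypothetical version of mod_rewrite's lookup_header(): return the
 * header value and remember that the response varies on it, except for
 * Host, which RFC 7231 excludes from Vary (and which caches such as
 * Varnish refuse to cache on). */
static const char *lookup_header(request_t *r, const char *name)
{
    const char *val = get_header(r, name);

    if (strcasecmp(name, "Host") != 0) {
        int seen = 0;
        for (int i = 0; i < r->nvary; i++) {
            if (strcasecmp(r->vary[i], name) == 0) { seen = 1; break; }
        }
        if (!seen && r->nvary < MAX_HDRS) {
            r->vary[r->nvary++] = name;   /* record once per header */
        }
    }
    return val;
}

/* Render the Vary header value into out; returns the number of entries. */
static int build_vary(const request_t *r, char *out, size_t outlen)
{
    out[0] = '\0';
    for (int i = 0; i < r->nvary; i++) {
        if (i > 0) strncat(out, ", ", outlen - strlen(out) - 1);
        strncat(out, r->vary[i], outlen - strlen(out) - 1);
    }
    return r->nvary;
}

/* Constructed request used for the demonstration. */
static request_t sample_request(void)
{
    request_t r = {0};
    r.headers[r.nheaders++] = (header_t){"Host", "www.example.com"};
    r.headers[r.nheaders++] = (header_t){"User-Agent", "curl/7.55"};
    r.headers[r.nheaders++] = (header_t){"Accept-Language", "en"};
    return r;
}

/* Evaluate conditions on Host (must not end up in Vary) and on
 * User-Agent twice (must appear exactly once). Returns the Vary count. */
static int demo(char *vary_out, size_t outlen)
{
    request_t r = sample_request();
    lookup_header(&r, "host");        /* lowercase on purpose */
    lookup_header(&r, "User-Agent");
    lookup_header(&r, "User-Agent");
    return build_vary(&r, vary_out, outlen);
}

int main(void)
{
    char vary[256];
    int n = demo(vary, sizeof vary);
    printf("Vary: %s (%d entr%s)\n", vary, n, n == 1 ? "y" : "ies");
    return 0;
}
```

Doing the exclusion inside the lookup routine, rather than at each caller, is the point the commit makes: every RewriteCond, RewriteRule backreference or <If> expression that reads a header goes through one place, so none of them can reintroduce Vary: Host.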
Yann Ylavic [Fri, 13 Oct 2017 08:37:45 +0000 (08:37 +0000)]
Merge r1804096, r1807238, r1809981, r1810088, r1810089 from trunk:
bumping version, removing some unused code, fixes in base64url from mod_md
On the trunk:
*) mod_http2: DoS flow control protection is less aggressive as long as active tasks stay
below worker capacity. Intended to fix problems with media streaming.
On the trunk:
mod_http2: v0.10.12, removed optimization for mutex handling in bucket beams that could lead to assertion failure in edge cases.
reverting r1807238 bc not addressing the issue https://github.com/icing/mod_h2/issues/120
Joe Orton [Tue, 10 Oct 2017 17:54:32 +0000 (17:54 +0000)]
Merge r1664565 from trunk:
*) mod_rewrite: Add support for starting External Rewriting Programs
as non-root user on UNIX systems by specifying username and group name
as third argument of RewriteMap directive.
Joe Orton [Tue, 10 Oct 2017 17:51:13 +0000 (17:51 +0000)]
Merge r1808230 from trunk:
* server/protocol.c (ap_content_length_filter): Rewrite the content
length filter to avoid arbitrary memory consumption for streaming
responses (e.g. large CGI script output). Ensures C-L is still
generated in common cases (static content, small CGI script output),
but this DOES change behaviour and some responses will end up
chunked rather than C-L computed.
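The trade-off described in the commit above, as an added example that is not httpd's ap_content_length_filter(): a simplified filter that holds back body fragments only up to a fixed budget while waiting for end-of-stream. A body that completes within the budget gets a Content-Length; a longer one is released and handed on for streaming (which the HTTP layer would send chunked), so the filter's memory use is bounded regardless of how much a CGI script writes. MAX_BUFFER, the cl_filter_t accounting structure and both scenarios are constructed for the example, not httpd's values.

```c
#include <stdio.h>
#include <string.h>

/* Assumed buffering budget; httpd's own limit is not taken from the page. */
#define MAX_BUFFER 8192

typedef enum { CL_PENDING, CL_SET, CL_STREAMING } cl_mode_t;

typedef struct {
    cl_mode_t mode;
    size_t buffered;        /* bytes currently held back */
    size_t content_length;  /* valid when mode == CL_SET */
    size_t passed_down;     /* bytes released to the next filter */
    size_t max_held;        /* peak memory held by the filter */
} cl_filter_t;

static void cl_init(cl_filter_t *f)
{
    memset(f, 0, sizeof *f);
    f->mode = CL_PENDING;
}

/* Stand-in for passing a brigade to the next filter: just account for it. */
static void pass_down(cl_filter_t *f, size_t n)
{
    f->passed_down += n;
}

/* Feed one fragment of len bytes; eos != 0 marks the final fragment. */
static void cl_filter(cl_filter_t *f, size_t len, int eos)
{
    if (f->mode == CL_STREAMING) {
        pass_down(f, len);          /* nothing is held back any more */
        return;
    }
    if (f->buffered + len > MAX_BUFFER && !eos) {
        /* Body exceeds what we are willing to buffer: release everything
         * and give up on computing a length.  This is the case where the
         * response ends up chunked instead of carrying C-L. */
        f->mode = CL_STREAMING;
        pass_down(f, f->buffered + len);
        f->buffered = 0;
        return;
    }
    f->buffered += len;
    if (f->buffered > f->max_held) f->max_held = f->buffered;
    if (eos) {
        /* Whole body seen within budget: the common static/small-CGI case. */
        f->mode = CL_SET;
        f->content_length = f->buffered;
        pass_down(f, f->buffered);
        f->buffered = 0;
    }
}

/* Constructed scenario: small body, three 1000-byte fragments then EOS. */
static cl_filter_t scenario_small(void)
{
    cl_filter_t f;
    cl_init(&f);
    cl_filter(&f, 1000, 0);
    cl_filter(&f, 1000, 0);
    cl_filter(&f, 1000, 1);
    return f;
}

/* Constructed scenario: long-running script writing 100 x 4096 bytes. */
static cl_filter_t scenario_streaming(void)
{
    cl_filter_t f;
    cl_init(&f);
    for (int i = 0; i < 100; i++) cl_filter(&f, 4096, 0);
    cl_filter(&f, 0, 1);
    return f;
}

int main(void)
{
    cl_filter_t a = scenario_small();
    cl_filter_t b = scenario_streaming();
    printf("small: Content-Length: %zu, peak held %zu\n", a.content_length, a.max_held);
    printf("streaming: %s, %zu bytes passed, peak held %zu\n",
           b.mode == CL_STREAMING ? "chunked" : "C-L", b.passed_down, b.max_held);
    return 0;
}
```

The second scenario is the failure mode the rewrite addresses: before the change the filter kept accumulating until it saw EOS, so an unbounded response meant unbounded server memory; after it, peak memory stays at the budget and the bytes still all reach the client.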
Yann Ylavic [Tue, 10 Oct 2017 17:17:33 +0000 (17:17 +0000)]
Merge r1736186 from trunk:
mod_ssl: return a non-ambiguous value in ssl_callback_SessionTicket() for
encryption mode (we used to return 0, OpenSSL documents returning 1 instead).
Practically this does not change anything since OpenSSL will only check for
>= 0 return value (non error) for encryption mode (the other possible return
values are only relevant for decryption mode).
However the OpenSSL documentation for SSL_CTX_set_tlsext_ticket_key_cb()
states:
"
The return value of the cb function is used by OpenSSL to determine what
further processing will occur. The following return values have meaning:
2
This indicates that the ctx and hctx have been set and the session can
continue on those parameters. Additionally it indicates that the session
ticket is in a renewal period and should be replaced. The OpenSSL library
will call cb again with an enc argument of 1 to set the new ticket (see
RFC5077 3.3 paragraph 2).
1
This indicates that the ctx and hctx have been set and the session can
continue on those parameters.
0
This indicates that it was not possible to set/retrieve a session ticket
and the SSL/TLS session will continue by negotiating a set of
cryptographic parameters or using the alternate SSL/TLS resumption
mechanism, session ids.
If called with enc equal to 0 the library will call the cb again to get a
new set of parameters.
less than 0
This indicates an error.
"
So 0 is not appropriate in our code, 1 is what we really want (and it won't
break if OpenSSL later changes its checks on the callback return value).
Ruediger Pluem [Tue, 10 Oct 2017 05:53:35 +0000 (05:53 +0000)]
Merge r1811569 from trunk:
* The calculation of the sizes was flawed:
The index tells us the size of the node in 4096 byte pages minus 1.
Hence we need to multiply back with 4096 aka << 12 (plus adding the
missing page).
Ruediger Pluem [Mon, 9 Oct 2017 12:16:00 +0000 (12:16 +0000)]
* The calculation of the sizes was flawed:
The index tells us the size of the node in 4096 byte pages minus 1.
Hence we need to multiply back with 4096 aka << 12 (plus adding the
missing page).
Ruediger Pluem [Fri, 6 Oct 2017 07:06:10 +0000 (07:06 +0000)]
Merge r1811192, r1811285 from trunk:
* Add dump_all_pools and dump_pool_and_childs.
- dump_all_pools: Dump the whole pool hierarchy starting from apr_global_pool.
Requires an arbitrary pool as starting parameter.
- dump_pool_and_childs: Dump the whole pool hierarchy starting from
the given pool.
dump_pool_and_childs is written in Python using the GDB Python API
as doing recursive stuff in standard GDB macros is very difficult.
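The size formula from the two Ruediger Pluem commits above and the recursive walk that dump_pool_and_childs performs, together as one added example that is neither APR's code nor httpd's .gdbinit macros: a stripped-down C model of APR's pool tree (parent / child / sibling) and its memory nodes, whose index field stores the node size in 4096-byte pages minus one. Field names mirror APR's but the structs, the constructed hierarchy and the byte counts are assumptions made for the example.

```c
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>

#define BOUNDARY_INDEX 12
#define BOUNDARY_SIZE  (1u << BOUNDARY_INDEX)   /* 4096-byte pages */

/* Simplified memnode: APR stores (size >> 12) - 1 in index. */
typedef struct memnode {
    struct memnode *next;
    uint32_t index;
} memnode_t;

/* Simplified pool: tree links plus the list of nodes it owns. */
typedef struct pool {
    const char *tag;
    struct pool *parent;
    struct pool *child;      /* first child */
    struct pool *sibling;    /* next sibling */
    memnode_t *active;
} pool_t;

/* The size a node's index encodes: add the missing page back, then
 * shift by 12 to get bytes (the correction r1811569 describes). */
static size_t node_size(const memnode_t *n)
{
    return ((size_t)n->index + 1) << BOUNDARY_INDEX;
}

/* Bytes owned directly by one pool. */
static size_t pool_bytes(const pool_t *p)
{
    size_t total = 0;
    for (const memnode_t *n = p->active; n; n = n->next) {
        total += node_size(n);
    }
    return total;
}

/* Recursive dump of a pool and all its descendants; returns the bytes
 * held by the whole subtree. This is the recursion that is awkward in
 * plain GDB macros and easy in a real language. */
static size_t dump_pool_and_childs(const pool_t *p, int depth)
{
    size_t own = pool_bytes(p);
    size_t subtree = own;
    printf("%*sPool '%s' [%p]: %zu bytes\n", depth * 2, "", p->tag,
           (const void *)p, own);
    for (const pool_t *c = p->child; c; c = c->sibling) {
        subtree += dump_pool_and_childs(c, depth + 1);
    }
    return subtree;
}

/* Climb to the root (APR's global pool) from any pool, then dump all. */
static size_t dump_all_pools(const pool_t *any_pool)
{
    const pool_t *root = any_pool;
    while (root->parent) root = root->parent;
    return dump_pool_and_childs(root, 0);
}

/* Constructed hierarchy (sizes chosen for the example):
 *   global (4096)
 *     +-- pconf  (8192 + 4096)
 *     |     +-- request (16384)
 *     +-- pchild (4096)
 */
static memnode_t n_global = { NULL, 0 };
static memnode_t n_pconf2 = { NULL, 0 };
static memnode_t n_pconf1 = { &n_pconf2, 1 };
static memnode_t n_req    = { NULL, 3 };
static memnode_t n_pchild = { NULL, 0 };

static pool_t p_global, p_conf, p_child, p_req;

static const pool_t *build_tree(void)
{
    p_global = (pool_t){ "global",  NULL,      &p_conf, NULL,     &n_global };
    p_conf   = (pool_t){ "pconf",   &p_global, &p_req,  &p_child, &n_pconf1 };
    p_child  = (pool_t){ "pchild",  &p_global, NULL,    NULL,     &n_pchild };
    p_req    = (pool_t){ "request", &p_conf,   NULL,    NULL,     &n_req };
    return &p_req;   /* any pool is a valid starting point */
}

int main(void)
{
    printf("total: %zu bytes\n", dump_all_pools(build_tree()));
    return 0;
}
```

Without the "+ 1" and the shift, a node with index 0 would be reported as zero bytes instead of one 4096-byte page, which is the flaw the size calculation had.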
We no longer bundle APR at all, I don't know that many of these
licenses belong in *this* project repository.
But APR no longer bundles expat at all, making two of those
licenses very archaic - and note they did not reflect the current
LICENSE file contents of the component.
Opinions on leaving it up to repos/asf/apr/apr/trunk/LICENSE
to document other licenses on their project, since we simply are
a consumer of another component, and no longer bundle that?
event: Avoid possible blocking in the listener thread when shutting down
connections. PR 60956.
start_lingering_close_nonblocking() now puts connections in defer_linger_chain
which is emptied by any worker thread (all atomically) after its usual work,
hence any possibly blocking flush and lingering close run outside the listener.
The listener may create a dedicated worker if it fills defer_linger_chain or
while it's not empty, calling push2worker with a NULL cs.
The state machine in process_socket() is slightly modified to be able to enter
with CONN_STATE_LINGER directly w/o clogging_input_filters to interfere.
New abort_socket_nonblocking() allows to reset connections when nonblocking is
required and we can't do much about the connection anymore, nor we want the
system to linger on its own after close().
Many thanks to Stefan Priebe for his heavy testing on many event's changes!
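The defer_linger_chain mechanism described above, as an added example that is not the event MPM's code: a lock-free singly linked chain using C11 atomics in place of APR's apr_atomic_casptr(). The listener pushes a connection it must not block on in O(1); a worker later takes the whole chain in one atomic exchange and runs the possibly blocking flush and lingering close outside the listener. event_conn_state_t here is a stand-in with only the fields the example needs, and the connection identifiers and demo() scenario are constructed.

```c
#include <stdatomic.h>
#include <stdio.h>
#include <stddef.h>

/* Stripped-down stand-in for the real event_conn_state_t. */
typedef struct event_conn_state_t {
    int fd;                              /* constructed identifier */
    int lingered;                        /* set once a worker closed it */
    struct event_conn_state_t *chain;    /* next entry in defer_linger_chain */
} event_conn_state_t;

static _Atomic(event_conn_state_t *) defer_linger_chain = NULL;

/* Listener side: push without locking or blocking.  A CAS loop, like
 * the apr_atomic_casptr() loop in the real code; on failure head is
 * refreshed by the compare-exchange and the link is re-set. */
static void push_defer_linger(event_conn_state_t *cs)
{
    event_conn_state_t *head = atomic_load(&defer_linger_chain);
    do {
        cs->chain = head;
    } while (!atomic_compare_exchange_weak(&defer_linger_chain, &head, cs));
}

/* Stand-in for the flush + lingering close that may block on the socket. */
static void lingering_close(event_conn_state_t *cs)
{
    cs->lingered = 1;
    printf("worker: lingering close of fd %d\n", cs->fd);
}

/* Worker side, run after its usual work: take the entire chain at once
 * and drain it.  Returns the number of connections closed. */
static int process_defer_linger_chain(void)
{
    event_conn_state_t *cs = atomic_exchange(&defer_linger_chain, NULL);
    int n = 0;
    while (cs) {
        event_conn_state_t *next = cs->chain;
        cs->chain = NULL;
        lingering_close(cs);
        cs = next;
        n++;
    }
    return n;
}

static int chain_is_empty(void)
{
    return atomic_load(&defer_linger_chain) == NULL;
}

/* Constructed scenario: during shutdown the listener defers three
 * connections, then one worker drains all of them. */
static int demo(void)
{
    static event_conn_state_t conns[3] = {
        {10, 0, NULL}, {11, 0, NULL}, {12, 0, NULL}
    };
    for (int i = 0; i < 3; i++) push_defer_linger(&conns[i]);
    return process_defer_linger_chain();
}

int main(void)
{
    printf("closed %d deferred connections, chain empty: %d\n",
           demo(), chain_is_empty());
    return 0;
}
```

Taking the whole chain with a single exchange is what keeps the worker from racing with further listener pushes: anything pushed after the exchange simply lands on a fresh chain for the next worker to drain.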
Jim Jagielski [Tue, 19 Sep 2017 10:15:00 +0000 (10:15 +0000)]
Merge r1729235, r1730079, r1801665 from trunk:
Exclude MPM modules from automatic LoadModule
enabling when configure was called with
-enable-load-all-modules. The default MPM
should still get enabled automatically.
Use different variables to track normal
modules and MPMs during build.
Normal modules and MPMs follow different
rules in the config, e.g. we are only
allowed to have one active LoadModule
for an MPM in the config.
As a side effect, LoadModule for MPMs
will now come before LoadModule for
the normal modules.
Jim Jagielski [Mon, 18 Sep 2017 13:05:46 +0000 (13:05 +0000)]
Merge r1801594 from trunk:
Add logic to read the Upgrade header and use it in the response.
Use when you are proxying to a server that has multiple upgrades on the same IP/Port.
PR 61142