Jim Jagielski [Tue, 17 Oct 2017 18:48:24 +0000 (18:48 +0000)]
Merge r1812263, r1812301 from trunk:
Fix maintainer mode with GCC/Clang.
Setting -Wstrict-prototypes in combination
with -Werror leads to compiler errors during
configure checks (autoconf generates incomplete
prototypes).
Adding -Wno-error=strict-prototypes lets the
compiler tolerate those.
Possible future enhancement: remember such
"configure time only" flags and remove them
from CFLAGS before generating our build time
files (Makefile, config_vars.mk etc.), so that
the full -Werror is in place during building.
Follow up to r1812263.
As suggested by Joe, add --maintainer/debugger-mode's CFLAGS in
NOTEST_CFLAGS to avoid interractions with autoconf's AC_LANG_PROGRAM.
APACHE_ADD_GCC_CFLAG now also forces -Wno-strict-prototypes for -Werror
to work despite AC_LANG_PROGRAM generating this warning by itself.
Submitted by: rjung, ylavic
Reviewed by: ylavic, rjung, jim
Rainer Jung [Tue, 17 Oct 2017 18:38:29 +0000 (18:38 +0000)]
Rephrase comments by Yann in order to hopefully
make the current situation clearer.
I hope the new text is OK for Yann, otherwise I
could revert and add as my own comment.
i think r1812339 should be an integral part of
the mod_journald backport and currently we do not
have any obstacle for the configure.in proposal.
The ap_expr fix was already backported, the
mod_remoteip fix does not apply to the 2.4 code
and the mod_journald fix IMHO should be voted and
applied together with the pending mod_journald
backport.
util_expr_eval.c: In function ‘ap_expr_eval_re_backref’:
util_expr_eval.c:265:63: error: comparison between pointer and zero character constant [-Werror=pointer-compare]
if (!ctx->re_pmatch || !ctx->re_source || *ctx->re_source == '\0' ||
Same committer shipped a release with one well known broken platform within
days of proposing a showstopper for a platform. This specific platform is not
even universally broken, but only for maintainer mode builds, and same has
upvoted a backport which can't compile in maintainer mode. Confused yet?
It might also be why this well-reasoned patch gathered little review, since
it was parked in a more obscure place?
Yann Ylavic [Fri, 13 Oct 2017 08:42:57 +0000 (08:42 +0000)]
Merge r1808746, r1809028 from trunk:
mod_rewrite/core: avoid the 'Vary: Host' header
In PR 58231 is was brought up that httpd adds the
Vary: Host header whenever a condition is set to true
in mod_rewrite or in an <If> block.
The https://tools.ietf.org/html/rfc7231#section-7.1.4
section seems to disallow this use case:
"The "Vary" header field in a response describes "
"what parts of a request message, "
"aside from the method, Host header field, [...]"
I had a chat with the folks in #traffic-server and
they don't see much point in having a Vary: Host header,
plus it was reported that Varnish doesn't like it very
much (namely it does not cache the response when
it sees the header, links of the report in the PR).
I don't see much value in this behavior of httpd so
I am inclined to remove this response header value,
but I'd be glad to get a more experienced opinion.
mod_rewrite,core: avoid Vary:Host (part 2)
This is a follow up of r1808746 after a chat
with Yann on dev@:
- the HTTP:Host variable suffers from the same problem
- the strcasecmp should be used to allow case-sensitive
comparisons.
- in mod_rewrite is less cumbersome and more clean to just
make the Host header check in lookup_header, so it will
be automatically picked up by every part of the code
that uses it. It shouldn't be a relevant overhead for
mod_rewrite.
Yann Ylavic [Fri, 13 Oct 2017 08:37:45 +0000 (08:37 +0000)]
Merge r1804096, r1807238, r1809981, r1810088, r1810089 from trunk:
bumping version, removing some unused code, fixes in base64url from mod_md
On the trunk:
*) mod_http2: DoS flow control protection is less agressive as long as active tasks stay
below worker capacity. Intended to fix problems with media streaming.
On the trunk:
mod_http2: v0.10.12, removed optimization for mutex handling in bucket beams that could lead to assertion failure in edge cases.
reverting r1807238 bc not addressing the issue https://github.com/icing/mod_h2/issues/120
Joe Orton [Tue, 10 Oct 2017 17:54:32 +0000 (17:54 +0000)]
Merge r1664565 from trunk:
*) mod_rewrite: Add support for starting External Rewriting Programs
as non-root user on UNIX systems by specifying username and group name
as third argument of RewriteMap directive.
Joe Orton [Tue, 10 Oct 2017 17:51:13 +0000 (17:51 +0000)]
Merge r1808230 from trunk:
* server/protocol.c (ap_content_length_filter): Rewrite the content
length filter to avoid arbitrary memory consumption for streaming
responses (e.g. large CGI script output). Ensures C-L is still
generated in common cases (static content, small CGI script output),
but this DOES change behaviour and some responses will end up
chunked rather than C-L computed.
Yann Ylavic [Tue, 10 Oct 2017 17:17:33 +0000 (17:17 +0000)]
Merge r1736186 from trunk:
mod_ssl: return non ambiguous value in ssl_callback_SessionTicket() for
encryption mode (we used to return 0, OpenSSL documents returning 1 instead).
Practically this does not change anything since OpenSSL will only check for
>= 0 return value (non error) for encryption mode (the other possible return
values are only relevant for decryption mode).
However the OpenSSL documentation for SSL_CTX_set_tlsext_ticket_key_cb()
states:
"
The return value of the cb function is used by OpenSSL to determine what
further processing will occur. The following return values have meaning:
2
This indicates that the ctx and hctx have been set and the session can
continue on those parameters. Additionally it indicates that the session
ticket is in a renewal period and should be replaced. The OpenSSL library
will call cb again with an enc argument of 1 to set the new ticket (see
RFC5077 3.3 paragraph 2).
1
This indicates that the ctx and hctx have been set and the session can
continue on those parameters.
0
This indicates that it was not possible to set/retrieve a session ticket
and the SSL/TLS session will continue by by negotiating a set of
cryptographic parameters or using the alternate SSL/TLS resumption
mechanism, session ids.
If called with enc equal to 0 the library will call the cb again to get a
new set of parameters.
less than 0
This indicates an error.
"
So 0 is not appropriate in our code, 1 is what we really want (and it won't
break if OpenSSL later changes its checks on the callback return value).
Ruediger Pluem [Tue, 10 Oct 2017 05:53:35 +0000 (05:53 +0000)]
Merge r1811569 from trunk:
* The calculation of the sizes was flawed:
The index tells us the size of the node in 4096 byte pages minus 1.
Hence we need to multiply back with 4096 aka << 12 (plus adding the
missing page).
Ruediger Pluem [Mon, 9 Oct 2017 12:16:00 +0000 (12:16 +0000)]
* The calculation of the sizes was flawed:
The index tells us the size of the node in 4096 byte pages minus 1.
Hence we need to multiply back with 4096 aka << 12 (plus adding the
missing page).
Ruediger Pluem [Fri, 6 Oct 2017 07:06:10 +0000 (07:06 +0000)]
Merge r1811192, r1811285 from trunk:
* Add dump_all_pools and dump_pool_and_childs.
- dump_all_pools: Dump the whole pool hierarchy starting from apr_global_pool.
Requires an arbitrary pool as starting parameter.
- dump_pool_and_childs: Dump the whole pool hierarchy starting from
the given pool.
dump_pool_and_childs is written in Python using the GDB Python API
as doing recursive stuff in standard GDB macros is very difficult.
We no longer bundle APR at all, I don't know that many of these
licenses belong in *this* project repository.
But APR no longer bundles expat at all, making two of those
licenses very archaic - and note they did not reflect the current
LICENSE file contents of the component.
Opinions on leaving it up to repos/asf/apr/apr/trunk/LICENSE
to document other licenses on their project, since we simply are
a consumer of another component, and no longer bundle that?
projects / apache / log