Joe Orton [Thu, 8 Aug 2019 12:11:36 +0000 (12:11 +0000)]
* modules/proxy/mod_proxy_balancer.c (balancer_handler): Check Referer
to improve on protection against balancer-manager XSRF attacks
provided by the nonce.
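A same-origin Referer check of the kind this commit describes, as an added stand-alone example in plain C (not httpd's code; the function names, the rejection of a missing Referer and the sample hostnames are assumptions made here):

```c
#include <string.h>
#include <strings.h>
#include <stddef.h>

/* Copy the authority (host[:port]) of an absolute http(s) URL into out.
 * Returns 0 on success, -1 if the URL is not absolute http(s), carries
 * userinfo, or does not fit. */
static int url_authority(const char *url, char *out, size_t outlen)
{
    const char *p;
    size_t n;
    if (strncasecmp(url, "https://", 8) == 0) p = url + 8;
    else if (strncasecmp(url, "http://", 7) == 0) p = url + 7;
    else return -1;
    n = strcspn(p, "/?#");
    /* Reject "user@host": anything before '@' is not the real host. */
    if (memchr(p, '@', n) != NULL) return -1;
    if (n == 0 || n >= outlen) return -1;
    memcpy(out, p, n);
    out[n] = '\0';
    return 0;
}

/* Same-origin check for a state-changing request: accept only when the
 * Referer is an absolute URL whose authority equals the host the server
 * is configured to answer on. A missing Referer is rejected (assumption
 * for this example). Returns 1 to accept, 0 to refuse. */
int referer_matches_host(const char *referer, const char *host)
{
    char auth[256];
    if (referer == NULL || host == NULL || *host == '\0') return 0;
    if (url_authority(referer, auth, sizeof auth) != 0) return 0;
    return strcasecmp(auth, host) == 0;
}
```

The host compared against must come from server configuration (for httpd, the vhost's ServerName), not from an unvalidated Host header; the check complements the nonce rather than replacing it, since Referer can be suppressed by the client.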
Joe Orton [Tue, 6 Aug 2019 07:54:24 +0000 (07:54 +0000)]
* modules/filters/mod_proxy_html.c, modules/filters/mod_xml2enc.c:
Fix gcc 9 warnings in code attempting to reduce gcc warnings.
(should have used expat...)
mod_xml2enc.c:26:28: warning: "/*" within comment [-Wcomment]
26 | /* libxml2 includes unicode/*.h files which uses C++ comments */
|
mod_proxy_html.c:32:28: warning: "/*" within comment [-Wcomment]
32 | /* libxml2 includes unicode/*.h files which uses C++ comments */
|
Rainer Jung [Mon, 5 Aug 2019 14:18:22 +0000 (14:18 +0000)]
The GCC flag "-Wno-error=comment" introduced by r1855446
and r1850745 is only known since GCC 4.2. Since it gets
set unconditionally, this breaks compilation with old GCC
even when not using maintainer mode.
Make the fix for maintainer mode more specific by using
a version dependent pragma in the relevant two C files
only switching off error status for comment warnings.
Stefan Eissing [Mon, 5 Aug 2019 11:29:58 +0000 (11:29 +0000)]
*) mod_ssl: reverting a 2.4.40 change where a superfluous SSLCertificateChainFile configuration
for a domain managed by mod_md caused a startup error. This happened when mod_md installed
its fallback certificate, before it got the first real certificate from Let's Encrypt.
Eric Covener [Thu, 1 Aug 2019 13:58:45 +0000 (13:58 +0000)]
don't mess with AP_ENABLE_EXCEPTION_HOOK on trunk
mpm_common defines it later anyway:
In file included from mod_md.c:25:
In file included from /Users/covener/SRC/httpd-trunk/include/mpm_common.h:40:
In file included from /Users/covener/SRC/httpd-trunk/include/ap_config.h:184:
/Users/covener/SRC/httpd-trunk/include/ap_config_auto.h:11:9: error: 'AP_ENABLE_EXCEPTION_HOOK' macro redefined [-Werror,-Wmacro-redefined]
Stefan Eissing [Thu, 18 Jul 2019 12:31:01 +0000 (12:31 +0000)]
*) mod_http2: core setting "LimitRequestFieldSize" is not additionally checked on
merged header fields, just as HTTP/1.1 does. [Stefan Eissing, Michael Kaufmann]
Joe Orton [Wed, 17 Jul 2019 07:51:53 +0000 (07:51 +0000)]
mod_cgid: Continuation of r1862968, experimental fd passing support.
Split out CGI bucket implementation from mod_cgi and use in both
mod_cgi and mod_cgid, bringing stderr handling in mod_cgid up to par
with mod_cgi. (There is a lot of code which has been copied between
mod_cgi{,d} so there's scope for further reduction of source
duplication between the modules using this header)
* modules/generators/cgi_common.h: Copied from mod_cgi.c, removed
everything but the CGI bucket implementation with only one change:
(struct cgi_bucket_data, cgi_bucket_create, cgi_bucket_read): Take a
timeout on bucket creation, store and use on reads.
* modules/generators/mod_cgi.c [APR_FILES_AS_SOCKETS]: Include
cgi_common.h.
(cgi_handler): Pass configured timeout to CGI bucket.
* modules/generators/mod_cgid.c: Include cgi_common.h.
(log_script_err): Copy from mod_cgi.c.
(log_script): Use log_script_err.
(send_req): Take fd for stderr.
(cgid_child_errfn): Handle fd-passing case by writing error
to stderr for client to pass through ap_log_rerror.
(cgid_handler): Create pipe for stderr, pass write-end to
server via send_req, use read-end to create CGI bucket. Handle
stderr output in failure paths.
Joe Orton [Fri, 12 Jul 2019 12:09:04 +0000 (12:09 +0000)]
Add experimental support for fd passing in mod_cgid. Attaches CGI
script stderr to the error log specific to the vhost, by passing the
appropriate fd over the AF_UNIX socket from the request handling
thread to the cgid server process.
* modules/generators/mod_cgid.c (sock_readhdr): New function, also
returns auxiliary control data (the stderr fd) if available.
(sock_write): Take optional aux fd argument, send it as control
data. (send_req, get_req): Adjust accordingly to pass/receive the
stderr fd.
(cgid_server): Use passed fd if available, limit the lifetime.
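The SCM_RIGHTS mechanism that the two mod_cgid fd-passing commits above rely on, as an added stand-alone example in C (not httpd's code; send_fd, recv_fd and demo_roundtrip are names assumed here, and the self-test passes a pipe end in place of the error-log fd):

```c
#include <sys/socket.h>
#include <sys/uio.h>
#include <string.h>
#include <unistd.h>

/* Control-message buffer sized for exactly one passed fd. */
typedef union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } fdctl_t;

/* Send one payload byte with fd_to_send attached as SCM_RIGHTS control data. */
int send_fd(int sock, int fd_to_send)
{
    char byte = 'F';
    struct iovec iov = { &byte, 1 };
    fdctl_t ctl; struct msghdr msg; struct cmsghdr *cmsg;
    memset(&ctl, 0, sizeof ctl); memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov; msg.msg_iovlen = 1;
    msg.msg_control = ctl.buf; msg.msg_controllen = sizeof ctl.buf;
    cmsg = CMSG_FIRSTHDR(&msg);
    cmsg->cmsg_level = SOL_SOCKET; cmsg->cmsg_type = SCM_RIGHTS;
    cmsg->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cmsg), &fd_to_send, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive one byte; return the fd carried in control data, or -1 if none. */
int recv_fd(int sock)
{
    char byte; int fd = -1;
    struct iovec iov = { &byte, 1 };
    fdctl_t ctl; struct msghdr msg; struct cmsghdr *cmsg;
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov; msg.msg_iovlen = 1;
    msg.msg_control = ctl.buf; msg.msg_controllen = sizeof ctl.buf;
    if (recvmsg(sock, &msg, 0) != 1) return -1;
    for (cmsg = CMSG_FIRSTHDR(&msg); cmsg; cmsg = CMSG_NXTHDR(&msg, cmsg))
        if (cmsg->cmsg_level == SOL_SOCKET && cmsg->cmsg_type == SCM_RIGHTS)
            memcpy(&fd, CMSG_DATA(cmsg), sizeof(int));
    return fd;
}

/* Self-test: pass a pipe's write end over a socketpair, write via the copy. */
int demo_roundtrip(void)
{
    int sp[2], p[2], got; char c = 0;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sp) < 0 || pipe(p) < 0) return -1;
    if (send_fd(sp[0], p[1]) < 0 || (got = recv_fd(sp[1])) < 0) return -1;
    if (write(got, "x", 1) != 1 || read(p[0], &c, 1) != 1) return -1;
    close(got); close(sp[0]); close(sp[1]); close(p[0]); close(p[1]);
    return c == 'x' ? 0 : -1;
}
```

The receiving side owns a new descriptor number that it must close itself, which is why the commit limits the lifetime of the passed fd in the server process.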
Stefan Eissing [Wed, 10 Jul 2019 10:18:15 +0000 (10:18 +0000)]
*) mod_http2: fixed a bug that prevented proper stream cleanup when connection
throttling was in place. Stream resets by clients on streams initiated by them
are counted as possible trigger for throttling.
Stefan Eissing [Tue, 9 Jul 2019 16:57:59 +0000 (16:57 +0000)]
* moving the openssl related new hooks into mod_ssl_openssl.h
* changing type parameter to openssl types
* adding explanation of return value in get_stapling_status()
* adding array element description for add_cert_files and add_fallback_cert_files hooks
Stefan Eissing [Wed, 3 Jul 2019 13:46:31 +0000 (13:46 +0000)]
*) mod_http2/mpm_event: Fixes the behaviour when an HTTP/2 connection has nothing
more to write with streams ongoing (flow control block). The timeout waiting
for the client to send WINDOW_UPDATE was incorrectly KeepAliveTimeout and not
Timeout as it should be. Fixes PR 63534. [Yann Ylavic, Stefan Eissing]
Stefan Eissing [Mon, 1 Jul 2019 14:22:04 +0000 (14:22 +0000)]
*) mod_ssl/mod_md:
Adding 2 new hooks for init/get of OCSP stapling status information when
other modules want to provide those. Falls back to own implementation with
same behaviour as before.
Ruediger Pluem [Fri, 28 Jun 2019 08:50:31 +0000 (08:50 +0000)]
* Replace apr_psprintf with apr_pstrcat where the format strings only
contain %s to improve efficiency. Leave out error messages as they
are not on a critical code path and error messages become less readable
when taking out the format specifiers.
Joe Orton [Thu, 27 Jun 2019 09:06:56 +0000 (09:06 +0000)]
* docs/conf/magic: Allow mod_mime_magic to return "audio/x-wav" for
WAV files, and omit returning "audio/unknown" for other RIFF
format files. Having a MIME type defined on a continuation line
*and* the preceding top-level match breaks mod_mime_magic, which
treats the second result "printed" as the MIME encoding. Neither
audio/x-wav nor audio/unknown is IANA registered, though Firefox
and Chrome both appear to recognize the former. Since the RIFF
format can contain non-audio media, returning audio/unknown as
a fallback for all RIFF files appears to be bogus anyway.
Stefan Eissing [Tue, 25 Jun 2019 15:21:10 +0000 (15:21 +0000)]
*) mod_ssl/mod_md: reversing dependency by letting mod_ssl offer hooks for
adding certificates and keys to a virtual host. An additional hook allows
answering special TLS connections as used in ACME challenges.
Joe Orton [Tue, 25 Jun 2019 08:54:01 +0000 (08:54 +0000)]
Simplify handling of short-lived pool for dav_propdb in mod_dav. No
functional change.
* modules/dav/main/props.c (dav_popen_propdb): Rename from
dav_open_propdb, take a pool argument.
(dav_open_propdb): Reimplement in terms of above, using
r->pool.
(dav_propfind_walker): Switch to using dav_open_propdb
with scratchpool.
Stefan Eissing [Mon, 24 Jun 2019 16:04:32 +0000 (16:04 +0000)]
*) mod_md: bringing over v2.0.6 from github.
- supports the ACMEv2 protocol
- supports the new challenge method 'tls-alpn-01'
- supports command configuration to setup/teardown 'dns-01' challenges
- supports wildcard certificates when dns challenges are configured
- ACMEv2 is the new default and will be used on the next certificate renewal,
unless another MDCertificateAuthority is configured
- challenge type 'tls-sni-01' has been removed as CAs do not offer this any longer
- a domain exposes its status at https://<domain>/.httpd/certificate-status
- Managed Domains are now in Apache's 'server-status' page
- A new handler 'md-status' exposes verbose status information in JSON format
- new directives "MDCertificateFile" and "MDCertificateKeyFile" to configure a
Managed Domain that uses static files. Auto-renewal is turned off for those.
- new MDMessageCmd that is invoked on several events: 'renewed', 'expiring' and
'errored'. New 'MDWarnWindow' directive to configure when expiration warnings
shall be issued.
- ACMEv2 endpoints use the GET via empty POST way of accessing resources, see
announcement by Let's Encrypt:
https://community.letsencrypt.org/t/acme-v2-scheduled-deprecation-of-unauthenticated-resource-gets/74380
Graham Leggett [Sun, 23 Jun 2019 21:10:23 +0000 (21:10 +0000)]
After reinstatement of DSO support in APR/APR-util, revert r1837437,
r1837435, r1834553, r1833598, r1833452, r1833383, r1833368.
Undoes the following:
mod_ssl: OpenSSL now initializes fully through APR, use that.
mod_ssl: build with LibreSSL.
LibreSSL seems to be openssl-1.1 API compatible only in version 2.8 (master).
So use that for MODSSL_USE_OPENSSL_PRE_1_1_API instead of 2.7, the two 2.7
compatibility-exceptions are handled explicitly but overall it's simpler.
Regarding CRYPTO_malloc_init vs OPENSSL_malloc_init, libreSSL uses none, the
former used to be a no-op but depends on LIBRESSL_INTERNAL in latest versions,
while the latter has never been (and will never be) defined. So don't call any
with LibreSSL.
Follow up to r1833368: share openssl between modules.
Both libapr[-util], the core PRNG, mod_ssl, mod_crypto and mod_session_crypto
can use the same crypto library (e.g. openssl), use the new APR crypto loading
API so that they can work together and initialize/terminate the lib either once
for all or on demand and reusable by the others.
Follow up to r1833368: apr_crypto_prng_after_fork() now uses a PID.
Make use of the new apr_crypto_rng API if available.
Joe Orton [Fri, 21 Jun 2019 13:30:17 +0000 (13:30 +0000)]
* configure.in, acinclude.m4: Inline APACHE_GEN_MAKEFILES in AC_CONFIG_COMMANDS
and run during the "normal" phase of ./config.status rather than as init-cmds.
Joe Orton [Thu, 20 Jun 2019 13:00:37 +0000 (13:00 +0000)]
Add an --enable-reduced-exports configure option to link libmain.a
using ld's --whole-archive mode and avoid building exports.c entirely.
This reduces the size of a minimal httpd binary by 18% on Linux/x86_64
(687K to 560K) with no difference to the set of symbols available to
modules.
This option is only appropriate to use if using a shared libapr*
build, hence is non-default.
* configure.in: Add --enable-reduced-exports; disable httpdunit build
if used. Define AP_FORCE_EXPORTS if not enabled (default) in place
of AP_USING_AUTOCONF.
* server/main.c (ap_suck_in_APR): Only build if AP_FORCE_EXPORTS is
defined.
* Makefile.in: Link libmain.la using LIBMAIN_LIB.
* server/Makefile.in: Conditionally build exports.c into libmain.
Eric Covener [Mon, 17 Jun 2019 18:35:24 +0000 (18:35 +0000)]
add RedirectRelative directive to allow relative Redirect targets
2616 forbade relative redirect URLs, but 7231 allows them
Early 2.2 maintenance levels did not fix them up, but later 2.2 and all 2.4
fixed them up with ap_construct_url().
Allow opt-in to not fixing up relative URLs with RedirectRelative
Follow up to r1847232.
There is no point in using "old" numbers in a recent commit.
Also avoid number duplication. The messages are the same but in different code paths, so having different numbers makes sense.
This also avoids a warning when running:
make update-log-msg-tags
Joe Orton [Thu, 13 Jun 2019 15:34:28 +0000 (15:34 +0000)]
* modules/ssl/ssl_engine_config.c (ssl_cmd_check_file):
If dumping the config, don't validate the paths. Allows
e.g. "httpd -L" to work w/ certs configured but not present,
doesn't affect "httpd -t".