Joe Orton [Fri, 17 Nov 2017 17:14:32 +0000 (17:14 +0000)]
* modules/ssl/ssl_engine_kernel.c (ssl_hook_UserCheck): Check username
does not contain a colon before constructing Authorization header
for FakeBasicAuth mode. (Also constify 'user' variable.)
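Why the colon check in the ssl_hook_UserCheck entry above matters, as an added example that is not mod_ssl's code: Basic credentials are the string "user:password" (base64-encoded in the header) and the receiver splits at the first colon, so a certificate-derived name containing a colon would be parsed back as a different user. The function names, the fixed "password" string and the subject names are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* Split decoded Basic credentials at the FIRST colon (RFC 7617 rule).
 * Returns 0 on success, -1 if there is no colon or the user part overflows. */
static int split_basic(const char *cred, char *user, size_t ulen, const char **pw)
{
    const char *colon = strchr(cred, ':');
    if (colon == NULL || (size_t)(colon - cred) >= ulen)
        return -1;
    memcpy(user, cred, (size_t)(colon - cred));
    user[colon - cred] = '\0';
    *pw = colon + 1;
    return 0;
}

/* Build the "user:password" string that would be base64-encoded into the
 * faked Authorization header. Returns -1 if the certificate-derived name
 * contains a colon or the result does not fit in the buffer. */
static int build_fake_cred(const char *user, char *out, size_t outlen)
{
    if (strchr(user, ':') != NULL)
        return -1;                      /* ambiguous name: refuse to fake auth */
    int n = snprintf(out, outlen, "%s:password", user);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Returns 1 if the name survives a build/split round trip unchanged. */
static int round_trips(const char *user)
{
    char cred[256], parsed[256];
    const char *pw;
    if (build_fake_cred(user, cred, sizeof cred) != 0)
        return 0;
    if (split_basic(cred, parsed, sizeof parsed, &pw) != 0)
        return 0;
    return strcmp(parsed, user) == 0 && strcmp(pw, "password") == 0;
}

int main(void)
{
    /* Constructed subject names, not taken from any real certificate. */
    printf("%d\n", round_trips("/C=US/O=Example/CN=alice"));       /* 1 */
    printf("%d\n", round_trips("/C=US/O=Example/CN=alice:extra")); /* 0 */
    return 0;
}
```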
Stefan Eissing [Thu, 16 Nov 2017 16:50:58 +0000 (16:50 +0000)]
On the trunk:
mod_md v1.0.3: fixes for getting stalled on new license agreement from CA. Job properties persisted now to preserve change when watchdog child changes.
Follow up to r1815264
Get items in dsw files, BuildBin.dsp that didn't make 1815264
Make sure abs builds before a2md so applink.c in OpenSSL 1.1.0 gets copied
into same location as it exists in 1.0.2.
Luca Toscano [Sat, 11 Nov 2017 19:20:01 +0000 (19:20 +0000)]
core: silently ignore a nonexistent file path when IncludeOptional
is used.
In https://bz.apache.org/bugzilla/show_bug.cgi?id=57585 some use cases
were reported in which IncludeOptional seems to be too strict in its
sanity checks.
This change is a proposal to relax IncludeOptional checks to silently
fail when a file path is nonexistent rather than returning SyntaxError.
Rainer Jung [Sat, 11 Nov 2017 10:36:17 +0000 (10:36 +0000)]
Look for serf-1 instead of serf-0 during configure.
Using a fixed major version might not be the best
choice but using a fixed outdated one is even worse.
Yann Ylavic [Thu, 2 Nov 2017 21:49:43 +0000 (21:49 +0000)]
mpm_unix(es): cleanup properly on exit in one_process mode.
We can't destroy ap_pglobal because clean_child_exit() runs in DSO which would
be unloaded under us, so use atexit() to defer the final apr_terminate().
Improve mod_proxy_html doc
- add some links and color highlight
- remove some <var> (i.e. italic) around parameters that should be written unmodified (On|Off...)
Stefan Eissing [Mon, 30 Oct 2017 14:27:18 +0000 (14:27 +0000)]
*) mod_http2: avoid unnecessary data retrieval for a trace log. Allow certain
information retrievals on null bucket beams where it makes sense. [Stefan Eissing]
unixd.c: In function ‘ap_unixd_mpm_set_signals’:
unixd.c:579:5: error: implicit declaration of function ‘apr_signal’; did you mean ‘strsignal’? [-Werror=implicit-function-declaration]
apr_signal(SIGPIPE, SIG_IGN);
^~~~~~~~~~
strsignal
Not sure where it comes from, maybe related to r1812301.
Stefan Eissing [Mon, 23 Oct 2017 11:55:33 +0000 (11:55 +0000)]
On the trunk:
*) mod_md: v1.0.1, ServerName/Alias names from pure-http: virtual hosts are no longer
auto-added to a Managed Domain. Error counts of jobs are persisted. When the server
restarts (gracefully) any errored staging areas are purged to reset the signup/renewal
process.
Rainer Jung [Mon, 16 Oct 2017 21:41:15 +0000 (21:41 +0000)]
Fix format pattern (%lu => %APR_SIZE_T_FMT).
Detected by maintainer mode compilation and GCC error:
.../modules/metadata/mod_remoteip.c:
In function 'remoteip_input_filter':
.../include/http_log.h:117:33:
error: format '%lu' expects argument of type
'long unsigned int', but argument 8 has type
'apr_size_t {aka unsigned int}' [-Werror=format=]
util_expr_eval.c: In function ‘ap_expr_eval_re_backref’:
util_expr_eval.c:265:63: error: comparison between pointer and zero character constant [-Werror=pointer-compare]
if (!ctx->re_pmatch || !ctx->re_source || *ctx->re_source == '\0' ||
Rainer Jung [Mon, 16 Oct 2017 09:22:38 +0000 (09:22 +0000)]
Fix maintainer mode with GCC/Clang.
Setting -Wstrict-prototypes in combination
with -Werror leads to compiler errors during
configure checks (autoconf generates incomplete
prototypes).
Adding -Wno-error=strict-prototypes lets the
compiler tolerate those.
Possible future enhancement: remember such
"configure time only" flags and remove them
from CFLAGS before generating our build time
files (Makefile, config_vars.mk etc.), so that
the full -Werror is in place during building.
Yann Ylavic [Sat, 14 Oct 2017 16:27:14 +0000 (16:27 +0000)]
Follow up to r1740928: including NOT_IN_PROXY in NOT_IN_DIR_LOC_FILE is both
incomplete and not backportable, fix it by introducing NOT_IN_DIR_CONTEXT and
restoring NOT_IN_DIR_LOC_FILE to its previous value.
Per ap_check_cmd_context(), NOT_IN_DIR_LOC_FILE actually/really means "not in
any directory context", while the definition itself does not include all the
existing directory contexts (e.g. <Limit>, or <Proxy> before r1740928).
This is a bit of a misnomer, at least, so instead of (ab)using it by adding the
missing contexts (in an incompatible way), let's define NOT_IN_DIR_CONTEXT to
really exclude all directory context (i.e. NOT_IN_DIR_LOC_FILE + NOT_IN_LIMIT +
NOT_IN_PROXY) and use it wherever NOT_IN_DIR_LOC_FILE was used.
This is by itself a major MMN bump (modules not compiled with this commit and
having directives checked against NOT_IN_DIR_LOC_FILE won't be caught the same
way by NOT_IN_DIR_CONTEXT in the new ap_check_cmd_context() code), but with the
below change, 2.4.x should work as before:
- if ((forbidden & NOT_IN_DIR_CONTEXT) == NOT_IN_DIR_CONTEXT) {
+ if ((forbidden & NOT_IN_DIR_LOC_FILE) == NOT_IN_DIR_LOC_FILE) {
if (cmd->path != NULL) {
return apr_pstrcat(cmd->pool, cmd->cmd->name, gt,
- " cannot occur within directory context", NULL);
+ " cannot occur within <Directory/Location/Files/Proxy> "
+ "section", NULL);
}
...
}
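Review bot: the replacement message on the two `+` string lines names <Directory/Location/Files/Proxy>, while the `+` condition above it tests NOT_IN_DIR_LOC_FILE, which the description says is restored to its previous value (without NOT_IN_PROXY), and the wording still omits <Limit>, which the description counts as a directory context. Since the branch is taken on cmd->path != NULL, a short comment at that test stating which sections can set cmd->path, and where the <Limit> case is reported in the part elided as "...", would keep the flag name and the error text in step for 2.4.x.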
Joe Orton [Thu, 12 Oct 2017 15:11:50 +0000 (15:11 +0000)]
Add optional _RAW suffix to SSL_*_DN_xx attribute names, allowing
users to convert an attribute value without conversion to UTF-8. (A
public CA has issued certs with attributes tagged as the wrong ASN.1
string types.)
* modules/ssl/ssl_util_ssl.c (asn1_string_convert): Rename from
asn1_string_to_utf8; add raw argument. Reimplement _to_utf8 as
macro.
(modssl_X509_NAME_ENTRY_to_string): Add raw argument.
* modules/ssl/ssl_engine_vars.c (ssl_var_lookup_ssl_cert_dn): Use raw
string conversion if _RAW suffix is present in DN component.
Joe Orton [Wed, 11 Oct 2017 14:48:55 +0000 (14:48 +0000)]
* server/util_script.c (ap_add_common_vars): Allow mod_env to override
all system path environment variables, not just PATH. (The
behaviour for PATH alone was changed in r965679 for PR 43906.)
Luca Toscano [Tue, 10 Oct 2017 17:41:37 +0000 (17:41 +0000)]
core, mod_rewrite: introduce the 'redirect-keeps-vary' note
to allow proper Vary header insertion when
dealing with a RewriteRule in a directory
context.
This change is an attempt to fix a long standing problem,
brought up while working on PR 58231. Our documentation clearly
states the following:
"If a HTTP header is used in a condition this header is added
to the Vary header of the response in case the condition
evaluates to true for the request."
This is currently not true for RewriteCond/Rules working in
a directory context, since when an internal redirect happens
all the outstanding response headers get dropped.
There might be a better solution so I am looking forward to
hearing more opinions and comments. My goal for a delicate change
like this one would be to affect the least amount of configurations
possible, without triggering unwanted side effects.
If the solution is good for everybody tests will be written
in the suite asap.
Yann Ylavic [Tue, 10 Oct 2017 10:54:48 +0000 (10:54 +0000)]
ab: Make the TLS layer aware that the underlying socket is nonblocking,
and use/handle POLLOUT where needed to avoid busy IOs and recover write
errors when appropriate.
Yann Ylavic [Tue, 10 Oct 2017 09:09:22 +0000 (09:09 +0000)]
ab: Keep reading nonblocking to exhaust TCP or SSL buffers when previous
read was incomplete (the SSL case can cause the next poll() to timeout
since data are buffered already). PR 61301
Ruediger Pluem [Mon, 9 Oct 2017 13:30:26 +0000 (13:30 +0000)]
* The calculation of the sizes was flawed:
The index tells us the size of the node in 4096 byte pages minus 1.
Hence we need to multiply back with 4096 aka << 12 (plus adding the
missing page).
Ruediger Pluem [Thu, 5 Oct 2017 12:01:25 +0000 (12:01 +0000)]
* Add dump_all_pools and dump_pool_and_childs.
- dump_all_pools: Dump the whole pool hierarchy starting from apr_global_pool.
Requires an arbitrary pool as starting parameter.
- dump_pool_and_childs: Dump the whole pool hierarchy starting from
the given pool.
dump_pool_and_childs is written in Python using the GDB Python API
as doing recursive stuff in standard GDB macros is very difficult.
Yann Ylavic [Mon, 2 Oct 2017 21:57:26 +0000 (21:57 +0000)]
ap_expr: open string expressions to the <word>.
Introduces the syntax "%{:<word>:}", borrowed from the <var>'s one, and which
likewise can be embedded anywhere in a string expression (the same reserved
character ':' gets reused in an unambiguous manner).
This allows the two types of expressions (boolean and string) to now share
fully the same language set, namely: strings, lists, vars, regexes, backrefs,
functions with multiple or complex arguments, and especially combinations
thereof.
Most of them were reserved to boolean expressions only, while complex string
constructions can also benefit to, well, strings. The <word> construct allows
that (say the syntax "%{:<word>:}" looks like a temporary variable constructed
in a string).
Since string expressions may now have to deal with lists (arrays), they also
need a way to produce/extract strings from list and vice versa. This can be
done with the new "join" and "split" operators, while the new substitution
regexes (like "s/<pattern>/<substitute>/<flags>") may be used to manipulate
strings in place. All this of course available for both string and boolean
expressions.