Joe Orton [Fri, 8 Oct 2004 11:59:33 +0000 (11:59 +0000)]
Fix CAN-2004-0885:
* modules/ssl/ssl_engine_kernel.c (ssl_hook_Access): Ensure that a
correct cipher suite has been negotiated, else deny access.
* modules/ssl/ssl_engine_init.c (ssl_init_ctx_protocol): With OpenSSL
0.9.7, prevent session resumption during a renegotiation to force the
client to negotiate a new (and acceptable) cipher suite.
Submitted by: Hartmut Keil <Hartmut.Keil adnovum.ch>, Joe Orton
Joshua Slive [Wed, 6 Oct 2004 17:08:49 +0000 (17:08 +0000)]
As the first stage of a simplification of the default config in 2.1 (only!), I'm
going to remove all the html files under httpd-2.1/docs/docroot/ and replace them
with an index.html file containing only <html><body><h1>It works!</h1></body></html>
I'm going to do this because:
1. The old welcome page is a constant source of confusion to random web surfers who
stumble on unconfigured apache installs.
2. New users, when finding a docroot with dozens of files, are often confused
about where to put their own content.
3. The international welcome page is a large source of bug reports from people
wanting to tweak grammar or provide new translations.
4. This will allow us to simplify the default config by removing the config stuff
necessary to handle the typemap.
Graham Leggett [Mon, 4 Oct 2004 23:43:20 +0000 (23:43 +0000)]
mod_auth_ldap: Handle the inconsistent way in which the MS LDAP
library handles special characters.
PR: 24437
Obtained from:
Submitted by: Jess Holle
Reviewed by:
Graham Leggett [Sun, 3 Oct 2004 16:44:06 +0000 (16:44 +0000)]
mod_ldap: fix a bogus error message to tell the user which file
is causing a potential problem with the LDAP shared memory cache.
PR: 31431
Obtained from:
Submitted by: Graham Leggett
Reviewed by:
Graham Leggett [Sun, 3 Oct 2004 16:24:53 +0000 (16:24 +0000)]
mod_ldap: prevent the possibility of an infinite loop in the LDAP
statistics display.
PR: 29216
Obtained from:
Submitted by: Graham Leggett
Reviewed by:
Mladen Turk [Wed, 29 Sep 2004 19:09:55 +0000 (19:09 +0000)]
No need to call the ap_proxy_initialize_worker when initializing
balancer members, but make sure that balancer module is initialized
after proxy module.
Joe Orton [Wed, 29 Sep 2004 14:38:42 +0000 (14:38 +0000)]
* modules/http/http_protocol.c (ap_http_filter): Always fail if the
Content-Length header is an empty string; previously this was only
an error with some strto* implementations.
Try to correctly follow RFC 2616 13.3 on validating stale cache responses by
teaching mod_cache's cache_select_url and cache_save_filter how to deal with
this corner case.
* modules/experimental/cache_storage.c
(cache_select_url): If we have a stale entry, save the handle so that
cache_save_filter can use it later, and make the request conditional.
* modules/experimental/cache_util.c
(ap_cache_request_is_conditional): Take in a table rather than request_rec.
* modules/experimental/mod_cache.c
(cache_out_filter): Fix bogus comment.
(cache_save_filter): If we have already responded to the client, block all
data; correctly merge in 'stale' handles that are not really stale; set
r->status where appropriate; serve cached response if 'fresh'
* modules/experimental/mod_cache.h
(cache_info): Add a status field.
(cache_request_rec): Add stale handle field and note we may block responses.
(ap_cache_request_is_conditional): Update prototype.
* modules/experimental/mod_disk_cache.c
(store_headers): Use cache_info status instead of r->status.
* modules/experimental/mod_mem_cache.c
(recall_headers): Properly recall the status field.
(store_headers): Store the status field via cache_info status.
Joe Orton [Tue, 28 Sep 2004 13:09:37 +0000 (13:09 +0000)]
* support/apxs.in: Reset $opt so that -I, -D and -Wc,* options are not
passed to the libtool link line. For "-Wl,-foo" pass "-foo" on the
link line regardless of whether gcc is used; without guessing whether
libtool --mode=link will invoke gcc or some native ld the previous
behaviour is not really correct.
Mladen Turk [Sun, 26 Sep 2004 06:58:36 +0000 (06:58 +0000)]
Use Christian von Roques's idea that makes the election mechanism
much simpler. This also removes the need to count the number of free
connections per channel.
Mladen Turk [Sun, 26 Sep 2004 06:56:24 +0000 (06:56 +0000)]
Count the bytes transferred and read so we can display the actual
data traffic, and add an additional balancer mechanism that will take the
data traffic into account.
Mladen Turk [Sun, 26 Sep 2004 06:54:27 +0000 (06:54 +0000)]
Remove proxy_runtime_worker and make things simpler by
sharing runtime status across child processes. Also make sure
that shared data is initialized after the scoreboard is created.
Fix race conditions in mod_disk_cache by properly using the tempfile rather
than the data file. (We rename the tempfile when we're completed with the data
file which is an atomic operation.)
Part of the code assumed that it was using a temporary file; other parts
wrote directly to the body file - which was incorrect. So, clean up the
whole mess to be consistent and more correct.
Joe Orton [Wed, 22 Sep 2004 15:32:09 +0000 (15:32 +0000)]
* modules/ssl/ssl_scache_shmcb.c (ssl_scache_shmcb_init): If anonymous
shm is not supported, always remove the named segment first to cope
with unclean shutdowns.
Previously, if the cached copy was stale, the response would go into an
indeterminate state. Therefore, the freshness check must be done before we
'accept' the response and, if it fails (i.e. stale), we can't allow any side
effects.
This caused a number of changes to how mod_disk_cache reads its headers as
ap_scan_script_header_err() purposely has side-effects and that's
unacceptable. So, factor out only what we need.
Also, remove the broken conditional filter code as you can't reliably alter the
filter list once the response is started. (Regardless, cache_select_url()
has the freshness checks now.)
Assist to Sascha Schumann for reporting mod_cache was busted.
In order for mod_expires to work with mod_cache, mod_expires has to go first.
Otherwise, mod_cache has no clue that the response has a limited lifetime.
Joe Orton [Mon, 20 Sep 2004 12:12:01 +0000 (12:12 +0000)]
* configure.in: Ensure that $CC and $CPP are correctly passed through
to the pcre configure script if config caching is disabled (the
autoconf 2.5x default).
Graham Leggett [Sun, 19 Sep 2004 23:11:10 +0000 (23:11 +0000)]
Fix the global mutex crash when the global mutex is never allocated due
to disabled/empty caches.
PR:
Obtained from:
Submitted by: Jess Holle <jessh ptc.com>
Reviewed by:
Chris Pepper [Sun, 19 Sep 2004 04:20:37 +0000 (04:20 +0000)]
Update the description of digest support for 2004, adding Konqueror, Mac IE, and Safari as supporting browsers, and lynx as an (apparently) non-supporting browser. Confirmation of the official lynx home would be welcome -- lynx.browser.org and UKans both have older versions.
I *believe* IE/Mac (which has a much different code base than IE/Win) doesn't have the GET bug described on Windows -- at least I can request a URL like "http://myhost/?testing" and successfully log in and get to http://myhost/, but I'm not sure if there's a subtlety I missed. I also alphabetized the (fairly long) list of browsers (keeping Mozilla and Netscape together), and toned down the warning about lack of support, since everything but lynx now seems to handle digest auth.
Jeff Trawick [Sat, 18 Sep 2004 16:18:26 +0000 (16:18 +0000)]
mod_rewrite: Handle per-location rules when r->filename is unset.
Previously this would segfault or simply not match as expected,
depending on the platform.
Mladen Turk [Thu, 16 Sep 2004 12:08:00 +0000 (12:08 +0000)]
Add maximum number of attempts for failover and run scheme handler
if worker is in error state up to that number.
Another great idea from Christian von Roques.