Yann Ylavic [Tue, 10 Mar 2015 17:25:17 +0000 (17:25 +0000)]
core, modules: like r1657897 but for core and other modules than mod_proxy.
More uses of ap_map_http_request_error() and AP_FILTER_ERROR so that we never
return an HTTP error status from a handler if some filter generated a response
already.
That is, from a handler, either ap_get_brigade() (an input filter) returned
AP_FILTER_ERROR and we must forward it to ap_die(), or ap_pass_brigade() (an
output filter) failed with any status and we must return AP_FILTER_ERROR in
any case for ap_die() to determine whether a response is needed or not.
Jan Kaluža [Mon, 9 Mar 2015 12:48:11 +0000 (12:48 +0000)]
* mod_cache: Preserve the Content-Type in case of 304 response.
304 does not contain Content-Type and mod_mime regenerates
the Content-Type based on the r->filename. This later leads to original
Content-Type to be lost (overwritten by whatever mod_mime generates).
Yann Ylavic [Mon, 9 Mar 2015 12:45:56 +0000 (12:45 +0000)]
mod_proxy: use the original (non absolute) form of the request-line's URI
for requests embedded in CONNECT payloads used to connect SSL backends via
a ProxyRemote forward-proxy. PR 55892.
Ruediger Pluem [Fri, 6 Mar 2015 19:31:42 +0000 (19:31 +0000)]
* Do not reset the retry timeout if the worker is in error at this stage even
if the connection to the backend was successful. It was likely set into
error by a different thread / process in parallel e.g. for a timeout or
bad status. We should respect this and should not continue with a connection
via this worker even if we got one.
Yann Ylavic [Fri, 6 Mar 2015 09:55:16 +0000 (09:55 +0000)]
core: Follow up to r1664205.
Don't let invalid r->proto_num/protocol out of read_request_line() reach
the output filters (when responding with 400 Bad Request).
Suggested by: rpluem
Jan Kaluža [Fri, 6 Mar 2015 09:14:07 +0000 (09:14 +0000)]
*) mod_rewrite: Add support for starting External Rewriting Programs
as non-root user on UNIX systems by specifying username and group name
as third argument of RewriteMap directive.
Eric Covener [Thu, 5 Mar 2015 02:33:16 +0000 (02:33 +0000)]
*) SECURITY: CVE-2015-0253 (cve.mitre.org)
core: Fix a crash with ErrorDocument 400 pointing
to a local URL-path with the INCLUDES filter active, introduced
in 2.4.11. PR 57531. [Yann Ylavic]
Yann Ylavic [Wed, 4 Mar 2015 16:58:01 +0000 (16:58 +0000)]
core: If explicitly configured, use the KeepaliveTimeout value of the
virtual host which handled the latest request on the connection, or by
default the one of the first virtual host bound to the same IP:port.
For non-async MPMs, use either r->server's or c->base_server's value in
ap_process_http_sync_connection() depending on a new server_rec's flag
called keep_alive_timeout_set and determined at config time.
For event MPM, use a queue per timeout value, chaining the queues per
type (keepalive wrt KeepAliveTimeout, write completion wrt Timeout)
so that maintenance can be done on all the queues from the head, and such
that insertions/maintenance remain in O(1).
A server config is created and pointing to the queue of each vhost at
post_config time, hence the config can be associated to the connection
state (cs) at post_read_request time (keep_alive_timeout_set is used to
determine r->server vs c->base_server here), and we can simply insert
with TO_QUEUE_INSERT(cs->sc->q, cs). PR56226.
While at it, since each queue now embeds its own timeout and hence the
expiration_time of the cs has changed to a queue_timestamp (the time it
was queued), we can detect clock skews and expire entries immediately if
the system is set (eg. far) in the past during runtime and we want to
avoid waiting for (eg.) centuries before the current logic kills them.
Any entry which is registered above now + q->timeout is concerned, and
is now cleaned from the queue when encountered. PR57374.
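
The per-timeout queue and the clock-skew rule from the commit message above, as an added example (not code from httpd or from the commit). The names `conn`, `timeout_queue`, `queue_insert` and `queue_maintain` are hypothetical, and times are plain integers rather than `apr_time_t`.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical types modelled on the commit message, not httpd's own. */
typedef int64_t tick_t;

struct conn {
    tick_t queue_timestamp;      /* when the entry was queued, not when it expires */
    struct conn *next;
};

struct timeout_queue {
    tick_t timeout;              /* one timeout value per queue */
    struct conn *head, *tail;    /* FIFO, oldest entry at the head */
    size_t count;
};

/* O(1) append. All entries of a queue share one timeout, so insertion
 * order is expiry order and no sorted insert is ever needed. */
static void queue_insert(struct timeout_queue *q, struct conn *c, tick_t now)
{
    c->queue_timestamp = now;
    c->next = NULL;
    if (q->tail)
        q->tail->next = c;
    else
        q->head = c;
    q->tail = c;
    q->count++;
}

/* Walk from the head and drop entries that are expired, or that were
 * queued "in the future" (queue_timestamp > now + timeout), which can
 * only happen if the system clock was set back. Returns entries removed. */
static size_t queue_maintain(struct timeout_queue *q, tick_t now)
{
    size_t removed = 0;
    while (q->head) {
        struct conn *c = q->head;
        int expired = c->queue_timestamp + q->timeout <= now;
        int skewed  = c->queue_timestamp > now + q->timeout;
        if (!expired && !skewed)
            break;               /* everything behind it is younger */
        q->head = c->next;
        if (!q->head)
            q->tail = NULL;
        q->count--;
        removed++;
    }
    return removed;
}
```

Without the `skewed` test, an entry stamped before a backwards clock jump would hold its connection slot until the clock caught up with the old timestamp again.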
Yann Ylavic [Sun, 1 Mar 2015 00:44:49 +0000 (00:44 +0000)]
mpm_event: follow up to r1538490, r1545736, r1604350, r1639614 and r1642868.
Clear and restore sbh in notify_suspend() and notify_resume() respectively.
Jeff Trawick [Sun, 22 Feb 2015 20:12:26 +0000 (20:12 +0000)]
mod_ssl_ct needs a per-vhost module config even if a vhost
doesn't contain mod_ssl_ct's own directives, because the
module config needs to represent that vhost's certificates.
Jeff Trawick [Sun, 22 Feb 2015 15:50:54 +0000 (15:50 +0000)]
Provide separate SSL_CT_*_STATUS variables for client vs. proxy
connections, courtesy of a new flag passed from mod_ssl on its
pre_connection "optional hook."
Graham Leggett [Sat, 21 Feb 2015 00:33:34 +0000 (00:33 +0000)]
mod_ssl: Add the SSL_CLIENT_CERT_RFC4523_CEA variable, which provides
a combination of certificate serialNumber and issuer as defined by
CertificateExactMatch in RFC4523.
Yann Ylavic [Tue, 10 Feb 2015 17:25:54 +0000 (17:25 +0000)]
mod_proxy_http: Use the "Connection: close" header for requests to
backends not recycling connections (disablereuse), including the default
reverse and forward proxies.
Yann Ylavic [Tue, 10 Feb 2015 17:03:05 +0000 (17:03 +0000)]
mod_proxy_http: Don't expect the backend to ack the "Connection: close" to
finally close those not meant to be kept alive by SetEnv proxy-nokeepalive
or force-proxy-request-1.0, and respond with 502 instead of 400 if its
Connection header is invalid.
Yann Ylavic [Fri, 6 Feb 2015 16:54:16 +0000 (16:54 +0000)]
mod_proxy(es): Avoid error response/document handling by the core if some
input filter already did it while reading client's payload.
When an input filter returns AP_FILTER_ERROR, it has already called ap_die()
or at least already responded to the client.
Here we don't want to lose AP_FILTER_ERROR when returning from proxy handlers,
so we use ap_map_http_request_error() to forward any AP_FILTER_ERROR to
ap_die() which knows whether a response needs to be completed or not.
Before this commit, returning an HTTP error code in this case caused a double
response to be generated.
Depends on r1657881 to preserve r->status (for logging) when nothing is to be
done by ap_die() when handling AP_FILTER_ERROR.
Rainer Jung [Thu, 5 Feb 2015 20:33:59 +0000 (20:33 +0000)]
Expression parser: Optimize another concatenation
case by using iteration instead of recursion.
We have a relatively small recursion limit of
about 10 operations. This is a compilation
limit (a define). It can be hit if many expr
vars or function calls are concatenated.
The new optimization is very similar to the
existing one, which optimizes consecutive
concatenations in node2 of the tree. The new
one optimizes consecutive concatenations in
node 1.
Yann Ylavic [Thu, 5 Feb 2015 17:36:23 +0000 (17:36 +0000)]
mod_proxy_connect/wstunnel: If both client and backend sides get readable
at the same time, don't lose errors occurring while forwarding on the first
side when none occurs next on the other side, and abort.
Eric Covener [Wed, 4 Feb 2015 14:44:23 +0000 (14:44 +0000)]
*) SECURITY: CVE-2015-0228 (cve.mitre.org)
mod_lua: A maliciously crafted websockets PING after a script
calls r:wsupgrade() can cause a child process crash.
[Edward Lu <Chaosed0 gmail.com>]
Discovered by Guido Vranken <guidovranken gmail.com>
Eric Covener [Wed, 4 Feb 2015 14:33:51 +0000 (14:33 +0000)]
Fix bit-shifting of websockets frame fields that would yield wrong opcodes
when the FIN bit was set. Results in PING not being recognized
by mod_lua. PR57524
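
How the first two bytes of a WebSocket frame decode under RFC 6455, and why extracting the opcode by shifting goes wrong once FIN is set, as an added example (not mod_lua's code). `ws_opcode_by_shifting` is a constructed flawed variant for comparison, and all names here are hypothetical.

```c
#include <stdint.h>

#define WS_OP_PING 0x9u

struct ws_hdr {
    unsigned fin;      /* bit 7 of byte 0 */
    unsigned opcode;   /* low 4 bits of byte 0 */
    unsigned masked;   /* bit 7 of byte 1 */
    unsigned len7;     /* low 7 bits of byte 1 */
};

/* RFC 6455 section 5.2: byte 0 = FIN | RSV1-3 | opcode(4),
 *                       byte 1 = MASK | payload length(7). */
static struct ws_hdr ws_decode(const uint8_t b[2])
{
    struct ws_hdr h;
    h.fin    = (b[0] >> 7) & 0x01u;
    h.opcode =  b[0] & 0x0Fu;
    h.masked = (b[1] >> 7) & 0x01u;
    h.len7   =  b[1] & 0x7Fu;
    return h;
}

/* Constructed flawed variant: shifting left then right is meant to drop
 * the high nibble, but the operand is promoted to int first, so the FIN
 * and RSV bits survive the round trip. */
static unsigned ws_opcode_by_shifting(uint8_t byte0)
{
    return (unsigned)((byte0 << 4) >> 4);
}

/* RFC 6455 section 5.5: control frames (opcode bit 3 set) must not be
 * fragmented and carry at most 125 payload bytes. Returns 1 if the
 * header is acceptable, 0 if the frame should be rejected. */
static int ws_control_frame_ok(const struct ws_hdr *h)
{
    if (!(h->opcode & 0x8u))
        return 1;                      /* data frame: rule does not apply */
    return h->fin == 1 && h->len7 <= 125;
}
```

For the constructed bytes `0x89 0x80` (FIN set, PING, masked, empty payload), the masked decode gives opcode `0x9` while the shifting variant returns `0x89`, so a comparison against `WS_OP_PING` never matches.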