The mod_watchdog change is not user-visible (AFAIK) so should not be in CHANGES.

That was not me. Honors go to Joe.
*) mod_watchdog: Switch to simpler logic to avoid the thread cleanup running

before the thread has started, avoiding mutex operations with undefined

behaviour. [Christophe Jaillet]

  1. … 3 more files in changeset.
*) mod_http2: connection terminology renamed to master/secondary.

trunk patch: http://svn.apache.org/r1878926

http://svn.apache.org/r1879156

2.4.x patch: https://svn.apache.org/repos/asf/httpd/httpd/patches/2.4.x/h2-master-secondary.patch

+1: icing, ylavic, minfrin

ylavic: nitpicking, mixed "H2_secondary_IN" and "H2_secondary_OUT" case to

register the filters, but not for adding them. IIRC filters names

are case insensitive so shouldn't matter, just popped at my eyes..

icing: updated patch and added r1879156 to fix the eye bleed.

jailletc36: CHANGES could also be looked at if it makes sense to update the terminology

also here

  1. … 15 more files in changeset.
*) core: Drop an invalid Last-Modified header value coming

from a (F)CGI script instead of replacing it with Unix epoch.

Warn the users about Last-Modified header value replacements

and violations of the RFC.

trunk patch: http://svn.apache.org/r1748379

http://svn.apache.org/r1750747

http://svn.apache.org/r1750749

http://svn.apache.org/r1750953

http://svn.apache.org/r1751138

http://svn.apache.org/r1751139

http://svn.apache.org/r1751147

http://svn.apache.org/r1757818

http://svn.apache.org/r1879253

http://svn.apache.org/r1879348

2.4.x: trunk patches work, final view:

http://home.apache.org/~elukey/httpd-2.4.x-core-last_modified_tz_logging.patch

svn merge -c 1748379,1750747,1750749,1750953,1751138,1751139,1751139,1757818,1879253,r1879348 ^/httpd/httpd/trunk .

The code has been tested with a simple PHP script returning different Last-Modified

headers (GMT now, GMT now Europe/Paris, GMT tomorrow, GMT yesterday, PST now).

+1: elukey, jorton, jim

jorton: +1 though I'd say log at WARN or INFO for the APR_BAD_DATE case

rather than "silently" (at normal log-level) dropping the parsed header?

[also nit: wrapping a lone ap_log_rerror(,APLOG_X) call in

if (APLOGrX(..) is unnecessary/redundant]

  1. … 3 more files in changeset.
  1. … 18 more files in changeset.
*) mod_proxy_fcgi: Don't unset when condition is false. PR64365

trunk patch:

- http://svn.apache.org/r1877829

- http://svn.apache.org/r1877830

2.4.x patch: svn merge -c 1877829,1877830 ^/httpd/httpd/trunk .

+1: covener, ylavic, rpluem

  1. … 3 more files in changeset.
Merge r1878280 from trunk:

mod_proxy_http: don't strip EOS when spooling request body to file.

To prevent stream_reqbody() from sending the FILE and FLUSH bucket in separate

brigades, and thus apr_file_setaside() to trigger if network congestion occurs

with the backend, restore the EOS in spool_reqbody_cl() which was stripped

when spooling the request body to a file.

Until APR r1878279 is released (and installed by users), apr_file_setaside()

on a temporary file (mktemp) will simply drop the file cleanup, leaking the

fd and inode..

This fixes BZ 64452.

Submitted by: ylavic

Reviewed by: ylavic, jorton, rpluem

  1. … 2 more files in changeset.
Merge r1879179, r1879180 from trunk:

EVP_PKEY_up_ref(): fix ref count locking type for proxy EVP pkey

When enabling client authentication for proxy (SSLProxyMachineCertificateFile),

the client certificate callback function ssl_callback_proxy_cert uses another

reference count locking type than the one that is used by the caller function when

trying to free the private key afterwards by using EVP_PKEY_free.

This can lead to a race-condition on pkey->references resulting in a double

free error.

On my system, the error occurs sporadically when threaded health checking

(mod_watchdog) forces two threads competing for the client's private key.

For example, see following two backtraces of a coredump where thread 1 and

thread 15 both run into CRYPTO_free(). Actually, the private key should never

be freed during run-time nor should two threads ever enter CRYPTO_free()

concurrently.

(gdb) t 1

[Switching to thread 1 (Thread 0xb2cfbb40 (LWP 16054))]

#0 0xf7f3f329 in __kernel_vsyscall ()

(gdb) bt

#0 0xf7f3f329 in __kernel_vsyscall ()

#1 0xf7cec9e7 in raise () from /lib32/libc.so.6

#2 0xf7cedfb9 in abort () from /lib32/libc.so.6

#3 0xf7d2a14d in ?? () from /lib32/libc.so.6

#4 0xf7d2fd27 in ?? () from /lib32/libc.so.6

#5 0xf7d3047d in ?? () from /lib32/libc.so.6

#6 0x08499c70 in CRYPTO_free (str=0x93376b0) at mem.c:434

#7 0x084cc063 in EVP_PKEY_free (x=0x93376b0) at p_lib.c:406

#8 0x08463917 in ssl3_send_client_certificate (s=0xad21f070) at s3_clnt.c:3475

#9 0x0845d62c in ssl3_connect (s=0xad21f070) at s3_clnt.c:426

#10 0x08484213 in SSL_connect (s=0xad21f070) at ssl_lib.c:1008

#11 0x0846f9c8 in ssl23_get_server_hello (s=0xad21f070) at s23_clnt.c:832

#12 0x0846ea45 in ssl23_connect (s=0xad21f070) at s23_clnt.c:231

#13 0x08484213 in SSL_connect (s=0xad21f070) at ssl_lib.c:1008

#14 0x08261e73 in ssl_io_filter_handshake (filter_ctx=0xb4d3f450) at ssl_engine_io.c:1245

#15 0x08263ba6 in ssl_io_filter_output (f=0xb4d3f480, bb=0xacc079a0) at ssl_engine_io.c:1760

#16 0x080ea2c9 in ap_pass_brigade (next=0xb4d3f480, bb=0xacc079a0) at util_filter.c:590

#17 0x08263b07 in ssl_io_filter_coalesce (f=0xb4d3f468, bb=0xacc079a0) at ssl_engine_io.c:1728

#18 0x080ea2c9 in ap_pass_brigade (next=0xb4d3f468, bb=0xacc079a0) at util_filter.c:590

#19 0x08251658 in hc_send (r=0xacc069b0, out=0x8c25ec8 "GET /hcheck HTTP/1.0\r\nHost: XXX\r\n\r\n", bb=0xacc079a0) at mod_proxy_hcheck.c:664

#20 0x08251eb3 in hc_check_http (baton=0xacc068d8) at mod_proxy_hcheck.c:806

#21 0x08252653 in hc_check (thread=0x8cc6b10, b=0xacc068d8) at mod_proxy_hcheck.c:870

#22 0x08383185 in thread_pool_func (t=0x8cc6b10, param=0x8c245e0) at misc/apr_thread_pool.c:266

#23 0x083baef6 in dummy_worker (opaque=0x8cc6b10) at threadproc/unix/thread.c:142

#24 0xf7ec615f in start_thread () from /lib32/libpthread.so.0

#25 0xf7da862e in clone () from /lib32/libc.so.6

(gdb) t 15

[Switching to thread 15 (Thread 0xb44feb40 (LWP 16049))]

#0 0xf7dd90a5 in _dl_addr () from /lib32/libc.so.6

(gdb) bt

#0 0xf7dd90a5 in _dl_addr () from /lib32/libc.so.6

#1 0xf7db610c in backtrace_symbols_fd () from /lib32/libc.so.6

#2 0xf7cd89ab in ?? () from /lib32/libc.so.6

#3 0xf7d2a148 in ?? () from /lib32/libc.so.6

#4 0xf7d2fd27 in ?? () from /lib32/libc.so.6

#5 0xf7d3047d in ?? () from /lib32/libc.so.6

#6 0x08499c70 in CRYPTO_free (str=0x93376b0) at mem.c:434

#7 0x084cc063 in EVP_PKEY_free (x=0x93376b0) at p_lib.c:406

#8 0x08463917 in ssl3_send_client_certificate (s=0xacf1baa0) at s3_clnt.c:3475

#9 0x0845d62c in ssl3_connect (s=0xacf1baa0) at s3_clnt.c:426

#10 0x08484213 in SSL_connect (s=0xacf1baa0) at ssl_lib.c:1008

#11 0x0846f9c8 in ssl23_get_server_hello (s=0xacf1baa0) at s23_clnt.c:832

#12 0x0846ea45 in ssl23_connect (s=0xacf1baa0) at s23_clnt.c:231

#13 0x08484213 in SSL_connect (s=0xacf1baa0) at ssl_lib.c:1008

#14 0x08261e73 in ssl_io_filter_handshake (filter_ctx=0xb4d37430) at ssl_engine_io.c:1245

#15 0x08263ba6 in ssl_io_filter_output (f=0xb4d37460, bb=0xad101588) at ssl_engine_io.c:1760

#16 0x080ea2c9 in ap_pass_brigade (next=0xb4d37460, bb=0xad101588) at util_filter.c:590

#17 0x08263b07 in ssl_io_filter_coalesce (f=0xb4d37448, bb=0xad101588) at ssl_engine_io.c:1728

#18 0x080ea2c9 in ap_pass_brigade (next=0xb4d37448, bb=0xad101588) at util_filter.c:590

#19 0x08251658 in hc_send (r=0xad100598, out=0x8c25898 "GET /hcheck HTTP/1.0\r\nHost: XXX\r\n\r\n", bb=0xad101588) at mod_proxy_hcheck.c:664

#20 0x08251eb3 in hc_check_http (baton=0xad1004c0) at mod_proxy_hcheck.c:806

#21 0x08252653 in hc_check (thread=0x8cc6ab0, b=0xad1004c0) at mod_proxy_hcheck.c:870

#22 0x08383185 in thread_pool_func (t=0x8cc6ab0, param=0x8c245e0) at misc/apr_thread_pool.c:266

#23 0x083baef6 in dummy_worker (opaque=0x8cc6ab0) at threadproc/unix/thread.c:142

#24 0xf7ec615f in start_thread () from /lib32/libpthread.so.0

#25 0xf7da862e in clone () from /lib32/libc.so.6

Many thanks to Armin for finding this.

Github: closes #129

Submitted by: Armin Abfalterer (arminabf)

Reviewed by: ylavic

Follow up to r1879179: CHANGES entry.

Reviewed by: ylavic, jorton, rpluem

  1. … 2 more files in changeset.
reflow

Merge r1876616 from trunk:

*) mod_http2: Fixed regression that no longer set H2_STREAM_ID and H2_STREAM_TAG.

PR64330

Submitted by: icing

Reviewed by: steffenal, rpluem, gbechis, jim

  1. … 2 more files in changeset.
Merge r1877783 from trunk:

*) mod_http2: Fixed regression that caused connections to close when mod_reqtimeout

was configured with a handshake timeout. Fixes github issue #196.

Submitted by: icing

Reviewed by: icing, steffenal, rpluem

  1. … 5 more files in changeset.
Merge r1876548 from trunk:

mod_ssl: Fix memory leak in stapling code. PR63687.

Free issuer's X509 in ssl_stapling_init_cert()'s early return paths.

Submitted by: icing

Submitted by: ylavic

Reviewed by: gbechis, jorton, icing

  1. … 3 more files in changeset.
Merge r1878433 from trunk:

*) mod_proxy_http2: the "ping" proxy parameter

(see <https://httpd.apache.org/docs/2.4/mod/mod_proxy.html>) is now used

when checking the liveliness of a new or reused h2 connection to the backend.

With short durations, this makes load-balancing more responsive. The module

will hold back requests until ping conditions are met, using features of the

HTTP/2 protocol alone. [Ruediger Pluem, Stefan Eissing]

Note: mod_proxy_http2 is currently CTR on 2.4.x.

Submitted by: icing

Reviewed by: rpluem

  1. … 4 more files in changeset.
Merged /httpd/httpd/trunk:r1878233,1878264

*) mod_proxy_http2: respect ProxyTimeout settings on backend connections

while waiting on incoming data. [Ruediger Pluem, Stefan Eissing]

  1. … 2 more files in changeset.
Merge r1876869 from trunk:

systemd dependencies are only needed by mod_systemd.

They should currently not be needed by httpd directly

or any other binary. So no need to add them to

HTTPD_LIBS.

Submitted by: rjung

Reviewed by: rjung, jim, jorton

  1. … 1 more file in changeset.
Put post-release security entries underneath

2.4.43 instead of 2.4.44.

Updates for announcement of 2.4.43
  1. … 1 more file in changeset.
Post 2.4.43 tag updates
  1. … 3 more files in changeset.
Merge r1874577 from trunk:

mod_ssl: Fix memory leak of OCSP stapling response.

The OCSP_RESPONSE is either ignored or serialized (i2d_OCSP_RESPONSE) in the

TLS response/handshake extension, so it must be freed.

Submitted by: ylavic

Reviewed by: gbechis, rpluem, ylavic

  1. … 2 more files in changeset.
Post 2.4.42 tag updates
  1. … 3 more files in changeset.
Merge r1869216, r1869224 from trunk:

mod_proxy_http: fix load-balancer fallback for requests with a body.

Since r1656259 (or r1656259 in 2.4.41) and the move of prefetch before connect,

the balancer fallback case where proxy_http_handler() is re-entered with the

next balancer member broke.

We need to save the body (partially) prefetched the first time and reuse it on

successive calls, otherwise we might forward partial or empty body.

mod_proxy_http: follow up to r1869216.

Let's call stream_reqbody() for all rb_methods, no RB_SPOOL_CL special case.

This both simplifies code and allows to keep EOS into the input_brigade until

it's sent, and thus detect whether we already fetched the whole body if/when

proxy_http_handler() re-enters for different balancer members.

  1. … 2 more files in changeset.
typo [skip ci]

Merge r1874689 from trunk:

*) mod_http2: Fixes issue where mod_unique_id would generate non-unique request

identifier under load, see <https://github.com/icing/mod_h2/issues/195>.

[Michael Kaufmann, Stefan Eissing]

Submitted by: icing

Reviewed by: icing, ylavic, jim

  1. … 7 more files in changeset.
Merge r1874616 from trunk:

PR64140: Allow %{Content-Type} in health check expressions

Submitted By: Renier Velazco <renier.velazco upr.edu>

Committed By: covener

Github: closes #97

Submitted by: covener

Reviewed by: covener, ylavic, jim

  1. … 3 more files in changeset.
Merge r1874424 from trunk:

PR64172: drop severity of AH01666

Submitted by: covener

Reviewed by: covener, ylavic, jim

  1. … 3 more files in changeset.
restore CHANGES entry [skip ci]

Merge r1874389, r1874480, r1874601 from trunk:

PR64077: samesite/httponly/secure flags for usertrack

Submitted By: Prashant Keshvani <prashant2400 gmail.com>, Eric Covener

Committed By: covener

* Whitespace fix

Remove duplicated "CookieTracking" directive in 'command_rec'.

  1. … 3 more files in changeset.
* Fix typo and adjust formatting
mod_proxy_ajp: Add "secret" parameter to proxy workers

to implement legacy AJP13 authentication. PR 53098.

The attribute is now suggested/required by tomcat.

Backport of r1738878 from trunk.

Backported by: covener

Reviewed by: covener, jorton, rjung

  1. … 7 more files in changeset.