Merge r1833014 from trunk:

* modules/http/http_request.c (ap_process_request_after_handler,
  ap_process_request): Cache and retrieve the brigade structure used
  to send EOR and FLUSH between requests in c->pool userdata, to avoid
  allocating a brigade structure per-request out of c->pool.

Submitted by: rpluem, jorton

Submitted by: jorton

Reviewed by: jorton, covener, jim

  1. … 3 more files in changeset.
Merge r1828920 from trunk:

PR62186: preserve %<m for ErrorDocument internal redirects

*) core: Preserve the original HTTP request method in the '%<m' LogFormat when a path-based ErrorDocument is used. PR 62186.

[Micha Lenk <micha lenk.info>]

Submitted By: Micha Lenk

Committed By: covener

Submitted by: covener

Reviewed by: covener, jhriggs, jim

  1. … 3 more files in changeset.
Merge r1826556, r1826847 from trunk:

Fix timeout logging in ap_process_request().

We can't use 'r' after ap_process_request_after_handler(), the core output filter might have cleaned up its deferred bucket brigade on error, including the EOR bucket.

Reported by: steffenal

Closes SpiderLabs/ModSecurity#1542

Follow up to r1826556: CHANGES entry.

Submitted by: ylavic

Reviewed by: ylavic, covener, rjung

  1. … 2 more files in changeset.
Revert r1826543, was meant for trunk...
Fix timeout logging in ap_process_request().

We can't use 'r' after ap_process_request_after_handler(), the core output filter might have cleaned up its deferred bucket brigade on error, including the EOR bucket.

Reported by: steffenal

Fixes SpiderLabs/ModSecurity#1542

[Reverted by r1826555]

Merge r1811744 from trunk:

core, mod_rewrite: introduce the 'redirect-keeps-vary' note to allow proper Vary header insertion when dealing with a RewriteRule in a directory context.

This change is an attempt to fix a long standing problem, brought up while working on PR 58231. Our documentation clearly states the following:

"If a HTTP header is used in a condition this header is added to the Vary header of the response in case the condition evaluates to true for the request."

This is currently not true for RewriteCond/Rules working in a directory context, since when an internal redirect happens all the outstanding response headers get dropped.

There might be a better solution so I am looking forward to hear more opinions and comments. My goal for a delicate change like this one would be to affect the least amount of configurations possible, without triggering unwanted side effects.

If the solution is good for everybody tests will be written in the suite asap.

Submitted by: elukey

Reviewed by: elukey, icing, ylavic

  1. … 4 more files in changeset.
Merge r1698334 from trunk:

Avoid adding duplicate subrequest filters, as they would not be stripped properly during an ap_internal_fast_redirect.

Submitted by: covener

Reviewed/backported by: jim

  1. … 4 more files in changeset.
revert 1767482 backport

cleanup next

  1. … 4 more files in changeset.
Merge r1698239 from trunk:

Submitted by: covener

Reviewed/backported by: jim

  1. … 4 more files in changeset.
Merge of r1750392,r1750412,r1750416,r1750474,r1750494,r1750508 from trunk:

mod_proxy_{http,ajp,fcgi}: don't reuse backend connections with data available before the request is sent. PR 57832.

  1. … 8 more files in changeset.
Merge r1710095, r1710105, r1711902 from trunk:

core: Limit to ten the number of tolerated empty lines between requests, and consume them before the pipelining check to avoid possible response delay when reading the next request without flushing.

Before this commit, the maximum number of empty lines was the same as configured LimitRequestFields, defaulting to 100, which was way too much. We now use a fixed/hard limit of 10 (DEFAULT_LIMIT_BLANK_LINES).

check_pipeline() is changed to check for (up to the limit) and consume the trailing [CR]LFs so that they won't be interpreted as pipelined requests, otherwise we would block on the next read without flushing data, and hence possibly delay pending response(s) until the next/real request comes in or the keepalive timeout expires.

Finally, when the maximum number of empty lines is reached in read_request_line(), or that request line does not contain at least a method and a (valid) URI, we can fail early and avoid some failure detected in further processing.

core: follow up to r1710095.

Simplify logic in check_pipeline(), and log unexpected errors.

core: follow up to r1710095, r1710105.

We can do this in a single (no inner) loop, and simplify again the logic.

Submitted by: ylavic

Reviewed/backported by: jim

  1. … 5 more files in changeset.
Merge r1697855, r1697339, r1696428, r1696266, r1696264, r1695874, r1695727, r1692516, r1692486, r1610674, r1685069, r1693918, r1698116, r1698133, r1694950, r1700968, r1701005, r1701145, r1701178 from trunk:

adding ap_get_protocol(c) which safeguards against NULL returns, for use instead of direct calling ap_run_protocol_get

changed Protocols to let vhosts override servers, removed old H2Engine example from readme

creating ap_array_index in util, forwarding scheme into request processing, enabling SSL vars only when scheme is not http:, delayed connection creation until task worker assignment

removed unnecessary lingering_close and sbh update on end of protocol upgrade handling

introducing ap_array_index in util, used in protocol and mod_h2

fixes existing protocol missing in selection if not explicitly proposed

new directive ProtocolsHonorOrder, added documentation for Protocols feature, changed preference selection and config merging

removed accidental code

new Protocols directive and core API changes to enable protocol switching on HTTP Upgrade or ALPN, implemented in mod_ssl and mod_h2

SECURITY (CVE-2014-0117): Fix a crash in mod_proxy. In a reverse proxy configuration, a remote attacker could send a carefully crafted request which could crash a server process, resulting in denial of service.

Thanks to Marek Kroemeke working with HP's Zero Day Initiative for reporting this issue.

* server/util.c (ap_parse_token_list_strict): New function.

* modules/proxy/proxy_util.c (find_conn_headers): Use it here.

* modules/proxy/mod_proxy_http.c (ap_proxy_http_process_response): Send a 400 for a malformed Connection header.

Submitted by: Edward Lu, breser, covener

http, mod_ssl: Introduce and return the 421 (Misdirected Request) status code for clients requesting a hostname on a reused connection whose SNI (from the TLS handshake) does not match.

PR 5802.

This allows HTTP/2 clients to fall back to a new connection as per:

https://tools.ietf.org/html/rfc7540#section-9.1.2

Proposed by: Stefan Eissing <stefan eissing.org>

Reviewed by: ylavic

c89

Allowing protocol_propose hooks to be called with offers=NULL, clarifying semantics as proposed by chaosed0@gmail.com

giving ap_array_index a start parameter, adding ap_array_contains

ap_process_request needs exportation for use in mod_h2 on Windows

final final change to the new ap_array_str_* functions after review

changed Protocols default to http/1.1 only, updated documentation, changed ap_select_protocol() to return NULL when no protocol could be agreed upon

mod_ssl: fix compiler warning (bad cast).

improvements in ap_select_protocol(), supplied by yann ylavic

Submitted by: icing, jorton, ylavic, covener, icing, icing, gsmith, icing, icing, ylavic, icing

Reviewed/backported by: jim

  1. … 16 more files in changeset.
Merge r1657881, r1665643 from trunk:

http: Make ap_die() robust against any HTTP error code and not modify response status (finally logged) when nothing is to be done.

ap_die(): follow up to r1657881.

Use log level DEBUG for AP_FILTER_ERROR => HTTP_INTERNAL_SERVER_ERROR.

Submitted by: ylavic

Reviewed/backported by: jim

  1. … 3 more files in changeset.
Merge r1666998 from trunk:

core: Cleanup the request soon/even if some output filter fails to handle the EOR bucket.

Submitted by: ylavic

Reviewed/backported by: jim

  1. … 4 more files in changeset.
SECURITY: CVE-2013-5704 (cve.mitre.org)

core: HTTP trailers could be used to replace HTTP headers late during request processing, potentially undoing or otherwise confusing modules that examined or modified request headers earlier. Adds "MergeTrailers" directive to restore legacy behavior.

Submitted by: Edward Lu, Yann Ylavic, Joe Orton, Eric Covener

Backports: r1610814

Reviewed by: covener, wrowe, ylavic

  1. … 11 more files in changeset.
Merge r1402924 from trunk:

also copy r->invoke_mtx when creating a subrequest

Submitted by: covener

Reviewed/backported by: jim

  1. … 3 more files in changeset.
Merge r1361803 from trunk:

Code clean up (remove useless memory allocation)

Submitted by: Christophe JAILLET <christophe jaillet wanadoo fr>

PR: 52648

Reviewed by: rjung, jim, jorton

  1. … 5 more files in changeset.
Backport:

Further clarify the naming of the entity that originates the request by calling that entity a useragent instead of a client.

Further clarify the naming of the entity that directly connects to us by calling that entity a client instead of a peer.

  1. … 26 more files in changeset.
Backport r1209766, r1210252, r1210284:

Add lots of unique tags to error log messages

ssl_util.c: Downgrade some dynamic locking messages from level DEBUG to TRACE1-3

  1. … 164 more files in changeset.
Backport:

Introduce a per request version of the remote IP address, which can be optionally modified by a module when the effective IP of the client is not the same as the real IP of the client (such as a load balancer).

Introduce a per connection "peer_ip" and a per request "client_ip" to distinguish between the raw IP address of the connection and the effective IP address of the request.

  1. … 31 more files in changeset.
Merge r1204104, 1204180:

Remove MPM-private stuff from conn_state_t.

This should make it easier to improve the event MPM in 2.4 without breaking the API.

  1. … 7 more files in changeset.
backport r1204630:

Downgrade some more error messages about broken client behavior to level info.

  1. … 2 more files in changeset.