
* modules/ssl/ssl_engine_kernel.c (ssl_hook_Access_modern): Correctly

restore SSL verify state after PHA failure in TLSv1.3.

Submitted by: Michael Kaufmann <mail>

  1. … 1 more file in changeset.
*) mod_md: Explicitly setting file permissions to break out of umasks. We want our

non-privileged apache user to be able to read them. See github issue

<>. [Stefan Eissing]

  1. … 1 more file in changeset.
Merge consecutive slashes in the URL by default

opt-out w/ `MergeSlashes OFF`.

  1. … 7 more files in changeset.
allow mod_mime to be disabled per-dir too

  1. … 2 more files in changeset.
mod_proxy/ssl: cleanup per-request SSL configuration for recycled proxy conns.

The SSL dir config of proxy/backend connections is stored in r->per_dir_config

but those connections have a lifetime independent of the requests they handle.

So we need to allow the external ssl_engine_set() function to reset mod_ssl's

dir config in between proxy requests, or the first sslconn->dc could be used

after free for the next requests.

mod_proxy can then reset/reinit the request config when recycling its backend


PR 63256.

  1. … 2 more files in changeset.
mod_mime: Add `MimeOptions`

mod_mime: Add `MimeOptions` directive to allow Content-Type or all metadata

detection to use only the last (right-most) file extension.

  1. … 2 more files in changeset.
update after backport, mod_http2/proxy_http2 now equivalent
MPMs unix: bind the bucket number of each child to its slot number

We need not remember each child's bucket number in SHM for restarts, for the

lifetime of the httpd main process the bucket number can be bound to the slot

number such that: bucket = slot % num_buckets.

This both simplifies the logic and helps children maintenance per bucket in

threaded MPMs, where previously perform_idle_server_maintenance() could create

or kill children processes for the buckets it was not in charge of.

  1. … 5 more files in changeset.
*) mod_http2: when SSL renegotiation is inhibited and a 403 ErrorDocument is

in play, the proper HTTP/2 stream reset did not trigger with H2_ERR_HTTP_1_1_REQUIRED.

Fixed. [Michael Kaufmann]

  1. … 1 more file in changeset.
*) mod_http2: new configuration directive: `H2Padding numbits` to control

padding of HTTP/2 payload frames. 'numbits' is a number from 0-8,

controlling the range of padding bytes added to a frame. The actual number

added is chosen randomly per frame. This applies to HEADERS, DATA and PUSH_PROMISE

frames equally. The default continues to be 0, e.g. no padding. [Stefan Eissing]

*) mod_http2: ripping out all the h2_req_engine internal features now that mod_proxy_http2

has no more need for it. Optional functions are still declared but no longer implemented.

While previous mod_proxy_http2 will work with this, it is recommended to run the matching

versions of both modules. [Stefan Eissing]

*) mod_proxy_http2: changed mod_proxy_http2 implementation and fixed several bugs which

resolve PR63170. The proxy module now does a single h2 request on the (reused)

connection and returns. [Stefan Eissing]

  1. … 21 more files in changeset.
*) mod_http2/mod_proxy_http2: proxy_http2 checks correct master connection aborted status

to trigger immediate shutdown of backend connections. This is now always signalled

by mod_http2 when the session is being released.

proxy_http2 now only sends a PING frame to the backend when there is not already one

in flight. [Stefan Eissing]

*) mod_proxy_http2: fixed an issue where a proxy_http2 handler entered an infinite

loop when encountering certain errors on the backend connection.

See <>. [Stefan Eissing]

  1. … 4 more files in changeset.
http: Fix possible empty response with mod_ratelimit for HEAD requests.

Don't eat the EOS in ap_http_header_filter() if it comes in single brigade

with a full response to a HEAD request, otherwise mod_ratelimit will never

flush its pending data.

  1. … 1 more file in changeset.
Follow up to r1853874: CHANGES entry.
mod_reqtimeout: Allow to configure (TLS-)handshake timeouts.

The timeouts apply between the process_connection and pre_read_request hooks.

They are disabled by default for compatibility reasons.

  1. … 2 more files in changeset.
Fix a race condition.

Authentication with valid credentials could be refused in case of concurrent accesses from different users.

PR 63124 [Simon Kappel <simon.kappel>]

  1. … 1 more file in changeset.
Follow up to r1853133: CHANGES entry.
*) mod_http2: Configuration directives H2Push and H2Upgrade can now be specified per

Location/Directory, e.g. disabling PUSH for a specific set of resources. [Stefan Eissing]

*) mod_http2: HEAD requests to some module such as mod_cgid caused the stream to

terminate improperly and cause a HTTP/2 PROTOCOL_ERROR.

Fixes <>. [Michael Kaufmann]

  1. … 29 more files in changeset.
mod_ssl: give mod_md the chance to override certificate after ALPN protocol negotiation.

  1. … 1 more file in changeset.
mod_http2: fixed slave connection keepalives counter.

  1. … 3 more files in changeset.
mod_http2: enable re-use of slave connections again.

  1. … 3 more files in changeset.
reverting last change
  1. … 4 more files in changeset.
mod_http2: enable re-use of slave connections again.

  1. … 4 more files in changeset.
Fix websocket proxy over UDS.

configuration example:

<Location "/apis">

ProxyPass unix:/var/run/unix.sock|ws://


Currently 'ap_proxy_get_worker()' can't get matched pre-defined worker because

of different uri formatting in 'proxy_wstunnel_canon()' and 'ap_proxy_define_worker()'

PR 62932 <pavel>

  1. … 1 more file in changeset.
LanguagePriority should be case-insensitive in order to match AddLanguage behavior. PR 39730

Test case added in r1850983

  1. … 1 more file in changeset.
Always decode session attributes early.
  1. … 1 more file in changeset.
Update after backport of r1849174 r1849174

*) mod_md: incorrect behaviour when synchronizing ongoing ACME challenges

has been fixed. [Michael Kaufmann, Stefan Eissing]

  1. … 4 more files in changeset.
core: Fix incorrect substitution of env vars in directives containing multiple env vars.

In ap_resolve_env(), the string returned from getenv() should be copied since

the returned string may be statically allocated.

This fixes an issue where the value for the last env var is substituted for all

env vars in a directive containing multiple env vars.

  1. … 1 more file in changeset.
core: Split out the ability to parse wildcard files and directories

from the Include/IncludeOptional directives into a generic set of

functions ap_dir_nofnmatch() and ap_dir_fnmatch().

  1. … 5 more files in changeset.
CHANGES related to r1842010.

I have chosen "unlikely" because this bug has been around forever ([1]) and the pool is only "cleared"; that is to say, the data is still valid, but the memory *could* be re-used.