Checkout Tools
  • last updated 5 hours ago
Constraints: committers
Constraints: files
Constraints: dates

Changeset 1811930 is being indexed.

proposing new module flag backport

Non-distribution directory for holding patches for backport proposals.

Lowest hanging fruit; more challenging patches appear stalled at the moment
* server/util_script.c (ap_add_common_vars): Allow mod_env to override

all system path environment variables, not just PATH. (The

behaviour for PATH alone was changed in r965679 for PR 43906.)

Documentation rebuild
On the trunk:

mod_md: v1.0.0, new config directive 'MDNotifyCmd' to hook in a program when Managed

Domains have obtained/renewed their certificates successfully.

Add the (hopefully) intended change for r1811799's proposal
Merge r1809209 from trunk:

Fix a segmentation fault if AuthzDBDQuery is not set.

PR: 61546

Submitted by: Lubos Uhliarik <luhliari>

Reviewed by: jailletc36, ylavic, elukey

Merge r1664565 from trunk:

*) mod_rewrite: Add support for starting External Rewriting Programs

as non-root user on UNIX systems by specifying username and group name

as third argument of RewriteMap directive.

Submitted by: jkaluza

Reviewed by: jorton, wrowe, ylavic

Merge r1808230 from trunk:

* server/protocol.c (ap_content_length_filter): Rewrite the content

length filter to avoid arbitrary memory consumption for streaming

responses (e.g. large CGI script output). Ensures C-L is still

generated in common cases (static content, small CGI script output),

but this DOES change behaviour and some responses will end up

chunked rather than C-L computed.

PR: 61222

Submitted by: jorton, rpluem

Reviewed by: jorton, wrowe, ylavic

core, mod_rewrite: introduce the 'redirect-keeps-vary' note

to allow proper Vary header insertion when

dealing with a RewriteRule in a directory


This change is an attempt to fix a long standing problem,

brought up while working on PR 58231. Our documentation clearly

states the following:

"If a HTTP header is used in a condition this header is added

to the Vary header of the response in case the condition

evaluates to true for the request."

This is currently not true for RewriteCond/Rules working in

a directory context, since when an internal redirect happens

all the outstanding response headers get dropped.

There might be a better solution so I am looking forward to

hear more opinions and comments. My goal for a delicate change

like this one would be to affect the least amount of configurations

possible, without triggering unwanted side effects.

If the solution is good for everybody tests will be written

in the suite asap.

Merge r1736186 from trunk:

mod_ssl: return non ambiguous value in ssl_callback_SessionTicket() for

encryption mode (we used to return 0, OpenSSL documents returning 1 instead).

Practically this does not change anything since OpenSSL will only check for

>= 0 return value (non error) for encryption mode (the other possible return

values are only relevant for decryption mode).

However the OpenSSL documentation for SSL_CTX_set_tlsext_ticket_key_cb()



The return value of the cb function is used by OpenSSL to determine what

further processing will occur. The following return values have meaning:


This indicates that the ctx and hctx have been set and the session can

continue on those parameters. Additionally it indicates that the session

ticket is in a renewal period and should be replaced. The OpenSSL library

will call cb again with an enc argument of 1 to set the new ticket (see

RFC5077 3.3 paragraph 2).


This indicates that the ctx and hctx have been set and the session can

continue on those parameters.


This indicates that it was not possible to set/retrieve a session ticket

and the SSL/TLS session will continue by by negotiating a set of

cryptographic parameters or using the alternate SSL/TLS resumption

mechanism, session ids.

If called with enc equal to 0 the library will call the cb again to get a

new set of parameters.

less than 0

This indicates an error.


So 0 is not appropriate in our code, 1 is what we really want (and it won't

break if OpenSSL later changes its checks on the callback return value).

Reported/Proposed by: oknet on github, pull request #18.

Reviewed by: jorton, ylavic, wrowe

[Closes #18]

Vote, promote.
Upvote, promote
This appears wrong... left a duplicate break line here when manually editing
Fix Release as well as Debug target, submitted by Ivan Zhakov

Merge r1798785 from trunk:

Quiet spurious gcc warning in ap_parse_form_data ("'escaped_char[0]' may be

used uninitialized in this function").

Submitted by: ylavic

Reviewed by: jailletc36, ylavic, jorton

mod_ssl SessionTicket callback fixeruper.


XML updates.

ab: Make the TLS layer aware that the underlying socket is nonblocking,

and use/handle POLLOUT where needed to avoid busy IOs and recover write

errors when appropriate.

ab: Keep reading nonblocking to exhaust TCP or SSL buffers when previous

read was incomplete (the SSL case can cause the next poll() to timeout

since data are buffered already). PR 61301

Merge r1811570 from trunk:

* Make it compatible with Python 3

Submitted by: rpluem

Merge r1811569 from trunk:

* The calculation of the sizes was flawed:

The index tells us the size of the node in 4096 byte pages minus 1.

Hence we need to multiply back with 4096 aka << 12 (plus adding the

missing page).

Submitted by: rpluem

Merge r1811540, r1811541 from trunk:

* It needs to be the dereferenced node

* Convert to int before using

Submitted by: rpluem

* Make it compatible with Python 3