chrisd in httpd

Skip DirectoryIndex execution unless method is GET or POST, restoring
2.2 behavior when using mod_dav. PR 54914.

Otherwise, variable behavior results: if no DirectoryIndex file is found,
mod_dav's r->handler runs as expected. But if an index file is found,
r->handler will be changed by ap_internal_fast_redirect() to something
other than mod_dav's r->handler, while r->method is left unchanged,
usually leading to a 405 response.

Follow-up to r1540312, adding compatibility note for optional
socache provider arguments.

Propose mod_authn_socache provider argument support.

Support optional initialization arguments for socache providers in


Correct typo in comments for ap_map_http_request_error().

Correct typo in comments for ap_map_http_request_error().

Follow up to r1526598: add missing util_fcgi source files.

Vote and promote.

Propose AuthBasicUseDigestAlgorithm directive.

Vote and promote.

Update transformations.

Add AuthBasicUseDigestAlgorithm directive to allow migration of
passwords from digest to basic authentication.

propose backport of r1376695 to limit logged Status lines

Catch up change log with r1376695.

Apply the same length limit when logging Status header values
as used when logging invalid header lines.

Application of a limit on logged header data suggested by Jeff Trawick.

Simplify change log entry for r1362317, per Jeff's advice.

propose r1362538 for backport

Log the value of Status header lines in script responses rather than
just the fixed header name of "Status".

Fix ordering of change notes from r1362317 and r1362533.

(Apologies again -- another habit clearly long-forgotten.)

Conform script response parsing with mod_cgid and ensure no response body
is sent when ap_meets_conditions() determines that request conditions
are met.

The design of fcgid_bridge.c follows mod_cgid.c in its use of the
ap_scan_script_header_err_*() functions. A patch submitted to the original
maintainer and committed in r753526 supports conditional requests simply by
not returning early when ap_meets_conditions() returns < 400. However, the
response body is still sent, unlike mod_cgid's handling of this case.

In r541990 mod_cgid's handling of the 304 return code was altered and
key comments added. This patch realigns mod_fcgid with mod_cgid and
adds further comments regarding mod_fcgid's output filter.

Merge access control hook function logic into a common base, with
improved comments and logging, to reduce code duplication and simplify
future maintenance.

Add a note relating to r1357986 (avoid making internal sub-requests
when Location headers seen in FCGI_AUTHORIZER mode).

Apologies for the separate commit -- I've clearly forgotten some habits.

Avoid internal sub-requests and processing of Location headers when
in FCGI_AUTHORIZER mode, as the mod_fcgid_authenticator(), etc. hook
functions report an error if the script returned a Location header and
redirections are nonsensical in this mode.

Previously, the handle_request_ipc() and handle_request() functions would
examine this header when in FCGI_AUTHORIZER mode and then possibly execute
an internal sub-request, which has no particular use, as its return value
is ignored and its output may conflict with that of the actual content
generation phase.

Restore set_access_info()/set_access_authoritative()/get_access_info()
triplet which was split by the introduction of a configuration function
for FcgidWin32PreventOrphans in r1311569.

updated notes on ap_hook_check_* wrappers and AP_AUTH_INTERNAL_* flags

Allow processes to be reused within multiple phases of a request
by releasing them into the free list as soon as possible after reading
their response headers. This applies to processes being used in
the FCGI_AUTHORIZER role, as well as those returning error codes or


Thus a single process may act as both an authorizer and a responder for
a single request. It may also handle ErrorDocument redirections,
e.g., if it responds with a 401 status code while authorizing, the same
process may then handle that error and respond with a custom login page.

Fix lookup of process command lines when using FcgidWrapper or
access control directives, including within .htaccess files.

Making the existing command-line-to-group-ID mapping work with dynamically
discovered configurations (i.e., .htaccess files) and making it thread-safe
would require global shared-memory storage with locks, or something similar.
Instead we just use the raw command lines to help distinguish different


Also clean up some interactions between access control directives and
wrappers, specifically, since AAA directives perform a check for an
extant (executable) file based on the path they're configured with,
they can only work with wrappers if the wrapper is an actual file, not
a virtual one, and thus we can remove the additional get_wrapper_info() calls
for these directives. Effectively, the AAA directives are themselves a
kind of wrapper, since we're not looking up their process from the requested
URL. Future work might allow the AAA directives to take a command line
with arguments, making them equal citizens with non-AAA wrappers.

Fix minor formatting typo in r904317.

In FCGI_AUTHORIZER role, avoid spawning a new process for every
different HTTP request. This incorrect behaviour occurred because
the inode, deviceid, etc. used to look up existing processes were
always extracted from r->finfo. In the FCGI_AUTHORIZER role, this is
just whatever resource is being protected (e.g., an image file);
instead we want to use the inode, deviceid, etc. for the configured program.

rename auth_conf to fcgid_auth_conf