mod_proxy_wstunnel: Bypass the handler while the connection is not upgraded to WebSocket, so that other modules can possibly take over the leading HTTP requests.

mod_proxy_scgi: ProxySCGIInternalRedirect now allows an alternate response header to be used by the application, for when the application or framework is unable to return Location in the internal-redirect form.

Remove entries for fixes/features already merged to 2.4.x branch

Revert r1672014 - doesn't work as advertised (would break configs where the per-vhost log level is different from the global level)

libressl fix for removed ENGINE_CTRL_CHIL_SET_FORKCHECK Submitted By: Stuart Henderson <sthen openbsd.org> Commited By: covener

Add CHANGES entry before backport proposal

UNSET the VirtualHost's LogLevel just before calling ap_merge_log_config(), to make sure that the DEFAULT_LOGLEVEL (APLOG_WARNING) is also in effect when ap_process_config_tree() in main.c:main() walks through the VirtualHost sections. See https://mail-archives.apache.org/mod_mbox/httpd-dev/201404.mbox/%3C535CC85B.80501%40velox.ch%3E for one case this is addressing. This reverts the change from r1024427 on the one hand, but still ensures correct LogLevel merging on the other hand.

allow time to first byte (of response headers) to be logged by mod_logio. mod_logio was just a conveninent place to do this w/o writing a new filter or complicating an existing important one.

CHANGES: remove entries merged into 2.4.x.

http: Add support for RFC2324/RFC7168. Sample implementation: http://people.apache.org/~minfrin/mod_teapot.c

mod_proxy_wstunnel: Avoid an empty response by failing with 502 (Bad Gateway) when no response is ever received from the backend.

CHANGES: follow up to r1669289.

backported

backported

core: follow up to r1668532: CHANGES entry.

Retry ENOENT like ECONNREFUSED, but only near a server restart. PR57685 Submitted By: Edward Lu Committed By: covener

core: Cleanup the request soon/even if some output filter fails to handle the EOR bucket.

mpm_event: Allow for timer events duplicates. Meanwhile ap[r]_skiplist_add()...

Avoid a potential integer underflow in the lock timeout value sent back to a client. The answer to a LOCK request could be an extremly large integer if the time needed to lock the resource was longer that the requested timeout given in the LOCK request. In such a case, we now answer "Second-0". PR55420

ssl_util: Fix possible crash (free => OPENSSL_free) and error path leaks when checking the server certificate constraints (SSL_X509_getBC()).

CHANGES: remove backported entries.

CHANGES: follow up to r1656259 and r1665625. Merge both commits into a single entry to ease common backport.

mod_proxy: follow up to r1665215: CHANGES entry.

* Do not reset the retry timeout if the worker is in error at this stage even if the connection to the backend was successful. It was likely set into error by a different thread / process in parallel e.g. for a timeout or bad status. We should respect this and should not continue with a connection via this worker even if we got one.

*) mod_rewrite: Add support for starting External Rewriting Programs as non-root user on UNIX systems by specifying username and group name as third argument of RewriteMap directive.

*) SECURITY: CVE-2015-0253 (cve.mitre.org) core: Fix a crash introduced in with ErrorDocument 400 pointing to a local URL-path with the INCLUDES filter active, introduced in 2.4.11. PR 57531. [Yann Ylavic] Submitted By: ylavic Committed By: covener

backported

backported

core: If explicitly configured, use the KeepaliveTimeout value of the virtual host which handled the latest request on the connection, or by default the one of the first virtual host bound to the same IP:port. For non-async MPMs, use either r->server's or c->base_server's value in ap_process_http_sync_connection() depending on a new server_rec's flag called keep_alive_timeout_set and determined at config time. For event MPM, use a queue per timeout value, chaining the queues per type (keepalive wrt KeepAliveTimeout, write completion wrt to Timeout) so that maintenance can be done on all the queues from the head, and such that insertions/maintenance remain in O(1). A server config is created and pointing to the queue of each vhost at post_config time, hence the config can be associated to the connection state (cs) at post_read_request time (keep_alive_timeout_set is used to determine r->server vs c->base_server here), and we can simply insert with TO_QUEUE_INSERT(cs->sc->q, cs). PR56226. While at it, since each queue now embeds it own timeout and hence the expiration_time of the cs has changed to a queue_timestamp (the time it was queued), we can detect clock skews and expire entries immediatly if the system is set (eg. far) in the past during runtime and we want to avoid waiting for (eg.) centuries before the current logic kills them. Any entry which is registered above now + q->timeout is concerned, and is now cleaned from the queue when encountered. PR57374.

mod_authn_core: Add expression support to AuthName and AuthType.

Remove some backported entries

CHANGES: follow up to r1662245: Add PR number.

mod_deflate: follow up to r1619383 and r1619444: CHANGES entry.

ab: Add missing longest request (100%) to CSV export. Submitted by: Marcin Fabrykowski <bugzilla fabrykowski.pl> Committed by: ylavic

Backported

core: Add expression support to ErrorDocument. Switch from a fixed sized 664 byte array per merge to a hash table.

mod_ssl: Add the SSL_CLIENT_CERT_RFC4523_CEA variable, which provides a combination of certificate serialNumber and issuer as defined by CertificateExactMatch in RFC4523.

suexec: Filter out HTTP_PROXY Some programs look there for the http proxy server.

mod_proxy_http: Use the "Connection: close" header for requests to backends not recycling connections (disablereuse), including the default reverse and forward proxies.

mod_proxy_http: Don't expect the backend to ack the "Connection: close" to finally close those not meant to be kept alive by SetEnv proxy-nokeepalive or force-proxy-request-1.0, and respond with 502 instead of 400 if its Connection header is invalid.

Fix a precedence issue. The logic is unchanged but 'ret' does not have the expected value. So the logged error message may be incorrect. + add some empty lines between functions

mod_proxy(es): Avoid error response/document handling by the core if some input filter already did it while reading client's payload. When an input filter returns AP_FILTER_ERROR, it has already called ap_die() or at least already responded to the client. Here we don't want to lose AP_FILTER_ERROR when returning from proxy handlers, so we use ap_map_http_request_error() to forward any AP_FILTER_ERROR to ap_die() which knows whether a response needs to be completed or not. Before this commit, returning an HTTP error code in this case caused a double response to be generated. Depends on r1657881 to preserve r->status (for logging) when nothing is to be done by ap_die() when handling AP_FILTER_ERROR.

http: Make ap_die() robust against any HTTP error code and not modify response status (finally logged) when nothing is to be done.

CHANGES: Follow up to r1657636, clarify message.

mod_proxy_connect/wstunnel: If both client and backend sides get readable at the same time, don't lose errors occuring while forwarding on the first side when none occurs next on the other side, and abort.

*) SECURITY: CVE-2015-0228 (cve.mitre.org) mod_lua: A maliciously crafted websockets PING after a script calls r:wsupgrade() can cause a child process crash. [Edward Lu <Chaosed0 gmail.com>] Discovered by Guido Vranken <guidovranken gmail.com> Submitted by: Edward Lu Committed by: covener

Fix bit-shifting of websockets frame fields that would yield wrong opcodes when the FIN bit was set. Results in PING not being recognized by mod_lua. PR57524 Submitted By: Edward Lu Committed By: covener

mod_macro: Clear macros before initialization to avoid use-after-free on startup or restart when the module is linked statically. PR 57525 Submitted by: apache.org tech.futurequest.net Committed by: Yann Ylavic

Follow up to r1656259: CHANGES entry.

Block Define/Undefine from per-directory context, because they will fire while the block is read not when it evaluates for a given request.

AP_INIT_NO_ARGS mishandled in macro Submitted by: Joachim Zobel <jzobel heute-morgen.de>, covener Committed by: covener

mod_ssl: Fix merge problem with SSLProtocol that made SSLProtocol ALL ignored in virtualhost context (new version of r1653906 reverted by r1653993). Submitted By: Michael Kaufmann <apache-bugzilla michael-kaufmann.ch> Committed/modified By: ylavic

mod_ssl: revert r1653906, will commit an alternative just after. The issue with r1653906 is that existing configurations like "SSLProtocol -SSLv3" (where the default is assumed to be ALL) won't work anymore.

mod_alias: Introduce expression parser support for Alias, ScriptAlias and Redirect.

Fix merge problem with SSLProtocol that made SSLProtocol ALL ignored in virtualhost context. Submitted By: Michael Kaufmann <apache-bugzilla michael-kaufmann.ch> Commited By: covener

mod_rewrite: Improve 'bad flag delimeters' startup error by showing how the input was tokenized. PR 56528. Submitted By: Edward Lu <Chaosed0 gmail.com> Committed By: covener

backported

backported

Backported

Update conn_rec.id when a new thread begins working on a connection, because the old thread may work on a new connection and assign the same ID in parallel. Submitted By: Michael Thorpe Committed By: covener

Add support for extracting subjectAltName entries of type rfc822Name and dNSName into SSL_{CLIENT,SERVER}_SAN_{Email,DNS}_n variables. * docs/manual/mod/mod_ssl.xml: add SSL_*_SAN_*_n entries to the environment variables table * modules/ssl/ssl_engine_kernel.c: in ssl_hook_Fixup, add extraction of subjectAltName entries for the "StdEnvVars" case * modules/ssl/ssl_engine_vars.c: add support for retrieving the SSL_{CLIENT,SERVER}_SAN_{Email,DNS}_n variables, either with individual on-demand lookup (ssl_var_lookup_ssl_cert_san), or with full-list extraction to the environment ("StdEnvVars") * modules/ssl/ssl_private.h: add modssl_var_extract_san_entries prototype * modules/ssl/ssl_util_ssl.c: implement SSL_X509_getSAN and SSL_ASN1_STRING_to_utf8 helper functions, with factoring out common code from SSL_X509_getIDs and SSL_X509_NAME_ENTRY_to_string where suitable. Limit SSL_X509_getSAN to the two most common subjectAltName entry types appearing in user or server certificates (i.e., rfc822Name and dNSName), for the time being. * modules/ssl/ssl_util_ssl.h: add SSL_ASN1_STRING_to_utf8 and SSL_X509_getSAN prototypes

mod_proxy: Don't put non balancer-member workers in error state by default for connection or 500/503 errors, and honor status=+I for any error. PR 48388.

Add CHANGE for r1649632

Add PR

* modules/cache/mod_socache_memcache.c (socache_mc_store): Pass through expiration time. Submitted by: Faidon Liambotis <paravoid debian.org>, jorton

split-logfile: Fix perl error: 'Can't use string ("example.org:80") as a symbol ref while "strict refs"'. PR 56329. Submitted By: Holger Mauermann <mauermann gmail.com> Committed By: covener

PR 56603: Inappropiate ProxyPassReverse match when interpolated URL is empty string Submitted By: <ajprout hotmail.com> Committed By: covener

Configuration files with long lines and continuation characters are not read properly. PR 55910. Submitted By: Manuel Mausz <manuel-as mausz.at> Committed By: covener

provide alternative PATH_INFO calculation options for proxy_fcgi. PR 55329

typo and formatting

Allow SetHandler+UDS+fcgi to take advantage of dedicated workers including opting in to connection reuse and other proxy options (max=, etc). adds 'enablereuse' proxyoption and a minor MMN bump to share proxy_desocketfy outside of mod_proxy.c, which is required to match workers to URLs.

Allow (a hokey) opt-in to connection reuse for mod_proxy_fcgi + TCP. Connection reuse has been disabled since r1032345 at the end of 2011. Attempt to reverse the polarity of the connection reuse doc which has been wrong for a long time.

tweak SCRIPT_FILENAME passed to fastcgi backends when a balancer is used.

* Fix If-Match handling: - We need to fail if we do NOT match. - ETag comparison only makes sense if we have an ETag PR: 57358 Submitted by: Kunihiko Sakamoto <ksakamoto google.com> Reviewed by: rpluem

in 2.4

mod_proxy: don't add the default port to the name of proxy workers. PR 57259. ap_proxy_port_of_scheme() knows more default ports than apr_unparse_uri().

* mod_ssl: Fix renegotiation failures redirected to an ErrorDocument. PR 57334. When this occurs, the redirect (internal) request reaches ssl_hook_Access() and make SSL_do_handshake crash probably because we force the renegotiation based on an incomplete SSL state. To avoid this, ssl_hook_Access() now returns FORBIDDEN immediatly if the given SSL connection is not in a valid (handshaken) state.

backported in r1642861

* core: Fix -D[efined] or <Define>[d] variables lifetime accross restarts. PR 57328. Submitted-by: Armin Abfalterer <a.abfalterer gmail.com> Reviewed/Committed-by: ylavic

* mod_proxy_ajp: Fix client connection errors handling and logged status when it occurs. PR 56823.

ap_expr: Add filemod function for checking file modification times.

core: Add CGIPassAuth directive to control whether HTTP authorization headers are passed to scripts as CGI variables. PR: 56855

backported in r1641551

*) SECURITY: CVE-2014-8109 (cve.mitre.org) mod_lua: Fix handling of the Require line when a LuaAuthzProvider is used in multiple Require directives with different arguments. PR57204 [Edward Lu <Chaosed0 gmail.com>] Submitted By: Edward Lu Committed By: covener

Remove some instances where a RewriteBase must be specified Previously, any time you used a relative substitution in per-directory/htaccess context, you needed to specify a RewriteBase. But in case where the context document root and context prefix are known via e.g. mod_userdir or mod_alias, and the substitution is under the context document root, we can determine the replacement automatically. This makes htaccess files or config snippets a bit more portable.

mod_ssl: Fix recognition of OCSP stapling responses that are encoded improperly or too large. The one byte "ok" flag stored with the response was accounted for in the wrong condition.

mod_authnz_fcgi is not vulnerable to the CVE-2014-3583 bug (and it is too late to use the same CVE anyway). The code changes to mod_authnz_fcgi are retained in order to keep the similar code in sync between the two modules.

Follow up to r1640040: CHANGES entry.

mod_proxy_fcgi: SECURITY: CVE-2014-3583 (cve.mitre.org) Fix a potential crash with response headers' size above 8K. The code changes to mod_authnz_fcgi keep the handle_headers() function in sync between the two modules. mod_authnz_fcgi does not have this issue because it allocated a separate byte for terminating '\0'.

Revert r1638818, r1639812, r1639717 and r1639814 for new staging.

mod_authnz_fcgi: Fix a potential crash with response headers' size above 8K. (similar to r1638818 for mod_proxy_fcgi).

revert r1638691, more comprehensive followup planned shortly.

mod_proxy_fcgi: CVE-2014-3583: Fix a potential crash with response headers' size above 8K.

Fix a bug in r1604350 that can lead to crashes in the event MPM under load. if start_lingering_close_blocking() returns 0, notify_suspend() will write a 1 into some potentially recently free'd memory from ptrans (cs->suspended).

see your doctor about any rashes since r1608202.

Resolve rashes with LDAP authz and non-LDAP authn since r1608202.

remove some more recent 2.4 backports.

remove two recently backported items

Support custom ErrorDocuments for HTTP 501 and 414 status codes. PR 57167 [Edward Lu <Chaosed0 gmail.com>] Submitted By: Edward Lu <Chaosed0 gmail.com> Committed By: covener

mod_proxy_connect: Don't issue AH02447 on sockets hangups, let the read determine whether it is a normal close or a real error. PR 57168. Abort the client or backend connection on polling errors, but don't forcibly abort the client side at the end (the core filters will do that otherwise when necessary), so that lingering close and SSL shutdown can occur on normal close.

mod_proxy_wstunnel: abort backend connection on polling error to avoid further processing (lingering close, SSL shutdown).

Follow up to r1632742: CHANGES entry.

When using EBCDIC encoding, HTTPS through ProxyPass and ProxyRemote doesn't work correctly. PR 57092 Submitted By: Edward Lu Committed By: covener

fix another case of 304 response sent to an unconditional request

* Use the correct server name for SNI in case the backend SSL connection itself is established via a proxy server. PR: 57139 Submitted by: Szabolcs Gyurko <szabolcs gyurko.org>

Remove some backported item

SSLOCSPUseRequestNonce already in 2.4.x branch

* Check if we are having an SSL connection before looking up SSL related variables during expression evaluation to avoid a crash. If not return an empty string. PR: 57070

core: follow up to r1629925: changelog.

mod_cache_socache: Change average object size hint from 32 bytes to 2048 bytes.

mod_cache_socache: Add cache status to server-status. The status_hook simply calls the status function of socache, very much like mod_ssl does for the ssl session cache.

Move OCSP stapling information from a per-certificate store (ex_data attached to an X509 *) to a per-server hash which is allocated from the pconf pool. Fixes PR 54357, PR 56919 and a leak with the certinfo_free cleanup function (missing OCSP_CERTID_free). * modules/ssl/ssl_util_stapling.c: drop certinfo_free, and add ssl_stapling_certid_free (used with apr_pool_cleanup_register). Switch to a stapling_certinfo hash which is keyed by the SHA-1 digest of the certificate's DER encoding, rework ssl_stapling_init_cert to only store info once per certificate (allocated from the pconf to the extent possible) and extend the logging. * modules/ssl/ssl_private.h: adjust prototype for ssl_stapling_init_cert, replace ssl_stapling_ex_init with ssl_stapling_certinfo_hash_init * modules/ssl/ssl_engine_init.c: adjust ssl_stapling_* calls Based on initial work by Alex Bligh <alex alex.org.uk>

mod_substitute: Restrict configuration in .htaccess to FileInfo as documented.

mod_substitute: Make maximum line length configurable.

Add CHANGES for r1628104. (mod_substitue: Fix memory limitation in case of regexp plus flatten.)

backported

Improve CHANGES description

Content-Length header should always be interpreted as a decimal. Leading 0 could be erroneously considered as an octal value. PR 56598. [Chris Card <ctcard hotmail com>]

SECURITY (CVE-2014-3581): Fix a mod_cache NULL pointer deference in Content-Type handling. mod_cache: Avoid a crash when Content-Type has an empty value. PR56924. Submitted By: Mark Montague <mark catseye.org> Reviewed By: Jan Kaluza

these are backported

PR53218 Allow for longer worker names and make truncation a non-fatal error...

Add API to support TLS channel bindings with mod_ssl. * modules/ssl/mod_ssl.h: Define ssl_get_tls_cb. * modules/ssl/ssl_engine_vars.c (ssl_get_tls_cb): New function. Submitted by: Simo Sorce <simo redhat.com>

don't let handlers start with r->status = 304 during a failed revalidation PR56881

Avoid useless warning message when parsing a section guarded by <IfDefine foo> if $(foo) is used within the section. PR 56503

mod_proxy_fcgi: Fix faulty logging of large amounts of stderr from the application. PR: 56858 Submitted by: Manuel Mausz <manuel-asf mausz.at> Reviewed by: trawick

PR56832 -- mod_ratelimit reports at ERROR level everytime a lower-level filter encounters an error. Since the core output filter only emits TRACE1, a higher level filter shouldn't log the same condition as ERROR.

PR53420: Proxy responses with error status and "ProxyErrorOverride On" hang until proxy timeout. Regression from 2.2. It was introduced by r912063 in order to fix PR41646.

mod_proxy_wstunnel: Concurrent websockets messages could be lost or delayed with ProxyWebsocketAsync enabled. Submitted By: Edward Lu Committed By: covener

Add compiled and loaded PCRE version numbers to "httpd -V" output and to mod_info page.

mpm_winnt: Accept utf-8 (Unicode) service names and descriptions for internationalization.

Remove backported item.

*) SECURITY: CVE-2013-5704 (cve.mitre.org) core: HTTP trailers could be used to replace HTTP headers late during request processing, potentially undoing or otherwise confusing modules that examined or modified request headers earlier. Adds "MergeTrailers" directive to restore legacy behavior. Submitted By: Edward Lu, Yann Ylavic, Joe Orton, Eric Covener Committed By: covener

fix logic in ap_method_list_(add|remove) in order: - to correctly reset bits - not to modify the 'method_mask' bitfield unnecessarily Also remove a useless 'register' in the declaration of a variable.

Suggestion from Rick Houser -- for compatibility, pick an unusual character as the first character in a 2/3 character pattern.

allow two character mod_log_config formats

Remove backported item.

remove entries for recently backported changes

Extend the scope of SSLSessionCacheTimeout to sessions resumed by TLS session resumption (RFC 5077).

Add CHANGES for r1610207.

Include any error notes set by modules in the canned error response for 403 errors.

Set an error note for requests rejected due to SSLStrictSNIVHostCheck. This allows custom error documents to include the specific reason for denying access to the server.

Perform SNI checks only on the initial request. In particular, if these checks detect a problem, the checks shouldn't return an error again when processing an ErrorDocument redirect for the original problem.

backported

Consolidate common code that got duplicated by 2.3.x authz refactoring. Arrange for backend LDAP connections to be returned to the pool by a fixup hook rather than staying locked until the end of (a potentially slow) request. Add a little more trace4 to the authnz_ldap side of LDAP connection obtain/release.

make LDAPConnectionPoolTTL more conservative, use r->request_time rather than end-of-request time, and only update it after a round-trip with the LDAP server rather than every time we check back into the pool.

remove some entries now present in the 2.4.x branch

be more general

missed a case in r1538490: PR56639 Always NULL c->sbh before putting a connection back in a pollset or queue. We can't NULL c->sbh at the bottom of process_socket() after putting a socket back on the event_pollset or having it go into lingering close, because the listener or a worker thread could A) continue on the connection or B) free and allocate the same conn_rec pointer before we get to the bottom of process_socket(). Submitted By: Edward Lu Committed By: covener

Remove backported changes.

Add missing CHANGES entries for r1572655,1572663,1572668-1572671,1573224,1586745,1587594,1587639,1590509, r1572092, and r1572896,1572911.

mod_proxy: Don't limit the size of the connectable Unix Domain Socket paths. Since connect() to UDS path is used at several places, introduce ap_proxy_connect_uds() in proxy_util.

mod_proxy_fcgi iobuffersize support in 2.4.x via r1601749

mod_ssl: dump SSL IO/state for the write side of the connection(s), like reads.

Fix ab's r1601076 changelog credits.

Add ab's r1601076 changelog.

Remove one backported change.

mod_proxy: Shutdown (eg. SSL close notify) the backend connection before closing.

Revert r1601285 and r1601283. Shouldn't have commited the latter without disussing it on dev@. Since the former creates upper APLOGNOs, revert and then recommit with the reverted next tag number.

mod_proxy: Shutdown (eg. close notify) the backend connection before closing.

mpm_event[opt]: Send the SSL close notify alert when the KeepAliveTimeout expires. PR54998.

mod_ssl: Ensure that the SSL close notify alert is flushed to the client. PR54998. Submitted By: Tim Kosse <tim.kosse filezilla-project.org>, ylavic Committed By: ylavic

Remove backported changes.

add GlobalLog directive to allow a diagnostic log to be inherited by all virtual hosts, even if they define their own logs. Submitted By: Edward Lu <Chaosed0 gmail.com> Committed by: covener

Optimize w/ duplicated listeners and use of SO_REUSEPORT where available.

mod_proxy_html: support automatic doctype detection. PR 56285 Patch by Micha Lenk, adapted by niq

mod_proxy_html: skip documents < 4 bytes PR 56286 Micha Lenk

Fix computation of the size of 'struct sockaddr_un' when passed to 'connect()'. Use the same logic as the one in ' in 'proxy_util.c'.

mod_socache_shmcb: Correct counting of expirations for status display. Expirations happening during retrieval were not counted.

* Correctly escape user provided data. PR: 56532 Submitted by: Maksymilian <max cert.cx> Reviewed by: rpluem

mod_proxy_wstunnel: Fix the use of SSL connections with the "wss:" scheme. PR55320. Submitted by: Alex Liu <alex.leo.ca gmail.com> Committed by: ylavic

Remove entry for r1583175 and r1593745, now in 2.4.x branch

PR56333: Add an API to resume a connection that a handler has previously suspended. Submitted by: Artem <artemciy gmail.com>, Edward Lu <Chaosed0 gmail.com> Committed by: covener

Extend the socket callbacks in event to allow a timeout on the I/O callback. When a socket callback has a timeout, an associated timer event is used to remove the sockets from the pollset and call a timeout function. * This includes a noteworthy change to the main event loop. Previously, we would call epoll, then process the timer events, then iterate through the poll results. After this patch, the timer events are processed before the poll() a _non-queued_ action can change the pollset conents (a users timed callback function conversely could easily sit in a queue while the main thread continues down into epoll) * timer events can now have sockets associated with them, those sockets are removed from the pollset when the timer event fires w/o a queue to the worker. * timer events now have a canceled flag that can be toggled without locking the timer list. * Drop the severity of some wstunnel messages from DEBUG to TRACE1 * Lift the restriction on using asynchronous websockets connections but having an idle timeout

stop setting context info for AliasMatch. These concepts do not really map well/reliably to AliasMatch.

remove some entries for backported improvements

mod_proxy_scgi: Support Unix sockets. ap_proxy_port_of_scheme(): Support default SCGI port (4000).

now understood why users haven't reported the segfault (yet) when mod_proxy_fcgi can't connect to the application

mod_proxy_fcgi: Fix occasional high CPU when handling request bodies.

mod_proxy_fcgi: Support iobuffersize parameter.

mod_cache: Preserve non-cacheable headers forwarded from an origin 304 response. PR 55547. When mod_cache asks for a revalidation of a stale entry and the origin responds with a 304 (not that stale), the module strips the non-cacheable headers from the origin response and merges the stale headers to update the cache. The problem is that mod_cache won't forward the non-cacheable headers to the client, for example if the 304 response contains both Set-Cookie and 'Cache-Control: no-cache="Set-Cookie"' headers, or CacheIgnoreHeaders is used.

mod_cache: Don't add cached/revalidated entity headers to a 304 response. PR 55547. When the conditional request meets the conditions of the stale then revalidated entry, the forwarded 304 response includes the entity headers merged from the cached headers (before updating the entry). Strip them before returning a 304. Since the entity headers are stripped elsewhere, factorize the code using a new table (MOD_CACHE_ENTITY_HEADERS[]) containing these headers's names.

Revert r1591312 (again) to commit the 2 fixes separately.

mod_cache: Don't add cached/revalidated entity headers to a 304 response. PR 55547. When the conditional request meets the conditions of the stale then revalidated entry, the forwarded 304 response includes the entity headers merged from the cached headers (before updating the entry). Strip them before returning a 304. Since the entity headers are stripped elsewhere, factorize the code using a new table (MOD_CACHE_ENTITY_HEADERS[]) containing these headers's names.

Rollback r1591302, wrong file commited.

mod_cache: Don't add cached/revalidated entity headers to a 304 response. PR 55547. When the conditional request meets the conditions of the stale then revalidated entry, the forwarded 304 response includes the entity headers merged from the cached headers (before updating the entry). Strip them before returning a 304. Since the entity headers are stripped elsewhere, factorize the code using a new table (MOD_CACHE_ENTITY_HEADERS[]) containing these headers's names.

mod_cache: Retry unconditional request with the full URL (including the query-string) when the origin server's 304 response does not match the conditions used to revalidate the stale entry. http://www.mail-archive.com/dev@httpd.apache.org/msg59884.html

mod_authnz_ldap: Fail explicitly when the filter is too long. Remove unnecessary apr_pstrdup() and strlen().

mod_proxy_fcgi: Don't segfault when failing to connect to the backend.

Add the ldap-search option to mod_authnz_ldap, allowing authorization to be based on arbitrary expressions that do not include the username.

Add the ldap function to the expression API, allowing LDAP filters and distinguished names based on expressions to be escaped correctly to guard against LDAP injection. Note: this requires at least APR v1.6.0 or above for the apr_escape API.

Add module mod_ssl_ct, which provides an implementation of Certificate Transparency (RFC 6962) for httpd. mod_ssl_ct requires OpenSSL 1.0.2 (in beta) and must be explicitly enabled via configure. Note that support/ctauditscts is purposefully not installed; it does not properly function due to a dependency on a certificate-transparency open source project tool which itself is not sufficiently complete at this time.

in 2.4.x as of r1588496

Fix errors with CacheLock on Windows: cache_util.c(757): (OS 80)The file exists. : [client 127.0.0.1:63889] AH00784: Attempt to obtain a cache lock for stale cached URL failed, revalidating entry anyway:

mod_proxy: Preserve original request headers even if they differ from the ones to be forwarded to the backend. PR 45387.

mod_proxy: follow up to r1588519: CHANGE.

Also clear the error queue before calling SSL_CTX_use_certificate[_chain]_file (workaround for OpenSSL versions before 0.9.8h, see https://rt.openssl.org/Ticket/Display.html?user=guest&pass=guest&id=1513). PR 56410.

Merge r1585090 from trunk: Bring SNI behavior into better conformance with RFC 6066: - no longer send a warning-level unrecognized_name(112) alert when no matching vhost is found (PR 56241) - at startup, only issue warnings about IP/port conflicts and name-based SSL vhosts when running with an OpenSSL without TLS extension support (almost 5 years after SNI was added to 2.2.x, the "[...] only work for clients with TLS server name indication support" warning feels obsolete) Proposed by: kbrand Reviewed by: jorton, ylavic

Prevent an external proxy from presenting an internal proxy in mod_remoteip.c. PR 55962.

axe entries for changes that are in 2.4.10-dev

mod_ssl: Add hooks to allow other modules to perform processing at several stages of initialization and connection handling. See mod_ssl_openssl.h. This is enough to allow implementation of Certificate Transparency outside of mod_ssl.

renamed

typo

several related mod_proxy_wstunnel changes that are tough to pull apart: * make async websockets tunnel opt-in * add config for how long we block a thread in asynch mode * add config for a cap on the synchronous path * avoid sending error responses down the upgraded tunnel

stop leaking websockets backend connections (trunk only)

cleanup wstunnel error handling Submitted By: covener, ylavic, Edward Lu Commited By: covener

*) mod_proxy_wstunnel: Don't pool backend websockets connections, because we need to handshake every time. PR 55890. [Eric Covener]

mod_proxy_http: Add detach_backend hook. The immediate use is for a SSL-related module which works on the backend proxy connection to be able to "leak" information into the client r for logging. This could be useful with other proxy scheme handlers.

Attempt to make progress on PR39727/PR45023 blocking migration to 2.4. Provide DeflateAlterETag directive to choose between 2.2 behavior, 2.4 behavior, or dropping ETag from the compressed representation. Preserves 2.4 default which breas 304 responses for compressed content.

Reverse the order when merging global and vhost-level config arrays. Putting the vhost-level elements last allows overriding global settings (for the deprecated SSLRequire directive, the order is irrelevant, all of them must be met, cf. ssl_engine_kernel.c:ssl_hook_Access).

Only read "active" values from the key_files array. PR 56306.

mod_proxy_fcgi: Fix sending of response without some HTTP headers that might be set by filters. The problem occurs when no body bytes were read while reading the response headers, resulting in an empty brigade being sent down the filter stack. One particualr filter that mishandles the empty initial brigade is mod_deflate. It neglects to add to the response header fields. PR: 55558 Submitted by: Jim Riggs <jim riggs.me> Reviewed by: trawick

add BNP flag to give control to the user on whether a space ' ' in an escaped backrefernece is decoded to a + (default) or %20. Useful if your backreference isn't going into the query string.

Bring SNI behavior into better conformance with RFC 6066: - no longer send a warning-level unrecognized_name(112) alert when no matching vhost is found (PR 56241) - at startup, only issue warnings about IP/port conflicts and name-based SSL vhosts when running with an OpenSSL without TLS extension support (almost 5 years after SNI was added to 2.2.x, the "[...] only work for clients with TLS server name indication support" warning feels obsolete)

Do not delete the wrong data from HTML code when a "http-equiv" meta tag specifies a Content-Type behind any other "http-equiv" meta tag. PR 56287 [Micha Lenk <micha lenk info>]

Move entry already backported to 2.4.8.

Follow up to r1584430.

add CHANGES for r1584417

mod_ssl: follow up to r1583191. New SSLOCSPUseRequestNonce directive's manual and CHANGES. Non functional code changes (modssl_ctx_t's field ocsp_use_request_nonce grouped with other OCSP ones, nested if turned to a single AND condition).

mod_reqtimeout: Resolve unexpected timeouts on keepalive requests under the Event MPM. PR56216. Submitted By: Frank Meier <frank meier ergon ch> Committed By: covener

backported

backported

* This one is backported

These are in 2.4.x

Module identification

CVE-2014-0098 (reported by Rainer Canavan <rainer-apache 7val com>) Segfaults w/ truncated cookie logging. Clean up the cookie logging parser to recognize only the cookie=value pairs, not valueless cookies. This refactors multiple passes over the same string buffer into a single pass parser. Submitted by: wrowe Reviewed by: rpluem, jim

backported

* Put a note in CHANGES about r1553204

backported in r1570530

Allow mod_lua to supply a database result with named rows instead of only numeric indexes.

remove more backported fixes

*) mod_rewrite: Add RewriteOptions InheritDown, InheritDownBefore, and IgnoreInherit to allow RewriteRules to be pushed from parent scopes to child scopes without explicitly configuring each child scope. PR56153. Submitted By: Edward Lu Committed By: covener

mod_lua: Add r:wspeek for checking if data is available to be read.

this was backported too.

backported

handle POLLERR/POLLHUP during poll() to avoid high CPU busy loop. Submitted By: Joffroy Christen <joffroy.christen solvaxis com>, Eric Covener] Committed By: covener

mod_lua: Upgrade r:setcookie to accept a table of arguments, and add domain, path and HttpOnly to the list of options available for setting. PR 56128

mod_lua: Fix r:setcookie() to add, rather than replace, the Set-Cookie header. PR56105 Submitted By: Kevin J Walters <kjw ms com>, Edward Lu <Chaosed0 gmail com> Committed By: covener

mod_proxy_fcgi: Fix error message when an unexpected protocol version number is received from the application. PR: 56110

Use the correct IP addresses to populate the proxy_ips field in mod_remoteip.c. PR 55972.

* Do not parse URL in case of regular expression as they likely do not follow the URL syntax. PR: 56074

Correct the trusted proxy match test in mod_remoteip. PR 54651.\n\nSubmitted By: Yoshinori Ehara <yoshinori ehara gmail com>\nEndorsed By: Eugene L <eugenel amazon com>\nCommited By: mrumph

Add %{CONN_REMOTE_ADDR} to mod_rewrite. PR56094 Submitted By: Edward Lu <Chaosed0 gmail com> Committed By: covener

Skip DirectoryIndex execution unless method is GET or POST, restoring 2.2 behavior when using mod_dav. PR 54914. Otherwise, variable behavior results: if no DirectoryIndex file is found, mod_dav's r->handler runs as expected. But if an index file is found, r->handler will be changed by ap_internal_fast_redirect() to something other than mod_dav's r->handler, while r->method is left unchanged, usually leading to a 405 response.

remove some recent backports

backported before 2.4.7

backported

mod_session: When we have a session we were unable to decode, behave as if there was no session at all.

mod_session: Fix problems interpreting the SessionInclude and SessionExclude configuration. PR: 56038 Submitted by: Erik Pearson <erik adaptations.com> Reviewed by: trawick

followups to r1557641 suggested by nd -- add prefix to both the macro and the handler name itself.

don't search for directory indexes/directoryslashes if a URL is in the middle of being rewritten [in per-dir context]. PR53929

restore http://svn.apache.org/viewvc?view=revision&revision=233369 under a configurable option: don't run mod_dir if r->handler is already set. PR53794

avoid a tight busy loop with memory allocations when the [N] flag isn't making progress. If backported, probably increase the hard-coded limit to 32k from 10k.

PR 55833 fix is in 2.4.x now

Backport r1421323, r1534754, r1546693, r1555464 from trunk: Add support for OpenSSL configuration commands by introducing the SSLOpenSSLConfCmd directive. Proposed by: kbrand Reviewed by: drh, trawick

no more "Covnener"

Fix config merging of SSLOCSPEnable and SSLOCSPOverrideResponder. Reviewed by: rpluem

in 2.4

* CHANGES: Consolidate for humans who have to read this file.

Add directives to control two protocol options: HttpContentLengthHeadZero - allow Content-Length of 0 to be returned on HEAD HttpExpectStrict - allow admin to control whether we must see "100-continue" This is helpful when using Ceph's radosgw and httpd. Inspired by: Yehuda Sadeh <yehuda@inktank.com> See https://github.com/ceph/apache2/commits/precise * include/http_core.h (core_server_config): Add http_cl_head_zero and http_expect_strict fields. * modules/http/http_filters.c (ap_http_header_filter): Only clear out the C-L if http_cl_head_zero is not explictly set. * server/core.c (merge_core_server_configs): Add new fields. (set_cl_head_zero, set_expect_strict): New config helpers. (HttpContentLengthHeadZero, HttpExpectStrict): Declare new directives. * server/protocol.c (ap_read_request): Allow http_expect_strict to control if we return 417. * include/ap_mmn.h (MODULE_MAGIC_NUMBER_MAJOR, MODULE_MAGIC_NUMBER_MINOR): Bump. * CHANGES: Add a brief description.

core: Support named groups and backreferences within the LocationMatch, DirectoryMatch, FilesMatch and ProxyMatch directives.

mod_authz_user: Support the expression parser within the require directives.

mod_authnz_host: Support the expression parser within the require directives.

mod_authnz_groupfile: Support the expression parser within the require directives.

mod_authnz_dbm: Support the expression parser within the require directives.

mod_authnz_dbd: Support the expression parser within the require directives.

mod_authnz_ldap: Support the expression parser within the require directives.

Remove the hardcoded algorithm-type dependency for the SSLCertificateFile and SSLCertificateKeyFile directives, and deprecate SSLCertificateChainFile Splitting the patch into smaller pieces turned out to be infeasible, unfortunately, due to the heavily intertwined code in ssl_engine_config.c, ssl_engine_init.c and ssl_engine_pphrase.c, which all depends on the modssl_pk_server_t data structure. For better comprehensibility, a detailed listing of the changes follows: ssl_private.h - drop the X509 certs and EVP_PKEY keys arrays from modssl_pk_server_t - use apr_array_header_t for cert_files and key_files - drop tPublicCert from SSLModConfigRec - drop the ssl_algo_t struct and the SSL_ALGO_* and SSL_AIDX_* constants ssl_engine_config.c - change to apr_array_header_t for SSLCertificate[Key]File - drop ssl_cmd_check_aidx_max, i.e. allow an arbitrary number of certs and keys (in theory; currently OpenSSL does not support more than one cert/key per algorithm type) - add deprecation warning for SSLCertificateChainFile ssl_engine_init.c - configure server certs/keys in ssl_init_server_certs (no longer via ssl_pphrase_Handle in ssl_init_Module) - in ssl_init_server_certs, read in certificates and keys with standard OpenSSL API functions (SSL_CTX_use_*_file), and only fall back to ssl_load_encrypted_pkey when encountering an encrypted private key - drop ssl_server_import_cert, ssl_server_import_key, ssl_init_server_check, and ssl_init_ctx_cleanup_server - move the "problematic re-initialization" check to ssl_init_server_ctx ssl_engine_pphrase.c - use servername:port:index as the key identifier, instead of the previously used servername:port:algorithm - ssl_pphrase_Handle overhaul: remove all cert/public-key handling, make it only load a single (encrypted) private key, and rename to ssl_load_encrypted_pkey - in the passphrase prompt message, show the private key file name instead of the vhost id and the algorithm name - do no longer supply the algorithm name as an argument to "exec"-type passphrase prompting programs ssl_util.c - drop ssl_util_algotypeof, ssl_util_algotypestr, ssl_asn1_keystr, and ssl_asn1_table_keyfmt ssl_util_ssl.{c,h} - drop SSL_read_X509 - constify the filename arg for SSL_read_PrivateKey

Remove <Proxy ~ wildcard-url> syntax which: - is equivalent to <ProxyMatch wildcard-url> - has never been documented - incorrectly checks parameters (!cmd->path should be !cmd->path[0]) - is buggy (! is missing in front of strncasecmp)

FreeBSD: Disable IPv4-mapped listening sockets by default for versions 5+ instead of just for FreeBSD 5. PR: 53824

mod_auth_form: Add a debug message when the fields on a form are not recognised.

mod_ssl: Add -t -DDUMP_CA_CERTS option which dumps the filenames of all configured SSL CA certificates to stdout the same way as DUMP_CERTS does.

Only close hdrs.fd when returning non-OK from cache_select(), because it will be read from in the very next mod_cache callback recall_headers(). Problem masked on unix by buffering.

If the "value" argument is prefixed with expr=, parse it with ap_expr rather than mod_headers' built-in format strings.

2.4.x CHANGES was updated in r1546547 to cover these entries

Add suspend_connection and resume_connection hooks to notify modules when the thread/connection relationship changes. (Currently implemented only for the Event MPM; should be implemented for all async MPMs.)

remove some new-ish entries for changes now in the 2.4.x branch

mod_ssl: Don't flush when an EOS is received. Prepares mod_ssl to support write completion.

PR: 54852. Only use a dummy_connection for idle processes

Fix potential rejection of valid MaxMemFree and ThreadStackSize directives. Submitted by: Mike Rumph <mike.rumph oracle.com> Reviewed by: trawick

cmake build support for Windows is now in the 2.4.x branch; remove support for building that branch

Add parse_errorlog_arg callback to ap_errorlog_provider to allow providers to check the ErrorLog argument. Implement this check in mod_syslog.

PR 55475: Detect incomplete body in HTTP input filter and return APR_INCOMPLETE

SECURITY (CVE-2014-0231): Fix for DoS due to hang waiting for CGI script. Patch one of two. Permit a read timeout to be used in mod_cgid to give up on a slow CGI script. In trunk, it defaults to the servers Timeout. PR43494 Submitted By: Eric Covener, Toshikuni Fukaya Reviewed By: Eric Covener

PR 55670 Don't risk failing silently at startup when running in a tty.

in 2.4.7

docco userland change

Support optional initialization arguments for socache providers in mod_authn_socache.

mod_session: Reset the max-age on session save. PR 47476.

mod_session: After parsing the value of the header specified by the SessionHeader directive, remove the value from the response. PR 55279.

mod_auth_form: Make sure the optional functions are loaded even when the AuthFormProvider isn't specified.

core: Don't truncate output when sending is interrupted by a signal, such as from an exiting CGI process. PR: 55643

core: Add missing Reason-Phrase in HTTP response headers. PR 54946.

Remove backported items from CHANGES.

*) mod_rewrite: Make rewrite websocket aware to allow proxying. PR 55598. [Chris Harris <chris.harris kitware com>]

add attribution

Don't use a hardcoded cn=* in case the subgroup has no CN. Submitted By: David Hawes <dhawes vt.edu> Committed By: Eric Covener

in 2.4.x

Improve ephemeral key handling (companion to r1526168): - allow to configure custom DHE or ECDHE parameters via the SSLCertificateFile directive, and adapt its documentation accordingly (addresses PR 49559) - add standardized DH parameters from RFCs 2409 and 3526, use them based on the length of the certificate's RSA/DSA key, and add a FAQ entry for clients which limit DH support to 1024 bits (such as Java 7 and earlier) - move ssl_dh_GetParamFromFile() from ssl_engine_dh.c to ssl_util_ssl.c, and add ssl_ec_GetParamFromFile() - drop ssl_engine_dh.c from mod_ssl For the standardized DH parameters, OpenSSL version 0.9.8a or later is required, which was therefore made a new minimum requirement in r1527294.

Increase minimum required OpenSSL version to 0.9.8a (in preparation for the next mod_ssl commit, which will rely on the get_rfcX_prime_Y functions added in that release): - remove obsolete #defines / macros - in ssl_private.h, regroup definitions based on whether they depend on TLS extension support or not - for ECC and SRP support, set HAVE_X and change the rather awkward #ifndef OPENSSL_NO_X lines accordingly For the discussion prior to taking this step, see https://mail-archives.apache.org/mod_mbox/httpd-dev/201309.mbox/%3C524275C7.9060408%40velox.ch%3E

mod_lua: Use a (new) global pool/mutex setup for IVM rather than a per-process pool.

WinNT MPM: Exit the child if the parent process crashes or is terminated. Submitted by: Oracle, via trawick The original modification was made some years ago for Oracle HTTP Server by an Oracle employee. trawick made additional changes for style and for trunk/2.4.x changes.

remove entry for r1525931 (APLOG_STARTUP with ErrorLogFormat), now in 2.4.x branch

minor edits

Fix for PR 54626.

worker MPM: Don't forcibly kill worker threads if the child process is exiting gracefully. Submitted by: Oracle, via trawick This modification was made some years ago for Oracle HTTP Server by an Oracle employee.

mod_proxy: Add ap_connection_reusable() for checking if a connection is reusable as of this point in processing. mod_proxy_fcgi uses the new API to determine if FCGI_CONN_CLOSE should be enabled, but that doesn't change existing behavior since the connection is currently marked for closure elsewhere in the module.

meanwhile in 2.4.6 and 2.2.25, respectively

Streamline ephemeral key handling: - drop support for ephemeral RSA keys (only allowed/needed for export ciphers) - drop pTmpKeys from the per-process SSLModConfigRec, and remove the temp key generation at startup (unnecessary for DHE/ECDHE) - unconditionally disable null and export-grade ciphers by always prepending "!aNULL:!eNULL:!EXP:" to any cipher suite string - do not configure per-connection SSL_tmp_*_callbacks, as it is sufficient to set them for the SSL_CTX - set default curve for ECDHE at startup, obviating the need for a per-handshake callback, for the time being (and also configure SSL_OP_SINGLE_ECDH_USE, previously left out) For additional background, see https://mail-archives.apache.org/mod_mbox/httpd-dev/201309.mbox/%3C52358ED1.2070704@velox.ch%3E

Suppress formatting of startup messages written to the console when ErrorLogFormat is used.

Change the default value of AuthLDAPMaxSubGroupDepth, so sub-group searching is opt-in. Not intended for 2.4 backport.

mod_syslog: New module implementing syslog ap_error_log provider. Previously, this code was part of core, now it's in separate module.

Add ap_errorlog_provider to make ErrorLog logging modular. Move syslog support from core to new mod_syslog.

Borrow a fix from mod_authnz_fcgi: mod_proxy_fcgi: Handle reading protocol data that is split between packets.

Bring some envvar flexibility from mod_authnz_fcgi to mod_proxy_fcgi: mod_proxy_fcgi: Remove 64K limit on encoded length of all envvars. An individual envvar with an encoded length of more than 16K will be omitted.

draft-ietf-httpbis-p1-messaging-23 fixes regarding interactions between TE and content-length in the same req/resp.

Use apr_socket_timeout_get instead of hard-coded 30 seconds timeout. Document r1524368 in CHANGES.

revert 1524161 for the time being

RFC2616 issue

remove some recently backported fixes.

In 2.4, the MPM leaves a copy of the non-disconnected FD sitting in context->accept_socket. This FD will be closed a second time, often shortly after a worker picks it up in this same FD being reused. The first recv fails with WSAENOTSOCK since the same FD was closed in the listener thread while the worker was pulling it off the queue (The second close is of the underlying FD/socket, not a shared apr_socket_t, so it's not short-circuited) This patch makes it a bit more 2.2.x-ish and solves my problem -- the context->accept_socket gets zapped at the bottom of the loop if !disconnected.

mod_auth_digest: Be more specific when the realm mismatches because the realm has not been specified.

SECURITY (CVE-2013-4352): Fix a NULL pointer deference which allowed untrusted origin servers to crash mod_cache in a forward proxy configuration. mod_cache: Avoid a crash with strcmp() when the hostname is not provided.

that line was obviously wrong.

mod_lua: Add rudimentary WebSocket support. This is a WIP (emphasis on the W, I and P) and subject to change as the idea surrounding it evolves into something meaningful. But for now, WebSockets, yay! Please do review this!

Forgot to add getcookie/setcookie to CHANGES. Hereby done.

add "Header note" which was the solution for two users this week on IRC.

Mistakenly try to use a line comment to the end of your Listen directive on Windows => crash-o-matic Or, WinNT MPM: Don't crash during child process initialization if the Listen protocol is unrecognized.

Add r:setcookie(key, val, secure, expires) and r:getcookie(key) to the request_rec table.

mod_status, mod_echo: Fix the display of client addresses. They were truncated to 31 characters which is not enough for IPv6 addresses. PR 54848 [Bernhard Schmidt <berni birkenwald de>]

mod_lua: If the first yield() of a LuaOutputFilter returns a string, it should be prefixed to the response as documented. Also, don't put empty heap buckets in the brigade if a yield() is called with no string.

forgot my name

mod_lua: Remove ETAG, Content-Length, and Content-MD5 when a LuaOutputFilter is configured without mod_filter. [Eric Covener]

register LuaOutputFilters with AP_FILTER_PROTO_CHANGE|AP_FILTER_PROTO_CHANGE_LENGTH

*) mod_filter: Add "change=no" as a proto-flag to FilterProtocol to remove a providers initial flags set at registration time. [Eric Covener]

Return a 500 error instead of DECLINED when LuaHook* script does not return a numeric value.

Add experimental cmake-based build system for Windows. Thanks tdonovan for sharing your earlier version! A lot of good stuff is from Tom; a lot of bad stuff is from me.

fix email ID

"LDAPReferrals off" does not disable LDAPReferrals feature. Default OpenLDAP value for LDAP_OPT_REFERRALS is ON and the current code does not set it to OFF even when there is "LDAPReferrals off" directive in the config file. Changes LDAPReferrals to tri-state: - "on" - default. Calls apr_ldap_set_option to set referrals on. - "off" - Calls apr_ldap_set_option to turn referrals off. - "default" - Does not call apr_ldap_set_option at all. The default remains ON. If "default" and SDK defaults to ON, no rebind callback is used. Submitted By: Jan Kaluza <kaluze AT redhat.com> Committed By: covener

Don't log AUTHZ_DENIED failures at ERROR level in authz providers

pre_htaccess hook is gone

mod_authnz_fcgi: New module to enable FastCGI authorizer applications to authenticate and/or authorize clients. A fair amount of code was taken from or at least based on mod_proxy_fcgi, with a smaller amount taken from mod_fcgid.

merged to 2.4.x

merged to 2.4.x

fcgistarter: Specify SO_REUSEADDR to allow starting a server with old connections in TIME_WAIT.

Make the statement about the poll sense change less strong

Add AuthBasicUseDigestAlgorithm directive to allow migration of passwords from digest to basic authentication.

Add util_fcgi.h and associated definitions and support routines for FastCGI, based largely on mod_proxy_fcgi.

Add ap_log_data(), ap_log_rdata(), etc. for logging buffers.

ab: Fix potential buffer overflows when processing the T and X command-line options. PR: 55360 Submitted by: Mike Rumph <mike.rumph oracle.com> Reviewed by: trawick

remove pre_htaccess/open_htaccess noise now that open_htaccess hook is in 2.4.x branch

In 2.4.x

* modules/metadata/mod_unique_id.c: Replace use of hostname + pid with PRNG output. Submitted by: Jan Kaluza <jkaluza redhat.com> Reviewed by: sf, jorton

restore "core_output_filter: writing data to the network" message when c->aborted is set in the core output filter, but now at TRACE1.

Remove backported items.

Replace pre_htaccess hook with more flexible open_htaccess hook

Remove mod_lua items. Those are part of 2.4 now.

Remove backported items. Reduction by 1/3.

minor readability tweak to r1497371

authnzldap: support "none" as a filter to suppress using a search filter, which is required by some mainframe security products serving native registry over LDAP.

recognize the "defualt handler name" in r->handler, which is used when no SetHandler/AddHandler and no matching mimetype during type_checker.

core: Support the SINGLE_LISTEN_UNSERIALIZED_ACCEPT optimization on Linux kernel versions 3.x and above. PR: 55121 Submitted by: Bradley Heilbrun <apache heilbrun.org> Reviewed by: trawick

correct CHANGES for r1496339, confused myself. Normal merge from global config to vhost.

*) core: merge AllowEncodedSlashes from the base configuration into (non-default) name-based virtual hosts. [Eric Covener]

provide a simple (no <If>) way to set a header only if it's not already there.

Use cp on AIX too. /usr/bin/install isn't compatible on recent systems and it's a pain to install and force /opt/freeware/bin.

re-try LDAP connections in a few authz paths.

prevent excessive delays retrying new connections that timed out.

protect 'AP_DECLARE_MODULE(deflate)' from expansion to 'AP_DECLARE_MODULE(z_deflate)' if zlib has been built with -DZ_PREFIX.

mod_socache_shmcb.c: Remove arbitrary restriction on shared memory size previously limited to 64MB.

Describe mod_auth_digest changes more accurately

mod_cache_socache: Make sure the CacheSocacheMaxSize directive is merged correctly.

Actually use the secret when generating nonces. This change may cause problems if used with round robin load balancers. Before it is backported, we should add a directive to use a user specified secret. PR: 54637

mod_cache_socache: Use the name of the socache implementation when performing a lookup rather than using the raw arguments.

rotatelogs: add -n number-of-files option to roate through a number of fixed-name logfiles.

tolerate LuaMapHandler scripts that don't return anything

Add a new -l parameter in order not to check the length of the responses. This can be usefull with dynamic pages. PR9945, PR27888, PR42040

* modules/ssl/ssl_util_ocsp.c (read_response): Ignore empty buckets in the brigade, which can be left over from line splitting. Fixes case where the OCSP response was only partially read from the wire.

CVE-2013-2249 mod_session_dbd: Make sure that dirty flag is respected when saving sessions, and ensure the session ID is changed each time the session changes.

Reverting as per veto in http://svn.apache.org/r1486021.

CVE-2013-1896 mod_dav: Sending a MERGE request against a URI handled by mod_dav_svn with the source href (sent as part of the request body as XML) pointing to a URI that is not configured for DAV will trigger a segfault. Submitted by: Ben Reser <ben reser.org>

mod_logio: new format-specifier %C (combined) which is the sum of received and sent byte counts. PR54015

core: Remove apr_brigade_flatten(), buffering and duplicated code from the HTTP_IN filter, parse chunks in a single pass with zero copy. Reduce memory usage by 48 bytes per request.

mod_deflate: Remove assumptions as to when an EOS bucket might arrive. Gracefully step aside if the body size is zero.

Fix PR 54463 by removing an optional 'standard' parameter. It has been no-une for more than 10 years and is not documented. This also makes the code more consistent with other mod_auth modules.

mod_proxy_http: Make the proxy-interim-response environment variable effective by formally overriding origin server behaviour.

core: Stop the HTTP_IN filter from attempting to write error buckets to the output filters, which is bogus in the proxy case. Create a clean mapping from APR codes to HTTP status codes, and use it where needed.

mod_proxy: Ensure we don't attempt to amend a table we are iterating through, ensuring that all headers listed by Connection are removed.

PR54948: wildcard name-based vhosts printed twice in apachectl -S

mod_proxy: Reject invalid values for Max-Forwards.

mod_cache: If a 304 response indicates an entity not currently cached, then the cache MUST disregard the response and repeat the request without the conditional.

Mod_proxy used the global pool w/o mutex. fix.

mod_proxy: Ensure network errors detected by the proxy are returned as 504 Gateway Timout as opposed to 502 Bad Gateway, in order to be compliant with RFC2616 14.9.4 Cache Revalidation and Reload Controls.

mod_cache: Ensure that we don't attempt to replace a cached response with an older response as per RFC2616 13.12.

core, mod_cache: Ensure RFC2616 compliance in ap_meets_conditions() with weak validation combined with If-Range and Range headers. Break out explicit conditional header checks to be useable elsewhere in the server. Ensure weak validation RFC compliance in the byteranges filter. Ensure RFC validation compliance when serving cached entities. PR 16142

core: Add the ability to do explicit matching on weak and strong ETags as per RFC2616 Section 13.3.3.

mod_cache: Ensure that updated responses to HEAD requests don't get mistakenly paired with a previously cached body. Ensure that any existing body is removed when a HEAD request is cached.

mod_cache: Honour Cache-Control: no-store in a request.

mod_cache: RFC2616 14.9.3 The s-maxage directive also implies the semantics of the proxy-revalidate directive.

mod_cache: Make sure that contradictory entity headers present in a 304 Not Modified response are caught and cause the entity to be removed.

mod_cache: Make sure Vary processing handles multivalued Vary headers and multivalued headers referred to via Vary.

mod_cache: When serving from cache, only the last header of a multivalued header was taken into account. Fixed.

mod_cache: Ignore response headers specified by no-cache=header and private=header as specified by RFC2616 14.9.1 What is Cacheable. Ensure that these headers are still processed when multiple Cache-Control headers are present in the response. PR 54706

mod_cache: Invalidate cached entities in response to RFC2616 Section 13.10 Invalidation After Updates or Deletions. PR 15868 Resolves outstanding issue with r1070179 as per http://www.gossamer-threads.com/lists/apache/dev/395830?do=post_view_threaded#395830

mod_dav: mod_dav overrides dav_fs response on PUT failure. PR 35981.

mod_dav: Do not segfault on PROPFIND with a zero length DBM. PR 52559 Submitted by: Diego Santa Cruz <diego.santaCruz spinetix.com> Tested by William Lewis <wiml omnigroup com>

mod_dav: Do not fail PROPPATCH when prop namespace is not known. PR 52559 Submitted by: Diego Santa Cruz <diego.santaCruz spinetix.com> Tested by William Lewis <wiml omnigroup com>

mod_dav: When a PROPPATCH attempts to remove a non-existent dead property on a resource for which there is no dead property in the same namespace httpd segfaults. PR 52559 Submitted by Diego Santa Cruz <diego.santaCruz spinetix.com> Tested by William Lewis <wiml omnigroup com>

mod_dav: PROPPATCH delete (svn propdel) silently discards errors. PR 53525 Submitted by Arwin Arni <arwin collab.net>

mod_dav: Ensure URI is correctly uriencoded on return. PR 54611 Patch submitted by Timothy Wood <tjw omnigroup com> Tested by William Lewis <wiml omnigroup com>

mod_dav: Sending an If or If-Match header with an invalid ETag doesn't result in a 412 Precondition Failed for a COPY operation. PR: 54610 Submitted by: Timothy Wood <tjw omnigroup.com>

* Backported

Done.

htdigest: Fix buffer overflow when reading digest password file with very long lines. PR 54893.

* Fix null pointer dereference in case SetEnvif and SetEnvIfExpr are used together. PR: 54881

mod_dav: Make sure that when we prepare an If URL for Etag comparison, we compare unencoded paths. PR 53910 Patch submitted by Timothy Wood <tjw omnigroup com> Tested by William Lewis <wiml omnigroup com>

core, mod_ssl: Lift the restriction that prevents mod_ssl taking full advantage of the event MPM. Enable the ability for a module to reverse the sense of a poll event from a read to a write or vice versa.

remove backported item

Add workaround for gcc bug on sparc/64bit PR: 52900

revert r1352596, for the reasons explained in https://mail-archives.apache.org/mod_mbox/httpd-dev/201304.mbox/%3C515FED7C.5010009%40velox.ch%3E

in 2.4.5-dev

htpasswd: Add -v option to verify a password htpasswd and htdbm could use some more refactoring...

fix htpasswd/htdbm brown paper bag bugs - use the correct string to generate the hash from. PR 54735 - print error message instead of empty string while there, replace strdup + check for oom with apr_pstrdup

mod_dav: Improve error handling in dav_method_put(), add new dav_join_error() function. PR: 54145 Submitted by: Ben Reser <ben reser.org> Reviewed by: trawick

if shm initialization fails, reset client_list to avoid crashes

fix merge of min/max file size by setting corresponding _set

spelling fix

mod_ssl: Quiet FIPS mode weak keys disabled and FIPS not selected emits in the error log to debug level. [William Rowe]

Has been backported. CHANGES in 2.4 not needed, because regression was never released.

Unbreak default case of RewriteBase not being set after r1410681 Contributed By: Evgeny Barsukov Reviewed By: covener

ap_rgetline_core() now pulls from r->proto_input_filters for better input filtering behavior during chunked trailer processing by ap_http_filter().

in 2.4.x

In 2.4.4-dev

Chop inappropriate detail from my recent CHANGES entry

mod_proxy_html: bugfixes and introduce HTML5 doctype

Fix valgrind warning about uninitialized memory in argument to semctl PR: 53690 Submitted by: Mikhail T. <mi+apache aldan algebra com>

Don't keepalive the connection to the client if the backend closes the connection. PR: 54474 Submitted by: Pavel Mateja <pavel netsafe cz>

Avoid valgrind warnings in mod_ssl random number generator We intentionally add uninitialized stack memory. To avoid warnings, make valgrind believe that the memory is defined. Add configure option to enable valgrind support

backported

* This one is backported to 2.4.x

* A limit of zero means unlimited for LimitRequestBody. PR: 54435 Submitted by: Pavel Mateja <pavel netsafe.cz> Reviewed by: rpluem

these are in 2.4.x

Add lua_dbd features to CHANGES

Add some caching for password hash validation. Password hash functions must be expensive in order to be secure. But if they have to be re-evaluated for every request, performance suffers. As a minimal remedy, cache the most recent result for every connection. This gives a great performance boost if a web browser does many requests on the same connection with the same user+password. In principle, this may keep the plain text password around longer than before. But in practice, there won't be much difference since user+password can already remain in some unused data bucket for longer than the request duration. A proper solution still needs to be found for connections from proxies which may carry requests for many different users. While it currently only requires the conn_rec, the new ap_password_validate() function takes username and request_rec to allow future extensions, like detection of brute-force attempts.

Remove support for Request-Range header sent by Navigator 2-3 and MSIE 3

Add an option to enforce stricter HTTP conformance This is a first stab, the checks will likely have to be revised. For now, we check * if the request line contains control characters * if the request uri has fragment or username/password * that the request method is standard or registered with RegisterHttpMethod * that the request protocol is of the form HTTP/[1-9]+.[0-9]+, or missing for 0.9 * if there is garbage in the request line after the protocol * if any request header contains control characters * if any request header has an empty name * for the host name in the URL or Host header: - if an IPv4 dotted decimal address: Reject octal or hex values, require exactly four parts - if a DNS host name: Reject non-alphanumeric characters besides '.' and '-'. As a side effect, this rejects multiple Host headers. * if any response header contains control characters * if any response header has an empty name * that the Location response header (if present) has a valid scheme and is absolute If we have a host name both from the URL and the Host header, we replace the Host header with the value from the URL to enforce RFC conformance. There is a log-only mode, but the loglevels of the logged messages need some thought/work. Currently, the checks for incoming data log for 'core' and the checks for outgoing data log for 'http'. Maybe we need a way to configure the loglevels separately from the core/http loglevels.

Correctly parse an IPv6 literal host specification in an absolute URL in the request line. - Fix handling of brackets [ ] surrounding the IPv6 address. - Skip parsing r->hostname again if not necessary. - Do some checks that the IPv6 address is sane. This is not done by apr_parse_addr_port().

mod_ssl: add support for subjectAltName-based host name checking in proxy mode (PR 54030) factor out code from ssl_engine_init.c:ssl_check_public_cert() to ssl_util_ssl.c:SSL_X509_match_name() introduce new SSLProxyCheckPeerName directive, which should eventually obsolete SSLProxyCheckPeerCN ssl_engine_io.c:ssl_io_filter_handshake(): avoid code duplication when aborting with HTTP_BAD_GATEWAY

Check that AsyncRequestWorkerFactor is not negative PR :54254 Submitted by: Jackie Zhang <jackie qq zhang gmail com>

backported

backported

Backported.

httxt2dbm: Correct length computation for the 'value' stored in the DBM file PR 47650

Backported in r1420827.

Add support for OpenSSL configuration commands.

- Remove backported items from CHANGES. - Add eventopt to CHANGES - Remove obsolete compatibility note form SRP docs (has been backported).

mod_proxy_balancer: It's totally unclear what Drn, Dis, Ign, Stby means. PR 52478

remove two more items that have been backported to 2.4

Remove some backported items

remove items backported to 2.4.x

add missing space for paragraph alignment.

Tell CHANGES about added 'Warning' directive.

Add LogLevelOverride directive that allows to override the loglevel for clients from certain IPs

Userland change

add PR's in for recent commits

PR54223: 2.4 generates AH00554 when Include points to a directory with no wildcard. r931435 refactored ap_process_resource_config() so it didn't read through directories, but also changed a path non-fnmatch directories are passed through to call ap_process_resource_config().

PR54222: catch invalid ServerTokens args Submitted by: Jackie Zhang <jackie.qq.zhang gmail.com> Reviewed/modified by: covener

Don't log a spurious "-" if a request has been rejected before mod_log_forensic could attach its id to it. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=693292

Add SERVER_PROTOCOL_VERSION, SERVER_PROTOCOL_VERSION_MAJOR, SERVER_PROTOCOL_VERSION_MINOR ap_expr variables.

PR53963: don't merge the rewritebase down w/o an opt-in

mod_session_dbd: fix a segmentation fault in the function dbd_remove. The segmentation fault is caused by an uninitialized function pointer session_dbd_acquire_fn. PR 53452

Expose ap_method_register() to the admin with a new RegisterHttpMethod directive.

The following now respects DefaultRuntimeDir/DEFAULT_REL_RUNTIMEDIR: - mod_cache: thundering herd lock directory

*) mod_xml2enc: Fix problems with charset conversion altering the Content-Length. [Micha Lenk <micha lenk info>]

New directive HttpProtocol which allows to disable HTTP/0.9 support. The syntax is designed to allow addition of a +/- strict option later on.

mod_allowhandlers: New module to forbid specific handlers for specific directories.

Make ap_check_cmd_context() treat <If> sections like <File> sections. This is necessary to properly disallow directives that don't work in <If>. A separate NOT_IN_IF flag may be nicer, but would create much more hassle when being backported to 2.4.

Make <If> sections in virtual host context fill in cmd->path so that other directive notice that they are in a config section. This fixes LogLevel not working in <If> sections that are not in Location/Directory/File sections.

*) mod_cache_disk: Resolve errors while revalidating disk-cached files on Windows ("...rename tempfile to datafile failed..."). PR 38827 [Eric Covener]

Allow for setting of sticky session split char... Bugz 53893

*) mod_proxy_ftp: Fix segfaults on IPv4 requests to hosts with DNS AAAA records. PR 40841. [Andrew Rucker Jones <arjones simultan dyndns org>, <ast domdv de>, Jim Jagielski]

ap_expr: Add req_novary function that allows HTTP header lookups without adding the name to the Vary header

Change default for SSLCompression to off, as compression causes security issues in most setups

only write the first len chars to syslog, as the buffer may have additional text added speculatively

configure: Fix processing of --disable-FEATURE for various features.

"Iterate" directives: Report an error if no arguments are provided.

Optionally read passwords from stdin PR: 40243 Submitted by: Adomas Paltanavicius <adomas paltanavicius gmail com>, sf

add support for bcrypt PR: 49288

Start refactoring of htpasswd and htdbm - Move many common code parts into separate source file. This adds some of htpasswd's recent improvements to htdbm. - Rework salt generation to use the full 48bit of entropy for MD5 Previously, it would only generate 2^32 different salts on a given platform. - Use apr_getopt().

Allow forced setting of TLS1.1 and TLS1.2 protocols with the -f command-line switch, and adapt the output to more accurately report what SSL/TLS protocol was negotiated (use SSL_get_version() instead of SSL_CIPHER_get_version()). PR: 53916 Submitted by: Nicolás Pernas Maradei <nico emutex com> Reviewed/amended by: Kaspar Brand

* modules/arch/unix/mod_systemd.c: New module. Submitted by: Jan Kaluza <jkaluza redhat.com>

core: ErrorDocument now works for requests without a Host header. PR: 48357

--with-module: Fix failure to integrate them into some existing module directories. modules/config?.m4 needs to run after the modules/*/config?.m4. Otherwise, modules.mk as created for --with-module gets wiped out first. PR: 40097

mod_header changes

Document these new funcs and make it API aware

add pre_htaccess hook; in conjunction with earlier dirwalk_stat and post_perdir_config hooks, this should allow mpm-itk to be used without patches to httpd core

mod_cache_socache: New cache implementation backed by mod_socache that replaces mod_mem_cache removed from httpd v2.2.

mod_auth_form: Support the expr parser in the AuthFormLoginRequiredLocation, AuthFormLoginSuccessLocation and AuthFormLogoutLocation directives.

add dirwalk_stat hook, for use by mpm-itk

Persist local balancer-manager changes across restart/graceful.

Document new provider function fgrab()

Windows: Fix output of -M, -L, and similar command-line options which display information about the server configuration (backport r1374428). Submitted by: trawick Reviewed/backported by: gsmith, fuankg

Avoid the overhead of creating and grabbing a uuid for the balancer nonce if we're never going to use it.

Add new directives, LuaInputFilter/LuaOutputFilter for creating content filters using Lua.

Catch up change log with r1376695.

* modules/ssl/ssl_engine_io.c (ssl_io_filter_handshake): Add a wildcard common name match. PR: 53006

WinNT MPM: Store pid and generation for each thread in scoreboard to allow tracking of threads from exiting children via mod_status or other such mechanisms.

Windows: Fix output of -M, -L, and similar command-line options which display information about the server configuration.

Another three done.

Fix CHANGES entry.

* modules/ssl/ssl_engine_init.c (ssl_init_proxy_certs): Fix test for missing decrypted private keys, and ensure that the keypair matches. PR: 52212 Submitted by: Keith Burdis <keith burdis.org>, jorton

mod_lua: Allow scripts handled by the lua-script handler to set a return code that will be sent to the client, such as 302, 500 etc. This will allow scripts to be able to f.x. redirect a user to another page by returning 302.

Fix crash in packet dump code of mod_proxy_ajp when logging with LogLevel trace7 or trace8. PR 53730

Wrong content type and character set when mod_cache serves stale content because of a proxy error. PR 53539. Correction to r1361153.

Fix ported to 2.4.

Fix bus error in mod_socache_shmcb due to a misalignment in some 64 bit builds, especially on Solaris Sparc. PR 53040

add back the DefaultRuntimeDir/DEFAULT_REL_RUNTIMEDIR stuff that is not in 2.4.x The trunk patches for these all have some configuration breakage as 2.4.x interprets the individual directive or API parameter as relative to ServerRoot whereas trunk interprets everything relative to DefaultRuntimeDir.

In 2.4.x

Remove backported item from trunk CHANGES.

oops, sluggr -> petterb

core: Be less strict when checking whether Content-Type is set to "application/x-www-form-urlencoded" when parsing POST data, or we risk losing data with an appended charset. PR 53698 Reported by: Petter Berntsen < sluggr gmail.com >

Windows: Fix SSL failures on windows with AcceptFilter https none. The now-stray apr_socket_opt_set(APR_SO_NONBLOCK=On) call was originally added with r327872. The call was harmless on Unix due to APR's use of non-blocking sockets when implementing timeouts on that platform, but harmful on Windows since it collided with APR's different implementation of timeouts on that platform. PR: 52476

ab: Fix read failure when targeting SSL server.

make LDAPSharedCacheFile relative to DefaultRuntimeDir

mod_auth_digest now respects DefaultRuntimeDir

In 2.4.x as of revision 1371208

mod_lua: Decline to serve a request if the script doesn't exist, instead of throwing an internal server error.

Mutex directive: finish support of DefaultRuntimeDir a partial conversion was made in r1299718, but I'm not sure when that change is effective

mod_socache_shmcb and mod_socache_dbm: finish support of DefaultRuntimeDir a partial conversion was made in r1299718, affecting cases where no filename was specified

mod_lua: Add r:flush, r:sendfile as well as additional request information in the request_rec structure

Add changes entry for r1369995, r1369999

The Pidfile directive and ap_log_pid()/ap_remove_pid()/ap_read_pid() now respect DefaultRuntimeDir

Document changes to mod_lua (yes, I'm always late with these :( )

htpasswd: Use correct file mode for checking if file is writable. Also switch to the non-deprecated APR_FOPEN_* flags PR: 45923

Remove another finished backport form trunk STATUS.

Remove another round of backports from trunk CHANGES.

core: Respect DefaultRuntimeDir/DEFAULT_REL_RUNTIMEDIR for the scoreboard (ScoreBoardFile).

Remove backported items from trunk CHANGES.

Merged in 2.4.x

Also in 2.4.x

This is in 2.4.x

core: Add post_perdir_config hook. Submitted by: Steinar Gunderson <sgunderson bigfoot.com> trawick added/fixed include/ pieces

Update CHANGES

Forgot to sign it

Add LuaCodeCache to CHANGES.

Add a note about LUA_COMPAT_ALL.