s/apr_pstrndup/apr_pstrmemdup/ when applicable

SECURITY (CVE-2013-4352): Fix a NULL pointer deference which allowed untrusted origin servers to crash mod_cache in a forward proxy configuration. mod_cache: Avoid a crash with strcmp() when the hostname is not provided.

const goodness with nasty strrchr and strchr functions (resolve warning in maintainer mode)

Ensure that Warning headers are correctly handled as per RFC2616.

core, mod_cache: Ensure RFC2616 compliance in ap_meets_conditions() with weak validation combined with If-Range and Range headers. Break out explicit conditional header checks to be useable elsewhere in the server. Ensure weak validation RFC compliance in the byteranges filter. Ensure RFC validation compliance when serving cached entities. PR 16142

mod_cache: Honour Cache-Control: no-store in a request.

Silent no-prototype compiler warning.

mod_cache: Make sure Vary processing handles multivalued Vary headers and multivalued headers referred to via Vary.

mod_cache: When serving from cache, only the last header of a multivalued header was taken into account. Fixed.

Apply log message tags to messages.

mod_cache: Invalidate cached entities in response to RFC2616 Section 13.10 Invalidation After Updates or Deletions. PR 15868 Resolves outstanding issue with r1070179 as per http://www.gossamer-threads.com/lists/apache/dev/395830?do=post_view_threaded#395830

cache_storage: remove useless test + update function name in debug log + skip as soon as we know headers do not match

Add lots of unique tags to error log messages

mod_cache: When a request other than GET or HEAD arrives, we must invalidate existing cache entities as per RFC2616 13.10. PR 15868.

Use ap_log_rerror() instead of ap_log_error() across mod_cache and mod_disk_cache.

Don't attempt to kill a stale entry that cannot be revalidated so early in the process, as this will happen later anyway as necessary. We may want to serve the stale entry should the backend not be available.

Don't attempt to remove the existing conditional headers until we have committed to adding our own.

Support Cache-Control: only-if-cached, as per RFC2616 14.9.4.

Fix the error cases in the cache_select() loop. On error we must loop around to the next provider, not return DECLINED too early, except for the revalidate case, where returning DECLINED is correct behaviour.

Fix the return values in the cache_select() function, we don't return APR error codes in this case.

Begin the process of optimising the parsing of Cache-Control headers. Parse the incoming Cache-Control and Pragma headers once, instead of on each test.

mod_cache: Don't regenerate the cache key if we have already generated it.

mod_cache: Allow control over the base URL of reverse proxied requests using the CacheKeyBaseURL directive, so that the cache key can be calculated from the endpoint URL instead of the server URL.

Remove a relic from the original error code, and fix segfaults in the process.

Make cache_provider_list and cache_request_rec private by moving them out of mod_cache.h.

Make cache_server_conf, cache_enable and cache_disable private. Remove public prefixes from ap_cache_accept_headers, ap_cache_try_lock and ap_cache_get_providers.

Make ap_cache_accept_headers, ap_cache_accept_headers, ap_cache_try_lock and ap_cache_check_freshness private.

Remove the MOD_CACHE_REQUEST_REC hack, and pass the cache_request_rec structure through mod_cache's function parameters in the usual way.

Move private cache_* declarations out of the public mod_cache.h file.

mod_cache: Give the cache provider the opportunity to choose to cache or not cache based on the buckets present in the brigade, such as the presence of a FILE bucket.

mod_cache: Check the request to determine whether we are allowed to return cached content at all, and respect a "Cache-Control: no-cache" header from a client. Previously, "no-cache" would behave like "max-age=0".

mod_cache: Use a proper filter context to hold filter data instead of misusing the per-request configuration. Fixes a segfault on trunk when the normal handler is used.

CVE-2010-1452: Fix handling of missing path segments in the parsed URI structure. If a specially crafted request was sent, it is possible to crash mod_dav, mod_cache or mod_session, as they accessed a field that is set to NULL by the URI parser, assuming that it always put in a valid string. PR: 49246 Submitted by: Mark Drayton Patch by: Jeff Trawick

Use the new APLOG_USE_MODULE/AP_DECLARE_MODULE macros everywhere to take advantage of per-module loglevels

Allow several of the configured session identifiers to be found and removed in a single request.

* Do an exact match of the keys defined by CacheIgnoreURLSessionIdentifiers against the querystring instead of a partial match. PR: 48401 Submitted by: Dodou Wang <wangdong.08 gmail.com> Reviewed by: rpluem

mod_cache: Introduce the thundering herd lock, a mechanism to keep the flood of requests at bay that strike a backend webserver as a cached entity goes stale.

* Correctly detect if CacheIgnoreURLSessionIdentifiers is set.

* Add CacheIgnoreURLSessionIdentifiers directive to ignore defined session identifiers encoded in the URL when caching.

Remove all references to CORE_PRIVATE.

* Do not do Range requests if we use our own conditionals for validating a cache entity: If we get 304 the Range does not matter and otherwise the entity changed and we want to have the complete entity. PR: 44579

* Save the key we generate during our first run of cache_generate_key_default on each request in the request_config. During consecutive runs of cache_generate_key_default during processing the request we restore it from there as we might not be able to generate the same key again as the ingredients used to compose the key might have changed and we constantly must use a key that could be generated during the quick handler phase. PR: 41475

* Add CacheIgnoreQueryString directive to cache requests with a query string even if no expiration time is specified. Futhermore the query string will not be used for key generation such that requests to the same URI path, but with different query strings are mapped to the same cache entity. Turning this setting to ON violates RFC 2616/13.9 and thus it is turned off by default. PR: 41484 Submitted by: Fredrik Widlund <fredrik.widlund qbrick.com> Reviewed by: rpluem

* Remove expired content from cache that cannot be revalidated. PR: 30370

* Use the query string stored in r->parsed_uri.query instead of r->args as r->args could have been changed (e.g. via mod_rewrite) after the quick handler hook. This causes resources to be stored under a key, where they cannot be fetched again in the quick handler. PR: 40805

update license header text

* Keep the Content-Type for successfully revalidated cached objects, by unsetting possible Content-Type headers in r->headers_out and r->err_headers_out as they may be different to what we have received from the cache. Actually they are not needed as r->content_type set by ap_set_content_type a few lines above will be used in the store_headers functions of the storage providers as a fallback and the HTTP_HEADER filter does overwrite the Content-Type header with r->content_type anyway. PR: 39647

* Cleanup the code by replacing some inline code to lower-case a string with ap_str_tolower. Proposed by: Joe Orton

* Fix const compiler warning introduced by r407357. Noticed by: Joe Orton

* Handle the cases "no proxy request" and "reverse proxy request" in the same manner, when setting scheme and port_str. This is needed because if a cached entry is looked up by mod_cache's quick handler r->proxyreq is still unset in the reverse proxy case as it only gets set in the translate name hook (either by ProxyPass or mod_rewrite) which is run after the quick handler hook. This is different to the forward proxy case where it gets set before the quick handler is run (in the post_read_request hook). If a cache entry is created by the CACHE_SAVE filter we always have r->proxyreq set correctly. Also set scheme to ap_http_scheme(r) instead of "http" to handle SSL correctly. PR: 39593

Update the copyright year in all .c, .h and .xml files

* Fix PR38017 by handling the selection of the hostname in the same way for non proxied and reverse proxied requests. We need to handle both cases in the same manner as for the reverse proxy case we have the following situation: If a cached entry is looked up by mod_cache's quick handler r->proxyreq is still unset in the reverse proxy case as it only gets set in the translate name hook (either by ProxyPass or mod_rewrite) which is run after the quick handler hook. This is different to the forward proxy case where it gets set before the quick handler is run (in the post_read_request hook). If a cache entry is created by the CACHE_SAVE filter we always have r->proxyreq set correctly. So we must ensure that in the reverse proxy case we use the same code path and using the canonical name seems to be the right thing to do in the reverse proxy case.

No functional Change: Removing trailing whitespace. This also means that "blank" lines consisting of just spaces or tabs are now really blank lines

Fixes and cleanups for mod_cache; * Add r->uri to the debug messages in the quick handler; makes debugging easier. * Always reset headers_in for lookup's, some modules make subrequests and then rewrite the url. Having a conditional request at this point is not what they expect (nor reasonable for them to handle). * Don't store a per-request config on lookups; for the same reason. * Return DECLINED when in lookup mode and ap_meets_conditions() indicated we have the content but don't know if it's fresh or not. We have no idea whether the backend will have a 404, a 304 or any other kind of a response - so we have to assume we cannot handle the request. * remove the unused "url" argument from the cache_create_entity() function * Whitespace/comment fixups in mod_cache.h

remove some unused variables and re-name cache_select_url() to simply cache_select()

Improve the cache hit/miss ratio by canonicalising the url key. hostname's are matched case-insensitively, port-based vhosts are catered for and the scheme included for future multi-scheme caching compatibility.

Move the debuging log message about the removal of a url from cache_remove_url_filter to cache_remove_url. Submitted by: Rudiger Plum <ruediger.pluem vodafone.com> Reviewed by: Justin Erenkrantz

* modules/cache/cache_storage.c (cache_remove_url): Remove unused variables.

mod_cache: Implement remove URL via a filter. Remove entities from the cache when re-validation receives a 404 or other content-no-longer-present error. Suggested by: Paul Querna, Justin Erenkrantz Submitted by: Rudiger Plum <ruediger.pluem vodafone.com> Reviewed by: Justin Erenkrantz

Another mod_cache fixlet. * modules/cache/mod_cache.c (cache_url_handler): Add more debug output. Restore original request headers when CACHE_SAVE filter isn't added to fix up after the request. * modules/cache/cache_storage.c (cache_select_url): Add more debug output.

More mod_cache tweakage... * modules/cache/mod_cache.c (cache_save_filter): Instead of unconditionally returning a 304 when the original request was conditional and we issued a cache revalidating request, handle the request as if it came in while our cache was still valid. * modules/cache/cache_storage.c (cache_select_url): Strip off the conditional headers from the original request, prior to adding our own for the purpose of revalidating our cached response.

* modules/cache/mod_disk_cache.c (store_body): Fix format string warnings; print integers using _FMT strings. * modules/cache/cache_util.c (ap_cache_check_freshness): Remove unused variable. * modules/cache/cache_storage.c (cache_select_url): Remove unused variable.

More work to properly handle revalidated responses correctly. * modules/cache/mod_cache.c: If we add a new Expires value, tell our client; merge in headers properly (or better than before) so that we can update the header fields on a revalidated but with updated header fields. * modules/cache/mod_cache.h, modules/cache/cache_storage.c: Add preserve_orig flag to ap_cache_accept_headers to allow updating of fields. * modules/cache/mod_disk_cache.c: Load status value from disk.

More mod_cache tweakage. * modules/cache/cache_storage.c (cache_select_url): Add If-Modified-Since regardless of having an ETag or not. See: RFC2616, 14.26.

Return the proper status and headers when serving a revalidated response. * modules/cache/mod_cache.c (cache_save_filter): Load in the cached status and headers; send a flush rather than an EOS when the client request is conditional. * modules/cache/mod_cache.h: Export ap_cache_accept_headers. * modules/cache/cache_storage.c: Rename accept_headers to ap_cache_accept_headers.

Cleanup structures in mod_cache and friends to remove unused or unnecessary fields. Also resolves a number of latent bugs due to the wrong fields being accessed.

Update copyright year to 2005 and standardize on current copyright owner line.

At long last, promote mod_cache and friends out of experimental/. Also, take quick pass through docs files to remove experimental label for them. Reviewed by: Paul Querna, Bill Stoddard, Justin Erenkrantz