Change the recursion used for edit* to a loop using the new ap_regexec_ex()
function taking the current position (offset) in the subject string.
After an empty match do the same thing as pcre2_substitute() (or Perl's /g),
that is: don't allow for another empty match at the same positition by setting
the AP_REG_NOTEMPTY_ATSTART option. If there is a non-empty match use it,
otherwise skip/consume the first character and continue from there.
* modules/metadata/mod_headers.c:
Rename the hdr_edit_r enum for edit* to hdr_edit_all to better express what
is does (and since the action is not recursive anymore).
* modules/metadata/mod_headers.c(push_string, push_match):
New helpers to consume the subject and substitutions in an array of iovec.
* modules/metadata/mod_headers.c(process_regexp):
Implement the new logic, using push_match() and push_string() to fill the
iovec array finally passed to apr_strcatv() for the resulting string.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1915271 13f79535-47bb-0310-9956-ffa450edef68
the STORE API. Separates compile-time support for the STORE API
(supported in 3.x) from support for the ENGINE API (deprecated in
3.x).
* modules/ssl/ssl_private.h: Define MODSSL_HAVE_OPENSSL_STORE for
OpenSSL 3.0+.
* modules/ssl/ssl_engine_pphrase.c (modssl_load_store_uri,
modssl_load_keypair_store): New functions.
(modssl_load_keypair_engine): Renamed from modssl_load_keypair_engine.
(modssl_load_engine_keypair): Reimplement to use new STORE-based
functions if SSLCryptoDevice was not configured, or else old
ENGINE implementation.
* modules/ssl/ssl_util.c (modssl_is_engine_id): Match pkcs11: URIs
also for the OpenSSL 3.x STORE API.
* modules/ssl/ssl_engine_init.c (ssl_init_server_certs): Tweak log
message on error paths for the provider/STORE case.
Signed-off-by: Ingo Franzki <ifranzki linux.ibm.com>
Submitted by: Ingo Franzki <ifranzki linux.ibm.com>
Github: closes#397, closes#398
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1914365 13f79535-47bb-0310-9956-ffa450edef68
Also, always allow for "SSLCryptoDevice builtin" even if the ENGINE API is not
available, OPENSSL_NO_ENGINE or more generally with the new API (providers)
available since OpenSSL >= 3.
* ssl_private.h: Set MODSSL_HAVE_ENGINE_API to 0 if OPENSSL_NO_ENGINE.
* mod_ssl.c, ssl_engine_config.c: Don't depend on HAVE_OPENSSL_ENGINE_H and
HAVE_ENGINE_INIT to provide [ssl_cmd_]SSLCryptoDevice.
Submitted by: ylavic, jorton
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1913815 13f79535-47bb-0310-9956-ffa450edef68
handler. [Rainer Jung]
Fix possible NULL deref when logging the error that an authentication
resource could not be retrieved from the ACME server. [Stefan Eissing]
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1913466 13f79535-47bb-0310-9956-ffa450edef68
* modules/dav/fs/dbm.c (dav_dbm_open_direct): Take a dbmtype argument
and use it to select the apr_dbm driver type.
(dav_dbm_open): Continue to use the "default" propdb type to open
the property databases.
* modules/dav/fs/lock.c: Store and pass through the lockdb_type
through.
* modules/dav/fs/mod_dav_fs.c (dav_get_lockdb_path): Return the dbm
type via an output argument.
(dav_fs_cmd_davlockdbtype): New config directive.
(dav_fs_merge_server_config): Merge the dbm type.
(dav_fs_post_config): Set the default lockdb type.
* modules/dav/fs/repos.h: Update prototypes as above; internal API
only so no compat concerns.
Github: closes#386
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1912718 13f79535-47bb-0310-9956-ffa450edef68
- New directive `MDMatchNames all|servernames` to allow more control over how
MDomains are matched to VirtualHosts.
- New directive `MDChallengeDns01Version`. Setting this to `2` will provide
the command also with the challenge value on `teardown` invocation. In version
1, the default, only the `setup` invocation gets this parameter.
Refs #312. Thanks to @domrim for the idea.
- For Managed Domain in "manual" mode, the checks if all used ServerName and
ServerAlias are part of the MDomain now reports a warning instead of an error
(AH10040) when not all names are present.
- MDChallengeDns01 can now be configured for individual domains.
Using PR from Jérôme Billiras (@bilhackmac) and adding test case and fixing proper working
- Fixed a bug found by Jérôme Billiras (@bilhackmac) that caused the challenge
teardown not being invoked as it should.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1910996 13f79535-47bb-0310-9956-ffa450edef68
of HTTP/2 requests in a forward proxy configuration.
General forward proxying is enabled via `ProxyRequests`. If the
HTTP/2 protocol is also enabled for such a server/host, this new
directive is needed in addition.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1910656 13f79535-47bb-0310-9956-ffa450edef68
mod_rewrite: Fix a recent regression where a rule with both a trailing
'?' and the [QSA] flag did not have the query appended. PR66672
Submitted By: Frank Meier <frank.meier ergon.ch>
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1910633 13f79535-47bb-0310-9956-ffa450edef68
described in RFC 8441. A new directive 'H2WebSockets on|off' has been
added. The feature is by default not enabled.
As also discussed in the manual, this feature should work for setups
using "ProxyPass backend-url upgrade=websocket" without further changes.
Special server modules for WebSockets will have to be adapted,
most likely, as the handling if IO events is different with HTTP/2.
HTTP/2 WebSockets are supported on platforms with native pipes. This
excludes Windows.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1910507 13f79535-47bb-0310-9956-ffa450edef68
output handling. This occured only when the last request on a HTTP/2
connection had been processed and the session decided to shut down.
This could lead to an attempt to send a final GOAWAY while the previous
write was still in progress. See PR 66646.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1910386 13f79535-47bb-0310-9956-ffa450edef68
ap_die() to judge if it can send out a response. Bump mmn.
Enable test cases that check errors during response body to
appear as error on client side.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1910161 13f79535-47bb-0310-9956-ffa450edef68
connection when sending data on the frontend one. This caused crashes
or infinite loops in rare situations.
* mod_proxy_http2: fixed a bug in retry/response handling that could lead
to wrong status codes or HTTP messages send at the end of response bodies
exceeding the announced content-length.
* mod_proxy_http2: fix retry handling to not leak temporary errors.
On detecting that that an existing connection was shutdown by the other
side, a 503 response leaked even though the request was retried on a
fresh connection.
* mod_http2: fixed a bug that did cleanup of consumed and pending buckets in
the wrong order when a bucket_beam was destroyed.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1910157 13f79535-47bb-0310-9956-ffa450edef68
On detecting that that an existing connection was shutdown by the other
side, a 503 response leaked even though the request was retried on a
fresh connection.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1909989 13f79535-47bb-0310-9956-ffa450edef68
- New directive 'H2EarlyHint name value' to add headers to a response,
picked up already when a "103 Early Hints" response is sent. 'name' and
'value' must comply to the HTTP field restrictions.
This directive can be repeated several times and header fields of the
same names add. Sending a 'Link' header with 'preload' relation will
also cause a HTTP/2 PUSH if enabled and supported by the client.
- Fixed an issue where requests were not logged and accounted in a timely
fashion when the connection returns to "keepalive" handling, e.g. when
the request served was the last outstanding one.
This led to late appearance in access logs with wrong duration times
reported.
- Accurately report the bytes sent for a request in the '%O' Log format.
This addresses #203, a long outstanding issue where mod_h2 has reported
numbers over-eagerly from internal buffering and not what has actually
been placed on the connection.
The numbers are now the same with and without H2CopyFiles enabled.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1909769 13f79535-47bb-0310-9956-ffa450edef68
we can have decoded '%''s in the URI that got sent to us in the original URL
as %25. Don't error out in this case but just fall through and have them
encoded to %25 when forwarding to the backend.
PR: 66580
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1909464 13f79535-47bb-0310-9956-ffa450edef68
%{z} prints the timezone offset (i.e. "[+-]nnnn") and %{strftime-format} allows
any %-format handled by [apr_]strftime().
* include/util_time.h():
Define new AP_CTIME_OPTION_GMTOFF option for ap_recent_ctime_ex().
* server/util_time.c(ap_recent_ctime_ex):
Handle AP_CTIME_OPTION_GMTOFF to print "[+-]nnnn" timezone.
* server/log.c(log_ctime):
If the format contains a '%' it's for strftime(), otherwise it's builtin
with new 'z' as AP_CTIME_OPTION_GMTOFF.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1908380 13f79535-47bb-0310-9956-ffa450edef68
In case that AllowEncodedSlashes is set to NoDecode do not double encode
encoded slashes in the URL sent by the reverse proxy to the backend.
* include/ap_mmn.h: Document the addition of ap_proxy_canonenc_ex to the API.
* modules/proxy/mod_proxy.h: Declare ap_proxy_canonenc_ex and define flag
values.
* modules/proxy/proxy_util.c: Implement ap_proxy_canonenc_ex by modifying
ap_proxy_canonenc accordingly and reimplement ap_proxy_canonenc to
use ap_proxy_canonenc_ex with the appropriate flag.
* modules/http2/mod_proxy_http2.c, modules/proxy/mod_proxy_*.c: Set the
correct flag based on the AllowEncodedSlashes configuration and use
ap_proxy_canonenc_ex instead of ap_proxy_canonenc.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1908341 13f79535-47bb-0310-9956-ffa450edef68
- Enabling ED25519 support and certificate transparency information when
building with libressl v3.5.0 and newer. Thanks to Giovanni Bechis.
- MDChallengeDns01 can now be configured for individual domains.
Thanks to Jérôme Billiras (@bilhackmac) for the initial PR.
- Fixed a bug found by Jérôme Billiras (@bilhackmac) that caused the challenge
teardown not being invoked as it should.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1908080 13f79535-47bb-0310-9956-ffa450edef68
