adding ap_get_protocol(c) which safeguards against NULL returns, for use instead of direct calling ap_run_protocol_get
changed Protocols to let vhosts override servers, removed old H2Engine example from readme
creating ap_array_index in util, forwarding scheme into request processing, enabling SSL vars only when scheme is not http:, delayed connection creation until task worker assignment
removed unnecessary lingering_close and sbh update on end of protocol upgrade handling
introducing ap_array_index in util, used in protocol and mod_h2
fixes existing protocol missing in selection if not explicitly proposed
new directive ProtocolsHonorOrder, added documentation for Protocols feature, changed preference selection and config merging
removed accidental code
new Protocols directive and core API changes to enable protocol switching on HTTP Upgrade or ALPN, implemented in mod_ssl and mod_h2
SECURITY (CVE-2014-0117): Fix a crash in mod_proxy. In a reverse
proxy configuration, a remote attacker could send a carefully crafted
request which could crash a server process, resulting in denial of
service.
Thanks to Marek Kroemeke working with HP's Zero Day Initiative for
reporting this issue.
* server/util.c (ap_parse_token_list_strict): New function.
* modules/proxy/proxy_util.c (find_conn_headers): Use it here.
* modules/proxy/mod_proxy_http.c (ap_proxy_http_process_response):
Send a 400 for a malformed Connection header.
Submitted by: Edward Lu, breser, covener
http, mod_ssl: Introduce and return the 421 (Misdirected Request) status code
for clients requesting a hostname on a reused connection whose SNI (from the
TLS handshake) does not match.
PR 5802.
This allows HTTP/2 clients to fall back to a new connection as per:
https://tools.ietf.org/html/rfc7540#section-9.1.2
Proposed by: Stefan Eissing <stefan eissing.org>
Reviewed by: ylavic
c89
Allowing protocol_propose hooks to be called with offers=NULL, clarifying semantics as proposed by chaosed0@gmail.com
giving ap_array_index a start parameter, adding ap_array_contains
ap_process_request needs exportation for use in mod_h2 on Windows
final final change to the new ap_array_str_* functions after review
changed Protocols default to http/1.1 only, updated documentation, changed ap_select_protocol() to return NULL when no protocol could be agreed upon
mod_ssl: fix compiler warning (bad cast).
improvements in ap_select_protocol(), supplied by yann ylavic
Submitted by: icing, jorton, ylavic, covener, icing, icing, gsmith, icing, icing, ylavic, icing
Reviewed/backported by: jim
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1705672 13f79535-47bb-0310-9956-ffa450edef68
Replacement of ap_some_auth_required (unusable in Apache httpd 2.4)
with new ap_some_authn_required and ap_force_authn hook.
Submitted by: breser
Backports: r1684524
Reviewed by: wrowe, ylavic, jim
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1684525 13f79535-47bb-0310-9956-ffa450edef68
This makes <If> apply to all requests, not only to file base requests and
it allows to use <If> inside <Directory>, <Location>, and <Files> sections.
The merging of <If> sections always happens after the merging of <Location>
sections, even if the <If> section is embedded inside a <Directory> or
<Files> section.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1059867 13f79535-47bb-0310-9956-ffa450edef68
etc. causes problems because the authentication module calls
note_*_auth_failure if authentication fails. This is inappropriate if access is
later allowed because of the IP.
So, instead of calling the auth_checker hook even if authentication failed, we
introduce a new access_checker_ex hook that runs between the access_checker and
the check_user_id hooks. If an access_checker_ex functions returns OK, the
request will be allowed without authentication.
To make use of this, change mod_authz_core to walk the require blocks in the
access_checker_ex phase and deny/allow the request if the authz result does not
depend on an authenticated user. To distinguish a real AUTHZ_DENIED from an
authz provider from an authz provider needing an authenticated user, the latter
must return the new AUTHZ_DENIED_NO_USER code.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@964156 13f79535-47bb-0310-9956-ffa450edef68
I added a few more fixes, and there are still more that might
need a doxygen expert.
PR: 48061
Submitted by: Brad Hards
Reviewed by: poirier
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@830527 13f79535-47bb-0310-9956-ffa450edef68
Using this basic framework, you can return SUSPENDED from an HTTP Handler,
and then register a callback that is invoked by the MPM at a later time.
This initial version only supports _timers_ as callbacks, but in the future I
would like to add things like wait for socket activity, on a socket specified by
the handler.
Once in a callback, It is then the responsibility of the callback fucntion
to finish the HTTP Request handling, but this alows you to do cool things like
a fully async proxy, COMET support, or even rate limiting.
To prove I'm not insane, I've inlcuded an example module, mod_dialup.
You can configure it like this:
<Location "/docs">
ModemStandard "V.32"
</Location>
And for static files inside that path, you will be rate limited to V.32 speeds,
aka 9.6 kilobits/second.
Does anyone besides Rüdiger read commit emails :-) ?
I know there are likely huge problems with this, but I would like to see how far
we can push the Event MPM, figure out what to do better, if there is anything,
and then really dive into the 3.0 development before ApacheCon.
* server/mpm/experimental/event/fdqueue.h:
(timer_event_t): New structure to hold timer events and callback functions.
* server/mpm/experimental/event/fdqueue.c
(ap_queue_empty): Modify to also look at Timer Ring.
(ap_queue_init): Initialize Timer Ring.
(ap_queue_push_timer): New function, pushes a timer event into the queue.
(ap_queue_pop_something): Renamed function, returns a timer event or
a socket/pool for a worker thread to run.
* server/mpm/experimental/event/event.c
(process_socket): If the connection is in SUSPENDED state, don't force it
into linger mode yet, the callback will have to take care of that.
(push_timer2worker): New shortcut function, pushes timer event into queue
for a worker to run.
(timer_free_ring): New global data structure to recycle memory used by
timer events.
(timer_ring): New global data structure to hold active timer events.
(g_timer_ring_mtx): Thread mutex to protect timer event data structures.
(ap_mpm_register_timed_callback): New Function, registers a callback to be
invoked by the MPM at a later time.
(listener_thread): Calculate our wakeup time based on the upcoming Event
Queue, and after pollset_poll runs, push any Timers that have passed
onto worker threads to run.
(worker_thread): Call new queue pop method, and if the Timer Event is
non-null, invoke the callback. Once the callback is done, push the
structure onto the timer_free_ring, to be recycled.
(child_main): Initialize new mutex and ring structures.
* server/config.c
(ap_invoke_handler): Allow SUSPENDED aa valid return code from handlers.
* modules/http/http_core.c
(ap_process_http_async_connection): Don't close the connection when in
SUSPENDED state.
* modules/http/http_request.c
(ap_process_request_after_handler): New function, body pulled from the old,
ap_process_async_request. Split to let handlers invoke this so they
don't need to know all of the details of finishing a request.
(ap_process_async_request): If the handler returns SUSPENDED, don't do
anything but return.
* include/ap_mmn.h: Bump MMN.
* include/ap_mpm.h
(ap_mpm_register_timed_callback): New function.
* include/httpd.h:
(SUSPENDED): New return code for handlers.
(request_rec::invoke_mtx): New mutex to protect callback invokcations
from being run before the original handler finishes running.
(conn_state_e): Add a suspended state.
* include/http_request.h
(ap_process_request_after_handler): New function to make it easier for
handlers to finish the HTTP Request.
* modules/test/config.m4: Add mod_dialup to build.
* modules/test/mod_dialup.c: New rate limiting module, requires the Event MPM
to work.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@697357 13f79535-47bb-0310-9956-ffa450edef68
This define serves no modern purpose, since every module in the wild, including
our own define it, for no purpose.
If you have functions which you do not want in the 'public' API, put them
in a private header, that is not installed, just like mod_ssl does.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@645412 13f79535-47bb-0310-9956-ffa450edef68
configurations which match those of the initial request. Revert to
the original behaviour (call access control hooks for internal requests
with URIs different from the initial request) if any access control hooks
or providers are not registered as permitting this optimization.
Introduce wrappers for access control hook and provider registration
which can accept additional mode and flag data.
The configuration walk optimizations were originally proposed a while
ago (see http://marc.info/?l=apache-httpd-dev&m=116536713506234&w=2);
they have been used since then in production systems and appear to be
stable and effective. They permit certain combinations of modules
and clients to function efficiently, especially when a deeply recursive
series of internal requests, such as those generated by certain WebDAV
requests, are all subject to the identical authentication and authorization
directives.
The major change from the original proposal is a cleaner mechanism for
detecting modules which may expect the old behaviour. This has been
tested successfully with Subversion's mod_authz_svn, which specifically
requires the old behaviour when performing path-based authorization based
against its own private access control configuration files.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@644525 13f79535-47bb-0310-9956-ffa450edef68
working again. Also rounds out our fix to work around negotiated
directories which Greg Ames fixed; this addition in request.c simply
shortcuts all further processing.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@93045 13f79535-47bb-0310-9956-ffa450edef68
strings to numbers in places where the methods are known at compile
time.
(Justin fixed the va_end() call to be correct.)
Submitted by: Brian Pane <bpane@pacbell.net>
Reviewed by: Justin Erenkrantz
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@91078 13f79535-47bb-0310-9956-ffa450edef68
from the primary request, redirects and sub-requests.
This will significantly reduce opporunities for inconsistancy (such
as Ian observed, and as I repaired only a month ago.)
This promotes process_request_internal to an ap_ namespace protected
entity in server/request.c (from it's old home in http/http_request.c)
since this fn has no http specifics.
Reviewed (in concept): Cliff Woolley, Ian Holsman
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@90832 13f79535-47bb-0310-9956-ffa450edef68
the directory_walk and file_walk for non-file requests. TRACE
shortcut moved to http_protocol.c as APR_HOOK_MIDDLE, and the
directory_walk/file_walk happen as APR_HOOK_VERY_LAST in core.c.
A seperate patch to mod_proxy is required to short circuit both the
TRACE and directory_walk/file_walk stuff. That patch is next.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@90665 13f79535-47bb-0310-9956-ffa450edef68
and add an ap_sub_req_lookup_dirent() to create a subrequest from the
results of an apr_dir_read() for mod_negotiation and mod_autoindex.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@89437 13f79535-47bb-0310-9956-ffa450edef68
a request while it is being created. This hook is called for all
request_rec's, main request, sub request, and internal redirect.
When this hook is called, the the r->main, r->prev, r->next
pointers have been set, so modules can determine what kind of
request this is.
Currently, this is only used by the core module, but protocol modules
are going to need to have the ability to affect the request while it is
being read.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@88532 13f79535-47bb-0310-9956-ffa450edef68
