293 Commits

Author SHA1 Message Date
8e529cecca * mod_http2/mod_proxy_http2: fix a bug in calculating the log2 value of
integers, used in push diaries and proxy window size calculations.
    PR69741 [Benjamin P. Kallus]



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1927235 13f79535-47bb-0310-9956-ffa450edef68
2025-07-15 06:35:04 +00:00
e5a19d43e0 mod_ssl: Accept expired client certs with optional_no_ca mode.
* modules/ssl/ssl_private.h (ssl_verify_error_is_optional): Add
  X509_V_ERR_CERT_HAS_EXPIRED to the list of error exceptions
  permitted for "optional_no_ca" mode.

Submitted by: Naveen Albert <apache2 phreaknet.org>
PR: 60028
Github: closes #509


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1926714 13f79535-47bb-0310-9956-ffa450edef68
2025-06-25 07:55:26 +00:00
9771a826fd Add the escapehtml function to the expression API
Add the escapehtml function to the expression API, allowing to escape HTML
strings to guard against HTML injections.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1926342 13f79535-47bb-0310-9956-ffa450edef68
2025-06-10 15:31:19 +00:00
4e2976c49a Add a change entry to give credits to the author.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1926191 13f79535-47bb-0310-9956-ffa450edef68
2025-06-06 20:26:38 +00:00
052328156d Add a change entry to give credits to the author.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1926189 13f79535-47bb-0310-9956-ffa450edef68
2025-06-06 20:21:30 +00:00
39265983d1 * modules/dav/fs/repos.c (dav_fs_remove_resource):
Return a 404 if apr_file_remove() fails with an ENOENT error,
  likely due to a race with another DELETE.

PR: 60746
Github: closes #535


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1926172 13f79535-47bb-0310-9956-ffa450edef68
2025-06-06 10:36:00 +00:00
2de0d11e9b *) mod_md: update to version 2.5.2
- Fixed TLS-ALPN-01 challenges when multiple `MDPrivateKeys` are specified
       with EC keys before RSA ones. Fixes #377. [Stefan Eissing]
     - Fixed missing newlines in the status page output. [Andreas Groth]



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1925979 13f79535-47bb-0310-9956-ffa450edef68
2025-05-30 12:45:59 +00:00
b84e2e2068 *) mod_http2: update to version 2.0.32
The code setting the connection window size was set wrong,
     preventing `H2WindowSize` to work.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1925975 13f79535-47bb-0310-9956-ffa450edef68
2025-05-30 12:20:22 +00:00
c15471ee3b mod_proxy: restore reuse of ProxyRemote connections when possible.
Fixes a regression from 2.4.59 (r1913907).

For a reverse proxy setup with a worker (enablereuse=on) and a
forward/CONNECT ProxyRemote to reach it, an open connection/tunnel
to/through the remote proxy for the same origin server (and using the
same proxy auth) should be reusable. Avoid closing them like r1913534
did.

* modules/proxy/proxy_util.c:
  Rename the struct to remote_connect_info since it's only used for
  connecting through remote CONNECT proxies. Axe the use_http_connect
  field, always true.

* modules/proxy/proxy_util.c(ap_proxy_connection_reusable):
  Remote CONNECT (forward) proxy connections can be reused if the auth
  and origin server infos are the same, so conn->forward != NULL is not
  a condition to prevent reusability.

* modules/proxy/proxy_util.c(ap_proxy_determine_connection):
  Fix the checks around conn->forward reuse and connection cleanup if
  that's not possible.

Submitted by: jfclere, ylavic
GH: closes #531


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1925743 13f79535-47bb-0310-9956-ffa450edef68
2025-05-22 14:38:41 +00:00
e36237899d * Temporarily add back the query string to the URL as it might contain the
routing information for sticky sessions.

PR: 69443


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1925109 13f79535-47bb-0310-9956-ffa450edef68
2025-04-16 11:29:25 +00:00
e6cfbfa30d mod_ssl: Check the SSLProtocol directive when loading the configuration
Previously, the SSLProtocol directive was checked at runtime. Apache quit if
the directive contained an invalid combination of protocols, and logged the
message "AH02231: No SSL protocols available [hint: SSLProtocol]".

With this change, most invalid SSLProtocol directives are detected when
checking the configuration, e.g. with \"httpd -t -f httpd.conf\".

Examples of invalid protocol combinations that are caught:
* SSLProtocol "-TLSv1"
* SSLProtocol "-all"
* SSLProtocol "TLSv1.2 -TLSv1.2"

Submitted by: Michael Kaufmann <mail michael-kaufmann.ch>
Github: closes #523


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1924955 13f79535-47bb-0310-9956-ffa450edef68
2025-04-09 08:01:24 +00:00
5a148b5b9d mod_ssl: Remove warning over potential uninitialised value
for ssl protocol prior to protocol selection.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1924757 13f79535-47bb-0310-9956-ffa450edef68
2025-04-03 14:36:16 +00:00
303ca68847 * mod_proxy_http2: revert r1912193 for detecting broken backend connections
as this interferes with backend selection who a node is unresponsive.
    PR69624.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1924554 13f79535-47bb-0310-9956-ffa450edef68
2025-03-24 12:48:09 +00:00
f3448d02da *) mod_http2: Fix handling of 304 responses from mod_cache. PR 69580.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1924267 13f79535-47bb-0310-9956-ffa450edef68
2025-03-10 10:09:43 +00:00
b1a1473add fix module name in change entry
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1924164 13f79535-47bb-0310-9956-ffa450edef68
2025-03-04 09:09:37 +00:00
e1fe1d8505 *) mod_md: update to version 2.0.30
- Fixed bug in handling over long response headers. When the 64 KB limit
       of nghttp2 was exceeded, the request was not reset and the client was
       left hanging, waiting for it. Now the stream is reset.
     - Added new directive `H2MaxHeaderBlockLen` to set the limit on response
       header sizes.
     - Fixed handling of Timeout vs. KeepAliveTimeout when first request on a
       connection was reset.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1924145 13f79535-47bb-0310-9956-ffa450edef68
2025-03-03 12:32:31 +00:00
826f90e639 mod_lua: Fix memory handling in output filters.
* modules/lua/mod_lua.c (lua_output_filter_handle): Fix brigade
  iteration to use constant memory.

Submitted by: G.Grandes <guillermo.grandes gmail.com>
PR: 69590
Github: closes #517


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1924095 13f79535-47bb-0310-9956-ffa450edef68
2025-02-28 08:24:10 +00:00
e3d014c009 *) scoreboard/mod_http2: record durations of HTTP/2 requests.
PR 69579 [Pierre Brochard <pierre.brochard.1982@m4x.org>]



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1923754 13f79535-47bb-0310-9956-ffa450edef68
2025-02-12 09:43:40 +00:00
3af0d142f1 * Allow to unset cookies via negative lifetime values
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1923725 13f79535-47bb-0310-9956-ffa450edef68
2025-02-11 10:29:03 +00:00
1db5c2359a Add API exposing the DavBasePath setting for use by DAV repository
backend modules (mod_dav_svn needs this for POST method handling).

* modules/dav/main/mod_dav.c (dav_get_base_path): New function.

* include/ap_mmn.h: Bump MMN minor.

Github: closes #513


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1923639 13f79535-47bb-0310-9956-ffa450edef68
2025-02-07 11:09:25 +00:00
e07b7a2abd *) mod_md: update to v2.5.1
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1923592 13f79535-47bb-0310-9956-ffa450edef68
2025-02-05 12:30:07 +00:00
3431795597 Add a Changes entry related to r1917017
While at it, fix a small style issue (tab vs spaces)

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1923218 13f79535-47bb-0310-9956-ffa450edef68
2025-01-19 10:59:10 +00:00
202d0068d8 *) mod_md: update to version 2.4.31
- Improved error reporting when waiting for ACME server to verify domains
       or finalizing the order fails, e.g. times out.
     - Increasing the timeouts to wait for ACME server to verify domain names
       and issue the certificate from 30 seconds to 5 minutes.
     - Change a log level from error to debug when Stapling is enabled but a
       certificate carries no OCSP responder URL.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1923148 13f79535-47bb-0310-9956-ffa450edef68
2025-01-15 12:48:52 +00:00
6433e92520 * Do not add a space before '|' when setting the value for stickysession in the
balancer manager as this breaks the stickysession configuration once a new
  configuration is submitted by the balancer manager.

PR: 69510
Submitted by: Yutaka Tokunou <tokunou.yutaka@fujitsu.com>
Reviewed by: rpluem


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1923101 13f79535-47bb-0310-9956-ffa450edef68
2025-01-13 13:37:40 +00:00
cae775f2f6 *) mod_md: update to version 2.4.29
- Fixed HTTP-01 challenges to not carry a final newline, as some ACME
       server fail to ignore it. [Michael Kaufmann (@mkauf)]
     - Fixed missing label+newline in server-status plain text output when
       MDStapling is enabled.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1922279 13f79535-47bb-0310-9956-ffa450edef68
2024-12-03 09:47:26 +00:00
584286f25d * Use iobuffersize set on worker level for the IO buffer size.
PR: 69402
Submitted by: Jari Ahonen <jah@progress.com>
Reviewed by: rpluem


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1922115 13f79535-47bb-0310-9956-ffa450edef68
2024-11-26 13:01:08 +00:00
50df6c8cc0 Revert r1921336.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1921357 13f79535-47bb-0310-9956-ffa450edef68
2024-10-16 11:41:52 +00:00
fbf57b8bef mod_ssl: Disallow SSLOpenSSLConfCmd within vhost context since it
has global effect.

* modules/ssl/ssl_engine_config.c (ssl_cmd_SSLOpenSSLConfCmd):
  Disallow use within vhost context.

PR: 69397


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1921336 13f79535-47bb-0310-9956-ffa450edef68
2024-10-15 14:30:19 +00:00
b814e49373 Add changes-entries/ file missed from r1921305.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1921306 13f79535-47bb-0310-9956-ffa450edef68
2024-10-14 13:38:04 +00:00
61db0638bf mod_lua: Make r.ap_auth_type writable
This completes the option of setting the remote user by the authentication
mechanism which actually verified the user.

One possible usecase is that a proxied (upstream) server performs the
authentication, but the access log of HTTPd does not contain this information.
The upstream server can pass this kind of information back to HTTPd and both
servers will have consistent access logs.

Submitted by: Michael Osipov <michaelo apache.org>
PR: 62497
Github: closes #67


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1921260 13f79535-47bb-0310-9956-ffa450edef68
2024-10-11 16:20:44 +00:00
e9915b2bdb mod_ssl: Add SSLClientHelloVars directive which exposes various
ClientHello properties in new SSL_CLIENTHELLO_* variables.

* modules/ssl/ssl_engine_kernel.c (ssl_hook_Fixup_vars): Add
  SSL_CLIENTHELLO_* vars.
  (copy_clienthello_vars): New function.
  (ssl_callback_ClientHello): Call it when needed.

* modules/ssl/ssl_engine_vars.c (ssl_var_lookup_ssl_clienthello): New
  function.
  (ssl_var_lookup_ssl): Call it for SSL_CLIENTHELLO_*.

* modules/ssl/ssl_private.h (modssl_clienthello_vars): Add type.
  (SSLConnRec): Add clienthello_vars pointer.

* modules/ssl/ssl_engine_config.c, modules/ssl/mod_ssl.c: Add handling
  of new SSLClientHelloVars directive.

Submitted by: Charles Smutz <csmutz gmail.com>
Github: closes #483


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1921074 13f79535-47bb-0310-9956-ffa450edef68
2024-10-01 16:09:11 +00:00
af10058840 *) mod_md: update to version 2.4.28
- When the server starts, it looks for new, staged certificates to
       activate. If the staged set of files in 'md/staging/<domain>' is messed
       up, this could prevent further renewals to happen. Now, when the staging
       set is present, but could not be activated due to an error, purge the
       whole directory. [icing]
     - Fix certificate retrieval on ACME renewal to not require a 'Location:'
       header returned by the ACME CA. This was the way it was done in ACME
       before it became an IETF standard. Let's Encrypt still supports this,
       but other CAs do not. [icing]
     - Restore compatibility with OpenSSL < 1.1. [ylavic]



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1920747 13f79535-47bb-0310-9956-ffa450edef68
2024-09-17 11:38:19 +00:00
988f449632 removed experimental mod_tls. source, documenation and test cases
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1920744 13f79535-47bb-0310-9956-ffa450edef68
2024-09-17 11:06:04 +00:00
3cdd54ce63 update changes
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1920740 13f79535-47bb-0310-9956-ffa450edef68
2024-09-17 10:37:57 +00:00
b9588ebe06 mod_ssl: Fix regression in r1914365 preventing pkcs11: key/cert lookup
via the ENGINE API without SSLCryptoDevice configured.

* modules/ssl/ssl_engine_pphrase.c
  (modssl_load_keypair_engine): Return APR_ENOTIMPL if the ENGINE
  could not be loaded for the key.
  (modssl_load_engine_keypair): Always try loading via ENGINE
  (as prior to r1914365) but fall back to the STORE API for
  the new APR_ENOTIMPL case.

Github: closes #480


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1920597 13f79535-47bb-0310-9956-ffa450edef68
2024-09-12 16:04:39 +00:00
43721ffcee * modules/core/mod_macro.c (process_content): Return error if there's
enough not space to store the macro. Replaced MAX_STRING_LEN by
  sizeof(line).

PR: 69258
Submitted by: Marc Stern <marc.stern approach-cyber.com>
Github: closes #479


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1920588 13f79535-47bb-0310-9956-ffa450edef68
2024-09-12 08:36:55 +00:00
197ed77816 * Mention the additional bug [skip ci]
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1920572 13f79535-47bb-0310-9956-ffa450edef68
2024-09-11 16:06:04 +00:00
c9dc4bb61b mod_rewrite, mod_proxy: mod_proxy to cononicalize rewritten [P] URLs. PR 69235.
When mod_rewrite sets a "proxy:" URL with [P], it should be canonicalized by
mod_proxy still, notably to handle any "unix:" local socket part.

To avoid double encoding in perdir context, a follow up commit should remove the
ap_escape_uri() done in mod_rewrite since it's now on mod_proxy to canonicalize,
per PR 69260.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1920570 13f79535-47bb-0310-9956-ffa450edef68
2024-09-11 15:30:08 +00:00
6e9594c220 Windows: fix "Include" of UNC paths
... by making UNCList EXEC_ON_READ (since Include is EXEC_ON_READ)


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1920564 13f79535-47bb-0310-9956-ffa450edef68
2024-09-11 13:04:51 +00:00
79990b070f mod_ssl: Add SSL_HANDSHAKE_RTT environment variable.
* modules/ssl/ssl_engine_vars.c (ssl_var_lookup_ssl): Support
  SSL_HANDSHAKE_RTT.  (ssl_var_lookup_ssl_handshake_rtt): New
  function.

* modules/ssl/ssl_engine_kernel.c (ssl_hook_Fixup_vars): Add
  SSL_HANDSHAKE_RTT.

Submitted by: csmutz
Github: closes #477


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1920297 13f79535-47bb-0310-9956-ffa450edef68
2024-08-30 15:36:29 +00:00
c4f35264e9 don't merge slashes on perdir prefix
Submitted by: Eric Covener 

Github: closes #472


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1919860 13f79535-47bb-0310-9956-ffa450edef68
2024-08-13 14:12:35 +00:00
f1eda2be4d Follow up to r1919620: Restore r->filename re-encoding for ProxyPass URLs.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1919628 13f79535-47bb-0310-9956-ffa450edef68
2024-08-02 00:53:53 +00:00
4864be2599 Follow up to r1919620: CHANGES entry indent.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1919621 13f79535-47bb-0310-9956-ffa450edef68
2024-08-01 15:20:16 +00:00
13963ef367 mod_proxy_fcgi: Don't re-encode SCRIPT_FILENAME. PR 69203
Before r1918550 (r1918559 in 2.4.60), "SetHandler proxy:..." configurations
did not pass through proxy_fixup() hence the proxy_canon_handler hooks, leaving
fcgi's SCRIPT_FILENAME environment variable (from r->filename) decoded, or more
exactly not re-encoded.

We still want to call ap_proxy_canon_url() for "fcgi:" to handle/strip the UDS
"unix:" case and check that r->filename is valid and contains no controls, but
proxy_fcgi_canon() will not ap_proxy_canonenc_ex() thus re-encode anymore.

Note that this will do the same for "ProxyPass fcgi:...", there is no reason
that using SetHandler or ProxyPass don't result in the same thing. If an opt
in/out makes sense we should probably look at ProxyFCGIBackendType.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1919620 13f79535-47bb-0310-9956-ffa450edef68
2024-08-01 14:43:58 +00:00
58c4d2005d Follow up to r1919617: Better CHANGES entry per Eric.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1919619 13f79535-47bb-0310-9956-ffa450edef68
2024-08-01 13:00:35 +00:00
2f1f9c5df0 mod_proxy: Fix selection of ProxyPassMatch workers with host/port substitution. PR 69233.
With "ProxyPassMatch ^/([^/]+)/(.*)$ https://$1/$2", ap_proxy_get_worker_ex()
should not consider the length of scheme://host part of the given URL because
of the globbing match on the host part.

Fix it by setting worker->s>is_host_matchable when creating a worker with host
substitution and avoiding the min_match check in worker_matches() in this case.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1919617 13f79535-47bb-0310-9956-ffa450edef68
2024-08-01 11:35:26 +00:00
f78f41ec51 *) mod_proxy: Avoid AH01059 parsing error for SetHandler "unix:" URLs
in <Location> (incomplete fix in 2.4.62). PR 69160.

When SetHandler "unix:..." is used in a <Location "/path"> block, the path 
gets appended (including $DOCUMENT_ROOT somehow) to r->filename hence the
current checks in fixup_uds_filename() to add "localhost" when missing don't
work. Fix them.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1919532 13f79535-47bb-0310-9956-ffa450edef68
2024-07-26 14:36:25 +00:00
a1a93beb58 mod_rewrite: Better question mark tracking to avoid UnsafeAllow3F. PR 69197.
Track in do_expand() whether a '?' in the uri-path comes from a literal in
the substitution string or from an expansion (variable, lookup, ...).
In the former case it's safe to assume that it's the query-string separator
but for the other case it's not (could be a decoded %3f from r->uri).

This allows to avoid [UnsafeAllow3F] for most cases.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1919325 13f79535-47bb-0310-9956-ffa450edef68
2024-07-17 20:50:12 +00:00
6716ada174 mod_proxy: Fix canonicalisation and FCGI env (PATH_INFO, SCRIPT_NAME) for
"balancer:" URLs set via SetHandler, also allowing for "unix:"
           sockets with BalancerMember(s).  PR 69168.

* modules/proxy/proxy_util.h, modules/proxy/proxy_util.c:
  Move proxy_interpolate() from mod_proxy.c to ap_proxy_interpolate(),
  exported locally only (non public).
  Move proxy_fixup() from mod_proxy.c to ap_proxy_canon_url(), exported
  locally only too (non public).
  Rollback ap_proxy_fixup_uds_filename() to a local fixup_uds_filename()
  usable from proxy_util.c only. The public function will be removed in
  a following commit.

* modules/proxy/mod_proxy.h:
  Note that ap_proxy_fixup_uds_filename() is deprecated.

* modules/proxy/mod_proxy.c:
  Just use ap_proxy_canon_url() from proxy_fixup() and proxy_handler()
  for SetHandler URLs.

* modules/proxy/mod_proxy_balancer.c:
  Do not canonicalize the path from proxy_balancer_canon() anymore but
  rather from balancer_fixup() where the balancer URL is rewritten to
  the BalancerMember URL.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1919022 13f79535-47bb-0310-9956-ffa450edef68
2024-07-08 13:59:50 +00:00
530106b2c1 mod_proxy: Avoid AH01059 parsing error for SetHandler "unix:" URLs. PR 69160
The hostname part of the URL is not mandated for UDS though the canon_handler
hooks will require it, so add "localhost" if it's missing (won't be used anyway
for an AF_UNIX socket).

This can trigger with SetHandler "unix:" URLs which are now also fixed up.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1919015 13f79535-47bb-0310-9956-ffa450edef68
2024-07-08 12:35:35 +00:00