Yann Ylavic [Mon, 22 Jun 2020 10:32:15 +0000 (10:32 +0000)]
Add pre_translate_name hook running before URI-path decoding.
This allows any module to work with un-decoded URI-path (besides
unreserved characters) in r->uri, and eventually to avoid decoding by
returning OK.
The first candidate is mod_proxy (following commit) when
ProxyMappingDecoded is disabled, such that the forwarded URI is
equivalent to the original one.
Yann Ylavic [Mon, 22 Jun 2020 10:29:27 +0000 (10:29 +0000)]
Add ap_normalize_path() to replace ap_getparents() (with options).
include/httpd.h: Declare ap_normalize_path() and flags.
AP_NORMALIZE_ALLOW_RELATIVE:
Don't require that the path be absolute as per RFC 7230.
This is needed for lookup subrequests.
AP_NORMALIZE_NOT_ABOVE_ROOT:
Check that directory traversal ("..") don't go above root, or
initial directory with relative paths.
AP_NORMALIZE_DECODE_UNRESERVED:
Decode unreserved characters (like '.') first since they have
the same semantics encoded and decoded.
AP_NORMALIZE_MERGE_SLASHES:
Merge multiple slahes into a single one.
AP_NORMALIZE_DROP_PARAMETERS:
Ignore path parameters (";foo=bar"). Not used by httpd but since
ap_normalize_path() is taken from mod_jk's jk_servlet_normalize()
it can allow them to use the upstream version now.
server/util.c: Implement ap_normalize_path().
modules/dav/main/util.c: Replace call to ap_getparents() using
ap_normalize_path() with AP_NORMALIZE_DECODE_UNRESERVED flag since
the path comes from an obsolute URL (thus potentially %-encoded).
modules/generators/mod_autoindex.c: Replace call to ap_getparents() using
ap_normalize_path() with AP_NORMALIZE_ALLOW_RELATIVE and
AP_NORMALIZE_NOT_ABOVE_ROOT flags to be consistent with original code.
include/ap_mmn.h: MINOR bump for ap_normalize_path().
Ruediger Pluem [Fri, 19 Jun 2020 11:45:16 +0000 (11:45 +0000)]
* Revert r1878939, r1878938, r1878936, the changes to
modules/http2/h2_request.c and CHANGES of r1878926 and r1878708 as a result of
https://lists.apache.org/thread.html/red499ac4750b88e5943c25abb86434c59dfff4d4f386ffc53742755d%40%3Cdev.httpd.apache.org%3E
and
https://lists.apache.org/thread.html/ra79eee019e2357703b0ea81153458a29817b58ce92e3605949eee1fe%40%3Cdev.httpd.apache.org%3E
Stefan Eissing [Wed, 17 Jun 2020 15:10:29 +0000 (15:10 +0000)]
*) mod_http2: workaround to facilitate use of common internal protocol/method/uri
checks. The module now handles master/secondary connections and has marked
methods according to use.
Joe Orton [Tue, 16 Jun 2020 14:31:26 +0000 (14:31 +0000)]
mod_ldap: Use the LDAP API directly to implement the rebind callback
for modern versions of OpenLDAP, avoiding the overhead of the apr-util
implementation.
* modules/ldap/util_ldap.c:
Define USE_APR_LDAP_REBIND if a modern version of OpenSSL is used.
(uldap_rebind_proc): New function.
(uldap_rebind_init, uldap_rebind_add): Define, using either the
callback or the (bad) APR-util versions.
(uldap_connection_unbind): Clear the rebind pool to remove rebind
references prior to destroying the LDAP *.
Omit for !USE_APR_LDAP_REBIND.
(uldap_connection_init): Use new wrappers, only create the rebind
pool if USE_APR_LDAP_REBIND.
* include/util_ldap.h: Don't include apr_ldap_rebind.h here.
Try to fix once and for all, our "en" html file generation issues with different Java version.
Switch "en" doc files to UTF-8.
We should also change "en.xml" with:
<target-ext>.html.en.utf8</target-ext>
and run:
./build.sh bootstrap
./build.sh
to be consistent with other languages.
Before making a lot of noise, first give some time to see how this works in RL.
make sure the $n of the regular expressions is not included the name of the worker.
for example, the example:
ProxyPassMatch "^(/.*\.gif)$" "http://backend.example.com:8000$1"
was giving:
AH00526: Syntax error on line nnn of bla/conf/httpd.conf:
ProxyPass Unable to parse URL: http://backend.example.com:8000$1
Stefan Eissing [Wed, 3 Jun 2020 12:01:50 +0000 (12:01 +0000)]
*) mod_proxy_http2: the "ping" proxy parameter
(see <https://httpd.apache.org/docs/2.4/mod/mod_proxy.html>) is now used
when checking the liveliness of a new or reused h2 connection to the backend.
With short durations, this makes load-balancing more responsive. The module
will hold back requests until ping conditions are met, using features of the
HTTP/2 protocol alone. [Ruediger Pluem, Stefan Eissing]
Yann Ylavic [Mon, 1 Jun 2020 15:40:03 +0000 (15:40 +0000)]
mod_proxy_http: put request/response splitting checks under the same comment.
If stream_reqbody() detects a Content-Length vs bytes streamed mismatch it
means that a module's filter played bad games, such inconsistency on the client
connection would have been caught by ap_http_filter().
So move AH01087 logic to AH01086, under the same comment and log message, and
always return HTTP_INTERNAL_SERVER because the client is not the culprit here.
Yann Ylavic [Fri, 29 May 2020 17:05:29 +0000 (17:05 +0000)]
mod_proxy_http: don't strip EOS when spooling request body to file.
To prevent stream_reqbody() from sending the FILE and EOS bucket in separate
brigades, and thus apr_file_setaside() to trigger if network congestion occurs
with the backend, restore the EOS in spool_reqbody_cl() which was stripped
when spooling the request body to a file.
Until APR r1878279 is released (and installed by users), apr_file_setaside()
on a temporary file (mktemp) will simply drop the file cleanup, leaking the
fd and inode..
Ruediger Pluem [Mon, 25 May 2020 05:50:12 +0000 (05:50 +0000)]
Fix a NULL pointer dereference
* server/scoreboard.c (ap_increment_counts): In certain cases like certain
invalid requests r->method might be NULL here. r->method_number defaults
to M_GET and hence is M_GET in these cases.
Don't let invalid invalid Content-Length header go beyond ap_read_request()
and protocol validation. The check in ap_http_filter() is still useful if
some modules mangles the header, but it's too late for the usual case.
It helps simplifying a lot of duplicated code based on apr_strtoff(), while
also rejecting leading plus/minus signs which are dissalowed in Content-Length
and (Content-)Range headers.
Yann Ylavic [Fri, 15 May 2020 12:27:13 +0000 (12:27 +0000)]
ap_filter_output_pending(): test where each filter should yield after running.
Since running a filter may pass data next to it, ap_filter_output_pending()
should test for ap_filter_should_yield(f->next) after each f call, otherwise
it won't take into account new pending data in filters it just walked.
Yann Ylavic [Thu, 14 May 2020 09:02:13 +0000 (09:02 +0000)]
mod_proxy: binary search for ProxyErrorOverride status codes.
The list can be rather long, speed up runtime by sorting the status codes in
error_override_codes and using binary search from ap_proxy_should_override().
Yann Ylavic [Tue, 12 May 2020 12:20:57 +0000 (12:20 +0000)]
mod_proxy_http: handle Upgrade requests and upgraded protocol forwarding.
If the request Upgrade header matches the worker upgrade= parameter and
the backend switches the protocol, do the tunneling in mod_proxy_http.
This allows to keep the protocol to HTTP until the backend really
switches the protocol, and apply usual output filters.
When configured to forward Upgrade mechanism, we want the backend to be
able to announce its Upgrade protocol to the client (e.g. with 426
Upgrade Required response) and thus forward back the Upgrade header that
matches the one(s) configured in the worker upgrade= parameter.
modules/proxy/mod_proxy.h:
modules/proxy/proxy_util.c:
ap_proxy_worker_can_upgrade(): added helper to determine whether a
proxy worker is configured to forward an Upgrade protocol.
include/ap_mmn.h:
Bump MMN minor for ap_proxy_worker_can_upgrade().
modules/proxy/mod_proxy.c:
set_worker_param(): handle worker parameter upgrade=ANY as upgrade=*
(should the "any" protocol scheme be something some day..).
modules/proxy/mod_proxy_wstunnel.c:
proxy_wstunnel_handler(): use ap_proxy_worker_can_upgrade() to match
the Upgrade header. Axe handling of upgrade=NONE, it makes no sense to
Upgrade a connection if the client did not ask for it, nor to configure
mod_proxy_wstunnel to use a worker with upgrade=NONE by the way.
modules/proxy/mod_proxy_http.c:
proxy_http_req_t: add fields force10 (force HTTP/1.0) and upgrade (value
of the Upgrade header sent by the client if it matches the configuration,
NULL otherwise).
proxy_http_handler(): use ap_proxy_worker_can_upgrade() to determine
whether the request is electable for end to end protocol upgrading and set
req->upgrade accordingly.
terminate_headers(): handle Connection and Upgrade headers to send to the
backend, according to req->force10 and req->upgrade set before.
ap_proxy_http_prefetch(): use req->force10 and terminate_headers().
send_continue_body(): added helper to send the body retained for end to
end 100-continue handling.
ap_proxy_http_process_response(): use ap_proxy_worker_can_upgrade() to
match the response Upgrade header and forward it back if it matches the
configured one(s). That is for 101 Switching Protocol obviously but also
any other status code which is not overidden, at the backend wish. If the
protocol is switching, create a proxy tunnel and run it, using the minimal
timeout from the client or backend connection.
Yann Ylavic [Sun, 10 May 2020 15:15:21 +0000 (15:15 +0000)]
util_expr: allow to specify only one of ap_expr_eval_ctx_t's r/c/s.
Depending on where the expression is evaluated, a request_rec might not be
available, so allow to specify only a conn_rec or a server_rec (at least) in
the passed in ap_expr_eval_ctx_t.
projects / thirdparty / apache / httpd.git / log
