Jim Jagielski [Tue, 7 Jan 2025 15:04:23 +0000 (15:04 +0000)]
*) Add the ldap-search option to mod_authnz_ldap, allowing authorization
to be based on arbitrary expressions that do not include the username.
Make sure that when ldap searches are too long, we explicitly log the
error.
Jim Jagielski [Tue, 7 Jan 2025 15:00:40 +0000 (15:00 +0000)]
*) Easy patches: synch 2.4.x and trunk
- server: Use apr_size_t instead of int to harden against overflows
- mod_http2: DOXYGEN has nothing to do here, just remove this
strange "#if defined(DOXYGEN)"
- test: make the compiler happy when using --enable-maintainer-mode
- mod_proxy: Fix format string type check
- mod_http2: Fix comment, no functional change
- <various>: Remove unnecessary APLOGNO() use in TRACE-level logging
- mod_cache_socache: Update comment only, to remove reference to
session cache
- mod_dav: Fix error message formatting if an unauthenticated user
tries to use an authenticated user's lock token
- <none>: trigger ci
- server: Fix typo in comment
Joe Orton [Tue, 7 Jan 2025 08:45:31 +0000 (08:45 +0000)]
Merge r1921971 from trunk:
* modules/aaa/mod_authnz_ldap.c (create_authnz_ldap_dir_config): Fix allocation
of sgAttributes, found by gcc -fanalyzer:
modules/aaa/mod_authnz_ldap.c: scope_hint: In function 'create_authnz_ldap_dir_config'
modules/aaa/mod_authnz_ldap.c:356:23: warning[-Wanalyzer-allocation-size]: allocated buffer size is not a multiple of the pointee's size
Joe Orton [Thu, 12 Dec 2024 17:54:24 +0000 (17:54 +0000)]
Merge r1921310, r1922412 from trunk: [CTR for CI changes]
CI: Further fixes for ubuntu-latest image updates on GitHub Actions.
CI: Switch down to GCC 12, the ubuntu-latest image is not consistently
an Ubuntu 24.04 environment yet, this version should be available in
both the -22.04 and -24.04 images.
Stefan Eissing [Tue, 3 Dec 2024 09:59:46 +0000 (09:59 +0000)]
Merge /httpd/httpd/trunk:r1922279
*) mod_md: update to version 2.4.29
- Fixed HTTP-01 challenges to not carry a final newline, as some ACME
servers fail to ignore it. [Michael Kaufmann (@mkauf)]
- Fixed missing label+newline in server-status plain text output when
MDStapling is enabled.
Eric Covener [Sun, 1 Dec 2024 14:17:01 +0000 (14:17 +0000)]
Merge r1922246 from trunk:
Don't use AuthFormLoginRequiredLocation in inline
Intro to inline says:
If a non-authenticated user attempts to access a page protected by
mod_auth_form that isn't configured with an AuthFormLoginRequiredLocation
directive, an HTTP_UNAUTHORIZED status code is returned to the browser
indicating to the user that they are not authorized to view the page.
The entire point seems to be to keep the URL the same by using an internal redirect
via ErrorDocument, and AuthFormLoginRequiredLocation conflicts with it.
Submitted By: Rishikeshan Lavakumar/Sulochana <oss AT @rishikeshan.com>
Before r1918550 (r1918559 in 2.4.60), "SetHandler proxy:..." configurations
did not pass through proxy_fixup() hence the proxy_canon_handler hooks, leaving
fcgi's SCRIPT_FILENAME environment variable (from r->filename) decoded, or more
exactly not re-encoded.
We still want to call ap_proxy_canon_url() for "fcgi:" to handle/strip the UDS
"unix:" case and check that r->filename is valid and contains no controls, but
proxy_fcgi_canon() will no longer call ap_proxy_canonenc_ex() and thus no longer re-encode.
Note that this will do the same for "ProxyPass fcgi:...", there is no reason
that using SetHandler or ProxyPass shouldn't result in the same thing. If an opt
in/out makes sense we should probably look at ProxyFCGIBackendType.
Follow up to r1919620: CHANGES entry indent.
Follow up to r1919620: init path after "proxy:" is skipped.
Follow up to r1919620: Restore r->filename re-encoding for ProxyPass URLs.
Joe Orton [Tue, 15 Oct 2024 11:33:02 +0000 (11:33 +0000)]
Merge r1921311 from trunk: [RTC exception for CI]
CI: Use the image version in the cache keys. This is likely a simpler
and more robust fix for the issues with Perl XS builds being cached.
Root cause was likely "ubuntu-latest" changing from 22.04 to 24.04.
Cache keys will now change when that happens again, preventing reuse
of cached builds across OS versions.
Ruediger Pluem [Mon, 14 Oct 2024 06:56:45 +0000 (06:56 +0000)]
Merge r1838684, r1920570, r1920571, r1920572 from trunk:
When a rewrite to proxy is configured in the server config, a check is made to make sure mod_proxy is active. But the same is not done if a rewrite to proxy is configured in an .htaccess file.
Basically this patch is the block of code from hook_uri2file that does the proxy check, copied to hook_fixup.
Patch provided by Michael Streeter [mstreeter1 gmail.com], slightly modified to use a new APLOGNO
PR 56264
mod_rewrite, mod_proxy: mod_proxy to canonicalize rewritten [P] URLs. PR 69235.
When mod_rewrite sets a "proxy:" URL with [P], it should be canonicalized by
mod_proxy still, notably to handle any "unix:" local socket part.
To avoid double encoding in perdir context, a follow up commit should remove the
ap_escape_uri() done in mod_rewrite since it's now on mod_proxy to canonicalize,
per PR 69260.
* Leave the proper escaping of the URL and the adding of r->args to the
proxy module which runs after us after r1920570.
Just take care to add r->args in case the proxy rule has the
[NE] flag set and tell the proxy module to not escape in this case.
Eric Covener [Fri, 27 Sep 2024 13:11:05 +0000 (13:11 +0000)]
*) mod_rewrite: Improve safe question mark detection
Trunk version of patch:
https://svn.apache.org/r1920566
Backport version for 2.4.x of patch:
Trunk version of patch works
svn merge -c 1920566 ^/httpd/httpd/trunk .
+1: rpluem, covener, jorton
Eric Covener [Fri, 27 Sep 2024 13:08:17 +0000 (13:08 +0000)]
*) Windows: Make UNCList EXEC_ON_READ to be early enough for
`Include //computername/include.conf`. PR69313
Trunk version of patch:
https://svn.apache.org/r1920564
Backport version for 2.4.x of patch:
svn merge -c r1920564 ^/httpd/httpd/trunk .
+1 covener, rpluem, steffenal
Eric Covener [Fri, 27 Sep 2024 13:06:46 +0000 (13:06 +0000)]
Merge r1919532, r1919533 from trunk:
*) mod_proxy: Avoid AH01059 parsing error for SetHandler "unix:" URLs
in <Location> (incomplete fix in 2.4.62). PR 69160.
When SetHandler "unix:..." is used in a <Location "/path"> block, the path
gets appended (including $DOCUMENT_ROOT somehow) to r->filename hence the
current checks in fixup_uds_filename() to add "localhost" when missing don't
work. Fix them.
mod_proxy: Allow for empty UDS URL hostname in ProxyPass workers too.
Using "unix:/udspath|scheme:" or "unix:/udspath|scheme://" for a ProxyPass URL
does not work currently, while it works for SetHandler "proxy:unix:...".
*) mod_md: update to version 2.4.28
- When the server starts, it looks for new, staged certificates to
activate. If the staged set of files in 'md/staging/<domain>' is messed
up, this could prevent further renewals from happening. Now, when the staging
set is present, but could not be activated due to an error, purge the
whole directory. [icing]
- Fix certificate retrieval on ACME renewal to not require a 'Location:'
header returned by the ACME CA. This was the way it was done in ACME
before it became an IETF standard. Let's Encrypt still supports this,
but other CAs do not. [icing]
- Restore compatibility with OpenSSL < 1.1. [ylavic]
Stefan Eissing [Tue, 17 Sep 2024 11:17:23 +0000 (11:17 +0000)]
Merged /httpd/httpd/trunk:r1920744
*) mod_tls: removed the experimental module. It now is available standalone
from https://github.com/icing/mod_tls. The rustls provided API is not
stable and does not align with the httpd release cycle.