Rich Bowen [Fri, 19 Jun 2026 14:26:22 +0000 (14:26 +0000)]
docs: howto/ssi.xml complete rewrite for style and tone
- Full rewrite for style guide compliance and tone normalization
- Remove all first-person ("I'll talk about...")
- Remove TeX-style ``quoting'' throughout
- Remove dated references (hit counters, guestbooks, Win32)
- Reposition as "a practical, lightweight technique"
- Remove duplicated content between summary, body, and conclusion
- Fix bare "Apache" → "httpd"
- Update example date to 2026
- Add <example> wrappers around all <highlight> blocks
Rich Bowen [Fri, 19 Jun 2026 14:22:34 +0000 (14:22 +0000)]
docs: howto/htaccess.xml editorial cleanup
- Update example log dates to 2026
- Change error log highlight blocks from language="config" to "sh"
- Remove filler phrases: "in order to", "a lot of", "it is important
to remember that", "simply"
- Convert inline "Note that..." prose to <note> blocks
Rich Bowen [Fri, 19 Jun 2026 12:23:41 +0000 (12:23 +0000)]
docs: howto/cgi.xml tone normalization and mod_cgi/mod_cgid explanation
- Add paragraph explaining why two CGI modules exist: mod_cgid for
threaded MPMs (event, worker), mod_cgi for non-threaded (prefork)
and Windows; note they are configuration-compatible
- Link to both module reference pages for implementation details
- Clean up LoadModule note block (remove duplicate "A correctly
configured directive may look like this")
- Remove "Of course" asides and "In order to" constructions
- "There are two main differences" → direct statement
- Move bug-database advisory into <note> block
- Convert remaining Perl references to Python
Rich Bowen [Fri, 19 Jun 2026 12:16:23 +0000 (12:16 +0000)]
docs: howto/auth.xml tone normalization and deduplication
- Replace host-based access control section (Require ip/host examples)
with brief explanation and cross-reference to access.html howto
- Remove dated "HTTPD 2.3/2.4 introduces" from socache section
- Grammar and spelling fixes throughout
Rich Bowen [Thu, 18 Jun 2026 12:13:12 +0000 (12:13 +0000)]
docs: Editorial pass on howto/http2.xml
- Grammar and spelling fixes throughout (fixes bz#70115)
- Wrap overlong lines to match document style
- Replace dead browser extension links with current equivalents
- Update caniuse link to https
- Simplify browser support list (all modern browsers support HTTP/2)
- Note Server Push deprecation per RFC 9113; point to Early Hints
- Note Accept-Push-Policy draft expired and was never adopted
Rich Bowen [Wed, 17 Jun 2026 20:56:52 +0000 (20:56 +0000)]
docs: Modernize howto/http2.xml
- Update all RFC references from 7540 to 9113 (which obsoletes it)
- Remove duplicated RFC link in protocol overview
- Add Server Push deprecation note (deprecated in RFC 9113 §8.4,
removed by Chrome 106+/Edge 106+; recommend 103 Early Hints)
- Update Homebrew note: remove obsolete --with-openssl/--with-nghttp2
flags (Homebrew removed formula options in 2019; curl includes
HTTP/2 support by default now)
- Fix typos: "consistent releases" → "consistent across releases",
"as RFC do" → "as RFCs do", "they are" → "there are",
"at at time" → "at a time", "avoiding to re-instantiate" →
"avoiding the need to re-instantiate", "head of blocking" →
"head-of-line blocking"
Rainer Jung [Tue, 16 Jun 2026 19:28:00 +0000 (19:28 +0000)]
mod_md: New directive: MDHttpProxyCACertificateFile
Sets the CA certificates to use for connections to the HTTPS proxy that has
been configured with MDHttpProxy.
Rich Bowen [Tue, 16 Jun 2026 18:35:00 +0000 (18:35 +0000)]
docs: Clarify who dispatches I/O events in motorz PollersPerChild (bz 70105)
The existing wording used "a single child can...dispatch I/O events"
which was ambiguous when the preceding paragraph already said pollers
do the dispatching. Reword to make the subject explicit: each poller
thread independently accepts and dispatches to the worker pool, so
adding pollers parallelizes those operations within a child process.
Rich Bowen [Tue, 16 Jun 2026 18:16:02 +0000 (18:16 +0000)]
docs: Add module processing order diagram to rewrite/tech.xml
Side-by-side comparison showing the order reversal between server and
per-directory context: mod_rewrite runs before mod_alias in server
context (both in URL-to-filename phase), but mod_alias runs first in
per-directory context because mod_rewrite moves to the later Fixup
phase. Color-coded boxes make the reversal immediately visible.
Rich Bowen [Tue, 16 Jun 2026 17:33:09 +0000 (17:33 +0000)]
docs: Improve alt text on existing rewrite diagrams for accessibility
Replace vague or duplicated alt attributes with descriptive text that
conveys the content of each diagram to screen reader users:
- rewrite_process_uri.png: describes per-rule control flow
- rewrite_backreferences.png: describes \$1-\$9 and %1-%9 flow
- syntax_rewriterule.png: describes three-component syntax
- syntax_rewritecond.png: describes TestString and CondPattern components
Rich Bowen [Tue, 16 Jun 2026 17:32:20 +0000 (17:32 +0000)]
docs: Add simplified mod_rewrite overview diagram to rewrite/intro.xml
New flowchart at the end of the Introduction section showing the basic
request processing loop: RewriteEngine check, iterate rules, pattern
match, RewriteCond evaluation, substitution, and L/END flag termination.
Explicitly labeled as a simplified overview with a link to tech.xml for
the full processing model. Supplements existing prose for visual
learners without replacing accessible text content.
Rich Bowen [Tue, 16 Jun 2026 17:14:54 +0000 (17:14 +0000)]
docs: Add flag quick-reference table to rewrite/flags.xml
Categorized table at the top of the flags page grouping flags by
purpose (flow control, redirection/proxying, access control, URL/query
string, metadata/handlers, cookie) with brief effect descriptions and
common combo examples showing how flags are stacked in practice.
Rich Bowen [Tue, 16 Jun 2026 16:34:15 +0000 (16:34 +0000)]
docs: Add path stripping and RewriteBase flowchart to rewrite/htaccess.xml
New diagram showing the per-directory URL transformation pipeline:
incoming URL-path → strip directory prefix → pattern match → substitution
→ three-way branch depending on result type (relative path gets
RewriteBase prepended then subrequest; absolute path goes directly to
subrequest; absolute URI triggers external redirect with no subrequest).
Rich Bowen [Tue, 16 Jun 2026 15:23:56 +0000 (15:23 +0000)]
docs: Add SVG diagram style guide and PNG generation instructions
New README.md in docs/manual/images/ documents the font, color, and
layout conventions used for flowchart SVGs, includes the full SVG
boilerplate template, and provides rsvg-convert install/usage
instructions for macOS (brew), Fedora/RHEL (dnf), and Debian/Ubuntu
(apt-get).
Rich Bowen [Tue, 16 Jun 2026 15:09:59 +0000 (15:09 +0000)]
docs: Add [L] flag looping flowchart to rewrite/htaccess.xml
New diagram illustrating how [L] in per-directory context triggers an
internal subrequest that re-enters the ruleset, potentially causing
infinite loops. Shows the [END] flag exit path, the condition-guard
exit path, and the unguarded loop that results in a 500 error.
SVG source and PNG placed in docs/manual/images/. Image referenced
from the "The [L] flag and looping" section of htaccess.xml using the
same figure markup pattern as existing tech.xml diagrams.
Rich Bowen [Tue, 16 Jun 2026 14:41:09 +0000 (14:41 +0000)]
docs: Clarify CGI meta-variables terminology in env.xml (bz 70095)
The introductory paragraph incorrectly implied that HTTP defines
environment variables. Reword to accurately describe the relationship:
RFC 3875 defines meta-variables (many derived from HTTP headers), and
httpd exposes them as environment variables.
Rich Bowen [Mon, 15 Jun 2026 19:14:34 +0000 (19:14 +0000)]
Sync trunk mod_rewrite doc with enhancements to 2.4
At some point, I made an update to the 2.4 doc and didn't make it in
trunk. This improves the "what gets matched" and "per-directory" bits of
the RewriteRule doc.
Rich Bowen [Mon, 15 Jun 2026 18:27:50 +0000 (18:27 +0000)]
Reorg of TestString section of RewriteCond doc
bz#70093 recommended merging all of the RewriteCond test string stuff
into one massive flat list, and the more I worked on it, the more it
seemed that this would make the document more confusing and more
overwhelming. It's already a massive doc, and presenting it without any
internal subdivision makes it a huge wall of text and unreadable.
Instead, it's subdivided into categories of stuff that can go in a
RewriteCond test string.
Resolves 70093, although in a very different way from what was
requested.
Rich Bowen [Thu, 11 Jun 2026 20:10:17 +0000 (20:10 +0000)]
Refocus install.xml on source builds; style cleanup
- Rewrite summary to lead with "released as source code" framing
- Move RPM/DEB quick-install content to "Third-party packages" at end
- Simplify "Overview for the impatient" to source-build steps only
- Update PCRE requirement to PCRE2 (matching configure.in)
- Fix bare "Apache" → "httpd" throughout (per style guide)
- Remove all double-space-after-period instances
- Rewrite timekeeping paragraph (drop pun, modernize)
- Add <highlight language="sh"> to all shell example blocks
- Rename win_compiling.xml title: "Compiling Apache httpd for Microsoft Windows"
Rich Bowen [Thu, 11 Jun 2026 12:57:46 +0000 (12:57 +0000)]
mod_rewrite: Clarify Substitution description
The opening sentence of the Substitution section implied that Pattern
always matches when a rule fires, which is incorrect for negated rules.
Reword to be neutral about how the rule was triggered, and add a
cross-reference to "What is matched?" for context.
Joe Orton [Thu, 11 Jun 2026 11:38:41 +0000 (11:38 +0000)]
* modules/generators/mod_cgid.c (close_unix_socket): Return errno
on failure rather than -1.
(sock_write): Handle short writes.
(cgid_init): Fix off-by-one in socket path truncation.
Assisted-by: Claude Opus 4.6 <noreply@anthropic.com>
GitHub: resolves PR#669
Joe Orton [Thu, 11 Jun 2026 11:38:22 +0000 (11:38 +0000)]
* modules/generators/mod_cgid.c (get_req): Fix wrong sizeof in
allocation of core_request_config, which used sizeof(core_module).
(cgid_server): Fix stale rv passed to ap_log_error for passed fd
debug message.
(include_cmd): Fix double registration of cleanup_script which
could kill a garbage pid when get_cgi_pid failed. Check return
value of send_req. Change return type to apr_status_t to match
declaration in cgi_common.h
Assisted-by: Claude Opus 4.6 <noreply@anthropic.com>
GitHub: PR#669
Joe Orton [Thu, 11 Jun 2026 11:37:45 +0000 (11:37 +0000)]
* modules/generators/mod_cgid.c (cgid_req_t): Change env_count to
unsigned. Define ENV_COUNT_MAX.
(get_req): Add upper bounds for uri_len, args_len, and env_count.
Validate per-variable length in environment reading loop.
Move validation before use of loglevel.
Assisted-by: Claude Opus 4.6 <noreply@anthropic.com>
GitHub: PR#669
Submitted by: jorton
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1935172 13f79535-47bb-0310-9956-ffa450edef68
Joe Orton [Tue, 9 Jun 2026 16:39:56 +0000 (16:39 +0000)]
* test/modules/core: Add test case for CVE_2026-43951.
Assisted-by: Claude Opus 4.6 <noreply@anthropic.com>
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1935171 13f79535-47bb-0310-9956-ffa450edef68
Joe Orton [Tue, 9 Jun 2026 06:39:25 +0000 (06:39 +0000)]
* configure.in: Fix cross-compilation:
./configure fails finding .pc files, because it uses the build
architecture pkg-config. It should be using AC_PATH_TOOL (or better
PKG_PROG_PKG_CONFIG) rather than AC_PATH_PROG.
Joe Orton [Mon, 8 Jun 2026 13:13:49 +0000 (13:13 +0000)]
CI: Configure GitHub workflows to use concurrency cancel-in-progress for
pull requests
see recommended best practices at Apache
https://cwiki.apache.org/confluence/pages/viewpage.action?spaceKey=INFRA&title=GitHub+Actions+Recommended+Practices
Rich Bowen [Fri, 5 Jun 2026 19:55:22 +0000 (19:55 +0000)]
Update misc/relevant_standards to reflect current RFCs
Replace obsolete RFC references (2616, 2396, 4346, 2617) with their
modern successors. Add sections for TLS, proxying, WebSocket, CGI, and
WebDAV. Remove HTML section (httpd does not validate content markup).
Remove stale "not yet complete" notice and dead skrb.org errata link.
Jim Jagielski [Fri, 5 Jun 2026 19:07:15 +0000 (19:07 +0000)]
Perl test asserts the opposite of what the server does, and only "passes"
because LWP fabricates the header client-side. Clean this mess up. LWP
is weird.
Jim Jagielski [Fri, 5 Jun 2026 17:48:53 +0000 (17:48 +0000)]
test: port recent httpd-tests 2.4.68 changes to pytest_suite
Reflect the following t/ changes into test/pytest_suite:
* expr: file()/filesize() are restricted in 2.4.68+; gate the
expected results (None => parse error 500) and move file()
into the 2.3.13 block.
* mod_headers: support an optional expected-status field; add
malformed-regex -> 500 and 2.4.68 file()-in-htaccess -> 500.
* mod_dav: PUT to a .DAV state subdir is blocked (403) in
2.4.68+, else 201.
* mod_proxy_html: add multi-substitution buffer-realloc tests
(literal and regex) with ProxyHTMLBufSize 256.
Joe Orton [Fri, 5 Jun 2026 16:54:38 +0000 (16:54 +0000)]
* modules/proxy/mod_proxy_beacon.c (beacon_resolve, beacon_parse_url,
beacon_verify): Use ap_strstr_c and ap_strchr_c for const-correct
string searches, fixing -Werror=discarded-qualifiers errors.
Assisted-by: Claude Opus 4.6 <noreply@anthropic.com>
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1935040 13f79535-47bb-0310-9956-ffa450edef68
Joe Orton [Thu, 4 Jun 2026 15:48:00 +0000 (15:48 +0000)]
* modules/proxy/mod_proxy_ftp.c (proxy_ftp_dir_filter): Use
ap_os_escape_path() with ap_escape_html() instead of
ap_escape_uri() for href attributes in generated directory
listing links.
Rich Bowen [Thu, 4 Jun 2026 15:22:55 +0000 (15:22 +0000)]
docs: Rewrite AllowOverride Options= warning
The existing note about implicit disabling of Options was difficult
to parse. Rewrite as a type="warning" note with:
- Clear statement that the restriction controls enabling, not disabling
- Explanation of absolute vs relative (+/-) Options syntax
- Concrete example showing how inherited options get implicitly disabled
Joe Orton [Thu, 4 Jun 2026 09:03:50 +0000 (09:03 +0000)]
mod_proxy_html: Simplify to use the ap_varbuf API.
* modules/filters/mod_proxy_html.c: Include util_varbuf.h.
(saxctxt): Replace buf/offset/avail members with struct ap_varbuf vb.
(DEFAULT_BUFSZ): New macro.
(normalise): Take struct ap_varbuf * parameter instead of char *.
(preserve, pappend): Remove functions, replaced by ap_varbuf_grow
and ap_varbuf_strmemcat respectively.
(dump_content): Use ap_varbuf for regex substitutions via
ap_varbuf_regsub, avoiding manual buffer resizing with
preserve/memmove/memcpy. Use a temporary ap_varbuf for building
regex replacement results.
(pcharacters, pcomment): Use ap_varbuf_strmemcat and ap_varbuf_strcat
in place of pappend.
(pendElement): Check vb.strlen instead of offset.
(pstartElement): Use ap_varbuf for attribute URL rewriting with the
same ap_varbuf_regsub approach. Use a temporary ap_varbuf for
regex replacements.
(proxy_html_filter): Initialize the ap_varbuf with a clamped bufsz.
(proxy_html_merge): Use DEFAULT_BUFSZ macro.
Assisted-by: Claude Opus 4.6 (claude-opus-4-6)
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1934975 13f79535-47bb-0310-9956-ffa450edef68