Joe Orton [Tue, 14 Jul 2026 09:25:34 +0000 (09:25 +0000)]
* test/pyhttpd/log.py (HttpdErrorLog): Add regex patterns to detect
crash and sanitizer error messages in error log, and treat matching
lines as errors during log checking.
Assisted-by: Claude Opus 4.6 <noreply@anthropic.com>
GitHub: closes #684
Joe Orton [Mon, 6 Jul 2026 12:51:39 +0000 (12:51 +0000)]
* modules/aaa/mod_auth_digest.c: Use apr_uint32_t for the
one-time-nonce counter.
(gen_nonce): Drop the fallback case for non-shmem builds
where otn_counter could be NULL previously. Use atomics
to increment the counter.
Joe Orton [Mon, 6 Jul 2026 12:51:01 +0000 (12:51 +0000)]
* modules/aaa/mod_auth_digest.c (set_algorithm): Note that
conf->algorithm is a constant ("MD5") so there is no point
in overriding it at runtime. Simplify error case.
Joe Orton [Mon, 6 Jul 2026 12:50:48 +0000 (12:50 +0000)]
* modules/aaa/mod_auth_digest.c: Remove "weird" override of AuthName
directive, which adds complexity for little benefit (avoids putting
20 bytes through SHA1 for each auth attempt).
(set_realm): Remove function.
(gen_nonce_hash): Create the nonce hash here from scratch.
(create_digest_dir_config): Always allocate a config struct.
Remove unused dir_name field from digest_config_rec.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
GitHub: PR #661
Joe Orton [Mon, 6 Jul 2026 12:50:18 +0000 (12:50 +0000)]
mod_auth_digest: Drop RFC 2069 and configurable qop support.
(RFC 2617, which replaced 2069, is now 26 years old)
* modules/aaa/mod_auth_digest.c (digest_config_rec): Remove qop_list
field.
(create_digest_dir_config): Remove qop_list initialization.
(set_qop): Deprecate AuthDigestQop, only "auth" is supported.
(note_digest_auth_failure): Always send qop="auth".
(check_nc): Remove handling for qop=none.
(old_digest): Remove function.
(authenticate_digest_user): Reject requests with missing or
non-"auth" qop value rather than falling back to RFC 2069.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
GitHub: PR #661
Joe Orton [Mon, 6 Jul 2026 12:01:57 +0000 (12:01 +0000)]
mod_dav: Refactor Lock-Token parsing into dav_parse_locktoken()
helper in util.c, replacing duplicated inline parsing in
mod_dav.c and ms_wdv.c.
* modules/dav/main/util.c (dav_parse_locktoken): New function.
* modules/dav/main/mod_dav.h (dav_parse_locktoken): Declare it.
* modules/dav/main/mod_dav.c (dav_method_unlock): Use
dav_parse_locktoken() instead of inline bracket parsing.
* modules/dav/main/ms_wdv.c (dav_process_ms_wdv_lock): Likewise.
(dav_process_ms_wdv_if_header): Add length check before indexing
the If header value to avoid reading past an empty string.
Joe Orton [Mon, 6 Jul 2026 11:51:31 +0000 (11:51 +0000)]
* modules/proxy/balancers/mod_lbmethod_heartbeat.c (hb_parse_int):
New helper replacing atoi() with safe integer parsing via
apr_strtoi64, with range validation.
(readfile_heartbeats): Use hb_parse_int for busy, ready,
lastseen, and port fields.
(find_best_hb): Add overflow-safe saturation arithmetic for
openslots accumulation and the pick loop upper bound.
Ivan Zhakov [Mon, 29 Jun 2026 10:10:40 +0000 (10:10 +0000)]
Cast cmd_parms.info to correct type (apr_size_t).
APR_OFFSETOF() returns apr_size_t and functions
like ap_set_string_slot() stores it in cmd_parms.info.
* modules/filters/mod_sed.c
(sed_add_expr):
* modules/http/mod_mime.c
(attrib_info): Use apr_size_t instead of int for offset
field.
(add_extension_info, remove_extension_info): Cast
cmd_parms.info to apr_size instead of int.
* server/config.c
(ap_set_string_slot, ap_set_int_slot, ap_set_string_slot_lower,
ap_set_flag_slot, ap_set_flag_slot_char, ap_set_file_slot):
Cast cmd_parms.info to apr_size instead of int.
* server/core.c
(set_server_string_slot): Cast cmd_parms.info to apr_size instead
of int.
Joe Orton [Tue, 23 Jun 2026 08:44:27 +0000 (08:44 +0000)]
Fix pre-1.1.0 compat macros for X509_get0_notBefore/notAfter/serialNumber
The compat macros added in 83d565f for pre-1.1.0 OpenSSL used incorrect
names (X509_get0_before/X509_get0_after) which don't match the actual
API names used in the code (X509_get0_notBefore/X509_get0_notAfter).
This caused link failures when building against OpenSSL 1.0.2.
Also add missing X509_get0_serialNumber compat macro which was used in
ssl_engine_log.c but never shimmed for pre-1.1.0.
Rich Bowen [Mon, 22 Jun 2026 17:21:58 +0000 (17:21 +0000)]
docs: Rewrite log rotation section in logs.xml
- Replace hand-rolled mv/graceful/sleep/gzip recipe with modern
practices: rotatelogs (recommended) and system logrotate
- Add examples for time-based, size-based, and strftime-pattern rotation
- Rewrite piped logs section: tighten prose, remove redundant
rotatelogs example, wrap highlight blocks in <example> tags
- Remove "In order to", "simply", bare "Apache" references
Rich Bowen [Fri, 19 Jun 2026 14:26:22 +0000 (14:26 +0000)]
docs: howto/ssi.xml complete rewrite for style and tone
- Full rewrite for style guide compliance and tone normalization
- Remove all first-person ("I'll talk about...")
- Remove TeX-style ``quoting'' throughout
- Remove dated references (hit counters, guestbooks, Win32)
- Reposition as "a practical, lightweight technique"
- Remove duplicated content between summary, body, and conclusion
- Fix bare "Apache" → "httpd"
- Update example date to 2026
- Add <example> wrappers around all <highlight> blocks
Rich Bowen [Fri, 19 Jun 2026 14:22:34 +0000 (14:22 +0000)]
docs: howto/htaccess.xml editorial cleanup
- Update example log dates to 2026
- Change error log highlight blocks from language="config" to "sh"
- Remove filler phrases: "in order to", "a lot of", "it is important
to remember that", "simply"
- Convert inline "Note that..." prose to <note> blocks
Rich Bowen [Fri, 19 Jun 2026 12:23:41 +0000 (12:23 +0000)]
docs: howto/cgi.xml tone normalization and mod_cgi/mod_cgid explanation
- Add paragraph explaining why two CGI modules exist: mod_cgid for
threaded MPMs (event, worker), mod_cgi for non-threaded (prefork)
and Windows; note they are configuration-compatible
- Link to both module reference pages for implementation details
- Clean up LoadModule note block (remove duplicate "A correctly
configured directive may look like this")
- Remove "Of course" asides and "In order to" constructions
- "There are two main differences" → direct statement
- Move bug-database advisory into <note> block
- Convert remaining Perl references to Python
Rich Bowen [Fri, 19 Jun 2026 12:16:23 +0000 (12:16 +0000)]
docs: howto/auth.xml tone normalization and deduplication
- Replace host-based access control section (Require ip/host examples)
with brief explanation and cross-reference to access.html howto
- Remove dated "HTTPD 2.3/2.4 introduces" from socache section
- Grammar and spelling fixes throughout
Rich Bowen [Thu, 18 Jun 2026 12:13:12 +0000 (12:13 +0000)]
docs: Editorial pass on howto/http2.xml
- Grammar and spelling fixes throughout (fixes bz#70115)
- Wrap overlong lines to match document style
- Replace dead browser extension links with current equivalents
- Update caniuse link to https
- Simplify browser support list (all modern browsers support HTTP/2)
- Note Server Push deprecation per RFC 9113; point to Early Hints
- Note Accept-Push-Policy draft expired and was never adopted
Rich Bowen [Wed, 17 Jun 2026 20:56:52 +0000 (20:56 +0000)]
docs: Modernize howto/http2.xml
- Update all RFC references from 7540 to 9113 (which obsoletes it)
- Remove duplicated RFC link in protocol overview
- Add Server Push deprecation note (deprecated in RFC 9113 §8.4,
removed by Chrome 106+/Edge 106+; recommend 103 Early Hints)
- Update Homebrew note: remove obsolete --with-openssl/--with-nghttp2
flags (Homebrew removed formula options in 2019; curl includes
HTTP/2 support by default now)
- Fix typos: "consistent releases" → "consistent across releases",
"as RFC do" → "as RFCs do", "they are" → "there are",
"at at time" → "at a time", "avoiding to re-instantiate" →
"avoiding the need to re-instantiate", "head of blocking" →
"head-of-line blocking"
Rainer Jung [Tue, 16 Jun 2026 19:28:00 +0000 (19:28 +0000)]
mod_md: New directive: MDHttpProxyCACertificateFile
Sets the CA certificates to use for connections to the HTTPS proxy that has
been configured with MDHttpProxy.
Rich Bowen [Tue, 16 Jun 2026 18:35:00 +0000 (18:35 +0000)]
docs: Clarify who dispatches I/O events in motorz PollersPerChild (bz 70105)
The existing wording used "a single child can...dispatch I/O events"
which was ambiguous when the preceding paragraph already said pollers
do the dispatching. Reword to make the subject explicit: each poller
thread independently accepts and dispatches to the worker pool, so
adding pollers parallelizes those operations within a child process.
Rich Bowen [Tue, 16 Jun 2026 18:16:02 +0000 (18:16 +0000)]
docs: Add module processing order diagram to rewrite/tech.xml
Side-by-side comparison showing the order reversal between server and
per-directory context: mod_rewrite runs before mod_alias in server
context (both in URL-to-filename phase), but mod_alias runs first in
per-directory context because mod_rewrite moves to the later Fixup
phase. Color-coded boxes make the reversal immediately visible.
Rich Bowen [Tue, 16 Jun 2026 17:33:09 +0000 (17:33 +0000)]
docs: Improve alt text on existing rewrite diagrams for accessibility
Replace vague or duplicated alt attributes with descriptive text that
conveys the content of each diagram to screen reader users:
- rewrite_process_uri.png: describes per-rule control flow
- rewrite_backreferences.png: describes \$1-\$9 and %1-%9 flow
- syntax_rewriterule.png: describes three-component syntax
- syntax_rewritecond.png: describes TestString and CondPattern components
Rich Bowen [Tue, 16 Jun 2026 17:32:20 +0000 (17:32 +0000)]
docs: Add simplified mod_rewrite overview diagram to rewrite/intro.xml
New flowchart at the end of the Introduction section showing the basic
request processing loop: RewriteEngine check, iterate rules, pattern
match, RewriteCond evaluation, substitution, and L/END flag termination.
Explicitly labeled as a simplified overview with a link to tech.xml for
the full processing model. Supplements existing prose for visual
learners without replacing accessible text content.
Rich Bowen [Tue, 16 Jun 2026 17:14:54 +0000 (17:14 +0000)]
docs: Add flag quick-reference table to rewrite/flags.xml
Categorized table at the top of the flags page grouping flags by
purpose (flow control, redirection/proxying, access control, URL/query
string, metadata/handlers, cookie) with brief effect descriptions and
common combo examples showing how flags are stacked in practice.
Rich Bowen [Tue, 16 Jun 2026 16:34:15 +0000 (16:34 +0000)]
docs: Add path stripping and RewriteBase flowchart to rewrite/htaccess.xml
New diagram showing the per-directory URL transformation pipeline:
incoming URL-path → strip directory prefix → pattern match → substitution
→ three-way branch depending on result type (relative path gets
RewriteBase prepended then subrequest; absolute path goes directly to
subrequest; absolute URI triggers external redirect with no subrequest).
Rich Bowen [Tue, 16 Jun 2026 15:23:56 +0000 (15:23 +0000)]
docs: Add SVG diagram style guide and PNG generation instructions
New README.md in docs/manual/images/ documents the font, color, and
layout conventions used for flowchart SVGs, includes the full SVG
boilerplate template, and provides rsvg-convert install/usage
instructions for macOS (brew), Fedora/RHEL (dnf), and Debian/Ubuntu
(apt-get).
Rich Bowen [Tue, 16 Jun 2026 15:09:59 +0000 (15:09 +0000)]
docs: Add [L] flag looping flowchart to rewrite/htaccess.xml
New diagram illustrating how [L] in per-directory context triggers an
internal subrequest that re-enters the ruleset, potentially causing
infinite loops. Shows the [END] flag exit path, the condition-guard
exit path, and the unguarded loop that results in a 500 error.
SVG source and PNG placed in docs/manual/images/. Image referenced
from the "The [L] flag and looping" section of htaccess.xml using the
same figure markup pattern as existing tech.xml diagrams.
Rich Bowen [Tue, 16 Jun 2026 14:41:09 +0000 (14:41 +0000)]
docs: Clarify CGI meta-variables terminology in env.xml (bz 70095)
The introductory paragraph incorrectly implied that HTTP defines
environment variables. Reword to accurately describe the relationship:
RFC 3875 defines meta-variables (many derived from HTTP headers), and
httpd exposes them as environment variables.
Rich Bowen [Mon, 15 Jun 2026 19:14:34 +0000 (19:14 +0000)]
Sync trunk mod_rewrite doc with enhancements to 2.4
At some point, I made an update to the 2.4 doc and didn't make it in
trunk. This improves the "what gets matched" and "per-directory" bits of
the RewriteRule doc.