Rich Bowen [Thu, 18 Jun 2026 12:13:12 +0000 (12:13 +0000)]
docs: Editorial pass on howto/http2.xml
- Grammar and spelling fixes throughout (fixes bz#70115)
- Wrap overlong lines to match document style
- Replace dead browser extension links with current equivalents
- Update caniuse link to https
- Simplify browser support list (all modern browsers support HTTP/2)
- Note Server Push deprecation per RFC 9113; point to Early Hints
- Note Accept-Push-Policy draft expired and was never adopted
Rich Bowen [Wed, 17 Jun 2026 20:56:52 +0000 (20:56 +0000)]
docs: Modernize howto/http2.xml
- Update all RFC references from 7540 to 9113 (which obsoletes it)
- Remove duplicated RFC link in protocol overview
- Add Server Push deprecation note (deprecated in RFC 9113 §8.4,
removed by Chrome 106+/Edge 106+; recommend 103 Early Hints)
- Update Homebrew note: remove obsolete --with-openssl/--with-nghttp2
flags (Homebrew removed formula options in 2019; curl includes
HTTP/2 support by default now)
- Fix typos: "consistent releases" → "consistent across releases",
"as RFC do" → "as RFCs do", "they are" → "there are",
"at at time" → "at a time", "avoiding to re-instantiate" →
"avoiding the need to re-instantiate", "head of blocking" →
"head-of-line blocking"
Rainer Jung [Tue, 16 Jun 2026 19:28:00 +0000 (19:28 +0000)]
mod_md: New directive: MDHttpProxyCACertificateFile
Sets the CA certificates to use for connections to the HTTPS proxy that has
been configured with MDHttpProxy.
Rich Bowen [Tue, 16 Jun 2026 18:35:00 +0000 (18:35 +0000)]
docs: Clarify who dispatches I/O events in motorz PollersPerChild (bz 70105)
The existing wording used "a single child can...dispatch I/O events"
which was ambiguous when the preceding paragraph already said pollers
do the dispatching. Reword to make the subject explicit: each poller
thread independently accepts and dispatches to the worker pool, so
adding pollers parallelizes those operations within a child process.
Rich Bowen [Tue, 16 Jun 2026 18:16:02 +0000 (18:16 +0000)]
docs: Add module processing order diagram to rewrite/tech.xml
Side-by-side comparison showing the order reversal between server and
per-directory context: mod_rewrite runs before mod_alias in server
context (both in URL-to-filename phase), but mod_alias runs first in
per-directory context because mod_rewrite moves to the later Fixup
phase. Color-coded boxes make the reversal immediately visible.
Rich Bowen [Tue, 16 Jun 2026 17:33:09 +0000 (17:33 +0000)]
docs: Improve alt text on existing rewrite diagrams for accessibility
Replace vague or duplicated alt attributes with descriptive text that
conveys the content of each diagram to screen reader users:
- rewrite_process_uri.png: describes per-rule control flow
- rewrite_backreferences.png: describes \$1-\$9 and %1-%9 flow
- syntax_rewriterule.png: describes three-component syntax
- syntax_rewritecond.png: describes TestString and CondPattern components
Rich Bowen [Tue, 16 Jun 2026 17:32:20 +0000 (17:32 +0000)]
docs: Add simplified mod_rewrite overview diagram to rewrite/intro.xml
New flowchart at the end of the Introduction section showing the basic
request processing loop: RewriteEngine check, iterate rules, pattern
match, RewriteCond evaluation, substitution, and L/END flag termination.
Explicitly labeled as a simplified overview with a link to tech.xml for
the full processing model. Supplements existing prose for visual
learners without replacing accessible text content.
Rich Bowen [Tue, 16 Jun 2026 17:14:54 +0000 (17:14 +0000)]
docs: Add flag quick-reference table to rewrite/flags.xml
Categorized table at the top of the flags page grouping flags by
purpose (flow control, redirection/proxying, access control, URL/query
string, metadata/handlers, cookie) with brief effect descriptions and
common combo examples showing how flags are stacked in practice.
Rich Bowen [Tue, 16 Jun 2026 16:34:15 +0000 (16:34 +0000)]
docs: Add path stripping and RewriteBase flowchart to rewrite/htaccess.xml
New diagram showing the per-directory URL transformation pipeline:
incoming URL-path → strip directory prefix → pattern match → substitution
→ three-way branch depending on result type (relative path gets
RewriteBase prepended then subrequest; absolute path goes directly to
subrequest; absolute URI triggers external redirect with no subrequest).
Rich Bowen [Tue, 16 Jun 2026 15:23:56 +0000 (15:23 +0000)]
docs: Add SVG diagram style guide and PNG generation instructions
New README.md in docs/manual/images/ documents the font, color, and
layout conventions used for flowchart SVGs, includes the full SVG
boilerplate template, and provides rsvg-convert install/usage
instructions for macOS (brew), Fedora/RHEL (dnf), and Debian/Ubuntu
(apt-get).
Rich Bowen [Tue, 16 Jun 2026 15:09:59 +0000 (15:09 +0000)]
docs: Add [L] flag looping flowchart to rewrite/htaccess.xml
New diagram illustrating how [L] in per-directory context triggers an
internal subrequest that re-enters the ruleset, potentially causing
infinite loops. Shows the [END] flag exit path, the condition-guard
exit path, and the unguarded loop that results in a 500 error.
SVG source and PNG placed in docs/manual/images/. Image referenced
from the "The [L] flag and looping" section of htaccess.xml using the
same figure markup pattern as existing tech.xml diagrams.
Rich Bowen [Tue, 16 Jun 2026 14:41:09 +0000 (14:41 +0000)]
docs: Clarify CGI meta-variables terminology in env.xml (bz 70095)
The introductory paragraph incorrectly implied that HTTP defines
environment variables. Reword to accurately describe the relationship:
RFC 3875 defines meta-variables (many derived from HTTP headers), and
httpd exposes them as environment variables.
Rich Bowen [Mon, 15 Jun 2026 19:14:34 +0000 (19:14 +0000)]
Sync trunk mod_rewrite doc with enhancements to 2.4
At some point, I made an update to the 2.4 doc and didn't make it in
trunk. This improves the "what gets matched" and "per-directory" bits of
the RewriteRule doc.
Rich Bowen [Mon, 15 Jun 2026 18:27:50 +0000 (18:27 +0000)]
Reorg of TestString section of RewriteCond doc
bz#70093 recommended merging all of the RewriteCond test string stuff
into one massive flat list, and the more I worked on it, the more it
seemed that this would make the document more confusing and more
overwhelming. It's already a massive doc, and presenting it without any
internal subdivision makes it a huge wall of text and unreadable.
Instead, it's subdivided into categories of stuff that can go in a
RewriteCond test string.
Resolves 70093, although in a very different way from what was
requested.
Rich Bowen [Thu, 11 Jun 2026 20:10:17 +0000 (20:10 +0000)]
Refocus install.xml on source builds; style cleanup
- Rewrite summary to lead with "released as source code" framing
- Move RPM/DEB quick-install content to "Third-party packages" at end
- Simplify "Overview for the impatient" to source-build steps only
- Update PCRE requirement to PCRE2 (matching configure.in)
- Fix bare "Apache" → "httpd" throughout (per style guide)
- Remove all double-space-after-period instances
- Rewrite timekeeping paragraph (drop pun, modernize)
- Add <highlight language="sh"> to all shell example blocks
- Rename win_compiling.xml title: "Compiling Apache httpd for Microsoft Windows"
Rich Bowen [Thu, 11 Jun 2026 12:57:46 +0000 (12:57 +0000)]
mod_rewrite: Clarify Substitution description
The opening sentence of the Substitution section implied that Pattern
always matches when a rule fires, which is incorrect for negated rules.
Reword to be neutral about how the rule was triggered, and add a
cross-reference to "What is matched?" for context.
Joe Orton [Thu, 11 Jun 2026 11:38:41 +0000 (11:38 +0000)]
* modules/generators/mod_cgid.c (close_unix_socket): Return errno
on failure rather than -1.
(sock_write): Handle short writes.
(cgid_init): Fix off-by-one in socket path truncation.
Assisted-by: Claude Opus 4.6 <noreply@anthropic.com>
GitHub: resolves PR#669
Joe Orton [Thu, 11 Jun 2026 11:38:22 +0000 (11:38 +0000)]
* modules/generators/mod_cgid.c (get_req): Fix wrong sizeof in
allocation of core_request_config, which used sizeof(core_module).
(cgid_server): Fix stale rv passed to ap_log_error for passed fd
debug message.
(include_cmd): Fix double registration of cleanup_script which
could kill a garbage pid when get_cgi_pid failed. Check return
value of send_req. Change return type to apr_status_t to match
declaration in cgi_common.h
Assisted-by: Claude Opus 4.6 <noreply@anthropic.com>
GitHub: PR#669
Joe Orton [Thu, 11 Jun 2026 11:37:45 +0000 (11:37 +0000)]
* modules/generators/mod_cgid.c (cgid_req_t): Change env_count to
unsigned. Define ENV_COUNT_MAX.
(get_req): Add upper bounds for uri_len, args_len, and env_count.
Validate per-variable length in environment reading loop.
Move validation before use of loglevel.
Assisted-by: Claude Opus 4.6 <noreply@anthropic.com>
GitHub: PR#669
Submitted by: jorton Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1935172 13f79535-47bb-0310-9956-ffa450edef68
Joe Orton [Tue, 9 Jun 2026 16:39:56 +0000 (16:39 +0000)]
* test/modules/core: Add test case for CVE_2026-43951.
Assisted-by: Claude Opus 4.6 <noreply@anthropic.com>
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1935171 13f79535-47bb-0310-9956-ffa450edef68
Joe Orton [Tue, 9 Jun 2026 06:39:25 +0000 (06:39 +0000)]
* configure.in: Fix cross-compilation:
./configure fails finding .pc files, because it uses the build
architecture pkg-config. It should be using AC_PATH_TOOL (or better
PKG_PROG_PKG_CONFIG) rather than AC_PATH_PROG.
Joe Orton [Mon, 8 Jun 2026 13:13:49 +0000 (13:13 +0000)]
CI: Configure GitHub workflows to use concurrency cancel-in-progress for
pull requests
see recommended best practices at Apache
https://cwiki.apache.org/confluence/pages/viewpage.action?spaceKey=INFRA&title=GitHub+Actions+Recommended+Practices
Rich Bowen [Fri, 5 Jun 2026 19:55:22 +0000 (19:55 +0000)]
Update misc/relevant_standards to reflect current RFCs
Replace obsolete RFC references (2616, 2396, 4346, 2617) with their
modern successors. Add sections for TLS, proxying, WebSocket, CGI, and
WebDAV. Remove HTML section (httpd does not validate content markup).
Remove stale "not yet complete" notice and dead skrb.org errata link.
Jim Jagielski [Fri, 5 Jun 2026 19:07:15 +0000 (19:07 +0000)]
Perl test asserts the opposite of what the server does, and only "passes"
because LWP fabricates the header client-side. Clean this mess up. LWP
is weird.
Jim Jagielski [Fri, 5 Jun 2026 17:48:53 +0000 (17:48 +0000)]
test: port recent httpd-tests 2.4.68 changes to pytest_suite
Reflect the following t/ changes into test/pytest_suite:
* expr: file()/filesize() are restricted in 2.4.68+; gate the
expected results (None => parse error 500) and move file()
into the 2.3.13 block.
* mod_headers: support an optional expected-status field; add
malformed-regex -> 500 and 2.4.68 file()-in-htaccess -> 500.
* mod_dav: PUT to a .DAV state subdir is blocked (403) in
2.4.68+, else 201.
* mod_proxy_html: add multi-substitution buffer-realloc tests
(literal and regex) with ProxyHTMLBufSize 256.
Joe Orton [Fri, 5 Jun 2026 16:54:38 +0000 (16:54 +0000)]
* modules/proxy/mod_proxy_beacon.c (beacon_resolve, beacon_parse_url,
beacon_verify): Use ap_strstr_c and ap_strchr_c for const-correct
string searches, fixing -Werror=discarded-qualifiers errors.
Assisted-by: Claude Opus 4.6 <noreply@anthropic.com>
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1935040 13f79535-47bb-0310-9956-ffa450edef68
Joe Orton [Thu, 4 Jun 2026 15:48:00 +0000 (15:48 +0000)]
* modules/proxy/mod_proxy_ftp.c (proxy_ftp_dir_filter): Use
ap_os_escape_path() with ap_escape_html() instead of
ap_escape_uri() for href attributes in generated directory
listing links.
Rich Bowen [Thu, 4 Jun 2026 15:22:55 +0000 (15:22 +0000)]
docs: Rewrite AllowOverride Options= warning
The existing note about implicit disabling of Options was difficult
to parse. Rewrite as a type="warning" note with:
- Clear statement that the restriction controls enabling, not disabling
- Explanation of absolute vs relative (+/-) Options syntax
- Concrete example showing how inherited options get implicitly disabled
Joe Orton [Thu, 4 Jun 2026 09:03:50 +0000 (09:03 +0000)]
mod_proxy_html: Simplify to use the ap_varbuf API.
* modules/filters/mod_proxy_html.c: Include util_varbuf.h.
(saxctxt): Replace buf/offset/avail members with struct ap_varbuf vb.
(DEFAULT_BUFSZ): New macro.
(normalise): Take struct ap_varbuf * parameter instead of char *.
(preserve, pappend): Remove functions, replaced by ap_varbuf_grow
and ap_varbuf_strmemcat respectively.
(dump_content): Use ap_varbuf for regex substitutions via
ap_varbuf_regsub, avoiding manual buffer resizing with
preserve/memmove/memcpy. Use a temporary ap_varbuf for building
regex replacement results.
(pcharacters, pcomment): Use ap_varbuf_strmemcat and ap_varbuf_strcat
in place of pappend.
(pendElement): Check vb.strlen instead of offset.
(pstartElement): Use ap_varbuf for attribute URL rewriting with the
same ap_varbuf_regsub approach. Use a temporary ap_varbuf for
regex replacements.
(proxy_html_filter): Initialize the ap_varbuf with a clamped bufsz.
(proxy_html_merge): Use DEFAULT_BUFSZ macro.
Assisted-by: Claude Opus 4.6 (claude-opus-4-6)
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1934975 13f79535-47bb-0310-9956-ffa450edef68
Jim Jagielski [Wed, 3 Jun 2026 23:23:47 +0000 (23:23 +0000)]
pytest_suite: port Perl todo/xfail gaps found when testing against 2.4.x
Three test files had behaviour differences between the Python port and
the original Perl framework tests when run against a 2.4.x build
(tested with Apache/2.4.68-dev at /opt/local2/apache2).
test_pr64339.py -- LWP vs httpx default charset for raw bodies
For /doc.notxml the proxy returns Content-Type: application/notreallyxml
with no charset and a Latin-1 body. LWP defaults to ISO-8859-1 for
charset-less responses; httpx defaults to UTF-8, decoding 0xF3 as a
replacement character and failing the body match. Add _lwp_text() to
mirror LWP: use the Content-Type charset when present, else Latin-1.
test_session.py -- port Perl @todo for PR 58171 and PR 56052
session.t marks subtests 53/54 (Session writable after decode failure,
PR 58171) and 88/89 (Session writable after expired, PR 56052) as
unconditional @todo. The Python port dropped this bookkeeping. On
2.4.x, ap_session_load() sets zz=NULL on a decode failure and allocates
a fresh session the memoising provider never sees, so nothing is saved;
trunk uses memset-in-place to preserve the provider pointer. Add a
_check(..., todo=True) helper that downgrades failures to warnings,
matching Perl's todo semantics for both subtests.
test_proxy_html.py -- xfail two metafix cases that fail on 2.4.x
other header with Content-Type present: mod_proxy_html metafix emits
no http-equiv headers for meta_contenttype.html because the leading
charset Content-Type meta is consumed by the xml2enc path on 2.4.x.
empty content value: metafix locates the content value via a
case-insensitive search for 'content'; the header name X-Empty-Content
itself matches first, so no value is extracted. Gate both via
pytest.xfail when the server is < 2.5.0, leaving assertions active on
trunk.
Jim Jagielski [Wed, 3 Jun 2026 22:32:17 +0000 (22:32 +0000)]
test/pyhttpd: move pyproject.toml and uv.lock under pyhttpd/
The pyproject.toml and uv.lock belong to the pyhttpd test suite, so move
them from test/ into test/pyhttpd/ where the package itself lives.
Update runtests-pyhttpd.sh to use 'uv sync --project pyhttpd/' and
reference the venv at pyhttpd/.venv/. Fix pyhttpd/env.py to look for
the venv at the same level (pyhttpd/.venv/) instead of the parent dir.