Rich Bowen [Fri, 5 Jun 2026 19:55:38 +0000 (19:55 +0000)]
Update misc/relevant_standards to reflect current RFCs
Replace obsolete RFC references (2616, 2396, 4346, 2617) with their
modern successors. Add sections for TLS, proxying, WebSocket, CGI, and
WebDAV. Remove HTML section (httpd does not validate content markup).
Remove stale "not yet complete" notice and dead skrb.org errata link.
Joe Orton [Thu, 4 Jun 2026 15:48:59 +0000 (15:48 +0000)]
Merge r1934981 from trunk:
* modules/proxy/mod_proxy_ftp.c (proxy_ftp_dir_filter): Use
ap_os_escape_path() with ap_escape_html() instead of
ap_escape_uri() for href attributes in generated directory
listing links.
Rich Bowen [Thu, 4 Jun 2026 15:23:59 +0000 (15:23 +0000)]
docs: Rewrite AllowOverride Options= warning
The existing note about implicit disabling of Options was difficult
to parse. Rewrite as a type="warning" note with:
- Clear statement that the restriction controls enabling, not disabling
- Explanation of absolute vs relative (+/-) Options syntax
- Concrete example showing how inherited options get implicitly disabled
Joe Orton [Thu, 4 Jun 2026 11:22:27 +0000 (11:22 +0000)]
Merge r1934975 from trunk:
mod_proxy_html: Simplify to use the ap_varbuf API.
* modules/filters/mod_proxy_html.c: Include util_varbuf.h.
(saxctxt): Replace buf/offset/avail members with struct ap_varbuf vb.
(DEFAULT_BUFSZ): New macro.
(normalise): Take struct ap_varbuf * parameter instead of char *.
(preserve, pappend): Remove functions, replaced by ap_varbuf_grow
and ap_varbuf_strmemcat respectively.
(dump_content): Use ap_varbuf for regex substitutions via
ap_varbuf_regsub, avoiding manual buffer resizing with
preserve/memmove/memcpy. Use a temporary ap_varbuf for building
regex replacement results.
(pcharacters, pcomment): Use ap_varbuf_strmemcat and ap_varbuf_strcat
in place of pappend.
(pendElement): Check vb.strlen instead of offset.
(pstartElement): Use ap_varbuf for attribute URL rewriting with the
same ap_varbuf_regsub approach. Use a temporary ap_varbuf for
regex replacements.
(proxy_html_filter): Initialize the ap_varbuf with a clamped bufsz.
(proxy_html_merge): Use DEFAULT_BUFSZ macro.
Assisted-by: Claude Opus 4.6 (claude-opus-4-6)
Reviewed by: covener, jfclere, jorton
Joe Orton [Thu, 4 Jun 2026 08:50:44 +0000 (08:50 +0000)]
Merge r1933586, r1916058, r1916068, r1933631, r1929891 from trunk:
Fix OpenSSL 4.0 compatibility and test that in CI.
CI: Update to test OpenSSL 4.0.0 explicitly.
CI: No longer disable deprecated-declaration warnings for OpenSSL 3.4 -Werror build.
* modules/ssl/ssl_engine_kernel.c (ssl_hook_UserCheck): Change name to
const X509_NAME *.
(ssl_callback_proxy_cert): Change ca_name, issuer, and ca_issuer to
const X509_NAME *.
* modules/ssl/ssl_engine_log.c (ssl_log_cert_error): Change cert
parameter to const X509 *. Use X509_get0_serialNumber,
X509_get0_notBefore, and X509_get0_notAfter instead of non-const
variants.
(ssl_log_xerror, ssl_log_cxerror, ssl_log_rxerror): Change cert
parameter to const X509 *.
* modules/ssl/ssl_engine_vars.c (ssl_var_lookup_ssl_cert_dn): Change
xsname parameter to const X509_NAME *.
(ssl_var_lookup_ssl_cert_dn_oneline): Change xsname parameter to
const X509_NAME *.
(ssl_var_lookup_ssl_cert): Change xsname to const X509_NAME *.
(ssl_var_lookup_ssl_cert_rfc4523_cea): Change issuer to const
X509_NAME *.
* modules/ssl/ssl_private.h (ssl_log_xerror, ssl_log_cxerror,
ssl_log_rxerror): Update declarations to use const X509 *.
* modules/ssl/ssl_util_ssl.c (modssl_X509_NAME_to_string): Change dn
parameter to const X509_NAME *.
(getIDs): Change subj to const X509_NAME *.
* modules/ssl/ssl_util_ssl.h (modssl_X509_NAME_to_string): Update
declaration to use const X509_NAME *.
* support/ab.c (ssl_print_cert_info): Change dn to const X509_NAME *.
mod_ssl: use ASN1_STRING accessor API in dump_extn_value:
* modules/ssl/ssl_engine_vars.c (dump_extn_value): Use
ASN1_STRING_get0_data() and ASN1_STRING_length() rather than
directly dereferencing the ASN1_OCTET_STRING structure, which is
opaque in OpenSSL 4.0.
* modules/ssl/ssl_private.h: Add compat macros for
ASN1_STRING_get0_data and ASN1_STRING_length for pre-1.1 API.
mod_ssl: constify ASN1_TIME pointers, use X509_get0_not{Before,After}:
* modules/ssl/ssl_engine_vars.c (ssl_var_lookup_ssl_cert_valid,
ssl_var_lookup_ssl_cert_remain): Constify ASN1_TIME * parameter.
(ssl_var_lookup_ssl_cert): Use X509_get0_notBefore() and
X509_get0_notAfter() which return const pointers.
(ssl_var_lookup_ssl_cert_remain): Use ASN1_TIME_check() directly
rather than INVALID_ASN1_TIME macro which dereferences the
ASN1_TIME structure.
(dump_extn_value): Constify ASN1_OCTET_STRING * parameter.
* modules/ssl/ssl_private.h: Add compat macros for
X509_get0_before and X509_get0_after for pre-1.1 API.
mod_ssl: constify X509_NAME_ENTRY and X509_EXTENSION pointers:
* modules/ssl/ssl_engine_vars.c (ssl_var_lookup_ssl_cert_dn,
extract_dn): Constify X509_NAME_ENTRY * variables, constify
X509_NAME * parameter of extract_dn, drop unnecessary casts
on X509_NAME_ENTRY_get_object() calls.
(ssl_ext_list): Use MODSSL_X509_EXT_CONST for X509_EXTENSION *
since X509_EXTENSION accessors are only constified in OpenSSL 4.
* modules/ssl/ssl_util_ssl.c, modules/ssl/ssl_util_ssl.h
(modssl_X509_NAME_ENTRY_to_string): Constify X509_NAME_ENTRY *
parameter.
* modules/ssl/ssl_private.h: Add MODSSL_X509_EXT_CONST, defined
as const for OpenSSL 4+ and empty otherwise.
* modules/ssl/ssl_util_ssl.c (asn1_string_convert): Constify
ASN1_STRING * argument.
* modules/ssl/ssl_engine_ocsp.c (extract_responder_uri): Use
modssl_ASN1_STRING_convert instead of directly accessing ASN1_STRING
data pointer.
* modules/ssl/ssl_util_ssl.c (modssl_ASN1_STRING_convert): Rename from
asn1_string_convert and export function.
(asn1_string_to_utf8): Update to use modssl_ASN1_STRING_convert.
(modssl_X509_NAME_ENTRY_to_string): Update to use
modssl_ASN1_STRING_convert.
* modules/ssl/ssl_util_ssl.h (modssl_ASN1_STRING_convert): Declare new
function.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
CI: Add OpenSSL 3.1 builds, including a no-engine build.
(attempt to use 3.2 failed, unsure why)
- add OpenSSL build binaries to $PATH
CI: add OpenSSL 3.2, test OpenSSL 3.x using Apache::Test
trunk to pick up r1916067.
CI: The OpenSSL no-engine config option is redundant as of 4.0, remove.
CI: Try to fix ab failures during OpenSSL ech job, set RPATH via LDFLAGS
CI: For OpenSSL branch builds, always build a fresh version of the
OpenSSL branch and cache the commit hash to allow checking for freshness.
Also clone with --depth=1 to save time+bandwidth.
Joe Orton [Wed, 3 Jun 2026 16:47:03 +0000 (16:47 +0000)]
Merge r1933910, r1934871, r1934917, r1934873 from trunk: [CTR for non-Unix build + CI changes]
CMake: update min version required
GitHub: closes #640
Submitted by: Jeff McKenna <jmckenna gatewaygeomatics.com>
Fix Windows GHA build.
* .github/workflows/windows.yml
(): Use Enter-VsDevShell to find VS installation and save
environment variables to GITHUB_ENV.
CI: Update used actions to use newer Node.js than 20
CI: Update upload-artifact action, drop unnecessary Ubuntu 22.04 fix
CI: Drop 'shell: cmd', use PowerShell for the Windows workflow
CI: Print used CMake version for Windows workflow
Submitted by: Vladimír Chlup <vchlup ibm.com>
Github: closes #660
Eric Covener [Tue, 2 Jun 2026 17:14:41 +0000 (17:14 +0000)]
Merge r1934210 from trunk:
mod_ssl: Set auth type to "ClientCert" after authentication
When client certificate authentication has been performed r->ap_auth_type was
never populated and env AUTH_TYPE was empty.
We now set auth type to "ClientCert".
Eric Covener [Tue, 2 Jun 2026 17:13:55 +0000 (17:13 +0000)]
Merge r1933908 from trunk:
mod_ssl: Expose serialNumber (2.5.4.5) as standard env var from certificate DN
serialNumber (2.5.4.5) is a standard LDAP attribute embedded in the subject's
and/or issuer's DN, extract it by standard means from the DN and expose
via StdEnvVars.
PR: 35154
Co-authored-by: Michael Osipov <michaelo@apache.org>
Submitted by: Benjamin Demarteau <benjamin.demarteau@liege.be>
Reviewed By: michaelo, jorton, rpluem
Github: closes #644
Eric Covener [Tue, 2 Jun 2026 13:20:28 +0000 (13:20 +0000)]
Merge r1931949, r1934628, r1934678, r1934743 from trunk:
*) mod_http2: update to version 2.0.39
Remove streams own memory allocator after reports of memory problems
with third party modules.
*) mod_http2: update to version 2.0.40
Fix error handling on upload requests when server runs out of file
handles that left beam bucket callbacks in place, potentially using
no longer valid references. Only applies on platforms with pipes
and file descriptor limits not healthy for a network server.
*) mod_http2: update to version 2.0.41
Fix cookie header accounting against LimitRequestFields.
*) mod_http2: update to version 2.0.42
Fix excessive file description use for non-TLS frontend connections when
sending files. Fixes <https://github.com/icing/mod_h2/issues/325>
Submitted By: icing
Reviewed By: various (icing, steffenal, covener, jim)
Rich Bowen [Tue, 2 Jun 2026 12:56:53 +0000 (12:56 +0000)]
Fix RedirectMatch regex in ACME exemption recipe (bug 70084)
The negative lookahead (?!...) is zero-width and non-capturing, so
the original pattern matched only the leading slash and $1 was
undefined. Add a capturing group (.*)$ after the lookahead so that
$1 contains the remainder of the URL-path.
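
The lookahead behaviour described in the commit message above, as an added example that is not part of the commit or of the httpd documentation. Python's `re` stands in for the PCRE engine httpd uses; the two patterns, the ACME challenge prefix and the redirect target are assumptions, since the recipe's exact text is not shown in this log.

```python
import re

# Assumed ACME HTTP-01 challenge prefix; reconstructed, not copied from the recipe.
ACME = r"\.well-known/acme-challenge/"

# Before the fix: the lookahead is zero-width and defines no group.
BROKEN = re.compile(r"^/(?!" + ACME + r")")
# After the fix: a capturing group follows the lookahead.
FIXED = re.compile(r"^/(?!" + ACME + r")(.*)$")

TARGET = "https://www.example.com/"  # hypothetical redirect target


def matched_text(pattern, url_path):
    """Return the text consumed by the match, or None if there is no match."""
    m = pattern.search(url_path)
    return None if m is None else m.group(0)


def redirect(pattern, url_path):
    """Return the Location a '<TARGET>$1' substitution would yield.

    None means the path is exempt (no match, so no redirect). An undefined
    $1 is modelled as the empty string, which is an assumption of this sketch.
    """
    m = pattern.search(url_path)
    if m is None:
        return None
    rest = m.group(1) if pattern.groups >= 1 else ""
    return TARGET + rest


# Constructed sample URL-paths.
SAMPLES = ["/docs/a.html", "/.well-known/acme-challenge/tok123", "/"]

if __name__ == "__main__":
    for path in SAMPLES:
        print(f"{path!r:40} broken={redirect(BROKEN, path)!r} "
              f"fixed={redirect(FIXED, path)!r}")
```

Both patterns exempt the challenge path; only the fixed one carries the rest of the URL-path into the redirect target.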
Joe Orton [Mon, 1 Jun 2026 13:03:36 +0000 (13:03 +0000)]
Merge r1926172 from trunk:
* modules/dav/fs/repos.c (dav_fs_remove_resource):
Return a 404 if apr_file_remove() fails with an ENOENT error,
likely due to a race with another DELETE.
Rich Bowen [Wed, 27 May 2026 03:46:07 +0000 (03:46 +0000)]
Backport rewrite guide improvements from trunk
Sync reorganized and expanded mod_rewrite documentation from trunk:
- Rewritten index with structured navigation
- Expanded flags reference with new examples (chain, cookie, DPI)
- Renamed htaccess doc to 'Per-directory Rewrites' with new sections
on path stripping, RewriteBase, and loop behavior
- Expanded tech.xml with detailed per-directory processing explanation
- New recipes in remapping.xml: HTTPS behind load balancer, ACME
exemption, trailing-slash handling, front-controller patterns
- Added prg: map Python example in rewritemap.xml
- Cross-reference links and glossary terms throughout
- Fixed incorrect <since> tags: SameSite is 2.4.47, UnsafePrefixStat
is 2.4.60, UNC is 2.4.63 (were erroneously marked 2.5.1)
- Removed N flag iteration-limit paragraph (trunk-only feature)
Rich Bowen [Tue, 26 May 2026 10:11:24 +0000 (10:11 +0000)]
docs: Modernize install.xml
- Remove mirrors reference and binary releases (both retired)
- Update all external links to https
- Update version examples to current 2.4.66/2.4.67
- Replace two-step gzip/tar with single tar xzf
- Reword download section for source builds
- Consolidate verification link to verification.html
- Remove minimizing language (easy, simple, simply)
- Add language="sh" to all highlight blocks
- Update disk space: 200 MB build (was 50), 50 MB installed (was 10)
- Replace deprecated ntpdate/xntpd with systemd-timesyncd/chrony
- Remove outdated Perl 5.003 version floor
- Update release examples from dead 2.0/2.2 to 2.4/2.6
- Update 'Mac OS X, Solaris' to 'macOS'
- Requirements intro: 'building' → 'building and running'
Rich Bowen [Mon, 25 May 2026 20:21:01 +0000 (20:21 +0000)]
docs: Add SVG source for RewriteCond syntax diagram, regenerate PNG
Recreate syntax_rewritecond as editable SVG with color-coded callouts
for TestString, CondPattern, and [Flags]. Matches style of RewriteRule
syntax diagram.
Rich Bowen [Mon, 25 May 2026 19:04:11 +0000 (19:04 +0000)]
docs: Add SVG source for rewrite_process_uri, regenerate PNG
Recreate the ruleset processing flowchart as editable SVG. Adds
explicit 'no more rules' exit path and names RewriteCond in the
conditions diamond for clarity. Regenerate PNG from SVG source.
Rich Bowen [Mon, 25 May 2026 18:41:58 +0000 (18:41 +0000)]
docs: Add backreference flow diagram (Figure 3) in rewrite/tech
Add SVG source and regenerated PNG for mod_rewrite_fig2 showing how
backreferences flow: $N from RewriteRule Pattern (matched first) to
all RewriteCond TestStrings and Substitution; %N from last matched
CondPattern to Substitution. Insert as Figure 3 in tech.html. Add
crosslink from intro.html backreferences section to the new diagram.
Remove obsolete GIF.
Rich Bowen [Mon, 25 May 2026 18:21:56 +0000 (18:21 +0000)]
docs: Insert mod_rewrite overview flowchart as Figure 1 in rewrite/tech
Add new per-request rewrite process diagram (Figure 1) showing both
per-server and per-directory phases with RewriteCond evaluation.
Renumber existing ruleset diagram to Figure 2.
Rich Bowen [Mon, 25 May 2026 18:20:00 +0000 (18:20 +0000)]
docs: Add SVG source for rewrite overview flowchart
Add editable SVG source for mod_rewrite_fig1. Regenerate PNG from SVG.
Insert as Figure 1 in rewrite/tech.html showing the full per-request
rewrite process (per-server rules, redirect check, per-directory rules,
including RewriteCond evaluation). Remove obsolete GIF. Renumber existing
diagram to Figure 2.
Rich Bowen [Mon, 25 May 2026 17:48:25 +0000 (17:48 +0000)]
docs: Normalize "server-variables" to "server variables" in mod_rewrite
Remove hyphenation from "Server-Variables"/"server-variables" in
mod/mod_rewrite.xml and rewrite/flags.xml — no RFC precedent exists
for the hyphenated form (RFC 3875 uses "meta-variables"). Rework the
module summary to clarify that HTTP headers and timestamps are a
subset of server variables, not separate categories. Link the term
to its definition in RewriteCond.
Rich Bowen [Mon, 25 May 2026 17:21:23 +0000 (17:21 +0000)]
docs: Clarify DPI flag wording re: PATH_INFO vs URL-path
The opening sentence of the DPI|discardpath section implied PATH_INFO
was a "portion of" the URL-path/URI, while the next sentence described
it as a separate value concatenated to the URL-path/URI. Reword to
make clear that PATH_INFO is appended, not an inherent component.
Also add glossary links for URL-path (trunk only).
Rich Bowen [Mon, 25 May 2026 16:35:10 +0000 (16:35 +0000)]
Add crosslinks between env.html and expr.html
env.html now references expr.html for the modern expression-based
approach to conditional headers, access control, and logging.
The CGI variables section links to the complete variable reference
on expr.html (including REQUEST_URI, REMOTE_ADDR, etc.).
expr.html now links back to env.html for how environment variables
are set (SetEnv, SetEnvIf, [E=...]) and for the special-purpose
variable list.