at the same time, don't lose errors occurring while forwarding on the first
side when none occurs next on the other side, and abort.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1657636 13f79535-47bb-0310-9956-ffa450edef68
mod_lua: A maliciously crafted websockets PING after a script
calls r:wsupgrade() can cause a child process crash.
[Edward Lu <Chaosed0 gmail.com>]
Discovered by Guido Vranken <guidovranken gmail.com>
Submitted by: Edward Lu
Committed by: covener
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1657261 13f79535-47bb-0310-9956-ffa450edef68
when the FIN bit was set. Results in PING not being recognized
by mod_lua. PR57524
Submitted By: Edward Lu
Committed By: covener
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1657256 13f79535-47bb-0310-9956-ffa450edef68
on startup or restart when the module is linked statically. PR 57525
Submitted by: apache.org tech.futurequest.net
Committed by: Yann Ylavic
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1656669 13f79535-47bb-0310-9956-ffa450edef68
in virtualhost context (new version of r1653906 reverted by r1653993).
Submitted By: Michael Kaufmann <apache-bugzilla michael-kaufmann.ch>
Committed/modified By: ylavic
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1653997 13f79535-47bb-0310-9956-ffa450edef68
The issue with r1653906 is that existing configurations like
"SSLProtocol -SSLv3" (where the default is assumed to be ALL)
won't work anymore.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1653993 13f79535-47bb-0310-9956-ffa450edef68
the old thread may work on a new connection and assign the same ID in parallel.
Submitted By: Michael Thorpe
Committed By: covener
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1651088 13f79535-47bb-0310-9956-ffa450edef68
rfc822Name and dNSName into SSL_{CLIENT,SERVER}_SAN_{Email,DNS}_n
variables.
* docs/manual/mod/mod_ssl.xml: add SSL_*_SAN_*_n entries to the
environment variables table
* modules/ssl/ssl_engine_kernel.c: in ssl_hook_Fixup, add extraction
of subjectAltName entries for the "StdEnvVars" case
* modules/ssl/ssl_engine_vars.c: add support for retrieving the
SSL_{CLIENT,SERVER}_SAN_{Email,DNS}_n variables, either with
individual on-demand lookup (ssl_var_lookup_ssl_cert_san),
or with full-list extraction to the environment ("StdEnvVars")
* modules/ssl/ssl_private.h: add modssl_var_extract_san_entries prototype
* modules/ssl/ssl_util_ssl.c: implement SSL_X509_getSAN and
SSL_ASN1_STRING_to_utf8 helper functions, with factoring out common
code from SSL_X509_getIDs and SSL_X509_NAME_ENTRY_to_string where
suitable. Limit SSL_X509_getSAN to the two most common subjectAltName
entry types appearing in user or server certificates (i.e., rfc822Name
and dNSName), for the time being.
* modules/ssl/ssl_util_ssl.h: add SSL_ASN1_STRING_to_utf8
and SSL_X509_getSAN prototypes
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1650047 13f79535-47bb-0310-9956-ffa450edef68
opting in to connection reuse and other proxy options (max=, etc).
adds 'enablereuse' proxyoption and a minor MMN bump to share
proxy_desocketfy outside of mod_proxy.c, which is required to
match workers to URLs.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1647009 13f79535-47bb-0310-9956-ffa450edef68
Connection reuse has been disabled since r1032345 at the end of
2011.
Attempt to reverse the polarity of the connection reuse doc which
has been wrong for a long time.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1647005 13f79535-47bb-0310-9956-ffa450edef68
- We need to fail if we do NOT match.
- ETag comparison only makes sense if we have an ETag
PR: 57358
Submitted by: Kunihiko Sakamoto <ksakamoto google.com>
Reviewed by: rpluem
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1646282 13f79535-47bb-0310-9956-ffa450edef68
When this occurs, the redirect (internal) request reaches ssl_hook_Access()
and makes SSL_do_handshake crash, probably because we force the renegotiation
based on an incomplete SSL state.
To avoid this, ssl_hook_Access() now returns FORBIDDEN immediately if the given
SSL connection is not in a valid (handshaken) state.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1644498 13f79535-47bb-0310-9956-ffa450edef68
mod_lua: Fix handling of the Require line when a LuaAuthzProvider is
used in multiple Require directives with different arguments.
PR57204 [Edward Lu <Chaosed0 gmail.com>]
Submitted By: Edward Lu
Committed By: covener
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1642499 13f79535-47bb-0310-9956-ffa450edef68
Previously, any time you used a relative substitution in
per-directory/htaccess context, you needed to specify
a RewriteBase. But in cases where the context document root
and context prefix are known via e.g. mod_userdir
or mod_alias, and the substitution is under the context
document root, we can determine the replacement automatically.
This makes htaccess files or config snippets a bit more
portable.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1642484 13f79535-47bb-0310-9956-ffa450edef68
(and it is too late to use the same CVE anyway).
The code changes to mod_authnz_fcgi are retained in order
to keep the similar code in sync between the two modules.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1640331 13f79535-47bb-0310-9956-ffa450edef68
Fix a potential crash with response headers' size above 8K.
The code changes to mod_authnz_fcgi keep the handle_headers()
function in sync between the two modules. mod_authnz_fcgi
does not have this issue because it allocated a separate byte
for terminating '\0'.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1640036 13f79535-47bb-0310-9956-ffa450edef68