author | Yann Ylavic <ylavic@apache.org> | 2023-03-02 16:24:08 +0100 |
---|---|---|
committer | Yann Ylavic <ylavic@apache.org> | 2023-03-02 16:24:08 +0100 |
commit | 6c9b8075bc1ce8e88f6df067ecb737f078b8ea23 (patch) | |
tree | 841d6c45b6aaedc258fec3640cd2618d40e54e8e | |
parent | mod_proxy_uwsgi: Stricter backend HTTP response parsing/validation (diff) | |
Sync changes [skip ci]
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1907983 13f79535-47bb-0310-9956-ffa450edef68
-rw-r--r-- | CHANGES | 82 | ||||
-rw-r--r-- | changes-entries/DAVLockDiscovery.txt | 2 | ||||
-rw-r--r-- | changes-entries/DAVReadOnly_in_dav_method_propfind.txt | 2 | ||||
-rw-r--r-- | changes-entries/ajp_invalid_number_of_headers.txt | 2 | ||||
-rw-r--r-- | changes-entries/enablereuse.txt | 3 | ||||
-rw-r--r-- | changes-entries/h2-rst-access-500-fix.txt | 4 | ||||
-rw-r--r-- | changes-entries/h2_header_strictness.txt | 5 | ||||
-rw-r--r-- | changes-entries/h2_max_data_frame_len.txt | 7 | ||||
-rw-r--r-- | changes-entries/h2_proxy_content_type.txt | 4 | ||||
-rw-r--r-- | changes-entries/h2_proxy_host.txt | 4 | ||||
-rw-r--r-- | changes-entries/h2_trailers.txt | 5 | ||||
-rw-r--r-- | changes-entries/mapping_encode.txt | 2 | ||||
-rw-r--r-- | changes-entries/md_locks_and_fix.txt | 8 | ||||
-rw-r--r-- | changes-entries/pr66130.txt | 2 | ||||
-rw-r--r-- | changes-entries/pr66403.txt | 2 | ||||
-rw-r--r-- | changes-entries/pr66421.txt | 4 | ||||
-rw-r--r-- | changes-entries/proxy_uwsgi_response_validation.txt | 2 | ||||
-rw-r--r-- | changes-entries/rotatlogs_truncate_rotated.txt | 2 | ||||
-rw-r--r-- | changes-entries/ssl_proxy_bind.txt | 5 |
19 files changed, 82 insertions, 65 deletions
@@ -1,6 +1,88 @@ -*- coding: utf-8 -*- Changes with Apache 2.5.1 + *) mod_http2: field values (headers and trailers) are stripped of + leading/trailing whitespace (space +htab) before being processed + or send in a response. This is compatible behaviour to HTTP/1.1 + parsers that strip incoming headers of such characters. + [Stefan Eissing] + + *) build: Use 'command -v' instead of 'which' which is more portable. + PR 66130 [Sam James <sam@gentoo.org>] + + *) mod_dav: Allow to disable lock discovery via an DAVLockDiscovery + expression (per-request). PR 66313. [Emmanuel Dreyfus <manu netbsd.org>] + + *) mod_ssl: when a proxy connection had handled a request using SSL, an + error was logged when "SSLProxyEngine" was only configured in the + location/proxy section and not the overall server. The connection + continued to work, the error log was in error. Fixed PR66190. + [Stefan Eissing] + + *) mod_proxy: Ignore (and warn about) enablereuse=on for ProxyPassMatch when + some dollar substitution (backreference) happens in the hostname or port + part of the URL. [Yann Ylavic] + + *) rotatelogs: Add -T flag to allow subsequent rotated logfiles to be + truncated without the initial logfile being truncated. [Eric Covener] + + *) mod_md: a new directive `MDStoreLocks` can be used on cluster + setups with a shared file system for `MDStoreDir` to order + activation of renewed certificates when several cluster nodes are + restarted at the same time. Store locks are not enabled by default. + Restored curl_easy cleanup behaviour from v2.4.14 and refactored + the use of curl_multi for OCSP requests to work with that. + Fixes <https://github.com/icing/mod_md/issues/293>. + + *) mod_proxy_ajp: Report an error if the AJP backend sends an invalid number + of headers. [Ruediger Pluem] + + *) mod_proxy_http2: apply the standard httpd content type handling + to responses from the backend, as other proxy modules do. Fixes PR 66391. + Thanks to Jérôme Billiras for providing the patch. 
+ [Stefan Eissing] + + *) mod_http2: fixed trailer handling. Empty response bodies + prevented trailers from being sent to a client. See + <https://github.com/icing/mod_h2/issues/233> for how + this affected gRPC use. + [Stefan Eissing] + + *) mod_proxy_http2: use only the ':authority' header to forward 'Host' + information to a backend. Deduce ':authority' from what the client + sent when 'ProxyPreserveHost' is on. + [Stefan Eissing] + + *) core: Improve the AH00124 error message about too many redirects by logging + the URI of the request. PR 66403 [Ruediger Pluem] + + *) mod_proxy_uwsgi: Stricter backend HTTP response parsing/validation. + [Yann Ylavic] + + *) mod_http2: new directive 'H2MaxDataFrameLen n' to limit the maximum + amount of response body bytes put into a single HTTP/2 DATA frame. + Setting this to 0 places no limit (but the max size allowed by the + protocol is observed). + The module, by default, tries to use the maximum size possible, which is + somewhat around 16KB. This sets the maximum. When less response data is + available, smaller frames will be sent. + + *) mod_http2: client resets of HTTP/2 streams led to unwanted 500 errors + reported in access logs and error documents. The processing of the + reset was correct, only unneccesary reporting was caused. + [Stefan Eissing] + + *) mod_proxy: Fix double encoding of the uri-path of the request forwarded + to the origin server, when using mapping=encoded|servlet. [Yann Ylavic] + + *) mod_dav: Open the lock database read-only when possible. + PR 36636 [Wilson Felipe <wfelipe gmail.com>, manu] + + *) mod_ldap: LDAPConnectionPoolTTL should accept negative values in order to + allow connections of any age to be reused. Up to now, a negative value + was handled as an error when parsing the configuration file. PR 66421. + [nailyk <bzapache nailyk.fr>, Christophe Jaillet] + *) mod_proxy_hcheck: Re-enable workers in standard ERROR state. PR 66302. [Alessandro Cavaliere <alessandro.cavalier7 unibo.it>] 
diff --git a/changes-entries/DAVLockDiscovery.txt b/changes-entries/DAVLockDiscovery.txt deleted file mode 100644 index 1696d60465..0000000000 --- a/changes-entries/DAVLockDiscovery.txt +++ /dev/null @@ -1,2 +0,0 @@ - *) mod_dav: Allow to disable lock discovery via an DAVLockDiscovery - expression (per-request). PR 66313. [Emmanuel Dreyfus <manu netbsd.org>] diff --git a/changes-entries/DAVReadOnly_in_dav_method_propfind.txt b/changes-entries/DAVReadOnly_in_dav_method_propfind.txt deleted file mode 100644 index b018ae8950..0000000000 --- a/changes-entries/DAVReadOnly_in_dav_method_propfind.txt +++ /dev/null @@ -1,2 +0,0 @@ - *) mod_dav: Open the lock database read-only when possible. - PR 36636 [Wilson Felipe <wfelipe gmail.com>, manu] diff --git a/changes-entries/ajp_invalid_number_of_headers.txt b/changes-entries/ajp_invalid_number_of_headers.txt deleted file mode 100644 index 8657304608..0000000000 --- a/changes-entries/ajp_invalid_number_of_headers.txt +++ /dev/null @@ -1,2 +0,0 @@ - *) mod_proxy_ajp: Report an error if the AJP backend sends an invalid number - of headers. [Ruediger Pluem] diff --git a/changes-entries/enablereuse.txt b/changes-entries/enablereuse.txt deleted file mode 100644 index b8e1a3f617..0000000000 --- a/changes-entries/enablereuse.txt +++ /dev/null @@ -1,3 +0,0 @@ - *) mod_proxy: Ignore (and warn about) enablereuse=on for ProxyPassMatch when - some dollar substitution (backreference) happens in the hostname or port - part of the URL. [Yann Ylavic] diff --git a/changes-entries/h2-rst-access-500-fix.txt b/changes-entries/h2-rst-access-500-fix.txt deleted file mode 100644 index d165fa3bc8..0000000000 --- a/changes-entries/h2-rst-access-500-fix.txt +++ /dev/null @@ -1,4 +0,0 @@ - *) mod_http2: client resets of HTTP/2 streams led to unwanted 500 errors - reported in access logs and error documents. The processing of the - reset was correct, only unneccesary reporting was caused. - [Stefan Eissing] 
diff --git a/changes-entries/h2_header_strictness.txt b/changes-entries/h2_header_strictness.txt deleted file mode 100644 index 7cac6147e0..0000000000 --- a/changes-entries/h2_header_strictness.txt +++ /dev/null @@ -1,5 +0,0 @@ - *) mod_http2: field values (headers and trailers) are stripped of - leading/trailing whitespace (space +htab) before being processed - or send in a response. This is compatible behaviour to HTTP/1.1 - parsers that strip incoming headers of such characters. - [Stefan Eissing] diff --git a/changes-entries/h2_max_data_frame_len.txt b/changes-entries/h2_max_data_frame_len.txt deleted file mode 100644 index f32f6e076e..0000000000 --- a/changes-entries/h2_max_data_frame_len.txt +++ /dev/null @@ -1,7 +0,0 @@ - *) mod_http2: new directive 'H2MaxDataFrameLen n' to limit the maximum - amount of response body bytes put into a single HTTP/2 DATA frame. - Setting this to 0 places no limit (but the max size allowed by the - protocol is observed). - The module, by default, tries to use the maximum size possible, which is - somewhat around 16KB. This sets the maximum. When less response data is - available, smaller frames will be sent. diff --git a/changes-entries/h2_proxy_content_type.txt b/changes-entries/h2_proxy_content_type.txt deleted file mode 100644 index d35f7c2ea7..0000000000 --- a/changes-entries/h2_proxy_content_type.txt +++ /dev/null @@ -1,4 +0,0 @@ - *) mod_proxy_http2: apply the standard httpd content type handling - to responses from the backend, as other proxy modules do. Fixes PR 66391. - Thanks to Jérôme Billiras for providing the patch. - [Stefan Eissing]
\ No newline at end of file diff --git a/changes-entries/h2_proxy_host.txt b/changes-entries/h2_proxy_host.txt deleted file mode 100644 index bbf34d648c..0000000000 --- a/changes-entries/h2_proxy_host.txt +++ /dev/null @@ -1,4 +0,0 @@ - *) mod_proxy_http2: use only the ':authority' header to forward 'Host' - information to a backend. Deduce ':authority' from what the client - sent when 'ProxyPreserveHost' is on. - [Stefan Eissing]
\ No newline at end of file diff --git a/changes-entries/h2_trailers.txt b/changes-entries/h2_trailers.txt deleted file mode 100644 index eb5453371a..0000000000 --- a/changes-entries/h2_trailers.txt +++ /dev/null @@ -1,5 +0,0 @@ - *) mod_http2: fixed trailer handling. Empty response bodies - prevented trailers from being sent to a client. See - <https://github.com/icing/mod_h2/issues/233> for how - this affected gRPC use. - [Stefan Eissing]
\ No newline at end of file diff --git a/changes-entries/mapping_encode.txt b/changes-entries/mapping_encode.txt deleted file mode 100644 index fc7e6e5008..0000000000 --- a/changes-entries/mapping_encode.txt +++ /dev/null @@ -1,2 +0,0 @@ - *) mod_proxy: Fix double encoding of the uri-path of the request forwarded - to the origin server, when using mapping=encoded|servlet. [Yann Ylavic] diff --git a/changes-entries/md_locks_and_fix.txt b/changes-entries/md_locks_and_fix.txt deleted file mode 100644 index c70ef1fc28..0000000000 --- a/changes-entries/md_locks_and_fix.txt +++ /dev/null @@ -1,8 +0,0 @@ - *) mod_md: a new directive `MDStoreLocks` can be used on cluster - setups with a shared file system for `MDStoreDir` to order - activation of renewed certificates when several cluster nodes are - restarted at the same time. Store locks are not enabled by default. - - Restored curl_easy cleanup behaviour from v2.4.14 and refactored - the use of curl_multi for OCSP requests to work with that. - Fixes <https://github.com/icing/mod_md/issues/293>. diff --git a/changes-entries/pr66130.txt b/changes-entries/pr66130.txt deleted file mode 100644 index f3254688f4..0000000000 --- a/changes-entries/pr66130.txt +++ /dev/null @@ -1,2 +0,0 @@ - *) build: Use 'command -v' instead of 'which' which is more portable. - PR 66130 [Sam James <sam@gentoo.org>] diff --git a/changes-entries/pr66403.txt b/changes-entries/pr66403.txt deleted file mode 100644 index 551f38fd21..0000000000 --- a/changes-entries/pr66403.txt +++ /dev/null @@ -1,2 +0,0 @@ - *) core: Improve the AH00124 error message about too many redirects by logging - the URI of the request. PR 66403 [Ruediger Pluem] diff --git a/changes-entries/pr66421.txt b/changes-entries/pr66421.txt deleted file mode 100644 index 94d4c42ada..0000000000 --- a/changes-entries/pr66421.txt +++ /dev/null 
@@ -1,4 +0,0 @@ - *) mod_ldap: LDAPConnectionPoolTTL should accept negative values in order to - allow connections of any age to be reused. Up to now, a negative value - was handled as an error when parsing the configuration file. PR 66421. - [nailyk <bzapache nailyk.fr>, Christophe Jaillet] diff --git a/changes-entries/proxy_uwsgi_response_validation.txt b/changes-entries/proxy_uwsgi_response_validation.txt deleted file mode 100644 index 2cdb6c6300..0000000000 --- a/changes-entries/proxy_uwsgi_response_validation.txt +++ /dev/null @@ -1,2 +0,0 @@ - *) mod_proxy_uwsgi: Stricter backend HTTP response parsing/validation. - [Yann Ylavic] diff --git a/changes-entries/rotatlogs_truncate_rotated.txt b/changes-entries/rotatlogs_truncate_rotated.txt deleted file mode 100644 index 2cc69366ea..0000000000 --- a/changes-entries/rotatlogs_truncate_rotated.txt +++ /dev/null @@ -1,2 +0,0 @@ - *) rotatelogs: Add -T flag to allow subsequent rotated logfiles to be - truncated without the initial logfile being truncated. [Eric Covener] diff --git a/changes-entries/ssl_proxy_bind.txt b/changes-entries/ssl_proxy_bind.txt deleted file mode 100644 index 4eba294bd8..0000000000 --- a/changes-entries/ssl_proxy_bind.txt +++ /dev/null @@ -1,5 +0,0 @@ - *) mod_ssl: when a proxy connection had handled a request using SSL, an - error was logged when "SSLProxyEngine" was only configured in the - location/proxy section and not the overall server. The connection - continued to work, the error log was in error. Fixed PR66190. - [Stefan Eissing] |
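Review bot: In the CHANGES hunk, the mod_md `MDStoreLocks` entry and the mod_http2 'H2MaxDataFrameLen n' entry end without a bracketed contributor, while every other added entry carries one (for example `[Stefan Eissing]`); add the attribution while syncing. Two spelling slips are also copied over unchanged and could be fixed in the same pass: "unneccesary reporting" in the stream-reset entry and "or send in a response" in the field-value whitespace entry.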
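Review bot: The md_locks_and_fix.txt hunk removes a blank line between "Store locks are not enabled by default." and "Restored curl_easy cleanup behaviour from v2.4.14", but the CHANGES hunk adds no blank line at that point, so two unrelated mod_md changes now read as one paragraph. Keep the separator, or move the curl_easy/OCSP fix into its own `*) mod_md:` entry.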
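Review bot: The entry carried over from proxy_uwsgi_response_validation.txt, "Stricter backend HTTP response parsing/validation.", does not say which backend responses are now rejected or what the client receives in that case, which is what an operator upgrading in front of a uwsgi backend needs to know. One more sentence in the CHANGES entry describing the new failure behaviour would make the change auditable from the changelog alone.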