author | Stefan Eissing <icing@apache.org> | 2015-11-19 14:58:52 +0000 |
---|---|---|
committer | Stefan Eissing <icing@apache.org> | 2015-11-19 14:58:52 +0000 |
commit | ca04f6867dab2c831da80bf09a67594e8da1e47c (patch) | |
tree | 413b4bc22efb7c8994bd49dd4b9eef181c30c42e | |
parent | 8fbd8b191af5ec3218e91d3ae41a16d5813c7f5d (diff) | |
parent | 576f3d75227d44f6a79dd91dfcbeb81b6f6e3e40 (diff) | |
download | httpd-ca04f6867dab2c831da80bf09a67594e8da1e47c.tar.gz |
update merge of changes in 2.4.x
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.17-protocols-changes@1715192 13f79535-47bb-0310-9956-ffa450edef68
-rw-r--r-- | CHANGES | 3 | ||||
-rw-r--r-- | STATUS | 46 | ||||
-rw-r--r-- | docs/manual/mod/core.html.fr | 27 | ||||
-rw-r--r-- | docs/manual/mod/core.xml.fr | 31 | ||||
-rw-r--r-- | docs/manual/mod/core.xml.meta | 2 | ||||
-rw-r--r-- | docs/manual/mod/mod_ssl.html.fr | 25 | ||||
-rw-r--r-- | docs/manual/mod/mod_ssl.xml.fr | 29 | ||||
-rw-r--r-- | docs/manual/mod/mod_ssl.xml.meta | 2 | ||||
-rw-r--r-- | docs/manual/mod/quickreference.html.fr | 4 | ||||
-rw-r--r-- | modules/aaa/mod_authn_anon.c | 4 | ||||
-rw-r--r-- | modules/aaa/mod_authnz_ldap.c | 4 | ||||
-rw-r--r-- | modules/ssl/ssl_engine_io.c | 102 | ||||
-rw-r--r-- | server/core.c | 5 |
13 files changed, 187 insertions, 97 deletions
@@ -24,6 +24,9 @@ Changes with Apache 2.4.17 to avoid reusing it should the close be effective after some new request is ready to be sent. [Yann Ylavic] + *) mod_ssl: Make the output filter more friendly with deferred write and + response pipelining. [Yann Ylavic, Joe Orton] + *) mod_substitute: Allow to configure the patterns merge order with the new SubstituteInheritBefore on|off directive. PR 57641 [Marc.Stern <Marc.Stern approach.be>, Yann Ylavic, William Rowe] @@ -127,19 +127,6 @@ PATCHES PROPOSED TO BACKPORT FROM TRUNK: 2.4.x patch: https://people.apache.org/~minfrin/httpd-mod_alias-expr2.patch +1: minfrin - * mod_ssl: Make the output filter more friendly with deferred write and - response pipelining. - trunk patch: http://svn.apache.org/r1705194 - http://svn.apache.org/r1705823 - http://svn.apache.org/r1705826 - http://svn.apache.org/r1705828 - http://svn.apache.org/r1705833 - http://svn.apache.org/r1706275 - http://svn.apache.org/r1707230 - http://svn.apache.org/r1707231 - 2.4.x patch: http://people.apache.org/~ylavic/httpd-2.4.x-mod_ssl-deferred_friendly-v3.patch - +1: ylavic - * core: Fix crash in ap_mpm_pod_check call caused by NULL dereference of its parameter when starting httpd as single process (httpd -X). trunk patch: http://svn.apache.org/r1711479 
@@ -161,7 +148,38 @@ PATCHES PROPOSED TO BACKPORT FROM TRUNK: 2.4.x patch: http://people.apache.org/~ylavic/httpd-2.4.x-check_pipeline_blank_lines.patch (trunk works, meant to ease review) +1: ylavic, minfrin - + icing: test 3 fails for me in t/security/CVE-2005-3357.t + ylavic: not related (at least not the cause), fixed in r1715023. + + *) core/mod_ssl: + - master conn_rec* addition to conn_rec + - minor mmn bump + - improved ALPN and Upgrade handling + - allowing requests for servers whose TLS configuration is compatible + to the SNI server ones + - disabling TLS renegotiation for slave connections + changes are necessary for update modules/http2 + trunk patch: http://svn.apache.org/r1708107 + http://svn.apache.org/r1709587 + http://svn.apache.org/r1709602 + http://svn.apache.org/r1709995 + http://svn.apache.org/r1710231 + http://svn.apache.org/r1710419 + http://svn.apache.org/r1710572 + http://svn.apache.org/r1710583 + + manual addition of "conn_rec *master;" + 2.4.x patch: https://raw.githubusercontent.com/icing/mod_h2/master/sandbox/httpd/patches/2.4.17-protocols.patch + branch mergeable to 2.4.x: ^/httpd/httpd/branches/2.4.17-protocols-changes + +1: icing, jim + ylavic: +1 with r1715023. + + *) mod_ssl: For the "SSLStaplingReturnResponderErrors off" case, make sure + to only staple responses with certificate status "good" + trunk patch: https://svn.apache.org/r1711728 + https://svn.apache.org/r1713209 (missing LOGNO only) + 2.4.x patch: trunk works (modulo CHANGES) + +1: kbrand, icing + PATCHES/ISSUES THAT ARE BEING WORKED diff --git a/docs/manual/mod/core.html.fr b/docs/manual/mod/core.html.fr index 4c0b793fd3..fb35446308 100644 --- a/docs/manual/mod/core.html.fr +++ b/docs/manual/mod/core.html.fr 
@@ -33,8 +33,6 @@ <a href="../ja/mod/core.html" hreflang="ja" rel="alternate" title="Japanese"> ja </a> | <a href="../tr/mod/core.html" hreflang="tr" rel="alternate" title="Türkçe"> tr </a></p> </div> -<div class="outofdate">Cette traduction peut être périmée. Vérifiez la version - anglaise pour les changements récents.</div> <table class="module"><tr><th><a href="module-dict.html#Description">Description:</a></th><td>Fonctionnalités de base du serveur HTTP Apache toujours disponibles</td></tr> <tr><th><a href="module-dict.html#Status">Statut:</a></th><td>Core</td></tr></table> 
@@ -3947,19 +3945,30 @@ seulement depuis la version 2.3.3 sous Windows.</td></tr> <div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> <div class="directive-section"><h2><a name="qualifyredirecturl" id="qualifyredirecturl">Directive</a> <a name="QualifyRedirectURL" id="QualifyRedirectURL">QualifyRedirectURL</a></h2> <table class="directive"> -<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Controls whether the REDIRECT_URL environent variable is - fully qualified</td></tr> +<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Vérifie si la variable d'environnement REDIRECT_URL est +pleinement qualifiée</td></tr> <tr><th><a href="directive-dict.html#Syntax">Syntaxe:</a></th><td><code>QualifyRedirectURL ON|OFF</code></td></tr> <tr><th><a href="directive-dict.html#Default">Défaut:</a></th><td><code>QualifyRedirectURL OFF</code></td></tr> <tr><th><a href="directive-dict.html#Context">Contexte:</a></th><td>configuration du serveur, serveur virtuel, répertoire</td></tr> <tr><th><a href="directive-dict.html#Override">AllowOverride:</a></th><td>FileInfo</td></tr> <tr><th><a href="directive-dict.html#Status">Statut:</a></th><td>Core</td></tr> <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>core</td></tr> -<tr><th><a href="directive-dict.html#Compatibility">Compatibilité:</a></th><td>Directive supported in 2.4.18 and later. 2.4.17 acted -as if 'QualifyRedirectURL ON' was configured.</td></tr> -</table><p>La documentation de cette directive - n'a pas encore t traduite. Veuillez vous reporter la version - en langue anglaise.</p></div> +<tr><th><a href="directive-dict.html#Compatibility">Compatibilité:</a></th><td>Directive supportée à partir de la version 2.4.18 du +serveur HTTP Apache. 
Jusqu'à la version 2.4.17, le serveur se comportait +comme si la directive QualifyRedirectURL était définie à ON.</td></tr> +</table> + <p>Cette directive permet de s'assurer que le serveur vérifiera que + la variable d'environnement REDIRECT_URL est bien pleinement + qualifiée. Par défaut, cette variable contient l'URL textuellement + demandée par le client, par exemple "/index.html". Avec <code class="directive"><a href="#qualifyredirecturl on">QualifyRedirectURL ON</a></code>, la même requête + affectera à la variable REDIRECT_URL une valeur du style + "http://www.example.com/index.html".</p> + <p>Même si cette directive n'est pas définie, lorsqu'une requête est + soumise avec une URL pleinement qualifiée, la variable REDIRECT_URL + contiendra quand-même une URL pleinement qualifiée. + </p> + +</div> <div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> <div class="directive-section"><h2><a name="rlimitcpu" id="rlimitcpu">Directive</a> <a name="RLimitCPU" id="RLimitCPU">RLimitCPU</a></h2> <table class="directive"> diff --git a/docs/manual/mod/core.xml.fr b/docs/manual/mod/core.xml.fr index eb9c3d94fa..614759e5b7 100644 --- a/docs/manual/mod/core.xml.fr +++ b/docs/manual/mod/core.xml.fr @@ -1,7 +1,7 @@ <?xml version="1.0"?> <!DOCTYPE modulesynopsis SYSTEM "../style/modulesynopsis.dtd"> <?xml-stylesheet type="text/xsl" href="../style/manual.fr.xsl"?> -<!-- English Revision: 1705784:1712268 (outdated) --> +<!-- English Revision: 1712268 --> <!-- French translation : Lucien GENTIS --> <!-- Reviewed by : Vincent Deffontaines --> 
@@ -5069,4 +5069,33 @@ Apache</compatibility> </usage> </directivesynopsis> +<directivesynopsis> +<name>QualifyRedirectURL</name> +<description>Vérifie si la variable d'environnement REDIRECT_URL est +pleinement qualifiée</description> +<syntax>QualifyRedirectURL ON|OFF</syntax> +<default>QualifyRedirectURL OFF</default> +<contextlist><context>server config</context><context>virtual host</context> +<context>directory</context> +</contextlist> +<override>FileInfo</override> +<compatibility>Directive supportée à partir de la version 2.4.18 du +serveur HTTP Apache. Jusqu'à la version 2.4.17, le serveur se comportait +comme si la directive QualifyRedirectURL était définie à ON.</compatibility> + +<usage> + <p>Cette directive permet de s'assurer que le serveur vérifiera que + la variable d'environnement REDIRECT_URL est bien pleinement + qualifiée. Par défaut, cette variable contient l'URL textuellement + demandée par le client, par exemple "/index.html". Avec <directive + module="core">QualifyRedirectURL ON</directive>, la même requête + affectera à la variable REDIRECT_URL une valeur du style + "http://www.example.com/index.html".</p> + <p>Même si cette directive n'est pas définie, lorsqu'une requête est + soumise avec une URL pleinement qualifiée, la variable REDIRECT_URL + contiendra quand-même une URL pleinement qualifiée. + </p> +</usage> +</directivesynopsis> + </modulesynopsis> diff --git a/docs/manual/mod/core.xml.meta b/docs/manual/mod/core.xml.meta index b9d96ee4c5..e78755527a 100644 --- a/docs/manual/mod/core.xml.meta +++ b/docs/manual/mod/core.xml.meta @@ -10,7 +10,7 @@ <variant outdated="yes">de</variant> <variant>en</variant> <variant outdated="yes">es</variant> - <variant outdated="yes">fr</variant> + <variant>fr</variant> <variant outdated="yes">ja</variant> <variant outdated="yes">tr</variant> </variants> diff --git a/docs/manual/mod/mod_ssl.html.fr b/docs/manual/mod/mod_ssl.html.fr index 7779cd98e1..bbe29c685a 100644 
--- a/docs/manual/mod/mod_ssl.html.fr +++ b/docs/manual/mod/mod_ssl.html.fr @@ -29,8 +29,6 @@ <p><span>Langues Disponibles: </span><a href="../en/mod/mod_ssl.html" hreflang="en" rel="alternate" title="English"> en </a> | <a href="../fr/mod/mod_ssl.html" title="Français"> fr </a></p> </div> -<div class="outofdate">Cette traduction peut être périmée. Vérifiez la version - anglaise pour les changements récents.</div> <table class="module"><tr><th><a href="module-dict.html#Description">Description:</a></th><td>Chiffrement de haut niveau basé sur les protocoles Secure Sockets Layer (SSL) et Transport Layer Security (TLS)</td></tr> <tr><th><a href="module-dict.html#Status">Statut:</a></th><td>Extension</td></tr> @@ -52,6 +50,8 @@ pour fournir le moteur de chiffrement.</p> <li><img alt="" src="../images/down.gif" /> <a href="#logformats">Formats de journaux personnalisés</a></li> <li><img alt="" src="../images/down.gif" /> <a href="#notes">Information à propos de la requête</a></li> +<li><img alt="" src="../images/down.gif" /> <a href="#expressionparser">Extension pour l'interprétation +des expressions</a></li> <li><img alt="" src="../images/down.gif" /> <a href="#authzproviders">Fournisseurs d'autorisation disponibles avec Require</a></li> </ul><h3 class="directives">Directives</h3> 
@@ -368,6 +368,25 @@ format <code>%{<em>nom</em>}n</code> via le module </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> <div class="section"> +<h2><a name="expressionparser" id="expressionparser">Extension pour l'interprétation +des expressions</a></h2> + +<p>Lorsque <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code> est compilé statiquement avec +Apache, ou même chargé dynamiquement (en tant que module DSO), toute <a name="envvars">variable</a> en provenance de <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code> peut +être utilisée pour l'<a href="../expr.html">interprétation des +expression ap_expr</a>. Les variables peuvent être référencées en +utilisant la syntaxe ``<code>%{</code><em>varname</em><code>}</code>''. +A partir de la version 2.4.18, on peut aussi utiliser la syntaxe de +style <code class="module"><a href="../mod/mod_rewrite.html">mod_rewrite</a></code> +``<code>%{SSL:</code><em>varname</em><code>}</code>'', ou la syntaxe de +style fonction ``<code>ssl(</code><em>varname</em><code>)</code>''.</p> +<div class="example"><h3>Exemple (en utilisant <code class="module"><a href="../mod/mod_headers.html">mod_headers</a></code>)</h3><pre class="prettyprint lang-config">Header set X-SSL-PROTOCOL "expr=%{SSL_PROTOCOL}" +Header set X-SSL-CIPHER "expr=%{SSL:SSL_CIPHER}"</pre> +</div> +<p>Cette fonctionnalité est disponible même si l'option +<code>StdEnvVars</code> de la directive <code class="directive"><a href="#ssloptions">SSLOptions</a></code> n'a pas été définie.</p> +</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> +<div class="section"> <h2><a name="authzproviders" id="authzproviders">Fournisseurs d'autorisation disponibles avec Require</a></h2> 
@@ -1418,7 +1437,7 @@ Les <em>option</em>s disponibles sont :</p> <div class="example"><h3>Exemple</h3><pre class="prettyprint lang-config">SSLOptions +FakeBasicAuth -StrictRequire <Files ~ "\.(cgi|shtml)$"> SSLOptions +StdEnvVars -ExportCertData -<Files></pre> +</Files></pre> </div> </div> diff --git a/docs/manual/mod/mod_ssl.xml.fr b/docs/manual/mod/mod_ssl.xml.fr index a4796f1aa8..41f65b700f 100644 --- a/docs/manual/mod/mod_ssl.xml.fr +++ b/docs/manual/mod/mod_ssl.xml.fr @@ -1,7 +1,7 @@ <?xml version="1.0"?> <!DOCTYPE modulesynopsis SYSTEM "../style/modulesynopsis.dtd"> <?xml-stylesheet type="text/xsl" href="../style/manual.fr.xsl"?> -<!-- English Revision: 1707123:1711549 (outdated) --> +<!-- English Revision: 1711549 --> <!-- French translation : Lucien GENTIS --> <!-- Reviewed by : Vincent Deffontaines --> 
@@ -289,6 +289,31 @@ format <code>%{<em>nom</em>}n</code> via le module </dl> </section> + +<section id="expressionparser"><title>Extension pour l'interprétation +des expressions</title> + +<p>Lorsque <module>mod_ssl</module> est compilé statiquement avec +Apache, ou même chargé dynamiquement (en tant que module DSO), toute <a +name="envvars">variable</a> en provenance de <module>mod_ssl</module> peut +être utilisée pour l'<a href="../expr.html">interprétation des +expression ap_expr</a>. Les variables peuvent être référencées en +utilisant la syntaxe ``<code>%{</code><em>varname</em><code>}</code>''. +A partir de la version 2.4.18, on peut aussi utiliser la syntaxe de +style <module>mod_rewrite</module> +``<code>%{SSL:</code><em>varname</em><code>}</code>'', ou la syntaxe de +style fonction ``<code>ssl(</code><em>varname</em><code>)</code>''.</p> +<example><title>Exemple (en utilisant <module>mod_headers</module>)</title> +<highlight language="config"> +Header set X-SSL-PROTOCOL "expr=%{SSL_PROTOCOL}" +Header set X-SSL-CIPHER "expr=%{SSL:SSL_CIPHER}" +</highlight> +</example> +<p>Cette fonctionnalité est disponible même si l'option +<code>StdEnvVars</code> de la directive <directive +module="mod_ssl">SSLOptions</directive> n'a pas été définie.</p> +</section> + <section id="authzproviders"><title>Fournisseurs d'autorisation disponibles avec Require</title> @@ -1659,7 +1684,7 @@ Les <em>option</em>s disponibles sont :</p> SSLOptions +FakeBasicAuth -StrictRequire <Files ~ "\.(cgi|shtml)$"> SSLOptions +StdEnvVars -ExportCertData -<Files> +</Files> </highlight> </example> </usage> diff --git a/docs/manual/mod/mod_ssl.xml.meta b/docs/manual/mod/mod_ssl.xml.meta index be20a51f56..736a11a017 100644 --- a/docs/manual/mod/mod_ssl.xml.meta +++ b/docs/manual/mod/mod_ssl.xml.meta @@ -8,6 +8,6 @@ <variants> <variant>en</variant> - <variant outdated="yes">fr</variant> + <variant>fr</variant> </variants> </metafile> 
diff --git a/docs/manual/mod/quickreference.html.fr b/docs/manual/mod/quickreference.html.fr index d00f963b26..d25379fc48 100644 --- a/docs/manual/mod/quickreference.html.fr +++ b/docs/manual/mod/quickreference.html.fr @@ -965,8 +965,8 @@ mod_status</td></tr> mandatées</td></tr> <tr class="odd"><td><a href="mod_proxy.html#proxyvia">ProxyVia On|Off|Full|Block</a></td><td> Off </td><td>sv</td><td>E</td></tr><tr class="odd"><td class="descr" colspan="4">Information fournie dans l'en-tête de réponse HTTP <code>Via</code> pour les requêtes mandatées</td></tr> -<tr><td><a href="core.html#qualifyredirecturl" id="Q" name="Q">QualifyRedirectURL ON|OFF</a></td><td> OFF </td><td>svd</td><td>C</td></tr><tr><td class="descr" colspan="4">Controls whether the REDIRECT_URL environent variable is - fully qualified</td></tr> +<tr><td><a href="core.html#qualifyredirecturl" id="Q" name="Q">QualifyRedirectURL ON|OFF</a></td><td> OFF </td><td>svd</td><td>C</td></tr><tr><td class="descr" colspan="4">Vérifie si la variable d'environnement REDIRECT_URL est +pleinement qualifiée</td></tr> <tr class="odd"><td><a href="mod_autoindex.html#readmename" id="R" name="R">ReadmeName <var>nom-fichier</var></a></td><td></td><td>svdh</td><td>B</td></tr><tr class="odd"><td class="descr" colspan="4">Nom du fichier dont le contenu sera inséré à la fin de l'index</td></tr> <tr><td><a href="mpm_common.html#receivebuffersize">ReceiveBufferSize <var>octets</var></a></td><td> 0 </td><td>s</td><td>M</td></tr><tr><td class="descr" colspan="4">Taille du tampon TCP en entrée</td></tr> diff --git a/modules/aaa/mod_authn_anon.c b/modules/aaa/mod_authn_anon.c index 21e0da8560..82559bcc75 100644 --- a/modules/aaa/mod_authn_anon.c +++ b/modules/aaa/mod_authn_anon.c @@ -57,7 +57,7 @@ #include "mod_auth.h" typedef struct anon_auth_user { - char *user; + const char *user; struct anon_auth_user *next; } anon_auth_user; 
@@ -103,7 +103,7 @@ static const char *anon_set_string_slots(cmd_parms *cmd, else { first = conf->users; conf->users = apr_palloc(cmd->pool, sizeof(*conf->users)); - conf->users->user = apr_pstrdup(cmd->pool, arg); + conf->users->user = arg; conf->users->next = first; } } diff --git a/modules/aaa/mod_authnz_ldap.c b/modules/aaa/mod_authnz_ldap.c index 211e4f7485..370016f709 100644 --- a/modules/aaa/mod_authnz_ldap.c +++ b/modules/aaa/mod_authnz_ldap.c @@ -1627,7 +1627,7 @@ static const char *set_bind_pattern(cmd_parms *cmd, void *_cfg, const char *exp, } sec->bind_regex = regexp; - sec->bind_subst = apr_pstrdup(cmd->pool, subst); + sec->bind_subst = subst; return NULL; } @@ -1655,7 +1655,7 @@ static const char *set_bind_password(cmd_parms *cmd, void *_cfg, const char *arg result = ap_get_exec_line(cmd->pool, (const char*)argv[0], (const char * const *)argv); - if(!result) { + if (!result) { return apr_pstrcat(cmd->pool, "Unable to get bind password from exec of ", arg+5, NULL); diff --git a/modules/ssl/ssl_engine_io.c b/modules/ssl/ssl_engine_io.c index e819d75dbb..44ed8dad56 100644 --- a/modules/ssl/ssl_engine_io.c +++ b/modules/ssl/ssl_engine_io.c @@ -187,6 +187,7 @@ static int bio_filter_out_write(BIO *bio, const char *in, int inl) { bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)(bio->ptr); apr_bucket *e; + int need_flush; /* Abort early if the client has initiated a renegotiation. */ if (outctx->filter_ctx->config->reneg_state == RENEG_ABORT) { 
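Review bot: `conf->users->user = arg;` in anon_set_string_slots now keeps the directive argument by pointer instead of copying it into `cmd->pool`, so the stored entry is valid only while `arg` outlives the configuration, and nothing in the hunk states that guarantee. The same applies to `sec->bind_subst = subst;` in set_bind_pattern (mod_authnz_ldap.c) and to `apr_table_setn(d->override_list, argv[i], "1");` in set_override_list (server/core.c), where the table keeps the key pointer rather than a copy. If the config parser does allocate directive arguments from `cmd->pool` (not visible on this page), a short comment at each site would record the assumption, e.g. `/* arg is allocated from cmd->pool by the config parser; no copy needed */`. All three functions start and end outside their hunks.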
@@ -205,6 +206,26 @@ static int bio_filter_out_write(BIO *bio, const char *in, int inl) e = apr_bucket_transient_create(in, inl, outctx->bb->bucket_alloc); APR_BRIGADE_INSERT_TAIL(outctx->bb, e); + /* In theory, OpenSSL should flush as necessary, but it is known + * not to do so correctly in some cases (< 0.9.8m; see PR 46952), + * or on the proxy/client side (after ssl23_client_hello(), e.g. + * ssl/proxy.t test suite). + * + * Historically, this flush call was performed only for an SSLv2 + * connection or for a proxy connection. Calling _out_flush can + * be expensive in cases where requests/reponses are pipelined, + * so limit the performance impact to handshake time. + */ +#if OPENSSL_VERSION_NUMBER < 0x0009080df + need_flush = !SSL_is_init_finished(outctx->filter_ctx->pssl) +#else + need_flush = SSL_in_connect_init(outctx->filter_ctx->pssl); +#endif + if (need_flush) { + e = apr_bucket_flush_create(outctx->bb->bucket_alloc); + APR_BRIGADE_INSERT_TAIL(outctx->bb, e); + } + if (bio_filter_out_pass(outctx) < 0) { return -1; } @@ -445,21 +466,6 @@ static int bio_filter_in_read(BIO *bio, char *in, int inlen) return -1; } - /* In theory, OpenSSL should flush as necessary, but it is known - * not to do so correctly in some cases; see PR 46952. - * - * Historically, this flush call was performed only for an SSLv2 - * connection or for a proxy connection. Calling _out_flush - * should be very cheap in cases where it is unnecessary (and no - * output is buffered) so the performance impact of doing it - * unconditionally should be minimal. - */ - if (bio_filter_out_flush(inctx->bio_out) < 0) { - bio_filter_out_ctx_t *outctx = inctx->bio_out->ptr; - inctx->rc = outctx->rc; - return -1; - } - BIO_clear_retry_flags(bio); if (!inctx->bb) { 
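Review bot: The `#if OPENSSL_VERSION_NUMBER < 0x0009080df` branch in bio_filter_out_write is missing its terminating semicolon: `need_flush = !SSL_is_init_finished(outctx->filter_ctx->pssl)` runs straight into the following `if (need_flush)`, so any build that selects that branch fails to compile. It should read `need_flush = !SSL_is_init_finished(outctx->filter_ctx->pssl);`. The new comment above it also has a typo, `reponses` for `responses`. The function's body starts and ends outside the hunk.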
@@ -1594,49 +1600,30 @@ static apr_status_t ssl_io_filter_output(ap_filter_t *f, return ssl_io_filter_error(f, bb, status); } - while (!APR_BRIGADE_EMPTY(bb)) { + while (!APR_BRIGADE_EMPTY(bb) && status == APR_SUCCESS) { apr_bucket *bucket = APR_BRIGADE_FIRST(bb); - /* If it is a flush or EOS, we need to pass this down. - * These types do not require translation by OpenSSL. - */ - if (APR_BUCKET_IS_EOS(bucket) || APR_BUCKET_IS_FLUSH(bucket)) { - if (bio_filter_out_flush(filter_ctx->pbioWrite) < 0) { - status = outctx->rc; - break; - } - - if (APR_BUCKET_IS_EOS(bucket)) { - /* - * By definition, nothing can come after EOS. - * which also means we can pass the rest of this brigade - * without creating a new one since it only contains the - * EOS bucket. - */ - - if ((status = ap_pass_brigade(f->next, bb)) != APR_SUCCESS) { - return status; - } - break; - } - else { - /* bio_filter_out_flush() already passed down a flush bucket - * if there was any data to be flushed. - */ - apr_bucket_delete(bucket); + if (APR_BUCKET_IS_METADATA(bucket)) { + /* Pass through metadata buckets untouched. EOC is + * special; terminate the SSL layer first. */ + if (AP_BUCKET_IS_EOC(bucket)) { + ssl_filter_io_shutdown(filter_ctx, f->c, 0); } - } - else if (AP_BUCKET_IS_EOC(bucket)) { - /* The EOC bucket indicates connection closure, so SSL - * shutdown must now be performed. */ - ssl_filter_io_shutdown(filter_ctx, f->c, 0); - if ((status = ap_pass_brigade(f->next, bb)) != APR_SUCCESS) { - return status; - } - break; + AP_DEBUG_ASSERT(APR_BRIGADE_EMPTY(outctx->bb)); + + /* Metadata buckets are passed one per brigade; it might + * be more efficient (but also more complex) to use + * outctx->bb as a true buffer and interleave these with + * data buckets. 
*/ + APR_BUCKET_REMOVE(bucket); + APR_BRIGADE_INSERT_HEAD(outctx->bb, bucket); + status = ap_pass_brigade(f->next, outctx->bb); + if (status == APR_SUCCESS && f->c->aborted) + status = APR_ECONNRESET; + apr_brigade_cleanup(outctx->bb); } else { - /* filter output */ + /* Filter a data bucket. */ const char *data; apr_size_t len; @@ -1649,7 +1636,9 @@ static apr_status_t ssl_io_filter_output(ap_filter_t *f, break; } rblock = APR_BLOCK_READ; - continue; /* and try again with a blocking read. */ + /* and try again with a blocking read. */ + status = APR_SUCCESS; + continue; } rblock = APR_NONBLOCK_READ; @@ -1660,11 +1649,8 @@ static apr_status_t ssl_io_filter_output(ap_filter_t *f, status = ssl_filter_write(f, data, len); apr_bucket_delete(bucket); - - if (status != APR_SUCCESS) { - break; - } } + } return status; diff --git a/server/core.c b/server/core.c index b94da9ab8a..7ed6d9cc1b 100644 --- a/server/core.c +++ b/server/core.c @@ -1736,7 +1736,7 @@ static const char *set_override_list(cmd_parms *cmd, void *d_, int argc, char *c d->override_list = apr_table_make(cmd->pool, argc); - for (i=0;i<argc;i++){ + for (i = 0; i < argc; i++) { if (!strcasecmp(argv[i], "None")) { if (argc != 1) { return "'None' not allowed with other directives in " @@ -1747,6 +1747,7 @@ static const char *set_override_list(cmd_parms *cmd, void *d_, int argc, char *c else { const command_rec *result = NULL; module *mod = ap_top_module; + result = ap_find_command_in_modules(argv[i], &mod); if (result == NULL) { ap_log_error(APLOG_MARK, APLOG_WARNING, 0, cmd->server, @@ -1765,7 +1766,7 @@ static const char *set_override_list(cmd_parms *cmd, void *d_, int argc, char *c continue; } else { - apr_table_set(d->override_list, argv[i], "1"); + apr_table_setn(d->override_list, argv[i], "1"); } } } |
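Review bot: In the metadata branch of ssl_io_filter_output, the only check that `outctx->bb` is empty before `APR_BRIGADE_INSERT_HEAD(outctx->bb, bucket)` is `AP_DEBUG_ASSERT`, which is compiled out of non-debug builds. If encrypted output were ever still buffered there, the metadata bucket (EOS, FLUSH or EOC) would be passed downstream ahead of it. Using `APR_BRIGADE_INSERT_TAIL(outctx->bb, bucket);` would keep the ordering correct in that case; otherwise a comment should state why the brigade is always drained by this point. The unbraced `if (status == APR_SUCCESS && f->c->aborted)` would also be safer braced, as `if (status == APR_SUCCESS && f->c->aborted) { status = APR_ECONNRESET; }`. The function begins before this hunk.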