Bug report for Apache httpd-2 [2017/02/19]

2017-02-18 Thread bugzilla 
+---+
| Bugzilla Bug ID   |
| +-+
| | Status: UNC=Unconfirmed NEW=New ASS=Assigned|
| | OPN=ReopenedVER=Verified(Skipped Closed/Resolved)   |
| |   +-+
| |   | Severity: BLK=Blocker CRI=Critical  REG=Regression  MAJ=Major   |
| |   |   MIN=Minor   NOR=NormalENH=Enhancement TRV=Trivial |
| |   |   +-+
| |   |   | Date Posted |
| |   |   |  +--+
| |   |   |  | Description  |
| |   |   |  |  |
| 8713|Inf|Min|2002-05-01|No Errorlog on PROPFIND/Depth:Infinity|
| 8867|Opn|Cri|2002-05-07|exports.c generation fails when using a symlink to|
|10747|New|Maj|2002-07-12|ftp SIZE command and 'smart' ftp servers results i|
|11294|New|Enh|2002-07-30|desired vhost_alias option|
|11580|Opn|Enh|2002-08-09|generate Content-Location headers |
|12033|Opn|Nor|2002-08-26|Graceful restart immediately result in [warn] long|
|13599|Inf|Nor|2002-10-14|autoindex formating broken for multibyte sequences|
|13661|Ass|Enh|2002-10-15|Apache cannot not handle dynamic IP reallocation  |
|14104|Opn|Enh|2002-10-30|not documented: must restart server to load new CR|
|14496|New|Enh|2002-11-13|Cannot upgrade any version on Windows. Must uninst|
|14922|Inf|Enh|2002-11-28| is currently hardcoded to 'apache2'  |
|15719|Inf|Nor|2002-12-30|WebDAV MOVE to destination URI which is content-ne|
|16761|Inf|Nor|2003-02-04|CustomLog with pipe spawns process during config  |
|16811|Ass|Maj|2003-02-05|mod_autoindex always return webpages in UTF-8.|
|17107|New|Min|2003-02-16|Windows should not install printenv   |
|17114|New|Enh|2003-02-17|Please add strip and install-strip targets to Make|
|17244|Ass|Nor|2003-02-20|./configure --help gives false information regardi|
|17497|Opn|Nor|2003-02-27|mod_mime_magic generates incorrect response header|
|18325|New|Enh|2003-03-25|PAM support for suEXEC|
|18334|Inf|Cri|2003-03-25|Server crashes when authenticating users against L|
|19670|New|Enh|2003-05-05|content type header supplied upon PUT is thrown aw|
|20036|Ass|Nor|2003-05-19|Trailing Dots stripped from PATH_INFO environment |
|21260|New|Nor|2003-07-02|CacheMaxExpire directive not enforced !   |
|21533|Ass|Cri|2003-07-11|Multiple levels of htacces files can cause mod_aut|
|22484|Opn|Maj|2003-08-16|semaphore problem takes httpd down|
|22686|Opn|Nor|2003-08-25|ab: apr_poll: The timeout specified has expired (7|
|22898|Opn|Nor|2003-09-02|nph scripts with two HTTP header  |
|23167|Inf|Cri|2003-09-14|--enable-layout never goes to apr apr-util|
|23181|New|Nor|2003-09-15|Status 304 (Not modified) and chunking leads to an|
|23238|New|Cri|2003-09-18|non-async-signal-safe operations from signal handl|
|23330|New|Enh|2003-09-22|Enhance ApacheMonitor to view and control Tomcat s|
|23911|Opn|Cri|2003-10-18|CGI processes left defunct/zombie under 2.0.54|
|24031|New|Enh|2003-10-23|Passphrase protected private key in SSLProxyMachin|
|24095|Opn|Cri|2003-10-24|ERROR "Parent: child process exited with status 32|
|24437|Opn|Nor|2003-11-05|mod_auth_ldap doubly-escapes backslash (\) charact|
|24890|Opn|Nor|2003-11-21|Apache config parser should not be local aware ( g|
|25014|New|Enh|2003-11-26|A flexible interface for mod_log_config   |
|25201|New|Enh|2003-12-04|Provide Cache Purge operation |
|25240|Inf|Enh|2003-12-05|SSL Library Error: 336105671 logged as information|
|25435|New|Enh|2003-12-11|sethandler and directoryindex not playing nice|
|25469|Opn|Enh|2003-12-12|create AuthRoot for defining paths to auth files  |
|25484|Ass|Nor|2003-12-12|Non-service Apache cannot be stopped in WinXP |
|25543|Inf|Nor|2003-12-15|mod_proxy_ajp overwrites existing response headers|
|25667|New|Nor|2003-12-19|Memory leak in function ssl_scache_dbm_retrieve().|
|25863|New|Enh|2004-01-02|new per-host initialization hooks |
|26005|New|Nor|2004-01-08|SERVER_NAME incorrect when using IPv6 address in U|
|26142|New|Maj|2004-01-14|EnableSendFile Off for Windows XP Home|
|26153|Opn|Cri|2004-01-15|Apache cygwin directory traversal vulnerability   |
|26368|New|Min|2004-01-23|File extensions in AddDescription treated as part |
|26446|New|Nor|2004-01-26|flush buckets followed by eos bucket emit multiple|
|26478|New|Enh|2004-01-28|mod_dav does not expose a method for setting the D|
|26835|New|Enh|

Re: svn commit: r1783256 - /httpd/httpd/branches/2.4.x/STATUS

2017-02-18 Thread Daniel Ruggeri 

On 2/16/2017 11:48 AM, wr...@apache.org wrote:
> Author: wrowe
> Date: Thu Feb 16 17:48:28 2017
> New Revision: 1783256
>
> URL: http://svn.apache.org/viewvc?rev=1783256&view=rev
> Log:
> Slow two still-wobbly horses
>
> Modified:
> httpd/httpd/branches/2.4.x/STATUS
>
> Modified: httpd/httpd/branches/2.4.x/STATUS
> URL: 
> http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/STATUS?rev=1783256&r1=1783255&r2=1783256&view=diff
> ==
> --- httpd/httpd/branches/2.4.x/STATUS (original)
> +++ httpd/httpd/branches/2.4.x/STATUS Thu Feb 16 17:48:28 2017
> @@ -167,6 +167,9 @@ PATCHES PROPOSED TO BACKPORT FROM TRUNK:
>   2.4 convenience patch (includes CHANGES):
>
> http://people.apache.org/~druggeri/patches/RemoteIPProxyProtocol.2.4.x.patch
>   +1: druggeri, jim
> + -1: wrowe (as noted on list, not limiting to inbound primary pre_conn
> +scope correctly; lots of redundant code happpening 
> per-request
> +for a per-connection behavior. Investigating further.)
>  

Hi, Bill;
   I've replied about the pre_connnection situation - hoping someone can
give the proposed patch a test as I don't have a handy H2 testbed.

On the other comment, can you help me understand what redundant code is
happening per-request? When manipulating the request, there are only
four things happening differently:
1. A check that we have data stored away from the connection filter
2. A check that the connection data has a client IP
3. The assignment of the data to the request_rec's structure and logging
at TRACE1
4. If no data was found, a check to see if it was optional and a logging
statement/return according to that result

This should all be quite straight forward per request... In fact, it's a
much shorter logical path and less work than having to parse the
X-Forwarded-For header.


>*) mod_brotli: Backport of mod_brotli filter
>   trunk patch: http://svn.apache.org/r1761714
> @@ -176,6 +179,7 @@ PATCHES PROPOSED TO BACKPORT FROM TRUNK:
>http://svn.apache.org/r1779077
>   2.4.x patch: http://home.apache.org/~jim/patches/brotli-2.4.patch
>   +1: jim, jorton,
> + -1: wrowe (Premature, waiting on github.com/google/brotli stable 
> release)
>   jailletc36: doc should also be back-ported (r1779091 + r1779699)
>  
>*) mod_ssl: work around leaks on (graceful) restart.
>
>

-- 
Daniel Ruggeri

Re: mod_remoteip and mod_http2 combined

2017-02-18 Thread Daniel Ruggeri 
On 2017-02-15 09:07 (-0600), William A Rowe Jr  wrote: 
> On Wed, Feb 15, 2017 at 9:02 AM, Sander Hoentjen  wrote:
> >
> > mod_remote ip has:
> > /* mod_proxy creates outgoing connections - we don't want those */
> > if (!remoteip_is_server_port(c->local_addr->port)) {
> > return DECLINED;
> > }
> > I am guessing something similar is needed for h2 connections?
> 
> I suspect that the mod_remoteip logic is wrong, that it should be guarding
> against any subordinate connections and examining only explicitly configured
> ports / origin IPs. the PROXY protocol is not part of the HTTP protocol and
> incompatible with it, so the trust list logic isn't directly compatible (this 
> is
> clearly explained in the PROXY pseudo-RFC.)
> 

Hi, Bill. That is what the module is doing. The original authors wrote it to 
have a list of virtual hosts it is explicitly enabled for and explicitly 
disabled for. I added a third list for optional vhosts. In the pre_connection 
hook, it checks to see if the connection's local_addr (which should normally be 
the server's IP) is explicitly configured to enable PROXY handling. It then 
checks to see if the local port is a server port.

Looking at the logs shared, 192.168.122.249:84 is the server IP:Port combo and 
is also the local IP:Port from mod_h2. If h2 sets the master of this 
connection, then we could skip the whole ordeal with this patch:

Index: modules/metadata/mod_remoteip.c
===
--- modules/metadata/mod_remoteip.c (revision 1781701)
+++ modules/metadata/mod_remoteip.c (working copy)
@@ -862,6 +862,10 @@
 remoteip_conn_config_t *conn_conf;
 int optional;

+if (c->master != NULL) {
+return DECLINED;
+}
+
 conf = ap_get_module_config(ap_server_conf->module_config,
 &remoteip_module);

.. but I don't know if that potentially means we are looking at the wrong 
connection.

Sander, would it be possible to try this out?

Re: svn commit: r1781701 - in /httpd/httpd/trunk: docs/manual/mod/mod_remoteip.xml modules/metadata/mod_remoteip.c

2017-02-18 Thread Daniel Ruggeri 
On 2/6/2017 2:51 PM, Ruediger Pluem wrote:
>
> On 02/04/2017 09:14 PM, drugg...@apache.org wrote:
>> Author: druggeri
>> Date: Sat Feb  4 20:14:18 2017
>> New Revision: 1781701
>>
>> URL: http://svn.apache.org/viewvc?rev=1781701&view=rev
>> Log:
>> Change tactic for PROXY processing in Optional case
>>
>> Modified:
>> httpd/httpd/trunk/docs/manual/mod/mod_remoteip.xml
>> httpd/httpd/trunk/modules/metadata/mod_remoteip.c
>>
>> Modified: httpd/httpd/trunk/modules/metadata/mod_remoteip.c
>> URL: 
>> http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/metadata/mod_remoteip.c?rev=1781701&r1=1781700&r2=1781701&view=diff
>> ==
>> --- httpd/httpd/trunk/modules/metadata/mod_remoteip.c (original)
>> +++ httpd/httpd/trunk/modules/metadata/mod_remoteip.c Sat Feb  4 20:14:18 
>> 2017
>> @@ -1085,28 +1091,53 @@ static apr_status_t remoteip_input_filte
>>  memcpy(ctx->header + ctx->rcvd, ptr, len);
>>  ctx->rcvd += len;
>>  
>> -/* Put this bucket into our temporary storage brigade because
>> -   we may permit a request without a header. In that case, the
>> -   data in the temporary storage brigade just gets copied
>> -   to bb_out */
>> -APR_BUCKET_REMOVE(b);
>> -apr_bucket_setaside(b, f->c->pool);
>> -APR_BRIGADE_INSERT_TAIL(ctx->store_bb, b);
>> +apr_bucket_delete(b);
>>  psts = HDR_NEED_MORE;
>>  
>>  if (ctx->version == 0) {
>>  /* reading initial chunk */
>>  if (ctx->rcvd >= MIN_HDR_LEN) {
>>  ctx->version = remoteip_determine_version(f->c, 
>> ctx->header);
>> -if (ctx->version < 0) {
>> -psts = HDR_MISSING;
>> -}
>> -else if (ctx->version == 1) {
>> -ctx->mode = AP_MODE_GETLINE;
>> -ctx->need = sizeof(proxy_v1);
>> +
>> +/* We've read enough to know that a header is present. 
>> In peek mode
>> +   we purge the bb and can decide to step aside or 
>> switch to
>> +   non-speculative read to consume the data */
>> +if (ctx->peeking) {
>> +apr_brigade_destroy(ctx->bb);
> apr_brigade_cleanup is better instead of destroy and create afterwards.

Agreed - updated


>
>> +
>> +if (ctx->version < 0) {
>> +ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, f->c, 
>> APLOGNO(03512)
>> +  "RemoteIPProxyProtocol: PROXY 
>> header is missing from "
>> +  "request. Stepping aside.");
>> +ctx->bb = NULL;
>> +ctx->done = 1;
>> +return ap_get_brigade(f->next, bb_out, mode, 
>> block, readbytes);
>> +}
>> +else {
>> +/* Rest ctx to initial values */
>> +ctx->rcvd = 0;
>> +ctx->need = MIN_HDR_LEN;
>> +ctx->version = 0;
>> +ctx->bb = apr_brigade_create(f->c->pool, 
>> f->c->bucket_alloc);
>> +ctx->done = 0;
>> +ctx->mode = AP_MODE_READBYTES;
>> +ctx->peeking = 0;
>> +
>> +ap_get_brigade(f->next, ctx->bb, ctx->mode, 
>> block,
>> +   ctx->need - ctx->rcvd);
>> +}
>>  }
>> -else if (ctx->version == 2) {
>> -ctx->need = MIN_V2_HDR_LEN;
>> +else {
>> +if (ctx->version < 0) {
>> +psts = HDR_MISSING;
>> +}
>> +else if (ctx->version == 1) {
>> +ctx->mode = AP_MODE_GETLINE;
>> +ctx->need = sizeof(proxy_v1);
>> +}
>> +else if (ctx->version == 2) {
>> +ctx->need = MIN_V2_HDR_LEN;
>> +}
>>  }
>>  }
>>  }
>
> Other comments:
>
> If you are reading in SPECULATIVE mode and renter the filter (e.g. 
> MIN_HDR_LEN bytes were not available and you were
> reading non blocking) or if you just do a second ap_get_brigade in the outer 
> loop, the returned brigade will contain
> all the data you had already seen plus potential new data. So you don't need 
> to tuck it away in ctx->header.

I think it's still necessary to copy each bucket's data to ctx->header
unless there's a guarantee that the bytes in t

Re: FYI brotli

2017-02-18 Thread Jim Jagielski 
Just a FYI that it looks like a 0.6.x version of the
lib will be released v. soon with all that is needed for
the module to work and compile as-is... 1.0.0 will be
released a little bit later which will simply deprecate/remove
the OLD API, which we don't use anyway... That is, the lib
change from 0.6.x to 1.0.0 will require no code change at
all.

Re: svn commit: r1783413 - in /httpd/httpd/branches/2.4.x: ./ STATUS server/mpm/event/event.c

2017-02-18 Thread Jim Jagielski 
CHANGES is usually for PR listing and significant user-land
changes and not necessarily and full listing of all fixes...
That's what the commit logs are for :)

> On Feb 17, 2017, at 1:49 PM, Marion & Christophe JAILLET 
>  wrote:
> 
> No CHANGES entry?
> 
> CJ
> 
> 
> Le 17/02/2017 à 16:36, j...@apache.org a écrit :
>> Author: jim
>> Date: Fri Feb 17 15:36:02 2017
>> New Revision: 1783413
>> 
>> URL: http://svn.apache.org/viewvc?rev=1783413&view=rev
>> Log:
>> Merge r1774541 from trunk:
>> 
>> event: close a race condition where we might re-enable listeners while they
>> are already or about to be closed.
>> 
>> 
>> Submitted by: ylavic
>> Reviewed by: ylavic, jim, wrowe
>> 
>> Modified:
>> httpd/httpd/branches/2.4.x/   (props changed)
>> httpd/httpd/branches/2.4.x/STATUS
>> httpd/httpd/branches/2.4.x/server/mpm/event/event.c