Re: svn commit: r1891730 - /httpd/httpd/branches/2.4.x/STATUS
Will throw this into my testsuite shredder today. Thanks, Yann, for bringing this in!

> On 22.07.2021 at 19:35, yla...@apache.org wrote:
> > Author: ylavic > Date: Thu Jul 22 17:35:21 2021 > New Revision: 1891730 > > URL: http://svn.apache.org/viewvc?rev=1891730&view=rev > Log: > Propose [skip ci]. > > Modified: >httpd/httpd/branches/2.4.x/STATUS > > Modified: httpd/httpd/branches/2.4.x/STATUS > URL: > http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/STATUS?rev=1891730&r1=1891729&r2=1891730&view=diff > == > --- httpd/httpd/branches/2.4.x/STATUS (original) > +++ httpd/httpd/branches/2.4.x/STATUS Thu Jul 22 17:35:21 2021 > @@ -247,6 +247,31 @@ PATCHES PROPOSED TO BACKPORT FROM TRUNK: > > https://patch-diff.githubusercontent.com/raw/apache/httpd/pull/194.patch > +1: jfclere: > > + *) mod_proxy: Fix icomplete initialization of BalancerMember(s) from the > +balancer-manager, which can lead to a crash. > + trunk patch: http://svn.apache.org/r1891477 > + http://svn.apache.org/r1891591 > + 2.4.x patch: svn merge -c 1891477,1891591 ^/httpd/httpd/trunk . > + +1: ylavic, > + > + *) mpm_event: Fix graceful stop/restart of children processes if > connections > +are in lingering close for too long. > + trunk patch: http://svn.apache.org/r1891716 > + http://svn.apache.org/r1891717 > + http://svn.apache.org/r1891718 > + http://svn.apache.org/r1891719 > + http://svn.apache.org/r1891721 > + http://svn.apache.org/r1891724 > + http://svn.apache.org/r1891726 > + http://svn.apache.org/r1891727 > + http://svn.apache.org/r1891728 > + backport: wget > http://people.apache.org/~ylavic/patches/2.4.x-mpm_event_graceful_linger.patch > + + patch -p0 < 2.4.x-mpm_event_graceful_linger.patch > + + svn merge --record-only -c > 1891716-1891719,1891721,1891724,1891726-1891727 ^/httpd/httpd/trunk . > + + svn merge -c 1891728 ^/httpd/httpd/trunk . > + + make update-changes > + +1: ylavic, > + > > PATCHES/ISSUES THAT ARE BEING WORKED > [ New entries should be added at the START of the list ] > >
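Review bot: the backport recipe in the new mpm_event entry fetches 2.4.x-mpm_event_graceful_linger.patch with wget over plain http:// and feeds it straight to patch -p0, with nothing in the entry that lets a voter confirm the applied bytes are the ones that were reviewed. Consider an https:// URL for the wget line, or record a checksum of the patch file next to it. Separately, the mod_proxy entry reads "Fix icomplete initialization"; that should be "incomplete".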
Add application/vnd.geogebra.slides to mime types
Dear httpd developers, I'd like to propose adding GeoGebra slides mime-type (recognized by IANA) to the mime-types recognized by httpd. I created a PR https://github.com/apache/httpd/pull/207 , but didn't get any feedback in a week so I'd like to ask here. If you'd like me to submit the patch in some other way, please let me know. Best regards, Zbynek
Re: disallow HTTP 0.9 by default?
I agree with this as well, I haven't had to use 0.9 in over a decade. +1

On Thu, 22 Jul 2021 at 12:03, Roy T. Fielding wrote:

> > On Jul 22, 2021, at 12:29 AM, Stefan Eissing <stefan.eiss...@greenbytes.de> wrote:
> >> On 21.07.2021 at 22:04, Eric Covener wrote:
> >>
> >> I was chasing an unrelated thread about close_notify alerts and
> >> reminded me -- is it time to change the default for
> >> HttpProtocolOptions from Allow0.9 to Require1.0?
> >>
> >> As the manual says, the requirement was dropped in RFC 7230. It seems
> >> like the kind of potential gadget in future desynch/smuggling kind of
> >> attacks that shouldn't be on by default today.
> >>
> >> Any opinions?
> >
> > +1
> >
> > I think the internet is a different place now from when 2.4 came out.
>
> Yep, we have long passed the point where the Internet depends on header fields
> like Host being present to avoid various attacks. +1
>
> Roy
Re: disallow HTTP 0.9 by default?
> On Jul 22, 2021, at 12:29 AM, Stefan Eissing wrote:
>> On 21.07.2021 at 22:04, Eric Covener wrote:
>>
>> I was chasing an unrelated thread about close_notify alerts and
>> reminded me -- is it time to change the default for
>> HttpProtocolOptions from Allow0.9 to Require1.0?
>>
>> As the manual says, the requirement was dropped in RFC 7230. It seems
>> like the kind of potential gadget in future desynch/smuggling kind of
>> attacks that shouldn't be on by default today.
>>
>> Any opinions?
>
> +1
>
> I think the internet is a different place now from when 2.4 came out.

Yep, we have long passed the point where the Internet depends on header fields like Host being present to avoid various attacks. +1

Roy
Re: disallow HTTP 0.9 by default?
I know for a fact that this will bring me some headaches at work with a few F5 "ping" checks, but still, to heck with it! +1

On Thu, 22 Jul 2021 at 12:39, Daniel Gruno wrote:
>
> On 22/07/2021 10.02, Ruediger Pluem wrote:
> >
> > On 7/21/21 10:04 PM, Eric Covener wrote:
> >> I was chasing an unrelated thread about close_notify alerts and
> >> reminded me -- is it time to change the default for
> >> HttpProtocolOptions from Allow0.9 to Require1.0?
> >>
> >> As the manual says, the requirement was dropped in RFC 7230. It seems
> >> like the kind of potential gadget in future desynch/smuggling kind of
> >> attacks that shouldn't be on by default today.
> >
> > +1 for Require1.0 on 2.4. Typically I would not agree because it can break
> > existing applications, but are there really setups out
> > there that work with HTTP 0.9? I don't believe so. Hence my +1.
>
> In which case one can just manually switch back to Allow0.9, right? :)
>
> +1 for Require1.0
>
> > Regards
> >
> > Rüdiger

--
Daniel Ferradal
HTTPD Project
#httpd help at Libera.Chat
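An added example, not part of this thread or of httpd: before the default moves to Require1.0, an operator can check which clients (health probes such as the "ping" checks mentioned above) still send request lines without an HTTP-version. It assumes a Common/Combined Log Format access log whose quoted request field is the request line as received; the function names and the sample log lines are constructed for illustration.

```python
import re
from collections import Counter

# Common/Combined Log Format prefix: host ident user [time] "request" status ...
# Assumption: the quoted field holds the request line exactly as the client sent it.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3}) ')
# HTTP/1.0 and later: method, target and an explicit HTTP-version token.
VERSIONED_RE = re.compile(r'^\S+ \S+ HTTP/\d\.\d$')
# HTTP/0.9 "simple request" (RFC 1945): GET and a target, no version token.
SIMPLE_RE = re.compile(r'^GET \S+$')


def classify_request(request_line):
    """Return 'versioned', 'http09' or 'other' for a logged request line."""
    if VERSIONED_RE.match(request_line):
        return "versioned"
    if SIMPLE_RE.match(request_line):
        return "http09"
    return "other"  # empty, truncated or malformed request lines


def http09_clients(log_lines):
    """Count HTTP/0.9-style requests per client address."""
    hits = Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and classify_request(m.group("req")) == "http09":
            hits[m.group("host")] += 1
    return hits


# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [22/Jul/2021:10:00:01 +0000] "GET /health" 200 2',
    '198.51.100.7 - - [22/Jul/2021:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '203.0.113.5 - - [22/Jul/2021:10:00:04 +0000] "-" 408 -',
    '192.0.2.10 - - [22/Jul/2021:10:00:06 +0000] "GET /health" 200 2',
    '203.0.113.9 - - [22/Jul/2021:10:00:07 +0000] "HEAD /" 400 226',
]

if __name__ == "__main__":
    for host, count in http09_clients(SAMPLE_LOG).most_common():
        print(f"{host}\t{count} request(s) without an HTTP-version")
```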
Re: disallow HTTP 0.9 by default?
On 22/07/2021 10.02, Ruediger Pluem wrote:
> On 7/21/21 10:04 PM, Eric Covener wrote:
>> I was chasing an unrelated thread about close_notify alerts and
>> reminded me -- is it time to change the default for
>> HttpProtocolOptions from Allow0.9 to Require1.0?
>>
>> As the manual says, the requirement was dropped in RFC 7230. It seems
>> like the kind of potential gadget in future desynch/smuggling kind of
>> attacks that shouldn't be on by default today.
>
> +1 for Require1.0 on 2.4. Typically I would not agree because it can break
> existing applications, but are there really setups out
> there that work with HTTP 0.9? I don't believe so. Hence my +1.

In which case one can just manually switch back to Allow0.9, right? :)

+1 for Require1.0

> Regards
>
> Rüdiger
Re: disallow HTTP 0.9 by default?
On Wed, Jul 21, 2021 at 04:04:13PM -0400, Eric Covener wrote:
> I was chasing an unrelated thread about close_notify alerts and
> reminded me -- is it time to change the default for
> HttpProtocolOptions from Allow0.9 to Require1.0?
>
> As the manual says, the requirement was dropped in RFC 7230. It seems
> like the kind of potential gadget in future desynch/smuggling kind of
> attacks that shouldn't be on by default today.
>
> Any opinions?

+1 here too.

Regards, Joe
Re: disallow HTTP 0.9 by default?
On Wed, Jul 21, 2021 at 10:04 PM Eric Covener wrote:
>
> I was chasing an unrelated thread about close_notify alerts and
> reminded me -- is it time to change the default for
> HttpProtocolOptions from Allow0.9 to Require1.0?
>
> As the manual says, the requirement was dropped in RFC 7230. It seems
> like the kind of potential gadget in future desynch/smuggling kind of
> attacks that shouldn't be on by default today.
>
> Any opinions?

+1
Re: disallow HTTP 0.9 by default?
On 7/21/21 10:04 PM, Eric Covener wrote:
> I was chasing an unrelated thread about close_notify alerts and
> reminded me -- is it time to change the default for
> HttpProtocolOptions from Allow0.9 to Require1.0?
>
> As the manual says, the requirement was dropped in RFC 7230. It seems
> like the kind of potential gadget in future desynch/smuggling kind of
> attacks that shouldn't be on by default today.
>

+1, httpd 0.9 is old enough and it's time to deprecate it.

Giovanni
Re: disallow HTTP 0.9 by default?
On Thu, Jul 22, 2021 at 10:02 AM Ruediger Pluem wrote:
>
> On 7/21/21 10:04 PM, Eric Covener wrote:
> > I was chasing an unrelated thread about close_notify alerts and
> > reminded me -- is it time to change the default for
> > HttpProtocolOptions from Allow0.9 to Require1.0?
> >
> > As the manual says, the requirement was dropped in RFC 7230. It seems
> > like the kind of potential gadget in future desynch/smuggling kind of
> > attacks that shouldn't be on by default today.
>
> +1 for Require1.0 on 2.4. Typically I would not agree because it can break
> existing applications, but are there really setups out
> there that work with HTTP 0.9? I don't believe so. Hence my +1.

Same, +1.

Cheers;
Yann.
Re: disallow HTTP 0.9 by default?
On 7/21/21 10:04 PM, Eric Covener wrote:
> I was chasing an unrelated thread about close_notify alerts and
> reminded me -- is it time to change the default for
> HttpProtocolOptions from Allow0.9 to Require1.0?
>
> As the manual says, the requirement was dropped in RFC 7230. It seems
> like the kind of potential gadget in future desynch/smuggling kind of
> attacks that shouldn't be on by default today.

+1 for Require1.0 on 2.4. Typically I would not agree because it can break existing applications, but are there really setups out there that work with HTTP 0.9? I don't believe so. Hence my +1.

Regards

Rüdiger
Re: disallow HTTP 0.9 by default?
> On 21.07.2021 at 22:04, Eric Covener wrote:
>
> I was chasing an unrelated thread about close_notify alerts and
> reminded me -- is it time to change the default for
> HttpProtocolOptions from Allow0.9 to Require1.0?
>
> As the manual says, the requirement was dropped in RFC 7230. It seems
> like the kind of potential gadget in future desynch/smuggling kind of
> attacks that shouldn't be on by default today.
>
> Any opinions?

+1

I think the internet is a different place now from when 2.4 came out.

- Stefan