Hi,
on https://httpd.apache.org/security/vulnerabilities_24.html , both
CVE-2020-9490 and CVE-2020-11993 have the Subject "Push Diary Crash on
Specifically Crafted HTTP/2 Header". Shouldn't the Subject for
CVE-2020-11993 be something like "memory corruption due to concurrent
log pool usage"? Or
Hi,
Shouldn't CVE-2019-10097 be listed under 2.4.41, too?
Cheers,
Stefan
--- httpd/httpd/branches/2.4.x/CHANGES 2019/08/14 20:43:00 1865188
+++ httpd/httpd/branches/2.4.x/CHANGES 2019/08/14 20:52:45 1865189
@@ -1,8 +1,39 @@
-*-
On Tuesday, 11 July 2017 15:20:44 CEST Eric Covener wrote:
> Does anyone recall what kind of directives were misbehaving?
Sorry, I don't remember. But maybe all directives that expect useful
information in cmd_parms->path ? This is always "*If" in If-Sections.
Cheers,
Stefan
> It seems
> like
On Tuesday, 7 March 2017 12:56:04 CET William A Rowe Jr wrote:
> My comment was that having an alternate target name, e.g. httpd.prefork
> or httpd.worker ends up resulting in $prefix/conf/httpd.prefork.conf as the
> derived config file name (although that file is actually httpd.conf). The
> fact
On Tuesday, 7 March 2017 11:17:57 CET Eric Covener wrote:
> On Tue, Mar 7, 2017 at 10:32 AM, William A Rowe Jr
wrote:
> > It seems we should have the framework process the bin/envvars (in the
> > normal path, or /etc/apache2 in this case)... but that should be based
> > on
On Friday, 3 March 2017 22:59:10 CET Sam Tregar wrote:
> Hello all. I've been working on getting Apache::Test running on Debian and
> it's not going well. One problem seems to be that Debian's system Apache
> conf is not named what Apache::Test thinks it should be named (apache2.conf
> vs
Hi,
I may be missing something but this looks wrong to me:
apr_allocator uses a mutex to be thread safe. Pools use this mutex also to
protect sub-pool creation, cleanup registering, etc. When apr creates the
initial allocator and global_pool in apr_pool_initialize(), it also creates a
mutex
On Saturday, 24 December 2016 08:29:35 CET Rich Bowen wrote:
> From my perspective, watching Nginx gain traction through superior
> marketing, and channeling Dilbert's Pointy Haired Boss in assuming that
> everything which I have never done must be simple, I, for one, would
> like to see us
Hi,
it's quite rare that I have a bit of time for httpd nowadays. But I want to
comment on a mail that Jacob Champion wrote on -security that contains some
valid points about the lack of our test framework. I am posting this to -dev
with his permission.
On Wednesday, 21 December 2016
Hi Graham,
On Wed, 14 Sep 2016, Graham Leggett wrote:
> On 06 Sep 2016, at 12:06 AM, Stefan Fritsch <s...@sfritsch.de> wrote:
>
> > in trunk, when having a lot of slow long running transfers, most of them
> > seem
> > to hog a thread and only a few of them go in
Hi,
in trunk, when having a lot of slow long running transfers, most of them seem
to hog a thread and only a few of them go into async write completion mode.
Compare this to 2.4, where many transfers are doing async write completion and
only a small number of threads are busy.
Is this a known
On Tuesday, 14 June 2016 17:31:50 CEST Eric Covener wrote:
> On Wed, Apr 13, 2016 at 6:27 PM, Stefan Fritsch <s...@sfritsch.de> wrote:
> > Maybe it would be better to remove the logic to re-use scoreboard
> > slots of processes which have already terminated some threads.
>
Hi,
sorry for the late response.
On Wednesday, 18 May 2016 02:12:39 CEST Tianyin Xu wrote:
> I propose to apply the same good practices (such as mod_authz_owner &
> mod_authz_dbm) to all the authn/authz modules. Basically, I want to add log
> messages before each AUTHN/Z_DENIES to pinpoint:
>
>
Hi,
I got a report about a new crash in mod_perl tests with 2.4.20:
(gdb) bt
#0 apr_getnameinfo (hostname=hostname@entry=0x7fd4461ee368,
sockaddr=0x0, flags=flags@entry=0)
at /tmp/buildd/apr-1.5.2/network_io/unix/sockaddr.c:663
#1 0x55feaf0f513a in ap_get_useragent_host
On Monday 11 April 2016 18:12:43, Eric Covener wrote:
> On Mon, Apr 11, 2016 at 4:59 PM, wrote:
> > ServerLimit >= 10 * MaxRequestWorkers / ThreadsPerChild
>
> Hi Stefan -- I am curious -- prior to the recent patches, just
> having the extra capacity in ServerLimit didn't
On Friday 01 April 2016 14:03:12, montt...@heavyspace.ca wrote:
> On 2016-03-30 16:35, Jacob Champion wrote:
> >> Sorry, but that is not a good approach. You must assume that a
> >> local attacker calls suexec directly and passes arguments of his
> >> liking. That is the attack vector that
On Saturday 19 March 2016 11:09:40, montt...@heavyspace.ca wrote:
> Since it's been a while since this issue was mentioned, this patch
> allows Apache to suexec files by a different (but still restricted
> by UID) owner, to avoid the security issue where apache forces you
> to suexec to files it
On Tuesday 29 March 2016 07:26:06, Jan Kaluža wrote:
> > I am not against the freebind feature as such, it's useful for
> > failover solutions/VRRP/etc. But I am strictly against advertising
> > this as a workaround for broken systemd design.
>
> We do not advertise it publicly as a workaround
On Monday 07 March 2016 12:41:25, Jan Kaluža wrote:
> This is needed for httpd startup with systemd when one wants to use
> particular IP address to bind. There is no way how to start httpd
> after the IP address has been configured in systemd and according
> to systemd developers, the
On Friday 04 December 2015 11:01:41, William A Rowe Jr wrote:
> > IMHO documenting the change would be enough.
>
> That's a good start for anyone tripping over 2.4.8-2.4.x, whether
> it is fixed or not.
Personally, I didn't know DER was supported. The docs only speak about
PEM, too. I agree
Hi,
can anyone with bugzilla fu please add 2.4.17 and mod_http2 to the
bugzilla selections? Thanks.
Cheers,
Stefan
On Sunday 04 October 2015 12:51:13, Graham Leggett wrote:
> On 04 Oct 2015, at 12:46 PM, Rainer Jung
wrote:
> > Yes, I agree. When starting to think closer, I noticed that the
> > string mode currently only supports a syntax that is pretty
> > different from the boolean
On Wednesday 30 September 2015 23:26:30, Rainer Jung wrote:
> I noticed that currently the expression parser in 2.4/trunk does not
> support the SSL:VARIABLE lookups that mod_rewrite supports.
>
> The expression parser uses ":" as an alternative function call
> syntax, so HTTP:VARIABLE is the
Moving the discussion to dev@
On Monday 05 October 2015 22:40:15, bugzi...@apache.org wrote:
> https://bz.apache.org/bugzilla/show_bug.cgi?id=53555
>
> --- Comment #25 from Yann Ylavic <ylavic@gmail.com> ---
> (In reply to Stefan Fritsch from comment #24)
>
> > (I
On Thursday 01 October 2015 13:55:40, Rainer Jung wrote:
> On 01.10.2015 at 12:31, Graham Leggett wrote:
> > On 01 Oct 2015, at 12:26 PM, Rainer Jung
wrote:
> >> Since it gets more common to use the expression parser for string
> >> operations and not only for boolean
On Monday 16 February 2015 17:53:11, Tom Browder wrote:
As far as I can tell mod_macro is new in 2.4 yet I cannot find it
mentioned in new features. I think it is well worth advertising
since it has simplified multiple virtual hosting immensely.
It has been introduced later, in 2.4.5 (see
Hi,
there are several programs that honor the HTTP_PROXY environment
variable in upper case. This is of course problematic if such programs
are called inside CGIs because the variable can be set by an attacker
via the Proxy: header.
It goes without question that all these programs need to be
On Thursday 16 October 2014 02:38:15, Marian Marinov wrote:
I just want to point out that () is not the only possible string.
Actually what you want to catch is something like this: ^\(.*\)
I don't think so. Where did you get that information?
On Monday 29 September 2014 10:07:40, Nick Kew wrote:
Yes. It's catching potential attacks in r->headers_in.
The rest is paranoia-mode afterthoughts:
PATH_INFO/QUERY_STRING because they could contain something
interesting, subprocess_env just because it's there (there's
a code comment about
On Saturday 19 July 2014 20:04:09, Christophe JAILLET wrote:
Using the following regex:
ap_log_.?error.*(_ERR|_EMERG|_CRIT)[^A]*$
many places with missing APLOGNO can be found.
There are some false positives because the [^A]* at the end of the
regex is here to check, in a more or less
Hi,
I have been looking at backporting the cookie issue fix, and it looks
to me that it was introduced in
http://svn.apache.org/viewvc?view=revision&revision=r1374538
http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/loggers/mod_log_config.c?r1=1374538&r2=1374537&pathrev=1374538
On Friday, 10 January 2014, 08:38:51, Jeff Trawick wrote:
[X] It is mandatory to provide best available description and any
available tracking information when committing fixes for
vulnerabilities to any branch, delaying committing of the fix if
the information shouldn't be provided yet.
On Monday, 30 December 2013, 19:50:53, minf...@apache.org wrote:
Author: minfrin
Date: Mon Dec 30 19:50:52 2013
New Revision: 1554300
URL: http://svn.apache.org/r1554300
Log:
core: Support named groups and backreferences within the
LocationMatch, DirectoryMatch, FilesMatch and
On Wednesday, 1 January 2014, 14:06:17, Graham Leggett wrote:
Maybe making ap_regname() accept an optional prefix string that
is
prepended to each name would be a good idea?
Maybe the use in LocationMatch and friends should add some
prefix to the names? Like m_ or match_ or m:?
On Monday, 30 December 2013, 16:48:51, Graham Leggett wrote:
I am currently struggling to turn mod_dav on. In theory, it is just
Dav on, but in practice I am getting a 405 Method Not Allowed in
response to PROPFIND, and nothing in the error_log to give a clue
that anything is wrong.
Having
Does anyone disagree with the below change (not yet merged to 2.x
branches)? There is a similar paragraph in howto/auth.xml that I
intend to remove.
--
Author: sf
Date: Mon Dec 30 16:49:31 2013
New Revision: 1554276
URL: http://svn.apache.org/r1554276
Log:
digest auth is only
On Monday, 30 December 2013, 19:04:53, Graham Leggett wrote:
The first is there is no way to switch mod_dir off - you add the
module that means on. If you need the module on in one virtual
host, but off in another you're stuffed.
Doesn't DirectoryIndex disabled do the trick?
On Monday, 30 December 2013, 18:11:56, Reindl Harald wrote:
On 30.12.2013 18:07, Graham Leggett wrote:
On 30 Dec 2013, at 6:58 PM, Stefan Fritsch s...@sfritsch.de wrote:
Does anyone disagree with the below change (not yet merged to 2.x
branches)? There is a similar paragraph in howto
be correct for anything logged from inside main.c. I'd say
yes.
There is r952783:
===
Author: Stefan Fritsch s...@apache.org
Date: Tue Jun 8 19:30:24 2010 +
remove APLOG_USE_MODULE from main.c:
It causes build problems on Windows and the ap_log* calls
Hi Rainer,
On Sunday, 17 November 2013, 12:47:53, Rainer Jung wrote:
URL: http://svn.apache.org/r1542615
Log:
Explicitly list in which directories to look for config*.m4 files.
--- httpd/httpd/trunk/build/config-stubs (original)
+++ httpd/httpd/trunk/build/config-stubs Sat Nov
On Tuesday, 12 November 2013, 13:33:23, Jan Kaluža wrote:
I think LDAPLibraryDebug is one user of stderr going to the error
log. As the logging is done by the ldap library, there is really
no way to change it. But I guess it would be acceptable if that
works only if logging to a file
On Tuesday, 12 November 2013, 23:44:08, Graham Leggett wrote:
On 12 Nov 2013, at 11:41 PM, William A. Rowe Jr. wrowe@rowe-
clan.net wrote:
Trying to apply
http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/log-message-tags/next-number?r1=1527925&r2=1527924&pathrev=1527925 ... there is
On Thu, 7 Nov 2013, Joe Orton wrote:
On Thu, Oct 17, 2013 at 12:33:50PM +, Plüm, Rüdiger, Vodafone Group wrote:
Hmm. This points out another issue when using an error log provider for the
main server log:
We lose everything that the server or other programs like CGI-scripts write
On Mon, 4 Nov 2013, Graham Leggett wrote:
Looking a little bit deeper, we find the following:
- The event MPM seems to want to perform write completion on the very
last filter in the chain only, which seems completely arbitrary - why
should another filter (like mod_ssl) be prevented from
On Mon, 14 Oct 2013, Jim Jagielski wrote:
On Oct 14, 2013, at 10:09 AM, Plüm, Rüdiger, Vodafone Group
ruediger.pl...@vodafone.com wrote:
Which one?
sock://var/run/server.sock|http://localhost/foo/bar
or
http://localhost/foo/bar|sock:/var/run.s.sock
I guess we could
On Saturday, 28 September 2013, 09:19:28, Eric Covener wrote:
I've come back to this because I've struggled in another area with
access_checker vs. access_checker_ex. I really think we need basic
access control outside of Require and Satisfy.
I have a copy of the Forbidden directive in
On Thursday, 15 August 2013, 02:36:25, Graham Leggett wrote:
On 14 Aug 2013, at 22:43, Stefan Fritsch s...@sfritsch.de wrote:
Unfortunately, I haven't been able to trigger the new code path in
mod_ssl being actually used. Do you have any example
setup/situation, where
On Thursday, 15 August 2013, 10:45:25, Graham Leggett wrote:
On 15 Aug 2013, at 09:56, Stefan Fritsch s...@sfritsch.de wrote:
I have understood that. But I would have liked to see the sense
code in action, but failed to trigger it. At least
t/ssl/pr12355.t in the test suite uses
On Tuesday, 6 August 2013, 10:24:15, Paul Querna wrote:
1) Disabling HTTP compression
2) Separating secrets from user input
3) Randomizing secrets per request
4) Masking secrets (effectively randomizing by XORing with a random
secret per request)
5) Protecting vulnerable pages with CSRF
On Mon, 5 Aug 2013, Graham Leggett wrote:
Are you seeing a specific problem?
Well, when I download a large file over a slow link, the request does not
enter write completion state but rather the worker thread is still hogged
for (nearly) the entire download.
The way openssl's async behaviour
On Monday, 5 August 2013, 09:57:16, Jim Jagielski wrote:
On Aug 5, 2013, at 4:00 AM, Stefan Fritsch s...@sfritsch.de wrote:
An ideal solution would put the buffering/decision for
blocking/non-blocking into ap_pass_brigade(). This way other
filters like deflate could also be called
Hi,
I did some testing/reviewing of the ssl/event backport proposal
* core, mod_ssl: Lift the restriction that prevents mod_ssl taking
full advantage of the event MPM. Enable the ability for a module
to reverse the sense of a poll event from a read to a write or
vice versa.
The
On Friday, 2 August 2013, 23:05:09, Ben Reser wrote:
If all of your authz/authn providers are using the CONF flag and
you're getting duplicated authz processing for subrequests that have
the same conf applied to them then it's possible there's a bug
here. I haven't ever specifically looked
On Friday, 2 August 2013, 11:21:56, Eric Covener wrote:
I think this does not work for GET requests or request without a
request body.
Just re-read spec, you are right -- we are abusing this in a module
as a sort of extended handshake even w/ no body, but not against
heterogenous
On Monday, 22 July 2013, 19:58:11, Steinar H. Gunderson wrote:
On Wed, Jul 10, 2013 at 03:07:56PM -0400, Jeff Trawick wrote:
I guess it seems to work in the earlier e-mail is the validation
that the API is sufficient for MPM-ITK.
I see that 2.4.6 has been released, with no mention of
Hi Lubomir,
On Friday 12 July 2013, Lubomir Rintel wrote:
I have submitted the follow-up patches adding SASL
authentication to LDAP modules. Some wise person on an IRC channel
suggested that I'm breaking API and it's a good idea to take this
to the list as an extra work might be needed.
On Thursday 11 July 2013, Jim Jagielski wrote:
The pre-release test tarballs for Apache httpd 2.4.5 can be found
at the usual place:
http://httpd.apache.org/dev/dist/
I'm calling a VOTE on releasing these as Apache httpd 2.4.5 GA.
NOTE: The -deps tarballs are included here *only* to
On Wednesday 10 July 2013, William A. Rowe Jr. wrote:
On Wed, 10 Jul 2013 21:18:06 +1000
Noel Butler noel.but...@ausics.net wrote:
on holiday with a dog slow 3G vpn tonight, so I'll be brief (and
wont see any replies until I return on Sunday...)
I have never agreed with any release
On Wednesday 10 July 2013, William A. Rowe Jr. wrote:
Jim Jagielski j...@jagunet.com wrote:
In any case, I *am* concerned that we seem to have quite a bit of
difficulty in getting 3 +1s a lot of the time and that the
backport process from trunk to 2.4 is becoming more and more
painful.
On Wednesday 10 July 2013, Steinar H. Gunderson wrote:
I don't like all that much having to duplicate the “official” hook
(in particular the ap_make_full_path() call), but I guess it's
better than what used to be there, and it's only two lines.
Yes, that's the price to pay for the more
On Sunday 07 July 2013, Daniel Lescohier wrote:
Another option:
typedef struct {
apr_uint32_t stamp;
apr_uint32_t counter;
apr_uint16_t stamp_fraction;
char root[ROOT_SIZE];
} unique_id_rec;
where ROOT_SIZE=8, and stamp_fraction is set on every request to
On Tuesday 09 July 2013, Joe Orton wrote:
On Tue, Jul 09, 2013 at 10:00:19AM +0200, Jan Kaluza wrote:
I agree 20 bytes could be too much. I have changed my patch to
have only 10 bytes long root. I will check the Daniel's ideas
mentioned in another mail in this thread and try to implement
On Sun, 7 Jul 2013, j...@apache.org wrote:
Author: jim
Date: Sun Jul 7 14:05:37 2013
New Revision: 1500437
URL: http://svn.apache.org/r1500437
Log:
conf-mutex is not used... Also, ensure that pool
use is protected
Modified:
httpd/httpd/trunk/modules/proxy/proxy_util.c
On Thursday 27 June 2013, Eric Covener wrote:
The venerable INFO level message:
core_output_filter: writing data to the network
Seems to be gone in 2.4 and not replaced with anything but %X in
the access log.
Should we be issuing _something_ every time c->aborted is set in
On Wednesday 26 June 2013, Jan Kaluža wrote:
currently mod_unique_id uses apr_gethostname(...) and PID pair as a
base to generate unique ID. The way how it's implemented brings
some problems:
1. For IPv6-only hosts it uses low-order bits of IPv6 address as if
they were unique, which is
On Wednesday 26 June 2013, Daniel Lescohier wrote:
When I looked into the ap random functions, I didn't like the
implementation, because I didn't see anywhere in the httpd codebase
that entropy is periodically added to the entropy pool. After
reading the details of how the Linux entropy pool
On Wed, 3 Jul 2013, Ruediger Pluem wrote:
s...@apache.org wrote:
Author: sf
Date: Tue Jul 2 11:26:41 2013
New Revision: 1498880
URL: http://svn.apache.org/r1498880
Log:
Replace pre_htaccess hook with more flexible open_htaccess hook
Modified:
httpd/httpd/trunk/CHANGES
Jim Jagielski j...@jagunet.com wrote:
I like the idea as well... The only issue I see is wondering
if/when we'll have the implementation.
On Jun 25, 2013, at 9:12 AM, Jeff Trawick traw...@gmail.com wrote:
On Sun, Jun 9, 2013 at 5:57 AM, Stefan Fritsch s...@sfritsch.de
wrote:
Hi,
first
On Tuesday 18 June 2013, Jim Jagielski wrote:
I will be removing this backport request, but I'd ask sf to
actually address his concerns by actually working on the code
instead of just blocking it for whatever reason.
That's not what I intended. I did not vote -1. The comments were meant
to
On Thursday 13 June 2013, Roy T. Fielding wrote:
On Jun 12, 2013, at 12:34 PM, s...@apache.org wrote:
Author: sf
Date: Wed Jun 12 19:34:19 2013
New Revision: 1492395
URL: http://svn.apache.org/r1492395
Log:
Actually use the secret when generating nonces.
This change may cause
On Friday 14 June 2013, Stefan Fritsch wrote:
Using a global pointer to an allocated pool variable is
not even remotely safe when that pool gets deallocated.
And a routine that gets called within .htaccess files is not an
appropriate place to set a server-wide value.
It's the process
Hi André,
I consider this a new vote and therefore have removed your -1. If you
still are -1, please add it to STATUS again.
On Friday 14 June 2013, s...@apache.org wrote:
Author: sf
Date: Fri Jun 14 21:07:19 2013
New Revision: 1493247
URL: http://svn.apache.org/r1493247
Log:
update
On Wednesday 12 June 2013, Jim Jagielski wrote:
2 backport proposals looking 4 3vote-luv
* skiplist: Add skiplist functionality
There doesn't seem to be any user of the skiplist than
register_timed_callback, and there doesn't seem to be any user of
register_timed_callback besides
On Tuesday 11 June 2013, André Malo wrote:
trunk patch: http://svn.apache.org/r1491155
2.4.x patch: trunk patch works
nd: why would you do that in a stable branch?
+ sf: Because it is only annoying and serves no purpose
anymore. If you + want, we can
On Wednesday 12 June 2013, William A. Rowe Jr. wrote:
On Wed, 12 Jun 2013 05:41:35 -0700 (PDT)
Petr Sumbera petr.sumb...@oracle.com wrote:
Hi guys,
shouldn't Apache 2.2 contain the same change which went for 2.4?
http://svn.apache.org/viewvc?view=revision&revision=1400962
In
On Wednesday 12 June 2013, William A. Rowe Jr. wrote:
In fact, the patch's docs text is wrong on the face of it;
Enabling compression causes security issues in most setups (the
so called +CRIME attack)
This is true of specific setups where the user agent simultaneously
shares a
On Monday 10 June 2013, Tim Bannister wrote:
On 10 Jun 2013, at 15:17, Graham Leggett minf...@sharp.fm wrote:
On 10 Jun 2013, at 3:35 PM, Eric Covener cove...@gmail.com
wrote:
I'd like to add an immutable Forbid directive to the core and
use it in some places in the default configuration
On Monday 10 June 2013, Plüm, Rüdiger, Vodafone Group wrote:
I'd like to add an immutable Forbid directive to the core and
use it in some places in the default configuration instead of
require all denied.
http://people.apache.org/~covener/forbid.diff
This protects from a
On Monday 10 June 2013, Eric Covener wrote:
Is there some historical or other reason that the location has
higher precedence that directory/files?
I don't know either, but I could imagine that it was just easier or
more efficient to implement in this order, considering things like
config walk
Hi,
first of all, sorry that it took me so long to review this.
The current pre_access hook is executed before opening the htaccess
and then can abort the request with a HTTP error code.
Wouldn't a hook for opening the htaccess file make more sense because
it would have more possible use
On Saturday 08 June 2013, Rainer Jung wrote:
I suggest to switch mod_lua in 2.4 to CTR mode.
[ ] +1: I support this proposal
+1
On Saturday 11 May 2013, Reindl Harald wrote:
https://issues.apache.org/bugzilla/show_bug.cgi?id=41270 is most
likely unrelated to the problem i see, but nobody and nothing
needs 30 seconds to complete a TCP connection, most requests
including the time of a php-script does not take more than
On Sat, 4 May 2013, Micha Lenk wrote:
I am pretty sure that this is a thread-unsafe pool usage.
create_proxy_config() puts the global config pool into
(proxy_server_conf)->pool. It is later (during request processing)
used all over the place without further locking. This must be a sub-
On Mon, 6 May 2013, Thomas Eckert wrote:
Based on Stefan's reply I replaced mod_proxy's config pool with a sub-pool
and wrapped a mutex around the pool usage. Basic testing went well but I
have to do some more thorough parallel testing.
Nice.
One thing which had me confused was the
On Thursday 02 May 2013, Thomas Eckert wrote:
Lately, I've been seeing httpd/mod_proxy seg faulting in reverse
proxy setups, frequency increasing.
I am pretty sure that this is a thread-unsafe pool usage.
create_proxy_config() puts the global config pool into
(proxy_server_conf)->pool. It is
On Wednesday 01 May 2013, Graham Leggett wrote:
Of course it might have an effect - the real important question is
will it have a useful effect.
A bot that gives up scanning a box that by definition isn't
vulnerable to that bot (thus the 404) doesn't achieve anything
useful, the bot failed
Hi,
On Thursday 18 April 2013, Igor Galić wrote:
From an IRC conversation in #httpd and #httpd-dev emerged the
idea to interpolate %{variables} in all directives.
According to sf we have somewhere a ~10 line code fragment
which does that without much overhead (not benchmarked) when
On Sunday 31 March 2013, Marion Christophe JAILLET wrote:
doc also has to be cleaned the same way.
The commit should not cause any user visible change. The relevant
config directives errored out with 'not implemented' before the commit
and still do.
The doc needs some work in any case, though.
On Sunday 31 March 2013, Marion Christophe JAILLET wrote:
there are 3 similar constructions in server/log.c
Thanks. Fixed
On 31/03/2013 22:13, s...@apache.org wrote:
Author: sf
Date: Sun Mar 31 20:13:48 2013
New Revision: 1463045
URL: http://svn.apache.org/r1463045
Log:
Hi Pascal,
On Tuesday 26 March 2013, Pascal Junod (Mailing Lists) wrote:
Dear Apache developers,
You might want to clean a bit the code of
modules/aaa/mod_auth_digest.c
This blog post
http://crypto.junod.info/2013/03/25/awakening-zombie-code-in-apache
-httpd/
explains why and
, Jim Jagielski j...@jagunet.com wrote:
On Mar 18, 2013, at 4:56 PM, Stefan Fritsch s...@sfritsch.de
wrote:
Alternatively,
mod_reqtimeout could offer an API to allow modules to disable
it. But I think that is the worse of the two solutions.
Actually, I think that's the most logical
On Tuesday 19 March 2013, Marion Christophe JAILLET wrote:
On 18/03/2013 22:43, Stefan Fritsch wrote:
On Thursday 14 March 2013, you wrote:
BTW, I tried to activate pool debug with using
--enable-pool-debug=all but the server crashes while starting on
my test machine.
Do
On Wednesday 06 March 2013, Micha Lenk wrote:
However, using mod_websocket from the mentioned Github location, I
discovered that it has timeout issues when mod_reqtimeout is loaded
too (unless request body timeouts are disabled). Apparently
mod_reqtimeout now enforces timeouts in
On Monday 18 March 2013, Graham Leggett wrote:
This code came from mod_auth_digest, which could probably also be
simplified:
Done, thanks.
On Thursday 14 March 2013, you wrote:
BTW, I tried to activate pool debug with using
--enable-pool-debug=all but the server crashes while starting on
my test machine.
Do you know if it is supposed to work (and I do something wrong) or
no one uses it with httpd ?
I am sure that I have used
Note that there is some macro magic in http_log.h that does this
automatically on C99 compilers. There is nothing wrong with doing the
check explicitly, and it is definitely a good idea if the saved function
call is very expensive. But in general other improvements may have more
impact and
On Monday 11 March 2013, Marion Christophe JAILLET wrote:
AFAIK, __attribute__ is gcc specific. What about non-gcc
compilers?
What might be a consequence of a compiler ignoring it (as MSVC
does), or will it break any other non-gcc compilers?
Gregg
I proposed it because there
On Fri, 8 Mar 2013, Daniel Gruno wrote:
On 03/08/2013 08:22 PM, Jim Jagielski wrote:
From what I can see, that's exactly what it does...
I plan on testing this weekend. Daniel, do you have any
testing suites you use?
I have some additions to the Perl framework we use, but that's mostly
for
On Tuesday 26 February 2013, Christophe JAILLET wrote:
My understanding is that:
- apr_brigade_[putc|puts|write...] try to reuse last bucket if
possible, avoiding memory allocation
- if needed (not enough space available, not allowed to write
in the last bucket), it creates a heap
[moving to dev@apr, please remove dev@httpd when replying]
On Wednesday 20 February 2013, Noel Butler wrote:
On Wed, 2013-02-20 at 01:07 -0600, William A. Rowe Jr. wrote:
Which remains my point... our current 2.4 and 2.2 candidates
should suffer the same flaw.
Confirmed, 2.2 candidate