[trafficserver] branch master updated (6d9d1ba -> d0adba9)
This is an automated email from the ASF dual-hosted git repository.

sudheerv pushed a change to branch master in repository https://gitbox.apache.org/repos/asf/trafficserver.git.

    from 6d9d1ba Update buffer-writer.en.rst (wrong header link) (#6934)
     add d0adba9 Prevent use-after-free of TransactionPlugin (#6937)

No new revisions were added by this update.

Summary of changes:
 include/tscpp/api/TransactionPlugin.h | 2 ++
 src/tscpp/api/TransactionPlugin.cc    | 6 ++
 src/tscpp/api/utils_internal.cc       | 16 ++--
 src/tscpp/api/utils_internal.h        | 2 +-
 4 files changed, 19 insertions(+), 7 deletions(-)
[trafficserver] branch 8.1.x updated: Updated ChangeLog
This is an automated email from the ASF dual-hosted git repository. zwoop pushed a commit to branch 8.1.x in repository https://gitbox.apache.org/repos/asf/trafficserver.git The following commit(s) were added to refs/heads/8.1.x by this push: new 5eb812a Updated ChangeLog 5eb812a is described below commit 5eb812a4a5e475c0f50d3ced701c1bf5227c72d1 Author: Leif Hedstrom AuthorDate: Tue Jun 23 14:56:31 2020 -0600 Updated ChangeLog --- CHANGELOG-8.1.0 | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG-8.1.0 b/CHANGELOG-8.1.0 index 8085dd4..7e18af5 100644 --- a/CHANGELOG-8.1.0 +++ b/CHANGELOG-8.1.0 @@ -189,6 +189,7 @@ Changes with Apache Traffic Server 8.1.0 #6708 - Adding logging fields for collapsed forwarding metrics #6711 - cache_range_request autests: make more robust and clean up. #6729 - Fix a bug that current_active_client_connections doesn't decrease + #6747 - Fix old MIMEHdr handling of HPACK #6750 - backports parent.config ignore_self_detect flag to 8.1.x #6753 - Fix HPACK Dynamic Table Cleanup #6756 - Correct `schedule_every_local` to schedule locally @@ -202,3 +203,4 @@ Changes with Apache Traffic Server 8.1.0 #6862 - Fix brotli plugin #6876 - Make Http2ClientSession inactive on EOS event #6885 - Revert 4028 for 8.1.x branch + #6936 - Fix rare SSN/TXN Start/Close Hook misorderings (#6364)
[trafficserver] branch 8.1.x updated: Fix rare SSN/TXN Start/Close Hook misorderings (#6364) (#6936)
This is an automated email from the ASF dual-hosted git repository. zwoop pushed a commit to branch 8.1.x in repository https://gitbox.apache.org/repos/asf/trafficserver.git The following commit(s) were added to refs/heads/8.1.x by this push: new 0912e18 Fix rare SSN/TXN Start/Close Hook misorderings (#6364) (#6936) 0912e18 is described below commit 0912e182a97a49b23af87c9ccdde159dbb5e86f8 Author: Masaori Koshiba AuthorDate: Wed Jun 24 05:50:23 2020 +0900 Fix rare SSN/TXN Start/Close Hook misorderings (#6364) (#6936) Cherry-pick 37cc7b82 for openclose_h2 AuTest. - without changes in test/gold_tests/ - without changes of removing `client_vc->do_io_close()` from `Http1ClientSession::do_io_close()` and `Http2ClientSession::do_io_close()`. Because it made a bunch of crashes. - Fix rare SSN/TXN Start/Close Hook misorderings - Fix h2spec test failure Co-authored-by: a-a-ron acan...@verizonmedia.com (cherry picked from commit 37cc7b82af19382cd56d4ad3e7ba393fc9f7bff0) Conflicts: proxy/ProxyClientSession.cc proxy/ProxySession.h proxy/http/HttpSM.cc proxy/http/Http1ClientSession.cc proxy/http2/Http2Stream.cc proxy/http2/Http2ClientSession.cc tests/gold_tests/continuations/openclose.test.py tests/gold_tests/continuations/openclose_h2.test.py tests/gold_tests/pluginTest/test_hooks/log.gold tests/gold_tests/pluginTest/test_hooks/test_hooks.test.py tests/tools/plugins/ssntxnorder_verify.cc --- proxy/ProxyClientSession.cc | 7 --- proxy/ProxyClientSession.h | 2 +- proxy/http/HttpSM.cc| 34 +- proxy/http/HttpSM.h | 4 ++-- proxy/http2/Http2ClientSession.cc | 2 +- proxy/http2/Http2ConnectionState.cc | 22 +++--- proxy/http2/Http2ConnectionState.h | 8 +++- proxy/http2/Http2Stream.cc | 6 +++--- 8 files changed, 50 insertions(+), 35 deletions(-) diff --git a/proxy/ProxyClientSession.cc b/proxy/ProxyClientSession.cc index 1fe9daa..44d8dca 100644 --- a/proxy/ProxyClientSession.cc +++ b/proxy/ProxyClientSession.cc 
@@ -130,7 +130,7 @@ ProxyClientSession::state_api_callout(int event, void *data) if (!schedule_event) { // Don't bother to schedule is there is already one out. schedule_event = mutex->thread_holding->schedule_in(this, HRTIME_MSECONDS(10)); } -return 0; +return -1; } } @@ -160,7 +160,7 @@ ProxyClientSession::state_api_callout(int event, void *data) return 0; } -void +int ProxyClientSession::do_api_callout(TSHttpHookID id) { ink_assert(id == TS_HTTP_SSN_START_HOOK || id == TS_HTTP_SSN_CLOSE_HOOK); @@ -171,10 +171,11 @@ ProxyClientSession::do_api_callout(TSHttpHookID id) if (this->hooks_on && this->has_hooks()) { SET_HANDLER(::state_api_callout); -this->state_api_callout(EVENT_NONE, nullptr); +return this->state_api_callout(EVENT_NONE, nullptr); } else { this->handle_api_return(TS_EVENT_HTTP_CONTINUE); } + return 0; } void diff --git a/proxy/ProxyClientSession.h b/proxy/ProxyClientSession.h index 76dc0c6..5e44262 100644 --- a/proxy/ProxyClientSession.h +++ b/proxy/ProxyClientSession.h @@ -159,7 +159,7 @@ public: } // Initiate an API hook invocation. - void do_api_callout(TSHttpHookID id); + int do_api_callout(TSHttpHookID id); // Override if your session protocol allows this. virtual bool diff --git a/proxy/http/HttpSM.cc b/proxy/http/HttpSM.cc index 13b4f7d..56e5e0e 100644 --- a/proxy/http/HttpSM.cc +++ b/proxy/http/HttpSM.cc @@ -333,13 +333,14 @@ HttpSM::set_ua_half_close_flag() ua_txn->set_half_close_flag(true); } -inline void +inline int HttpSM::do_api_callout() { if (hooks_set) { -do_api_callout_internal(); +return do_api_callout_internal(); } else { handle_api_return(); +return 0; } } 
@@ -365,7 +366,16 @@ HttpSM::state_add_to_list(int event, void * /* data ATS_UNUSED */) } t_state.api_next_action = HttpTransact::SM_ACTION_API_SM_START; - do_api_callout(); + if (do_api_callout() < 0) { +// Didn't get the hook continuation lock. Clear the read and wait for next event +if (ua_entry->read_vio) { + // Seems like ua_entry->read_vio->disable(); should work, but that was + // not sufficient to stop the state machine from processing IO events until the + // TXN_START hooks had completed + ua_entry->read_vio = ua_entry->vc->do_io_read(nullptr, 0, nullptr); +} +return EVENT_CONT; + } return EVENT_DONE; } @@ -519,6 +529,7 @@ HttpSM::attach_client_session(ProxyClientTransaction *client_vc, IOBufferReader ++reentrancy_count; // Add our state sm to the sm list state_add_to_list(EVENT_NONE, nullptr); + // This is another external entry point and it is possible for
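Review bot: in ProxyClientSession.h the declaration `int do_api_callout(TSHttpHookID id);` still carries only the comment "Initiate an API hook invocation", so the new return contract is undocumented. The .cc hunks make `state_api_callout` return -1 on the path that reschedules with `schedule_in(this, HRTIME_MSECONDS(10))` and 0 otherwise; state that in the header comment, and consider a named constant in place of the bare -1, since the same sign convention is tested as `do_api_callout() < 0` in HttpSM.cc.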
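Review bot: in HttpSM::state_add_to_list, the `do_api_callout() < 0` branch replaces the client read with `ua_entry->vc->do_io_read(nullptr, 0, nullptr)` and returns EVENT_CONT, but nothing in the visible hunk shows where the read is set up again once the TXN_START hooks have completed. Name the place that re-arms it in the comment, because a transaction whose read stays cancelled would stop making progress. The comment also says `ua_entry->read_vio->disable()` "should work" but was not sufficient; record the reason or an issue reference so the workaround can be revisited.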
[trafficserver] branch 9.0.x updated: Updated ChangeLog
This is an automated email from the ASF dual-hosted git repository. zwoop pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/trafficserver.git The following commit(s) were added to refs/heads/9.0.x by this push: new 18f8669 Updated ChangeLog 18f8669 is described below commit 18f86698227b21118baaabcd5b39f86f4edd4a2d Author: Leif Hedstrom AuthorDate: Tue Jun 23 14:49:03 2020 -0600 Updated ChangeLog --- CHANGELOG-9.0.0 | 17 - 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/CHANGELOG-9.0.0 b/CHANGELOG-9.0.0 index 5e96621..9ac68dc 100644 --- a/CHANGELOG-9.0.0 +++ b/CHANGELOG-9.0.0 @@ -656,6 +656,7 @@ Changes with Apache Traffic Server 9.0.0 #5906 - Cleanup: unifdef TRACK_BUFFER_USER #5907 - Fix macOS build #5908 - ProxySession cleanup: moving inline functions to .h + #5917 - Make compress plugin normalization of Accept-Encoding header compatible with normalization in core TS. #5919 - Rearrange config reload notifications #5922 - Make code buildable with BoringSSL #5926 - Fix AuTest for HTTP/2 using httpbin @@ -851,6 +852,7 @@ Changes with Apache Traffic Server 9.0.0 #6493 - Make all_headers test more resilient to timing #6500 - traffic_dump: Make the client-request node gathered in a global hook #6501 - Remove method that does nothing. + #6502 - Change Proxy Header Regression tests into Catch unit tests. #6508 - Include start line of HTTP messages in xdebug probe output. #6513 - Moves hosting.config finished loading message outside of parsing loop #6516 - Fix SDK_API_TSSslServerContextCreate 
@@ -906,7 +908,6 @@ Changes with Apache Traffic Server 9.0.0 #6700 - traffic_dump: add nullptr check for sni string #6701 - slice plugin: add --include-regex, --exclude-regex parameters #6704 - Removes ATS version from gold files - #6711 - cache_range_request autests: make more robust and clean up. #6714 - Add Access log fields for ProxyProtocol Context #6717 - Fixup .gitignores to match repo reality #6718 - gcc10: fixed warning about returning local variable in int64_to_str() @@ -914,6 +915,7 @@ Changes with Apache Traffic Server 9.0.0 #6727 - traffic_dump: add tls information to dump. #6730 - Add HttpTransact::get_max_age and TSHttpTxnGetMaxAge #6731 - Fix g++ 10 compile errors. + #6733 - Various python fixes #6734 - Update expired test certificates for cert_update #6735 - Remove unused index for SSL application specific data #6736 - Generalize callbacks for TLS session resumption @@ -926,6 +928,7 @@ Changes with Apache Traffic Server 9.0.0 #6755 - Add metrics to track default inactivity timed out connections #6757 - ASAN: Fixed one definition rule violation #6758 - Fix set manipulation in dual cert resolution + #6759 - Promote netvc to ProxySession #6760 - Do not fail multicert load if line does not create entry #6768 - clang-analyzer: Fix dead nested assignment issues #6770 - Weird characters in debug message @@ -933,6 +936,7 @@ Changes with Apache Traffic Server 9.0.0 #6774 - Fixed `AddressSanitizer: odr-violation` #6781 - 1. Set a non-zero default value for TLS Client Handshake Timeout #6789 - Adding HTTP Status code 451 for Unavailable For Legal Reasons (RFC 7725) + #6794 - Remove whitespace from header field name in http response due to RFC7230:3.2.4 (#6793) #6797 - Adding HTTP status 451 in apidefs as well (See PR#6789) #6798 - clang-analyzer: uninitialized va_list #6800 - Add TXN_CLOSE hook to CPPAPI TransactionPlugin 
@@ -965,4 +969,15 @@ Changes with Apache Traffic Server 9.0.0 #6884 - microserver error handling: SSLError check and debug. #6891 - Make h2spec test more resiliant by extending timeout #6892 - Fix compiler issue with ICC 19.1 + #6896 - Fix dual_cert_select test to run with older openssl binary #6898 - set sni_name with remapped origin name if sni_policy is not the default value + #6903 - Disable max_connections_active_in default and fix close logic + #6906 - Make QPACK.h self-contained + #6915 - Make compress Au test less flakey. + #6916 - Ensure read_avail is set for the first non-empty block + #6917 - Disable lua_stats autest until we can reliably wait for stats + #6918 - example: Move to blocklists and allowlists + #6920 - Removes SSLNetVConnection::sslContextSet + #6923 - Fixed bug in the calculation of the header block fragment length + #6925 - Prevent stale netvc access on SSL Callbacks + #6929 - build: Require OCSP headers for OCSP-enablement
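Review bot: the hunk at -906,7 deletes the entry `#6711 - cache_range_request autests: make more robust and clean up.`, while every other hunk in this patch only adds entries and the commit message says just "Updated ChangeLog". Say in the message why #6711 is dropped from CHANGELOG-9.0.0 so the removal is not mistaken for a merge slip.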
[trafficserver] branch 9.0.x updated (40135f7 -> eecc5d2)
This is an automated email from the ASF dual-hosted git repository.

zwoop pushed a change to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/trafficserver.git.

    from 40135f7 Disable lua_stats autest until we can reliably wait for stats
     new 629c72f Charge Proxy Header Regression tests into Catch unit tests.
     new eecc5d2 We should remove whitespace from fieldname in http response due to RFC7230:3.2.4(#6793)

The 2 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference.

Summary of changes:
 .gitignore                             |    1 +
 include/tscore/Regression.h            |    2 -
 proxy/hdrs/HTTP.cc                     |   12 +-
 proxy/hdrs/HdrTest.cc                  | 2191
 proxy/hdrs/HdrTest.h                   |   77 --
 proxy/hdrs/MIME.cc                     |    9 +-
 proxy/hdrs/MIME.h                      |    9 +-
 proxy/hdrs/Makefile.am                 |    6 -
 proxy/hdrs/unit_tests/test_HdrUtils.cc |    6 +-
 proxy/hdrs/unit_tests/test_Hdrs.cc     | 1920 +++-
 src/traffic_server/InkAPI.cc           |    3 +-
 src/traffic_server/traffic_server.cc   |   15 -
 12 files changed, 1943 insertions(+), 2308 deletions(-)
 delete mode 100644 proxy/hdrs/HdrTest.cc
 delete mode 100644 proxy/hdrs/HdrTest.h
[trafficserver] 01/02: Charge Proxy Header Regression tests into Catch unit tests.
This is an automated email from the ASF dual-hosted git repository. zwoop pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/trafficserver.git commit 629c72f08714730c9c3a4b93d7b5fa10f9f120ff Author: Walter Karas AuthorDate: Tue Mar 10 18:43:12 2020 -0500 Charge Proxy Header Regression tests into Catch unit tests. (cherry picked from commit 4228868a365d9774740cd153ed107768239352d3) --- .gitignore |1 + include/tscore/Regression.h |2 - proxy/hdrs/HdrTest.cc| 2191 -- proxy/hdrs/HdrTest.h | 77 -- proxy/hdrs/Makefile.am |6 - proxy/hdrs/unit_tests/test_Hdrs.cc | 1920 - src/traffic_server/traffic_server.cc | 15 - 7 files changed, 1920 insertions(+), 2292 deletions(-) diff --git a/.gitignore b/.gitignore index 20c2bfa..b9563ec 100644 --- a/.gitignore +++ b/.gitignore @@ -123,6 +123,7 @@ proxy/http3/test_libhttp3 proxy/http3/test_qpack proxy/logging/test_LogUtils proxy/logging/test_LogUtils2 +proxy/logging/test_RolledLogDeleter plugins/header_rewrite/header_rewrite_test plugins/experimental/cookie_remap/test_cookiejar diff --git a/include/tscore/Regression.h b/include/tscore/Regression.h index e34a497..8ebbe8c 100644 --- a/include/tscore/Regression.h +++ b/include/tscore/Regression.h @@ -54,8 +54,6 @@ #define REGRESSION_TEST_QUICK 1 #define REGRESSION_TEST_NIGHTLY 2 #define REGRESSION_TEST_EXTENDED 3 -// use only for testing TS error handling! -#define REGRESSION_TEST_FATAL 4 // regression options #define REGRESSION_OPT_EXCLUSIVE (1 << 0) diff --git a/proxy/hdrs/HdrTest.cc b/proxy/hdrs/HdrTest.cc deleted file mode 100644 index 4678416..000 --- a/proxy/hdrs/HdrTest.cc +++ /dev/null 
@@ -1,2191 +0,0 @@ -/** @file - - A brief file description - - @section license License - - Licensed to the Apache Software Foundation (ASF) under one - or more contributor license agreements. See the NOTICE file - distributed with this work for additional information - regarding copyright ownership. The ASF licenses this file - to you under the Apache License, Version 2.0 (the - "License"); you may not use this file except in compliance - with the License. You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. - */ - -/ - - HdrTest.cc - - Description: - Unit test code for sanity checking the header system is functioning - properly - - - / - -#include "tscore/ink_platform.h" -#include "tscore/ink_memory.h" -#include "tscore/ink_time.h" - -#include "tscore/Arena.h" -#include "HTTP.h" -#include "MIME.h" -#include "tscore/Regex.h" -#include "URL.h" -#include "HttpCompat.h" - -#include "HdrTest.h" - -// -// Main Test Driver // -// - -int -HdrTest::go(RegressionTest *t, int /* atype ATS_UNUSED */) -{ - HdrTest::rtest = t; - int status = 1; - - hdrtoken_init(); - url_init(); - mime_init(); - http_init(); - - status = status & test_http_hdr_print_and_copy(); - status = status & test_comma_vals(); - status = status & test_parse_comma_list(); - status = status & test_set_comma_vals(); - status = status & test_delete_comma_vals(); - status = status & test_extend_comma_vals(); - status = status & test_insert_comma_vals(); - status = status & test_accept_language_match(); - status = status & test_accept_charset_match(); - status = status & test_parse_date(); - status = status & test_format_date(); - status = status & test_url(); - 
status = status & test_arena(); - status = status & test_regex(); - status = status & test_http_mutation(); - status = status & test_mime(); - status = status & test_http(); - - return (status ? REGRESSION_TEST_PASSED : REGRESSION_TEST_FAILED); -} - - -// Individual Tests --- return 1 on success, 0 on failure // - - -int -HdrTest::test_parse_date() -{ - static struct { -const char *fast; -const char *slow; - } dates[] = { -{"Sun, 06 Nov 1994 08:49:37 GMT", "Sunday, 06-Nov-1994 08:49:37 GMT"}, -{"Mon, 07 Nov 1994 08:49:37 GMT", "Monday, 07-Nov-1994 08:49:37 GMT"}, -{"Tue, 08 Nov 1994 08:49:37 GMT", "Tuesday, 08-Nov-1994 08:49:37 GMT"}, -{"Wed, 09 Nov 1994 08:49:37 GMT", "Wednesday, 09-Nov-1994 08:49:37 GMT"}, -{"Thu, 10 Nov 1994 08:49:37 GMT",
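Review bot: the .gitignore hunk adds `proxy/logging/test_RolledLogDeleter`, a logging test binary that has nothing to do with moving the proxy header regression tests to Catch. If it came along with the cherry-pick, split it out or mention it in the commit message.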
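Review bot: removing `#define REGRESSION_TEST_FATAL 4` from Regression.h is safe only if nothing else references it. The diffstat shows traffic_server.cc losing 15 lines, so confirm that was the last user and that no plugin or other test still passes this level.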
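Review bot: the deleted `HdrTest::go` chained every sub-test into one status (`status = status & test_http_hdr_print_and_copy();` through `status = status & test_http();`), so the conversion should be checked name by name against test_Hdrs.cc. With 2191 lines removed and 1920 added, list in the commit message any sub-test that was dropped on purpose rather than ported.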
[trafficserver] 02/02: We should remove whitespace from fieldname in http response due to RFC7230:3.2.4(#6793)
This is an automated email from the ASF dual-hosted git repository. zwoop pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/trafficserver.git commit eecc5d271795a006d00af074eadb931e18c53622 Author: yangjian AuthorDate: Fri May 15 16:49:32 2020 +0800 We should remove whitespace from fieldname in http response due to RFC7230:3.2.4(#6793) (cherry picked from commit b13e348778845dd9aa08bd0fd872190897c8c0f7) --- proxy/hdrs/HTTP.cc | 12 ++-- proxy/hdrs/MIME.cc | 9 +++-- proxy/hdrs/MIME.h | 9 + proxy/hdrs/unit_tests/test_HdrUtils.cc | 6 +++--- proxy/hdrs/unit_tests/test_Hdrs.cc | 2 +- src/traffic_server/InkAPI.cc | 3 ++- 6 files changed, 24 insertions(+), 17 deletions(-) diff --git a/proxy/hdrs/HTTP.cc b/proxy/hdrs/HTTP.cc index 7f0dc82..c557172 100644 --- a/proxy/hdrs/HTTP.cc +++ b/proxy/hdrs/HTTP.cc @@ -959,8 +959,8 @@ http_parser_parse_req(HTTPParser *parser, HdrHeap *heap, HTTPHdrImpl *hh, const return PARSE_RESULT_ERROR; } - ParseResult ret = -mime_parser_parse(>m_mime_parser, heap, hh->m_fields_impl, start, end, must_copy_strings, eof, max_hdr_field_size); + ParseResult ret = mime_parser_parse(>m_mime_parser, heap, hh->m_fields_impl, start, end, must_copy_strings, eof, + false, max_hdr_field_size); // If we're done with the main parse do some validation if (ret == PARSE_RESULT_DONE) { ret = validate_hdr_host(hh); // check HOST header @@ -1116,8 +1116,8 @@ http_parser_parse_req(HTTPParser *parser, HdrHeap *heap, HTTPHdrImpl *hh, const parser->m_parsing_http = false; } - ParseResult ret = -mime_parser_parse(>m_mime_parser, heap, hh->m_fields_impl, start, end, must_copy_strings, eof, max_hdr_field_size); + ParseResult ret = mime_parser_parse(>m_mime_parser, heap, hh->m_fields_impl, start, end, must_copy_strings, eof, false, + max_hdr_field_size); // If we're done with the main parse do some validation if (ret == PARSE_RESULT_DONE) { ret = validate_hdr_host(hh); // check HOST header 
@@ -1287,7 +1287,7 @@ http_parser_parse_resp(HTTPParser *parser, HdrHeap *heap, HTTPHdrImpl *hh, const end= real_end; parser->m_parsing_http = false; - return mime_parser_parse(>m_mime_parser, heap, hh->m_fields_impl, start, end, must_copy_strings, eof); + return mime_parser_parse(>m_mime_parser, heap, hh->m_fields_impl, start, end, must_copy_strings, eof, true); } #endif @@ -1403,7 +1403,7 @@ http_parser_parse_resp(HTTPParser *parser, HdrHeap *heap, HTTPHdrImpl *hh, const parser->m_parsing_http = false; } - return mime_parser_parse(>m_mime_parser, heap, hh->m_fields_impl, start, end, must_copy_strings, eof); + return mime_parser_parse(>m_mime_parser, heap, hh->m_fields_impl, start, end, must_copy_strings, eof, true); } /*- diff --git a/proxy/hdrs/MIME.cc b/proxy/hdrs/MIME.cc index a3024dc..db3cdd7 100644 --- a/proxy/hdrs/MIME.cc +++ b/proxy/hdrs/MIME.cc @@ -2512,7 +2512,7 @@ mime_parser_clear(MIMEParser *parser) ParseResult mime_parser_parse(MIMEParser *parser, HdrHeap *heap, MIMEHdrImpl *mh, const char **real_s, const char *real_e, - bool must_copy_strings, bool eof, size_t max_hdr_field_size) + bool must_copy_strings, bool eof, bool remove_ws_from_field_name, size_t max_hdr_field_size) { ParseResult err; bool line_is_real; @@ -2572,8 +2572,13 @@ mime_parser_parse(MIMEParser *parser, HdrHeap *heap, MIMEHdrImpl *mh, const char // server MUST reject any received request message that contains // whitespace between a header field-name and colon with a response code // of 400 (Bad Request). +// A proxy MUST remove any such whitespace from a response message before +// fowarding the message downstream. if (is_ws(field_name.back())) { - return PARSE_RESULT_ERROR; + if (!remove_ws_from_field_name) { +return PARSE_RESULT_ERROR; + } + field_name.rtrim_if(::is_ws); } // find value first diff --git a/proxy/hdrs/MIME.h b/proxy/hdrs/MIME.h index a1e9dbc..b15d665 100644 --- a/proxy/hdrs/MIME.h +++ b/proxy/hdrs/MIME.h 
@@ -761,7 +761,7 @@ void mime_field_value_append(HdrHeap *heap, MIMEHdrImpl *mh, MIMEField *field, c void mime_parser_init(MIMEParser *parser); void mime_parser_clear(MIMEParser *parser); ParseResult mime_parser_parse(MIMEParser *parser, HdrHeap *heap, MIMEHdrImpl *mh, const char **real_s, const char *real_e, - bool must_copy_strings, bool eof, size_t max_hdr_field_size = 131070); + bool must_copy_strings, bool eof, bool remove_ws_from_field_name, size_t max_hdr_field_size = 131070);
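Review bot: in MIME.h the new `bool remove_ws_from_field_name` is inserted ahead of the defaulted `size_t max_hdr_field_size = 131070`, so a caller that still passes a size as the eighth argument compiles cleanly, with the size converted to `true` and the limit reset to its default. On a request parse path that would turn the rejection required for whitespace before the colon into silent trimming. Audit every call site (the diffstat lists InkAPI.cc and the unit tests), and consider a small enum instead of a bare bool so a stale call fails to compile.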
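Review bot: in the MIME.cc hunk, `field_name.rtrim_if(::is_ws)` can leave an empty field name when a response line has only whitespace before the colon, and the visible lines show no check for that before the "find value first" step. Reject or skip the line in that case, and add a unit test for it. The added comment also misspells "forwarding" as "fowarding".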
[trafficserver] branch 9.0.x updated: Disable lua_stats autest until we can reliably wait for stats
This is an automated email from the ASF dual-hosted git repository. zwoop pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/trafficserver.git The following commit(s) were added to refs/heads/9.0.x by this push: new 40135f7 Disable lua_stats autest until we can reliably wait for stats 40135f7 is described below commit 40135f764bccee7146ec11ee7130231074262c34 Author: Susan Hinrichs AuthorDate: Thu Jun 18 15:34:22 2020 + Disable lua_stats autest until we can reliably wait for stats (cherry picked from commit 2f645db0b838317d542f1696ab2df8c4d19cb94a) --- tests/gold_tests/pluginTest/lua/lua_states_stats.test.py | 1 + 1 file changed, 1 insertion(+) diff --git a/tests/gold_tests/pluginTest/lua/lua_states_stats.test.py b/tests/gold_tests/pluginTest/lua/lua_states_stats.test.py index 90c04bc..a17182d 100644 --- a/tests/gold_tests/pluginTest/lua/lua_states_stats.test.py +++ b/tests/gold_tests/pluginTest/lua/lua_states_stats.test.py @@ -24,6 +24,7 @@ Test lua states and stats functionality Test.SkipUnless( Condition.PluginExists('tslua.so'), ) +Test.SkipIf(Condition.true("Test cannot deterministically wait until the stats appear")) Test.ContinueOnFail = True # Define default ATS
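Review bot: `Test.SkipIf(Condition.true(...))` in lua_states_stats.test.py disables the test unconditionally, and neither the reason string nor the commit message names an issue that tracks re-enabling it. Put the issue reference in the string so the skip does not become permanent.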
[trafficserver] branch 9.0.x updated: Removes SSLNetVConnection::sslContextSet
This is an automated email from the ASF dual-hosted git repository. zwoop pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/trafficserver.git The following commit(s) were added to refs/heads/9.0.x by this push: new a969312 Removes SSLNetVConnection::sslContextSet a969312 is described below commit a969312ad5a1facfc65696c7b05a760ee1b173ca Author: Randall Meyer AuthorDate: Thu Jun 18 10:47:21 2020 -0700 Removes SSLNetVConnection::sslContextSet This was introduced in 044da6999442449434b282d8b537d8858505bbfc but was never used (cherry picked from commit fcbcd73f86b7d3835e632e4f26579efda9f51a17) --- iocore/net/P_SSLNetVConnection.h | 4 iocore/net/SSLNetVConnection.cc | 12 2 files changed, 16 deletions(-) diff --git a/iocore/net/P_SSLNetVConnection.h b/iocore/net/P_SSLNetVConnection.h index 4e63e63..8f09590 100644 --- a/iocore/net/P_SSLNetVConnection.h +++ b/iocore/net/P_SSLNetVConnection.h @@ -177,10 +177,6 @@ public: /// Reenable the VC after a pre-accept or SNI hook is called. virtual void reenable(NetHandler *nh, int event = TS_EVENT_CONTINUE); - /// Set the SSL context. - /// @note This must be called after the SSL endpoint has been created. - virtual bool sslContextSet(void *ctx); - int64_t read_raw_data(); void diff --git a/iocore/net/SSLNetVConnection.cc b/iocore/net/SSLNetVConnection.cc index 405158f..5209a93 100644 --- a/iocore/net/SSLNetVConnection.cc +++ b/iocore/net/SSLNetVConnection.cc @@ -1652,18 +1652,6 @@ SSLNetVConnection::reenable(NetHandler *nh, int event) } bool -SSLNetVConnection::sslContextSet(void *ctx) -{ - bool zret = true; - if (ssl) { -SSL_set_SSL_CTX(ssl, static_cast(ctx)); - } else { -zret = false; - } - return zret; -} - -bool SSLNetVConnection::callHooks(TSEvent eventId) { // Only dealing with the SNI/CERT hook so far.
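Review bot: The declaration removed from P_SSLNetVConnection.h was virtual, so "never used" has to cover overrides as well as callers; confirm that no class derived from SSLNetVConnection overrides sslContextSet, since such an override would either stop being one silently or fail to build, depending on whether it is marked override.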
[trafficserver] branch 9.0.x updated: Ensure read_avail is set for the first non-empty block (#6916)
This is an automated email from the ASF dual-hosted git repository. zwoop pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/trafficserver.git The following commit(s) were added to refs/heads/9.0.x by this push: new d1ee5ed Ensure read_avail is set for the first non-empty block (#6916) d1ee5ed is described below commit d1ee5ed6b717d1833860c26ebeb1b99a2dd3f7d4 Author: Sudheer Vinukonda AuthorDate: Thu Jun 18 14:42:49 2020 -0700 Ensure read_avail is set for the first non-empty block (#6916) Also add defense to prevent Heap buffer overflow (from ASAN report in prod) (cherry picked from commit f214fcfc6861706d0881abe4983a9ab8630f07f7) --- src/traffic_server/FetchSM.cc | 14 +++--- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/src/traffic_server/FetchSM.cc b/src/traffic_server/FetchSM.cc index f682311..0cb2919 100644 --- a/src/traffic_server/FetchSM.cc +++ b/src/traffic_server/FetchSM.cc @@ -367,6 +367,10 @@ FetchSM::get_info_from_buffer(IOBufferReader *reader) return; } + /* Read the data out of the reader */ + if (reader->block != NULL) +reader->skip_empty_blocks(); + read_avail = reader->read_avail(); Debug(DEBUG_TAG, "[%s] total avail %" PRId64, __FUNCTION__, read_avail); if (!read_avail) { @@ -377,10 +381,6 @@ FetchSM::get_info_from_buffer(IOBufferReader *reader) info= (char *)ats_malloc(sizeof(char) * (read_avail + 1)); client_response = info; - /* Read the data out of the reader */ - if (reader->block != NULL) -reader->skip_empty_blocks(); - blk = reader->block.get(); // This is the equivalent of TSIOBufferBlockReadStart() @@ -391,7 +391,7 @@ FetchSM::get_info_from_buffer(IOBufferReader *reader) int bytes_used = 0; header_done= 1; if (client_response_hdr.parse_resp(_parser, reader, _used, 0) == PARSE_RESULT_DONE) { - if (bytes_used > 0) { + if ((bytes_used > 0) && (bytes_used <= read_avail)) { memcpy(info, buf, bytes_used); info += bytes_used; client_bytes += bytes_used; 
@@ -418,7 +418,7 @@ FetchSM::get_info_from_buffer(IOBufferReader *reader) buf = blk->start() + reader->start_offset; read_done = blk->read_avail() - reader->start_offset; - if (read_done > 0) { + if ((read_done > 0) && ((read_done <= read_avail))) { memcpy(info, buf, read_done); reader->consume(read_done); read_avail -= read_done; @@ -453,7 +453,7 @@ FetchSM::get_info_from_buffer(IOBufferReader *reader) buf = blk->start() + reader->start_offset; read_done = blk->read_avail() - reader->start_offset; - if (read_done > 0) { + if ((read_done > 0) && (read_done <= read_avail)) { memcpy(info, buf, read_done); reader->consume(read_done); read_avail -= read_done;
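Review bot: In the -367 hunk of FetchSM::get_info_from_buffer, the comment "Read the data out of the reader" has been moved together with the skip_empty_blocks() call, but at its new position it sits above code that only skips empty blocks and measures read_avail. Reword it to say why the skip has to happen before read_avail() is taken, which is the point of the fix. The moved if also has no braces and compares against NULL rather than nullptr.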
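Review bot: With the new bound bytes_used <= read_avail in the -391 hunk, an oversized bytes_used now skips the memcpy silently; nothing in the visible lines logs or reports the condition. Since the commit message says this defends against an ASAN report from production, an Error or Debug line carrying both values in the failing case would make a recurrence diagnosable.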
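Review bot: In the -418 and -453 hunks, reader->consume(read_done) and read_avail -= read_done sit inside the guarded branch, so when read_done exceeds read_avail neither runs; check that the enclosing code still advances or exits in that case rather than revisiting the same block. The -418 condition also carries a stray pair of parentheses, ((read_done <= read_avail)), which the -453 copy does not.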
[trafficserver] branch 8.1.x updated: Fix old MIMEHdr handling of HPACK
This is an automated email from the ASF dual-hosted git repository. zwoop pushed a commit to branch 8.1.x in repository https://gitbox.apache.org/repos/asf/trafficserver.git The following commit(s) were added to refs/heads/8.1.x by this push: new ae4bf85 Fix old MIMEHdr handling of HPACK ae4bf85 is described below commit ae4bf85dc5086667e505bc270ff61c0dde0d68ad Author: Masaori Koshiba AuthorDate: Fri May 8 12:27:44 2020 +0900 Fix old MIMEHdr handling of HPACK 1. Clear all MIMEFields from old MIMEHdr when new entry is larger than the maximum size 2. Delete MIMEFields from old MIMEHdr on eviction (cherry picked from commit c2d6405b19a7b3234b74221f281f687955da81bd) --- proxy/http2/HPACK.cc | 16 +++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/proxy/http2/HPACK.cc b/proxy/http2/HPACK.cc index 97a2626..774ed2e 100644 --- a/proxy/http2/HPACK.cc +++ b/proxy/http2/HPACK.cc @@ -372,6 +372,14 @@ HpackDynamicTable::add_header_field(const MIMEField *field) // table causes the table to be emptied of all existing entries. this->_headers.clear(); this->_mhdr->fields_clear(); + +if (this->_mhdr_old) { + this->_mhdr_old->fields_clear(); + this->_mhdr_old->destroy(); + delete this->_mhdr_old; + this->_mhdr_old = nullptr; +} + this->_current_size = 0; } else { this->_current_size += header_size; @@ -430,7 +438,13 @@ HpackDynamicTable::_evict_overflowed_entries() (*h)->value_get(_len); this->_current_size -= ADDITIONAL_OCTETS + name_len + value_len; -this->_mhdr->field_delete(*h, false); + +if (this->_mhdr_old && this->_mhdr_old->fields_count() != 0) { + this->_mhdr_old->field_delete(*h, false); +} else { + this->_mhdr->field_delete(*h, false); +} + this->_headers.pop_back(); if (this->_current_size <= this->_maximum_size) {
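Review bot: In _evict_overflowed_entries the header to delete from is chosen by whether _mhdr_old still has fields, not by which MIMEHdr actually owns *h, so the branch is correct only if every entry at the back of _headers lives in _mhdr_old until that header is empty. State that invariant in a comment or assert it. Note also that once _mhdr_old has been emptied here it is not destroyed, unlike in the add_header_field hunk.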
[trafficserver] branch 9.0.x updated: Fix old MIMEHdr handling of HPACK
This is an automated email from the ASF dual-hosted git repository. zwoop pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/trafficserver.git The following commit(s) were added to refs/heads/9.0.x by this push: new edfa82d Fix old MIMEHdr handling of HPACK edfa82d is described below commit edfa82d740b6adac67f972636ff4e1ce2b4c2629 Author: Masaori Koshiba AuthorDate: Fri May 8 12:27:44 2020 +0900 Fix old MIMEHdr handling of HPACK 1. Clear all MIMEFields from old MIMEHdr when new entry is larger than the maximum size 2. Delete MIMEFields from old MIMEHdr on eviction (cherry picked from commit c2d6405b19a7b3234b74221f281f687955da81bd) --- proxy/http2/HPACK.cc | 16 +++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/proxy/http2/HPACK.cc b/proxy/http2/HPACK.cc index 4ed3ba7..2680600 100644 --- a/proxy/http2/HPACK.cc +++ b/proxy/http2/HPACK.cc @@ -372,6 +372,14 @@ HpackDynamicTable::add_header_field(const MIMEField *field) // table causes the table to be emptied of all existing entries. this->_headers.clear(); this->_mhdr->fields_clear(); + +if (this->_mhdr_old) { + this->_mhdr_old->fields_clear(); + this->_mhdr_old->destroy(); + delete this->_mhdr_old; + this->_mhdr_old = nullptr; +} + this->_current_size = 0; } else { this->_current_size += header_size; @@ -430,7 +438,13 @@ HpackDynamicTable::_evict_overflowed_entries() (*h)->value_get(_len); this->_current_size -= ADDITIONAL_OCTETS + name_len + value_len; -this->_mhdr->field_delete(*h, false); + +if (this->_mhdr_old && this->_mhdr_old->fields_count() != 0) { + this->_mhdr_old->field_delete(*h, false); +} else { + this->_mhdr->field_delete(*h, false); +} + this->_headers.pop_back(); if (this->_current_size <= this->_maximum_size) {
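Review bot: The teardown added to add_header_field (fields_clear, destroy, delete, then nullptr) manages _mhdr_old by hand in the middle of the size-check branch. Moving that sequence into one small helper, or holding the pointer in a std::unique_ptr with the destroy call in its deleter, would keep this path from drifting apart from any other place where _mhdr_old is released.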
[trafficserver] branch 9.0.x updated: build: Require OCSP headers for OCSP-enablement
This is an automated email from the ASF dual-hosted git repository. zwoop pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/trafficserver.git The following commit(s) were added to refs/heads/9.0.x by this push: new 82ae0cd build: Require OCSP headers for OCSP-enablement 82ae0cd is described below commit 82ae0cddaf2556cc57f6698685991e237de76f44 Author: Randall Meyer AuthorDate: Fri Jun 19 11:16:43 2020 -0700 build: Require OCSP headers for OCSP-enablement This fixes a false detection of OCSP when the headers are not present, but the found libraries contain OCSP symbols (cherry picked from commit b0a42aba80db3eb82d23c598d51f42f8be906d50) --- build/crypto.m4 | 9 ++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/build/crypto.m4 b/build/crypto.m4 index 64787b4..331be06 100644 --- a/build/crypto.m4 +++ b/build/crypto.m4 @@ -259,10 +259,13 @@ AC_DEFUN([TS_CHECK_CRYPTO_OCSP], [ _ocsp_saved_LIBS=$LIBS TS_ADDTO(LIBS, [$OPENSSL_LIBS]) - AC_CHECK_HEADERS(openssl/ocsp.h) - AC_CHECK_FUNCS(OCSP_sendreq_new OCSP_REQ_CTX_add1_header OCSP_REQ_CTX_set1_req, [enable_tls_ocsp=yes], [enable_tls_ocsp=no]) + AC_CHECK_HEADERS(openssl/ocsp.h, [ocsp_have_headers=1], [enable_tls_ocsp=no]) - LIBS=$_ocsp_saved_LIBS + if test "$ocsp_have_headers" == "1"; then +AC_CHECK_FUNCS(OCSP_sendreq_new OCSP_REQ_CTX_add1_header OCSP_REQ_CTX_set1_req, [enable_tls_ocsp=yes], [enable_tls_ocsp=no]) + +LIBS=$_ocsp_saved_LIBS + fi AC_MSG_CHECKING(whether OCSP is supported) AC_MSG_RESULT([$enable_tls_ocsp])
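Review bot: LIBS=$_ocsp_saved_LIBS has moved inside the new if, so when openssl/ocsp.h is missing LIBS is never restored after TS_ADDTO(LIBS, [$OPENSSL_LIBS]) and the OpenSSL libraries stay in LIBS for the rest of configure; keep the restore after the fi. The test also compares with ==, which is a bashism; POSIX test takes a single =.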
[trafficserver] 01/03: Fix dual_cert_select test to run with older openssl binary (#6896)
This is an automated email from the ASF dual-hosted git repository. zwoop pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/trafficserver.git commit 2573f0cc5e8e6c45693d814bba3bd81a87230c87 Author: Susan Hinrichs AuthorDate: Mon Jun 22 08:53:25 2020 -0500 Fix dual_cert_select test to run with older openssl binary (#6896) Co-authored-by: Susan Hinrichs (cherry picked from commit ae9af297279f2c386d550f69fb731ff9fc43ef3a) --- .../tls/tls_check_dual_cert_selection.test.py | 46 ++ 1 file changed, 30 insertions(+), 16 deletions(-) diff --git a/tests/gold_tests/tls/tls_check_dual_cert_selection.test.py b/tests/gold_tests/tls/tls_check_dual_cert_selection.test.py index bc2682a..633144a 100644 --- a/tests/gold_tests/tls/tls_check_dual_cert_selection.test.py +++ b/tests/gold_tests/tls/tls_check_dual_cert_selection.test.py @@ -20,7 +20,8 @@ Test.Summary = ''' Test ATS offering both RSA and EC certificates ''' -Test.SkipUnless(Condition.HasOpenSSLVersion('1.1.1')) +import os +import re # Define default ATS ts = Test.MakeATSProcess("ts", select_ports=True, enable_tls=True) @@ -59,7 +60,7 @@ ts.Disk.ssl_multicert_config.AddLines([ ts.Disk.records_config.update({ 'proxy.config.ssl.server.cert.path': '{0}'.format(ts.Variables.SSLDir), 'proxy.config.ssl.server.private_key.path': '{0}'.format(ts.Variables.SSLDir), -'proxy.config.ssl.server.cipher_suite': 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:RC4-SHA:RC4-MD5:AES128-SHA:AES256-SHA:DES-CBC3-SHA!SRP:!DSS:!PSK:!aNULL:!eNULL:!SSLv2', +'proxy.config.ssl.server.cipher_suite': 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256', 'proxy.config.url_remap.pristine_host_hdr': 1, 'proxy.config.dns.nameservers': '127.0.0.1:{0}'.format(dns.Variables.Port), 'proxy.config.exec_thread.autoconfig.scale': 1.0, 
@@ -71,59 +72,72 @@ ts.Disk.records_config.update({ dns.addRecords(records={"foo.com.": ["127.0.0.1"]}) dns.addRecords(records={"bar.com.": ["127.0.0.1"]}) -# Should receive a EC cert +foo_ec_string = "" +foo_rsa_string = "" +san_ec_string = "" +san_rsa_string = "" +with open(os.path.join(Test.TestDirectory,'ssl', 'signed-foo-ec.pem'), 'r') as myfile: +foo_ec_string = re.escape(myfile.read()) +with open(os.path.join(Test.TestDirectory,'ssl', 'signed-foo.pem'), 'r') as myfile: +foo_rsa_string = re.escape(myfile.read()) +with open(os.path.join(Test.TestDirectory,'ssl', 'signed-san-ec.pem'), 'r') as myfile: +san_ec_string = re.escape(myfile.read()) +with open(os.path.join(Test.TestDirectory,'ssl', 'signed-san.pem'), 'r') as myfile: +san_rsa_string = re.escape(myfile.read()) + +# Should receive a EC cert since ATS cipher list prefers EC tr = Test.AddTestRun("Default for foo should return EC cert") tr.Setup.Copy("ssl/signer.pem") -tr.Processes.Default.Command = "echo foo | openssl s_client -servername foo.com -connect 127.0.0.1:{0}".format(ts.Variables.ssl_port) +tr.Processes.Default.Command = "echo foo | openssl s_client -tls1_2 -servername foo.com -connect 127.0.0.1:{0}".format(ts.Variables.ssl_port, foo_ec_string) tr.ReturnCode = 0 tr.Processes.Default.StartBefore(server) tr.Processes.Default.StartBefore(dns) tr.Processes.Default.StartBefore(Test.Processes.ts, ready=When.PortOpen(ts.Variables.ssl_port)) tr.StillRunningAfter = server tr.StillRunningAfter = ts -tr.Processes.Default.Streams.All += Testers.ContainsExpression("Peer signature type: ECDSA", "Should select EC cert") +tr.Processes.Default.Streams.All += Testers.ContainsExpression(foo_ec_string, "Should select EC cert",reflags=re.S | re.M) # Should receive a RSA cert tr = Test.AddTestRun("Only offer RSA ciphers, should receive RSA cert") -tr.Processes.Default.Command = "echo foo | openssl s_client -servername foo.com -sigalgs 'RSA-PSS+SHA256' -connect 127.0.0.1:{0}".format(ts.Variables.ssl_port) 
+tr.Processes.Default.Command = "echo foo | openssl s_client -tls1_2 -servername foo.com -cipher 'ECDHE-RSA-AES128-GCM-SHA256' -connect 127.0.0.1:{0}".format(ts.Variables.ssl_port) tr.ReturnCode = 0 tr.StillRunningAfter = server tr.StillRunningAfter = ts -tr.Processes.Default.Streams.All += Testers.ContainsExpression("Peer signature type: RSA-PSS", "Should select RSA cert") +tr.Processes.Default.Streams.All += Testers.ContainsExpression(foo_rsa_string, "Should select RSA cert",reflags=re.S | re.M) # Should receive a EC cert -tr = Test.AddTestRun("Default for one.com should return EC cert") -tr.Processes.Default.Command = "echo foo | openssl s_client -servername one.com -connect 127.0.0.1:{0}".format(ts.Variables.ssl_port) +tr = Test.AddTestRun("Default for two.com should return EC cert") +tr.Processes.Default.Command = "echo foo | openssl s_client -tls1_2 -servername two.com -connect
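Review bot: The expectation "Should receive a EC cert since ATS cipher list prefers EC" ties the first test run to the two-suite value that the -59 hunk writes into proxy.config.ssl.server.cipher_suite, but the setting itself is changed without a comment. Add one at the setting, so a later edit to the list does not quietly invert what the test proves.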
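Review bot: In the first test run of the -71 hunk, the s_client command string has only a {0} placeholder, but .format() is now called with (ts.Variables.ssl_port, foo_ec_string); the second argument is ignored and should be dropped. The four with open(...) blocks differ only in the file name, and the empty-string assignments before them are overwritten immediately, so a small helper that returns re.escape of a named PEM file would replace all eight statements.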
[trafficserver] 03/03: Make QPACK.h self-contained
This is an automated email from the ASF dual-hosted git repository. zwoop pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/trafficserver.git commit d62f1eceaeb8149ab8402a76fa04b8a1cc0fae5b Author: Masakazu Kitajo AuthorDate: Wed Jun 17 13:47:09 2020 +0900 Make QPACK.h self-contained (cherry picked from commit 763aa8e14b5717da980bc8ef9746a34c93b63809) --- proxy/http3/QPACK.h | 6 ++ 1 file changed, 6 insertions(+) diff --git a/proxy/http3/QPACK.h b/proxy/http3/QPACK.h index feb1068..f8f1889 100644 --- a/proxy/http3/QPACK.h +++ b/proxy/http3/QPACK.h @@ -23,11 +23,17 @@ #pragma once +#include + #include "I_EventSystem.h" #include "I_Event.h" +#include "I_IOBuffer.h" +#include "tscore/Arena.h" #include "tscpp/util/IntrusiveDList.h" #include "MIME.h" +#include "HTTP.h" #include "QUICApplication.h" +#include "QUICConnection.h" class HTTPHdr;
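Review bot: With HTTP.h now included, the class HTTPHdr; forward declaration left just below the include block is redundant if HTTP.h is what defines HTTPHdr; drop one or the other. If the forward declaration was sufficient for this header, keeping it and leaving HTTP.h out would also keep QPACK.h lighter.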
[trafficserver] branch 9.0.x updated (4b14114 -> d62f1ec)
This is an automated email from the ASF dual-hosted git repository. zwoop pushed a change to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/trafficserver.git. from 4b14114 example: Move to blocklists and allowlists new 2573f0c Fix dual_cert_select test to run with older openssl binary (#6896) new 5c4bd01 Prevent stale netvc access on SSL Callbacks (#6925) new d62f1ec Make QPACK.h self-contained The 3 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference. Summary of changes: iocore/net/SSLNetVConnection.cc| 4 +- iocore/net/SSLUtils.cc | 36 - proxy/http3/QPACK.h| 6 +++ .../tls/tls_check_dual_cert_selection.test.py | 46 ++ 4 files changed, 73 insertions(+), 19 deletions(-)
[trafficserver] 02/03: Prevent stale netvc access on SSL Callbacks (#6925)
This is an automated email from the ASF dual-hosted git repository. zwoop pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/trafficserver.git commit 5c4bd018d910d47f2e89bb26bac7733ba6039ee7 Author: Sudheer Vinukonda AuthorDate: Mon Jun 22 05:44:47 2020 -0700 Prevent stale netvc access on SSL Callbacks (#6925) Since SSL Callbacks are asynchronous in nature, it's possible the associated NetVC is already freed causing a potential use-after-free problem. (cherry picked from commit c7e80542aa1a5323399226f636ef196955f60791) --- iocore/net/SSLNetVConnection.cc | 4 ++-- iocore/net/SSLUtils.cc | 36 +++- 2 files changed, 37 insertions(+), 3 deletions(-) diff --git a/iocore/net/SSLNetVConnection.cc b/iocore/net/SSLNetVConnection.cc index 94a9815..405158f 100644 --- a/iocore/net/SSLNetVConnection.cc +++ b/iocore/net/SSLNetVConnection.cc @@ -1505,7 +1505,7 @@ SSLNetVConnection::advertise_next_protocol(SSL *ssl, const unsigned char **out, { SSLNetVConnection *netvc = SSLNetVCAccess(ssl); - ink_release_assert(netvc != nullptr); + ink_release_assert(netvc && netvc->ssl == ssl); if (netvc->getNPN(out, outlen)) { // Successful return tells OpenSSL to advertise. @@ -1522,7 +1522,7 @@ SSLNetVConnection::select_next_protocol(SSL *ssl, const unsigned char **out, uns { SSLNetVConnection *netvc = SSLNetVCAccess(ssl); - ink_release_assert(netvc != nullptr); + ink_release_assert(netvc && netvc->ssl == ssl); const unsigned char *npnptr = nullptr; unsigned int npnsize= 0; if (netvc->getNPN(, )) { diff --git a/iocore/net/SSLUtils.cc b/iocore/net/SSLUtils.cc index 9387a65..56fae1d 100644 --- a/iocore/net/SSLUtils.cc +++ b/iocore/net/SSLUtils.cc 
@@ -250,6 +250,12 @@ set_context_cert(SSL *ssl) bool found = true; int retval = 1; + if (!netvc || netvc->ssl != ssl) { +Debug("ssl.error", "set_context_cert call back on stale netvc"); +retval = 0; // Error +goto done; + } + Debug("ssl", "set_context_cert ssl=%p server=%s handshake_complete=%d", ssl, servername, netvc->getSSLHandShakeComplete()); // catch the client renegotiation early on @@ -317,6 +323,11 @@ ssl_verify_client_callback(int preverify_ok, X509_STORE_CTX *ctx) auto *ssl= static_cast(X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx())); SSLNetVConnection *netvc = SSLNetVCAccess(ssl); + if (!netvc || netvc->ssl != ssl) { +Debug("ssl.error", "ssl_verify_client_callback call back on stale netvc"); +return false; + } + netvc->set_verify_cert(ctx); netvc->callHooks(TS_EVENT_SSL_VERIFY_CLIENT); netvc->set_verify_cert(nullptr); @@ -355,6 +366,12 @@ ssl_client_hello_callback(SSL *s, int *al, void *arg) const char *servername = nullptr; const unsigned char *p; size_t remaining, len; + + if (!netvc || netvc->ssl != s) { +Debug("ssl.error", "ssl_client_hello_callback call back on stale netvc"); +return SSL_CLIENT_HELLO_ERROR; + } + // Parse the server name if the get extension call succeeds and there are more than 2 bytes to parse if (SSL_client_hello_get0_ext(s, TLSEXT_TYPE_server_name, , ) && remaining > 2) { // Parse to get to the name, originally from test/handshake_helper.c in openssl tree @@ -414,6 +431,11 @@ ssl_cert_callback(SSL *ssl, void * /*arg*/) bool reenabled; int retval = 1; + if (!netvc || netvc->ssl != ssl) { +Debug("ssl.error", "ssl_cert_callback call back on stale netvc"); +return 0; + } + // If we are in tunnel mode, don't select a cert. Pause! if (HttpProxyPort::TRANSPORT_BLIND_TUNNEL == netvc->attributes) { return -1; // Pause 
@@ -447,6 +469,12 @@ static int ssl_servername_callback(SSL *ssl, int * /* ad */, void * /*arg*/) { SSLNetVConnection *netvc = SSLNetVCAccess(ssl); + + if (!netvc || netvc->ssl != ssl) { +Debug("ssl.error", "ssl_servername_callback call back on stale netvc"); +return SSL_TLSEXT_ERR_ALERT_FATAL; + } + netvc->callHooks(TS_EVENT_SSL_SERVERNAME); const char *name = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name); @@ -1019,7 +1047,12 @@ ssl_callback_info(const SSL *ssl, int where, int ret) SSLNetVConnection *netvc = SSLNetVCAccess(ssl); - if (netvc && (where & SSL_CB_ACCEPT_LOOP) && netvc->getSSLHandShakeComplete() == true && + if (!netvc || netvc->ssl != ssl) { +Debug("ssl.error", "ssl_callback_info call back on stale netvc"); +return; + } + + if ((where & SSL_CB_ACCEPT_LOOP) && netvc->getSSLHandShakeComplete() == true && SSLConfigParams::ssl_allow_client_renegotiation == false) { int state = SSL_get_state(ssl); @@ -1790,6 +1823,7 @@ SSLAccept(SSL *ssl) #if TS_HAS_TLS_EARLY_DATA SSLNetVConnection *netvc = SSLNetVCAccess(ssl); + if (SSLConfigParams::server_max_early_data > 0 && !netvc->early_data_finish) { size_t nread; if
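Review bot: In advertise_next_protocol and select_next_protocol the stale condition is handled with ink_release_assert(netvc && netvc->ssl == ssl), which aborts the process, while the SSLUtils.cc callbacks in the same patch log and return an error. If a stale callback is an expected race, as the commit message suggests, these two should fail the callback rather than bring the server down.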
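Review bot: The guard added to each SSLUtils.cc callback, !netvc || netvc->ssl != ssl, reads netvc->ssl to decide whether netvc is stale, but the commit message describes the failure as the NetVC already being freed, in which case that read is itself an access to freed memory. The check is reliable only if the SSL-to-NetVC association is cleared when the NetVC is released, so that SSLNetVCAccess returns nullptr; if that happens elsewhere, say so in a comment. The six copies of the test and its Debug line would also be better as one helper.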
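Review bot: The SSLAccept hunk at -1790 only adds a blank line, and netvc->early_data_finish is still dereferenced right after SSLNetVCAccess(ssl) without the stale check that the other call sites received. Either add the check here or drop the whitespace-only change.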
[trafficserver] 02/03: Make compress Au test less flakey. (#6915)
This is an automated email from the ASF dual-hosted git repository. zwoop pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/trafficserver.git commit acb03919b697afb81a73fe9319bfa79da175 Author: Walt Karas AuthorDate: Mon Jun 22 17:51:23 2020 -0500 Make compress Au test less flakey. (#6915) (cherry picked from commit 74366b963fd18e97d80e9c91681fe232678d6faf) --- tests/gold_tests/pluginTest/compress/compress.gold | 42 +++--- .../pluginTest/compress/compress.test.py | 11 -- tests/gold_tests/pluginTest/compress/greplog.sh| 2 +- 3 files changed, 30 insertions(+), 25 deletions(-) diff --git a/tests/gold_tests/pluginTest/compress/compress.gold b/tests/gold_tests/pluginTest/compress/compress.gold index ff02ed6..05c8eb5 100644 --- a/tests/gold_tests/pluginTest/compress/compress.gold +++ b/tests/gold_tests/pluginTest/compress/compress.gold @@ -6,7 +6,7 @@ < Content-Encoding: br < Vary: Accept-Encoding < Content-Length: 46 - +=== > GET http://ae-0/obj0 HTTP/1.1 > X-Ats-Compress-Test: 0/gzip > Accept-Encoding: gzip @@ -15,7 +15,7 @@ < Content-Encoding: gzip < Vary: Accept-Encoding < Content-Length: 71 - +=== > GET http://ae-0/obj0 HTTP/1.1 > X-Ats-Compress-Test: 0/br > Accept-Encoding: br @@ -24,14 +24,14 @@ < Content-Encoding: br < Vary: Accept-Encoding < Content-Length: 46 - +=== > GET http://ae-0/obj0 HTTP/1.1 > X-Ats-Compress-Test: 0/deflate > Accept-Encoding: deflate < HTTP/1.1 200 OK < Content-Type: text/javascript < Content-Length: 1049 - +=== > GET http://ae-1/obj1 HTTP/1.1 > X-Ats-Compress-Test: 1/gzip, deflate, sdch, br > Accept-Encoding: gzip, deflate, sdch, br @@ -40,7 +40,7 @@ < Content-Encoding: gzip < Vary: Accept-Encoding < Content-Length: 71 - +=== > GET http://ae-1/obj1 HTTP/1.1 > X-Ats-Compress-Test: 1/gzip > Accept-Encoding: gzip 
@@ -49,21 +49,21 @@ < Content-Encoding: gzip < Vary: Accept-Encoding < Content-Length: 71 - +=== > GET http://ae-1/obj1 HTTP/1.1 > X-Ats-Compress-Test: 1/br > Accept-Encoding: br < HTTP/1.1 200 OK < Content-Type: text/javascript < Content-Length: 1049 - +=== > GET http://ae-1/obj1 HTTP/1.1 > X-Ats-Compress-Test: 1/deflate > Accept-Encoding: deflate < HTTP/1.1 200 OK < Content-Type: text/javascript < Content-Length: 1049 - +=== > GET http://ae-2/obj2 HTTP/1.1 > X-Ats-Compress-Test: 2/gzip, deflate, sdch, br > Accept-Encoding: gzip, deflate, sdch, br @@ -72,7 +72,7 @@ < Content-Encoding: br < Vary: Accept-Encoding < Content-Length: 46 - +=== > GET http://ae-2/obj2 HTTP/1.1 > X-Ats-Compress-Test: 2/gzip > Accept-Encoding: gzip @@ -81,7 +81,7 @@ < Content-Encoding: gzip < Vary: Accept-Encoding < Content-Length: 71 - +=== > GET http://ae-2/obj2 HTTP/1.1 > X-Ats-Compress-Test: 2/br > Accept-Encoding: br @@ -90,14 +90,14 @@ < Content-Encoding: br < Vary: Accept-Encoding < Content-Length: 46 - +=== > GET http://ae-2/obj2 HTTP/1.1 > X-Ats-Compress-Test: 2/deflate > Accept-Encoding: deflate < HTTP/1.1 200 OK < Content-Type: text/javascript < Content-Length: 1049 - +=== > GET http://ae-0/obj0 HTTP/1.1 > X-Ats-Compress-Test: 0/gzip;q=0.666 > Accept-Encoding: gzip;q=0.666 @@ -106,7 +106,7 @@ < Content-Encoding: gzip < Vary: Accept-Encoding < Content-Length: 71 - +=== > GET http://ae-0/obj0 HTTP/1.1 > X-Ats-Compress-Test: 0/gzip;q=0.666x > Accept-Encoding: gzip;q=0.666x @@ -115,7 +115,7 @@ < Content-Encoding: gzip < Vary: Accept-Encoding < Content-Length: 71 - +=== > GET http://ae-0/obj0 HTTP/1.1 > X-Ats-Compress-Test: 0/gzip;q=#0.666 > Accept-Encoding: gzip;q=#0.666 @@ -124,7 +124,7 @@ < Content-Encoding: gzip < Vary: Accept-Encoding < Content-Length: 71 - +=== > GET http://ae-0/obj0 HTTP/1.1 > X-Ats-Compress-Test: 0/gzip; Q = 0.666 > Accept-Encoding: gzip; Q = 0.666 
@@ -133,14 +133,14 @@ < Content-Encoding: gzip < Vary: Accept-Encoding < Content-Length: 71 - +=== > GET http://ae-0/obj0 HTTP/1.1 > X-Ats-Compress-Test: 0/gzip;q=0.0 > Accept-Encoding: gzip;q=0.0 < HTTP/1.1 200 OK < Content-Type: text/javascript < Content-Length: 1049 - +=== > GET http://ae-0/obj0 HTTP/1.1 > X-Ats-Compress-Test: 0/gzip;q=-0.1 > Accept-Encoding: gzip;q=-0.1 @@ -149,7 +149,7 @@ < Content-Encoding: gzip < Vary: Accept-Encoding < Content-Length: 71 - +=== > GET http://ae-0/obj0 HTTP/1.1 > X-Ats-Compress-Test: 0/aaa, gzip;q=0.666, bbb > Accept-Encoding: aaa, gzip;q=0.666, bbb @@ -158,7 +158,7 @@ < Content-Encoding: gzip < Vary: Accept-Encoding < Content-Length: 71 - +=== > GET http://ae-0/obj0 HTTP/1.1 > X-Ats-Compress-Test: 0/ br ; q=0.666, bbb > Accept-Encoding: br ; q=0.666, bbb @@ -167,7 +167,7 @@ < Content-Encoding: br < Vary: Accept-Encoding < Content-Length: 46 - +=== > GET http://ae-0/obj0 HTTP/1.1 > X-Ats-Compress-Test: 0/aaa, gzip;q=0.666 , > Accept-Encoding: aaa, gzip;q=0.666 , @@ -176,4 +176,4 @@ < Content-Encoding: gzip < Vary: Accept-Encoding < Content-Length: 71 - +=== diff
[trafficserver] branch 9.0.x updated (c02d480 -> 4b14114)
This is an automated email from the ASF dual-hosted git repository. zwoop pushed a change to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/trafficserver.git. from c02d480 Disable max_connections_active_in default now that featur works (#6903) new 907a43b Make compress plugin normalization of Accept-Encoding header compatible with normalization in core TS. new acb0391 Make compress Au test less flakey. (#6915) new 4b14114 example: Move to blocklists and allowlists The 3 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference. Summary of changes: example/plugins/c-api/Makefile.am | 12 +- example/plugins/c-api/blacklist_1/readme.txt | 17 -- .../blacklist_0.c => blocklist_0/blocklist_0.c}| 12 +- .../blacklist.txt => blocklist_1/blocklist.txt}| 0 .../blacklist_1.c => blocklist_1/blocklist_1.c}| 36 ++-- example/plugins/c-api/blocklist_1/readme.txt | 17 ++ .../ssl_sni_allowlist.cc} | 8 +- plugins/compress/misc.cc | 76 --- tests/gold_tests/pluginTest/compress/compress.gold | 225 + .../pluginTest/compress/compress.test.py | 150 -- .../pluginTest/compress/compress_userver.gold | 21 ++ tests/gold_tests/pluginTest/compress/greplog.sh| 2 +- 12 files changed, 272 insertions(+), 304 deletions(-) delete mode 100644 example/plugins/c-api/blacklist_1/readme.txt rename example/plugins/c-api/{blacklist_0/blacklist_0.c => blocklist_0/blocklist_0.c} (93%) rename example/plugins/c-api/{blacklist_1/blacklist.txt => blocklist_1/blocklist.txt} (100%) rename example/plugins/c-api/{blacklist_1/blacklist_1.c => blocklist_1/blocklist_1.c} (90%) create mode 100644 example/plugins/c-api/blocklist_1/readme.txt rename example/plugins/c-api/{ssl_sni_whitelist/ssl_sni_whitelist.cc => ssl_sni_allowlist/ssl_sni_allowlist.cc} (92%) create mode 100644 tests/gold_tests/pluginTest/compress/compress_userver.gold
[trafficserver] 03/03: example: Move to blocklists and allowlists
This is an automated email from the ASF dual-hosted git repository. zwoop pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/trafficserver.git commit 4b14114474f8abacc58fd4a5d560fca5c4dc538e Author: Randall Meyer AuthorDate: Thu Jun 18 09:04:37 2020 -0700 example: Move to blocklists and allowlists This change renames the blacklist* to blocklist* and ssl_sni_whitelist to ssl_sni_allowlist (cherry picked from commit 9ae1a7666ae0419173894b1a11c16f74f0541878) --- example/plugins/c-api/Makefile.am | 12 example/plugins/c-api/blacklist_1/readme.txt | 17 -- .../blacklist_0.c => blocklist_0/blocklist_0.c}| 12 .../blacklist.txt => blocklist_1/blocklist.txt}| 0 .../blacklist_1.c => blocklist_1/blocklist_1.c}| 36 +++--- example/plugins/c-api/blocklist_1/readme.txt | 17 ++ .../ssl_sni_allowlist.cc} | 8 ++--- 7 files changed, 51 insertions(+), 51 deletions(-) diff --git a/example/plugins/c-api/Makefile.am b/example/plugins/c-api/Makefile.am index b63f81e..97abebb 100644 --- a/example/plugins/c-api/Makefile.am +++ b/example/plugins/c-api/Makefile.am @@ -26,8 +26,8 @@ example_Plugins = \ add_header.la \ append_transform.la \ basic_auth.la \ - blacklist_0.la \ - blacklist_1.la \ + blocklist_0.la \ + blocklist_1.la \ bnull_transform.la \ cert_update.la \ request_buffer.la \ @@ -54,7 +54,7 @@ example_Plugins = \ server_transform.la \ session_hooks.la \ ssl_preaccept.la \ - ssl_sni_whitelist.la \ + ssl_sni_allowlist.la \ ssl_sni.la \ statistic.la \ thread_1.la \ 
@@ -71,8 +71,8 @@ endif add_header_la_SOURCES = add_header/add_header.c append_transform_la_SOURCES = append_transform/append_transform.c basic_auth_la_SOURCES = basic_auth/basic_auth.c -blacklist_0_la_SOURCES = blacklist_0/blacklist_0.c -blacklist_1_la_SOURCES = blacklist_1/blacklist_1.c +blocklist_0_la_SOURCES = blocklist_0/blocklist_0.c +blocklist_1_la_SOURCES = blocklist_1/blocklist_1.c bnull_transform_la_SOURCES = bnull_transform/bnull_transform.c cert_update_la_SOURCES = cert_update/cert_update.cc request_buffer_la_SOURCES = request_buffer/request_buffer.c @@ -98,7 +98,7 @@ server_push_la_SOURCES = server_push/server_push.c server_transform_la_SOURCES = server_transform/server_transform.c ssl_preaccept_la_SOURCES = ssl_preaccept/ssl_preaccept.cc ssl_sni_la_SOURCES = ssl_sni/ssl_sni.cc -ssl_sni_whitelist_la_SOURCES = ssl_sni_whitelist/ssl_sni_whitelist.cc +ssl_sni_allowlist_la_SOURCES = ssl_sni_allowlist/ssl_sni_allowlist.cc disable_http2_la_SOURCES = disable_http2/disable_http2.cc verify_cert_la_SOURCES = verify_cert/verify_cert.cc statistic_la_SOURCES = statistic/statistic.cc diff --git a/example/plugins/c-api/blacklist_1/readme.txt b/example/plugins/c-api/blacklist_1/readme.txt deleted file mode 100644 index 0e7cf27..000 --- a/example/plugins/c-api/blacklist_1/readme.txt +++ /dev/null @@ -1,17 +0,0 @@ -How to run the blacklist plugin -=== - -1. Modify blacklist.cgi to specify the location of perl and traffic server. -2. Copy blacklist.cgi, blacklist_1.so, PoweredByInktomi.gif to the directory - specified by the variable proxy.config.plugin.plugin_dir. -3. Modify plugin.config to load the blacklist plugin. - - - -About the blacklist plugin -== - -The blacklist plugin allows Traffic Server to compare all incoming request -origin servers with a blacklisted set of web servers. If the requested origin -server is blacklisted, Traffic Server sends the client a message saying that -access is denied. 
diff --git a/example/plugins/c-api/blacklist_0/blacklist_0.c b/example/plugins/c-api/blocklist_0/blocklist_0.c similarity index 93% rename from example/plugins/c-api/blacklist_0/blacklist_0.c rename to example/plugins/c-api/blocklist_0/blocklist_0.c index 5ca5179..a7da67c 100644 --- a/example/plugins/c-api/blacklist_0/blacklist_0.c +++ b/example/plugins/c-api/blocklist_0/blocklist_0.c @@ -22,8 +22,8 @@ */ /* - * blacklist_0.c: - * original version of blacklist-1, now used for internal testing + * blocklist_0.c: + * original version of blocklist-1, now used for internal testing * * * Usage: @@ -34,7 +34,7 @@ #include #include -#define PLUGIN_NAME "blacklist_0" +#define PLUGIN_NAME "blocklist_0" static char **sites; static int nsites; @@ -69,7 +69,7 @@ handle_dns(TSHttpTxn txnp, TSCont contp) } for (i = 0; i < nsites; i++) { if (strncmp(host, sites[i], host_length) == 0) { - printf("blacklisting site: %s\n", sites[i]); + printf("blocklisting site: %s\n", sites[i]); TSHttpTxnHookAdd(txnp, TS_HTTP_SEND_RESPONSE_HDR_HOOK, contp); TSHandleMLocRelease(bufp, hdr_loc, url_loc); TSHandleMLocRelease(bufp, TS_NULL_MLOC,
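Review bot: Renaming blacklist_0.la, blacklist_1.la and ssl_sni_whitelist.la in example_Plugins changes the names of the built plugin objects, so any plugin.config or script that still loads the old names stops working after this commit; that deserves a line in the commit message or the release notes. In blocklist_0.c the message now reads "blocklisting site", which is awkward; "blocking site" says the same thing.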
[trafficserver] 01/03: Make compress plugin normalization of Accept-Encoding header compatible with normalization in core TS.
This is an automated email from the ASF dual-hosted git repository. zwoop pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/trafficserver.git commit 907a43b6d607a9c727e4c72b82f5c0e80ae9dce4 Author: Walter Karas AuthorDate: Fri Aug 23 19:28:19 2019 -0500 Make compress plugin normalization of Accept-Encoding header compatible with normalization in core TS. Specifically, remove parameters on values, but if there is a valid q parameter which is equal to 0.0, remove the associated value from the value list. (cherry picked from commit 15a6890366ff9a791afec71580b0c03f6baccf5e) --- plugins/compress/misc.cc | 76 ++--- tests/gold_tests/pluginTest/compress/compress.gold | 183 - .../pluginTest/compress/compress.test.py | 139 +--- .../pluginTest/compress/compress_userver.gold | 21 +++ 4 files changed, 191 insertions(+), 228 deletions(-) diff --git a/plugins/compress/misc.cc b/plugins/compress/misc.cc index 4bf579c..56c3fa9 100644 --- a/plugins/compress/misc.cc +++ b/plugins/compress/misc.cc @@ -23,6 +23,7 @@ #include "ts/ts.h" #include "tscore/ink_defs.h" +#include "tscpp/util/TextView.h" #include "misc.h" #include 
@@ -41,40 +42,69 @@ gzip_free(voidpf /* opaque ATS_UNUSED */, voidpf address) TSfree(address); } +namespace +{ +// Strips parameters from value. Returns cleared TextView if a q=f parameter present, where f is less than or equal to +// zero. +// +void +strip_ae_value(ts::TextView ) +{ + ts::TextView compression{value.take_prefix_at(';')}; + compression.trim(" \t"); + while (value) { +ts::TextView param{value.take_prefix_at(';')}; +ts::TextView name{param.take_prefix_at('=')}; +name.trim(" \t"); +if (strcasecmp("q", name) == 0) { + // If q value is valid and is zero, suppress compression types. + param.trim(" \t"); + if (param) { +ts::TextView whole{param.take_prefix_at('.')}; +whole.ltrim(" \t"); +if ("0" == whole) { + param.trim('0'); + if (!param) { +// Suppress compression type. +compression.clear(); +break; + } +} + } +} + } + value = compression; +} +} // end anonymous namespace + void normalize_accept_encoding(TSHttpTxn /* txnp ATS_UNUSED */, TSMBuffer reqp, TSMLoc hdr_loc) { TSMLoc field = TSMimeHdrFieldFind(reqp, hdr_loc, TS_MIME_FIELD_ACCEPT_ENCODING, TS_MIME_LEN_ACCEPT_ENCODING); - int deflate = 0; - int gzip = 0; - int br = 0; + bool deflate = false; + bool gzip= false; + bool br = false; // remove the accept encoding field(s), // while finding out if gzip or deflate is supported. 
while (field) { -TSMLoc tmp; - -if (!deflate && !gzip) { - int value_count = TSMimeHdrFieldValuesCount(reqp, hdr_loc, field); - - while (value_count > 0) { -int val_len = 0; -const char *val; - ---value_count; -val = TSMimeHdrFieldValueStringGet(reqp, hdr_loc, field, value_count, _len); - -if (val_len == static_cast(strlen("br"))) { - br = !strncmp(val, "br", val_len); -} -if (val_len == static_cast(strlen("gzip"))) { - gzip = !strncmp(val, "gzip", val_len); -} else if (val_len == static_cast(strlen("deflate"))) { - deflate = !strncmp(val, "deflate", val_len); +int val_len; +const char *values_ = TSMimeHdrFieldValueStringGet(reqp, hdr_loc, field, -1, _len); +if (values_ && val_len) { + ts::TextView values(values_, val_len); + while (values) { +ts::TextView next{values.take_prefix_at(',')}; +strip_ae_value(next); +if (strcasecmp("gzip", next) == 0) { + gzip = true; +} else if (strcasecmp("br", next) == 0) { + br = true; +} else if (strcasecmp("deflate", next) == 0) { + deflate = true; } } } -tmp = TSMimeHdrFieldNextDup(reqp, hdr_loc, field); +TSMLoc tmp = TSMimeHdrFieldNextDup(reqp, hdr_loc, field); TSMimeHdrFieldDestroy(reqp, hdr_loc, field); // catch retval? TSHandleMLocRelease(reqp, hdr_loc, field); field = tmp; diff --git a/tests/gold_tests/pluginTest/compress/compress.gold b/tests/gold_tests/pluginTest/compress/compress.gold index af5b4f0..ff02ed6 100644 --- a/tests/gold_tests/pluginTest/compress/compress.gold +++ b/tests/gold_tests/pluginTest/compress/compress.gold @@ -1,5 +1,5 @@ > GET http://ae-0/obj0 HTTP/1.1 -> X-Ats-Compress-Test: ts/0/gzip, deflate, sdch, br +> X-Ats-Compress-Test: 0/gzip, deflate, sdch, br > Accept-Encoding: gzip, deflate, sdch, br < HTTP/1.1 200 OK < Content-Type: text/javascript @@ -8,7 +8,7 @@ < Content-Length: 46 > GET http://ae-0/obj0 HTTP/1.1 -> X-Ats-Compress-Test: ts/0/gzip +> X-Ats-Compress-Test: 0/gzip > Accept-Encoding: gzip < HTTP/1.1 200 OK < Content-Type: text/javascript @@ -17,7
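Review bot: The comment above strip_ae_value() in plugins/compress/misc.cc says the value is cleared when the q parameter is "less than or equal to zero", but the code only clears it when the whole part is exactly `0` and everything after the `.` is zeros, which is what the commit message describes ("equal to 0.0"). Please change the comment to say "equal to zero" and state that any other q form leaves the encoding enabled, so a later reader does not assume negative or malformed q-values are rejected here. In normalize_accept_encoding(), `int val_len;` is also declared without an initializer where the removed code had `int val_len = 0`; the `values_ && val_len` test short-circuits today, but initializing it keeps the read safe if that condition is ever reordered.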
[trafficserver] 02/02: Disable max_connections_active_in default now that featur works (#6903)
This is an automated email from the ASF dual-hosted git repository. zwoop pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/trafficserver.git commit c02d4804f4dc226164a8b391eedd79a0f71e4468 Author: Susan Hinrichs AuthorDate: Mon Jun 22 17:54:13 2020 -0500 Disable max_connections_active_in default now that featur works (#6903) Co-authored-by: Susan Hinrichs (cherry picked from commit 54cff079598f67e01a80a3badb9f7c772562df74) --- iocore/net/P_UnixNet.h | 2 +- iocore/net/UnixNet.cc | 11 --- mgmt/RecordsConfig.cc | 2 +- proxy/http2/Http2ClientSession.cc | 1 + tests/gold_tests/h2/h2active_timeout.py | 29 + tests/gold_tests/h2/http2.test.py | 2 +- 6 files changed, 29 insertions(+), 18 deletions(-) diff --git a/iocore/net/P_UnixNet.h b/iocore/net/P_UnixNet.h index da1057d..82c7884 100644 --- a/iocore/net/P_UnixNet.h +++ b/iocore/net/P_UnixNet.h @@ -297,7 +297,7 @@ public: void process_enabled_list(); void process_ready_list(); void manage_keep_alive_queue(); - bool manage_active_queue(bool ignore_queue_size); + bool manage_active_queue(NetEvent *ne, bool ignore_queue_size); void add_to_keep_alive_queue(NetEvent *ne); void remove_from_keep_alive_queue(NetEvent *ne); bool add_to_active_queue(NetEvent *ne); diff --git a/iocore/net/UnixNet.cc b/iocore/net/UnixNet.cc index 653b675..f368e07 100644 --- a/iocore/net/UnixNet.cc +++ b/iocore/net/UnixNet.cc @@ -111,7 +111,7 @@ public: // Therefore we don't have to check all the NetEvents as much as open_list. // Cleanup the active and keep-alive queues periodically -nh.manage_active_queue(true); // close any connections over the active timeout +nh.manage_active_queue(nullptr, true); // close any connections over the active timeout nh.manage_keep_alive_queue(); return 0; 
@@ -565,7 +565,7 @@ NetHandler::signalActivity() } bool -NetHandler::manage_active_queue(bool ignore_queue_size = false) +NetHandler::manage_active_queue(NetEvent *enabling_ne, bool ignore_queue_size = false) { const int total_connections_in = active_queue_size + keep_alive_queue_size; Debug("v_net_queue", @@ -594,6 +594,11 @@ NetHandler::manage_active_queue(bool ignore_queue_size = false) int total_idle_count = 0; for (; ne != nullptr; ne = ne_next) { ne_next = ne->active_queue_link.next; +// It seems dangerous closing the current ne at this point +// Let the activity_cop deal with it +if (ne == enabling_ne) { + continue; +} if ((ne->inactivity_timeout_in && ne->next_inactivity_timeout_at <= now) || (ne->active_timeout_in && ne->next_activity_timeout_at <= now)) { _close_ne(ne, now, handle_event, closed, total_idle_time, total_idle_count); @@ -741,7 +746,7 @@ NetHandler::add_to_active_queue(NetEvent *ne) bool active_queue_full = false; // if active queue is over size then close inactive connections - if (manage_active_queue() == false) { + if (manage_active_queue(ne) == false) { active_queue_full = true; } diff --git a/mgmt/RecordsConfig.cc b/mgmt/RecordsConfig.cc index a70200d..2f293bc 100644 --- a/mgmt/RecordsConfig.cc +++ b/mgmt/RecordsConfig.cc @@ -400,7 +400,7 @@ static const RecordElement RecordsConfig[] = , {RECT_CONFIG, "proxy.config.net.max_connections_in", RECD_INT, "3", RECU_DYNAMIC, RR_NULL, RECC_STR, "^[0-9]+$", RECA_NULL} , - {RECT_CONFIG, "proxy.config.net.max_connections_active_in", RECD_INT, "1", RECU_DYNAMIC, RR_NULL, RECC_STR, "^[0-9]+$", RECA_NULL} + {RECT_CONFIG, "proxy.config.net.max_connections_active_in", RECD_INT, "0", RECU_DYNAMIC, RR_NULL, RECC_STR, "^[0-9]+$", RECA_NULL} , // ### diff --git a/proxy/http2/Http2ClientSession.cc b/proxy/http2/Http2ClientSession.cc index 638679f..8045883 100644 --- a/proxy/http2/Http2ClientSession.cc +++ b/proxy/http2/Http2ClientSession.cc 
@@ -346,6 +346,7 @@ Http2ClientSession::main_event_handler(int event, void *edata) case VC_EVENT_INACTIVITY_TIMEOUT: case VC_EVENT_ERROR: case VC_EVENT_EOS: +Http2SsnDebug("Closing event %d", event); this->set_dying_event(event); this->do_io_close(); if (_vc != nullptr) { diff --git a/tests/gold_tests/h2/h2active_timeout.py b/tests/gold_tests/h2/h2active_timeout.py index aa79cb1..d2f47f2 100644 --- a/tests/gold_tests/h2/h2active_timeout.py +++ b/tests/gold_tests/h2/h2active_timeout.py @@ -22,23 +22,25 @@ import argparse import time -def makerequest(port): +def makerequest(port, active_timeout): hyper.tls._context = hyper.tls.init_context() hyper.tls._context.check_hostname = False hyper.tls._context.verify_mode = hyper.compat.ssl.CERT_NONE conn = HTTPConnection('localhost:{0}'.format(port), secure=True) -active_timeout = 3 -request_interval = 0.1 -loop_cnt = int((active_timeout + 2)
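Review bot: In NetHandler::manage_active_queue() in iocore/net/UnixNet.cc, the new `if (ne == enabling_ne) { continue; }` is justified only by "It seems dangerous closing the current ne at this point", which records a suspicion rather than the invariant being protected. Please state in the comment what add_to_active_queue() still does with `ne` after this call returns, so the skip is not removed later as dead code. The parameter is also named `ne` in the P_UnixNet.h declaration and `enabling_ne` in the definition; use one name in both.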
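Review bot: The mgmt/RecordsConfig.cc hunk changes the shipped default of proxy.config.net.max_connections_active_in to "0", yet the summary of changes for this commit lists no file under doc/. A default that governs how many active inbound connections are accepted is something operators rely on, so please document the new default and what "0" means alongside this change.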
[trafficserver] 01/02: python: Remove unused variables
This is an automated email from the ASF dual-hosted git repository. zwoop pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/trafficserver.git commit fcc10e3ef0f5e66cf03af7a0b53bdf29851a9c2e Author: Randall Meyer AuthorDate: Fri May 1 19:13:19 2020 + python: Remove unused variables Co-authored-by: deepsource-autofix[bot] <62050782+deepsource-autofix[bot]@users.noreply.github.com> (cherry picked from commit d1efcb490c3db090e11f7721006be5362fe52c89) --- doc/ext/traffic-server.py | 4 ++-- plugins/experimental/traffic_dump/post_process.py | 2 +- tests/gold_tests/h2/h2active_timeout.py | 2 +- tests/gold_tests/h2/h2chunked.py | 2 +- tests/gold_tests/slow_post/slow_post_client.py| 2 +- 5 files changed, 6 insertions(+), 6 deletions(-) diff --git a/doc/ext/traffic-server.py b/doc/ext/traffic-server.py index 0fb2044..9cf7c9d 100644 --- a/doc/ext/traffic-server.py +++ b/doc/ext/traffic-server.py @@ -116,7 +116,7 @@ class TSConfVar(std.Target): title.set_class(self.options.get('class')) # This has to be a distinct node before the title. if nested then # the browser will scroll forward to just past the title. -anchor = nodes.target('', '', names=[cv_name]) +nodes.target('', '', names=[cv_name]) # Second (optional) arg is 'msgNode' - no idea what I should pass for that # or if it even matters, although I now think it should not be used. self.state.document.note_explicit_target(title) @@ -240,7 +240,7 @@ class TSStat(std.Target): # This has to be a distinct node before the title. if nested then # the browser will scroll forward to just past the title. -anchor = nodes.target('', '', names=[stat_name]) +nodes.target('', '', names=[stat_name]) # Second (optional) arg is 'msgNode' - no idea what I should pass for that # or if it even matters, although I now think it should not be used. self.state.document.note_explicit_target(title) 
diff --git a/plugins/experimental/traffic_dump/post_process.py b/plugins/experimental/traffic_dump/post_process.py index d2dbe96..42f76d8 100755 --- a/plugins/experimental/traffic_dump/post_process.py +++ b/plugins/experimental/traffic_dump/post_process.py @@ -387,7 +387,7 @@ def main(): nthreads = min(max(subdir_q.qsize(), 1), args.num_threads) # Start up the threads. -for i in range(nthreads): +for _ in range(nthreads): t = Thread(target=post_process, args=(args.in_dir, subdir_q, args.out_dir, args.num_sessions, args.no_human_readable, diff --git a/tests/gold_tests/h2/h2active_timeout.py b/tests/gold_tests/h2/h2active_timeout.py index 0b7d5ac..aa79cb1 100644 --- a/tests/gold_tests/h2/h2active_timeout.py +++ b/tests/gold_tests/h2/h2active_timeout.py @@ -32,7 +32,7 @@ def makerequest(port): active_timeout = 3 request_interval = 0.1 loop_cnt = int((active_timeout + 2) / request_interval) -for i in range(loop_cnt): +for _ in range(loop_cnt): try: conn.request('GET', '/') time.sleep(request_interval) diff --git a/tests/gold_tests/h2/h2chunked.py b/tests/gold_tests/h2/h2chunked.py index 97938ec..a7fee07 100644 --- a/tests/gold_tests/h2/h2chunked.py +++ b/tests/gold_tests/h2/h2chunked.py @@ -41,7 +41,7 @@ def makerequest(port, _url): sites = {'/'} request_ids = [] -for site in sites: +for _ in sites: request_id = conn.request('GET', url=_url) request_ids.append(request_id) diff --git a/tests/gold_tests/slow_post/slow_post_client.py b/tests/gold_tests/slow_post/slow_post_client.py index a132a67..47fb4b4 100644 --- a/tests/gold_tests/slow_post/slow_post_client.py +++ b/tests/gold_tests/slow_post/slow_post_client.py @@ -34,7 +34,7 @@ def slow_post(port, slow_time): def makerequest(port, connection_limit): client_timeout = 3 -for i in range(connection_limit): +for _ in range(connection_limit): t = threading.Thread(target=slow_post, args=(port, client_timeout + 10)) t.daemon = True t.start()
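Review bot: In doc/ext/traffic-server.py (both the TSConfVar and TSStat hunks), dropping `anchor =` leaves a bare `nodes.target('', '', names=[...])` call whose result is discarded, while the comment right above it still says this "has to be a distinct node before the title". Either the node is meant to be attached to the document, in which case the unused variable was pointing at a missing step, or the call is dead and should be deleted together with its comment. Silencing the warning without deciding which one hides the question.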
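Review bot: In tests/gold_tests/h2/h2chunked.py, `for _ in sites:` iterates over the one-element set `sites = {'/'}` while the body requests `_url` and never used `site`. Renaming the variable keeps a loop that does nothing with its input; please either request each `site` or drop `sites` and the loop and issue the single request directly.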
[trafficserver] branch 9.0.x updated (c7e9fee -> c02d480)
This is an automated email from the ASF dual-hosted git repository. zwoop pushed a change to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/trafficserver.git. from c7e9fee Fixed bug in the calculation of the header block fragment length (#6923) new fcc10e3 python: Remove unused variables new c02d480 Disable max_connections_active_in default now that featur works (#6903) The 2 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference. Summary of changes: doc/ext/traffic-server.py | 4 ++-- iocore/net/P_UnixNet.h| 2 +- iocore/net/UnixNet.cc | 11 ++--- mgmt/RecordsConfig.cc | 2 +- plugins/experimental/traffic_dump/post_process.py | 2 +- proxy/http2/Http2ClientSession.cc | 1 + tests/gold_tests/h2/h2active_timeout.py | 29 +-- tests/gold_tests/h2/h2chunked.py | 2 +- tests/gold_tests/h2/http2.test.py | 2 +- tests/gold_tests/slow_post/slow_post_client.py| 2 +- 10 files changed, 34 insertions(+), 23 deletions(-)
[trafficserver] branch 9.0.x updated: Fixed bug in the calculation of the header block fragment length (#6923)
This is an automated email from the ASF dual-hosted git repository. zwoop pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/trafficserver.git The following commit(s) were added to refs/heads/9.0.x by this push: new c7e9fee Fixed bug in the calculation of the header block fragment length (#6923) c7e9fee is described below commit c7e9fee34baba2449fd830388a2da50ab50511ea Author: Bryan Call AuthorDate: Mon Jun 22 16:25:51 2020 -0700 Fixed bug in the calculation of the header block fragment length (#6923) Co-authored-by: Masaori Koshiba (cherry picked from commit 481778679af293ff5558ed965481af683f703531) --- proxy/http2/HPACK.cc| 6 - proxy/http2/Http2ConnectionState.cc | 49 + proxy/http2/Http2Stream.h | 6 ++--- 3 files changed, 35 insertions(+), 26 deletions(-) diff --git a/proxy/http2/HPACK.cc b/proxy/http2/HPACK.cc index 97a2626..4ed3ba7 100644 --- a/proxy/http2/HPACK.cc +++ b/proxy/http2/HPACK.cc @@ -833,7 +833,11 @@ hpack_decode_header_block(HpackIndexingTable _table, HTTPHdr *hdr, cons field->name_get(_len); field->value_get(_len); -total_header_size += name_len + value_len; + +// [RFC 7540] 6.5.2. SETTINGS_MAX_HEADER_LIST_SIZE: +// The value is based on the uncompressed size of header fields, including the length of the name and value in octets plus an +// overhead of 32 octets for each header field. +total_header_size += name_len + value_len + ADDITIONAL_OCTETS; if (total_header_size > max_header_size) { return HPACK_ERROR_SIZE_EXCEEDED_ERROR; diff --git a/proxy/http2/Http2ConnectionState.cc b/proxy/http2/Http2ConnectionState.cc index ecb8cf4..53eac3b 100644 --- a/proxy/http2/Http2ConnectionState.cc +++ b/proxy/http2/Http2ConnectionState.cc 
@@ -257,13 +257,6 @@ rcv_headers_frame(Http2ConnectionState , const Http2Frame ) return Http2Error(Http2ErrorClass::HTTP2_ERROR_CLASS_NONE); } - // keep track of how many bytes we get in the frame - stream->request_header_length += payload_length; - if (stream->request_header_length > Http2::max_header_list_size) { -return Http2Error(Http2ErrorClass::HTTP2_ERROR_CLASS_STREAM, Http2ErrorCode::HTTP2_ERROR_PROTOCOL_ERROR, - "recv headers payload for headers greater than header length"); - } - Http2HeadersParameter params; uint32_t header_block_fragment_offset = 0; uint32_t header_block_fragment_length = payload_length; @@ -282,7 +275,8 @@ rcv_headers_frame(Http2ConnectionState , const Http2Frame ) "recv headers failed to parse"); } -if (params.pad_length > payload_length) { +// Payload length can't be smaller than the pad length +if ((params.pad_length + HTTP2_HEADERS_PADLEN_LEN) > header_block_fragment_length) { return Http2Error(Http2ErrorClass::HTTP2_ERROR_CLASS_CONNECTION, Http2ErrorCode::HTTP2_ERROR_PROTOCOL_ERROR, "recv headers pad > payload length"); } @@ -298,7 +292,7 @@ rcv_headers_frame(Http2ConnectionState , const Http2Frame ) frame.reader()->memcpy(buf, HTTP2_PRIORITY_LEN, header_block_fragment_offset); if (!http2_parse_priority_parameter(make_iovec(buf, HTTP2_PRIORITY_LEN), params.priority)) { return Http2Error(Http2ErrorClass::HTTP2_ERROR_CLASS_CONNECTION, Http2ErrorCode::HTTP2_ERROR_PROTOCOL_ERROR, -"recv headers prioirity parameters failed parse"); +"recv headers priority parameters failed parse"); } // Protocol error if the stream depends on itself if (stream_id == params.priority.stream_dependency) { 
@@ -306,6 +300,12 @@ rcv_headers_frame(Http2ConnectionState , const Http2Frame ) "recv headers self dependency"); } +// Payload length can't be smaller than the priority length +if (HTTP2_PRIORITY_LEN > header_block_fragment_length) { + return Http2Error(Http2ErrorClass::HTTP2_ERROR_CLASS_CONNECTION, Http2ErrorCode::HTTP2_ERROR_PROTOCOL_ERROR, +"recv priority length > payload length"); +} + header_block_fragment_offset += HTTP2_PRIORITY_LEN; header_block_fragment_length -= HTTP2_PRIORITY_LEN; } @@ -325,11 +325,19 @@ rcv_headers_frame(Http2ConnectionState , const Http2Frame ) } } + stream->header_blocks_length = header_block_fragment_length; + + // ATS advertises SETTINGS_MAX_HEADER_LIST_SIZE as a limit of total header blocks length. (Details in [RFC 7560] 10.5.1.) + // Make it double to relax the limit in cases of 1) HPACK is used naively, or 2) Huffman Encoding generates large header blocks. + // The total "decoded" header length is strictly checked by hpack_decode_header_block(). + if (stream->header_blocks_length > std::max(Http2::max_header_list_size, Http2::max_header_list_size * 2)) { +return
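Review bot: In rcv_headers_frame() in proxy/http2/Http2ConnectionState.cc, the new `HTTP2_PRIORITY_LEN > header_block_fragment_length` check sits after `frame.reader()->memcpy(buf, HTTP2_PRIORITY_LEN, header_block_fragment_offset)` and the priority parse. It therefore stops the later `header_block_fragment_length -= HTTP2_PRIORITY_LEN` from wrapping the `uint32_t`, but it does not guard the read itself. Please move the length check ahead of the memcpy so that a HEADERS frame carrying the priority fields with a too-short payload is rejected before any priority bytes are copied.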
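Review bot: In the hunk that sets `stream->header_blocks_length`, the comment cites "[RFC 7560] 10.5.1" while the HPACK.cc hunk in the same patch cites RFC 7540; this looks like a typo for RFC 7540. The limit expression `std::max(Http2::max_header_list_size, Http2::max_header_list_size * 2)` also needs a word of explanation: for a non-negative limit the `std::max` only changes the result if the doubling overflows, so either say that in the comment or do the multiplication in a wider type.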
[trafficserver-site] branch asf-site updated: Automatic Site Publish by Buildbot
This is an automated email from the ASF dual-hosted git repository. git-site-role pushed a commit to branch asf-site in repository https://gitbox.apache.org/repos/asf/trafficserver-site.git The following commit(s) were added to refs/heads/asf-site by this push: new c0f4125 Automatic Site Publish by Buildbot c0f4125 is described below commit c0f4125dbb54ad5646b0709da6f65eff0ee6b077 Author: buildbot AuthorDate: Tue Jun 23 17:52:36 2020 + Automatic Site Publish by Buildbot --- content/downloads.html | 46 +- content/index.html | 20 +++- 2 files changed, 20 insertions(+), 46 deletions(-) diff --git a/content/downloads.html b/content/downloads.html index 4e844ed..1102154 100644 --- a/content/downloads.html +++ b/content/downloads.html @@ -61,9 +61,9 @@ - The latest stable release of Apache Traffic Server is 8.0.7, released on 2020-04-16. -In addition, we continue to support the v7.1.x LTS release train, currently v7.1.10 -which was released on 2020-04-16. We follow the http://semver.org;>Semantic Versioning + The latest stable release of Apache Traffic Server is 8.0.8, released on 2020-06-23. +In addition, we continue to support the v7.1.x LTS release train, currently v7.1.11 +which was released on 2020-06-23. We follow the http://semver.org;>Semantic Versioning scheme. The goal is to release patch releases frequently, and minor releases as needed. Within the major versions, all such patch and minor releases are all compatible. When downloading from a mirror, please be sure to https://www.apache.org/info/verification.html;>verify the hash and OpenPGP 
@@ -72,40 +72,28 @@ the PGP signatures the https://www.apache.org/dist/trafficserver/KEYS;> will be needed. You can also https://archive.apache.org/dist/trafficserver/;>browse through all releases and hash signatures. -Current v8.x Release -- 8.0.7 -Apache Traffic Server v8.0.7 was released on April 16th, 2020. - [https://www.apache.org/dist/trafficserver/trafficserver-8.0.7.tar.bz2.asc;>PGP] - [https://www.apache.org/dist/trafficserver/trafficserver-8.0.7.tar.bz2.sha512;>SHA512] -https://www.apache.org/dyn/closer.cgi/trafficserver/trafficserver-8.0.7.tar.bz2; class="download_ts">Traffic Server 8.0.7 -v8.0.7 is our latest stable release. Additional details for this release are in the -https://raw.githubusercontent.com/apache/trafficserver/8.0.x/CHANGELOG-8.0.7;>CHANGELOG +Current v8.x Release -- 8.0.8 +Apache Traffic Server v8.0.8 was released on June 23rd, 2020. + [https://www.apache.org/dist/trafficserver/trafficserver-8.0.8.tar.bz2.asc;>PGP] + [https://www.apache.org/dist/trafficserver/trafficserver-8.0.8.tar.bz2.sha512;>SHA512] +https://www.apache.org/dyn/closer.cgi/trafficserver/trafficserver-8.0.8.tar.bz2; class="download_ts">Traffic Server 8.0.8 +v8.0.8 is our latest stable release. Additional details for this release are in the +https://raw.githubusercontent.com/apache/trafficserver/8.0.x/CHANGELOG-8.0.8;>CHANGELOG and the the related https://github.com/apache/trafficserver/milestone/37?closed=1;>Github Issues and PRs. For details on the v8.0.x release, please see https://cwiki.apache.org/confluence/display/TS/What's+New+in+v8.0.x">8.0.x News. There are also details about https://cwiki.apache.org/confluence/display/TS/Upgrading+to+v8.0;>upgrading to 8.x. -Current v7.x Release -- 7.1.10 -Apache Traffic Server v7.1.10 was released on April 16th, 2020. 
- [https://www.apache.org/dist/trafficserver/trafficserver-7.1.10.tar.bz2.asc;>PGP] - [https://www.apache.org/dist/trafficserver/trafficserver-7.1.10.tar.bz2.sha512;>SHA512] -https://www.apache.org/dyn/closer.cgi/trafficserver/trafficserver-7.1.10.tar.bz2; class="download_ts">Traffic Server 7.1.10 -v7.1.10 is our latest stable release. Additional details for this release are in the -https://raw.githubusercontent.com/apache/trafficserver/7.1.x/CHANGELOG-7.1.10;>CHANGELOG +Current v7.x Release -- 7.1.11 +Apache Traffic Server v7.1.11 was released on June 23rd, 2020. + [https://www.apache.org/dist/trafficserver/trafficserver-7.1.11.tar.bz2.asc;>PGP] + [https://www.apache.org/dist/trafficserver/trafficserver-7.1.11.tar.bz2.sha512;>SHA512] +https://www.apache.org/dyn/closer.cgi/trafficserver/trafficserver-7.1.11.tar.bz2; class="download_ts">Traffic Server 7.1.11 +v7.1.11 is our latest stable release. Additional details for this release are in the +https://raw.githubusercontent.com/apache/trafficserver/7.1.x/CHANGELOG-7.1.11;>CHANGELOG and the the related https://github.com/apache/trafficserver/milestone/39?closed=1;>Github Issues and PRs. For details on the v7.1.x release train, please see https://cwiki.apache.org/confluence/display/TS/What's+New+in+v7.1.x">7.1.x News. There are also details about https://cwiki.apache.org/confluence/display/TS/Upgrading+to+v7.0;>upgrading to 7.x. -Current v6.x Release -- 6.2.3 -Apache Traffic Server 6.2.3 was
[trafficserver-site] branch asf-site updated: Added 7.1.11 and 8.0.8 releases
This is an automated email from the ASF dual-hosted git repository. bcall pushed a commit to branch asf-site in repository https://gitbox.apache.org/repos/asf/trafficserver-site.git The following commit(s) were added to refs/heads/asf-site by this push: new bb9d846 Added 7.1.11 and 8.0.8 releases bb9d846 is described below commit bb9d8460b642e3b6780758f7ae8c6c3331ab10af Author: Bryan Call AuthorDate: Tue Jun 23 10:52:11 2020 -0700 Added 7.1.11 and 8.0.8 releases --- source/markdown/downloads.mdtext | 51 ++-- source/markdown/index.html | 20 +++- 2 files changed, 20 insertions(+), 51 deletions(-) diff --git a/source/markdown/downloads.mdtext b/source/markdown/downloads.mdtext index 97f8d54..f8aeab9 100644 --- a/source/markdown/downloads.mdtext +++ b/source/markdown/downloads.mdtext @@ -19,9 +19,9 @@ RSS: /rss/releases.rss -The latest stable release of Apache Traffic Server is 8.0.7, released on 2020-04-16. -In addition, we continue to support the v7.1.x LTS release train, currently v7.1.10 -which was released on 2020-04-16. We follow the [Semantic Versioning](http://semver.org) +The latest stable release of Apache Traffic Server is 8.0.8, released on 2020-06-23. +In addition, we continue to support the v7.1.x LTS release train, currently v7.1.11 +which was released on 2020-06-23. We follow the [Semantic Versioning](http://semver.org) scheme. The goal is to release patch releases frequently, and minor releases as needed. Within the major versions, all such patch and minor releases are all compatible. 
@@ -32,55 +32,38 @@ will be needed. You can also [browse through all releases](https://archive.apache.org/dist/trafficserver/) and hash signatures. -# Current v8.x Release -- 8.0.7 # {#8.0.7} +# Current v8.x Release -- 8.0.8 # {#8.0.8} - Apache Traffic Server v8.0.7 was released on April 16th, 2020. - [[`PGP`](https://www.apache.org/dist/trafficserver/trafficserver-8.0.7.tar.bz2.asc)] - [[`SHA512`](https://www.apache.org/dist/trafficserver/trafficserver-8.0.7.tar.bz2.sha512)] + Apache Traffic Server v8.0.8 was released on June 23rd, 2020. + [[`PGP`](https://www.apache.org/dist/trafficserver/trafficserver-8.0.8.tar.bz2.asc)] + [[`SHA512`](https://www.apache.org/dist/trafficserver/trafficserver-8.0.8.tar.bz2.sha512)] - https://www.apache.org/dyn/closer.cgi/trafficserver/trafficserver-8.0.7.tar.bz2; class="download_ts">Traffic Server 8.0.7 + https://www.apache.org/dyn/closer.cgi/trafficserver/trafficserver-8.0.8.tar.bz2; class="download_ts">Traffic Server 8.0.8 -v8.0.7 is our latest stable release. Additional details for this release are in the -[CHANGELOG](https://raw.githubusercontent.com/apache/trafficserver/8.0.x/CHANGELOG-8.0.7) +v8.0.8 is our latest stable release. Additional details for this release are in the +[CHANGELOG](https://raw.githubusercontent.com/apache/trafficserver/8.0.x/CHANGELOG-8.0.8) and the the related [Github Issues and PRs](https://github.com/apache/trafficserver/milestone/37?closed=1). For details on the v8.0.x release, please see [8.0.x News](https://cwiki.apache.org/confluence/display/TS/What's+New+in+v8.0.x). There are also details about [upgrading to 8.x](https://cwiki.apache.org/confluence/display/TS/Upgrading+to+v8.0). -# Current v7.x Release -- 7.1.10 # {#7.1.10} +# Current v7.x Release -- 7.1.11 # {#7.1.11} - Apache Traffic Server v7.1.10 was released on April 16th, 2020. 
- [[`PGP`](https://www.apache.org/dist/trafficserver/trafficserver-7.1.10.tar.bz2.asc)] - [[`SHA512`](https://www.apache.org/dist/trafficserver/trafficserver-7.1.10.tar.bz2.sha512)] + Apache Traffic Server v7.1.11 was released on June 23rd, 2020. + [[`PGP`](https://www.apache.org/dist/trafficserver/trafficserver-7.1.11.tar.bz2.asc)] + [[`SHA512`](https://www.apache.org/dist/trafficserver/trafficserver-7.1.11.tar.bz2.sha512)] - https://www.apache.org/dyn/closer.cgi/trafficserver/trafficserver-7.1.10.tar.bz2; class="download_ts">Traffic Server 7.1.10 + https://www.apache.org/dyn/closer.cgi/trafficserver/trafficserver-7.1.11.tar.bz2; class="download_ts">Traffic Server 7.1.11 -v7.1.10 is our latest stable release. Additional details for this release are in the -[CHANGELOG](https://raw.githubusercontent.com/apache/trafficserver/7.1.x/CHANGELOG-7.1.10) +v7.1.11 is our latest stable release. Additional details for this release are in the +[CHANGELOG](https://raw.githubusercontent.com/apache/trafficserver/7.1.x/CHANGELOG-7.1.11) and the the related [Github Issues and PRs](https://github.com/apache/trafficserver/milestone/39?closed=1). For details on the v7.1.x release train, please see [7.1.x News](https://cwiki.apache.org/confluence/display/TS/What's+New+in+v7.1.x). There are also details about [upgrading to 7.x](https://cwiki.apache.org/confluence/display/TS/Upgrading+to+v7.0). -# Current v6.x Release -- 6.2.3 # {#6.2.3} - - Apache Traffic Server 6.2.3 was released
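Review bot: In source/markdown/downloads.mdtext, the 8.0.8 and 7.1.11 paragraphs keep the "Github Issues and PRs" links of the previous releases (`milestone/37?closed=1` and `milestone/39?closed=1`) as unchanged context; please confirm they point at the milestones for the new versions or update them. While these lines are being edited, "and the the related" can lose the repeated word, and the 7.x section should not also read "is our latest stable release" when the opening paragraph names 8.0.8 as the latest stable release.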
svn commit: r40158 - in /release/trafficserver: trafficserver-7.1.11.tar.bz2 trafficserver-7.1.11.tar.bz2.asc trafficserver-7.1.11.tar.bz2.sha512
Author: bcall Date: Tue Jun 23 17:33:45 2020 New Revision: 40158 Log: Release 7.1.11 Added: release/trafficserver/trafficserver-7.1.11.tar.bz2 (with props) release/trafficserver/trafficserver-7.1.11.tar.bz2.asc (with props) release/trafficserver/trafficserver-7.1.11.tar.bz2.sha512 Added: release/trafficserver/trafficserver-7.1.11.tar.bz2 == Binary file - no diff available. Propchange: release/trafficserver/trafficserver-7.1.11.tar.bz2 -- svn:mime-type = application/x-bzip2 Added: release/trafficserver/trafficserver-7.1.11.tar.bz2.asc == Binary file - no diff available. Propchange: release/trafficserver/trafficserver-7.1.11.tar.bz2.asc -- svn:mime-type = application/pgp-signature Added: release/trafficserver/trafficserver-7.1.11.tar.bz2.sha512 == --- release/trafficserver/trafficserver-7.1.11.tar.bz2.sha512 (added) +++ release/trafficserver/trafficserver-7.1.11.tar.bz2.sha512 Tue Jun 23 17:33:45 2020 @@ -0,0 +1 @@ +c1c39d14bad1109ac30872607cfbb957bcdbb993eb96bc6e04ce53a208322b931698276684e122b43a6da5e62494b7193204eb288fdb9e16a6fb0106c98f8a6f *trafficserver-7.1.11.tar.bz2
svn commit: r40157 - in /release/trafficserver: trafficserver-8.0.8.tar.bz2 trafficserver-8.0.8.tar.bz2.asc trafficserver-8.0.8.tar.bz2.sha512
Author: bcall Date: Tue Jun 23 17:32:56 2020 New Revision: 40157 Log: Release 8.0.8 Added: release/trafficserver/trafficserver-8.0.8.tar.bz2 (with props) release/trafficserver/trafficserver-8.0.8.tar.bz2.asc (with props) release/trafficserver/trafficserver-8.0.8.tar.bz2.sha512 Added: release/trafficserver/trafficserver-8.0.8.tar.bz2 == Binary file - no diff available. Propchange: release/trafficserver/trafficserver-8.0.8.tar.bz2 -- svn:mime-type = application/x-bzip2 Added: release/trafficserver/trafficserver-8.0.8.tar.bz2.asc == Binary file - no diff available. Propchange: release/trafficserver/trafficserver-8.0.8.tar.bz2.asc -- svn:mime-type = application/pgp-signature Added: release/trafficserver/trafficserver-8.0.8.tar.bz2.sha512 == --- release/trafficserver/trafficserver-8.0.8.tar.bz2.sha512 (added) +++ release/trafficserver/trafficserver-8.0.8.tar.bz2.sha512 Tue Jun 23 17:32:56 2020 @@ -0,0 +1 @@ +e412c14f424456f0b813d1e7a05e6e1d4d428ef85c9186dc657c61abc287a9887fd7cd120e43d8b7f406c8aee8279e5311c2f417a0ff3ba347cc391e6a28afea *trafficserver-8.0.8.tar.bz2
[trafficserver] annotated tag 7.1.11 updated (50d569d -> 98c77e2)
This is an automated email from the ASF dual-hosted git repository. bcall pushed a change to annotated tag 7.1.11 in repository https://gitbox.apache.org/repos/asf/trafficserver.git. *** WARNING: tag 7.1.11 was modified! *** from 50d569d (commit) to 98c77e2 (tag) tagging 50d569d13cfa3bf7328e2483380794507ad8e24b (commit) replaces 7.1.10 by Bryan Call on Tue Jun 23 10:21:21 2020 -0700 - Log - Release Candidate 7.1.11 --- No new revisions were added by this update. Summary of changes:
[trafficserver] annotated tag 8.0.8 updated (a29528d -> f6dfe29)
This is an automated email from the ASF dual-hosted git repository. bcall pushed a change to annotated tag 8.0.8 in repository https://gitbox.apache.org/repos/asf/trafficserver.git. *** WARNING: tag 8.0.8 was modified! *** from a29528d (commit) to f6dfe29 (tag) tagging a29528dffb8ea1c6fa57fe0c76ca1ec9d0f08694 (commit) replaces 8.0.7 by Bryan Call on Tue Jun 23 10:01:00 2020 -0700 - Log - Release Candidate 8.0.8 --- No new revisions were added by this update. Summary of changes:
[trafficserver] branch master updated: Update buffer-writer.en.rst (wrong header link) (#6934)
This is an automated email from the ASF dual-hosted git repository. eze pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/trafficserver.git The following commit(s) were added to refs/heads/master by this push: new 6d9d1ba Update buffer-writer.en.rst (wrong header link) (#6934) 6d9d1ba is described below commit 6d9d1ba25b76ae3f9a1cef261860bfd0b281508b Author: Evan Zelkowitz AuthorDate: Tue Jun 23 09:09:30 2020 -0700 Update buffer-writer.en.rst (wrong header link) (#6934) Docs point to a non-existent header file --- doc/developer-guide/internal-libraries/buffer-writer.en.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/developer-guide/internal-libraries/buffer-writer.en.rst b/doc/developer-guide/internal-libraries/buffer-writer.en.rst index 5541caf..bae7c06 100644 --- a/doc/developer-guide/internal-libraries/buffer-writer.en.rst +++ b/doc/developer-guide/internal-libraries/buffer-writer.en.rst @@ -107,7 +107,7 @@ Usage + The header files are divided in to two variants. :ts:git:`include/tscore/BufferWriter.h` provides the basic -capabilities of buffer output control. :ts:git:`include/tscore/BufferWriterFormat.h` provides the basic +capabilities of buffer output control. :ts:git:`include/tscore/BufferWriterForward.h` provides the basic :ref:`formatted output mechanisms `, primarily the implementation and ancillary classes for :class:`BWFSpec` which is used to build formatters.
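Review bot: on the changed line of the hunk at -107,7, the new target `include/tscore/BufferWriterForward.h` is still described as providing "the basic formatted output mechanisms, primarily the implementation and ancillary classes for BWFSpec", and the header's name suggests forward declarations rather than implementation. Please confirm that this header is where the BWFSpec classes actually live; if it only declares them, reword the sentence so the docs do not trade a dead link for a misleading description. While the paragraph is open, "divided in to two variants" on the preceding context line should read "divided into".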