Re: Question on sub requests and output filter context.

2011-09-19 Thread Nick Kew
On Thu, 15 Sep 2011 11:52:38 +0100
Martin Townsend martin.towns...@power-oasis.com wrote:


 Should this new filter also 
 inherit the output filters context?  Am I doing something wrong with my 
 use of mod_include?  I've tried moving my filter so it's after 
 mod_include but still the same problem.

This looks reminiscent of
https://issues.apache.org/bugzilla/show_bug.cgi?id=17629

a bug that lurked a long time before being fixed!

I suggest you read that - particularly comment 30 and later,
and see if it sheds any light on your problem.


-- 
Nick Kew


Re: PATCH: mod_log_config, CookieLog

2011-09-19 Thread Graham Leggett

On 19 Sep 2011, at 1:28 AM, Rich Bowen wrote:

The CookieLog directive has been documented as deprecated since  
mod_log_config was introduced, back in the 1.2 days. Any objection  
to axing it?


Axe it, +1.

Regards,
Graham
--





Re: svn commit: r1172010 - /httpd/httpd/trunk/modules/ssl/ssl_engine_init.c

2011-09-19 Thread Daniel Ruggeri
On 9/19/2011 12:55 AM, Ruediger Pluem wrote:
 On 09/17/2011 06:25 PM, drugg...@apache.org wrote:
  Author: druggeri
  Date: Sat Sep 17 16:25:17 2011
  New Revision: 1172010
  
  URL: http://svn.apache.org/viewvc?rev=1172010&view=rev
  Log:
  Log better information and prevent leak of an X509 structure for 
  SSLProxyMachineCertificateChainFile
  
  Modified:
  httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
  
  Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
  URL: 
  http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_init.c?rev=1172010&r1=1172009&r2=1172010&view=diff
  ==
  --- httpd/httpd/trunk/modules/ssl/ssl_engine_init.c (original)
  +++ httpd/httpd/trunk/modules/ssl/ssl_engine_init.c Sat Sep 17 16:25:17 
  2011
  @@ -1181,21 +1181,57 @@ static void ssl_init_proxy_certs(server_
   X509_STORE_load_locations(store, pkp-ca_cert_file, NULL);
   
   for (n = 0; n  ncerts; n++) {
  -int i;
  +int i, res;
  +char cert_cn[256];
  +
   X509_INFO *inf = sk_X509_INFO_value(pkp-certs, n);
  +X509_NAME *name = X509_get_subject_name(inf-x509);
  +X509_NAME_oneline(name, cert_cn, sizeof(cert_cn));
   X509_STORE_CTX_init(sctx, store, inf-x509, NULL);
  -X509_verify_cert(sctx);
  -ERR_clear_error();
   
  +res=X509_verify_cert(sctx);
 Style violation.

   chain = X509_STORE_CTX_get1_chain(sctx);
  -sk_X509_shift(chain);
  +
  +if (res == 1) {
  +/* Removing the client cert if verification is OK
  + * could save a loop when choosing which cert to send
  + * when more than one is available */
  +/* XXX: This is not needed if we collapse the two
  + * checks in ssl_engine_kernel in the future */
  +X509_free(sk_X509_shift(chain));
  +}
  +else {
  +int n=X509_STORE_CTX_get_error(sctx);
 Overwriting a symbol from the loop is IMHO bad and makes code hard to read. 
 Please use
 another name instead of n. Besides we have a style violation here again.


  +ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
  + SSL proxy client cert chain verification failed 
  for %s: %s,
  + cert_cn, X509_verify_cert_error_string(n));
  +}
  +ERR_clear_error();
   i=sk_X509_num(chain);
   pkp-ca_certs[n] = chain;
  +
  +if (i == 0 || (res != 1  i == 1) ) {
  +/* zero or only the client cert won't be very useful
  + * due to verification failure */
  +sk_X509_pop_free(chain, X509_free);
  +i = 0;
  +pkp-ca_certs[n] = NULL;
  +}
  + 
   X509_STORE_CTX_cleanup(sctx);
   
   ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
  - client certificate %i has loaded %i 
  - intermediate CA%s, n, i, i == 1 ?  : s);
  + loaded %i intermediate CA%s for cert %i (%s),
  + i, i == 1 ?  : s, n, cert_cn);
  +if (i  0) {
  +int j;
  +for (j=0; ji; j++) {
  +char ca_cn[256];
  +X509_NAME *ca_name = 
  X509_get_subject_name(sk_X509_value(chain, j));
  +X509_NAME_oneline(ca_name, ca_cn, sizeof(ca_cn));
  +ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, %i: %s, j, 
  ca_cn);
  +}
  +}
   }
   
   X509_STORE_CTX_free(sctx);
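
Review bot: in the else branch (res != 1) nothing is shifted off chain, so when a failed verification still returns two or more certs, pkp->ca_certs[n] keeps the client cert at index 0 and the debug line "loaded %i intermediate CA%s" counts it as a CA. Either drop the leaf in both branches or discard the chain whenever res != 1. The result of X509_STORE_CTX_get1_chain() is also used without a NULL check before sk_X509_num(chain), so a NULL chain reaches the debug log with a negative count; test for it and skip the entry.
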
  
  
  
 Regards

 Rüdiger


Thank you. Fixed in r1172562.

-- 
Daniel Ruggeri



mod_proxy_fcgi + mod_proxy_balancer vs. php-fpm and query strings

2011-09-19 Thread Jim Riggs
I am having a couple of problems WRT using mod_proxy_fcgi inside a balancer 
proxied to php-fpm. There are lots of variables in this scenario, but I think I 
have narrowed the issues down.  The setup looks like this:

httpd -> balancer -> fcgi balancer members -> php-fpm

Issue 1: PHP-FPM does not handle the proxy:balancer prefix in 
SCRIPT_FILENAME. It does handle proxy:fcgi as a special case (see 
https://bugs.php.net/bug.php?id=54152 fix by jim). So, it seems we need to also 
add a proxy:balancer exception there unless a balanced mod_proxy_fcgi member 
should actually be using proxy:fcgi instead. What are people's thoughts on 
the prefix that should be sent by httpd in this case? To address this for now, 
I have modified PHP (fpm_main.c alongside jim's existing changes).

Issue 2: Once I got Issue 1 addressed, everything started working except in the 
case of a query string. I spent considerable time tracing and trying to figure 
out where the issue is occurring, but I am hoping one of you who is much more 
familiar with the code than I will be able to say, "Oh, look right here." The 
problem is that the query string is getting appended to SCRIPT_FILENAME if 
proxied through a balancer. FPM does not like this. It does not seem to happen 
in the case of proxying directly to fcgi://..., but once I change this to 
balancer://..., the query string gets added to SCRIPT_FILENAME. I believe 
this happened with both ProxyPass* and mod_rewrite [P]. In mod_rewrite, this 
should get handled in splitout_queryargs(), but somehow it is getting added 
back (probably in proxy_balancer_canon() which adds the query string back to 
r->filename?). For right now, I have done a brute-force fix for this by 
adding the code below to the beginning of send_environment() in 
mod_proxy_fcgi.c, before the calls to ap_add_common_vars() and 
ap_add_cgi_vars(). I am guessing that this isn't the ultimate fix for this 
issue, so I am interested in others' thoughts.

+/* Remove query string from r-filename (r-args is already set and passed 
via QUERY_STRING) */
+q = ap_strchr_c(r-filename, '?');
+if (q != NULL) {
+*q = '\0';
+}
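
Review bot: the write through q truncates r->filename in place for the rest of the request, and ap_strchr_c() is the const-returning variant, so assigning its result to a pointer that is then written through sidesteps the const check (the declaration of q is not in the snippet). Use ap_strchr() on r->filename if the in-place cut is intended, or build a separate copy without the query string for SCRIPT_FILENAME and leave r->filename untouched.
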



Re: PATCH: mod_log_config, CookieLog

2011-09-19 Thread Jim Jagielski
bye bye :)

On Sep 18, 2011, at 7:28 PM, Rich Bowen wrote:

 The CookieLog directive has been documented as deprecated since 
 mod_log_config was introduced, back in the 1.2 days. Any objection to axing 
 it?
 
 
 
 
 Index: docs/manual/mod/mod_log_config.xml
 ===
 --- docs/manual/mod/mod_log_config.xml(revision 1172391)
 +++ docs/manual/mod/mod_log_config.xml(working copy)
 @@ -361,23 +361,6 @@
 /directivesynopsis
 
 directivesynopsis
 -nameCookieLog/name
 -descriptionSets filename for the logging of cookies/description
 -syntaxCookieLog varfilename/var/syntax
 -contextlistcontextserver config/contextcontextvirtual host/context
 -/contextlist
 -compatibilityThis directive is deprecated./compatibility
 -
 -usage
 -pThe directiveCookieLog/directive directive sets the 
 -filename for logging of cookies. The filename is relative to the
 -directive module=coreServerRoot/directive. This directive is
 -included only for compatibility with codemod_cookies/code,
 -and is deprecated./p
 -/usage
 -/directivesynopsis
 -
 -directivesynopsis
 nameCustomLog/name
 descriptionSets filename and format of log file/description
 syntaxCustomLog  varfile/var|varpipe/var
 Index: modules/loggers/mod_log_config.c
 ===
 --- modules/loggers/mod_log_config.c  (revision 1172391)
 +++ modules/loggers/mod_log_config.c  (working copy)
 @@ -31,9 +31,6 @@
  *Log to file fn with format given by the format
  *argument
  *
 - *CookieLog fnFor backwards compatability with old Cookie
 - *logging module - now deprecated.
 - *
  * There can be any number of TransferLog and CustomLog
  * commands. Each request will be logged to _ALL_ the
  * named files, in the appropriate format.
 @@ -1284,11 +1281,6 @@
 return add_custom_log(cmd, dummy, fn, NULL, NULL);
 }
 
 -static const char *set_cookie_log(cmd_parms *cmd, void *dummy, const char 
 *fn)
 -{
 -return add_custom_log(cmd, dummy, fn, %{Cookie}n \%r\ %t, NULL);
 -}
 -
 static const char *set_buffered_logs_on(cmd_parms *parms, void *dummy, int 
 flag)
 {
 buffered_logs = flag;
 @@ -1311,8 +1303,6 @@
  the filename of the access log),
 AP_INIT_TAKE12(LogFormat, log_format, NULL, RSRC_CONF,
  a log format string (see docs) and an optional format name),
 -AP_INIT_TAKE1(CookieLog, set_cookie_log, NULL, RSRC_CONF,
 - the filename of the cookie log),
 AP_INIT_FLAG(BufferedLogs, set_buffered_logs_on, NULL, RSRC_CONF,
  Enable Buffered Logging (experimental)),
 {NULL}
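
Review bot: dropping the AP_INIT_TAKE1(CookieLog, ...) entry makes any configuration that still carries CookieLog fail at startup as an unknown directive, and the patch has no CHANGES entry or upgrade note to say so. Add both, naming the CustomLog equivalent with the format string that set_cookie_log() passed to add_custom_log().
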
 
 
 
 --
 Rich Bowen
 rbo...@rcbowen.com
 rbo...@apache.org
 
 
 
 
 
 



Re: Pushing for httpd 2.4.0 GA

2011-09-19 Thread Jim Jagielski

On Sep 18, 2011, at 6:17 PM, Rich Bowen wrote:
- mod_lbmethod_bybusyness
- mod_lbmethod_byrequests
- mod_lbmethod_bytraffic

Do we really need full doccos for these sub modules?
No matter what, these would be easy to do since mod_proxy
and mod_proxy_balancer pretty much describe them anyway ;)



Re: Pushing for httpd 2.4.0 GA

2011-09-19 Thread Jim Jagielski

On Sep 18, 2011, at 6:52 PM, Rainer Jung wrote:
 
- mod_heartbeat
- mod_heartmonitor
 
 Those two were mainly provided by Jean-Frederic (AFAIR).
I think these were Paul's…

- mod_lbmethod_heartbeat
 

As was this.



Re: Pushing for httpd 2.4.0 GA

2011-09-19 Thread Jim Jagielski

On Sep 18, 2011, at 6:52 PM, Rainer Jung wrote:

 
- mpm_simple
 
 mpm_simple likely to get dropped for 2.4, see our main STATUS file
 

I hope to spend some time diving into mod_simple… I have some
uncommitted patches that I need to re-look at.



Re: Pushing for httpd 2.4.0 GA

2011-09-19 Thread Rich Bowen

On Sep 19, 2011, at 8:58 AM, Jim Jagielski wrote:

 
 On Sep 18, 2011, at 6:17 PM, Rich Bowen wrote:
   - mod_lbmethod_bybusyness
   - mod_lbmethod_byrequests
   - mod_lbmethod_bytraffic
 
 Do we really need full doccos for these sub modules?
 No matter what, these would be easy to do since mod_proxy
 and mod_proxy_balancer pretty much describe them anyway ;)

Someone's created enough of a doc to say what the module is after someone spots 
it in httpd -M and wants to know what it is. I'll update them to not promise 
more. That is, they currently say "This document is still under development," 
but I think what's there is probably sufficient for the purpose.

--
Rich Bowen
rbo...@rcbowen.com
rbo...@apache.org








Re: mod_proxy_fcgi + mod_proxy_balancer vs. php-fpm and query strings

2011-09-19 Thread Mark Montague

On September 19, 2011 8:37 , Jim Riggs apache-li...@riggs.me wrote:

httpd -> balancer -> fcgi balancer members -> php-fpm

Issue 1: PHP-FPM does not handle the proxy:balancer prefix in SCRIPT_FILENAME. It does handle 
proxy:fcgi as a special case (see https://bugs.php.net/bug.php?id=54152 fix by jim). So, it seems we need 
to also add a proxy:balancer exception there unless a balanced mod_proxy_fcgi member should actually be 
using proxy:fcgi instead. What are people's thoughts on the prefix that should be sent by httpd in this 
case? To address this for now, I have modified PHP (fpm_main.c alongside jim's existing changes).


As the person who wrote the changes that Jim later modified and 
committed, this seems reasonable to me, assuming it is correct (I say 
assuming only because I have never used mod_proxy_fcgi in a balancer 
configuration).




Issue 2: Once I got Issue 1 addressed, everything started working except in the case of a query string. I spent 
considerable time tracing and trying to figure out where the issue is occurring, but I am hoping one of you who is much 
more familiar with the code than I will be able to say, "Oh, look right here." The problem is that the query 
string is getting appended to SCRIPT_FILENAME if proxied through a balancer. FPM does not like this. It does not seem to 
happen in the case of proxying directly to fcgi://..., but once I change this to balancer://..., 
the query string gets added to SCRIPT_FILENAME. I believe this happened with both ProxyPass* and mod_rewrite [P]. In 
mod_rewrite, this should get handled in splitout_queryargs(), but somehow it is getting added back (probably in 
proxy_balancer_canon() which adds the query string back to r->filename?). For right now, I have done a brute-force 
fix for this by adding the code below to the beginning of send_environment() in mod_proxy_fcgi.c, before the 
calls to ap_add_common_vars() and ap_add_cgi_vars(). I am guessing that this isn't the ultimate fix for this issue, so I 
am interested in others' thoughts.

+/* Remove query string from r-filename (r-args is already set and passed 
via QUERY_STRING) */
+q = ap_strchr_c(r-filename, '?');
+if (q != NULL) {
+*q = '\0';
+}



This sounds like it is related to 
https://issues.apache.org/bugzilla/show_bug.cgi?id=51077 as well.  
Probably a new patch is needed to consistently and properly fix all of 
the cases (regular, mod_proxy_{f,s}cgi, mod_proxy_{f,s}cgi + balancer).


--
  Mark Montague
  m...@catseye.org




Re: Question on sub requests and output filter context.

2011-09-19 Thread Martin Townsend

On 18/09/2011 11:34, Sorin Manolache wrote:

On Thu, Sep 15, 2011 at 12:52, Martin Townsend
martin.towns...@power-oasis.com  wrote:

Hi,

I have an output filter that parses custom tags to retrieve data from an
application running on the same device.

Everything was working well until I tried to move some HTML into Server Side
Include pages.  Snippet below:

<?smu smu extio_sensor_read mappings ?>
<?smu smu extio_read front_ana all led ?>
<?smu smu extio_read rear_ana all led ?>

<!--#include virtual="/include/SSI_SensorStatus.html" -->
<!--#include virtual="/include/SSI_SensorStatusAnalogRear.html" -->

The first three commands will populate hash tables that are saved in my
output filters context.
The HTML in the included pages then use custom tags to query the hash tables
but for some reason the hash tables are NULL.

Having stepped through with the debugger I can see that the pointer to the
output filter when processing the main HTML page is different to the one
when parsing custom tags in SSI pages.  Looking through mod_include I can
see it creates a sub request for include and sub requests call
make_sub_request to create a new filter.  Should this new filter also
inherit the output filters context?  Am I doing something wrong with my use
of mod_include?  I've tried moving my filter so it's after mod_include but
still the same problem.

I'm using Server version: Apache/2.2.19 (Unix) on an  ARM board.

Best Regards,
Martin.



How do you construct the context of your filter? At the first
invocation of the filter or in the init function of the filter?

In the second case, it could be that you construct the context twice,
the first time in the main request processing and the second time in
the subrequest processing.

In my opinion, apache uses the same filter structure in both the main
and the sub request. In mod_includes apache creates a subrequest,
passing f->next to it. Thus, the first filter in the filter chain of
the subrequest is the filter succeeding the INCLUDES filter. In my
opinion, if you place your filter before the INCLUDES filter, your
filter should not be called in the subrequest if yours is an
AP_FTYPE_RESOURCE filter. If you place your filter after the INCLUDES
filter, the hash tables you mention are not initialised at the time
when your filter processes the responses of the includes subrequests.
I am not sure of what I'm saying because I have no experience in how
mod_includes interacts with other filters. Anyway, I hope this helps.

Have a look in server/request.c at make_sub_request. The subrequest
inherits the protocol filters of the main request, but not all of the
non-protocol output filters of the main request. Maybe you should make
your filter an AP_FTYPE_PROTOCOL filter such that it is not removed
from the chain by mod_includes.

S


Hi,

Thanks for the reply, I create the context when the filter is invoked, 
below is my output filter hook that I use.


apr_status_t
smu_output_filter(
    ap_filter_t * filter_in_p,
    apr_bucket_brigade * bb_in_p
) {
    apr_status_t rv;

    if(APR_BRIGADE_EMPTY(bb_in_p)) {
        return APR_SUCCESS;
    }

    /* If this filter has been called for the first time then create a new one */
    if(!filter_in_p->ctx) {
        rv = mod_smu_output_filter_ctx_init(filter_in_p);
        if(rv != APR_SUCCESS) {
            /* If we fail to initialise let other filters try and finish. */
            return ap_pass_brigade(filter_in_p->next, bb_in_p);
        }
    }

    /* ... remainder of the filter is not shown in the post ... */
}



Here is the code that registers it
ap_register_output_filter(
smu_output_filter_name,
smu_output_filter,
NULL,
AP_FTYPE_RESOURCE + 2);

So it should be after the include filter.

I've stepped through the code and the filter_in_p->ctx of the sub 
request is NULL so I then create a new one.  As Joachim suggests this is 
expected behaviour, I need a method of storing my hash tables so they are 
preserved across requests and sub requests.  So 2 questions:
1) In my output filter can I get the context of the main request's filter 
and use this in the sub request?
2) If not, what other mechanism can I use? As these hash tables only need 
to persist for the lifetime of the request, is there something in the 
request structure?  Maybe use the notes table where the value 
parameter is cast to a pointer to a hash table.


Thanks in advance,
Martin.



Re: mod_proxy_fcgi + mod_proxy_balancer vs. php-fpm and query strings

2011-09-19 Thread Jim Jagielski
I'll look at all this when I have some time in a few days…

On Sep 19, 2011, at 10:32 AM, Mark Montague wrote:

 On September 19, 2011 8:37 , Jim Riggs apache-li...@riggs.me wrote:
 httpd -> balancer -> fcgi balancer members -> php-fpm
 
 Issue 1: PHP-FPM does not handle the proxy:balancer prefix in 
 SCRIPT_FILENAME. It does handle proxy:fcgi as a special case (see 
 https://bugs.php.net/bug.php?id=54152 fix by jim). So, it seems we need to 
 also add a proxy:balancer exception there unless a balanced mod_proxy_fcgi 
 member should actually be using proxy:fcgi instead. What are people's 
 thoughts on the prefix that should be sent by httpd in this case? To address 
 this for now, I have modified PHP (fpm_main.c alongside jim's existing 
 changes).
 
 As the person who wrote the changes that Jim later modified and committed, 
 this seems reasonable to me, assuming it is correct (I say assuming only 
 because I have never used mod_proxy_fcgi in a balancer configuration).
 
 
 Issue 2: Once I got Issue 1 addressed, everything started working except in 
 the case of a query string. I spent considerable time tracing and trying to 
 figure out where the issue is occurring, but I am hoping one of you who is 
 much more familiar with the code than I will be able to say, "Oh, look right 
 here." The problem is that the query string is getting appended to 
 SCRIPT_FILENAME if proxied through a balancer. FPM does not like this. It 
 does not seem to happen in the case of proxying directly to fcgi://..., 
 but once I change this to balancer://..., the query string gets added to 
 SCRIPT_FILENAME. I believe this happened with both ProxyPass* and 
 mod_rewrite [P]. In mod_rewrite, this should get handled in 
 splitout_queryargs(), but somehow it is getting added back (probably in 
 proxy_balancer_canon() which adds the query string back to r->filename?). 
 For right now, I have done a brute-force fix for this by adding the code 
 below to the beginning of send_environment() in mod_proxy_fcgi.c, before the 
 calls to ap_add_common_vars() and ap_add_cgi_vars(). I am guessing that this 
 isn't the ultimate fix for this issue, so I am interested in others' 
 thoughts.
 
 +/* Remove query string from r-filename (r-args is already set and 
 passed via QUERY_STRING) */
 +q = ap_strchr_c(r-filename, '?');
 +if (q != NULL) {
 +*q = '\0';
 +}
 
 
 This sounds like it is related to 
 https://issues.apache.org/bugzilla/show_bug.cgi?id=51077 as well.  Probably a 
 new patch is needed to consistently and properly fix all of the cases 
 (regular, mod_proxy_{f,s}cgi, mod_proxy_{f,s}cgi + balancer).
 
 --
  Mark Montague
  m...@catseye.org
 
 



Re: EOL for 2.0

2011-09-19 Thread William A. Rowe Jr.
On 9/17/2011 8:59 PM, Rich Bowen wrote:
 
 On Sep 16, 2011, at 11:59 AM, William A. Rowe Jr. wrote:
 
 On 9/16/2011 12:51 AM, Issac Goldstand wrote:
 IIRC, we talked about making 2.0 EOL when we make the next release, but
 I don't think we ever formalized the decision. 

 Does anyone have comments for or against announcing 2.0 End-Of-Life at a
 set time (say 3 months) following the release of 2.4?

 Yes, I'd prefer we set a 12 month sunset on 2.0 in conjunction with the
 2.4 release, not 3 months later when nobody is paying attention.
 
 +1. While I'd like to be rid of it earlier, I think 3 months is too fast. 12 
 months may be too long, but we lose nothing by setting it there rather than 
 too short.

A 12 mos sunset is what we declared for 1.3 (or that is effectively what
happened)... we announced the final 1.3.42, and over the following 12 mos,
we examined various security complaints and found that none really applied.
In that time we turned off httpd-1.3 in bugzilla and warned everyone of its
end of life, no further releases.

And at the end of those 12 mos (13-14 actually) I pulled httpd-1.3.42 off of
downloads.xml, out of dist/httpd/, and removed various other references.
There is now simply a few remaining references to archive.a.o, which will
incidentally mention this is where old 1.3 can be found.

We can easily do the same with 2.0.64; no further bugfix releases expected,
and security fixes will end 12 months from the release of 2.4.0.  That is
what sunset refers to, very limited support before being entirely abandoned.
We didn't even promise to go this far in 1.3 (we said security -patches- would
be announced during its sunset).

During those 12 mos, various sites made their own calls on statements about
their third party modules for 1.3, ranging from 'we quit updating effective
immediately' to 'we'll keep supporting and updating our module, irrespective
of the ASF's project'.  Which is all fine, it is entirely their individual
choice as individual projects.  But we framed the conversation so they could
each come up with their own messaging to their own end users.


Re: svn commit: r1172686 - in /httpd/httpd/trunk: ./ include/ modules/cache/ modules/examples/ modules/proxy/ modules/ssl/ server/ server/mpm/event/ server/mpm/worker/

2011-09-19 Thread Roy T. Fielding
I am pretty sure that this kind of change has been vetoed numerous
times in the past.  What has changed?

Roy

On Sep 19, 2011, at 9:25 AM, s...@apache.org wrote:

 Author: sf
 Date: Mon Sep 19 16:25:42 2011
 New Revision: 1172686
 
 URL: http://svn.apache.org/viewvc?rev=1172686&view=rev
 Log:
 Add wrappers for malloc, calloc, realloc that check for out of memory
 situations.  Use them in most places where malloc, and friends are used.
 This results in clean error messages in an out of memory situation instead of
 segfaulting or silently malfunctioning. In some places, it just allows to
 remove some logging code.
 
 PR 51568, PR 51569, PR 51571.
 
 Modified:
httpd/httpd/trunk/CHANGES
httpd/httpd/trunk/include/ap_config.h
httpd/httpd/trunk/include/ap_mmn.h
httpd/httpd/trunk/include/httpd.h
httpd/httpd/trunk/modules/cache/cache_cache.c
httpd/httpd/trunk/modules/cache/cache_hash.c
httpd/httpd/trunk/modules/cache/cache_pqueue.c
httpd/httpd/trunk/modules/cache/mod_socache_dbm.c
httpd/httpd/trunk/modules/examples/mod_case_filter_in.c
httpd/httpd/trunk/modules/proxy/proxy_util.c
httpd/httpd/trunk/modules/ssl/ssl_util.c
httpd/httpd/trunk/server/config.c
httpd/httpd/trunk/server/main.c
httpd/httpd/trunk/server/mpm/event/event.c
httpd/httpd/trunk/server/mpm/worker/worker.c
httpd/httpd/trunk/server/mpm_unix.c
httpd/httpd/trunk/server/scoreboard.c
httpd/httpd/trunk/server/util.c
 
 Modified: httpd/httpd/trunk/CHANGES
 URL: 
 http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=1172686&r1=1172685&r2=1172686&view=diff
 ==
 --- httpd/httpd/trunk/CHANGES [utf-8] (original)
 +++ httpd/httpd/trunk/CHANGES [utf-8] Mon Sep 19 16:25:42 2011
 @@ -12,6 +12,10 @@ Changes with Apache 2.3.15
  PR 51714. [Stefan Fritsch, Jim Jagielski, Ruediger Pluem, Eric Covener,
  lowprio20 gmail.com]
 
 +  *) Add wrappers for malloc, calloc, realloc that check for out of memory
 + situations and use them in many places. PR 51568, PR 51569, PR 51571.
 + [Stefan Fritsch]
 +
   *) Fix cross-compilation of mod_cgi/mod_cgid when APR_HAVE_STRUCT_RLIMIT is 
  false but RLIMIT_* are defined.  PR51371. [Eric Covener]
 
 
 Modified: httpd/httpd/trunk/include/ap_config.h
 URL: 
 http://svn.apache.org/viewvc/httpd/httpd/trunk/include/ap_config.h?rev=1172686&r1=1172685&r2=1172686&view=diff
 ==
 --- httpd/httpd/trunk/include/ap_config.h (original)
 +++ httpd/httpd/trunk/include/ap_config.h Mon Sep 19 16:25:42 2011
 @@ -182,4 +182,12 @@
 #define ap_func_attr_sentinel
 #endif
 
 +#if ( defined(__GNUC__) \
 +  (__GNUC__ = 4 || ( __GNUC__ == 3  __GNUC_MINOR__ = 4))) \
 +|| __has_attribute(warn_unused_result)
 +#define ap_func_attr_warn_unused_result   __attribute__((warn_unused_result))
 +#else
 +#define ap_func_attr_warn_unused_result
 +#endif
 +
 #endif /* AP_CONFIG_H */
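
Review bot: the || __has_attribute(warn_unused_result) term in the new #if only preprocesses on compilers that lack that builtin if a fallback definition of __has_attribute precedes this block, and this hunk does not show one. Confirm that a fallback such as "#define __has_attribute(x) 0" is in place above it, and add a one-line comment saying what ap_func_attr_warn_unused_result is for.
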
 
 Modified: httpd/httpd/trunk/include/ap_mmn.h
 URL: 
 http://svn.apache.org/viewvc/httpd/httpd/trunk/include/ap_mmn.h?rev=1172686&r1=1172685&r2=1172686&view=diff
 ==
 --- httpd/httpd/trunk/include/ap_mmn.h (original)
 +++ httpd/httpd/trunk/include/ap_mmn.h Mon Sep 19 16:25:42 2011
 @@ -352,6 +352,8 @@
  * 20110724.5 (2.3.15-dev) add ap_set_accept_ranges()
  * 20110724.6 (2.3.15-dev) add max_overlaps and max_reversals to 
 core_dir_config
  * 20110724.7 (2.3.15-dev) add ap_random_insecure_bytes(), ap_random_pick()
 + * 20110724.8 (2.3.15-dev) add ap_abort_on_oom(), ap_malloc(), ap_calloc(),
 + * ap_realloc()
  */
 
 #define MODULE_MAGIC_COOKIE 0x41503234UL /* AP24 */
 @@ -359,7 +361,7 @@
 #ifndef MODULE_MAGIC_NUMBER_MAJOR
 #define MODULE_MAGIC_NUMBER_MAJOR 20110724
 #endif
 -#define MODULE_MAGIC_NUMBER_MINOR 7/* 0...n */
 +#define MODULE_MAGIC_NUMBER_MINOR 8/* 0...n */
 
 /**
  * Determine if the server's current MODULE_MAGIC_NUMBER is at least a
 
 Modified: httpd/httpd/trunk/include/httpd.h
 URL: 
 http://svn.apache.org/viewvc/httpd/httpd/trunk/include/httpd.h?rev=1172686&r1=1172685&r2=1172686&view=diff
 ==
 --- httpd/httpd/trunk/include/httpd.h (original)
 +++ httpd/httpd/trunk/include/httpd.h Mon Sep 19 16:25:42 2011
 @@ -2086,6 +2086,38 @@ AP_DECLARE(void) ap_random_insecure_byte
  */
 AP_DECLARE(apr_uint32_t) ap_random_pick(apr_uint32_t min, apr_uint32_t max);
 
 +/**
 + * Abort with a error message signifying out of memory
 + */
 +AP_DECLARE(void) ap_abort_on_oom(void) __attribute__((noreturn));
 +
 +/**
 + * Wrapper for malloc() that calls ap_abort_on_oom() if out of memory
 + * @param size size of the memory block
 + * @return pointer to the allocated memory
 + * @note ap_malloc may be 
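
Review bot: the doc comment on ap_abort_on_oom() reads "Abort with a error message"; make it "an error message" and state that the function does not return, since every caller of the wrappers relies on that. The declaration also spells out __attribute__((noreturn)) directly while ap_config.h in this same commit adds an ap_func_attr_* macro for warn_unused_result; a matching macro would keep the attribute handling in one place.
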

Re: svn commit: r1172686 - in /httpd/httpd/trunk: ./ include/ modules/cache/ modules/examples/ modules/proxy/ modules/ssl/ server/ server/mpm/event/ server/mpm/worker/

2011-09-19 Thread Stefan Fritsch
On Monday 19 September 2011, Roy T. Fielding wrote:
 I am pretty sure that this kind of change has been vetoed numerous
 times in the past.  What has changed?

Probably nothing, except maybe the involved people. But I couldn't 
find any discussion about this (just about handling oom in APR, which 
is unrelated).

The reasons for this change are stated in the commit message. Either 
we add logging/handling code to every call of malloc and friends, or 
we make a wrapper. Just continuing is usually wrong. Even such 
seemingly innocuous things as not adding an entry to a cache in an out 
of mem situation can cause much time to be wasted for debugging. We 
had that with the LDAP cache in the past.

Besides, aborting with an error message is exactly what we do if an 
allocation from a pool fails (via the pool abort function). So why 
handle malloc differently?

 
 Roy
 
 On Sep 19, 2011, at 9:25 AM, s...@apache.org wrote:
  Author: sf
  Date: Mon Sep 19 16:25:42 2011
  New Revision: 1172686
  
  URL: http://svn.apache.org/viewvc?rev=1172686&view=rev
  Log:
  Add wrappers for malloc, calloc, realloc that check for out of
  memory situations.  Use them in most places where malloc, and
  friends are used. This results in clean error messages in an out
  of memory situation instead of segfaulting or silently
  malfunctioning. In some places, it just allows to remove some
  logging code.
  
  PR 51568, PR 51569, PR 51571.
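
The choice argued in the message above (abort with a message, or carry on with a NULL pointer), shown as an added example that is not the r1172686 code and not taken from the httpd tree. The demo_* wrappers, the case_* callers and the oversized request are hypothetical and constructed here; each case runs in a forked child so the terminating signal can be compared.

```c
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical demo_* wrappers, constructed for this example. The reporter
 * uses write(), which needs no memory, then aborts. It never returns. */
static void demo_abort_on_oom(void)
{
    static const char msg[] = "demo: memory allocation failed, aborting\n";
    ssize_t ignored = write(STDERR_FILENO, msg, sizeof(msg) - 1);
    (void)ignored;
    abort();
}

void *demo_malloc(size_t size)
{
    void *p = malloc(size);
    /* NULL for a zero-byte request is allowed and is not OOM. */
    if (p == NULL && size != 0)
        demo_abort_on_oom();
    return p;
}

void *demo_calloc(size_t nelem, size_t size)
{
    void *p = calloc(nelem, size); /* also fails when nelem * size overflows */
    if (p == NULL && nelem != 0 && size != 0)
        demo_abort_on_oom();
    return p;
}

void *demo_realloc(void *ptr, size_t size)
{
    void *p = realloc(ptr, size);
    if (p == NULL && size != 0)
        demo_abort_on_oom();
    return p;
}

/* Constructed failing request; volatile keeps the compiler from folding it. */
static volatile size_t demo_huge = SIZE_MAX;

/* Unchecked caller: the NULL from the failed allocation is written through. */
void case_unchecked(void)
{
    volatile char *p = malloc(demo_huge);
    p[0] = 1;
}

/* Same caller through the wrapper: the process stops before p is used. */
void case_checked(void)
{
    volatile char *p = demo_malloc(demo_huge);
    p[0] = 1;
}

void case_calloc_overflow(void)
{
    volatile char *p = demo_calloc(demo_huge, 2);
    p[0] = 1;
}

/* Zero-size requests must pass through the wrappers without aborting. */
void case_zero_sizes(void)
{
    free(demo_malloc(0));
    free(demo_calloc(0, 8));
    free(demo_realloc(demo_malloc(16), 0));
}

/* Run fn in a forked child: killing signal, 0 for normal exit, -1 on error. */
int demo_child_signal(void (*fn)(void))
{
    int status = 0;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        struct rlimit no_core = { 0, 0 };
        setrlimit(RLIMIT_CORE, &no_core); /* no core file from the demo */
        fn();
        _exit(0);
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFSIGNALED(status) ? WTERMSIG(status) : 0;
}

int main(void)
{
    printf("unchecked=%d checked=%d overflow=%d zero=%d\n",
           demo_child_signal(case_unchecked), demo_child_signal(case_checked),
           demo_child_signal(case_calloc_overflow), demo_child_signal(case_zero_sizes));
    return 0;
}
```

The unchecked caller dies on the bad write with no message, while the wrapped callers stop at the allocation site with one log line, which is the difference the commit log describes.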


Re: svn commit: r1172686 - in /httpd/httpd/trunk: ./ include/ modules/cache/ modules/examples/ modules/proxy/ modules/ssl/ server/ server/mpm/event/ server/mpm/worker/

2011-09-19 Thread William A. Rowe Jr.
On 9/19/2011 1:20 PM, Stefan Fritsch wrote:
 
 Besides, aborting with an error message is exactly what we do if an 
 allocation from a pool fails (via the pool abort function). So why 
 handle malloc differently?

We install a pool abort function in httpd?


Re: svn commit: r1172686 - in /httpd/httpd/trunk: ./ include/ modules/cache/ modules/examples/ modules/proxy/ modules/ssl/ server/ server/mpm/event/ server/mpm/worker/

2011-09-19 Thread Stefan Fritsch
On Monday 19 September 2011, William A. Rowe Jr. wrote:
 On 9/19/2011 1:20 PM, Stefan Fritsch wrote:
  Besides, aborting with an error message is exactly what we do if
  an allocation from a pool fails (via the pool abort function).
  So why handle malloc differently?
 
 We install a pool abort function in httpd?

Yes, in main.c. But only in trunk, not in 2.2.x.



Re: svn commit: r1172686 - in /httpd/httpd/trunk: ./ include/ modules/cache/ modules/examples/ modules/proxy/ modules/ssl/ server/ server/mpm/event/ server/mpm/worker/

2011-09-19 Thread Stefan Fritsch
On Monday 19 September 2011, Stefan Fritsch wrote:
 On Monday 19 September 2011, William A. Rowe Jr. wrote:
  On 9/19/2011 1:20 PM, Stefan Fritsch wrote:
   Besides, aborting with an error message is exactly what we do
   if an allocation from a pool fails (via the pool abort
   function). So why handle malloc differently?
  
  We install a pool abort function in httpd?
 
 Yes, in main.c. But only in trunk, not in 2.2.x.

Found some discussion:

http://mail-archives.apache.org/mod_mbox/httpd-dev/200605.mbox/%3c20060510120403.gb13...@redhat.com%3E



Re: svn commit: r1172010 - /httpd/httpd/trunk/modules/ssl/ssl_engine_init.c

2011-09-19 Thread Kaspar Brand
On 17.09.2011 18:25, drugg...@apache.org wrote:
 +if (res == 1) {
 +/* Removing the client cert if verification is OK
 + * could save a loop when choosing which cert to send
 + * when more than one is available */
 +/* XXX: This is not needed if we collapse the two
 + * checks in ssl_engine_kernel in the future */
 +X509_free(sk_X509_shift(chain));

IMO, you can always drop the first element of the chain, since you only
want to remember CA certs in pkp->ca_certs.

 +else {
 +int n=X509_STORE_CTX_get_error(sctx);
 +ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
 + SSL proxy client cert chain verification failed 
 for %s: %s,
 + cert_cn, X509_verify_cert_error_string(n));
 +}

Here, cert_cn holds the X509_NAME_oneline() string of the subject DN.
Either the variable name is a misnomer or a typo (did you mean cert_dn
instead of cert_cn?), but more importantly, we should not add new code
which still calls X509_NAME_oneline(), at least for trunk... as its
OpenSSL man page states: "its use is strongly discouraged in new
applications."

I have just added ssl_log_xerror() and SSL_X509_NAME_to_string() in
r1172797, can you adapt the code in ssl_callback_proxy_cert() to make
use of these where applicable/possible? Hopefully this makes logging
cert details in mod_ssl more straightforward.

Kaspar


Re: Pushing for httpd 2.4.0 GA

2011-09-19 Thread Keith Mashinter
Just a reminder about this, providing a way to phase out a server by only 
accepting existing sessions/routed requests. 
 
|51247|New|Enh|2011-05-23|Enhance mod_proxy and _balancer with worker status
 
I've reviewed the other patch 
https://issues.apache.org/bugzilla/show_bug.cgi?id=48841 and I had a similar 
idea, wondering if the route-only intent would happen if I tried to set 
lbfactor=0 but it only allowed values 1-100 and I worried about the complexity 
of changing the lbmethod formulae so using a separate status code seemed 
cleaner.  It's a bit of a magic value, but an intuitive one I think.  On the 
user surface lbfactor=0 requires less change than my ROUTE_ONLY to the 
configuration and balancer-manager but it needs some documentation to clarify 
the intent.
 
I also attached a patch to 
https://issues.apache.org/bugzilla/show_bug.cgi?id=51247 for the trunk, but 
since I'm having trouble with the overall compile it's in theory.  Please 
forgive compile issues, but I wanted to at least share the thought and will 
update when I can verify a compile and test run.

In the end, either solution can work, and my hope is that multiple attempts at 
the same goal make a stronger case to bring the functionality to the 2.2.x 
stream for people to enjoy sooner rather than later.

\|/- Keith Mashinter 
kmash...@yahoo.com

From: Jim Jagielski j...@jagunet.com
To: dev@httpd.apache.org
Sent: Monday, September 19, 2011 9:00:44 AM
Subject: Re: Pushing for httpd 2.4.0 GA


On Sep 18, 2011, at 6:52 PM, Rainer Jung wrote:

 
        - mpm_simple
 
 mpm_simple likely to get dropped for 2.4, see our main STATUS file
 

I hope to spend some time diving into mod_simple… I have some
uncommitted patches that I need to re-look at.