Re: mod_dav_fs locking / Re: apr_dbm and concurrency
On Thu, Nov 23, 2023 at 05:36:06PM +, Joe Orton wrote: > 3) in the mean time I worked up a PR for mod_dav_fs which adds a global > mutex around the dbm lockdb use. This passes my stress tests for the > first time. How concurent is the stress test? In the past, I have been badly hurt by a few WebDAV clients proactively exploring the filesystem using locksdiscovery. That compeltely killed the service. I introduced the DavLockDiscovery directive to work it around. -- Emmanuel Dreyfus m...@netbsd.org
Re: Please support/enable https by default in the Apache web sever.
On Sat, Sep 30, 2023 at 07:40:34PM +0530, General Email wrote: > By the way, I don't understand how the default certificate can be abused. It is not signed by a trusted CA, hence your browser cannot tell if it is speaking to your legitimate web server, or to some malware lurking in between. Perhaps your web trafic is not worth being evesdropped, but consider a malware could inject an exploit against your browser in your web trafic. The attacker could just be an infected machine on the same LAN. The security level of an untrusted ceritificate is not much better than plain text HTTP. -- Emmanuel Dreyfus m...@netbsd.org
Re: [VOTE] Switch read/write repository from Subversion to Git
On Thu, May 04, 2023 at 10:34:32AM +0200, Ruediger Pluem wrote: > [ ]: Move the read/write repository from Subversion to Git and leverage the > features of Github (for now Actions and PR). > [ ]: Move the read/write repository from Subversion to Git, but I don't want > to work with Github and I will only work with > what gitbox.apache.org offers. > [X]: Leave everything as is. -- Emmanuel Dreyfus m...@netbsd.org
Re: Why is my merge_dir_config not called
On Wed, Mar 01, 2023 at 05:29:28AM -0500, Eric Covener wrote: > Does your config have directives from dav_fs in two overlapping sections? Like this, you mean? DavQuota DavQuota None DavQuota 222 -- Emmanuel Dreyfus m...@netbsd.org
Why is my merge_dir_config not called
Hello I am trying to add a per-directory confioguration directive to mod_dav_fs, but the merge_dir_config() calback is never called, and I always get the value from create_dir_config() when accessing the per-directory configuration. The directive is defined with ACCESS_CONF|RSRC_CONF but I am not sure that matters here, since merge_dir_config() should handle all directives and it is not called at all. What is the trick? I have spent a lot of time with printfs in server/config.c with no success so far. -- Emmanuel Dreyfus m...@netbsd.org
Re: svn commit: r1907608 - in /httpd/httpd/trunk: CMakeLists.txt modules/dav/main/NWGNUmakefile modules/dav/main/config5.m4 modules/dav/main/mod_dav.c modules/dav/main/mod_dav.dsp modules/dav/main/mod
> > +static const char *mswdv_urlencode(request_rec *r, const char *str) (...) > Any reason why we cannot use an existing function like > ap_escape_path_segment here? MS-WDV section 2.2.3 quoted below says it needs to be percent-encoded as in RFC3986 section 2.1. How to do it with existing function was not obvious to me. Would you whare an example? > An Error-string is a percentage-encoded UTF-8 string, as specified > in [RFC3986] section 2.1, that gives additional explanatory text > about the cause of the error. This string is not significant to > protocol operation and is intended only for display and logging > purposes. -- Emmanuel Dreyfus m...@netbsd.org
Re: MS-WDV and other MS extensions
On Fri, Feb 10, 2023 at 04:15:16PM +0100, Ruediger Pluem wrote: > > Do you suggests adding values to Options, or to create a DAVoptions > > directive? > > I think DAVMSextis fine, but with an Options like syntax. Hence for now this? DAVMSext +WDV -- Emmanuel Dreyfus m...@netbsd.org
Re: MS-WDV and other MS extensions
On Fri, Feb 10, 2023 at 09:53:47AM -0500, Eric Covener wrote: > I like the third case with an all/on option. If it will need to be > per-directory, maybe an Options like syntax would make sense? Do you suggests adding values to Options, or to create a DAVoptions directive? -- Emmanuel Dreyfus m...@netbsd.org
MS-WDV and other MS extensions
Hello I am ready to commit MS-WDV support for mod_dav. There are many other MS extensions, and I just wonder if we should prepare to configure MS extensions one by one or as a whole I mean, what directive makes more sense in httpd.conf? DAVMSext on (and if we add new MS extensions, this enables all of them) DAVMSWDV on (and if we implement MS-FOO, we will add DAVMSFOO directive) DAVMSext WDV (if we implemnt MS-FOO, it could become DAVMSext WDV FOO) We can also use the first cas, and turn it into the third case later, with "on" being a shortcut for all implemented MS extensions. Thoughts? -- Emmanuel Dreyfus m...@netbsd.org
Re: stable branch
On Mon, Jan 09, 2023 at 09:37:37AM -0500, Eric Covener wrote: > svn relocate http://svn.apache.org https://svn.apache.org That did it! I made the commit, but someone knowledgable should probably check I did not break something -- Emmanuel Dreyfus m...@netbsd.org
Re: stable branch
On Mon, Jan 09, 2023 at 08:05:30AM -0500, Eric Covener wrote: > Yes. Most times, the person who proposed it does the final backport. > Sometimes, the last person to vote or someone preparing a release will > apply it. Um, sorry for the noob questions, but I ma stick with svn: E195023: Commit failed (details follow): svn: E195023: Changing directory '/scratch/httpd-trunk/httpd/branches/2.4.x' is forbidden by the server svn: E175013: Access to '/repos/asf/!svn/me' forbidden I do svn commit --username manu --password *** What am I doing wrong? -- Emmanuel Dreyfus m...@netbsd.org
stable branch
Hello I see in httpd/branches/2.4.x/STATUS that my DAVlockDiscovery contribution now has three +1 including mine. May I commit the change to the branch? *) mod_dav: DAVlockDiscovery option to disable WebDAV lock discovery This is a game changer for performances if client use PROPFIND a lot, trunk patch: http://svn.apache.org/r1904638 http://svn.apache.org/r1904662 http://svn.apache.org/r1905170 http://svn.apache.org/r1905206 http://svn.apache.org/r1905230 2.4.x patch: svn merge -c 1904638,1904662,1905170,1905206,1905230 ^/httpd/h ttpd/trunk . +1: manu, covener, gbechis covener: xml needs doc tweak after backport -- Emmanuel Dreyfus m...@netbsd.org
Re: MS-WDV (was Re: Help with buckets)
On Fri, Dec 02, 2022 at 03:17:05PM +, Joe Orton wrote: > I think this might need to do something more complex, maybe running the > PROPFIND in a subrequest properly and capturing (buffering) the output > in a custom filter, rather than using the mod_dav internal API directly. > Have you tried using ap_sub_req_method_uri()? Not sure this has been > tried before with mod_dav so might well be something I'm missing. I did it the way you suggested. The patch gets huge, I just send the reelvant bits. Does it looks good to you? In register_hooks() I have ap_register_output_filter("DAV_MSEXT_OUT", dav_msext_output, NULL, AP_FTYPE_RESOURCE); Then: static apr_status_t dav_msext_output(ap_filter_t *f, apr_bucket_brigade *bb) { apr_bucket_brigade *bbsub = f->ctx; apr_bucket *b; b = APR_BRIGADE_FIRST(bb); while (b != APR_BRIGADE_SENTINEL(bb)) { apr_bucket *nb; if (APR_BUCKET_IS_EOS(b)) break; nb = APR_BUCKET_NEXT(b); APR_BUCKET_REMOVE(b); APR_BRIGADE_INSERT_TAIL(bbsub, b); b = nb; } return ap_pass_brigade(f->next, bb); } static void dav_msdavext_combined_propfind(request_rec *r) { apr_bucket_brigade *bbsub; apr_bucket_brigade *bb; ap_filter_t *f; apr_bucket *b; request_rec *rr = NULL; apr_off_t length; bbsub = apr_brigade_create(r->pool, r->output_filters->c->bucket_alloc); rr = ap_sub_req_method_uri("PROPFIND", r->uri, r, r->output_filters); if (!rr || rr->status != HTTP_OK) goto out; f = ap_add_output_filter("DAV_MSEXT_OUT", bbsub, rr, rr->connection); if (!f) goto out; if (ap_run_sub_req(rr) != OK) goto out; ap_remove_output_filter(f); if (apr_brigade_length(bbsub, 1, ) != APR_SUCCESS) goto out; bb = apr_brigade_create(r->pool,r->output_filters->c->bucket_alloc); apr_brigade_printf(bb, NULL, NULL, "%016" APR_UINT64_T_HEX_FMT, length); APR_BRIGADE_CONCAT(bb, bbsub); ap_destroy_sub_req(rr); rr = NULL; rr = ap_sub_req_lookup_uri(r->uri, r, r->output_filters); if (!rr || rr->status != HTTP_OK || rr->filename == NULL || rr->finfo.filetype != APR_REG) goto out; apr_brigade_printf(bb, NULL, NULL, "%016" APR_UINT64_T_HEX_FMT, rr->finfo.size); ap_set_content_type(r, "multipart/MSDAVEXTPrefixEncoded"); ap_pass_brigade(r->output_filters, bb); /* plain GET rocessing happens afterward */ out: if (rr) ap_destroy_sub_req(rr); return; } -- Emmanuel Dreyfus m...@netbsd.org
Re: MS-WDV (was Re: Help with buckets)
On Fri, Dec 02, 2022 at 03:17:05PM +, Joe Orton wrote: > I think this might need to do something more complex, maybe running the > PROPFIND in a subrequest properly and capturing (buffering) the output > in a custom filter, rather than using the mod_dav internal API directly. > Have you tried using ap_sub_req_method_uri()? Not sure this has been > tried before with mod_dav so might well be something I'm missing. I can try that, but whatever the method is, we need to produce the propfind data before sending its size. I see two unsatisfying alternatives: 1) produce propfind data in a buffer, output the size, then the buffer 2) produce propfind data, discarding it as it comes but coutning its size, then output the size, and produce the propfind data a second time. First approach wastes memory, second approach wastes CPU. And second approach needs a mechanism to ensure propfind data does not change between the two times it is produced. I am not sure that can be guaranteed. -- Emmanuel Dreyfus m...@netbsd.org
MS-WDV (was Re: Help with buckets)
Hello I made some progress with the combined GET+PROPFIND specified by MS-WDV (for a summary, see https://lists.apache.org/thread/57s1vvl6k9qpdv5ym7mtcl29bd933w7k ) Attached is the diff against trunk, form comments. -- Emmanuel Dreyfus m...@netbsd.org Index: dav/main/mod_dav.c === --- dav/main/mod_dav.c (revision 1905652) +++ dav/main/mod_dav.c (working copy) @@ -84,7 +84,7 @@ int locktimeout; int allow_depthinfinity; int allow_lockdiscovery; - +int enable_msext; } dav_dir_conf; /* per-server configuration */ @@ -206,6 +206,8 @@ allow_depthinfinity); newconf->allow_lockdiscovery = DAV_INHERIT_VALUE(parent, child, allow_lockdiscovery); +newconf->enable_msext = DAV_INHERIT_VALUE(parent, child, + enable_msext); return newconf; } @@ -319,6 +321,20 @@ } /* + * Command handler for the DAVmsExt directive, which is FLAG. + */ +static const char *dav_cmd_davmsext(cmd_parms *cmd, void *config, int arg) +{ +dav_dir_conf *conf = (dav_dir_conf *)config; + +if (arg) +conf->enable_msext = DAV_ENABLED_ON; +else +conf->enable_msext = DAV_ENABLED_OFF; +return NULL; +} + +/* * Command handler for DAVMinTimeout directive, which is TAKE1 */ static const char *dav_cmd_davmintimeout(cmd_parms *cmd, void *config, @@ -558,10 +574,17 @@ DAV_DECLARE(apr_status_t) dav_finish_multistatus(request_rec *r, apr_bucket_brigade *bb) { +ap_fputs(r->output_filters, bb, "" DEBUG_CR); + +return OK; +} + + +/* Send the response to the first filter */ +static apr_status_t dav_pass_brigade(request_rec *r, apr_bucket_brigade *bb) +{ apr_bucket *b; -ap_fputs(r->output_filters, bb, "" DEBUG_CR); - /* indicate the end of the response body */ b = apr_bucket_eos_create(r->connection->bucket_alloc); APR_BRIGADE_INSERT_TAIL(bb, b); @@ -590,6 +613,7 @@ apr_pool_destroy(subpool); dav_finish_multistatus(r, bb); +dav_pass_brigade(r, bb); } /* @@ -1691,6 +1715,7 @@ /* handle the OPTIONS method */ static int dav_method_options(request_rec *r) { +dav_dir_conf *conf; const dav_hooks_locks *locks_hooks = DAV_GET_HOOKS_LOCKS(r); const dav_hooks_vsn *vsn_hooks = DAV_GET_HOOKS_VSN(r); const dav_hooks_binding *binding_hooks = DAV_GET_HOOKS_BINDING(r); @@ -1801,6 +1826,11 @@ /* this tells MSFT products to skip looking for FrontPage extensions */ apr_table_setn(r->headers_out, "MS-Author-Via", "DAV"); +/* MS-WDV extensions */ +conf = ap_get_module_config(r->per_dir_config, _module); +if (conf && conf->enable_msext == DAV_ENABLED_ON) + apr_table_setn(r->headers_out, "X-MSDAVEXT", "1"); + /* * Determine which methods are allowed on the resource. * Three cases: resource is null (3), is lock-null (7.4), or exists. @@ -2146,7 +2176,7 @@ } /* handle the PROPFIND method */ -static int dav_method_propfind(request_rec *r) +static int dav_method_propfind(request_rec *r, apr_bucket_brigade *bb) { dav_resource *resource; int depth; @@ -2237,7 +2267,10 @@ ctx.doc = doc; ctx.r = r; -ctx.bb = apr_brigade_create(r->pool, r->connection->bucket_alloc); +if (bb) +ctx.bb = bb; +else +ctx.bb = apr_brigade_create(r->pool, r->connection->bucket_alloc); apr_pool_create(, r->pool); apr_pool_tag(ctx.scratchpool, "mod_dav-scratch"); @@ -2288,6 +2321,8 @@ } dav_finish_multistatus(r, ctx.bb); +if (!bb) +dav_pass_brigade(r, ctx.bb); /* the response has been sent. */ return DONE; @@ -4965,12 +5000,70 @@ return dav_created(r, lookup.rnew->unparsed_uri, "Binding", 0); } +static void dav_msdavext_combined(request_rec *r) +{ +dav_dir_conf *conf; +const char *msdavext_hdr; +apr_bucket_brigade *bb; +apr_bucket *b; +request_rec *rr = NULL; +apr_off_t length; +char buf[16+1]; /* +1 for trailing \0 */ +if (r->main) +goto out; + +if (r->method_number != M_GET && r->method_number != M_POST) +goto out; + +conf = ap_get_module_config(r->per_dir_config, _module); +if (conf->enable_msext != DAV_ENABLED_ON) +goto out; + +msdavext_hdr = apr_table_get(r->headers_in, "X-MSDAVEXT"); +if (msdavext_hdr == NULL || strcmp(msdavext_hdr, "PROPFIND") !=0) +goto out; + +bb = apr_brigade_create(r->pool,r->output_filters->c->bucket_alloc); +if (dav_method_propfind(r, bb) != DONE) +goto out; + +if (apr_brigade_length(bb, 1, ) != APR_SUCCESS) +
Re: svn commit: r1905170 - /httpd/httpd/trunk/modules/dav/main/mod_dav.c
On Wed, Nov 16, 2022 at 08:05:43AM +0100, Ruediger Pluem wrote: > If you want to backport a patch to the 2.4.x branch just add your proposal to > the STATUS file This way? Index: STATUS === --- STATUS (revision 1905352) +++ STATUS (working copy) @@ -282,7 +282,25 @@ make it nonblocking (by default)? jim: Non-blocking seems the best way to handle... + *) mod_dav: Open the lock database read-only when possible + trunk patch: http://svn.apache.org/r1905229 + 2.4.x patch: trunk works + +1: manu + + *) mod_dav: DAVlockDiscovery option to disable WebDAV lock discovery + + trunk patch: http://svn.apache.org/r1904638 + trunk patch: http://svn.apache.org/r1904662 + trunk patch: http://svn.apache.org/r1905170 + trunk patch: http://svn.apache.org/r1905206 + trunk patch: http://svn.apache.org/r1905230 + trunk patch: http://svn.apache.org/r1905327 + 2.4.x patch: trunk works, except for + docs/manual/mod/mod_dav_fs.html.en.utf8 on trunk that is + docs/manual/mod/mod_dav_fs.html.en on 2.4.x branch + +1: manu + PATCHES/ISSUES THAT ARE STALLED *) core: avoid duplicate headers when using ap_send_error_response. -- Emmanuel Dreyfus m...@netbsd.org
Re: svn commit: r1905170 - /httpd/httpd/trunk/modules/dav/main/mod_dav.c
On Fri, Nov 11, 2022 at 02:12:09AM +, Emmanuel Dreyfus wrote: > I will let someone review xml changes in r1905230 before committing > the html files. I committed the html files. What is the procedure for pushing changes to the 2.4 branch? I have the following changes for DAVLockDiscovery: r1905327 r1905230 r1905229 r1905206 r1905170 r1904662 r1904638 -- Emmanuel Dreyfus m...@netbsd.org
Re: svn commit: r1905170 - /httpd/httpd/trunk/modules/dav/main/mod_dav.c
On Wed, Nov 09, 2022 at 08:19:47AM +0100, Ruediger Pluem wrote: > Typically the change to the xml file and the updated html files are committed > separately e.g. look at I will let someone review xml changes in r1905230 before committing the html files. -- Emmanuel Dreyfus m...@netbsd.org
Re: svn commit: r1905170 - /httpd/httpd/trunk/modules/dav/main/mod_dav.c
On Wed, Nov 09, 2022 at 08:19:47AM +0100, Ruediger Pluem wrote: > Better do not set it here, but leave it to 0 aka DAV_ENABLED_UNSET. > This makes it possible to use DAV_INHERIT_VALUE in dav_merge_dir_config > The corresponding code for dav_merge_dir_config is missing in this this patch. It was committed before: newconf->allow_lockdiscovery = DAV_INHERIT_VALUE(parent, child, allow_lockdiscovery); The chnage below this seems to be enough to do the job. allow_lockdiscovery is only checked against DAV_ENABLED_OFF, hence DAV_ENABLED_UNSET and DAV_ENABLED_ON have the same effect, which is what is desired for backward compatibility sake. Index: modules/dav/main/mod_dav.c === --- modules/dav/main/mod_dav.c (revision 1905191) +++ modules/dav/main/mod_dav.c (working copy) @@ -160,7 +160,7 @@ conf = (dav_dir_conf *)apr_pcalloc(p, sizeof(*conf)); -conf->allow_lockdiscovery = DAV_ENABLED_ON; +conf->allow_lockdiscovery = DAV_ENABLED_UNSET; /* clean up the directory to remove any trailing slash */ if (dir != NULL) { -- Emmanuel Dreyfus m...@netbsd.org
Re: svn commit: r1905170 - /httpd/httpd/trunk/modules/dav/main/mod_dav.c
On Wed, Nov 09, 2022 at 08:19:47AM +0100, Ruediger Pluem wrote: > Would you provide some documentation for the new directive Yes, this is pending. -- Emmanuel Dreyfus m...@netbsd.org
Re: New committer: Emmanuel Dreyfus
On Tue, Nov 08, 2022 at 01:05:28PM +0100, Yann Ylavic wrote: > Welcome Emmanuel, glad to have you on the team! Thank you everybody for the grretings. I made my first commit in r1905170, I hope it is fine. -- Emmanuel Dreyfus m...@netbsd.org
Re: svn commit: r1904638 - in /httpd/httpd/trunk: changes-entries/DAVLockDiscovery.txt modules/dav/main/mod_dav.c modules/dav/main/mod_dav.h modules/dav/main/props.c
On Thu, Oct 27, 2022 at 01:58:58AM -0500, Greg Stein wrote: > With that said, I'm not a fan of [DAV or svn] locks. Anything that can be > done to avoid a workflow that encompasses locks would be ideal. For DAV filesystem, we cannot spare locks when clients use LOCK/UNLOCK methods. Lock discovery by PROPFIND is another story, I cannot see a use case for that. If you want to see less locks, then you must be great fan of my DAVLockDiscovery contribution, especially now it has been updated as a flag directive. Any chance we get it into 2.4 branch? -- Emmanuel Dreyfus m...@netbsd.org
Re: svn commit: r1904638 - in /httpd/httpd/trunk: changes-entries/DAVLockDiscovery.txt modules/dav/main/mod_dav.c modules/dav/main/mod_dav.h modules/dav/main/props.c
On Tue, Oct 18, 2022 at 05:03:48PM +, Emmanuel Dreyfus wrote: > dbm is fast once you have it open. mod_dav_fs opens DAVLockDB on each > HTTP request, then it acquire a filesystem level lock on it. This is > where contenton occurs. I have been thinking about how Apache could open DAVLockDB once, instead of for each HTTP request. The workers should share a file descriptor on the file, and a mutex to avoid concurent access. That does not fit well with the prefork model. Opending DAVLockDB and creating the mutex (a sysV mutex?) should be done in the master process. Should it be done when processing the configuration directive? We would also need to take care of closing the previous file descriptor on reloads. -- Emmanuel Dreyfus m...@netbsd.org
Re: svn commit: r1904638 - in /httpd/httpd/trunk: changes-entries/DAVLockDiscovery.txt modules/dav/main/mod_dav.c modules/dav/main/mod_dav.h modules/dav/main/props.c
On Mon, Oct 17, 2022 at 12:04:55PM +0200, Ruediger Pluem wrote: > Why do we need to use an Apache expression here? Wouldn't it be sufficient to > have > DAVLockDiscovery as a flag (On/Off) I posted a patch for that change, along with documentation, on https://bz.apache.org/bugzilla/show_bug.cgi?id=66313 Is it fine for you? -- Emmanuel Dreyfus m...@netbsd.org
Re: svn commit: r1904638 - in /httpd/httpd/trunk: changes-entries/DAVLockDiscovery.txt modules/dav/main/mod_dav.c modules/dav/main/mod_dav.h modules/dav/main/props.c
On Mon, Oct 17, 2022 at 12:04:55PM +0200, Ruediger Pluem wrote: > Why do we need to use an Apache expression here? Wouldn't it be sufficient to > have > DAVLockDiscovery as a flag (On/Off) with default to On that can be placed in > an > block if expressions are needed? Yes, that would be fine too. I was too focused on a specific client's client behavior that expr on User-Agent and remote IP seemed critical to me, but indeed acheive the same result. -- Emmanuel Dreyfus m...@netbsd.org
Re: svn commit: r1904638 - in /httpd/httpd/trunk: changes-entries/DAVLockDiscovery.txt modules/dav/main/mod_dav.c modules/dav/main/mod_dav.h modules/dav/main/props.c
On Mon, Oct 17, 2022 at 05:38:37AM -0500, Greg Stein wrote: > Did you run any tests to observe the alleged contention? I was the victim of it, with a server showing processes awaiting for fcntl() to give a lock on DAVLockDB, and users complaining anything takes ages. > The dbm database is very fast. I'd be surprised that contention occurs in > any typical workload. dbm is fast once you have it open. mod_dav_fs opens DAVLockDB on each HTTP request, then it acquire a filesystem level lock on it. This is where contenton occurs. -- Emmanuel Dreyfus m...@netbsd.org
mod_dav_fs performances
Hello I have been badly hit by a performance problem in mod_dav_fs. After a few users updated to (RaiDrive/2022.6.56.0), all users reported terrible performance, with files taking age to open. Investigating the problem, we discovered lock contention of the DavLockDB file. Too many clients looking up locks, too often. A log analysis show that RaiDrive/2022.6.56.0 does much more PROPFIND than other clients. PROPFIND involves lock discovery, and lock discovery needs serialized access to DavLockDB. I submitted a proposed fix in https://bz.apache.org/bugzilla/show_bug.cgi?id=66313 I This introduces a DAVLockDiscovery option to optionaly disable lock discovery. It uses an apache expession so that the thing can be fine tuned, e.g. disabling it for specific UserAgent that exhibit an abusive behavior. When lock discovery is disabled, PROPFIND just returns an empty lock discovery section. I have been testing disabling lock discovery for a week, it works well. Performances are good again, and no regression appeared. -- Emmanuel Dreyfus m...@netbsd.org
DAV lock database management tool
Hello mod_dav_fs is a nice solution to provide file sharing, but I have found the management of stale mod_dav_fs locks a pain to handle. If an application crashes holding a lock, one have to await for lock timeout before touchign the file again. Perhaps there is a smart solution to this, but since I did not find it, I made this tool to manage the lock database: https://ftp.espci.fr/pub/htdavlock/htdavlock-0.2.tar.gzc It is able to dump the mod_dav_fs lock database content, and with appropriate Apache configuration (see README), it can remove locks. I provide it for whoever is interested. Feedback are welcome. -- Emmanuel Dreyfus m...@netbsd.org
Cookies and sessions bugfixes
Hello I few months ago, I submitted a few bug fixes, and they got coompletely ignored. Is there some step I missed in in the patch submisssion process? It would be nice is eomone coule have a look at it: 1) Add Expires parameters in Apache-issued cookies https://bz.apache.org/bugzilla/show_bug.cgi?id=60908 Apache issued cookies set the Max-Age parameter, but this is ignored by MSIE and MS Edge, which only consider the Expires parameter. The patch makes sur both are included 2) Do not send Set-Cookie header twice https://bz.apache.org/bugzilla/show_bug.cgi?id=60910 Apache sends the Set-Cookie header twice for successful requests. The patch makes sure it exists only once. 3) Do not save expiry in empty session https://bz.apache.org/bugzilla/show_bug.cgi?id=60909 When a session is empty, do not save a add lone expiry key. And that one seems to be obsolete because someone else did the same work and got it committed in tree: https://bz.apache.org/bugzilla/show_bug.cgi?id=60708 -- Emmanuel Dreyfus m...@netbsd.org
Discard a brigade from filter
Hello Is there a way to completely discard a brigade in an input filter, and not pass it through filter chain? Removing all buckets cause an empty brigade to be sent to next filter and that causes trouble. I found a case where another filter in the chain considers an empty brigade to be end of request, and hence miss the next brigades. -- Emmanuel Dreyfus http://hcpnet.free.fr/pubz m...@netbsd.org
Re: [PATCH] MS Office webDAV interoperability, MS-OFBA support
Hello This contribution has not met an enthousiast reaction. No comment, anyone? On Wed, Mar 29, 2017 at 01:05:48PM +, Emmanuel Dreyfus wrote: > Hello > > If you tried to use mod_dav_fs with recent MS Office on Windows, > you probably had the unpleaseant experience of being prompted for > authentication on every time an MS Office program is started. This > is because it has its own WebDAV client and it does not use the > Windows network drive. > > There are various workarounds [1], one of them being to implement > MS-OFBA [2] which stands for Office Forms Based Authentication. It > works this way: > > - An OFBA-capable client sends an unauthenticated OPTIONS request. > OFBA capability is advertised either by a specific HTTP header, or > through a list of specified User-Agent strings. > > - The serveur replies with HTTP status 403 FORBIDDEN with OFBA-specific > headers pointing to a form where authentication should happen > > - The client invokes MS Internet Explorer or Edge and display the form. > Once authentication is done, it obtains a session cookie which is shared > among all OFBA capable clients, until it expires. > > - MS Office now access the WebDAV share using the session cookie, and it > does not prompt for authentication anymore. > > I crafted a patch that implements MS-OFBA in mod_auth_form [3]. It > depends on 4 previously filed changes [4, 5, 6, 7]. I have not yet > filled a bug report in bugzilla for the mod_auth_form.c [3] patch > because it probably needs to be improved a bit. > > Here is the problem: if OFBA is enabled and mod_auth_form detected > an unauthenticated OFBA-capable client, it must reply with an HTTP > status 403, with OFBA headers. For now I do that by registering an > output filter so that I can regain control after authentication > and detect that the client was not authenticated. Is there a better > suited hook for that? > > Any other comment on the patches? An Apache WebDAV server playing > better with MS Office would be a great benefit, hence I hope this > will get some interest. > > > [1] > https://support.microsoft.com/en-us/help/2019105/authentication-requests-when-you-open-office-documents > [2] https://msdn.microsoft.com/en-us/library/office/cc313069(v=office.12).aspx > [3] https://ftp.espci.fr/shadow/manu/patch20170329-modules_aaa_mod_auth_form.c > [4] https://bz.apache.org/bugzilla/show_bug.cgi?id=60908 > [5] https://bz.apache.org/bugzilla/show_bug.cgi?id=60909 > [6] https://bz.apache.org/bugzilla/show_bug.cgi?id=60708 > [7] https://bz.apache.org/bugzilla/show_bug.cgi?id=60910 > > -- > Emmanuel Dreyfus > m...@netbsd.org -- Emmanuel Dreyfus m...@netbsd.org
[PATCH] MS Office webDAV interoperability, MS-OFBA support
Hello If you tried to use mod_dav_fs with recent MS Office on Windows, you probably had the unpleaseant experience of being prompted for authentication on every time an MS Office program is started. This is because it has its own WebDAV client and it does not use the Windows network drive. There are various workarounds [1], one of them being to implement MS-OFBA [2] which stands for Office Forms Based Authentication. It works this way: - An OFBA-capable client sends an unauthenticated OPTIONS request. OFBA capability is advertised either by a specific HTTP header, or through a list of specified User-Agent strings. - The serveur replies with HTTP status 403 FORBIDDEN with OFBA-specific headers pointing to a form where authentication should happen - The client invokes MS Internet Explorer or Edge and display the form. Once authentication is done, it obtains a session cookie which is shared among all OFBA capable clients, until it expires. - MS Office now access the WebDAV share using the session cookie, and it does not prompt for authentication anymore. I crafted a patch that implements MS-OFBA in mod_auth_form [3]. It depends on 4 previously filed changes [4, 5, 6, 7]. I have not yet filled a bug report in bugzilla for the mod_auth_form.c [3] patch because it probably needs to be improved a bit. Here is the problem: if OFBA is enabled and mod_auth_form detected an unauthenticated OFBA-capable client, it must reply with an HTTP status 403, with OFBA headers. For now I do that by registering an output filter so that I can regain control after authentication and detect that the client was not authenticated. Is there a better suited hook for that? Any other comment on the patches? An Apache WebDAV server playing better with MS Office would be a great benefit, hence I hope this will get some interest. [1] https://support.microsoft.com/en-us/help/2019105/authentication-requests-when-you-open-office-documents [2] https://msdn.microsoft.com/en-us/library/office/cc313069(v=office.12).aspx [3] https://ftp.espci.fr/shadow/manu/patch20170329-modules_aaa_mod_auth_form.c [4] https://bz.apache.org/bugzilla/show_bug.cgi?id=60908 [5] https://bz.apache.org/bugzilla/show_bug.cgi?id=60909 [6] https://bz.apache.org/bugzilla/show_bug.cgi?id=60708 [7] https://bz.apache.org/bugzilla/show_bug.cgi?id=60910 -- Emmanuel Dreyfus m...@netbsd.org
Session support for mod_auth_basic [PATCH 60708]
Hello I posted this patch that brings mod_session support for mod_auth_basic in trunk and 2.4.x https://bz.apache.org/bugzilla/show_bug.cgi?id=60708 Any comment on it? The motivation was to reduce the latency of Webdav operation from Windows: using just HTTP basic authentication, each request is first done without credentials, hits a HTTP 401 and then succeeds with credentials. With the help of a session, all requests after initial HTTP basic authentication have a session cookie and can succeed on first attempt, saving one HTTP request/response. -- Emmanuel Dreyfus http://hcpnet.free.fr/pubz m...@netbsd.org