9 changed files with 24 additions and 45 deletions
--- a/1
+++ b/1
@ -141,7 +141,6 @@ required packages to run test harness ::
  perl-HTTP-Message
  perl-IO-HTML
  perl-LWP-MediaTypes
-  perl-Test-Harness
  perl-Tie-Function
  perl-TimeDate

--- a/src/ck.c
+++ b/src/ck.c
@ -270,11 +270,6 @@ ck_memeq_const_time (const void *a, const size_t alen, const void *b, const size
    /* rounds to next multiple of 64 to avoid potentially leaking exact
     * string lengths when subject to high precision timing attacks
     */
-    /* Note: implementation detail
-     * each string is expected to have a valid char one byte after len,
-     * i.e. a[alen] and b[blen], and which must match if the strings match.
-     * (In most use cases, this char is end of string '\0').
-     */
    /* Note: some libs provide similar funcs but might not obscure length, e.g.
     * OpenSSL:
     *   int CRYPTO_memcmp(const void * in_a, const void * in_b, size_t len)
--- a/src/fdlog.h
+++ b/src/fdlog.h
@ -5,12 +5,12 @@
 #include "base_decls.h"
 #include "buffer.h"

-struct fdlog_st {
+typedef struct fdlog_st {
    enum { FDLOG_FILE, FDLOG_FD, FDLOG_SYSLOG, FDLOG_PIPE } mode;
    int fd;
    buffer b;
    const char *fn;
-};
+} fdlog_st;

 __attribute_cold__
 __attribute_returns_nonnull__
--- a/src/h2.c
+++ b/src/h2.c
@ -1742,7 +1742,6 @@ h2_init_con (request_st * const restrict h2r, connection * const restrict con, c
    con->read_idle_ts = log_monotonic_secs;
    con->keep_alive_idle = h2r->conf.max_keep_alive_idle;

-    /*(h2r->h2_rwin must match value assigned in h2_init_stream())*/
    h2r->h2_rwin = 65535;                 /* h2 connection recv window */
    h2r->h2_swin = 65535;                 /* h2 connection send window */
    /* settings sent from peer */         /* initial values */
@ -2553,7 +2552,7 @@ h2_init_stream (request_st * const h2r, connection * const con)
    /* XXX: TODO: assign default priority, etc.
     *      Perhaps store stream id and priority in separate table */
    h2c->r[h2c->rused++] = r;
-    r->h2_rwin = 65535; /* must keep in sync with h2_init_con() */
+    r->h2_rwin = h2c->s_initial_window_size;
    r->h2_swin = h2c->s_initial_window_size;
    r->http_version = HTTP_VERSION_2;

--- a/src/mod_ajp13.c
+++ b/src/mod_ajp13.c
@ -845,21 +845,6 @@ ajp13_recv_parse (request_st * const r, struct http_response_opts_t * const opts
                    r->conf.stream_response_body &=
                      ~(FDEVENT_STREAM_RESPONSE|FDEVENT_STREAM_RESPONSE_BUFMIN);
                }
-              #if 0
-                else if ((r->conf.stream_response_body &
-                           (FDEVENT_STREAM_RESPONSE|FDEVENT_STREAM_RESPONSE_BUFMIN))
-                         && (   r->http_status == 204
-                             || r->http_status == 205
-                             || r->http_status == 304
-                             || r->http_method == HTTP_METHOD_HEAD)) {
-                    /* disable streaming to wait for backend protocol to signal
-                     * end of response (prevent http_response_write_prepare()
-                     * from short-circuiting and finishing responses without
-                     * response body) */
-                    r->conf.stream_response_body &=
-                      ~(FDEVENT_STREAM_RESPONSE|FDEVENT_STREAM_RESPONSE_BUFMIN);
-                }
-              #endif
            }
            else {
                log_error(errh, __FILE__, __LINE__,
--- a/src/mod_auth.c
+++ b/src/mod_auth.c
@ -63,7 +63,7 @@ http_auth_cache_entry_init (const struct http_auth_require_t * const require, co
     *(store pointer to http_auth_require_t, which is persistent
     * and will be different for each realm + permissions combo)*/
    http_auth_cache_entry * const ae =
-      malloc(sizeof(http_auth_cache_entry) + ulen + pwlen+1);
+      malloc(sizeof(http_auth_cache_entry) + ulen + pwlen);
    force_assert(ae);
    ae->require = require;
    ae->ctime = log_monotonic_secs;
@ -74,7 +74,6 @@ http_auth_cache_entry_init (const struct http_auth_require_t * const require, co
    ae->pwdigest = ae->username + ulen;
    memcpy(ae->username, username, ulen);
    memcpy(ae->pwdigest, pw, pwlen);
-    ae->pwdigest[pwlen] = '\0';
    return ae;
 }

--- a/src/mod_extforward.c
+++ b/src/mod_extforward.c
@ -43,13 +43,28 @@
 *       config. However "all" has effect only on connecting IP, as the
 *       X-Forwarded-For header can not be trusted.
 *
- * Note: The effect of this module is variable on $HTTP["remoteip"] directives and
+ * Note: The effect of this module is variable on $HTTP["remotip"] directives and
 *       other module's remote ip dependent actions.
 *  Things done by modules before we change the remoteip or after we reset it will match on the proxy's IP.
 *  Things done in between these two moments will match on the real client's IP.
 *  The moment things are done by a module depends on in which hook it does things and within the same hook
 *  on whether they are before/after us in the module loading order
 *  (order in the server.modules directive in the config file).
+ *
+ * Tested behaviours:
+ *
+ *  mod_access: Will match on the real client.
+ *
+ *  mod_accesslog:
+ *   In order to see the "real" ip address in access log ,
+ *   you'll have to load mod_extforward after mod_accesslog.
+ *   like this:
+ *
+ *    server.modules  = (
+ *       .....
+ *       mod_accesslog,
+ *       mod_extforward
+ *    )
 */


@ -1203,6 +1218,7 @@ int mod_extforward_plugin_init(plugin *p) {
 	p->handle_connection_accept = mod_extforward_handle_con_accept;
 	p->handle_uri_raw = mod_extforward_uri_handler;
 	p->handle_request_env = mod_extforward_handle_request_env;
+	p->handle_request_done = mod_extforward_restore;
 	p->handle_request_reset = mod_extforward_restore;
 	p->handle_connection_close = mod_extforward_handle_con_close;
 	p->set_defaults  = mod_extforward_set_defaults;
--- a/src/mod_fastcgi.c
+++ b/src/mod_fastcgi.c
@ -452,21 +452,6 @@ static handler_t fcgi_recv_parse(request_st * const r, struct http_response_opts
 					r->conf.stream_response_body &=
 					  ~(FDEVENT_STREAM_RESPONSE|FDEVENT_STREAM_RESPONSE_BUFMIN);
 				}
-			  #if 0
-				else if ((r->conf.stream_response_body &
-				           (FDEVENT_STREAM_RESPONSE|FDEVENT_STREAM_RESPONSE_BUFMIN))
-				         && (   r->http_status == 204
-				             || r->http_status == 205
-				             || r->http_status == 304
-				             || r->http_method == HTTP_METHOD_HEAD)) {
-					/* disable streaming to wait for backend protocol to signal
-					 * end of response (prevent http_response_write_prepare()
-					 * from short-circuiting and finishing responses without
-					 * response body) */
-					r->conf.stream_response_body &=
-					  ~(FDEVENT_STREAM_RESPONSE|FDEVENT_STREAM_RESPONSE_BUFMIN);
-				}
-			  #endif
 			} else if (hctx->send_content_body) {
 				if (0 != mod_fastcgi_transfer_cqlen(r, hctx->rb, packet.len - packet.padding)) {
 					/* error writing to tempfile;
--- a/src/mod_webdav.c
+++ b/src/mod_webdav.c
@ -4014,8 +4014,9 @@ mod_webdav_propfind (request_st * const r, const plugin_config * const pconf)
        http_status_set_error(r, 403);
        return HANDLER_FINISHED;
    }
-    else {
-        pb.depth = 0;
+    else if (0 != pb.depth) {
+        http_status_set_error(r, 403);
+        return HANDLER_FINISHED;
    }

    pb.proplist.ptr  = NULL;