u4b: Sync usb_msctest.[ch] with FreeBSD
Most changes are auto quirk detection and application. However, the
previous commit disabled such auto quirks, so this commit should have no
functional change.
u4b: Make autoquirk code optional and opt out
As the FreeBSD described:
> There are significant problems with the current autoquirk code. This
> results in quite a bit of bogus over-quirking.
> ...
> For all these reasons, I'm turning this off and will likely remove it
> entirely in the future once the alternative SYNC CACHE code has
> provent itself.
Actually, this fixes the USB stick probing timeout error in a USB 3.0
port on my HPE MicroServer Gen10. That timeout error happened during
the boot and would drop the system to the 'mountroot>' prompt:
```
CAM: Configuring bus: ahci0
CAM: Configuring bus: ahci0
CAM: Configuring bus: ahci0
CAM: Configuring bus: ahci0
[56 lines not shown]
[SLP] Enable full non-power-of-2 vectorization by default
Default slp-vectorize-non-power-of-2 to true and broaden the set of
supported widths beyond NumElts + 1 == bit_ceil(NumElts) to include
small widths (<= 5), widths where NumElts - 1 is also non-power of two
(e.g. 6, 7, 10..15), and any width when the elements being vectorized
are themselves vectors (REVEC). Tweak gathered loads, stores, and
reduction support to the non-power-of-2 vector factors.
Reviewers: hiraditya, bababuck, RKSimon
Pull Request: https://github.com/llvm/llvm-project/pull/196825
usr.sbin/httpd: add cache controls for static files
Teach httpd to advertise static file revalidation by default with
Cache-Control: no-cache, preserving the existing Last-Modified and
If-Modified-Since flow; add a [no] static-cache-control directive for
opting out, and advertise Vary: Accept-Encoding whenever gzip-static is
enabled.
OK: claudio@
Add new-pane command, currently this is equivalent to split-window but
it will have minor differences for floating panes in future. Also add
-R/-s/-S/-k/-m flags to control border and style and behaviour, like
popups. GitHub issue 5027 from Dane Jensen.
ipfw: treat ipv6 address with zero mask as 'any'
Make the behaviour similar for both IPv4 and IPv6. Also add
the corresponding tests.
PR: 294733
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D56618
miniflux: update to 2.3.0.
Security
Only discoverable WebAuthn credentials (resident keys / passkeys) are supported for login.
Non-resident credentials can no longer be used for first-factor authentication to prevent username enumeration before password verification. They are intended for post-password MFA flows, which Miniflux does not currently support.
Persist WebAuthn backup eligibility/state and validated credential state after login.
Require POST requests for logout, feed refresh, and OAuth2 unlink actions.
Apply CSRF protection to all non-safe HTTP methods.
Add http.CrossOriginProtection middleware for the web UI.
Validate redirect URL schemes in HTMLRedirect to prevent unsafe redirects.
Restore URL scheme validation in templates for untrusted feed URLs.
Sanitize filenames in Content-Disposition headers to prevent header injection.
Reject empty OAuth2 state parameters when no authentication flow is in progress.
Allow configured private proxies while still enforcing private-network restrictions for direct requests and redirects.
Validate URI schemes case-insensitively according to RFC 3986.
Pin third-party GitHub Actions to immutable commit SHAs to reduce supply-chain risks.
Cap the maximum entry limit to 1000 across the UI, API, and storage layer.
[41 lines not shown]
Replace devel/kf5/kcalendarcore with its kf6 equivalent:
- it will break with the upcoming libical update
- nothing uses it in-tree
ok rsadowski@ (maintainer)
