CHANGES

  *) Added some informative error messages for some failed malloc()
     calls. [John Bley <jbb6@acpub.duke.edu>, Jim Jagielski]

  *) OS/2 ap_os_canonical_filename()'s behaviour is improved: ap_assert()
     is removed. This allows <Directory proxy:*> directives to work and
     prevents invalid requests from killing the process.
     [Brian Havard <brianh@kheldar.apana.org.au>]

  *) Reorganised FAQ document.
     [Joshua Slive <slive@finance.commerce.ubc.ca>] PR#2497

  *) src/support/: The ApacheBench benchmark program was overhauled by
     David N. Welton: you can now have it generate an HTML TABLE, presumably
     for integration into other HTML sources. David updated the ab man page
     as well and added some missing descriptions. Thanks!
     [David N. Welton <davidw@prosa.it>]

  *) Win32: The filename validity checker now allows filenames containing
     characters in the range 0x80 to 0xff (for example accented characters).
     [Paul Sutton] PR#3890

  *) Added conditional logging based upon environment variables to
     mod_log_config.  mod_log_referer and mod_log_agent
     are now deprecated.  [Ken Coar]

  *) Allow apache acting as a proxy server to relay the real
     reason of a failure to a client rather than the "internal
     server error" it does currently. The general exposure mechanism
     can be triggered by any module by setting the "verbose-error-to"
     note to "*"; this allows more than just proxy errors to be exposed.
     [Cliff Skolnick, Roy Fielding, Martin Kraemer] Related to PR#3455, 4086

  *) Moved man pages for ab and apachectrl to section 8.
     [Wilfredo Sanchez, Roy Fielding]

  *) Added -S option to install.sh so that options can be passed to
     strip on some platforms. [Ralf S. Engelschall, Wilfredo Sanchez]

  *) Tweak modules Makefile generated by Configure so that it handles
     the test case of no modules being selected. [chaz@reliant.com]

  *) Added a <LimitExcept method ...> sectioning directive that allows
     the user to assign authentication control to any HTTP method that
     is *not* given in the argument list; i.e., the logical negation
     of the <Limit> directive.  This is particularly useful for controlling
     access on methods unknown to the Apache core, but perhaps known by
     some module or CGI script. [Roy Fielding, Tony Finch]

  *) Prevent apachectl from complaining if the PIDFILE exists but
     does not contain a process id, as might occur if the server is
     being rapidly restarted. [Wilfredo Sanchez]

  *) Win32: Add global symbols missing from ApacheCore.def. [Carl Olsen]

  *) Entity tag comparisons for If-Match and If-None-Match were not being
     performed correctly -- weak tags might cause false positives.  Also,
     strong comparison wasn't properly enforced in all cases.
     [Roy Fielding, Ken Coar, Dean Gaudet] PR#2065, 3657

  *) OS/2: Supply OS/2 error code instead of errno on semaphore errors.
     [Brian Havard]

  *) Work around a bug in Lynx regarding its sending "Negotiate: trans"
     even though it doesn't understand TCN.  [Koen Holtman, Roy Fielding]

  *) Added ap_size_list_item(), ap_get_list_item(), and ap_find_list_item()
     to util.c for parsing an HTTP header field value to extract the next
     list item, taking into account the possible presence of nested comments,
     quoted-pairs, and quoted-strings. ap_get_list_item() also removes
     insignificant whitespace and lowercases non-quoted tokens.
     [Roy Fielding] PR#2065

  *) proxy: The various calls to ap_proxyerror() can return HTTP/1.1 status
     code different from 500. This allows the proxy to, e.g., return
     "403 Forbidden" for ProxyBlock'ed URL's. [Martin Kraemer] Related to PR#3455

  *) Fix ordering of language variants for the case where the traditional
     negotiation algorithm is being used with multiple language variants
     and no Accept-Language. [James Treacy <treacy@debian.org>] PR#3299, 3688

  *) Do not round the TCN quality calculation to 5 decimal places,
     unlike RFC 2296, because the calculation might need 12 decimal places
     to get the right result.  [Roy Fielding]

  *) Remove unused code to disable transparent negotiation when
     negotiating on encoding only, as we now handle encoding too
     (though this is nonstandard for TCN), remove charset=ISO-8859-1
     fiddle from the fiddle-averse RVSA comparison, and fix bugs in
     some debugging statements within mod_negotiation. [Koen Holtman]

  *) Fixed a rare memory corruption possibility in mod_dir if the index
     file is negotiable and no acceptable variant can be found.
     [Dean Gaudet, Roy Fielding, Martin Kraemer]

  *) Win32: Add new config directive, ScriptInterpreterSource, to enable
     searching the Win32 registry for script interpreters.
     [Bill Stoddard]

  *) Win32: The compiled-in default filename for the error log is now
     error.log, which matches the default in the distributed httpd.conf.
     [Paul Sutton]

  *) Win32: Any error messages from -i or -u command line options are now
     displayed on the console output rather than sent to the error log.
     Also the "Running Apache..." message is not output unless Apache is
     going to serve requests. [Paul Sutton]

  *) Rework the MD5 authentication scheme to use FreeBSD's algorithm,
     and use a private significator ('$apr1$') to mark passwords as
     being smashed with our own algorithm.  Also abstract the password
     checking into a new ap_validate_password() routine.  [Ken Coar]

  *) Win32: The filename validity checker now allows "COM" but refuses 
     access to "COM1" through "COM4". This allows filenames such
     as "com.name" to be served. [Paul Sutton] PR#3769.

  *) BS2000: Adapt to the new ufork() system call interface which will
     make subtasking easier on the OSD/POSIX mainframe environment.
     [Martin Kraemer]

  *) Add a compatibility define for escape_uri() -> ap_escape_uri() to
     ap_compat.h. [David White <david@persimmon.com>] PR#3725

  *) Make NDBM file suffix determination for mod_rewrite more accurate, i.e.
     use `.db' instead of `.pag' not only for FreeBSD, but also when
     the NDBM library looks like Berkeley-DB based.
     [Ralf S. Engelschall] PR#3773

  *) Add ability to handle DES or MD5 authentication passwords.
     [Ryan Bloom <rbb@Raleigh.IBM.Com>]

  *) Fix O(n^2) memory consumption in mod_speling.  [Dean Gaudet]

  *) SECURITY: Avoid some buffer overflow problems when escaping
     quoted strings.  (This overflow was on the heap and we believe
     impossible to exploit.)  [Rick Perry <perry@ece.vill.edu>]

  *) Let src/Configure be aware of CFLAGS options starting with plus
     signs as it's the case for the HP/UX compiler.
     [Doug Yatcilla <yatcilda@umdnj.edu>] PR#3681

  *) Remove the hard-wire of TAR=tar (we now check for gtar and gnutar first)
     and check to see if the tar we wind up with supports '-h'.
     [Jim Jagielski] PR#3671

  *) A consistent and conservative style for all shell scripts has been
     implemented. Basically, all shell string tests use the traditional
     hack of 'if [ "x$var" != "x" ]' or 'if [ "x$var" = "xstring" ]'
     to protect against bare null variable strings (ie: wrapping both
     sides with double quotes and prepending 'x'). 'x' was chosen
     because it's more universal and hopefully easier for old shell
     prgrammers, as well as being easier to search for in 'vi' (/x\$) :)
     [Jim Jagielski]

  *) The status module now prints out both the main server generation as
     well as the generation of each process. Also, the vhost info is
     printed with '?notable'. [Jim Jagielski]

  *) Move src/main/md5c.c to src/ap/ap_md5c.c; it's httpd-neutral
     and this makes its functions available to things in src/support.
     [Ken Coar]

Changes with Apache 1.3.4

  *) Renamed macros status_drops_connection to ap_status_drops_connection
     and vestigial scan_script_header to ap_scan_script_header_err,
     mostly for aesthetic reasons. [Roy Fielding]

  *) The query switch "httpd -S" didn't exit after showing the
     vhost settings. That was inconsistent with the other query functions.
     [Martin Kraemer]

  *) Moved the MODULE_MAGIC_COOKIE from before the versions and
     filename to the end of the STANDARD_MODULE_STUFF.  Its
     presence at the beginning prevented reporting of the filename
     for modules compiled before 1 January 1999.  [Ken Coar]

  *) SECURITY: ap_os_is_filename_valid() has been added to Win32
     to detect and prevent access to special DOS device file names.
     [Paul Sutton, Ken Parzygnat]
     
  *) WIN32: Created new makefiles Makefile_win32.txt (normal build)
     and Makefile_win32_debug.txt (debug build) that work on Win95.
     Run each of the following from the src directory:
        nmake /f Makefile_win32.txt           # compiles normal build
        nmake /f Makefile_win32.txt install   # compiles and installs
        nmake /f Makefile_win32.txt clean     # removes compiled junk
        nmake /f Makefile_win32_debug.txt     # compiles debug build
        nmake /f Makefile_win32_debug.txt install
        nmake /f Makefile_win32_debug.txt clean
     [Roy Fielding]

  *) Added binbuild.sh and findprg.sh helpers to make it easier for us
     to build binary distributions. [Lars Eilebrecht]

  *) IndexOptions SuppressColumnSorting only turned off making
     the column headers anchors; you could still change the display
     order by manually adding a '?N=A' or similar query string to the
     URL.  Now SuppressColumnSorting locks in the sort order so
     it can't be overridden this way.  [Ken Coar]

  *) Added IndexOrderDefault directive to supply a default sort order
     for FancyIndexed directory listings.  [Ken Coar] PR#1699

  *) Change the ap_assert macro to a variant that works on all platforms.
     [Richard Prinz <richard.prinz@cso.net>] PR#2575

  *) Make sure under ELF-based NetBSD (now) and OpenBSD (future) we don't
     search for an underscore on dlsym() (as it's already the case
     for FreeBSD 3.0). [Todd Vierling <tv@pobox.com>] PR#2462
  
  *) Small fix for mod_env.html: The module was documented as to be _not_
     compiled into Apache per default, although it _IS_ compiled into 
     Apache per default. [Sim Harbert <sim@mindspring.com>] PR#3572

  *) Instead of fixing a bug in the generation procedure for config.status (a
     backslash was missing) we remove the bug together with it's complete
     context because the special cases of the past can now no longer occur
     because of the recent magic for the --with-layout default.
     [Ralf S. Engelschall] PR#3590
 
  *) Make top-level Makefile aware of a parallel build procedures (make -j) by
     making sure the src/support/ tools are _forced_ to be build last (they
     depend on other libraries).
     [Markus Theissinger <markus.theissinger@gmx.de>]

  *) Fix installation procedure: Now that os-inline.c is actually used (a
     recently fixed bug prevented this) we need to also install os-include.c
     in addition to os.h into the PREFIX/include/ location or building of
     module DSOs with APXS fails. [Ralf S. Engelschall] PR#3527

  *) Added MODULE_MAGIC_COOKIE as the first field in a module structure to
     allow us to distinguish between a garbled DSO (or even a file which isn't
     an Apache module DSO at all) and a DSO which doesn't match the current
     Apache API. [Ralf S. Engelschall] PR#3152
 
  *) Two minor enhancements to mod_rewrite: First RewriteRule now also
     supports the ``nocase|NC'' flag (as RewriteCond already does for ages) to
     match case insensitive (this especially avoids nasty patterns like
     `[tT][eE][sS][tT]'). Second two additional internal map functions
     `escape' and `unescape' were added which can be used to escape/unescape
     to/from hex-encodings in URLs parts (this is especially useful in
     combination with map lookups). 
     [Magnus Bodin, Ian Kallen, Ralf S. Engelschall]

  *) Renamed the macro escape_uri() to ap_escape_uri() which was
     forgotten (because it was a macro) in the symbol renaming process.
     [Ralf S. Engelschall]

  *) Fix some inconsistencies related to the scopes of directives. The only
     user visible change is that the directives `UseCanonicalName' and
     `ContentDigest' now use the (more correct) `Options' scope instead of
     (less correct) `AuthConfig' scope.  [Ralf S. Engelschall]

  *) Using DSO, the Server token was being mangled. Specifically, the
     module's token was being added first before the Apache token. This
     has been fixed. [Jim Jagielski]

  *) Major overhaul of mod_negotiation.c, part 2.
     - properly handle "identity" within Accept-Encoding.
     - allow encoded variants in RVSA negotiation and let them appear in
       the Alternates field using the non-standard "encoding" tag-list.
     - fixed both negotiation algorithms so that an explicitly accepted
       encoding is preferred over no encoding if "identity" is not
       included within Accept-Encoding.
     - added ap_array_pstrcat() to alloc.c for efficient concatenation
       of large substring sequences.
     - replaced O(n^2) memory hogs in mod_negotiation with ap_array_pstrcat.
     [Roy Fielding]

  *) Major overhaul of mod_negotiation.c, part 1.
     - cleanups to mod_negotiation comments and code structure
     - made compliant with HTTP/1.1 proposed standard (rfc2068) and added
       support for everything in the upcoming HTTP/1.1
       revision (draft-ietf-http-v11-spec-rev-06.txt).
         - language tag matching also handles tags with more than 2
           levels like x-y-z
         - empty Accept, Accept-Language, Accept-Charset headers are
           processed correctly; previously an empty header would make all
           values acceptable instead of unacceptable.
         - allowed for q values in Accept-Encoding
     - added support for transparent content negotiation (rfc2295 and
       rfc2296) (though we do not implement all features in these drafts,
       e.g. no feature negotiation).  Removed old experimental version.
     - implemented 'structured entity tags' for better cache correctness
       (structured entity tags ensure that caches which can deal with Vary
       will (eventually) be updated if the set of variants on the server
       is changed)
         - this involved adding a vlist_validator element to request_rec
         - this involved adding the ap_make_etag() function to the global API
     - modified guessing of charsets used by Apache negotiation algorithm 
       to guess 'no charset' if the variant is not a text/* type
     - added code to sort multiviews variants into a canonical order so that
       negotiation results are consistent across backup/restores and mirrors
     - removed possibility of a type map file resolving to another type map
       file as its best variant
     [Koen Holtman, Roy Fielding, Lars Eilebrecht] PR#3451, 3299, 1987

  *) RFC2396 allows the syntax http://host:/path (with no port number)
     but the proxy disallowed it (ap_proxy_canon_netloc()).
     [David Kristol <dmk@bell-labs.com>] PR#3530

  *) When modules update/modify the file name in the configfile_t structure,
     syntax errors will report the updated name, not the original one.
     [Fabien Coelho <coelho@cri.ensmp.fr>] PR#3573

  *) Correct some filename case assumptions from WIN32 to
     CASE_BLIND_FILESYSTEM.  [Brian Havard <brianh@kheldar.apana.org.au>]

  *) For %v log ServerName regardless of the UseCanonicalName
     setting (similarly for %p).  [Dean Gaudet]

  *) Configure was initializing the variables $OSDIR, $INCDIR and $SHELL
     rather late (too late for some invocations of TestCompile).
     This improves the make environment available to TestCompile and
     the *.module scripts. [Martin Kraemer]

  *) The hashbang emulation code in ap_execve.c would interpret
     #!/hashbang/scripts correctly, but failed to fall back to a
     standard shell for scripts which did NOT start with #!
     Now SHELL_PATH is started in these cases. [Martin Kraemer]

  *) PORT: Added the Cyberguard V2 port [Richard Stagg <stagg@lentil.org>]
     PR#3336

  *) Update APXS manual page: some -q option arguments were missing
     and another was incorrect. [Mark Anderson <mda@discerning.com>] PR#3553

  *) Cleanup the command line options: `-?' was documented to show
     the usage list but does it with an error because `?' is not a valid
     command. OTOH a lot of users expect `-h' to print such a usage list and
     instead are annoyed for ages by our huge unreadable list of directives.
     So we now changed the command line options this way:
     1. `-L' => `-R' 
        Intent: we need `-L' to be free, and `-R' for the DSO run-time path is
        very similar to the popular linker option.
     2. `-h' => `-L'
        Intent: while -l gives the small list of modules, -L now gives the
        large list of directives implemented by these modules.  This is also
        consistent with -v (short version info) and -V (large version info).
     3. `-?' => `-h' 
        Intent: it's now the expected option ;-)
     The manual page was adjusted accordingly. 
     [Ralf S. Engelschall] PR#2714

  *) Fixed problem of fclose() on an unopened file in suexec if LOG_EXEC
     wasn't defined.  [Rick Franchuk <rickf@transpect.net>]

  *) Removed recently introduced bugs and disfigurements in APACI:
     o fixed argument line processing: using $args was broken: It was not
       initialized and using args="$args $apc_option" and even args="$args
       \"$apc_option\"" fails in the second processing round for any arguments
       containing whitespaces. The only correct way is to use the construct
       "$@" (but not possible here) or iterate _both_ times over the implicit
       argument line (no argument to for-loop) which is what we now use.
     o make --with-layout=Apache the default without creating
       redundancy (copying the --with-layout block in the argument parsing
       loop).  We achieve this by using the "$@" construct together with the
       `set' command to prepend --with-layout=Apache to the command line in
       case --with-layout is not used.
     o fixed auto-suffix handling now that config.layout exists.
       Paths which are auto-suffixed are marked with a trailing plus sign in
       config.layout and every path now can be marked this way (not only the
       four paths for which we do it currently).  Additionally the suffix is
       no longer a static one. Instead it's now `/<target>' where <target> is
       the argument of the --target option or per default `httpd'.
     o allow also tabs (and only spaces) where we match whitespaces
     o various fixes and cleanups related to used shell coding style
     o made Jim happy by replacing `Written by' with `Initially written by' ;-)
     o trimmed output of --help to fit into 80 columns
     [Ralf S. Engelschall]

  *) Added two new core API functions, ap_single_module_configure() and
     ap_single_module_init(), which are now used by mod_so to configure a module
     after loading. [Ralf S. Engelschall]

  *) PORT: Add defines for USE_FLOCK_SERIALIZED_ACCEPT and
     SINGLE_LISTEN_UNSERIALIZED_ACCEPT to NetBSD/OpenBSD section
     of ap_config.h to allow serialized accept for multiport listens.
     [Roy Fielding, Curt Sampson] PR#3120

  *) PORT: Fixed a misplaced #endif for NetBSD/OpenBSD section
     of ap_config.h that would skip several defines if DEFAULT_GROUP
     was overridden. [Roy Fielding]

  *) PORT: The I86 version of DGUX has support for strncasecmp and 
     strcasecmp, so allow it in ap_config.h. [Amiel Lee Yee] PR#3247

  *) Fix ordering of definitions in ap_config.h so that ap_inline is
     defined before it might be used. [Victor Khimenko]

  *) PORT: Add Dynamic Shared Object (DSO) support for BSDI (v4.0).
     [Tom Serkowski <tks@bsdi.com>] PR#3453

  *) Make generation of src/Configuration.apaci more robust: It failed to
     differenciate between modules when one module name was a postfix of
     another (e.g. cgi vs. fastcgi). We now check for mod_XXX, libXXX and even
     just XXX (think about totally non-standard names like "apache_ssl", too).
     [Ralf S. Engelschall] PR#3380

  *) In src/Configure remove the SERVER_SUBVERSION support (already deprecated
     since 1.3b7) and make whitespace handling more robust (it failed horrible
     when whitespaces were present in the arguments of -D options).
     [Ralf S. Engelschall] PR#3240

  *) Add APACI --shadow=DIR variant (in addition to --shadow). This now first
     creates an external package shadow tree in DIR before the local build
     shadow tree is generated under DIR. This way one can have the extracted
     Apache distribution tree read-only on NFS or CDROM and still build Apache
     from these sources. An automatically triggered VPATH-like mechanism is
     provided through the TOP variable, too.
     [Ralf S. Engelschall, Wilfredo Sanchez <wsanchez@apple.com>]

  *) Fix negotiation so that a Vary response header is correctly 
     generated when, for a particular dimension, variants only vary
     in having or not having a value for that dimension. [Paul Sutton]

  *) Fix negotiation so that we prefer an encoded variant over an
     unencoded variant if the user-agent explicitly says it can
     accept that encoding. Previously we always preferred the unencoded
     variant.
     [Paul Ausbeck <paula@alumni.cse.ucsc.edu>, Paul Sutton] PR#3447
 
  *) Fix APXS tool: query variables LIBS_SHLIB and TARGET were not recognized
     and the usage page was inconsistent with the functionality and manpage.
     [Ralf S. Engelschall]

  *) Allow special options -Wc,xxx and -Wl,xxx on APXS compile/link command.
     They can occur multiple times and their arguments (`xxx') are passed AS
     IS to the compiler/linker command.  [Ralf S. Engelschall]

  *) Fixed possible (but harmless in practice) bug in the DBM lookup
     procedure of mod_rewrite: very long keys were truncated.
     [Ralf S. Engelschall]

  *) Added a generic --with-layout=[FILE:]ID option. ID here is a layout
     identifier, currently "Apache" and "GNU" are pre-defined in the file
     config.layout.  Custom layouts are possible by using FILE:ID as the
     argument where the layout ID is taken from FILE.

     The config.layout file consists of <Layout ID>..</Layout> sections
     where inside those sections "path_variable: path_value" pairs can be
     specified. These lines are converted to path_variable='path_value'.

  *) Add a DefaultLanguage directive so that files missing a language
     extension (e.g., .fr, .de) can be labelled as being some other
     default language. DefaultLanguage can appear in <Directory> and 
     <Files> containers as well as .htaccess files.  [Paul Sutton]
     PR#1180

  *) Fix TARGET configuration when configuring and installing using
     APACI configure. TARGET now defines the basename of the configuration
     file, startup script, manual page, etc. log_error_core() now reports
     the server binary name given by argv[0]. TARGET can now also be defined
     with --target=TARGET parameter passed to APACI configure.
     [Ralf Engelschall, Randy Terbush]

  *) mod_include.c:handle_perl() now properly tests for OPT_INCNOEXEC
     rather than OPT_INCLUDES [Rainer Schoepf <schoepf@uni-mainz.de>]

  *) ap_md5_binary() was using sprintf() rather than a table lookup
     to convert binary bytes to hex digits.
     [Ronald Tschalär <ronald@innovation.ch>] PR#3409

  *) Fix SEGV in TCN negotiation if no variants are acceptable.
     [Martin Plechsmid <plechsmi@karlin.mff.cuni.cz>] PR#1987

  *) API: ap_exists_config_define() function is now "public" [Doug MacEachern]

  *) Fix documentation of `Action' directive: It can activate a CGI script
     when either a handler or a MIME content type is triggered by the request.
     [Andrew Pimlott <pimlott@math.harvard.edu>] PR#3340

  *) Document the `add' command of `dbmmanage' in `dbmmanage.1' manpage.
     [David MacKenzie <djm@uu.net>] PR#3394

  *) Ignore a "ErrorDocument 401" directive with a full URL and write a
     notice to the error log. It is not possible to send a 401 response
     and a redirect at the same time.  [Lars Eilebrecht]

  *) Fallback to native compilers for IRIX-32 platform. It seems that
     a gcc 2.8.1 compiled apache is logging client addresses with all
     bits set (255.255.255.255). This is the second such problem caused
     by gcc 2.8.1 compiler. The first being broken semaphore locking.
     [Randy Terbush]

  *) Updated mime.types to reflect current Internet media types
     and include a URL to the registry.
     [Manoj Kasichainula, Roy Fielding] PR#2380, 2286, 2246

  *) SECURITY: Do a more complete check in mod_include to avoid 
     an infinite loop of recursive SSI includes.  [Marc Slemko] PR#3323

  *) Add APACI --suexec-docroot and --suexec-logfile options which can be
     used to set the document root directory (DOC_ROOT) and the suexec
     logfile (LOG_EXEC), respectively. Additionally the --layout option
     was changed to show more information about the suEXEC setup.
     [Lars Eilebrecht] PR#3316, 3357, 3361

  *) Added the last two WebDAV status codes of 424 (Failed Dependency)
     and 507 (Insufficient Storage) for use by third-party modules.
     [Roy Fielding]

  *) Enabled all of the WebDAV method names for use by third-party
     modules, Limit, and Script directives.  That includes PATCH,
     PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, and UNLOCK.
     Improved mod_actions.c so that it can use any of the methods
     defined in httpd.h.  Added ap_method_number_of(method) for
     getting the internal method number.  [Roy Fielding]

  *) PORT: Add a port to the TPF OS. [Joe Moenich <moenich@us.ibm.com> and
     others at IBM]

  *) Fix problems with handling of UNC names (e.g., \\host\path)
     on Win32.  [Ken Parzygnat <kparz@us.ibm.com>]

  *) Rework os_canonical_*() on Win32 so it's simpler, more
     robust, and works.  [Ken Parzygnat <kparz@us.ibm.com>]
     PR#2555, 2915, 3064, 3232

  *) Work around incomplete implementation of strftime on Win32.
     [Manoj Kasichainula, Ken Parzygnat <kparz@us.ibm.com>]

  *) Move a typedef to fix compile problems on Linux with 1.x kernels.
     [Manoj Kasichainula] PR#3177

  *) PORT: Add a port to the Concurrent PowerMAX OS. [Tom Horsley
     <Tom.Horsley@mail.ccur.com>]

  *) WIN32: Log more explicit error messages if spawning an interpreted 
     script failed, including the command line used to attempt to execute 
     the interpreter and the Win32 error code returned.  [Marc Slemko]

  *) Disable sending of error-notes on a 500 (Internal Server Error) response
     since it often includes file path info.  Enable sending of error-notes
     on a 501 (Method Not Implemented).  [Roy Fielding] PR#3173

  *) http_config.c would respond with 501 (Method Not Implemented) if a
     content type handler was specified but could not be found, which
     should have been a 500 response.  Likewise, mod_proxy.c would responsd
     with a 501 if the URI scheme is unrecognized instead of the correct
     response of 403 (Forbidden).  [Roy Fielding]

  *) SECURITY: Eliminate DoS attack when a bad URI path contains what
     looks like a printf format escape.  [Marc Slemko, Studenten Net Twente]

  *) Fix in mod_autoindex: for files where the last modified time stamp was
     unavailable, an empty string was printed which was 2 bytes short.
     The size and description columns were therefore not aligned correctly.
     [Martin Kraemer] (no PR#)

  *) Update BS2000 OS code to work with recent versions. Starting with
     release A17, the child fork() must be replaced by a _rfork().
     (BS2000 only) [Martin Kraemer]

  *) Add the actual server_rec structure of the specific Vhost to the
     scoreboard file and avoid a string copy (as well as allow some
     further future enhancements). [Harrie Hazewinkel
     <harrie.hazewinkel@jrc.it>]

  *) Add APACI --permute-module=foo:bar option which can be used to
     on-the-fly/batch permute the order of two modules (mod_foo and mod_bar)
     in the Configuration[.apaci] file. Two special and important variants are
     supported for the option argument: first BEGIN:foo which permutes module
     mod_foo with the begin of the module list, i.e. it `moves' the module to
     the begin of the list (gives it lowest priority).  And second foo:END
     which permutes mod_foo with the end of the module list, i.e. it `moves'
     the module to the end of the list (gives it highest priority). 
     [Ralf S. Engelschall]

  *) Fix problem with 'apache -k shutdown' and startup event
     synchronisation (Win32).  [Ken Parzygnat <kparz@raleigh.ibm.com>]
     PR#3255

  *) The config parser wasn't correctly noticing a missing '>'
     on container start lines (e.g., it wouldn't spot
     "<Directory /" as a syntax error).  [Ryan Bloom <rbbloom@us.ibm.com>]
     PR#3279

  *) Add a 'RemoveHandler' directive which will selectively remove
     all handler associations for the specified file extensions.
     [Ryan Bloom <rbbloom@us.ibm.com>] PR#1799.

  *) Properly handle & allow "nul" and ".*/null" in AccessConfig and
     ResourceConfig directives on Win32.  Also add a note to the effect
     of 'useless User directive ignored on Win32' to the errorlog if
     a User directive is encountered on Win32.
     [Ken Parzygnat <kparz@raleigh.ibm.com>] PR#2078, 2303.

  *) Fix multiple whitespace handling in imagemaps for mod_imap which was
     broken since Apache 1.3.1 where we took out compressing of multiple
     spaces in ap_cfg_getline().
     [Ivan Richwalski <ivan@seppuku.net>] PR#3249

  *) Fix Berkeley-DB/2.x support in mod_auth_db: The data structures were not
     initialized correctly and the db_open() call used an invalid mode
     parameter. [Ron Klatchko <ron@ckm.ucsf.edu>] PR#3171

  *) PORT: DSO support for UnixWare 7
     [Ralf S. Engelschall, Ron Record <rr@sco.com>]

  *) Merge the contents of the {srm,access}.conf-dist* files into the
     httpd.conf-dist* files.  The srm and access files now contain
     only comments, and httpd.conf has all the combined contents in
     a rational order.  [Ken Coar]

  *) PORT: DSO/ELF support for FreeBSD 3.0.
     [Ralf S. Engelschall, Dirk Froemberg <ibex@physik.TU-Berlin.DE>]
  
  *) Add a "default-handler" handler that calls the default_hander()
     function which is normally called for static content.  This allows
     you to override a specific handler.  [Marc Slemko]

  *) Further simplify checking for absolute paths by replacing an
     hard-coded syntax check with a call to a routine we already created to
     do this.  [Ken Parzygnat <kparz@raleigh.ibm.com>] PR#2976, 3074

  *) Log an error if we encounter a malformed "require" directive 
     in mod_auth if we know that we know that no other module can
     deal with it.  [Marc Slemko]

  *) Remove ap_private_extern method of hiding conflicting symbols
     on the NEXT platform because it is not correct for all versions,
     and the versions for which it is correct are unknown.
     [Wilfredo Sanchez <wsanchez@apple.com>]

  *) Fix inheritance of IndexOptions NameWidth and remove unintended
     restriction on +NameWidth, +IconHeight, and +IconWidth.  [Ken Coar]

  *) Fix per-directory config merging for cases in which a 500 error
     is encountered in an .htaccess file somewhere down the tree.
     [Ken Coar]  PR#2409

  *) Minor performance improvement to ap_escape_html(). [Roy Fielding]

  *) Fixed a segmentation violation in mod_proxy when a response is
     non-cachable.  [Roy Fielding, traced by Doug Bloebaum]. PR#2950, 3056

Changes with Apache 1.3.3

  *) Added a complete implementation of the Expect header field as
     specified in rev-05 of HTTP/1.1.  Disabled the 100 Continue
     response when we already know the final status, which is mighty
     useful for PUT responses that result in 302 or 401. [Roy Fielding]

  *) Remove extra trailing whitespace from the getline results as part
     of the protocol processing, which is extra nice because it works
     between continuation lines, is almost no cost in the normal case
     of no extra whitespace, and saves memory. [Roy Fielding]

  *) Added new HTTP status codes and default response bodies from the
     revised HTTP/1.1 (307, 416, 417), WebDAV (102, 207, 422, 423), and 
     HTTP Extension Framework (510) specifications.  Did not add the
     WebDAV 424 and 425 codes because they are bogus.  We don't use any
     of these codes yet, but they are now available to 3rd-party modules.
     [Roy Fielding]

  *) Fix a possible race condition between timed-out requests and the
     ap_bhalfduplex select that might result in an infinite loop on
     platforms that do not validate the descriptor. [Roy Fielding]

  *) WIN32: Add "-k shutdown" and "-k restart" options to signal a
     running Apache server [Paul Sutton]

  *) Fix mod_autoindex bug where directories got a size of "0k" instead
     of "-".  [Martin Plechsmid <plechsmi@karlin.mff.cuni.cz>, Marc Slemko]
     PR#3130

  *) PORT: DRS 6000 machine. [Paul Debleecker <pdebleecker@jetair.be>]

  *) Add the server signature text (from the core ServerSignature directive)
     to the list of envariables available to scripts, SSI, and the like.
     [Ken Coar]

  *) PORT: Fix sys/resource.h handling for SCO 3.x platform.
     [M. Laak <maert@proinv.ee>] PR#3108
 
  *) Fallback from sysconf-based to plain HZ-based `ticks per second'
     calculation in mod_status for all systems which don't have POSIX
     sysconf() (like UTS 2.1) and not only for the NEXT platform.
     [Dave Dykstra <dwd@bell-labs.com>] PR#3055

  *) Fix `require ...' directive parsing in mod_auth, mod_auth_dbm and
     mod_auth_db by using ap_getword_white() (which uses ap_isspace()) 
     instead of ap_getword(..., ' ') (which parses only according to spaces 
     but not tabs).  [James Morris <jmorris@intercode.com.au>, 
     Ralf S. Engelschall] PR#3105

  *) Fix the SERVER_NAME variable under sub-request situations (where
     `UseCanonicalName off' is used) like CGI's called from SSI pages or
     RewriteCond variables by adopting r->hostname to sub-requests.
     [James Grinter <jrg@blodwen.demon.co.uk>] PR#3111

  *) Fix stderr redirection under syslog-based error logging situation.
     [Youichirou Koga <y-koga@jp.FreeBSD.org>] PR#3095

  *) Document `ErrorLog syslog:facility' variant of error logging.
     [Youichirou Koga <y-koga@jp.FreeBSD.org>] PR#3096

  *) Fix http://localhost/ hints in top-level INSTALL document.
     [Rob Jenson <robjen@spotch.com>, Ralf S. Engelschall] PR#3088

  *) Quote paths in default configuration files.  [Wilfredo Sanchez]

  *) PORT: Remove extra HAVE_SYS_RESOURCE_H define for RHAPSODY since
     it is now taken care of properly by the header file tests.
     [Wilfredo Sanchez <wsanchez@apple.com>]

  *) Fix problem with scripts and filehandle inheritance on Win32.
     [Ken Parzygnat <kparz@raleigh.ibm.com>]  PR#2884, 2910

  *) Win32 name canonicalisation could end up using the server's
     working directory to fill in some blanks.  [Ken Parzygnat
     <kparz@raleigh.ibm.com>] PR#3001

  *) Correct invalid assumption by ap_sub_req_lookup_file() that all
     absolute paths begin with "/" -- because they don't on Win32.
     [Ken Parzygnat <kparz@raleigh.ibm.com>] PR#2976, 3074

  *) Add [REDIRECT_]VARIANTS environment variable to mod_speling
     so that ErrorDocument 300 processors can reformat the list
     if desired.  [Ken Coar] PR#2859

  *) Add +/- incremental prefixes to IndexOptions keywords, and
     enable merging of multiple IndexOptions directives.  [Ken Coar]

  *) PORT: Allow GuessOS to recognize Unixware 7.0.1 [Steve Cameron
     <steve.cameron@compaq.com>]

  *) Reconstructed the loop through multiple htaccess file names so
     that missing files are not confused with unreadable files.
     [Roy Fielding]

  *) The ap_pfopen and ap_pfdopen routines were failing to protect the
     errno on an error, which leads to one error being mistaken for
     another when reading non-existent .htaccess files.
     [Jim Jagielski]

  *) OS/2: The new header tests get things right, need to update
     ap_config.h.  [Brian Havard]

  *) The Perl %ENV hash will now be setup by default when using the
     mod_include `perl' command [Doug MacEachern]

  *) PORT: Add Pyramid DC/OSx support to configuration mechanism.
     [Earle Ake <akee@wpdiss1.wpafb.af.mil>]

  *) PORT: Fix sys/resource.h handling for Amdahl's UTS 2.1
     [Dave Dykstra <dwd@bell-labs.com>] PR#3054

  *) Correct comment in mod_log_config.c about its internals.
     [Elf Sternberg <elf@halcyon.com>]

  *) Avoid possible line overflow in Configure: Use an awkfile to
     handle the creation of modules.c [Jim Jagielski]

Changes with Apache 1.3.2

  *) Fix bug in ap_remove_module(), which caused problems for dso's 
     who were the top_module.  [Doug MacEachern]

  *) Add support for Berkeley-DB/2.x (in addition to Berkeley-DB/1.x) to
     mod_auth_db to both be friendly to users who wants to use this version
     and to avoid problems under platforms where only version 2.x is present.
     [Dan Jacobowitz <drow@false.org>, Ralf S. Engelschall]

  *) When using ap_log_rerror(), make the error message available to the
     *ERROR_NOTES envariables by default.  [Ken Coar]

  *) BS2000 platform only: get rid of the nasty BS2000AuthFile.
     You now must define a BS2000Account name for the server User.
     This has fewer security implications than the old approach.
     [Martin Kraemer]

  *) Fix SHARED_CORE feature for HPUX platform: We now use extension `.sl'
     instead of `.so' and `SHLIB_PATH' instead of `LD_LIBRARY_PATH' on this
     platform to make the braindead HPUX linker happy. Notice, for the module
     DSOs we don't have to use this, because these are loaded manually (and
     not via HPUX' dld). [Ralf S. Engelschall] PR#2905, PR#2968

  *) Remove 64 thread limit on Win32.
     [Bill Stoddard <stoddard@raleigh.ibm.com>]

  *) Remove redundant substitutions in top-level Makefile.tmpl.
     [Ralf S. Engelschall]

  *) Fix APACI's `Group' configuration adjustment - especially for Linux
     platforms where `nogroup' exists in /etc/group. [Ralf S. Engelschall]
 
  *) Make PrintPath work generically instead of having one version
     strictly for OS/2. [Jim Jagielski, Brian Havard]

  *) Fix the recently introduced C header file checking: We now use the C
     pre-processor pass only (and no longer the complete compiler pass) to
     determine whether a C header file exists or not. Because only this way
     we're safe against inter-header dependencies (which caused horrible
     portability problems). The only drawback is that we now have a CPP
     configuration variable which has to be determined first (we do a similar
     approach as GNU Autoconf does here). When all fails the user still has
     the possibility to override it manually via APACI or src/Configuration.
     As a fallback for the header check itself we can directly check the
     existance of the file under /usr/include, too.
     [Ralf S. Engelschall] PR#2777

  *) PORT: Added RHAPSODY (Mac OS X Server) support. MAP_TMPFILE defined
     as an alternate mechanism for mmap'd shared memory for RHAPSODY.
     ap_private_extern defined to hide symbols that conflict with loaded
     dynamic libraries on the NEXT and RHAPSODY platforms.
     [Wilfredo Sanchez <wsanchez@apple.com>]

  *) Delete PID file on clean shutdowns.
     [Charles Randall <crandall@matchlogic.com>] PR#2947

  *) Fix mod_auth_*.html documents: NSCA -> NCSA
     [Youichirou Koga <y-koga@jp.FreeBSD.org>] PR#2991

  *) Fix INSTALL document: www.gnu.ai.mit.edu -> www.gnu.org
     [Karl Berry <karl@gnu.org>] PR#2994

  *) Fix dbmmanage.1 manual page.
     [Youichirou Koga <y-koga@jp.FreeBSD.org>] PR#2992
     
  *) Fix possible buffer overflow situation in suexec.c.
     [Jeff Stewart <jws@purdue.edu>] PR#2790

  *) Add some more LIBS for the SCO5 platform which are needed for the already
     used -lprot. It's actually a bug in SCO5, of course.
     [Ronald Record <rr@sco.com>] PR#2533

  *) Fix documentation of ProxyPass/ProxyPassReverse according to the
     trailing slash problem. [Jon Drukman <jsd@gamespot.com>] PR#2933
  
  *) Remove `-msym' option from LDFLAGS_SHLIB for the Digital UNIX (OSF/1)
     platform, because it's only supported under version 4.0 and higher. But
     because our GuessOS is still unaware of Digital UNIX versions and the
     -msym is just to optimize the DSO statup time a little bit it's safe and
     best when we leave it out now.  [Ralf S. Engelschall] PR#2969

  *) Fix the ap_log_error_old(), ap_log_unixerr() and ap_log_printf()
     functions: First all three functions no longer fail on strings containing
     "%" chars and second ap_log_printf() no longer does a double-formatting
     (instead it directly passes through the message to be formatted to the
     real internal formatting function). [Ralf S. Engelschall] PR#2941

  *) Allow "Include" directives anywhere in the server config
     files (but not .htaccess files).  [Ken Coar] PR#2727

  *) The proxy was refusing to serve CONNECT requests except to
     port 443 (https://) and 563 (snews://). The new AllowCONNECT
     directive allows the configuration of the ports to which a
     CONNECT is allowed.  [Sameer Parekh, Martin Kraemer]

  *) mod_expires will now act on content that is not sent from a file
     on disk.  Previously it would never add an Expires: header to
     any response that did not come from a file on disk; the only
     case where it still doesn't (and can't) add one for that type of 
     content is if you are using a modification date based setting.  
     [Marc Slemko, Paul Phillips <paulp@go2net.com>]

  *) Problems encountered during .htaccess parsing or CGI execution
     that lead to a "500 Server Error" condition now provide explanatory
     text (in the *ERROR_NOTES envariable) to ErrorDocument 500 scripts.
     [Ken Coar] PR#1291

  *) Add NameWidth keyword to IndexOptions directive so that the
     width of the filename column is customisable.  [Ken Coar, Dean Gaudet]
     PR#1949, 2324.

  *) Recognize lowercase _and_ uppercase `uname' results under
     SCO OpenServer. [David Coelho <drc@ppt.com>]

  *) As duplicate "HTTP/1.0 200 OK" lines within the header seem to be
     a common problem of (mis-administrated?) IIS servers, make the apache
     proxy immune to these errors (and ignore the duplicates, but log
     the fact to error_log). [Martin Kraemer], after the proposal in PR#2914 
     
  *) The <IfModule and <IfDefine block starting directives now only
     allow exactly one argument. Previously, the optional negation
     character '!' could be separated by whitespace without a syntax
     error being reported, albeit defeating the IfModule functionality
     (enclosed directives would ALWAYS be executed). By using the
     stricter syntax, these hard-to-track errors can be avoided.
     [Martin Kraemer]

  *) Simplify handling of IndexOptions in mod_autoindex -- and BTW
     cause the standalone FancyIndexing directive to logically OR
     into any existing IndexOptions settings rather than wiping
     them out.  [Ken Coar]

  *) Changes in ftp proxy: make URL parsing simpler by using the
     parsed_uri stuff.
     + Add display of the "current directory" in cases where it's
     different from the supplied path (e.g., ftp://user@host/ lives
     in /home/user, not in /, therefore clicking on "../" in the
     starting directory might send us to /home/).
     + When ftp login fails, (esp. when a user name was part of the
     URL already), we now return [401 Unauthorized ] to allow the
     browser to pop up an authorization dialog. This makes passwords
     slightly less visible (they don't appear in the regular log files)
     and implements a functionality that other www proxy servers
     already offered.
     [Martin Kraemer]

  *) Triggered by the recent "Via:" header changes, the proxy module would
     dump core for replies with invalid headers (e.g., duplicate
     "HTTP/1.0 200 OK" lines). These errors are now logged and the
     core dump is avoided. Also, broken replies are not cached.
     [Martin Kraemer] PR#2914

  *) new `GprofDir' directive when compiled with -DGPROF, where gprof can
     plop gmon.out profile data for each child [Doug MacEachern]
   
  *) Use the construct ``"$@"'' instead of ``$*'' in the generated
     config.status script to be immune against arguments with whitespaces.
     [Yves Arrouye <yves@apple.com>] PR#2866

  *) Replace the inlined information grabbing stuff for the configuration
     adjustment feature (no --without-confadjust) with calls to a new helper
     script `buildinfo.sh' which is both more flexible and already proofed to
     be more robust against platform differences. This mainly fixes the
     recently occured ``sed: command garbled: ...'' problems.
     [Ralf S. Engelschall] PR#2776, PR#2848

  *) Make ab.c again pass ``gcc -Wall -Wshadow -Wpointer-arith -Wcast-align
     -Wmissing-prototypes -Wmissing-declarations -Wnested-externs -Winline''
     without complains after we recently added the POST feature.
     [Ralf S. Engelschall]

  *) Renamed is_HTTP_xxx() macros to ap_is_HTTP_xxx() name. They are used inside
     modules as API functions and we forgot them at the big symbol renaming.
     [Ralf S. Engelschall]

  *) Remove bad reference to non-existing SERVER_VERSION in mod_rewrite.html
     [Youichirou Koga <y-koga@jp.FreeBSD.ORG>] PR#2895

  *) Dynamically size the filename column of mod_autoindex output.
     [Dean Gaudet]

  *) Add the ability to do POST requests to the ab benchmarking tool.
     [Kurt Sussman <kls@best.com>] PR#2871

  *) Bump up MAX_ENV_FLAGS in mod_rewrite.h from the too conservatice limit of
     5 to 10 because there are some users out there who always have 5 to 8
     variables in one RewriteRule and had to patch mod_rewrite.h for every
     release. So 15 should be now more than enough, even for them. (I never
     needed more than 4 in my RewriteRules ;-)
     [Ralf S. Engelschall]

  *) Make the proxy generate and understand Via: headers
     [Martin Kraemer]

  *) Change the proxy to use tables instead of array_headers for
     the header lines. [Martin Kraemer]

  *) Make sure the config.status file is not overridden when just
     ``configure --help'' is used. [Ralf S. Engelschall] PR#2844

  *) Split MODULE_MAGIC_NUMBER into _MAJOR/_MINOR numbers. This should
     provide a way to trace API changes that add functionality but do
     not create a compatibility issue for precompiled modules, etc.
     See include/ap_mmn.h for more details.  [Randy Terbush]

  *) Fix suexec installation under `make install root=xxx' situation.
     [Ralf S. Engelschall]

  *) Extend the output of the -V switch to include the paths of all
     compiled-in configuration files, if they were overridden at
     compile time, for least astonishment of the user.
     [Martin Kraemer]

  *) When READing a request in ExtendedStatus mode, the "old"
     vhost, request and client information is not displayed.
     [Jim Jagielski]

  *) STATUS is no longer available. Full status information now
     run-time configurable using the ExtendedStatus directive.
     [Jim Jagielski]

  *) SECURITY [CAN-1999-1199] (cve.mitre.org): 
     Eliminate O(n^2) space DoS attacks (and other O(n^2)
     cpu time attacks) in header parsing.  Add ap_overlap_tables(),
     a function which can be used to perform bulk update operations
     on tables in a more efficient manner.
     [Dean Gaudet]

  *) SECURITY: Added compile-time and configurable limits for
     various aspects of reading a client request to avoid some simple
     denial of service attacks, including limits on maximum request-line
     size (LimitRequestLine), number of header fields (LimitRequestFields),
     and size of any one header field (LimitRequestFieldsize).  Also added
     a configurable directive LimitRequestBody for limiting the size of the
     request message body.  [Roy Fielding]

  *) Make status module aware of DNS and logging states, even if
     STATUS not defined.  [Jim Jagielski]

  *) Fix a problem with the new OS/2 mutexes.  [Brian Havard]

  *) Enhance mod_speling so that CheckSpelling can be used in