Newer
Older
12001
12002
12003
12004
12005
12006
12007
12008
12009
12010
12011
12012
12013
12014
12015
12016
12017
12018
12019
12020
12021
12022
12023
12024
12025
through the use of backreferences.
Additionally the rewriting engine was cleaned up by putting common
code to the new expand_backrefs_inbuffer() function.
[Ralf S. Engelschall]
*) When merging the main server's <Directory> and <Location> sections into
a vhost, put the main server's first and the vhost's second. Otherwise
the vhost can't override the main server. [Dean Gaudet] PR#717
*) The <Directory> code would merge and re-merge the same section after
a match was found, possibly causing problems with some modules.
[Dean Gaudet]
*) ip-based vhosts are stored and queried using a hashing function, which
has been shown to improve performance on servers with many ip-vhosts.
Some other changes had to be made to accommodate this:
- the * address for vhosts now behaves like _default_
- the matching process now is:
- match an ip-vhost directly via hash (possibly matches main
server)
- if that fails, just pretend it matched the main server
- if so far only the main server has been matched, perform
name-based lookups (ServerName, ServerAlias, ServerPath)
*only on name-based vhosts*
- if they fail, look for _default_ vhosts
12027
12028
12029
12030
12031
12032
12033
12034
12035
12036
12037
12038
12039
12040
12041
12042
12043
12044
12045
12046
12047
12048
12049
12050
12051
12052
12053
*) dbmmanage overhaul:
- merge dbmmanage and dbmmanage.new functionality, remove dbmmanage.new
- tie() to AnyDBM_File which will use one of DB_File, NDBM_File or
GDBM_File (-ldb, -lndbm, -lgdbm) (trying each in that order)
- provide better seed for rand
- prompt for password as per getpass(3) (turn off echo, read from
/dev/tty, etc.)
- use "newstyle" crypt based on $Config{osname} ($^O)
- will not add a user if already in database, use new `update' command
instead
- added `check' command to check a users' password
- added `import' command to convert existing password text-files or
dbm files exported with `view'
- more descriptive usage, general cleanup, 'use strict' clean, etc.
[Doug MacEachern]
*) Added psocket() which is a pool form of socket(), various places within
the proxy weren't properly blocking alarms while registering the cleanup
for its sockets. bclose() now uses pclose() and pclosesocket(). There
was a bug where the client socket was being close()d twice due a still
registered cleanup. [Dean Gaudet]
*) A few cleanups were made to reduce time(), getpid(), and signal() calls.
[Dean Gaudet]
*) PORT: AIX >= 4.2 requires -lm due to libc changes.
12055
12056
12057
12058
12059
12060
12061
12062
12063
12064
12065
12066
12067
12068
12069
12070
12071
12072
12073
12074
12075
12076
12077
12078
12079
12080
12081
12082
12083
12084
12085
12086
12087
12088
12089
12090
12091
12092
12093
12094
12095
12096
12097
12098
12099
12100
12101
12102
12103
12104
12105
12106
12107
12108
12109
12110
12111
12112
12113
12114
12115
*) Enable ``=""'' for RewriteCond directives to match against
the empty string. This is the preferred way instead of ``^$''.
[Ralf S. Engelschall]
*) Fixed an infinite loop in mod_imap for references above the server root
[Dean Gaudet] PR#748
*) mod_proxy now has a ReceiveBufferSize directive, similar to
SendBufferSize, so that the TCP window can be set appropriately
for LFNs. [Phillip A. Prindeville]
*) mod_browser has been replaced by the more general mod_setenvif
(courtesy of Paul Sutton). BrowserMatch* directives are still
available, but are now joined by SetEnvIf*, UnSetEnvIf*, and
UnSetEnvIfZero directives. [Ken Coar]
*) "HostnameLookups double" forces double-reverse DNS to succeed in
order for remote_host to be set (for logging, or for the env var
REMOTE_HOST). The old define MAXIMUM_DNS has been deprecated.
[Dean Gaudet]
*) mod_access overhaul:
- Now understands network/netmask syntax (i.e. 10.1.0.0/255.255.0.0)
and cidr syntax (i.e. 10.1.0.0/16). PR#762
- Critical path was sped up by pre-computing a few things at config time.
- The undocumented syntax "allow user-agents" was removed,
the replacement is "allow from env=foobar" combined with mod_browser.
- When used with hostnames it now forces a double-reverse lookup
no matter what the directory settings are. This double-reverse
doesn't affect any of the other routines that use the remote
hostname. In particular it's still passed to CGIs and the log
without the double-reverse check. Related PR#860.
[Dean Gaudet]
*) When a large bwrite() occurs (larger than the internal buffer size),
while there is already something in the buffer, apache will combine
the large write and the buffer into a single writev(). (This is
in anticipation of using mmap() for reading files.)
[Dean Gaudet]
*) In obscure cases where a partial socket write occurred while chunking,
Apache would omit the chunk header/footer on the next block. Cleaned
up other bugs/inconsistencies in error conditions in buff.c. Fixed
a bug where a long pause in DNS lookups could cause the last packet
of a response to be unduly delayed. [Roy Fielding, Dean Gaudet]
*) API: Added child_exit function to module structure. This is called
once per "heavy-weight process" just before a server child exit()'s
e.g. when max_requests_per_child is reached, etc.
[Doug MacEachern, Dean Gaudet]
*) mod_include cleanup showed that handle_else was being used to handle
endif. It didn't cause problems, but it was cleaned up too.
[Howard Fear]
*) mod_cern_meta would attempt to find meta files for the directory itself
in some cases, but not in others. It now avoids it in all cases.
[Dean Gaudet]
*) mod_mime_magic would core dump if there was a decompression error.
*) PORT: some variants of DGUX require -lsocket -lnsl
*) mod_autoindex now allows sorting of FancyIndexed directory listings
by the various fields (name, size, et cetera), either in ascending
or descending order. Just click on the column header. [Ken Coar]
*) PORT: Various tweaks to eliminate pointer-int casting warnings on 64-bit
CPUs like the Alpha. Apache still stores ints in pointers, but that's
the relatively safe direction. [Dean Gaudet] PR#344
*) PORT: QNX mmap() support for faster/more reliable scoreboard handling.
12131
12132
12133
12134
12135
12136
12137
12138
12139
12140
12141
12142
12143
12144
12145
12146
12147
12148
12149
12150
12151
12152
12153
12154
12155
12156
12157
12158
12159
12160
12161
12162
12163
12164
12165
12166
12167
12168
12169
*) child_main avoids an unneeded call to select() when there is only one
listening socket. [Dean Gaudet]
*) In the event that the server is starved for idle servers it will
spawn 1, then 2, then 4, ..., then 32 servers each second,
doubling each second. It'll also give a warning in the errorlog
since the most common reason for this is a poor StartServers
setting. The define MAX_SPAWN_RATE can be used to raise/lower
the maximum. [Dean Gaudet]
*) Apache now provides an effectively unbuffered connection for
CGI scripts. This means that data will be sent to the client
as soon as the CGI pauses or stops output; previously, Apache would
buffer the output up to a fixed buffer size before sending, which
could result in the user viewing an empty page until the CGI finished
or output a complete buffer. It is no longer necessary to use an
"nph-" CGI to get unbuffered output. Given that most CGIs are written
in a language that by default does buffering (e.g. perl) this
shouldn't have a detrimental effect on performance.
"nph-" CGIs, which formerly provided a direct socket to the client
without any server post-processing, were not fully compatible with
HTTP/1.1 or SSL support. As such they would have had to implement
the transport details, such as encryption or chunking, in order
to work properly in certain situations. Now, the only difference
between nph and non-nph scripts is "non-parsed headers".
[Dean Gaudet, Sameer Parekh, Roy Fielding]
*) If a BUFF is switched from buffered to unbuffered reading the first
bread() will return whatever remained in the buffer prior to the
switch. [Dean Gaudet]
Changes with Apache 1.3a1
*) Added another Configure helper script: TestLib. It determines
if a specified library exists. [Jim Jagielski]
*) PORT: Allow for use of n32bit libraries under IRIX 6.x
PR#721
*) PORT: Some architectures use size_t for various lengths in network
functions such as accept(), and getsockname(). The definition
NET_SIZE_T is used to control this. [Dean Gaudet]
*) PORT: Linux: Attempt to detect glibc based systems and include crypt.h
and -lcrypt. Test for various db libraries (dbm, ndbm, db) when
mod_auth_dbm or mod_auth_db are included. [Dean Gaudet]
*) PORT: QNX doesn't have initgroups() which support/suexec.c uses.
*) "force-response-1.0" now only applies to requests which are HTTP/1.0 to
begin with. "nokeepalive" now works for HTTP/1.1 clients. Added
"downgrade-1.0" which causes Apache to pretend it received a 1.0.
[Dean Gaudet] related PR#875
*) API: Correct child_init() slot declaration from int to void, to
match the init() declaration. Update mod_example to use the new
hook. [Ken Coar]
*) added transport handle slot (t_handle) to the BUFF structure
[Doug MacEachern]
*) get_client_block() returns wrong length if policy is
REQUEST_CHUNKED_DECHUNK.
*) Support the image map format of FrontPage. For example:
rect /url.hrm 10 20 30 40
*) PORT: -lresolv and -lsocks were in the wrong order for Solaris.
*) AddModuleInfo directive for mod_info which allows you to annotate
*) Added NoProxy directive to avoid using ProxyRemote for selected
addresses. Added ProxyDomain directive to cause unqualified
names to be qualified by redirection.
12214
12215
12216
12217
12218
12219
12220
12221
12222
12223
12224
12225
12226
12227
12228
12229
12230
12231
12232
12233
12234
12235
12236
12237
12238
12239
12240
12241
12242
12243
12244
12245
12246
12247
12248
12249
12250
12251
12252
12253
12254
12255
12256
12257
12258
12259
12260
12261
12262
12263
12264
12265
12266
12267
12268
12269
12270
12271
12272
12273
12274
12275
12276
12277
12278
12279
12280
12281
*) Support Proxy Authentication, and don't pass the Proxy-Authorize
header to the remote host in the proxy. [Sameer Parekh and
Wallace]
*) Upgraded mod_rewrite from 3.0.6+ to latest officially available version
3.0.9. This upgrade includes: fixed deadlooping on rewriting to same
URLs, fixed rewritelog(), fixed forced response code handling on
redirects from within .htaccess files, disabled pipe locking under
braindead SunOS 4.1.x, allow env variables to be set even on rules with
no substitution, bugfixed situations where HostnameLookups is off, made
mod_rewrite more thread-safe for NT port and fixed problem when creating
an empty query string via "xxx?".
This update also removes the copyright of Ralf S. Engelschall,
i.e. now mod_rewrite no longer has a shared copyright. Instead is is
exclusively copyrighted by the Apache Group now. This happened because
the author now has gifted mod_rewrite exclusively to the Apache Group and
no longer maintains an external version.
[Ralf S. Engelschall]
*) API: Added child_init function to module structure. This is called
once per "heavy-weight process" before any requests are handled.
See http_config.h for more details. [Dean Gaudet]
*) Anonymous_LogEmail was logging on each subrequest.
[Dean Gaudet] PR#421, 868
*) API: Added is_initial_req() which tests if the request being
processed is the initial request, or a subrequest.
[Doug MacEachern]
*) Extended SSI (mod_include) now handles additional relops for
string comparisons (<, >, <=, and >=). [Bruno Wolff III] PR#41
*) Configure fixed to correctly propagate user-selected options and
settings (such as CC and OPTIM) to Makefiles other than
src/Makefile (notably support/Makefile). [Ken Coar] PR#666, #834
*) IndexOptions SuppressHTMLPreamble now causes the actual HTML of
directory indices to start with the contents of the HeaderName file
if there is one. If there isn't one, the behaviour is unchanged.
[Ken Coar, Roy Fielding, Andrey A. Chernov]
*) WIN32: Modules can now be dynamically loaded DLLs using the
LoadModule/LoadFile directives. Note that module DLLs must be
compiled with the multithreaded DLL version of the runtime library.
[Alexei Kosut and Ben Laurie]
*) Automatic indexing removed from mod_dir and placed into mod_autoindex.
This allows the admin to completely remove automatic indexing
from the server, while still supporting the basic functions of
trailing-slash redirects and DirectoryIndex files. Note that if
you're carrying over an old Configuration file and you use directory
indexing then you'll want to add:
Module autoindex_module mod_autoindex.o
before mod_dir in your Configuration. [Dean Gaudet]
*) popendir/pclosedir created to properly protect directory scanning.
[Dean Gaudet] PR#525
*) AliasMatch, ScriptAliasMatch and RedirectMatch directives added,
giving regex support to mod_alias. <DirectoryMatch>, <LocationMatch>
and <FilesMatch> sections added to succeed <DirectoryMatch ~>, etc...
[Alexei Kosut]
*) The AccessFileName directive can now take more than one filename.
*) The new mod_mime_magic can be used to "magically" determine the type
of a file if the extension is unknown. Based on the unix file(1)
12287
12288
12289
12290
12291
12292
12293
12294
12295
12296
12297
12298
12299
12300
12301
12302
12303
12304
12305
12306
12307
12308
12309
12310
12311
12312
12313
12314
12315
12316
12317
12318
12319
12320
12321
12322
12323
12324
12325
12326
12327
12328
12329
12330
12331
12332
12333
12334
12335
12336
12337
12338
12339
12340
12341
12342
12343
12344
12345
*) We now determine and display the time spent processing a
request if desired. [Jim Jagielski]
*) mod_status: PID field of "dead" child slots no longer displays
main httpd process's PID. [Jim Jagielski]
*) Makefile.nt added - to build all the bits from the command line:
nmake -f Makefile.nt
Doesn't yet work properly. [Ben Laurie]
*) Default text of 404 error is now "Not Found" rather than the
potentially misleading "File Not Found". [Ken Coar]
*) CONFIG: "HostnameLookups" now defaults to off because it is far better
for the net if we require people that actually need this data to
enable it. [Linus Torvalds]
*) directory_walk() is an expensive function, keep a little more state to
avoid needless string counting. Add two new functions make_dirstr_parent
and make_dirstr_prefix which replace all existing uses of make_dirstr.
The new functions are a little less general than make_dirstr, but
work more efficiently (less memory, less string counting).
[Dean Gaudet]
*) EXTRA_LFLAGS was changed to EXTRA_LDFLAGS (and LFLAGS was changed
to LDFLAGS) to avoid complications with lex rules in make files.
[Dean Gaudet] PR#372
*) run_method optimized to avoid needless scanning over NULLs in the
module list. [Dean Gaudet]
*) Revamp of (unix) scoreboard management code such that it avoids
unnecessary traversals of the scoreboard on each hit. This is
particularly important for high volume sites with a large
HARD_SERVER_LIMIT. Some of the previous operations were O(n^2),
and are now O(n). See also SCOREBOARD_MAINTENANCE_INTERVAL in
httpd.h. [Dean Gaudet]
*) In configurations using multiple Listen statements it was possible for
busy sockets to starve other sockets of service. [Dean Gaudet]
*) Added hook so standalone_main can be replaced at compile time
(define STANDALONE_MAIN)
[Doug MacEachern]
*) Lowest-level read/write functions in buff.c will be replaced with
the SFIO library calls sfread/sfwrite if B_SFIO is defined at
compile time. The default sfio discipline will behave as apache
would without sfio compiled in.
[Doug MacEachern]
*) Enhance UserDir directive (mod_userdir) to accept a list of
usernames for the 'disable' keyword, and add 'enable user...' to
selectively *en*able userdirs if they're globally disabled.
[Ken Coar]
*) If NETSCAPE_DBM_COMPAT is defined in EXTRA_CFLAGS then Apache
will work with Netscape dbm files. (dbmmanage will probably not
12347
12348
12349
12350
12351
12352
12353
12354
12355
12356
12357
12358
12359
12360
12361
12362
12363
*) Add a ListenBacklog directive to control the backlog parameter
passed to listen(). Also change the default to 511 from 512.
[Marc Slemko]
*) API: A new handler response DONE which informs apache that the
request has been handled and it can finish off quickly, similar to
how it handles errors. [Rob Hartill]
*) Turn off chunked encoding after sending terminating chunk/footer
so that we can't do it twice by accident. [Roy Fielding]
*) mod_expire also issues Cache-Control: max-age headers.
[Rob Hartill]
*) API: Added kill_only_once option for free_proc_chain so that it won't
aggressively try to kill off specific children. For fastcgi.
*) mod_auth deals with extra ':' delimited fields. [Marc Slemko]
*) Added IconHeight and IconWidth to mod_dir's IndexOptions directive.
When used together, these cause mod_dir to emit HEIGHT and WIDTH
attributes in the FancyIndexing IMG tags. [Ken Coar]
*) PORT: Sequent and SONY NEWS-OS support added. [Jim Jagielski]
*) PORT: Added Windows NT support
Changes with Apache 1.2.6
*) mod_include when using XBitHack Full would send ETags in addition to
sending Last-Modifieds. This is incorrect HTTP/1.1 behaviour.
[Dean Gaudet] PR#1133
*) SECURITY: When a client connects to a particular port/addr, and
gives a Host: header ensure that the virtual host requested can
actually be reached via that port/addr. [Ed Korthof <ed organic.com>]
*) Support virtual hosts with wildcard port and/or multiple ports
*) Fixed some case-sensitivity issues according to RFC2068.
[Dean Gaudet]
*) Set r->allowed properly in mod_asis.c, mod_dir.c, mod_info.c,
and mod_include.c. [Dean Gaudet]
*) Variable 'cwd' was being used pointlessly before being set.
[Ken Coar] PR#1738
*) SIGURG doesn't exist on all platforms.
*) When an error occurs during a POST, or other operation with a
request body, the body has to be read from the net before allowing
a keepalive session to continue. [Roy Fielding] PR#1399
*) When an error occurs in fcntl() locking suggest the user look up
the docs for LockFile. [Dean Gaudet]
*) table_set() and table_unset() did not deal correctly with
multiple occurrences of the same key. [Stephen Scheck
*) send_fd_length() did not calculate total_bytes_sent properly in error
*) r->connection->user was allocated in the wrong pool causing corruption
in some cases when used with mod_cern_meta. [Dean Gaudet] PR#1500
*) mod_proxy was sending HTTP/1.1 responses to ftp requests by mistake.
Also removed the auto-generated link to www.apache.org that was the
source of so many misdirected bug reports. [Roy Fielding, Marc Slemko]
*) Multiple "close" tokens may have been set in the "Connection"
header, not an error, but a waste.
*) "basic" and "digest" auth tokens should be tested case-insensitive.
12429
12430
12431
12432
12433
12434
12435
12436
12437
12438
12439
12440
12441
12442
12443
12444
12445
12446
12447
12448
12449
12450
12451
12452
12453
12454
12455
12456
12457
12458
12459
12460
12461
12462
12463
12464
12465
12466
12467
12468
12469
12470
12471
12472
12473
12474
12475
12476
12477
12478
12479
12480
12481
12482
*) It appears the "257th byte" bug (see
htdocs/manual/misc/known_client_problems.html#257th-byte) can happen
at the 256th byte as well. Fixed. [Dean Gaudet]
*) mod_rewrite would not handle %3f properly in some situations.
[Ralf Engelschall]
*) Apache could generate improperly chunked HTTP/1.1 responses when
the bputc() or rputc() functions were used by modules (such as
mod_include). [Dean Gaudet]
*) #ifdef wrap a few #defines in httpd.h to make life easier on
some ports. [Ralf Engelschall]
*) Fix MPE compilation error in mod_usertrack.c. [Mark Bixby]
*) Quote CC='$(CC)' to improve recurse make calls. [Martin Kraemer]
*) Avoid B_ERROR redeclaration on sysvr4 systems. [Martin Kraemer]
Changes with Apache 1.2.5
*) SECURITY: Fix a possible buffer overflow in logresolve. This is
only an issue on systems without a MAXDNAME define or where
the resolver returns domain names longer than MAXDNAME. [Marc Slemko]
*) Fix an improper length in an ap_snprintf call in proxy_date_canon().
[Marc Slemko]
*) Fix core dump in the ftp proxy when reading incorrectly formatted
directory listings. [Marc Slemko]
*) SECURITY: Fix possible minor buffer overflow in the proxy cache.
[Marc Slemko]
*) SECURITY: Eliminate possible buffer overflow in cfg_getline, which
is used to read various types of files such as htaccess and
htpasswd files. [Marc Slemko]
*) SECURITY: Ensure that the buffer returned by ht_time is always
properly null terminated. [Marc Slemko]
*) SECURITY: General mod_include cleanup, including fixing several
possible buffer overflows and a possible infinite loop. This cleanup
was done against 1.3 code and then backported to 1.2, the result
is a large difference (due to indentation cleanup in 1.3 code).
Users interested in seeing a smaller set of relevant differences
should consider comparing against src/modules/standard/mod_include.c
from the 1.3b3 release. Non-indentation changes to mod_include
between 1.2 and 1.3 were minimal. [Dean Gaudet, Marc Slemko]
*) SECURITY: Numerous changes to mod_imap in a general cleanup
including fixing a possible buffer overflow. This cleanup also
was done with 1.3 code as a basis, see the previous note
about mod_include. [Dean Gaudet]
*) SECURITY: If a htaccess file can not be read due to bad
permissions, deny access to the directory with a HTTP_FORBIDDEN.
The previous behavior was to ignore the htaccess file if it could not
be read. This change may make some setups with unreadable
htaccess files stop working. PR#817 [Marc Slemko]
*) SECURITY: no2slash() was O(n^2) in the length of the input.
Make it O(n). This inefficiency could be used to mount a denial
of service attack against the Apache server. Thanks to
this. [Dean Gaudet]
*) mod_include used uninitialized data for some uses of && and ||.
*) mod_imap should decline all non-GET methods.
*) suexec.c wouldn't build without -DLOG_EXEC. [Jason A. Dour]
*) mod_userdir was modifying r->finfo in cases where it wasn't setting
r->filename. Since those two are meant to be in sync with each other
this is a bug. ["Paul B. Henson" <henson intranet.csupomona.edu>]
*) mod_include did not properly handle all possible redirects from sub-
requests. [Ken Coar]
*) Inetd mode (which is buggy) uses timeouts without having setup the
jmpbuffer. [Dean Gaudet] PR#1064
*) Work around problem under Linux where a child will start looping
reporting a select error over and over.
12519
12520
12521
12522
12523
12524
12525
12526
12527
12528
12529
12530
12531
12532
12533
12534
12535
12536
12537
12538
12539
12540
12541
12542
12543
12544
12545
12546
12547
12548
12549
12550
12551
12552
12553
12554
12555
12556
12557
12558
12559
12560
12561
12562
12563
12564
12565
12566
12567
12568
12569
12570
12571
12572
12573
12574
12575
12576
12577
12578
12579
12580
12581
12582
12583
12584
12585
12586
12587
12588
12589
12590
12591
12592
12593
12594
12595
12596
12597
12598
12599
12600
12601
12602
12603
Changes with Apache 1.2.4
*) The ProxyRemote change in 1.2.3 introduced a bug resulting in the proxy
always making requests with the full-URI instead of just the URI path.
[Marc Slemko, Roy Fielding]
*) Add -lm for AIX versions >= 4.2 to allow Apache to link properly
on this platform. [Marc Slemko]
Changes with Apache 1.2.3
*) The request to a remote proxy was mangled if it was generated as the
result of a ProxyPass directive. URL schemes other than http:// were not
supported when ProxyRemote was used. PR#260, PR#656, PR#699, PR#713,
PR#812 [Lars Eilebrecht]
*) Fixed proxy-pass-through feature of mod_rewrite; Added error logging
information for case where proxy module is not available. [Marc Slemko]
*) Force proxy to always respond as HTTP/1.0, which it was failing to
do for errors and cached responses. [Roy Fielding]
*) PORT: Improved support for ConvexOS 11. [Jeff Venters]
Changes with Apache 1.2.2 [not released]
*) Fixed another long-standing bug in sub_req_lookup_file where it would
happily skip past access checks on subdirectories looked up with relative
paths. (It's used by mod_dir, mod_negotiation, and mod_include.)
[Dean Gaudet]
*) Add lockfile name to error message printed out when
USE_FLOCK_SERIALIZED_ACCEPT is defined.
[Marc Slemko]
*) Enhanced the chunking and error handling inside the buffer functions.
[Dean Gaudet, Roy Fielding]
*) When merging the main server's <Directory> and <Location> sections into
a vhost, put the main server's first and the vhost's second. Otherwise
the vhost can't override the main server. [Dean Gaudet] PR#717
*) The <Directory> code would merge and re-merge the same section after
a match was found, possibly causing problems with some modules.
[Dean Gaudet]
*) Fixed an infinite loop in mod_imap for references above the server root.
[Dean Gaudet] PR#748
*) mod_include cleanup showed that handle_else was being used to handle
endif. It didn't cause problems, but it was cleaned up too.
[Howard Fear]
*) Last official synchronization of mod_rewrite with author version (because
mod_rewrite is now directly developed by the author at the Apache Group):
o added diff between mod_rewrite 3.0.6+ and 3.0.9
minus WIN32/NT stuff, but plus copyright removement.
In detail:
- workaround for detecting infinite rewriting loops
- fixed setting of env vars when "-" is used as subst string
- fixed forced response code on redirects (PR#777)
- fixed cases where r->args is ""
- kludge to disable locking on pipes under braindead SunOS
- fix for rewritelog in cases where remote hostname is unknown
- fixed totally damaged request_rec walk-back loop
o remove static from local data and add static to global ones.
o replaced ugly proxy finding stuff by simple
find_linked_module("mod_proxy") call.
o added missing negation char on rewritelog()
o fixed a few comment typos
[Ralf S. Engelschall]
*) Anonymous_LogEmail was logging on each subrequest.
[Dean Gaudet] PR#421, PR#868
*) "force-response-1.0" now only applies to requests which are HTTP/1.0 to
begin with. "nokeepalive" now works for HTTP/1.1 clients. Added
"downgrade-1.0" which causes Apache to pretend it received a 1.0.
Additionally mod_browser now triggers during translate_name to workaround
a deficiency in the header_parse phase.
[Dean Gaudet] PR#875
*) get_client_block() returns wrong length if policy is
REQUEST_CHUNKED_DECHUNK.
*) Properly treat <files> container like other containers in mod_info.
[Marc Slemko] PR#848
*) The proxy didn't treat the "Host:" keyword of the host header as case-
insensitive. The proxy would corrupt the first line of a response from
an HTTP/0.9 server. [Kenichi Hori <ken d2.bs1.fc.nec.co.jp>] PR#813,814
*) mod_include would log some bogus values occasionally.
12615
12616
12617
12618
12619
12620
12621
12622
12623
12624
12625
12626
12627
12628
12629
12630
12631
12632
12633
12634
12635
12636
12637
12638
12639
12640
12641
12642
12643
12644
12645
12646
12647
12648
12649
12650
12651
12652
12653
12654
12655
12656
12657
12658
12659
12660
12661
12662
12663
12664
12665
12666
12667
12668
12669
12670
12671
12672
12673
12674
12675
12676
12677
12678
12679
12680
12681
12682
12683
12684
12685
12686
12687
12688
12689
12690
12691
12692
12693
12694
12695
12696
12697
12698
12699
12700
*) PORT: The slack fd changes in 1.2.1 introduced a problem with SIGHUP
under Solaris 2.x (up through 2.5.1). It has been fixed.
[Dean Gaudet] PR#832
*) API: In HTTP/1.1, whether or not a request message contains a body
is independent of the request method and based solely on the presence
of a Content-Length or Transfer-Encoding. Therefore, our default
handlers need to be prepared to read a body even if they don't know
what to do with it; otherwise, the body would be mistaken for the
next request on a persistent connection. discard_request_body()
has been added to take care of that. [Roy Fielding] PR#378
*) API: Symbol APACHE_RELEASE provides a numeric form of the Apache
release version number, such that it always increases along the
same lines as our source code branching. [Roy Fielding]
*) Minor oversight on multiple variants fixed. [Paul Sutton] PR#94
Changes with Apache 1.2.1
*) SECURITY: Don't serve file system objects unless they are plain files,
symlinks, or directories. This prevents local users from using pipes
or named sockets to invoke programs for an extremely crude form of
CGI. [Dean Gaudet]
*) SECURITY: HeaderName and ReadmeName were settable in .htaccess and
could contain "../" allowing a local user to "publish" any file on
the system. No slashes are allowed now. [Dean Gaudet]
*) SECURITY: It was possible to violate the symlink Options using mod_dir
(headers, readmes, titles), mod_negotiation (type maps), or
mod_cern_meta (meta files). [Dean Gaudet]
*) SECURITY: Apache will refuse to run as "User root" unless
BIG_SECURITY_HOLE is defined at compile time. [Dean Gaudet]
*) CONFIG: If a symlink pointed to a directory then it would be disallowed
if it contained a .htaccess disallowing symlinks. This is contrary
to the rule that symlink permissions are tested with the symlink
options of the parent directory. [Dean Gaudet] PR#353
*) CONFIG: The LockFile directive can be used to place the serializing
lockfile in any location. It previously defaulted to /usr/tmp/htlock.
[Somehow it took four of us: Randy Terbush, Jim Jagielski, Dean Gaudet,
Marc Slemko]
*) Request processing now retains state of whether or not the request
body has been read, so that internal redirects and subrequests will
not try to read it twice (and block). [Roy Fielding]
*) Add a placeholder in modules/Makefile to avoid errors with certain
makes. [Marc Slemko]
*) QUERY_STRING was unescaped in mod_include, it shouldn't be.
[Dean Gaudet] PR#644
*) mod_include was not properly changing the current directory.
[Marc Slemko] PR#742
*) Attempt to work around problems with third party libraries that do not
handle high numbered descriptors (examples include bind, and
solaris libc). On all systems apache attempts to keep all permanent
descriptors above 15 (called the low slack line). Solaris users
can also benefit from adding -DHIGH_SLACK_LINE=256 to EXTRA_CFLAGS
which keeps all non-FILE * descriptors above 255. On all systems
this should make supporting large numbers of vhosts with many open
log files more feasible. If this causes trouble please report it,
you can disable this workaround by adding -DNO_SLACK to EXTRA_CFLAGS.
[Dean Gaudet] various PRs
*) Related to the last entry, network sockets are now opened before
log files are opened. The only known case where this can cause
problems is under Solaris with many virtualhosts and many Listen
directives. But using -DHIGH_SLACK_LINE=256 described above will
work around this problem. [Dean Gaudet]
*) USE_FLOCK_SERIALIZED_ACCEPT is now default for FreeBSD, A/UX, and
SunOS 4.
*) Improved unix error response logging. [Marc Slemko]
*) Update mod_rewrite from 3.0.5 to 3.0.6. New ruleflag
QSA=query_string_append. Also fixed a nasty bug in per-dir context:
when a URL http://... was used in conjunction with a special
redirect flag, e.g. R=permanent, the permanent status was lost.
[Ronald Tschalaer <Ronald.Tschalaer psi.ch>, Ralf S. Engelschall]
*) If an object has multiple variants that are otherwise equal Apache
would prefer the last listed variant rather than the first.
[Paul Sutton] PR#94
*) "make clean" at the top level now removes *.o. [Dean Gaudet] PR#752
*) mod_status dumps core in inetd mode. [Marc Slemko and Roy Fielding]
PR#566
*) pregsub had an off-by-1 in its error checking code. [Alexei Kosut]
*) PORT: fix rlim_t problems with AIX 4.2. [Marc Slemko] PR#333
*) PORT: Update UnixWare support for 2.1.2.
*) PORT: NonStop-UX [Joachim Schmitz <schmitz_joachim tandem.com>] PR#327
*) PORT: Update ConvexOS support for 11.5.
*) PORT: Support for DEC cc compiler under ULTRIX.
12726
12727
12728
12729
12730
12731
12732
12733
12734
12735
12736
12737
12738
12739
12740
12741
12742
12743
12744
12745
12746
12747
12748
12749
12750
12751
12752
12753
12754
12755
12756
12757
12758
12759
12760
*) PORT: Support for Maxion/OS SVR4.2 Real Time Unix. [no name given] PR#383
*) PORT: Workaround for AIX 3.x compiler bug in http_bprintf.c.
[Marc Slemko] PR#725
*) PORT: fix problem compiling http_bprintf.c with gcc under SCO
[Marc Slemko] PR#695
Changes with Apache 1.2
Changes with Apache 1.2b11
*) Fixed open timestamp fd in proxy_cache.c [Chuck Murcko]
*) Added undocumented perl SSI mechanism for -DUSE_PERL_SSI and mod_perl.
[Doug MacEachern, Rob Hartill]
*) Proxy needs to use hard_timeout instead of soft_timeout when it is
reading from one buffer and writing to another, at least until it has
a custom timeout handler. [Roy Fielding and Petr Lampa]
*) Fixed problem on IRIX with servers hanging in IdentityCheck,
apparently due to a mismatch between sigaction and setjmp.
[Roy Fielding] PR#502
*) Log correct status code if we timeout before receiving a request (408)
or if we received a request-line that was too long to process (414).
[Ed Korthof and Roy Fielding] PR#601
*) Virtual hosts with the same ServerName, but on different ports, were
not being selected properly. [Ed Korthof]
*) Added code to return the requested IP address from proxy_host2addr()
if gethostbyaddr() fails due to reverse DNS lookup problems. Original
12762
12763
12764
12765
12766
12767
12768
12769
12770
12771
12772
12773
12774
12775
12776
12777
12778
12779
12780
12781
12782
12783
12784
12785
12786
12787
12788
12789
12790
12791
12792
12793
12794
12795
12796
12797
12798
12799
12800
12801
12802
12803
12804
12805
12806
12807
12808
12809
12810
12811
12812
12813
12814
12815
12816
12817
12818
12819
12820
12821
12822
12823
12824
12825
12826
12827
12828
12829
12830
12831
12832
12833
12834
12835
12836
12837
12838
12839
12840
12841
12842
12843
12844
12845
12846
12847
12848
12849
12850
12851
12852
12853
12854
12855
12856
12857
12858
12859
12860
12861
12862
12863
12864
12865
12866
12867
12868
12869
12870
12871
12872
12873
12874
12875
12876
12877
12878
12879
12880
12881
12882
12883
12884
12885
12886
12887
12888
12889
12890
12891
12892
12893
12894
12895
12896
12897
12898
12899
12900
12901
12902
12903
12904
12905
12906
12907
12908
12909
12910
12911
12912
12913
12914
12915
12916
12917
12918
12919
12920
12921
12922
12923
12924
12925
12926
12927
12928
12929
12930
12931
12932
12933
12934
12935
12936
12937
12938
12939
12940
12941
12942
12943
12944
12945
12946
12947
12948
12949
12950
12951
12952
12953
12954
12955
12956
12957
12958
12959
12960
12961
12962
12963
12964
12965
12966
12967
12968
12969
12970
12971
12972
12973
12974
12975
12976
12977
12978
12979
12980
12981
12982
12983
12984
12985
12986
12987
12988
12989
12990
12991
12992
12993
12994
12995
12996
12997
12998
12999
13000
[Chuck Murcko] PR#614
*) If multiple requests on a single connection are used to retrieve
data from different virtual hosts, the virtual host list would be
scanned starting with the most recently used VH instead of the first,
causing most virtual hosts to be ignored.
[Paul Sutton and Martin Mares] PR#610
*) The OS/2 handling of process group was broken by a porting patch for
MPE, so restored prior code for OS/2. [Roy Fielding and Garey Smiley]
*) Inherit virtual server port from main server if none (or "*") is
given for VirtualHost. [Dean Gaudet] PR#576
*) If the lookup for a DirectoryIndex name with content negotiation
has found matching variants, but none are acceptable, return the
negotiation result if there are no more DirectoryIndex names to lookup.
[Petr Lampa and Roy Fielding]
*) If a soft_timeout occurs after keepalive is set, then the main child
loop would try to read another request even though the connection
has been aborted. [Roy Fielding]
*) Configure changes: Allow for whitespace at the start of a
Module declaration. Also, be more understanding about the
CC=/OPTIM= format in Configuration. Finally, fix compiler
flags if using HP-UX's cc compiler. [Jim Jagielski]
*) Subrequests and internal redirects now inherit the_request from the
original request-line. [Roy Fielding]
*) Test for error conditions before creating output header fields, since
we don't want the error message to include those fields. Likewise,
reset the content_language(s) and content_encoding of the response
before generating or redirecting to an error message, since the new
message will have its own Content-* definitions. [Dean Gaudet]
*) Restored the semantics of headers_out (headers sent only with 200..299
and 304 responses) and err_headers_out (headers sent with all responses).
Avoid the overhead of copying tables if err_headers_out is empty
(the usual case). [Roy Fielding]
*) Fixed a couple places where a check for the default Content-Type was
not properly checking both the value configured by the DefaultType
directive and the DEFAULT_TYPE symbol in httpd.h. Changed the value
of DEFAULT_TYPE to match the documented default (text/plain).
[Dean Gaudet] PR#506
*) Escape the HTML-sensitive characters in the Request-URI that is
output for each child by mod_status. [Dean Gaudet and Ken Coar] PR#501
*) Properly initialize the flock structures used by the mutex locking
around accept() when USE_FCNTL_SERIALIZED_ACCEPT is defined.
[Marc Slemko]
*) The method for determining PATH_INFO has been restored to the pre-1.2b
(and NCSA httpd) definition wherein it was the extra path info beyond
the CGI script filename. The environment variable FILEPATH_INFO has
been removed, and instead we supply the original REQUEST_URI to any
script that wants to be Apache-specific and needs the real URI path.
This solves a problem with existing scripts that use extra path info
in the ScriptAlias directive to pass options to the CGI script.
[Roy Fielding]
*) The _default_ change in 1.2b10 will change the behaviour on configs
that use multiple Listen statements for listening on multiple ports.
But that change is necessary to make _default_ consistent with other
forms of <VirtualHost>. It requires such configs to be modified
to use <VirtualHost _default_:*>. The documentation has been
updated. [Dean Gaudet] PR#530
*) If an ErrorDocument CGI script is used to respond to an error
generated by another CGI script which has already read the message
body of the request, the server would block trying to read the
message body again. [Rob Hartill]
*) signal() replacement conflicted with a define on QNX (and potentially
other platforms). Fixed. [Ben Laurie] PR#512
Changes with Apache 1.2b10
*) Allow HTTPD_ROOT, SERVER_CONFIG_FILE, DEFAULT_PATH, and SHELL_PATH
to be configured via -D in Configuration. [Dean Gaudet] PR#449
*) <VirtualHost _default_:portnum> didn't work properly. [Dean Gaudet]
*) Added prototype for mktemp() for SUNOS4 [Marc Slemko]
*) In mod_proxy.c, check return values for proxy_host2addr() when reading
config, in case the hostent struct returned is trash.
[Chuck Murcko] PR #491
*) Fixed the fix in 1.2b9 for parsing URL query info into args for CGI
scripts. [Dean Gaudet, Roy Fielding, Marc Slemko]
Changes with Apache 1.2b9 [never announced]
*) Reset the MODULE_MAGIC_NUMBER to account for the unsigned port
changes and in anticipation of 1.2 final release. [Roy Fielding]
*) Fix problem with scripts not receiving a SIGPIPE when client drops
the connection (e.g., when user presses Stop). Apache will now stop
trying to send a message body immediately after an error from write.
[Roy Fielding and Nathan Kurz] PR#335
*) Rearrange Configuration.tmpl so that mod_rewrite has higher priority
than mod_alias, and mod_alias has higher priority than mod_proxy;
rearranged other modules to enhance understanding of their purpose
and relative order (and maybe even reduce some overhead).
[Roy Fielding and Sameer Parekh]
*) Fix graceful restart. Eliminate many signal-related race
conditions in both forms of restart, and in SIGTERM. See
htdocs/manual/stopping.html for details on stopping and
restarting the parent. [Dean Gaudet]
*) Fix memory leaks in mod_rewrite, mod_browser, mod_include. Tune
memory allocator to avoid a behaviour that required extra blocks to
be allocated. [Dean Gaudet]
*) Allow suexec to access files relative to current directory but not
above. (Excluding leading / or any .. directory.) [Ken Coar]
PR#269, 319, 395
*) Fix suexec segfault when group doesn't exist. [Gregory Neil Shapiro]
PR#367, 368, 354, 453
*) Fix the above fix: if suexec is enabled, avoid destroying r->url
while obtaining the /~user and save the username in a separate data
area so that it won't be overwritten by the call to getgrgid(), and
fix some misuse of the pool string allocation functions. Also fixes
a general problem with parsing URL query info into args for CGI scripts.
[Roy Fielding] PR#339, 367, 354, 453
*) Fix IRIX warning about bzero undefined. [Marc Slemko]
*) Fix problem with <Directory proxy:...>. [Martin Kraemer] PR#271
*) Corrected spelling of "authoritative". AuthDBAuthoratative became
AuthDBAuthoritative. [Marc Slemko] PR#420
*) MaxClients should be at least 1. [Lars Eilebrecht] PR#375
*) The default handler now logs invalid methods or URIs (i.e. PUT on an
object that can't be PUT, or FOOBAR for some method FOOBAR that
apache doesn't know about at all). Log 404s that occur in mod_include.
[Paul Sutton, John Van Essen]
*) If a soft timeout (or lingerout) occurs while trying to flush a
buffer or write inside buff.c or fread'ing from a CGI's output,
then the timeout would be ignored. [Roy Fielding] PR#373
*) Work around a bug in Netscape Navigator versions 2.x, 3.x and 4.0b2's
parsing of headers. If the terminating empty-line CRLF occurs starting
at the 256th or 257th byte of output, then Navigator will think a normal
image is invalid. We are guessing that this is because their initial
read of a new request uses a 256 byte buffer. We check the bytes written
so far and, if we are about to tickle the bug, we instead insert a
padding header of eminent bogosity. [Roy Fielding and Dean Gaudet] PR#232
*) Fixed SIGSEGV problem when a DirectoryIndex file is also the source
of an external redirection. [Roy Fielding and Paul Sutton]
*) Configure would create a broken Makefile if the configuration file
contained a commented-out Rule. [Roy Fielding]
*) Promote per_dir_config and subprocess_env from the subrequest to the
main request in mod_negotiation. In particular this fixes a bug
where <Files> sections wouldn't properly apply to negotiated content.
[Dean Gaudet]
*) Fix a potential deadlock in mod_cgi script_err handling.
[Ralf S. Engelschall]
*) rotatelogs zero-pads the logfile names to improve alphabetic sorting.
[Mitchell Blank Jr]
*) Updated mod_rewrite to 3.0.4: Fixes HTTP redirects from within
.htaccess files because the RewriteBase was not replaced correctly.
Updated mod_rewrite to 3.0.5: Fixes problem with rewriting inside
<Directory> sections missing a trailing /. [Ralf S. Engelschall]
*) Clean up Linux settings in conf.h by detecting 2.x versus 1.x. For
1.x the settings are those of pre-1.2b8. For 2.x we include
USE_SHMGET_SCOREBOARD (scoreboard in shared memory rather than file) and
HAVE_SYS_RESOURCE_H (enable the RLimit commands).
[Dean Gaudet] PR#336, PR#340
*) Redirect did not preserve ?query_strings when present in the client's
request. [Dean Gaudet]
*) Configure was finding non-modules on EXTRA_LIBS. [Frank Cringle] PR#380
*) Use /bin/sh5 on ULTRIX. [P. Alejandro Lopez-Valencia] PR#369
*) Add UnixWare compile/install instructions. [Chuck Murcko]
*) Add mod_example (illustration of API techniques). [Ken Coar]
*) Add macro for memmove to conf.h for SUNOS4. [Marc Slemko]
*) Improve handling of directories when filenames have spaces in them.
[Chuck Murcko]
*) For hosts with multiple IP addresses, try all additional addresses if
necessary to get a connect. Fail only if hostent address list is
exhausted. [Chuck Murcko]
*) More signed/unsigned port fixes. [Dean Gaudet]
*) HARD_SERVER_LIMIT can be defined in the Configuration file now.
[Dean Gaudet]
Changes with Apache 1.2b8
*) suexec.c doesn't close the log file, allowing CGIs to continue writing
to it. [Marc Slemko]
*) The addition of <Location> and <File> directives made the
sub_req_lookup_simple() function bogus, so we now handle
the special cases directly. [Dean Gaudet]
*) We now try to log where the server is dumping core when a fatal
signal is received. [Ken Coar]
*) Improved lingering_close by adding a special timeout, removing the
spurious log messages, removing the nonblocking settings (they
are not needed with the better timeout), and adding commentary
about the NO_LINGCLOSE and USE_SO_LINGER issues. NO_LINGCLOSE is
now the default for SunOS4, UnixWare, NeXT, and IRIX. [Roy Fielding]
*) Send error messages about setsockopt failures to the server error
log instead of stderr. [Roy Fielding]
*) Fix loopholes in proxy cache expiry vis a vis alarms. [Brian Moore]
*) Stopgap solution for CGI 3-second delay with server-side includes: if
processing a subrequest, allocate memory from r->main->pool instead
of r->pool so that we can avoid waiting for free_proc_chain to cleanup