Skip to content
CHANGES 632 KiB
Newer Older
Justin Erenkrantz's avatar
Justin Erenkrantz committed
Changes with Apache 2.1.4

  [Remove entries to the current 2.0 section below, when backported]
Joe Orton's avatar
Joe Orton committed

Justin Erenkrantz's avatar
Justin Erenkrantz committed
Changes with Apache 2.1.3

  *) core_input_filter: Move buckets to a persistent brigade instead of
     creating a new brigade when apr_brigade_split is called. This stops
     a memory leak when proxying a Streaming Media Server. PR 33382.
     [Paul Querna]

  *) mod_ssl: Add ssl_ext_lookup optional function for accessing
     certificate extensions.   [David Reid, Joe Orton]

Joe Orton's avatar
Joe Orton committed
  *) Add support for use of an external PCRE library; pass the
     --with-pcre flag to configure.  PR 27550.  [Joe Orton,
     Andres Salomon <dilinger voxel.net>]

  *) Renamed regex interfaces to be namespace-safe, and moved from
     pcreposix.h header to ap_regex.h: regex_t->ap_regex_t,
     regmatch_t->ap_regmatch_t; REG_*->AP_REG_*; functions
     reg*->ap_reg*.  PR 27550.  [Andres Salomon <dilinger voxel.net>,
     Joe Orton]

  *) Only recompile buildmark.c when we have to relink httpd.
     [Justin Erenkrantz]

  *) Remove formatting characters from ap_log_error() calls.  These
     were escaped as fallout from CAN-2003-0020.
     [Eric Covener <ecovener gmail.com>]

  *) mod_cache: Fix up handling of revalidated responses.
  *) mod_disk_cache: Properly load cached ETag from on-disk structures.
     [Justin Erenkrantz]

  *) mod_authnz_ldap: Added an optional second parameter to AuthLDAPURL
     to allow it to override the connection type set in mod_ldap. This
     parameter can be set to NONE, SSL or TLS | STARTTLS.
     [Brad Nicholes]

  *) Fix --with-apr=/usr and/or --with-apr-util=/usr.  PR 29740.
     [Max Bowsher <maxb ukf.net>]

  *) mod_proxy: Fix ProxyRemoteMatch directive.  PR 33170.
     [Rici Lake <rici ricilake.net>]

  *) proxy HTTP: Rework the handling of request bodies to handle
     chunked input and input filters which modify content length, and
     avoid spooling arbitrary-sized request bodies in memory.
     PR 15859.  [Jeff Trawick]

  *) mod_proxy: Fix incorrect decoding/unescaping for reverse proxies.
     PR 32459, 15207. [Jim Jagielski]

  *) mod_cache: Add CacheStorePrivate and CacheStoreNoStore directive.
     [Justin Erenkrantz]

  *) mod_ldap: Added the directive LDAPConnectionTimeout to configure
     the ldap socket connection timeout value.  
     [Brad Nicholes]

  *) Add --enable-pie flag to configure, to build httpd as a Position
     Independent Executable where supported (GCC/binutils).
     [Joe Orton]

  *) proxy_balancer: Add in load-balancing via weighted traffic
     byte count. [Jim Jagielski]

  *) mod_disk_cache: Cache r->err_headers_out headers.  This allows CGI
     scripts to be properly cached.  [Justin Erenkrantz, Sander Striker]

  *) mod_ldap: Updated to use the new apr-util v1.1 apr_ldap_*_option()
     API for the setting of server and client SSL certificates. Replaced
     LDAPTrustedCA directive with LDAPTrustedGlobalCert and
     LDAPTrustedClientCert directives to correctly support global certs
     (CA certs / Netware client certs) and per connection client certs
     as supported by Netware, OpenLDAP and Netscape/Mozilla.
     [Graham Leggett]

  *) mod_cache: Remove unimplemented CacheForceCompletion directive.
     [Justin Erenkrantz]

  *) support/check_forensic: Fix temp file usage
     [Javier Fernandez-Sanguino Pen~a <jfs computer.org>]

  *) mod_ssl: Add SSLCADNRequestFile and SSLCADNRequestPath directives
     which can be used to configure a specific list of CA names to send
     in a client certificate request.  PR 32848. 
     [Tim Taylor <tim.taylor dfas.mil>]

  *) --with-module can now take more than one module to be statically
     linked: --with-module=<modtype>:<modfile>,<modtype>:<modfile>,...
     If the <modtype>-subdirectory doesn't exist it will be created and
     populated with a standard Makefile.in.  [Erik Abele]

  *) Remove some compiler warnings within the LDAP modules [Graham Leggett]

  *) Add a build script to create a solaris package. [Graham Leggett]

William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
  *) ap_http_scheme() replaced with ap_http_method() - this function
     returns the scheme (http v.s. https).
     [William Rowe]

  *) mod_proxy: Fix a request corruption problem and a buffering problem
     which sometimes prevented proxy-sendchunks from working.
     [Jeff Trawick]

  *) Fix the RPM spec file so that an RPM build now works. An RPM
     build now requires system installations of APR and APR-util.
     [Graham Leggett]

  *) Significantly simplify the load balancer scheduling algorithm
     for the proxy BalancerMember weighting. loadfactors (lbfactors)
     are now normalized with respect to each other. [Jim Jagielski]

  *) mod_dumpio: Added to the available module suite; it is an
     I/O logging/dumping module. Placed in the (new) debug module
     subdirectory. mod_bucketeer moved to that directory as well.
     [Jim Jagielski]
  *) core: Add support for APR_TCP_DEFER_ACCEPT to defer accepting
     of a connection until data is available.
     [Paul Querna]

Justin Erenkrantz's avatar
Justin Erenkrantz committed
Changes with Apache 2.1.2

  *) mod_proxy: Respect errors reported by pre_connection hooks.
     [Jeff Trawick]

  *) worker MPM: Fix a problem which could cause httpd processes to
     remain active after shutdown.  [Jeff Trawick]

  *) core: Error out on sections that are missing an argument instead of
     silently consuming the section. PR 25460.
     [Geoffrey Young, Paul Querna]

  *) mod_cache/mod_mem_cache/mod_disk_cache: Move out of experimental.

  *) Upgraded PCRE to version 5.0. [Brian Pane]
  *) mod_cgid: Catch configuration problem where two web server instances
     share same ServerRoot but admin forgot to use ScriptSock.
     [Jeff Trawick]

  *) mod_cgi: Ensure that all stderr is logged for a script which returns
     a Location header to generate a non-local redirect.  PR 20111.
     [Joe Orton]

  *) Added the Event MPM to more efficiently handle clients during a 
     Keep Alive request.
     [Paul Querna, Greg Ames]

Justin Erenkrantz's avatar
Justin Erenkrantz committed
Changes with Apache 2.1.1

  *) mod_proxy_http: Stream content better - always flush buffered data to
     the client before blocking waiting for new data.  PR 19954.
     [Joe Orton]

  *) mod_ssl: Add support for command-line option "-t -DDUMP_CERTS" which
     will dump the filenames of all configured SSL certificates to stdout.
     [Joe Orton]

  *) mod_disk_cache: Remove a bunch of non-implemented garbage collection
     and cache size directives that are now available through htcacheclean.
     [Justin Erenkrantz]

  *) Add htcacheclean to support/ for assistance with mod_disk_cache.
     [Andreas Steinmetz]

  *) mod_authnz_ldap: Added the directive "Requires ldap-filter" that
     allows the module to authorize a user based on a complex LDAP
  *) mod_usertrack: Run the fixups hook before other modules.
  *) Allow mod_authnz_ldap authorization functionality to be used 
     without requiring the user to also be authenticated through 
     mod_authnz_ldap. This allows other authentication modules to 
     take advantage of LDAP authorization only [PR 28253]
     [Jari Ahonen jah progress.com, Brad Nicholes]
     
  *) Log the client IP address when an error occurs disabling nagle on a
     connection, but log at a severity of debug since this error 
     generally means that the connection was dropped before data was
     sent.  Log the client IP address when reporting errors in the core
     output filter.  [Jeff Trawick]

  *) Add ap_log_cerror() for logging messages associated with particular
     client connections.  [Jeff Trawick]

  *) core: Add a warning message if the request line read fails.
     [Paul Querna]

  *) mod_cache: Add CacheIgnoreHeaders directive.  PR 30399.
     [Rüiger Plü <r.pluem t-online.de>]

  *) mod_rewrite: Removed the MaxRedirects option in favor of the
     core LimitInternalRecursion directive.  [André Malo]

  *) Unix MPMs: Shut down the server more quickly when child processes are
     slow to exit.  [Joe Orton, Jeff Trawick]

  *) mod_info: Added listing of the Request Hooks and added more build 
     information like 'httpd -V' contains. Changed output to XHTML. 
     [Paul Querna]

  *) mod_info: Rewrote config tree walk using a recursive function.
     Added ?config option. Added printout of config filename and line numbers.
     [Rici Lake <rici ricilake.net>, Paul Querna]

  *) mod_proxy: Fix type error that prevents proxy-sendchunks from working.
     [Justin Erenkrantz]

  *) mod_proxy: Fix data corruption by properly setting aside buckets.
     [Justin Erenkrantz]

  *) mod_proxy: If a request has a blank body and has a 0 Content-Length
     headers, pass that to the proxy.  [Justin Erenkrantz]

Andre Malo's avatar
Andre Malo committed
  *) Recognize QSA flag in mod_rewrite again.
     [Jan Kratochvil <rcpt-dev.AT.httpd.apache.org jankratochvil.net>]

  *) Restructured mod_auth_ldap to fit the new authentication model.
     The module is now called authnz_ldap and has been moved out of
     the modules/experimental area and into modules/aaa with the other
     auth modules.  Both the authn_ldap provider and the authz_ldap
     handler are contained within the authnz_ldap module.  The 
     authz_ldap handler introduces 3 new "requires" values for handling
     authorization.  These handlers are ldap-user, ldap-group and 
     ldap-dn. [Brad Nicholes]

  *) Fix some compiler warnings in proxy
     [Geoffrey Young <geoff@modperlcookbook.org>]

  *) mod_ssl: Add SSL_CLIENT_V_REMAIN variable, representing the
     number of days until the client cert expires.  [Joe Orton]

  *) Add test_config hook, run only if httpd is invoked using -t.
     [Joe Orton]

  *) Improve error handling for corrupted pid files.  [Jeff Trawick]

  *) mod_proxy.c and proxy_util.c: Enable compiling on 2.0-HEAD 
     (for backwards compatibility):
     Avoids mod_ssl.h (not included in 2.0-HEAD) and
     use apr_socket_create_ex for 0.9.x 
     [Mladen Turk]

  *) Added proxy_ajp.c module for proxy support to ajp:// backends.
     [Jean Frederic Clere]

  *) Fixes the build of proxy on Windows. Since the proxy_module is declared
     as extern using AP_MODULE_DECLARE_DATA that expands to dllexport, there
     is a LNK2001 error when building proxy_http. [Mladen Turk]

  *) Remove LDAP toolkit specific code from util_ldap and mod_auth_ldap.
     [Graham Leggett]

  *) Remove deprecated/removed APR_STATUS_IS_SUCCESS().  [Justin Erenkrantz]

  *) perchild MPM: Fix thread safety problem in the use of longjmp().
     [Tsuyoshi SASAMOTO <nazonazo super.win.ne.jp>]

  *) Add load balancer support to the scoreboard in preparation for
     load balancing support in mod_proxy. [Mladen Turk]

  *) mod_nw_ssl: Added the directive NWSSLUpgradeable to mod_nw_ssl to 
     allow a non-secure connection to be upgraded to secure connections
     [Brad Nicholes]
     
  *) core: Add Options= syntax to AllowOverride to specify which options
     may be overridden in .htaccess files. PR 29310.
     [Tom Alsberg <alsbergt cs.huji.ac.il>, Paul Querna]

  *) ab: Handle long URLs with an error instead of an buffer overflow.
     PR 28204. [Erik Weide <erik.weidel mplus-technologies.de>, Paul Querna]

Paul Querna's avatar
Paul Querna committed
  *) mod_so, core: Add new command line options to print all loaded
     modules. '-t -D DUMP_MODULES' and '-M' will show all static 
     and shared modules as loaded from the configuration file.
     [Paul Querna]

  *) mod_autoindex: Add ShowForbidden to IndexOptions to list files
     that are not shown because the subrequest returned 401 or 403. 
     PR 10575.  [Paul Querna]

Nick Kew's avatar
 
Nick Kew committed
  *) mod_headers: implement "Early" processing option in post_read_request
     to enable Header and RequestHeader directives to be used to set up
     testcases for pre-fixups request phases [Nick Kew]

Nick Kew's avatar
 
Nick Kew committed
  *) mod_proxy: multiple bugfixes, principally support cookies in
     ProxyPassReverse, and don't canonicalise URL passed to backend.
     Documentation correspondingly updated. [Nick Kew <nick webthing.com>]

  *) mod_deflate: support gzip flags in inflate_out_filter
     [Nick Kew <nick webthing.com>]

  *) Drop the ErrorHeader directive which turned out to be a misnomer.
     Instead there's a new optional flag for the Header directive
     ('always'), which keeps the former ErrorHeader functionality.
     [André Malo]

  *) mod_deflate: Don't deflate responses with zero length 
     e.g. proxied 304's [Allan Edwards]

Andre Malo's avatar
Andre Malo committed
  *) <IfModule> now recognizes the module identifier in addition to the
     file name. PR 29003.  [Edward Rudd <eddie omegaware.com>, André Malo]

  *) mod_ssl: Add "SSLHonorCipherOrder" directive to enable the
     OpenSSL 0.9.7 flag which uses the server's cipher order rather
     than the client's.  PR 28665.
     [Jim Schneider <jschneid netilla.com>]
  *) mod_ssl: Drop support for the CompatEnvVars argument to
     SSLOptions, which was never actually implemented in 2.0.
     [Joe Orton]

  *) Fix bug in mod_deflate that unconditionally sent deflate'd output
     even when Accept-Encoding is not present.  [Justin Erenkrantz]

  *) Pass environment variables through to piped loggers and start
     them via the shell, resolving regressions since 1.3.  PR 28815
     [Ken Coar, Jeff Trawick]
  *) External rewrite map responses are no longer limited to 2048
     bytes.  [André Malo]

Jim Jagielski's avatar
Jim Jagielski committed
  *) Proxy server was deleting cookies that Apache had already
     assigned if the origin server had set any cookies. PR 27023.
     [Jim Jagielski]

  *) Removed old and unmaintained ap_add_named_module API and changed
     the following APIs to return an error instead of hard exiting:
     ap_add_module, ap_add_loaded_module, ap_setup_prelinked_modules,
     and ap_process_resource_config.  [André Malo]
  *) mod_headers: Allow %% in header values to represent a literal %.
     [André Malo]

  *) mod_headers: Allow env clauses also for 'echo' and 'unset' actions.
     [André Malo]

Andre Malo's avatar
Andre Malo committed
  *) mod_headers: Allow 'echo' also for ErrorHeaders.  [André Malo]

Ian Holsman's avatar
Ian Holsman committed
  *) mod_deflate: New option for DEFLATE output file (force-gzip),
     new output filter 'INFLATE' for uncompressing responses.
     [Nick Kew <Nick at WebThing dot com>, Ian Holsman]

  *) Added new module mod_version, which provides version dependent
     configuration containers.  [André Malo]

  *) mod_log_config now logs all Set-Cookie headers if the %{Set-Cookie}o
     format is used.  PR 27787.  [André Malo]

  *) Allow Digest providers to return AUTH_DENIED to propagate a 401
     status and terminate the provider chain prior to checking the password.
     [Geoffrey Young]

  *) mod_cgid: Don't allow Scriptsock to be specified inside VirtualHost;
     Don't place script socket inside default server root instead of
     actual server root.  PR 27886.  [Jeff Trawick]

  *) mod_proxy: Fix handling of non-200 success status codes when
     "ProxyErrorOverride On" is configured.  PR 20183.
     [Marcus Janson <marcus.janson tre.se>, Joe Orton]

  *) Threaded MPMs for Unix and Win32: Add support for ThreadStackSize 
     directive (previously NetWare-only) to override default thread 
     stack size for threads which handle client connections.  Required 
     for some third-party modules on platforms with small default 
     thread stack size.  [Jeff Trawick]
  *) minor mod_auth_basic and mod_auth_digest sync.  mod_auth_basic
     now populates r->user with the (possibly unauthenticated) user,
     and mod_auth_digest returns 500 when a provider returns
     AUTH_GENERAL_ERROR.
     [Geoffrey Young]

  *) The whole codebase was relicensed and is now available under
     the Apache License, Version 2.0 (http://www.apache.org/licenses).
     [Apache Software Foundation]

  *) Delete some make-generated files in the server directory during 
     "make clean" processing.  PR 26552.  [Jeff Trawick]

  *) Add core version query function (ap_get_server_revision) and
     accompanying ap_version_t structure (minor MMN bump).
     [André Malo]

  *) mod_rewrite: EOLs sent by external rewritemaps are now consumed
     as whole. That way, on systems with more than one EOL character
     rewritemap programs no longer need to switch stdout to binary
     mode. PR 25635.  [André Malo]

  *) mod_rewrite: Introduce the ability to force a content handler via
     the [handler=...] flag.  [André Malo]

  *) mod_rewrite: Introduce the RewriteCond -x check, which returns
     true if the pattern is a file with execution permissions.
     [André Malo]

  *) mod_rewrite: Allow proxying and RewriteRules in directory context
     for subrequests.  PR 14648, 15114.  [André Malo]

  *) mod_rewrite: Allow setting of any valid HTTP response code.
     PR 25917.  [André Malo]

  *) mod_rewrite: Cookie creation now works locale independent.
     [André Malo]

  *) mod_ssl: Add support for distributed session cache using 'distcache'.
     [Geoff Thorpe <geoff geoffthorpe.net>]

  *) mod_dav: Disallow requests with an unescaped hash character in
Joe Orton's avatar
Joe Orton committed
     the Request-URI.  PR 21779.  [Amit Athavale <amit_athavale lycos.com>]
Andre Malo's avatar
Andre Malo committed
  *) mod_proxy with ProxyErrorOverride On in a reverse-proxy configuration
     attaches a body to the 302 response and a wrong Content-Length header.
     PR: 22951 [Ermanno Scaglione scaglione ..at.. starnetone.de]

  *) Bring ErrorHeader concept forward from 1.3, so that response
     header fields can be set for return even on errors or external
     redirects.  [Ken Coar]

  *) Fix <Limit> and <LimitExcept> parsing to require a closing '>' 
     in the initial container.  PR 25414. 
     [Geoffrey Young <geoff apache.org>]

  *) Clean up httpd -V output: Instead of displaying the MPM source
     directory, display the MPM name and some MPM properties.
     [Geoffrey Young <geoff apache.org>]

  *) mod_ssl/mod_status: Re-enable support for output of SSL session
     cache information in server-status page.  [Joe Orton]

  *) mod_ssl: Remove the shmht session cache, shmcb should be used
     instead.  [Joe Orton]

  *) mod_logio: Account for some bytes handed to the network layer prior to
     dropped connections.  [Jeff Trawick]

  *) mod_autoindex: new directive IndexStyleSheet 
    [Tyler Riddle <triddle_1999 yahoo.com>, Paul Querna <chip force-elite.com>]

  *) Fix uninitialized gprof directory name in prefork MPM.  PR 24450.
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     [Chris Knight <Christopher.D.Knight nasa.gov>]
  *) Log an error when requests for URIs which fail to map to a valid 
     filesystem name are rejected with 403.  [Jeff Trawick]

  *) Switch to APR 1.0 API.

  *) Major overhaul of mod_include's filter parser. The new parser code
     is expected to be more robust and should catch all of the edge cases
Andre Malo's avatar
Andre Malo committed
     that were not handled by the previous one. This includes a binary
     incompatible change of mod_include's external API.  [André Malo]
  *) mod_rewrite: Allow forced mimetypes [T=...] to get expanded.
     PR 14223.  [André Malo]

  *) mod_rewrite: Fix LA-U and LA-F lookups in directory context. Previously
     the current rewrite state was just used as lookup path, which lead to
     strange and often useless results. Related to PR 8493.  [André Malo]

  *) Change Listen directive to bind to all addresses when a hostname is
     not specified.  [Justin Erenkrantz]

  *) Correct failure with Listen directives on machines with IPv6 enabled.
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     [Colm MacCárthaigh <colm stdlib.net>, Justin Erenkrantz]
Cliff Woolley's avatar
 
Cliff Woolley committed
  *) Fix a link failure in mod_ssl when the OpenSSL libraries contain
     the ENGINE functions but the engine header files are missing.
     [Cliff Woolley]

  *) mod_rewrite: RewriteRules in server context using the force
     type feature [T=...] no longer disable MultiViews.  [André Malo]

  *) mod_rewrite: Allow piped rewrite logs to be relative to ServerRoot.
     [André Malo]

  *) mod_authz_groupfile: Strip trailing spaces of group names. This
     hopefully saves some hours of searching for typos. PR 12863.
     [André Malo]

  *) mod_actions: Propagate the handler name to the action script via
     the REDIRECT_HANDLER environment variable.  [André Malo]

  *) mod_actions: Introduce the "virtual" modifier to the Action directive,
     which allows the use of handlers for virtual locations. PR 8431.
     [André Malo]

  *) mod_speling: Recognize AcceptPathInfo setting for the particular
     location. Default is to reject path information. PR 21059.
     [André Malo]

  *) mod_ext_filter: Add the ability to filter request bodies.
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     [Philipp Reisner <philipp.reisner linbit.com>]
  *) Fix some broken log messages in WinNT MPM.  
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     [Juan Rivera <Juan.Rivera citrix.com>]
  *) prefork MPM: Use the right permissions for the directory created 
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     for gprof support.  [Jim Carlson <jcarlson jnous.com>]
  *) Fix a compile failure with recent OpenSSL and picky compilers
     (e.g., OpenSSL 0.9.7a and xlc_r on AIX).  [Jeff Trawick]

  *) OpenSSL headers should be included as "openssl/ssl.h", and not rely on
     the INCLUDE path to be defined properly.
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     PR 11310. [Geoff Thorpe <geoff geoffthorpe.net>]
  *) Modify APACHE_CHECK_SSL_TOOLKIT to detect SSL-C. [Madhusudan Mathihalli]
  *) Replace the APACHE_CHECK_SSL_TOOLKIT method with a cleaner one, using
     autoconf tools (AC_CHECK_HEADER, AC_CHECK_LIB etc). 
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     [Geoff Thorpe <geoff geoffthorpe.net>]
  *) change directive name from 'compressionlevel' to 'deflatecompressionlevel'
  *) mod_negotiation: quality values are now parsed independent from
     the current locale. level values are now really parsed as integers.
     PR 17564.  [André Malo]

  *) Extend mod_negotiation to evaluate the environment variables
     no-gzip and gzip-only-text/html the same way as mod_deflate does.
     [André Malo]

  *) mod_rewrite: Fix some problems reporting errors with mapping
     programs (RewriteMap prg:/something).  [Jeff Trawick]

  *) Return 413 if chunk-ext-header is too long rather than reading from
     the truncated line.  PR 15857.  [Justin Erenkrantz]

  *) Allow restart of httpd to occur even with syntax errors in the config
     file.  PR 16813.  [Justin Erenkrantz]

  *) Use APR_LAYOUT instead of APACHE_LAYOUT in configure.  PR 15679.
     [Justin Erenkrantz]

  *) Remove files on 'make distclean' that should be.  PR 15592.
     [Justin Erenkrantz]

  *) Allow apachectl to perform status with links and elinks as well.
     [Justin Erenkrantz]

  *) mod_log_config change optional hook to return previous handler
     [Ian Holsman]

  *) Forward port of mod_actions' ability to handle arbitrary methods
     with the Script directive.  [André Malo]

  *) Let suexec send a message to stderr, if it failed or its policy
     was violated. This message appears in the error log and allows
Andre Malo's avatar
Andre Malo committed
     for easier debugging. PR 5381, 7638, 8255, 10773.  [André Malo]
  *) Modify buildconf to copy all required files into httpd's tree.
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     [Thom May <thom planetarytramp.net>]
  *) Allow mod_dav to do weak entity comparison functions.
     [Justin Erenkrantz]

Andre Malo's avatar
Andre Malo committed
  *) Move RFC 1413 ident requests from core to new module mod_ident.
     [André Malo]

Andre Malo's avatar
Andre Malo committed
  *) Add mod_authz_owner - a forward port of "Require file-owner"
     and "Require file-group", which was already present in version
     1.3.21.  [André Malo]

  *) Add mod_dav_lock - a generic subset of the DAV locking implementation.
     [Justin Erenkrantz]

  *) Replace some of the mutex locking in the worker MPM with
     atomic operations for higher concurrency.  [Brian Pane]

  *) Allow 'make depend' to work with non-GCC compilers.
     [Justin Erenkrantz]

  *) If an httpd.conf has commented out AddModule directives, 
     apxs -i -a will add an un-commented AddModule directive for 
     the new module, which breaks the config.
     PR: 11212 [Joe Orton]
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed

  *) Fix mod_proxy handling of filtered input bodies.  [Justin Erenkrantz]

  *) Move the check of the Expect request header field after the hook
     for ap_post_read_request, since that is the only opportunity for
     modules to handle Expect extensions.  [Justin Erenkrantz]

William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
  *) Rewrite of aaa modules to an authn/authz model.
     [Dirk-Willem van Gulik, Justin Erenkrantz]

William A. Rowe Jr's avatar
 
William A. Rowe Jr committed

  [Apache 2.1.0-dev includes those bug fixes and changes with the
   Apache 2.0.xx tree as documented, and except as noted, below.]

William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
Changes with Apache 2.0.54

  *) mod_win32: Ignore both PATH_INFO as well as PATH_TRANSLATED to avoid 
     hiccups from additional path information passed in non-utf-8 format.
     [Richard Donkin <rd9 donkin.org]

Bill Stoddard's avatar
Bill Stoddard committed
Changes with Apache 2.0.53

  *) mod_auth_ldap: Handle the inconsistent way in which the MS LDAP
     library handles special characters. PR 24437 [Jess Holle]

  *) Win32 MPM: Correct typo in debugging output.  [William Rowe]

  *) conf: Remove AddDefaultCharset from the default configuration because
     setting a site-wide default does more harm than good. PR 23421.
     [Roy Fielding]

  *) Add charset to example CGI scripts.  [Roy Fielding]
 
  *) mod_ssl: fail quickly if SSL connection is aborted rather than
     making many doomed ap_pass_brigade calls.  PR 32699.  [Joe Orton]
 
  *) Remove compiled-in upper limit on LimitRequestFieldSize.
     [Bill Stoddard]

  *) Start keeping track of time-taken-to-process-request again for
     mod_status if ExtendedStatus is enabled. [Jim Jagielski]

  *) mod_proxy: Handle client-aborted connections correctly.  PR 32443.
     [Janne Hietamäki, Joe Orton]

Joe Orton's avatar
Joe Orton committed
  *) Fix handling of files >2Gb on all platforms (or builds) where
     apr_off_t is larger than apr_size_t.  PR 28898.  [Joe Orton]

  *) mod_include: Fix bug which could truncate variable expansions
     of N*64 characters by one byte.  PR 32985.  [Joe Orton]

  *) Correct handling of certain bucket types in ap_save_brigade, fixing
     possible segfaults in mod_cgi with #include virtual.  PR 31247.
     [Joe Orton]

Erik Abele's avatar
Erik Abele committed
  *) Allow for the use of --with-module=foo:bar where the ./modules/foo
     directory is local only. Assumes, of course, that the required
     files are in ./modules/foo, but makes it easier to statically
     build/log "external" modules.  [Jim Jagielski]

  *) Util_ldap: Implemented the util_ldap_cache_getuserdn() API so that 
     ldap authorization only modules have access to the util_ldap 
     user cache without having to require ldap authentication as well.  
     [PR 31898] [Jari Ahonen jah progress.com, Brad Nicholes]

  *) mod_auth_ldap: Added the directive "Requires ldap-attribute" that
     allows the module to only authorize a user if the attribute value
     specified matches the value of the user object. PR 31913
     [Ryan Morgan <rmorgan pobox.com>]

Joe Orton's avatar
Joe Orton committed
  *) SECURITY: CAN-2004-0942 (cve.mitre.org)
     Fix for memory consumption DoS in handling of MIME folded request
     headers.  [Joe Orton]

  *) SECURITY: CAN-2004-0885 (cve.mitre.org)
     mod_ssl: Fix a bug which allowed an SSLCipherSuite setting to be
     bypassed during an SSL renegotiation.  PR 31505.  
     [Hartmut Keil <Hartmut.Keil adnovum.ch>, Joe Orton]

  *) mod_ssl: Fail at startup rather than segfault at runtime if a
     client cert is configured with an encrypted private key.
     PR 24030.  [Joe Orton]

Graham Leggett's avatar
Graham Leggett committed
  *) apxs: fix handling of -Wc/-Wl and "-o mod_foo.so". PR 31448
     [Joe Orton]
                                                                                
Graham Leggett's avatar
Graham Leggett committed
  *) mod_ldap: Fix format strings to use %APR_PID_T_FMT instead of %d.
     [Jeff Trawick]

Graham Leggett's avatar
Graham Leggett committed
  *) mod_cache: CacheDisable will only disable the URLs it was meant to 
     disable, not all caching. PR 31128.
     [Edward Rudd <eddie omegaware.com>, Paul Querna]

Graham Leggett's avatar
Graham Leggett committed
  *) mod_cache: Try to correctly follow RFC 2616 13.3 on validating stale
     cache responses.  [Justin Erenkrantz]

  *) mod_rewrite: Handle per-location rules when r->filename is unset.
     Previously this would segfault or simply not match as expected,
     depending on the platform.  [Jeff Trawick]

  *) mod_rewrite: Fix query string handling for proxied URLs. PR 14518.
     [michael teitler <michael.teitler cetelem.fr>,
      Jan Kratochvil <rcpt-dev.AT.httpd.apache.org jankratochvil.net>]

  *) mod_rewrite: Fix 0 bytes write into random memory position.
     PR 31036. [André Malo]

  *) mod_disk_cache: Do not store aborted content.  PR 21492.
     [Rüiger Plü <r.pluem t-online.de>]

  *) mod_disk_cache: Correctly store cached content type.  PR 30278.
     [Rüiger Plü <r.pluem t-online.de>]

  *) mod_ldap: prevent the possiblity of an infinite loop in the LDAP
     statistics display. PR 29216 [Graham Leggett]

  *) mod_ldap: fix a bogus error message to tell the user which file
     is causing a potential problem with the LDAP shared memory cache.
     PR 31431 [Graham Leggett]

  *) mod_disk_cache: Do not store hop-by-hop headers.  [Justin Erenkrantz]

Bradley Nicholes's avatar
Bradley Nicholes committed
  *) Fix the re-linking issue when purging elements from the LDAP cache
     PR 24801 [Jess Holle <jessh ptc.com>]
      
Bill Stoddard's avatar
Bill Stoddard committed
  *) mod_disk_cache: Fix races in saving responses.  [Justin Erenkrantz]

  *) Fix Expires handling in mod_cache.  [Justin Erenkrantz]

  *) Alter mod_expires to run at a different filter priority to allow
     proper Expires storage by mod_cache.  [Justin Erenkrantz]

Bill Stoddard's avatar
Bill Stoddard committed
Changes with Apache 2.0.52

  *) Use HTML 2.0 <hr> for error pages. PR 30732 [André Malo]

  *) Fix the global mutex crash when the global mutex is never allocated
     due to disabled/empty caches. [Jess Holle <jessh ptc.com>]

  *) Fix a segfault in the LDAP cache when it is configured switched
     off. [Jess Holle <jessh ptc.com>]
Graham Leggett's avatar
Graham Leggett committed

  *) SECURITY: CAN-2004-0811 (cve.mitre.org)
     Fix merging of the Satisfy directive, which was applied to
     the surrounding context and could allow access despite configured
     authentication.  PR 31315.  [Rici Lake <rici ricilake.net>]

  *) Fix the handling of URIs containing %2F when AllowEncodedSlashes
     is enabled.  Previously, such urls would still be rejected.
     [Jeff Trawick, Bill Stoddard]

Bill Stoddard's avatar
Bill Stoddard committed
  *) mod_mem_cache: Fixed race condition causing segfault because of memory being
     freed twice, or reused after being freed.
     [J. Clar, W. Stoddard, G. Ames]

Jeff Trawick's avatar
Jeff Trawick committed
  *) Add -l option to rotatelogs to let it use local time rather than
     UTC.  PR 24417.  [Ken Coar, Uli Zappe <uli ritual.org>]

Jeff Trawick's avatar
Jeff Trawick committed
  *) mod_log_config: Fix a bug which prevented request completion time
     from being logged for I_INSIST_ON_EXTRA_CYCLES_FOR_CLF_COMPLIANCE
     processing.  PR 29696.  [Alois Treindl <alois astro.ch>]

Changes with Apache 2.0.51

  *) SECURITY: CAN-2004-0786 (cve.mitre.org)
     Fix an input validation issue in apr-util which could be
     triggered by malformed IPv6 literal addresses.  [Joe Orton]

  *) SECURITY: CAN-2004-0747 (cve.mitre.org)
     Fix buffer overflow in expansion of environment variables in
     configuration file parsing.  [André Malo]

  *) SECURITY: CAN-2004-0809 (cve.mitre.org)
     mod_dav_fs: Fix a segfault in the handling of an indirect lock
     refresh.  PR 31183.  [Joe Orton]

Andre Malo's avatar
Andre Malo committed
  *) mod_include no longer checks for recursion, because that's done
Cliff Woolley's avatar
Cliff Woolley committed
     in the core. This allows for careful usage of recursive SSI.
Andre Malo's avatar
Andre Malo committed
     [André Malo]

  *) Fix memory leak in the cache handling of mod_rewrite. PR 27862.
     [chunyan sheng <shengperson yahoo.com>, André Malo]

  *) Include directives no longer refuse to process symlinks on
     directories. Instead there's now a maximum nesting level
     of included directories (128 as distributed). This is configurable
     at compile time using the -DAP_MAX_INCLUDE_DIR_DEPTH switch.
     PR 28492.  [André Malo]

Bill Stoddard's avatar
Bill Stoddard committed
  *) Win32: apache -k start|restart|install|config can leave stranded
     piped logger processes (eg, rotatelogs.exe) due to improper
     server shutdown on these code paths.
     [Bill Stoddard]

Joe Orton's avatar
Joe Orton committed
  *) SECURITY: CAN-2004-0751 (cve.mitre.org)
     mod_ssl: Fix a segfault in the SSL input filter which could be
     triggered if using "speculative" mode, for instance by a 
     proxy request to an SSL server.  PR 30134.  [Joe Orton]

  *) mod_rewrite: Add %{SSL:...} and %{HTTPS} variable lookups.
     PR 30464.  [Joe Orton, Madhusudan Mathihalli]

  *) mod_ssl: Add new 'ssl_is_https' optional function.  [Joe Orton]

  *) Prevent CGI script output which includes a Content-Range header
     from being passed through the byterange filter.  [Joe Orton]

Andre Malo's avatar
Andre Malo committed
  *) Satisfy directives now can be influenced by a surrounding <Limit>
     container.  PR 14726.  [André Malo]

  *) mod_rewrite now officially supports RewriteRules in <Proxy> sections.
     PR 27985.  [André Malo]

  *) mod_disk_cache: Implement binary format for on-disk header files.
     [Brian Akins <bakins web.turner.com>, Justin Erenkrantz]

  *) mod_disk_cache: Optimize network performance of disk cache subsystem by
     allowing zero-copy (sendfile) writes and other miscellaneous fixes.
     [Justin Erenkrantz]

  *) mod_cache, mod_disk_cache, mod_mem_cache: Refactor cache modules, and
     switch to the provider API instead of hooks.  [Justin Erenkrantz]

Joe Orton's avatar
Joe Orton committed
  *) mod_autoindex: Don't truncate the directory listing if a stat()
     call fails (for instance on a >2Gb file).  PR 17357.
     [Joe Orton]

  *) Makefile fix: httpd is linked against LIBS given to the
     'make' invocation.  PR 7882.  [Joe Orton]

Bill Stoddard's avatar
Bill Stoddard committed
  *) WinNT MPM: Fix a broken log message at termination.  PR 28063.
     [Eider Oliveira <eider bol.com.br>]

Bill Stoddard's avatar
Bill Stoddard committed
  *) Prevent Win32 pool corruption at startup [Allan Edwards]

Joe Orton's avatar
Joe Orton committed
  *) mod_ssl: Add "SSLUserName" directive to set r->user based on a
     chosen SSL environment variable.  PR 20957. 
     [Martin v. Loewis <martin v.loewis.de>]

  *) suexec: Pass the SERVER_SIGNATURE envvar through to CGIs.
     [Zvi Har'El <rl math.technion.ac.il>]

  *) apachectl: Fix a problem finding envvars if sbindir != bindir.
     PR 30723.  [Friedrich Haubensak <hsk imb-jena.de>]

  *) mod_ssl: Build on RHEL 3.  PR 18989.  [Justin Erenkrantz]

  *) SECURITY: CAN-2004-0748 (cve.mitre.org)
     mod_ssl: Fix a potential infinite loop.  PR 29964.  [Joe Orton]

  *) mod_ssl: Avoid startup failure after unclean shutdown if using shmcb.
     PR 18989.  [Joe Orton]

  *) mod_userdir: Ensure that the userdir identity is used for
     suexec userdir access in a virtual host which has suexec configured.  
     PR 18156.  [Joshua Slive]

Andre Malo's avatar
Andre Malo committed
  *) mod_rewrite no longer confuses the RewriteMap caches if
     different maps defined in different virtual hosts use the
     same map name. PR 26462.  [André Malo]

Andre Malo's avatar
Andre Malo committed
  *) mod_setenvif: Remove "support" for Remote_User variable which
     never worked at all. PR 25725.  [André Malo]

  *) Backport from 2.1 / Regression from 1.3: mod_headers now knows
     again the functionality of the ErrorHeader directive. But instead
     using this misnomer additional flags to the Header directive were
     introduced ("always" and "onsuccess", defaulting to the latter).
     PR 28657.  [André Malo]

  *) Use the higher performing 'httpready' Accept Filter on all platforms 
     except FreeBSD < 4.1.1. [Paul Querna]

Andre Malo's avatar
Andre Malo committed
  *) mod_usertrack: Escape the cookie name before pasting into the
     regexp.  [André Malo]

Andre Malo's avatar
Andre Malo committed
  *) Extend the SetEnvIf directive to capture subexpressions of the
     matched value.  [André Malo]

  *) Recursive Include directives no longer crash. The server stops
     including configuration files after a certain nesting level (128
     as distributed). This is configurable at compile time using the
     -DAP_MAX_INCLUDE_DEPTH switch. PR 28370.  [André Malo]

  *) mod_dir: the trailing-slash behaviour is now configurable using the
     DirectorySlash directive.  [André Malo]

  *) Allow proxying of resources that are invoked via DirectoryIndex.
     PR 14648, 15112, 29961.  [André Malo]

  *) util_ldap: Switched the lock types on the shared memory cache 
     from thread reader/writer locks to global mutexes in order to 
     provide cross process cache protection. [Brad Nicholes]
     
  *) util_ldap: Reworked the cache locking scheme to eliminate duplicate 
     cache entries in the credentials cache due to race conditions.
     [Brad Nicholes]
     
  *) util_ldap: Enhanced the util_ldap cache-info display to show more 
     detail about the contents and current state of the cache. 
     [Brad Nicholes]
     
Bradley Nicholes's avatar
Bradley Nicholes committed
  *) Enable the option to support anonymous shared memory in mod_ldap.
     This makes the cache work on Linux again. [Graham Leggett]

Geoffrey Young's avatar
Geoffrey Young committed
  *) Enable special ErrorDocument value 'default' which restores the
     canned server response for the scope of the directive.
Andre Malo's avatar
Andre Malo committed
     [Geoffrey Young, André Malo]
Geoffrey Young's avatar
Geoffrey Young committed

Paul Querna's avatar
Paul Querna committed
  *) work around MSIE Digest auth bug - if AuthDigestEnableQueryStringHack
     is set in r->subprocess_env allow mismatched query strings to pass.
     PR 27758.  [Paul Querna, Geoffrey Young]

  *) Accept URLs for the ServerAdmin directive. If the supplied
     argument is not recognized as an URL, assume it's a mail address.
     PR 28174.  [André Malo, Paul Querna]

Geoffrey Young's avatar
Geoffrey Young committed
  *) initialize server arrays prior to calling ap_setup_prelinked_modules
     so that static modules can push Defines values when registering
     hooks just like DSO modules can ["Philippe M. Chiasson" <gozer cpan.org>]

Jeff Trawick's avatar
Jeff Trawick committed
  *) Small fix to allow reverse proxying to an ftp server. Previously
     an attempt to do this would try and connect to 0.0.0.0, regardless
     of the server specified. PR 24922
     [Pascal Terjan <pterjan@linuxfr.org>]

Graham Leggett's avatar
Graham Leggett committed
  *) Add the NOTICE file to the rpm spec file in compliance with the
     Apache v2.0 license. [Graham Leggett]

Graham Leggett's avatar
Graham Leggett committed
  *) RPM spec file changes: changed default dependancy to link to db4
     instead of db3. Fixed complaints about unpackaged files.
     [Graham Leggett]

Bill Stoddard's avatar
Bill Stoddard committed
Changes with Apache 2.0.50
  *) SECURITY: CAN-2004-0493 (cve.mitre.org)
     Close a denial of service vulnerability identified by Georgi
     Guninski which could lead to memory exhaustion with certain
     input data.  [Jeff Trawick]

Joe Orton's avatar
Joe Orton committed
  *) mod_cgi: Handle output on stderr during script execution on Unix
     platforms; preventing deadlock when stderr output fills pipe buffer.
     Also fixes case where stderr from nph- scripts could be lost.
     PR 22030, 18348.  [Joe Orton, Jeff Trawick]

Andre Malo's avatar
Andre Malo committed
  *) mod_alias now emits a warning if it detects overlapping *Alias*
     directives.  [André Malo]

Andre Malo's avatar
Andre Malo committed
  *) mod_rewrite no longer turns forward proxy requests into reverse proxy
     requests. PR 28125  [ast domdv.de, André Malo]

  *) ap_set_sub_req_protocol and ap_finalize_sub_req_protocol are now
     exported on Win32 and Netware as well (minor MMN bump).  PR 28523.
     [Edward Rudd <eddie omegaware.com>, André Malo]

  *) Restore the ability to disable the use of AcceptEx on Win9x systems
Joe Orton's avatar
Joe Orton committed
     automatically (broken in 2.0.49). PR 28529.  [André Malo]
Andre Malo's avatar
Andre Malo committed

Jeff Trawick's avatar
Jeff Trawick committed
  *) <VirtualHost myhost> now applies to all IP addresses for myhost
     instead of just the first one reported by the resolver.  This
     corrects a regression since 1.3.  [Jeff Trawick]

  *) util_ldap: allow relative paths for LDAPTrustedCA to be resolved
     against ServerRoot PR#26602 [Brad Nicholes]
       
Joe Orton's avatar
Joe Orton committed
  *) SECURITY: CAN-2004-0488 (cve.mitre.org)
     mod_ssl: Fix a buffer overflow in the FakeBasicAuth code for a
     (trusted) client certificate subject DN which exceeds 6K in length.
     [Joe Orton]

  *) mod_dav_fs: Fix MKCOL response for missing parent collections, which 
     caused issues for the Eclipse WebDAV extension.
     PR 29034.  [Joe Orton]

  *) mod_deflate: Fix memory consumption (which was proportional to the
     response size).  PR 29318.  [Joe Orton]

  *) mod_ssl: Log the errors returned on failure to load or initialize
     a crypto accelerator engine.  [Joe Orton]

Andre Malo's avatar
Andre Malo committed
  *) Allow RequestHeader directives to be conditional. PR 27951.
     [Vincent Deffontaines <vincent gryzor.com>, André Malo]

Andre Malo's avatar
Andre Malo committed
  *) Allow LimitRequestBody to be reset to unlimited. PR 29106
     [André Malo]

Andre Malo's avatar
Andre Malo committed
  *) Fix a bunch of cases where the return code of the regex compiler
     was not checked properly. This affects: mod_setenvif, mod_usertrack,
     mod_proxy, mod_proxy_ftp and core. PR 28218.  [André Malo]

Joe Orton's avatar
Joe Orton committed
  *) mod_ssl: Fix a potential segfault in the 'shmcb' session cache for
     small cache sizes.  PR 27751.  [Geoff Thorpe <geoff geoffthorpe.net>]

  *) Remove 2Gb log file size restriction on some 32-bit platforms.
     PR 13511.  [Joe Orton]

Andre Malo's avatar
Andre Malo committed
  *) mod_logio no longer removes the EOS bucket. PR 27928.
     [Bojan Smojver <bojan rexursive.com>]

  *) htpasswd no longer refuses to process files that contain empty
     lines.  [André Malo]

Andre Malo's avatar
Andre Malo committed
  *) Regression from 1.3: At startup, suexec now will be checked for
     availability, the setuid bit and user root. The works only if
     httpd is compiled with the shipped APR version (0.9.5).
Andre Malo's avatar
Andre Malo committed
     PR 28287.  [André Malo]
Andre Malo's avatar
Andre Malo committed

  *) Unix MPMs: Stop dropping connections when the file descriptor
     is at least FD_SETSIZE.  [Jeff Trawick]

  *) Fix handling of IPv6 numeric strings in mod_proxy.  [Jeff Trawick]

  *) mod_isapi: send_response_header() failed to copy status string's 
     last character.  PR 20619.  [Jesse Pelton <jsp pkc.com>]