Skip to content
CHANGES 674 KiB
Newer Older
Jim Jagielski's avatar
Jim Jagielski committed
                                                        -*- coding: utf-8 -*-
  [Remove entries to the current 2.0 and 2.2 section below, when backported]
  *) mod_mem_cache: Convert mod_mem_cache to use APR memory pool functions
     by creating a root pool for object persistence across requests. This
     also eliminates the need for custom serialization code.
     [Davi Arnaut <davi haxent.com.br>]

  *) mod_mem_cache: Memory leak fix: Unconditionally free the buffer.
     [Davi Arnaut <davi haxent.com.br>]

  *) mod_cache: From RFC3986 (section 6.2.3.) if a URI contains an
     authority component and an empty path, the empty path is to be equivalent
     to "/". It explicitly cites the following four URIs as equivalents:
       http://example.com
       http://example.com/
       http://example.com:/
       http://example.com:80/
     [Davi Arnaut <davi haxent.com.br>]

  *) mod_cache: Don't cache requests with a expires date in the past;
     otherwise mod_cache will always try to cache the URL. This bug
     might lead to numerous rename() errors on win32 if the URL was
     previously cached. [Davi Arnaut <davi haxent.com.br>]

  *) mod_disk_cache: Make sure that only positive integers are accepted
     for the CacheMaxFileSize and CacheMinFileSize parameters in the
     config file. PR39380 [Niklas Edmundsson <nikke acc.umu.se>]

  *) mod_proxy_balancer: Set the new environment variable BALANCER_ROUTE_CHANGED
     if a worker with a route different from the one supplied by the client
     had been chosen or if the client supplied no routing information for
     a balancer with sticky sessions. [Ruediger Pluem]

  *) mod_proxy: Print the correct error message for erroneous configured
     ProxyPass directives. PR 40439. [serai lans-tv.com]

  *) Allow htcacheclean, httxt2dbm, and fcgistarter to link apr/apr-util
     statically like the older support programs.
     [Eric Covener <covener gmail.com>]

  *) ap_get_server_version() has been removed.  Third-party modules must 
     now use ap_get_server_banner() or ap_get_server_description().
     [Jeff Trawick]
  *) mod_proxy_balancer: Extract stickysession routing information contained as
     parameter in the URL correctly. PR 40400.
     [Ruediger Pluem, Tomokazu Harada <harada sysrdc.ns-sol.co.jp>]

  *) mod_ext_filter: Handle filter names which include capital letters.
     PR 40323.  [Jeff Trawick]

  *) mod_deflate: Rework inflate output and deflate output filter to fix several
     issues: Incorrect handling of flush buckets, potential memory leaks,
     excessive memory usage in inflate output filter for large compressed
     content. PR 39854. [Ruediger Pluem, Nick Kew, Justin Erenkrantz]

  *) All MPMs: Introduce a check_config phase between pre_config and
     open_logs, to allow modules to review interdependent configuration
     directive values and adjust them while messages can still be logged
     to the console.  Handle relevant MPM directives during this phase
     and format messages for both the console and the error log, as
     appropriate.  [Chris Darroch]

  *) mod_proxy: Don't try to use dead backend connection. PR 37770.
Nick Kew's avatar
Nick Kew committed
     [Olivier BOEL <ob dorrboel.com>]

  *) mod_proxy: don't URLencode tilde in path component
     [Stijn Hoop <stijn sandcat.nl>]

  *) mpm_winnt: Fix return values from wait_for_many_objects.
     The return value is index to the signaled thread in the
     creted_threads array. We can not use WAIT_TIMEOUT because
     his value is defined as 258, thus limiting the MaxThreads
     to that value. [Mladen Turk]

  *) SECURITY: CVE-2006-3747 (cve.mitre.org)
     mod_rewrite: Fix an off-by-one security problem in the ldap scheme
     handling.  For some RewriteRules this could lead to a pointer being
     written out of bounds.  Reported by Mark Dowd of McAfee.
     [Mark Cox]

  *) mod_cache: While serving a cached entity ensure that filters that have
     been applied to this cached entity before saving it to the cache are not
     applied again. PR 40090. [Ruediger Pluem]

  *) mod_proxy_ajp: Added cping/cpong support for the AJP protocol.
     A new worker directive ping=timeout will cause CPING packet
     to be send expecting CPONG packet within defined timeout.
     In case the backend is too busy this will fail instead
     sending the full header.  [Mladen Turk]

  *) core: Do not allow internal redirects like the DirectoryIndex of mod_dir
     to circumvent the symbolic link checks imposed by FollowSymLinks and
     SymLinksIfOwnerMatch. [Nick Kew, Ruediger Pluem, William Rowe]

  *) mod_proxy: Support environment variable interpolation in reverse
     proxying directives. [Nick Kew]
  *) core: Add the filename of the configuration file to the warning message
     about the useless use of AllowOverride. PR 39992.
     [Darryl Miles <darryl darrylmiles.org>]

  *) mod_proxy_balancer: Add information about the route, the sticky session
     and the worker used during a request as environment variables. PR 39806.
     [Brian <brectanu gmail.com>]

William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
  *) mod_isapi: Avoid double trailing slashes in HSE_REQ_MAP_URL_TO_PATH
     support.  Also corrects the slashes for Windows.  PR 15993. [William Rowe]
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed

William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
  *) mod_isapi: Handle "HTTP/1.1 200 OK" style status lines correctly, the
     token parser worked while the resulting length was misinterpreted.
     PR 29098 [Brock Bland <bbland serena.com>]

William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
  *) mod_isapi: Return 0 (failure) for more of the various ap_pass_brigade
     attempts to stream the response at the client.  PR 30022 [William Rowe]

  *) mod_isapi: Ensure we walk through all the methods the developer may have
     employed to report their HTTP status result code.
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     PR 16637 30033 28089  [Matt Lewandowsky <matt iamcode.net>, William Rowe]
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed

  *) New SSLLogLevelDebugDump [ None (default) | IO (not bytes) | Bytes ]
     configures the I/O Dump of SSL traffic, when LogLevel is set to Debug.
     The default is none as this is far greater debugging resolution than 
     the typical administrator is prepared to untangle.  [William Rowe]

  *) mod_disk_cache: If possible, check if the size of an object to cache is
     within the configured boundaries before actually saving data.
     [Niklas Edmundsson <nikke acc.umu.se>]

  *) mod_cache: Convert all values to seconds before comparing them when
     checking whether to send a Warning header for a stale response.
     PR 39713. [Owen Taylor <otaylor redhat.com>]
  *) mod_disk_cache: Delete temporary files if they cannot be renamed to their
     final name. [Davi Arnaut <davi haxent.com.br>]

  *) Worker and event MPMs: Remove improper scoreboard updates which were
     performed in the event of a fork() failure.  [Chris Darroch]

  *) Add support for fcgi:// proxies to mod_rewrite.
     [Markus Schiegl <ms schiegl.com>]

  *) Remove incorrect comments from scoreboard.h regarding conditional
     loading of worker_score structure with mod_status, and remove unused
     definitions relating to old life_status field.
     [Chris Darroch <chrisd pearsoncmg.com>]

  *) Remove allocation of memory for unused array of lb_score pointers
     in ap_init_scoreboard().  [Chris Darroch <chrisd pearsoncmg.com>]
  *) Add mod_proxy_fcgi, a FastCGI back end for mod_proxy.
     [Garrett Rooney, Jim Jagielski, Paul Querna]
  *) Event MPM: Fill in the scoreboard's tid field. PR 38736.
     [Chris Darroch <chrisd pearsoncmg.com>]

  *) mod_charset_lite: Remove Content-Length when output filter can 
     invalidate it.  Warn when input filter can invalidate it.
     [Jeff Trawick]

  *) mod_ssl: Fix spurious hostname mismatch warning for valid
     wildcard certificates.  PR 37911.  [Nick Burch <nick torchbox.com>]

  *) Authz: Add the new module mod_authn_core that will provide common
     authn directives such as 'AuthType', 'AuthName'.  Move the directives
     'AuthType' and 'AuthName' out of the core module and merge mod_authz_alias 
     into mod_authn_core. [Brad Nicholes]
  *) Authz: Mark the directives 'Order', 'Allow', 'Deny' and 'Satisfy' as 
     deprecated and move them into the new module mod_access_compat which
     can be loaded to provide backwards compatibility for these directives.
     [Brad Nicholes]
  *) Authz: Move the 'Require' directive from the core module as well as 
     add the directives '<SatisfyAll>', '<SatisfyOne>', '<RequireAlias>' 
     and 'Reject' to mod_authz_core. The new directives introduce 'AND/OR' 
     logic into the authorization processing. [Brad Nicholes]
  *) Authz: Add the new module mod_authz_core which acts as the 
     authorization provider vector and contains common authz 
     directives. [Brad Nicholes]

  *) Authz: Renamed mod_authz_dbm authz providers from 'group' and 
     'file-group' to 'dbm-group' and 'dbm-file-group'. [Brad Nicholes]

  *) Authz: Added the new authz providers 'env', 'ip', 'host', 'all' to handle
     host-based access control provided by mod_authz_host and invoked 
     through the 'Require' directive. [Brad Nicholes]

  *) Authz: Convert all of the authz modules from hook based to 
     provider based. [Brad Nicholes]
  *) mod_cache: Add CacheMinExpire directive to set the minimum time in
     seconds to cache a document.
     [Brian Akins <brian.akins turner.com>, Ruediger Pluem]

Nick Kew's avatar
Nick Kew committed
  *) mod_authz_dbd: SQL authz with Login/Session support [Nick Kew]

Loading full blame...