Newer
Older
*) SECURITY: [CAN-2002-0661] Close a very significant security hole that
applies only to the Win32, OS2 and Netware platforms. Unix was not
affected, Cygwin may be affected. Certain URIs will bypass security
and allow users to invoke or access any file depending on the system
configuration. Without upgrading, a single .conf change will close
the vulnerability. Add the following directive in the global server
httpd.conf context before any other Alias or Redirect directives;
RedirectMatch 400 "\\\.\."
Reported by Auriemma Luigi <bugtest@sitoverde.com>.
[Brad Nicholes]
*) SECURITY: Close a path-revealing exposure in multiview type
map negotiation (such as the default error documents) where the
module would report the full path of the typemapped .var file when
multiple documents or no documents could be served based on the mime
negotiation. Reported by Auriemma Luigi <bugtest@sitoverde.com>.
[CAN-2002-0654] [William Rowe]
*) SECURITY: Close a path-revealing exposure in cgi/cgid when we
fail to invoke a script. The modules would report "couldn't create
child process /path-to-script/script.pl" revealing the full path
of the script. Reported by Jim Race <jrace@qualys.com>.
[CAN-2002-0654] [Bill Stoddard]
*) Set aside the apr-iconv and apr_xlate() features for the Win32
build of 2.0.40 so development can be completed. A patch, from
<http://www.apache.org/dist/httpd/patches/apply_to_2.0.40/>
will be available for those that wish to work with apr-iconv.
[William Rowe]
*) Fix proxy so that it is possible to access ftp: URLs via a proxy
chain. [Peter Van Biesen <peter.vanbiesen@vlafo.be>]
*) mod-deflate now checks to make sure that 'gzip-only-text/html' is
Ian Holsman
committed
set to 1, so we can exclude things from the general case with
browsermatch. [Ian Holsman, Andre Schild <A.Schild@aarboard.ch>]
*) Accept multiple leading /'s for requests within the DocumentRoot.
*) Solved the reports of .pdf byterange failures on Win32 alone.
APR's sendfile for the win32 platform collapses header and trailer
buffers into a single buffer. However, we destroyed the pointers
to the header buffer if a trailer buffer was present. PR 10781
[William Rowe]
*) mod_ext_filter: Add the ability to enable or disable a filter via
an environment variable. Add the ability to register a filter of
type other than AP_FTYPE_RESOURCE. [Jeff Trawick]
*) Restore the ability to specify host names on Listen directives.
PR 11030. [Jeff Trawick, David Shane Holden <dpejesh@yahoo.com>]
*) When deciding on the default address family for listening sockets,
make sure we can actually bind to an AF_INET6 socket before
deciding that we should default to AF_INET6. This fixes a startup
problem on certain levels of OpenUNIX. PR 10235. [Jeff Trawick]
Wilfredo Sanchez
committed
*) Replace usage of atol() to parse strings when we might want a
larger-than-long value with apr_atoll(), which returns long long.
This allows HTTPD to deal with larger files correctly.
[Shantonu Sen <ssen@apple.com>]
*) mod_ext_filter: Ignore any content-type parameters when checking if
the response should be filtered. Previously, "intype=text/html"
wouldn't match something like "text/html;charset=8859_1".
[Jeff Trawick]
*) mod_ext_filter: Set up environment variables for external programs.
[Craig Sebenik <craig@netapp.com>]
*) Modified the HTTP_IN filter to immediately append the EOS (end of
stream) bucket for C-L POST bodies, saving a roundtrip and allowing
the caller to determine that no content remains without prefetching
additional POST body. [William Rowe]
*) Get proxy ftp to work over IPv6. [Shoichi Sakane <sakane@kame.net>]
*) Look for OpenSSL libraries in /usr/lib64. [Peter Poeml <poeml@suse.de>]
*) Update SuSE layout. [Peter Poeml <poeml@suse.de>]
*) Changes to the internationalized error documents:
Comment them out in the default config file to make the default
install as simple as possible; Correct the english 500 error to
be more understandable; Add a Swedish translation.
[Thomas Sjogren <thomas@northernsecurity.net>,
Erik Abele <erik@codefaktor.de>, Rich Bowen, Joshua Slive]
*) Increase the limit on file descriptors per process in apachectl.
[Brian Pane]
*) Fix a dependency error when building ApacheMonitor, so that Win32
and MSVC now trust that the project is current (when it is).
[James Cox <imajes@php.net>]
*) mod_ext_filter: don't segfault if content-type is not set. PR 10617.
[Arthur P. Smith <apsmith@aps.org>, Jeff Trawick]
*) APR-Util Renames pending have been completed [Thom May]
*) Performance improvements for the code that reads request
headers (ap_rgetline_core() and related functions) [Brian Pane]
*) Add a new directive: MaxMemFree. MaxMemFree makes it possible
to configure the maximum amount of memory the allocators will
hold on to for reuse. Anything over the MaxMemFree threshold
will be free()d. This directive is useful when uncommon large
peaks occur in memory usage. It should _not_ be used to mask
defective modules' memory use. [Sander Striker]
*) Fixed the Content-Length filter so that HTTP/1.0 requests to CGI
scripts would not result in a truncated response.
[Ryan Bloom, Justin Erenkrantz, Cliff Woolley]
*) Add a filter_init parameter to the filter registration functions
so that a filter can execute arbitrary code before the handlers
are invoked. This resolves a problem where mod_include requests
would incorrectly return a 304. [Justin Erenkrantz]
*) Fix a long-standing bug in 2.0, CGI scripts were being called
with relative paths instead of absolute paths. Apache 1.3 used
absolute paths for everything except for SuExec, this brings back
that standard. [Ryan Bloom]
Justin Erenkrantz
committed
*) Fix infinite loop due to two HTTP_IN filters being present for
internally redirected requests. PR 10146. [Justin Erenkrantz]
*) Switch conn_rec->keepalive to an enumeration rather than a bitfield.
[Justin Erenkrantz]
*) Fix mod_ext_filter to look in the main server for filter definitions
when running in a vhost if the filter definition is not found in
the vhost. PR 10147 [Jeff Trawick]
*) Support WinNT CGI invocation through ScriptInterpreterSource
'registry' for script interpreter paths and names with non-ascii
characters in the executable filepath. [William Rowe]
*) Support the -w flag on to keep the Win32 console open on error.
[William Rowe]
*) Normalize the hostname value in the request_rec to all-lowercase
[Perry Harrington <pedward@webcom.com>]
*) Fix WinNT cgi 500 errors when QUERY_ARGS or other strings include
extended characters (non US-ASCII) in non-utf8 format. This brings
Win32 back into CGI/1.1 compliance, and leaves charset decoding up
to the cgi application itself. [William Rowe]
*) Major overhaul of mod_dav, mod_dav_fs and the experimental/cache
modules to bring them up to the current apr/apr-util APIs.
[William Rowe]
Bill Stoddard
committed
*) Fix segfault in mod_mem_cache most frequently observed when
serving the same file to multiple clients on an MP machine.
[Bill Stoddard]
*) mod_rewrite can now set cookies (RewriteRule (.*) - [CO=name:$1:.domain])
[Brian Degenhardt <bmd@mp3.com>, Ian Holsman]
*) Fix perchild to work with apachectl by adding -k support to perchild.
PR 10074 [Jeff Trawick]
*) Fix a silly htpasswd.c logic error that incorrectly reported that
both -c and -n had been used. PR 9989 [Cliff Woolley]
*) Fixed a mod_include error case in which no HTTP response was sent
to the client if an shtml document contained an unterminated SSI
directive [Brian Pane]
*) Improve ap_get_client_block implementation by using APR-util brigade
helper functions and relying on current filter assumptions.
[Justin Erenkrantz]
*) Fixed a build problem in htpasswd.c on Win32.
[Guenter Knauf <eflash@gmx.net>, Cliff Woolley]
*) Rewrite htpasswd to use APR. The removes the annoying warning about
tmpnam being unsafe. [Ryan Bloom]
*) We must set the MIME-type for .shtml files to text/html if we want them
to be parsed for SSI tags. Add the config for that to the default
config file so that it is easier to enable .shtml parsing.
[Dave Dyer <ddyer@real-me.net>]
*) Fixed a problem with 'make install' on ReliantUnix.
[Jean-frederic Clere <jfrederic.clere@fujitsu-siemens.com>]
*) Make the default_handler catch all requests that aren't served by
another handler. This also gets us to return a 404 if a directory
is requested, there is no DirectoryIndex, and mod_autoindex isn't
loaded. [Justin Erenkrantz]
Loading full blame...