Skip to content
CHANGES 533 KiB
Newer Older
Cliff Woolley's avatar
Cliff Woolley committed
Changes with Apache 2.0.40
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
  *) SECURITY: [CAN-2002-0661] Close a very significant security hole that 
     applies only to the Win32, OS2 and Netware platforms.  Unix was not 
     affected, Cygwin may be affected.  Certain URIs will bypass security
     and allow users to invoke or access any file depending on the system 
     configuration.  Without upgrading, a single .conf change will close 
     the vulnerability.  Add the following directive in the global server
     httpd.conf context before any other Alias or Redirect directives;
         RedirectMatch 400 "\\\.\."
     Reported by Auriemma Luigi <bugtest@sitoverde.com>.
     [Brad Nicholes]

  *) SECURITY:  Close a path-revealing exposure in multiview type
     map negotiation (such as the default error documents) where the
     module would report the full path of the typemapped .var file when
     multiple documents or no documents could be served based on the mime
     negotiation.  Reported by Auriemma Luigi <bugtest@sitoverde.com>.
     [CAN-2002-0654]  [William Rowe]

  *) SECURITY:  Close a path-revealing exposure in cgi/cgid when we 
     fail to invoke a script.  The modules would report "couldn't create 
     child process /path-to-script/script.pl" revealing the full path
     of the script.  Reported by Jim Race <jrace@qualys.com>.
     [CAN-2002-0654]  [Bill Stoddard]

William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
  *) Set aside the apr-iconv and apr_xlate() features for the Win32
     build of 2.0.40 so development can be completed.  A patch, from
     <http://www.apache.org/dist/httpd/patches/apply_to_2.0.40/>
     will be available for those that wish to work with apr-iconv.
     [William Rowe]

  *) Fix proxy so that it is possible to access ftp: URLs via a proxy
     chain. [Peter Van Biesen <peter.vanbiesen@vlafo.be>]

William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
  *) mod-deflate now checks to make sure that 'gzip-only-text/html' is
     set to 1, so we can exclude things from the general case with
     browsermatch. [Ian Holsman, Andre Schild <A.Schild@aarboard.ch>]
  
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
  *) Accept multiple leading /'s for requests within the DocumentRoot.
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     PR 10946  [William Rowe, David Shane Holden <dpejesh@yahoo.com>]
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed

William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
  *) Solved the reports of .pdf byterange failures on Win32 alone.
     APR's sendfile for the win32 platform collapses header and trailer
     buffers into a single buffer.  However, we destroyed the pointers
     to the header buffer if a trailer buffer was present.  PR 10781
     [William Rowe]

  *) mod_ext_filter: Add the ability to enable or disable a filter via
     an environment variable.  Add the ability to register a filter of
     type other than AP_FTYPE_RESOURCE.  [Jeff Trawick]

  *) Restore the ability to specify host names on Listen directives.
     PR 11030.  [Jeff Trawick, David Shane Holden <dpejesh@yahoo.com>]

  *) When deciding on the default address family for listening sockets, 
     make sure we can actually bind to an AF_INET6 socket before
     deciding that we should default to AF_INET6.  This fixes a startup
     problem on certain levels of OpenUNIX.  PR 10235.  [Jeff Trawick]

  *) Replace usage of atol() to parse strings when we might want a
     larger-than-long value with apr_atoll(), which returns long long.
     This allows HTTPD to deal with larger files correctly.
     [Shantonu Sen <ssen@apple.com>]

  *) mod_ext_filter: Ignore any content-type parameters when checking if
     the response should be filtered.  Previously, "intype=text/html"
     wouldn't match something like "text/html;charset=8859_1".
     [Jeff Trawick]

  *) mod_ext_filter: Set up environment variables for external programs.
     [Craig Sebenik <craig@netapp.com>]

William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
  *) Modified the HTTP_IN filter to immediately append the EOS (end of
     stream) bucket for C-L POST bodies, saving a roundtrip and allowing
     the caller to determine that no content remains without prefetching
     additional POST body.  [William Rowe]

  *) Get proxy ftp to work over IPv6.  [Shoichi Sakane <sakane@kame.net>]

  *) Look for OpenSSL libraries in /usr/lib64.  [Peter Poeml <poeml@suse.de>]

Justin Erenkrantz's avatar
Justin Erenkrantz committed
  *) Update SuSE layout.  [Peter Poeml <poeml@suse.de>]

  *) Changes to the internationalized error documents:
     Comment them out in the default config file to make the default
     install as simple as possible; Correct the english 500 error to
     be more understandable; Add a Swedish translation.
     [Thomas Sjogren <thomas@northernsecurity.net>, 
      Erik Abele <erik@codefaktor.de>, Rich Bowen, Joshua Slive]
     
  *) Increase the limit on file descriptors per process in apachectl.
     [Brian Pane]

William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
  *) Fix a dependency error when building ApacheMonitor, so that Win32
     and MSVC now trust that the project is current (when it is).
     [James Cox <imajes@php.net>]

  *) mod_ext_filter: don't segfault if content-type is not set.  PR 10617.
     [Arthur P. Smith <apsmith@aps.org>, Jeff Trawick]

Ian Holsman's avatar
Ian Holsman committed
  *) APR-Util Renames pending have been completed [Thom May]

  *) Performance improvements for the code that reads request
     headers (ap_rgetline_core() and related functions)  [Brian Pane]

  *) Add a new directive: MaxMemFree.  MaxMemFree makes it possible
     to configure the maximum amount of memory the allocators will
     hold on to for reuse.  Anything over the MaxMemFree threshold
Jeff Trawick's avatar
Jeff Trawick committed
     will be free()d.  This directive is useful when uncommon large
     peaks occur in memory usage.  It should _not_ be used to mask
     defective modules' memory use.  [Sander Striker]
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed

Cliff Woolley's avatar
Cliff Woolley committed
  *) Fixed the Content-Length filter so that HTTP/1.0 requests to CGI
     scripts would not result in a truncated response.
     [Ryan Bloom, Justin Erenkrantz, Cliff Woolley]

  *) Add a filter_init parameter to the filter registration functions
     so that a filter can execute arbitrary code before the handlers
     are invoked.  This resolves a problem where mod_include requests
     would incorrectly return a 304.  [Justin Erenkrantz]

  *) Fix a long-standing bug in 2.0, CGI scripts were being called
     with relative paths instead of absolute paths.  Apache 1.3 used
     absolute paths for everything except for SuExec, this brings back
     that standard.  [Ryan Bloom]

  *) Fix infinite loop due to two HTTP_IN filters being present for
     internally redirected requests.  PR 10146.  [Justin Erenkrantz]

  *) Switch conn_rec->keepalive to an enumeration rather than a bitfield.
     [Justin Erenkrantz]

  *) Fix mod_ext_filter to look in the main server for filter definitions
     when running in a vhost if the filter definition is not found in
     the vhost.  PR 10147  [Jeff Trawick]

William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
  *) Support WinNT CGI invocation through ScriptInterpreterSource 
     'registry' for script interpreter paths and names with non-ascii
     characters in the executable filepath.  [William Rowe]

William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
  *) Support the -w flag on to keep the Win32 console open on error.
     [William Rowe]

  *) Normalize the hostname value in the request_rec to all-lowercase
     [Perry Harrington <pedward@webcom.com>]

William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
  *) Fix WinNT cgi 500 errors when QUERY_ARGS or other strings include
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     extended characters (non US-ASCII) in non-utf8 format.  This brings
     Win32 back into CGI/1.1 compliance, and leaves charset decoding up
     to the cgi application itself.  [William Rowe]

  *) Major overhaul of mod_dav, mod_dav_fs and the experimental/cache
     modules to bring them up to the current apr/apr-util APIs.
     [William Rowe]

  *) Fix segfault in mod_mem_cache most frequently observed when
     serving the same file to multiple clients on an MP machine.
     [Bill Stoddard]
Cliff Woolley's avatar
Cliff Woolley committed

  *) mod_rewrite can now set cookies  (RewriteRule (.*) - [CO=name:$1:.domain])
     [Brian Degenhardt <bmd@mp3.com>, Ian Holsman]

  *) Fix perchild to work with apachectl by adding -k support to perchild.
     PR 10074  [Jeff Trawick]

  *) Fix a silly htpasswd.c logic error that incorrectly reported that
     both -c and -n had been used.  PR 9989  [Cliff Woolley]

  *) Fixed a mod_include error case in which no HTTP response was sent
     to the client if an shtml document contained an unterminated SSI
     directive [Brian Pane]

Cliff Woolley's avatar
Cliff Woolley committed
  *) Improve ap_get_client_block implementation by using APR-util brigade
     helper functions and relying on current filter assumptions.
     [Justin Erenkrantz]

Cliff Woolley's avatar
Cliff Woolley committed
Changes with Apache 2.0.39

  *) Fixed a build problem in htpasswd.c on Win32.
     [Guenter Knauf <eflash@gmx.net>, Cliff Woolley]
Cliff Woolley's avatar
Cliff Woolley committed

Cliff Woolley's avatar
Cliff Woolley committed
Changes with Apache 2.0.38

  *) Rewrite htpasswd to use APR.  The removes the annoying warning about
     tmpnam being unsafe.   [Ryan Bloom]

  *) We must set the MIME-type for .shtml files to text/html if we want them
     to be parsed for SSI tags.  Add the config for that to the default 
     config file so that it is easier to enable .shtml parsing.
     [Dave Dyer <ddyer@real-me.net>]

  *) Fixed a problem with 'make install' on ReliantUnix.
     [Jean-frederic Clere <jfrederic.clere@fujitsu-siemens.com>]

  *) Make the default_handler catch all requests that aren't served by
     another handler.  This also gets us to return a 404 if a directory
     is requested, there is no DirectoryIndex, and mod_autoindex isn't
     loaded.  [Justin Erenkrantz]

Loading full blame...