Newer
Older
11001
11002
11003
11004
11005
11006
11007
11008
11009
11010
11011
11012
11013
11014
11015
11016
11017
11018
11019
11020
11021
11022
11023
11024
11025
11026
11027
11028
11029
11030
11031
11032
11033
11034
11035
11036
11037
11038
11039
11040
11041
11042
11043
11044
11045
11046
11047
11048
11049
11050
11051
11052
11053
11054
11055
11056
11057
11058
11059
11060
11061
11062
11063
11064
11065
11066
11067
11068
11069
11070
11071
11072
11073
11074
11075
11076
11077
11078
11079
11080
11081
11082
11083
11084
11085
11086
11087
11088
11089
11090
11091
11092
11093
11094
11095
11096
11097
11098
11099
11100
11101
11102
11103
11104
11105
11106
11107
11108
11109
11110
11111
11112
11113
11114
11115
11116
11117
11118
11119
11120
11121
11122
11123
11124
11125
11126
11127
11128
11129
11130
11131
11132
11133
11134
11135
11136
11137
11138
11139
11140
11141
11142
11143
11144
11145
11146
11147
11148
11149
11150
11151
11152
11153
11154
11155
11156
11157
11158
11159
11160
11161
11162
11163
11164
11165
11166
11167
11168
11169
11170
11171
11172
11173
11174
11175
11176
11177
11178
11179
11180
11181
11182
11183
11184
11185
11186
11187
11188
11189
11190
11191
11192
11193
11194
11195
11196
11197
11198
11199
11200
11201
11202
11203
11204
11205
11206
11207
11208
11209
11210
11211
11212
11213
11214
11215
11216
11217
11218
11219
11220
11221
11222
11223
11224
11225
11226
11227
11228
11229
11230
11231
11232
11233
11234
11235
11236
11237
11238
11239
11240
11241
11242
11243
11244
11245
11246
11247
11248
11249
11250
11251
11252
11253
11254
11255
11256
11257
11258
11259
11260
11261
11262
11263
11264
11265
11266
11267
11268
11269
11270
11271
11272
11273
11274
11275
11276
11277
11278
11279
11280
11281
11282
11283
11284
11285
11286
11287
11288
11289
11290
11291
11292
11293
11294
11295
11296
11297
11298
11299
11300
11301
11302
11303
11304
11305
11306
11307
11308
11309
11310
11311
11312
11313
11314
11315
11316
11317
11318
11319
11320
11321
11322
11323
11324
11325
11326
11327
11328
11329
11330
11331
11332
11333
11334
11335
11336
11337
11338
11339
11340
11341
11342
11343
11344
11345
11346
11347
11348
11349
11350
11351
11352
11353
11354
11355
11356
11357
11358
11359
11360
11361
11362
11363
11364
11365
11366
11367
11368
11369
11370
11371
11372
11373
11374
11375
11376
11377
11378
11379
11380
11381
11382
11383
11384
11385
11386
11387
11388
11389
11390
11391
11392
11393
11394
11395
11396
11397
11398
11399
11400
11401
11402
11403
11404
11405
11406
11407
11408
11409
11410
11411
11412
11413
11414
11415
11416
11417
11418
11419
11420
11421
11422
11423
11424
11425
11426
11427
11428
11429
11430
11431
11432
11433
11434
11435
11436
11437
11438
11439
11440
11441
11442
11443
11444
11445
11446
11447
11448
11449
11450
11451
11452
11453
11454
11455
11456
11457
11458
11459
11460
11461
11462
11463
11464
11465
11466
11467
11468
11469
11470
11471
11472
11473
11474
11475
11476
11477
11478
11479
11480
11481
11482
11483
11484
11485
11486
11487
11488
11489
11490
11491
11492
11493
11494
11495
11496
11497
11498
11499
11500
11501
11502
11503
11504
11505
11506
11507
11508
11509
11510
11511
11512
11513
11514
11515
11516
11517
11518
11519
11520
11521
11522
11523
11524
11525
11526
11527
11528
11529
11530
11531
11532
11533
11534
11535
11536
11537
11538
11539
11540
11541
11542
11543
11544
11545
11546
11547
11548
11549
11550
11551
11552
11553
11554
11555
11556
11557
11558
11559
11560
11561
11562
11563
11564
11565
11566
11567
11568
11569
11570
11571
11572
11573
11574
11575
11576
11577
11578
11579
11580
11581
11582
11583
11584
11585
11586
11587
11588
11589
11590
11591
11592
11593
11594
11595
11596
11597
11598
11599
11600
11601
11602
11603
11604
11605
11606
11607
11608
11609
11610
11611
11612
11613
11614
11615
11616
11617
11618
11619
11620
11621
11622
11623
11624
11625
11626
11627
11628
11629
11630
11631
11632
11633
11634
11635
11636
11637
11638
11639
11640
11641
11642
11643
11644
11645
11646
11647
11648
11649
11650
11651
11652
11653
11654
11655
11656
11657
11658
11659
11660
11661
11662
11663
11664
11665
11666
11667
11668
11669
11670
11671
11672
11673
11674
11675
11676
11677
11678
11679
11680
11681
11682
11683
11684
11685
11686
11687
11688
11689
11690
11691
11692
11693
11694
11695
11696
11697
11698
11699
11700
11701
11702
11703
11704
11705
11706
11707
11708
11709
11710
11711
11712
11713
11714
11715
11716
11717
11718
11719
11720
11721
11722
11723
11724
11725
11726
11727
11728
11729
11730
11731
11732
11733
11734
11735
11736
11737
11738
11739
11740
11741
11742
11743
11744
11745
11746
11747
11748
11749
11750
11751
11752
11753
11754
11755
11756
11757
11758
11759
11760
11761
11762
11763
11764
11765
11766
11767
11768
11769
11770
11771
11772
11773
11774
11775
11776
11777
11778
11779
11780
11781
11782
11783
11784
11785
11786
11787
11788
11789
11790
11791
11792
11793
11794
11795
11796
11797
11798
11799
11800
11801
11802
11803
11804
11805
11806
11807
11808
11809
11810
11811
11812
11813
11814
11815
11816
11817
11818
11819
11820
11821
11822
11823
11824
11825
11826
11827
11828
11829
11830
11831
11832
11833
11834
11835
11836
11837
11838
11839
11840
11841
11842
11843
11844
11845
11846
11847
11848
11849
11850
11851
11852
11853
11854
11855
11856
11857
11858
11859
11860
11861
11862
11863
11864
11865
11866
11867
11868
11869
11870
11871
11872
11873
11874
11875
11876
11877
11878
11879
11880
11881
11882
11883
11884
11885
11886
11887
11888
11889
11890
11891
11892
11893
11894
11895
11896
11897
11898
11899
11900
11901
11902
11903
11904
11905
11906
11907
11908
11909
11910
11911
11912
11913
11914
11915
11916
11917
11918
11919
11920
11921
11922
11923
11924
11925
11926
11927
11928
11929
11930
11931
11932
11933
11934
11935
11936
11937
11938
11939
11940
11941
11942
11943
11944
11945
11946
11947
11948
11949
11950
11951
11952
11953
11954
11955
11956
11957
11958
11959
11960
11961
11962
11963
11964
11965
11966
11967
11968
11969
11970
11971
11972
11973
11974
11975
11976
11977
11978
11979
11980
11981
11982
11983
11984
11985
11986
11987
11988
11989
11990
11991
11992
11993
11994
11995
11996
11997
11998
11999
12000
multiple occurrences of the same key. [Stephen Scheck
<sscheck@infonex.net>, Ben Laurie] PR#1604
*) send_fd_length() did not calculate total_bytes_sent properly in error
cases. [Ben Reser <breser@regnow.com>] PR#1366
*) r->connection->user was allocated in the wrong pool causing corruption
in some cases when used with mod_cern_meta. [Dean Gaudet] PR#1500
*) mod_proxy was sending HTTP/1.1 responses to ftp requests by mistake.
Also removed the auto-generated link to www.apache.org that was the
source of so many misdirected bug reports. [Roy Fielding, Marc Slemko]
*) Multiple "close" tokens may have been set in the "Connection"
header, not an error, but a waste.
[Ronald.Tschalaer@psi.ch] PR#1683
*) "basic" and "digest" auth tokens should be tested case-insensitive.
[Ronald.Tschalaer@psi.ch] PR#1599, PR#1666
*) It appears the "257th byte" bug (see
htdocs/manual/misc/known_client_problems.html#257th-byte) can happen
at the 256th byte as well. Fixed. [Dean Gaudet]
*) mod_rewrite would not handle %3f properly in some situations.
[Ralf Engelschall]
*) Apache could generate improperly chunked HTTP/1.1 responses when
the bputc() or rputc() functions were used by modules (such as
mod_include). [Dean Gaudet]
*) #ifdef wrap a few #defines in httpd.h to make life easier on
some ports. [Ralf Engelschall]
*) Fix MPE compilation error in mod_usertrack.c. [Mark Bixby]
*) Quote CC='$(CC)' to improve recurse make calls. [Martin Kraemer]
*) Avoid B_ERROR redeclaration on sysvr4 systems. [Martin Kraemer]
Changes with Apache 1.2.5
*) SECURITY: Fix a possible buffer overflow in logresolve. This is
only an issue on systems without a MAXDNAME define or where
the resolver returns domain names longer than MAXDNAME. [Marc Slemko]
*) Fix an improper length in an ap_snprintf call in proxy_date_canon().
[Marc Slemko]
*) Fix core dump in the ftp proxy when reading incorrectly formatted
directory listings. [Marc Slemko]
*) SECURITY: Fix possible minor buffer overflow in the proxy cache.
[Marc Slemko]
*) SECURITY: Eliminate possible buffer overflow in cfg_getline, which
is used to read various types of files such as htaccess and
htpasswd files. [Marc Slemko]
*) SECURITY: Ensure that the buffer returned by ht_time is always
properly null terminated. [Marc Slemko]
*) SECURITY: General mod_include cleanup, including fixing several
possible buffer overflows and a possible infinite loop. This cleanup
was done against 1.3 code and then backported to 1.2, the result
is a large difference (due to indentation cleanup in 1.3 code).
Users interested in seeing a smaller set of relevant differences
should consider comparing against src/modules/standard/mod_include.c
from the 1.3b3 release. Non-indentation changes to mod_include
between 1.2 and 1.3 were minimal. [Dean Gaudet, Marc Slemko]
*) SECURITY: Numerous changes to mod_imap in a general cleanup
including fixing a possible buffer overflow. This cleanup also
was done with 1.3 code as a basis, see the the previous note
about mod_include. [Dean Gaudet]
*) SECURITY: If a htaccess file can not be read due to bad
permissions, deny access to the directory with a HTTP_FORBIDDEN.
The previous behavior was to ignore the htaccess file if it could not
be read. This change may make some setups with unreadable
htaccess files stop working. PR#817 [Marc Slemko]
*) SECURITY: no2slash() was O(n^2) in the length of the input.
Make it O(n). This inefficiency could be used to mount a denial
of service attack against the Apache server. Thanks to
Michal Zalewski <lcamtuf@boss.staszic.waw.pl> for reporting
this. [Dean Gaudet]
*) mod_include used uninitialized data for some uses of && and ||.
[Brian Slesinsky <bslesins@wired.com>] PR#1139
*) mod_imap should decline all non-GET methods.
[Jay Bloodworth <jay@pathways.sde.state.sc.us>]
*) suexec.c wouldn't build without -DLOG_EXEC. [Jason A. Dour]
*) mod_userdir was modifying r->finfo in cases where it wasn't setting
r->filename. Since those two are meant to be in sync with each other
this is a bug. ["Paul B. Henson" <henson@intranet.csupomona.edu>]
*) mod_include did not properly handle all possible redirects from sub-
requests. [Ken Coar]
*) Inetd mode (which is buggy) uses timeouts without having setup the
jmpbuffer. [Dean Gaudet] PR#1064
*) Work around problem under Linux where a child will start looping
reporting a select error over and over.
[Rick Franchuk <rickf@transpect.net>] PR#1107
Changes with Apache 1.2.4
*) The ProxyRemote change in 1.2.3 introduced a bug resulting in the proxy
always making requests with the full-URI instead of just the URI path.
[Marc Slemko, Roy Fielding]
*) Add -lm for AIX versions >= 4.2 to allow Apache to link properly
on this platform. [Marc Slemko]
Changes with Apache 1.2.3
*) The request to a remote proxy was mangled if it was generated as the
result of a ProxyPass directive. URL schemes other than http:// were not
supported when ProxyRemote was used. PR#260, PR#656, PR#699, PR#713,
PR#812 [Lars Eilebrecht]
*) Fixed proxy-pass-through feature of mod_rewrite; Added error logging
information for case where proxy module is not available. [Marc Slemko]
*) Force proxy to always respond as HTTP/1.0, which it was failing to
do for errors and cached responses. [Roy Fielding]
*) PORT: Improved support for ConvexOS 11. [Jeff Venters]
Changes with Apache 1.2.2 [not released]
*) Fixed another long-standing bug in sub_req_lookup_file where it would
happily skip past access checks on subdirectories looked up with relative
paths. (It's used by mod_dir, mod_negotiation, and mod_include.)
[Dean Gaudet]
*) Add lockfile name to error message printed out when
USE_FLOCK_SERIALIZED_ACCEPT is defined.
[Marc Slemko]
*) Enhanced the chunking and error handling inside the buffer functions.
[Dean Gaudet, Roy Fielding]
*) When merging the main server's <Directory> and <Location> sections into
a vhost, put the main server's first and the vhost's second. Otherwise
the vhost can't override the main server. [Dean Gaudet] PR#717
*) The <Directory> code would merge and re-merge the same section after
a match was found, possibly causing problems with some modules.
[Dean Gaudet]
*) Fixed an infinite loop in mod_imap for references above the server root.
[Dean Gaudet] PR#748
*) mod_include cleanup showed that handle_else was being used to handle
endif. It didn't cause problems, but it was cleaned up too.
[Howard Fear]
*) Last official synchronization of mod_rewrite with author version (because
mod_rewrite is now directly developed by the author at the Apache Group):
o added diff between mod_rewrite 3.0.6+ and 3.0.9
minus WIN32/NT stuff, but plus copyright removement.
In detail:
- workaround for detecting infinite rewriting loops
- fixed setting of env vars when "-" is used as subst string
- fixed forced response code on redirects (PR#777)
- fixed cases where r->args is ""
- kludge to disable locking on pipes under braindead SunOS
- fix for rewritelog in cases where remote hostname is unknown
- fixed totally damaged request_rec walk-back loop
o remove static from local data and add static to global ones.
o replaced ugly proxy finding stuff by simple
find_linked_module("mod_proxy") call.
o added missing negation char on rewritelog()
o fixed a few comment typos
[Ralf S. Engelschall]
*) Anonymous_LogEmail was logging on each subrequest.
[Dean Gaudet] PR#421, PR#868
*) "force-response-1.0" now only applies to requests which are HTTP/1.0 to
begin with. "nokeepalive" now works for HTTP/1.1 clients. Added
"downgrade-1.0" which causes Apache to pretend it received a 1.0.
Additionally mod_browser now triggers during translate_name to workaround
a deficiency in the header_parse phase.
[Dean Gaudet] PR#875
*) get_client_block() returns wrong length if policy is
REQUEST_CHUNKED_DECHUNK.
[Kenichi Hori <ken@d2.bs1.fc.nec.co.jp>] PR#815
*) Properly treat <files> container like other containers in mod_info.
[Marc Slemko] PR#848
*) The proxy didn't treat the "Host:" keyword of the host header as case-
insensitive. The proxy would corrupt the first line of a response from
an HTTP/0.9 server. [Kenichi Hori <ken@d2.bs1.fc.nec.co.jp>] PR#813,814
*) mod_include would log some bogus values occasionally.
[Skip Montanaro <skip@calendar.com>, Marc Slemko] PR#797
*) PORT: The slack fd changes in 1.2.1 introduced a problem with SIGHUP
under Solaris 2.x (up through 2.5.1). It has been fixed.
[Dean Gaudet] PR#832
*) API: In HTTP/1.1, whether or not a request message contains a body
is independent of the request method and based solely on the presence
of a Content-Length or Transfer-Encoding. Therefore, our default
handlers need to be prepared to read a body even if they don't know
what to do with it; otherwise, the body would be mistaken for the
next request on a persistent connection. discard_request_body()
has been added to take care of that. [Roy Fielding] PR#378
*) API: Symbol APACHE_RELEASE provides a numeric form of the Apache
release version number, such that it always increases along the
same lines as our source code branching. [Roy Fielding]
*) Minor oversight on multiple variants fixed. [Paul Sutton] PR#94
Changes with Apache 1.2.1
*) SECURITY: Don't serve file system objects unless they are plain files,
symlinks, or directories. This prevents local users from using pipes
or named sockets to invoke programs for an extremely crude form of
CGI. [Dean Gaudet]
*) SECURITY: HeaderName and ReadmeName were settable in .htaccess and
could contain "../" allowing a local user to "publish" any file on
the system. No slashes are allowed now. [Dean Gaudet]
*) SECURITY: It was possible to violate the symlink Options using mod_dir
(headers, readmes, titles), mod_negotiation (type maps), or
mod_cern_meta (meta files). [Dean Gaudet]
*) SECURITY: Apache will refuse to run as "User root" unless
BIG_SECURITY_HOLE is defined at compile time. [Dean Gaudet]
*) CONFIG: If a symlink pointed to a directory then it would be disallowed
if it contained a .htaccess disallowing symlinks. This is contrary
to the rule that symlink permissions are tested with the symlink
options of the parent directory. [Dean Gaudet] PR#353
*) CONFIG: The LockFile directive can be used to place the serializing
lockfile in any location. It previously defaulted to /usr/tmp/htlock.
[Somehow it took four of us: Randy Terbush, Jim Jagielski, Dean Gaudet,
Marc Slemko]
*) Request processing now retains state of whether or not the request
body has been read, so that internal redirects and subrequests will
not try to read it twice (and block). [Roy Fielding]
*) Add a placeholder in modules/Makefile to avoid errors with certain
makes. [Marc Slemko]
*) QUERY_STRING was unescaped in mod_include, it shouldn't be.
[Dean Gaudet] PR#644
*) mod_include was not properly changing the current directory.
[Marc Slemko] PR#742
*) Attempt to work around problems with third party libraries that do not
handle high numbered descriptors (examples include bind, and
solaris libc). On all systems apache attempts to keep all permanent
descriptors above 15 (called the low slack line). Solaris users
can also benefit from adding -DHIGH_SLACK_LINE=256 to EXTRA_CFLAGS
which keeps all non-FILE * descriptors above 255. On all systems
this should make supporting large numbers of vhosts with many open
log files more feasible. If this causes trouble please report it,
you can disable this workaround by adding -DNO_SLACK to EXTRA_CFLAGS.
[Dean Gaudet] various PRs
*) Related to the last entry, network sockets are now opened before
log files are opened. The only known case where this can cause
problems is under Solaris with many virtualhosts and many Listen
directives. But using -DHIGH_SLACK_LINE=256 described above will
work around this problem. [Dean Gaudet]
*) USE_FLOCK_SERIALIZED_ACCEPT is now default for FreeBSD, A/UX, and
SunOS 4.
*) Improved unix error response logging. [Marc Slemko]
*) Update mod_rewrite from 3.0.5 to 3.0.6. New ruleflag
QSA=query_string_append. Also fixed a nasty bug in per-dir context:
when a URL http://... was used in conjunction with a special
redirect flag, e.g. R=permanent, the permanent status was lost.
[Ronald Tschalaer <Ronald.Tschalaer@psi.ch>, Ralf S. Engelschall]
*) If an object has multiple variants that are otherwise equal Apache
would prefer the last listed variant rather than the first.
[Paul Sutton] PR#94
*) "make clean" at the top level now removes *.o. [Dean Gaudet] PR#752
*) mod_status dumps core in inetd mode. [Marc Slemko and Roy Fielding]
PR#566
*) pregsub had an off-by-1 in its error checking code. [Alexei Kosut]
*) PORT: fix rlim_t problems with AIX 4.2. [Marc Slemko] PR#333
*) PORT: Update UnixWare support for 2.1.2.
[Lawrence Rosenman <ler@lerctr.org>] PR#511
*) PORT: NonStop-UX [Joachim Schmitz <schmitz_joachim@tandem.com>] PR#327
*) PORT: Update ConvexOS support for 11.5.
[David DeSimone <fox@convex.com>] PR#399
*) PORT: Support for DEC cc compiler under ULTRIX.
["P. Alejandro Lopez-Valencia" <alejolo@ideam.gov.co>] PR#388
*) PORT: Support for Maxion/OS SVR4.2 Real Time Unix. [no name given] PR#383
*) PORT: Workaround for AIX 3.x compiler bug in http_bprintf.c.
[Marc Slemko] PR#725
*) PORT: fix problem compiling http_bprintf.c with gcc under SCO
[Marc Slemko] PR#695
Changes with Apache 1.2
Changes with Apache 1.2b11
*) Fixed open timestamp fd in proxy_cache.c [Chuck Murcko]
*) Added undocumented perl SSI mechanism for -DUSE_PERL_SSI and mod_perl.
[Doug MacEachern, Rob Hartill]
*) Proxy needs to use hard_timeout instead of soft_timeout when it is
reading from one buffer and writing to another, at least until it has
a custom timeout handler. [Roy Fielding and Petr Lampa]
*) Fixed problem on IRIX with servers hanging in IdentityCheck,
apparently due to a mismatch between sigaction and setjmp.
[Roy Fielding] PR#502
*) Log correct status code if we timeout before receiving a request (408)
or if we received a request-line that was too long to process (414).
[Ed Korthof and Roy Fielding] PR#601
*) Virtual hosts with the same ServerName, but on different ports, were
not being selected properly. [Ed Korthof]
*) Added code to return the requested IP address from proxy_host2addr()
if gethostbyaddr() fails due to reverse DNS lookup problems. Original
change submitted by Jozsef Hollosi <hollosi@sbcm.com>.
[Chuck Murcko] PR#614
*) If multiple requests on a single connection are used to retrieve
data from different virtual hosts, the virtual host list would be
scanned starting with the most recently used VH instead of the first,
causing most virtual hosts to be ignored.
[Paul Sutton and Martin Mares] PR#610
*) The OS/2 handling of process group was broken by a porting patch for
MPE, so restored prior code for OS/2. [Roy Fielding and Garey Smiley]
*) Inherit virtual server port from main server if none (or "*") is
given for VirtualHost. [Dean Gaudet] PR#576
*) If the lookup for a DirectoryIndex name with content negotiation
has found matching variants, but none are acceptable, return the
negotiation result if there are no more DirectoryIndex names to lookup.
[Petr Lampa and Roy Fielding]
*) If a soft_timeout occurs after keepalive is set, then the main child
loop would try to read another request even though the connection
has been aborted. [Roy Fielding]
*) Configure changes: Allow for whitespace at the start of a
Module declaration. Also, be more understanding about the
CC=/OPTIM= format in Configuration. Finally, fix compiler
flags if using HP-UX's cc compiler. [Jim Jagielski]
*) Subrequests and internal redirects now inherit the_request from the
original request-line. [Roy Fielding]
*) Test for error conditions before creating output header fields, since
we don't want the error message to include those fields. Likewise,
reset the content_language(s) and content_encoding of the response
before generating or redirecting to an error message, since the new
message will have its own Content-* definitions. [Dean Gaudet]
*) Restored the semantics of headers_out (headers sent only with 200..299
and 304 responses) and err_headers_out (headers sent with all responses).
Avoid the overhead of copying tables if err_headers_out is empty
(the usual case). [Roy Fielding]
*) Fixed a couple places where a check for the default Content-Type was
not properly checking both the value configured by the DefaultType
directive and the DEFAULT_TYPE symbol in httpd.h. Changed the value
of DEFAULT_TYPE to match the documented default (text/plain).
[Dean Gaudet] PR#506
*) Escape the HTML-sensitive characters in the Request-URI that is
output for each child by mod_status. [Dean Gaudet and Ken Coar] PR#501
*) Properly initialize the flock structures used by the mutex locking
around accept() when USE_FCNTL_SERIALIZED_ACCEPT is defined.
[Marc Slemko]
*) The method for determining PATH_INFO has been restored to the pre-1.2b
(and NCSA httpd) definition wherein it was the extra path info beyond
the CGI script filename. The environment variable FILEPATH_INFO has
been removed, and instead we supply the original REQUEST_URI to any
script that wants to be Apache-specific and needs the real URI path.
This solves a problem with existing scripts that use extra path info
in the ScriptAlias directive to pass options to the CGI script.
[Roy Fielding]
*) The _default_ change in 1.2b10 will change the behaviour on configs
that use multiple Listen statements for listening on multiple ports.
But that change is necessary to make _default_ consistent with other
forms of <VirtualHost>. It requires such configs to be modified
to use <VirtualHost _default_:*>. The documentation has been
updated. [Dean Gaudet] PR#530
*) If an ErrorDocument CGI script is used to respond to an error
generated by another CGI script which has already read the message
body of the request, the server would block trying to read the
message body again. [Rob Hartill]
*) signal() replacement conflicted with a define on QNX (and potentially
other platforms). Fixed. [Ben Laurie] PR#512
Changes with Apache 1.2b10
*) Allow HTTPD_ROOT, SERVER_CONFIG_FILE, DEFAULT_PATH, and SHELL_PATH
to be configured via -D in Configuration. [Dean Gaudet] PR#449
*) <VirtualHost _default_:portnum> didn't work properly. [Dean Gaudet]
*) Added prototype for mktemp() for SUNOS4 [Marc Slemko]
*) In mod_proxy.c, check return values for proxy_host2addr() when reading
config, in case the hostent struct returned is trash.
[Chuck Murcko] PR #491
*) Fixed the fix in 1.2b9 for parsing URL query info into args for CGI
scripts. [Dean Gaudet, Roy Fielding, Marc Slemko]
Changes with Apache 1.2b9 [never announced]
*) Reset the MODULE_MAGIC_NUMBER to account for the unsigned port
changes and in anticipation of 1.2 final release. [Roy Fielding]
*) Fix problem with scripts not receiving a SIGPIPE when client drops
the connection (e.g., when user presses Stop). Apache will now stop
trying to send a message body immediately after an error from write.
[Roy Fielding and Nathan Kurz] PR#335
*) Rearrange Configuration.tmpl so that mod_rewrite has higher priority
than mod_alias, and mod_alias has higher priority than mod_proxy;
rearranged other modules to enhance understanding of their purpose
and relative order (and maybe even reduce some overhead).
[Roy Fielding and Sameer Parekh]
*) Fix graceful restart. Eliminate many signal-related race
conditions in both forms of restart, and in SIGTERM. See
htdocs/manual/stopping.html for details on stopping and
restarting the parent. [Dean Gaudet]
*) Fix memory leaks in mod_rewrite, mod_browser, mod_include. Tune
memory allocator to avoid a behaviour that required extra blocks to
be allocated. [Dean Gaudet]
*) Allow suexec to access files relative to current directory but not
above. (Excluding leading / or any .. directory.) [Ken Coar]
PR#269, 319, 395
*) Fix suexec segfault when group doesn't exist. [Gregory Neil Shapiro]
PR#367, 368, 354, 453
*) Fix the above fix: if suexec is enabled, avoid destroying r->url
while obtaining the /~user and save the username in a separate data
area so that it won't be overwritten by the call to getgrgid(), and
fix some misuse of the pool string allocation functions. Also fixes
a general problem with parsing URL query info into args for CGI scripts.
[Roy Fielding] PR#339, 367, 354, 453
*) Fix IRIX warning about bzero undefined. [Marc Slemko]
*) Fix problem with <Directory proxy:...>. [Martin Kraemer] PR#271
*) Corrected spelling of "authoritative". AuthDBAuthoratative became
AuthDBAuthoritative. [Marc Slemko] PR#420
*) MaxClients should be at least 1. [Lars Eilebrecht] PR#375
*) The default handler now logs invalid methods or URIs (i.e. PUT on an
object that can't be PUT, or FOOBAR for some method FOOBAR that
apache doesn't know about at all). Log 404s that occur in mod_include.
[Paul Sutton, John Van Essen]
*) If a soft timeout (or lingerout) occurs while trying to flush a
buffer or write inside buff.c or fread'ing from a CGI's output,
then the timeout would be ignored. [Roy Fielding] PR#373
*) Work around a bug in Netscape Navigator versions 2.x, 3.x and 4.0b2's
parsing of headers. If the terminating empty-line CRLF occurs starting
at the 256th or 257th byte of output, then Navigator will think a normal
image is invalid. We are guessing that this is because their initial
read of a new request uses a 256 byte buffer. We check the bytes written
so far and, if we are about to tickle the bug, we instead insert a
padding header of eminent bogosity. [Roy Fielding and Dean Gaudet] PR#232
*) Fixed SIGSEGV problem when a DirectoryIndex file is also the source
of an external redirection. [Roy Fielding and Paul Sutton]
*) Configure would create a broken Makefile if the configuration file
contained a commented-out Rule. [Roy Fielding]
*) Promote per_dir_config and subprocess_env from the subrequest to the
main request in mod_negotiation. In particular this fixes a bug
where <Files> sections wouldn't properly apply to negotiated content.
[Dean Gaudet]
*) Fix a potential deadlock in mod_cgi script_err handling.
[Ralf S. Engelschall]
*) rotatelogs zero-pads the logfile names to improve alphabetic sorting.
[Mitchell Blank Jr]
*) Updated mod_rewrite to 3.0.4: Fixes HTTP redirects from within
.htaccess files because the RewriteBase was not replaced correctly.
Updated mod_rewrite to 3.0.5: Fixes problem with rewriting inside
<Directory> sections missing a trailing /. [Ralf S. Engelschall]
*) Clean up Linux settings in conf.h by detecting 2.x versus 1.x. For
1.x the settings are those of pre-1.2b8. For 2.x we include
USE_SHMGET_SCOREBOARD (scoreboard in shared memory rather than file) and
HAVE_SYS_RESOURCE_H (enable the RLimit commands).
[Dean Gaudet] PR#336, PR#340
*) Redirect did not preserve ?query_strings when present in the client's
request. [Dean Gaudet]
*) Configure was finding non-modules on EXTRA_LIBS. [Frank Cringle] PR#380
*) Use /bin/sh5 on ULTRIX. [P. Alejandro Lopez-Valencia] PR#369
*) Add UnixWare compile/install instructions. [Chuck Murcko]
*) Add mod_example (illustration of API techniques). [Ken Coar]
*) Add macro for memmove to conf.h for SUNOS4. [Marc Slemko]
*) Improve handling of directories when filenames have spaces in them.
[Chuck Murcko]
*) For hosts with multiple IP addresses, try all additional addresses if
necessary to get a connect. Fail only if hostent address list is
exhausted. [Chuck Murcko]
*) More signed/unsigned port fixes. [Dean Gaudet]
*) HARD_SERVER_LIMIT can be defined in the Configuration file now.
[Dean Gaudet]
Changes with Apache 1.2b8
*) suexec.c doesn't close the log file, allowing CGIs to continue writing
to it. [Marc Slemko]
*) The addition of <Location> and <File> directives made the
sub_req_lookup_simple() function bogus, so we now handle
the special cases directly. [Dean Gaudet]
*) We now try to log where the server is dumping core when a fatal
signal is received. [Ken Coar]
*) Improved lingering_close by adding a special timeout, removing the
spurious log messages, removing the nonblocking settings (they
are not needed with the better timeout), and adding commentary
about the NO_LINGCLOSE and USE_SO_LINGER issues. NO_LINGCLOSE is
now the default for SunOS4, UnixWare, NeXT, and IRIX. [Roy Fielding]
*) Send error messages about setsockopt failures to the server error
log instead of stderr. [Roy Fielding]
*) Fix loopholes in proxy cache expiry vis a vis alarms. [Brian Moore]
*) Stopgap solution for CGI 3-second delay with server-side includes: if
processing a subrequest, allocate memory from r->main->pool instead
of r->pool so that we can avoid waiting for free_proc_chain to cleanup
in the middle of an SSI request. [Dean Gaudet] PR #122
*) Fixed status of response when POST is received for a nonexistent URL
(was sending 405, now 404) and when any method is sent with a
full-URI that doesn't match the server and the server is not acting
as a proxy (was sending 501, now 403). [Roy Fielding]
*) Host port changed to unsigned short. [Ken Coar] PR #276
*) Fix typo in command definition of AuthAuthoritative. [Ken Coar] PR #246
*) Defined USE_SHMGET_SCOREBOARD for shared memory on Linux. [Dean Gaudet]
*) Report extra info from errno with many errors that cause httpd to exit.
spawn_child, popenf, and pclosef now have valid errno returns in the
event of an error. Correct problems where errno was stomped on
before being reported. [Dean Gaudet]
*) In the proxy, if the cache filesystem was full, garbage_coll() was
never called, and thus the filesystem would remain full indefinitely.
We now also remove incomplete cache files left if the origin server
didn't send a Content-Length header and either the client has aborted
transfer or bwrite() to client has failed. [Petr Lampa]
*) Fixed the handling of module and script-added header fields.
Improved the interface for sending header fields and reduced
the duplication of code between sending okay responses and errors.
We now always send both headers_out and err_headers_out, and
ensure that the server-reserved fields are not being overridden,
while not overriding those that are not reserved. [Roy Fielding]
*) Moved transparent content negotiation fields to err_headers_out
to reflect above changes. [Petr Lampa]
*) Fixed the determination of whether or not we should make the
connection persistent for all of the cases where some other part
of the server has already indicated that we should not. Also
improved the ordering of the test so that chunked encoding will
be set whenever it is desired instead of only when KeepAlive
is enabled. Added persistent connection capability for most error
responses (those that do not indicate a bad input stream) when
accessed by an HTTP/1.1 client. [Roy Fielding]
*) Added missing timeouts for sending header fields, error responses,
and the last chunk of chunked encoding, each of which could have
resulted in a process being stuck in write forever. Using soft_timeout
requires that the sender check for an aborted connection rather than
continuing after an EINTR. Timeouts that used to be initiated before
send_http_header (and never killed) are now initiated only within or
around the routines that actually do the sending, and not allowed to
propagate above the caller. [Roy Fielding]
*) mod_auth_anon required an @ or a . in the email address, not both.
[Dirk vanGulik]
*) per_dir_defaults weren't set correctly until directory_walk for
name-based vhosts. This fixes an obscure bug with the wrong config
info being used for vhosts that share the same ip as the server.
[Dean Gaudet]
*) Improved generation of modules/Makefile to be more generic for
new module directories. [Ken Coar, Chuck Murcko, Roy Fielding]
*) Generate makefile dependency for Configuration based on the actual
name given when running the Configure process. [Dean Gaudet]
*) Fixed problem with vhost error log not being set prior to
initializing virtual hosts. [Dean Gaudet]
*) Fixed infinite loop when a trailing slash is included after a type map
file URL (extra path info). [Petr Lampa]
*) Fixed server status updating of per-connection counters. [Roy Fielding]
*) Add documentation for DNS issues (reliability and security), and try
to explain the virtual host matching process. [Dean Gaudet]
*) Try to continue gracefully by disabling the vhost if a DNS lookup
fails while parsing the configuration file. [Dean Gaudet]
*) Improved calls to setsockopt. [Roy Fielding]
*) Negotiation changes: Don't output empty content-type in variant list;
Output charset in variant list; Return sooner from handle_multi() if
no variants found; Add handling of '*' wildcard in Accept-Charset.
[Petr Lampa and Paul Sutton]
*) Fixed overlaying of request/sub-request notes and headers in
mod_negotiation. [Dean Gaudet]
*) If two variants' charset quality are equal and one is the default
charset (iso-8859-1), then prefer the variant that was specifically
listed in Accept-Charset instead of the default. [Petr Lampa]
*) Memory allocation problem in push_array() -- it would corrupt memory
when nalloc==0. [Kai Risku <krisku@tf.hut.fi> and Roy Fielding]
*) invoke_handler() doesn't handle mime arguments in content-type
[Petr Lampa] PR#160
*) Reduced IdentityCheck timeout to 30 seconds, as per RFC 1413 minimum.
[Ken Coar]
*) Fixed problem with ErrorDocument not working for virtual hosts
due to one of the performance changes in 1.2b7. [Dean Gaudet]
*) Log an error message if we get a request header that is too long,
since it may indicate a buffer overflow attack. [Marc Slemko]
*) Made is_url() allow "[-.+a-zA-Z0-9]+:" as a valid scheme and
not reject URLs without a double-slash, as per RFC2068 section 3.2.
[Ken Coar] PR #146, #187
*) Added table entry placeholder for new header_parser callback
in all of the distributed modules. [Ken Coar] PR #191
*) Allow for cgi files without the .EXE extension on them under OS/2.
[Garey Smiley] PR #59
*) Fixed error message when resource is not found and URL contains
path info. [Petr Lampa and Dean Gaudet] PR #40
*) Fixed user and server confusion over what should be a virtual host
and what is the main server, resulting in access to something
other than the name defined in the virtualhost directive (but
with the same IP address) failing. [Dean Gaudet]
*) Updated mod_rewrite to version 3.0.2, which: fixes compile error on
AIX; improves the redirection stuff to enable the users to generally
redirect to http, https, gopher and ftp; added TIME variable for
RewriteCond which expands to YYYYMMDDHHMMSS strings and added the
special patterns >STRING, <STRING and =STRING to RewriteCond, which
can be used in conjunction with %{TIME} or other variables to create
time-dependent rewriting rules. [Ralf S. Engelschall]
*) bpushfd() no longer notes cleanups for the file descriptors it is handed.
Module authors may need to adjust their code for proper cleanup to take
place (that is, call note_cleanups_for_fd()). This change fixes problems
with file descriptors being erroneously closed when the proxy module was
in use. [Ben Laurie]
*) Fix bug in suexec reintroduced by changes in 1.2b7 which allows
initgroups() to hose the group information needed for later
comparisons. [Randy Terbush]
*) Remove unnecessary call to va_end() in create_argv() which
caused a SEGV on some systems.
*) Use proper MAXHOSTNAMELEN symbol for limiting length of server name.
[Dean Gaudet]
*) Clear memory allocated for listeners. [Randy Terbush]
*) Improved handling of IP address as a virtualhost address and
introduced "_default_" as a synonym for the default vhost config.
[Dean Gaudet] PR #212
Changes with Apache 1.2b7
*) Port to UXP/DS(V20) [Toshiaki Nomura <nom@yk.fujitsu.co.jp>]
*) unset Content-Length if chunked (RFC-2068) [Petr Lampa]
*) mod_negotiation fixes [Petr Lampa] PR#157, PR#158, PR#159
- replace protocol response numbers with symbols
- save variant-list into main request notes
- free allocated memory from subrequests
- merge notes, headers_out and err_headers_out
*) changed status check mask in proxy_http.c from "HTTP/#.# ### *" to
"HTTP/#.# ###*" to be more lenient about what we accept.
[Chuck Murcko]
*) more proxy FTP bug fixes:
- Changed send_dir() to remove user/passwd from displayed URL.
- Changed login error messages to be more descriptive.
- remove setting of SO_DEBUG socket option
- Make ftp_getrc() more lenient about multiline responses,
specifically, 230 responses which don't have continuation 230-
on each line). These seem to be all NT FTP servers, and while
perhaps questionable, they appear to be legal by RFC 959.
- Add missing kill_timeout() after transfer to user completes.
[Chuck Murcko]
*) Fixed problem where a busy server could hang when restarting
after being sent a SIGHUP due to child processes not exiting.
[Marc Slemko]
*) Modify mod_include escaping so a '\' only signifies an escaped
character if the next character is one that needs
escaping. [Ben Laurie]
*) Eliminated possible infinite loop in mod_imap when relative URLs are
used with a 'base' directive that does not have a '/' in it.
[Marc Slemko, reported by Onno Witvliet <onno@tc.hsa.nl>]
*) Reduced the default timeout from 1200 seconds to 300, and the
one in the sample configfile from 400 to 300. [Marc Slemko]
*) Stop vbprintf from crashing if given a NULL string pointer;
print (null) instead. [Ken Coar]
*) Don't disable Nagle algorithm if system doesn't have TCP_NODELAY.
[Marc Slemko and Roy Fielding]
*) Fixed problem with mod_cgi-generated internal redirects trying to
read the request message-body twice. [Archie Cobbs and Roy Fielding]
*) Reduced timeout on lingering close, removed possibility of a blocked
read causing the child to hang, and stopped logging of errors if
the socket is not connected (reset by client). [Roy Fielding]
*) Rearranged main child loop to remove duplication of code in
select/accept and keep-alive requests, fixed several bugs regarding
checking scoreboard_image for exit indication and failure to
account for all success conditions and trap all error conditions,
prevented multiple flushes before closing the socket; close the entire
socket buffer instead of just one descriptor, prevent logging of
EPROTO and ECONNABORTED on platforms where supported, and generally
improved readability. [Roy Fielding]
*) Extensive performance improvements. Cleaned up inefficient use of
auto initializers, multiple is_matchexp calls on a static string,
and excessive merging of response_code_strings. [Dean Gaudet]
*) Added double-buffering to mod_include to improve performance on
server-side includes. [Marc Slemko]
*) Several fixes for suexec wrapper. [Randy Terbush]
- Make wrapper work for files on NFS filesystem.
- Fix portability problem of MAXPATHLEN.
- Fix array overrun problem in clean_env().
- Fix allocation of PATH environment variable
*) Removed extraneous blank line is description of mod_status chars.
[Kurt Kohler]
*) Logging of errors from the call_exec routine simply went nowhere,
since the logfile fd has been closed, so now we send them to stderr.
[Harald T. Alvestrand]
*) Fixed core dump when DocumentRoot is a CGI.
[Ben Laurie, reported by geddis@tesserae.com]
*) Fixed potential file descriptor leak in mod_asis; updated it and
http_core to use pfopen/pfclose instead of fopen/fclose.
[Randy Terbush and Roy Fielding]
*) Fixed handling of unsigned ints in ap_snprintf() on some chips such
as the DEC Alpha which is 64-bit but uses 32-bit ints.
[Dean Gaudet and Ken Coar]
*) Return a 302 response code to the client when sending a redirect
due to a missing trailing '/' on a directory instead of a 301; now
it is cacheable. [Markus Gyger]
*) Fix condition where, if a bad directive occurs in .htaccess, and
sub_request() goes first to this directory, then log_reason() will
SIGSEGV because it doesn't have initialized r->per_dir_config.
[PR#162 from Petr Lampa, fix by Marc Slemko and Dean Gaudet]
*) Fix handling of lang_index in is_variant_better(). This was
causing problems which resulted in the server sending the
wrong language document in some cases. [Petr Lampa]
*) Remove free() from clean_env() in suexec wrapper. This was nuking
the clean environment on some systems.
*) Tweak byteserving code (e.g. serving PDF files) to work around
bugs in Netscape Navigator and Microsoft Internet Explorer.
Emit Content-Length header when sending multipart/byteranges.
[Alexei Kosut]
*) Port to HI-UX/WE2. [Nick Maclaren]
*) Port to HP MPE operating system for HP 3000 machines
[Mark Bixby <markb@cccd.edu>]
*) Fixed bug which caused a segmentation fault if only one argument
given to RLimit* directives. [Ed Korthof]
*) Continue persistent connection after 204 or 304 response. [Dean Gaudet]
*) Improved buffered output to the client by delaying the flush decision
until the BUFF code is actually about to read the next request.
This fixes a problem introduced in 1.2b5 with clients that send
an extra CRLF after a POST request. Also improved chunked output
performance by combining writes using writev() and removing as
many bflush() calls as possible. NOTE: Platforms without writev()
must add -DNO_WRITEV to the compiler CFLAGS, either in Configuration
or Configure, unless we have already done so. [Dean Gaudet]
*) Fixed mod_rewrite bug which truncated the rewritten URL [Marc Slemko]
*) Fixed mod_info output corruption bug introduced by buffer overflow
fixes. [Dean Gaudet]
*) Fixed http_protocol to correctly output all HTTP/1.1 headers, including
for the special case of a 304 response. [Paul Sutton]
*) Improved handling of TRACE method by bypassing normal method handling
and header parsing routines; fixed Allow response to always allow TRACE.
[Dean Gaudet]
*) Fixed compiler warnings in the regex library. [Dean Gaudet]
*) Cleaned-up some of the generated HTML. [Ken Coar]
Changes with Apache 1.2b6
*) Allow whitespace in imagemap mapfile coordinates. [Marc Slemko]
*) Fix typo introduced in fix for potential infinite loop around
accept() in child_main(). This change caused the rev to 1.2b6.
1.2b5 was never a public beta.
Changes with Apache 1.2b5
*) Change KeepAlive semantics (On|Off instead of a number), add
MaxKeepAliveRequests directive. [Alexei Kosut]
*) Various NeXT compilation patches, as well as a change in
regex/regcomp.c since that file also used a NEXT define.
[Andreas Koenig]
*) Allow * to terminate the end of a directory match in mod_dir.
Allows /~* to match for both /~joe and /~joe/. [David Bronder]
*) Don't call can_exec() if suexec_enabled. Calling this requires
scripts executed by the suexec wrapper to be world executable, which
defeats one of the advantages of running the wrapper. [Randy Terbush]
*) Portability Fix: IRIX complained with 'make clean' about *pure* (removed)
[Jim Jagielski]
*) Migration from sprintf() to snprintf() to avoid buffer
overflows. [Marc Slemko]
*) Provide portable snprintf() implementation (ap_snprintf)
as well as *cvt family. [Jim Jagielski]
*) Portability Fix: NeXT lacks unistd.h so we wrap it's inclusion
[Jim Jagielski]
*) Remove mod_fastcgi.c from the distribution. This module appears
to be maintained more through the Open Market channels and should
continue to be easily available at http://www.fastcgi.com/
*) Fixed bug in modules/Makefile that wouldn't allow building in more
than one subdirectory (or cleaning, either). [Jeremy Laidman]
*) mod_info assumed that the config files were relative to ServerRoot.
[Ken the Rodent]
*) CGI scripts called as an error document resulting from failed
CGI execution would hang waiting for POST'ed data. [Rob Hartill]
*) Log reason when mod_dir returns access HTTP_FORBIDDEN
[Ken the Rodent]
*) Properly check errno to prevent display of a directory index
when server receives a long enough URL to confuse stat().
[Marc Slemko]
*) Several security enhancements to suexec wrapper. It is _highly_
recommended that previously installed versions of the wrapper
be replaced with this version. [Randy Terbush, Jason Dour]
- ~user execution now properly restricted to ~user's home
directory and below.
- execution restricted to UID/GID > 100
- restrict passed environment to known variables
- call setgid() before initgroups() (portability fix)
- remove use of setenv() (portability fix)
*) Add HTTP/1.0 response forcing. [Ben Laurie]
*) Add access control via environment variables. [Ben Laurie]
*) Add rflush() function. [Alexei Kosut]
*) remove duplicate pcalloc() call in new_connection().
*) Fix incorrect comparison which could allow number of children =
MaxClients + 1 if less than HARD_SERVER_LIMIT. Also fix potential
problem if StartServers > HARD_SERVER_LIMIT. [Ed Korthof]
*) Updated support for OSes (MachTen, ULTRIX, Paragon, ISC, OpenBSD
AIX PS/2, CONVEXOS. [Jim Jagielski]
*) Replace instances of inet_ntoa() with inet_addr() for ProxyBlock.
It's more portable. [Martin Kraemer]
*) Replace references to make in Makefile.tmpl with $(MAKE).
[Chuck Murcko]
*) Add ProxyBlock directive w/IP address caching. Add IP address
caching to NoCache directive as well. ProxyBlock works with all
handlers; NoCache now also works with FTP for anonymous logins.
Still more code cleanup. [Chuck Murcko]
*) Add "header parse" API hook [Ben Laurie]
*) Fix byte ordering problems for REMOTE_PORT [Chuck Murcko]
*) suEXEC wrapper was freeing memory that had not been malloc'ed.
*) Correctly allow access and auth directives in <Files> sections in
server config files. [Alexei Kosut]