Skip to content
CHANGES 663 KiB
Newer Older
Bill Stoddard's avatar
Bill Stoddard committed
     AcceptEx failed messages.
     [Allan Edwards, Bill Rowe, Bill Stoddard, Jeff Trawick]

Andre Malo's avatar
Andre Malo committed
  *) Make REMOTE_PORT variable available in mod_rewrite.
Andre Malo's avatar
Andre Malo committed

Jeff Trawick's avatar
Jeff Trawick committed
  *) Fix a long delay with CGI requests and keepalive connections on
     AIX.  [Jeff Trawick]

Andre Malo's avatar
Andre Malo committed
  *) mod_autoindex: Add 'XHTML' option in order to allow switching between
     HTML 3.2 and XHTML 1.0 output. PR 23747.  [André Malo]
Andre Malo's avatar
Andre Malo committed

  *) Add XHTML Document Type Definitions to httpd.h (minor MMN bump).
Andre Malo's avatar
Andre Malo committed

Joe Orton's avatar
Joe Orton committed
  *) mod_ssl: Advertise SSL library version as determined at run-time rather
     than at compile-time.  PR 23956.  [Eric Seidel <seidel apple.com>]

  *) mod_ssl: Fix segfault on a non-SSL request if the 'c' log
     format code is used.  PR 22741.  [Gary E. Miller <gem rellim.com>]

  *) Fix build with parallel make.  PR 24643.  [Joe Orton]

Andre Malo's avatar
Andre Malo committed
  *) mod_rewrite: In external rewrite maps lookup keys containing
     a newline now cause a lookup failure. PR 14453.
     [Cedric Gavage <cedric.gavage unixtech.be>, André Malo]
Andre Malo's avatar
Andre Malo committed

  *) Backport major overhaul of mod_include's filter parser from 2.1.
     The new parser code is expected to be more robust and should
     catch all of the edge cases that were not handled by the previous one.
     The 2.1 external API changes were hidden by a wrapper which is
     expected to keep the API backwards compatible.  [André Malo]
Andre Malo's avatar
Andre Malo committed

Paul J. Reder's avatar
 
Paul J. Reder committed
  *) Add a hook (insert_error_filter) to allow filters to re-insert
     themselves during processing of error responses. Enable mod_expires
     to use the new hook to include Expires headers in valid error
     responses. This addresses an RFC violation. It fixes PRs 19794,
     24884, and 25123. [Paul J. Reder]

Jeff Trawick's avatar
Jeff Trawick committed
  *) Add Polish translation of error messages.  PR 25101.
     [Tomasz Kepczynski <tomek jot23.org>]

Jeff Trawick's avatar
Jeff Trawick committed
  *) Add AP_MPMQ_MPM_STATE function code for ap_mpm_query. (Not yet
Jeff Trawick's avatar
Jeff Trawick committed
     supported for BeOS or OS/2 MPMs.)  [Jeff Trawick, Brad Nicholes,
     Bill Stoddard]
Jeff Trawick's avatar
Jeff Trawick committed

  *) Add mod_status hook to allow modules to add to the mod_status
     report.  [Joe Orton]

Justin Erenkrantz's avatar
Justin Erenkrantz committed
  *) Fix htdbm to generate comment fields in DBM files correctly.
     [Justin Erenkrantz]

  *) mod_dav: Use bucket brigades when reading PUT data. This avoids
     problems if the data stream is modified by an input filter. PR 22104.
     [Tim Robbins <tim robbins.dropbear.id.au>, André Malo]
  *) Fix RewriteBase directive to not add double slashes.  [André Malo]
  *) Improve 'configure --help' output for some modules.  [Astrid Keßler]
Justin Erenkrantz's avatar
Justin Erenkrantz committed

  *) Correct UseCanonicalName Off to properly check incoming port number.
     [Jim Jagielski]

  *) Fix slow graceful restarts with prefork MPM.  [Joe Orton]

Jeff Trawick's avatar
Jeff Trawick committed
  *) Fix a problem with namespace mappings being dropped in mod_dav_fs;
     if any property values were set which defined namespaces these
Justin Erenkrantz's avatar
Justin Erenkrantz committed
     came out mangled in the PROPFIND response.  PR 11637.
     [Amit Athavale <amit_athavale persistent.co.in>]

  *) mod_dav: Return a WWW-auth header for MOVE/COPY requests where
     the destination resource gives a 401.  PR 15571.  [Joe Orton]

  *) SECURITY: CVE-2003-0020 (cve.mitre.org)
Andre Malo's avatar
Andre Malo committed
     Escape arbitrary data before writing into the errorlog. Unescaped
     errorlogs are still possible using the compile time switch
     "-DAP_UNSAFE_ERROR_LOG_UNESCAPED".  [Geoffrey Young, André Malo]
Andre Malo's avatar
Andre Malo committed

  *) mod_autoindex / core: Don't fail to show filenames containing
     special characters like '%'. PR 13598.  [André Malo]
Andre Malo's avatar
Andre Malo committed
 
Jeff Trawick's avatar
Jeff Trawick committed
  *) mod_status: Report total CPU time accurately when using a threaded
     MPM.  PR 23795.  [Jeff Trawick]

  *) Fix memory leak in handling of request bodies during reverse
     proxy operations.  PR 24991. [Larry Toppi <larry.toppi citrix.com>]

  *) Win32 MPM: Implement MaxMemFree to enable setting an upper
     limit on the amount of storage used by the bucket brigades
     in each server thread. [Bill Stoddard]
Paul J. Reder's avatar
 
Paul J. Reder committed
  *) Modified the cache code to be header-location agnostic. Also
     fixed a number of other cache code bugs related to PR 15852.
     Includes a patch submitted by Sushma Rai <rsushma novell.com>.
     This fixes mod_mem_cache but not mod_disk_cache yet so I'm not
     closing the PR since that is what they are using. [Paul J. Reder]

Stas Bekman's avatar
Stas Bekman committed
  *) complain via error_log when mod_include's INCLUDES filter is
     enabled, but the relevant Options flag allowing the filter to run
     for the specific resource wasn't set, so that the filter won't
     silently get skipped. next remove itself, so the warning will be
     logged only once [Stas Bekman, Jeff Trawick, Bill Rowe]

  *) mod_info: HTML escape configuration information so it displays 
     correctly. PR 24232. [Thom May]
     
  *) Restore the ability to add a description for directories that
     don't contain an index file.  (Broken in 2.0.48) [André Malo]

  *) Fix a problem with the display of empty variables ("SetEnv foo") in
     mod_include.  PR 24734  [Markus Julen <mj zermatt.net>]

Joe Orton's avatar
Joe Orton committed
  *) mod_log_config: Log the minutes component of the timezone correctly.
     PR 23642.  [Hong-Gunn Chew <hgbug gunnet.org>]

  *) mod_proxy: Fix cases where an invalid status-line could be sent 
     to the client.  PR 23998.  [Joe Orton]

  *) mod_ssl: Fix segfaults at startup if other modules which use OpenSSL
     are also loaded.  [Joe Orton]

  *) mod_ssl: Use human-readable OpenSSL error strings in logs; use
     thread-safe interface for retrieving error strings.  [Joe Orton]

Paul J. Reder's avatar
 
Paul J. Reder committed
  *) mod_expires: Initialize ExpiresDefault to NULL instead of "" to
     avoid reporting an Internal Server error if it is used without
     having been set in the httpd.conf file. PR: 23748, 24459
     [André Malo, Liam Quinn  <liam htmlhelp.com>]
Paul J. Reder's avatar
 
Paul J. Reder committed

Andre Malo's avatar
Andre Malo committed
  *) mod_autoindex: Don't omit the <tr> start tag if the SuppressIcon
     option is set. PR 21668.  [Jesse Tie-Ten-Quee <highos highos.com>]

  *) mod_include no longer allows an ETag header on 304 responses.
     PR 19355. [Geoffrey Young <geoff apache.org>, André Malo]
Andre Malo's avatar
Andre Malo committed

Jeff Trawick's avatar
Jeff Trawick committed
  *) EBCDIC: Convert header fields to ASCII before sending (broken
     since 2.0.44). [Martin Kraemer]

Jeff Trawick's avatar
Jeff Trawick committed
  *) Fix the inability to log errors like exec failure in
     mod_ext_filter/mod_cgi script children.  This was broken after 
     such children stopped inheriting the error log handle.  
     [Jeff Trawick]

Jeff Trawick's avatar
Jeff Trawick committed
  *) Fix mod_info to use the real config file name, not the default
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     config file name.  [Aryeh Katz <aryeh secured-services.com>]
Jeff Trawick's avatar
Jeff Trawick committed
  *) Set the scoreboard state to indicate logging prior to running 
     logging hooks so that server-status will show 'L' for hung loggers
     instead of 'W'.  [Jeff Trawick]

Changes with Apache 2.0.48
Sander Striker's avatar
Sander Striker committed

  *) SECURITY: CVE-2003-0789 (cve.mitre.org)
Joe Orton's avatar
Joe Orton committed
     mod_cgid: Resolve some mishandling of the AF_UNIX socket used to
     communicate with the cgid daemon and the CGI script.
     [Jeff Trawick]
  *) SECURITY: CVE-2003-0542 (cve.mitre.org)
Joe Orton's avatar
Joe Orton committed
     Fix buffer overflows in mod_alias and mod_rewrite which occurred
     if one configured a regular expression with more than 9 captures.
Andre Malo's avatar
Andre Malo committed
  *) mod_include: fix segfault which occured if the filename was not
     set, for example, when processing some error conditions.
     PR 23836.  [Brian Akins <bakins web.turner.com>, André Malo]
Andre Malo's avatar
Andre Malo committed

  *) fix the config parser to support <Foo>..</Foo> containers (no
     arguments in the opening tag) supported by httpd 1.3. Without
     this change mod_perl 2.0's <Perl> sections are broken.
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     ["Philippe M. Chiasson" <gozer cpan.org>]
  *) mod_cgid: fix a hash table corruption problem which could
     result in the wrong script being cleaned up at the end of a
     request.  [Jeff Trawick]

  *) Update httpd-*.conf to be clearer in describing the connection
     between AddType and AddEncoding for defining the meaning of
     compressed file extensions. [Roy Fielding]

Andre Malo's avatar
Andre Malo committed
  *) mod_rewrite: Don't die silently when failing to open RewriteLogs.
Andre Malo's avatar
Andre Malo committed

Paul J. Reder's avatar
 
Paul J. Reder committed
  *) mod_rewrite: Fix mod_rewrite's support of the [P] option to send
     rewritten request using "proxy:". The code was adding multiple "proxy:"
     fields in the rewritten URI. PR: 13946.
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     [Eider Oliveira <eider bol.com.br>]
Paul J. Reder's avatar
 
Paul J. Reder committed

Martin Kraemer's avatar
Martin Kraemer committed
  *) cache_util: Fix ap_check_cache_freshness to check max_age, smax_age, and
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     expires as directed in RFC 2616. [Thomas Castelle <tcastelle generali.fr>]
Paul J. Reder's avatar
 
Paul J. Reder committed

Thom May's avatar
Thom May committed
  *) Ensure that ssl-std.conf is generated at configure time, and switch
     to using the expanded config variables to work the same as
Andre Malo's avatar
Andre Malo committed
     httpd-std.conf PR: 19611
Thom May's avatar
Thom May committed
     [Thom May]

Sander Striker's avatar
Sander Striker committed
  *) mod_ssl: Fix segfaults after renegotiation failure. PR 21370
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     [Hartmut Keil <Hartmut.Keil adnovum.ch>]
Sander Striker's avatar
Sander Striker committed

Sander Striker's avatar
Sander Striker committed
  *) mod_autoindex: If a directory contains a file listed in the
     DirectoryIndex directive, the folder icon is no longer replaced
     by the icon of that file. PR 9587.
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     [David Shane Holden <dpejesh yahoo.com>]
Sander Striker's avatar
Sander Striker committed
  *) Fixed mod_usertrack to not get false positive matches on the
     user-tracking cookie's name.  PR 16661.
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     [Manni Wood <manniwood planet-save.com>]
Sander Striker's avatar
Sander Striker committed

Sander Striker's avatar
Sander Striker committed
  *) mod_cache: Fix the cache code so that responses can be cached
     if they have an Expires header but no Etag or Last-Modified
     headers. PR 23130.
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     [<bjorn exoweb.net>]
Sander Striker's avatar
Sander Striker committed

Andre Malo's avatar
Andre Malo committed
  *) mod_log_config: Fix %b log format to write really "-" when 0 bytes
     were sent (e.g. with 304 or 204 response codes).  [Astrid Keßler]
Andre Malo's avatar
Andre Malo committed

  *) Modify ap_get_client_block() to note if it has seen EOS.
     [Justin Erenkrantz]

  *) Fix a bug, where mod_deflate sometimes unconditionally compressed the
     content if the Accept-Encoding header contained only other tokens than
     "gzip" (such as "deflate"). PR 21523.  [Joe Orton, André Malo]

  *) Avoid an infinite recursion, which occured if the name of an included
     config file or directory contained a wildcard character. PR 22194.
  *) mod_ssl: Fix a problem setting variables that represent the
     client certificate chain.  PR 21371  [Jeff Trawick]

  *) Unix: Handle permissions settings for flock-based mutexes in 
     unixd_set_global|proc_mutex_perms().  Allow the functions to be
     called for any type of mutex.  PR 20312  [Jeff Trawick]

  *) ab: Work over non-loopback on Unix again. PR 21495. [Jeff Trawick]

Jeff Trawick's avatar
Jeff Trawick committed
  *) Fix a misleading message from the some of the threaded MPMs when 
     MaxClients has to be lowered due to the setting of ServerLimit.  
     [Jeff Trawick]

  *) Lower the severity of the "listener thread didn't exit" message
     to debug, as it is of interest only to developers.  PR 9011
     [Jeff Trawick]

  *) MPMs: The bucket brigades subsystem now honors the MaxMemFree setting.
     [Cliff Woolley, Jean-Jacques Clar]

  *) Install config.nice into the build/ directory to make
     minor version upgrades easier. [Joshua Slive]

  *) Fix mod_deflate so that it does not call deflate() without checking
     first whether it has something to deflate. (Currently this causes
     deflate to generate a fatal error according to the zlib spec.)
     PR 22259. [Stas Bekman]

  *) mod_ssl: Fix FakeBasicAuth for subrequest.  Log an error when an
     identity spoof is encountered.
     [Sander Striker]

Andre Malo's avatar
Andre Malo committed
  *) mod_rewrite: Ignore RewriteRules in .htaccess files if the directory
     containing the .htaccess file is requested without a trailing slash.
Andre Malo's avatar
Andre Malo committed

  *) ab: Overlong credentials given via command line no longer clobber
Andre Malo's avatar
Andre Malo committed

  *) mod_deflate: Don't attempt to hold all of the response until we're
     done.  [Justin Erenkrantz]

  *) Assure that we block properly when reading input bodies with SSL.
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     PR 19242.  [David Deaves <David.Deaves dd.id.au>, William Rowe]

  *) Update mime.types to include latest IANA and W3C types.  [Roy Fielding]

  *) mod_ext_filter: Set additional environment variables for use by
     the external filter.  PR 20944.  [Andrew Ho, Jeff Trawick]

  *) Fix buildconf errors when libtool version changes.  [Jeff Trawick]

Andre Malo's avatar
Andre Malo committed
  *) Remember an authenticated user during internal redirects if the
     redirection target is not access protected and pass it
     to scripts using the REDIRECT_REMOTE_USER environment variable.
     PR 10678, 11602.  [André Malo]
Andre Malo's avatar
Andre Malo committed

Andre Malo's avatar
Andre Malo committed
  *) mod_include: Fix a trio of bugs that would cause various unusual
     sequences of parsed bytes to omit portions of the output stream.
     PR 21095. [Ron Park <ronald.park cnet.com>, André Malo, Cliff Woolley]
Andre Malo's avatar
Andre Malo committed

Paul J. Reder's avatar
 
Paul J. Reder committed
  *) Update the header token parsing code to allow LWS between the
     token word and the ':' seperator.  [PR 16520]
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     [Kris Verbeeck <kris.verbeeck advalvas.be>, Nicel KM <mnicel yahoo.com>]
Paul J. Reder's avatar
 
Paul J. Reder committed

Paul J. Reder's avatar
 
Paul J. Reder committed
  *) Eliminate creation of a temporary table in ap_get_mime_headers_core()
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     [Joe Schaefer <joe+gmane sunstarsys.com>]
Paul J. Reder's avatar
 
Paul J. Reder committed

Andre Malo's avatar
Andre Malo committed
  *) Added FreeBSD directory layout. PR 21100.
     [Sander Holthaus <info orangexl.com>, André Malo]
Andre Malo's avatar
Andre Malo committed

  *) Fix NULL-pointer issue in ab when parsing an incomplete or non-HTTP
     response. PR 21085. [Glenn Nielsen <glenn apache.org>, André Malo]
Andre Malo's avatar
Andre Malo committed

  *) mod_rewrite: Perform child initialization on the rewrite log lock.
     This fixes a log corruption issue when flock-based serialization
     is used (e.g., FreeBSD).  [Jeff Trawick]

  *) Don't respect the Server header field as set by modules and CGIs.
     As with 1.3, for proxy requests any such field is from the origin
     server; otherwise it will have our server info as controlled by
     the ServerTokens directive.  [Jeff Trawick]

Andre Malo's avatar
Andre Malo committed
Changes with Apache 2.0.47
  *) SECURITY: CVE-2003-0192 (cve.mitre.org)
Joe Orton's avatar
Joe Orton committed
     Fixed a bug whereby certain sequences of per-directory
     renegotiations and the SSLCipherSuite directive being used to
     upgrade from a weak ciphersuite to a strong one could result in
     the weak ciphersuite being used in place of the strong one.  
     [Ben Laurie]
  *) SECURITY: CVE-2003-0253 (cve.mitre.org)
Joe Orton's avatar
Joe Orton committed
     Fixed a bug in prefork MPM causing temporary denial of service
     when accept() on a rarely accessed port returns certain errors.
     Reported by Saheed Akhtar <S.Akhtar talis.com>.  [Jeff Trawick]
  *) SECURITY: CVE-2003-0254 (cve.mitre.org)
Joe Orton's avatar
Joe Orton committed
     Fixed a bug in ftp proxy causing denial of service when target
     host is IPv6 but proxy server can't create IPv6 socket.  Fixed by
     the reporter.  [Yoshioka Tsuneo <tsuneo.yoshioka f-secure.com>]
  *) SECURITY [VU#379828] Prevent the server from crashing when entering
     infinite loops. The new LimitInternalRecursion directive configures
     limits of subsequent internal redirects and nested subrequests, after
     which the request will be aborted.  PR 19753 (and probably others).
     [William Rowe, Jeff Trawick, André Malo]
Sander Striker's avatar
Sander Striker committed

Sander Striker's avatar
Sander Striker committed
  *) core_output_filter: don't split the brigade after a FLUSH bucket if
     it's the last bucket.  This prevents creating unneccessary empty
     brigades which may not be destroyed until the end of a keepalive
     connection.
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     [Juan Rivera <Juan.Rivera citrix.com>]
Sander Striker's avatar
Sander Striker committed

  *) Add support for "streamy" PROPFIND responses.
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     [Ben Collins-Sussman <sussman collab.net>]
  *) mod_cgid: Eliminate a double-close of a socket.  This resolves
     various operational problems in a threaded MPM, since on the
     second attempt to close the socket, the same descriptor was
     often already in use by another thread for another purpose.
     [Jeff Trawick]

Andre Malo's avatar
Andre Malo committed
  *) mod_negotiation: Introduce "prefer-language" environment variable,
     which allows to influence the negotiation process on request basis
     to prefer a certain language.  [André Malo]
Andre Malo's avatar
Andre Malo committed

Andre Malo's avatar
Andre Malo committed
  *) Make mod_expires' ExpiresByType work properly, including for
     dynamically-generated documents.  [Ken Coar, Bill Stoddard]
Andre Malo's avatar
Andre Malo committed

Changes with Apache 2.0.46

  *) SECURITY: CVE-2003-0245 (cve.mitre.org)
Joe Orton's avatar
Joe Orton committed
     Fixed a bug causing apr_pvsprintf() to crash by sending an overly
     long string.  This can be triggered remotely through mod_dav,
     mod_ssl, and other mechanisms.
     Reported by David Endler <DEndler iDefense.com>.  [Joe Orton]
  *) SECURITY: CVE-2003-0189 (cve.mitre.org)
Joe Orton's avatar
Joe Orton committed
     Fixed a denial-of-service vulnerability affecting basic
     authentication on Unix platforms related to thread-safety in
     apr_password_validate().
     Reported by John Hughes <john.hughes entegrity.com>.
  *) Fix for mod_dav.  Call the 'can_be_activity' callback, if provided,
     when a MKACTIVITY request comes in.
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     [Ben Collins-Sussman <sussman collab.net>]

  *) Perform run-time query in apxs for apr and apr-util's includes.
     [Justin Erenkrantz]

  *) run libtool from the apr install directory (in case that is different
     from the apache install directory) [Jeff Trawick]

  *) configure.in: Play nice with libtool-1.5. [Wilfredo Sanchez]

  *) If mod_mime_magic does not know the content-type, do not attempt to
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     guess.  PR 16908.  [Andrew Gapon <agapon telcordia.com>]

  *) ssl session caching(shmht) : Fix a SEGV problem with SHMHT session
     caching. PR 17864.
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     [Andreas Leimbacher <andreasl67 yahoo.de>, Madhusudan Mathihalli]
  *) Add a delete flag to htpasswd.
     [Thom May]

  *) Fix mod_rewrite's handling of absolute URIs. The escaping routines
     now work scheme dependent and the query string will only be
     appended if supported by the particular scheme.  [André Malo]
Andre Malo's avatar
Andre Malo committed
  *) Add another check for already compressed content in mod_deflate.
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     PR 19913. [Tsuyoshi SASAMOTO <nazonazo super.win.ne.jp>]
Andre Malo's avatar
Andre Malo committed

William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
  *) Fixes for VPATH builds; copying special.mk and any future .mk files 
     from the source tree as well as the build tree (now creates a usable
     configuration for apxs), and eliminated redundant -I'nclude paths.
     [William Rowe]

William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
  *) Code fixes, constness corrections and ssl_toolkit_compat.h updates
     for SSLC and OpenSSL toolkit compatibility.  Still work remains to
     be done to cripple features based on the limitations of RSA's binary 
     distribution of their SSL-C toolkit.
     [William Rowe, Madhusudan Mathihalli, Jeff Trawick]

William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
  *) Linux 2.4+: If Apache is started as root and you code 
     CoreDumpDirectory, coredumps are enabled via the prctl() syscall.
     [Greg Ames]

  *) ap_get_mime_headers_core: allocate space for the trailing null
     when folding is in effect.
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     PR 18170 [Peter Mayne <PeterMayne SPAM_SUX.ap.spherion.com>]
  *) Fix --enable-mods-shared=most and other variants.  [Aaron Bannert]

Jeff Trawick's avatar
Jeff Trawick committed
  *) mod_log_config: Add the ability to log the id of the thread 
     processing the request via new %P formats.  [Jeff Trawick]

Andre Malo's avatar
Andre Malo committed
  *) Use appropriate language codes for Czech (cs) and Traditional Chinese
     (zh-tw) in default config files. PR 9427.  [André Malo]
Andre Malo's avatar
Andre Malo committed

  *) mod_auth_ldap: Use generic whitespace character class when parsing
     "require" directives, instead of literal spaces only. PR 17135.
Andre Malo's avatar
Andre Malo committed

  *) Hook mod_rewrite's type checker before mod_mime's one. That way the
     RewriteRule [T=...] Flag should work as expected now. PR 19626.
Andre Malo's avatar
Andre Malo committed

Thom May's avatar
Thom May committed
  *) htpasswd: Check the processed file on validity. If a line is not empty
     and not a comment, it must contain at least one colon. Otherwise exit
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     with error code 7. [Kris Verbeeck <Kris.Verbeeck ubizen.com>, Thom May]
Thom May's avatar
Thom May committed

Jeff Trawick's avatar
Jeff Trawick committed
  *) Fix a problem that caused httpd to be linked with incorrect flags
     on some platforms when mod_so was enabled by default, breaking 
     DSOs on AIX.  PR 19012  [Jeff Trawick]

  *) By default, use the same CC and CPP with which APR was built.
     The user can override with CC and CPP environment variables.
     [Jeff Trawick]

  *) Fix ap_construct_url() so that it surrounds IPv6 literal address
     strings with [].  This fixes certain types of redirection.
     PR 19207.  [Jeff Trawick]

  *) forward port of buffer overflow fixes for htdigest. [Thom May]

  *) Added AllowEncodedSlashes directive to permit control of whether
     the server will accept encoded slashes ('%2f') in the URI path.
     Default condition is off (the historical behaviour).  This permits
     environments in which the path-info needs to contain encoded
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     slashes.  PR 543, 2389, 3581, 3589, 5687, 7066, 7865, 14639.  [Ken Coar]
Andre Malo's avatar
Andre Malo committed
  *) When using Redirect in directory context, append requested query
     string if there's no one supplied by configuration. PR 10961.
Andre Malo's avatar
Andre Malo committed

Andre Malo's avatar
Andre Malo committed
  *) Unescape the supplied wildcard pattern in mod_autoindex. Otherwise
     the pattern will not always match as desired. PR 12596.
Andre Malo's avatar
Andre Malo committed

  *) mod_autoindex now emits and accepts modern query string parameter
     delimiters (;). Thus column headers no longer contain unescaped
     ampersands. PR 10880  [André Malo]
Andre Malo's avatar
Andre Malo committed

William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
  *) Enable ap_sock_disable_nagle for Windows. This along with the 
     addition of APR_TCP_NODELAY_INHERITED to apr.hw will cause Nagle 
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
  *) Correct a mis-correlation between mpm_common.c and mpm_common.h;
     This patch reverts us to pre-2.0.46 behavior, using the 
     ap_sock_disable_nagle noop macro, because ap_sock_disable_nagle 
     was never compiled on Win32. [Allan Edwards, William Rowe]

  *) Fix a build problem with passing unsupported --enable-layout
     args to apr and apr-util.  This broke binbuild.sh as well as
     user-specified layout parameters.  PR 18649 [Justin Erenkrantz,
     Jeff Trawick]

  *) If a Date response header was already set in the headers array,
     this value was ignored in favour of the current time. This meant
     that Date headers on proxied requests where rewritten when they
     should not have been. PR: 14376 [Graham Leggett]

Graham Leggett's avatar
Graham Leggett committed
  *) Add code to buildconf that produces an httpd.spec file from
     httpd.spec.in, using build/get-version.sh from APR.
     [Graham Leggett]

  *) Fixed a segfault when multiple ProxyBlock directives were used.
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     PR: 19023 [Sami Tikka <sami.tikka f-secure.com>]
  *) SECURITY: CVE-2003-0134 (cve.mitre.org)
Joe Orton's avatar
Joe Orton committed
     OS2: Fix a Denial of Service vulnerability identified and
     reported by Robert Howard <rihoward rawbw.com> that where device
     names faulted the running OS2 worker process.  The fix is
     actually in APR 0.9.4.  [Brian Havard]
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed

  *) SECURITY: CVE-2003-0083 (cve.mitre.org)
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     Forward port: Escape special characters (especially control
     characters) in mod_log_config to make a clear distinction between
     client-supplied strings (with special characters) and server-side
     strings. This was already introduced in version 1.3.25.

  *) mod_deflate: Check also err_headers_out for an already set
     Content-Encoding: gzip header. This prevents gzip compressed content
     from a CGI script from being compressed once more. PR 17797.
Changes with Apache 2.0.45
Andre Malo's avatar
Andre Malo committed

William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
  *) Fix possible segfaults under obscure error conditions within the
     cgid daemon.  [Jeff Trawick, William Rowe]

  *) SECURITY: CVE-2003-0132 (cve.mitre.org)
Joe Orton's avatar
Joe Orton committed
     Close a Denial of Service vulnerability identified by David
     Endler <DEndler iDefense.com> on all platforms.  An unlimited
     stream of newlines were acceptable between requests where each
     <lf> would allocate an 80 byte buffer, leading very quickly to
     memory exahustion.  [Brian Pane]
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed

  *) Added an rpm build script.
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     [Graham Leggett, Joe Orton <jorton redhat.com>]
  *) Simpler, faster code path for request header scanning  [Brian Pane]

William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
  *) SECURITY:  Eliminated leaks of several file descriptors to child
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     processes, such as CGI scripts.  This fix depends on the APR library 
     release 0.9.2 or later (0.9.3 was distributed with the httpd 
     source tarball for Apache 2.0.45.)  PR 17206
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     [Christian Kratzer <ck cksoft.de>, Bjoern A. Zeeb <bz zabbadoz.net>]
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed

Andre Malo's avatar
Andre Malo committed
  *) Fix path handling of mod_rewrite, especially on non-unix systems.
     There was some confusion between local paths and URL paths.
Andre Malo's avatar
Andre Malo committed
  *) Prevent endless loops of internal redirects in mod_rewrite by
     aborting after exceeding a limit of internal redirects. The
     limit defaults to 10 and can be changed using the RewriteOptions
     directive. PR 17462.  [André Malo]
Andre Malo's avatar
Andre Malo committed

  *) Win32: Avoid busy wait (consuming all the CPU idle cycles) when
     all worker threads are busy. 
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     [Igor Nazarenko <igor_nazarenko hotmail.com>]
  *) Keep the subrequest filter in place when a subrequest is 
     redirected.  PR 15423.  [Jeff Trawick]

  *) you can now specify the compression level for mod_deflate. 
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     [Ian Holsman, Stephen Pierzchala <stephen pierzchala.com>, 
     Michael Schroepl <Michael.Schroepl telekurs.de>]

  *) mod_deflate: Extend the DeflateFilterNote directive to
     allow accurate logging of the filter's in- and outstream.
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
  *) Allow SSLMutex to select/use the full range of APR locking
     mechanisms available to it. Also, fix the bug that SSLMutex uses
     APR_LOCK_DEFAULT no matter what.  PR 8122  [Jim Jagielski,
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     Martin Kutschker <martin.t.kutschker blackbox.net>]
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed

Andre Malo's avatar
Andre Malo committed
  *) Restore the ability of htdigest.exe to create files that contain
     more than one user. PR 12910.  [André Malo]
Andre Malo's avatar
Andre Malo committed

  *) Improve binary compatibility of the core between debug (aka
     maintainer-mode) and a non-debug compile.
     [Sander Striker]

Andre Malo's avatar
Andre Malo committed
  *) mod_usertrack: don't set the cookie in subrequests. This works
     around the problem that cookies were set twice during fast internal
     redirects. PR 13211.  [André Malo]
Andre Malo's avatar
Andre Malo committed

Andre Malo's avatar
Andre Malo committed
  *) mod_autoindex no longer forgets output format and enabled version
     sort in linked column headers.  [André Malo]
Andre Malo's avatar
Andre Malo committed

Andre Malo's avatar
Andre Malo committed
  *) Use .sv instead of .se as extension for Swedish documents in the
     default configuration. PR 12877.  [André Malo]
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
  *) Updated mod_ldap and mod_auth_ldap to support the Novell LDAP SDK SSL
     and standardized the LDAP SSL support across the various LDAP SDKs.  
     Isolated the SSL functionality to mod_ldap rather than speading it 
     across mod_auth_ldap and mod_ldap.  Also added LDAPTrustedCA
     and LDAPTrustedCAType directives to mod_ldap to allow for a more 
     common method of specifying the SSL certificate.
     [Dave Ward, Brad Nicholes]

William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
  *) Fixed mod_ssl's SSLCertificateChain initialization to no longer 
     skip the first cert of the chain by default.  This misbehavior 
     was introduced in 2.0.34.  PR 14560  [Madhusudan Mathihalli]

  *) mod_cgi, mod_cgid, mod_ext_filter: Log errors when scripts cannot
     be started on Unix because of such problems as bad permissions,
     bad shebang line, etc.  [Jeff Trawick]

  *) Fix 64-bit problem in mod_ssl input logic.  
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     [Madhusudan Mathihalli <madhusudan_mathihalli hp.com>]
  *) Fix potential memory leaks in mod_deflate on malformed data.  PR 16046.
     [Justin Erenkrantz]

  *) Rewrite ap_xml_parse_input to use bucket brigades.  PR 16134.
     [Justin Erenkrantz]

Andre Malo's avatar
Andre Malo committed
  *) Fix segfault which occurred when a section in an included
     configuration file was not closed. PR 17093.  [André Malo]
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
  *) Enhance the behavior of mod_isapi's WriteClient() callback to
     provide better emulation for isapi modules that presume that the
     first WriteClient() call may send status and headers.  An example
     of WriteClient() abuse is the foxisapi module, which relies on
     that assumpion and now works.  [William Rowe, Milan Kosina]

  *) Check the return value of ap_run_pre_connection(). So if the
     pre_connection phase fails (without setting c->aborted)
     ap_run_process_connection is not executed. [Stas Bekman]

  *) Fixed a problem with mod_ldap which caused it to fault when caching
     was disabled.  Needed to make sure that the code did not
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     attempt to use the cache if it didn't exist. Also fixed some memory
     leaks which were due to not releasing LDAP resources on error
     conditions.  [Brad Nicholes]
  *) Hook mod_proxy's fixup before mod_rewrite's fixup, so that by
     mod_rewrite proxied URLs will not be escaped accidentally by
     mod_proxy's fixup. PR 16368  [André Malo]

  *) While processing filters on internal redirects, remember seen EOS
     buckets also in the request structure of the redirect issuer(s). This
     prevents filters (such as mod_deflate) from adding garbage to the
     response. PR 14451.  [André Malo]

  *) suexec: Be more pedantic when cleaning environment. Clean it
     immediately after startup. PR 2790, 10449.
     [Jeff Stewart <jws purdue.edu>, André Malo]

  *) Fix apxs to insert LoadModule directives only outside of sections.

  *) Fix suexec compile error under SUNOS4, where strerror() doesn't
     exist. PR 5913, 9977.
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     [Jonathan W Miner <Jonathan.W.Miner lmco.com>]
  *) Fix If header parsing when a non-mod_dav lock token is passed to it.
     PR 16452.  [Justin Erenkrantz]

  *) mod_auth_digest no longer tries to guess AuthDigestDomain, if it's
     not specified. Now it assumes "/" as already documented. PR 16937.
  *) Try to log an error if a piped log program fails.  Try to
     restart a piped log program in more failure situations.  Fix an
     existing problem with error handling in piped_log_spawn().  Use
     new APR apr_proc_create() features to prevent Apache from starting
     on Unix* in most cases where a piped log program can be started,
     and add log messages for the other situations.  *Other platforms
     already failed Apache initialization if a piped log program
     couldn't be started.  PR 15761  [Jeff Trawick]

  *) Fix mod_cern_meta to not create empty metafiles when the
     metafile searched for does not exist.  PR 12353
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     [Owen Rees <owen_rees hp.com>]
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
  *) Introduce debugging symbols for Win32 release builds, both .pdb 
     and .dbg files (older debuggers and Dr. Watson-type utilities 
     on WinNT or Win9x don't support the newer .pdb flavor.)
     [Allen Edwards, William Rowe]
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
 
Andre Malo's avatar
Andre Malo committed
  *) Fix bug where 'Satisfy Any' without an AuthType lost all MIME
     information (and more). Related to PR 9076.  [André Malo]
  *) mod_file_cache: fix segfault serving mmaped cached files.
     [Bill Stoddard]

  *) mod_file_cache: fixed a segfault when multiple MMapFile directives
     were used.  PR 16313.  [Cliff Woolley]
  *) Fix a nasty segfault in mmap_bucket_setaside() caused by passing
     an incompatible pointer type to mmap_bucket_destroy(void*).
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     [Gerard Eviston <geviston bigpond.net.au>]
  *) Enable the -n name parameter on NetWare to allow the
     administrator to rename the Apache console screen
     [Brad Nicholes]
     
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
  *) Fixed piped access logs on Win32 by disabling OTHER_CHILD
     support by default in APR.  More development is required
     to deploy OTHER_CHILD on Win32.  [William Rowe]

  *) Use saner default config values for suexec. PR 15713.
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     [Thom May <thom planetarytramp.net>]
Andre Malo's avatar
Andre Malo committed
  *) mod_rewrite: Allow "RewriteEngine Off" even if no "Options FollowSymlinks"
     (or SymlinksIfOwnermatch) is set. PR 12395.  [André Malo]
Andre Malo's avatar
Andre Malo committed

  *) apxs: Include any special APR ld flags when linking the DSO.
     This resolves problems on AIX when building a DSO with apxs+gcc.
     [Jeff Trawick]

  *) Added character set support to mod_auth_LDAP to allow it to 
     convert extended characters used in the user ID to UTF-8 
     before authenticating against the LDAP directory. The new
     directive AuthLDAPCharsetConfig is used to specify the config
     file that contains the character set conversion table.
     [Brad Nicholes]
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed

  *) Don't remove the Content-Length from responses in mod_proxy
     PR: 8677 [Brian Pane]

  *) Ensure LDAP version is set to v3 on every bind. PR 14235.
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     [Sergey A. Lipnevich <sergeyli pisem.net>]
  *) Fix mod_ldap to open an existing shared memory file should one
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     already exist. PR 12757. [Scooter Morris <scooter gene.com>,
  *) Fix the ulimit command used by apachectl on Tru64.  PR 13609.
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     [Joseph Senulis <Joseph.Senulis dnr.state.wi.us>, Jeff Trawick]

  *) Change the ulimit command used by apachectl on AIX so that it
     works in all locales.  [Jeff Trawick]

  *) mod_ext_filter: Fix a problem building argument lists which 
     occasionally caused exec to fail.  PR 15491.  [Jeff Trawick]

Changes with Apache 2.0.44

William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
  *) mod_autoindex: Bring forward the IndexOptions IgnoreCase option
     from Apache 1.3.  PR 14276
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     [David Shane Holden <dpejesh yahoo.com>, William Rowe]
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed

  *) mod_mime: Workaround to prevent a segfault if r->filename=NULL
     [Brian Pane]
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
 
  *) Reorder the definitions for mod_ldap and mod_auth_ldap within
     config.m4 to make sure the parent mod_ldap is defined first.
     This ensures that mod_ldap comes before mod_auth_ldap in the
     httpd.conf file, which is necessary for mod_auth_ldap to load.
     PR 14256  [Graham Leggett]

  *) Fix the building of cgi command lines when the query string
     contains '='.  PR 13914  [Ville Skyttä <ville.skytta iki.fi>,
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
  *) Rename CacheMaxStreamingBuffer to MCacheMaxStreamingBuffer. Move
     implementation of MCacheMaxStreamingBuffer from mod_cache to
     mod_mem_cache. MCacheMaxStreamingBuffer now defaults to the
     lesser of 100,000 bytes or MCacheMaxCacheObjectSize. This should 
     eliminate the need for explicitly coding MCacheMaxStreamingBuffer
     in most configurations. [Bill Stoddard]

Paul J. Reder's avatar
 
Paul J. Reder committed
  *) mod_cache: Fix PR 15113, a core dump in cache_in_filter when
     a redirect occurs. The code was passing a format string and
     integer to apr_pstrcat. Changed to apr_psprintf.
     [Paul J. Reder]

William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
  *) Replace APU_HAS_LDAPSSL_CLIENT_INIT with APU_HAS_LDAP_NETSCAPE_SSL
     as set by apr-util in util_ldap.c. This should allow mod_ldap
     to work with the Netscape/Mozilla LDAP library. [Øyvin Sømme
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     <somme oslo.westerngeco.slb.com>, Graham Leggett]
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed

  *) Fix critical bug in new --enable-v4-mapped configure option
     implementation which broke IPv4 listening sockets on some
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     systems.  [hiroyuki hanai <hanai imgsrc.co.jp>]
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed

  *) mod_setenvif: Fix BrowserMatchNoCase support for non-regex
     patterns [André Malo <nd perlig.de>]
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
  *) Add version string to provider API.  [Justin Erenkrantz]
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
 
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
  *) build: './configure && make' now works without an in-tree
     apr and apr-util. [Wilfredo Sanchez]

  *) mod_negotiation: Set the appropriate mime response headers
     (Content-Type, charset, Content-Language and Content-Encoding)
     for negotated type-map "Body:" responses (such as the error
     pages.)  [André Malo <nd perlig.de>]
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed

  *) mod_log_config: Allow '%%' escaping in CustomLog format
     strings to insert a literal, single '%'.
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed

  *) mod_autoindex: AddDescription directives for directories
     now work as in Apache 1.3, where no trailing '/' is
     specified on the directory name.  Previously, the trailing
     '/' *had* to be specified, which was incompatible with
     Apache 1.3.  PR 7990  [Jeff Trawick]

Paul J. Reder's avatar
 
Paul J. Reder committed
  *) Fix for PR 14556. The expiry calculations in mod_cache were
     trying to perform "now + ((date - lastmod) * factor)" where
     date == lastmod resulting in "now + 0". The code now follows
     the else path (using the default expiration) if date is
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     equal to lastmod. [Sergey <rx armstrike.com>, Paul J. Reder]
Paul J. Reder's avatar
 
Paul J. Reder committed

  *) Use AP_DECLARE in the debug versions of ap_strXXX in case the
     default calling convention is not the same as the one used by
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     AP_DECLARE.  [Juan Rivera <Juan.Rivera citrix.com>]
  *) mod_cache: Don't cache response header fields designated
     as hop-by-hop headers in HTTP/1.1 (RFC 2616 Section 13.5.1).
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     [Estrade Matthieu <estrade-m ifrance.com>, Brian Pane]
  *) mod_cgid: Handle environment variables containing newlines.
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     PR 14550  [Piotr Czejkowski <apache czarny.eu.org>, Jeff
  *) Move mod_ext_filter out of experimental and into filters.
     [Jeff Trawick]

  *) Fixed a memory leak in mod_deflate with dynamic content.
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     PR 14321  [Ken Franken <kfranken decisionmark.com>]
  *) Add --[enable|disable]-v4-mapped configure option to control
     whether or not Apache expects to handle IPv4 connections
     on IPv6 listening sockets.  Either setting will work on 
     systems with the IPV6_V6ONLY socket option.  --enable-v4-mapped
     must be used on systems that always allow IPv4 connections on
     IPv6 listening sockets.  PR 14037 (Bugzilla), PR 7492 (Gnats)
     [Jeff Trawick]

Paul J. Reder's avatar
 
Paul J. Reder committed
  *) This fixes a problem where the underlying cache code
     indicated that there was one more element on the cache
     than there actually was. This happened since element 0
     exists but is not used. This code allocates the correct
     number of useable elements and reports the number of
     actually used elements. The previous code only allowed
     MCacheMaxObjectCount-1 objects to be stored in the
     cache. [Paul J. Reder]

  *) mod_setenvif: Add SERVER_ADDR special keyword to allow
     envariable setting according to the server IP address
     which received the request.  [Ken Coar]

  *) mod_cgid: Terminate CGI scripts when the client connection 
     drops.  PR 8388  [Jeff Trawick]

  *) Rearrange OpenSSL engine initialization to support RAND 
     redirection on crypto accelerator. 
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     [Frederic DONNAT <frederic.donnat zencod.com>]
  *) Always emit Vary header if mod_deflate is involved in the
     request.  [André Malo <nd perlig.de>]
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
  *) mod_isapi: Stop unsetting the 'empty' query string result with
     a NULL argument in ecb->lpszQueryString, eliminating segfaults
     for some ISAPI modules.  PR 14399
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     [Detlev Vendt <detlev.vendt brillit.de>]
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed

  *) mod_isapi: Fix an issue where the HSE_REQ_DONE_WITH_SESSION
     notification is received before the HttpExtensionProc() returns 
     HSE_STATUS_PENDING.  This only affected isapi .dll's configured 
     with the ISAPIFakeAsync on directive.  PR 11918
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     [John DeSetto <jdesetto radiantsystems.com>, William Rowe]
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed

  *) mod_isapi: Fix the issue where all results from mod_isapi would
     run through the core die handler resulting in invalid responses
     or access log entries.  PR 10216 [William Rowe]

Paul J. Reder's avatar
 
Paul J. Reder committed
  *) Improves the user friendliness of the CacheRoot processing
     over my last pass. This version avoids the pool allocations
     but doesn't avoid all of the runtime checks. It no longer
     terminates during post-config processing. An error is logged
     once per worker, indicating that the CacheRoot needs to be set.
     [Paul J. Reder]

William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
  *) Fix a bug where we keep files open until the end of a 
     keepalive connection, which can result in:
     (24)Too many open files: file permissions deny server access
     especially on threaded servers.  [Greg Ames, Jeff Trawick]

  *) Fix a bug in which mod_proxy sent an invalid Content-Length
     when a proxied URL was invoked as a server-side include within
     a page generated in response to a form POST.  [Brian Pane]

Paul J. Reder's avatar
 
Paul J. Reder committed
  *) Added code to process min and max file size directives and to
     init the expirychk flag in mod_disk_cache. Added a clarifying
     comment to cache_util.   [Paul J. Reder]

  *) The value emitted by ServerSignature now mimics the Server HTTP
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     header as controlled by ServerTokens.  [Francis Daly <deva daoine.org>]
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
  *) Gracefully handly retry situations in the SSL input filter,
     by following the SSL libraries' retry semantics.
     [William Rowe]

  *) Terminate CGI scripts when the client connection drops.  This
     fix only applies to some normal paths in mod_cgi.  mod_cgid
     is still busted.  PR 8388  [Jeff Trawick]

  *) Fix a bug where 416 "Range not satisfiable" was being
     returned for content that should have been redirected.
     [Greg Ames]
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed

William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
  *) Fix memory leak in mod_ssl from internal SSL library allocations
     within SSL_get_peer_certificate and X509_get_pubkey.
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     [Zvi Har'El <rl math.technion.ac.il>
      Madhusudan Mathihalli <madhusudan_mathihalli hp.com>].
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed

  *) mod_ssl uses free() inappropriately in several places, to free
     memory which has been previously allocated inside OpenSSL.
     Such memory should be freed with OPENSSL_free(), not with free().
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     [Nadav Har'El <nyh math.technion.ac.il>,
      Madhusudan Mathihalli <madhusudan_mathihalli hp.com>].
  *) Emit a message to the error log when we return 404 because
     the URI contained '%2f'.  (This was previously nastily silent
     and difficult to debug.)  [Ken Coar]

  *) Fix streaming output from an nph- CGI script.  CGI:IRC now
     works.  PR 8482  [Jeff Trawick]

  *) More accurate logging of bytes sent in mod_logio when
     the client terminates the connection before the response
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     is completely sent  [Bojan Smojver <bojan rexursive.com>]
  *) Fix some problems in the perchild MPM.  
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     [Jonas Eriksson <jonas webkonsulterna.com>]
Paul J. Reder's avatar
 
Paul J. Reder committed
  *) Change the CacheRoot processing to check for a required
     value at config time. This saves a lot of wasted processing
     if the mod_disk_cache module is loaded but no CacheRoot
     was provided. This fix also adds code to log an error
     and avoid useless pallocs and procesing when the computed
     cache file name cannot be opened. This also updates the
     docs accordingly.  [Paul J. Reder]

William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
  *) Introduce the EnableSendfile directive, allowing users of NFS 
     shares to disable sendfile mechanics when they either fail
     outright or provide intermitantly corrupted data.  PR 
     [William Rowe]

  *) Resolve the error "An operation was attempted on something 
     that is not a socket.  : winnt_accept: AcceptEx failed. 
     Attempting to recover." for users of various firewall and
     anti-virus software on Windows.  PR 8325  [William Rowe]

  *) Add the ProxyBadHeader directive, which gives the admin some
     control on how mod_proxy should handle bogus HTTP headers from
     proxied servers. This allows 2.0 to "emulate" 1.3's behavior if
     desired. [Jim Jagielski]

  *) Change the LDAP modules to export their symbols correctly
     during a Windows build. Add dsp files for Windows. Update
     README.ldap file for Windows build instructions.
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     [Andre Schild <A.Schild aarboard.ch>]
  *) Performance improvements for the code that generates HTTP
     response headers  [Brian Pane]

  *) Add -S as a synonym for -t -DDUMP_VHOSTS.
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     [Thom May <thom planetarytramp.net>]
  *) Fix a bug with dbm rewrite maps which caused the wrong value to
     be used when the key was not found in the dbm.  PR 13204
     [Jeff Trawick]

  *) Fix a problem with streaming script output and mod_cgid.
     [Jeff Trawick]

William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
  *) Add ap_register_provider/ap_lookup_provider API.
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     [John K. Sterling <john sterls.com>, Justin Erenkrantz]
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed

Changes with Apache 2.0.43

Joe Orton's avatar
Joe Orton committed
  *) SECURITY: CVE-2002-0840 (cve.mitre.org)
     HTML-escape the address produced by ap_server_signature() against
     this cross-site scripting vulnerability exposed by the directive
     'UseCanonicalName Off'.  Also HTML-escape the SERVER_NAME
     environment variable for CGI and SSI requests.  It's safe to
     escape as only the '<', '>', and '&' characters are affected,
     which won't appear in a valid hostname.  Reported by Matthew
     Murphy <mattmurphy kc.rr.com>.  [Brian Pane]
Paul J. Reder's avatar
 
Paul J. Reder committed
  *) Fix a core dump in mod_cache when it attemtped to store uncopyable
     buckets. This happened, for instance, when a file to be cached
     contained SSI tags to execute a CGI script (passed as a pipe
     bucket). [Paul J. Reder]

  *) Ensure that output already available is flushed to the network
     when the content-length filter realizes that no new output will
     be available for a while.  This helps some streaming CGIs as
     well as some other dynamically-generated content.  [Jeff Trawick]

  *) Fix a mutex problem in mod_ssl session cache support which
     could lead to an infinite loop.  PR 12705  
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     [Amund Elstad <amund.elstad ergo.no>, Jeff Trawick]
Joe Orton's avatar
Joe Orton committed
  *) SECURITY: CVE-2002-1156 (cve.mitre.org)
     Fix the exposure of CGI source when a POST request is sent to 
     a location where both DAV and CGI are enabled. [Ryan Bloom]
  *) Allow the UserDir directive to accept a list of directories.
     This matches what Apache 1.3 does.  Also add documentation for
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     this feature. [Jay Ball <jay veggiespam.com>]
Ian Holsman's avatar
Ian Holsman committed
  *) New Module: mod_logio. adds the ability to log bytes sent and