     RewriteLock file is opened _AFTER_ the children were spawned which is now
     the case by opening it in the child_init instead of the module_init API
     hook. [Ralf S. Engelschall] PR#1029

  *) Change to Location and LocationMatch semantics.  LocationMatch no
     longer lets a single slash match multiple adjacent slashes in the
     URL.  This change is for consistency with RewriteRule and
     AliasMatch.  Multiple slashes have meaning in URLs that they do
     not have in (some) filesystems.  Location on the other hand can
     be considered a shorthand for a more complicated regex, and it
     does match multiple slashes with a single slash -- which is
     also consistent with the Alias directive.
     [Dean Gaudet] related PR#1440

  *) Fix bug with mod_mime_magic causing certain files, including files
     of length 0, to result in no response from the server.
     [Dean Gaudet]

  *) The Configure script now generates src/include/ap_config.h which
     contains the set of defines used when Apache is compiled on a platform.
     This file can then be included by external modules before including
     any Apache header files in case they are being built separately from
     Apache.  Along with this change, a couple of minor changes were
     made to make Apache's #defines coexist peacefully with any autoconf
     defines an external module might have. [Rasmus Lerdorf]

  *) Fix mod_rewrite for the ugly API case where <VirtualHost> sections exist
     but without any RewriteXXXXX directives. Here mod_rewrite is given no
     chance by the API to initialize its per-server configuration and thus
     receives the wrong one from the main server. This is now avoided by
     remembering the server together with the config structure while
     configuring and later assuming there is no config when we see a
     difference between the remembered server and the one calling us. 
     [Ralf S. Engelschall] PR#1790

  *) Fixed the DBM RewriteMap support for mod_rewrite: First the support now
     is automatically disabled at configure time when the dbm_xxx functions
     are not available. Second, two heavy source code errors in the DBM
     support code were fixed.  This makes DBM RewriteMap's usable again after
     a long time of brokenness. [Ralf S. Engelschall] PR#1696

  *) Now all configuration files support Unix-style line-continuation via 
     the trailing backslash ("\") character. This enables us to write down
     complex or just very long directives in a more readable way.  The
     backslash character has to be really the last character before the
     newline and it has not been prefixed by another (escaping) backslash.
     [Ralf S. Engelschall]

  *) When using ProxyPass the ?querystring was not passed correctly.
     [Joel Truher <truher wired.com>]

  *) To deal with modules being compiled and [dynamically] linked
     at a different time from the core, the SERVER_VERSION and
     SERVER_BUILT symbols have been abstracted through the new
     API routines apapi_get_server_version() and apapi_get_server_built().
     [Ken Coar]  PR#1448

  *) WIN32: Preserve trailing slash in canonical path (and hence
     in PATH_INFO). [Paul Sutton, Ben Laurie]

  *) PORT: USE_PTHREAD_SERIALIZED_ACCEPT has proven unreliable
     depending on the rev of Solaris and what mixture of modules
     are in use.  So it has been disabled, and Solaris is back to
     using USE_FCNTL_SERIALIZED_ACCEPT.  Users may experiment with
     USE_PTHREAD_SERIALIZED_ACCEPT at their own risk, it may speed
     up static content only servers.  Or it may fail unpredictably.
     [Dean Gaudet] PR#1779, 1854, 1904

  *) mod_test_util_uri.c created which tests the logic in util_uri.c.
     [Dean Gaudet]

  *) API: Rewrite of absoluteURI handling, and in particular how
     absoluteURIs match vhosts.  Unless a request is a proxy request, a
     "http://host" url is treated as if a similar "Host:" header had been
     supplied.  This change was made to support future HTTP/1.x protocols
     which may require clients to send absoluteURIs for all requests.

     In order to achieve this change subtle changes were made to the API.  In a
     request_rec, r->hostlen has been removed.  r->unparsed_uri now exists so
     that the unmodified uri can be retrieved easily.  r->proxyreq is not set
     by the core, modules must set it during the post_read_request or
     translate_names phase.

     Plus changes to the virtualhost test suite for absoluteURI testing.

     This fixes several bugs with the proxy proxying requests to vhosts
     managed by the same httpd.
     [Dean Gaudet]

  *) API: Cleanup of code in http_vhost.c, and remove vhost matching
     code from mod_rewrite.  The vhost matching is now performed by a
     globally available function matches_request_vhost().  [Dean Gaudet]

  *) Reduce memory usage, and speed up ServerAlias support.  As a
     side-effect users can list multiple ServerAlias directives
     and they're all considered.
     [Chia-liang Kao <clkao cirx.org>] PR#1531

  *) The "poly" directive in image maps did not include the borders of the
     polygon, whereas the "rect" directive does.  Fix this inconsistency.
     [Konstantin Morshnev <moko design.ru>] PR#1771

  *) Make \\ behave as expected.  [<Ronald.Tschalaer psi.ch>]

  *) Add the `%a' construct to LogFormat and CustomLog to log the client IP
     address. [Todd Eigenschink <eigenstr mixi.net>] PR#1885

  *) API: A new source module main/util_uri.c; It contains a routine
     parse_uri_components() and friends which breaks a URI into its component
     parts.  These parts are stored in a uri_components structure called
     parsed_uri within each request_rec, and are available to all modules.
     Additionally, an unparse routine is supplied which re-assembles the URI
     components back to an URI, optionally hiding the username:password@ part
     from ftp proxy requests, and other useful routines.  Within the structure,
     you find on a ready-for-use basis:
        scheme;     /* scheme ("http"/"ftp"/...) */
        hostinfo;   /* combined [user[:password]@]host[:port] */
        user;       /* user name, as in http://user:passwd@host:port/ */
        password;   /* password, as in http://user:passwd@host:port/ */
        hostname;   /* hostname from URI (or from Host: header) */
        port_str;   /* port string (integer representation is in "port") */
        path;       /* the request path (or "/" if only scheme://host was given) */
        query;      /* Everything after a '?' in the path, if present */
        fragment;   /* Trailing "#fragment" string, if present */
     This is meant to serve as the platform for *BIG* savings in
     code complexity for the proxy module (and maybe the vhost logic).
     [Martin Kraemer]

  *) Make all possible meta-construct expansions ($N, %N, %{NAME} and
     ${map:key}) available for all locations where a string is created in
     mod_rewrite rewriting rulesets: 1st arg of RewriteCond, 2nd arg of
     RewriteRule and for the [E=NAME:STRING] flag of RewriteRule. This way the
     possible expansions are consequently usable at all string creation
     locations. [Ralf S. Engelschall]

  *) Fix initialization of RewriteLogLevel (default now is 0 as documented 
     and not 1) and the per-virtual-server merging of directives. Now all
     directives except `RewriteEngine' and `RewriteOption' are either
     completely overridden (default) or completely inherited (when
     `RewriteOptions inherit' is used). [Ralf S. Engelschall] PR#1325

  *) Fix `RewriteMap' program lookup in situations where such maps are
     defined but disabled (`RewriteEngine off') in per-server context. 
     [Ralf S. Engelschall] PR#1431

  *) Fix bug introduced in 1.3b4-dev, config with no Port setting would cause
     server to bind to port 0 rather than 80.  [Dean Gaudet]

  *) Fix long-standing problem with RewriteMap _programs_ under Unix derivatives
     (like SunOS and FreeBSD) which don't accept the locking of pipes
     directly.  A new directive RewriteLock is introduced which can be used to
     setup a separate locking file which then is used for synchronization.
     [Ralf S. Engelschall] PR#1029

  *) WIN32: The server root is obtained from the registry key
     HKLM\SOFTWARE\Apache Group\Apache\<version> (version is currently
     "1.3 beta"), unless overridden by the -d command line flag. The
     value is stored by running "apache -i -d serverroot". [Paul Sutton]

  *) Merged os/win32/mod_dll.c into modules/standard/mod_so.c to support
     dynamic loading on Win32 and Unix via the same module. [Paul Sutton]

  *) Now mod_rewrite no longer makes problematic assumptions on the characters
     a username can contain when trying to expand it via /etc/passwd. 
     [Ralf S. Engelschall]

  *) The mod_setenvif BrowserMatch backwards compatibility command did not
     work properly with spaces in the regex.  [Ronald Tschalaer] PR#1825

  *) Add new RewriteMap types: First, `rnd' which is equivalent to the `txt'
     type but with a special post-processing for the looked-up value: It
     parses it into alternatives according to `|' chars and then only one
     particular alternative is chosen randomly (this is an essential
     functionality needed for balancing between backend-servers when using
     Apache as a Reverse Proxy.  The looked up value here is a list of
     servers). Second, `int' with the built-in maps named `tolower' and
     `toupper' which can be used to map URL parts to a fixed case (this is an
     essential feature to fix the case of server names when doing mass
     virtual-hosting with the help of mod_rewrite instead of using
     <VirtualHost> sections). [Ralf S. Engelschall, parts based on code from
     Jay Soffian <jay cimedia.com>] PR#1631

  *) Add a new directive to mod_proxy similar to ProxyPass: `ProxyPassReverse'.
     This directive lets Apache adjust the URL in Location-headers on HTTP
     redirect responses sent by the remote server. This way the virtually
     mapped area is no longer left on redirects and thus by-passed which is
     especially essential when running Apache as a reverse proxy.  
     [Ralf S. Engelschall]

  *) Hide Proxy-Authorization from CGI/SSI/etc just like Authorization is
     hidden. [Alvaro Martinez Echevarria]

  *) Apache will, when started with the -X (single process) debugging flag,
     honor the SIGINT or SIGQUIT signals again now. This capability got lost
     a while ago during OS/2 signal handling changes.

  *) [PORT] Work around the fact that NeXT runs on more than the
     m68k chips in mod_status [Scott Anguish and Timothy Luoma
     <luomat peak.org>]

  *) [PORT] Recognize FreeBSD versions so we can use the OS regex as well
     as handling unsigned-chars for FreeBSD v3 and v2 [Andrey Chernov
     <ache nagual.pp.ru> and Jim] PR#1450

  *) Use SA_RESETHAND or SA_ONESHOT when installing the coredump handlers.
     In particular the handlers could trigger themselves into an infinite
     loop if RLimitMem was used with a small amount of memory -- too small
     for the signal stack frame to be set up.  [Dean Gaudet]

  *) Fix problems with absoluteURIs introduced during 1.3b4.  [Dean Gaudet,
     Alvaro Martinez Echevarria <alvaro lander.es>]

  *) Fix multiple UserDir problem introduced during 1.3b4-dev.
     [Dean Gaudet] PR#1850

  *) ap_cpystrn() had an off-by-1 error.
     [Charles Fu <ccwf klab.caltech.edu>] PR#1847

  *) API: As Ken suggested the check_cmd_context() function and related
     defines are non-static now so modules can use 'em.  [Martin Kraemer]

  *) mod_info would occasionally produce an unpaired <tt> in its
     output. Fixed. [Martin Kraemer]

  *) By default AIX binds a process (and its children) to a single
     processor.  httpd children now unbind themselves from that cpu
     and re-bind to one selected at random via bindprocessor()
     [Doug MacEachern]

  *) Linux 2.0 and above implement RLIMIT_AS, RLIMIT_DATA has almost no
     effect.  Work around it by using RLIMIT_AS for the RLimitMEM
     directive.  [Enrik Berkhan <enrik inka.de>] PR#1816

  *) mod_mime_magic error message should indicate the filename when
     reads fail.  ["M.D.Parker" <mdpc netcom.com>] PR#1827

  *) Previously Apache would permit </Files> to end <FilesMatch> (and
     similarly for Location and Directory), now this is diagnosed as an
     error.  Improve error messages for mismatched sections (<Files>,
     <FilesMatch>, <Directory>, <DirectoryMatch>, ...).
     [Dean Gaudet, Martin Kraemer]

  *) <Files> is not permitted within <Location> (because of the
     semantic ordering).  [Dean Gaudet] PR#379

  *) <Files> with wildcards was broken by the change in wildcard
     semantics (* does not match /).  To fix this, <Files> now
     apply only to the basename of the request filename.  This
     fixes some other inconsistencies in <Files> semantics
     (such as <Files a*b> not working).  [Dean Gaudet] PR#1817

  *) Removed bogus "dist.tar" target from Makefile.tmpl and make sure
     backup files are removed on "clean" target [Ralf S. Engelschall]

  *) PORT: Add -lm to LIBS for HPUX.  [Dean Gaudet] PR#1639

  *) Various errors from select() and accept() in child_main() would
     result in an infinite loop.  It seems these two tickle kernel
     or library bugs occasionally, and result in log spammage and
     a generally bad scene.  Now the child exits immediately,
     which seems to be a good workaround.
     [Dean Gaudet] PR#1747, 1107, 588, 1787, 987, 588

  *) Cleaned up some race conditions in unix child_main during
     initialization. [Dean Gaudet]

  *) SECURITY: "UserDir /abspath" without a * in the path would allow
     remote users to access "/~.." and bypass access restrictions
     (but note /~../.. was handled properly).
     [Lauri Jesmin <jesmin ut.ee>] PR#1701

  *) API: os_is_path_absolute() now takes a const char * instead of a char *.
     [Dean Gaudet]

Changes with Apache 1.3b5

  *) Source file dependencies in Makefile.tmpl files throughout the
     source tree were updated to accurately reflect reality.
     [Dean Gaudet]

  *) Preserve the content encoding given by the AddEncoding directive
     when the client doesn't otherwise specify an encoding.
     [Ronald Tschalaer <Ronald.Tschalaer psi.ch>]

  *) Sort out problems with canonical filename handling happening too late.
     [Dean Gaudet, Ben Laurie]

Changes with Apache 1.3b4

  *) The module structure was modified to include a *dynamic_load_handle
     in the STANDARD_MODULE_STUFF portion, and the MODULE_MAGIC_NUMBER
     has been bumped accordingly.  [Paul Sutton]

  *) All BrowserMatch directives mentioned in
     htdocs/manual/known_client_problems.html are in the default
     configuration files.  [Lars Eilebrecht]

  *) MiNT port update. [Jan Paul Schmidt]

  *) HTTP/1.1 requires x-gzip and gzip encodings be treated
     equivalent, similarly for x-compress and compress.  Apache
     now ignores a leading x- when comparing encodings.  It also
     preserves the encoding the client requests (for example if
     it requests x-gzip, then Apache will respond with x-gzip
     in the Content-Encoding header).
     [Ronald Tschalaer <Ronald.Tschalaer psi.ch>] PR#1772

  *) Fix a memory leak on keep-alive connections.  [Igor Tatarinov]

  *) Added mod_so module to support dynamic loading of modules on Unix
     (like mod_dld for Win32). This replaces mod_dld.c. Use SharedModule
     instead of AddModule in Configuration to build shared modules
     [Sameer Parekh, Paul Sutton]

  *) Minor cleanups to r->finfo handling in some modules.
     [Dean Gaudet]

  *) Abstract read()/write() to ap_read()/ap_write().
     Makes it easier to add other types of IO code such as SFIO.
     [Randy Terbush]

  *) API: Generalize default_port manipulations to make support of
     different protocols easier. [Ben Laurie, Randy Terbush]

  *) There are many cases where users do not want Apache to form
     self-referential urls using the "canonical" ServerName and Port.
     The new UseCanonicalName directive (default on), if set to off
     will cause Apache to use the client-supplied hostname and port.
     API: Part of this change required a change to the construct_url()
     prototype; and the addition of get_server_name() and
     get_server_port().
     [Michael Douglass <mikedoug texas.net>, Dean Gaudet]
     PR#315, 459, 485, 1433

  *) Yet another rearrangement of the source tree.. now all the common
     header files are in the src/include directory.  The -Imain -Iap
     references in Makefiles have been changed to the simpler -Iinclude
     instead.  In addition to simplifying the build a little bit, this
     also makes it clear when a module is referencing something in a
     other than kosher manner (e.g., the proxy including mod_mime.h).
     Module-private header files (the proxy, mod_mime, the regex library,
     and mod_rewrite) have not been moved to src/include; nor have
     the OS-abstraction files.  [Ken Coar]

  *) Fix a bug where r->hostname didn't have the :port stripped
     from it.  [Dean Gaudet]

  *) Tweaked the headers_out table size, and the subprocess_env
     table size guess in rename_original_environment().  Added
     MAKE_TABLE_PROFILE which can help discover make_table()
     calls that use too small an initial guess, see alloc.c.
     [Dean Gaudet]

  *) Options and AllowOverride weren't properly merging in the main
     server setting inside vhosts (only an issue when you have no
     <Directory> or other section containing an Options that affects
     a request).  Options +foo or -foo in the main_server wouldn't
     affect the main_server's lookup defaults.  [Dean Gaudet]

  *) Variable 'cwd' was being used pointlessly before being set.
     [Ken Coar] PR#1738

  *) r->allowed handling cleaned up in the standard modules.
     [Dean Gaudet]

  *) Some case-sensitivity issues cleaned up to be consistent with
     RFC2068.  [Dean Gaudet]

  *) SIGURG doesn't exist everywhere.
     [Mark Andrew Heinrich <heinrich tinderbox.Stanford.EDU>]

  *) mod_unique_id was erroneously generating a second unique id when
     an internal redirect occurred.  Such redirects occur, for example,
     when processing a DirectoryIndex match.  [Dean Gaudet]

  *) API: table_add, table_merge, and table_set include implicit pstrdup()
     of the key and value.  But in many cases this is not required
     because the key/value is a constant, or the value has been built
     by pstrcat() or other similar means.  New routines table_addn,
     table_mergen, and table_setn have been added to the API, these
     routines do not pstrdup() their arguments.  The core code and
     standard modules were changed to take advantage of these routines.
     The resulting server is up to 20% faster in some situations.

     Note that it is easy to get code subtly wrong if you pass a key/value
     which is in a pool other than the pool of the table.  The only
     safe thing to do is to pass key/values which are in the pool of
     the table, or in one of the ancestors of the pool of the table.
     i.e. if the table is part of a subrequest, a value from the main
     request's pool is OK since the subrequest pool is a sub_pool of the
     main request's pool (and therefore has a lifespan at most as long as
     the main pool).  There is debugging code which can detect improper
     usage, enabled by defining POOL_DEBUG.  See alloc.c for more details.
     [Dmitry Khrustalev <dima bog.msu.su>, Dean Gaudet]

  *) More mod_mime_magic cleanup:  fewer syscalls; should handle "files"
     which don't exist on disk more gracefully; handles vhosts properly.
     Update documentation to reflect the code -- if there's no
     MimeMagicFile directive then the module is not enabled.
     [Dean Gaudet]

  *) PORT: Some older *nix dialects cannot automatically start scripts
     which begin with a #! interpreter line (the shell starts the scripts
     appropriately on these platforms). Apache now supports starting of
     "hashbang-scripts" when the NEED_HASHBANG_EMUL define is set.
     [Martin Kraemer, with code from Peter Wemm <peter zeus.dialix.oz.au>
     taken from tcsh]

  *) API: "typedef array_header table" removed from alloc.h, folks should
     have been writing to use table as if it were an opaque type, but even
     some standard modules got this wrong.  By changing the definition
     to "typedef struct table table" module authors will receive compile
     time warnings that they're doing the wrong thing.  This change
     facilitates future changes with more sophisticated table
     structures.  Specifically, module authors should be using table_elts()
     to get access to an array_header * for the table. [Dean Gaudet]

  *) API: Renamed new_connection() to avoid namespace collision with LDAP
     library routines.  [Ken Coar, Rasmus Lerdorf]

  *) WIN32: mod_speling is now available on the Win32 platform.
     [Marc Slemko]

  *) For clarity the following compile time definition was changed:

        SAFE_UNSERIALIZED_ACCEPT  ->   SINGLE_LISTEN_UNSERIALIZED_ACCEPT

     Also, for example, HAVE_MMAP would mean to use mmap() scoreboards
     and not be a general notice that the OS has mmap(). Now the
     HAVE_MMAP/SHMGET #defines strictly are informational that the
     OS has that method of shared memory; the type to use for
     the scoreboard is a separate #define (USE_MMAP_SCOREBOARD
     and USE_SHMGET_SCOREBOARD). This allows outside modules to
     determine if shared memory is available and allows Apache
     to determine the best method to use for the scoreboard.
     [Jim Jagielski]

  *) PORT: UnixWare 2.1.2 SMP appears to require USE_FCNTL_SERIALIZED_ACCEPT,
     as do various earlier versions.  It should be safe on all versions.
     Unixware 1.x appears to have the same SIGHUP bug as solaris does with
     the slack code.  A few other cleanups for Unixware.
     [Tom Hughes <thh cyberscience.com>] PR#1082, PR#1282, PR#1499, PR#1553

  *) PORT: A/UX can handle single-listen accepts without mutex
     locking, so we add SINGLE_LISTEN_UNSERIALIZED_ACCEPT. [Jim Jagielski]

  *) When die() happens we need to eat any request body if one exists.
     Otherwise we can't continue with a keepalive session.  This shows up
     as a POST problem with MSIE 4.0, typically against pages which are
     authenticated.  [Roy Fielding] PR#1399

  *) If you define SECURITY_HOLE_PASS_AUTHORIZATION then the Authorization
     header will be passed to CGIs.  This is generally a security hole, so
     it's not a default.  [Marc Slemko] PR#549

  *) Fix Y2K problem with date printing in suexec log.
     [Paul Eggert <eggert twinsun.com>] PR#1343

  *) WIN32 deserves a pid file.  [Ben Hyde]

  *) suexec errors now include the errno/description.  [Marc Slemko] PR#1543

  *) PORT: OSF/1 now uses USE_FLOCK_SERIALIZED_ACCEPT to solve PR#467.
     The choice of flock vs. fcntl was made based on timings which showed that
     even on non-NFS, non-exported filesystems fcntl() was an order of
     magnitude slower.  It also uses SINGLE_LISTEN_UNSERIALIZED_ACCEPT so
     that single socket users will see no difference. [Dean Gaudet] PR#467

  *) "File does not exist" error message was erroneously including the
     errno.  [Marc Slemko]

  *) Improve the warning message generated when a client drops the
     connection (hits stop button, etc.) during a send.  [Roy Fielding]

  *) Defining GPROF will disable profiling in the parent and enable it
     in the children.  If you're profiling under Linux this is pretty much
     necessary because SIGPROF is lost across a fork(). [Dean Gaudet]

  *) htdigest and htpasswd needed slight tweaks to work on OS/2 and WIN32.
     [Brian Havard]

  *) The NeXT cc (which is gcc hacked up) doesn't appear to support some
     gcc functionality.  Work around it.
     [Keith Severson <keith sssd.navy.mil>] PR#1613

  *) Some linkers complain when .o files contain no functions.
     [Keith Severson <keith sssd.navy.mil>] PR#1614

  *) Some const declarations in mod_imap.c that were added for debugging
     purposes caused some compilers heartburn without adding any
     significant value, so they've been removed.  [Ken Coar]

  *) The src/main/*.h header files have had #ifndef wrappers added to
     insulate them against duplicate calls if they get included through
     multiple paths (e.g., in .c files as well as other .h files).
     [Ken Coar]

  *) The libap routines now have a header file for their prototypes,
     src/ap/ap.h, to ease their use in non-httpd applications.  [Ken Coar]

  *) mod_autoindex with a plaintext header file would emit the <PRE>
     start-tag before the HTML preamble, rather than after the preamble
     but before the header file contents.  [John Van Essen <jve gamers.org>]
     PR#1667

  *) SECURITY: Fix a possible buffer overflow in logresolve.  This is
     only an issue on systems without a MAXDNAME define or where
     the resolver returns domain names longer than MAXDNAME.  [Marc Slemko]

  *) SECURITY: Eliminate possible buffer overflow in cfg_getline, which
     is used to read various types of files such as htaccess and
     htpasswd files.  [Marc Slemko]

  *) SECURITY: Ensure that the buffer returned by ht_time is always
     properly null terminated.  [Marc Slemko]

  *) The "Connection" header could be sent back with multiple "close"
     tokens.  Not an error, but a waste.
     [<Ronald.Tschalaer psi.ch>] PR#1683

  *) mod_rewrite's RewriteLog should behave like mod_log_config, it
     shouldn't force hostname lookups.  [Dean Gaudet] PR#1684

  *) "basic" auth needs a case-insensitive comparison.
     [<Ronald.Tschalaer psi.ch>] PR#1666

  *) For maximum portability, the environment passed to CGIs should
     only contain variables whose names match the regex
     /[a-zA-Z][a-zA-Z0-9_]*/.  This is now enforced by stamping
     underscores over any character outside the regex.  This
     affects HTTP_* variables, in a way that should be backward
     compatible for all the standard headers; and affects variables
     set with SetEnv/BrowserMatch and similar directives.
     [Dean Gaudet]

  *) mod_speling returned incorrect HREF's when an ambiguous match
     was found. Noticed by <robinton amtrash.comlink.de> (Soeren Ziehe)
     [Soeren Ziehe <robinton amtrash.comlink.de>, Martin Kraemer]

  *) PORT: Apache now compiles & runs on an EBCDIC mainframe
     (the Siemens BS2000/OSD family) in the POSIX subsystem
     [Martin Kraemer]

  *) PORT: Fix problem killing children when terminating.  Allow ^C
     to shut down the server.  [Brian Havard]

  *) pstrdup() is implicit in calls to table_* functions, so there's
     no need to do it before calling.  Clean up a few cases.
     [Marc Slemko, Dean Gaudet]

  *) new -C and -c command line arguments
     usage:
     -C "directive" : process directive before reading config files
     -c "directive" : process directive after reading config files
     example:
     httpd -C "PerlModule Apache::httpd_conf"
     [Doug MacEachern, Martin Kraemer]

  *) WIN32: Fix the execution of CGIs that are scripts and called 
     with path info that does not have an '=' in.
     (eg. http://server/cgi-bin/printenv?foobar)  
     [Marc Slemko] PR#1591

  *) WIN32: Fix a call to os_canonical_filename so it doesn't try to 
     mess with fake filenames.  This fixes proxy caching on 
     win32. PR#1265

  *) SECURITY: General mod_include cleanup, including fixing several
     possible buffer overflows and a possible infinite loop.
     [Dean Gaudet, Marc Slemko]

  *) SECURITY: Numerous changes to mod_imap in a general cleanup
     including fixing a possible buffer overflow.  [Dean Gaudet]

  *) WIN32: overhaul of multithreading code. Shutdowns are now graceful
     (connections are not dropped). Code can handle graceful restarts
     (but there is as yet no way to signal this to Apache). Various
     other cleanups. [Paul Sutton]

  *) The aplog_error changes specific to 1.3 introduced a buffer
     overrun in the (now legacy) log_printf function.  Fixed.
     [Dean Gaudet]

  *) mod_digest didn't properly deal with proxy authentication.  It
     also lacked a case-insensitive comparison of the "Digest"
     token.  [Ronald Tschalaer <Ronald.Tschalaer psi.ch>] PR#1599

  *) A few cleanups in mod_status for efficiency.  [Dean Gaudet]

  *) A few cleanups in mod_info to make it thread-safe, and remove an
     off-by-5 bug that could hammer \0 on the stack. [Dean Gaudet]

  *) no2slash() was O(n^2) in the length of the input.  Make it O(n).
     [Dean Gaudet]

  *) API: migration from strncpy() to our "enhanced" version called
     ap_cpystrn() for performance and functionality reasons.
     Located in libap.a.  [Jim Jagielski]

  *) table_set() and table_unset() did not deal correctly with
     multiple occurrences of the same key.
     [Stephen Scheck <sscheck infonex.net>, Ben Laurie] PR#1604

  *) The AuthName must now be enclosed in quotes if it is to contain
     spaces.  [Ken Coar] PR#1195

  *) API: new function: ap_escape_quotes(). [Ken Coar] PR#1195

  *) WIN32: Work around optimiser bug that killed ISAPI in release
     versions. [Ben Laurie] PR#1533

  *) PORT: Update the MPE port [Mark Bixby, Jim Jagielski]

  *) Interim (slow) fix for p->sub_pool critical sections in
     alloc.c (affects win32 only).  [Ben Hyde]

  *) non-WIN32 was missing destroy_mutex definition.  [Ben Hyde]

  *) send_fd_length() did not calculate total_bytes_sent properly.
     [Ben Reser <breser regnow.com>] PR#1366

  *) The bputc() macro was not properly integrated with the chunking
     code; in many cases modules using bputc() could cause completely
     bogus chunked output.  (Typically this will show up as problems
     with Internet Explorer 4.0 reading a page, but other browsers
     having no problem.) [Dean Gaudet]

  *) Create LARGE_WRITE_THRESHOLD define which determines how many
     bytes have to be supplied to bwrite() before it will consider
     doing a writev() to assemble multiple buffers in one system
     call.  This is critical for modules such as mod_include,
     mod_autoindex, mod_php3 which all use bputc()/bputs() of smaller
     strings in some cases.  The result would be extra effort
     setting up writev(), and in many cases extra effort building
     chunks.  The default is 31, it can be overridden at compile
     time. [Dean Gaudet]

  *) Move the gid switching code into the child so that log files
     and pid files are opened with the root gid.
     [Gregory A Lundberg <lundberg vr.net>]

  *) WIN32: Check for binaries by looking for the executable header
     instead of counting control characters.
     [Jim Patterson <Jim.Patterson Cognos.COM>] PR#1340

  *) ap_snprintf() moved from main/util_snprintf.c to ap/ap_snprintf.c
     so the functionality is available to applications other than the
     server itself (like the src/support tools).  [Ken Coar]

  *) ap_slack() moved out of main/util.c into ap/ap_slack.c as part of
     the libap consolidation work.  [Ken Coar]

  *) ap_snprintf() with a len of 0 behaved like sprintf().  This is not
     useful, and isn't what the standards require.  Now it returns 0
     and writes nothing.  [Dean Gaudet]

  *) When an error occurs in fcntl() locking suggest the user look up
     the docs for LockFile.  [Dean Gaudet]

  *) Eliminate some dead code from writev_it_all().
     [Igor Tatarinov <tatarino prairie.NoDak.edu>]

  *) mod_autoindex had an fread() without checking the result code.
     It also wouldn't handle "AddIconByType (TXT,/icons/text.gif text/*"
     (note the missing closing paren) properly.  [Dean Gaudet]

  *) It appears the "257th byte" bug (see
     htdocs/manual/misc/known_client_problems.html#257th-byte) can happen
     at the 256th byte as well.  Fixed.  [Dean Gaudet]

  *) PORT: Fix mod_mime_magic under OS/2, no support for block devices.
     [Brian Havard]

  *) Fix memory corruption caused by allocating auth usernames in the
     wrong pool.  [Dean Gaudet] PR#1500

  *) Fix an off-by-1, and an unterminated string error in
     mod_mime_magic.  [Dean Gaudet]

  *) Fix a potential SEGV problem in mod_negotiation when dealing
     with type-maps.  [Dean Gaudet]

  *) Better glibc support under Linux.  [Dean Gaudet] PR#1542

  *) "RedirectMatch gone /" would cause a SIGSEGV. [Dean Gaudet] PR#1319

  *) WIN32: avoid overflows during file canonicalisations.
     [<malcolm mgdev.demon.co.uk>] PR#1378

  *) WIN32: set_file_slot() didn't detect absolute paths. [Ben Laurie]
     PR#1511, 1508

  *) WIN32: mod_status display header didn't match fields. [Ben Laurie]

  *) The pthread_mutex_* functions return an error code, and don't
     set errno.  [Igor Tatarinov <tatarino prairie.NoDak.edu>]

  *) WIN32: Allow spaces to prefix the interpreter in #! lines.
     [Ben Laurie] PR#1101

  *) WIN32: Cure file leak in CGIs. [Peter Tillemans <pti net4all.be>] PR#1523

  *) proxy_ftp: the directory listings generated by the proxy ftp module
     now have a title in which the path components are clickable and allow
     quick navigation to the clicked-on directory on the currently listed
     ftp server. This also fixes a bug where the ".." directory links would
     sometimes refer to the wrong directory.  [Martin Kraemer]

  *) WIN32: Allocate the correct amount of memory for the scoreboard.
     [Ben Hyde] PR#1387

  *) WIN32: Only lowercase the part of the path that is real. [Ben Laurie]
     PR#1505

  *) Fix problems with timeouts in inetd mode and -X mode.  [Dean Gaudet]

  *) Fix the spurious "(0)unknown error: mmap_handler: mmap failed"
     error messages. [Ben Hyde]

Changes with Apache 1.3b3

  *) WIN32: Work around brain-damaged spawn calls that can't deal
     with spaces and slashes.  [Ben Laurie]

  *) WIN32: Fix the code so CGIs can use socket calls on Windows.  
     The problem was that certain undocumented environment variables
     needed for sockets to work under Win32 were not being passed.
     [Frank Faubert <frank sane.com>]

  *) Add a "-V" command line flag to the httpd binary.  This 
     flag shows some of the defines that Apache was compiled with.
     It is useful for debugging purposes.  [Martin Kraemer]

  *) Start separating the ap_*() routines into their own library, so they
     can be used by items in src/support among other things.  
     [Ken Coar] PR#512, 905, 1252, 1308 

  *) Give a more informative error when no AuthType is set.
     [Lars Eilebrecht]

  *) Remove strtoul() use from mod_proxy because it isn't available
     on all platforms.   [Marc Slemko] PR#1214

  *) WIN32: Some Win32 systems terminated all responses after 16 kB. 
     This turns out to be a bug in Winsock - select() doesn't always 
     return the correct status.  [Ben Laurie]

  *) Directives owned by http_core can now use the new check_cmd_context()
     routine to ensure that they're not being used within a container
     (e.g., <Directory>) where they're invalid.  [Martin Kraemer]

  *) PORT: Recent changes made it necessary to add explicit prototype
     for fgetc() and fgets() on SunOS 4.x.  [Martin Kraemer, Ben Hyde]

  *) It was necessary to distinguish between resources which are
     allocated in the parent, for cleanup in the parent, and resources
     which are allocated in each child, for cleanup in each child.
     A new pool was created which is passed to the module child_init
     and child_exit functions; modules are free to register per-child
     cleanups there.  This fixes a bug with reliable piped logs.
     [Dean Gaudet]

  *) mod_autoindex wasn't displaying the ReadmeName file at the bottom
     unless it was also doing FancyIndexes, but it displayed the
     HeaderName file at the top under all circumstances.  It now shows
     the ReadmeName file for simple indices, too, as it should.  
     [Ken Coar] PR#1373

  *) http_core was mmap()ing even in cases where it wasn't going to
     read the file.  [Ben Hyde <bhyde gensym.com>]

  *) Complete rewrite ;-) of mod_rewrite's URL rewriting engine:
     Now the rewriting engine (the heart of mod_rewrite) is organized more
     straight-forward, first time well documented and reduced to the really
     essential parts. All redundant cases were stripped off and processing now
     is the same for both per-server and per-directory context with only a
     minimum difference (the prefix stripping in per-dir context). As a
     side-effect some subtle restrictions and two recently discovered problems
     are gone: Wrong escaping of QUERY_STRING on redirects in per-directory
     context and restrictions on the substitution URL on redirects.
     Additionally some minor source cleanups were done. 
     [Ralf S. Engelschall] 

  *) Lars Eilebrecht wrote a whole new set of Apache Vhost Internals
     documentation, examples, explanations and caveats. They live in a new
     subdirectory htdocs/manual/vhost/. [Lars Eilebrecht <sfx unix-ag.org>]

  *) If ap_slack fails to allocate above the low slack line it's a good
     indication that further problems will occur; it's a better indication
     than many external libraries give us when we actually run out of
     descriptors.  So report it to the user once per restart.
     [Dean Gaudet] PR#1181

  *) Change mod_include and mod_autoindex to use Y2K-safe date formats
     by default.  [Ken Coar]

  *) Add a "SuppressColumnSorting" option to the IndexOptions list,
     which will keep the column heading from being links for sorting
     the display.  [Ken Coar, suggested by Brian Tiemann <btman pacific.net>]

  *) PORT: Update the LynxOS port.  [Marius Groeger <mag sysgo.de>]

  *) Fix logic error when issuing a mmap() failed message
     with a non-zero MMAP_THRESHOLD.
     [David Chambers <davidc flosun.salk.edu>] PR#1294

  *) Preserve handler value on ProxyPass'ed requests by not
     calling find_types on a proxy'd request; fixes problems
     where some ProxyPass'ed URLs weren't actually passed
     to the proxy.
     [Lars Eilebrecht] PR#870

  *) Fix a byte ordering problem in mod_access which prevented
     the old-style syntax (i.e. "a.b.c." to match a class C)
     from working properly. [Dean Gaudet] PR#1248, 1328, 1384

  *) Fix problem with USE_FLOCK_SERIALIZED_ACCEPT not working
     properly. Each child needs to open the lockfile instead
     of using the passed file-descriptor from the parent. 
     [Jim Jagielski] PR#1056

  *) Fix the error logging in mod_cgi; the recent error log changes
     introduced a bug that prevented it from working correctly.
     [M.D.Parker] PR#1352

  *) Default to USE_FCNTL_SERIALIZED_ACCEPT on HPUX to properly 
     handle multiple Listen directives.  [Marc Slemko] PR#872

  *) Inherit a bugfix to fnmatch.c from FreeBSD sources.
     [Андрей Чернов <ache nagual.pp.ru>] PR#1311

  *) When a configuration parse complained about a bad directive,
     the logger would use whatever (unrelated) value was in errno.
     errno is now forced to EINVAL first in this case.  [Ken Coar]

  *) A sed command in the Configure script pushed the edge of POSIXness,
     breaking on some systems.  [Bhaba R.Misra <system vt.edu>] PR#1368

  *) Solaris >= 2.5 was totally broken due to a mess up using pthread
     mutexes.  [Roy Fielding, Dean Gaudet]

  *) OS/2 Port updated; it should be possible to build OS/2 from the same
     sources as Unix now.  [Brian Havard <brianh kheldar.apana.org.au>]

  *) Fix a year formatting bug in mod_usertrack.
     [Paul Eggert <eggert twinsun.com>] PR#1342

  *) A mild SIGTERM/SIGALRM race condition was eliminated.
     [Dean Gaudet] PR#1211

  *) Warn user that default path has changed if /usr/local/etc/httpd
     is found on the system.  [Lars Eilebrecht]

  *) Various mod_mime_magic bug fixes and cleanups: Uncompression
     should work, it should work on WIN32, and a few resource
     leaks and abort conditions are fixed.
     [Dean Gaudet] PR#1205

  *) PORT: On AIX 1.x files can't be named '@', fix the proxy cache
     to use '%' instead of '@' in its encodings.
     [David Schuler <schuld btv.ibm.com>] PR#1317

  *) Improve the warning message generated when the "server is busy".
     [Dean Gaudet] PR#1293

  *) PORT: All ports which don't otherwise define DEF_WANTHSREGEX will
     get Spencer regex by default.  This is to avoid having to
     discover bugs in operating system libraries.  [Dean Gaudet]

  *) PORT: "Fix" PR#467 by generating warnings on systems which we have
     not been able to get working USE_*_SERIALIZED_ACCEPT settings for.
     Document this a bit more in src/PORTING.  [Dean Gaudet] PR#467

  *) Ensure that one copy of config warnings makes it to the
     error_log.  [Dean Gaudet]

  *) Invent new structure and associated methods to handle config file
     reading. Add "custom" hook to use config file cfg_getline() on
     something which is not a FILE*  [Martin Kraemer]

  *) Make single-exe Windows install. [Ben Laurie and Eric Esselink]

  *) WIN32: Make CGI work under Win95. [Ben Laurie and Paul Sutton]

  *) WIN32: Make index.html and friends work under Win95. [Ben Laurie]

  *) PORT: Solaris 2.4 needs Spencer regex, the system regex is broken.
     [John Line <jml4 cam.ac.uk>] PR#1321

  *) Default pathname has been changed everywhere to /usr/local/apache
     [Sameer <sameer c2.net>]

  *) PORT: AIX now uses USE_FCNTL_SERIALIZED_ACCEPT.
     [David Bronder <David-Bronder uiowa.edu>] PR#849

  *) PORT: i386 AIX does not have memmove.
     [David Schuler <schuld btv.ibm.com>] PR#1267

  *) PORT: HPUX now defaults to using Spencer regex.
     [Philippe Vanhaesendonck <pvanhaes be.oracle.com>,
     Omar Del Rio <al112263 academ01.lag.itesm.mx>] PR#482, 1246

  *) PORT: Some versions of NetBSD don't automatically define
     __NetBSD__.  Workaround by defining NETBSD.
     [Chris Craft <ccraft cncc.cc.co.us>] PR#977

  *) PORT: UnixWare 2.x requires -lgen for syslog.
     [Hans Snijder <hs meganet.nl>] PR#1249

  *) PORT: ULTRIX appears to not have syslog.
     [Lars Eilebrecht <Lars.Eilebrecht unix-ag.org>]

  *) PORT: Basic Gemini port (treat it like unixware212).
     ["Pavel Yakovlev (Paul McHacker)" <hac tomcat.olly.ru>]

  *) PORT: All SVR4 systems now use NET_SIZE_T = size_t, and
     use USE_SHMGET_SCOREBOARD.
     [Martin Kraemer]

  *) Various improvements in detecting config file errors (missing closing
     directives for <Directory>, <Files> etc. blocks, prohibiting global
     server settings in <VirtualHost> blocks, flagging unhandled multiple
     arguments to <Directory>, <Files> etc.)
     [Martin Kraemer]

  *) Add support to suexec wrapper program for mod_unique_id's UNIQUE_ID
     variable to provide this one to suexec'd CGIs, too.
     [M.D.Parker <mdpc netcom.com>] PR#1284

  *) New support tool: src/support/split-logfile, a sample Perl script which
     splits up a combined access log into separate files based on the
     name of the virtual host (listed first in the log records by "%v").
     [Ken Coar]

Changes with Apache 1.3b2 (there is no 1.3b1)

  *) TestCompile was not passing $LIBS [Dean Gaudet]

  *) Makefile.tmpl was not using $CFLAGS in the link phase. 
     [Martin Kraemer]

  *) Add debugging code to alloc.c.  Defining ALLOC_DEBUG provides a
     rudimentary memory debugger which can be used on live servers with
     low impact -- it sets all allocated and freed memory bytes to 0xa5.
     Defining ALLOC_USE_MALLOC will cause the alloc code to use malloc()
     and free() for each object.  This is far more expensive and should
     only be used for testing with tools such as Electric Fence and
     Purify.  See main/alloc.c for more details.  [Dean Gaudet]

  *) Configure uses a sh trap and didn't set its exitcode properly.
     [Dean Gaudet] PR#1159

  *) Yet another vhost revamp.  Add the NameVirtualHost directive which
     explicitly lists the ip:port pairs that are to be used for name-vhosts.
     From a given ip:port, regardless what the Host: header is, you can
     only reach the vhosts defined on that ip:port.  The precedence of
     vhosts was reversed to match other precedences in the config --
     the earlier vhosts override the later vhosts.  All vhost matching was
     moved into http_vhost.[ch].  [Dean Gaudet]

  *) ap_inline can be used to force inlining.  GNUC __attribute__() can
     be used for whatever reason is appropriate (i.e. format() warnings
     for printf style functions).  Both are enabled only with
     gcc >= 2.7.x (so that we have fewer support issues with older
     versions).  [Dean Gaudet]

  *) Fix support for Proxy Authentication (we were testing the response
     status too early). [Marc Slemko]

  *) CoreDumpDirectory directive directs where the core file is
     written when a SIGSEGV, SIGBUS, SIGABORT or SIGABRT are
     received.  [Marc Slemko, Dean Gaudet]

  *) PORT: Support for Atari MINT.
     [Jan Paul Schmidt <Jan.P.Schmidt mni.fh-giessen.de>]

  *) When booting, apache will now detach itself from stdin, stdout,
     and stderr.  stderr will not be detached until after the config
     files have been read so you will be able to see initial error
     messages.  After that all errors are logged in the error_log.
     This makes it more convenient to start apache via rsh, ssh,
     or crontabs.  [Dean Gaudet] PR#523

  *) mod_proxy was sending HTTP/1.1 responses to ftp requests by mistake.
     Also removed the auto-generated link to www.apache.org that was the
     source of so many misdirected bug reports.  [Roy Fielding, Marc Slemko]

  *) send_fb would not detect aborted connections in some situations.
     [Dean Gaudet]

  *) mod_include would use uninitialized data when parsing certain
     expressions involving && and ||. [Brian Slesinsky] PR#1139

  *) mod_imap should only handle GET methods.  [Jay Bloodworth]

  *) suexec.c wouldn't build without -DLOG_EXEC. [Jason A. Dour]

  *) mod_autoindex improperly counted &escapes; as more than one
     character in the description.  It also improperly truncated