Newer
Older
[Remove entries to the current 2.0 section below, when backported]
*) Ensure that ssl-std.conf is generated at configure time, and switch
to using the expanded config variables to work the same as
httpd-std.conf PR 19611
[Thom May]
*) Fix a problem with namespace mappings being dropped in mod_dav_fs;
if any property values were set which defined namespaces these
came out mangled in the PROPFIND response. PR 11637.
[Amit Athavale <amit_athavale@persistent.co.in>]
*) prefork MPM: Use the right permissions for the directory created
for gprof support. [Jim Carlson <jcarlson@jnous.com>]
*) mod_log_config: Add the ability to log the id of the thread
processing the request via new %P formats. [Jeff Trawick]
*) ssl_toolkit_compat.h and code fixes to build clean on SSLC.
[William Rowe, Madhusudan Mathihalli]
*) Fix the inability to log errors like exec failure in
mod_ext_filter/mod_cgi script children. This was broken after
such children stopped inheriting the error log handle.
[Jeff Trawick]
*) Fix a compile failure with recent OpenSSL and picky compilers
(e.g., OpenSSL 0.9.7a and xlc_r on AIX). [Jeff Trawick]
*) ap_get_mime_headers_core: allocate space for the trailing null
when folding is in effect.
PR 18170 [Peter Mayne <PeterMayne@SPAM_SUX.ap.spherion.com>]
*) Do not bypass output filters when redirecting subrequests internally.
PR 17629. [André Malo]
Madhusudan Mathihalli
committed
*) OpenSSL headers should be included as "openssl/ssl.h", and not rely on
the INCLUDE path to be defined properly.
PR 11310. [Geoff Thrope <geoff@geoffthorpe.net>]
Madhusudan Mathihalli
committed
*) Modify APACHE_CHECK_SSL_TOOLKIT to detect SSL-C. [Madhusudan Mathihalli]
Madhusudan Mathihalli
committed
*) Replace the APACHE_CHECK_SSL_TOOLKIT method with a cleaner one, using
autoconf tools (AC_CHECK_HEADER, AC_CHECK_LIB etc).
[Geoff Thorpe <geoff@geoffthorpe.net>]
*) ssl session caching(shmht) : Fix a SEGV problem with SHMHT session
caching. PR 17864.
[Andreas Leimbacher <andreasl67@yahoo.de>, Madhusudan Mathihalli]
*) change directive name from 'compressionlevel' to 'deflatecompressionlevel'
[Ian Holsman, André Malo]
*) mod_negotiation: quality values are now parsed independent from
the current locale. level values are now really parsed as integers.
PR 17564. [André Malo]
*) Linux 2.4+: enable coredumps when Apache is started as root
if CoreDumpDir is configured [Greg Ames]
*) Added the WindowsSocketsWorkaround directive for Windows NT/2000/XP
to work around problems with certain VPN and Firewall products that
have buggy AcceptEx implementations.
[Allan Edwards w/ suggestions from Bill Stoddard & Bill Rowe]
*) Extend mod_negotiation to evaluate the environment variables
no-gzip and gzip-only-text/html the same way as mod_deflate does.
[André Malo]
*) mod_rewrite: Fix some problems reporting errors with mapping
programs (RewriteMap prg:/something). [Jeff Trawick]
*) Fix mod_rewrite's handling of absolute URIs. The escaping routines
now work scheme dependent and the query string will only be
appended if supported by the particular scheme. [André Malo]
Justin Erenkrantz
committed
*) Return 413 if chunk-ext-header is too long rather than reading from
the truncated line. PR 15857. [Justin Erenkrantz]
Justin Erenkrantz
committed
*) If mod_mime_magic does not know the content-type, do not attempt to
guess. PR 16908. [Andrew Gapon <agapon@telcordia.com>]
*) Allow restart of httpd to occur even with syntax errors in the config
file. PR 16813. [Justin Erenkrantz]
*) Use APR_LAYOUT instead of APACHE_LAYOUT in configure. PR 15679.
[Justin Erenkrantz]
*) Remove files on 'make distclean' that should be. PR 15592.
[Justin Erenkrantz]
Justin Erenkrantz
committed
*) Allow apachectl to perform status with links and elinks as well.
[Justin Erenkrantz]
*) Extend the SetEnvIf directive to capture subexpressions of the
matched value. [André Malo]
*) mod_log_config change optional hook to return previous handler
[Ian Holsman]
*) Forward port of mod_actions' ability to handle arbitrary methods
with the Script directive. [André Malo]
*) Let suexec send a message to stderr, if it failed or its policy
was violated. This message appears in the error log and allows
for easier debugging. PR 5381, 7638, 8255, 10773. [André Malo]
Justin Erenkrantz
committed
*) Modify buildconf to copy all required files into httpd's tree.
[Thom May <thom@planetarytramp.net>]
Justin Erenkrantz
committed
*) Allow mod_dav to do weak entity comparison functions.
[Justin Erenkrantz]
*) mod_negotiation: Introduce "prefer-language" environment variable,
which allows to influence the negotiation process on request basis
to prefer a certain language. [André Malo]
*) Move RFC 1413 ident requests from core to new module mod_ident.
[André Malo]
*) Add mod_authz_owner - a forward port of "Require file-owner"
and "Require file-group", which was already present in version
1.3.21. [André Malo]
Justin Erenkrantz
committed
*) Add mod_dav_lock - a generic subset of the DAV locking implementation.
[Justin Erenkrantz]
*) Replace some of the mutex locking in the worker MPM with
atomic operations for higher concurrency. [Brian Pane]
*) Allow 'make depend' to work with non-GCC compilers.
[Justin Erenkrantz]
*) If an httpd.conf has commented out AddModule directives,
apxs -i -a will add an un-commented AddModule directive for
the new module, which breaks the config.
PR: 11212 [Joe Orton]
Justin Erenkrantz
committed
*) Fix mod_proxy handling of filtered input bodies. [Justin Erenkrantz]
*) Move the check of the Expect request header field after the hook
for ap_post_read_request, since that is the only opportunity for
modules to handle Expect extensions. [Justin Erenkrantz]
*) Rewrite of aaa modules to an authn/authz model.
[Dirk-Willem van Gulik, Justin Erenkrantz]
[Apache 2.1.0-dev includes those bug fixes and changes with the
Apache 2.0.xx tree as documented, and except as noted, below.]
*) Use appropriate language code for Czech (cs) and Traditional Chinese
(zh-tw) in default config files. PR 9427. [André Malo]
*) mod_auth_ldap: Use generic whitespace character class when parsing
"require" directives, instead of literal spaces only. PR 17135.
[André Malo]
*) Hook mod_rewrite's type checker before mod_mime's one. That way the
RewriteRule [T=...] Flag should work as expected now. PR 19626.
[André Malo]
*) htpasswd: Check the processed file on validity. If a line is not empty
and not a comment, it must contain at least one colon. Otherwise exit
with error code 7. [Kris Verbeeck <Kris.Verbeeck@ubizen.com>, Thom May]
*) Fix a problem that caused httpd to be linked with incorrect flags
on some platforms when mod_so was enabled by default, breaking
DSOs on AIX. PR 19012 [Jeff Trawick]
*) By default, use the same CC and CPP with which APR was built.
The user can override with CC and CPP environment variables.
[Jeff Trawick]
*) Fix ap_construct_url() so that it surrounds IPv6 literal address
strings with []. This fixes certain types of redirection.
PR 19207. [Jeff Trawick]
*) forward port of buffer overflow fixes for htdigest. [Thom May]
*) Added AllowEncodedSlashes directive to permit control of whether
the server will accept encoded slashes ('%2f') in the URI path.
Default condition is off (the historical behaviour). This permits
environments in which the path-info needs to contain encoded
slashes. PR 543, 2389, 3581, 3589, 5687, 7066, 7865, 14639. [Ken Coar]
*) When using Redirect in directory context, append requested query
string if there's no one supplied by configuration. PR 10961.
[André Malo]
*) Unescape the supplied wildcard pattern in mod_autoindex. Otherwise
the pattern will not always match as desired. PR 12596.
[André Malo]
*) mod_autoindex now emits and accepts modern query string parameter
delimiters (;). Thus column headers no longer contain unescaped
ampersands. PR 10880 [André Malo]
Allan K. Edwards
committed
*) Enable ap_sock_disable_nagle for Windows. This along with the
addition of APR_TCP_NODELAY_INHERITED to apr.hw will cause Nagle
to be disabled for Windows. [Allan Edwards]
*) Fix a build problem with passing unsupported --enable-layout
args to apr and apr-util. This broke binbuild.sh as well as
user-specified layout parameters. PR 18649 [Justin Erenkrantz,
Jeff Trawick]
*) If a Date response header was already set in the headers array,
this value was ignored in favour of the current time. This meant
that Date headers on proxied requests where rewritten when they
should not have been. PR: 14376 [Graham Leggett]
*) Add code to buildconf that produces an httpd.spec file from
httpd.spec.in, using build/get-version.sh from APR.
[Graham Leggett]
*) Fixed a segfault when multiple ProxyBlock directives were used.
PR: 19023 [Sami Tikka <sami.tikka@f-secure.com>]
*) SECURITY [CAN-2003-0134] OS2: Fix a Denial of Service vulnerability
identified and reported by Robert Howard <rihoward@rawbw.com> that
where device names faulted the running OS2 worker process.
The fix is actually in APR 0.9.4. [Brian Havard]
*) Forward port: Escape special characters (especially control
characters) in mod_log_config to make a clear distinction between
client-supplied strings (with special characters) and server-side
strings. This was already introduced in version 1.3.25.
[André Malo]
*) mod_deflate: Check also err_headers_out for an already set
Content-Encoding: gzip header. This prevents gzip compressed content
from a CGI script from being compressed once more. PR 17797.
[André Malo]
Changes with Apache 2.0.45
*) Fix possible segfaults under obscure error conditions within the
cgid daemon. [Jeff Trawick, William Rowe]
*) SECURITY [CAN-2003-0132]: Close a Denial of Service vulnerability
identified by David Endler <DEndler@iDefense.com> on all platforms.
An unlimited stream of newlines were acceptable between requests
where each <lf> would allocate an 80 byte buffer, leading very
quickly to memory exahustion. [Brian Pane]
*) Added an rpm build script.
[Graham Leggett, Joe Orton <jorton@redhat.com>]
*) Simpler, faster code path for request header scanning [Brian Pane]
processes, such as CGI scripts. This fix depends on the APR library
release 0.9.2 or later (0.9.3 was distributed with the httpd
source tarball for Apache 2.0.45.) PR 17206
[Christian Kratzer <ck@cksoft.de>, Bjoern A. Zeeb <bz@zabbadoz.net>]
*) Fix path handling of mod_rewrite, especially on non-unix systems.
There was some confusion between local paths and URL paths.
PR 12902. [André Malo]
*) Prevent endless loops of internal redirects in mod_rewrite by
aborting after exceeding a limit of internal redirects. The
limit defaults to 10 and can be changed using the RewriteOptions
directive. PR 17462. [André Malo]
*) Win32: Avoid busy wait (consuming all the CPU idle cycles) when
all worker threads are busy.
[Igor Nazarenko <igor_nazarenko@hotmail.com>]
*) Keep the subrequest filter in place when a subrequest is
redirected. PR 15423. [Jeff Trawick]
*) you can now specify the compression level for mod_deflate.
[Ian Holsman, Stephen Pierzchala <stephen@pierzchala.com>,
Michael Schroepl <Michael.Schroepl@telekurs.de>]
*) mod_deflate: Extend the DeflateFilterNote directive to
allow accurate logging of the filter's in- and outstream.
[André Malo]
*) Allow SSLMutex to select/use the full range of APR locking
mechanisms available to it. Also, fix the bug that SSLMutex uses
APR_LOCK_DEFAULT no matter what. PR 8122 [Jim Jagielski,
martin.t.kutschker@blackbox.net (Martin Kutschker)]
*) Restore the ability of htdigest.exe to create files that contain
more than one user. PR 12910. [André Malo]
*) Improve binary compatibility of the core between debug (aka
maintainer-mode) and a non-debug compile.
[Sander Striker]
*) mod_usertrack: don't set the cookie in subrequests. This works
around the problem that cookies were set twice during fast internal
redirects. PR 13211. [André Malo]
*) mod_autoindex no longer forgets output format and enabled version
sort in linked column headers. [André Malo]
*) Use .sv instead of .se as extension for Swedish documents in the
default configuration. PR 12877. [André Malo]
*) Updated mod_ldap and mod_auth_ldap to support the Novell LDAP SDK SSL
Bradley Nicholes
committed
and standardized the LDAP SSL support across the various LDAP SDKs.
Isolated the SSL functionality to mod_ldap rather than speading it
across mod_auth_ldap and mod_ldap. Also added LDAPTrustedCA
and LDAPTrustedCAType directives to mod_ldap to allow for a more
common method of specifying the SSL certificate.
[Dave Ward, Brad Nicholes]
*) Fixed mod_ssl's SSLCertificateChain initialization to no longer
skip the first cert of the chain by default. This misbehavior
was introduced in 2.0.34. PR 14560 [Madhusudan Mathihalli]
*) mod_cgi, mod_cgid, mod_ext_filter: Log errors when scripts cannot
be started on Unix because of such problems as bad permissions,
bad shebang line, etc. [Jeff Trawick]
*) Fix 64-bit problem in mod_ssl input logic.
[Madhusudan Mathihalli <madhusudan_mathihalli@hp.com>]
*) Fix potential memory leaks in mod_deflate on malformed data. PR 16046.
[Justin Erenkrantz]
*) Rewrite ap_xml_parse_input to use bucket brigades. PR 16134.
[Justin Erenkrantz]
*) Fix segfault which occurred when a section in an included
configuration file was not closed. PR 17093. [André Malo]
*) Enhance the behavior of mod_isapi's WriteClient() callback to
provide better emulation for isapi modules that presume that the
first WriteClient() call may send status and headers. An example
of WriteClient() abuse is the foxisapi module, which relies on
that assumpion and now works. [William Rowe, Milan Kosina]
*) Check the return value of ap_run_pre_connection(). So if the
pre_connection phase fails (without setting c->aborted)
ap_run_process_connection is not executed. [Stas Bekman]
*) Fixed a problem with mod_ldap which caused it to fault when caching
was disabled. Needed to make sure that the code did not
attempt to use the cache if it didn't exist. Also fixed some memory
leaks which were due to not releasing LDAP resources on error
conditions. [Brad Nicholes]
*) Hook mod_proxy's fixup before mod_rewrite's fixup, so that by
mod_rewrite proxied URLs will not be escaped accidentally by
mod_proxy's fixup. PR 16368 [André Malo]
*) While processing filters on internal redirects, remember seen EOS
buckets also in the request structure of the redirect issuer(s). This
prevents filters (such as mod_deflate) from adding garbage to the
response. PR 14451. [André Malo]
*) suexec: Be more pedantic when cleaning environment. Clean it
immediately after startup. PR 2790, 10449.
[Jeff Stewart <jws@purdue.edu>, André Malo]
*) Fix apxs to insert LoadModule directives only outside of sections.
PR 8712, 9012. [André Malo]
*) Fix suexec compile error under SUNOS4, where strerror() doesn't
exist. PR 5913, 9977.
[Jonathan W Miner <Jonathan.W.Miner@lmco.com>]
*) Fix If header parsing when a non-mod_dav lock token is passed to it.
PR 16452. [Justin Erenkrantz]
*) mod_auth_digest no longer tries to guess AuthDigestDomain, if it's
not specified. Now it assumes "/" as already documented. PR 16937.
[André Malo]
*) Try to log an error if a piped log program fails. Try to
restart a piped log program in more failure situations. Fix an
existing problem with error handling in piped_log_spawn(). Use
new APR apr_proc_create() features to prevent Apache from starting
on Unix* in most cases where a piped log program can be started,
and add log messages for the other situations. *Other platforms
already failed Apache initialization if a piped log program
couldn't be started. PR 15761 [Jeff Trawick]
*) Fix mod_cern_meta to not create empty metafiles when the
metafile searched for does not exist. PR 12353
[Owen Rees <owen_rees@hp.com>]
*) Introduce debugging symbols for Win32 release builds, both .pdb
and .dbg files (older debuggers and Dr. Watson-type utilities
on WinNT or Win9x don't support the newer .pdb flavor.)
[Allen Edwards, William Rowe]
*) Fix bug where 'Satisfy Any' without an AuthType lost all MIME
information (and more). Related to PR 9076. [André Malo]
*) mod_file_cache: fix segfault serving mmaped cached files.
[Bill Stoddard]
*) mod_file_cache: fixed a segfault when multiple MMapFile directives
were used. PR 16313. [Cliff Woolley]
*) Fix a nasty segfault in mmap_bucket_setaside() caused by passing
an incompatible pointer type to mmap_bucket_destroy(void*).
[Gerard Eviston <geviston@bigpond.net.au>]
*) Enable the -n name parameter on NetWare to allow the
administrator to rename the Apache console screen
[Brad Nicholes]
*) Fixed piped access logs on Win32 by disabling OTHER_CHILD
support by default in APR. More development is required
to deploy OTHER_CHILD on Win32. [William Rowe]
*) Use saner default config values for suexec. PR 15713.
[Thom May <thom@planetarytramp.net>]
*) mod_rewrite: Allow "RewriteEngine Off" even if no "Options FollowSymlinks"
(or SymlinksIfOwnermatch) is set. PR 12395. [André Malo]
*) apxs: Include any special APR ld flags when linking the DSO.
This resolves problems on AIX when building a DSO with apxs+gcc.
[Jeff Trawick]
*) Added character set support to mod_auth_LDAP to allow it to
convert extended characters used in the user ID to UTF-8
before authenticating against the LDAP directory. The new
directive AuthLDAPCharsetConfig is used to specify the config
file that contains the character set conversion table.
[Brad Nicholes]
*) Don't remove the Content-Length from responses in mod_proxy
PR: 8677 [Brian Pane]
*) Ensure LDAP version is set to v3 on every bind. PR 14235.
[Sergey A. Lipnevich <sergeyli@pisem.net>]
*) Fix mod_ldap to open an existing shared memory file should one
already exist. PR 12757. [Scooter Morris <scooter@gene.com>,
Graham Leggett]
*) Fix the ulimit command used by apachectl on Tru64. PR 13609.
[Joseph Senulis <Joseph.Senulis@dnr.state.wi.us>, Jeff Trawick]
*) Change the ulimit command used by apachectl on AIX so that it
works in all locales. [Jeff Trawick]
*) mod_ext_filter: Fix a problem building argument lists which
occasionally caused exec to fail. PR 15491. [Jeff Trawick]
Changes with Apache 2.0.44
*) mod_autoindex: Bring forward the IndexOptions IgnoreCase option
from Apache 1.3. PR 14276
[David Shane Holden <dpejesh@yahoo.com>, William Rowe]
*) mod_mime: Workaround to prevent a segfault if r->filename=NULL
[Brian Pane]
*) Reorder the definitions for mod_ldap and mod_auth_ldap within
config.m4 to make sure the parent mod_ldap is defined first.
This ensures that mod_ldap comes before mod_auth_ldap in the
httpd.conf file, which is necessary for mod_auth_ldap to load.
PR 14256 [Graham Leggett]
*) Fix the building of cgi command lines when the query string
contains '='. PR 13914 [Ville Skyttä <ville.skytta@iki.fi>,
Jeff Trawick]
*) Rename CacheMaxStreamingBuffer to MCacheMaxStreamingBuffer. Move
implementation of MCacheMaxStreamingBuffer from mod_cache to
mod_mem_cache. MCacheMaxStreamingBuffer now defaults to the
lesser of 100,000 bytes or MCacheMaxCacheObjectSize. This should
eliminate the need for explicitly coding MCacheMaxStreamingBuffer
in most configurations. [Bill Stoddard]
*) mod_cache: Fix PR 15113, a core dump in cache_in_filter when
a redirect occurs. The code was passing a format string and
integer to apr_pstrcat. Changed to apr_psprintf.
[Paul J. Reder]
*) Replace APU_HAS_LDAPSSL_CLIENT_INIT with APU_HAS_LDAP_NETSCAPE_SSL
as set by apr-util in util_ldap.c. This should allow mod_ldap
to work with the Netscape/Mozilla LDAP library. [Øyvin Sømme
<somme@oslo.westerngeco.slb.com>, Graham Leggett]
*) Fix critical bug in new --enable-v4-mapped configure option
implementation which broke IPv4 listening sockets on some
systems. [hiroyuki hanai <hanai@imgsrc.co.jp>]
*) mod_setenvif: Fix BrowserMatchNoCase support for non-regex
patterns [André Malo <nd@perlig.de>]
*) Add version string to provider API. [Justin Erenkrantz]
*) build: './configure && make' now works without an in-tree
apr and apr-util. [Wilfredo Sanchez]
*) mod_negotiation: Set the appropriate mime response headers
(Content-Type, charset, Content-Language and Content-Encoding)
for negotated type-map "Body:" responses (such as the error
pages.) [André Malo <nd@perlig.de>]
*) mod_log_config: Allow '%%' escaping in CustomLog format
strings to insert a literal, single '%'.
[André Malo <nd@perlig.de>]
*) mod_autoindex: AddDescription directives for directories
now work as in Apache 1.3, where no trailing '/' is
specified on the directory name. Previously, the trailing
'/' *had* to be specified, which was incompatible with
Apache 1.3. PR 7990 [Jeff Trawick]
*) Fix for PR 14556. The expiry calculations in mod_cache were
trying to perform "now + ((date - lastmod) * factor)" where
date == lastmod resulting in "now + 0". The code now follows
the else path (using the default expiration) if date is
equal to lastmod. [rx@armstrike.com (Sergey), Paul J. Reder]
*) Use AP_DECLARE in the debug versions of ap_strXXX in case the
default calling convention is not the same as the one used by
AP_DECLARE. [Juan Rivera <Juan.Rivera@citrix.com>]
*) mod_cache: Don't cache response header fields designated
as hop-by-hop headers in HTTP/1.1 (RFC 2616 Section 13.5.1).
[Estrade Matthieu <estrade-m@ifrance.com>, Brian Pane]
*) mod_cgid: Handle environment variables containing newlines.
PR 14550 [Piotr Czejkowski <apache@czarny.eu.org>, Jeff
Trawick]
*) Move mod_ext_filter out of experimental and into filters.
[Jeff Trawick]
*) Fixed a memory leak in mod_deflate with dynamic content.
PR 14321 [Ken Franken <kfranken@decisionmark.com>]
*) Add --[enable|disable]-v4-mapped configure option to control
whether or not Apache expects to handle IPv4 connections
on IPv6 listening sockets. Either setting will work on
systems with the IPV6_V6ONLY socket option. --enable-v4-mapped
must be used on systems that always allow IPv4 connections on
IPv6 listening sockets. PR 14037 (Bugzilla), PR 7492 (Gnats)
[Jeff Trawick]
*) This fixes a problem where the underlying cache code
indicated that there was one more element on the cache
than there actually was. This happened since element 0
exists but is not used. This code allocates the correct
number of useable elements and reports the number of
actually used elements. The previous code only allowed
MCacheMaxObjectCount-1 objects to be stored in the
cache. [Paul J. Reder]
*) mod_setenvif: Add SERVER_ADDR special keyword to allow
envariable setting according to the server IP address
which received the request. [Ken Coar]
*) mod_cgid: Terminate CGI scripts when the client connection
drops. PR 8388 [Jeff Trawick]
*) Rearrange OpenSSL engine initialization to support RAND
redirection on crypto accelerator.
[Frederic DONNAT <frederic.donnat@zencod.com>]
*) Always emit Vary header if mod_deflate is involved in the
request. [Andre Malo <nd@perlig.de>]
*) mod_isapi: Stop unsetting the 'empty' query string result with
a NULL argument in ecb->lpszQueryString, eliminating segfaults
for some ISAPI modules. PR 14399
[Detlev Vendt <detlev.vendt@brillit.de>]
*) mod_isapi: Fix an issue where the HSE_REQ_DONE_WITH_SESSION
notification is received before the HttpExtensionProc() returns
HSE_STATUS_PENDING. This only affected isapi .dll's configured
with the ISAPIFakeAsync on directive. PR 11918
[John DeSetto <jdesetto@radiantsystems.com>, William Rowe]
*) mod_isapi: Fix the issue where all results from mod_isapi would
run through the core die handler resulting in invalid responses
or access log entries. PR 10216 [William Rowe]
*) Improves the user friendliness of the CacheRoot processing
over my last pass. This version avoids the pool allocations
but doesn't avoid all of the runtime checks. It no longer
terminates during post-config processing. An error is logged
once per worker, indicating that the CacheRoot needs to be set.
[Paul J. Reder]
*) Fix a bug where we keep files open until the end of a
keepalive connection, which can result in:
(24)Too many open files: file permissions deny server access
especially on threaded servers. [Greg Ames, Jeff Trawick]
*) Fix a bug in which mod_proxy sent an invalid Content-Length
when a proxied URL was invoked as a server-side include within
a page generated in response to a form POST. [Brian Pane]
*) Added code to process min and max file size directives and to
init the expirychk flag in mod_disk_cache. Added a clarifying
comment to cache_util. [Paul J. Reder]
Justin Erenkrantz
committed
*) The value emitted by ServerSignature now mimics the Server HTTP
header as controlled by ServerTokens. [Francis Daly <deva@daoine.org>]
*) Gracefully handly retry situations in the SSL input filter,
by following the SSL libraries' retry semantics.
[William Rowe]
*) Terminate CGI scripts when the client connection drops. This
fix only applies to some normal paths in mod_cgi. mod_cgid
is still busted. PR 8388 [Jeff Trawick]
*) Fix a bug where 416 "Range not satisfiable" was being
returned for content that should have been redirected.
[Greg Ames]
*) Fix memory leak in mod_ssl from internal SSL library allocations
within SSL_get_peer_certificate and X509_get_pubkey.
[Zvi Har'El <rl@math.technion.ac.il>
Madhusudan Mathihalli <madhusudan_mathihalli@hp.com>].
*) mod_ssl uses free() inappropriately in several places, to free
memory which has been previously allocated inside OpenSSL.
Such memory should be freed with OPENSSL_free(), not with free().
[Nadav Har'El <nyh@math.technion.ac.il>,
Madhusudan Mathihalli <madhusudan_mathihalli@hp.com>].
*) Emit a message to the error log when we return 404 because
the URI contained '%2f'. (This was previously nastily silent
and difficult to debug.) [Ken Coar]
*) Fix streaming output from an nph- CGI script. CGI:IRC now
works. PR 8482 [Jeff Trawick]
*) More accurate logging of bytes sent in mod_logio when
the client terminates the connection before the response
is completely sent [Bojan Smojver <bojan@rexursive.com>]
*) Fix some problems in the perchild MPM.
[Jonas Eriksson <jonas@webkonsulterna.com>]
*) Change the CacheRoot processing to check for a required
value at config time. This saves a lot of wasted processing
if the mod_disk_cache module is loaded but no CacheRoot
was provided. This fix also adds code to log an error
and avoid useless pallocs and procesing when the computed
cache file name cannot be opened. This also updates the
docs accordingly. [Paul J. Reder]
*) Introduce the EnableSendfile directive, allowing users of NFS
shares to disable sendfile mechanics when they either fail
outright or provide intermitantly corrupted data. PR
[William Rowe]
*) Resolve the error "An operation was attempted on something
that is not a socket. : winnt_accept: AcceptEx failed.
Attempting to recover." for users of various firewall and
anti-virus software on Windows. PR 8325 [William Rowe]
*) Add the ProxyBadHeader directive, which gives the admin some
control on how mod_proxy should handle bogus HTTP headers from
proxied servers. This allows 2.0 to "emulate" 1.3's behavior if
desired. [Jim Jagielski]
*) Change the LDAP modules to export their symbols correctly
during a Windows build. Add dsp files for Windows. Update
README.ldap file for Windows build instructions.
[Andre Schild <A.Schild@aarboard.ch>]
*) Performance improvements for the code that generates HTTP
response headers [Brian Pane]
*) Add -S as a synonym for -t -DDUMP_VHOSTS.
[Thom May <thom@planetarytramp.net>]
*) Fix a bug with dbm rewrite maps which caused the wrong value to
be used when the key was not found in the dbm. PR 13204
[Jeff Trawick]
*) Fix a problem with streaming script output and mod_cgid.
[Jeff Trawick]
*) Add ap_register_provider/ap_lookup_provider API.
[John K. Sterling <john@sterls.com>, Justin Erenkrantz]
*) SECURITY: [CAN-2002-0840] HTML-escape the address produced by
ap_server_signature() against this cross-site scripting
vulnerability exposed by the directive 'UseCanonicalName Off'.
Also HTML-escape the SERVER_NAME environment variable for CGI
and SSI requests. It's safe to escape as only the '<', '>',
and '&' characters are affected, which won't appear in a valid
hostname. Reported by Matthew Murphy <mattmurphy@kc.rr.com>.
[Brian Pane]
*) Fix a core dump in mod_cache when it attemtped to store uncopyable
buckets. This happened, for instance, when a file to be cached
contained SSI tags to execute a CGI script (passed as a pipe
bucket). [Paul J. Reder]
*) Ensure that output already available is flushed to the network
when the content-length filter realizes that no new output will
be available for a while. This helps some streaming CGIs as
well as some other dynamically-generated content. [Jeff Trawick]
*) Fix a mutex problem in mod_ssl session cache support which
could lead to an infinite loop. PR 12705
[amund.elstad@ergo.no (Amund Elstad), Jeff Trawick]
*) SECURITY: CAN-2002-1156 (cve.mitre.org)
Fix the exposure of CGI source when a POST request is sent to
a location where both DAV and CGI are enabled. [Ryan Bloom]
*) Allow the UserDir directive to accept a list of directories.
This matches what Apache 1.3 does. Also add documentation for
this feature. [Jay Ball <jay@veggiespam.com>]
*) New Module: mod_logio. adds the ability to log bytes sent and
received. [Bojan Smojver <bojan@rexursive.com>]
*) SuExec needs to use the same default directory as the rest of
server, namely /usr/local/apache2.
[SangBeom han <sbhan@os.korea.ac.kr>]
*) Get mod_auth_ldap to retry connections on LDAP_SERVER_DOWN.
[Thomas Bennett <thomas.bennett@eds.com>, Graham Leggett]
*) Make sure the contents of the WWW-Authenticate header is
passed on a 4xx error by proxy. Previously all headers
were dropped, resulting in the browser being unable to
authenticate. [Dr Richard Reiner <rreiner@fscinternet.com>,
Richard Danielli <rdanielli@fscinternet.com>, Graham Wiseman
<gwiseman@fscinternet.com>, David Henderson
<dhenderson@fscinternet.com>]
*) Make mod_cache's CacheMaxStreamingBuffer directive work
properly for virtual hosts that override server-wide mod_cache
setttings. [Matthieu Estrade <estrade-m@ifrance.com>]
*) Add -p option to apxs to allow programs to be compiled with apxs.
[Justin Erenkrantz]
*) mod_dav: Check for versioning hooks before using them.
[Greg Stein]
*) The protocol version (eg: HTTP/1.1) in the request line parsing
is now case insensitive. [Jim Jagielski]
*) Allow AddOutputFilterByType to add multiple filters per directive.
[Justin Erenkrantz]
*) Remove warnings with Sun's Forte compiler. [Justin Erenkrantz]
*) Fixed mod_disk_cache's generation of 304s
[Kris Verbeeck <Kris.Verbeeck@ubizen.com>]
*) Add support for using fnmatch patterns in the final path
segment of an Include statement (eg.. include /foo/bar/*.conf).
and remove the noise on stderr during config dir processing.
[Joe Orton <jorton@redhat.com>]
*) mod_cache: cache_storage.c. Add the hostname and any request
args to the key generated for caching. This provides a unique
key for each virtual host and for each request with unique
args. [Paul J. Reder, args code provided by Kris Verbeeck]
*) mod_cache: Do not cache responses to GET requests with query
URLs if the origin server does not explicitly provide an
Expires header on the response (RFC 2616 Section 13.9)
[Kris Verbeeck krisv@be.ubizen.com]
*) Fix memory leak in core_output_filter. [Justin Erenkrantz]
*) Update OpenSSL detection to work on Darwin.
[Sander Temme <sctemme@covalent.net>]
*) Update the xslt and css to give the documentation a more
modern style.
[André Malo <nd@perlig.de>, Gernot Winkler <greh@o3media.de>]
*) Fix some bucket memory leaks in the chunking code
[Joe Schaefer <joe+apache@sunstarsys.com>]
*) Add ModMimeUsePathInfo directive. [Justin Erenkrantz]
*) mod_cache: added support for caching streamed responses (proxy,
CGI, etc) with optional CacheMaxStreamingBuffer setting [Brian Pane]
*) Add image/x-icon to httpd.conf PR 10993.
[Ian Holsman, Peter Bieringer <pb@bieringer.de>]
*) Fix FileETags none operation. PR 12207.
[Justin Erenkrantz, Andrew Ho <andrew@tellme.com>]
*) Restored the experimental leader/followers MPM to working
condition and converted its thread synchronization from
mutexes to atomic CAS. [Brian Pane]
*) Fix Logic on non-html file removal in mod_deflate
[Kris Verbeeck <Kris.Verbeeck@ubizen.com>]
*) Fix "ab -g"'s truncated year: the last digit was cut off.
[Leon Brocard <acme@astray.com>]
*) mod_rewrite can now sets cookies in err_headers, uses the correct
expiry date, and can now set the path as well
PR 12132,12181,12172.
[Ian Holsman / Rob Cromwell <apachechangelog@robcromwell.com>]
*) The content-length filter no longer tries to buffer up
the entire output of a long-running request before sending
anything to the client. [Brian Pane]
*) Win32: Lower the default stack size from 1MB to 256K. This will
allow around 8000 threads to be started per child process.
'EDITBIN /STACK:size apache.exe' can be used to change this
value directly in the apache.exe executable.
[Bill Stoddard]
*) Win32: Implement ThreadLimit directive in the Windows MPM.
*) Remove CacheOn config directive since it is set but never checked.
No sense wasting cycles on unused code. Besides, the only truly
bug free code is deleted code. :) [Paul J. Reder]
*) BufferLogs are now run-time enabled, and the log_config now has 2 new
callbacks to allow a 3rd party module to actually do the writing of the
log file [Ian Holsman]
*) Correct ISAPIReadAheadBuffer to default to 49152, per mod_isapi docs.
[André Malo, Astrid Keßler <kess@kess-net.de>]
*) Fix Segfault in mod_cache. [Kris Verbeeck <Kris.Verbeeck@ubizen.com>]
*) Fix a null pointer dereference in the merge_env_dir_configs
function of the mod_env module. PR 11791
[Paul J. Reder]
*) New option to ServerTokens 'maj[or]'. Only show the major version
Also Surfaced this directive in the standard config (default FULL)
[Ian Holsman]
*) Change mod_rewrite to use apr-util's dbm support for dbm rewrite
maps. The dbm type (e.g., ndbm, gdbm) can be specified on the
RewriteMap directive. PR 10644 [Jeff Trawick]
*) Fixed mod_rewrite's RewriteMap prg: support so that request/response
pairs will no longer get out of sync with each other. PR 9534
[Cliff Woolley]
*) Fixes required to get quoted and escaped command args working in
mod_ext_filter. PR 11793 [Paul J. Reder]
*) mod-proxy: handle proxied responses with no status lines
[JD Silvester <jsilves@uwo.ca>, Brett Huttley <brett@huttley.net>]
*) Fix bug where environment or command line arguments containing
non-ASCII-7 characters would cause the Win32 child process creation
to fail. PR 11854 [William Rowe]
*) Bug #11213.. make module loading error messages more informative
[Ian Darwin <Ian779@darwinsys.com>]
*) thread safety & proxy-ftp [Alexey Panchenko alexey@liwest.ru, Ian Holsman]
*) mod_disk_cache works much better. This module should still
be considered experimental. [Eric Prud'hommeaux]
*) Performance improvement for keepalive requests: when setting
aside a small file for potential concatenation with the next
response on the connection, set aside the file descriptor rather
than copying the file into the heap. [Brian Pane]
*) Modified version check on openssl so that it finds the executable
first and then performs a check of the version, only warning the
user if they chose, or we selected, an old version of OpenSSL.
This change also allows the code to work for non-openssl libraries
selected via the --with-ssl=dir option, which can override the
automated library check in any case. [Roy Fielding]
*) SECURITY: [CAN-2002-0661] Close a very significant security hole that
applies only to the Win32, OS2 and Netware platforms. Unix was not
affected, Cygwin may be affected. Certain URIs will bypass security
and allow users to invoke or access any file depending on the system
configuration. Without upgrading, a single .conf change will close
the vulnerability. Add the following directive in the global server
httpd.conf context before any other Alias or Redirect directives;
RedirectMatch 400 "\\\.\."
Reported by Auriemma Luigi <bugtest@sitoverde.com>.
[Brad Nicholes]
*) SECURITY: Close a path-revealing exposure in multiview type
map negotiation (such as the default error documents) where the
module would report the full path of the typemapped .var file when
multiple documents or no documents could be served based on the mime
negotiation. Reported by Auriemma Luigi <bugtest@sitoverde.com>.
[CAN-2002-0654] [William Rowe]
*) SECURITY: Close a path-revealing exposure in cgi/cgid when we
fail to invoke a script. The modules would report "couldn't create
child process /path-to-script/script.pl" revealing the full path
of the script. Reported by Jim Race <jrace@qualys.com>.
[CAN-2002-0654] [Bill Stoddard]
*) Set aside the apr-iconv and apr_xlate() features for the Win32
build of 2.0.40 so development can be completed. A patch, from
<http://www.apache.org/dist/httpd/patches/apply_to_2.0.40/>
will be available for those that wish to work with apr-iconv.
[William Rowe]
*) Fix proxy so that it is possible to access ftp: URLs via a proxy
chain. [Peter Van Biesen <peter.vanbiesen@vlafo.be>]
*) mod-deflate now checks to make sure that 'gzip-only-text/html' is
Ian Holsman
committed
set to 1, so we can exclude things from the general case with
browsermatch. [Ian Holsman, Andre Schild <A.Schild@aarboard.ch>]
*) Accept multiple leading /'s for requests within the DocumentRoot.
*) Solved the reports of .pdf byterange failures on Win32 alone.
APR's sendfile for the win32 platform collapses header and trailer
buffers into a single buffer. However, we destroyed the pointers
to the header buffer if a trailer buffer was present. PR 10781
[William Rowe]
*) mod_ext_filter: Add the ability to enable or disable a filter via
an environment variable. Add the ability to register a filter of
type other than AP_FTYPE_RESOURCE. [Jeff Trawick]
*) Restore the ability to specify host names on Listen directives.
PR 11030. [Jeff Trawick, David Shane Holden <dpejesh@yahoo.com>]
*) When deciding on the default address family for listening sockets,
make sure we can actually bind to an AF_INET6 socket before
deciding that we should default to AF_INET6. This fixes a startup
problem on certain levels of OpenUNIX. PR 10235. [Jeff Trawick]
Wilfredo Sanchez
committed
*) Replace usage of atol() to parse strings when we might want a
larger-than-long value with apr_atoll(), which returns long long.
This allows HTTPD to deal with larger files correctly.
[Shantonu Sen <ssen@apple.com>]
*) mod_ext_filter: Ignore any content-type parameters when checking if
the response should be filtered. Previously, "intype=text/html"
wouldn't match something like "text/html;charset=8859_1".
[Jeff Trawick]
*) mod_ext_filter: Set up environment variables for external programs.
[Craig Sebenik <craig@netapp.com>]
*) Modified the HTTP_IN filter to immediately append the EOS (end of
stream) bucket for C-L POST bodies, saving a roundtrip and allowing
the caller to determine that no content remains without prefetching
additional POST body. [William Rowe]
*) Get proxy ftp to work over IPv6. [Shoichi Sakane <sakane@kame.net>]
*) Look for OpenSSL libraries in /usr/lib64. [Peter Poeml <poeml@suse.de>]
*) Update SuSE layout. [Peter Poeml <poeml@suse.de>]
*) Changes to the internationalized error documents:
Comment them out in the default config file to make the default
install as simple as possible; Correct the english 500 error to
be more understandable; Add a Swedish translation.
[Thomas Sjogren <thomas@northernsecurity.net>,
Erik Abele <erik@codefaktor.de>, Rich Bowen, Joshua Slive]
*) Increase the limit on file descriptors per process in apachectl.
[Brian Pane]
*) Fix a dependency error when building ApacheMonitor, so that Win32
and MSVC now trust that the project is current (when it is).
[James Cox <imajes@php.net>]
*) mod_ext_filter: don't segfault if content-type is not set. PR 10617.
[Arthur P. Smith <apsmith@aps.org>, Jeff Trawick]
*) APR-Util Renames pending have been completed [Thom May]
*) Performance improvements for the code that reads request
headers (ap_rgetline_core() and related functions) [Brian Pane]
*) Add a new directive: MaxMemFree. MaxMemFree makes it possible
to configure the maximum amount of memory the allocators will
hold on to for reuse. Anything over the MaxMemFree threshold