Project description.

The Apache HTTP Server Project is an effort to develop and maintain an open-source HTTP server for modern operating systems including UNIX and Windows NT.

The goal of this project is to provide a secure, efficient and extensible server that provides HTTP services in sync with the current HTTP standards.

Apache 1.2.1 Changelog
  • SECURITY: Don't serve file system objects unless they are plain files, symlinks, or directories. This prevents local users from using pipes or named sockets to invoke programs for an extremely crude form of CGI. [Dean Gaudet]
  • SECURITY: HeaderName and ReadmeName were settable in .htaccess and could contain "../" allowing a local user to "publish" any file on the system. No slashes are allowed now. [Dean Gaudet]
  • SECURITY: It was possible to violate the symlink Options using mod_dir (headers, readmes, titles), mod_negotiation (type maps), or mod_cern_meta (meta files). [Dean Gaudet]
  • SECURITY: Apache will refuse to run as "User root" unless BIG_SECURITY_HOLE is defined at compile time. [Dean Gaudet]
  • CONFIG: If a symlink pointed to a directory then it would be disallowed if it contained a .htaccess disallowing symlinks. This is contrary to the rule that symlink permissions are tested with the symlink options of the parent directory. [Dean Gaudet] PR#353
  • CONFIG: The LockFile directive can be used to place the serializing lockfile in any location. It previously defaulted to /usr/tmp/htlock. [Somehow it took four of us: Randy Terbush, Jim Jagielski, Dean Gaudet, Marc Slemko]
  • Request processing now retains state of whether or not the request body has been read, so that internal redirects and subrequests will not try to read it twice (and block). [Roy Fielding]
  • Add a placeholder in modules/Makefile to avoid errors with certain makes. [Marc Slemko]
  • QUERY_STRING was unescaped in mod_include, it shouldn't be. [Dean Gaudet] PR#644
  • mod_include was not properly changing the current directory. [Marc Slemko] PR#742
  • Attempt to work around problems with third party libraries that do not handle high numbered descriptors (examples include bind, and solaris libc). On all systems apache attempts to keep all permanent descriptors above 15 (called the low slack line). Solaris users can also benefit from adding -DHIGH_SLACK_LINE=256 to EXTRA_CFLAGS which keeps all non-FILE * descriptors above 255. On all systems this should make supporting large numbers of vhosts with many open log files more feasible. If this causes trouble please report it, you can disable this workaround by adding -DNO_SLACK to EXTRA_CFLAGS. [Dean Gaudet] various PRs
  • Related to the last entry, network sockets are now opened before log files are opened. The only known case where this can cause problems is under Solaris with many virtualhosts and many Listen directives. But using -DHIGH_SLACK_LINE=256 described above will work around this problem. [Dean Gaudet]
  • USE_FLOCK_SERIALIZED_ACCEPT is now default for FreeBSD, A/UX, and SunOS 4.
  • Improved unix error response logging. [Marc Slemko]
  • Update mod_rewrite from 3.0.5 to 3.0.6. New ruleflag QSA=query_string_append. Also fixed a nasty bug in per-dir context: when a URL http://... was used in conjunction with a special redirect flag, e.g. R=permanent, the permanent status was lost. [Ronald Tschalaer, Ralf S. Engelschall]
  • If an object has multiple variants that are otherwise equal Apache would prefer the last listed variant rather than the first. [Paul Sutton] PR#94
  • "make clean" at the top level now removes *.o. [Dean Gaudet] PR#752
  • mod_status dumps core in inetd mode. [Marc Slemko and Roy Fielding] PR#566
  • pregsub had an off-by-1 in its error checking code. [Alexei Kosut]
  • PORT: fix rlim_t problems with AIX 4.2. [Marc Slemko] PR#333
  • PORT: Update UnixWare support for 2.1.2. [Lawrence Rosenman] PR#511
  • PORT: NonStop-UX [Joachim Schmitz] PR#327
  • PORT: Update ConvexOS support for 11.5. [David DeSimone] PR#399
  • PORT: Support for DEC cc compiler under ULTRIX. ["P. Alejandro Lopez-Valencia"] PR#388
  • PORT: Support for Maxion/OS SVR4.2 Real Time Unix. [no name given] PR#383
  • PORT: Workaround for AIX 3.x compiler bug in http_bprintf.c. [Marc Slemko] PR#725
  • PORT: fix problem compiling http_bprintf.c with gcc under SCO [Marc Slemko] PR#695
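
The first SECURITY entry above restricts serving to plain files, symlinks and directories. The following is an added illustration of that kind of file-type check, not code from Apache; the names is_servable and check_fixture are hypothetical, and the fixture (a file, a directory, a symlink and a FIFO in a temporary directory) is constructed for the example.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: 1 only for plain files, symlinks and directories.
 * lstat() reports the object itself; a caller that follows a symlink
 * repeats the check on the target. */
static int is_servable(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return 0; /* cannot stat: refuse to serve */
    return S_ISREG(st.st_mode) || S_ISLNK(st.st_mode) || S_ISDIR(st.st_mode);
}

/* Builds a constructed fixture under /tmp and returns a bitmask of the objects
 * judged servable: 1 = file, 2 = directory, 4 = symlink, 8 = FIFO; -1 on setup error. */
static int check_fixture(void)
{
    char dir[] = "/tmp/servable-XXXXXX";
    const char *names[] = { "file", "dir", "link", "fifo" };
    char p[4][64];
    int i, fd, mask = 0;

    if (mkdtemp(dir) == NULL)
        return -1;
    for (i = 0; i < 4; i++)
        snprintf(p[i], sizeof p[i], "%s/%s", dir, names[i]);
    fd = open(p[0], O_CREAT | O_WRONLY, 0600);
    if (fd < 0) return -1;
    close(fd);
    if (mkdir(p[1], 0700) || symlink(p[0], p[2]) || mkfifo(p[3], 0600))
        return -1;
    for (i = 0; i < 4; i++)
        if (is_servable(p[i]))
            mask |= 1 << i; /* the FIFO (bit 8) must stay clear */
    for (i = 0; i < 4; i++)
        remove(p[i]); /* remove() handles files and the empty directory */
    rmdir(dir);
    return mask;
}

int main(void)
{
    printf("servable mask: %d\n", check_fixture());
    return 0;
}
```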