Apache

1.3.13 [not released]

Project description.

The Apache HTTP Server Project is an effort to develop and maintain an open-source HTTP server for modern operating systems including UNIX and Windows NT.

The goal of this project is to provide a secure, efficient and extensible server that provides HTTP services in sync with the current HTTP standards.

Apache 1.3.13 [not released] Changelog
  • NOTE: A number of Win32 symbols were exported without explicit declaration in the ApacheCore.def file. These are now exported with the same ordinal export values from 1.3.12, but are now named consistently with Apache's conventions. [William Rowe]
  • Add support for a "conf directory" which operates similarly to /etc/rc.d/init. Basically, if a config file is actually a directory, all the files in that directory will be parsed as conf files. PR #6397 [Jim Jagielski, Lionel Clark]
  • Initial support added for mod_proxy under MPE/iX. [Mark Bixby]
  • Refined UID/GID management and permissions on MPE/iX to deal with some limitations. [Mark Bixby]
  • Updated the MPE DSO code to be compatible with an OS patch that fixed an earlier DSO problem, #include tweakage required for using apxs to build modules without access to the full source tree, and other minor MPE tweaks. [Mark Bixby]
  • SECURITY: Tighten up the syntax checking of Host: headers to fix a security bug in some mass virtual hosting configurations that can allow a remote attacker to retrieve some files on the system that should be inaccessible. [Tony Finch]
  • Add support for /, //, //servername and //server/sharename parsing of blocks under Win32 and OS2. [Tim Costello, William Rowe, Brian Havard]
  • Expand dbmmanage to allow -d -m -s -p options for Crypt, MD5, SHA1 and plaintext password encodings. Make feature tests a bit more flexible. [William Rowe]
  • SECURITY: CVE-2000-0913 (cve.mitre.org) Fix a security problem that affects some configurations of mod_rewrite. If the result of a RewriteRule is a filename that contains expansion specifiers, especially regexp backreferences $0..$9 and %0..%9, then it may have been possible for an attacker to access any file on the web server. [Tony Finch]
  • Add mod_auth_dbm (sdbm flavor) binary build for Win32. [William Rowe]
  • Overhaul of dbmmanage to allow a groups arg (as in Apache 1.2) as well as a comment arg to the add, adduser and update cmds. update allows the user to clear or preserve pw/groups/comment. Fixed a bug in dbmmanage that prevented the check option from parsing a password followed by :group... text. Corrected the seed calculation for Win32 systems, and added -lsdbm support. [William Rowe]
  • Radical surgery to improve mod_isapi support under Win32. Includes a number of newer ServerSupportFunction calls, support for ReadClient (in order to retrieve POSTs greater than 48KB), and general bug fixes to more reliably load ISAPI .dll's and prevent leaking handle resources. Note: There are still discrepancies between IIS's and Apache's ServerVariables, and async calls are still not supported. Additional warnings are logged to facilitate debugging of unsupported ISAPI calls. [William Rowe]
  • Update Configure script to allow building Apache on IBM's IA64 version of AIX. [Paul Reder]
  • NameVirtualHost can now take "*" as an argument instead of an IP address. This allows you to create a purely name-based virtual hosting server that does not have any IP addresses in the configuration file and which ignores the local address of any connections. PR #5595, PR #4455 [Tony Finch]
  • Fix processing/merging of Remove* MIME directives. PR #5597 [Sander van Zoest]
  • Fix merging of AddDefaultCharset directive. PR #5872 [Jun Kuriyama]
  • Win32: Work around bug in Win32 select on network reads. Select can indicate a socket has data to read, but the subsequent read can return WSAEWOULDBLOCK. This problem has been observed when running with SSL enabled Apache, specifically, browsers sometimes cannot complete the SSL handshake when an SGC certificate is used, receiving a network error message. [Richard Scholz]
  • Use "accept filtering" on recent versions of FreeBSD iff the kernel is configured to support them. This allows Apache to avoid having to handle new connections until the request has arrived. [Tony Finch]
  • Fix error handling in make_sock. [Tony Finch]
  • The htdocs/ tree has been moved out of the CVS source tree into a separate area for easier development. This has NO EFFECT on end-users or Apache installations. [Ken Coar]
  • Fix problem matching Configure guessos on HP-UX 10. [Victor J. Orlikowski] PR#6015
  • Correct the problem where the only local host name that the IP stack can discover are 'undotted' private names. If no fully qualified domain name can be identified, the default ServerName will be set to the machine's IP address string. A warning is provided if Apache has to assume the IP dotted address string or the localhost/loopback address as the ServerName. The default ServerName is removed from the default Win32 httpd.conf file. [William Rowe]
  • Add new directives RemoveType and RemoveEncoding to accompany the RemoveHandler directive added in 1.3.4. AddType, AddEncoding, and AddHandler now all have corresponding 'undo' directives. This allows things like marking foo.tar.gz.asc as *not* being gzipped, so it will be correctly interpreted as an unzipped signature of a gzipped file. [Ken Coar]
  • Win32 NT and 2000 services now capture stderr messages that occur before Apache's logs are opened to the Application Event Log. Console and Win9x services now hold the console open for 30 seconds (and may be dismissed with the key) if they exit with an error. [William Rowe]
  • Expand Win32 protection for pathname length, to provide protection from future potential bugs such as that which caused directory index to be displayed rather than returning an error. [William Rowe, Allan Edwards]
  • USE_SYSVSEM_SERIALIZED_ACCEPT locking on OS/390 [Ovies Brabson]
  • Change the Win32 isProcessService() routine to compensate for other helper apps that invoke Apache.exe without a console. Recognize that we are running NT, and use the STARTF_FORCEOFFFEEDBACK flag to be sure that the SCM has invoked the process. [William Rowe, Jim Patterson, Kevin Kiley]
  • Export from Win32 the ap_start_shutdown and ap_start_restart symbols for modules and executables dynamically linked to the core. [William Rowe; Jim Patterson]
  • SECURITY: CVE-2000-1204 (cve.mitre.org) Prevent the source code for CGIs from being revealed when using mod_vhost_alias and the CGI directory is under the document root and a user makes a request like http://www.example.com//cgi-bin/cgi as reported in [Tony Finch]
  • Under Win32, the console input mode is fixed to ignore mouse events and always listen for a Ctrl+C interrupt, even if the console window defaults to another mode. [William Rowe]
  • All Win32 services will now perform a graceful restart when given the -n servicename -k restart signal. No equivalent control exists in the service control panel applet or through the NET command. There is no useful acknowledgement on Windows 95/98, however. [William Rowe]
  • Significant overhaul of the Win32 port documentation contained in the README-WIN.TXT, as well as the htdocs/manual pages windows.html, win_compiling.html, and the new win_service.html. [Andrew Braund, William Rowe]
  • Add 'services' for Windows 95 and 98, including install/uninstall options. The Apache server therefore can start when the OS loads, and will not stop between logoffs. This implementation remains -HIGHLY EXPERIMENTAL-. Additional changes provide for clean shutdown of Win95/98 when Apache is running as a 'service' or a console. [William Rowe, Jan Just Keijser]
  • USE_PTHREAD_SERIALIZED_ACCEPT on AIX 4.3 and above. This change provides a substantial performance improvement on multi-CPU machines serving large numbers of concurrent clients. [Victor J. Orlikowski]
  • Brought httpd.conf-dist-win into sync with httpd.conf-dist, and added explicit documentation of many Win32 specific features. [William Rowe]
  • Convert Win32 build files (.dsp) to MSVC 6.0 format, and add perl scripts cvstodsp5.pl and dsp5tocvs.pl for portability to version 5.0. [William Rowe]
  • Fix mod_expires to merge its settings for Cache-Control into any existing value for the field. It was unconditionally setting it, wiping out anything from, say, a 'Header Append Cache-Control'. [Ken Coar] PR#5769
  • Add Win32 option -k stop as an alias of -k shutdown, to correspond to the NET START/NET STOP syntax. [William Rowe]
  • Force Apache to test the Win32 config prior to any operation, except the [-k shutdown -n service] and [-u -n service] combinations. [William Rowe]
  • Add Win32 Ctrl+C/Ctrl+Break/Close/Logoff/Shutdown handler. [William Rowe, Jan Just Keijser]
  • Expand mod_setenvif so its directives can be used in and containers, and in .htaccess files when FileInfo overriding is allowed. [Ken Coar] PR#3000
  • SECURITY: CVE-2000-0505 (cve.mitre.org) Fix Win32 bug when pathname length exactly equals MAX_PATH. This bug caused directory index to be displayed rather than returning an error. [Allan Edwards]
  • Correct mod_proxy Win95 dynamic link __declspec(thread) bug. David Whitmarsh PR: 1462, 2216, 3645
  • Changed Apache for NetWare build to link with XDC data which marks the NLMs as being able to run on any processor. [Mike Gardiner]
  • Ported expat-lite to NetWare and integrated project files into the ApacheNW.mcp. [Mike Gardiner]
  • Switched thread storage data mechanism on NetWare to use updated system calls. [Mike Gardiner]
  • Fixed problem with multilanguage support that prevented Apache on NetWare from displaying the correct language page. [Mike Gardiner]
  • Fixed memory leaks on NetWare port. When unloading Apache with the developer option turned on NetWare would spew messages complaining about unreleased resources. [Mike Gardiner]
  • Fixed a problem that prevented Apache on NetWare from shutting down correctly when loading multiple instances in individual address spaces. [Mike Gardiner]
  • Changed threading primitives to use faster more scalable calls. [Mike Gardiner]
  • Added -s option for NetWare port to allow Apache to run without a screen. [Mike Gardiner]
  • Added code for NetWare port to display the listening ports and loaded DSO modules to the console screen. [Mike Gardiner]
  • Removed ugly NetWare specific code from the modules and added libpre.c and libprews.c instead. These files implement the NLM startup code for shared NLMs (DSOs). The result of using these files is less obtrusive code, faster load times, and a smaller executable size. libprews.c contains WSAStartup and WSACleanup WinSock calls needed for initialization and termination of DSO modules. [Mike Gardiner]
  • Moved htpasswd and htdigest projects files for NetWare into the main ApacheNW.mcp project file. [Mike Gardiner]
  • Added mod_tls (SSL/TLS) module for NetWare SSL/TLS support. [Mike Gardiner]
  • Updated httpd.conf-dist-nw with directives around standard DSO modules. [Mike Gardiner]
  • Correct mod_proxy Win32 garbage collection bug (clean failing due to stat() against directory). PR: 1891, 3278, 3640, 4139, 5997 [Michael Friedel]
  • Add '-n' option to htpasswd to make it print its user:pw record on stdout rather than having to frob a text file. [Ken Coar]
  • Set default ServerName setting to 127.0.0.1 for the Windows config file (httpd.conf-dist-win) PR: 5509, 5783, 5953, 5903, 5983, 5259, 5515, 5858 [Oliver Wendemuth]
  • [EBCDIC] Update mod_mmap_static so that an ebcdic box can use MMapFile for files that shouldn't be converted from ebcdic->ascii. [Greg Ames]
  • Revamp the Win32 make environment. Apache.dsw created to bring together all the pieces. Create new file os/win32/BaseAddr.ref to define module base addresses (to prevent dll relocation at start-up). Extraneous compiler files were removed (precompiled headers, incremental link images), and .map files were added for consistent diagnostics of gpfaults of the binary release. [William Rowe, Greg Marr, Tim Costello, Bill Stoddard]
  • Resolved Win32 mod_info (ApacheModuleInfo.dll) errors. PR1442, PR2472, PR4125, PR1643 and PR2208 Jim Patterson, Jan Just Keijser
  • Add some more error reporting to htpasswd in the case of problems generating or accessing the temporary file. Also, pass in a buffer if the implementation knows how to use it (i.e., if L_tmpnam is defined). [Ken Coar] PR#3945, 5253, 5383, 5558
  • PORT: Add recognition of the GNU/Hurd platform. [Adam Farrell]
  • More FAQs and answers from comp.infosystems.www.servers.unix. [Joshua Slive]
  • Win32: Add dependency checking to the CreateService call to ensure TCPIP and AFP (winsock) are started before Apache. [William Rowe]
  • FAQ changes related to tidying up historical documents on the web site. [Joshua Slive]
  • Various fixes to mod_auth_digest:
      - Reworked MD5-sess stuff. The semantics of userpw_hash() have been changed for it to return MD5(MD5(username ":" realm ":" password) ":" nonce ":" cnonce) instead of just MD5(username ":" realm ":" password) because one of the points of MD5-sess is to allow the info to be retrieved from login servers so that the server itself never has the full auth info (after all, MD5(u/r/p) is equivalent to the password for auth purposes).
      - In order to allow for servers to share a realm the server-name and port have been removed from the nonce-hash. Even so, sharing the realm has problems - see the new comments at the beginning.
      - Fixed uri-comparison when request-uri isn't identical to uri in Authorization header (some fields were not being initialized).
      - Handle non-FQDN's (i.e. simple hostnames) in uri parameter in the Authorization header. Thanks to Joe Orton for pointing out the problem.
    [Ronald Tschalär]
  • Add case_preserved_filename field to the request_rec structure. On systems with case insensitive file systems (Windows, OS/2, etc.), r->filename is case canonicalized (folded to either lower or upper case, depending on the specific system) to accommodate file access checking. case_preserved_filename is the same as r->filename except case is preserved. There is at least one instance where Apache needs access to the case preserved filename: Java class files published with WebDAV need to preserve filename case to make the Java compiler happy. [Bill Stoddard]
  • Put in Korean and Norwegian index.html pages (2.0 and 1.3) which were donated by Lee Kuk Hyun and Lorant Czaran [dirkx].
  • Modules which load third-party DLLs (ala mod_dav) expect them to be in the path or cwd. Tweak the service startup code to not only change to correct drive but also correct directory. [Keith Wannamaker]
  • WinNT: Do a better job at handling spaces in service names. Add the util function ap_remove_spaces and export it on all platforms. Change some Win32 service and registry functions to make use of this new function. [Keith Wannamaker]
  • use send/recv instead of write/read in proxy_connect -- fixes https through proxy on NT. [] PR 5963, 5899, 5823, 5107, 4990?, 4885, 4680, 4468, 3801, 2014
  • [EBCDIC] Make chunked encoding work again; it was broken by the recent CRLF macro changes. An oversight. [Martin Kraemer]
  • Work around a popular restriction of some sed(1)'s in APACI where "1,//" commands start searching for at line 2 only. [Ralf S. Engelschall]
  • Merged in a small subset of SGI's latest `10x' patchkit for Apache 1.3.11. The extracted and merged in parts are entirely cleanup and non-performance related changes only. SGI's remaining changes are not taken over, because they are either cluttering the Apache 1.3 sources too much (e.g. the lint(1) related changes) or cause too much internal changes (e.g. the ap_int32 types, etc.) which are not reasonable to do any longer for Apache 1.3 (they should be done for Apache 2.0 instead). [Mike Abbott, Ralf S. Engelschall]
  • Fixes to mod_proxy for BeOS support. [David Reid]
  • Fix return value calculation in APXS' error messages. This should avoid the confusion on APXS errors. [Ralf S. Engelschall]
  • Make ApacheBench (ab) compile again stand-alone under -DNO_APACHE_INCLUDES. [Ralf S. Engelschall]
  • The ServerTokens directive now accepts the 'ProductOnly' keyword, which results in the display of just 'Apache' with no version information. Additional product tokens are still only visible with ServerTokens Full. In addition, ServerTokens now complains about bogus keywords (which it used to silently treat as 'Full'). [Ken Coar]
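
The MD5-sess change described in the mod_auth_digest entry above, worked through in Python as an added example (not Apache's code): a login server keeps the password-equivalent MD5(username ":" realm ":" password) and hands the web server only the per-session hash, which is enough to verify one session's responses. Function names and sample credentials are constructed for illustration; the hex encoding of the inner hash and the qop=auth response formula from RFC 2617 are assumptions the changelog does not spell out.

```python
import hashlib
import hmac


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def base_hash(username, realm, password):
    # MD5(username ":" realm ":" password): password-equivalent, kept on the login server.
    return md5_hex(f"{username}:{realm}:{password}")


def session_hash(base, nonce, cnonce):
    # MD5-sess value named in the changelog: MD5(base ":" nonce ":" cnonce).
    # Assumption: the inner hash enters the outer one in its hex form.
    return md5_hex(f"{base}:{nonce}:{cnonce}")


def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    # RFC 2617 request-digest for qop=auth, from whichever HA1 is in use.
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def web_server_verify(sess_ha1, response, method, uri, nonce, nc, cnonce):
    # The web server checks a response while holding only the session hash.
    expected = digest_response(sess_ha1, method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(expected, response)


def demo():
    # Constructed sample credentials and nonces, not taken from the changelog.
    user, realm, pw = "alice", "example-realm", "correct horse"
    cnonce, nc = "cli-nonce-abcd", "00000001"
    base = base_hash(user, realm, pw)

    def client_answer(nonce):
        # The client derives the session hash from the password for this nonce.
        ha1 = session_hash(base, nonce, cnonce)
        return digest_response(ha1, "GET", "/private/", nonce, nc, cnonce)

    # The login server hands out a hash bound to the first nonce only.
    handed_out = session_hash(base, "srv-nonce-0001", cnonce)
    same = web_server_verify(handed_out, client_answer("srv-nonce-0001"),
                             "GET", "/private/", "srv-nonce-0001", nc, cnonce)
    # Under a fresh nonce the old session hash no longer verifies anything.
    fresh = web_server_verify(handed_out, client_answer("srv-nonce-0002"),
                              "GET", "/private/", "srv-nonce-0002", nc, cnonce)
    return same, fresh
```

demo() returns (True, False): the handed-out value verifies the session it was issued for and nothing under a later nonce, whereas the base hash would verify every session in the realm.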