Project description.

The Apache HTTP Server Project is an effort to develop and maintain an open-source HTTP server for modern operating systems including UNIX and Windows NT.

The goal of this project is to provide a secure, efficient and extensible server that provides HTTP services in sync with the current HTTP standards.

Apache 1.3.21 Changelog
  • Enable mod_mime_magic (experimental) for Win32. [William Rowe]
  • Use an installed Expat library rather than the bundled Expat. This fixes a problem where multiple copies of Expat could be loaded into the process space, thus conflicting and causing strange segfaults. Most notably with mod_perl and XML::Parsers::Expat. [Greg Stein]
  • Handle user modification of WinNT/2K service display names. Prior versions of Apache only accepted identical internal and display names (where internal service names were space-stripped.) [William Rowe]
  • Introduce Win32 -W option for -k install/config to set up service dependencies on the workstation, snmp and other services that given modules or configurations might depend upon. [William Rowe]
  • Update the mime.types file to map video/vnd.mpegurl to mxu and add commonly used audio/x-mpegurl for m3u extensions. [Heiko Recktenwald, Lars Eilebrecht]
  • Modified mod_mime and mod_negotiation to prevent mod_negotiation from serving any multiview variant containing one or more 'unknown' filename extensions. In PR #8130, mod_negotiation was incorrectly serving index.html.zh.Big5 when better variants were available. The httpd.conf file on the failing server did not have an AddLanguage directive for .zh, which caused mod_mime to lose the file_type information it gleaned from parsing the .html extension. The absence of any language preferences, either in the browser or configured on the server, caused mod_negotiation to consider all the variants equivalent. When that occurs, mod_negotiation picks the 'smallest' variant available, which just happened to be index.html.zh.Big5. [Bill Stoddard, Bill Rowe] PR #8130
  • SECURITY: CVE-2001-0731 (cve.mitre.org) Close autoindex /?M=D directory listing hole reported in bugtraq id 3009. In some configurations where multiviews and indexes are enabled for a directory, requesting URI /?M=D could result in a directory listing being returned to the client rather than the negotiated index.html variant that was configured and expected. The workaround for this problem (for pre 1.3.21 releases) is to disable Indexes or Multiviews in the affected directories. [Bill Stoddard, Bill Rowe]
  • Enabled Win32/OS2/Netware file paths (not / rooted, but c:/ rooted) as arguments for mod_vhost_alias's directives. [William Rowe]
  • Changes for Win32 to assure mod_unique_id's UNIQUE_ID strings really are unique between threads. [William Rowe]
  • mod_proxy - fix for Pragma: nocache (HTTP/1.0 only) [Kim Bisgaard] PR #5668
  • PORT: Some Cygwin changes, esp. improvements for dynamic loading, and cleanups. [Stipe Tolj]
  • Win32 SECURITY: CVE-2001-0729 (cve.mitre.org) The default installation could lead to mod_negotiation and mod_dir/mod_autoindex displaying a directory listing instead of the index.html.* files, if a very long path was created artificially by using many slashes. Now a 403 FORBIDDEN is returned. This problem was similar to and in the same area as the problem reported and fixed by Martin Kraemer in 1.3.18, only the scope is much narrower and is specific to Windows. [Bill Stoddard]
  • Update the mime.types file to the registered media types as of 2001-09-25, and add xsl, so, dll extensions [Mark Cox]
  • Resolved the build failure on Win32 using MSVC 5.0 (without the current SDK.) PRs 7790, 7948. [William Rowe]
  • mod_proxy - fix reverse proxy cookie passthrough [Brian Eidelman] PR#6055
  • mod_proxy - fix CacheForceCompletion directive [Alexey Panchenko] PR#8090
  • mod_proxy - close origin server connection when client aborts [Alexey Panchenko] PR#8067,7383,6585
  • ErrorDocument 404 pointing to a parsed html file with a request URI containing %2f would result in a segfault (NULL pointer deref, not a security problem). [Jeff Moe, Dean Gaudet] PR#8362
  • UnsetEnv from main body of httpd.conf file didn't work; backport of bugfix from 2.0 codebase. [Gary Benson] PR#8254
  • Win32 - add mod_unique_id.so and mod_vhost_alias.so to the build. [William Rowe]
  • Enhancement of mod_auth to handle 'Require file-owner' and 'Require file-group'. This allows access IFF the authenticated username (from the appropriate AuthUserFile database) matches the username of the UID that owns the document (and equivalent checking for file GID and user's membership in AuthGroupFile). See the mod_auth documentation for examples. (Not supported on Windows.) [Ken Coar]
  • Addition of the AcceptMutex runtime directive. The accept mutex method is now runtime controllable. The suite of available methods per platform is defined at compile time (with HAVE_FOO_SERIALIZED_ACCEPT noting that the method is available and works, and USE_FOO_SERIALIZED_ACCEPT noting that it should be the default method in absence of any AcceptMutex line, or via AcceptMutex default) and selectable at runtime. The full (current) suite is uslock, pthread, sysvsem, fcntl, flock, os2sem, tpfcore and none, but not all platforms accept all methods. [Jim Jagielski]
  • Parallel to a change in Apache-2.0, the manual directory was moved out of the DocumentRoot tree to simplify the separation of private content & configuration from server's on-line documentation. An "Alias /manual/ ..." projects the manual/ directory (which resides now side-by-side with the icons/ directory) into the logical DocumentRoot. Note that a request to http://server/manual (without the trailing slash) will now behave differently than before (it used to redirect to http://server/manual/ but no longer does). [Martin Kraemer]
  • Fixed ap_os_canonical_filename() so that it wouldn't try to canonicalize an invalid file name. Also fixed ap_os_is_path_absolute() so that it wouldn't recognize names such as proxy:http://blah as a NetWare volume:pathname. Both of these fixes were necessary to fix mod_proxy problems on NetWare. [Brad Nicholes]
  • Fix a storage leak (a strdup() call) in mod_mime_magic. [Jeff Trawick]
  • We have always used the obsolete/deprecated Netscape syntax for our tracking cookies; now the CookieStyle directive allows the Webmaster to choose the Netscape, RFC2109, or RFC2965 format. The new CookieDomain directive allows the setting of the cookie's Domain= attribute, too. PR #s 5006, 5023, 5920, 6140 [Ken Coar]
  • The Win32 Makefile.win build script failed if INSTDIR="c:\path\with spaces" was given, this is now fixed. PR 8184 [Jack Tan]
  • EBCDIC: The proxy, when used in a proxy chain, "forgot" to convert the "CONNECT host:port HTTP/1.0" request line to ASCII before contacting the next proxy, and was thus unusable for SSL proxying. [Martin Kraemer]
  • SECURITY: CVE-2001-0730 (cve.mitre.org) Make support/split-logfile use the default log file if "/" or "\" are present in the virtual host name. This prevents the possible use of specially crafted virtual host names in some configurations to allow writing to any .log file on the system. [Daniel Matuschek, Marc Slemko] PR#7848
  • Added a directive: "AcceptFilter ". To control BSD accept filters when at compile time SO_ACCEPT_FILTER is detected. The default is still 'on' except when, at compile time, AP_ACCEPT_FILTER_OFF is defined. Also downgraded the fatal exit to a warning when the associated setsockopt(2) fails for any reason but for ENOPROTOOPT. The latter - which implies that the kernel does not support the filters - now rates only an info level message. All in all this should make it easier to move httpd binaries and config files across BSD machines with varying acceptfilter support. [Dirk-Willem van Gulik]
  • Fix the container to *really* deny all access. Without the Satisfy All, .ht* files could still be fetched if they were within the scope of a Satisfy Any directive. [Ken Coar]
  • Print a warning when an attempt is made to use line-end comments. Apparently they are not detected/handled gracefully by all directives. [Martin Kraemer]
  • (TPF only) Take advantage of improvements to select(), fork(), and exec() in the TPF operating system. [David McCreedy]
  • (Cygwin only) Fix problems with signals sent to child processes; Improve auto-configuration for Cygwin. [Stipe Tolj]
  • Added Mod_Vhost_Alias to the project file so that it builds as an external module (VHOST.NLM). [Brad Nicholes]
  • Fix problem with lingering_close() on Windows. Issuing read() on the socket descriptor on Windows always fails. Should be calling recv() instead of read() on Windows. [Bill Stoddard, Bill Rowe]
  • Added an abnormal exit clean up routine to make sure that ApacheC NLM is always unloaded cleanly. This fixes the "Ouch! out of memory" problem when restarting Apache for NetWare after an abnormal exit due to configuration errors. [Brad Nicholes]
  • Change the compile switches for ReliantUNIX SVR4 not to use SYSV semaphores, because upon reaching the system limit of semaphores, the whole server exits (not just one child). Apache could be improved to use NO_SEM_UNDO flag (see test/time-sem.c) which is currently implemented only in the time-sem program, but not in apache. Until then, revert to using fcntl() locks. [Martin Kraemer]
  • Changes to 'ab': fixed int overruns, added statistics, output in csv/gnuplot format, rudimentary SSL support and various other tweaks to make results more true to what is measured. The upshot of this is that it turns out 'ab' has often underreported the true performance of apache. Often by an order of magnitude :-) See talk/paper of Sander Temme at April ApacheCon 2001 for details. [Dirk-Willem van Gulik]
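
The CVE-2001-0730 entry above says support/split-logfile now falls back to the default log file when "/" or "\" appears in the virtual host name. The block below is an added example, not the project's Perl script: a Python sketch of that rule applied to constructed log lines. The names log_name_for, split_log and DEFAULT_NAME are hypothetical, and the realpath containment check is a defence-in-depth step that goes beyond what the changelog describes.

```python
import os
import tempfile

DEFAULT_NAME = "access"  # assumed fallback name, giving access.log

def log_name_for(vhost):
    """Map the logged vhost field to a log file name (the 1.3.21 rule)."""
    name = vhost.lower()
    # A "/" or "\" means the field must not be used as a file name.
    if not name or "/" in name or "\\" in name:
        name = DEFAULT_NAME
    return name + ".log"

def split_log(lines, outdir):
    """Append each record to outdir/<vhost>.log; return {file: line count}."""
    root = os.path.realpath(outdir)
    counts = {}
    for line in lines:
        fields = line.split(None, 1)
        if not fields:
            continue  # skip blank lines
        rest = fields[1] if len(fields) > 1 else "\n"
        fname = log_name_for(fields[0])
        path = os.path.realpath(os.path.join(root, fname))
        # Defence in depth (not in the changelog): the resolved path
        # must sit directly inside outdir, e.g. no symlink escapes.
        if os.path.dirname(path) != root:
            fname = DEFAULT_NAME + ".log"
            path = os.path.join(root, fname)
        with open(path, "a") as fh:
            fh.write(rest)
        counts[fname] = counts.get(fname, 0) + 1
    return counts

# Constructed sample input: vhost name first, then the request record.
SAMPLE = [
    'www.example.com 192.0.2.1 - - [01/Oct/2001:10:00:00 +0000] "GET / HTTP/1.0" 200 512\n',
    'WWW.Example.COM 192.0.2.2 - - [01/Oct/2001:10:00:01 +0000] "GET /a HTTP/1.0" 200 100\n',
    '../../tmp/other 192.0.2.3 - - [01/Oct/2001:10:00:02 +0000] "GET / HTTP/1.0" 200 512\n',
    '..\\..\\other 192.0.2.4 - - [01/Oct/2001:10:00:03 +0000] "GET / HTTP/1.0" 200 512\n',
]

def demo():
    """Split SAMPLE into a temporary directory; return counts and files."""
    with tempfile.TemporaryDirectory() as d:
        counts = split_log(SAMPLE, d)
        return counts, sorted(os.listdir(d))

if __name__ == "__main__":
    print(demo())
```

Both records with path separators in the vhost field end up in access.log inside the output directory, and nothing is created outside it.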