Project description.

The Apache HTTP Server Project is an effort to develop and maintain an open-source HTTP server for modern operating systems including UNIX and Windows NT.

The goal of this project is to provide a secure, efficient and extensible server that provides HTTP services in sync with the current HTTP standards.

Apache 1.3.27 Changelog
  • SECURITY: CVE-2002-0840: Prevent a cross-site scripting vulnerability in the default error page. The issue could only be exploited if the directive UseCanonicalName is set to Off and a server is being run at a domain that allows wildcard DNS. [Matthew Murphy]
  • SECURITY: CVE-2002-0843: Fix some possible overflows in ab.c that could be exploited by a malicious server. Reported by David Wagner. [Jim Jagielski]
  • Included a patch submitted by Sander van Zoest (#9181) and written by Michael Radwin which is essentially a workaround for adding headers to error responses, as Apache does not go through the proper chain for non-2xx responses. This patch adds an ErrorHeader directive, which is for non-2xx replies the direct analog of the existing Header directive. This is useful during 3xx redirects or more complex 4xx auth schemes. [Dirk-Willem van Gulik]
  • Included the patch submitted by Sander van Zoest (#12712) which prevents just 'anything' being sucked in when gobbling in complete directories, such as editor backup files and other cruft. This patch allows us to tailor/control this properly by allowing simple wildcards such as *.conf. [Dirk-Willem van Gulik]
  • SECURITY: CVE-2002-0839: Add the new directive 'ShmemUIDisUser'. By default, Apache will no longer set the uid/gid of the SysV shared memory scoreboard to User/Group, and it will therefore stay the uid/gid of the parent Apache process. This is actually the way it should be; however, some implementations may still require this, which can be enabled by 'ShmemUIDisUser On'. Reported by iDefense. [Jim Jagielski]
  • Fix a problem with the definition of union semun which broke System V semaphores on systems where sizeof(int) != sizeof(long). PR 12072
  • The protocol version (eg: HTTP/1.1) in the request line parsing is now case insensitive. This closes a few PRs and implies that ProtocolReqCheck will trigger on *true* invalid protocols. [Jim Jagielski]
  • Relaxed mod_digest's parsing in order to make it work with iCal's "WebDAVFS/1.2 (01208000) Darwin/6.0 (Power Macintosh)" User-Agent. Apache (incorrectly) insisted on a quoted URI in the uri field of the Authorization client header. Not yet done for EBCDIC platforms. [Dirk-Willem van Gulik]
  • Back out an older patch for PR 9932, which had some incorrect behavior. Instead, use a backport of the APR fix. This has the nice effect that ap_snprintf() can now distinguish between an output which was truncated, and an output which exactly filled the buffer. [Jim Jagielski]
  • The cache in mod_proxy was incorrectly updating the Content-Length value (to 0) from 304 responses when doing validation. Bugz#10128 [Paul Terry, Jim Jagielski]
  • Added support for Berkeley-DB/4.x to mod_auth_db. [Martin Kraemer]
  • PR 10993: add image/x-icon to default httpd.conf files [Ian Holsman, Peter Bieringer]
  • Fix a problem in proxy where headers from other modules were added to the response headers when this was already done in the core. This resulted in header (and therefore cookie) duplication. [Martijn Schoemaker]
  • Fix FileETags none operation. PR 12202. [Justin Erenkrantz, Andrew Ho]
  • Win32: Fix one byte buffer overflow in ap_get_win32_interpreter when a CGI script's #! line does not contain a \r or \n (i.e. a line feed character) in the first 1023 bytes. The overflow is always a '\0' (string termination) character.
  • Add new "suppress-error-charset" environment variable to allow a BrowserMatch workaround for clients that incorrectly use the charset of a redirect as the charset of the target. [Ken Coar]
  • Support Caldera OpenUNIX 8. [Larry Rosenman]
  • Use SysV semaphores by default on OpenBSD. [Henning Brauer]
  • httpd -V will now also print out the compile time defined HARD_SERVER_LIMIT value. [Dirk-Willem van Gulik]
  • In 1.3.26, a null or all blank Content-Length field would be triggered as an error; previous versions would silently ignore this and assume 0. As a special case, we now allow this and behave as we previously did. HOWEVER, previous versions would also silently accept bogus C-L values; We do NOT do that. That *is* an invalid value and we treat it as such. [Jim Jagielski]
  • Add ProtocolReqCheck directive, which determines if Apache will check for a valid protocol string in the request (eg: HTTP/1.1) and return HTTP_BAD_REQUEST if not valid. Versions of Apache prior to 1.3.26 would silently ignore bad protocol strings, but 1.3.26 included a more strict check. This makes it runtime configurable. The default is On. This also removes the requirement on an ANSI sscanf() implementation. [Jim Jagielski]
  • NetWare: implemented file locking in mod_rewrite for the NetWare CLib platform. This fixes a bug that prevented rewrite logging from working. [Brad Nicholes]
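The two request-parsing rules described in the entries above, the ProtocolReqCheck protocol-string check (case-insensitive since this release) and the Content-Length rule (null or all-blank value treated as 0, anything else that is not a plain number rejected rather than silently accepted), modelled in Python as an added example. This is not Apache's code: BadRequest, parse_request_line, parse_content_length, validate_request_head and the sample requests are all constructed here, and the HTTP/1.0 fallback used when ProtocolReqCheck is Off is an assumption of the model, not documented server behaviour.

```python
import re

# Added example, not Apache source: a minimal model of two request-parsing
# rules from the 1.3.27 changelog, the ProtocolReqCheck protocol-string check
# (now case-insensitive) and the Content-Length rule (null/blank -> 0,
# bogus value -> error).

PROTOCOL_RE = re.compile(r"^HTTP/([0-9]+)\.([0-9]+)$", re.IGNORECASE)
DIGITS_RE = re.compile(r"^[0-9]+$")  # ASCII digits only; str.isdigit() would also accept Unicode digits


class BadRequest(ValueError):
    """Raised where the server would answer HTTP_BAD_REQUEST (400)."""


def parse_request_line(line, protocol_req_check=True):
    """Split 'METHOD URI PROTOCOL' and validate PROTOCOL.

    protocol_req_check mirrors the ProtocolReqCheck directive (default On).
    With it Off, an unrecognised protocol token is accepted instead of
    rejected; the HTTP/1.0 fallback here is an assumption of this model.
    """
    parts = line.split()
    if len(parts) != 3:
        raise BadRequest("malformed request line: %r" % line)
    method, uri, proto = parts
    if PROTOCOL_RE.match(proto):
        return method, uri, proto.upper()  # 'http/1.1' is accepted as HTTP/1.1
    if protocol_req_check:
        raise BadRequest("invalid protocol string: %r" % proto)
    return method, uri, "HTTP/1.0"


def parse_content_length(value):
    """Apply the 1.3.27 Content-Length rule.

    An absent, empty or all-blank value is treated as 0 (the pre-1.3.26
    behaviour, kept as a special case); anything that is not a plain
    unsigned integer (sign, letters, embedded spaces) is an error, not 0.
    """
    if value is None or value.strip() == "":
        return 0
    v = value.strip()
    if not DIGITS_RE.match(v):
        raise BadRequest("bogus Content-Length: %r" % value)
    return int(v)


def validate_request_head(raw, protocol_req_check=True):
    """Parse a raw request head; return (status, details), status 200 or 400."""
    lines = raw.split("\r\n")
    try:
        method, uri, proto = parse_request_line(lines[0], protocol_req_check)
        content_length = None
        for header in lines[1:]:
            if not header:          # blank line ends the header block
                break
            name, _, val = header.partition(":")
            if name.strip().lower() == "content-length":
                content_length = val
        return 200, {"method": method, "uri": uri, "protocol": proto,
                     "content_length": parse_content_length(content_length)}
    except BadRequest as exc:
        return 400, {"error": str(exc)}


# Constructed sample requests (not captured traffic).
SAMPLES = [
    "GET / http/1.1\r\nHost: example.test\r\n\r\n",                          # lowercase protocol: accepted
    "POST /x HTTP/1.1\r\nHost: example.test\r\nContent-Length: \r\n\r\n",     # blank C-L: treated as 0
    "POST /x HTTP/1.1\r\nHost: example.test\r\nContent-Length: 12abc\r\n\r\n",  # bogus C-L: 400
    "GET / HTTPX/1.1\r\nHost: example.test\r\n\r\n",                         # bad protocol: 400
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(validate_request_head(raw))
```

The point of rejecting a bogus Content-Length instead of reading it as 0 is that every hop on the path (client, proxy, origin) has to agree on where the body ends; a lenient parser that quietly picks 0 while its neighbour parses the digits it can find is how the two can disagree about the request boundary.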