Apache

1.3.5 [not released]

Project description.

The Apache HTTP Server Project is an effort to develop and maintain an open-source HTTP server for modern operating systems including UNIX and Windows NT.

The goal of this project is to provide a secure, efficient and extensible server that provides HTTP services in sync with the current HTTP standards.

Apache 1.3.5 [not released] Changelog
  • M_INVALID needed a value within the scope of METHODS so that unknown methods can be access controlled. [Roy Fielding] PR#3821
  • Added PassAllEnv; makes server's entire environment available to CGIs and SSIs executed within directive's scope. [Ken Coar]
  • ap_uuencode() always added two trailing '='s and encoding of 8 bit characters on a machine with signed char may have produced incorrect results. Additionally ap_uuencode() should now work correctly on EBCDIC platforms. [Ronald Tschalär] PR#3411
  • WIN32: Binary installer now runs the configuration DLL before the reboot prompt (which is only given if MSVCRT.DLL system DLL is new or updated). This should avoid the configuration directory being empty after installation. [Paul Sutton] PR#3767, 3800, 3827, 3850, 3900, 3953, 3988
  • WIN32: Binary installer now creates Start menu options to start and stop Apache as a console application and to uninstall the Apache service on NT. [Paul Sutton] PR#3741
  • WIN32: Apache.exe now contains an icon. [Paul Sutton]
  • PORT: Switch back to using fcntl() locking on Linux -- instabilities have been reported with flock() locking (probably related to kernel version). [Dean Gaudet] PR#2723, 3531
  • Using APACI, the main config file (usually httpd.conf) was not being adjusted as $(TARGET).conf. [Wilfredo Sanchez]
  • PORT: AIX does not require the SHARED_CODE "hack" [Ryan Bloom]
  • Set-Cookie headers were being doubled up for some CGIs by the O(n^2) avoidance code added in 1.3.3. [Dean Gaudet, Jeff Lewis] PR#3872
  • ap_isxdigit was somehow neglected when adding the ap_isfoo() macros for 8-bit safeness. [Dean Gaudet]
  • PORT: Use -fPIC instead of -fpic on Solaris and SunOS for compiling DSOs because SPARCs have a small machine-specific maximum size for the Global Offset Table which is often exceeded when compiling one of the larger third-party modules with Apache. [Peter Urban] PR#3977
  • Move the directive `ExtendedStatus' in httpd.conf-dist-win _after_ the DSO/DLL section because it's a directive from mod_status and isn't available before the DLL of mod_status is loaded. [Martin POESCHL] PR#3936
  • SECURITY: Fix a bug in the calculation of the buffer size for the line continuation facility in Apache's configuration files which could lead to a buffer overflow situation. [Thomas Devanneaux] PR#3617
  • Make documentation and error messages of APACI's --activate-module=FILE option more clear. [Jan Wolter] PR#3995
  • Fix the gcc version check (for enabling the `inline' facility) to really support all future gcc versions >= 2.7 until we know more. [John Tobey] PR#3983
  • Let APACI's configure script correctly complain for unknown --enable-XXX and --disable-XXX options. [Ralf S. Engelschall] PR#3958
  • Link the shared core bootstrap program (``Rule SHARED_CORE=yes'') also against libap.a and use its ap_snprintf() instead of sprintf() to avoid possible buffer overflows. [Ralf S. Engelschall]
  • Remove no longer used non-API function ap_single_module_init(). [Ralf S. Engelschall]
  • Add Apple's Mac OS X Server Layout "Rhapsody" to config.layout. [Wilfredo Sanchez]
  • Add cgidir, htdocsdir, iconsdir variables to Makefile.tmpl in order to make platform installations easier. [Wilfredo Sanchez]
  • In configure, do not append the target name to the directory path if the path already contains "apache". [Ralf S. Engelschall]
  • SIGPIPE is now ignored by the server core. The request write routines (ap_rputc, ap_rputs, ap_rvputs, ap_rwrite, ap_rprintf, ap_rflush) now correctly check for output errors and mark the connection as aborted. Replaced many direct (unchecked) calls to ap_b* routines with the analogous ap_r* calls. [Roy Fielding]
  • Enhanced mod_rewrite's mapfile handling: The in-core cache for text and DBM format mapfiles now uses a 4-way hash table with LRU functionality. Furthermore map lookups for non-existent keys are now cached as well. Additionally "txt" maps are now parsed with simple string functions instead of using ap_pregcomp(). As a side effect a bug that prevented the usage of keys containing the "," character was fixed. The changes drastically improve the performance when large rewrite maps are in use. [Michael van Elst, Lars Eilebrecht] PR#3160
  • Added ap_sub_req_method_uri() for doing a subrequest with a method other than GET, and const'd the definition of method in request_rec. [Greg Stein]
  • Use proper pid_t type for saving PIDs in alloc.c. [John Bley]
  • Replaced use of WIN32 define with HAVE_DRIVE_LETTERS to indicate when the OS allows a DOS drive letter within pathnames. [Brian Havard]
  • Add %V to mod_log_config, this logs the hostname according to the UseCanonicalName setting (this is the pre-1.3.4 behaviour of %v). Useful for mass vhosting. [Tony Finch]
  • Add support for \n and \t to mod_log_config, can be used to produce more reliable logs with multiline entries. [Tony Finch]
  • Fixed a few compiler nits. [John Bley]
  • Added informative error messages for failed munmap() and fseek() calls in http_core.c. [John Bley, Roy Fielding]
  • Added some informative error messages for some failed malloc() calls. [John Bley, Jim Jagielski]
  • OS/2 ap_os_canonical_filename()'s behaviour is improved: ap_assert() is removed. This allows directives to work and prevents invalid requests from killing the process. [Brian Havard]
  • Reorganised FAQ document. [Joshua Slive] PR#2497
  • src/support/: The ApacheBench benchmark program was overhauled by David N. Welton: you can now have it generate an HTML TABLE, presumably for integration into other HTML sources. David updated the ab man page as well and added some missing descriptions. Thanks! [David N. Welton]
  • Win32: The filename validity checker now allows filenames containing characters in the range 0x80 to 0xff (for example accented characters). [Paul Sutton] PR#3890
  • Added conditional logging based upon environment variables to mod_log_config. mod_log_referer and mod_log_agent are now deprecated. [Ken Coar]
  • Allow Apache acting as a proxy server to relay the real reason of a failure to a client rather than the "internal server error" it does currently. The general exposure mechanism can be triggered by any module by setting the "verbose-error-to" note to "*"; this allows more than just proxy errors to be exposed. [Cliff Skolnick, Roy Fielding, Martin Kraemer] Related to PR#3455, 4086
  • Moved man pages for ab and apachectl to section 8. [Wilfredo Sanchez, Roy Fielding]
  • Added -S option to install.sh so that options can be passed to strip on some platforms. [Ralf S. Engelschall, Wilfredo Sanchez]
  • Tweak modules Makefile generated by Configure so that it handles the test case of no modules being selected. []
  • Added a sectioning directive that allows the user to assign authentication control to any HTTP method that is *not* given in the argument list; i.e., the logical negation of the directive. This is particularly useful for controlling access on methods unknown to the Apache core, but perhaps known by some module or CGI script. [Roy Fielding, Tony Finch]
  • Prevent apachectl from complaining if the PIDFILE exists but does not contain a process id, as might occur if the server is being rapidly restarted. [Wilfredo Sanchez]
  • Win32: Add global symbols missing from ApacheCore.def. [Carl Olsen]
  • Entity tag comparisons for If-Match and If-None-Match were not being performed correctly -- weak tags might cause false positives. Also, strong comparison wasn't properly enforced in all cases. [Roy Fielding, Ken Coar, Dean Gaudet] PR#2065, 3657
  • OS/2: Supply OS/2 error code instead of errno on semaphore errors. [Brian Havard]
  • Work around a bug in Lynx regarding its sending "Negotiate: trans" even though it doesn't understand TCN. [Koen Holtman, Roy Fielding]
  • Added ap_size_list_item(), ap_get_list_item(), and ap_find_list_item() to util.c for parsing an HTTP header field value to extract the next list item, taking into account the possible presence of nested comments, quoted-pairs, and quoted-strings. ap_get_list_item() also removes insignificant whitespace and lowercases non-quoted tokens. [Roy Fielding] PR#2065
  • proxy: The various calls to ap_proxyerror() can return HTTP/1.1 status code different from 500. This allows the proxy to, e.g., return "403 Forbidden" for ProxyBlock'ed URL's. [Martin Kraemer] Related to PR#3455
  • Fix ordering of language variants for the case where the traditional negotiation algorithm is being used with multiple language variants and no Accept-Language. [James Treacy] PR#3299, 3688
  • Do not round the TCN quality calculation to 5 decimal places, unlike RFC 2296, because the calculation might need 12 decimal places to get the right result. [Roy Fielding]
  • Remove unused code to disable transparent negotiation when negotiating on encoding only, as we now handle encoding too (though this is nonstandard for TCN), remove charset=ISO-8859-1 fiddle from the fiddle-averse RVSA comparison, and fix bugs in some debugging statements within mod_negotiation. [Koen Holtman]
  • Fixed a rare memory corruption possibility in mod_dir if the index file is negotiable and no acceptable variant can be found. [Dean Gaudet, Roy Fielding, Martin Kraemer]
  • Win32: Add new config directive, ScriptInterpreterSource, to enable searching the Win32 registry for script interpreters. [Bill Stoddard]
  • Win32: The compiled-in default filename for the error log is now error.log, which matches the default in the distributed httpd.conf. [Paul Sutton]
  • Win32: Any error messages from -i or -u command line options are now displayed on the console output rather than sent to the error log. Also the "Running Apache..." message is not output unless Apache is going to serve requests. [Paul Sutton]
  • Rework the MD5 authentication scheme to use FreeBSD's algorithm, and use a private significator ('$apr1$') to mark passwords as being smashed with our own algorithm. Also abstract the password checking into a new ap_validate_password() routine. [Ken Coar]
  • Win32: The filename validity checker now allows "COM" but refuses access to "COM1" through "COM4". This allows filenames such as "com.name" to be served. [Paul Sutton] PR#3769.
  • BS2000: Adapt to the new ufork() system call interface which will make subtasking easier on the OSD/POSIX mainframe environment. [Martin Kraemer]
  • Add a compatibility define for escape_uri() -> ap_escape_uri() to ap_compat.h. [David White] PR#3725
  • Make NDBM file suffix determination for mod_rewrite more accurate, i.e. use `.db' instead of `.pag' not only for FreeBSD, but also when the NDBM library looks like Berkeley-DB based. [Ralf S. Engelschall] PR#3773
  • Add ability to handle DES or MD5 authentication passwords. [Ryan Bloom]
  • Fix O(n^2) memory consumption in mod_speling. [Dean Gaudet]
  • SECURITY: Avoid some buffer overflow problems when escaping quoted strings. (This overflow was on the heap and we believe impossible to exploit.) [Rick Perry]
  • Let src/Configure be aware of CFLAGS options starting with plus signs as it's the case for the HP/UX compiler. [Doug Yatcilla] PR#3681
  • Remove the hard-wire of TAR=tar (we now check for gtar and gnutar first) and check to see if the tar we wind up with supports '-h'. [Jim Jagielski] PR#3671
  • A consistent and conservative style for all shell scripts has been implemented. Basically, all shell string tests use the traditional hack of 'if [ "x$var" != "x" ]' or 'if [ "x$var" = "xstring" ]' to protect against bare null variable strings (i.e., wrapping both sides with double quotes and prepending 'x'). 'x' was chosen because it's more universal and hopefully easier for old shell programmers, as well as being easier to search for in 'vi' (/x\$) :) [Jim Jagielski]
  • The status module now prints out both the main server generation as well as the generation of each process. Also, the vhost info is printed with '?notable'. [Jim Jagielski]
  • Move src/main/md5c.c to src/ap/ap_md5c.c; it's httpd-neutral and this makes its functions available to things in src/support. [Ken Coar]