Project description.

The Apache HTTP Server Project is an effort to develop and maintain an open-source HTTP server for modern operating systems including UNIX and Windows NT.

The goal of this project is to provide a secure, efficient and extensible server that provides HTTP services in sync with the current HTTP standards

Apache 1.3b4 Changelog
  • The module structure was modified to include a *dynamic_load_handle in the STANDARD_MODULE_STUFF portion, and the MODULE_MAGIC_NUMBER has been bumped accordingly. [Paul Sutton]
  • All BrowserMatch directives mentioned in htdocs/manual/known_client_problems.html are in the default configuration files. [Lars Eilebrecht]
  • MiNT port update. [Jan Paul Schmidt]
  • HTTP/1.1 requires x-gzip and gzip encodings be treated equivalent, similarly for x-compress and compress. Apache now ignores a leading x- when comparing encodings. It also preserves the encoding the client requests (for example if it requests x-gzip, then Apache will respond with x-gzip in the Content-Encoding header). [Ronald Tschalaer ] PR#1772
  • Fix a memory leak on keep-alive connections. [Igor Tatarinov]
  • Added mod_so module to support dynamic loading of modules on Unix (like mod_dld for Win32). This replaces mod_dld.c. Use SharedModule instead of AddModule in Configuration to build shared modules [Sameer Parekh, Paul Sutton]
  • Minor cleanups to r->finfo handling in some modules. [Dean Gaudet]
  • Abstract read()/write() to ap_read()/ap_write(). Makes it easier to add other types of IO code such as SFIO. [Randy Terbush]
  • API: Generalize default_port manipulations to make support of different protocols easier. [Ben Laurie, Randy Terbush]
  • There are many cases where users do not want Apache to form self-referential urls using the "canonical" ServerName and Port. The new UseCanonicalName directive (default on), if set to off will cause Apache to use the client-supplied hostname and port. API: Part of this change required a change to the construct_url() prototype; and the addition of get_server_name() and get_server_port(). [Michael Douglass , Dean Gaudet] PR#315, 459, 485, 1433
  • Yet another rearrangement of the source tree.. now all the common header files are in the src/include directory. The -Imain -Iap references in Makefiles have been changed to the simpler -Iinclude instead. In addition to simplifying the build a little bit, this also makes it clear when a module is referencing something in a other than kosher manner (e.g., the proxy including mod_mime.h). Module-private header files (the proxy, mod_mime, the regex library, and mod_rewrite) have not been moved to src/include; nor have the OS-abstraction files. [Ken Coar]
  • Fix a bug where r->hostname didn't have the :port stripped from it. [Dean Gaudet]
  • Tweaked the headers_out table size, and the subprocess_env table size guess in rename_original_environment(). Added MAKE_TABLE_PROFILE which can help discover make_table() calls that use too small an initial guess, see alloc.c. [Dean Gaudet]
  • Options and AllowOverride weren't properly merging in the main server setting inside vhosts (only an issue when you have no or other section containing an Options that affects a request). Options +foo or -foo in the main_server wouldn't affect the main_server's lookup defaults. [Dean Gaudet]
  • Variable 'cwd' was being used pointlessly before being set. [Ken Coar] PR#1738
  • r->allowed handling cleaned up in the standard modules. [Dean Gaudet]
  • Some case-sensitivity issues cleaned up to be consistent with RFC2068. [Dean Gaudet]
  • SIGURG doesn't exist everywhere. [Mark Andrew Heinrich ]
  • mod_unique_id was erroneously generating a second unique id when an internal redirect occured. Such redirects occur, for example, when processing a DirectoryIndex match. [Dean Gaudet]
  • API: table_add, table_merge, and table_set include implicit pstrdup() of the key and value. But in many cases this is not required because the key/value is a constant, or the value has been built by pstrcat() or other similar means. New routines table_addn, table_mergen, and table_setn have been added to the API, these routines do not pstrdup() their arguments. The core code and standard modules were changed to take advantage of these routines. The resulting server is up to 20% faster in some situations.
  • Note that it is easy to get code subtly wrong if you pass a key/value which is in a pool other than the pool of the table. The only safe thing to do is to pass key/values which are in the pool of the table, or in one of the ancestors of the pool of the table. i.e. if the table is part of a subrequest, a value from the main request's pool is OK since the subrequest pool is a sub_pool of the main request's pool (and therefore has a lifespan at most as long as the main pool). There is debugging code which can detect improper usage, enabled by defining POOL_DEBUG. See alloc.c for more details. [Dmitry Khrustalev , Dean Gaudet]
  • More mod_mime_magic cleanup: fewer syscalls; should handle "files" which don't exist on disk more gracefully; handles vhosts properly. Update documentation to reflect the code -- if there's no MimeMagicFile directive then the module is not enabled. [Dean Gaudet]
  • PORT: Some older *nix dialects cannot automatically start scripts which begin with a #! interpreter line (the shell starts the scripts appropriately on these platforms). Apache now supports starting of "hashbang-scripts" when the NEED_HASHBANG_EMUL define is set. [Martin Kraemer, with code from Peter Wemm taken from tcsh]
  • API: "typedef array_header table" removed from alloc.h, folks should have been writing to use table as if it were an opaque type, but even some standard modules got this wrong. By changing the definition to "typedef struct table table" module authors will receive compile time warnings that they're doing the wrong thing. This change facilitates future changes with more sophisticated table structures. Specifically, module authors should be using table_elts() to get access to an array_header * for the table. [Dean Gaudet]
  • API: Renamed new_connection() to avoid namespace collision with LDAP library routines. [Ken Coar, Rasmus Lerdorf]
  • WIN32: mod_speling is now available on the Win32 platform. [Marc Slemko]
  • For clarity the following compile time definition was changed:
  • SAFE_UNSERIALIZED_ACCEPT -> SINGLE_LISTEN_UNSERIALIZED_ACCEPT
  • Also, for example, HAVE_MMAP would mean to use mmap() scoreboards and not be a general notice that the OS has mmap(). Now the HAVE_MMAP/SHMGET #defines strictly are informational that the OS has that method of shared memory; the type to use for the scoreboard is a seperate #define (USE_MMAP_SCOREBOARD and USE_SHMGET_SCOREBOARD). This allows outside modules to determine if shared memory is available and allows Apache to determine the best method to use for the scoreboard. [Jim Jagielski]
  • PORT: UnixWare 2.1.2 SMP appears to require USE_FCNTL_SERIALIZED_ACCEPT, as do various earlier versions. It should be safe on all versions. Unixware 1.x appears to have the same SIGHUP bug as solaris does with the slack code. A few other cleanups for Unixware. [Tom Hughes ] PR#1082, PR#1282, PR#1499, PR#1553
  • PORT: A/UX can handle single-listen accepts without mutex locking, so we add SINGLE_LISTEN_UNSERIALIZED_ACCEPT. [Jim Jagielski]
  • When die() happens we need to eat any request body if one exists. Otherwise we can't continue with a keepalive session. This shows up as a POST problem with MSIE 4.0, typically against pages which are authenticated. [Roy Fielding] PR#1399
  • If you define SECURITY_HOLE_PASS_AUTHORIZATION then the Authorization header will be passed to CGIs. This is generally a security hole, so it's not a default. [Marc Slemko] PR#549
  • Fix Y2K problem with date printing in suexec log. [Paul Eggert ] PR#1343
  • WIN32 deserves a pid file. [Ben Hyde]
  • suexec errors now include the errno/description. [Marc Slemko] PR#1543
  • PORT: OSF/1 now uses USE_FLOCK_SERIALIZED_ACCEPT to solve PR#467. The choice of flock vs. fcntl was made based on timings which showed that even on non-NFS, non-exported filesystems fcntl() was an order of magnitude slower. It also uses SINGLE_LISTEN_UNSERIALIZED_ACCEPT so that single socket users will see no difference. [Dean Gaudet] PR#467
  • "File does not exist" error message was erroneously including the errno. [Marc Slemko]
  • Improve the warning message generated when a client drops the connection (hits stop button, etc.) during a send. [Roy Fielding]
  • Defining GPROF will disable profiling in the parent and enable it in the children. If you're profiling under Linux this is pretty much necessary because SIGPROF is lost across a fork(). [Dean Gaudet]
  • htdigest and htpasswd needed slight tweaks to work on OS/2 and WIN32. [Brian Havard]
  • The NeXT cc (which is gcc hacked up) doesn't appear to support some gcc functionality. Work around it. [Keith Severson ] PR#1613
  • Some linkers complain when .o files contain no functions. [Keith Severson ] PR#1614
  • Some const declarations in mod_imap.c that were added for debugging purposes caused some compilers heartburn without adding any significant value, so they've been removed. [Ken Coar]
  • The src/main/*.h header files have had #ifndef wrappers added to insulate them against duplicate calls if they get included through multiple paths (e.g., in .c files as well as other .h files). [Ken Coar]
  • The libap routines now have a header file for their prototypes, src/ap/ap.h, to ease their use in non-httpd applications. [Ken Coar]
  • mod_autoindex with a plaintext header file would emit the
         start-tag before the HTML preamble, rather than after the preamble
         but before the header file contents.  [John Van Essen ]
         PR#1667
  • SECURITY: Fix a possible buffer overflow in logresolve. This is only an issue on systems without a MAXDNAME define or where the resolver returns domain names longer than MAXDNAME. [Marc Slemko]
  • SECURITY: Eliminate possible buffer overflow in cfg_getline, which is used to read various types of files such as htaccess and htpasswd files. [Marc Slemko]
  • SECURITY: Ensure that the buffer returned by ht_time is always properly null terminated. [Marc Slemko]
  • The "Connection" header could be sent back with multiple "close" tokens. Not an error, but a waste. [] PR#1683
  • mod_rewrite's RewriteLog should behave like mod_log_config, it shouldn't force hostname lookups. [Dean Gaudet] PR#1684
  • "basic" auth needs a case-insensitive comparison. [] PR#1666
  • For maximum portability, the environment passed to CGIs should only contain variables whose names match the regex /[a-zA-Z][a-zA-Z0-9_]*/. This is now enforced by stamping underscores over any character outside the regex. This affects HTTP_* variables, in a way that should be backward compatible for all the standard headers; and affects variables set with SetEnv/BrowserMatch and similar directives. [Dean Gaudet]
  • mod_speling returned incorrect HREF's when an ambigous match was found. Noticed by (Soeren Ziehe) [Soeren Ziehe , Martin Kraemer]
  • PORT: Apache now compiles & runs on an EBCDIC mainframe (the Siemens BS2000/OSD family) in the POSIX subsystem [Martin Kraemer]
  • PORT: Fix problem killing children when terminating. Allow ^C to shut down the server. [Brian Havard]
  • pstrdup() is implicit in calls to table_* functions, so there's no need to do it before calling. Clean up a few cases. [Marc Slemko, Dean Gaudet]
  • new -C and -c command line arguments usage: -C "directive" : process directive before reading config files -c "directive" : process directive after reading config files example: httpd -C "PerlModule Apache::httpd_conf" [Doug MacEachern, Martin Kraemer]
  • WIN32: Fix the execution of CGIs that are scripts and called with path info that does not have an '=' in. (eg. http://server/cgi-bin/printenv?foobar) [Marc Slemko] PR#1591
  • WIN32: Fix a call to os_canonical_filename so it doesn't try to mess with fake filenames. This fixes proxy caching on win32. PR#1265
  • SECURITY: General mod_include cleanup, including fixing several possible buffer overflows and a possible infinite loop. [Dean Gaudet, Marc Slemko]
  • SECURITY: Numerous changes to mod_imap in a general cleanup including fixing a possible buffer overflow. [Dean Gaudet]
  • WIN32: overhaul of multithreading code. Shutdowns are now graceful (connections are not dropped). Code can handle graceful restarts (but there is as yet no way to signal this to Apache). Various other cleanups. [Paul Sutton]
  • The aplog_error changes specific to 1.3 introduced a buffer overrun in the (now legacy) log_printf function. Fixed. [Dean Gaudet]
  • mod_digest didn't properly deal with proxy authentication. It also lacked a case-insensitive comparision of the "Digest" token. [Ronald Tschalaer ] PR#1599
  • A few cleanups in mod_status for efficiency. [Dean Gaudet]
  • A few cleanups in mod_info to make it thread-safe, and remove an off-by-5 bug that could hammer \0 on the stack. [Dean Gaudet]
  • no2slash() was O(n^2) in the length of the input. Make it O(n). [Dean Gaudet]
  • API: migration from strncpy() to our "enhanced" version called ap_cpystrn() for performance and functionality reasons. Located in libap.a. [Jim Jagielski]
  • table_set() and table_unset() did not deal correctly with multiple occurrences of the same key. [Stephen Scheck , Ben Laurie] PR#1604
  • The AuthName must now be enclosed in quotes if it is to contain spaces. [Ken Coar] PR#1195
  • API: new function: ap_escape_quotes(). [Ken Coar] PR#1195
  • WIN32: Work around optimiser bug that killed ISAPI in release versions. [Ben Laurie] PR#1533
  • PORT: Update the MPE port [Mark Bixby, Jim Jagielski]
  • Interim (slow) fix for p->sub_pool critical sections in alloc.c (affects win32 only). [Ben Hyde]
  • non-WIN32 was missing destroy_mutex definition. [Ben Hyde]
  • send_fd_length() did not calculate total_bytes_sent properly. [Ben Reser ] PR#1366
  • The bputc() macro was not properly integrated with the chunking code; in many cases modules using bputc() could cause completely bogus chunked output. (Typically this will show up as problems with Internet Explorer 4.0 reading a page, but other browsers having no problem.) [Dean Gaudet]
  • Create LARGE_WRITE_THRESHOLD define which determines how many bytes have to be supplied to bwrite() before it will consider doing a writev() to assemble multiple buffers in one system call. This is critical for modules such as mod_include, mod_autoindex, mod_php3 which all use bputc()/bputs() of smaller strings in some cases. The result would be extra effort setting up writev(), and in many cases extra effort building chunks. The default is 31, it can be overriden at compile time. [Dean Gaudet]
  • Move the gid switching code into the child so that log files and pid files are opened with the root gid. [Gregory A Lundberg ]
  • WIN32: Check for binaries by looking for the executable header instead of counting control characters. [Jim Patterson ] PR#1340
  • ap_snprintf() moved from main/util_snprintf.c to ap/ap_snprintf.c so the functionality is available to applications other than the server itself (like the src/support tools). [Ken Coar]
  • ap_slack() moved out of main/util.c into ap/ap_slack.c as part of the libap consolidation work. [Ken Coar]
  • ap_snprintf() with a len of 0 behaved like sprintf(). This is not useful, and isn't what the standards require. Now it returns 0 and writes nothing. [Dean Gaudet]
  • When an error occurs in fcntl() locking suggest the user look up the docs for LockFile. [Dean Gaudet]
  • Eliminate some dead code from writev_it_all(). [Igor Tatarinov ]
  • mod_autoindex had an fread() without checking the result code. It also wouldn't handle "AddIconByType (TXT,/icons/text.gif text/*" (note the missing closing paren) properly. [Dean Gaudet]
  • It appears the "257th byte" bug (see htdocs/manual/misc/known_client_problems.html#257th-byte) can happen at the 256th byte as well. Fixed. [Dean Gaudet]
  • PORT: Fix mod_mime_magic under OS/2, no support for block devices. [Brian Havard]
  • Fix memory corruption caused by allocating auth usernames in the wrong pool. [Dean Gaudet] PR#1500
  • Fix an off-by-1, and an unterminated string error in mod_mime_magic. [Dean Gaudet]
  • Fix a potential SEGV problem in mod_negotiation when dealing with type-maps. [Dean Gaudet]
  • Better glibc support under Linux. [Dean Gaudet] PR#1542
  • "RedirectMatch gone /" would cause a SIGSEGV. [Dean Gaudet] PR#1319
  • WIN32: avoid overflows during file canonicalisations. [] PR#1378
  • WIN32: set_file_slot() didn't detect absolute paths. [Ben Laurie] PR#1511, 1508
  • WIN32: mod_status display header didn't match fields. [Ben Laurie]
  • The pthread_mutex_* functions return an error code, and don't set errno. [Igor Tatarinov ]
  • WIN32: Allow spaces to prefix the interpreter in #! lines. [Ben Laurie] PR#1101
  • WIN32: Cure file leak in CGIs. [Peter Tillemans ] PR#1523
  • proxy_ftp: the directory listings generated by the proxy ftp module now have a title in which the path components are clickable and allow quick navigation to the clicked-on directory on the currently listed ftp server. This also fixes a bug where the ".." directory links would sometimes refer to the wrong directory. [Martin Kraemer]
  • WIN32: Allocate the correct amount of memory for the scoreboard. [Ben Hyde] PR#1387
  • WIN32: Only lowercase the part of the path that is real. [Ben Laurie] PR#1505
  • Fix problems with timeouts in inetd mode and -X mode. [Dean Gaudet]
  • Fix the spurious "(0)unknown error: mmap_handler: mmap failed" error messages. [Ben Hyde]