Project description.

The Apache HTTP Server Project is an effort to develop and maintain an open-source HTTP server for modern operating systems including UNIX and Windows NT.

The goal of this project is to provide a secure, efficient and extensible server that provides HTTP services in sync with the current HTTP standards.

Apache 2.0.40 Changelog
  • SECURITY: CVE-2002-0661 (cve.mitre.org) Close a very significant security hole that applies only to the Win32, OS2 and Netware platforms. Unix was not affected; Cygwin may be affected. Certain URIs will bypass security and allow users to invoke or access any file depending on the system configuration. Without upgrading, a single .conf change will close the vulnerability. Add the following directive in the global server httpd.conf context before any other Alias or Redirect directives: RedirectMatch 400 "\\\.\." Reported by Auriemma Luigi. [Brad Nicholes]
  • SECURITY: CVE-2002-0654 (cve.mitre.org) Close a path-revealing exposure in multiview type map negotiation (such as the default error documents) where the module would report the full path of the typemapped .var file when multiple documents or no documents could be served based on the mime negotiation. Reported by Auriemma Luigi. [William Rowe]
  • SECURITY: CVE-2002-0654 (cve.mitre.org) Close a path-revealing exposure in cgi/cgid when we fail to invoke a script. The modules would report "couldn't create child process /path-to-script/script.pl" revealing the full path of the script. Reported by Jim Race. [Bill Stoddard]
  • Set aside the apr-iconv and apr_xlate() features for the Win32 build of 2.0.40 so development can be completed. A patch, from will be available for those that wish to work with apr-iconv. [William Rowe]
  • Fix proxy so that it is possible to access ftp: URLs via a proxy chain. [Peter Van Biesen]
  • mod_deflate now checks to make sure that 'gzip-only-text/html' is set to 1, so we can exclude things from the general case with browsermatch. [Ian Holsman, Andre Schild]
  • Accept multiple leading /'s for requests within the DocumentRoot. PR 10946 [William Rowe, David Shane Holden]
  • Solved the reports of .pdf byterange failures on Win32 alone. APR's sendfile for the win32 platform collapses header and trailer buffers into a single buffer. However, we destroyed the pointers to the header buffer if a trailer buffer was present. PR 10781 [William Rowe]
  • mod_ext_filter: Add the ability to enable or disable a filter via an environment variable. Add the ability to register a filter of type other than AP_FTYPE_RESOURCE. [Jeff Trawick]
  • Restore the ability to specify host names on Listen directives. PR 11030. [Jeff Trawick, David Shane Holden]
  • When deciding on the default address family for listening sockets, make sure we can actually bind to an AF_INET6 socket before deciding that we should default to AF_INET6. This fixes a startup problem on certain levels of OpenUNIX. PR 10235. [Jeff Trawick]
  • Replace usage of atol() to parse strings when we might want a larger-than-long value with apr_atoll(), which returns long long. This allows HTTPD to deal with larger files correctly. [Shantonu Sen]
  • mod_ext_filter: Ignore any content-type parameters when checking if the response should be filtered. Previously, "intype=text/html" wouldn't match something like "text/html;charset=8859_1". [Jeff Trawick]
  • mod_ext_filter: Set up environment variables for external programs. [Craig Sebenik]
  • Modified the HTTP_IN filter to immediately append the EOS (end of stream) bucket for C-L POST bodies, saving a roundtrip and allowing the caller to determine that no content remains without prefetching additional POST body. [William Rowe]
  • Get proxy ftp to work over IPv6. [Shoichi Sakane]
  • Look for OpenSSL libraries in /usr/lib64. [Peter Poeml]
  • Update SuSE layout. [Peter Poeml]
  • Changes to the internationalized error documents: Comment them out in the default config file to make the default install as simple as possible; Correct the English 500 error to be more understandable; Add a Swedish translation. [Thomas Sjogren, Erik Abele, Rich Bowen, Joshua Slive]
  • Increase the limit on file descriptors per process in apachectl. [Brian Pane]
  • Fix a dependency error when building ApacheMonitor, so that Win32 and MSVC now trust that the project is current (when it is). [James Cox]
  • mod_ext_filter: don't segfault if content-type is not set. PR 10617. [Arthur P. Smith, Jeff Trawick]
  • APR-Util Renames pending have been completed [Thom May]
  • Performance improvements for the code that reads request headers (ap_rgetline_core() and related functions) [Brian Pane]
  • Add a new directive: MaxMemFree. MaxMemFree makes it possible to configure the maximum amount of memory the allocators will hold on to for reuse. Anything over the MaxMemFree threshold will be free()d. This directive is useful when uncommon large peaks occur in memory usage. It should _not_ be used to mask defective modules' memory use. [Sander Striker]
  • Fixed the Content-Length filter so that HTTP/1.0 requests to CGI scripts would not result in a truncated response. [Ryan Bloom, Justin Erenkrantz, Cliff Woolley]
  • Add a filter_init parameter to the filter registration functions so that a filter can execute arbitrary code before the handlers are invoked. This resolves a problem where mod_include requests would incorrectly return a 304. [Justin Erenkrantz]
  • Fix a long-standing bug in 2.0: CGI scripts were being called with relative paths instead of absolute paths. Apache 1.3 used absolute paths for everything except for SuExec; this brings back that standard. [Ryan Bloom]
  • Fix infinite loop due to two HTTP_IN filters being present for internally redirected requests. PR 10146. [Justin Erenkrantz]
  • Switch conn_rec->keepalive to an enumeration rather than a bitfield. [Justin Erenkrantz]
  • Fix mod_ext_filter to look in the main server for filter definitions when running in a vhost if the filter definition is not found in the vhost. PR 10147 [Jeff Trawick]
  • Support WinNT CGI invocation through ScriptInterpreterSource 'registry' for script interpreter paths and names with non-ascii characters in the executable filepath. [William Rowe]
  • Support the -w flag on to keep the Win32 console open on error. [William Rowe]
  • Normalize the hostname value in the request_rec to all-lowercase. [Perry Harrington]
  • Fix WinNT cgi 500 errors when QUERY_ARGS or other strings include extended characters (non US-ASCII) in non-utf8 format. This brings Win32 back into CGI/1.1 compliance, and leaves charset decoding up to the cgi application itself. [William Rowe]
  • Major overhaul of mod_dav, mod_dav_fs and the experimental/cache modules to bring them up to the current apr/apr-util APIs. [William Rowe]
  • Fix segfault in mod_mem_cache most frequently observed when serving the same file to multiple clients on an MP machine. [Bill Stoddard]
  • mod_rewrite can now set cookies (RewriteRule (.*) - [CO=name:$1:.domain]). [Brian Degenhardt, Ian Holsman]
  • Fix perchild to work with apachectl by adding -k support to perchild. PR 10074 [Jeff Trawick]
  • Fix a silly htpasswd.c logic error that incorrectly reported that both -c and -n had been used. PR 9989 [Cliff Woolley]
  • Fixed a mod_include error case in which no HTTP response was sent to the client if an shtml document contained an unterminated SSI directive. [Brian Pane]
  • Improve ap_get_client_block implementation by using APR-util brigade helper functions and relying on current filter assumptions. [Justin Erenkrantz]