-
Notifications
You must be signed in to change notification settings - Fork 1.1k
/
CHANGES
13405 lines (10102 loc) · 588 KB
/
CHANGES
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
Changes with Apache 2.0.49
*) SECURITY: CAN-2004-0174 (cve.mitre.org)
Fix starvation issue on listening sockets where a short-lived
connection on a rarely-accessed listening socket will cause a
child to hold the accept mutex and block out new connections until
another connection arrives on that rarely-accessed listening socket.
With Apache 2.x there is no performance concern about enabling the
logic for platforms which don't need it, so it is enabled everywhere
except for Win32. [Jeff Trawick]
*) mod_cgid: Fix storage corruption caused by use of incorrect pool.
[Jeff Trawick]
*) Win32: find_read_listeners was not correctly handling multiple
listeners on the Win32DisableAcceptEx path. [Bill Stoddard]
*) Fix bug in mod_usertrack when no CookieName is set. PR 24483.
[Manni Wood <manniwood planet-save.com>]
*) Fix some piped log problems: bogus "piped log program '(null)'
failed" messages during restart and problem with the logger
respawning again after Apache is stopped. PR 21648, PR 24805.
[Jeff Trawick]
*) Fixed file extensions for real media files and removed rpm extension
from mime.types. PR 26079. [Allan Sandfeld <kde carewolf.com>]
*) Remove compile-time length limit on request strings. Length is
now enforced solely with the LimitRequestLine config directive.
[Paul J. Reder]
*) mod_ssl: Send the Close Alert message to the peer before closing
the SSL session. PR 27428. [Madhusudan Mathihalli, Joe Orton]
*) SECURITY: CAN-2004-0113 (cve.mitre.org)
mod_ssl: Fix a memory leak in plain-HTTP-on-SSL-port handling.
PR 27106. [Joe Orton]
*) mod_ssl: Fix bug in passphrase handling which could cause spurious
failures in SSL functions later. PR 21160. [Joe Orton]
*) mod_log_config: Fix corruption of buffered logs with threaded
MPMs. PR 25520. [Jeff Trawick]
*) Fix mod_include's expression parser to recognize strings correctly
even if they start with an escaped token. [André Malo]
*) Add fatal exception hook for use by diagnostic modules. The hook
is only available if the --enable-exception-hook configure parm
is used and the EnableExceptionHook directive has been set to
"on". [Jeff Trawick]
*) Allow mod_auth_digest to work with sub-requests with different
methods than the original request. PR 25040.
[Josh Dady <jpd indecisive.com>]
*) fix "Expected </Foo>> but saw </Foo>" errors in nested,
argumentless containers.
["Philippe M. Chiasson" <gozer cpan.org>]
*) mod_auth_ldap: Fix some segfaults in the cache logic. PR 18756.
[Matthieu Estrade <apache moresecurity.org>, Brad Nicholes]
*) mod_cgid: Restart the cgid daemon if it crashes. PR 19849
[Glenn Nielsen <glenn apache.org>]
*) The whole codebase was relicensed and is now available under
the Apache License, Version 2.0 (http://www.apache.org/licenses).
[Apache Software Foundation]
*) Fixed cache-removal order in mod_mem_cache.
[Jean-Jacques Clar, Cliff Woolley]
*) mod_setenvif: Fix the regex optimizer, which under circumstances
treated the supplied regex as literal string. PR 24219.
[André Malo]
*) ap_mpm.h: Fix include guard of ap_mpm.h to reference mpm
instead of mmn. [André Malo]
*) mod_rewrite: Catch an edge case, where strange subsequent RewriteRules
could lead to a 400 (Bad Request) response. [André Malo]
*) Keep focus of ITERATE and ITERATE2 on the current module when
the module chooses to return DECLINE_CMD for the directive.
PR 22299. [Geoffrey Young <geoff apache.org>]
*) Add support for IMT minor-type wildcards (e.g., text/*) to
ExpiresByType. PR#7991 [Ken Coar]
*) Fix segfault in mod_mem_cache cache_insert() due to cache size
becoming negative. PR: 21285, 21287
[Bill Stoddard, Massimo Torquati, Jean-Jacques Clar]
*) core.c: If large file support is enabled, allow any file that is
greater than AP_MAX_SENDFILE to be split into multiple buckets.
This allows Apache to send files that are greater than 2gig.
Otherwise we run into 32/64 bit type mismatches in the file size.
[Brad Nicholes]
*) proxy_http fix: mod_proxy hangs when both KeepAlive and
ProxyErrorOverride are enabled, and a non-200 response without a
body is generated by the backend server. (e.g.: a client makes a
request containing the "If-Modified-Since" and "If-None-Match"
headers, to which the backend server respond with status 304.)
[Graham Wiseman <gwiseman fscinternet.com>, Richard Reiner]
*) mod_dav: Reject requests which include an unescaped fragment in the
Request-URI. PR 21779. [Amit Athavale <amit_athavale lycos.com>]
*) Build array of allowed methods with proper dimensions, fixing
possible memory corruption. [Jeff Trawick]
*) mod_ssl: Fix potential segfault on lookup of SSL_SESSION_ID.
PR 15057. [Otmar Lendl <lendl nic.at>]
*) mod_ssl: Fix streaming output from an nph- CGI script. PR 21944
[Joe Orton]
*) mod_usertrack no longer inspects the Cookie2 header for
the cookie name. PR 11475. [Chris Darrochi <chrisd pearsoncmg.com>]
*) mod_usertrack no longer overwrites other cookies.
PR 26002. [Scott Moore <apache nopdesign.com>]
*) worker MPM: fix stack overlay bug that could cause the parent
process to crash. [Jeff Trawick]
*) Win32: Add Win32DisableAcceptEx directive. This Windows
NT/2000/CP directive is useful to work around bugs in some
third party layered service providers like virus scanners,
VPN and firewall products, that do not properly handle
WinSock 2 APIs. Use this directive if your server is issuing
AcceptEx failed messages.
[Allan Edwards, Bill Rowe, Bill Stoddard, Jeff Trawick]
*) Make REMOTE_PORT variable available in mod_rewrite.
PR 25772. [André Malo]
*) Fix a long delay with CGI requests and keepalive connections on
AIX. [Jeff Trawick]
*) mod_autoindex: Add 'XHTML' option in order to allow switching between
HTML 3.2 and XHTML 1.0 output. PR 23747. [André Malo]
*) Add XHTML Document Type Definitions to httpd.h (minor MMN bump).
[André Malo]
*) mod_ssl: Advertise SSL library version as determined at run-time rather
than at compile-time. PR 23956. [Eric Seidel <seidel apple.com>]
*) mod_ssl: Fix segfault on a non-SSL request if the 'c' log
format code is used. PR 22741. [Gary E. Miller <gem rellim.com>]
*) Fix build with parallel make. PR 24643. [Joe Orton]
*) mod_rewrite: In external rewrite maps lookup keys containing
a newline now cause a lookup failure. PR 14453.
[Cedric Gavage <cedric.gavage unixtech.be>, André Malo]
*) Backport major overhaul of mod_include's filter parser from 2.1.
The new parser code is expected to be more robust and should
catch all of the edge cases that were not handled by the previous one.
The 2.1 external API changes were hidden by a wrapper which is
expected to keep the API backwards compatible. [André Malo]
*) Add a hook (insert_error_filter) to allow filters to re-insert
themselves during processing of error responses. Enable mod_expires
to use the new hook to include Expires headers in valid error
responses. This addresses an RFC violation. It fixes PRs 19794,
24884, and 25123. [Paul J. Reder]
*) Add Polish translation of error messages. PR 25101.
[Tomasz Kepczynski <tomek jot23.org>]
*) Add AP_MPMQ_MPM_STATE function code for ap_mpm_query. (Not yet
supported for BeOS or OS/2 MPMs.) [Jeff Trawick, Brad Nicholes,
Bill Stoddard]
*) Add mod_status hook to allow modules to add to the mod_status
report. [Joe Orton]
*) Fix htdbm to generate comment fields in DBM files correctly.
[Justin Erenkrantz]
*) mod_dav: Use bucket brigades when reading PUT data. This avoids
problems if the data stream is modified by an input filter. PR 22104.
[Tim Robbins <tim robbins.dropbear.id.au>, André Malo]
*) Fix RewriteBase directive to not add double slashes. [André Malo]
*) Improve 'configure --help' output for some modules. [Astrid Keßler]
*) Correct UseCanonicalName Off to properly check incoming port number.
[Jim Jagielski]
*) Fix slow graceful restarts with prefork MPM. [Joe Orton]
*) Fix a problem with namespace mappings being dropped in mod_dav_fs;
if any property values were set which defined namespaces these
came out mangled in the PROPFIND response. PR 11637.
[Amit Athavale <amit_athavale persistent.co.in>]
*) mod_dav: Return a WWW-auth header for MOVE/COPY requests where
the destination resource gives a 401. PR 15571. [Joe Orton]
*) SECURITY: CAN-2003-0020 (cve.mitre.org)
Escape arbitrary data before writing into the errorlog. Unescaped
errorlogs are still possible using the compile time switch
"-DAP_UNSAFE_ERROR_LOG_UNESCAPED". [Geoffrey Young, André Malo]
*) mod_autoindex / core: Don't fail to show filenames containing
special characters like '%'. PR 13598. [André Malo]
*) mod_status: Report total CPU time accurately when using a threaded
MPM. PR 23795. [Jeff Trawick]
*) Fix memory leak in handling of request bodies during reverse
proxy operations. PR 24991. [Larry Toppi <larry.toppi citrix.com>]
*) Win32 MPM: Implement MaxMemFree to enable setting an upper
limit on the amount of storage used by the bucket brigades
in each server thread. [Bill Stoddard]
*) Modified the cache code to be header-location agnostic. Also
fixed a number of other cache code bugs related to PR 15852.
Includes a patch submitted by Sushma Rai <rsushma novell.com>.
This fixes mod_mem_cache but not mod_disk_cache yet so I'm not
closing the PR since that is what they are using. [Paul J. Reder]
*) complain via error_log when mod_include's INCLUDES filter is
enabled, but the relevant Options flag allowing the filter to run
for the specific resource wasn't set, so that the filter won't
silently get skipped. next remove itself, so the warning will be
logged only once [Stas Bekman, Jeff Trawick, Bill Rowe]
*) mod_info: HTML escape configuration information so it displays
correctly. PR 24232. [Thom May]
*) Restore the ability to add a description for directories that
don't contain an index file. (Broken in 2.0.48) [André Malo]
*) Fix a problem with the display of empty variables ("SetEnv foo") in
mod_include. PR 24734 [Markus Julen <mj zermatt.net>]
*) mod_log_config: Log the minutes component of the timezone correctly.
PR 23642. [Hong-Gunn Chew <hgbug gunnet.org>]
*) mod_proxy: Fix cases where an invalid status-line could be sent
to the client. PR 23998. [Joe Orton]
*) mod_ssl: Fix segfaults at startup if other modules which use OpenSSL
are also loaded. [Joe Orton]
*) mod_ssl: Use human-readable OpenSSL error strings in logs; use
thread-safe interface for retrieving error strings. [Joe Orton]
*) mod_expires: Initialize ExpiresDefault to NULL instead of "" to
avoid reporting an Internal Server error if it is used without
having been set in the httpd.conf file. PR: 23748, 24459
[Andre Malo, Liam Quinn <liam htmlhelp.com>]
*) mod_autoindex: Don't omit the <tr> start tag if the SuppressIcon
option is set. PR 21668. [Jesse Tie-Ten-Quee <highos highos.com>]
*) mod_include no longer allows an ETag header on 304 responses.
PR 19355. [Geoffrey Young <geoff apache.org>, André Malo]
*) EBCDIC: Convert header fields to ASCII before sending (broken
since 2.0.44). [Martin Kraemer]
*) Fix the inability to log errors like exec failure in
mod_ext_filter/mod_cgi script children. This was broken after
such children stopped inheriting the error log handle.
[Jeff Trawick]
*) Fix mod_info to use the real config file name, not the default
config file name. [Aryeh Katz <aryeh secured-services.com>]
*) Set the scoreboard state to indicate logging prior to running
logging hooks so that server-status will show 'L' for hung loggers
instead of 'W'. [Jeff Trawick]
Changes with Apache 2.0.48
*) SECURITY [CAN-2003-0789]: mod_cgid: Resolve some mishandling of
the AF_UNIX socket used to communicate with the cgid daemon and
the CGI script. [Jeff Trawick]
*) SECURITY [CAN-2003-0542]: Fix buffer overflows in mod_alias and
mod_rewrite which occurred if one configured a regular expression
with more than 9 captures. [André Malo]
*) mod_include: fix segfault which occured if the filename was not
set, for example, when processing some error conditions.
PR 23836. [Brian Akins <bakins web.turner.com>, André Malo]
*) fix the config parser to support <Foo>..</Foo> containers (no
arguments in the opening tag) supported by httpd 1.3. Without
this change mod_perl 2.0's <Perl> sections are broken.
["Philippe M. Chiasson" <gozer cpan.org>]
*) mod_cgid: fix a hash table corruption problem which could
result in the wrong script being cleaned up at the end of a
request. [Jeff Trawick]
*) Update httpd-*.conf to be clearer in describing the connection
between AddType and AddEncoding for defining the meaning of
compressed file extensions. [Roy Fielding]
*) mod_rewrite: Don't die silently when failing to open RewriteLogs.
PR 23416. [André Malo]
*) mod_rewrite: Fix mod_rewrite's support of the [P] option to send
rewritten request using "proxy:". The code was adding multiple "proxy:"
fields in the rewritten URI. PR: 13946.
[Eider Oliveira <eider bol.com.br>]
*) cache_util: Fix ap_check_cache_freshness to check max_age, smax_age, and
expires as directed in RFC 2616. [Thomas Castelle <tcastelle generali.fr>]
*) Ensure that ssl-std.conf is generated at configure time, and switch
to using the expanded config variables to work the same as
httpd-std.conf PR: 19611
[Thom May]
*) mod_ssl: Fix segfaults after renegotiation failure. PR 21370
[Hartmut Keil <Hartmut.Keil adnovum.ch>]
*) mod_autoindex: If a directory contains a file listed in the
DirectoryIndex directive, the folder icon is no longer replaced
by the icon of that file. PR 9587.
[David Shane Holden <dpejesh yahoo.com>]
*) Fixed mod_usertrack to not get false positive matches on the
user-tracking cookie's name. PR 16661.
[Manni Wood <manniwood planet-save.com>]
*) mod_cache: Fix the cache code so that responses can be cached
if they have an Expires header but no Etag or Last-Modified
headers. PR 23130.
[<bjorn exoweb.net>]
*) mod_log_config: Fix %b log format to write really "-" when 0 bytes
were sent (e.g. with 304 or 204 response codes). [Astrid Keßler]
*) Modify ap_get_client_block() to note if it has seen EOS.
[Justin Erenkrantz]
*) Fix a bug, where mod_deflate sometimes unconditionally compressed the
content if the Accept-Encoding header contained only other tokens than
"gzip" (such as "deflate"). PR 21523. [Joe Orton, André Malo]
*) Avoid an infinite recursion, which occured if the name of an included
config file or directory contained a wildcard character. PR 22194.
[André Malo]
*) mod_ssl: Fix a problem setting variables that represent the
client certificate chain. PR 21371 [Jeff Trawick]
*) Unix: Handle permissions settings for flock-based mutexes in
unixd_set_global|proc_mutex_perms(). Allow the functions to be
called for any type of mutex. PR 20312 [Jeff Trawick]
*) ab: Work over non-loopback on Unix again. PR 21495. [Jeff Trawick]
*) Fix a misleading message from the some of the threaded MPMs when
MaxClients has to be lowered due to the setting of ServerLimit.
[Jeff Trawick]
*) Lower the severity of the "listener thread didn't exit" message
to debug, as it is of interest only to developers. PR 9011
[Jeff Trawick]
*) MPMs: The bucket brigades subsystem now honors the MaxMemFree setting.
[Cliff Woolley, Jean-Jacques Clar]
*) Install config.nice into the build/ directory to make
minor version upgrades easier. [Joshua Slive]
*) Fix mod_deflate so that it does not call deflate() without checking
first whether it has something to deflate. (Currently this causes
deflate to generate a fatal error according to the zlib spec.)
PR 22259. [Stas Bekman]
*) mod_ssl: Fix FakeBasicAuth for subrequest. Log an error when an
identity spoof is encountered.
[Sander Striker]
*) mod_rewrite: Ignore RewriteRules in .htaccess files if the directory
containing the .htaccess file is requested without a trailing slash.
PR 20195. [André Malo]
*) ab: Overlong credentials given via command line no longer clobber
the buffer. [André Malo]
*) mod_deflate: Don't attempt to hold all of the response until we're
done. [Justin Erenkrantz]
*) Assure that we block properly when reading input bodies with SSL.
PR 19242. [David Deaves <David.Deaves dd.id.au>, William Rowe]
*) Update mime.types to include latest IANA and W3C types. [Roy Fielding]
*) mod_ext_filter: Set additional environment variables for use by
the external filter. PR 20944. [Andrew Ho, Jeff Trawick]
*) Fix buildconf errors when libtool version changes. [Jeff Trawick]
*) Remember an authenticated user during internal redirects if the
redirection target is not access protected and pass it
to scripts using the REDIRECT_REMOTE_USER environment variable.
PR 10678, 11602. [André Malo]
*) mod_include: Fix a trio of bugs that would cause various unusual
sequences of parsed bytes to omit portions of the output stream.
PR 21095. [Ron Park <ronald.park cnet.com>, André Malo, Cliff Woolley]
*) Update the header token parsing code to allow LWS between the
token word and the ':' seperator. [PR 16520]
[Kris Verbeeck <kris.verbeeck advalvas.be>, Nicel KM <mnicel yahoo.com>]
*) Eliminate creation of a temporary table in ap_get_mime_headers_core()
[Joe Schaefer <joe+gmane sunstarsys.com>]
*) Added FreeBSD directory layout. PR 21100.
[Sander Holthaus <info orangexl.com>, André Malo]
*) Fix NULL-pointer issue in ab when parsing an incomplete or non-HTTP
response. PR 21085. [Glenn Nielsen <glenn apache.org>, André Malo]
*) mod_rewrite: Perform child initialization on the rewrite log lock.
This fixes a log corruption issue when flock-based serialization
is used (e.g., FreeBSD). [Jeff Trawick]
*) Don't respect the Server header field as set by modules and CGIs.
As with 1.3, for proxy requests any such field is from the origin
server; otherwise it will have our server info as controlled by
the ServerTokens directive. [Jeff Trawick]
Changes with Apache 2.0.47
*) SECURITY [CAN-2003-0192]: Fixed a bug whereby certain sequences
of per-directory renegotiations and the SSLCipherSuite directive
being used to upgrade from a weak ciphersuite to a strong one
could result in the weak ciphersuite being used in place of the
strong one. [Ben Laurie]
*) SECURITY [CAN-2003-0253]: Fixed a bug in prefork MPM causing
temporary denial of service when accept() on a rarely accessed port
returns certain errors. Reported by Saheed Akhtar
<S.Akhtar talis.com>. [Jeff Trawick]
*) SECURITY [CAN-2003-0254]: Fixed a bug in ftp proxy causing denial
of service when target host is IPv6 but proxy server can't create
IPv6 socket. Fixed by the reporter. [Yoshioka Tsuneo
<tsuneo.yoshioka f-secure.com>]
*) SECURITY [VU#379828] Prevent the server from crashing when entering
infinite loops. The new LimitInternalRecursion directive configures
limits of subsequent internal redirects and nested subrequests, after
which the request will be aborted. PR 19753 (and probably others).
[William Rowe, Jeff Trawick, André Malo]
*) core_output_filter: don't split the brigade after a FLUSH bucket if
it's the last bucket. This prevents creating unneccessary empty
brigades which may not be destroyed until the end of a keepalive
connection.
[Juan Rivera <Juan.Rivera citrix.com>]
*) Add support for "streamy" PROPFIND responses.
[Ben Collins-Sussman <sussman collab.net>]
*) mod_cgid: Eliminate a double-close of a socket. This resolves
various operational problems in a threaded MPM, since on the
second attempt to close the socket, the same descriptor was
often already in use by another thread for another purpose.
[Jeff Trawick]
*) mod_negotiation: Introduce "prefer-language" environment variable,
which allows to influence the negotiation process on request basis
to prefer a certain language. [André Malo]
*) Make mod_expires' ExpiresByType work properly, including for
dynamically-generated documents. [Ken Coar, Bill Stoddard]
Changes with Apache 2.0.46
*) SECURITY [CAN-2003-0245]: Fixed a bug causing apr_pvsprintf() to crash
by sending an overly long string. This can be triggered remotely
through mod_dav, mod_ssl, and other mechanisms. Reported by David
Endler <DEndler iDefense.com>.
[Joe Orton <jorton redhat.com>]
*) SECURITY [CAN-2003-0189]: Fixed a denial-of-service vulnerability
affecting basic authentication on Unix platforms related to
thread-safety in apr_password_validate(). The problem was reported
by John Hughes <john.hughes entegrity.com>.
*) Fix for mod_dav. Call the 'can_be_activity' callback, if provided,
when a MKACTIVITY request comes in.
[Ben Collins-Sussman <sussman collab.net>]
*) Perform run-time query in apxs for apr and apr-util's includes.
[Justin Erenkrantz]
*) run libtool from the apr install directory (in case that is different
from the apache install directory) [Jeff Trawick]
*) configure.in: Play nice with libtool-1.5. [Wilfredo Sanchez]
*) If mod_mime_magic does not know the content-type, do not attempt to
guess. PR 16908. [Andrew Gapon <agapon telcordia.com>]
*) ssl session caching(shmht) : Fix a SEGV problem with SHMHT session
caching. PR 17864.
[Andreas Leimbacher <andreasl67 yahoo.de>, Madhusudan Mathihalli]
*) Add a delete flag to htpasswd.
[Thom May]
*) Fix mod_rewrite's handling of absolute URIs. The escaping routines
now work scheme dependent and the query string will only be
appended if supported by the particular scheme. [André Malo]
*) Add another check for already compressed content in mod_deflate.
PR 19913. [Tsuyoshi SASAMOTO <nazonazo super.win.ne.jp>]
*) Fixes for VPATH builds; copying special.mk and any future .mk files
from the source tree as well as the build tree (now creates a usable
configuration for apxs), and eliminated redundant -I'nclude paths.
[William Rowe]
*) Code fixes, constness corrections and ssl_toolkit_compat.h updates
for SSLC and OpenSSL toolkit compatibility. Still work remains to
be done to cripple features based on the limitations of RSA's binary
distribution of their SSL-C toolkit.
[William Rowe, Madhusudan Mathihalli, Jeff Trawick]
*) Linux 2.4+: If Apache is started as root and you code
CoreDumpDirectory, coredumps are enabled via the prctl() syscall.
[Greg Ames]
*) ap_get_mime_headers_core: allocate space for the trailing null
when folding is in effect.
PR 18170 [Peter Mayne <PeterMayne SPAM_SUX.ap.spherion.com>]
*) Fix --enable-mods-shared=most and other variants. [Aaron Bannert]
*) mod_log_config: Add the ability to log the id of the thread
processing the request via new %P formats. [Jeff Trawick]
*) Use appropriate language codes for Czech (cs) and Traditional Chinese
(zh-tw) in default config files. PR 9427. [André Malo]
*) mod_auth_ldap: Use generic whitespace character class when parsing
"require" directives, instead of literal spaces only. PR 17135.
[André Malo]
*) Hook mod_rewrite's type checker before mod_mime's one. That way the
RewriteRule [T=...] Flag should work as expected now. PR 19626.
[André Malo]
*) htpasswd: Check the processed file on validity. If a line is not empty
and not a comment, it must contain at least one colon. Otherwise exit
with error code 7. [Kris Verbeeck <Kris.Verbeeck ubizen.com>, Thom May]
*) Fix a problem that caused httpd to be linked with incorrect flags
on some platforms when mod_so was enabled by default, breaking
DSOs on AIX. PR 19012 [Jeff Trawick]
*) By default, use the same CC and CPP with which APR was built.
The user can override with CC and CPP environment variables.
[Jeff Trawick]
*) Fix ap_construct_url() so that it surrounds IPv6 literal address
strings with []. This fixes certain types of redirection.
PR 19207. [Jeff Trawick]
*) forward port of buffer overflow fixes for htdigest. [Thom May]
*) Added AllowEncodedSlashes directive to permit control of whether
the server will accept encoded slashes ('%2f') in the URI path.
Default condition is off (the historical behaviour). This permits
environments in which the path-info needs to contain encoded
slashes. PR 543, 2389, 3581, 3589, 5687, 7066, 7865, 14639. [Ken Coar]
*) When using Redirect in directory context, append requested query
string if there's no one supplied by configuration. PR 10961.
[André Malo]
*) Unescape the supplied wildcard pattern in mod_autoindex. Otherwise
the pattern will not always match as desired. PR 12596.
[André Malo]
*) mod_autoindex now emits and accepts modern query string parameter
delimiters (;). Thus column headers no longer contain unescaped
ampersands. PR 10880 [André Malo]
*) Enable ap_sock_disable_nagle for Windows. This along with the
addition of APR_TCP_NODELAY_INHERITED to apr.hw will cause Nagle
to be disabled for Windows. [Allan Edwards]
*) Correct a mis-correlation between mpm_common.c and mpm_common.h;
This patch reverts us to pre-2.0.46 behavior, using the
ap_sock_disable_nagle noop macro, because ap_sock_disable_nagle
was never compiled on Win32. [Allan Edwards, William Rowe]
*) Fix a build problem with passing unsupported --enable-layout
args to apr and apr-util. This broke binbuild.sh as well as
user-specified layout parameters. PR 18649 [Justin Erenkrantz,
Jeff Trawick]
*) If a Date response header was already set in the headers array,
this value was ignored in favour of the current time. This meant
that Date headers on proxied requests where rewritten when they
should not have been. PR: 14376 [Graham Leggett]
*) Add code to buildconf that produces an httpd.spec file from
httpd.spec.in, using build/get-version.sh from APR.
[Graham Leggett]
*) Fixed a segfault when multiple ProxyBlock directives were used.
PR: 19023 [Sami Tikka <sami.tikka f-secure.com>]
*) SECURITY [CAN-2003-0134] OS2: Fix a Denial of Service vulnerability
identified and reported by Robert Howard <rihoward rawbw.com> that
where device names faulted the running OS2 worker process.
The fix is actually in APR 0.9.4. [Brian Havard]
*) Forward port: Escape special characters (especially control
characters) in mod_log_config to make a clear distinction between
client-supplied strings (with special characters) and server-side
strings. This was already introduced in version 1.3.25.
[André Malo]
*) mod_deflate: Check also err_headers_out for an already set
Content-Encoding: gzip header. This prevents gzip compressed content
from a CGI script from being compressed once more. PR 17797.
[André Malo]
Changes with Apache 2.0.45
*) Fix possible segfaults under obscure error conditions within the
cgid daemon. [Jeff Trawick, William Rowe]
*) SECURITY [CAN-2003-0132]: Close a Denial of Service vulnerability
identified by David Endler <DEndler iDefense.com> on all platforms.
An unlimited stream of newlines were acceptable between requests
where each <lf> would allocate an 80 byte buffer, leading very
quickly to memory exahustion. [Brian Pane]
*) Added an rpm build script.
[Graham Leggett, Joe Orton <jorton redhat.com>]
*) Simpler, faster code path for request header scanning [Brian Pane]
*) SECURITY: Eliminated leaks of several file descriptors to child
processes, such as CGI scripts. This fix depends on the APR library
release 0.9.2 or later (0.9.3 was distributed with the httpd
source tarball for Apache 2.0.45.) PR 17206
[Christian Kratzer <ck cksoft.de>, Bjoern A. Zeeb <bz zabbadoz.net>]
*) Fix path handling of mod_rewrite, especially on non-unix systems.
There was some confusion between local paths and URL paths.
PR 12902. [André Malo]
*) Prevent endless loops of internal redirects in mod_rewrite by
aborting after exceeding a limit of internal redirects. The
limit defaults to 10 and can be changed using the RewriteOptions
directive. PR 17462. [André Malo]
*) Win32: Avoid busy wait (consuming all the CPU idle cycles) when
all worker threads are busy.
[Igor Nazarenko <igor_nazarenko hotmail.com>]
*) Keep the subrequest filter in place when a subrequest is
redirected. PR 15423. [Jeff Trawick]
*) you can now specify the compression level for mod_deflate.
[Ian Holsman, Stephen Pierzchala <stephen pierzchala.com>,
Michael Schroepl <Michael.Schroepl telekurs.de>]
*) mod_deflate: Extend the DeflateFilterNote directive to
allow accurate logging of the filter's in- and outstream.
[André Malo]
*) Allow SSLMutex to select/use the full range of APR locking
mechanisms available to it. Also, fix the bug that SSLMutex uses
APR_LOCK_DEFAULT no matter what. PR 8122 [Jim Jagielski,
Martin Kutschker <martin.t.kutschker blackbox.net>]
*) Restore the ability of htdigest.exe to create files that contain
more than one user. PR 12910. [André Malo]
*) Improve binary compatibility of the core between debug (aka
maintainer-mode) and a non-debug compile.
[Sander Striker]
*) mod_usertrack: don't set the cookie in subrequests. This works
around the problem that cookies were set twice during fast internal
redirects. PR 13211. [André Malo]
*) mod_autoindex no longer forgets output format and enabled version
sort in linked column headers. [André Malo]
*) Use .sv instead of .se as extension for Swedish documents in the
default configuration. PR 12877. [André Malo]
*) Updated mod_ldap and mod_auth_ldap to support the Novell LDAP SDK SSL
and standardized the LDAP SSL support across the various LDAP SDKs.
Isolated the SSL functionality to mod_ldap rather than speading it
across mod_auth_ldap and mod_ldap. Also added LDAPTrustedCA
and LDAPTrustedCAType directives to mod_ldap to allow for a more
common method of specifying the SSL certificate.
[Dave Ward, Brad Nicholes]
*) Fixed mod_ssl's SSLCertificateChain initialization to no longer
skip the first cert of the chain by default. This misbehavior
was introduced in 2.0.34. PR 14560 [Madhusudan Mathihalli]
*) mod_cgi, mod_cgid, mod_ext_filter: Log errors when scripts cannot
be started on Unix because of such problems as bad permissions,
bad shebang line, etc. [Jeff Trawick]
*) Fix 64-bit problem in mod_ssl input logic.
[Madhusudan Mathihalli <madhusudan_mathihalli hp.com>]
*) Fix potential memory leaks in mod_deflate on malformed data. PR 16046.
[Justin Erenkrantz]
*) Rewrite ap_xml_parse_input to use bucket brigades. PR 16134.
[Justin Erenkrantz]
*) Fix segfault which occurred when a section in an included
configuration file was not closed. PR 17093. [André Malo]
*) Enhance the behavior of mod_isapi's WriteClient() callback to
provide better emulation for isapi modules that presume that the
first WriteClient() call may send status and headers. An example
of WriteClient() abuse is the foxisapi module, which relies on
that assumpion and now works. [William Rowe, Milan Kosina]
*) Check the return value of ap_run_pre_connection(). So if the
pre_connection phase fails (without setting c->aborted)
ap_run_process_connection is not executed. [Stas Bekman]
*) Fixed a problem with mod_ldap which caused it to fault when caching
was disabled. Needed to make sure that the code did not
attempt to use the cache if it didn't exist. Also fixed some memory
leaks which were due to not releasing LDAP resources on error
conditions. [Brad Nicholes]
*) Hook mod_proxy's fixup before mod_rewrite's fixup, so that by
mod_rewrite proxied URLs will not be escaped accidentally by
mod_proxy's fixup. PR 16368 [André Malo]
*) While processing filters on internal redirects, remember seen EOS
buckets also in the request structure of the redirect issuer(s). This
prevents filters (such as mod_deflate) from adding garbage to the
response. PR 14451. [André Malo]
*) suexec: Be more pedantic when cleaning environment. Clean it
immediately after startup. PR 2790, 10449.
[Jeff Stewart <jws purdue.edu>, André Malo]
*) Fix apxs to insert LoadModule directives only outside of sections.
PR 8712, 9012. [André Malo]
*) Fix suexec compile error under SUNOS4, where strerror() doesn't
exist. PR 5913, 9977.
[Jonathan W Miner <Jonathan.W.Miner lmco.com>]
*) Fix If header parsing when a non-mod_dav lock token is passed to it.
PR 16452. [Justin Erenkrantz]
*) mod_auth_digest no longer tries to guess AuthDigestDomain, if it's
not specified. Now it assumes "/" as already documented. PR 16937.
[André Malo]
*) Try to log an error if a piped log program fails. Try to
restart a piped log program in more failure situations. Fix an
existing problem with error handling in piped_log_spawn(). Use
new APR apr_proc_create() features to prevent Apache from starting
on Unix* in most cases where a piped log program can be started,
and add log messages for the other situations. *Other platforms
already failed Apache initialization if a piped log program
couldn't be started. PR 15761 [Jeff Trawick]
*) Fix mod_cern_meta to not create empty metafiles when the
metafile searched for does not exist. PR 12353
[Owen Rees <owen_rees hp.com>]
*) Introduce debugging symbols for Win32 release builds, both .pdb
and .dbg files (older debuggers and Dr. Watson-type utilities
on WinNT or Win9x don't support the newer .pdb flavor.)
[Allen Edwards, William Rowe]
*) Fix bug where 'Satisfy Any' without an AuthType lost all MIME
information (and more). Related to PR 9076. [André Malo]
*) mod_file_cache: fix segfault serving mmaped cached files.
[Bill Stoddard]
*) mod_file_cache: fixed a segfault when multiple MMapFile directives
were used. PR 16313. [Cliff Woolley]
*) Fix a nasty segfault in mmap_bucket_setaside() caused by passing
an incompatible pointer type to mmap_bucket_destroy(void*).
[Gerard Eviston <geviston bigpond.net.au>]
*) Enable the -n name parameter on NetWare to allow the
administrator to rename the Apache console screen
[Brad Nicholes]
*) Fixed piped access logs on Win32 by disabling OTHER_CHILD
support by default in APR. More development is required
to deploy OTHER_CHILD on Win32. [William Rowe]
*) Use saner default config values for suexec. PR 15713.
[Thom May <thom planetarytramp.net>]
*) mod_rewrite: Allow "RewriteEngine Off" even if no "Options FollowSymlinks"
(or SymlinksIfOwnermatch) is set. PR 12395. [André Malo]
*) apxs: Include any special APR ld flags when linking the DSO.
This resolves problems on AIX when building a DSO with apxs+gcc.
[Jeff Trawick]
*) Added character set support to mod_auth_LDAP to allow it to
convert extended characters used in the user ID to UTF-8
before authenticating against the LDAP directory. The new
directive AuthLDAPCharsetConfig is used to specify the config
file that contains the character set conversion table.
[Brad Nicholes]
*) Don't remove the Content-Length from responses in mod_proxy
PR: 8677 [Brian Pane]
*) Ensure LDAP version is set to v3 on every bind. PR 14235.
[Sergey A. Lipnevich <sergeyli pisem.net>]
*) Fix mod_ldap to open an existing shared memory file should one
already exist. PR 12757. [Scooter Morris <scooter gene.com>,
Graham Leggett]
*) Fix the ulimit command used by apachectl on Tru64. PR 13609.
[Joseph Senulis <Joseph.Senulis dnr.state.wi.us>, Jeff Trawick]
*) Change the ulimit command used by apachectl on AIX so that it
works in all locales. [Jeff Trawick]
*) mod_ext_filter: Fix a problem building argument lists which
occasionally caused exec to fail. PR 15491. [Jeff Trawick]
Changes with Apache 2.0.44
*) mod_autoindex: Bring forward the IndexOptions IgnoreCase option
from Apache 1.3. PR 14276
[David Shane Holden <dpejesh yahoo.com>, William Rowe]
*) mod_mime: Workaround to prevent a segfault if r->filename=NULL
[Brian Pane]
*) Reorder the definitions for mod_ldap and mod_auth_ldap within
config.m4 to make sure the parent mod_ldap is defined first.
This ensures that mod_ldap comes before mod_auth_ldap in the
httpd.conf file, which is necessary for mod_auth_ldap to load.
PR 14256 [Graham Leggett]
*) Fix the building of cgi command lines when the query string
contains '='. PR 13914 [Ville Skyttä <ville.skytta iki.fi>,
Jeff Trawick]
*) Rename CacheMaxStreamingBuffer to MCacheMaxStreamingBuffer. Move
implementation of MCacheMaxStreamingBuffer from mod_cache to
mod_mem_cache. MCacheMaxStreamingBuffer now defaults to the
lesser of 100,000 bytes or MCacheMaxCacheObjectSize. This should
eliminate the need for explicitly coding MCacheMaxStreamingBuffer
in most configurations. [Bill Stoddard]
*) mod_cache: Fix PR 15113, a core dump in cache_in_filter when
a redirect occurs. The code was passing a format string and
integer to apr_pstrcat. Changed to apr_psprintf.
[Paul J. Reder]
*) Replace APU_HAS_LDAPSSL_CLIENT_INIT with APU_HAS_LDAP_NETSCAPE_SSL
as set by apr-util in util_ldap.c. This should allow mod_ldap
to work with the Netscape/Mozilla LDAP library. [Øyvin Sømme
<somme oslo.westerngeco.slb.com>, Graham Leggett]
*) Fix critical bug in new --enable-v4-mapped configure option
implementation which broke IPv4 listening sockets on some
systems. [hiroyuki hanai <hanai imgsrc.co.jp>]
*) mod_setenvif: Fix BrowserMatchNoCase support for non-regex
patterns [André Malo <nd perlig.de>]
*) Add version string to provider API. [Justin Erenkrantz]
*) build: './configure && make' now works without an in-tree
apr and apr-util. [Wilfredo Sanchez]
*) mod_negotiation: Set the appropriate mime response headers
(Content-Type, charset, Content-Language and Content-Encoding)
for negotated type-map "Body:" responses (such as the error
pages.) [André Malo <nd perlig.de>]
*) mod_log_config: Allow '%%' escaping in CustomLog format
strings to insert a literal, single '%'.
[André Malo <nd perlig.de>]
*) mod_autoindex: AddDescription directives for directories
now work as in Apache 1.3, where no trailing '/' is
specified on the directory name. Previously, the trailing
'/' *had* to be specified, which was incompatible with
Apache 1.3. PR 7990 [Jeff Trawick]
*) Fix for PR 14556. The expiry calculations in mod_cache were
trying to perform "now + ((date - lastmod) * factor)" where
date == lastmod resulting in "now + 0". The code now follows
the else path (using the default expiration) if date is
equal to lastmod. [Sergey <rx armstrike.com>, Paul J. Reder]
*) Use AP_DECLARE in the debug versions of ap_strXXX in case the
default calling convention is not the same as the one used by
AP_DECLARE. [Juan Rivera <Juan.Rivera citrix.com>]
*) mod_cache: Don't cache response header fields designated
as hop-by-hop headers in HTTP/1.1 (RFC 2616 Section 13.5.1).
[Estrade Matthieu <estrade-m ifrance.com>, Brian Pane]
*) mod_cgid: Handle environment variables containing newlines.
PR 14550 [Piotr Czejkowski <apache czarny.eu.org>, Jeff
Trawick]
*) Move mod_ext_filter out of experimental and into filters.
[Jeff Trawick]
*) Fixed a memory leak in mod_deflate with dynamic content.
PR 14321 [Ken Franken <kfranken decisionmark.com>]
*) Add --[enable|disable]-v4-mapped configure option to control
whether or not Apache expects to handle IPv4 connections
on IPv6 listening sockets. Either setting will work on
systems with the IPV6_V6ONLY socket option. --enable-v4-mapped
must be used on systems that always allow IPv4 connections on
IPv6 listening sockets. PR 14037 (Bugzilla), PR 7492 (Gnats)
[Jeff Trawick]
*) This fixes a problem where the underlying cache code
indicated that there was one more element on the cache
than there actually was. This happened since element 0
exists but is not used. This code allocates the correct
number of useable elements and reports the number of
actually used elements. The previous code only allowed
MCacheMaxObjectCount-1 objects to be stored in the
cache. [Paul J. Reder]
*) mod_setenvif: Add SERVER_ADDR special keyword to allow
envariable setting according to the server IP address
which received the request. [Ken Coar]
*) mod_cgid: Terminate CGI scripts when the client connection
drops. PR 8388 [Jeff Trawick]
*) Rearrange OpenSSL engine initialization to support RAND
redirection on crypto accelerator.
[Frederic DONNAT <frederic.donnat zencod.com>]
*) Always emit Vary header if mod_deflate is involved in the
request. [Andre Malo <nd perlig.de>]
*) mod_isapi: Stop unsetting the 'empty' query string result with
a NULL argument in ecb->lpszQueryString, eliminating segfaults
for some ISAPI modules. PR 14399
[Detlev Vendt <detlev.vendt brillit.de>]
*) mod_isapi: Fix an issue where the HSE_REQ_DONE_WITH_SESSION
notification is received before the HttpExtensionProc() returns
HSE_STATUS_PENDING. This only affected isapi .dll's configured
with the ISAPIFakeAsync on directive. PR 11918
[John DeSetto <jdesetto radiantsystems.com>, William Rowe]
*) mod_isapi: Fix the issue where all results from mod_isapi would
run through the core die handler resulting in invalid responses
or access log entries. PR 10216 [William Rowe]
*) Improves the user friendliness of the CacheRoot processing
over my last pass. This version avoids the pool allocations
but doesn't avoid all of the runtime checks. It no longer
terminates during post-config processing. An error is logged
once per worker, indicating that the CacheRoot needs to be set.
[Paul J. Reder]
*) Fix a bug where we keep files open until the end of a
keepalive connection, which can result in:
(24)Too many open files: file permissions deny server access
especially on threaded servers. [Greg Ames, Jeff Trawick]