07.08.2013 Views

André Malo - Parent Directory

André Malo - Parent Directory

André Malo - Parent Directory

SHOW MORE
SHOW LESS

You also want an ePaper? Increase the reach of your titles

YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.

Changes with Apache 2.0.52

*) Use HTML 2.0 for error pages. PR 30732 [André Malo]

*) Fix the global mutex crash when the global mutex is never allocated

due to disabled/empty caches. [Jess Holle ]

*) Fix a segfault in the LDAP cache when it is configured switched

off. [Jess Holle ]

*) SECURITY: CAN-2004-0811 (cve.mitre.org)

Fix merging of the Satisfy directive, which was applied to

the surrounding context and could allow access despite configured

authentication. PR 31315. [Rici Lake ]

*) Fix the handling of URIs containing %2F when AllowEncodedSlashes

is enabled. Previously, such urls would still be rejected.

[Jeff Trawick, Bill Stoddard]

*) mod_mem_cache: Fixed race condition causing segfault because of memory being

freed twice, or reused after being freed.

[J. Clar, W. Stoddard, G. Ames]

*) Add -l option to rotatelogs to let it use local time rather than

UTC. PR 24417. [Ken Coar, Uli Zappe ]

*) mod_log_config: Fix a bug which prevented request completion time

from being logged for I_INSIST_ON_EXTRA_CYCLES_FOR_CLF_COMPLIANCE

processing. PR 29696. [Alois Treindl ]

Changes with Apache 2.0.51

*) SECURITY: CAN-2004-0786 (cve.mitre.org)

Fix an input validation issue in apr-util which could be

triggered by malformed IPv6 literal addresses. [Joe Orton]

*) SECURITY: CAN-2004-0747 (cve.mitre.org)

Fix buffer overflow in expansion of environment variables in

configuration file parsing. [André Malo]

*) SECURITY: CAN-2004-0809 (cve.mitre.org)

mod_dav_fs: Fix a segfault in the handling of an indirect lock

refresh. PR 31183. [Joe Orton]

*) mod_include no longer checks for recursion, because that’s done

in the core. This allows for careful usage of recursive SSI.

[André Malo]

*) Fix memory leak in the cache handling of mod_rewrite. PR 27862.

[chunyan sheng , André Malo]

*) Include directives no longer refuse to process symlinks on

directories. Instead there’s now a maximum nesting level

of included directories (128 as distributed). This is configurable

at compile time using the -DAP_MAX_INCLUDE_DIR_DEPTH switch.

PR 28492. [André Malo]

*) Win32: apache -k start|restart|install|config can leave stranded

piped logger processes (eg, rotatelogs.exe) due to improper

server shutdown on these code paths.


[Bill Stoddard]

*) SECURITY: CAN-2004-0751 (cve.mitre.org)

mod_ssl: Fix a segfault in the SSL input filter which could be

triggered if using "speculative" mode, for instance by a

proxy request to an SSL server. PR 30134. [Joe Orton]

*) mod_rewrite: Add %{SSL:...} and %{HTTPS} variable lookups.

PR 30464. [Joe Orton, Madhusudan Mathihalli]

*) mod_ssl: Add new ’ssl_is_https’ optional function. [Joe Orton]

*) Prevent CGI script output which includes a Content-Range header

from being passed through the byterange filter. [Joe Orton]

*) Satisfy directives now can be influenced by a surrounding

container. PR 14726. [André Malo]

*) mod_rewrite now officially supports RewriteRules in sections.

PR 27985. [André Malo]

*) mod_disk_cache: Implement binary format for on-disk header files.

[Brian Akins , Justin Erenkrantz]

*) mod_disk_cache: Optimize network performance of disk cache subsystem by

allowing zero-copy (sendfile) writes and other miscellaneous fixes.

[Justin Erenkrantz]

*) mod_cache, mod_disk_cache, mod_mem_cache: Refactor cache modules, and

switch to the provider API instead of hooks. [Justin Erenkrantz]

*) mod_autoindex: Don’t truncate the directory listing if a stat()

call fails (for instance on a >2Gb file). PR 17357.

[Joe Orton]

*) Makefile fix: httpd is linked against LIBS given to the

’make’ invocation. PR 7882. [Joe Orton]

*) WinNT MPM: Fix a broken log message at termination. PR 28063.

[Eider Oliveira ]

*) Prevent Win32 pool corruption at startup [Allan Edwards]

*) mod_ssl: Add "SSLUserName" directive to set r->user based on a

chosen SSL environment variable. PR 20957.

[Martin v. Loewis ]

*) suexec: Pass the SERVER_SIGNATURE envvar through to CGIs.

[Zvi Har’El ]

*) apachectl: Fix a problem finding envvars if sbindir != bindir.

PR 30723. [Friedrich Haubensak ]

*) mod_ssl: Build on RHEL 3. PR 18989. [Justin Erenkrantz]

*) SECURITY: CAN-2004-0748 (cve.mitre.org)

mod_ssl: Fix a potential infinite loop. PR 29964. [Joe Orton]

*) mod_ssl: Avoid startup failure after unclean shutdown if using shmcb.

PR 18989. [Joe Orton]


*) mod_userdir: Ensure that the userdir identity is used for

suexec userdir access in a virtual host which has suexec configured.

PR 18156. [Joshua Slive]

*) mod_rewrite no longer confuses the RewriteMap caches if

different maps defined in different virtual hosts use the

same map name. PR 26462. [André Malo]

*) mod_setenvif: Remove "support" for Remote_User variable which

never worked at all. PR 25725. [André Malo]

*) Backport from 2.1 / Regression from 1.3: mod_headers now knows

again the functionality of the ErrorHeader directive. But instead

using this misnomer additional flags to the Header directive were

introduced ("always" and "onsuccess", defaulting to the latter).

PR 28657. [André Malo]

*) Use the higher performing ’httpready’ Accept Filter on all platforms

except FreeBSD < 4.1.1. [Paul Querna]

*) mod_usertrack: Escape the cookie name before pasting into the

regexp. [André Malo]

*) Extend the SetEnvIf directive to capture subexpressions of the

matched value. [André Malo]

*) Recursive Include directives no longer crash. The server stops

including configuration files after a certain nesting level (128

as distributed). This is configurable at compile time using the

-DAP_MAX_INCLUDE_DEPTH switch. PR 28370. [André Malo]

*) mod_dir: the trailing-slash behaviour is now configurable using the

DirectorySlash directive. [André Malo]

*) Allow proxying of resources that are invoked via DirectoryIndex.

PR 14648, 15112, 29961. [André Malo]

*) util_ldap: Switched the lock types on the shared memory cache

from thread reader/writer locks to global mutexes in order to

provide cross process cache protection. [Brad Nicholes]

*) util_ldap: Reworked the cache locking scheme to eliminate duplicate

cache entries in the credentials cache due to race conditions.

[Brad Nicholes]

*) util_ldap: Enhanced the util_ldap cache-info display to show more

detail about the contents and current state of the cache.

[Brad Nicholes]

*) Enable the option to support anonymous shared memory in mod_ldap.

This makes the cache work on Linux again. [Graham Leggett]

*) Enable special ErrorDocument value ’default’ which restores the

canned server response for the scope of the directive.

[Geoffrey Young, André Malo]

*) work around MSIE Digest auth bug - if AuthDigestEnableQueryStringHack

is set in r->subprocess_env allow mismatched query strings to pass.

PR 27758. [Paul Querna, Geoffrey Young]


*) Accept URLs for the ServerAdmin directive. If the supplied

argument is not recognized as an URL, assume it’s a mail address.

PR 28174. [André Malo, Paul Querna]

*) initialize server arrays prior to calling ap_setup_prelinked_modules

so that static modules can push Defines values when registering

hooks just like DSO modules can ["Philippe M. Chiasson" ]

*) Small fix to allow reverse proxying to an ftp server. Previously

an attempt to do this would try and connect to 0.0.0.0, regardless

of the server specified. PR 24922

[Pascal Terjan ]

*) Add the NOTICE file to the rpm spec file in compliance with the

Apache v2.0 license. [Graham Leggett]

*) RPM spec file changes: changed default dependancy to link to db4

instead of db3. Fixed complaints about unpackaged files.

[Graham Leggett]

Changes with Apache 2.0.50

*) SECURITY: CAN-2004-0493 (cve.mitre.org)

Close a denial of service vulnerability identified by Georgi

Guninski which could lead to memory exhaustion with certain

input data. [Jeff Trawick]

*) mod_cgi: Handle output on stderr during script execution on Unix

platforms; preventing deadlock when stderr output fills pipe buffer.

Also fixes case where stderr from nph- scripts could be lost.

PR 22030, 18348. [Joe Orton, Jeff Trawick]

*) mod_alias now emits a warning if it detects overlapping *Alias*

directives. [André Malo]

*) mod_rewrite no longer turns forward proxy requests into reverse proxy

requests. PR 28125 [ast domdv.de, André Malo]

*) ap_set_sub_req_protocol and ap_finalize_sub_req_protocol are now

exported on Win32 and Netware as well (minor MMN bump). PR 28523.

[Edward Rudd , André Malo]

*) Restore the ability to disable the use of AcceptEx on Win9x systems

automatically (broken in 2.0.49). PR 28529. [André Malo]

*) now applies to all IP addresses for myhost

instead of just the first one reported by the resolver. This

corrects a regression since 1.3. [Jeff Trawick]

*) util_ldap: allow relative paths for LDAPTrustedCA to be resolved

against ServerRoot PR#26602 [Brad Nicholes]

*) SECURITY: CAN-2004-0488 (cve.mitre.org)

mod_ssl: Fix a buffer overflow in the FakeBasicAuth code for a

(trusted) client certificate subject DN which exceeds 6K in length.

[Joe Orton]

*) mod_dav_fs: Fix MKCOL response for missing parent collections, which

caused issues for the Eclipse WebDAV extension.


PR 29034. [Joe Orton]

*) mod_deflate: Fix memory consumption (which was proportional to the

response size). PR 29318. [Joe Orton]

*) mod_ssl: Log the errors returned on failure to load or initialize

a crypto accelerator engine. [Joe Orton]

*) Allow RequestHeader directives to be conditional. PR 27951.

[Vincent Deffontaines , André Malo]

*) Allow LimitRequestBody to be reset to unlimited. PR 29106

[André Malo]

*) Fix a bunch of cases where the return code of the regex compiler

was not checked properly. This affects: mod_setenvif, mod_usertrack,

mod_proxy, mod_proxy_ftp and core. PR 28218. [André Malo]

*) mod_ssl: Fix a potential segfault in the ’shmcb’ session cache for

small cache sizes. PR 27751. [Geoff Thorpe ]

*) Remove 2Gb log file size restriction on some 32-bit platforms.

PR 13511. [Joe Orton]

*) mod_logio no longer removes the EOS bucket. PR 27928.

[Bojan Smojver ]

*) htpasswd no longer refuses to process files that contain empty

lines. [André Malo]

*) Regression from 1.3: At startup, suexec now will be checked for

availability, the setuid bit and user root. The works only if

httpd is compiled with the shipped APR version (0.9.5).

PR 28287. [André Malo]

*) Unix MPMs: Stop dropping connections when the file descriptor

is at least FD_SETSIZE. [Jeff Trawick]

*) Fix handling of IPv6 numeric strings in mod_proxy. [Jeff Trawick]

*) mod_isapi: send_response_header() failed to copy status string’s

last character. PR 20619. [Jesse Pelton ]

*) Fix a segfault when requests for shared memory fails and returns

NULL. Fix a segfault caused by a lack of bounds checking on the

cache. PR 24801. [Graham Leggett]

*) Throw an error message if an attempt is made to use the LDAPTrustedCA

or LDAPTrustedCAType directives in a VirtualHost. PR 26390

[Brad Nicholes]

*) Fix a potential segfault if the bind password in the LDAP cache

is NULL. PR 28250. [Jari Ahonen ]

*) Quotes cannot be used around require group and require dn

directives, update the documentation to reflect this. Also add

quotes around the dn and group within debug messages, to make it

more obvious why authentication is failing if quotes are used in

error. PR 19304. [Graham Leggett]


*) The Microsoft LDAP SDK escapes filters for us, stop util_ldap

from escaping filters twice when the backslash character is used.

PR 24437. [Jess Holle ]

*) Overhaul handling of LDAP error conditions, so that the util_ldap_*

functions leave the connections in a sane state after errors have

occurred. PR 27748, 17274, 17599, 18661, 21787, 24595, 24683, 27134,

27271 [Graham Leggett]

*) mod_ldap calls ldap_simple_bind_s() to validate the user

credentials. If the bind fails, the connection is left

in an unbound state. Make sure that the ldap connection

record is updated to show that the connection is no longer

bound. [Brad Nicholes]

*) Ensure that lines in the request which are too long are

properly terminated before logging.

[Tsurutani Naoki ]

*) Update the bind credentials for the cached LDAP connection to

reflect the last bind. This prevents util_ldap from creating

unnecessary connections rather than reusing cached connections.

[Brad Nicholes]

*) mod_isapi: GetServerVariable returned improperly terminated header

fields given "ALL_HTTP" or "ALL_RAW". PR 20656.

[Jesse Pelton ]

*) mod_isapi: GetServerVariable("ALL_RAW") returned the wrong buffer

size. PR 20617. [Jesse Pelton ]

*) mod_dav: Fix a problem that could cause crashes when manipulating

locks on some platforms. [Jeff Trawick]

*) mod_headers no longer crashes if an empty header value should

be added. [André Malo]

*) Fix segfault in mod_expires, which occured under certain

circumstances. PR 28047. [André Malo]

*) htpasswd: use apr_temp_dir_get() and general cleanup

[Guenter Knauf , Thom May]

*) mod_ssl: Fix memory leak in session cache handling. PR 26562

[Madhusudan Mathihalli]

*) mod_ssl: Fix potential segfaults when performing SSL shutdown from

a pool cleanup. PR 27945. [Joe Orton]

*) Add forensic logging module (mod_log_forensic).

[Ben Laurie]

*) logresolve: Allow size of log line buffer to be overridden at

build time (MAXLINE). PR 27793. [Jeff Trawick]

*) Fix the comment delimiter in htdbm so that it correctly parses the

username comment. Also add a terminate function to allow NetWare

to pause the output before the screen is destroyed.

[Guenter Knauf , Brad Nicholes]


*) Fix crash when Apache was started with no Listen directives.

[Michael Corcoran ]

*) core_output_filter: Fix bug that could result in sending

garbage over the network when module handlers construct

bucket brigades containing multiple file buckets all referencing

the same open file descriptor. [Bojan Smojver]

*) Fix memory corruption problem with ap_custom_response() function.

The core per-dir config would later point to request pool data

that would be reused for different purposes on different requests.

[Jeff Trawick, based on an old 1.3 patch submitted by Will Lowe]

*) Win32: Tweak worker thread accounting routines to eliminate

server hang when number of Listen directives in httpd.conf

is greater than or equal to the setting of ThreadsPerChild.

[Bill Stoddard]

Changes with Apache 2.0.49

*) SECURITY: CAN-2004-0174 (cve.mitre.org)

Fix starvation issue on listening sockets where a short-lived

connection on a rarely-accessed listening socket will cause a

child to hold the accept mutex and block out new connections until

another connection arrives on that rarely-accessed listening socket.

With Apache 2.x there is no performance concern about enabling the

logic for platforms which don’t need it, so it is enabled everywhere

except for Win32. [Jeff Trawick]

*) mod_cgid: Fix storage corruption caused by use of incorrect pool.

[Jeff Trawick]

*) Win32: find_read_listeners was not correctly handling multiple

listeners on the Win32DisableAcceptEx path. [Bill Stoddard]

*) Fix bug in mod_usertrack when no CookieName is set. PR 24483.

[Manni Wood ]

*) Fix some piped log problems: bogus "piped log program ’(null)’

failed" messages during restart and problem with the logger

respawning again after Apache is stopped. PR 21648, PR 24805.

[Jeff Trawick]

*) Fixed file extensions for real media files and removed rpm extension

from mime.types. PR 26079. [Allan Sandfeld ]

*) Remove compile-time length limit on request strings. Length is

now enforced solely with the LimitRequestLine config directive.

[Paul J. Reder]

*) mod_ssl: Send the Close Alert message to the peer before closing

the SSL session. PR 27428. [Madhusudan Mathihalli, Joe Orton]

*) SECURITY: CVE-2004-0113 (cve.mitre.org)

mod_ssl: Fix a memory leak in plain-HTTP-on-SSL-port handling.

PR 27106. [Joe Orton]

*) mod_ssl: Fix bug in passphrase handling which could cause spurious

failures in SSL functions later. PR 21160. [Joe Orton]


*) mod_log_config: Fix corruption of buffered logs with threaded

MPMs. PR 25520. [Jeff Trawick]

*) Fix mod_include’s expression parser to recognize strings correctly

even if they start with an escaped token. [André Malo]

*) Add fatal exception hook for use by diagnostic modules. The hook

is only available if the --enable-exception-hook configure parm

is used and the EnableExceptionHook directive has been set to

"on". [Jeff Trawick]

*) Allow mod_auth_digest to work with sub-requests with different

methods than the original request. PR 25040.

[Josh Dady ]

*) fix "Expected > but saw " errors in nested,

argumentless containers.

["Philippe M. Chiasson" ]

*) mod_auth_ldap: Fix some segfaults in the cache logic. PR 18756.

[Matthieu Estrade , Brad Nicholes]

*) mod_cgid: Restart the cgid daemon if it crashes. PR 19849

[Glenn Nielsen ]

*) The whole codebase was relicensed and is now available under

the Apache License, Version 2.0 (http://www.apache.org/licenses).

[Apache Software Foundation]

*) Fixed cache-removal order in mod_mem_cache.

[Jean-Jacques Clar, Cliff Woolley]

*) mod_setenvif: Fix the regex optimizer, which under circumstances

treated the supplied regex as literal string. PR 24219.

[André Malo]

*) ap_mpm.h: Fix include guard of ap_mpm.h to reference mpm

instead of mmn. [André Malo]

*) mod_rewrite: Catch an edge case, where strange subsequent RewriteRules

could lead to a 400 (Bad Request) response. [André Malo]

*) Keep focus of ITERATE and ITERATE2 on the current module when

the module chooses to return DECLINE_CMD for the directive.

PR 22299. [Geoffrey Young ]

*) Add support for IMT minor-type wildcards (e.g., text/*) to

ExpiresByType. PR#7991 [Ken Coar]

*) Fix segfault in mod_mem_cache cache_insert() due to cache size

becoming negative. PR: 21285, 21287

[Bill Stoddard, Massimo Torquati, Jean-Jacques Clar]

*) core.c: If large file support is enabled, allow any file that is

greater than AP_MAX_SENDFILE to be split into multiple buckets.

This allows Apache to send files that are greater than 2gig.

Otherwise we run into 32/64 bit type mismatches in the file size.

[Brad Nicholes]

*) proxy_http fix: mod_proxy hangs when both KeepAlive and


ProxyErrorOverride are enabled, and a non-200 response without a

body is generated by the backend server. (e.g.: a client makes a

request containing the "If-Modified-Since" and "If-None-Match"

headers, to which the backend server respond with status 304.)

[Graham Wiseman , Richard Reiner]

*) mod_dav: Reject requests which include an unescaped fragment in the

Request-URI. PR 21779. [Amit Athavale ]

*) Build array of allowed methods with proper dimensions, fixing

possible memory corruption. [Jeff Trawick]

*) mod_ssl: Fix potential segfault on lookup of SSL_SESSION_ID.

PR 15057. [Otmar Lendl ]

*) mod_ssl: Fix streaming output from an nph- CGI script. PR 21944

[Joe Orton]

*) mod_usertrack no longer inspects the Cookie2 header for

the cookie name. PR 11475. [Chris Darrochi ]

*) mod_usertrack no longer overwrites other cookies.

PR 26002. [Scott Moore ]

*) worker MPM: fix stack overlay bug that could cause the parent

process to crash. [Jeff Trawick]

*) Win32: Add Win32DisableAcceptEx directive. This Windows

NT/2000/CP directive is useful to work around bugs in some

third party layered service providers like virus scanners,

VPN and firewall products, that do not properly handle

WinSock 2 APIs. Use this directive if your server is issuing

AcceptEx failed messages.

[Allan Edwards, Bill Rowe, Bill Stoddard, Jeff Trawick]

*) Make REMOTE_PORT variable available in mod_rewrite.

PR 25772. [André Malo]

*) Fix a long delay with CGI requests and keepalive connections on

AIX. [Jeff Trawick]

*) mod_autoindex: Add ’XHTML’ option in order to allow switching between

HTML 3.2 and XHTML 1.0 output. PR 23747. [André Malo]

*) Add XHTML Document Type Definitions to httpd.h (minor MMN bump).

[André Malo]

*) mod_ssl: Advertise SSL library version as determined at run-time rather

than at compile-time. PR 23956. [Eric Seidel ]

*) mod_ssl: Fix segfault on a non-SSL request if the ’c’ log

format code is used. PR 22741. [Gary E. Miller ]

*) Fix build with parallel make. PR 24643. [Joe Orton]

*) mod_rewrite: In external rewrite maps lookup keys containing

a newline now cause a lookup failure. PR 14453.

[Cedric Gavage , André Malo]

*) Backport major overhaul of mod_include’s filter parser from 2.1.


The new parser code is expected to be more robust and should

catch all of the edge cases that were not handled by the previous one.

The 2.1 external API changes were hidden by a wrapper which is

expected to keep the API backwards compatible. [André Malo]

*) Add a hook (insert_error_filter) to allow filters to re-insert

themselves during processing of error responses. Enable mod_expires

to use the new hook to include Expires headers in valid error

responses. This addresses an RFC violation. It fixes PRs 19794,

24884, and 25123. [Paul J. Reder]

*) Add Polish translation of error messages. PR 25101.

[Tomasz Kepczynski ]

*) Add AP_MPMQ_MPM_STATE function code for ap_mpm_query. (Not yet

supported for BeOS or OS/2 MPMs.) [Jeff Trawick, Brad Nicholes,

Bill Stoddard]

*) Add mod_status hook to allow modules to add to the mod_status

report. [Joe Orton]

*) Fix htdbm to generate comment fields in DBM files correctly.

[Justin Erenkrantz]

*) mod_dav: Use bucket brigades when reading PUT data. This avoids

problems if the data stream is modified by an input filter. PR 22104.

[Tim Robbins , André Malo]

*) Fix RewriteBase directive to not add double slashes. [André Malo]

*) Improve ’configure --help’ output for some modules. [Astrid Keßler]

*) Correct UseCanonicalName Off to properly check incoming port number.

[Jim Jagielski]

*) Fix slow graceful restarts with prefork MPM. [Joe Orton]

*) Fix a problem with namespace mappings being dropped in mod_dav_fs;

if any property values were set which defined namespaces these

came out mangled in the PROPFIND response. PR 11637.

[Amit Athavale ]

*) mod_dav: Return a WWW-auth header for MOVE/COPY requests where

the destination resource gives a 401. PR 15571. [Joe Orton]

*) SECURITY: CVE-2003-0020 (cve.mitre.org)

Escape arbitrary data before writing into the errorlog. Unescaped

errorlogs are still possible using the compile time switch

"-DAP_UNSAFE_ERROR_LOG_UNESCAPED". [Geoffrey Young, André Malo]

*) mod_autoindex / core: Don’t fail to show filenames containing

special characters like ’%’. PR 13598. [André Malo]

*) mod_status: Report total CPU time accurately when using a threaded

MPM. PR 23795. [Jeff Trawick]

*) Fix memory leak in handling of request bodies during reverse

proxy operations. PR 24991. [Larry Toppi ]

*) Win32 MPM: Implement MaxMemFree to enable setting an upper


limit on the amount of storage used by the bucket brigades

in each server thread. [Bill Stoddard]

*) Modified the cache code to be header-location agnostic. Also

fixed a number of other cache code bugs related to PR 15852.

Includes a patch submitted by Sushma Rai .

This fixes mod_mem_cache but not mod_disk_cache yet so I’m not

closing the PR since that is what they are using. [Paul J. Reder]

*) complain via error_log when mod_include’s INCLUDES filter is

enabled, but the relevant Options flag allowing the filter to run

for the specific resource wasn’t set, so that the filter won’t

silently get skipped. next remove itself, so the warning will be

logged only once [Stas Bekman, Jeff Trawick, Bill Rowe]

*) mod_info: HTML escape configuration information so it displays

correctly. PR 24232. [Thom May]

*) Restore the ability to add a description for directories that

don’t contain an index file. (Broken in 2.0.48) [André Malo]

*) Fix a problem with the display of empty variables ("SetEnv foo") in

mod_include. PR 24734 [Markus Julen ]

*) mod_log_config: Log the minutes component of the timezone correctly.

PR 23642. [Hong-Gunn Chew ]

*) mod_proxy: Fix cases where an invalid status-line could be sent

to the client. PR 23998. [Joe Orton]

*) mod_ssl: Fix segfaults at startup if other modules which use OpenSSL

are also loaded. [Joe Orton]

*) mod_ssl: Use human-readable OpenSSL error strings in logs; use

thread-safe interface for retrieving error strings. [Joe Orton]

*) mod_expires: Initialize ExpiresDefault to NULL instead of "" to

avoid reporting an Internal Server error if it is used without

having been set in the httpd.conf file. PR: 23748, 24459

[Andre Malo, Liam Quinn ]

*) mod_autoindex: Don’t omit the start tag if the SuppressIcon

option is set. PR 21668. [Jesse Tie-Ten-Quee ]

*) mod_include no longer allows an ETag header on 304 responses.

PR 19355. [Geoffrey Young , André Malo]

*) EBCDIC: Convert header fields to ASCII before sending (broken

since 2.0.44). [Martin Kraemer]

*) Fix the inability to log errors like exec failure in

mod_ext_filter/mod_cgi script children. This was broken after

such children stopped inheriting the error log handle.

[Jeff Trawick]

*) Fix mod_info to use the real config file name, not the default

config file name. [Aryeh Katz ]

*) Set the scoreboard state to indicate logging prior to running

logging hooks so that server-status will show ’L’ for hung loggers


instead of ’W’. [Jeff Trawick]

Changes with Apache 2.0.48

*) SECURITY [CAN-2003-0789]: mod_cgid: Resolve some mishandling of

the AF_UNIX socket used to communicate with the cgid daemon and

the CGI script. [Jeff Trawick]

*) SECURITY [CAN-2003-0542]: Fix buffer overflows in mod_alias and

mod_rewrite which occurred if one configured a regular expression

with more than 9 captures. [André Malo]

*) mod_include: fix segfault which occured if the filename was not

set, for example, when processing some error conditions.

PR 23836. [Brian Akins , André Malo]

*) fix the config parser to support .. containers (no

arguments in the opening tag) supported by httpd 1.3. Without

this change mod_perl 2.0’s sections are broken.

["Philippe M. Chiasson" ]

*) mod_cgid: fix a hash table corruption problem which could

result in the wrong script being cleaned up at the end of a

request. [Jeff Trawick]

*) Update httpd-*.conf to be clearer in describing the connection

between AddType and AddEncoding for defining the meaning of

compressed file extensions. [Roy Fielding]

*) mod_rewrite: Don’t die silently when failing to open RewriteLogs.

PR 23416. [André Malo]

*) mod_rewrite: Fix mod_rewrite’s support of the [P] option to send

rewritten request using "proxy:". The code was adding multiple "proxy:"

fields in the rewritten URI. PR: 13946.

[Eider Oliveira ]

*) cache_util: Fix ap_check_cache_freshness to check max_age, smax_age, and

expires as directed in RFC 2616. [Thomas Castelle ]

*) Ensure that ssl-std.conf is generated at configure time, and switch

to using the expanded config variables to work the same as

httpd-std.conf PR: 19611

[Thom May]

*) mod_ssl: Fix segfaults after renegotiation failure. PR 21370

[Hartmut Keil ]

*) mod_autoindex: If a directory contains a file listed in the

DirectoryIndex directive, the folder icon is no longer replaced

by the icon of that file. PR 9587.

[David Shane Holden ]

*) Fixed mod_usertrack to not get false positive matches on the

user-tracking cookie’s name. PR 16661.

[Manni Wood ]

*) mod_cache: Fix the cache code so that responses can be cached

if they have an Expires header but no Etag or Last-Modified

headers. PR 23130.


[]

*) mod_log_config: Fix %b log format to write really "-" when 0 bytes

were sent (e.g. with 304 or 204 response codes). [Astrid Keßler]

*) Modify ap_get_client_block() to note if it has seen EOS.

[Justin Erenkrantz]

*) Fix a bug, where mod_deflate sometimes unconditionally compressed the

content if the Accept-Encoding header contained only other tokens than

"gzip" (such as "deflate"). PR 21523. [Joe Orton, André Malo]

*) Avoid an infinite recursion, which occured if the name of an included

config file or directory contained a wildcard character. PR 22194.

[André Malo]

*) mod_ssl: Fix a problem setting variables that represent the

client certificate chain. PR 21371 [Jeff Trawick]

*) Unix: Handle permissions settings for flock-based mutexes in

unixd_set_global|proc_mutex_perms(). Allow the functions to be

called for any type of mutex. PR 20312 [Jeff Trawick]

*) ab: Work over non-loopback on Unix again. PR 21495. [Jeff Trawick]

*) Fix a misleading message from the some of the threaded MPMs when

MaxClients has to be lowered due to the setting of ServerLimit.

[Jeff Trawick]

*) Lower the severity of the "listener thread didn’t exit" message

to debug, as it is of interest only to developers. PR 9011

[Jeff Trawick]

*) MPMs: The bucket brigades subsystem now honors the MaxMemFree setting.

[Cliff Woolley, Jean-Jacques Clar]

*) Install config.nice into the build/ directory to make

minor version upgrades easier. [Joshua Slive]

*) Fix mod_deflate so that it does not call deflate() without checking

first whether it has something to deflate. (Currently this causes

deflate to generate a fatal error according to the zlib spec.)

PR 22259. [Stas Bekman]

*) mod_ssl: Fix FakeBasicAuth for subrequest. Log an error when an

identity spoof is encountered.

[Sander Striker]

*) mod_rewrite: Ignore RewriteRules in .htaccess files if the directory

containing the .htaccess file is requested without a trailing slash.

PR 20195. [André Malo]

*) ab: Overlong credentials given via command line no longer clobber

the buffer. [André Malo]

*) mod_deflate: Don’t attempt to hold all of the response until we’re

done. [Justin Erenkrantz]

*) Assure that we block properly when reading input bodies with SSL.

PR 19242. [David Deaves , William Rowe]


*) Update mime.types to include latest IANA and W3C types. [Roy Fielding]

*) mod_ext_filter: Set additional environment variables for use by

the external filter. PR 20944. [Andrew Ho, Jeff Trawick]

*) Fix buildconf errors when libtool version changes. [Jeff Trawick]

*) Remember an authenticated user during internal redirects if the

redirection target is not access protected and pass it

to scripts using the REDIRECT_REMOTE_USER environment variable.

PR 10678, 11602. [André Malo]

*) mod_include: Fix a trio of bugs that would cause various unusual

sequences of parsed bytes to omit portions of the output stream.

PR 21095. [Ron Park , André Malo, Cliff Woolley]

*) Update the header token parsing code to allow LWS between the

token word and the ’:’ seperator. [PR 16520]

[Kris Verbeeck , Nicel KM ]

*) Eliminate creation of a temporary table in ap_get_mime_headers_core()

[Joe Schaefer ]

*) Added FreeBSD directory layout. PR 21100.

[Sander Holthaus , André Malo]

*) Fix NULL-pointer issue in ab when parsing an incomplete or non-HTTP

response. PR 21085. [Glenn Nielsen , André Malo]

*) mod_rewrite: Perform child initialization on the rewrite log lock.

This fixes a log corruption issue when flock-based serialization

is used (e.g., FreeBSD). [Jeff Trawick]

*) Don’t respect the Server header field as set by modules and CGIs.

As with 1.3, for proxy requests any such field is from the origin

server; otherwise it will have our server info as controlled by

the ServerTokens directive. [Jeff Trawick]

Changes with Apache 2.0.47

*) SECURITY [CAN-2003-0192]: Fixed a bug whereby certain sequences

of per-directory renegotiations and the SSLCipherSuite directive

being used to upgrade from a weak ciphersuite to a strong one

could result in the weak ciphersuite being used in place of the

strong one. [Ben Laurie]

*) SECURITY [CAN-2003-0253]: Fixed a bug in prefork MPM causing

temporary denial of service when accept() on a rarely accessed port

returns certain errors. Reported by Saheed Akhtar

. [Jeff Trawick]

*) SECURITY [CAN-2003-0254]: Fixed a bug in ftp proxy causing denial

of service when target host is IPv6 but proxy server can’t create

IPv6 socket. Fixed by the reporter. [Yoshioka Tsuneo

]

*) SECURITY [VU#379828] Prevent the server from crashing when entering

infinite loops. The new LimitInternalRecursion directive configures

limits of subsequent internal redirects and nested subrequests, after


which the request will be aborted. PR 19753 (and probably others).

[William Rowe, Jeff Trawick, André Malo]

*) core_output_filter: don’t split the brigade after a FLUSH bucket if

it’s the last bucket. This prevents creating unneccessary empty

brigades which may not be destroyed until the end of a keepalive

connection.

[Juan Rivera ]

*) Add support for "streamy" PROPFIND responses.

[Ben Collins-Sussman ]

*) mod_cgid: Eliminate a double-close of a socket. This resolves

various operational problems in a threaded MPM, since on the

second attempt to close the socket, the same descriptor was

often already in use by another thread for another purpose.

[Jeff Trawick]

*) mod_negotiation: Introduce "prefer-language" environment variable,

which allows to influence the negotiation process on request basis

to prefer a certain language. [André Malo]

*) Make mod_expires’ ExpiresByType work properly, including for

dynamically-generated documents. [Ken Coar, Bill Stoddard]

Changes with Apache 2.0.46

*) SECURITY [CAN-2003-0245]: Fixed a bug causing apr_pvsprintf() to crash

by sending an overly long string. This can be triggered remotely

through mod_dav, mod_ssl, and other mechanisms. Reported by David

Endler .

[Joe Orton ]

*) SECURITY [CAN-2003-0189]: Fixed a denial-of-service vulnerability

affecting basic authentication on Unix platforms related to

thread-safety in apr_password_validate(). The problem was reported

by John Hughes .

*) Fix for mod_dav. Call the ’can_be_activity’ callback, if provided,

when a MKACTIVITY request comes in.

[Ben Collins-Sussman ]

*) Perform run-time query in apxs for apr and apr-util’s includes.

[Justin Erenkrantz]

*) run libtool from the apr install directory (in case that is different

from the apache install directory) [Jeff Trawick]

*) configure.in: Play nice with libtool-1.5. [Wilfredo Sanchez]

*) If mod_mime_magic does not know the content-type, do not attempt to

guess. PR 16908. [Andrew Gapon ]

*) ssl session caching(shmht) : Fix a SEGV problem with SHMHT session

caching. PR 17864.

[Andreas Leimbacher , Madhusudan Mathihalli]

*) Add a delete flag to htpasswd.

[Thom May]


*) Fix mod_rewrite’s handling of absolute URIs. The escaping routines

now work scheme dependent and the query string will only be

appended if supported by the particular scheme. [André Malo]

*) Add another check for already compressed content in mod_deflate.

PR 19913. [Tsuyoshi SASAMOTO ]

*) Fixes for VPATH builds; copying special.mk and any future .mk files

from the source tree as well as the build tree (now creates a usable

configuration for apxs), and eliminated redundant -I’nclude paths.

[William Rowe]

*) Code fixes, constness corrections and ssl_toolkit_compat.h updates

for SSLC and OpenSSL toolkit compatibility. Still work remains to

be done to cripple features based on the limitations of RSA’s binary

distribution of their SSL-C toolkit.

[William Rowe, Madhusudan Mathihalli, Jeff Trawick]

*) Linux 2.4+: If Apache is started as root and you code

CoreDumpDirectory, coredumps are enabled via the prctl() syscall.

[Greg Ames]

*) ap_get_mime_headers_core: allocate space for the trailing null

when folding is in effect.

PR 18170 [Peter Mayne ]

*) Fix --enable-mods-shared=most and other variants. [Aaron Bannert]

*) mod_log_config: Add the ability to log the id of the thread

processing the request via new %P formats. [Jeff Trawick]

*) Use appropriate language codes for Czech (cs) and Traditional Chinese

(zh-tw) in default config files. PR 9427. [André Malo]

*) mod_auth_ldap: Use generic whitespace character class when parsing

"require" directives, instead of literal spaces only. PR 17135.

[André Malo]

*) Hook mod_rewrite’s type checker before mod_mime’s one. That way the

RewriteRule [T=...] Flag should work as expected now. PR 19626.

[André Malo]

*) htpasswd: Check the processed file on validity. If a line is not empty

and not a comment, it must contain at least one colon. Otherwise exit

with error code 7. [Kris Verbeeck , Thom May]

*) Fix a problem that caused httpd to be linked with incorrect flags

on some platforms when mod_so was enabled by default, breaking

DSOs on AIX. PR 19012 [Jeff Trawick]

*) By default, use the same CC and CPP with which APR was built.

The user can override with CC and CPP environment variables.

[Jeff Trawick]

*) Fix ap_construct_url() so that it surrounds IPv6 literal address

strings with []. This fixes certain types of redirection.

PR 19207. [Jeff Trawick]

*) forward port of buffer overflow fixes for htdigest. [Thom May]


*) Added AllowEncodedSlashes directive to permit control of whether

the server will accept encoded slashes (’%2f’) in the URI path.

Default condition is off (the historical behaviour). This permits

environments in which the path-info needs to contain encoded

slashes. PR 543, 2389, 3581, 3589, 5687, 7066, 7865, 14639. [Ken Coar]

*) When using Redirect in directory context, append requested query

string if there’s no one supplied by configuration. PR 10961.

[André Malo]

*) Unescape the supplied wildcard pattern in mod_autoindex. Otherwise

the pattern will not always match as desired. PR 12596.

[André Malo]

*) mod_autoindex now emits and accepts modern query string parameter

delimiters (;). Thus column headers no longer contain unescaped

ampersands. PR 10880 [André Malo]

*) Enable ap_sock_disable_nagle for Windows. This along with the

addition of APR_TCP_NODELAY_INHERITED to apr.hw will cause Nagle

to be disabled for Windows. [Allan Edwards]

*) Correct a mis-correlation between mpm_common.c and mpm_common.h;

This patch reverts us to pre-2.0.46 behavior, using the

ap_sock_disable_nagle noop macro, because ap_sock_disable_nagle

was never compiled on Win32. [Allan Edwards, William Rowe]

*) Fix a build problem with passing unsupported --enable-layout

args to apr and apr-util. This broke binbuild.sh as well as

user-specified layout parameters. PR 18649 [Justin Erenkrantz,

Jeff Trawick]

*) If a Date response header was already set in the headers array,

this value was ignored in favour of the current time. This meant

that Date headers on proxied requests where rewritten when they

should not have been. PR: 14376 [Graham Leggett]

*) Add code to buildconf that produces an httpd.spec file from

httpd.spec.in, using build/get-version.sh from APR.

[Graham Leggett]

*) Fixed a segfault when multiple ProxyBlock directives were used.

PR: 19023 [Sami Tikka ]

*) SECURITY [CAN-2003-0134] OS2: Fix a Denial of Service vulnerability

identified and reported by Robert Howard that

where device names faulted the running OS2 worker process.

The fix is actually in APR 0.9.4. [Brian Havard]

*) Forward port: Escape special characters (especially control

characters) in mod_log_config to make a clear distinction between

client-supplied strings (with special characters) and server-side

strings. This was already introduced in version 1.3.25.

[André Malo]

*) mod_deflate: Check also err_headers_out for an already set

Content-Encoding: gzip header. This prevents gzip compressed content

from a CGI script from being compressed once more. PR 17797.

[André Malo]


Changes with Apache 2.0.45

*) Fix possible segfaults under obscure error conditions within the

cgid daemon. [Jeff Trawick, William Rowe]

*) SECURITY [CAN-2003-0132]: Close a Denial of Service vulnerability

identified by David Endler on all platforms.

An unlimited stream of newlines were acceptable between requests

where each would allocate an 80 byte buffer, leading very

quickly to memory exahustion. [Brian Pane]

*) Added an rpm build script.

[Graham Leggett, Joe Orton ]

*) Simpler, faster code path for request header scanning [Brian Pane]

*) SECURITY: Eliminated leaks of several file descriptors to child

processes, such as CGI scripts. This fix depends on the APR library

release 0.9.2 or later (0.9.3 was distributed with the httpd

source tarball for Apache 2.0.45.) PR 17206

[Christian Kratzer , Bjoern A. Zeeb ]

*) Fix path handling of mod_rewrite, especially on non-unix systems.

There was some confusion between local paths and URL paths.

PR 12902. [André Malo]

*) Prevent endless loops of internal redirects in mod_rewrite by

aborting after exceeding a limit of internal redirects. The

limit defaults to 10 and can be changed using the RewriteOptions

directive. PR 17462. [André Malo]

*) Win32: Avoid busy wait (consuming all the CPU idle cycles) when

all worker threads are busy.

[Igor Nazarenko ]

*) Keep the subrequest filter in place when a subrequest is

redirected. PR 15423. [Jeff Trawick]

*) you can now specify the compression level for mod_deflate.

[Ian Holsman, Stephen Pierzchala ,

Michael Schroepl ]

*) mod_deflate: Extend the DeflateFilterNote directive to

allow accurate logging of the filter’s in- and outstream.

[André Malo]

*) Allow SSLMutex to select/use the full range of APR locking

mechanisms available to it. Also, fix the bug that SSLMutex uses

APR_LOCK_DEFAULT no matter what. PR 8122 [Jim Jagielski,

Martin Kutschker ]

*) Restore the ability of htdigest.exe to create files that contain

more than one user. PR 12910. [André Malo]

*) Improve binary compatibility of the core between debug (aka

maintainer-mode) and a non-debug compile.

[Sander Striker]

*) mod_usertrack: don’t set the cookie in subrequests. This works

around the problem that cookies were set twice during fast internal


edirects. PR 13211. [André Malo]

*) mod_autoindex no longer forgets output format and enabled version

sort in linked column headers. [André Malo]

*) Use .sv instead of .se as extension for Swedish documents in the

default configuration. PR 12877. [André Malo]

*) Updated mod_ldap and mod_auth_ldap to support the Novell LDAP SDK SSL

and standardized the LDAP SSL support across the various LDAP SDKs.

Isolated the SSL functionality to mod_ldap rather than speading it

across mod_auth_ldap and mod_ldap. Also added LDAPTrustedCA

and LDAPTrustedCAType directives to mod_ldap to allow for a more

common method of specifying the SSL certificate.

[Dave Ward, Brad Nicholes]

*) Fixed mod_ssl’s SSLCertificateChain initialization to no longer

skip the first cert of the chain by default. This misbehavior

was introduced in 2.0.34. PR 14560 [Madhusudan Mathihalli]

*) mod_cgi, mod_cgid, mod_ext_filter: Log errors when scripts cannot

be started on Unix because of such problems as bad permissions,

bad shebang line, etc. [Jeff Trawick]

*) Fix 64-bit problem in mod_ssl input logic.

[Madhusudan Mathihalli ]

*) Fix potential memory leaks in mod_deflate on malformed data. PR 16046.

[Justin Erenkrantz]

*) Rewrite ap_xml_parse_input to use bucket brigades. PR 16134.

[Justin Erenkrantz]

*) Fix segfault which occurred when a section in an included

configuration file was not closed. PR 17093. [André Malo]

*) Enhance the behavior of mod_isapi’s WriteClient() callback to

provide better emulation for isapi modules that presume that the

first WriteClient() call may send status and headers. An example

of WriteClient() abuse is the foxisapi module, which relies on

that assumpion and now works. [William Rowe, Milan Kosina]

*) Check the return value of ap_run_pre_connection(). So if the

pre_connection phase fails (without setting c->aborted)

ap_run_process_connection is not executed. [Stas Bekman]

*) Fixed a problem with mod_ldap which caused it to fault when caching

was disabled. Needed to make sure that the code did not

attempt to use the cache if it didn’t exist. Also fixed some memory

leaks which were due to not releasing LDAP resources on error

conditions. [Brad Nicholes]

*) Hook mod_proxy’s fixup before mod_rewrite’s fixup, so that by

mod_rewrite proxied URLs will not be escaped accidentally by

mod_proxy’s fixup. PR 16368 [André Malo]

*) While processing filters on internal redirects, remember seen EOS

buckets also in the request structure of the redirect issuer(s). This

prevents filters (such as mod_deflate) from adding garbage to the

response. PR 14451. [André Malo]


*) suexec: Be more pedantic when cleaning environment. Clean it

immediately after startup. PR 2790, 10449.

[Jeff Stewart , André Malo]

*) Fix apxs to insert LoadModule directives only outside of sections.

PR 8712, 9012. [André Malo]

*) Fix suexec compile error under SUNOS4, where strerror() doesn’t

exist. PR 5913, 9977.

[Jonathan W Miner ]

*) Fix If header parsing when a non-mod_dav lock token is passed to it.

PR 16452. [Justin Erenkrantz]

*) mod_auth_digest no longer tries to guess AuthDigestDomain, if it’s

not specified. Now it assumes "/" as already documented. PR 16937.

[André Malo]

*) Try to log an error if a piped log program fails. Try to

restart a piped log program in more failure situations. Fix an

existing problem with error handling in piped_log_spawn(). Use

new APR apr_proc_create() features to prevent Apache from starting

on Unix* in most cases where a piped log program can be started,

and add log messages for the other situations. *Other platforms

already failed Apache initialization if a piped log program

couldn’t be started. PR 15761 [Jeff Trawick]

*) Fix mod_cern_meta to not create empty metafiles when the

metafile searched for does not exist. PR 12353

[Owen Rees ]

*) Introduce debugging symbols for Win32 release builds, both .pdb

and .dbg files (older debuggers and Dr. Watson-type utilities

on WinNT or Win9x don’t support the newer .pdb flavor.)

[Allen Edwards, William Rowe]

*) Fix bug where ’Satisfy Any’ without an AuthType lost all MIME

information (and more). Related to PR 9076. [André Malo]

*) mod_file_cache: fix segfault serving mmaped cached files.

[Bill Stoddard]

*) mod_file_cache: fixed a segfault when multiple MMapFile directives

were used. PR 16313. [Cliff Woolley]

*) Fix a nasty segfault in mmap_bucket_setaside() caused by passing

an incompatible pointer type to mmap_bucket_destroy(void*).

[Gerard Eviston ]

*) Enable the -n name parameter on NetWare to allow the

administrator to rename the Apache console screen

[Brad Nicholes]

*) Fixed piped access logs on Win32 by disabling OTHER_CHILD

support by default in APR. More development is required

to deploy OTHER_CHILD on Win32. [William Rowe]

*) Use saner default config values for suexec. PR 15713.

[Thom May ]


*) mod_rewrite: Allow "RewriteEngine Off" even if no "Options FollowSymlinks"

(or SymlinksIfOwnermatch) is set. PR 12395. [André Malo]

*) apxs: Include any special APR ld flags when linking the DSO.

This resolves problems on AIX when building a DSO with apxs+gcc.

[Jeff Trawick]

*) Added character set support to mod_auth_LDAP to allow it to

convert extended characters used in the user ID to UTF-8

before authenticating against the LDAP directory. The new

directive AuthLDAPCharsetConfig is used to specify the config

file that contains the character set conversion table.

[Brad Nicholes]

*) Don’t remove the Content-Length from responses in mod_proxy

PR: 8677 [Brian Pane]

*) Ensure LDAP version is set to v3 on every bind. PR 14235.

[Sergey A. Lipnevich ]

*) Fix mod_ldap to open an existing shared memory file should one

already exist. PR 12757. [Scooter Morris ,

Graham Leggett]

*) Fix the ulimit command used by apachectl on Tru64. PR 13609.

[Joseph Senulis , Jeff Trawick]

*) Change the ulimit command used by apachectl on AIX so that it

works in all locales. [Jeff Trawick]

*) mod_ext_filter: Fix a problem building argument lists which

occasionally caused exec to fail. PR 15491. [Jeff Trawick]

Changes with Apache 2.0.44

*) mod_autoindex: Bring forward the IndexOptions IgnoreCase option

from Apache 1.3. PR 14276

[David Shane Holden , William Rowe]

*) mod_mime: Workaround to prevent a segfault if r->filename=NULL

[Brian Pane]

*) Reorder the definitions for mod_ldap and mod_auth_ldap within

config.m4 to make sure the parent mod_ldap is defined first.

This ensures that mod_ldap comes before mod_auth_ldap in the

httpd.conf file, which is necessary for mod_auth_ldap to load.

PR 14256 [Graham Leggett]

*) Fix the building of cgi command lines when the query string

contains ’=’. PR 13914 [Ville Skyttä ,

Jeff Trawick]

*) Rename CacheMaxStreamingBuffer to MCacheMaxStreamingBuffer. Move

implementation of MCacheMaxStreamingBuffer from mod_cache to

mod_mem_cache. MCacheMaxStreamingBuffer now defaults to the

lesser of 100,000 bytes or MCacheMaxCacheObjectSize. This should

eliminate the need for explicitly coding MCacheMaxStreamingBuffer

in most configurations. [Bill Stoddard]


*) mod_cache: Fix PR 15113, a core dump in cache_in_filter when

a redirect occurs. The code was passing a format string and

integer to apr_pstrcat. Changed to apr_psprintf.

[Paul J. Reder]

*) Replace APU_HAS_LDAPSSL_CLIENT_INIT with APU_HAS_LDAP_NETSCAPE_SSL

as set by apr-util in util_ldap.c. This should allow mod_ldap

to work with the Netscape/Mozilla LDAP library. [Øyvin Sømme

, Graham Leggett]

*) Fix critical bug in new --enable-v4-mapped configure option

implementation which broke IPv4 listening sockets on some

systems. [hiroyuki hanai ]

*) mod_setenvif: Fix BrowserMatchNoCase support for non-regex

patterns [André Malo ]

*) Add version string to provider API. [Justin Erenkrantz]

*) build: ’./configure && make’ now works without an in-tree

apr and apr-util. [Wilfredo Sanchez]

*) mod_negotiation: Set the appropriate mime response headers

(Content-Type, charset, Content-Language and Content-Encoding)

for negotated type-map "Body:" responses (such as the error

pages.) [André Malo ]

*) mod_log_config: Allow ’%%’ escaping in CustomLog format

strings to insert a literal, single ’%’.

[André Malo ]

*) mod_autoindex: AddDescription directives for directories

now work as in Apache 1.3, where no trailing ’/’ is

specified on the directory name. Previously, the trailing

’/’ *had* to be specified, which was incompatible with

Apache 1.3. PR 7990 [Jeff Trawick]

*) Fix for PR 14556. The expiry calculations in mod_cache were

trying to perform "now + ((date - lastmod) * factor)" where

date == lastmod resulting in "now + 0". The code now follows

the else path (using the default expiration) if date is

equal to lastmod. [Sergey , Paul J. Reder]

*) Use AP_DECLARE in the debug versions of ap_strXXX in case the

default calling convention is not the same as the one used by

AP_DECLARE. [Juan Rivera ]

*) mod_cache: Don’t cache response header fields designated

as hop-by-hop headers in HTTP/1.1 (RFC 2616 Section 13.5.1).

[Estrade Matthieu , Brian Pane]

*) mod_cgid: Handle environment variables containing newlines.

PR 14550 [Piotr Czejkowski , Jeff

Trawick]

*) Move mod_ext_filter out of experimental and into filters.

[Jeff Trawick]

*) Fixed a memory leak in mod_deflate with dynamic content.

PR 14321 [Ken Franken ]


*) Add --[enable|disable]-v4-mapped configure option to control

whether or not Apache expects to handle IPv4 connections

on IPv6 listening sockets. Either setting will work on

systems with the IPV6_V6ONLY socket option. --enable-v4-mapped

must be used on systems that always allow IPv4 connections on

IPv6 listening sockets. PR 14037 (Bugzilla), PR 7492 (Gnats)

[Jeff Trawick]

*) This fixes a problem where the underlying cache code

indicated that there was one more element on the cache

than there actually was. This happened since element 0

exists but is not used. This code allocates the correct

number of useable elements and reports the number of

actually used elements. The previous code only allowed

MCacheMaxObjectCount-1 objects to be stored in the

cache. [Paul J. Reder]

*) mod_setenvif: Add SERVER_ADDR special keyword to allow

envariable setting according to the server IP address

which received the request. [Ken Coar]

*) mod_cgid: Terminate CGI scripts when the client connection

drops. PR 8388 [Jeff Trawick]

*) Rearrange OpenSSL engine initialization to support RAND

redirection on crypto accelerator.

[Frederic DONNAT ]

*) Always emit Vary header if mod_deflate is involved in the

request. [Andre Malo ]

*) mod_isapi: Stop unsetting the ’empty’ query string result with

a NULL argument in ecb->lpszQueryString, eliminating segfaults

for some ISAPI modules. PR 14399

[Detlev Vendt ]

*) mod_isapi: Fix an issue where the HSE_REQ_DONE_WITH_SESSION

notification is received before the HttpExtensionProc() returns

HSE_STATUS_PENDING. This only affected isapi .dll’s configured

with the ISAPIFakeAsync on directive. PR 11918

[John DeSetto , William Rowe]

*) mod_isapi: Fix the issue where all results from mod_isapi would

run through the core die handler resulting in invalid responses

or access log entries. PR 10216 [William Rowe]

*) Improves the user friendliness of the CacheRoot processing

over my last pass. This version avoids the pool allocations

but doesn’t avoid all of the runtime checks. It no longer

terminates during post-config processing. An error is logged

once per worker, indicating that the CacheRoot needs to be set.

[Paul J. Reder]

*) Fix a bug where we keep files open until the end of a

keepalive connection, which can result in:

(24)Too many open files: file permissions deny server access

especially on threaded servers. [Greg Ames, Jeff Trawick]

*) Fix a bug in which mod_proxy sent an invalid Content-Length


when a proxied URL was invoked as a server-side include within

a page generated in response to a form POST. [Brian Pane]

*) Added code to process min and max file size directives and to

init the expirychk flag in mod_disk_cache. Added a clarifying

comment to cache_util. [Paul J. Reder]

*) The value emitted by ServerSignature now mimics the Server HTTP

header as controlled by ServerTokens. [Francis Daly ]

*) Gracefully handly retry situations in the SSL input filter,

by following the SSL libraries’ retry semantics.

[William Rowe]

*) Terminate CGI scripts when the client connection drops. This

fix only applies to some normal paths in mod_cgi. mod_cgid

is still busted. PR 8388 [Jeff Trawick]

*) Fix a bug where 416 "Range not satisfiable" was being

returned for content that should have been redirected.

[Greg Ames]

*) Fix memory leak in mod_ssl from internal SSL library allocations

within SSL_get_peer_certificate and X509_get_pubkey.

[Zvi Har’El

Madhusudan Mathihalli ].

*) mod_ssl uses free() inappropriately in several places, to free

memory which has been previously allocated inside OpenSSL.

Such memory should be freed with OPENSSL_free(), not with free().

[Nadav Har’El ,

Madhusudan Mathihalli ].

*) Emit a message to the error log when we return 404 because

the URI contained ’%2f’. (This was previously nastily silent

and difficult to debug.) [Ken Coar]

*) Fix streaming output from an nph- CGI script. CGI:IRC now

works. PR 8482 [Jeff Trawick]

*) More accurate logging of bytes sent in mod_logio when

the client terminates the connection before the response

is completely sent [Bojan Smojver ]

*) Fix some problems in the perchild MPM.

[Jonas Eriksson ]

*) Change the CacheRoot processing to check for a required

value at config time. This saves a lot of wasted processing

if the mod_disk_cache module is loaded but no CacheRoot

was provided. This fix also adds code to log an error

and avoid useless pallocs and procesing when the computed

cache file name cannot be opened. This also updates the

docs accordingly. [Paul J. Reder]

*) Introduce the EnableSendfile directive, allowing users of NFS

shares to disable sendfile mechanics when they either fail

outright or provide intermitantly corrupted data. PR

[William Rowe]


*) Resolve the error "An operation was attempted on something

that is not a socket. : winnt_accept: AcceptEx failed.

Attempting to recover." for users of various firewall and

anti-virus software on Windows. PR 8325 [William Rowe]

*) Add the ProxyBadHeader directive, which gives the admin some

control on how mod_proxy should handle bogus HTTP headers from

proxied servers. This allows 2.0 to "emulate" 1.3’s behavior if

desired. [Jim Jagielski]

*) Change the LDAP modules to export their symbols correctly

during a Windows build. Add dsp files for Windows. Update

README.ldap file for Windows build instructions.

[Andre Schild ]

*) Performance improvements for the code that generates HTTP

response headers [Brian Pane]

*) Add -S as a synonym for -t -DDUMP_VHOSTS.

[Thom May ]

*) Fix a bug with dbm rewrite maps which caused the wrong value to

be used when the key was not found in the dbm. PR 13204

[Jeff Trawick]

*) Fix a problem with streaming script output and mod_cgid.

[Jeff Trawick]

*) Add ap_register_provider/ap_lookup_provider API.

[John K. Sterling , Justin Erenkrantz]

Changes with Apache 2.0.43

*) SECURITY [CVE-2002-0840]: HTML-escape the address produced by

ap_server_signature() against this cross-site scripting

vulnerability exposed by the directive ’UseCanonicalName Off’.

Also HTML-escape the SERVER_NAME environment variable for CGI

and SSI requests. It’s safe to escape as only the ’’,

and ’&’ characters are affected, which won’t appear in a valid

hostname. Reported by Matthew Murphy .

[Brian Pane]

*) Fix a core dump in mod_cache when it attemtped to store uncopyable

buckets. This happened, for instance, when a file to be cached

contained SSI tags to execute a CGI script (passed as a pipe

bucket). [Paul J. Reder]

*) Ensure that output already available is flushed to the network

when the content-length filter realizes that no new output will

be available for a while. This helps some streaming CGIs as

well as some other dynamically-generated content. [Jeff Trawick]

*) Fix a mutex problem in mod_ssl session cache support which

could lead to an infinite loop. PR 12705

[Amund Elstad , Jeff Trawick]

*) SECURITY [CVE-2002-1156] (cve.mitre.org):

Fix the exposure of CGI source when a POST request is sent to

a location where both DAV and CGI are enabled. [Ryan Bloom]


*) Allow the UserDir directive to accept a list of directories.

This matches what Apache 1.3 does. Also add documentation for

this feature. [Jay Ball ]

*) New Module: mod_logio. adds the ability to log bytes sent and

received. [Bojan Smojver ]

*) SuExec needs to use the same default directory as the rest of

server, namely /usr/local/apache2.

[SangBeom han ]

*) Get mod_auth_ldap to retry connections on LDAP_SERVER_DOWN.

[Thomas Bennett , Graham Leggett]

*) Make sure the contents of the WWW-Authenticate header is

passed on a 4xx error by proxy. Previously all headers

were dropped, resulting in the browser being unable to

authenticate. [Dr Richard Reiner ,

Richard Danielli , Graham Wiseman

, David Henderson

]

*) Make mod_cache’s CacheMaxStreamingBuffer directive work

properly for virtual hosts that override server-wide mod_cache

setttings. [Matthieu Estrade ]

*) Add -p option to apxs to allow programs to be compiled with apxs.

[Justin Erenkrantz]

Changes with Apache 2.0.42

*) mod_dav: Check for versioning hooks before using them.

[Greg Stein]

Changes with Apache 2.0.41

*) The protocol version (eg: HTTP/1.1) in the request line parsing

is now case insensitive. [Jim Jagielski]

*) Allow AddOutputFilterByType to add multiple filters per directive.

[Justin Erenkrantz]

*) Remove warnings with Sun’s Forte compiler. [Justin Erenkrantz]

*) Fixed mod_disk_cache’s generation of 304s

[Kris Verbeeck ]

*) Add support for using fnmatch patterns in the final path

segment of an Include statement (eg.. include /foo/bar/*.conf).

and remove the noise on stderr during config dir processing.

[Joe Orton ]

*) mod_cache: cache_storage.c. Add the hostname and any request

args to the key generated for caching. This provides a unique

key for each virtual host and for each request with unique

args. [Paul J. Reder, args code provided by Kris Verbeeck]

*) mod_cache: Do not cache responses to GET requests with query

URLs if the origin server does not explicitly provide an

Expires header on the response (RFC 2616 Section 13.9)


[Kris Verbeeck ]

*) Fix memory leak in core_output_filter. [Justin Erenkrantz]

*) Update OpenSSL detection to work on Darwin.

[Sander Temme ]

*) Update the xslt and css to give the documentation a more

modern style.

[André Malo , Gernot Winkler ]

*) Fix some bucket memory leaks in the chunking code

[Joe Schaefer ]

*) Add ModMimeUsePathInfo directive. [Justin Erenkrantz]

*) mod_cache: added support for caching streamed responses (proxy,

CGI, etc) with optional CacheMaxStreamingBuffer setting [Brian Pane]

*) Add image/x-icon to httpd.conf PR 10993.

[Ian Holsman, Peter Bieringer ]

*) Fix FileETags none operation. PR 12207.

[Justin Erenkrantz, Andrew Ho ]

*) Restored the experimental leader/followers MPM to working

condition and converted its thread synchronization from

mutexes to atomic CAS. [Brian Pane]

*) Fix Logic on non-html file removal in mod_deflate

[Kris Verbeeck ]

*) Fix "ab -g"’s truncated year: the last digit was cut off.

[Leon Brocard ]

*) mod_rewrite can now sets cookies in err_headers, uses the correct

expiry date, and can now set the path as well

PR 12132,12181,12172.

[Ian Holsman / Rob Cromwell ]

*) The content-length filter no longer tries to buffer up

the entire output of a long-running request before sending

anything to the client. [Brian Pane]

*) Win32: Lower the default stack size from 1MB to 256K. This will

allow around 8000 threads to be started per child process.

’EDITBIN /STACK:size apache.exe’ can be used to change this

value directly in the apache.exe executable.

[Bill Stoddard]

*) Win32: Implement ThreadLimit directive in the Windows MPM.

[Bill Stoddard]

*) Remove CacheOn config directive since it is set but never checked.

No sense wasting cycles on unused code. Besides, the only truly

bug free code is deleted code. :) [Paul J. Reder]

*) BufferLogs are now run-time enabled, and the log_config now has 2 new

callbacks to allow a 3rd party module to actually do the writing of the

log file [Ian Holsman]


*) Correct ISAPIReadAheadBuffer to default to 49152, per mod_isapi docs.

[André Malo, Astrid Keßler ]

*) Fix Segfault in mod_cache. [Kris Verbeeck ]

*) Fix a null pointer dereference in the merge_env_dir_configs

function of the mod_env module. PR 11791

[Paul J. Reder]

*) New option to ServerTokens ’maj[or]’. Only show the major version

Also Surfaced this directive in the standard config (default FULL)

[Ian Holsman]

*) Change mod_rewrite to use apr-util’s dbm support for dbm rewrite

maps. The dbm type (e.g., ndbm, gdbm) can be specified on the

RewriteMap directive. PR 10644 [Jeff Trawick]

*) Fixed mod_rewrite’s RewriteMap prg: support so that request/response

pairs will no longer get out of sync with each other. PR 9534

[Cliff Woolley]

*) Fixes required to get quoted and escaped command args working in

mod_ext_filter. PR 11793 [Paul J. Reder]

*) mod-proxy: handle proxied responses with no status lines

[JD Silvester , Brett Huttley ]

*) Fix bug where environment or command line arguments containing

non-ASCII-7 characters would cause the Win32 child process creation

to fail. PR 11854 [William Rowe]

*) Bug #11213.. make module loading error messages more informative

[Ian Darwin ]

*) thread safety & proxy-ftp [Alexey Panchenko , Ian Holsman]

*) mod_disk_cache works much better. This module should still

be considered experimental. [Eric Prud’hommeaux]

*) Performance improvement for keepalive requests: when setting

aside a small file for potential concatenation with the next

response on the connection, set aside the file descriptor rather

than copying the file into the heap. [Brian Pane]

*) Modified version check on openssl so that it finds the executable

first and then performs a check of the version, only warning the

user if they chose, or we selected, an old version of OpenSSL.

This change also allows the code to work for non-openssl libraries

selected via the --with-ssl=dir option, which can override the

automated library check in any case. [Roy Fielding]

Changes with Apache 2.0.40

*) SECURITY [CAN-2002-0661] (cve.mitre.org):

Close a very significant security hole that

applies only to the Win32, OS2 and Netware platforms. Unix was not

affected, Cygwin may be affected. Certain URIs will bypass security

and allow users to invoke or access any file depending on the system

configuration. Without upgrading, a single .conf change will close


the vulnerability. Add the following directive in the global server

httpd.conf context before any other Alias or Redirect directives;

RedirectMatch 400 "\\\.\."

Reported by Auriemma Luigi .

[Brad Nicholes]

*) SECURITY [CAN-2002-0654] (cve.mitre.org):

Close a path-revealing exposure in multiview type

map negotiation (such as the default error documents) where the

module would report the full path of the typemapped .var file when

multiple documents or no documents could be served based on the mime

negotiation. Reported by Auriemma Luigi .

[William Rowe]

*) SECURITY [CAN-2002-0654] (cve.mitre.org):

Close a path-revealing exposure in cgi/cgid when we

fail to invoke a script. The modules would report "couldn’t create

child process /path-to-script/script.pl" revealing the full path

of the script. Reported by Jim Race .

[Bill Stoddard]

*) Set aside the apr-iconv and apr_xlate() features for the Win32

build of 2.0.40 so development can be completed. A patch, from


will be available for those that wish to work with apr-iconv.

[William Rowe]

*) Fix proxy so that it is possible to access ftp: URLs via a proxy

chain. [Peter Van Biesen ]

*) mod-deflate now checks to make sure that ’gzip-only-text/html’ is

set to 1, so we can exclude things from the general case with

browsermatch. [Ian Holsman, Andre Schild ]

*) Accept multiple leading /’s for requests within the DocumentRoot.

PR 10946 [William Rowe, David Shane Holden ]

*) Solved the reports of .pdf byterange failures on Win32 alone.

APR’s sendfile for the win32 platform collapses header and trailer

buffers into a single buffer. However, we destroyed the pointers

to the header buffer if a trailer buffer was present. PR 10781

[William Rowe]

*) mod_ext_filter: Add the ability to enable or disable a filter via

an environment variable. Add the ability to register a filter of

type other than AP_FTYPE_RESOURCE. [Jeff Trawick]

*) Restore the ability to specify host names on Listen directives.

PR 11030. [Jeff Trawick, David Shane Holden ]

*) When deciding on the default address family for listening sockets,

make sure we can actually bind to an AF_INET6 socket before

deciding that we should default to AF_INET6. This fixes a startup

problem on certain levels of OpenUNIX. PR 10235. [Jeff Trawick]

*) Replace usage of atol() to parse strings when we might want a

larger-than-long value with apr_atoll(), which returns long long.

This allows HTTPD to deal with larger files correctly.

[Shantonu Sen ]


*) mod_ext_filter: Ignore any content-type parameters when checking if

the response should be filtered. Previously, "intype=text/html"

wouldn’t match something like "text/html;charset=8859_1".

[Jeff Trawick]

*) mod_ext_filter: Set up environment variables for external programs.

[Craig Sebenik ]

*) Modified the HTTP_IN filter to immediately append the EOS (end of

stream) bucket for C-L POST bodies, saving a roundtrip and allowing

the caller to determine that no content remains without prefetching

additional POST body. [William Rowe]

*) Get proxy ftp to work over IPv6. [Shoichi Sakane ]

*) Look for OpenSSL libraries in /usr/lib64. [Peter Poeml ]

*) Update SuSE layout. [Peter Poeml ]

*) Changes to the internationalized error documents:

Comment them out in the default config file to make the default

install as simple as possible; Correct the english 500 error to

be more understandable; Add a Swedish translation.

[Thomas Sjogren ,

Erik Abele , Rich Bowen, Joshua Slive]

*) Increase the limit on file descriptors per process in apachectl.

[Brian Pane]

*) Fix a dependency error when building ApacheMonitor, so that Win32

and MSVC now trust that the project is current (when it is).

[James Cox ]

*) mod_ext_filter: don’t segfault if content-type is not set. PR 10617.

[Arthur P. Smith , Jeff Trawick]

*) APR-Util Renames pending have been completed [Thom May]

*) Performance improvements for the code that reads request

headers (ap_rgetline_core() and related functions) [Brian Pane]

*) Add a new directive: MaxMemFree. MaxMemFree makes it possible

to configure the maximum amount of memory the allocators will

hold on to for reuse. Anything over the MaxMemFree threshold

will be free()d. This directive is useful when uncommon large

peaks occur in memory usage. It should _not_ be used to mask

defective modules’ memory use. [Sander Striker]

*) Fixed the Content-Length filter so that HTTP/1.0 requests to CGI

scripts would not result in a truncated response.

[Ryan Bloom, Justin Erenkrantz, Cliff Woolley]

*) Add a filter_init parameter to the filter registration functions

so that a filter can execute arbitrary code before the handlers

are invoked. This resolves a problem where mod_include requests

would incorrectly return a 304. [Justin Erenkrantz]

*) Fix a long-standing bug in 2.0, CGI scripts were being called

with relative paths instead of absolute paths. Apache 1.3 used

absolute paths for everything except for SuExec, this brings back


that standard. [Ryan Bloom]

*) Fix infinite loop due to two HTTP_IN filters being present for

internally redirected requests. PR 10146. [Justin Erenkrantz]

*) Switch conn_rec->keepalive to an enumeration rather than a bitfield.

[Justin Erenkrantz]

*) Fix mod_ext_filter to look in the main server for filter definitions

when running in a vhost if the filter definition is not found in

the vhost. PR 10147 [Jeff Trawick]

*) Support WinNT CGI invocation through ScriptInterpreterSource

’registry’ for script interpreter paths and names with non-ascii

characters in the executable filepath. [William Rowe]

*) Support the -w flag on to keep the Win32 console open on error.

[William Rowe]

*) Normalize the hostname value in the request_rec to all-lowercase

[Perry Harrington ]

*) Fix WinNT cgi 500 errors when QUERY_ARGS or other strings include

extended characters (non US-ASCII) in non-utf8 format. This brings

Win32 back into CGI/1.1 compliance, and leaves charset decoding up

to the cgi application itself. [William Rowe]

*) Major overhaul of mod_dav, mod_dav_fs and the experimental/cache

modules to bring them up to the current apr/apr-util APIs.

[William Rowe]

*) Fix segfault in mod_mem_cache most frequently observed when

serving the same file to multiple clients on an MP machine.

[Bill Stoddard]

*) mod_rewrite can now set cookies (RewriteRule (.*) - [CO=name:$1:.domain])

[Brian Degenhardt , Ian Holsman]

*) Fix perchild to work with apachectl by adding -k support to perchild.

PR 10074 [Jeff Trawick]

*) Fix a silly htpasswd.c logic error that incorrectly reported that

both -c and -n had been used. PR 9989 [Cliff Woolley]

*) Fixed a mod_include error case in which no HTTP response was sent

to the client if an shtml document contained an unterminated SSI

directive [Brian Pane]

*) Improve ap_get_client_block implementation by using APR-util brigade

helper functions and relying on current filter assumptions.

[Justin Erenkrantz]

Changes with Apache 2.0.39

*) Fixed a build problem in htpasswd.c on Win32.

[Guenter Knauf , Cliff Woolley]

Changes with Apache 2.0.38

*) Rewrite htpasswd to use APR. The removes the annoying warning about


tmpnam being unsafe. [Ryan Bloom]

*) We must set the MIME-type for .shtml files to text/html if we want them

to be parsed for SSI tags. Add the config for that to the default

config file so that it is easier to enable .shtml parsing.

[Dave Dyer ]

*) Fixed a problem with ’make install’ on ReliantUnix.

[Jean-frederic Clere ]

*) Make the default_handler catch all requests that aren’t served by

another handler. This also gets us to return a 404 if a directory

is requested, there is no DirectoryIndex, and mod_autoindex isn’t

loaded. [Justin Erenkrantz]

*) Fixed the handling of nested if-statements in shtml files.

PR 9866 [Brian Pane]

*) Allow ’make install DESTDIR=/path’. This allows packagers to install

into a directory different from the one that was configured. This

also mirrors the root= feature from 1.3. We cannot use prefix=,

because both APR and APR-util resolve their installation paths at

configuration time. This means that there is no variable prefix

to replace. [Andreas Hasenack ]

*) AIX 4.3.2 and above: Define SINGLE_LISTEN_UNSERIALIZED_ACCEPT.

These levels of AIX don’t have a thundering herd problem with

accept(). [Jeff Trawick]

*) prefork MPM: Ignore mutex errors during graceful restart. For

certain types of mutexes (particularly SysV semaphores), we

should expect to occasionally fail to obtain or release the

mutex during restart processing. [Jeff Trawick]

*) Fix install-bindist.sh so that it finds any perl instead of just

early perl 5.x versions. This is consistent with a build/install

from source, and it allows the perl scripts installed by a bindist

to work on systems with perl 5.6. [Jeff Trawick]

*) Fix apxs so that the makefile created by "apxs -g" works on AIX and

Tru64 (and probably some other platforms). [Jeff Trawick]

*) Allow CGI scripts to return their Content-Length. This also fixes a

hang on HEAD requests seen on certain platforms (such as FreeBSD).

[Justin Erenkrantz]

*) Added log rotation based on file size to the RotateLog support

utility. [Brad Nicholes]

*) Fix some casting in mod_rewrite which broke random maps.

PR 9770 [Allan Edwards, Greg Ames, Jeff Trawick]

Changes with Apache 2.0.37

*) allow POST method over SSL when per-directory client cert

authentication is used with ’SSLOptions +OptRenegotiate’ enabled

and a client cert was found in the ssl session cache.

*) ’SSLOptions +OptRengotiate’ will use client cert in from the ssl

session cache when there is no cert chain in the cache. prior to


the fix this situation would result in a FORBIDDEN response and

error message "Cannot find peer certificate chain"

[Doug MacEachern]

*) ap_finalize_sub_req_protocol() shouldn’t send an EOS bucket if

one was already sent. PR 9644 [Jeff Trawick]

*) Fix the display of the default name for the mime types config

file. PR 9729 [Matthew Brecknell ]

*) Fix the working directory *for WinNT/2K/XP services only* to

change to the Apache directory (one level above the location

of Apache.exe, in the case that Apache.exe resides in bin/.)

Solves the case of ServerRoot /foo paths where /foo was not

on the same drive as /winnt/system32. [William Rowe]

*) Make 2.0’s "AcceptMutex" startup message now "completely"

match how 1.3 does it. [Jim Jagielski]

*) Implement a fixed size memory cache using a priority queue

[Ian Holsman]

*) Fix apxs to allow "apxs -q installbuilddir" and to allow

querying certain other variables from config_vars.mk. PR 9316

[Jeff Trawick]

*) Added the "detached" attribute to the cgi_exec_info_t internals

so that Win32 and Netware won’t create a new window or console

for each CGI invoked. PR 8387

[Brad Nicholes, William Rowe]

*) Consolidated the command line parameters and attributes that are

manipulated by the optional function ap_cgi_build_command() in

mod_cgi into a single structure.

[Brad Nicholes]

*) Get rid of uninitialized value errors with "apxs -q" on certain

variables. [Stas Bekman ]

*) Fix apxs to allow it to work when the build directory is somewhere

besides server-root/build. PR 8453

[Jeff Trawick and a host of others]

*) Allow ap_discard_request_body to be called multiple times in the

same request. Essentially, ap_http_filter keeps track of whether

it has sent an EOS bucket up the stack, if so, it will only ever

send an EOS bucket for this request.

[Ryan Bloom, Justin Erenkrantz, Greg Stein]

*) Remove all special mod_ssl URIs. This also fixes the bug where

redirecting (.*) will allow an SSL protected page to be viewed

without SSL. [Ryan Bloom]

*) Fix the binary build install script so that the build logic

created by "apxs -g" will work when the user has a binary

build. [Jeff Trawick]

*) Allow instdso.sh to work with full paths to the shared module.

[Justin Erenkrantz]


*) NetWare: Enabled CGI functionality and added mod_cgi as a built

in module for NetWare [Brad Nicholes]

*) Changed cgi and piped log behavior to accept 65536 characters

on Win32 (matching Linux) before deadlocking between outputing

client stdin, slurping the output from stdout and then the stderr

stream. PR 8179 [William Rowe]

*) Fixed Win32 wintty.exe support to assure the window title is valid.

Elimiates possible gpfault or garbage title without the -t option.

[William Rowe]

*) Rewrite mod_cgi, mod_cgid, and mod_proxy input handling to use

brigades and input filters. [Justin Erenkrantz]

*) Allow ap_http_filter (HTTP_IN) to return EOS when there is no request

body. [Justin Erenkrantz]

*) NetWare: Piping log entries through RotateLogs using the

CustomLogs directive is finally supported now that we have

the pipes and spawning functionality working.

[Brad Nicholes]

*) SECURITY [CVE-2002-0392] (cve.mitre.org) [CERT VU#944335]:

Detect overflow when reading the hex bytes forming a chunk line.

[Aaron Bannert]

*) Allow RewriteMap prg:’s to take command-line arguments. PR 8464.

[James Tait ]

*) Correctly return 413 when an invalid chunk size is given on

input. Also modify ap_discard_request_body to not do anything

on sub-requests or when the connection will be dropped.

[Justin Erenkrantz]

*) Fix the TIME_* SSL var lookups to be threadsafe. PR 9469.

[Cliff Woolley]

*) Ensure that apr_brigade_write() flushes in all of the cases that

it should to avoid conditions in some modules that could cause

large amounts of data to be buffered. [Cliff Woolley]

*) Fix problem where mod_cache/mod_disk_cache was incorrectly

stripping the content_type from cached responses.

[Bill Stoddard]

*) apachectl passes through any httpd options. Note: apachectl

should be used in preference to httpd since it ensures that any

appropriate environment variables have been set up.

[Jeff Trawick]

*) Fix the combination of mod_cgid, mod_setuexec, and mod_userdir.

PR 7810 [Colm MacCarthaigh ]

*) Fix suexec execution of CGI scripts from mod_include.

PR 7791, 8291 [Colm MacCarthaigh ]

*) Fix segfaults at startup on some platforms when mod_auth_digest,

mod_suexec, or mod_ssl were used as DSO’s due to the way they

were tracking the current init phase since DSO’s get completely


unloaded and reloaded between phases. PR 9413.

[Tsuyoshi Sasamoto , Brad Nicholes]

*) Fix mod_include’s handling of regular expressions in

"


callback, it was not including the trailing null in the consumed

buffer size. This was particularly bad for Delphi 6.0 users.

PR 8934 [Sebastian Hantsch ]

*) Fixed Win32 builds for Microsoft VisualStudio 7.0 (.net).

[William Rowe]

*) Make apxs look in the correct directory for envvars. It was

broken when sbindir != bindir. PR 8869

[Andreas Sundström ]

*) Fix mod_deflate corruption when using multiple buckets. PR 9014.

[Asada Kazuhisa ]

*) Performance enhancements for access logger when using

default timestamp formatting [Brian Pane]

*) Added EnableMMAP config directive to enable the server

administrator to disable memory-mapping of delivered files

on a per-directory basis. [Brian Pane]

*) Performance enhancements for mod_setenvif [Brian Pane]

*) Fix a mod_ssl build problem on OS/390. [Jeff Trawick]

*) Fixed If-Modified-Since on Win32, which would give false positives

because of the sub-second resolution of file timestamps on that

platform. [Cliff Woolley]

*) Reverse the hook ordering for mod_userdir and mod_alias so

that Alias/ScriptAlias will override Userdir. PR 8841

[Joshua Slive]

*) Move mod_deflate out of experimental and into filters.

[Justin Erenkrantz]

*) Get proxy CONNECT basically working. [Jeff Trawick]

*) Fix mod_rewrite hang when APR uses SysV Semaphores and

RewriteLogLevel is set to anything other than 0. PR: 8143

[Aaron Bannert, Cliff Woolley]

*) Fix byterange requests from returning 416 when using dynamic data

(such as filters like mod_include). [Justin Erenkrantz]

*) Allow mod_rewrite’s set of "int:" internal RewriteMap functions

to be extended by third-party modules via an optional function.

[Tahiry Ramanamampanoharana , Cliff Woolley]

*) Fix mod_include expression parser’s handling of unquoted strings

followed immediately by a closing paren. PR 8462. [Brian Pane]

*) Remove autom4te.cache in ’make distclean’.

[Thom May ]

*) Fix generated httpd.conf to respect layout for LoadModule lines.

PR 8170. [Thom May ]

*) Win32: During a graceful restart, threads in the new process

were accessing scoreboard slots still in use by active threads in


the old process. [Bill Stoddard]

Changes with Apache 2.0.36

*) Fix some minor formatting issues with ab. Part of this is

in reference to PR 8544, the rest I noticed while testing

the PR fix. [Paul J. Reder]

*) Fix a case where an invalid pass phrase is entered and an

error message is given, but the prompt is not shown again.

This left the user in an ambiguous state. PR 8320 [Paul J. Reder]

*) Close sockets on worker MPM when doing a graceless restart.

[Aaron Bannert]

*) Reverted a minor optimization in mod_ssl.c that used the vhost ID

as the session id context rather that a MD5 hash of that vhost ID,

because it caused very long vhost id’s to be unusable with mod_ssl.

PR 8572. [Cliff Woolley]

*) Fix the link to the description of the CoredumpDirectory

directive in the server-wide document. PR 8643. [Jeff Trawick]

*) Fixed SHMCB session caching. [Aaron Bannert, Cliff Woolley]

*) Synced with remaining changes from mod_ssl 2.8.8-1.3.24:

- Avoid SIGBUS on sparc machines with SHMCB session caches

- Allow whitespace between the pipe and the name of the

program in SSLLog "| /path/to/program". [Cliff Woolley]

*) Introduce mod_ext_filter and mod_deflate experimental modules

to the Win32 build (zlib sources must be in srclib\zlib.)

[William Rowe]

*) Changes to the worker MPM’s queue management and thread

synchronization code to reduce mutex contention [Brian Pane]

*) Don’t install *.in configuration files since we already install

*-std.conf files. [Aaron Bannert]

*) Many improvements to the threadpool MPM. [Aaron Bannert]

*) Fix subreqs that are promoted via fast_redirect from having invalid

frec->r structures. This would cause subtle errors later on in

request processing such as seen in PR 7966. [Justin Erenkrantz]

*) More efficient pool recycling logic for the worker MPM [Brian Pane]

*) Modify the worker MPM to not accept() new connections until

there is an available worker thread. This prevents queued

connections from starving for processing time while long-running

connections were hogging all the available threads. [Aaron Bannert]

*) Convert the worker MPM’s fdqueue from a LIFO back into a FIFO.

[Aaron Bannert]

*) Get basic HTTP proxy working on EBCDIC machines. [Jeff Trawick]

*) Allow mod_unique_id to work on systems with no IPv4 address

corresponding to their host name. [Jeff Trawick]


*) Fix suexec behavior with user directories. PR 7810.

[Colm ]

*) Reject a blank UserDir directive since it is ambiguous. PR 8472.

[Justin Erenkrantz]

*) Make mod_mime use case-insensitive matching when examining

extensions on all platforms. PR 8223. [Justin Erenkrantz]

*) Add an intelligent error message should no proxy submodules be

valid to handle a request. PR 8407 [Graham Leggett]

*) Major improvements in concurrent processing for AB by enabling

non-blocking connect()s and preventing APR from doing blocking

read()s. Also implement fatal error checking for apr_recv().

[Aaron Bannert]

*) Fix Win32 NTFS Junctions (symlinks). PR 8014 [William Rowe]

*) Fix Win32 ’short name’ aliases in httpd.conf directives.

PR 8009 [William Rowe]

*) Fix generation of default httpd.conf when the layout paths are

disjoint. PR 7979, 8227. [Justin Erenkrantz]

*) Swap downgrade-1.0 and force-response-1.0 conditional checks so

that downgraded responses can have force-response. PR 8357.

[Justin Erenkrantz]

*) Fix perchild MPM so that it can be configured with the move to the

experimental directory. [Scott Lamb ]

*) Fix perchild MPM so that it uses ap_gname2id for groups instead of

ap_uname2id. [Scott Lamb ]

*) Fix AcceptPathInfo. PR 8234 [Cliff Woolley]

*) SECURITY: Added the APLOG_TOCLIENT flag to ap_log_rerror() to

explicitly tell the server that warning messages should be sent

to the client in addition to being recorded in the error log.

Prior to this change, ap_log_rerror() always sent warning

messages to the client. In one case, a faulty CGI script caused

the server to send a warning message to the client that contained

the full path to the CGI script. This could be considered a

minor security exposure. [Bill Stoddard]

*) mod_autoindex output when SuppressRules was specified would

omit the first carriage return so the first item in the list

would appear to the right of the column headings instead of

underneath them. PR 8016 [David Shane Holden ]

*) Moved the call to apr_mmap_dup outside the error branch so

that it would actually get called. This fixes a core dump

at init everytime you use the MMapFile directive. PR 8314

[Paul J. Reder]

*) Trigger an error when a LoadModule directive attempts to

load a module which is built-in. This is a common error when

switching from a DSO build to a static build. [Jeff Trawick]


*) Change instdso.sh to use libtool --install everywhere and then

clean up some stray files and symlinks that libtool leaves around

on some platforms. This gets subversion building properly since

it needed a re-link to be performed by libtool at install time,

and the old instdso.sh logic to simply cp the DSO didn’t handle

that requirement. [Sander Striker]

*) Allow VPATH builds to succeed when configured from an empty

directory. [Thom May ]

*) Fix ’control reaches end of non-void function’ warning in

server/log.c. [Ben Collins-Sussman ]

*) Perchild MPM is now correctly deemed as experimental and is now

located in server/mpm/experimental. [Justin Erenkrantz]

*) Fix segfault in mod_mem_cache when garabge collecting an expired

cache entry. [Bill Stoddard]

*) Introduced -E startup_logfile_name option to httpd to allow admins

to begin logging errors immediately. This provides Win32 users

an alternative to sending startup errors to the event viewer, and

allows other daemon tool authors an alternative to logging to stderr.

[William Rowe]

*) Fix subreqs with non-defined Content-Types being served improperly.

[Justin Erenkrantz]

*) Merge in latest GNU config.guess and config.sub files. PR 7818.

[Justin Erenkrantz]

*) Move 100 - Continue support to the HTTP_IN filter so that filters

are guaranteed to support 100 - Continue logic without any

intervention. [Justin Erenkrantz]

*) Add HTTP chunked input trailer support. [Justin Erenkrantz]

*) Rename and export get_mime_headers as ap_get_mime_headers.

[Justin Erenkrantz]

*) Allow empty Host: header arguments. PR 7441. [Justin Erenkrantz]

*) Properly substitute sbindir as httpd’s location in apachectl. PR 7840.

[Andreas Hasenack ]

*) Allow Win32 shebang scripts to follow the path (or omit the .exe

suffix from the shebang command), and allow ScriptInterpreterSource

Registry or RegistryStrict to override shebang lines, as 1.3 did.

PR 8004 [William Rowe]

*) worker MPM: Fix a situation where a child exited without releasing

the accept mutex. Depending on the OS and mutex mechanism this

could result in a hang. [Jeff Trawick]

*) Update the instructions for how to get started with mod_example.

[Stas Bekman]

*) Fix PidFile to default to rel_runtimedir instead of

rel_logfiledir. PR 7841. [Andreas Hasenack ]


*) Win32: Fix problem that caused rapid performance degradation

when number of connecting clients exceeded ThreadsPerChild.

[Bill Stoddard]

*) Fixed a segfault parsing large SSIs on non-mmap systems.

[Brian Havard]

*) Proxy was bombing out every second keepalive request, caused by a

stray CRLF before the second response’s status line. Proxy now

tries to read one more line if it encounters a CRLF where it

expected a status. PR 10010 [Graham Leggett]

*) Deprecated the apr_lock.h API. Please see the following files

for the improved thread and process locking and signaling:

apr_proc_mutex.h, apr_thread_mutex.h, apr_thread_rwlock.h,

apr_thread_cond.h, and apr_global_mutex.h. [Aaron Bannert]

*) Change mod_status to use scoreboard accessor functions so it can

be used in any MPM without having to be recompiled.

[Ryan Morgan ]

*) Fix parsing of some AP_DECLARE_DATA declarations so that the filter

handle declarations are recognized. This fixes problems loading

mod_autoindex on some platforms. [Brian Havard]

*) add optional fixup hook to proxy [Daniel Lopez ]

*) Remind the admin about the User and Group directives when we are

unable to set permissions on a semaphore. PR 7812 [Jeff Trawick]

*) fix possible compilation problem in ssl_engine_kernel.c. PR 7802

[Doug MacEachern]

*) fix possible infinite loop in mod_ssl triggered by certain

netscape clients [Doug MacEachern]

*) fix ProxyPass when frontend is https and backend is http

[Doug MacEachern]

*) Add DASL support to mod_dav

[Sung Kim ]

Changes with Apache 2.0.35

*) mod_rewrite: updated to use the new APR global mutex type.

[Aaron Bannert]

*) Fixes for mod_include errors on boundary conditions in which

"


This implies it’s the new default for Darwin. [Jim Jagielski]

*) AIX: Fix the syntax for setting the LDR_CNTRL and AIXTHREAD_SCOPE

environment variables in the envvars file. [Jeff Trawick]

*) worker MPM: Don’t create a listener thread until we have a worker

thread. Otherwise, in situations where we’ll have to wait a while

to take over scoreboard slots from a previous generation, we’ll be

accepting connections we can’t process yet. [Jeff Trawick]

*) Allow worker MPM to build on systems without pthread_kill().

[Pier Fumagalli, Jeff Trawick]

*) Prevent ap_add_output_filters_by_type from being called in

ap_set_content_type if the content-type hasn’t changed.

[Justin Erenkrantz]

*) Performance: implemented the bucket allocator made possible by the

API change in 2.0.34. [Cliff Woolley]

*) Don’t allow initialization to succeed if we can’t get a socket

corresponding to one of the Listen statements. [Jeff Trawick]

Changes with Apache 2.0.34

*) Allow all Perchild directives to accept either numerical UID/GID

or logical user/group names. [Scott Lamb ]

*) Make Perchild compile cleanly and serve pages again. [Ryan Bloom]

*) implement ssl proxy to support ProxyPass / https:// and the

SSLProxy* directives [Doug MacEachern]

*) Update mod_cgid to not do single-byte socket reads for CGI headers

[Brian Pane]

*) Made AB’s use of the Host: header rfc2616 compliant

by Taisuke Yamada [Dirk-Willem van Gulik].

*) The old, legacy (and unused) code in which the scoreboard was totally

and completely contained in a file (SCOREBOARD_FILE) has been

removed. This does not affect scoreboards which are *mapped* to

files using named-shared-memory. [Jim Jagielski]

*) Change bucket brigades API to allow a "bucket allocator" to be

passed in at certain points. This allows us to implement freelists

so that we can stop using malloc/free so frequently.

[Cliff Woolley, Brian Pane]

*) Add support for macro expansion within the variable names in

and directives [Brian Pane]

*) Fix some mod_include segfaults [Cliff Woolley, Brian Pane, Brad Nicholes]

*) Update the "RedHat" Layout to match Red Hat Linux version 7. PR BZ-7422

[Joe Orton]

*) add compat layer to support RSA SSLC 1.x and 2.x in mod_ssl

[Jon Travis, John Barbee, William Rowe, Ryan Bloom, Doug MacEachern]


*) Add a new parameter to the quick_handler hook to instruct

quick handlers to optionally do a lookup rather than actually

serve content. This is the first of several changes required fix

several problems with how quick handlers work with subrequests.

[Bill Stoddard]

*) worker MPM: Get MaxRequestsPerChild to work again. [Jeff Trawick]

*) [APR-related] The ordering of the default accept mutex method has

been changed to better match what’s done in Apache 1.3. The ordering

is now (highest to lowest): pthread -> sysvsem -> fcntl -> flock.

[Jim Jagielski]

*) Ensure that the build/ directory is created when using VPATH.

[Justin Erenkrantz]

*) Add some popular types to the mime magic file. PR 7730.

[Linus Walleij , Justin Erenkrantz]

*) Remove the single-byte socket reads for CGI headers [Brian Pane]

*) When a proxied site was being served, Apache was replacing

the original site Server header with it’s own, which is not

allowed by RFC2616. Fixed. [Graham Leggett]

*) Fix a mod_cgid problem that left daemon processes stranded

in some server restart scenarios. [Jeff Trawick]

*) Added exp_foo and rel_foo variables to config_vars.mk for

all Apache and Autoconf path variables (like --sysconfdir,

--sbindir, etc). exp_foo is the "expanded" version, which means

that all internal variable references have been interpolated.

rel_foo is the same as $exp_foo, only relative to $prefix if they

share a common path. [Aaron Bannert]

*) Fix some restart/terminate problems in the worker MPM. Don’t

drop connections during graceful restart. [Jeff Trawick]

*) Change the header merging behaviour in proxy, as some headers

(like Set-Cookie) cannot be unmerged due to stray commas in

dates. [Graham Leggett]

*) Be more vocal about what AcceptMutex values we allow, to make

us closer to how 1.3 does it. [Jim Jagielski]

*) Get nph- CGI scripts working again. PRs 8902, 8907, 9983

[Jeff Trawick]

*) Upgraded PCRE library to latest version 3.9 [Brian Pane]

*) Add accessor function to set r->content_type. From now on,

ap_rset_content_type() should be used to set r->content_type.

This change is required to properly implement the

AddOutputFilterByType configuration directive.

[Bill Stoddard, Sander Striker, Ryan Bloom]

*) Add new M_FOO symbols for the WebDAV/DeltaV methods specified by

RFC 3253. Improved the method name/number mapping functions.

[Greg Stein]


*) remove sock_enable_linger from connection.c [Ian Holsman]

*) Fix for virtual host processing where the requested hostname

has a ’.’ at the end (PR 9187) [Ryan Cruse ]

*) mod_dav’s APIs for REPORT response handling was changed so that

providers can generate the content directly into the output filter

stack, rather than buffering the response into memory. [Greg Stein]

*) Fix a hang condition with graceful restart and prefork MPM

in the situation where MaxClients is very high but

much fewer servers are actually started at the time of the

restart. [Jeff Trawick]

*) Small performance fixes for mod_include [Brian Pane]

*) Performance improvement for the error logger [Brian Pane]

*) Change configure so that Solaris 8 and above have

SINGLE_LISTEN_UNSERIALIZED_ACCEPT defined by default.

according to sun people solaris 8+ doesn’t have a thundering

herd problem [Ian Holsman]

*) Allow URIs specifying CGI scripts to include ’/’ at the end

(e.g., /cgi-bin/printenv/) on AIX and Solaris (and other OSs

which ignore ’/’ at the end of the names of non-directories).

PR 10138 [Jeff Trawick]

*) implement SSLSessionCache shmht and shmcb based on apr_rmm and

apr_shm. [Madhusudan Mathihalli ]

*) Fix apxs -g handling. Move config_vars.mk from the top build

directory to the build directory. PR 10163 [Jeff Trawick]

*) Fix some mod_include problems which broke evaluation of some

expressions. PR 10108 [Jeff Trawick]

*) Fix the calculation of request time in mod_status. [Stas Bekman]

*) Fix the calculation of thread_num in the worker score structure.

[Stas Bekman]

*) Use apr_atomic operations in managing the mod_mem_cache

cache_objects for SMP scalability. (see USE_ATOMICS

preprocessor directive in mod_file_cache)

[Bill Stoddard]

*) Add filehandle caching to mod_mem_cache. (see CACHE_FD

preprocessor directive in mod_file_cache)

[Bill Stoddard]

*) Implement prototype mod_disk_cache for use with mod_cache.

[Bill Stoddard]

*) Add a missing manualdir entry in the Debian config.layout.

[Thom May ]

*) Stop installing libtool for APR and tell APR where it should place

its copy of libtool (via our installbuildpath layout variable).

[Justin Erenkrantz]


*) New directive ProxyIOBufferSize. Sets the size of the buffer used

when reading from a remote HTTP server in proxy. [Graham Leggett]

*) Modify receive/send loop in proxy_http and proxy_ftp so that

should it be necessary, the remote server socket is closed before

transmitting the last buffer (set by ProxyIOBufferSize) to the

client. This prevents the backend server from being forced to hang

around while the last few bytes are transmitted to a slow client.

Fix the case where no error checking was performed on the final

brigade in the loop. [Graham Leggett]

*) Scrap CacheMaxExpireMin and CacheDefaultExpireMin. Change

CacheMaxExpire and CacheDefaultExpire to use seconds rather than

hours. [Graham Leggett, Bill Stoddard]

*) New Directive SSIUndefinedEcho. to change the ’(none)’ echoed

for a undefined variable. [Ian Holsman]

*) Proxy HTTP and CONNECT: Keep trying other addresses from the DNS

when we can’t get a socket in the specified address family. We may

have gotten back an IPv6 address first and yet our system is not

configured to allow IPv6 sockets. [Jeff Trawick]

*) Be more careful about recursively removing CVS directories. Make

sure that we aren’t cd’ing to their home directory first. PR: 9993

[Aaron Bannert, James LewisMoss ]

*) Add a missing errordir entry in the Debian config.layout. PR: 10067

[Dirk-Jan Faber , Aaron Bannert,

Thom May ]

*) Rename the filter ordering priorities. The recent filtering fixes

have showcased problems with their usage. Therefore, we need to

rename them to increase the clarity. (CONTENT->RESOURCE,

HTTP_HEADER->CONTENT_SET/PROTOCOL) [Justin Erenkrantz]

Changes with Apache 2.0.33

*) Fix a problem in the new --enable-layout functionality where

it wouldn’t allow overrides from variables like --prefix,

--bindir, etc. [Thom May ]

*) Fix a bug in the core input filter for AP_MODE_EXHAUSTIVE. It

no longer hangs around waiting for the socket to close before

returning exhaustive data. [Aaron Bannert]

*) rename apr_exploded_time_t to apr_time_exp_t (as per renames pending)

[Thom May ]

*) Change mod_ssl to always do a full startup/teardown on restarts.

this allows mod_ssl to be added to a server that is already

running and makes it possible to add/change certs/keys after the

server has been started. [Doug MacEachern]

*) Introduce PassPhraseDialog "|/path/to/pipe" mechanism to mod_ssl.

This pipe must be a bidirectional ’console’ style relay, which

mod_ssl prints all prompts to the pipe’s stdin, and reads the

passphrases from the pipe’s stdout. [William Rowe]


*) Fix bug where --sysconfdir and --localstatedir were being

ignored. [Thom May , Aaron Bannert]

PR 9888

*) Fix --enable-layout to work again. Caution: When specifying

--enable-layout, common arguments like --prefix, --exec-prefix,

etc. will be ignored and the settings from the layout will be

used instead. [Thom May , Aaron Bannert]

PR 9124, 9873, 9885

*) New Directive for mod_proxy: ProxyRemoteMatch. This provides

regex pattern matching for the determination of which requests

to use the remote proxy for. [Jim Jagielski]

*) Fix CustomLog bytes-sent with HTTP 0.9. [Justin Erenkrantz]

*) Prevent Apache from ignoring SIGHUP due to some lingering 1.3

cruft in piped logs and rewritemap child processes.

[William Rowe]

*) All instances of apr_lock_t have been removed and converted

to one of the following new lock APIs: apr_thread_mutex.h,

apr_proc_mutex.h, or apr_global_mutex.h. No new code should

use the apr_lock.h API, as the old API will soon be deprecated.

[Aaron Bannert]

*) Merged in changes to mod_ssl up through 2.8.7-1.3.23.

[Ralf S. Engelschall, Cliff Woolley]

*) mod-include: make it handle flush’es and fix the ’false-alarm’

[Justin Erenkrantz, Brian Pane, Ian Holsman]

*) ap_get_*_filter_handle() functions to allow 3rd party modules

to lookup filter handles so they can bypass the filter name

lookup when adding filters to a request (via ap_add_*_filter_handle())

[Ryan Morgan ]

*) Fix for multiple file buckets on Win32, where the first file

bucket would cause the immediate closure of the socket on any

non-keepalive requests. [Ryan Morgan ]

*) Correct Win32 failure of mmap of a segment beyond start of the

file; fixes large SSL and similar transfers. [William Rowe]

PR 9898

*) Implement apr_proc_detach changes and allow -DNO_DETACH in the

multi-process mode to not "daemonize" while detaching from the

controlling terminal. This is necessary for Apache to work with

process-management tools like AIX’s "System Resource Controller"

as well as Dan Bernstein’s "daemontools".

[Jos Backus , Aaron Bannert]

*) Convert mod_auth_digest to use the new apr_global_mutex_t

type. [Aaron Bannert]

*) fix bug in mod-include where it wouldn’t send a unmatched

part if it was at the end of a bucket [Ian Holsman]

*) worker MPM: Improve logging of errors with the interface between

the listener thread and worker threads. [Jeff Trawick]


*) Some browsers ignore cookies that have been merged into a

single Set-Cookie header. Set-Cookie and Set-Cookie2 headers

are now unmerged in the http proxy before being sent to the

client. [Graham Leggett]

*) Fix a problem with proxy where each entry of a duplicated

header such as Set-Cookie would overwrite and obliterate the

previous value of the header, resulting in multiple header

values (like cookies) going missing.

[Graham Leggett, Joshua Slive]

*) Add the server-limit and thread-limit values to the scoreboard

for the sake of third-party applications.

[Adam Sussman ]

*) Fix segfault when proxy recieves an invalid HTTP response [Ian Holsman]

*) OS/390: Get make install to properly copy DSO modules.

[Jeff Trawick]

*) Win32: Fix bug in mod_status with displaying "Restart Time"

and "Server uptime".

[Bill Stoddard]

*) Fix IPv6 name-based virtual hosts. [Jeff Trawick]

*) Introduce AddOutputFilterByType directive. [Justin Erenkrantz]

*) Fix DEBUG_CGI support in mod_cgi. PR 9670, 9671.

[David MacKenzie ]

*) Fix incorrect check for script_in in mod_cgi. PR 9669.

[David MacKenzie ]

*) Fix segfault and display error when SSLMutex file can not be

created. [Adam Sussman ]

*) Add reference counting to mod_mem_cache cache objects to

better manage removing objects from the cache.

[Bill Stoddard]

*) Change the verbage on the ScoreBoardFile in our default configs.

Also change the default to be commented out (unspecified) so we

get anonymous shared memory by default. [Aaron Bannert]

*) Implement new ScoreBoardFile directive logic. This affects how

we create the scoreboard’s shared memory segment. If the directive

is present, a name-based segment is created. If the directive is

not present, first an anonymous segment is created, and if that

fails, a name-based segment is created from a file of the name

DEFAULT_SCOREBOARD. This gives third-party applications the

ability to access our scoreboard. [Aaron Bannert]

*) Allow mod_deflate to work with non-GET requests and properly send

Content-Lengths. [Sander Striker ]

*) Fix ap_directory_merge() to correctly merge configs when there is

no block. [Justin Erenkrantz, William Rowe]


*) Remove spurious debug messsages that are normal under HTTP

keep-alive logic. [Jeff Trawick, Justin Erenkrantz]

*) Fix a bug in mod_cgid that would prevent proper shutdown death

of the cgid process. [Aaron Bannert]

*) Add signal handling back in to the worker MPM for the one_process

(-X, -DDEBUG, -DONE_PROCESS) case. [Aaron Bannert]

*) Performance: Reuse per-connection transaction pools in the

worker MPM, rather than destroying and recreating them. [Brian Pane]

*) Remove all signals from the worker MPM’s child process. Instead,

the parent uses the Pipe of Death for all communication with the

child processes. [Ryan Bloom]

Changes with Apache 2.0.32

*) mod_negotiation: ForceLanguagePriority now uses ’Prefer’ as the

default if the directive is not specified. This mirrors older

behavior without changes to the httpd.conf. [William Rowe]

*) Win32: solve the win32 service problems in 2.0.31-alpha, by fixing

the service, mpm and logging code, and bugs in apr_file_open_stderr

and apr_file_dup2 functions. Win2K/XP services have no handles

associated for stdin/out/err, which caused unpredictable behavior

in the prior release. [William Rowe, Bill Stoddard]

*) Win32: simplify the Application Event Log messages, since there isn’t

likely to be ’more information in the error log’ before an error log

has been opened. [William Rowe]

*) Win32: substantial cleanup to the mpm_winnt code for legibility and

to follow the program flow of other MPMs. [Ryan Bloom, William Rowe]

*) Win32: apache -k shutdown now behaves like apache -k stop.

[Bill Stoddard]

*) Fix prefork to not kill the parent if a child hits a resource shortage

on accept(). [Greg Ames]

*) Fix seg faults that occur when what should be the httpd request line

starts with \r\n followed by garbage. [Greg Ames]

*) Allow statically linked support binaries with the new

--enable-static-support flag, and enable this behavior in

the binbuild script. Also add a new --enable-static-htdbm

flag. [Aaron Bannert]

*) Allow mod_autoindex to serve symlinks if permitted and attempt to

do only one stat() call when generating the directory listings.

[Justin Erenkrantz]

*) Fix resolve_symlink to save the original symlink name if known.

[Justin Erenkrantz]

*) Be a bit more sane with regard to CanonicalNames. If the user has

specified they want to use the CanonicalName, but they have not

configured a port with the ServerName, then use the same port that

the original request used. [Ryan Bloom and Ken Coar]


*) In core_input_filter, check for an empty brigade after

APR_BRIGADE_NORMALIZE(). Otherwise, we can get segfaults if a

client says it will post some data but we get FIN before any

data arrives. [Jeff Trawick]

*) Not being able to bind to the socket is a fatal error. We should

print an error to the console, and return a non-zero status code.

With these changes, all of the Unix MPMs do that correctly.

[Ryan Bloom]

*) suexec: Allow HTTPS and SSL_* environment variables to be passed

through to CGI scripts. PR 9163

[Brian Reid ,

Zvi Har’El ]

*) binbuild.sh: Make sure that we use the expat from our source

tree so that there aren’t any surprises on the target machine.

[Jeff Trawick]

*) mod_cgid: Add retry logic for when the daemon can’t fork fast

enough to keep up with new requests. Start using

HTTP_SERVER_UNAVAILABLE instead of HTTP_INTERNAL_SERVER_ERROR

when we can’t talk to the daemon. [Jeff Trawick]

*) apxs: LTFLAGS envvar can override default libtool options. Try

"LTFLAGS=’ ’ apxs -c mod_foo.c" to see what libtool does under

the covers. [Jeff Trawick]

*) The Location: response header field, used for external

redirect, *must* be an absoluteURI. The Redirect directive

tested for that, but RedirectMatch didn’t -- it would allow

almost anything through. Now it will try to turn an abs_path

into an absoluteURI, but it will correctly varf like Redirect

if the final redirection target isn’t an absoluteURI. [Ken Coar]

Changes with Apache 2.0.31

*) Create the scoreboard (in the parent) in a global pool context,

so it survives graceful restarts. This fixes a SEGV during

graceful restarts. [Aaron Bannert]

*) Add a timeout option to the proxy code ’ProxyTimeout’

[Ian Holsman]

*) FTP directory listings are now always retrieved in ASCII mode.

The FTP proxy properly escapes URI’s and HTML in the generated

listing, and escapes the path components when talking to the FTP

server. It is now possible to browse the root directory by using

a url like: ftp://user@host/%2f/ (ported from apache_1.3.24)

Also, the last path component may contain wildcard characters

’*’ and ’?’, and if they do, a directory listing is created instead

of a file retrieval. Example: ftp://user@host/httpd/server/*.c

[Martin Kraemer]

*) Added single-listener unserialized accept support to the

worker MPM [Brian Pane]

*) New Directive for mod_proxy: ’ProxyPreserveHost’. This passes

the incoming host header through to the proxied server


[Geoff ]

*) New Directive Option for ProxyPass. It now can block a location

from being proxied [Jukka Pihl ]

*) Don’t let the default handler try to serve a raw directory. At

best you get gibberish. Much worse things can happen depending

on the OS. [Jeff Trawick]

*) Change the pre_config hook to return a value. Modules can now emit

an error message and then cause the server to quit gracefully during

startup. This required a bump to the MMN. [Aaron Bannert]

*) Fix some unix socket descriptor leaks in the handler side of

mod_cgid (the part that runs in the server process). Whack a

silly "close(-1)" in the handler too. [Jeff Trawick]

*) Change the pre_mpm hook to return a value, so that scoreboard

init errors percolate up to code that knows how to exit

cleanly. This required a bump to the MMN. [Jeff Trawick]

*) Add the socket back to the conn_rec and remove the create_connection

hook. The create_connection hook had a design flaw that did not

allow creating connections based on vhost info. [Bill Stoddard]

*) Fixed PATH_INFO and QUERY_STRING from mod_negotiation results.

Resolves the common case of using negotation to resolve the request

/script/foo for /script.cgi/foo. [William Rowe]

*) Added new functions ap_add_(input|output)_filter_handle to

allow modules to bypass the usual filter name lookup when

adding hard-coded filters to a request [Brian Pane]

*) caching should now work on subrequests (still very experimental)

[Ian Holsman]

*) The Win32 mpm_winnt now has a shared scoreboard. [William Rowe]

*) Change ap_get_brigade prototype to use apr_off_t instead of apr_off_t*.

[Justin Erenkrantz]

*) Refactor ap_rgetline so that it does not use an internal brigade.

Change ap_rgetline’s prototype to return errors. [Justin Erenkrantz]

*) Remove mod_auth_db. [Justin Erenkrantz]

*) Do not install unnecessary pcre headers like config.h and internal.h.

[Joe Orton ]

*) Change in quick_hanlder behavior for subrequests. it now passes DONE

(as it does for a normal request). quick_handled sub-requests now work

in mod-include [Ian Holsman]

*) Change SUBREQ_CORE so that it is a ’HTTP_HEADER’ filter instead of

’CONTENT’ one, as it needs to run AFTER all content headers

*) Rename BeOS MPM directive RequestsPerThread to MaxRequestsPerThread.

[Lars Eilebrecht]

*) Split out blocking from the mode in the input filters.


[Justin Erenkrantz]

*) Fix a segfault in mod_include. [Justin Erenkrantz, Jeff Trawick]

*) Cause Win32 to capture all child-worker process errors in

Apache to the main server error log, until the child can

open its own error logs. [William Rowe]

*) HPUX 11.*: Do not kill the child process when accept()

returns ENOBUFS on HPUX 11.*. (ported from th 1.3 patch)

[Madhusudan Mathihalli , Bill Stoddard]

*) Fix a problem in the parsing of the directive.

[Jeff Trawick]

*) rewrite of mod_ssl input filter for better performance and less

memory usage [Doug MacEachern]

*) allow quick_handler to be run on subrequests. [Ian Holsman]

*) mod_dav now asks its provider to place content directly into the

filter stack when handling a GET request. The mod_dav/provider

API has changed, so providers need to be updated. [Greg Stein]

*) Clear the output socket descriptor in unixd_accept() to make sure

we don’t supply a bogus socket to the caller if the accept fails.

This caused problems with the worker MPM, which tried to process

the returned socket if it was non-NULL. [Brian Pane]

*) Move a check for an empty brigade to the start of core input filter

to avoid segfaults. [Justin Erenkrantz, Jeff Trawick]

*) Add FileETag directive to allow configurable control of what

data are used to form ETag values for file-based URIs. MMN

bumped to 20020111 because of fields added to the end of

the core_dir_config structure. [Ken Coar]

*) Fix a segfault in mod_rewrite’s logging code caused by passing the

wrong config to ap_get_remote_host(). [Jeff Trawick]

*) Allow mod_cgid to work from a binary distribution install by

using 755 for the permissions on the log directory instead of

750. [Jeff Trawick]

*) Fixed a segfault that happened during graceful shutdown (or when

the httpd ran out of file descriptors) with the worker MPM [Brian Pane]

*) Split all Win32 modules [excluding the core components mod_core,

mod_so, mod_win32 and the winnt mpm] into individual loadable

modules, so the administrator may individually disable the former

compiled-in modules by simply commenting out their LoadModule

directives. [William Rowe]

*) Saved Win32 module authors and porters many future headaches, by

duplicating the appropriate .h files such as os.h into the include

directory, including in the build tree. [William Rowe]

*) mod_ssl adjustments to help with using toolkits other than OpenSSL:

Use SSL functions/macros instead of directly dereferencing SSL

structures wherever possible.


Add type-casts for the cases where functions return a generic pointer.

Add $SSL/include to configure search path.

[Madhusudan Mathihalli ]

*) Moved several pointers out of the shared Scoreboard so it is

more portable, and will present the vhost name across server

generation restarts. [William Rowe]

*) Fix SSLPassPhraseDialog exec: and SSLRandomSeed exec:

[Doug MacEachern]

Changes with Apache 2.0.30

*) Fix the main bug for FreeBSD and threaded MPM’s. There are

still issues (see STATUS) but at least the server will now

run without crashing the machine.

[David Reid, Aaron Bannert, Justin Erenkrantz]

*) Fix a typo in mod_deflate’s m4 config section.

[albert chin ]

*) Fix a couple of mod_proxy problems forwarding HTTP connections

and handling CONNECT:

(1) PR #9190 Proxy failed to connect to IPv6 hosts.

(2) Proxy failed to connect when the first IP address returned by

the resolver was unreachable but a secondary IP address was.

[Jeff Trawick]

*) Fix the module identifer as shown in the docs for various core

modules (e.g., the identifer for mod_log_config was previously

listed as config_log_module). PR #9338

[James Watson ]

*) Fix LimitRequestBody directive by placing it in the HTTP

filter. [Justin Erenkrantz]

*) Fix mod_proxy seg fault when the proxied server returns

an HTTP/0.9 response or a bogus status line.

[Adam Sussman]

*) Prevent mod_proxy from truncating one character off the

end of the status line returned from the proxied server.

[Adam Sussman, Bill Stoddard]

*) Eliminate loop in ap_proxy_string_read().

[Adam Sussman, Bill Stoddard]

*) Provide $0..$9 results from mod_include regex parsing.

[William Rowe]

*) Allow mod-include to look for alternate start & end tags [Ian Holsman]

*) Introduced the ForceLanguagePriority directive, to prevent

returning MULTIPLE_CHOICES or NONE_ACCEPTABLE in some cases,

when using Multiviews. [William Rowe]

*) Fix a problem which prevented mod_cgid and suexec from working

together reliably [Greg Ames]

*) Remove the call to exit() from within mod_auth_digest’s post_config


phase. [Aaron Bannert]

*) Fix a problem in mod_auth_digest that could potentially cause

problems with initialized static data on a system that uses DSOs.

[Aaron Bannert]

*) Fix a segfault in the worker MPM that could happen during

child process exits. [Brian Pane, Aaron Bannert]

*) Allow mod_auth_dbm to handle multiple DBM types [Ian Holsman]

*) Fix matching of vhosts by ip address so we find IPv4

vhost address when target address is v4-mapped form of

that address. [Jeff Trawick]

*) More performance tweaks to the BNDM string-search algorithm

used to find "


[Aaron Bannert]

*) The worker MPM now respects the LockFile setting, needed to

avoid locking problems with NFS. [Jeff Trawick]

*) Fix segfault when worker MPM receives SIGHUP.

[Ian Holsman, Aaron Bannert, Justin Erenkrantz]

*) Fix bug that could potentially prevent the perchild MPM from

working with more than one vhost/uid. [Aaron Bannert]

*) Change make install and apxs -i processing of DSO modules to

perform special handling on platforms where libtool doesn’t install

mod_foo.so. This fixes some wonkiness on HP-UX, Tru64, and AIX

which prevented standard LoadModule statements from working.

[Jeff Trawick]

*) Whenever mod_so is enabled (not just when there are DSOs for

our modules), do whatever special magic is required for compiling/

loading third-party modules. This allows third-party DSOs to

be used on an AIX build when there were no built-in modules

built as DSOs. (This should help on OS/390 and BeOS as well.)

[Jeff Trawick]

*) Allow apxs to be used to build DSOs on AIX without requiring the

user to hard-code the list of import files. (This should help

on OS/390 and BeOS as well.) [Jeff Trawick]

*) Resolved segfault in mod_isapi when configuring with ISAPICacheFile.

PR 8563, 8919 [William Rowe]

*) Get binary builds working when libapr and libaprutil are built

shared [Greg Ames]

*) Get shared builds of libapr and libaprutil, as well as Apache DSOs,

working on AIX. [Aaron Bannert, Dick Dunbar ,

Gary Hook , Victor Orlikowski, Jeff Trawick]

*) Fix the handling of SSI directives in which the ">" of the

terminating "-->" is the last byte in a file [Brian Pane]

*) Add back in the "suEXEC mechanism enabled (wrapper: /path/to/suexec)"

message that we had back in apache-1.3 and still have scattered

throughout our docs. [Aaron Bannert]

*) Prevent the Win32 port from continuing after encountering an

error in the command line args to apache. [William Rowe]

*) On a error in the proxy, make it write a line to the error log

[Ian Holsman]

*) Various mod_ssl performance improvements [Doug MacEachern]

Changes with Apache 2.0.29

*) Add buffering in core_output_filter to ensure that long

lists of small buckets don’t cause small packet writes.

[Brian Pane, Ryan Bloom]

*) Fix the installation target to make sure that the manual is


installed in the correct location.

[Yoshifumi Hiramatsu and

Gomez Henri ]

*) Fix the cmd command for mod_include. When we are processing

a cmd command, we do not want to use the r->filename to set

the command name. The command comes from the SSI tag. To do this,

I added a variable to the function that builds the command line

in mod_cgi. This allows the include_cmd function to specify

the command line itself. [Ryan Bloom]

*) Change open_logs hook to return a value, allowing you

to flag a error while opening logs

[Ian Holsman, Doug MacEachern]

*) Change post_config hook to return a value, allowing you

to flag a error post config

[Ian Holsman, Jeff Trawick]

*) Allow SUEXEC_BIN (the path to the suexec binary that is

hard-coded into the server) to be specified to the configure

script by the --with-suexec-bin parameter. [Aaron Bannert]

*) Fix segv in worker MPM following accept on pipe-of-death

[Brian Pane]

*) Add mod_deflate to experimental.

[Ian Holsman, Justin Erenkrantz]

*) Bail out at configure time if an invalid MPM was specified.

[jean-frederic clere ]

*) Prevent segv in ap_note_basic_auth_failure() when no AuthName is

configured [John Sterling ]

*) Fix apxs to use sbindir. [Henri Gomez ]

*) Fix a problem with IPv6 vhosts. PR #8118 [Jeff Trawick]

*) Optimization for the BNDM string-search function in

mod_include. [Brian Pane]

*) Fixed the behavior of the XBitHack directive.

[Taketo Kabe , Cliff Woolley] PR#8804

*) The threaded MPM for Unix has been removed. Use the worker

MPM instead. [various]

*) APR-ize the resolver logic in mod_unique_id. This fixes a bug

in logging the error from a failed DNS lookup. [Jeff Trawick]

*) Added the missing macros AP_INIT_TAKE13 and AP_INIT_TAKE123.

[Cliff Woolley]

*) Get mod_cgid killed when a MPM exits due to a fatal error.

[Jeff Trawick]

*) Fix a file descriptor leak in mod_include. When we include a

file, we use a sub-request, but we didn’t destroy the sub-request

immediately, instead we waited until the original request was


done. This patch closes the sub-request as soon as the data is

done being generated. [Brian Pane ]

*) Allow modules that add sockets to the ap_listeners list to

define the function that should be used to accept on that

socket. Each MPM can define their own function to use for

the accept function with the MPM_ACCEPT_FUNC macro. This

also abstracts out all of the Unix accept error handling

logic, which has become out of synch across Unix MPMs.

[Ryan Bloom]

*) Fix a bug which would cause the response headers to be omitted

when sending a negotiated ErrorDocument because the required

filters were attached to the wrong request_rec.

[John Sterling ]

*) Remove commas from the end of the macros that define

directives that are used by MPMs. Prior to this patch,

you would use these macros without commas, which was unlike

the macros for any other directives. Now, the caller provides

the comma rather than the macro providing it. This makes

the macros look more like the rest of the directives.

[Ryan Bloom and Cliff Woolley]

*) Add ’redirect-carefully’ environment option to disable sending

redirects under special circumstances. This is helpful for

Microsoft’s WebFolders when accessing a directory resource via

DAV methods. [Justin Erenkrantz]

*) Begin to abstract out the underlying transport layer.

The first step is to remove the socket from the conn_rec,

the server now lives in a context that is passed to the

core’s input and output filters. This forces us to be very

careful when adding calls that use the socket directly,

because the socket isn’t available in most locations.

[Ryan Bloom]

*) Really reset the MaxClients value in worker and threaded

when the configured value is not a multiple of the number

of threads per child. We said we did previously but we

forgot to. [Jeff Trawick]

*) Add Debian layout. [Daniel Stone ]

*) If shared modules are requested and mod_so is not available,

produce a fatal config-time error. [Justin Erenkrantz]

*) Improve http2env’s performance by cutting the work it has to

do. [Brian Pane ]

*) use new ’apr_hash_merge’ function in mod_mime (performance fix)

[Brian Pane ]

Changes with Apache 2.0.28

*) Fix infinite loop in mod_cgid.c.

[Dale Ghent , Brian Pane ]

*) When no port is given in a "ServerName host" directive, the

server_rec->port is now set to zero, not 80. That allows for


un-time deduction of the correct server port (depending on

SSL/plain, and depending also on the current setting of

UseCanonicalName). This change makes redirections

work, even with https:// connections. As in Apache-1.3, the

connection’s actual port number is never used, only the ServerName

setting or the client’s Host: setting. Documentation updated

to reflect the change. [Martin Kraemer]

*) Add a ’%{note-name}e’ argument to mod-headers, which works in

the same way as mod_log_confg. [Ian Holsman]

*) Fix the spelling of the AP_MPMQ_MIN_SPARE_DAEMONS and

AP_MPMQ_MAX_REQUESTS_DAEMON macros in ap_mpm.h and all standard

MPMs. [Cliff Woolley]

*) Introduce htdbm, a user management utility for db/dbm authorization

databases. [Mladen Turk ]

*) Optimize usage of strlen and strcat in ap_directory_walk.

[Brian Pane ]

Changes with Apache 2.0.27

*) Introduce an Apache mod_ssl initial configuration template

(ssl.conf, generated from ssl-std.conf). [Ralf S. Engelschall]

*) Fixed a memory leak in the getline parsing code that could

be triggered by arbitrarily large header lines. Requests

from the core input filter for single lines are now limited

to HUGE_STRING_LEN (8192 bytes). [Aaron Bannert]

*) Fix a truncation bug in how we print the port on the Via: header.

The routine that prints the Via: header now takes a length for

the port string. [Zvi Har’El ]

*) Some syntax errors in mod_mime_magic’s magic file can result

in a 500 error, which previously was unlogged. Now we log the

error. [Jeff Trawick]

*) Add the support/checkgid helper app, which checks the run-time

validity of group identifiers usable in the Group directive.

[Ken Coar]

*) Various --enable-so options have been fixed: --enable-so is

treated as "static"; explicit --enable-so=shared issues an error;

and explicit --enable-so fails with error on systems without

APR_HAS_DSO. [Aaron Bannert]

*) Fix a segfault in the core input filter when the client socket

gets disconnected unexpectedly. [Cliff Woolley]

*) Fix the reporting for child processes that die. This removes

all of the non-portable W* macros from Apache.

[Jeff Trawick and Ryan Bloom]

*) Win32: Track and display "Parent Server Generation:" in

mod_status output. The generation will be bumped at

server graceful restart, when the child process exits

by hitting MaxRequestsPerChild or if the child

process exits abnormally. [Bill Stoddard]


*) Win32: Fix problem where MaxRequestsPerChild directive was

not being picked up in favor of the default. Enable

the parent to start up a new child process immediately upon

the old child starting shutdown.

[Bill Stoddard]

*) Fix some bungling of the remote port in rfc1413.c so that

IdentityCheck retrieves the proper user id instead of failing

and thus always returning "nobody."

[Dick Streefland ]

*) Introduced thread saftey for mod_rewrite’s internal cache.

[Brian Pane ]

*) Simplified mod_env’s directives to behave as most directives are

expected, in that UnsetEnv will not unset a SetEnv and PassEnv

directive following that UnsetEnv within the same container.

Also provides a runtime startup warning if a PassEnv configured

environment value is undefined. [William Rowe]

*) The worker MPM is now completely ported to APR’s new lock API. It

uses native APR types for thread mutexes, cross-process mutexes,

and condition variables. [Aaron Bannert]

*) Sync up documentation to remove all references to the now deprecated

Port directive. [Justin Erenkrantz]

*) Moved all ldap modules from the core to httpd-ldap sub-project

[Ryan Bloom]

*) Exit when we can’t listen on any of the configured ports. This

is the same behavior as 1.3, and it avoids having the MPMs to

deal with bogus ap_listen_rec structures. [Jeff Trawick]

*) Cleanup the proxy code that creates a request to the origin

server. This change adds an optional hook, which allows modules

to gain control while the request is created if the proxy module

is loaded. The purpose of this hook is to allow modules to add

input and/or output filters to the request to the origin. While

I was at it, I made the core use this hook, so that proxy request

creation uses some of the code from the core. This can still be

greatly improved, but this is a good start. [Ryan Bloom]

Changes with Apache 2.0.26

*) Port the MaxClients changes from the worker MPM to the threaded

MPM. [Ryan Bloom]

*) Fix mod_proxy so that it handles chunked transfer-encoding and works

with the new input filtering system. [Justin Erenkrantz]

*) Introduce the MultiviewsMatch directive, to allow the operator

to be flexible in recognizing Handlers and Filters filename

extensions as part of the Multiviews matching logic, strict with

MultiviewsMatch NegotiatedOnly to accept only filename extentions

that designate negotiated parameters, (content type, charset, etc.)

or MultiviewsAll for the 1.3 behavior of matching any files, even

if they have unregistered extensions. [William Rowe]


*) Fixed the configure script to add a LoadModule directive to

the default httpd.conf for any module that was compiled

as a DSO. [Aaron Bannert ]

*) rewrite mod_ssl input filtering to work with the new input filtering

system. [Justin Erenkrantz]

*) prefork: Don’t segfault when we are able to listen on some but

not all of the configured ports. [Jeff Trawick]

*) Build mod_so even if no core modules are built shared.

[Aaron Bannert ]

*) Introduce ap_directory_walk rewrite (with further optimizations

required) to adapt to the ap_process_request_internal() changes.

Optimized so subrequests and redirects now reuse previous section

merges, until we mismatch with the original directory_walk, and

precomputed r->finfo results will cause directory_walk to skip

the most expensive phases of the function. [William Rowe]

*) Allow ApacheMonitor to connect to and control Apache on other

WinNT/2K machines. [Mladen Turk ]

*) Remove the Port directive. In it’s place, the Listen directive

is now a required directive, which tells Apache what port to

listen on. The ServerName directive has also been extended

to accept an optional port. If the port is specified to the

ServerName, the server will report that port whenever it

reports the port that it is listening on. This change was

made to ease configuration errors that stem from having a Port

directive, and a Listen directive. In that situation, the server

would only listen to the port specified by the Listen command,

which caused a lot of confusion to users. [Ryan Bloom]

*) Added mod_mime_magic, mod_unique_id and mod_vhost_alias to the Win32

build, as loadable modules. [William Rowe]

*) Fix --enable-mods-shared processing. If most is specified,

then all modules that can be compiled as shared modules are.

[Aaron Bannert ]

*) Update the mime.types file to map video/vnd.mpegurl to mxu

and add commonly used audio/x-mpegurl for m3u extensions.

[Heiko Recktenwald , Lars Eilebrecht]

*) Eliminate the depreciated r->content_language, in favor of the array

r->content_languages introduced many years ago. Module authors must

substantially overhaul their modules, so this needs to be upgraded

if the module still relied on backwards-brokeness. [William Rowe]

*) Allow configure help strings to work with autoconf 2.50+ and 2.13.

[Justin Erenkrantz]

*) Rewrite the input filtering mechanisms to consolidate and reorganize

code. In short, core_input_filter does something now and

ap_http_filter is now only concerned with HTTP. [Justin Erenkrantz]

*) Update the Win32 build to re-absorb mod_proxy and family.

[William Rowe]


*) Resolved the build failure on Win32 using MSVC 5.0 (without the

current SDK.) [William Rowe]

*) Some style changes to the code that does ProxyErrorOverride. Fixed

config merge behaviour. [Graham Leggett]

*) Allow support programs to be compiled against a static version

of libapr. This allows the smaller support programs to be

relocated. [Aaron Bannert ]

*) Update the mime.types file to the registered media types as

of 2001-09-25, and add mapping for xsl extension [Mark Cox]

*) Fix MaxClients in the Worker MPM, so that it specifies the maximum

number of clients that can connect at the same time, instead of

specifying the maximum number of child processes.

[Aaron Bannert ]

*) Switch proc_pthread AcceptMutex configuration directive to pthread to

be consistent with 1.3. [Justin Erenkrantz]

*) Cache apr_explode_localtime() value for 15 seconds.

[Brian Pane ]

*) Fix mod_include to not return ETag or Last-Modified headers.

[Ian Holsman ]

*) Fix worker MPM’s scoreboard logic. [Aaron Bannert ]

*) Eliminate the wasteful run-time conversion of method names from strings

to numbers in places where the methods are known at compile time.

[Brian Pane ]

*) Turn the worker MPM’s queue into a LIFO. This may

improve cache-hit performance under some conditions.

[Aaron Bannert ]

*) Switch back to SIGUSR1 for graceful restarts on all platforms that

support it. [Justin Erenkrantz]

*) Cleanup the worker MPM. We no longer re-use transaction

pools. This incurs less overhead than shuffling the pools

around so that they can be re-used. Remove one of the

queue’s condition variables. We just redefined the API to

state that you can’t try to add more stuff than you allocated

segments for. [Aaron Bannert ]

*) Fix SSL VPATH builds [Cody Sherr ]

*) Fixed persistent connections when a request contains a body.

[Greg Stein]

*) mod_dav uses a new API to speak to the backend provider for dead

property management. [Greg Stein]

*) Remove the Win32 script-processing exception from mod_cgi, and

roll build_command_line/build_argv_list into a unified, overrideable

ap_cgi_build_command optional function. [William Rowe]

*) Rewrite find_start_sequence to use a better search algorithm


to find the start tag. [Justin Erenkrantz]

*) Fix a seg fault in mod_include. When we are generating an

internal redirect, we must set r->uri to "", not a bogus

string, and not NULL. [Ryan Bloom]

*) Optimized location_walk, so subrequests, redirects and second passes

now reuse previous section merges on a by

basis, until we mismatch with the original location_walk.

[William Rowe]

*) Back out the 1.45 change to util_script.c. This change made

us set the environment variable REQUEST_URI to the redirected

URI, instead of the originally requested URI.

[Taketo Kabe ]

*) Make mod_include do lazy evaluation of potentially expensive to

compute variables. [Brian Pane ]

*) Fix logging of bytes sent for HEAD requests. %b and %B should

log either - or 0, before this patch, they were both logging

the file size. [Taketo Kabe ]

*) Make mod_include check for BYTE_CHECK_THRESHOLD per bucket rather

than per character. [Brian Pane ]

*) Normalize the primary request, redirects and sub-requests to

run the same ap_process_request_internal for consistency in

robustness, behavior and security. [William Rowe]

*) Fix a segfault with mod_include when r->path_info is not set

(which is the case with mod_proxy). [Ian Holsman ]

*) Add -X functionality back. This indicates to all MPMs and any other

part of Apache that it should run in "debug" mode. [Justin Erenkrantz]

*) Some initial support for the cygwin platform [prefork only].

This is not to be confused with support for the WinNT/Win32

platform, which is the recommended configuration for native

Win32 users. The cygwin platform support is recommended for

cygwin platform users. [Stipe Tolj ]

*) Changed syntax of Set{Input|Output}Filter. The list of filters

must be semicolon delimited (if more than one filter is given.)

The Set{Input|Output}Filter directive now overrides a parent

container’s directive (e.g. SetInputFilter in

will override any SetInputFilter directive in .)

This new syntax is more consistent with Add{Input|Output}Filter

directives defined in mod_mime. Also cures a bug in prior releases

where the Set{Input|Output}Filter directive would corrupt the

global configuration if the multiple directives were nested.

[William Rowe]

*) Cured what’s ailed mime for quite some time. If an AddSomething

was given in the configuration (Language, Charset, Handler or

Encoding) Apache would set the content type as given by AddType,

but refused to check the mime.types file if AddType wasn’t given

for that specific extension. Setting the AddHandler for .html

without setting the AddType text/html html would cause Apache to

use the default content type. [William Rowe]


*) Added some bulletproofing to memory allocation in the LDAP cache

code. [Graham Leggett]

Changes with Apache 2.0.25

*) Move the installed /manual directory out of the /htdocs/ tree, so

that it can be kept more independently from the remaining document

root. The "Alias /manual ..." already allowed for easy projection

into existing private document trees. [Martin Kraemer]

*) Add specified user attributes to the environment when using

mod_auth_ldap. This allows you to use mod_include to embed specified

user attributes in a page like so:

Hello , how are you?

[Graham Leggett]

*) Fix a performance problem with the worker MPM. We now create

transaction pools once, and re-use them for each connection.

[Aaron Bannert ]

*) Modfied mod_mime to prevent mod_negotation from serving a multiview

of a ’handler’ or ’filter’, so that any filename extension that does

not contribute to the negotiated metadata can’t be served without

an explicit request. E.g., if the .Z extension is associated with

an unzip filter, the user request somefile.Z.html, mod_negotiation

won’t serve it. It can serve somefile.Z.html when somefile.Z is

requested, since the .Z extension is explictly requested, if the

.html extension is associated with ContentType text/html.

[William Rowe]

*) Introduce the AddInputFilter filter[;filter...] ext [ext...]

and corresponding AddOutputFilter syntax, to insert one or more

filters by mod_mime filename extension processing.

[William Rowe]

*) Fix a growing connection pool in core_output_filter() for

keepalive requests. [Jeff Trawick]

*) Moved split_and_pass_pretag_buckets back to being a

macro at Ryans’s request. Removed the return from it

by setting and returning a return code instead. Updated

the code to check the return code from the macro and

do the right thing. [Paul J. Reder]

*) Fix a segfault when a numeric value was received for Host:.

[Jeff Trawick]

*) Add a function ap_remove_input_filter. This is to match

up with ap_remove_output_filter. [Ryan Bloom]

*) Clean up location_walk, so that this step performs a minimum

amount of redundant effort (it must be run twice, but it will no

longer reparse all blocks when the request uri

hadn’t changed.) [William Rowe]

*) Eliminate proxy: (and all other ’special’) processing from the

ap_directory_walk() phase. Modules that want to use special

walk logic should refer to the mod_proxy map_to_location example,

with it’s proxy_walk and proxysection implementation. This makes


either directory_walk flavor much more legible, since that phase

only runs against real blocks.

[William Rowe]

*) SECURITY: Fix a security problem in mod_include which would allow

an SSI document to be passed to the client unparsed.

[Cliff Woolley, Brian Pane]

*) Introduce the map_to_storage hook, which allows modules to bypass

the directory_walk and file_walk for non-file requests. TRACE

shortcut moved to http_protocol.c as APR_HOOK_MIDDLE, and the

directory_walk/file_walk happen as APR_HOOK_VERY_LAST in core.c.

[William Rowe]

*) Add the ability for mod_include to add the INCLUDES filter

if the file is configured for the server-parsed handler.

This makes the configuration for .shtml files much easier

to understand, and allows mod_include to honor Apache 1.3

config files. Based on Doug MacEachern’s patch to PHP

to do the same thing. [Ryan Bloom]

*) force OpenSSL to ignore process local-caching and to always

get/set/delete sessions using mod_ssl’s callbacks

[Madhusudan Mathihalli ,

Geoff Thorpe ]

*) Make the worker MPM shutdown and restart cleanly. This also

cleans up some race conditions, and gets the worker using

pools more cleanly. [Aaron Bannert ]

*) Implement CRYPTO_set_locking_callback() in terms of apr_lock

for mod_ssl

[Madhusudan Mathihalli ]

*) Fix for mod_include. Ryan’s patch to check error

codes put a return in the wrong place. Also, the

include handler return code wasn’t being checked.

I don’t like macros with returns, so I converted

SPLIT_AND_PASS_PRETAG_BUCKETS into a function.

[Paul J. Reder ]

*) fix segv in mod_mime if no AddTypes are configured

[John Sterling ]

*) Enable ssl client authentication at SSL_accept time

[Madhusudan Mathihalli ]

*) Fix a segfault in mod_include when the original request has no

associated filename (e.g., we’re filtering the error document for

a bad URI). [Jeff Trawick]

*) Fix a storage leak (a strdup() call) in mod_mime_magic. [Jeff Trawick]

*) The prefork and OS/2 MPMs are overwriting the pid file when a second copy

of httpd is started and shuts down due to socket conflict. Moving the

call to ap_log_pid solves the problem.

*) Changed the late-1.3 log_config substitution %c to %X, to log the

status of the closed connection, as it conflicts with the far more

common, historical ssl logging directive %...{var}c. [William Rowe]


*) Added the common error/ tree to the build/install targets

(similar to the common icons/ tree) for the multi-language error

messages that Lars committed earlier. [William Rowe]

*) Added a multi process, multi threaded OS/2 MPM mpmt_os2. [Brian Havard]

*) Added a default commented-out mod_ldap and mod_auth_ldap

configuration to httpd-std.conf and httpd-win.conf

[Graham Leggett]

*) Added documentation for mod_ldap and mod_auth_ldap.

[Graham Leggett]

*) Enabled negative caching on attribute comparisons in the LDAP cache.

Fixed a problem where the default cache TTL was set in milliseconds

not microseconds causing the cache to time out almost immediately.

[Graham Leggett]

*) Fixed all the #if APR_HAS_SHARED_MEMORY checks within the LDAP

module code to follow APR. [Graham Leggett]

*) Fixed LDAP cleanup on graceful restarts. LDAP connections are now

cleaned up when the connection pool pool is cleaned up.

[Graham Leggett]

*) Fix a minor issue with Jeff Trawick’s mod_include

patch. Without this patch, the code will just allocate

more bytes in get_combined_directive than are needed.

[Paul Reder]

*) Added the LDAP authentication module mod_auth_ldap.

[Dave Carrigan , Graham Leggett]

*) Added the LDAP cache and connection pooling module mod_ldap.

[Dave Carrigan , Graham Leggett]

*) Fix --enable-modules=all breakage with mod_auth_db and mod_auth_digest

by allowing a module to disable itself if its prerequisites are not

met. [Justin Erenkrantz]

Changes with Apache 2.0.24

*) Fix a couple of issues in mod_include when the tag appeared at

offsets near 8192 in the file being parsed. [Jeff Trawick]

*) Fix an assertion failure in mod_ssl when the keepalive timeout is

reached. [Jeff Trawick]

*) Numerous improvements to the Win32 build system. Introduced command line

builds without requiring .mak files for MSVC 6.0 and later versions.

Improved .dsp file compatibility for both Visual Studio 5.0 and 6.0 users.

[William Rowe]

*) Assorted corrections and improvements to the winnt_mpm startup code. Better

reporting of uninstalled services and other error conditions, and changed the

default service name to Apache2. [William Rowe]

*) Numerous improvements to the Win32 ApacheMonitor utility, including winnt_mpm

compatibility with existing Apache 1.3 Win32 Apache management utilites.


[Mladen Turk , William Rowe]

*) Fixed the segfaults in mod_mime introduced by hash tables in 2.0.20.

[William Rowe, Greg Ames]

*) Rounded out the mod_mime Add/Remove pairs by adding RemoveLanguage

and RemoveCharset directives. [William Rowe]

*) The Unix MPMs other than perchild now allow child server

processes to use the accept mutex when starting as root and

using SysV sems for the accept mutex. Previously, this

combination would lead to fatal errors in the child server

processes. perchild can’t use SysV sems because of security

issues. [Jeff Trawick, Greg Ames]

*) Added Win32 revision stamp resources to all http binaries

(including modules/ and support/ tools.) PR7322 [William Rowe]

*) Fix ap_rvprintf to support more than 4K of data at one time.

[Cody Sherr ]

*) We have always used the obsolete/deprecated Netscape syntax

for our tracking cookies; now the CookieStyle directive

allows the Webmaster to choose the Netscape, RFC2109, or

RFC2965 format. The new CookieDomain directive allows the

setting of the cookie’s Domain= attribute, too. PR #s 5006,

5023, 5920, 6140 [Ken Coar]

*) Tweak server/Makefile so that the rules for generating exports.c

are compatible with make utilities which don’t expand wildcards

in a dependency list (e.g., OS/390 make, certain levels of GNU

make). [Jeff Trawick]

*) Install the SSL headers. [John Sterling ]

*) Begin to sanitize the MPM configuration directives. Now, all

MPMs use the same functions for all common MPM directives. This

should make it easier to catch all bugs in these directives once.

[Cody Sherr ]

*) Close a major resource leak. Every time we had issued a

graceful restart, we leaked a socket descriptor.

[Ryan Bloom]

*) Fix a problem with the new method code. We need to cast

the 1 to an apr_int64_t or it will be treated as a 32-bit

integer, and it will wrap after being shifted 32 times.

[Cody Sherr and Ryan Morgan ]

*) Fix a bug in mod_expires. Previous to this patch, if you

told mod_expires to add 604800 seconds to the last-modified

time, it actually added 604800 usec’s to the last-modified time,

so that when looking at the response it looked like nothing

had been done. The root of the problem was that we always compute

time in usec’s, but we ask users to input sec’s. This means we

need to convert to usec’s before using those values.

[Ryan Bloom]

*) The worker MPM now handles shutdown and restart requests. It

definitely isn’t perfect, but we do stop the servers correctly.


The biggest problem right now is that SIGHUP causes the server to

just die. [Ryan Bloom]

Changes with Apache 2.0.23

*) Use the prefork MPM by default on Unix. [various]

*) Added a systray icon monitor application for Win32.

[Mladen Turk ]

*) mod_rewrite: Fix the line ending on some non-Unix systems for

messages written to the rewrite log.

[Richard Labennett ]

*) All mod_autoindex query parsing is now quietly quashed with the

IndexOption IgnoreClient. The IndexOption SuppressColumnSorting

still drops the column sort ’s for the column headers, but

IgnoreClient is required to ignore these Query options entirely.

[William Rowe]

*) Introduced new mod_autoindex query argument parsing for F=[0|1|2]

to allow the client to select plain, FancyIndexing or HTMLTable

formatting, V=[0|1] to inhibit or enable version sorting, and

P=pattern to return only specific files. The old Query Arguments

were reorganized as C=f for sorting column ’f’ (same N, D, S, or M

as before), and O=A|D for ordering ascending or descending.

[William Rowe]

*) Fixed an error in mod_include’s directive parsing routines which

caused #if, #elif, and #else expressions containing backslashes

to be improperly evaluated. [Cliff Woolley]

*) Introduced new mod_autoindex IndexOptions flags: SuppressIcon to

drop the icon column, SuppressRules to drop the elements,

and HTMLTable to create rudimentary HTML table listings (implies

FancyIndexing). [William Rowe]

*) Re-introduced the mod_autoindex IndexOptions flag TrackModified

from Apache 1.3.15. This is needed for two reasons, first, given

multiple machines within a server farm, ETags and Last-Modified

stamps won’t correspond from machine to machine, and second, many

Unixes don’t capture changes to the date or time stamp of existing

files, since these don’t modify the dirent itself. [William Rowe]

*) Re-introduced the mod_autoindex IndexOptions flag FoldersFirst

and DirectoryWidth options from Apache 1.3.10.

[William Rowe, Ken Coar]

*) Eliminated FancyIndexing directive, deprecated early in Apache

1.3 by the IndexOptions FancyIndexing syntax. [William Rowe]

*) mod_autoindex now excludes any file names that would result in

an error, other than a success or redirect. Also optimized

the parent directory, always included except in the URI ’/’.

[William Rowe]

*) Refactored mod_negotiation and mod_mime to help mod_dir accept

negotiated index pages, and prevent the server from defaulting

to an autoindex of the directory. mod_negotiation will now die

with a 500 Internal Error if it could match some filenames


(e.g. for mod_dir) but none can be served. mod_negotation now

refuses to serve any file with an extention that mod_mime doesn’t

recognize, and wasn’t part of the request. [William Rowe]

*) Eliminate mod_cgi’s handling of .exe files without the .exe file

extension. This is already handled by multiviews, if the admin

wishes to AddHandler .exe or define a content type handler and

associate .exe files with that content type. Multiviews must be

enabled to allow these to be served. [William Rowe]

*) Speed up the server’s response to a spike in incoming workload

or restarts by assigning empty scoreboard slots to new processes

when they are available. [Greg Ames]

*) Add a handler to mod_includes.c. This handler is designed to

implement the XbitHack directive. This can’t be done with a

fixup, because we need to check the content-type, which is

only available in the handler phase. [Ryan Bloom]

*) Make the includes filter check return codes from filters lower in

the filter chain. If a lower level filter returns an error, then

the request needs to stop immediately. This allows mod_include to

stop parsing data once a lower filter recognizes an error.

[Ryan Bloom]

*) Add the ability to extend the methods that Apache understands

and have those methods able in the httpd.conf. It uses

the same bit mask/shifted offset as the original HTTP methods

such as M_GET or M_POST, but expands the total bits from an int to

an ap_int64_t to handle more bits for new request methods than

an int provides. [Cody Sherr ]

*) Fix broken mod_mime behavior in merging its arguments. Possible

cause of unexplicable crashes introduced in 2.0.20. [William Rowe]

*) Solve many mod_ssl porting issues (too many to detail) with

help from the whole team, but most notably [Ralf S. Engelschall,

Madhusudan Mathihalli ,

Doug MacEachern, William Rowe, Cliff Woolley]

*) More stall fixes for the threaded & worker mpm’s.

Make mod_status output more accurate. Don’t

count workers in processes which aren’t actively

serving requests. [Greg Ames]

*) Win32: Get SSI exec cgi tag working. [Bill Stoddard]

*) Add a single listener/multiple worker MPM. This MPM is

definately not fully correct, but it allows us to solve many

of the problems that exist in the threaded MPM. This is a

modified version of the threaded MPM. [Ryan Bloom]

*) Improve content generation throughout Apache, providing closer

compliance with HTML 3.2, HTML 4.01 Transitional and XHTML 1.0

Transitional specifications. [William Rowe]

Changes with Apache 2.0.22

*) Fix a problem where the threaded MPM stalls after restarts or

segfaults. Also prevent multiple active processes from using


the same scoreboard slot. [Greg Ames]

*) Apache/Win32 now fills in the service description with Apache’s

server version string, including loaded and advertised modules.

[William Rowe]

*) Improved support for the Win32 build, to recover gracefully from

missing apr or apr-util directories or the awk interpreter,

create the proper cgi-bin examples, including a test-cgi.bat, and

fix the perl shebang line for printenv.pl, when installing from

the build environment. [William Rowe]

*) Fix a segfault in threaded.c caused by passing uninitialized

apr_thread_t * to apr_thread_join(). [Jeff Trawick]

*) Use new APR number conversion functions to reduce CPU consumption

when setting the content length, and in mod_log_config.

[Brian Pane]

*) Fix problem reported by Taketo Kabe

where HEAD response headers were being repeated twice for

files greater than 32K bytes (4*AP_MIN_BYTES_TO_WRITE). This

problem in the http_header filter was exposed by the recent rewrite

of the content_length filter. [Taketo Kabe, Bill Stoddard]

*) Fix seg faults in mod_status with ExtendedStatus enabled, after

restarts. A garbage pointer to a vhost’s server_rec from the

previous generation was being left around under certain

conditions. [Greg Ames]

*) Fix a cosmetic problem with mod_include. Non-existant SSI vars

used to appear as ’(none’, without the closing paren.

[Günter Knauf ]

*) Improve the exports generating awk script. In the past, we had

work around problems in the awk script by avoiding some #if and

#ifdefs. This has bitten us many times in generating the exports.c

file. This improvement allows corrects the header file parsing.

[Sander Striker ]

Changes with Apache 2.0.21

*) Resolve the Win32 htpasswd bug, where a file that existed would be

overwritten, regardless of the -c flag.

[William Rowe, Mladen Turk ]

*) Introduce connection sub-pools into ab. Truncating the lifetime

of these allocations means that ab no longer perpetually grows

its working set, running out of memory on large request attempts.

[William Rowe]

*) Make scoreboard creation a hook. This allows management

modules to have access to the scoreboard at the time that it is

created, and at every restart request.

[Cody Sherr ]

*) Changed AP_MPMQ_MAX_DAEMONS to refer to MaxClients and

added an AP_MPMQ_MAX_DAEMON_USED to refer to the highest

daemon index actually used in the scoreboard. I also

updated the pertinent calls. [Paul J. Reder]


*) Win32: Prevent listening sockets from being inherited by

the Apache child process, CGI scripts, rotatelog process

etc. If the Apache child process segfaults, any processes

that the child started are not reaped. Prior to this fix,

these processes inherited the listening sockets which sometimes

prevented the restarted Apache child process from accepting

connections (ie, the server would hang).

[Bill Stoddard]

*) Provide vhost and request strings when ExtendedStatus is on.

[Greg Ames]

*) Fix some issues with the pod and prefork: check the pod *after*

processing a connection so that a server processing a timeconsuming

request bails out as soon as practical; when the

parent process wakes up a server process via connect(), use an

APR timeout on the connect() so that we don’t hang for a long

time if there aren’t server processes around to do accept().

[Jeff Trawick, Greg Ames]

*) Performance improvement to mod_mime.c. find_ct() in mod_mime,

spends a lot of time in apr_table_get calls. Using the default

httpd.conf, the tables for languages and charsets are somewhat

large, so the time spent scanning them on each request is

significant. Replacing the tables with hash tables provides

a nice speedup. [Brian Pane ]

*) Add two functions to allow modules to access random parts of the

scoreboard. This allows modules compiled for one MPM to access the

scoreboard, even if it the server was compiled for another MPM.

[Harrie Hazewinkel ]

Changes with Apache 2.0.20

*) Fix problem in content-length filter where the filter would

buffer all the output from a CGI before sending any bytes

down the filter stack to the network. This problem would cause

significant memory consumption if the CGIs generated

lots of bytes. [Bill Stoddard]

*) Get non-blocking CGI pipe reads working with the bucket brigades.

[Bill Stoddard]

*) Fix seg fault on Windows when serving files cached with mod_file_cache.

[Bill Stoddard]

*) Fix a bug in the threaded MPM that would cause it to kill off all

workers immediately after starting if the number of workers started

was above a certain threshold. [Ryan Bloom, Bill Stoddard]

Changes with Apache 2.0.19

*) Fix problem with threaded MPM. The problem was that if each child

process was busy serving a single long-lived request and the server

was sent a graceful restart signal, the server would stop serving

requests. This would happen because each child process would wait to

die until the last thread was done, and the parent wouldn’t spawn any

new children until a process died. Now, the parent looks at the fact

that the children are dying gracefully, and starts new children.


Those new children only start enough threads to compliment the number

of threads in the other child process that shares the same spot in

the scoreboard. In this way, we make sure to never go over

MaxClients. [Ryan Bloom]

*) modified mod_negotiation and mod_autoindex to speed up by almost a

factor of two on apr_dir_read()-enhanced platforms, such as Win32

and OS2, by calling ap_sub_request_lookup_dirent() with the results

already provided by apr_dir_read(). [William Rowe]

*) mod_file_cache is now more robust to filtering and serves requests

slightly more efficiently. [Cliff Woolley]

*) Fix problem handling FLUSH bucket in the chunked encoding filter.

Module was calling ap_rwrite() followed by ap_rflush() but the

served content was not being displayed in the browser. Inspection

of the output stream revealed that the first data chunk was

missing the trailing CRLF required by the RFC. [Bill Stoddard]

*) apxs no longer generates ap_send_http_header() in the example handler

*) Fix an ab problem which could cause a divide-by-zero exception

with certain invocations (e.g., ab -k -c 6 -n 100 localhost/).

[Ian Holsman ]

*) Solve case-insensitive platforms’ confusion about negotiated

filenames, allowing files of differnt case to match in choosing

the document to serve. [William Rowe]

*) Fix brokenness when ThreadsPerChild is higher than the built-in

limit. We left ap_threads_per_child at the higher value which

led to segfaults when doing certain scoreboard operations.

[Jeff Trawick]

*) Fix seg faults and/or missing output from mod_include. The

default_handler was using the subrequest pool for files and

MMAPs, even though the associated APR structures typically

live longer than the subrequest. [Greg Ames]

*) Extend mod_setenvif to support specifying regular expressions

on the SetEnvIf (and SetEnvIfNoCase) directive attribute field.

Example: SetEnvIf ^TS* [a-z].* HAVE_TS

will cause HAVE_TS to be set if any of the request headers begins

with "TS" and has a value that begins with any character in the

set [a-z]. [Bill Stoddard]

*) httpd children now re-bind themselves to a random CPU on

multiprocessor systems on AIX via bindprocessor() in 2.0.

[Victor J. Orlikowski]

*) Fix htdigest. It would go into a loop in getline when adding

a second user. [Bill Stoddard]

*) Win32 platforms now fully support mod_userdir options. [Will Rowe]

*) Automatically generate httpd.exp for AIX.

DSOs now work again on AIX in 2.0

[Victor J. Orlikowski]

*) Add a new request hook, error_log. This phase allows modules


to act on the error log string _after_ it has been written

to the error log. The goal for this hook is to allow monitoring

modules to send the error string to the monitoring agent.

[Ryan Bloom]

*) Modify mod_echo to make it use filters for input and output.

[Ryan Morgan ]

*) Extend mod_headers to support conditional driven Header

add, append and set. Use SetEnvIf to set an envar and conditionally

add/append/set headers based on this envar thusly:

SetEnvIf TSMyHeader value HAVE_TSMyHeader

Header add MyHeader "%t %D" env=HAVE_TSMyHeader

If the request contains header "TSMyHeader: value" then header

MyHeader: "t=xxxxxxxxxx D=yyyy" will be sent on the response.

[Bill Stoddard]

*) Extend mod_headers to support using format specifiers on Header

add, append and set header values. Two format specifiers are supported:

%t - reports, in UTC microseconds since the epoch, when the

request was received.

%D - reports the time, in microseconds, between when the request was

received and the response sent.

Examples:

Header add MyHeader "This request served in %D microseconds. %t"

results in a header being added to the response that looks like this:

MyHeader: This request served in D=5438 microseconds. t=991424704447256

[Bill Stoddard]

*) Fix reset_filter(). We need to be careful how we remove filters.

If we set r->output_filters to NULL, we also have to reset the

connection’s filters. [John Sterling]

*) Optimise reset_filter() in http_protocol.c. [Greg Stein]

*) Add a check to ap_die() to make sure the filter stack is sane and

contains the correct basic filters when an error occurs. This fixes

a problem where headers are not being sent on error. [John Sterling]

*) New Header directive ’echo’ option. "Header echo regex" will

cause any headers received on the request that match regex to be

echoed to (included in) the response headers.

[Bill Stoddard]

*) include/ap_compat.h tested and set APR_COMPAT_H instead of AP_COMPAT_H.

This prevented the inclusion of apr_compat.h. PR #7773

[Oleg Broytmann ]

*) Moved util_uri to the apr-util library. This required a bunch of

apr_name changes for the uri utility functions. [Justin Erenkrantz]

*) Move the addition of default AP_HTTP_HTTP_HEADER filters to the


insert_filter phase so that other filters are not bypassed by default.

[Graham Leggett]

*) Reimplement mod_headers as an output filter. mod_headers can now

add custom headers to inbound requests using the RequestHeader directive

and to responses using the same old Header directive. [Graham Leggett]

Changes with Apache 2.0.18

*) Fix command-line processing so that if a bad argument is specified

Apache will exit. [Jeff Trawick]

*) Change the make targets and rules to be consistent in all of the

Apache-owned source trees. [Roy Fielding]

*) Fix processing of the TRACE method. Previously we passed bogus

parms to form_header_field() and it overlaid some vhost structures,

resulting in a segfault in check_hostalias().

[Greg Ames, Jeff Trawick]

*) Win32: Add support for reliable piped logs. If the logging process

goes down, Apache will automatically restart it. This function has

been part of Apache on Unix/Linux/BSD since the early v1.3 releases.

[Bill Stoddard]

*) Do not start piped log processes during the config file

preflight. This change also circumvents a problem on

Windows where the rotatelog processes created during preflight

was not getting cleaned up properly.

[Bill Stoddard]

*) add "Request Phase Participation" info to mod_info

[Doug MacEachern]

*) Make first phase changes to the scoreboard data structures in

preparation for the rewriting of the scoreboard per my posted

design notes. [Paul J. Reder]

*) Fix httpd’s definition of LTFLAGS to be consistent with that of apr

and apr-util, allow it to be overridden by the configure command-line

(default="--silent") and introduce LT_LDFLAGS to replace what we were

formerly abusing as LTFLAGS. [Roy Fielding]

*) Clean up the reporting of incorrect closing container tags.

[Barrie Slaymaker ]

*) Simplify the configure process by moving all libtool stuff to APR

and moving hints.m4 inline. [Roy Fielding]

*) Add the AP_DECLARE()/AP_CORE_DECLARE macros on the return types

of functions used by mod_proxy for export in the DLL

[Ian Holsman ]

*) Prevent a hang when a cgi handled by mod_cgid tries to read a

request body from its stdin but no reqest body is being written to

the cgi. [Jeff Trawick]

*) mod_log_config: %c connection status incorrectly logged

as "-" (non-keepalive) when MaxKeepAliveRequests is set to 0.

[Bill Stoddard]


*) Get mod_cern_meta working under Windows

[Bill Stoddard]

*) Create Files, and thus MMAPs, out of the request pool, not the

connection pool. This solves a small resource leak that had us

not closing files until a connection was closed. In order to do

this, at the end of the core_output_filter, we loop through the

brigade and convert any data we have into a single HEAP bucket

that we know will survive clearing the request_rec.

[Ryan Bloom, Justin Erenkrantz ,

Cliff Woolley]

*) Completely revamp configure so that it preserves the standard make

variables CPPFLAGS, CFLAGS, CXXFLAGS, LDFLAGS and LIBS by moving

the configure additions to EXTRA_* variables. Also, allow the user

to specify NOTEST_* values for all of the above, which eliminates the

need for THREAD_CPPFLAGS, THREAD_CFLAGS, and OPTIM. Fix the setting

of INCLUDES and EXTRA_INCLUDES. Check flags as they are added to

avoid pointless duplications. Fix the order in which flags are given

on the compile and link lines. Remove obsolete macros APR_DOEXTRA,

AC_ADD_LIBRARY, AC_CHECK_DEFINE, APACHE_PASSTHRU, and APACHE_ONCE.

Added APR_SAVE_THE_ENVIRONMENT and APR_RESTORE_THE_ENVIRONMENT macros.

Renamed AC_TYPE_RLIM_T macro to APACHE_TYPE_RLIM_T. [Roy Fielding]

*) Get mod_tls to compile/work better on Windows. PR #7612

[Bernhard Schrenk ]

*) Fix shutdown/restart hangs in the threaded MPM.

[Jeff Trawick, Greg Ames, Ryan Bloom]

*) Removed the keptalive boolean from conn_rec because it is now only

used by a single routine and can be replaced by a local variable.

[Greg Stein, Ryan Bloom, Roy Fielding]

*) Patch prefork to put enough of the signal processing back in so that

signals are all handled properly now. The previous patch fixed the

deadlock race condition, but broke the user directed signal handling.

This fixes it to work the way it did before my previous prefork patch

(primarily, SIGTERM is now working).

*) Change how input filters decide how much data is returned to the

higher filter. We used to use a field in the conn_rec, with this

change, we use an argument to ap_get_brigade to determine how much

data is retrieved. [Ryan Bloom]

*) Fix seg fault at start-up introduced by Ryan’s change to enable

modules to specify their own logging tags. mod_log_config

registers an optional function, ap_register_log_handler().

ap_register_log_handler() was being called by http_core before

the directive hash table was created. This patch creates the

directive hash table before ap_register_log_handler() is

registered as an optional function.

[jean-frederic clere ]

*) Add ap_set_int_slot() function

[John K. Sterling ]

*) Under certain circumstances, Apache did not supply the

right response headers when requiring authentication.


[Gertjan van Wingerde ] PR#7114

(This is a port of the change that went into Apache 1.3.19.)

*) Allow modules to specify their own logging tags. This basically

allows a module to tell mod_log_config that when %x is encountered

a specific function should be called. Currently, x can be any single

character. It may be more useful to make this a string at some point.

[Ryan Bloom]

Changes with Apache 2.0.17

*) If a higher-level filter handles the byterange aspects of a

request, then the byterange filter should not try to redo the

work. The most common case of this happening, is a byterange

request going through the proxy, and the origin server handles

the byterange request. The proxy should ignore it.

[Graham Leggett ]

*) Changed the threaded mpm to have child_main join to each of the

worker threads to make sure the kids are all gone before child_main

exits after a signal (cleanup from perform_idle_server_maintenance).

This is an extension of Ryans recent commit to make the child_main

the signal thread.

*) Add more options to the ap_mpm_query function. This also allows MPMs to

report if their threads are dynamic or static. Finally, this also

implements a new API, ap_show_mpm, which returns the MPM that was

required into the core. [Harrie Hazewinkel ]

*) Do not install the binaries from the support directory twice.

[jun-ichiro hagino ]

*) The ap_f* functions should flush data to the filter that is passed

in, not the filter after the one passed in.

[Ryan Morgan ]

*) Make ab work again by changing its native types to apr types and formats.

[Justin Erenkrantz ]

*) Move the byterange filter and all of the supporting functions back

to the HTTP module. The byterange filter turned out to be very

HTTP specific, and it belongs in the HTTP module. [Greg Stein]

*) Make clean, distclean, and extraclean consistently according to the

Gnu makefile guidelines. [Justin Erenkrantz ]

*) Fix errors in the renaming of the apr_threadattr_detach_xxx functions.

This may have been causing problems stopping processes in the threaded

mpm’s. [Greg Ames]

*) Fix content-length in mod_negotiation to a long int representation.

[William Rowe]

*) Remove BindAddress from the default config file.

[]

*) Allow module authors to add a module to their Apache build using

--with-module, without re-running buildconf. The syntax is:

--with-module=module_type:/path/to/module.c

The configure script will copy the module.c file to


modules/module_type, and it will be added to the relevant Makefiles.

currently, this only works for static modules. [Ryan Bloom]

*) Changes required to make prefork clean up idle children properly.

There was a window during which a starting worker deadlocks when

an idle cleanup arrives before it completes init. Apache then keeps

trying to cleanup the same deadlocked worker forever (until higher

pids come along, but it still will never reduce below the deadlocked

pid). Thus the number of children would not reduce to the correct

idle level. [Paul J. Reder]

Changes with Apache 2.0.16

*) Change the default installation directory to /usr/local/apache2,

as now defined by the "Apache" layout in config.layout. [Marc Slemko]

*) OS/2: Added support for building loadable modules as OS/2 DLLs.

[Brian Havard]

*) Get MaxRequestsPerChild working with the Windows MPM.

[Bill Stoddard]

*) Make generic hooks to work, with mod_generic_hook_import/export

experimental modules. [Ben Laurie, Will Rowe]

*) Fix segfaults for configuration file syntax errors such as

"" followed by "


*) Enable mod_status by default. This matches what Apache 1.3 does.

[Ed Korthof]

*) Add a ScriptSock directive to the default config file. This is

only enabled when mod_cgid is used.

[Taketo Kabe ]

Changes with Apache 2.0.15

*) Untangled the buildconf script and eliminated the need for build’s

aclocal.m4, generated_lists, build.mk, build2.mk, and a host of other

libtool muck that is now under srclib/apr/build. [Roy Fielding]

*) Win32: Don’t accept more connections than we have worker threads

to handle.

[Bill Stoddard]

*) Fix bug in the Unix threaded.c MPM that allowed child processes

to fork() new child processes.

[Bill Stoddard]

*) SECURITY: Fix a major security problem with double-reverse lookup

checking. Previously, a client connecting over IPv4 would not be

matched properly when the server had an IPv6 listening socket.

PR #7407 [Taketo Kabe ]

*) Change the way the beos MPM handles polling to allow it to stop and

restart. Problem was the sockets being polled were being reset by

the select call, so once it had accepted a connection it was no

longer listening on the UDP socket we use for shutdown instructions.

APR needs to be altered, patch on it’s way. [David Reid]

*) Empty out the brigade shared by ap_getline()/ap_get_client_block()

on error exit from ap_getline(). Some other code got upset because

the wrong data was in the brigade. [Greg Ames, Jeff Trawick]

*) Handle ap_discard_request_body() being called more than once.

[Greg Ames, Jeff Trawick]

*) Get rid of an inadvertent close of file descriptor 2 in

mod_mime_magic. [Greg Ames, Jeff Trawick]

*) Add a hook, create_request. This hook allows modules to modify

a request while it is being created. This hook is called for all

request_rec’s, main request, sub request, and internal redirect.

When this hook is called, the r->main, r->prev, r->next

pointers have been set, so modules can determine what kind of

request this is. [Ryan Bloom]

*) Cleanup the build process a bit more. The Apache configure

script no longer creates its own helper scripts, it just

uses APR’s.

[jean-frederic clere ]

*) Stop the forced downgrade of the connection to HTTP/1.0 for

proxy requests. [Graham Leggett]

*) Avoid using sscanf to determine the HTTP protocol number in

the common case because sscanf is a performance hog. From


Mike Abbot’s Accelerating Apache patch number 6.

[Mike Abbot , Bill Stoddard]

*) SECURITY: Fix a security exposure in mod_access. Previously when

IPv6 listening sockets were used, allow/deny-from-IPv4-address rules

were not evaluated properly (PR #7407). Also, add the ability to

specify IPv6 address strings with optional prefix length on Allow

and Deny. [Jeff Trawick]

*) Enhance rotatelogs so that a UTC offset can be specified, and

the logfile name can be formatted using strftime(3). (Brought

forward from 1.3.) [Ken Coar]

*) Reimplement the Windows MPM (mpm_winnt.c) to eliminate calling

DuplicateHandle on an IOCompletionPort (a practice which

MS "discourages"). The new model does not rely on associating

the completion port with the listening sockets, thus the

completion port can be completely managed within the child

process. A dedicated thread accepts connections off the network,

then calls PostQueuedCompletionStatus() to wake up worker

threads blocked on the completion port.

[Bill Stoddard]

*) Bring forward the --suexec-umask option which allows the

builder to preset the umask for suexec processes. [Ken Coar]

*) Add a -V flag to suexec, which causes it to display the

compile-time settings with which it was built. (Only

usable by root or the AP_HTTPD_USER username.) [Ken Coar]

*) Mod_include should always unset the content-length if the file is

going to be passed through send_parsed_content. There is no to

determine if the content will change before actually scanning the

entire content. It is far safer to just remove the C-L as long

as we are scanning it. [Ryan Bloom]

*) Make sure Apache sends WWW-Authenticate during a reverse proxy

request and not Proxy-Authenticate.

[Graham Leggett ]

Changes with Apache 2.0.14

*) Fix content-length computation. We ONLY compute a content-length if

We are not in a 1.1 request and we cannot chunk, and this is a keepalive

or we already have all the data. [Ryan Bloom]

*) Report unbounded containers in the config file. Previously, a typo

in the directive could result in the rest of the config

file being silently ignored, with undesired defaults used.

[Jeff Trawick]

*) Make the old_write filter use the ap_f* functions for the buffering.

[Ryan Bloom]

*) Move more code from the http module into the core server. This

is core code, basically the default handler, the default input

and output filters, and all of the core configuration directives.

All of this code is required in order for the server to work, with or

without HTTP. The server is closer to working without the HTTP

module, although there is still more to do. [Ryan Bloom]


*) Fix a number of SGI compile warnings throughout the server. Fix some

bad parameters to apr_bucket_read(). Fix a bad statement in

ap_method_in_list(). For the mod_rewrite cache use apr_time_t

consistently; we were mixing apr_time_t and time_t in invalid ways

before. In load_file(), call apr_dso_error() instead of

apr_strerror() so that we get a more specific string on some platforms.

PR #6980 [Jeff Trawick]

*) Allow modules to query the MPM about it’s execution profile. This

query API can and should be extended in the future, but for now,

max_daemons, and threading or forking is a very good start.

[Jon Travis ]

*) Modify mod_include to send blocks of data no larger than 9k.

Without this, mod_include will wait until the whole file is parsed,

or the first tag is found to send any data to the client.

[Paul J. Reder ]

*) Fix mod_info, so that and directives are

not displayed twice when displaying the current configuration.

[Ryan Morgan ]

*) Add config directives to override DEFAULT_ERROR_MSG and

DEFAULT_TIME_FORMAT. This was sent in as PR 6193.

[Dan Rench ]

*) Get mod_info building and loading on Win32. [William Rowe]

*) Begin to move protocol independant functions out of mod_http. The goal

is to have only functions that are HTTP specific in the http directory.

[Ryan Bloom]

Changes with Apache 2.0.13

*) Don’t assume that there will always be multiple calls to the byterange

filter. It is possible that we will need to do byteranges with only

one call to the filter. [Ryan Morgan ]

*) Move the error_bucket definition from the http module to the

core server. Every protocol will need this ability, not just

HTTP. [Ryan Bloom]

Changes with Apache 2.0.12

*) Modify mod_file_cache to save pre-formatted strings for

content-length and last-modified headers for performance.

[Mike Abbot ]

*) Namespace protect IOBUFSIZ since it is exposed in the API.

[Jon Travis ]

*) Use "Basic" authentication instead of "basic" in ab, as the spec

says we should. [Andre Breiler ]

*) Fix a seg fault in mod_userdir.c. We used to use the pw structure

without ever filling it out. This fixes PR 7271.

[Taketo Kabe and

Cliff Woolley ]


*) Add a couple of GCC attribute tags to printf style functions.

[Jon Travis ]

*) Add the correct language tag for interoperation with the Taiwanese

versions of MSIE and Netscape. [Clive Lin ] PR#7142

*) Migrate the perchild MPM to use the new apr signal child, and

APR thread functions. [Ryan Bloom]

*) Close one copy of the CGI’s stdout before creating the new process.

The CGI will still have stdout, because we have already dup’ed it.

This keeps Apache from waiting forever to send the results of a CGI

process that has forked a long-lived child process.

[Taketo Kabe ]

*) Remove the rest of the pthreads functions from the threaded MPM.

This requires the APR support for a signal thread that was just

added. [Ryan Bloom]

*) Make mod_dir use a fixup for sending a redirect to the browser.

Before this, we were using a handler, which doesn’t make much

sense, because the handler wasn’t generating any data, it would

either return a redirect error code, or DECLINED. This fits the

current hooks better. [Ryan Morgan ]

*) Make the threaded MPM use APR threads instead of pthreads.

[Ryan Bloom]

*) Get mod_tls to the point where it actually appears to work in all cases.

[Ben Laurie]

*) implement --enable-modules and --enable-mods-shared for "all" and

"most". [Greg Stein]

*) Move the threaded MPM to use APR locks instead of pthread locks.

[Ryan Bloom]

*) Rename mpmt_pthread to threaded. This is more in line with the

fact that mpmt_pthread shouldn’t be using pthreads directly, and

it is a smaller name that doesn’t tie into anything.

[Ryan Bloom]

*) Rename the module structures so that the exported symbol matches

the file name, and it is easier to automate the installation

process (generating LoadModule directives from the module filenames).

[Martin Kraemer]

*) Remove the coalesce filter. With the ap_f* functions, this filter

is no longer needed. [Ryan Bloom]

Changes with Apache 2.0.11

*) Remove the dexter MPM. Perchild is the same basic idea, but it has the

added feature of allowing a uid/gid per child process. If no

uid/gid is specified, then Perchild behaves exactly like dexter.

[Ryan Bloom]

*) Get perchild building again. [Ryan Bloom]

*) Don’t disable threads just because we are using the prefork MPM.


If somebody wants to compile without threads, they must now add

--disable-threads to the configure command line. [Ryan Bloom]

*) Begin to move the calls to update_child_status into common code, so

that each individual MPM does not need to update the scoreboard itself.

[Ryan Bloom]

*) Allow mod_tls to compile under Unix boxes where openssl has been

installed to the system include files.

[Gomez Henri ]

*) Cleanup the mod_tls configure process. This should remove any need

to hand-edit any files. We require OpenSSL 0.9.6 or later, but

configure doesn’t check that yet. [Ryan Bloom]

*) Add a very early prototype of SSL support (in mod_tls.c). It is

vital that you read modules/tls/README before attempting to build

it. [Ben Laurie]

*) Fix a potential seg fault on all platforms. David Reid fixed this

on BEOS, but the problem could happen anywhere, so we don’t want

to #ifdef it. [Cliff Woolley ]

*) Add new LogFormat directive, %D, to log time it takes to serve a

request in microseconds. [Bill Stoddard]

*) Change AddInputFilter and AddOutputFilter to SetInputFilter and

SetOutputFilter. This corresponds nicely with the other Set

directives, which operate on containers while the Add* directives

tend to work directly on extensions. [Ryan Bloom]

*) Cleanup the header handling a bit. This uses the apr_brigade_*

functions for the buffering so that we don’t need to compute

the length of the headers before we actually create the header

buffer. [Ryan Bloom]

*) Allow filters to buffer data using the ap_f* functions. These have

become macros that resolve directly to apr_brigade_*.

[Ryan Bloom]

*) Get the Unix MPM’s to do a graceful restart again. If we are going

to register a cleanup with ap_cleanup_scoreboard, then we have to

kill the cleanup with the same function, and that function can’t be

static. [Ryan Bloom]

*) Install all required header files. Without these, it was not

possible to compile some modules outside of the server.

[Ryan Bloom]

*) Fix the AliasMatch directive in Apache 2.0. When we brought a patch

forward from 1.3 to 2.0, we missed a single line, which broke regex

aliases. [Ryan Bloom]

*) We have a poor abstraction in the protocol. This is a temporary

hack to fix the bug, but it will need to be fixed for real. If

we find an error while sending out a custom error response, we back

up to the first non-OK request and send the data. Then, when we send

the EOS from finalize_request_protocol, we go to the last request,

to ensure that we aren’t sending an EOS to a request that has already

received one. Because the data is sent on a different request than


the EOS, the error text never gets sent down the filter stack. This

fixes the problem by finding the last request, and sending the data

with that request. [Ryan Bloom]

*) Make the server status page show the correct restart time, and

thus the proper uptime. [Ryan Bloom]

*) Move the CGI creation logic from mod_include to mod_cgi(d). This

should reduce the amount of duplicate code that is required to

create CGI processes.

[Paul J. Reder ]

*) ap_new_connection() closes the socket and returns NULL if a socket

call fails. Usually this is due to a connection which has been

reset. [Jeff Trawick]

*) Move the Apache version information out of httpd.h and into release.h.

This is in preparation for the first tag with the new tag and release

system. [Ryan Bloom]

*) Begin restructuring scoreboard code to enable adding back in

the ability to use IPC other than shared memory.

Get mod_status working on Windows again. [Bill Stoddard]

*) Make mod_status work with 2.0. This will work for prefork,

mpmt_pthread, and dexter. [Ryan Bloom]

*) Correct a typo in httpd.conf.

[Kunihiro Tanaka ] PR#7154

*) Really fix mod_rewrite map lookups this time. [Tony Finch]

*) Get the correct IP address if ServerName isn’t set and we can’t

find a fully-qualified domain name at startup.

PR#7170 [Danek Duvall ]

*) Make mod_cgid work with SuExec. [Ryan Bloom]

*) Adopt apr user/group name features for mod_rewrite. Eliminates some

’extra’ stat’s for user/group since they should never occur, and now

resolves the SCRIPT_USER and SCRIPT_GROUP, including on WinNT NTFS

volumes. [William Rowe]

*) Adopt apr features to simplify mod_includes. This changes the

behavior of the USER_NAME variable, unknown uid’s are now reported

as USER_NAME="" rather than the old user#000 result.

WinNT now resolves USER_NAME on NTFS volumes. [William Rowe]

*) Adopt apr features for simplifing mod_userdir, and accept the new

Win32/OS2 exceptions without hiccuping. [William Rowe]

*) Replace configure --with-optim option by using and saving the

environment variable OPTIM instead. This is needed because configure

options do not support multiple flags separated by spaces.

[Roy Fielding]

*) Fix some byterange handling. If we get a byte range that looks like

"-999999" where that is past the end of the file, we should return

a PARTIAL CONTENT status code, and return the whole file as one big

byterange. This matches the 1.3 handling now. [Ryan Bloom]


*) Make the error bucket a real meta-data bucket. This means that the

bucket length is 0, and a read returns NULL data. If one of these

buckets is passed down after the headers are sent, this data will

just be ignored. [Greg Stein]

*) The prefork MPM wasn’t killing child processes correctly if a restart

signal was received while the process was serving a request. The child

process would become the equivalent of a second parent process. If

we break out of the accept loop, then we need to do die after cleaning

up after ourselves. [Ryan Bloom]

*) Change the Prefork MPM to use SIGWINCH instead of SIGUSR1 for graceful

restarts. [Ryan Bloom]

*) Modify the apr_stat/lstat/getfileinfo calls within apache to use

the most optimal APR_FINFO_wanted bits. This spares Win32 from

performing very expensive owner, group and permission lookups

and allows the server to function until these apr_finfo_t fields

are implemented under Win32. [William Rowe]

*) Support for typedsafe optional functions - that is functions exported by

optional modules, which, therefore, may or may not be present, depending

on configuration. See the experimental modules mod_optional_fn_{ex,im}port

for sample code. [Ben Laurie]

*) filters can now report an HTTP error to the server. This is done

by sending a brigade where the first bucket is an error_bucket.

This bucket is a simple bucket that stores an HTTP error and

a string. Currently the string is not used, but it may be needed

to output an error log. The http_header_filter will find this

bucket, and output the error text, and then return

AP_FILTER_ERROR, which informs the server that the error web page

has already been sent. [Ryan Bloom]

*) If we get an error, then we should remove all filters except for

those critical to serving a web page. This fixes a bug, where

error pages were going through the byterange filter, even though

that made no sense. [Ryan Bloom]

*) Relax the syntax checking of Host: headers in order to support

iDNS. PR#6635 [Tony Finch]

*) Cleanup the byterange filter to use the apr_brigade_partition

and apr_bucket_copy functions. This removes a lot of very messy

code, and hopefully makes this filter more stable.

[Ryan Bloom]

*) Remove AddModule and ClearModuleList directives. Both of these

directives were used to ensure that modules could be enabled

in the correct order. That requirement is now gone, because

we use hooks to ensure that modules are in the correct order.

[Ryan Bloom]

*) When SuExec is specified, we need to add it to the list of

targets to be built. If we don’t, then any changes to the

configuration won’t affect SuExec, unless ’make suexec’ is

specifically run. [Ryan Bloom]

*) Cleaned out open_file from mod_file_cache, as apr now accepts


the APR_XTHREAD argument to open a file for consumption by

parallel threads on win32. [William Rowe]

*) Correct a bug in determining when we follow symlinks. The code

expected a stat -1 result, not an apr_status_t positive error.

Also check if the APR_FINFO_USER fields are valid before we

follow the link. [William Rowe]

*) Move initgroupgs, ap_uname2id and ap_gname2id from util.c to

mpm_common.c. These functions are only valid on some platforms,

so they should not be in the main-line code. [Ryan Bloom]

*) Remove ap_chdir_file(). This function is not thread-safe,

and nobody is currently using it. [Ryan Bloom]

*) Do not try to run make depend if there are no .c files in the

current directory, doing so makes ‘make depend‘ fail.

[Ryan Bloom]

*) Update highperformance.conf to work with either prefork or

pthreads mpms. [Greg Ames]

*) Stop checking to see if this is a pipelined request if we know

for a fact that it isn’t. Basically, if r->connection->keepalive == 0.

This keeps us from making an extra read call when serving a 1.0

request. [Ryan Bloom and Greg Stein]

*) Fix the handling of variable expansion look-ahead in mod_rewrite,

i.e. syntax like %{LA-U:REMOTE_USER}, and also fix the parsing of

more complicated nested RewriteMap lookups. PR#7087 [Tony Finch]

*) Fix the RFC number mentioned when complaining about a missing

Host: header. PR#7079 [Alexey Toptygin ]

*) Fix an endless loop in ab which occurred when ab was posting

and the server dropped the connection unexpectedly.

[Jeff Trawick]

*) Fix a segfault while handling request bodies in ap_http_filter().

This problem has been seen with mod_dav usage as well as with

requests where the body was just being discarded. [Jeff Trawick]

*) Some adjustment on the handling and automatic setting (via

hints.m4) of various compilation flags (eg: CFLAGS). Also,

add the capability to specify flags (NOTEST_CFLAGS and

NOTEST_LDFLAGS) which are used to compile Apache, but

not used during the configuration process. Useful for

flags like "-Werror". [Jim Jagielski]

*) Stop using environment variables to force debug mode or

no detach. We now use the -D command line argument to

specify the correct mode. -DONE_PROCESS and -DNO_DETACH.

[Greg Stein, Ryan Bloom]

*) Change handlers to use hooks. [Ben Laurie]

*) Stop returning copies of filenames from both apr_file_t and

apr_dir_t. We pstrdup the filenames that we store in the

actual structures, so we don’t need to pstrdup the strings again.

[Ryan Bloom]


*) mod_cgi: Fix some problems where the wrong error value was being

traced. [Jeff Trawick]

*) EBCDIC: Fix some missing ASCII conversion on some protocol data.

[Jeff Trawick]

*) Add generic hooks. [Ben Laurie]

*) Use a real pool to dup the error log descriptor. [Ryan Bloom]

*) Fix a segfault caused by mod_ext_filter when the external filter

program does not exist. [Jeff Trawick]

*) Fix an output truncation error when on an HTTP >= 1.0 request an

object of size between DEFAULT_BUCKET_SIZE and AP_MIN_BYTES_TO_WRITE

was served through mod_charset_lite (or anything else that would

create a transient bucket in this size range). ap_bucket_make_heap()

silently failed (fixed), transient_setaside() discovered it, but

ap_save_brigade() ignored it (fixed). [Jeff Trawick]

*) Ignore \r\n or \n when using PEEK mode for input filters. The problem

is that some browsers send extra lines at the end of POST requests, and

we don’t want to delay sending data back to the user just because the

browser isn’t well behaved. [Ryan Bloom]

*) Get SuEXEC working again. We can’t send absolute paths to suExec

because it refuses to execute those programs. SuEXEC also wasn’t

always recognizing configuration changes made using the autoconf

setup. [Ryan Bloom]

*) Allow the buildconf process to find the config.m4 files in the correct

order. Basically, we can now name config.m4 files as config\d\d.m4,

and we will sort them correctly when inserting them into the build

process. [Ryan Bloom]

*) Get mod_cgid to use apr calls for creating the actual CGI process.

This also allows mod_cgid to use ap_os_create_priviledged_process,

thus allowing for SuExec execution from mod_cgid. Currently, we do

not support everything that standard SuExec supports, but at least

it works minimally now. [Ryan Bloom]

*) Allow SuExec to be configured from the ./configure command line.

[Ryan Bloom]

*) Update some of the docs in README and INSTALL to reflect some of

the changes in Apache 2.0 [Cliff Woolley ]

*) If we get EAGAIN returned from the call to apr_sendfile, then we

need to call sendfile again. This gets us serving large files

such as apache_2.0a9.tar.gz on FreeBSD again. [Ryan Bloom]

*) Get the support programs building cleanly again.

[Cliff Woolley ]

*) The Apache/Win32 Apache.exe and dll’s now live in bin. The

current directory logic now backs up over bin/ to determine the

server root from the Apache.exe path.

*) Apache/Win32 now follows the standard conventions of mod_foo.so


loadable modules, dynamic libs are all named libfoo.dll, and the

makefile.win populates the include, lib and libexec directories.

*) Apache is now IPv6-capable. On systems where APR supports IPv6,

Apache gets IPv6 listening sockets by default. Additionally, the

Listen, NameVirtualHost, and directives support IPv6

numeric address strings (e.g., "Listen [fe80::1]:8080").

[Jeff Trawick]

*) Modify the install directory layout. Modules are now installed in

modules/. Shared libraries should be installed in libraries/, but

we don’t have any of those on Unix yet. All install directories

are modifyable at configure time. [Ryan Bloom]

*) Install all header files in the same directory on Unix. [Ryan Bloom]

*) Get the functions in server/linked into the server, regardless of

which modules linked into the server. This uses the same hack

for Apache that we use for APR and apr-util to ensure all of the

necessary functions are linked. As a part of thise, the CHARSET_EBCDIC

was renamed to AP_CHARSET_EBCDIC for namespace protection, and to make

the scripts a bit easier.

[Ryan Bloom]

*) Rework the RFC1413 handling to make it thread-safe, use a timeout

on the query, and remove IPv4 dependencies. [Jeff Trawick]

*) Get all of the auth modules to the point that they will install and

be loadable into the server. Our new build/install mechanism expects

that all modules will have a common name format. The auth modules

didn’t use that format, so we didn’t install them properly.

[Ryan Bloom]

*) API routines ap_pgethostbyname() and ap_pduphostent() are no longer

available. Use apr_getaddrinfo() instead. [Jeff Trawick]

*) Get "NameVirtualHost *" working in 2.0. [Ryan Bloom]

*) Return HTTP_RANGE_NOT_SATISFIABLE if the every range requested starts

after the end of the response. [Ryan Bloom]

*) Get byterange requests working with responses that do not have a

content-length. Because of the way byterange requests work, we have to

have all of the data before we can actually do the byterange, so we

can compute the content-length in the byterange filter.

[Ryan Bloom]

*) Get exe CGI’s working again on Windows.

[Allan Edwards]

*) Get mod_cgid and mod_rewrite to work as DSOs by changing the way

they keep track of whether or not their post config hook has been

called before. Instead of a static variable (which is replaced when

the DSO is loaded a second time), use userdata in the process pool.

[Jeff Trawick]

Changes with Apache 2.0a9

*) Win32 now requires perl to complete the final install step for users

to build + install on Win32. Makefile.win now rewrites @@ServerRoot@


and installs the conf, htdocs and htdocs/manual directories.

[William Rowe]

*) Make mod_include use a hash table to associate directive tags with

functions. This allows modules to implement their own SSI tags easily.

The idea is simple enough, a module can insert it’s own tag and function

combination into a hash table provided by mod_include. While mod_include

parses an SSI file, when it encounters a tag in the file, it does a

hash lookup to find the function that implements that tag, and passes

all of the relevant data to the function. That function is then

responsible for processing the tag and handing the remaining data back

to mod_include for further processing.

[Paul J. Reder ]

*) Get rid of ap_new_apr_connection(). ap_new_connection() now has

fewer parameters: the local and remote socket addresses were removed

from the parameter list because all required information is available

via the APR socket. [Jeff Trawick]

*) Distribution directory structure reorganized to reflect a

normal source distribution with external install targets.

[Roy Fielding]

*) The MPMs that need multiple segments of shared memory now create

two apr_shmem_t variables, one for each shared memory allocation.

the problem is that we can’t determine how much memory will be required

for shared memory allocations once we try to allocate more than one

variable. The MM code automatically aligns the shared memory allocations,

so we end up needing to pad the amount of shared memory we want based

on how many variables will be allocated out of the shared memory segment.

It is just easier to create a second apr_shmem_t variable, and two

shmem memory blocks.

[Ryan Bloom]

*) Cleanup the export list a bit. This creates a single unified list of

functions exported by APR. The export list is generated at configure

time, and that list is then used to generate the exports.c file.

Because of the way the export list is generated, we only export those

functions that are valid on the platform we are building on.

[Ryan Bloom]

*) Enable logging the cookie with mod_log_config

[Sander van Zoest ]

*) Fix a segfault in mod_info when it reaches the end of the configuration.

[Jeff Trawick]

*) Added lib/aputil/ as a placeholder for utility functions which are not

specific to the Apache HTTP Server (but do not make sense with APR).

The first utility is "apu_dbm": a set of functions to work with DBM

files. This first version can be compiled for SDBM or GDBM databases.

[Greg Stein]

*) Complete re-write of mod_include. This makes mod_include a filter that

uses buckets directly. This has now served the FAQ correctly.

[Paul Reder ]

*) Allow modules to specify the first filter in a sub_request when

making the sub_request. This keeps modules from having to change the

output_filter immediately after creating the sub-request, and therefore


skip the sub_req_output_filter. [Ryan Bloom]

*) Update ab to accept URLs with IPv6 literal address strings (in the

format described in RFC 2732), and to build Host header fields in

the same format. This allows IPv6 literal address strings to be

used with ab. This support has been tested against Apache 1.3 with

the KAME patch, but Apache 2.0 does not yet work with this format

of the Host header field. [Jeff Trawick]

*) Accomodate an out-of-space condition in the piped logs and the

rotatelogs.c code, and no longer churn log processes for this

condition. [Victor J. Orlikowski]

*) Add support for partial writes with apr_sendfile() to core_output_filter.

[Greg Ames]

Changes with Apache 2.0a8

*) Add a directive to mod_mime so that filters can be associated with

a given mime-type.

[Ryan Bloom]

*) Get multi-views working again. We were setting the path_info

field incorrectly if we couldn’t find the specified file.

[Ryan Bloom]

*) Fix 304 processing. The core should never try to send the headers

down the filter stack. Always, just setup the table in the request

record, and let the header filter convert it to data that is ready

for the network.

[Ryan Bloom]

*) More fixes for the proxy. There are still bugs in the proxy code,

but this has now proxied www.yahoo.com and www.ntrnet.net (my ISP)

successfully.

[Ryan Bloom]

*) Fix params for apr_getaddrinfo() call in connect proxy handler.

[Chuck Murcko]

*) APR: Add new apr_getopt_long function to handle long options.

[B. W. Fitzpatrick ]

*) APR: Change apr_connect() to take apr_sockaddr_t instead of hostname.

Add generic apr_create_socket(). Add apr_getaddrinfo() for doing

hostname resolution/address string parsing and building

apr_sockaddr_t. Add apr_get_sockaddr() for getting the address

of one of the apr_sockaddr_t structures for a socket. Change

apr_bind() to take apr_sockaddr_t. [David Reid and Jeff Trawick]

*) Remove the BUFF from the HTTP proxy. This is still a bit ugly, but

I have proxied pages with it, cleanup will commence soon.

[Ryan Bloom]

*) Make the proxy work with filters. This isn’t perfect, because we

aren’t dealing with the headers properly. [Ryan Bloom]

*) Do not send a content-length iff the C-L is 0 and this is a head

request. [Ryan Bloom]


*) Make cgi-bin work as a regular directory when using mod_vhost_alias

with no VirtualScriptAlias directives. PR#6829 [Tony Finch]

*) Remove BUFF from the PROXY connect handling. [Ryan Bloom]

*) Get the default_handler to stop trying to deal with HEAD requests.

The idea is to let the content-length filter compute the C-L before

we try to send the data. If we can get the C-L correctly, then we

should send it in the HEAD response.

[Ryan Bloom]

*) The Header filter can now determine if a body should be sent based

on r->header_only. The general idea of this is that if we delay

deciding to send the body, then we might be able to compute the

content-length correctly, which will help caching proxies to cache

our data better. Any handler that doesn’t want to try to compute

the content-length can just send an EOS bucket without data and

everything will just work.

[Ryan Bloom]

*) Add the referer to the error log if one is available.

[Markus Gyger ]

*) Mod_info.c has now been ported to Apache 2.0. As a part of this

change, the root of the configuration tree has been exposed to modules

as ap_conftree.

[Ryan Morgan ]

*) Get the core_output_filter to use the bucket interface directly.

This keeps us from calling the content-length filter multiple times

for a simple static request.

[Ryan Bloom]

*) We are sending the content-type correctly now.

[Ryan Bloom and Will Rowe]

*) APR on FreeBSD: Fix a bug in apr_sendfile() which caused us to report

a bogus bytes-sent value when the only thing being sent was trailers

and writev() returned an error (or EAGAIN). [Jeff Trawick]

*) Get SINGLE_LISTEN_UNSERIALIZED_ACCEPT working again. This uses the

hints file to determine which platforms define

SINGLE_LISTEN_UNSERIALIZED_ACCEPT.

[Ryan Bloom]

*) APR: add apr_get_home_directory() [Jeff Trawick]

*) Initial import of 1.3-current mod_proxy. [Chuck Murcko]

*) Not all platforms have INADDR_NONE defined by default. Apache

used to make this check and define INADDR_NONE if appropriate,

but APR needs the check too, and I suspect other applications will

as well. APR now defines APR_INADDR_NONE, which is always a valid

value on all platforms.

[Branko Èibej ]

*) Destroy the pthread mutex in lock_intra_cleanup() for PR#6824.

[Shuichi Kitaguchi ]

*) Relax the syntax checking of Host: headers in order to support


iDNS. PR#6635 [Tony Finch]

*) When reading from file buckets we convert to an MMAP if it makes

sense. This also simplifies the default handler because the

default handler no longer needs to try to create MMAPs.

[Ryan Bloom]

*) BUFF has been removed from the main server. The BUFF code will remain

in the code until it has been purged from the proxy module as well.

[Ryan Bloom]

*) Byteranges have been completely re-written to be a filter. This

has been tested, and I believe it is working correctly, but it could

doesn’t work for the Adobe Acrobat plug-in. The output almost matches

the output from 1.3, the only difference being that 1.3 includes

a content-length in the response, and this does not.

[Ryan Bloom]

*) APR read/write functions and bucket read functions now operate

on unsigned integers, instead of signed ones. It doesn’t make

any sense to use signed ints, because we return the error codes,

so if we have an error we should report 0 bytes read or written.

[Ryan Bloom]

*) Always compute the content length, whether it is sent or not.

The reason for this, is that it allows us to correctly report

the bytes_sent when logging the request. This also simplifies

content-length filter a bit, and fixes the actual byte-reporing

code in mod_log_config.c

[Ryan Bloom]

*) Remove AP_END_OF_BRIGADE definition. This does not signify what

it says, because it was only used by EOS and FLUSH buckets. Since

neither of those are required at the end of a brigade, this was

really signifying FLUSH_THE_DATA, but that can be determined better

by checking AP_BUCKET_IS_EOS() or AP_BUCKET_IS_FLUSH. EOS and FLUSH

buckets now return a length of 0, which is actually the amount of data

read, so they make more sense.

[Ryan Bloom]

*) Allow the core_output_filter to save some data past the end of a

request. If we get an EOS bucket, we only send the data if it

makes sense to send it. This allows us to pipeline request

responses. As a part of this, we also need to allocate mmap

buckets out of the connection pool, not the request pool. This

allows the mmap to outlive the request.

[Ryan Bloom]

*) Make blocking and non-blocking bucket reads work correctly for

sockets and pipes. These are the only bucket types that should

have non-blocking reads, because the other bucket types should

ALWAYS be able to return something immediately.

[Ryan Bloom]

*) In the Apache/Win32 console window, accept Ctrl+C to stop the

server, but use Ctrl+Break to initiate a graceful restart

instead of duplicating behavior. [John Sterling]

*) Patch mod_autoindex to set the Last-Modified header based on

the directory’s mtime, and add the ETag header. [William Rowe]


*) Merge the 1.3 patch to add support for logging query string in

such a way that "%m %U%q %H" is the same as "%r".

[Bill Stoddard]

*) Port three log methods from mod_log_config 1.3 to 2.0:

CLF compliant ’-’ byte count, method and protocol.

[Bill Stoddard]

*) Add a new LogFormat directive, %c, that will log connection

status at the end of the response as follows:

’X’ - connection aborted before the response completed.

’+’ - connection may be kept-alive by the server.

’-’ - connection will be closed by the server.

[Bill Stoddard]

*) Expand APR for WinNT to fully accept and return utf-8 encoded

Unicode file names and paths for Win32, and tag the Content-Type

from mod_autoindex to reflect that charset if the feature

macro APR_HAS_UNICODE_FS is true. [William Rowe]

*) Compute the content length (and add appropriate header field) for

the response when no content length is available and we can’t use

chunked encoding. [Jeff Trawick]

*) Changed ap_discard_request_body() to use REQUEST_CHUNKED_DECHUNK,

so that content input filters get dechunked data when using

the default handler. Also removed REQUEST_CHUNKED_PASS.

[Sascha Schumann]

*) Add mod_ext_filter as an experimental module. This module allows

the administrator to use external programs as filters. Currently,

only filtering of output is supported. [Jeff Trawick]

*) Most Apache functions work on EBCDIC machines again, as protocol

data is now translated (again). [Jeff Trawick]

*) Introduce ap_xlate_proto_{to|from}_ascii() to clean up some of

the EBCDIC support. They are noops on ASCII machines, so this

type of translation doesn’t have to be surrounded by #ifdef

CHARSET_EBCDIC. [Jeff Trawick]

*) Fix mod_include. tag commands work again, and the server will

send the FAQ again. This also allows mod_include to set aside

buckets that include partial buckets.

[Ryan Bloom and David Reid]

*) Add suexec support back. [Manoj Kasichainula]

*) Lingering close now uses the socket directly instead of using

BUFF. This has been tested, but since all we can tell is that it

doesn’t fail, this needs to be really hacked on.

[Ryan Bloom]

*) Allow filters to modify headers and have those headers be sent to

the client. The idea is that we have an http_header filter that

actually sends the headers to the network. This removes the need

for the BUFF to send headers.

[Ryan Bloom]


*) Charset translation: mod_charset_lite handles translation of

request bodies. Get rid of the xlate version of ap_md5_digest()

since we don’t compute digests of filtered (e.g., translated)

response bodies this way anymore. (Note that we don’t do it at

all at the present; somebody needs to write a filter to do so.)

[Jeff Trawick]

*) Input filters and ap_get_brigade() now have a input mode parameter

(blocking, non-blocking, peek) instead of a length parameter.

[hackathon]

*) Update the mime.types file to the registered media types as

of 2000-10-19. PR#6613 [Carsten Klapp ,

Tony Finch]

*) Namespace protect some macros declared in ap_config.h

[Ryan Bloom]

*) Support HTTP header line folding with input filtering.

[Greg Ames]

*) Mod_include works again. This should still be re-written, but at

least now we can serve an SHTML page again.

[Ryan Bloom]

*) Begin to remove BUFF from the core. Currently, we keep a pointer

to both the BUFF and the socket in the conn_rec. Functions that

want to use the BUFF can, functions that want to use the socket,

can. They point to the same place.

[Ryan Bloom]

*) apr_psprintf doesn’t understand %lld as a format. Make it %ld.

[Tomas "Ögren" ]

*) APR pipes on Unix and Win32 are now cleaned up automatically when the

associated pool goes away. (APR pipes on OS/2 were already had this

logic.) This resolvs a fatal file descriptor leak with CGIs.

[Jeff Trawick]

*) The final line of the config file was not being read if there was

no \n at the end of it. This was caused by apr_fgets returning

APR_EOF even though we had read valid data. This is solved by

making cfg_getline check the buff that was returned from apr_fgets.

If apr_fgets return APR_EOF, but there was data in the buf, then we

return the buf, otherwise we return NULL.

[Ryan Bloom]

*) Piped logs work again in the 2.0 series.

[Ryan Bloom]

*) Restore functionality broken by the mod_rewrite security fix:

rewrite map lookup keys and default values are now expanded

so that the lookup can depend on the requested URI etc.

PR #6671 [Tony Finch]

*) SECURITY: Tighten up the syntax checking of Host: headers to fix a

security bug in some mass virtual hosting configurations

that can allow a remote attacker to retrieve some files

on the system that should be inaccessible. [Tony Finch]


*) Add a pool bucket type. This bucket is used for data allocated out

of a pool. If the pool is cleaned before the bucket is destroyed, then

the data is converted to a heap bucket, allowing it to survive the

death of the pool.

[Ryan Bloom]

*) Add a flush bucket. This allows modules to signal that the filters

should all flush whatever data they currently have. There is no way

to actually force them to do this, so if a filter ignores this bucket,

that’s life, but at least we can try with this.

[Ryan Bloom]

*) Add an output filter for sub-requests. This filter just strips the

EOS bucket so that we don’t confuse the main request’s core output

filter by sending multiple EOS buckets. This change also makes sub

requests start to send EOS buckets when they are finished.

[Ryan Bloom]

*) Make ap_bucket_(read|destroy|split|setaside) into macros. Also

makes ap_bucket_destroy a return void, which is okay because it

used to always return APR_SUCCESS, and nobody ever checked its

return value anyway.

[Cliff Woolley ]

*) Remove the index into the bucket-type table from the buckets

structure. This has now been replaced with a pointer to the

bucket_type. Also add some macros to test the bucket-type.

[Ryan Bloom]

*) Renamed all MODULE_EXPORT symbols to AP_MODULE_DECLARE and all symbols

for CORE_EXPORT to AP_CORE_DECLARE (namespace protecting the wrapper)

and retitled API_EXPORT as AP_DECLARE and APR_EXPORT as APR_DECLARE.

All _VAR_ flavors changes to _DATA to be absolutely clear.

[William Rowe]

*) Add support for /, //, //servername and //server/sharename

parsing of blocks under Win32 and OS2.

[Tim Costello, William Rowe, Brian Harvard]

*) Remove the function pointers from the ap_bucket type. They have been

replaced with a global table. Modules are allowed to register bucket

types and use then use those buckets.

[Ryan Bloom]

*) mod_cgid: In the handler, shut down the Unix socket (only for write)

once we finish writing the request body to the cgi child process;

otherwise, the client doesn’t hit EOF on stdin. Small request bodies

worked without this change (for reasons I don’t understand), but large

ones didn’t. [Jeff Trawick]

*) Remove file bucket specific information from the ap_bucket type.

This has been moved to a file_bucket specific type that hangs off

the data pointer in the ap_bucket type.

[Ryan Bloom]

*) Input filtering now has a third argument. This is the amount of data

to read from lower filters. This argument can be -1, 0, or a positive

number. -1 means give me all the data you have, I’ll deal with it and

let you know if I need more. 0 means give me one line and one line

only. A positive number means I want no more than this much data.


Currently, only 0 and a positive number are implemented. This allows

us to remove the remaining field from the conn_rec structure, which

has also been done.

[Ryan Bloom]

*) Big cleanup of the input filtering. The goal is that http_filter

understands two conditions, headers and body. It knows where it is

based on c->remaining. If c->remaining is 0, then we are in headers,

and http_filter returns a line at a time. If it is not 0, then we are

in body, and http_filter returns raw data, but only up to c->remaining

bytes. It can return less, but never more.

[Greg Ames, Ryan Bloom, Jeff Trawick]

*) mod_cgi: Write all of the request body to the child, not just what

the kernel would accept on the first write. [Jeff Trawick]

*) Back out the change that moved the brigade from the core_output_filters

ctx to the conn_rec. Since all requests over a given connection

go through the same core_output_filter, the ctx pointer has the

correct lifetime.

[Ryan Bloom]

*) Fix another bug in the send_the_file() read/write loop. A partial

send by apr_send would cause unsent data in the read buffer to

get clobbered. Complete making send_the_file handle partial

writes to the network.

[Bill Stoddard]

*) Fix a couple of type fixes to allow compilation on AIX again

[Victor J. Orlikowski ]

*) Fix bug in send_the_file() which causes offset to be ignored

if there are no headers to send.

[Bill Stoddard]

*) Handle APR_ENOTIMPL returned from apr_sendfile in the core

filter. Useful for supporting Windows 9* with a binary

compiled on Windows NT.

[Bill Stoddard]

Changes with Apache 2.0a7

*) Reimplement core_output_filter to buffer/save bucket brigades

across multiple calls to the core_filter. The brigade will be

sent when either MIN_BYTES_TO_SEND or MAX_IOVEC_TO_WRITE

thresholds are hit or the EOS bucket is received.

[Bill Stoddard]

*) Create experimental filter (buffer_filter) that coalesces bytes

into one large buffer before invoking the next filter in the

chain. This filter is particularly useful with the current

implementation of mod_autoindex when it inserted above the

chunk_filter. mod_autoindex generates a lot of brigades that

containing buckets holding just a few bytes each. The

buffer_filter coalesces these buckets into a single large bucket.

[Bill Stoddard]

*) Add apr_sendfile() support into the core_output_filter.

[Bill Stoddard]


*) Add apr_sendv() support into the core_output_filter.

[Bill Stoddard]

*) Fix mod_log_config so that it compiles cleanly with BUFFERED_LOGS

[Mike Abbott ]

*) Remove ap_send_fb. This is no longer used in Apache, and it doesn’t

make much sense, because Apache uses buckets instead of BUFFs now.

[Ryan Bloom]

*) send_the_file now falls back to a read/write loop on platforms that

do not have sendfile.

[Ryan Bloom and Brian Havard]

*) Install apachectl correctly, and substitute the proper values so

that it works again. [Ryan Bloom]

*) Better(??) handle platforms that lack sendfile().

[Jim Jagielski]

*) APR now has UUID generation/formatting/parsing support.

[Greg Stein]

*) Begin the http_filter. This is an input filter that understands

the absolute basic amount required to parse an HTTP Request. The

goal is to be able to split headers from request body before passing

the data back to the other filters.

[Ryan Bloom]

*) Bring forward from 1.3.13 the config directory implementation

[Jim Jagielski]

*) install apxs if it is created

[Ryan Bloom]

*) Added APR_IS_STATUS_condition test macros to eliminate canonical error

conversions. [William Rowe]

*) Now that we have ap_add_input_filter(), rename ap_add_filter() to

ap_add_output_filter(). [Jeff Trawick]

*) Multiple build and configuration fixes

Build process:

-add datadir and localstatedir substitutions

-fix layout name

-fix logfilename misspelling

-fix evaluation of installation dir variables and

-replace $foobar by $(foobar) to be usefull in the makefile

Cross compile:

-add rules for cross-compiling in rules.mk. Okay, rule to check for

$CC_FOR_BUILD is still missing

-use CHECK_TOOL instead of CHECK_PROG for ranlib

-add missing "AR=@AR@" to severaly Makefile.in’s

-cache result for "struct rlimit"

-compile all helper programs with native and cross compiler

and use the native version to generate header file


["Rüdiger" Kuhlmann ]

*) Prepare our autoconf setup for autoconf 2.14a and for crosscompiling.

["Rüdiger" Kuhlmann ]

*) Fix a bug where a client which only sends \n to delimit header

lines (netcat) gets a strange looking HTTP_NOT_IMPLEMENTED

message. Start working on ebcdic co-existance with input

filtering.

[William Rowe, Greg Ames]

*) If mod_so is enabled in the server always create libexec, even

if there are no modules installed in this directory. This is a

requirement for APXS to work correctly.

[Ryan Bloom]

*) Connection oriented output filters are now stored in the

conn_rec instead of the request_rec. This allows us to add the

output filter in the pre-connection phase instead of the

post_read_request phase, which keeps us from trying to write an

error page before we have a filter to write to the network.

[Ryan Bloom, Jeff Trawick, and Greg Ames]

*) Cleaning up an mmap bucket no longer deletes the mmap. An

mmap can be used across multiple buckets (default_handler with

byte ranges, mod_file_cache, mod_mmap_static), so cleanup of

the mmap itself can’t be associated with the bucket.

[Jeff Trawick]

*) Add .dll caching directive ISAPICacheFile to mod_isapi.

[William Rowe]

*) Radical surgery to improve mod_isapi support under Win32.

Includes a number of newer ServerSupportFunction calls, support

for ReadClient (in order to retrieve POSTs greater than 48KB),

and general bug fixes to more reliably load ISAPI .dll’s and

prevent leaking handle resources. Note: There are still

discrepancies between IIS’s and Apache’s ServerVariables, and

async calls are still not supported. Additional warnings are

logged to facilitate debugging of unsupported ISAPI calls.

[William Rowe]

*) Add input filtering to Apache. The basic idea for the input

filters is the same as the ideas for output filters. The biggest

difference is that instead of calling ap_pass_brigade, ap_get_brigade

should be called, and the order of execution for the filter itself is

different. When writing an output filter, a brigade is passed in,

and filters operate directly on that brigade, when done, they call

ap_pass_brigade. Input filters are the exact opposite. Because input

is not a push operation, filters first call ap_get_brigade. When this

function returns, the input filter will be left with a valid brigade.

The input filter should then operate on the brigade, and return.

[Ryan Bloom]

*) Fix building on BSD/OS using its native make. The build system

falls back to the BSD .include directive on that host platform.

[Sascha Schumann]

*) Expand dbmmanage to allow -d -m -s -p options for Crypt, MD5,


SHA1 and plaintext password encodings. Make feature tests a

bit more flexible. [William Rowe]

*) Charset translation: mod_charset_lite handles output content

translation in a filter. mod_charset_lite no longer ignores

subrequests. A bunch of cruft related to BUFF’s support for

translating request and response bodies was removed.

[Jeff Trawick]

*) Move the addition of the CORE filter to the post_read_request

hook in http_core.c. This removes the need to add the filter in

multiple places and allows for an SSL module to be added much

simpler. [Ryan Bloom]

*) SECURITY [CVE-2000-0913] (cve.mitre.org):

Fix a security problem that affects certain configurations of

mod_rewrite. If the result of a RewriteRule is a filename that

contains expansion specifiers, especially regexp backreferences

$0..$9 and %0..%9, then it may be possible for an attacker to

access any file on the web server. [Tony Finch]

*) Fix a bug where errors that are detected during early request parsing

don’t produce visible HTTP error messages at the browser, because

the core_filter wasn’t present. [Greg Ames]

*) Provide apr_socklen_t as a portability aid.

[Victor J. Orlikowski]

*) Overhaul of dbmmanage to allow a groups arg (as in Apache 1.2)

as well as a comment arg to the add, adduser and update cmds.

update allows the user to clear or preserve pw/groups/comment.

Fixed a bug in dbmmanage that prevented the check option from

parsing a password followed by :group... text. Corrected the

seed calcualation for Win32 systems, and added -lsdbm support.

[William Rowe]

*) Configured mod_auth_dbm to compile with sdbmlib under Win32.

[William Rowe]

*) Avoid a segfault when parsing .htaccess files. An

uninitialized tree pointer was passed to ap_build_config().

[Jeff Trawick]

*) Change the way that inet_addr & inet_network are checked for

in APR’s configure process to allow BeOS BONE to correctly

find them. With this change BeOS BONE now builds from source

with no problems. [David Reid]

*) Fix a bug in apr_create_process() for Unix. The NULL signifying

the end of the parameters to execve() was stored in the wrong

location, overlaying the storage beyond the newargs[] array and

also passing uninitialized storage to execve(), which would

sometimes fail with EFAULT. [Jeff Trawick]

*) Fix a bug parsing configuration file containers. With a sequence

like this in the config file


any stuff


(blank line)

any stuff


the second container would be terminated at the blank line due to

sediment in the buffer from reading the prior and an

error message would be generated for the real for the

second container. Also due to this problem, any two characters

could be used for "


*) APRVARS.in no longer overwrites the EXTRA_LIBS variable.

[Mike Abbott ]

*) Remove ap_bopenf from buff code. This required modifying the file_cache

code to use APR file’s directly instead of going through BUFFs.

[Ryan Bloom]

*) Fix compile break on some platforms for mod_mime_magic.c

[John K. Sterling ]

*) Fix merging of AddDefaultCharset directive.

PR #5872 (1.3) [Jun Kuriyama ]

*) Minor revamp of the rlimit sections of code. We now test

explicitly for setrlimit and getrlimit. Also, unixd_set_rlimit()

is now "available" even if the platform doesn’t support

the rlimit family (it’s just a noop though). [Jim Jagielski]

*) Migrate the pre-selection of which MPM to use for specific

platforms to hints.m4, which contains (or should contain)

all platform specific "hints". [Jim Jagielski]

*) Remove IOLs from Apache. With filtering, IOLs are no longer necessary

[Ryan Bloom]

*) Add tables with non-string/binary values to APR.

[Ken Coar]

*) Fix some bad calls to ap_log_rerror() in mod_rewrite.

[Jeff Trawick]

*) Update PCRE to version 3.2. [Ryan Bloom]

*) Change the way buckets’ destroy functions are called so that

they can be more directly used when changing the type of a

bucket in place. [Tony Finch]

*) Add generic support for reference-counting the resources used by

buckets, and alter the HEAP and MMAP buckets to use it. Change

the way buckets are initialised to support changing the type of

buckets in place, and use it when setting aside TRANSIENT buckets.

Change the implementation of TRANSIENT buckets so that it can be

mostly shared with IMMORTAL buckets, which are now implemented.

[Tony Finch]

Changes with Apache 2.0a6

*) Add support to Apache and APR for dsos on OS/390. [Greg Ames]

*) Add a chunking filter to Apache. This brings us one step closer

to removing BUFF. [Ryan Bloom]

*) ap_add_filter now adds filters in a LIFO fashion. The first filter

added to the stack is the last filter to be called. [Ryan Bloom]

*) Apache 2.0 has been completely documented using Scandoc. The

docs can be generated by running ’make docs’. [Ryan Bloom]

*) Add filtered I/O to Apache. This is based on bucket brigades,


Currently the buckets still use BUFF under the covers, but that

should change quickly. The only currently written filter is the

core filter which just calls ap_bwrite. [The Apache Group]

*) APR locks on Unix: Let APR_LOCKALL locks work when APR isn’t

built with thread support. [Jeff Trawick]

*) Abort configuration if --with-layout was specified and there’s

no layout definition file. [Ken Coar]

*) Add support for ’--with-port=n’ option to configure. [Ken Coar]

*) Add support for extension methods for the Allow response header

field, and an API routine for accessing r->allowed and the

list of extension methods in a unified manner. [Ken Coar]

*) mod_cern_meta: fix broken file reading loop in scan_meta_file().

[Rob Simonson ]

*) Get xlate builds working again. The apr renaming in 2.0a5 broke

APACHE_XLATE builds. [Jeff Trawick]

*) A configuration file parsing problem was fixed. When the

configuration file started with an IfModule/IfDefine container,

only the last statement in the container would be retained.

[Jeff Trawick]

Changes with Apache 2.0a5

*) Perchild is serving pages after passing them to different child

processes. There are still a lot of bugs, but this does work. I

have made requests against the same installation of Apache, and had

different servers use different user IDs to serve the responses.

This change moves to using socketpair instead of an AF_UNIX socket.

[Ryan Bloom]

*) Perchild MPM still doesn’t work perfectly, but it is serving pages.

It can’t seem to pass between child processes yet, but I think we

are closer now than before. This moves us back to using Unix

Domain Sockets. [Ryan Bloom]

*) libapr functions and types renamed with apr_ prefix.

#include "apr_compat.h" for 1.3.x backwards compat

[Perl]

*) Fix problems with APR sockaddr handling on Win32. It didn’t always

return the right information on the local socket address.

[Gregory Nicholls ]

*) ap_recv() on Win32: Set bytes-read to 0 on error.

[Gregory Nicholls ]

*) Add an option to not detach from the controlling terminal without

going into single process mode. This allows for much easier

debugging of the process startup code. [Ryan Bloom]

*) ab: don’t use perror() to report the failure of an APR function.

[Jeff Trawick]

*) Make dexter, mpmt_pthread, and perchild MPMs not destroy the


scoreboard on graceful restarts.

[Ryan Bloom]

*) Fix segfault/SIGSEGV when running gzip from mod_mime_magic.c.

An invalid ap_proc_t was passed to ap_create_process().

[Jeff Trawick]

*) Allow modules to register filters. Those filters are still

never called, but this is a step in the right direction.

[Ryan Bloom and Greg Stein]

*) Register the mod_cgid daemon process for cleanup so that it is

killed at termination if it does not die when the parent gets

SIGTERM. This change is to fix occasional problems where the

process stays around. Bugs in similar logic in mod_rewrite and

mod_include were also fixed. [Jeff Trawick]

*) Fix a bug in the time handling. Basically, we were imploding a time

in ap_parseHTTPdate, but it had bogus data in the exploded time format.

Namely, tm_usec and tm_gmtoff were not filled out. ap_implode_time

uses those two fields to adjust the time value. Because of the HTTP

spec, both of those values can be zero’ed out safely. This fixes

the bug correctly. [Ryan Bloom]

*) Fix a couple of place in the Windows code where the wrong error

code was being returned. [Gregory Nicholls ]

*) Fix POOL_DEBUG (at least for prefork mpm). [Dean Gaudet]

*) Added the APR_EOL_STR macro for platform dependent differences in

logfiles and other raw text (such as all APR files). Fixes logfiles

not terminated with cr/lf sequences in Win32. [William Rowe]

*) Move all strings functions in APR to src/lib/apr/strings and create

apr_strings.h for the prototypes. [Ryan Bloom]

*) APR lock fixes: when using SysV sems, flock(), or fcntl(), be sure

to repeat the syscall until we stop getting EINTR. I noticed a

related problem at termination (SIGTERM) on FreeBSD when using

fcntl(). Apache 1.3 had these new loops too. Also, make the flock()

implementation work properly with child init. Previously, ap_lock()

was essentially a no-op because all children were using different

locks and thus nobody ever blocked. [Jeff Trawick]

*) The htdocs/ tree has been moved out of the CVS source tree into

a separate area for easier development. This has NO EFFECT on

end-users or Apache installations. [Ken Coar]

*) Integrate the mod_dav module for WebDAV protocol handling. This

adds the dav and dav_fs modules, the SDBM library, and additional

XML handling utilities. [Greg Stein]

*) Clean out obsolete names (from httpd.h) for the HTTP Status Codes

[Greg Stein]

*) Update the lib/expat-lite/ library (bring forward changes from

the Apache 1.3 repository). [Greg Stein]

*) If sizeof(long long) == sizeof(long), then prefer long in APR

configure.in. [Dave Hill ]


*) Add ap_sendfile for Tru64 Unix. Also, add an error message for

machines where sendfile is detected, but nobody has written ap_sendfile.

[Dave Hill ]

*) Compile fixes in mod_mmap_static. [Victor J. Orlikowski]

*) ab would start up more connections than needed, then quit when the

desired number were finished. Also fixed a logic error involving

ab keepalives. [Victor J. Orlikowski]

*) WinNT: Implement non-blocking pipes with timeouts to communicate

with CGIs. Apache 2.0a4 had non-blocking pipes but without

timeouts (i.e, if a timeout was specified, the pipe reverted to

a full blocking pipe). Now the behaviour is more in line with

Unix non-blocking pipes.

[Bill Stoddard]

*) WinNT: Implement accept socket reuse. Using mod_file_cache to

cache open file handles along with accept socket reuse enables

Apache 2.0 to serve non-keepalive requests for static files at

3x the rate of Apache 1.3.(e.g, Apache 1.3 will serve 400 rps

and Apache 2.0 will serve almost 1200 rps on my system).

[Bill Stoddard]

*) Merge mod_mmap_static function into mod_file_cache. mod_file_cache

supports two config directives, mmapfile (same behavious as

mod_mmap_static) and cachefile. Use the cachefile directive

to cache open file handles. This directive only works on systems

that have implemented the ap_sendfile API. cachefile works today

on Windows NT, but has not been tested on any flavors of Unix.

[Bill Stoddard]

*) Cleanup the configuration. With the last few changes the

configuration process automatically:

inherits information about how to build from APR. Allowing

APR to inform Apache that it should or should not use -ldl

Detects which mod_cgi should be used mod_cgi or mod_cgid,

based on the threading model

Apache calls APR’s configure process before finishing it’s

configuration processing, allowing for more information flow

between the two.

[Ryan Bloom]

*) Change Unix and Win32 ap_setsockopt() so that APR_SO_NONBLOCK

with non-zero argument makes the socket non-blocking. BeOS and

OS/2 already worked this way. [Jeff Trawick]

*) ap_close() now calls ap_flush() for buffered files, so write

operations work a whole lot better on buffered files.

[Jeff Trawick]

*) Fix error messages issued from MPMs which explain where to change

compiled-in limits (e.g., ThreadsPerChild, MaxClients, StartTreads).

[Greg Ames]

*) ap_create_pipe() now leaves pipes in blocking state. (This helps


educe the number of syscalls on Unix.) ap_set_pipe_timeout() is

now the way that the blocking state of a pipe is manipulated.

ap_block_pipe() is gone. [Jeff Trawick]

*) Correct the problem where the only local host name that the IP stack

can discover are ’undotted’ private names. If no fully qualified

domain name can be identified, the default ServerName will be set to

the machine’s IP address string. A warning is always provided if the

ServerName not specified, but assumed. Solves PR6215 [William Rowe]

*) Repair problems with config file processing which caused segfault

at init when virtual hosts were defined and which caused ServerName to

be ignored when there was no valid DNS setup. [Jeff Trawick]

*) Removed pointless ap_is_aborted macro function. [Roy Fielding]

*) Add ap_sendfile implementation for AIX

[Victor J. Orlikowski]

*) Repair C++ compatibility in ap_config.h, apr_file_io.h,

apr_network_io.h, and apr_thread_proc.h.

[Tyler J. Brooks , Jeff Trawick]

*) Bring the allocation and pool debugging code back into a working

state. This will need to be tested as so far it’s only been used on

BeOS. [David Reid]

*) Change configuration command setup to be properly typesafe when in

maintainer mode. Note that this requires a compiler that can initialise

unions. [Ben Laurie]

*) Turn on buffering for config file reads. Part of this was to

repair buffered I/O support in Unix and implement buffered

ap_fgets() for all platforms. [Brian Havard, Jeff Trawick]

*) Win32: Fix problem where UTC offset was not being set correctly

in the access log. Problem reported on news group by Jerry Baker.

[Bill Stoddard]

*) Fix segfault when reporting this type of syntax error:

" without matching section", where

container is VirtualHost or Directory or whatever.

[Jeff Trawick]

*) SECURITY [CAN-2000-1204] (cve.mitre.org):

Prevent the source code for CGIs from being revealed when

using mod_vhost_alias and the CGI directory is under the document root

and a user makes a request like http://www.example.com//cgi-bin/cgi

as reported in

[Tony Finch]

*) Add support for the new Beos NetwOrking Environment (BONE)

[David Reid]

*) xlate: ap_xlate_conv_buffer() now tells the caller when the

final input char is incomplete; ap_bwrite_xlate() now handles

incomplete final input chars. [Jeff Trawick]

*) Yet another update to saferead/halfduplex stuff -- need to ensure

that a bhalfduplex call occurs before logging or else DNS and


such can delay the last packet of the response. [Dean Gaudet]

*) Some syscall reduction in APR on unix -- don’t seek when setting

up an mmap; and don’t fcntl() more than once per socket.

[Dean Gaudet]

*) When mod_cgid is started as root, the cgi daemon now switches

to the configured User/Group (like other httpd processes)

instead of continuing as root. [Jeff Trawick]

*) The prefork MPM now uses an APR lock for the accept() mutex.

It has not been getting a lock at all recently. httpd -V now

displays APR’s selection of the lock mechanism instead of the

symbols previously respected by prefork. [Jeff Trawick]

*) Change the mmap() feature test to check only for existence.

The previous check required features not used by Apache.

[Greg Ames]

*) Fix a couple of bugs in mod_cgid: The cgi arguments were

sometimes mangled. The len parm to accept() was not

initialized, leading sometimes to an endless loop of failed

accept() calls on OS/390 and anywhere else that failed the call

if the len was negative. Use for struct sockaddr_un

instead of declaring it ourselves to fix a compilation problem

on Solaris. [Jeff Trawick]

*) Add Resource limiting code back into Apache 2.0. [Ryan Bloom]

*) Fix zombie process problem with mod_cgi. [Jeff Trawick]

*) Port mod_mmap_static to 2.0. Make it go faster. [Greg Ames]

*) Fix storage overlay when loading dsos. Symptom: Apache dies at

initialization if ALLOC_DEBUG is defined; no known symptom

otherwise. [Jeff Trawick]

*) Fix typo in configure script when checking for mod_so. bash

doesn’t seem to have a problem but /bin/sh on Solaris does.

Symptom: "./configure: test: unknown operator =="

[Jeff Trawick]

*) Rebind the Win32 NT and 9x services control into the MPM.

All console, WinNT SCM and Win9x pseudo-service control code is

now wrapped within the WinNT MPM.

[William Rowe]

*) Make a copy of getenv("PATH") before storing for later use. Some

getenv() implementations use the same storage for successive calls.

CGIs on OS/390 had a bad PATH due to this. [Jeff Trawick]

*) Server Tokens work in 2.0 again. This also propogates the change

to allow just the product name in the server string using

PRODUCT_ONLY.

[Ryan Bloom]

Changes with Apache 2.0a4

*) EBCDIC: Rearrange calls to ap_checkconv() so that most handlers

won’t need to call it. [Greg Ames, Jeff Trawick]


*) Move pre_config hook call to between configuration read and config

tree walk. This allows all modules to implement pre_config hooks

and know that they will be called at an appropriate time.

[Ryan Bloom]

*) mod_cgi, mod_cgid: Make ScriptLog directive work again.

[Jeff Trawick]

*) Add pre-config hooks back to all modules.

[Ryan Bloom]

*) Fix a SIGSEGV in ap_md5digest(), which is used when you have

ContentDigest enabled and we can’t/don’t mmap the file.

[Jeff Trawick]

*) We now report the correct line number for syntax errors in config

files. [Ryan Bloom, Greg Stein, Jeff Trawick]

*) Brought mod_auth_digest up to synch with 1.3, fixed ap_time_trelated

bugs, and changed shmem/locking to use apr API. Shared-mem

is currently disabled, however, because of problems with graceful

restarts. [Ronald Tschalär]

*) Fix corruption of IFS variable in --with-module= handling.

Depending on the user’s shell or customization thereof, there

would be errors generating ap_config_auto.h later in the configure

procedure. [Jeff Trawick]

*) mod_cgi: Restore logging of stderr from child process when ScriptLog

isn’t used (as in 1.3), except that on Unix it is now logged via

ap_log_rerror() instead of by the child having STDERR_FILENO refer

to the error log. [Greg Ames, Jeff Trawick]

*) Add ’-D’ argument processing for run time configuration defines.

[William Rowe]

*) Organize http_main.c as independent code, such that no code or

global data is exported from it. WIN32 will dynamically link it

to the server core, so this will prevent mutual dependency.

[William Rowe]

*) Add separate dynamic linkage tags APR_EXPORT(), APR_EXPORT_NONSTD()

and APR_VAR_EXPORT to correctly resolve apr functions and globals.

[William Rowe]

*) Add Win9x service execution and Ctrl+C/Ctrl+Break/Shutdown handlers.

[William Rowe, Jan Just Keijser ]

*) Add mod_charset_lite for configuring character set translation.

[Jeff Trawick]

*) Add ’-n’ option to htpasswd to make it print its user:pw record

on stdout rather than having to frob a text file. [Ken Coar]

*) Fix saferead. Basically, we flush the output buffer if a read on the

input will block.

[Ryan Bloom]

*) APR: Add ap_xlate_get_sb() so that an app can find out whether or not


a conversion is single-byte only. [Jeff Trawick]

*) BEOS: ap_shutdown should return APR_SUCCESS or errno. Note that

the BeOS 5.0 documentation says that shutdown doesn’t work yet.

[Roy Fielding]

*) Fix some minor errors where pid was being manipulated as an int

instead of the portable pid_t. [Roy Fielding]

*) Fix some error log prints that were printing the pointer to a

structure rather than the pid within the structure.

[Jeff Trawick, Roy Fielding]

*) ab: Fix a command-line processing bug; track bad headers in

err_response; support reading headers up to 2K.

[Ask Bjoern Hansen ]

*) Fix ap_resolve_env() so that it handles new function added in a prior

alpha (see "Added the capability to do ${ENVVAR} constructs in the

config file.") as well as the constructs used by mod_rewrite.

[Paul Reder ]

*) Apache 2.0 builds and runs on OS/390. [Jeff Trawick, Greg Ames]

*) Change the EBCDIC support in functions for MD5, SHA1, and base 64 to use

APR to perform translation, instead of accessing the hard-coded tables

in 1.3’s ebcdic.c. [Jeff Trawick]

*) Fix some bugs (mostly lost 1.3 code) in ab’s command-line processing.

[Jeff Trawick]

*) Add the ability to hook into the config file reading phase. Basically

if a directive is specified EXEC_ON_READ, then when that directive is

read from the config file, the assocaited function is executed. This

should only be used for those directives that must muck with HOW the

server INTERPRETS the config. This should not be used for directives

that re-order or replace items in the config tree. Those changes should

be made in the pre-config step.

[Ryan Bloom]

*) Add mod_example to the build system.

[Tony Finch]

*) APR: Add ap_xlate_conv_byte() to convert one char between singlebyte

character sets. [Jeff Trawick]

*) Pick up various EBCDIC fixes from 1.3 (from Martin

Kraemer and Oliver Reh originally according to the change log).

[Jeff Trawick]

*) Fix a couple of problems in RFC1413 support (controlled by the

IdentityCheck directive). Apache did not build the request string

properly and more importantly Apache would loop forever if the

would-be ident server dropped the connection before sending a

properly terminated response. [Jeff Trawick]

*) apxs works in 2.0.

[Ryan Bloom]

*) Reliable piped logs work in 2.0.


[Ryan Bloom]

*) Introduce a hash table implementation into APR to be used for

replacing tables and other random data structures in Apache.

[Tony Finch]

*) Add some more error reporting to htpasswd in the case of problems

generating or accessing the temporary file. Also, pass in a

buffer if the implementation knows how to use it (i.e., if L_tmpnam

is defined). [Ken Coar]

*) Configure creates config.nice now containing your configure

options. Syntax: ./config.nice [--more-options]

[Sascha Schumann]

*) Fix various return code problems in APR on Win32. For most of

these, APR was returning APR_EEXIST instead of GetLastError()/

WSAGetLastError(). [Jeff Trawick]

*) Make piped logs work again in version 2.0

[Ryan Bloom]

*) Add VPATH support to UNIX build system of Apache and APR.

[Sascha Schumann]

*) Fix ap_tokenize_to_argv to respect the const arguments that are

passed to it.

[Ryan Bloom]

*) Fix mm’s memcpy/memset macros, pointer arithmetic was broken.

Patch submitted to author.

[Sascha Schumann]

*) Fix mm configuration on Solaris 8 x86 and OS/390. Don’t require

/sbin in PATH on FreeBSD (all submitted to rse previously)

[Jeff Trawick]

*) Fix building Pthread-based MPMs on OpenBSD

[Sascha Schumann] PR#26

*) Fix ap_readdir() problem on systems where d_name[] field in

struct dirent is declared with only one byte. (This problem only

affected multithreaded builds.) This caused a segfault during

pool cleanup with mod_autoindex on Solaris (Solaris 8 x86, at

least). [Jeff Trawick]

*) Fix some make-portability problems on at least Tru64, Irix

and UnixWare.

[Sascha Schumann] PR#18, PR#39

*) Add ap_sigwait() to support old-style sigwait() on systems

like OS/390 and UnixWare.

[Sascha Schumann]

*) Add POSIX-thread flags for more platforms.

[Sascha Schumann]

*) Fix some minor bugs in ap_strerror(). Teach ap_strerror()

(on Unix, at least) to handle resolver errors. Fix a bug in

the definition of APR_ENOMEM so that ap_strerror() can spit


out the correct error message for it.

[Jeff Trawick]

Changes with Apache 2.0a3

*) mod_so reports ap_os_dso_error() if ap_dso_load() fails

[Doug MacEachern]

*) API: *HOOK* macros now have an AP_ prefix

[Doug MacEachern]

*) Win32: Eliminate redundant calls to initialize winsock.

[Tim Costello ]

*) Fix bugs initializing ungetchar for pipes.

[Chia-liang Kao ]

*) The ab program in the src/support directory is now portable using

APR.

[Ryan Bloom]

*) Support directory is being compiled when the server is built

[Ryan Bloom]

*) The configure option --with-program-name has been added to allow

developers to rename the executable at configure time. This also

changes the name of the config files to match the executable’s name.

[Ryan Bloom]

*) mod_autoindex: Add ‘IndexOptions +VersionSort’, to nicely sort filenames

containing version numbers. [Martin Pool]

*) ap_open(..,APR_OS_DEFAULT,..) uses perms 0666 instead of 0777 on

Unix; access_log and error_log now created with these perms; non-

Unix is unaffected [Jeff Trawick]

*) Finished move of ap_md5 routines to apr_md5. Removed ap_md5.h.

Replaced more magic numbers with MD5_DIGESTSIZE.

[William Rowe, Roy Fielding]

*) Win32: Get mod_auth_digest compiling and added to the Windows

build environment. Not tested and I’d be suprised if it

actually works. [Bill Stoddard]

*) Revamp the Win32 make environment. Makefiles have been removed and

Apache.dsw created to bring together all the pieces. Create new file

os/win32/BaseAddr.ref to define module base addresses (to prevent

dll relocation at start-up).

[William Rowe, Greg Marr, Tim Costello, Bill Stoddard]

*) [EBCDIC] Port Paul Gilmartin’s CRLF patch from 1.3. This replaces most

of the \015, \012, and \015\012 constants with macros.

[Greg Ames]

*) Add ap_xlate_open() et al for translation of text between different

character sets. The initial implementation requires iconv().

[Jeff Trawick]

*) More FAQs and answers from comp.infosystems.www.servers.unix.

[Joshua Slive ]


*) CGI output is being timed out now.

[Ryan Bloom]

*) Fix the problem with dieing quietly. dupfile now takes a pool which

is used by the new apr file. There is no reason to create a new file

with the same lifetime as the original file.

[Ryan Bloom]

*) Win32: Attempt to eliminate dll relocation at start-up by specifying

module base addresses. This will help shooting seg faults

in the field. [William Rowe ]

*) Update Apache on Windows documentation. Add new document

describing how to compile Apache on Windows.

[William Rowe ]

*) ap_set_pipe_timeout(), ap_poll(), and APR_SO_TIMEOUT now take

microseconds instead of seconds. Some storage leaks and other

minor bugs in related code were fixed. [Jeff Trawick]

*) Win32: First cut at getting mod_isapi working under 2.0

[William Rowe ]

*) First stab at getting mod_auth_digest working under 2.0

quick change summary:

- moved the random byte generation (ap_generate_random_bytes) into APR

- now uses ap_time_t

- compiles and runs on linux

- tested with amaya

[Brian Martin ]

*) Win32: Move the space stripping of physical service names

fix up from Apache 1.3. #include’ing "ap_mpm.h" fixes up an

unresolved symbol. Add dependency checking to the

CreateService call to ensure TCPIP and AFP (winsock) is started

before Apache.

[William Rowe ]

*) Win32: Add code to perform latebinding on functions that may

not exist on all levels of Windows where Apache runs. This

is needed to allow Apache to start-up on Win95/98. All calls

to non portable functions should be protected with

ap_oslevel checks to prevent runtime segfaults.

[William Rowe ]

*) Fix fallback default values for SHM_R and SHM_W [Martin Kraemer]

*) Get lingering_close() working again. [Dean Gaudet, Jeff Trawick]

*) Win32: Get non-blocking CGI pipe reads working under Windows NT.

This addresses PR 1623. Still need to address timing out runaway

CGI scripts. [Bill Stoddard]

*) Win32: Make ap_stat Windows 95/98 friendly

[William Rowe ]

*) Win32: Fix a bug in ap_get_oslevel which causes GetVersionEx() to

always fail. Need to initialise the dwOSVersionInfoSize member of the

OSVERSIONINFO struct before calling GetVersionEx, so GetVersionEx


always fails.

The patch also enhances ap_get_oslevel (and the associated enum) to

handle selected service packs for NT4, and adds recognition for

Windows 2000. This is useful, eg. if we can recognise NT4 SP2 then

we can use ReadFileScatter and WriteFileGather in readwrite.c.

[Tim Costello ]

*) Get mod_rewrite building and running, and mod_status building for Win NT

[Allan Edwards ]

*) Patch to port mod_auth_db to the 2.0 api and also to support

Berlekey DB 3.0. It works for me with both Berkeley DB 3.0.55 and

2.7.7. It should work with version 1 as well but I haven’t tested it.

[Brian Martin ]

*) Get APR DSO code working under Windows. Includes cross platform

fixes to mod_so.c.

[]

*) Fix some of the Windows APR time functions.

[William Rowe]

*) FAQ changes related to tidying up historical documents on the web site.

[Joshua Slive ]

*) Move Windows DSO code into APR.

[Bill Stoddard]

*) Eliminate apr_win.h and apr_winconfig.h (and the ugly #ifdefs they cause).

Now, apr.h and apr_config.h are generated from apr.hw and apr_config.hw

at build time. At this point, the server will not compile on Windows because

of the recent DSO commits. Fixing those next.

[Bill Rowe & Bill Stoddard]

*) Added error checking for file I/O APR routines.

[Jon Travis ]

*) APR: Don’t use the values of resolver error codes for the

corresponding APR error codes. On Unix and Win32, return the

proper APR error code after a resolver error. [Jeff Trawick]

Changes with Apache 2.0a2

*) Renamed the executable back to httpd on all platforms other

than Win32

[Ryan Bloom]

*) Allow BeOS to survive restarts, log properly and a few

small things it had problems with due to the way it setup

users and groups. [David Reid]

*) Get mod_rewrite working with APR locks

[Paul Reder ]

*) Actually remove the sempahore when the lock cleanup routine

is called on BeOS. [David Reid]

*) Clear hook registrations between reads of the config file.

When DSOs are unloaded and re-loaded the old hook pointers may


no longer be valid. This fix eliminates potential segfaults.

[Allan Edwards ]

*) Fix a problem with Sigfunc not being defined or bypassed

if sigaction() wasn’t found. [Jim Jagielski]

*) Fix the locking mechanism on BSD variants. They now use fcntl

locks. This allows the server to start and serve pages.

[Ryan Bloom]

*) First cut at getting the Win32 installer to work

[William Rowe ]

*) Get htpasswd compiling under Windows

[William Rowe ]

*) Change the log message for a bind() failure to show the

interface and port number. [Jeff Trawick]

*) Import the documentation from 1.3.12 and bring parts of it

up-to-date with respect to the changes that have occurred

in 2.0.

[Tony Finch]

*) BeOS MPM updated. CGI bug on BeOS fixed. IP addresses

now logged correctly on BeOS.

[David Reid]

*) Create one makefile for all Win32 distributions (NT/2000/95/98).

Makefile.win includes the same user interface as the old

Makefile.nt

[William Rowe , Jeff Trawick ]

*) Win32 exec now uses COMSPEC environment string for command

shell path resolution.

[William Rowe ] PR#3715

*) Win32: ap_connect() was not returning correct error condition

PR5866

[Allen Prescott ]

*) Win32: ap_open() was broken on Win9x because an NT-specific

flag was passed to CreateFile. ap_puts() added an unnecessary

’\n’.

[Jeff Trawick ]

*) Put in Korean and Norwegian index.html pages (2.0 and 1.3)

which where donated by Lee Kuk Hyun and Lorant Czaran. ’Fixed’

confusing ee/et name and made all extensions language/dialect

rather than country reflecting. Changed example files to

explicit reflect the ISO charset and added a few common

ones to the example config [dirkx]

*) Extend external module capability. To use this, you call

configure with --with-module=path/to/mod1,path/to/mod2,etc.

[Ryan Bloom]

*) Backported the various "default charset" fixes from 1.3.12,

including the AddDefaultCharset directive. [Jim Jagielski]


*) Added the capability to do ${ENVVAR} constructs in the

config file. E.g. ’ServerAdmin ${POSTMASTER}’. As commited

it does this on a line by line basis; i.e. if the envvar

expands to something with spaces you have to protect it

by adding quotes around it (Unless of course you expect it

to contains more than one argument. Alternatively you

can compile it on a per token basis; which is what people

usually expect by setting RESOLVE_ENV_PER_TOKEN. But this

hampers fancier hacks.

[Dirk-Willem van Gulik]

*) Changed the ’ErrorDocument’ syntax in that it NO longer

supports the asymetric

ErrorDocument 301 "Some message

Note the opening " quote, without a closing quote. It now

has either the following syntaxes

ErrorDocument XXX /local/uri

ErrorDocument XXX http://valid/url

ErrorDocument XXX "Some Message"

The recognition heuristic is: if it has a space it

is a message. If it has no spaces and starts with a /

or is a valid URL then treat it that way. Otherwise it

is assumed to be a message.

This breaks backward compatibility but makes live a hell

of a lot easier for GUI’s and config file parsers.

[Dirk-Willem van Gulik]

*) Changed ’CacheNegotiatedDocs’ from its present/not-present

syntax into a ’on’ or ’off’ syntax. As it currently is the

only non nesting token which uses NO_ARGS and thus is an

absolute pain for any config interface automation. This

breaks backward compatibility. [Dirk-Willem van Gulik]

*) Add ability to add external modules to the build process. This is

done with --with-module=/path/to/module. Modules can only be added

as static modules at this point.

[Ryan Bloom]

Changes with Apache 2.0a1

*) Fix FreeBSD 3.3 core dump.

Basically, ap_initialize() needs to get called before

create_process(), since create_process() passes op_on structure

to semop() to get a lock, but op_on isn’t initialized until

ap_initialize() calls setup_lock(). Here is a slight

rearrangement to main() which calls ap_initialize() earlier...

[Jeff Trawick ]

*) Enable Apache to use sendfile/TransmitFile API

[Bill Stoddard, David Reid, Paul Reder]

*) Re-Implement Win32 APR network I/O APIs and most of the file I/O

APIs.

[Bill Stoddard]


*) Make file I/O and network I/O writev/sendv APIs consistent.

Eliminate use of ap_iovec_t and use Posix struct iovec.

Use seperate variable on ap_writev to set the number of iovecs

passed in and number of bytes written.

[Bill Stoddard]

*) Adapt file iol to use APR functions. Replaced ap_open_file()

with ap_create_file_iol(). ap_create_file_iol() requires that

the file be opened prior to the call using ap_open().

[Bill Stoddard]

*) Port mod_include and mod_cgi to 2.0

[Paul Reder, Bill Stoddard]

*) ap_send{,v}, ap_recv, ap_sendfile API clarification -bytes_read/bytes_written

is always valid (never -1). Plus

some fixes to buff.c to correct problems introduced by the

errno => ap_status_t changes a while back. Plus a fix to

chunked encoding introduced right at the beginning of 2.0.

[Dean Gaudet]

*) Revamped UNIX build system to use autoconf and libtool.

[Manoj Kasichainula, Sascha Schumann]

*) port mod_rewrite to 2.0. [Paul J. Reder ]

*) SECURITY: More rigorous checking of Host: headers to fix security

problems with mass name-based virtual hosting (whether using mod_rewrite

or mod_vhost_alias).

[Ben Hyde, Tony Finch]

*) Add back support for UseCanonicalName in containers.

[Manoj Kasichainula]

*) Added APLOG_STARTUP log type. This allows us to write an error

message without any of the date and time information. As a part

of this change, I also removed all of the calls to fprintf(stderr

and replaced them with calls to ap_log_error using APLOG_STARTUP

writing to stderr is no longer portable, because we don’t direct

stderr to the error log on all platforms.

[Ryan Bloom]

*) Convert error logging functions to take errno as an argument.

This makes our error logs more portable, because some Windows API’s

don’t set errno. This change allows us to still output a valid

message on all of our platforms.

[Ryan Bloom]

*) mod_mime_magic runs in 2.0-dev now.

[Paul Reder ]

*) sendfile has been added to APR.

[John Zedlewski ]

*) buff.c has been converted to no longer use errno.

[Manoj Kasichainula]

*) mod_speling runs in 2.0-dev now: a bug in readdir_r handling and

interface adaption to APR functions did it. [Martin Kraemer]


*) Support DSOs properly on 32-bit HP-UX 11.0

[Dilip Khandekar ]

*) Updated MM in APR source tree from version 1.0.8 to 1.0.11

[Ralf S. Engelschall]

*) Cleaned APR build environment integration and bootstrap APR

automatically for developers from src/Configure.

[Ralf S. Engelschall]

*) Fixed building of src/support/htpasswd.c

[Ralf S. Engelschall]

*) When generating the Location: header, mod_speling forgot

to escape the spelling-fixed uri. (Forw-Port from 1.3)

[Martin Kraemer]

*) Moved mod_auth_digest.c from experimental to standard. [Roy Fielding]

*) Change all pools to APR contexts. This is the first step to

incorporating APR into Apache. [Ryan Bloom]

*) Move "handler not found" warning message to below the check

for a wildcard handler. [Dirk , Roy Fielding]

PR#2584, PR#2751, PR#3349, PR#3436, PR#3548, PR#4384, PR#4795, PR#4807

*) Support line-continuation feature in config.option file and

allow the loading of multiple option sections at once via

‘‘--with-option=,,...’’

[Ralf S. Engelschall]

*) Rebuilt CVS repository with Apache 1.3.9 as basis. [Roy Fielding]

Changes with Apache MPM

This is a demo version of txt2pdf v.10.1

Developed by SANFACE Software http://www.sanface.com/

Available at http://www.sanface.com/txt2pdf.html

Hooray! Your file is uploaded and ready to be published.

Saved successfully!

Ooh no, something went wrong!