Changes for 1.5.2a ------------------ *) Only enable keep alive from CGI scripts with content lengths and if keep alive is enabled on the server *) Delete preceding white space on CGI headers *) Fix HTTP/1.1 protocal bug (if agent requested HTTP/1.1, server responded with HTTP, now responds with HTTP/1.0 which is spec) *) Added SERVER_ROOT CGI var *) Should escape # character in directory indexing *) Add MaxRequestsPerChild support, so that errors in state can be swept under the carpet Changes for 1.5.2 ------------------ *) Changed getline rfc822 line wrap to check for validity of the next bits before attempting to see them *) Changed imagemap.c so relative URLs actually work *) Don't core dump on a method only request *) reset errno to 0 in send_fp so we break out of loop *) somewhere we stopped killing cgi scripts on SIGALRM and SIGPIPE *) changed group handling support to support multiple groups again *) reset content_length before scanning cgi headers, not after *) don't free env var in replace (it uses allocate now) *) Only look for path_info if its part of the requested URL (as opposed to keep looking until you hit a real directory) *) Make make_dirstr() in util.c return / instead of null if n = 1 *) Added FCGI support from Openmarket *) Added support for Linux 2.0 *) Added support for SCO OpenServer 5 Changes for 1.5.1 ------------------ *) Imagemaps (both internal and external) now add the path of the map file for non full path urls in the map file *) A couple logging functions didn't check reqInfo->remote_name for a NULL *) change getuid to geteuid in httpd.c so that effectively root people can start the server and have it change uids *) Slight code rearrangement to make Redirects from .htaccess more useful because the file doesn't have to exist. *) Added support for restricted access by Referer field *) Added OnDeny command for Limit directive which allows a redirect on failure (esp. useful for denying by referer) *) Added string allocating mechanism for speed *) Added CONTENT_MD5 header support from patches by Martin Hamilton (martin@net.lut.ac.uk) *) Server doesn't keep creating more structures in the event of KeepAlive *) Added bounds checking for security structures *) Fixed Order mutual-failure *) Support both CERN and NCSA style imagemaps (on a line by line basis) *) Attempting to make the server thread safe *) First attempt at allowing ErrorDocument 401s as html files (still broken) *) Fixed string searching for user in group *) Close csd (socket) on exec of CGI scripts so that client doesn't hang waiting for the scripts (and their children) to finish *) made a single interface for most output functions to make it easier to go to different output functions (SSL is a good example) *) remove path_args/path_alias crap, and put it in reqInfo structure *) Why do we require full URLs in Redirect? A local (root) url should work fine *) Redirect from .htaccess should work now (completely) *) Added hack to allow SSI of CGI, at a great expense of speed (CGI_SSI_HACK) *) Made getline() code re-entrant (now has its own sock_buf struct) Fixes for 1.5c ------------------ *) add newline character to list of characters to strip from shell cmds to prevent security hole *) in_ip patch is broken, revert to the old way *) Clean up possible memory leak in status_line code from CGI scripts *) Fix possible SIGSEGV condition in send_fd_timed_out() *) Fixed Mutual-Failure *) If you don't have a require or allow line in the .htaccess LIMIT section, it wouldn't work (ie, just deny), now fixed *) change getuid to geteuid in httpd.c so that effectively root people can start the server and have it change uids *) Fix group checking Fixes for 1.5a ------------------- *) Typo/Thinko for http_access.c which makes order deny/allow not work as documented Fixes for 1.5 Final ------------------- *) Clean up makefiles *) Fix mixed up rfc931 strings (remote_logname) *) Fixed multiple string lengths in get_mime_headers() and scan_script_headers() *) set standalone to 0 after cgi fork so that errors cause exit *) clean up local redirects *) clean up send_fd and send_fp code *) fixed domain restriction bug (last one, I hope) *) changed code for checking for owner of symbolic links *) allow SRM config in server conf with tag *) don't leak file pointer on access_syntax_error() *) Use send_fd for exec cgi and cmd in SSI *) send back 204 no content as default for imagemaps which have no default *) clear default array in imagemap first *) TACHOMETER off by one *) include config.h and portability.h in support programs *) recoded no2slash to fix possible security holes *) set ownDNS to TRUE for DNSmode Minimal Fixes for 1.5 Beta 7 ------------------- *) typo: strncat for strncpy in DOCUMENT_URI setting for SSI *) various domain restriction bugs *) DNSMode support *) DNSMode Minimum should now do the DNS lookup for authentication if necessary *) RESOURCE_LIMIT compile time option makes MaxServers the hard limit for number of servers to run. *) fix imagemap for full urls *) fix referer logging in error_log *) fix SSI file closing *) fixed LOCAL hack to check if remote_host is NULL *) setrlimit (NOFILES) to try and raise the number of file descriptors allowed as high as possible. *) Added patch by Stuart Lynne (sl@wimsey.com) to make proc title a tachometer *) Possible fixes for loop errors and spontaneous 403 errors Fixes for 1.5 Beta 6 -------------------- *) Added SERVER_ADMIN CGI Variable per requests *) Added LOCAL hack to allow matching in domain restriction of all local hostnames (Maurizio Codogno (mau@beatles.cselt.stet.it)) *) Added support for HTTP/1.1 Host: header for virtual host support *) Various includes file and portability fixes *) Fixed weird special case of domain restriction failure from access.conf in conjunction with having .htaccess files *) Fixed new VirtualHost ErrorDocument support so as not to cause SIGSEGV *) Moved RefererIgnore matching to log_transaction() to allow HTTP/1.1 host support to work *) Changed debugging dump (SIGUSR1) *) Typo in ErrorDocument settings *) Added Optional and Required parameters to VirtualHost configuration tag to allow for a single host configuration failure not to bring down all of them *) Added patch by Elf Sternberg (elf@aaden.spry.com) to allow configuring of process titles in SETPROCTITLE *) Change LogType to LogOptions and added a new option (ServerName) which will log the servername of the request to the access_log *) Added CoreDirectory directive to tell HTTPd where to dump core Fixes for 1.5 Beta 5 -------------------- *) Added support for Combined LogType (CLF with referer and useragent) *) Added check at launch to attempt to keep people from leaving a security hole open by leaving the log file directory writeable by the wrong people *) Added support for internal imagemap support *) Added support for VirtualHost level ErrorDocuments *) Added date stamp to UserAgent and RefererLogs to allow for easier correlation *) Added file descriptor wrappers for directories and DBM files *) Fix SSI bug where index filename not added to DOCUMENT_URI *) Don't pass PATH_INFO information to index files unless specifically refered to (ie, do in case of /index.cgi/wow, but not in /wow) *) Add "fix" by Sun for better performance under Solaris *) Change children proctitle to "idle" *) Removed getdomainname patch, its not portable and not the right thing to do *) changed atoi() in uname2id() and gname2id() to scan_long. If the atoi failed, it would return 0, causing the server to run as root Fixes for 1.5 Beta 4 -------------------- *) Fixed typo in FD_LINUX support *) Fixed support for NeXT platform *) order of operations wrong on restart *) Now pass environment to CGI script from SSI *) Fix Alias/ScriptAlias/Redirects for VirtualHost *) Fix if all of POST data read on first pass, don't try to read more as seen through CERN proxy *) Work around for systems which don't support numeric IP addresses passed to gethostbyname() *) Added log_reason for non-exec CGI *) Pass reqInfo to init_header_vars() in local redirects from cgi scripts *) use unbuffered i/o for file writes to fix fwrite bug on AIX 3.2.5 for PowerPC *) fix write loop for send_script() for CGI scripts *) use stat inplace of lstat to fix IfSymLinkOwner bug if link to link to file *) should now recognize and use numeric IP on systems with older versions of bind which don't support a numeric IP to gethostbyname() *) Fix SSI, flastmod wasn't working *) freeing ENV array at the wrong time, esp. in SSI *) Fix refererignore again *) Ultrix not brain dead since 4.4, so put #define in old hack for determining which version of ultrix you are compiling on *) possible help for get_local_host() on some systems which didn't work before *) HEAD_GETPASS for ultrix in support directory Fixes for 1.5 Beta 3 -------------------- *) Fixes to various scripts for cleaner compiles *) Added KeepAlive directives to example httpd.conf *) Fixed Makefile support for SVR4, added ConvexOS, QNX, ATTSVR3 from 1.4.2 *) Cleaned up header include directives for portability *) Added file descriptor wrapper to prevent leaks *) Cleaned up exec code, so forked child always dies even if exec() fails in a funny way (should make sure no children of children get left around) *) file descriptor leak if CGI script returns Location header closed *) attempt to keep environment and authorization between multiple requests like for internal redirects and on ErrorDocument *) Added NIS_SUPPORT patch by Kevin Ruddy *) Fixed Multiple referer ignore *) fixed an off by one error in environment handling (env.c). Probable cause of coredumps on Solaris machines, possibly others. *) Now allow DocumentRoot in httpd.conf file (for VirtualHosts) *) Added support for Linux file descriptor passing /proc hack *) Cleaned up File Not Found error message (per HyperNews suggestion) *) Allow restart when relative path used with -f on command line Vince Tkac (tkac@oclc.org) *) Cleaned up Restart code ( kill -HUP ). Should now work on all systems regardless of optimization *) Cleaned up sockaddr usage *) Moved socket initialiazation to its own function *) Now log start command to error_log *) Improved usage function (for -v command line) *) Made sigjmp_buf default define for JMP_BUF (missed from 1.4.2) *) Fixed getline() Fixes for 1.5 Beta 2 -------------------- *) To fix AddType .cgi completely, now has a single virtual path for any method to a "standard document" and checks just before sending if the method is valid for the document type. *) General code reorganization, including renaming of scripts to cgi and removing all method specific files, and creating an http_send for the new general case *) Moved all non-security compile time options to config.h *) Support for profiling the code added *) A/UX, SVR4, SCO3 support updated *) New type of process title changing subroutine added, and made a compile time option *) Collapsed number of malloc()'s for performance *) DBM support now properly #define'd *) Duh, always initialize url/args/filename *) fixed multihome support to allow more than 2 entries *) fixed access control *) log missing user attempt - Gioacchino La Vecchia (gio@di.unipi.it) *) explicitly allow or disallow certain server configuration directives in virtual hosts *) strip ending / on document root at configuration time *) stat filesystem for .htaccess files instead of checking failure of fopen() for speed improvement *) change order of mime initialization to get actual location of file first *) missing LF in redirect message from die() *) actually log the error message if using an error document for 500 errors *) close more file descriptors on errors *) make separate content_type variables for type as sent and type of reply *) allow Connection header to be made into a CGI variable *) fix signal handling during CGI *) Only shutdown(sd,0) to disallow receives not sends and receives This fix was for OSF/1 2.0, but may fix AIX problems of garbling ends of images *) attempt to lessen the number of fflush()'s called during a transaction *) move local variables that might be clobbered by setjmp/longjmp *) call tzset on all systems *) log errno on some errors *) log which URL is being aborted or timing out *) Keberos fixes *) Multiple referer ignore added *) Probably some I've missed New for 1.5 Beta 1 ------------------ *) Multiple Directory Indexes allowed *) Redirects from .htaccess files *) RedirectPermanent *) MD5 Digest Authentication *) Kerberos v4 Authentication *) Kerberos v5 Authentication *) Connection: Keep-Alive extension *) DBM support for .htpasswd/.htgroup files *) Enhanced Access Control *) Multihome/Virtual Interface support