Bug report for Apache httpd-1.3 [2009/10/04]
Status:   UNC=Unconfirmed NEW=New ASS=Assigned OPN=Reopened VER=Verified
          (Skipped Closed/Resolved)
Severity: BLK=Blocker CRI=Critical REG=Regression MAJ=Major
          MIN=Minor NOR=Normal ENH=Enhancement TRV=Trivial

|Bug ID|Status|Severity|Date Posted|Description|
|10744|New|Nor|2002-07-12|suexec might fail to open log file|
|10747|New|Maj|2002-07-12|ftp SIZE command and 'smart' ftp servers results i|
|10760|New|Maj|2002-07-12|empty ftp directory listings from cached ftp direc|
|14518|Opn|Reg|2002-11-13|QUERY_STRING parts not incorporated by mod_rewrite|
|16013|Opn|Nor|2003-01-13|Fooling mod_autoindex + IndexIgnore|
|16631|Inf|Min|2003-01-31|.htaccess errors logged outside the virtual host l|
|17318|Inf|Cri|2003-02-23|Abend on deleting a temporary cache file if proxy|
|19279|Inf|Min|2003-04-24|Invalid chmod options in solaris build|
|21637|Inf|Nor|2003-07-16|Timeout causes a status code of 200 to be logged|
|21777|Inf|Min|2003-07-21|mod_mime_magic doesn't handle little gif files|
|21975|Opn|Nor|2003-07-29|mod_rewrite RewriteMap from external program gets|
|22618|New|Maj|2003-08-21|MultiViews invalidates PATH_TRANSLATED if cgi-wrap|
|25057|Inf|Maj|2003-11-27|Empty PUT access control in .htaccess overrides co|
|26126|New|Nor|2004-01-14|mod_include hangs with request body|
|26152|Ass|Nor|2004-01-15|Apache 1.3.29 and below directory traversal vulner|
|26790|New|Maj|2004-02-09|error deleting old cache file|
|29257|Opn|Nor|2004-05-27|Problem with apache-1.3.31 and mod_frontpage (dso,|
|29498|New|Maj|2004-06-10|non-anonymous ftp broken in mod_proxy|
|29538|Ass|Enh|2004-06-12|No facility used in ErrorLog to syslog|
|30207|New|Nor|2004-07-20|Piped logs don't close read end of pipe|
|30877|New|Nor|2004-08-26|htpasswd clears passwd file on Sun when /var/tmp i|
|30909|New|Cri|2004-08-28|sporadic segfault resulting in broken connections|
|31975|New|Nor|2004-10-29|httpd-1.3.33: buffer overflow in htpasswd if calle|
|32078|New|Enh|2004-11-05|clean up some compiler warnings|
|32539|New|Trv|2004-12-06|[PATCH] configure --enable-shared= brocken on SuSE|
|32974|Inf|Maj|2005-01-06|Client IP not set|
|33086|New|Nor|2005-01-13|unconsistency betwen 404 displayed path and server|
|33495|Inf|Cri|2005-02-10|Apache crashes with WSADuplicateSocket failed for|
|33772|New|Nor|2005-02-28|inconsistency in manual and error reporting by sue|
|33875|New|Enh|2005-03-07|Apache processes consuming CPU|
|34108|New|Nor|2005-03-21|mod_negotiation changes mtime to mtime of Document|
|34114|New|Nor|2005-03-21|Apache could interleave log entries when writing t|
|34404|Inf|Blk|2005-04-11|RewriteMap prg can not handle fpout|
|34571|Inf|Maj|2005-04-22|Apache 1.3.33 stops logging vhost|
|34573|Inf|Maj|2005-04-22|.htaccess not working / mod_auth_mysql|
|35424|New|Nor|2005-06-20|httpd disconnect in Timeout on CGI|
|35439|New|Nor|2005-06-21|Problem with remove /../ in util.c and mod_rewri|
|35547|Inf|Maj|2005-06-29|Problems with libapreq 1.2 and Apache::Cookie|
|3|New|Nor|2005-06-30|Can't find DBM on Debian Sarge|
|36375|Opn|Nor|2005-08-26|Cannot include http_config.h from C++ file|
|37166|New|Nor|2005-10-19|Under certain conditions, mod_cgi delivers an empt|
|37252|New|Reg|2005-10-26|gen_test_char reject NLS string|
|38989|New|Nor|2006-03-15|restart + piped logs stalls httpd for 24 minutes (|
|39104|New|Enh|2006-03-25|[FR] fix build with -Wl,--as-needed|
|39287|New|Nor|2006-04-12|Incorrect If-Modified-Since validation (due to syn|
|39937|New|Nor|2006-06-30|Garbage output if README.html is gzipped or compre|
|40224|Ver|Nor|2006-08-10|System time crashes Apache @year 2038 (win32 only?|
|41279|New|Nor|2007-01-02|Apache 1.3.37 htpasswd is vulnerable to buffer ove|
|42355|New|Maj|2007-05-08|Apache 1.3 permits non-rfc HTTP error code = 600|
|43626|New|Maj|2007-10-15|r-path_info returning invalid value|
|44768|New|Blk|2008-04-07|Server suddenly reverted to showing test page only|
Re: [mod_fcgid proposal] defining processing options for particular commands
Ricardo Cantu wrote:
On Friday 02 October 2009 11:10:25 am Barry Scott wrote:
Jeff Trawick wrote:
On Fri, Oct 2, 2009 at 5:15 AM, Barry Scott barry.sc...@onelan.co.uk wrote:
Jeff Trawick wrote:

(instead of based on uri or vhost)

FCGIDCommand /path/to/command
    IdleTimeout n
    MaxProcessLifetime n
    MinProcesses n
    MaxProcesses n
    MaxRequestsPerProcess n
    InitialEnv var[=val] ...
    class

(the names of these options follow my proposal for the names of existing directives ;) )

When a command is to be started by mod_fcgid, any options specified for the command on this directive override those defined for the uri, vhost, global, or the defaults.

When a wrapper is used, it is that wrapper which must be specified on this directive.

This directive is not required unless one or more options must be customized for a command.

Initially this would be allowed only in global sections.

InitialEnv can be repeated.

Regarding *class*: Something is needed to disable or alter existing management of applications based on their class. Currently a class is limited to the processes started by the same command within the same vhost (except when ServerName isn't specified) with the same identity.

One possibility is to provide an option to ignore the vhost name when managing the class (IgnoreVHost or ClassIsGlobal). Another possibility is to set the name of the class to be used in lieu of the virtual host (ClassName foo), which could be used to the same effect but might be more useful in the future when the process manager can see per-server configs (for existing directives as well as FCGIDCommand).

None of this would affect the identity checks. (Processes with different uid/gid would never be considered to be in the same class.)

This seems to offer all the features of mod_fastcgi process configuration and then go usefully beyond what mod_fastcgi does.

Thanks for looking. Does anyone else care to comment?

Is it possible to also ask for the fcgi process to be started before any request arrives?

Sure. I guess there could be some InitialProcesses n option on this directive. (If this appears to be forgotten, open a bug at https://issues.apache.org/bugzilla/ and set the severity to enhancement. Product = Apache httpd-2, component = mod_fcgid.)

BTW, do you need to pre-spawn just on general principle (don't want any initial delay), or is the on-demand spawning not aggressive enough, such that it takes too long to create an adequate number of application processes?

We have a setup that can be CPU time and memory limited. Using Static servers allows the start up overhead to be suffered once at boot time. Our fast CGI servers are python processes that run very fast but can be slow to start, a few seconds, which is bad for response times.

So do you want a fixed number of these python processes to be pre-spawned and for the pm to stay out of the way? (never start any more or terminate any that were pre-spawned)

Fixed number pre-spawned, never terminated. If any die then restart them.

Barry
Re: small docu enhancement
On Mon, Oct 5, 2009 at 12:14 AM, Guenter Knauf fua...@apache.org wrote:

Hi,
every now and then I get asked about why Apache doesn't start, and it always turns out that folks try to load 2.0.x modules into 2.2.x, or even 1.3.x modules into 2.0.x ...

therefore I posted already about 4 years this on my site:
http://www.gknw.net/phpbb/viewtopic.php?t=88
so that I only need to point to this ...

just today got another discussion about this, and I believe it's not enough to just tell the user 'Apache 2.2.x is incompatible with Apache 2.0.x', but instead we should explain a bit more like I did with my post, and even that is often not sufficient to convince the average user - well it convinces certainly that it's wasted time to try further, but it does not convince why we do the MMN check at all.

Probably someone has a good suggestion how to formulate this so that a *user* can understand? And even more important can we perhaps post this then on the httpd main page?

something short and sweet will have to be good enough, lest we detract from the overall message (and probably fail to convince some people anyway)

Modules built for Apache 2.0 or earlier are not compatible with Apache 2.2; contact the supplier for a replacement.

(and similar for Apache 2.0)

This could go in the introductory paragraph of the new features page. Hopefully people are clicking on that link?
Re: Time for a 2.3/2.4 branch?
Jim Jagielski wrote:

start cutting alpha releases :-)

I suggested a 2.3.3a about a month ago and the silence was deafening.

As wrowe pointed out, there is a lot of work still to do - modules need to be documented, or marked for removal if abandoned. If we branched v2.4.x now, we would have to do this work twice, once on trunk, and a second time on the v2.4 branch.

I don't think we're quite ready to branch trunk yet, there is still more work to do, but cutting alphas will definitely get the momentum going.

Regards,
Graham
--
Re: Time for a 2.3/2.4 branch?
On Oct 5, 2009, at 7:34 AM, Graham Leggett wrote:
Jim Jagielski wrote:

start cutting alpha releases :-)

I suggested a 2.3.3a about a month ago and the silence was deafening.

I don't think we're quite ready to branch trunk yet, there is still more work to do, but cutting alphas will definitely get the momentum going.

I'm going to go thru and see what tasks need to be done and try to start documenting them as release showstoppers, and in parallel try to get a 2.3.3-alpha out.
Re: adding mod_reqtimeout to trunk?
Thx... I'm updating it with an eye to making it core, and therefore having

    ReqTimeout headerinit=5 headermax=10

Let me know if I can help w/ the docs.

On Oct 4, 2009, at 3:40 PM, Stefan Fritsch wrote:
On Sunday 04 October 2009, Nick Kew wrote:

FWIW, IMO it should go in modules/filters not experimental.

+1. trunk is, by definition, experimental. But when we float off 2.3/4-branch, we should perhaps do some documentation of stability levels of different features and modules for users. I might open a wiki page to collect information on the subject.

I agree and would rather reserve modules/experimental for modules that have known issues.

I have committed mod_reqtimeout to trunk. I haven't finished the docs, yet.
Re: QoS marking by default on sockets
On 10/02/2009 02:11 PM, Paul Querna wrote:
On Fri, Oct 2, 2009 at 2:04 PM, Philip A. Prindeville philipp_s...@redfish-solutions.com wrote:

Hi. I haven't contributed to Apache in about 10 years, so it's been a while since I've stared at the source.

I did, however, recently pull down the 2.2.13 tarball and did:

[phil...@builder ~/httpd-2.2.13]$ find . -type f -print | xargs grep IP_TOS
[phil...@builder ~/httpd-2.2.13]$

Hmmm. Any reason that HTTP traffic wouldn't be QoS marked so that it can be handled properly? (Assuming that we have or will have net-neutrality... ;-) )

I just don't want software updates (which aren't time critical but *do* suck down huge amounts of bandwidth) degrading my VoIP service... Seems reasonable, right?

Of course, we could mark all open sockets as AF11 (for instance)... but then if you have a cgi plugin generating video, it would have to re-setsockopt() the socket to remark the traffic appropriately... Is that overly burdensome? Or reasonable?

A patch to configure it at runtime (maybe per-directory?) would be a reasonable thing to include. Wouldn't be that bad, just a request output filter that set the socket opt and then removed itself.

I was thinking of marking the socket on listen(), and then letting the marking be changed, either by plugins or else by server directives (as you say, per-directory, or per content-type, etc.)

-Philip
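The marking discussed in this thread, as an added example that is not code from httpd or from any poster: a default DSCP is applied to an IPv4 socket with setsockopt(IP_TOS) and later changed on the same descriptor. The helper names af_dscp, set_dscp and get_dscp are hypothetical, and AF41 for the video case is an assumed choice; IPv6 sockets would use IPV6_TCLASS instead.

```c
#include <stdio.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/ip.h>

/* DSCP for Assured Forwarding class `cls` (1-4), drop precedence `drop` (1-3).
 * RFC 2597 layout: AFxy = 8x + 2y, so AF11 = 10 and AF41 = 34. */
int af_dscp(int cls, int drop)
{
    if (cls < 1 || cls > 4 || drop < 1 || drop > 3)
        return -1;
    return 8 * cls + 2 * drop;
}

/* Mark an IPv4 socket. DSCP occupies the upper six bits of the TOS byte;
 * the lower two bits are ECN and are carried over unchanged. */
int set_dscp(int fd, int dscp)
{
    int tos = 0;
    socklen_t len = sizeof(tos);

    if (dscp < 0 || dscp > 63)
        return -1;
    if (getsockopt(fd, IPPROTO_IP, IP_TOS, &tos, &len) != 0)
        return -1;
    tos = (dscp << 2) | (tos & 0x03);
    return setsockopt(fd, IPPROTO_IP, IP_TOS, &tos, sizeof(tos));
}

/* Read the marking back so the caller can confirm it took effect. */
int get_dscp(int fd)
{
    int tos = 0;
    socklen_t len = sizeof(tos);

    if (getsockopt(fd, IPPROTO_IP, IP_TOS, &tos, &len) != 0)
        return -1;
    return (tos & 0xff) >> 2;
}

int main(void)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) { perror("socket"); return 1; }

    /* Server-wide default, applied to the socket before listen(). */
    if (set_dscp(fd, af_dscp(1, 1)) != 0) { perror("IP_TOS"); return 1; }
    printf("default marking: DSCP %d\n", get_dscp(fd));

    /* A handler producing video re-marks its own connection (assumed AF41). */
    if (set_dscp(fd, af_dscp(4, 1)) != 0) { perror("IP_TOS"); return 1; }
    printf("re-marked:       DSCP %d\n", get_dscp(fd));

    close(fd);
    return 0;
}
```
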
[PATCH PR-24329] - mod_rewrite and CONNECT requests
I hope someone from the official dev team can merge this into the next release of apache httpd.

Please find attached an svn diff made against revision 820823 of:
http://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x/modules/mappers/mod_rewrite.c

This diff fixes the Bug 29744 on the Bugzilla:
Bug: https://issues.apache.org/bugzilla/show_bug.cgi?id=47928
Patch: https://issues.apache.org/bugzilla/attachment.cgi?id=24329

This fix allows mod_rewrite to handle CONNECT requests (by not trying to fully qualify the substitution string). The current behavior is that mod_rewrite tries to connect to http[s]://ourhost[:ourport]/host:port.

I checked with the RFC (http://www.ietf.org/rfc/rfc2817.txt):

    A CONNECT method requests that a proxy establish a tunnel connection on its behalf. The Request-URI portion of the Request-Line is always an 'authority' as defined by URI Generic Syntax [2], which is to say the host name and port number destination of the requested connection separated by a colon:

        CONNECT server.example.com:80 HTTP/1.1
        Host: server.example.com:80

This patch will allow a CONNECT request to simply connect to the host:port specified in the substitution string of the rewrite rule.

Hopefully this is enough detail to help.

Thank you,
BillZ

mod_rewrite.c.unified.diff.patch Description: Binary data
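The difference described in this message, as an added example that is not the attached patch and not mod_rewrite code: one function builds the target with and without CONNECT awareness, and a validator accepts only the host:port authority form quoted from RFC 2817. The names is_connect_authority and build_target and the host proxy.example.org are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* 1 if s is exactly host ":" port (RFC 2817 authority form), else 0. Host is a
 * reg-name/IPv4 or bracketed IPv6 literal; userinfo, paths, junk are rejected. */
int is_connect_authority(const char *s)
{
    const char *colon, *p;
    char *end;
    if (*s == '[') {
        const char *rb = strchr(s, ']');
        if (!rb || rb == s + 1 || rb[1] != ':') return 0;
        for (p = s + 1; p < rb; p++)
            if (!isxdigit((unsigned char)*p) && *p != ':' && *p != '.')
                return 0;
        colon = rb + 1;
    } else {
        colon = strrchr(s, ':');
        if (!colon || colon == s) return 0;
        for (p = s; p < colon; p++)
            if (!isalnum((unsigned char)*p) && *p != '.' && *p != '-')
                return 0;
    }
    if (!isdigit((unsigned char)colon[1])) return 0;
    long port = strtol(colon + 1, &end, 10);
    return *end == '\0' && port >= 1 && port <= 65535;
}

/* connect_aware == 0: a substitution without a scheme is always qualified as
 * scheme://host:port/subst, the behaviour the report describes.
 * connect_aware == 1: a CONNECT substitution must be a bare authority and is
 * copied unchanged. Returns 0, or -1 on invalid input or truncation. */
int build_target(const char *method, const char *subst, int connect_aware,
                 const char *scheme, const char *host, int port,
                 char *out, size_t outlen)
{
    int n;
    if (connect_aware && strcmp(method, "CONNECT") == 0) {
        if (!is_connect_authority(subst)) return -1;
        n = snprintf(out, outlen, "%s", subst);
    } else if (strstr(subst, "://")) {
        n = snprintf(out, outlen, "%s", subst);
    } else {
        n = snprintf(out, outlen, "%s://%s:%d%s%s", scheme, host, port,
                     subst[0] == '/' ? "" : "/", subst);
    }
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    char a[128], b[128];
    const char *s = "server.example.com:80"; /* target from the RFC excerpt */
    build_target("CONNECT", s, 0, "http", "proxy.example.org", 8080, a, sizeof a);
    build_target("CONNECT", s, 1, "http", "proxy.example.org", 8080, b, sizeof b);
    printf("unaware: %s\naware:   %s\n", a, b);
    return 0;
}
```

Rejecting anything that is not a bare authority keeps a rewrite rule from turning a CONNECT into a tunnel to a string that only looks like host:port.
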
Re: svn commit: r821989 - in /httpd/site/trunk: dist/Announcement2.2.html dist/Announcement2.2.txt dist/binaries/win32/README.html docs/doap.rdf docs/download.html docs/index.html xdocs/doap.rdf xdocs
minf...@apache.org wrote:

Author: minfrin
Date: Mon Oct 5 20:11:21 2009
New Revision: 821989
URL: http://svn.apache.org/viewvc?rev=821989&view=rev
Log: Prepare the announcement for httpd v2.2.14.

SvnPubSub works great :)

Would it be possible for someone to eyeball these changes and make sure I didn't miss anything out or break anything?

Unless I hear any objections, will send out the announcement itself within the next two hours or so.

Regards,
Graham
--
Re: svn commit: r821993 - in /httpd/httpd/trunk: CHANGES docs/manual/mod/mod_cache.xml modules/cache/mod_cache.c
On 10/05/2009 10:27 PM, minf...@apache.org wrote:

Author: minfrin
Date: Mon Oct 5 20:27:19 2009
New Revision: 821993
URL: http://svn.apache.org/viewvc?rev=821993&view=rev
Log: mod_cache: Teach CacheEnable and CacheDisable to work from within a Location section, in line with how ProxyPass works.

Modified:
    httpd/httpd/trunk/CHANGES
    httpd/httpd/trunk/docs/manual/mod/mod_cache.xml
    httpd/httpd/trunk/modules/cache/mod_cache.c

Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=821993&r1=821992&r2=821993&view=diff
== --- httpd/httpd/trunk/CHANGES [utf-8] (original) +++ httpd/httpd/trunk/CHANGES [utf-8] Mon Oct 5 20:27:19 2009 @@ -10,6 +10,9 @@ mod_proxy_ftp: NULL pointer dereference on error paths. [Stefan Fritsch sf fritsch.de, Joe Orton] + *) mod_cache: Teach CacheEnable and CacheDisable to work from within a + Location section, in line with how ProxyPass works. [Graham Leggett]

It should be noted that this doesn't work with regular expressions / LocationMatch.

Regards
Rüdiger
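Review bot: The CHANGES entry added by this hunk says CacheEnable and CacheDisable work "from within a Location section" without stating whether regular-expression sections (LocationMatch) are covered. State the scope in the entry itself, or in the mod_cache.xml change listed in the same commit, so that an administrator reading the changelog does not assume a regex-scoped CacheDisable takes effect.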
Re: svn commit: r821993 - in /httpd/httpd/trunk: CHANGES docs/manual/mod/mod_cache.xml modules/cache/mod_cache.c
Ruediger Pluem wrote:

It should be noted that this doesn't work with regular expressions / LocationMatch.

True, let me take a closer look.

Regards,
Graham
--
Re: svn commit: r821989 - in /httpd/site/trunk: dist/Announcement2.2.html dist/Announcement2.2.txt dist/binaries/win32/README.html docs/doap.rdf docs/download.html docs/index.html xdocs/doap.rdf xdo
On Mon, Oct 5, 2009 at 4:15 PM, Graham Leggett minf...@sharp.fm wrote:
minf...@apache.org wrote:

Author: minfrin
Date: Mon Oct 5 20:11:21 2009
New Revision: 821989
URL: http://svn.apache.org/viewvc?rev=821989&view=rev
Log: Prepare the announcement for httpd v2.2.14.

SvnPubSub works great :)

Would it be possible for someone to eyeball these changes and make sure I didn't miss anything out or break anything?

The security aspect of the bundling of APR and APR-util needs to be tweaked. Does this look right?

Index: dist/Announcement2.2.html === --- dist/Announcement2.2.html(revision 822019) +++ dist/Announcement2.2.html(working copy) @@ -21,8 +21,8 @@ pleased to announce the release of version 2.2.14 of the Apache HTTP Server (Apache). This version of Apache is principally a security and bug fix release. Notably, this version bundles the APR Library - version 1.3.9 and APR Utility Library version 1.3.9, which address - a security concern which may be triggered by some third party modules. + version 1.3.9, which addresses a security concern with the Prefork + and Event MPMs on Solaris 10. /p p Index: dist/Announcement2.2.txt === --- dist/Announcement2.2.txt(revision 822019) +++ dist/Announcement2.2.txt(working copy) @@ -4,8 +4,8 @@ pleased to announce the release of version 2.2.14 of the Apache HTTP Server (Apache). This version of Apache is principally a security and bug fix release. Notably, this version bundles the APR Library - version 1.3.9 and APR Utility Library version 1.3.9, which address - a security concern which may be triggered by some third party modules. + version 1.3.9, which addresses a security concern with the Prefork + and Event MPMs on Solaris 10. We consider this release to be the best version of Apache available, and encourage users of all prior versions to upgrade.
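Review bot: In the dist/Announcement2.2.html hunk the replacement lines drop "and APR Utility Library version 1.3.9" entirely, so the announcement no longer tells readers which APR-util version is bundled. If only the security clause was inaccurate, keep the bundling statement for both libraries and attach the Solaris 10 Prefork/Event MPM wording to the APR Library alone.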
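Review bot: In the dist/Announcement2.2.txt hunk the new sentence "addresses a security concern with the Prefork and Event MPMs on Solaris 10" carries no advisory reference or identifier, so a reader cannot look up the issue or confirm whether a given deployment is affected. Add a pointer to the corresponding advisory or CHANGES entry next to that sentence, and keep the wording identical to the .html hunk.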
Re: svn commit: r821989 - in /httpd/site/trunk: dist/Announcement2.2.html dist/Announcement2.2.txt dist/binaries/win32/README.html docs/doap.rdf docs/download.html docs/index.html xdocs/doap.rdf xdo
Jeff Trawick wrote:

The security aspect of the bundling of APR and APR-util needs to be tweaked. Does this look right?

It does, thanks for taking a look.

Regards,
Graham
--
Re: [mod_fcgid proposal] defining processing options for particular commands
On Fri, Oct 2, 2009 at 10:47 AM, Ricardo Cantu rica...@smartcsc.com wrote:

mod_fastcgi's FastCgiServer directive is similar in some respects to the one I propose in this thread, but it has a key difference: It implies that at least one instance/process will be maintained at all times, irrespective of load.

This can already be done with FCGIDDefaultMinClassProcessCount.

For better or for worse, MinClassProcessCount doesn't result in a pool of processes being started. It means that a process that has exceeded its idle time or process lifetime won't be terminated unless there are more than MinClassProcessCount instances. (maybe it means other stuff too)

AFAICT, mod_fcgid only creates processes on-demand at present.

The primary motivation for my new directive is to specify options that sometimes need to be associated with the application itself and not with the context of a particular request that the application can handle.

This is perfect.

Regardless, an option like InitialProcesses could be specified to pre-spawn processes. Another approach, instead of specifying something like InitialProcesses with the other options, is to call this options directive FCGIDCommandOptions, and have another directive that specifies that the command is in fact a static application (to borrow the terminology from mod_fastcgi). Whether an application is started on demand or maintained perpetually (static application), any options specified on FCGIDCommandOptions would override settings from the vhost or defaults.

I like the FCGIDCommandOptions idea. There are really two concepts here that need to be addressed.

FCGIDCmdOptions is soon to be committed. Initially it will provide only a different way to associate existing types of configuration with a command.

One: Would you like your process pre-spawned (and how many) then controlled by the pm based on load and various other directives?

Two: Would you like your process pre-spawned and left alone? (Except for requests that need to be aborted due to hanging up the server)

Hopefully this can be implemented with one directive that specifies that a certain number of copies of a command should be started, and existing settings (and maybe a new setting or two) can control which of these two flavors you get?