1 APACHE 2.0 STATUS: -*-text-*-
2 Last modified at [$Date: 2001/12/07 15:33:58 $]
6 2.0.30 : In development
7 2.0.29 : tagged November 27, 2001
8 2.0.28 : released November 13, 2001
9 2.0.27 : rolled November 6, 2001
10 2.0.26 : tagged October 16, 2001. not rolled.
11 2.0.25 : rolled August 29, 2001
12 2.0.24 : rolled August 18, 2001
13 2.0.23 : rolled August 9, 2001
14 2.0.22 : rolled July 29, 2001
15 2.0.21 : rolled July 20, 2001
16 2.0.20 : rolled July 8, 2001
17 2.0.19 : rolled June 27, 2001
18 2.0.18 : rolled May 18, 2001
19 2.0.17 : rolled April 17, 2001
20 2.0.16 : rolled April 4, 2001
21 2.0.15 : rolled March 21, 2001
22 2.0.14 : rolled March 7, 2001
23 2.0a9 : released December 12, 2000
24 2.0a8 : released November 20, 2000
25 2.0a7 : released October 8, 2000
26 2.0a6 : released August 18, 2000
27 2.0a5 : released August 4, 2000
28 2.0a4 : released June 7, 2000
29 2.0a3 : released April 28, 2000
30 2.0a2 : released March 31, 2000
31 2.0a1 : released March 10, 2000
33 Please consult the following STATUS files for information
37 * srclib/apr-util/STATUS
42 * If any request gets to the core handler, without a flag that this
43 r->filename was tested by dir/file_walk, we need to 500 at the very
44 end of the ap_process_request_internal() processing. This provides
45 authors of older modules better compatibility, while still improving
46 the security and robustness of 2.0.
47 Status: still need to decide where this goes, OtherBill comments...
48 Message-ID: <065701c14526$495203b0$96c0b0d0@roweclan.net>
49 we need to look at halting this in the 'default handler' case,
50 and that implies pushing the 'handler election' into the request
51 internal processing phase from the run request phase.
53 * There is a bug in how we sort some hooks, at least the pre-config
54 hook. The first time we call the hooks, they are in the correct
55 order, but the second time, we don't sort them correctly. Currently,
56 the modules/http/config.m4 file has been renamed to
57 modules/http/config2.m4 to work around this problem, it should moved
58 back when this is fixed. rbb
60 * The Add...Filter and Set...Filter directives do not allow the
61 administrator to order filters, beyond the order of filename (mime)
62 extensions. It isn't clear if Set...Filter(s) should be inserted
63 before or after the Add...Filter(s) which are ordered by sequence of
64 filename extensions. At minimum, some sort of +-[0-10] syntax seems
65 like the quickest fix for a 2.0 gold release.
67 * mod_negotiation needs a new option or directive, something like
68 ForceLanguagePriority, to fall back to the LanguagePriority
69 directive instead of returning a "no acceptable variant" error.
70 Status: Bill has some code in his tree that accomplishes
71 this, and will commit it Friday after it's tested.
73 * Fold mod_auth_db features back into mod_auth_dbm, and depricate it.
74 This can't wait until we have a 2.0-gold release, if folks need
75 to move over to auth_dbm, we can't do that to them after 2.0 gold.
76 Status: Ian says.. now that apr-util can handle multiple DBM types
77 we can probably deprecate it completly by adding a directive
78 'AuthDBMType' to mod_auth_dbm.
80 * Convert all instances of the old apr_lock_t type to the new
81 types (once they are fully supported in APR).
82 Status: Aaron is working on converting INTRAPROCESS
83 to apr_thread_mutex_t types. Full replacements for
84 LOCKALL and CROSS_PROCESS are not yet complete on all
85 platforms, and should only be used in MPMs like worker
86 with limited OS exposure.
88 * make_exports.awk doesn't handle declarations that span multiple
89 lines. Thus, stuff like ap_hook_error_log doesn't end up in
90 exports.c and httpd.exp. This can cause DSO modules which call
91 ap_hook_error_log (or other missing functions -- if there are
92 any) to segfault on AIX and can probably cause load or other
93 errors on some other platforms.
95 RELEASE NON-SHOWSTOPPERS BUT WOULD BE REAL NICE TO WRAP THESE UP:
97 * There is increasing demand from module writers for an API
98 that will allow them to control the server à la apachectl.
99 Reasons include sole-function servers that need to die if
100 an external dependency (e.g., a database) fails, et cetera.
101 Perhaps something in the (ever more abused) scoreboard?
103 * revamp the input filter behavior, per discussions since
104 February (and especially at the hackathon last
105 April). Specifically, ap_get_brigade will return a brigade with
106 *up to* a specific number of bytes, or a "line" of data. The
107 read may be blocking or nonblocking. ap_getline() will be
108 refactored into apr_brigade_getline(), and then DECHUNK can use
109 f->next (ap_getline will always read "top of input stack"). Also
110 fix the bug where request body content will end up closing the
111 connection (buggering up persistent conns).
112 Status: Justin is working on this as fast as he can.
113 The core input filters, HTTP-related filters, mod_ssl, and
114 mod_proxy are switched to the new logic.
115 However, ap_getline() still needs to be refactored out. But,
116 there's a problem there: ap_getline() peeks ahead for MIME
117 continuation (first character on line is space or \t) and
118 stores unused data in core_request_config which violates the
119 abstraction. That's cheating. So, we may not be able to
120 implement this without setting some data aside (yuck!).
121 I believe this is OtherBill's main complaint with the current
123 AIUI (correct me if I'm wrong!), OtherBill believes we
124 should have a pushback option so that we can return unread
125 data - this would solve this case. However, my question to
126 him is how do we handle stuff like mod_ssl - we can't "unread"
127 data. So, do we have two brigades for each filter? An in
128 brigade and a returned brigade? That seems messy. To
129 everyone else, can we refactor ap_getline() without pushback
132 - socket bucket and core input filter changes. see end of
133 message ID (Feb 27): <20010227075326.S2297@lyra.org>
135 - fix up ap_get_brigade() semantics, fix bug in DECHUNK /
136 ap_getline. many messages (plus their threads) (Apr/May):
137 Message-ID: <20010402101207.J27539@lyra.org>
138 Message-ID: <3AF7F921.D2EEC41A@algroup.co.uk>
139 Message-ID: <20010508190029.E18404@lyra.org>
141 - further work with combining/tweaking the builtin filters:
142 Message-ID: <20010509115445.D1374@lyra.org>
144 - thoughts on filter modes:
145 Message-ID: <021b01c14dee$09782af0$93c0b0d0@roweclan.net>
147 * Allow the DocumentRoot directive within <Location > scopes? This
148 allows the beloved (crusty) Alias /foo/ /somepath/foo/ followed
149 by a <Directory /somepath/foo> to become simply
150 <Location /foo/> DocumentRoot /somefile/foo (IMHO a bit more legible
151 and in-your-face.) DocumentRoot unset would be accepted [and would
152 not permit content to be served, only virtual resources such as
153 server-info or server-status.
154 This proposed change would _not_ depricate Alias.
156 * daedalus: mod_cgid and suexec have a problem co-existing. suexec
157 sees a null command string sometimes. The problem happens when
158 you access bugs.apache.org, then click on the "search the bug db"
161 * Win32: Rotatelogs sometimes is not terminated when Apache
162 goes down hard. FirstBill was looking at possibly tracking the
163 child's-child processes in the parent process.
164 OtherBill asks, wasn't this fixed?
166 * Win32: Add a simple hold console open patch (wait for close or
167 the ESC key, with a nice message) if the server died a bad
168 death (non-zero exit code) in console mode.
169 Resolution: bring forward same ugly hacks from 1.3.13-.20
171 * Port of mod_ssl to Apache 2.0:
173 The current porting state is summarized in modules/ssl/README. The
174 remaining work includes:
175 (1) stablizing/optimizing the SSL filter logic
176 (2) Enabling the various SSL caching mechanisms (shmcb, shmht)
177 (3) Enabling SSL extentions
178 (4) Trying to seperate the https filter logic from mod_ssl -
179 This is to facilitate other modules that wish to use the https
180 filter or the mod_ssl logic or both as required.
181 Justin: mod_ssl filter logic is redone, so that should be fine.
182 Madhu has submitted a patch for SSL caching - however, I
183 am -0 on that patch as I *think* we could implement the
184 shared memory another way that is much cleaner (i.e.
185 treat shmem directly as a dbm via APR routines). Justin
186 also thinks that the https filter logic may be sufficiently
187 decoupled now, but isn't really sure.
189 * Performance: Get the SINGLE_LISTEN_UNSERIALIZED_ACCEPT
190 optimization working in worker. prefork's new design for how
191 to notice data on the pod should be sufficient.
193 * Performance & Debug: Eliminate most (and perhaps all) of the
194 malloc/free calls in the bucket brigade code. Need some
195 light weight memory management functions that allow freeing
196 memory (putting it back into a memory pool) when it is no
197 longer needed. Enabling simple debugging features like guard
198 bands, double free detection, etc. would be cool but certainly
199 not a hard requirement.
201 Status: Cliff started to implement this using SMS as has
202 been discussed at length for months, but since
203 SMS is not being used anywhere else in the server,
204 several people expressed the opinion that we should
205 get rid of it entirely, meaning that the buckets
206 need their own memory management (free list) functions.
207 Cliff will implement that this weekend so we at least
208 have something to look at/compare with.
210 * Eliminate unnecessary creation of pipes in mod_cgid
212 * the autoconf setup should be fixed to default to using the
213 "Apache" layout from config.layout, and each variable settable
214 in a layout should be overridable on the command line. Plus,
215 what we do right now just doesn't seem to fully fit into how autoconf
216 works, eg. AC_PREFIX_DEFAULT issues.
217 Message-ID: <Pine.BSF.4.20.0104031557420.20876-100000@alive.znep.com>
219 * Combine log_child and piped_log_spawn. Clean up http_log.c.
222 * Document mod_file_cache.
224 * OS/2: Make mod_status work for spmt_os2 MPM.
226 * Platforms that do not support fork (primarily Win32 and AS/400)
227 Architect start-up code that avoids initializing all the modules
228 in the parent process on platforms that do not support fork.
230 * Win32: Migrate the MPM over to use APR thread/process calls. This
231 would eliminate some code in the Win32 branch that essentially
232 duplicates what is in APR.
234 * There are still a number of places in the code where we are
235 losing error status (i.e. throwing away the error returned by a
236 system call and replacing it with a generic error code)
238 * Mass vhosting version of suEXEC.
240 * All DBMs suffer from confusion in support/dbmmanage (perl script) since
241 the dbmmanage employs the first-matched dbm format. This is not
242 necessarily the library that Apache was built with. Aught to
243 rewrite dbmmanage upon installation to bin/ with the proper library
244 for predictable mod_auth_db/dbm administration.
245 Status: Mladen Turk has posted several patches and ideas.
246 Key question, part of htpasswd, or a seperate utility?
248 prefer seperate: OtherBill
250 * use apu_dbm in mod_auth_dbm
251 Status: Greg +1 (low-priority volunteer)
252 Justin says: "Seems like this is already there, so should we just
253 remove the other DBM code in that file? If you want
254 to use gdbm, or dbm, etc, you should tell apr-util."
255 Will says: "bs - I may choose the fastest - most efficient native
256 dbm implementation, for shared proc caches, ssl session
257 caching, etc, but that has nothing to do with maintaining
258 a userlist via dbm, which has to remain readable between
259 builds/machines, etc. The use-multiple database schema
260 for apr-util would let us do this with just apr, though."
263 Some additional items remaining:
264 - case_preserved_filename stuff
265 (use the new canonical name stuff?)
266 - find a new home for ap_text(_header)
267 - is it possible to remove the DAV: namespace stuff from util_xml?
269 * ap_core_translate() and its use by mod_mmap_static and mod_file_cache
270 are a bit wonky. The function should probably be exposed as a utility
271 function (such as ap_translate_url2fs() or ap_validate_fs_url() or
272 something). Another approach would be a new hook phase after
273 "translate" which would allow the module to munge what the
274 translation has decided to do.
275 Status: Greg +1 (volunteers), Ryan +1
277 * Explore use of a post-config hook for the code in http_main.c which
278 calls ap_fixup_virutal_hosts(), ap_fini_vhost_config(), and
279 ap_sort_hooks() [to reduce the logic in main()]
281 * read the config tree just once, and process N times (as necessary)
283 * (possibly) use UUIDs in mod_unique_id and/or mod_usertrack
285 * (possibly) port the bug fix for PR 6942 (segv when LoadModule is put
286 into a VirtualHost container) to 2.0.
288 * shift stuff to mod_core.h
290 * callers of ap_run_create_request() should check the return value
291 for failure (Doug volunteers)
293 * Win32: Get Apache working on Windows 95/98. The following work
294 (at least) needs to be done:
295 - winnt MPM: Fix 95/98 code paths in the winnt MPM. There is some NT
296 specific code that is still not in NT only code paths
297 - IOL binds to APR sendfile, implemented with TransmitFile, which
298 is not available on 95/98.
299 - Document warning that OSR2 is required (for Crypt functions, in
300 rand.c, at least.) This could be resolved with an SSL library, or
301 randomization in APR itself.
302 - Bring the Win9xConHook.dll from 1.3 into 2.0 (no sense till it
303 actually works) and add in a splash of Win9x service code.
305 * In order to use a DSO version of mod_ssl we have to link with
306 -lssl and -lcrypto. A workaround is in place right now where the
307 entire EXTRA_LIBS macro is being appended to the objects list, but
308 this is a hack. We should either revamp the APACHE_CHECK_SSL_TOOLKIT
309 autoconf function or come up with some other autoconf checks to
310 search for libssl and libcrypto and properly add them to mod_ssl's
313 * Make the worker MPM the default MPM for threaded Unix boxes.
314 +1: Justin, Jeff, Ian
315 -0: Aaron (premature decision, needs more discussion)
316 -0: Cliff (I think the default config should be the safest possible)
318 PRs that have been suspended forever waiting for someone to
319 put them into 'the next release':
322 missing call to "setlocale();"
326 Additional status for XBitHack directive
330 Mod_proxy doesn't allow change of error pages
334 Modified PATH environemnt variable is not passed, instead
339 Proxy doesn't deliver documents if not connected
343 proxy converts ~name to %7Ename when name starts with a dot (.)
347 mod_access syntax allows hosts that should be restricted
350 * PR#557: mod_auth-any
351 ~UserHome directories are not honored in absolute pathname
356 Proxy FTP Authentication Fails
359 * PR#623: mod_include
360 A smarter "Last Modified" value for SSI documents (see PR number 600)
364 Request of "Options SymLinksIfGroupMatch"
368 Proxy doesn't do links right for OpenVMS files through ftp:
372 imap should read <MAP><AREA>*</MAP> too!
376 RLimitCPU and RLimitMEM don't apply to all children like they should
380 Uses cwd before filling it in, doesn't use syslog
384 it is useful to allow specifiction that root-owned symlinks
385 should always be followed
389 Controlling Access to Remote Proxies would be nice...
393 Adding authentication "on the fly" through the proxy module
396 * PR#1004: apache-api
397 request_config field in request_rec is moderately bogus
401 DoS attacks involving memory consumption
404 * PR#1050: mod_log-any
405 Logging of virtual server to error_log as well
409 ProxyRemote make a dead cycle.
412 * PR#1117: mod_auth-any
413 Using NIS passwd.byname dbm files with AuthDBMUserFile
417 suexec does not parse arguments to #exec cmd
420 * PR#1145: mod_include
421 Allow for Last-Modified: without resorting to XBitHack
424 * PR#1158: apache-api
425 improvements to child spawning API
429 ``nph-'' not honored (no buffering) for ProxyRemote mapping
433 Apache cannot handle continuation line in headers
437 setlogin() is not called, causing problems with e.g. identd
441 regerror() exists, use it
444 * PR#1233: apache-api
445 there is no way to keep per-connection per-module state
448 * PR#1263: mod_autoexec
449 Add frame-safe anchor attribute to mod_autoindex links
453 CGI scripts running as Apache user: security (suexec etc.)
457 Error messages could be easier to spot in cgi.log file for suexec.c
460 * PR#1287: mod_access
461 add allow,deny/deny,allow warning to mod_access
465 Need to know "hit-rate" on proxy cache
468 * PR#1358: mod_log-any
469 Selective url-encode of log fields (or maybe a pseudo
473 * PR#1383: mod_headers
474 I make mod_headers to modify request headers as well as
479 Proxy transfer logging
483 No HTTP_X_FORWARDED_FOR set...
487 ProxyRemote proxy requests fail authentication by firewall
490 * PR#1582: mod_rewrite
491 mod_rewrite forms REQUEST_URI different than mod_cgi does
494 * PR#1677: mod_headers
495 mod_headers should allow mod_log_config-style formats in
500 mod_proxy to support persistent conns?
503 * PR#1803: mod_include
504 patches to mod_include to allow for file tests
507 * PR#1809: mod_auth-any
508 Suggestion for improving authentication modules and core source
509 code, problem with 401 and ErrorDocument
513 listing of proxy cache content
517 Allow modules to set user:group for execution.
520 * PR#2024: apache-api
521 adding auth_why to conn_rec
524 * PR#2073: mod_log-any
525 pipelined connections are not logged correctly
528 * PR#2074: mod_rewrite
529 mod_rewrite doesn't pass Proxy Throughput on internal subrequests
533 HTTP Server Rebuild Line Needs Changing for the better
536 * PR#2138: mod_status
537 mod_status always displays 256 possible connection slots
540 * PR#2221: documentation
541 Make online documentation search link back to my installation
545 Can not POST to ErrorDocument - Apache/1.3b6
549 patterns in ProxyRemote
552 * PR#2343: mod_status
553 Status module averages are for entire uptime
557 suexec for general access of user content?
561 Proposal for TimeZone directive
565 /server-info doesn't check for the virtual host to list the info
569 problem specifying ndbm library for build ?with autoconfigure
573 A small addition to rotatelogs.c to improve program functionality.
577 AllowOverride FileInfo is too coarse
581 TimeOut applies to output of CGI scripts
584 * PR#2512: mod_access
585 <IfDenied> directive wanted
589 CGI's for general use still have to be run as another user
594 Cache file names in Proxy module
598 [PATCH] User/Group for <Directory> and <Location> i.e. not only
599 in global and <Virtual>.
603 mailto tags and bundling bug report script
607 Support for System Resource Controller
611 When will Apache support P3P? Any Plans?
615 Feedback/Comment on APACI
619 Inclusion of RPM spec file in CVS/distributions
623 Propose that Apache recommend $UNIQUE_ID for all "session id"
628 suggestion: power up your Include directive :)
632 cannot limit some HTTP methods
635 * PR#3143: apache-api
636 No module specific data hook for per-connection data
639 * PR#3191: mod_negotiation
640 no way to set global quality-of-source (qs) coneg values
645 Accessing URL through proxy server corrupts data.
649 Some anonymous FTP URLs ask for authentication
653 New ErrorDocumentMatch directive
657 Need to be able to override shebang line to make CGI scripts
662 "Files" and "FilesMatch" regexp does not recognize bang as
666 * PR#4448: mod_log-any
667 Please allow CGI env variables (QUERY_STRING, ...) to be logged
671 * PR#4459: mod_include
672 Suggestion for better handling of Last-modified headers
676 mod_cgi prevents handling of OPTIONS requests
679 * PR#5713: os-windows
680 [PATCH] install as win32 service with domain account
684 AllowOverride should have a 'CheckNone' and 'AllowNone' argument
685 instead of only 'None'
688 Other bugs that need fixing:
690 * MaxRequestsPerChild measures connections, not requests.
691 Until someone has a better way, we'll probably just rename it
692 "MaxConnectionsPerChild".
694 * Regex containers don't work in an intutive way
695 Status: No one has come up with an efficient way to fix this
696 behavior. Dean has suggested getting rid of regex containers
699 * SIGSEGV on Linux (glibc 2.1.2) isn't caught properly by a
700 sigwaiting thread. We need to work around this, perhaps unless
701 there is hope soon for a fixed glibc.
703 * orig_ct in the byterange/multipart handling may not be
704 needed. Apache 1.3 just never stashed "multipart" into
705 r->content_type. We should probably follow suit since the
706 byterange stuff doesn't want the rest of the code to see the
707 multipart content-type; the other code should still think it is
708 dealing with the <orig_ct> stuff.
709 Status: Greg volunteers to investigate (esp. since he was most
710 likely the one to break it :-)
712 Other features that need writing:
714 * Finish infrastructure in core for async MPMs
717 * TODO in source -- just do an egrep on "TODO" and see what's there
721 * Jon Travis's <jtravis@covalent.net> patch to deal with thread-safe
722 issues with inet_ntoa. See message <20001201163220.A12827@covalent.net>
723 Status: This is being set aside until the IPv6 work is finished
724 so that we know exactly what is required.
726 * Martin Sojka <msojka@gmx.de>'s patch to add error reporting for failed
727 htpasswd actions due to a full /tmp volume (other programs may have
732 * Mike Abbott's <mja@trudge.engr.sgi.com> patches to improve
734 Status: These were written for 1.3, and are awaiting a port to
737 * Jim Winstead's <jimw@trainedmonkey.com> patch to add CookieDomain and
738 other small mod_usertrack features
740 * Dan Rench's <drench@xnet.com> patch to add allow the errmsg and timefmt
741 of SSI's to be modified in the config file. Patch is available in
746 * Which MPMs will be included with Apache 2.0?