APACHE 2.0 STATUS: -*-text-*-
Last modified at [$Date: 2001/12/08 01:38:04 $]

2.0.30 : In development
2.0.29 : tagged November 27, 2001
2.0.28 : released November 13, 2001
2.0.27 : rolled November 6, 2001
2.0.26 : tagged October 16, 2001. not rolled.
2.0.25 : rolled August 29, 2001
2.0.24 : rolled August 18, 2001
2.0.23 : rolled August 9, 2001
2.0.22 : rolled July 29, 2001
2.0.21 : rolled July 20, 2001
2.0.20 : rolled July 8, 2001
2.0.19 : rolled June 27, 2001
2.0.18 : rolled May 18, 2001
2.0.17 : rolled April 17, 2001
2.0.16 : rolled April 4, 2001
2.0.15 : rolled March 21, 2001
2.0.14 : rolled March 7, 2001
2.0a9 : released December 12, 2000
2.0a8 : released November 20, 2000
2.0a7 : released October 8, 2000
2.0a6 : released August 18, 2000
2.0a5 : released August 4, 2000
2.0a4 : released June 7, 2000
2.0a3 : released April 28, 2000
2.0a2 : released March 31, 2000
2.0a1 : released March 10, 2000

Please consult the following STATUS files for information

* srclib/apr-util/STATUS

* If any request gets to the core handler, without a flag that this
  r->filename was tested by dir/file_walk, we need to 500 at the very
  end of the ap_process_request_internal() processing. This provides
  authors of older modules better compatibility, while still improving
  the security and robustness of 2.0.
    Status: still need to decide where this goes, OtherBill comments...
      Message-ID: <065701c14526$495203b0$96c0b0d0@roweclan.net>
      we need to look at halting this in the 'default handler' case,
      and that implies pushing the 'handler election' into the request
      internal processing phase from the run request phase.

* There is a bug in how we sort some hooks, at least the pre-config
  hook. The first time we call the hooks, they are in the correct
  order, but the second time, we don't sort them correctly. Currently,
  the modules/http/config.m4 file has been renamed to
  modules/http/config2.m4 to work around this problem; it should be
  moved back when this is fixed. rbb

* The Add...Filter and Set...Filter directives do not allow the
  administrator to order filters, beyond the order of filename (mime)
  extensions. It isn't clear if Set...Filter(s) should be inserted
  before or after the Add...Filter(s) which are ordered by sequence of
  filename extensions. At minimum, some sort of +-[0-10] syntax seems
  like the quickest fix for a 2.0 gold release.

* mod_negotiation needs a new option or directive, something like
  ForceLanguagePriority, to fall back to the LanguagePriority
  directive instead of returning a "no acceptable variant" error.
    Status: Bill has some code in his tree that accomplishes
      this, and will commit it Friday after it's tested.

* Fold mod_auth_db features back into mod_auth_dbm, and deprecate it.
  This can't wait until we have a 2.0-gold release, if folks need
  to move over to auth_dbm, we can't do that to them after 2.0 gold.
    Status: Ian says.. now that apr-util can handle multiple DBM types
      we can probably deprecate it completely by adding a directive
      'AuthDBMType' to mod_auth_dbm.

* Convert all instances of the old apr_lock_t type to the new
  types (once they are fully supported in APR).
    Status: Aaron is working on converting INTRAPROCESS
      to apr_thread_mutex_t types. Full replacements for
      LOCKALL and CROSS_PROCESS are not yet complete on all
      platforms, and should only be used in MPMs like worker
      with limited OS exposure.

* make_exports.awk doesn't handle declarations that span multiple
  lines. Thus, stuff like ap_hook_error_log doesn't end up in
  exports.c and httpd.exp. This can cause DSO modules which call
  ap_hook_error_log (or other missing functions -- if there are
  any) to segfault on AIX and can probably cause load or other
  errors on some other platforms.

RELEASE NON-SHOWSTOPPERS BUT WOULD BE REAL NICE TO WRAP THESE UP:

* There is increasing demand from module writers for an API
  that will allow them to control the server à la apachectl.
  Reasons include sole-function servers that need to die if
  an external dependency (e.g., a database) fails, et cetera.
  Perhaps something in the (ever more abused) scoreboard?
    rbb: I don't believe the scoreboard is the correct mechanism
      for this. We already have a pipe that goes between parent
      and child for graceful shutdown events, along with an API that
      can be used to send a message down that pipe. In threaded MPMs,
      it is easy enough to make that one pipe be used for graceful
      and graceless events, and it is also easy to open that pipe
      to both parent and child for writing. Then we just need to figure
      out how to do graceless on non-threaded MPMs.

* revamp the input filter behavior, per discussions since
  February (and especially at the hackathon last
  April). Specifically, ap_get_brigade will return a brigade with
  *up to* a specific number of bytes, or a "line" of data. The
  read may be blocking or nonblocking. ap_getline() will be
  refactored into apr_brigade_getline(), and then DECHUNK can use
  f->next (ap_getline will always read "top of input stack"). Also
  fix the bug where request body content will end up closing the
  connection (buggering up persistent conns).
    Status: Justin is working on this as fast as he can.
      The core input filters, HTTP-related filters, mod_ssl, and
      mod_proxy are switched to the new logic.
      However, ap_getline() still needs to be refactored out. But,
      there's a problem there: ap_getline() peeks ahead for MIME
      continuation (first character on line is space or \t) and
      stores unused data in core_request_config which violates the
      abstraction. That's cheating. So, we may not be able to
      implement this without setting some data aside (yuck!).
      I believe this is OtherBill's main complaint with the current
      AIUI (correct me if I'm wrong!), OtherBill believes we
      should have a pushback option so that we can return unread
      data - this would solve this case. However, my question to
      him is how do we handle stuff like mod_ssl - we can't "unread"
      data. So, do we have two brigades for each filter? An in
      brigade and a returned brigade? That seems messy. To
      everyone else, can we refactor ap_getline() without pushback

    - socket bucket and core input filter changes. see end of
      message ID (Feb 27): <20010227075326.S2297@lyra.org>

    - fix up ap_get_brigade() semantics, fix bug in DECHUNK /
      ap_getline. many messages (plus their threads) (Apr/May):
      Message-ID: <20010402101207.J27539@lyra.org>
      Message-ID: <3AF7F921.D2EEC41A@algroup.co.uk>
      Message-ID: <20010508190029.E18404@lyra.org>

    - further work with combining/tweaking the builtin filters:
      Message-ID: <20010509115445.D1374@lyra.org>

    - thoughts on filter modes:
      Message-ID: <021b01c14dee$09782af0$93c0b0d0@roweclan.net>

* Allow the DocumentRoot directive within <Location > scopes? This
  allows the beloved (crusty) Alias /foo/ /somepath/foo/ followed
  by a <Directory /somepath/foo> to become simply
  <Location /foo/> DocumentRoot /somefile/foo (IMHO a bit more legible
  and in-your-face.) DocumentRoot unset would be accepted [and would
  not permit content to be served, only virtual resources such as
  server-info or server-status.]
  This proposed change would _not_ deprecate Alias.

* daedalus: mod_cgid and suexec have a problem co-existing. suexec
  sees a null command string sometimes. The problem happens when
  you access bugs.apache.org, then click on the "search the bug db"

* Win32: Rotatelogs sometimes is not terminated when Apache
  goes down hard. FirstBill was looking at possibly tracking the
  child's-child processes in the parent process.
    OtherBill asks, wasn't this fixed?

* Win32: Add a simple hold console open patch (wait for close or
  the ESC key, with a nice message) if the server died a bad
  death (non-zero exit code) in console mode.
    Resolution: bring forward same ugly hacks from 1.3.13-.20

* Port of mod_ssl to Apache 2.0:

  The current porting state is summarized in modules/ssl/README. The
  remaining work includes:
    (1) stabilizing/optimizing the SSL filter logic
    (2) Enabling the various SSL caching mechanisms (shmcb, shmht)
    (3) Enabling SSL extensions
    (4) Trying to separate the https filter logic from mod_ssl -
        This is to facilitate other modules that wish to use the https
        filter or the mod_ssl logic or both as required.
    Justin: mod_ssl filter logic is redone, so that should be fine.
      Madhu has submitted a patch for SSL caching - however, I
      am -0 on that patch as I *think* we could implement the
      shared memory another way that is much cleaner (i.e.
      treat shmem directly as a dbm via APR routines). Justin
      also thinks that the https filter logic may be sufficiently
      decoupled now, but isn't really sure.

* Performance: Get the SINGLE_LISTEN_UNSERIALIZED_ACCEPT
  optimization working in worker. prefork's new design for how
  to notice data on the pod should be sufficient.

* Performance & Debug: Eliminate most (and perhaps all) of the
  malloc/free calls in the bucket brigade code. Need some
  light weight memory management functions that allow freeing
  memory (putting it back into a memory pool) when it is no
  longer needed. Enabling simple debugging features like guard
  bands, double free detection, etc. would be cool but certainly
  not a hard requirement.

    Status: Cliff started to implement this using SMS as has
      been discussed at length for months, but since
      SMS is not being used anywhere else in the server,
      several people expressed the opinion that we should
      get rid of it entirely, meaning that the buckets
      need their own memory management (free list) functions.
      Cliff will implement that this weekend so we at least
      have something to look at/compare with.

* Eliminate unnecessary creation of pipes in mod_cgid

* the autoconf setup should be fixed to default to using the
  "Apache" layout from config.layout, and each variable settable
  in a layout should be overridable on the command line. Plus,
  what we do right now just doesn't seem to fully fit into how autoconf
  works, eg. AC_PREFIX_DEFAULT issues.
    Message-ID: <Pine.BSF.4.20.0104031557420.20876-100000@alive.znep.com>

* Combine log_child and piped_log_spawn. Clean up http_log.c.

* Document mod_file_cache.

* OS/2: Make mod_status work for spmt_os2 MPM.

* Platforms that do not support fork (primarily Win32 and AS/400)
  Architect start-up code that avoids initializing all the modules
  in the parent process on platforms that do not support fork.

* Win32: Migrate the MPM over to use APR thread/process calls. This
  would eliminate some code in the Win32 branch that essentially
  duplicates what is in APR.

* There are still a number of places in the code where we are
  losing error status (i.e. throwing away the error returned by a
  system call and replacing it with a generic error code)

* Mass vhosting version of suEXEC.

* All DBMs suffer from confusion in support/dbmmanage (perl script) since
  the dbmmanage employs the first-matched dbm format. This is not
  necessarily the library that Apache was built with. Ought to
  rewrite dbmmanage upon installation to bin/ with the proper library
  for predictable mod_auth_db/dbm administration.
    Status: Mladen Turk has posted several patches and ideas.
      Key question, part of htpasswd, or a separate utility?

      prefer separate: OtherBill

* use apu_dbm in mod_auth_dbm
    Status: Greg +1 (low-priority volunteer)
    Justin says: "Seems like this is already there, so should we just
      remove the other DBM code in that file? If you want
      to use gdbm, or dbm, etc, you should tell apr-util."
    Will says: "bs - I may choose the fastest - most efficient native
      dbm implementation, for shared proc caches, ssl session
      caching, etc, but that has nothing to do with maintaining
      a userlist via dbm, which has to remain readable between
      builds/machines, etc. The use-multiple database schema
      for apr-util would let us do this with just apr, though."

Some additional items remaining:
  - case_preserved_filename stuff
    (use the new canonical name stuff?)
  - find a new home for ap_text(_header)
  - is it possible to remove the DAV: namespace stuff from util_xml?

* ap_core_translate() and its use by mod_mmap_static and mod_file_cache
  are a bit wonky. The function should probably be exposed as a utility
  function (such as ap_translate_url2fs() or ap_validate_fs_url() or
  something). Another approach would be a new hook phase after
  "translate" which would allow the module to munge what the
  translation has decided to do.
    Status: Greg +1 (volunteers), Ryan +1

* Explore use of a post-config hook for the code in http_main.c which
  calls ap_fixup_virtual_hosts(), ap_fini_vhost_config(), and
  ap_sort_hooks() [to reduce the logic in main()]

* read the config tree just once, and process N times (as necessary)

* (possibly) use UUIDs in mod_unique_id and/or mod_usertrack

* (possibly) port the bug fix for PR 6942 (segv when LoadModule is put
  into a VirtualHost container) to 2.0.

* shift stuff to mod_core.h

* callers of ap_run_create_request() should check the return value
  for failure (Doug volunteers)

* Win32: Get Apache working on Windows 95/98. The following work
  (at least) needs to be done:
  - winnt MPM: Fix 95/98 code paths in the winnt MPM. There is some NT
    specific code that is still not in NT only code paths
  - IOL binds to APR sendfile, implemented with TransmitFile, which
    is not available on 95/98.
  - Document warning that OSR2 is required (for Crypt functions, in
    rand.c, at least.) This could be resolved with an SSL library, or
    randomization in APR itself.
  - Bring the Win9xConHook.dll from 1.3 into 2.0 (no sense till it
    actually works) and add in a splash of Win9x service code.

* In order to use a DSO version of mod_ssl we have to link with
  -lssl and -lcrypto. A workaround is in place right now where the
  entire EXTRA_LIBS macro is being appended to the objects list, but
  this is a hack. We should either revamp the APACHE_CHECK_SSL_TOOLKIT
  autoconf function or come up with some other autoconf checks to
  search for libssl and libcrypto and properly add them to mod_ssl's

* Make the worker MPM the default MPM for threaded Unix boxes.
    +1: Justin, Jeff, Ian
    -0: Aaron (premature decision, needs more discussion)
    -0: Cliff (I think the default config should be the safest possible)

PRs that have been suspended forever waiting for someone to
put them into 'the next release':

  missing call to "setlocale();"

  Additional status for XBitHack directive

  Mod_proxy doesn't allow change of error pages

  Modified PATH environment variable is not passed, instead

  Proxy doesn't deliver documents if not connected

  proxy converts ~name to %7Ename when name starts with a dot (.)

  mod_access syntax allows hosts that should be restricted

* PR#557: mod_auth-any
  ~UserHome directories are not honored in absolute pathname

  Proxy FTP Authentication Fails

* PR#623: mod_include
  A smarter "Last Modified" value for SSI documents (see PR number 600)

  Request of "Options SymLinksIfGroupMatch"

  Proxy doesn't do links right for OpenVMS files through ftp:

  imap should read <MAP><AREA>*</MAP> too!

  RLimitCPU and RLimitMEM don't apply to all children like they should

  Uses cwd before filling it in, doesn't use syslog

  it is useful to allow specification that root-owned symlinks
  should always be followed

  Controlling Access to Remote Proxies would be nice...

  Adding authentication "on the fly" through the proxy module

* PR#1004: apache-api
  request_config field in request_rec is moderately bogus

  DoS attacks involving memory consumption

* PR#1050: mod_log-any
  Logging of virtual server to error_log as well

  ProxyRemote make a dead cycle.

* PR#1117: mod_auth-any
  Using NIS passwd.byname dbm files with AuthDBMUserFile

  suexec does not parse arguments to #exec cmd

* PR#1145: mod_include
  Allow for Last-Modified: without resorting to XBitHack

* PR#1158: apache-api
  improvements to child spawning API

  ``nph-'' not honored (no buffering) for ProxyRemote mapping

  Apache cannot handle continuation line in headers

  setlogin() is not called, causing problems with e.g. identd

  regerror() exists, use it

* PR#1233: apache-api
  there is no way to keep per-connection per-module state

* PR#1263: mod_autoexec
  Add frame-safe anchor attribute to mod_autoindex links

  CGI scripts running as Apache user: security (suexec etc.)

  Error messages could be easier to spot in cgi.log file for suexec.c

* PR#1287: mod_access
  add allow,deny/deny,allow warning to mod_access

  Need to know "hit-rate" on proxy cache

* PR#1358: mod_log-any
  Selective url-encode of log fields (or maybe a pseudo

* PR#1383: mod_headers
  I make mod_headers to modify request headers as well as

  Proxy transfer logging

  No HTTP_X_FORWARDED_FOR set...

  ProxyRemote proxy requests fail authentication by firewall

* PR#1582: mod_rewrite
  mod_rewrite forms REQUEST_URI different than mod_cgi does

* PR#1677: mod_headers
  mod_headers should allow mod_log_config-style formats in

  mod_proxy to support persistent conns?

* PR#1803: mod_include
  patches to mod_include to allow for file tests

* PR#1809: mod_auth-any
  Suggestion for improving authentication modules and core source
  code, problem with 401 and ErrorDocument

  listing of proxy cache content

  Allow modules to set user:group for execution.

* PR#2024: apache-api
  adding auth_why to conn_rec

* PR#2073: mod_log-any
  pipelined connections are not logged correctly

* PR#2074: mod_rewrite
  mod_rewrite doesn't pass Proxy Throughput on internal subrequests

  HTTP Server Rebuild Line Needs Changing for the better

* PR#2138: mod_status
  mod_status always displays 256 possible connection slots

* PR#2221: documentation
  Make online documentation search link back to my installation

  Can not POST to ErrorDocument - Apache/1.3b6

  patterns in ProxyRemote

* PR#2343: mod_status
  Status module averages are for entire uptime

  suexec for general access of user content?

  Proposal for TimeZone directive

  /server-info doesn't check for the virtual host to list the info

  problem specifying ndbm library for build ?with autoconfigure

  A small addition to rotatelogs.c to improve program functionality.

  AllowOverride FileInfo is too coarse

  TimeOut applies to output of CGI scripts

* PR#2512: mod_access
  <IfDenied> directive wanted

  CGI's for general use still have to be run as another user

  Cache file names in Proxy module

  [PATCH] User/Group for <Directory> and <Location> i.e. not only
  in global and <Virtual>.

  mailto tags and bundling bug report script

  Support for System Resource Controller

  When will Apache support P3P? Any Plans?

  Feedback/Comment on APACI

  Inclusion of RPM spec file in CVS/distributions

  Propose that Apache recommend $UNIQUE_ID for all "session id"

  suggestion: power up your Include directive :)

  cannot limit some HTTP methods

* PR#3143: apache-api
  No module specific data hook for per-connection data

* PR#3191: mod_negotiation
  no way to set global quality-of-source (qs) coneg values

  Accessing URL through proxy server corrupts data.

  Some anonymous FTP URLs ask for authentication

  New ErrorDocumentMatch directive

  Need to be able to override shebang line to make CGI scripts

  "Files" and "FilesMatch" regexp does not recognize bang as

* PR#4448: mod_log-any
  Please allow CGI env variables (QUERY_STRING, ...) to be logged

* PR#4459: mod_include
  Suggestion for better handling of Last-modified headers

  mod_cgi prevents handling of OPTIONS requests

* PR#5713: os-windows
  [PATCH] install as win32 service with domain account

  AllowOverride should have a 'CheckNone' and 'AllowNone' argument
  instead of only 'None'

Other bugs that need fixing:

* MaxRequestsPerChild measures connections, not requests.
  Until someone has a better way, we'll probably just rename it
  "MaxConnectionsPerChild".

* Regex containers don't work in an intuitive way
    Status: No one has come up with an efficient way to fix this
      behavior. Dean has suggested getting rid of regex containers

* SIGSEGV on Linux (glibc 2.1.2) isn't caught properly by a
  sigwaiting thread. We need to work around this, perhaps unless
  there is hope soon for a fixed glibc.

* orig_ct in the byterange/multipart handling may not be
  needed. Apache 1.3 just never stashed "multipart" into
  r->content_type. We should probably follow suit since the
  byterange stuff doesn't want the rest of the code to see the
  multipart content-type; the other code should still think it is
  dealing with the <orig_ct> stuff.
    Status: Greg volunteers to investigate (esp. since he was most
      likely the one to break it :-)

Other features that need writing:

* Finish infrastructure in core for async MPMs

* TODO in source -- just do an egrep on "TODO" and see what's there

* Jon Travis's <jtravis@covalent.net> patch to deal with thread-safe
  issues with inet_ntoa. See message <20001201163220.A12827@covalent.net>
    Status: This is being set aside until the IPv6 work is finished
      so that we know exactly what is required.

* Martin Sojka <msojka@gmx.de>'s patch to add error reporting for failed
  htpasswd actions due to a full /tmp volume (other programs may have

* Mike Abbott's <mja@trudge.engr.sgi.com> patches to improve
    Status: These were written for 1.3, and are awaiting a port to

* Jim Winstead's <jimw@trainedmonkey.com> patch to add CookieDomain and
  other small mod_usertrack features

* Dan Rench's <drench@xnet.com> patch to allow the errmsg and timefmt
  of SSI's to be modified in the config file. Patch is available in

* Which MPMs will be included with Apache 2.0?