1 APACHE 2.0 STATUS: -*-text-*-
2 Last modified at [$Date: 2001/12/24 13:24:30 $]
6 2.0.30 : In development
7 2.0.29 : tagged November 27, 2001
8 2.0.28 : released November 13, 2001
9 2.0.27 : rolled November 6, 2001
10 2.0.26 : tagged October 16, 2001. not rolled.
11 2.0.25 : rolled August 29, 2001
12 2.0.24 : rolled August 18, 2001
13 2.0.23 : rolled August 9, 2001
14 2.0.22 : rolled July 29, 2001
15 2.0.21 : rolled July 20, 2001
16 2.0.20 : rolled July 8, 2001
17 2.0.19 : rolled June 27, 2001
18 2.0.18 : rolled May 18, 2001
19 2.0.17 : rolled April 17, 2001
20 2.0.16 : rolled April 4, 2001
21 2.0.15 : rolled March 21, 2001
22 2.0.14 : rolled March 7, 2001
23 2.0a9 : released December 12, 2000
24 2.0a8 : released November 20, 2000
25 2.0a7 : released October 8, 2000
26 2.0a6 : released August 18, 2000
27 2.0a5 : released August 4, 2000
28 2.0a4 : released June 7, 2000
29 2.0a3 : released April 28, 2000
30 2.0a2 : released March 31, 2000
31 2.0a1 : released March 10, 2000
33 Please consult the following STATUS files for information
37 * srclib/apr-util/STATUS
42 * Test suite failures:
43 o perchild doesn't even build
44 o all MPMs fail the LimitRequestBody directive test
45 o both worker and prefork are failing some of the 'chunked' subtests
46 o worker is also failing some of the 'cgi' subtests
47 (see <URL:http://Source-Zone.Org/Apache/regression/>):
49 * If any request gets to the core handler, without a flag that this
50 r->filename was tested by dir/file_walk, we need to 500 at the very
51 end of the ap_process_request_internal() processing. This provides
52 authors of older modules better compatibility, while still improving
53 the security and robustness of 2.0.
54 Status: still need to decide where this goes, OtherBill comments...
55 Message-ID: <065701c14526$495203b0$96c0b0d0@roweclan.net>
56 we need to look at halting this in the 'default handler' case,
57 and that implies pushing the 'handler election' into the request
58 internal processing phase from the run request phase.
60 * There is a bug in how we sort some hooks, at least the pre-config
61 hook. The first time we call the hooks, they are in the correct
62 order, but the second time, we don't sort them correctly. Currently,
63 the modules/http/config.m4 file has been renamed to
64 modules/http/config2.m4 to work around this problem, it should moved
65 back when this is fixed. rbb
67 * The Add...Filter and Set...Filter directives do not allow the
68 administrator to order filters, beyond the order of filename (mime)
69 extensions. It isn't clear if Set...Filter(s) should be inserted
70 before or after the Add...Filter(s) which are ordered by sequence of
71 filename extensions. At minimum, some sort of +-[0-10] syntax seems
72 like the quickest fix for a 2.0 gold release.
74 * mod_negotiation needs a new option or directive, something like
75 ForceLanguagePriority, to fall back to the LanguagePriority
76 directive instead of returning a "no acceptable variant" error.
77 Status: Bill has some code in his tree that accomplishes
78 this, and will commit it Friday after it's tested.
80 * Fold mod_auth_db features back into mod_auth_dbm, and depricate it.
81 This can't wait until we have a 2.0-gold release, if folks need
82 to move over to auth_dbm, we can't do that to them after 2.0 gold.
83 Status: Ian says.. now that apr-util can handle multiple DBM types
84 we can probably deprecate it completly by adding a directive
85 'AuthDBMType' to mod_auth_dbm.
87 * Convert all instances of the old apr_lock_t type to the new
88 types (once they are fully supported in APR).
89 Status: Aaron is working on converting INTRAPROCESS
90 to apr_thread_mutex_t types. Full replacements for
91 LOCKALL and CROSS_PROCESS are not yet complete on all
92 platforms, and should only be used in MPMs like worker
93 with limited OS exposure.
95 * ap_create_scoreboard() can exit the process, leaving stuff like
96 mod_cgid's daemon process stranded. Either ap_create_scoreboard()
97 needs to be called at a different time or the pre-mpm hook needs
98 to be able to return an error code.
100 RELEASE NON-SHOWSTOPPERS BUT WOULD BE REAL NICE TO WRAP THESE UP:
102 * Handling of %2f in URIs. Currently both 1.3 and 2.0
103 completely disallow %2f in the request URI path (see
104 ap_unescape_url() in util.c). It's permitted and passed
105 through in the query string, however. Roy says the
106 original reason for disallowing it, from five years ago,
107 was to protect CGI scripts that applied PATH_INFO to
108 a filesystem location and which might be tricked by
109 ..%2f..%2f(...). We *should* allow path-info of the
110 form 'http://foo.com/index.cgi/path/to/path%2finfo'.
111 Since we've revamped a lot of our processing of path
112 segments, it would be nice to allow this, or at least
113 allow it conditionally with a directive.
115 * FreeBSD, threads, and worker MPM. All seems to work fine
116 if you only have one worker process with many threads. Add
117 a second worker process and the accept lock seems to be
118 lost. This might be an APR issue with how it deals with
119 the child_init hook (i.e. the fcntl lock needs to be resynced).
120 More examination and analysis is required.
122 * There is increasing demand from module writers for an API
123 that will allow them to control the server à la apachectl.
124 Reasons include sole-function servers that need to die if
125 an external dependency (e.g., a database) fails, et cetera.
126 Perhaps something in the (ever more abused) scoreboard?
127 rbb: I don't believe the scoreboard is the correct mechanism
128 for this. We already have a pipe that goes between parent
129 and child for graceful shutdown events, along with an API that
130 can be used to send a message down that pipe. In threaded MPMs,
131 it is easy enough to make that one pipe be used for graceful
132 and graceless events, and it is also easy to open that pipe
133 to both parent and child for writing. Then we just need to figure
134 out how to do graceless on non-threaded MPMs.
136 * revamp the input filter behavior, per discussions since
137 February (and especially at the hackathon last
138 April). Specifically, ap_get_brigade will return a brigade with
139 *up to* a specific number of bytes, or a "line" of data. The
140 read may be blocking or nonblocking. ap_getline() will be
141 refactored into apr_brigade_getline(), and then DECHUNK can use
142 f->next (ap_getline will always read "top of input stack"). Also
143 fix the bug where request body content will end up closing the
144 connection (buggering up persistent conns).
145 Status: Justin is working on this as fast as he can.
146 The core input filters, HTTP-related filters, mod_ssl, and
147 mod_proxy are switched to the new logic.
148 However, ap_getline() still needs to be refactored out. But,
149 there's a problem there: ap_getline() peeks ahead for MIME
150 continuation (first character on line is space or \t) and
151 stores unused data in core_request_config which violates the
152 abstraction. That's cheating. So, we may not be able to
153 implement this without setting some data aside (yuck!).
154 I believe this is OtherBill's main complaint with the current
156 AIUI (correct me if I'm wrong!), OtherBill believes we
157 should have a pushback option so that we can return unread
158 data - this would solve this case. However, my question to
159 him is how do we handle stuff like mod_ssl - we can't "unread"
160 data. So, do we have two brigades for each filter? An in
161 brigade and a returned brigade? That seems messy. To
162 everyone else, can we refactor ap_getline() without pushback
165 - socket bucket and core input filter changes. see end of
166 message ID (Feb 27): <20010227075326.S2297@lyra.org>
168 - fix up ap_get_brigade() semantics, fix bug in DECHUNK /
169 ap_getline. many messages (plus their threads) (Apr/May):
170 Message-ID: <20010402101207.J27539@lyra.org>
171 Message-ID: <3AF7F921.D2EEC41A@algroup.co.uk>
172 Message-ID: <20010508190029.E18404@lyra.org>
174 - further work with combining/tweaking the builtin filters:
175 Message-ID: <20010509115445.D1374@lyra.org>
177 - thoughts on filter modes:
178 Message-ID: <021b01c14dee$09782af0$93c0b0d0@roweclan.net>
180 * Allow the DocumentRoot directive within <Location > scopes? This
181 allows the beloved (crusty) Alias /foo/ /somepath/foo/ followed
182 by a <Directory /somepath/foo> to become simply
183 <Location /foo/> DocumentRoot /somefile/foo (IMHO a bit more legible
184 and in-your-face.) DocumentRoot unset would be accepted [and would
185 not permit content to be served, only virtual resources such as
186 server-info or server-status.
187 This proposed change would _not_ depricate Alias.
189 * daedalus: mod_cgid and suexec have a problem co-existing. suexec
190 sees a null command string sometimes. The problem happens when
191 you access bugs.apache.org, then click on the "search the bug db"
194 * Win32: Rotatelogs sometimes is not terminated when Apache
195 goes down hard. FirstBill was looking at possibly tracking the
196 child's-child processes in the parent process.
197 OtherBill asks, wasn't this fixed?
199 * Win32: Add a simple hold console open patch (wait for close or
200 the ESC key, with a nice message) if the server died a bad
201 death (non-zero exit code) in console mode.
202 Resolution: bring forward same ugly hacks from 1.3.13-.20
204 * Port of mod_ssl to Apache 2.0:
206 The current porting state is summarized in modules/ssl/README. The
207 remaining work includes:
208 (1) stablizing/optimizing the SSL filter logic
209 (2) Enabling the various SSL caching mechanisms (shmcb, shmht)
210 (3) Enabling SSL extentions
211 (4) Trying to seperate the https filter logic from mod_ssl -
212 This is to facilitate other modules that wish to use the https
213 filter or the mod_ssl logic or both as required.
214 Justin: mod_ssl filter logic is redone, so that should be fine.
215 Madhu has submitted a patch for SSL caching - however, I
216 am -0 on that patch as I *think* we could implement the
217 shared memory another way that is much cleaner (i.e.
218 treat shmem directly as a dbm via APR routines). Justin
219 also thinks that the https filter logic may be sufficiently
220 decoupled now, but isn't really sure.
222 * Performance: Get the SINGLE_LISTEN_UNSERIALIZED_ACCEPT
223 optimization working in worker. prefork's new design for how
224 to notice data on the pod should be sufficient.
226 * Performance & Debug: Eliminate most (and perhaps all) of the
227 malloc/free calls in the bucket brigade code. Need some
228 light weight memory management functions that allow freeing
229 memory (putting it back into a memory pool) when it is no
230 longer needed. Enabling simple debugging features like guard
231 bands, double free detection, etc. would be cool but certainly
232 not a hard requirement.
234 Status: Cliff started to implement this using SMS as has
235 been discussed at length for months, but since
236 SMS is not being used anywhere else in the server,
237 several people expressed the opinion that we should
238 get rid of it entirely, meaning that the buckets
239 need their own memory management (free list) functions.
240 Cliff will implement that this weekend so we at least
241 have something to look at/compare with.
243 * Eliminate unnecessary creation of pipes in mod_cgid
245 * the autoconf setup should be fixed to default to using the
246 "Apache" layout from config.layout, and each variable settable
247 in a layout should be overridable on the command line. Plus,
248 what we do right now just doesn't seem to fully fit into how autoconf
249 works, eg. AC_PREFIX_DEFAULT issues.
250 Message-ID: <Pine.BSF.4.20.0104031557420.20876-100000@alive.znep.com>
252 * Combine log_child and piped_log_spawn. Clean up http_log.c.
255 * Document mod_file_cache.
257 * OS/2: Make mod_status work for spmt_os2 MPM.
259 * Platforms that do not support fork (primarily Win32 and AS/400)
260 Architect start-up code that avoids initializing all the modules
261 in the parent process on platforms that do not support fork.
263 * Win32: Migrate the MPM over to use APR thread/process calls. This
264 would eliminate some code in the Win32 branch that essentially
265 duplicates what is in APR.
267 * There are still a number of places in the code where we are
268 losing error status (i.e. throwing away the error returned by a
269 system call and replacing it with a generic error code)
271 * Mass vhosting version of suEXEC.
273 * All DBMs suffer from confusion in support/dbmmanage (perl script) since
274 the dbmmanage employs the first-matched dbm format. This is not
275 necessarily the library that Apache was built with. Aught to
276 rewrite dbmmanage upon installation to bin/ with the proper library
277 for predictable mod_auth_db/dbm administration.
278 Status: Mladen Turk has posted several patches and ideas.
279 Key question, part of htpasswd, or a seperate utility?
281 prefer seperate: OtherBill
283 * use apu_dbm in mod_auth_dbm
284 Status: Greg +1 (low-priority volunteer)
285 Justin says: "Seems like this is already there, so should we just
286 remove the other DBM code in that file? If you want
287 to use gdbm, or dbm, etc, you should tell apr-util."
288 Will says: "bs - I may choose the fastest - most efficient native
289 dbm implementation, for shared proc caches, ssl session
290 caching, etc, but that has nothing to do with maintaining
291 a userlist via dbm, which has to remain readable between
292 builds/machines, etc. The use-multiple database schema
293 for apr-util would let us do this with just apr, though."
296 Some additional items remaining:
297 - case_preserved_filename stuff
298 (use the new canonical name stuff?)
299 - find a new home for ap_text(_header)
300 - is it possible to remove the DAV: namespace stuff from util_xml?
302 * ap_core_translate() and its use by mod_mmap_static and mod_file_cache
303 are a bit wonky. The function should probably be exposed as a utility
304 function (such as ap_translate_url2fs() or ap_validate_fs_url() or
305 something). Another approach would be a new hook phase after
306 "translate" which would allow the module to munge what the
307 translation has decided to do.
308 Status: Greg +1 (volunteers), Ryan +1
310 * Explore use of a post-config hook for the code in http_main.c which
311 calls ap_fixup_virutal_hosts(), ap_fini_vhost_config(), and
312 ap_sort_hooks() [to reduce the logic in main()]
314 * read the config tree just once, and process N times (as necessary)
316 * (possibly) use UUIDs in mod_unique_id and/or mod_usertrack
318 * (possibly) port the bug fix for PR 6942 (segv when LoadModule is put
319 into a VirtualHost container) to 2.0.
321 * shift stuff to mod_core.h
323 * callers of ap_run_create_request() should check the return value
324 for failure (Doug volunteers)
326 * Win32: Get Apache working on Windows 95/98. The following work
327 (at least) needs to be done:
328 - winnt MPM: Fix 95/98 code paths in the winnt MPM. There is some NT
329 specific code that is still not in NT only code paths
330 - IOL binds to APR sendfile, implemented with TransmitFile, which
331 is not available on 95/98.
332 - Document warning that OSR2 is required (for Crypt functions, in
333 rand.c, at least.) This could be resolved with an SSL library, or
334 randomization in APR itself.
335 - Bring the Win9xConHook.dll from 1.3 into 2.0 (no sense till it
336 actually works) and add in a splash of Win9x service code.
338 * In order to use a DSO version of mod_ssl we have to link with
339 -lssl and -lcrypto. A workaround is in place right now where the
340 entire EXTRA_LIBS macro is being appended to the objects list, but
341 this is a hack. We should either revamp the APACHE_CHECK_SSL_TOOLKIT
342 autoconf function or come up with some other autoconf checks to
343 search for libssl and libcrypto and properly add them to mod_ssl's
346 * Make the worker MPM the default MPM for threaded Unix boxes.
347 +1: Justin, Jeff, Ian
348 -0: Aaron (premature decision, needs more discussion)
349 -0: Cliff (I think the default config should be the safest possible)
351 PRs that have been suspended forever waiting for someone to
352 put them into 'the next release':
355 missing call to "setlocale();"
359 Additional status for XBitHack directive
363 Mod_proxy doesn't allow change of error pages
367 Modified PATH environemnt variable is not passed, instead
372 Proxy doesn't deliver documents if not connected
376 proxy converts ~name to %7Ename when name starts with a dot (.)
380 mod_access syntax allows hosts that should be restricted
383 * PR#557: mod_auth-any
384 ~UserHome directories are not honored in absolute pathname
389 Proxy FTP Authentication Fails
392 * PR#623: mod_include
393 A smarter "Last Modified" value for SSI documents (see PR number 600)
397 Request of "Options SymLinksIfGroupMatch"
401 Proxy doesn't do links right for OpenVMS files through ftp:
405 imap should read <MAP><AREA>*</MAP> too!
409 RLimitCPU and RLimitMEM don't apply to all children like they should
413 Uses cwd before filling it in, doesn't use syslog
417 it is useful to allow specifiction that root-owned symlinks
418 should always be followed
422 Controlling Access to Remote Proxies would be nice...
426 Adding authentication "on the fly" through the proxy module
429 * PR#1004: apache-api
430 request_config field in request_rec is moderately bogus
434 DoS attacks involving memory consumption
437 * PR#1050: mod_log-any
438 Logging of virtual server to error_log as well
442 ProxyRemote make a dead cycle.
445 * PR#1117: mod_auth-any
446 Using NIS passwd.byname dbm files with AuthDBMUserFile
450 suexec does not parse arguments to #exec cmd
453 * PR#1145: mod_include
454 Allow for Last-Modified: without resorting to XBitHack
457 * PR#1158: apache-api
458 improvements to child spawning API
462 ``nph-'' not honored (no buffering) for ProxyRemote mapping
466 Apache cannot handle continuation line in headers
470 setlogin() is not called, causing problems with e.g. identd
474 regerror() exists, use it
477 * PR#1233: apache-api
478 there is no way to keep per-connection per-module state
481 * PR#1263: mod_autoexec
482 Add frame-safe anchor attribute to mod_autoindex links
486 CGI scripts running as Apache user: security (suexec etc.)
490 Error messages could be easier to spot in cgi.log file for suexec.c
493 * PR#1287: mod_access
494 add allow,deny/deny,allow warning to mod_access
498 Need to know "hit-rate" on proxy cache
501 * PR#1358: mod_log-any
502 Selective url-encode of log fields (or maybe a pseudo
506 * PR#1383: mod_headers
507 I make mod_headers to modify request headers as well as
512 Proxy transfer logging
516 No HTTP_X_FORWARDED_FOR set...
520 ProxyRemote proxy requests fail authentication by firewall
523 * PR#1582: mod_rewrite
524 mod_rewrite forms REQUEST_URI different than mod_cgi does
527 * PR#1677: mod_headers
528 mod_headers should allow mod_log_config-style formats in
533 mod_proxy to support persistent conns?
536 * PR#1803: mod_include
537 patches to mod_include to allow for file tests
540 * PR#1809: mod_auth-any
541 Suggestion for improving authentication modules and core source
542 code, problem with 401 and ErrorDocument
546 listing of proxy cache content
550 Allow modules to set user:group for execution.
553 * PR#2024: apache-api
554 adding auth_why to conn_rec
557 * PR#2073: mod_log-any
558 pipelined connections are not logged correctly
561 * PR#2074: mod_rewrite
562 mod_rewrite doesn't pass Proxy Throughput on internal subrequests
566 HTTP Server Rebuild Line Needs Changing for the better
569 * PR#2138: mod_status
570 mod_status always displays 256 possible connection slots
573 * PR#2221: documentation
574 Make online documentation search link back to my installation
578 Can not POST to ErrorDocument - Apache/1.3b6
582 patterns in ProxyRemote
585 * PR#2343: mod_status
586 Status module averages are for entire uptime
590 suexec for general access of user content?
594 Proposal for TimeZone directive
598 /server-info doesn't check for the virtual host to list the info
602 problem specifying ndbm library for build ?with autoconfigure
606 A small addition to rotatelogs.c to improve program functionality.
610 AllowOverride FileInfo is too coarse
614 TimeOut applies to output of CGI scripts
617 * PR#2512: mod_access
618 <IfDenied> directive wanted
622 CGI's for general use still have to be run as another user
627 Cache file names in Proxy module
631 [PATCH] User/Group for <Directory> and <Location> i.e. not only
632 in global and <Virtual>.
636 mailto tags and bundling bug report script
640 Support for System Resource Controller
644 When will Apache support P3P? Any Plans?
648 Feedback/Comment on APACI
652 Inclusion of RPM spec file in CVS/distributions
656 Propose that Apache recommend $UNIQUE_ID for all "session id"
661 suggestion: power up your Include directive :)
665 cannot limit some HTTP methods
668 * PR#3143: apache-api
669 No module specific data hook for per-connection data
672 * PR#3191: mod_negotiation
673 no way to set global quality-of-source (qs) coneg values
678 Accessing URL through proxy server corrupts data.
682 Some anonymous FTP URLs ask for authentication
686 New ErrorDocumentMatch directive
690 Need to be able to override shebang line to make CGI scripts
695 "Files" and "FilesMatch" regexp does not recognize bang as
699 * PR#4448: mod_log-any
700 Please allow CGI env variables (QUERY_STRING, ...) to be logged
704 * PR#4459: mod_include
705 Suggestion for better handling of Last-modified headers
709 mod_cgi prevents handling of OPTIONS requests
712 * PR#5713: os-windows
713 [PATCH] install as win32 service with domain account
717 AllowOverride should have a 'CheckNone' and 'AllowNone' argument
718 instead of only 'None'
721 Other bugs that need fixing:
723 * MaxRequestsPerChild measures connections, not requests.
724 Until someone has a better way, we'll probably just rename it
725 "MaxConnectionsPerChild".
727 * Regex containers don't work in an intutive way
728 Status: No one has come up with an efficient way to fix this
729 behavior. Dean has suggested getting rid of regex containers
732 * SIGSEGV on Linux (glibc 2.1.2) isn't caught properly by a
733 sigwaiting thread. We need to work around this, perhaps unless
734 there is hope soon for a fixed glibc.
736 * orig_ct in the byterange/multipart handling may not be
737 needed. Apache 1.3 just never stashed "multipart" into
738 r->content_type. We should probably follow suit since the
739 byterange stuff doesn't want the rest of the code to see the
740 multipart content-type; the other code should still think it is
741 dealing with the <orig_ct> stuff.
742 Status: Greg volunteers to investigate (esp. since he was most
743 likely the one to break it :-)
745 Other features that need writing:
747 * Finish infrastructure in core for async MPMs
750 * TODO in source -- just do an egrep on "TODO" and see what's there
754 * Jon Travis's <jtravis@covalent.net> patch to deal with thread-safe
755 issues with inet_ntoa. See message <20001201163220.A12827@covalent.net>
756 Status: This is being set aside until the IPv6 work is finished
757 so that we know exactly what is required.
759 * Martin Sojka <msojka@gmx.de>'s patch to add error reporting for failed
760 htpasswd actions due to a full /tmp volume (other programs may have
765 * Mike Abbott's <mja@trudge.engr.sgi.com> patches to improve
767 Status: These were written for 1.3, and are awaiting a port to
770 * Jim Winstead's <jimw@trainedmonkey.com> patch to add CookieDomain and
771 other small mod_usertrack features
773 * Dan Rench's <drench@xnet.com> patch to add allow the errmsg and timefmt
774 of SSI's to be modified in the config file. Patch is available in
779 * Which MPMs will be included with Apache 2.0?
projects / apache / blob