1 APACHE 2.0 STATUS: -*-text-*-
2 Last modified at [$Date: 2002/03/22 15:22:24 $]
6 2.0.34 : in development
7 2.0.33 : tagged March 6, 2002.
8 2.0.32 : released Feburary 16, 2002.
9 2.0.31 : rolled Feburary 1, 2002. not released.
10 2.0.30 : tagged January 8, 2002. not rolled.
11 2.0.29 : tagged November 27, 2001. not rolled.
12 2.0.28 : released November 13, 2001
13 2.0.27 : rolled November 6, 2001
14 2.0.26 : tagged October 16, 2001. not rolled.
15 2.0.25 : rolled August 29, 2001
16 2.0.24 : rolled August 18, 2001
17 2.0.23 : rolled August 9, 2001
18 2.0.22 : rolled July 29, 2001
19 2.0.21 : rolled July 20, 2001
20 2.0.20 : rolled July 8, 2001
21 2.0.19 : rolled June 27, 2001
22 2.0.18 : rolled May 18, 2001
23 2.0.17 : rolled April 17, 2001
24 2.0.16 : rolled April 4, 2001
25 2.0.15 : rolled March 21, 2001
26 2.0.14 : rolled March 7, 2001
27 2.0a9 : released December 12, 2000
28 2.0a8 : released November 20, 2000
29 2.0a7 : released October 8, 2000
30 2.0a6 : released August 18, 2000
31 2.0a5 : released August 4, 2000
32 2.0a4 : released June 7, 2000
33 2.0a3 : released April 28, 2000
34 2.0a2 : released March 31, 2000
35 2.0a1 : released March 10, 2000
37 Please consult the following STATUS files for information
41 * srclib/apr-util/STATUS
45 CURRENT RELEASE NOTES:
47 * 34 status: Let's get all API changes and showstoppers in this one.
50 FINAL RELEASE SHOWSTOPPERS:
52 * If any request gets to the core handler, without a flag that this
53 r->filename was tested by dir/file_walk, we need to 500 at the very
54 end of the ap_process_request_internal() processing. This provides
55 authors of older modules better compatibility, while still improving
56 the security and robustness of 2.0.
57 Status: still need to decide where this goes, OtherBill comments...
58 Message-ID: <065701c14526$495203b0$96c0b0d0@roweclan.net>
59 we need to look at halting this in the 'default handler' case,
60 and that implies pushing the 'handler election' into the request
61 internal processing phase from the run request phase.
62 Jim asks: would a stopgap be something bogus like adding another
63 flag to request_rec ala eos_sent and before we OK, if not set
65 Jeff says: reviewing the original message and the one
66 follow-up (also from OtherBill) it looks like OtherBill had a
67 good handle on the problem, though I wonder why not just put a
68 simple check in default_handler to see if dir/file_walk has
69 been done (a footprint left by dir/file_walk doesn't have to
70 be in request_rec; a better place is core_request_config)
72 gregames says: can this happen somehow without a broken module
73 being involved? If not, why waste cycles trying to defend against
74 potential broken modules? It seems futile. Please vote.
75 not a showstopper: gregames
78 * API changes planned for 2.0 that should happen before the
80 * Free lists for bucket allocation
82 * We do not properly substitute the prefix-variables in the configuration
83 scripts or generated-configs. (i.e. if sysconfdir is etc,
84 httpd-std.conf points to conf.)
85 Aaron says: This is not a showstopper, these problems have existed
86 for as long as I can remember. It would be nice to fix
87 them but they are not new.
88 Not a showstopper: Jeff, Aaron, BillS
92 * Should we always build binaries statically unless otherwise
94 Message-ID: <20020129210006.B23512@Lithium.MeepZor.Com>
99 * If the parent process dies, should the remaining child processes
100 "gracefully" self-terminate. Or maybe we should make it a runtime
101 option, or have a concept of 2 parent processes (one being a
103 See: Message-ID: <3C58232C.FE91F19F@Golux.Com>
105 Self-destruct: Ken, Martin
106 Not self-destruct: BrianP, Ian, Cliff, BillS
107 Make it runtime configurable: Aaron, Jim, Justin
108 Have 2 parents: +1: Jim
110 +0: Martin (while standing by, could it do
113 * Make the worker MPM the default MPM for threaded Unix boxes.
114 +1: Justin, Ian, Cliff
115 -0: Aaron (premature decision, needs more discussion), Lars
117 RELEASE NON-SHOWSTOPPERS BUT WOULD BE REAL NICE TO WRAP THESE UP:
119 * Rewrite core_output_filter. It is nearly impossible to support
120 it with predictable results as it is implemented now.
122 * Convert all instances of the old apr_lock_t type to the new
124 Status: Aaron has converted all but the perchild MPM to
125 use the new lock API. Since perchild has been put
126 on the back burner, this is no longer a showstopper.
127 Aaron will patch perchild as soon as it becomes
130 * With AP_MODE_EXHAUSTIVE in the core, it is finally clear to me
131 how the Perchild MPM should be re-written. It hasn't worked
132 correctly since filters were added because it wasn't possible to
133 get the content that had already been written and the socket at
134 the same time. This mode lets us do that, so the MPM can be
137 * htpasswd blindly processes the file you give it, and does no
138 sanity checking before totally corrupting whatever file it was
139 you thought you had. It should check the input file and bail
140 if it finds non-comment lines that do not contain exactly 1
142 Message-ID: <20020217150457.A31632@clove.org>
144 * Can a static httpd be built reliably?
145 Message-ID: <20020207142751.T31582@clove.org>
147 * [Ken] Test suite failures:
148 o worker is also failing some of the 'cgi' subtests
149 (see <URL:http://Source-Zone.Org/Apache/regression/>):
150 Justin says: "Worker should be fine and passes httpd-test here.
151 If you can provide evidence that it can be reproduced
152 outside of httpd-test, then it's a showstopper. I
153 think it's a perl or a httpd-test problem."
154 Not a showstopper: Justin
156 * Usage of APR_BRIGADE_NORMALIZE in core_input_filter should be
158 Message-ID: <Pine.LNX.4.33.0201202232430.318-100000@deepthought.cs.virginia.edu>
160 * There is a bug in how we sort some hooks, at least the pre-config
161 hook. The first time we call the hooks, they are in the correct
162 order, but the second time, we don't sort them correctly. Currently,
163 the modules/http/config.m4 file has been renamed to
164 modules/http/config2.m4 to work around this problem, it should moved
165 back when this is fixed. rbb
166 Justin says: "Is this really a showstopper? This has been here
167 forever. What's wrong? Does this have to do with
169 Not a showstopper: Justin, BrianP, trawick, gregames
171 * The Add...Filter and Set...Filter directives do not allow the
172 administrator to order filters, beyond the order of filename (mime)
173 extensions. It isn't clear if Set...Filter(s) should be inserted
174 before or after the Add...Filter(s) which are ordered by sequence of
175 filename extensions. At minimum, some sort of +-[0-10] syntax seems
176 like the quickest fix for a 2.0 gold release.
177 Justin says: "Could we delay this for a point release or 2.1?"
178 Not a showstopper: justin, wrowe, trawick, stoddard, Jim, Ian, Aaron,
181 * Get perchild to work on platforms other than Linux. This
182 will require a portable mechanism to pass data and file/socket
183 descriptors between vhost child groups. An API was proposed
185 Message-ID: <20020111115006.K1529@clove.org>
187 * CGI single-byte reads
188 BrianP suggests that this is caused by the ap_scan_script_header_err()
189 routine, which will do single-byte reads until it finds the end
190 of the header, at which point it constructs a pipe-bucket (buffered)
192 Proposed solution in:
193 Message-ID: <3C36ADAF.60601@cnet.com>
195 * Try to get libtool inter-library dependency code working on AIX.
196 Message-ID: <cm3n10lx555.fsf@rdu163-40-092.nc.rr.com>
198 Justin says: If we get it working on AIX, we can enable this
199 on all platforms and clean up our build system
201 Jeff says: I thought I tested a patch for you sometime in
202 January that you were going to commit within a few
205 * Handling of %2f in URIs. Currently both 1.3 and 2.0
206 completely disallow %2f in the request URI path (see
207 ap_unescape_url() in util.c). It's permitted and passed
208 through in the query string, however. Roy says the
209 original reason for disallowing it, from five years ago,
210 was to protect CGI scripts that applied PATH_INFO to
211 a filesystem location and which might be tricked by
212 ..%2f..%2f(...). We *should* allow path-info of the
213 form 'http://foo.com/index.cgi/path/to/path%2finfo'.
214 Since we've revamped a lot of our processing of path
215 segments, it would be nice to allow this, or at least
216 allow it conditionally with a directive.
218 * FreeBSD, threads, and worker MPM. All seems to work fine
219 if you only have one worker process with many threads. Add
220 a second worker process and the accept lock seems to be
221 lost. This might be an APR issue with how it deals with
222 the child_init hook (i.e. the fcntl lock needs to be resynced).
223 More examination and analysis is required.
224 Status: This has also been reported on Cygwin.
225 Message-ID: <3C2CC514.8EF3BED1@wapme-systems.de> (cygnus)
227 Justin says: So, FreeBSD-CURRENT and Cywin have the same
228 problem. Yum. If another platform has this
229 with worker, this becomes a showstopper.
230 Aaron says: I spent some time disecting this and have come to
231 the conclusion that it is not a problem in the worker MPM
232 (or at least, it is not isolated to a problem in worker).
233 I'll list some of the problems I'm seeing in case someone
234 else wants to pick up where I've left off:
235 - Delivery of just about any signal to one of the child
236 processes will send it into an infinite loop as well.
237 - Even though the parent is spinning out of control,
238 at first the child or children will appear to work
239 properly. At times it is possible to get it into a state,
240 however, where a request will hang until another concurrent
241 request "kicks" the first, at which point the second will
242 hang. My theory is that this has to do with the
243 pthread_cond_*() implementation in FreeBSD, but it's still
244 possible that it is in APR.
246 Justin adds: Oh, FreeBSD threads are implemented entirely with
247 select()/poll()/longjmp(). Welcome to the nightmare.
248 So, that means a ktrace output also has the thread
249 scheduling internals in it (since it is all the same to
250 the kernel). Which makes it hard to distinguish between
251 our select() calls and their select() calls.
252 *bangs head on wall repeatedly* But, some of the libc_r
253 files have a DBG_MSG #define. This is moderately helpful
254 when used with -DNO_DETACH. The kernel scheduler isn't
255 waking up the threads on a select(). Yum. And, I bet
256 those decrementing select calls have to do with the
257 scheduler. Time to brush up on our OS fundamentals.
259 * There is increasing demand from module writers for an API
260 that will allow them to control the server à la apachectl.
261 Reasons include sole-function servers that need to die if
262 an external dependency (e.g., a database) fails, et cetera.
263 Perhaps something in the (ever more abused) scoreboard?
264 rbb: I don't believe the scoreboard is the correct mechanism
265 for this. We already have a pipe that goes between parent
266 and child for graceful shutdown events, along with an API that
267 can be used to send a message down that pipe. In threaded MPMs,
268 it is easy enough to make that one pipe be used for graceful
269 and graceless events, and it is also easy to open that pipe
270 to both parent and child for writing. Then we just need to
271 figure out how to do graceless on non-threaded MPMs.
273 * Allow the DocumentRoot directive within <Location > scopes? This
274 allows the beloved (crusty) Alias /foo/ /somepath/foo/ followed
275 by a <Directory /somepath/foo> to become simply
276 <Location /foo/> DocumentRoot /somefile/foo (IMHO a bit more legible
277 and in-your-face.) DocumentRoot unset would be accepted [and would
278 not permit content to be served, only virtual resources such as
279 server-info or server-status.
280 This proposed change would _not_ depricate Alias.
282 * Win32: Rotatelogs sometimes is not terminated when Apache
283 goes down hard. FirstBill was looking at possibly tracking the
284 child's-child processes in the parent process.
285 OtherBill asks, wasn't this fixed?
286 stoddard: Not fixed. Shared scoreboard might offer a good
287 way for the parent to keep track of 'other child' processes
288 and whack them if the child goes down.
290 * Win32: Add a simple hold console open patch (wait for close or
291 the ESC key, with a nice message) if the server died a bad
292 death (non-zero exit code) in console mode.
293 Resolution: bring forward same ugly hacks from 1.3.13-.20
295 * Port of mod_ssl to Apache 2.0:
297 The current porting state is summarized in modules/ssl/README. The
298 remaining work includes:
299 (1) stablizing/optimizing the SSL filter logic
300 (2) Enabling SSL extentions
301 (3) Trying to seperate the https filter logic from mod_ssl -
302 This is to facilitate other modules that wish to use the https
303 filter or the mod_ssl logic or both as required.
305 * Performance & Debug: Eliminate most (and perhaps all) of the
306 malloc/free calls in the bucket brigade code. Need some
307 light weight memory management functions that allow freeing
308 memory (putting it back into a memory pool) when it is no
309 longer needed. Enabling simple debugging features like guard
310 bands, double free detection, etc. would be cool but certainly
311 not a hard requirement.
313 Status: Cliff started to implement this using SMS as has
314 been discussed at length for months, but since
315 SMS is not being used anywhere else in the server,
316 several people expressed the opinion that we should
317 get rid of it entirely, meaning that the buckets
318 need their own memory management (free list) functions.
319 Cliff will implement that this weekend so we at least
320 have something to look at/compare with.
322 * Eliminate unnecessary creation of pipes in mod_cgid
324 * Combine log_child and piped_log_spawn. Clean up http_log.c.
327 * Document mod_file_cache.
329 * Platforms that do not support fork (primarily Win32 and AS/400)
330 Architect start-up code that avoids initializing all the modules
331 in the parent process on platforms that do not support fork.
333 * Win32: Migrate the MPM over to use APR thread/process calls. This
334 would eliminate some code in the Win32 branch that essentially
335 duplicates what is in APR.
337 * There are still a number of places in the code where we are
338 losing error status (i.e. throwing away the error returned by a
339 system call and replacing it with a generic error code)
341 * Mass vhosting version of suEXEC.
343 * All DBMs suffer from confusion in support/dbmmanage (perl script) since
344 the dbmmanage employs the first-matched dbm format. This is not
345 necessarily the library that Apache was built with. Aught to
346 rewrite dbmmanage upon installation to bin/ with the proper library
347 for predictable mod_auth_dbm administration.
348 Questions; htdbm exists, time to kill dbmmanage, or does it remain
349 useful as a perl dbm management example? If we keep it,
350 do we address the issue above?
353 Some additional items remaining:
354 - case_preserved_filename stuff
355 (use the new canonical name stuff?)
356 - find a new home for ap_text(_header)
357 - is it possible to remove the DAV: namespace stuff from util_xml?
359 * ap_core_translate() and its use by mod_mmap_static and mod_file_cache
360 are a bit wonky. The function should probably be exposed as a utility
361 function (such as ap_translate_url2fs() or ap_validate_fs_url() or
362 something). Another approach would be a new hook phase after
363 "translate" which would allow the module to munge what the
364 translation has decided to do.
365 Status: Greg +1 (volunteers), Ryan +1
367 * Explore use of a post-config hook for the code in http_main.c which
368 calls ap_fixup_virutal_hosts(), ap_fini_vhost_config(), and
369 ap_sort_hooks() [to reduce the logic in main()]
371 * read the config tree just once, and process N times (as necessary)
373 * (possibly) use UUIDs in mod_unique_id and/or mod_usertrack
375 * (possibly) port the bug fix for PR 6942 (segv when LoadModule is put
376 into a VirtualHost container) to 2.0.
378 * shift stuff to mod_core.h
380 * callers of ap_run_create_request() should check the return value
381 for failure (Doug volunteers)
383 * Win32: Get Apache working on Windows 95/98. The following work
384 (at least) needs to be done:
385 - Document warning that OSR2 is required (for Crypt functions, in
386 rand.c, at least.) This could be resolved with an SSL library, or
387 randomization in APR itself.
388 - Bring the Win9xConHook.dll from 1.3 into 2.0 (no sense till it
389 actually works) and add in a splash of Win9x service code.
391 * In order to use a DSO version of mod_ssl we have to link with
392 -lssl and -lcrypto. A workaround is in place right now where the
393 entire EXTRA_LIBS macro is being appended to the objects list, but
394 this is a hack. We should either revamp the APACHE_CHECK_SSL_TOOLKIT
395 autoconf function or come up with some other autoconf checks to
396 search for libssl and libcrypto and properly add them to mod_ssl's
399 * Fix the worker MPM to use POD to kill child processes instead
400 of ap_os_killpg, regardless of how they should die. (Ryan Bloom)
402 * mod_cache: handle cache_control: no_cache "field_name" to enable
403 cacheing the response w/o header "field_name"
404 See RFC2616 section 14.9.1
406 * Scoreboard structures could be changed in the future such that
407 proper alignment is not maintained, leading to segfaults on
408 some systems. Cliff posted a patch to deal with this issue but
409 later recanted. See this message to dev@apr.apache.org:
410 Message-ID: <Pine.LNX.4.44.0203011354090.16457-200000@deepthought
413 PRs that have been suspended forever waiting for someone to
414 put them into 'the next release':
417 missing call to "setlocale();"
421 Additional status for XBitHack directive
425 Mod_proxy doesn't allow change of error pages
429 Modified PATH environemnt variable is not passed, instead
434 Proxy doesn't deliver documents if not connected
438 proxy converts ~name to %7Ename when name starts with a dot (.)
442 mod_access syntax allows hosts that should be restricted
445 * PR#557: mod_auth-any
446 ~UserHome directories are not honored in absolute pathname
451 Proxy FTP Authentication Fails
454 * PR#623: mod_include
455 A smarter "Last Modified" value for SSI documents (see PR number 600)
459 Request of "Options SymLinksIfGroupMatch"
463 Proxy doesn't do links right for OpenVMS files through ftp:
467 imap should read <MAP><AREA>*</MAP> too!
471 RLimitCPU and RLimitMEM don't apply to all children like they should
475 Uses cwd before filling it in, doesn't use syslog
479 it is useful to allow specifiction that root-owned symlinks
480 should always be followed
484 Controlling Access to Remote Proxies would be nice...
488 Adding authentication "on the fly" through the proxy module
491 * PR#1004: apache-api
492 request_config field in request_rec is moderately bogus
496 DoS attacks involving memory consumption
499 * PR#1050: mod_log-any
500 Logging of virtual server to error_log as well
504 ProxyRemote make a dead cycle.
507 * PR#1117: mod_auth-any
508 Using NIS passwd.byname dbm files with AuthDBMUserFile
512 suexec does not parse arguments to #exec cmd
515 * PR#1145: mod_include
516 Allow for Last-Modified: without resorting to XBitHack
519 * PR#1158: apache-api
520 improvements to child spawning API
524 ``nph-'' not honored (no buffering) for ProxyRemote mapping
528 Apache cannot handle continuation line in headers
532 setlogin() is not called, causing problems with e.g. identd
536 regerror() exists, use it
539 * PR#1233: apache-api
540 there is no way to keep per-connection per-module state
543 * PR#1263: mod_autoexec
544 Add frame-safe anchor attribute to mod_autoindex links
548 CGI scripts running as Apache user: security (suexec etc.)
552 Error messages could be easier to spot in cgi.log file for suexec.c
555 * PR#1287: mod_access
556 add allow,deny/deny,allow warning to mod_access
560 Need to know "hit-rate" on proxy cache
563 * PR#1358: mod_log-any
564 Selective url-encode of log fields (or maybe a pseudo
568 * PR#1383: mod_headers
569 I make mod_headers to modify request headers as well as
574 Proxy transfer logging
578 No HTTP_X_FORWARDED_FOR set...
582 ProxyRemote proxy requests fail authentication by firewall
585 * PR#1582: mod_rewrite
586 mod_rewrite forms REQUEST_URI different than mod_cgi does
589 * PR#1677: mod_headers
590 mod_headers should allow mod_log_config-style formats in
595 mod_proxy to support persistent conns?
598 * PR#1803: mod_include
599 patches to mod_include to allow for file tests
602 * PR#1809: mod_auth-any
603 Suggestion for improving authentication modules and core source
604 code, problem with 401 and ErrorDocument
608 listing of proxy cache content
612 Allow modules to set user:group for execution.
615 * PR#2024: apache-api
616 adding auth_why to conn_rec
619 * PR#2073: mod_log-any
620 pipelined connections are not logged correctly
623 * PR#2074: mod_rewrite
624 mod_rewrite doesn't pass Proxy Throughput on internal subrequests
628 HTTP Server Rebuild Line Needs Changing for the better
631 * PR#2138: mod_status
632 mod_status always displays 256 possible connection slots
635 * PR#2221: documentation
636 Make online documentation search link back to my installation
640 Can not POST to ErrorDocument - Apache/1.3b6
644 patterns in ProxyRemote
647 * PR#2343: mod_status
648 Status module averages are for entire uptime
652 suexec for general access of user content?
656 Proposal for TimeZone directive
660 /server-info doesn't check for the virtual host to list the info
664 problem specifying ndbm library for build ?with autoconfigure
668 A small addition to rotatelogs.c to improve program functionality.
672 AllowOverride FileInfo is too coarse
676 TimeOut applies to output of CGI scripts
679 * PR#2512: mod_access
680 <IfDenied> directive wanted
684 CGI's for general use still have to be run as another user
689 Cache file names in Proxy module
693 [PATCH] User/Group for <Directory> and <Location> i.e. not only
694 in global and <Virtual>.
698 mailto tags and bundling bug report script
702 Support for System Resource Controller
706 When will Apache support P3P? Any Plans?
710 Feedback/Comment on APACI
714 Inclusion of RPM spec file in CVS/distributions
718 Propose that Apache recommend $UNIQUE_ID for all "session id"
723 suggestion: power up your Include directive :)
727 cannot limit some HTTP methods
730 * PR#3143: apache-api
731 No module specific data hook for per-connection data
734 * PR#3191: mod_negotiation
735 no way to set global quality-of-source (qs) coneg values
740 Accessing URL through proxy server corrupts data.
744 Some anonymous FTP URLs ask for authentication
748 New ErrorDocumentMatch directive
752 Need to be able to override shebang line to make CGI scripts
757 "Files" and "FilesMatch" regexp does not recognize bang as
761 * PR#4448: mod_log-any
762 Please allow CGI env variables (QUERY_STRING, ...) to be logged
766 * PR#4459: mod_include
767 Suggestion for better handling of Last-modified headers
771 mod_cgi prevents handling of OPTIONS requests
774 * PR#5713: os-windows
775 [PATCH] install as win32 service with domain account
776 Status: Cannot accept password-as-arg, we should prompt the
777 user when -k install/-k config with a user argument.
780 AllowOverride should have a 'CheckNone' and 'AllowNone' argument
781 instead of only 'None'
784 Other bugs that need fixing:
786 * MaxRequestsPerChild measures connections, not requests.
787 Until someone has a better way, we'll probably just rename it
788 "MaxConnectionsPerChild".
790 * Regex containers don't work in an intutive way
791 Status: No one has come up with an efficient way to fix this
792 behavior. Dean has suggested getting rid of regex containers
794 OtherBill suggests: We at least seem to agree on eliminating
795 the <Container ~ foo> forms, and using only
796 <ContainerMatch foo> semantics.
798 * SIGSEGV on Linux (glibc 2.1.2) isn't caught properly by a
799 sigwaiting thread. We need to work around this, perhaps unless
800 there is hope soon for a fixed glibc.
802 * orig_ct in the byterange/multipart handling may not be
803 needed. Apache 1.3 just never stashed "multipart" into
804 r->content_type. We should probably follow suit since the
805 byterange stuff doesn't want the rest of the code to see the
806 multipart content-type; the other code should still think it is
807 dealing with the <orig_ct> stuff.
808 Status: Greg volunteers to investigate (esp. since he was most
809 likely the one to break it :-)
811 Other features that need writing:
813 * Finish infrastructure in core for async MPMs
816 * TODO in source -- just do an egrep on "TODO" and see what's there
820 * Jon Travis's <jtravis@covalent.net> patch to deal with thread-safe
821 issues with inet_ntoa. See message <20001201163220.A12827@covalent.net>
822 Status: This is being set aside until the IPv6 work is finished
823 so that we know exactly what is required.
825 * Martin Sojka <msojka@gmx.de>'s patch to add error reporting for failed
826 htpasswd actions due to a full /tmp volume (other programs may have
831 * Mike Abbott's <mja@trudge.engr.sgi.com> patches to improve
833 Status: These were written for 1.3, and are awaiting a port to
836 * Jim Winstead's <jimw@trainedmonkey.com> patch to add CookieDomain and
837 other small mod_usertrack features
839 * Dan Rench's <drench@xnet.com> patch to add allow the errmsg and timefmt
840 of SSI's to be modified in the config file. Patch is available in
845 * Which MPMs will be included with Apache 2.0?