Apache Week
   
   Issue 33, 20th September 1996:  

Copyright ©2020 Red Hat, Inc


Apache Status

Release: 1.1.1
Beta: None
Bugs reported in 1.1.1:

  • Core dump in directory module on Solaris in empty directory
  • Permission checking when running sub-program does not check user's other groups
  • If Apache fails to fork children at startup it immediately tries again, pushing up the load
  • ErrorLog | does not work
  • Domain names on allow and deny lines are case-sensitive
  • Report of CGIs occasionally failing with 'premature end of script headers'
  • .cgi extension is mapped to CGI magic type in mime.types, which should only happen if .cgi is to be treated as a CGI extension in the document tree (and should really be handled by AddHandler).

The following items are under development and may be included in the next release of Apache. See our Apache 1.2 Sneak Preview for other new features in the next release.

Blocking User Agents

The 'deny from' directive can be used to block particular user agents. This could be used to stop robots which are continually requesting resources, based on the 'user agent' text they send.

Configuration guesses OS

The configuration process now guesses the type of operating system, so this does not need to be configured manually. The only things that need configuring before compilation are the choice of modules and any additional options needed (e.g. dbm libraries).

Error Messages Available to ErrorDocument Scripts

When an ErrorDocument is configured to call a script when an error occurs, the script does not know the cause of the error. An update to the code will pass the error message as readable text in an environment variable to the script.

Turning off Keepalives for Netscape 2.*

Netscape Navigator version 2 had some bugs in its implementation of 'keepalives'. Apache will now automatically disable keepalives if the user-agent of a request indicates it comes from this program. It uses the new BrowserMatch directive to set a special environment variable if the user-agent string starts "Mozilla/2".

With this update, the hack where Apache did a flush after sending the headers is removed. This was a work-around to make keepalives work with Navigator 2, but it also caused a delay on connection.


Since last week's article on extra modules for Apache, we've come across a few more.

The mod_disallow_id module can be used to prevent access to files owned by specified users or in certain groups. This could be used, for example, to prevent all access to root-owned files.

The module mod_log_peruser logs requests for a particular user's pages to a log file in the user's directory.

Both these modules are listed here, along with an enhanced mod_cgi based on the suCGI package (although most of this functionality will be built into the next Apache release).


The next version of Apache will be 1.2. This will include a lot of new features, as previewed in our Apache 1.2 article (from issue 29). It will also fix most of the outstanding bugs identified in 1.1.1. In this issue we summarise these bugs, sorting them by affected function.

There are quite a few bugs listed here, but most will not have a serious effect on most setups. Many are restricted to specific operating systems, or to particular configurations and modules. It should be remembered that Apache 1.1.1 is a stable release and most users are unlikely to come across these bugs.

For each bug we have tried to identify its current status in the latest development version of Apache. If the bug is followed by the word FIXED then the bug has been fixed and tested. If the status is VERIFIED then the bug exists but has not yet been fixed (although in many cases a fix will be in progress or undergoing initial testing). If neither word is present, then the bug has not been verified or fixed. We have tried to ensure that only real bugs are listed here, but the Apache group receives quite a few bug reports, many of which relate to incorrectly configured systems or which are caused by the operating system or other software.

Apache Core

These bugs affect the operation of the core server, or are related to low-level networking or operating system interaction.

  • DNS Failure causes core dump
    Apache can core dump if it cannot obtain the local hostname from the ServerName directive or from the DNS. FIXED.
  • High Load Problems
    At startup Apache forks the initial children. If it fails to fork (perhaps because of resource limitations), it immediately tries again, which can make the load situation worse. FIXED.
    A race condition can cause occasional hung processes on very high load systems. VERIFIED.
  • Memory allocation failure causes core dump
    The memory allocation return value is not checked which could cause core dumps. FIXED.
  • ErrorDocuments
    ErrorDocument redirect fails, displays filename. FIXED
    Docs claim %s in ErrorDocument string prints reason for error - no code to implement this. VERIFIED
    ErrorDocument displays " in string message. FIXED
  • Executing sub-programs
    When a sub-program is about to be run, Apache checks for correct permissions, but it does not account for other groups that the current user might be in.
  • Scoreboard
    Scoreboard sometimes out of date (shows PID of children that have died) FIXED

Access Checking

  • Domains Starting with Numbers
    Hostnames starting with a number (e.g. 123.domain.com) are incorrectly treated as IP addresses. VERIFIED.
  • Domain name capitalisation
    Domain names on allow and deny lines are not compared case-insensitively. VERIFIED.
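The two access-checking bugs above share one consequence: a deny rule that silently never matches leaves the host it names unblocked. The following added example (a constructed sketch, not Apache source code) shows this; the function names, the `fixed` switch and the label-boundary matching rules are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed sketch, not Apache source. fixed=0 models the two reported
 * bugs; fixed=1 models the corrected behaviour. */

/* Buggy test: any leading digit marks the pattern as an IP address. */
static int is_ip_naive(const char *s) { return isdigit((unsigned char)s[0]) != 0; }

/* Corrected test: an IP pattern holds only digits and dots. */
static int is_ip_strict(const char *s) {
    int digits = 0;
    for (; *s; s++) {
        if (isdigit((unsigned char)*s)) digits = 1;
        else if (*s != '.') return 0;
    }
    return digits;
}

/* Partial address "10.1" covers "10.1.2.3" but not "10.11.2.3". */
static int ip_match(const char *pat, const char *addr) {
    size_t n = strlen(pat);
    if (n == 0 || strncmp(pat, addr, n) != 0) return 0;
    return pat[n - 1] == '.' || addr[n] == '\0' || addr[n] == '.';
}

/* Domain pattern covers the host itself and names below it, on a label boundary. */
static int domain_match(const char *pat, const char *host, int nocase) {
    size_t pl = strlen(pat), hl = strlen(host);
    if (pl == 0 || pl > hl) return 0;
    const char *tail = host + (hl - pl);
    if ((nocase ? strcasecmp(pat, tail) : strcmp(pat, tail)) != 0) return 0;
    return hl == pl || pat[0] == '.' || tail[-1] == '.';
}

/* Returns 1 when the allow/deny pattern covers this client. */
int rule_matches(const char *pat, const char *host, const char *addr, int fixed) {
    if (fixed ? is_ip_strict(pat) : is_ip_naive(pat)) return ip_match(pat, addr);
    return domain_match(pat, host, fixed);
}

int main(void) {
    /* Constructed clients; addresses are from the documentation range. */
    printf("legacy=%d fixed=%d\n",
           rule_matches("123.domain.com", "www.123.domain.com", "192.0.2.7", 0),
           rule_matches("123.domain.com", "www.123.domain.com", "192.0.2.7", 1));
    printf("legacy=%d fixed=%d\n",
           rule_matches("Example.COM", "host.example.com", "192.0.2.8", 0),
           rule_matches("Example.COM", "host.example.com", "192.0.2.8", 1));
    return 0;
}
```

When auditing an existing configuration for these cases, look for deny lines whose hostname begins with a digit or contains upper-case letters.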

HTTP Protocol

  • Expires Header
    Apache is not setting Expires header on 304 responses FIXED
  • Continuation Headers
    Doesn't support HTTP continuation headers FIXED
  • Keep Alives
    Netscape Navigator 2 has bugs in its keepalive support, so Apache should turn off keepalives when accessed from Navigator 2. FIXED.

Proxy Module

The proxy module has been extensively modified since 1.1.1 to correct a large number of problems and omissions.

Logging

  • NULL requests logged
    Report of request "NULL" being logged in access log
  • Missing Hits
    Reports of access_log missing some hits (possibly related to keepalives)
  • ErrorLog
    ErrorLog | does not work. VERIFIED.

Other Module Bugs

  • Imagemap Module
    • Long URLs (>100 chars) can cause buffer overflows (possible core dump) VERIFIED
  • Status Module
    • Can give wrong start-up time on some systems
    • Core dumps on a few systems (OSF, SCO)
    • Wraps bytes total at 4.2GB FIXED
    • Transfer bytes per second figures wrong FIXED
  • Negotiation Module
    • Language negotiation doesn't work for cgi scripts without extensions, which are in a valid ScriptAlias directory.
    • Charset negotiation is not implemented. VERIFIED.
    • Language negotiation doesn't match languages against sub-languages, i.e. it treats en and en-US as completely different languages. FIXED.
  • Directory Index Module
    • Core dump on Solaris 2 with empty directories
    • Truncating file size in listing (e.g. 1.8Mb is displayed as 1Mb) FIXED
  • Userdir
    • UserDir cannot handle certain configurations, such as http://10.1.2.3/~* VERIFIED
  • Includes Module
    • Possible mod_include bug causing core dumps if SSI include fails due to incorrect .htaccess directive
    • Current working directory can change while processing includes

OS Specific Bugs

These bugs are related to specific operating systems.

  • A/UX: Linger close fails on A/UX FIXED
  • AIX: Compile warning for SERVICE_UNAVAILABLE FIXED
  • Apollo Domain: Some compilation errors on Apollo Domain
  • Digital Unix/OSF: V4.0 requires -lm because the frexp() function has been removed from libc.so. Incompatible pointer type warning.
  • IRIX: IRIX kernel fails to notify Apache of dead children FIXED
  • Linux: File descriptor bug causing SEGV in includes module. FIXED.
  • NeXTSTEP: support/logresolve.c does not compile because of strdup
  • OS/2: Simplified code for OS/2 FIXED. OS/2 filesystem is case-independent, can cause URLs to fail to match protection limitations
  • QNX: Missing prototypes for QNX FIXED.
  • SCO: Dumps core in status module with a Floating exception when compiled with -DSTATUS on SCO ODT 3.0
  • SGI: Compile warning in http_bprintf FIXED
  • Ultrix: Compile error in http_main.c
  • UnixWare: Configuration updated for UnixWare (needs NEED_LINGER)

Miscellaneous

  • Example URLs for status and info
    Example URLs for status and info pages (/status and /info) can intercept other URLs (e.g. anything in a directory called /info or /information). FIXED.
  • ScriptAlias and PATH_INFO problem
    Bug in the SCRIPT_NAME passed to CGI where the ScriptAlias directory included some PATH_INFO. FIXED
  • VHosts
    Host: header can override IP virtual hosts to give access to other vhosts' information. VERIFIED.
    IP-based Virtual hosts on main IP address but different ports not working. VERIFIED.
  • Directives with on/off arguments
    Directives that take an argument that is either "on" or "off" in fact accepted any argument. FIXED.
  • Default configuration mime types can conflict with encodings
    Default mime.types contains content-types for gz and Z extensions, but should be given as encodings with AddEncoding. FIXED
  • Port directive
    Apache accepts non-numeric Port number. FIXED.
  • Authoritative misspelt
    Spelling of authoritative (as authorative) wrong in auth_anon and auth_msql FIXED.

Possible Bugs

Finally, a few bug reports cannot be verified or discounted. That is, they may or may not exist, but cannot be reliably reproduced. While they may be Apache bugs, they could also be bugs in the operating system, or problems related to particular load conditions or configurations. Any further information about these possible bugs should be reported on the apache-bugs email address or Web page.

  • CGIs intermittently fail with 'premature end of file error' on site with 100 vhosts. Occurs even with low load.
  • Server will not respond after a few days of running. Instead of the 5 processes typically running, there is only one. Server accepts the requests, but never responds. This site makes heavy use of CGIs (>50% of all requests).
  • Some hits are not logged in the access_log, or logged as "NULL".