Release: 1.1.1
Beta: None
Bugs reported in 1.1.1:
-
Function names in md5.c conflict with those in libdce.a,
and possibly other libraries which use md5 functions
Bugs fixed in next release:
-
The last line in .htaccess and config files was being
ignored if it did not include a trailing newline
-
A request for a CGI program which contained a PATH_INFO
segment that was also a symbolic link, and where that
symbolic link would be denied because the
SymLinksIfOwnerMatch option was on, caused the script to
fail and returned a 500 error.
The following items are under development and may be included
in the next release of Apache. See our Apache 1.2
Sneak Preview for other new features in the next release.
The 'scoreboard' containing details of what child processes
are running is stored in special memory accessible by all the
child processes and the parent process. Depending on the
system this memory is obtained as either a memory-map (mmap),
or as shared memory (shmem). The choice is made automatically
based on the OS in use. In previous Apache releases, HP-UX
systems used the 'mmap' memory by default. However there are
problems with mmap on some versions of this OS, so a
configuration directive NO_MMAP was added, which if set told
Apache to not use mmap, but to use a scoreboard file instead.
Now it seems all HP-UX system have 'shmem', so that is now
the default for HP-UX, and there is no NO_MMAP option.
The status page will be updated to show the virtual host of
the resource being processed by each child, if appropriate.
The timeout code in Apache tries to ensure that if the remote
client goes away and doesn't tell the server (e.g. if there
is a network break or other serious problem), then Apache
doesn't spend forever waiting for more data. The timeout
period can be set with the TimeOut directive. By
default, it is set to 1200 seconds (20 minutes). In terms of
sending a file, this timeout is the maximum time Apache will
wait between successful writes of data - not the total
time to send the data.
This timeout is also applied when reading the initial
request. However, typically requests will be much shorter
than responses, so Apache could be waiting unnecessarily long
for a request which never arrives. A possible solution would
be to implement way of setting the timeout for reading a
request to a different value from the timeout for sending the
response. Sites which do not expect requests to take very
long could set the request timeout to a lower value (say 60
seconds). Those sites which accept large requests (file
uploads) could set this timeout much larger.
One way of attacking systems on the Internet is to try to
prevent the target system from operating correctly by
overloading it. This is called a 'denial of service' attack.
One method of doing this is to open multiple connections to a
server and never close them. The more connection the server
has open at once, the more resources are tied up holding
details of those connection, which can lead to increased load
and eventually to the server running out of resources.
There are two main ways of doing this sort of attack: the
first is to simply open the connection and not send any data.
In this case Apache's timeout mechanism will automatically
drop the connection after the timeout period. The second way
is to appear to open or close a connection, but the to fiddle
with the TCP transmissions to prevent the client from
acknowledging the open or close. The remote host will hold
the resources used for the connection until this
acknowledgment is received. This is done within the operating
system's implementation of TCP.
This sort of attack is not specific to Apache, nor to
http servers, but is generic to any TCP-based server which
listens for incoming connections (which included most host
services). Attacks based on incompletely opening a connection
is the subject of a
CERT advisory.
In the HTTP/1.1 specification, each resource can be
associated with one or more languages. Typically, most
documents are not identified as being in a particular
language, however sites with multilingual content can mark
what language a document is in. This is done in Apache using
the AddLanguage directive and using file extensions.
For example, the following AddLanguage commands
define file extensions to signify French, German and English:
AddLanguage en en
AddLanguage de de
AddLanguage fr fr
(the first argument is the official language tag for the
language, and the second argument is the file extension to
use - in these examples, the file extension is the same as
the language tag, although this is not necessarily the case).
To mark a document as being in a particular language, the
language extension (from the AddLanguage directive)
should be added to the file name. For example, to mark the
file welcome.html as being intended for readers of
English, rename it to welcome.html.en. Similarly,
documents could be created called welcome.html.de
and welcome.html.fr.
Normally, some form of content negotiation would be used to
let the server automatically choose the best language in
response to a query. The user would not know that there are
multiple languages available, since the request URL would
omit the language extension (it would consist of just
http://server/welcome.html). This is
implemented using either the MultiViews option, or a
variants (var) file. This is explained in the Apache Week
feature on content
negotiation.
In Apache 1.2, language negotiation will probably be
extended. Most importantly, each resource on the server can
be identified with more than one language. For example, a
document intended for both English and German readers could
be stored in the file
welcome.html.en.de
(In Apache 1.1.1, documents can only contain a single
language).
If no document is acceptable to the browser (perhaps because
it indicated it could only accept a language for which there
is no document on the server), Apache will return a new "406"
error status (this could also result for other types of
content negotiation, such as negotiation based on media type,
character set and encoding). A 406 response indicates that
the document does exist but not in an acceptable form based
on the browser's preferences. It will then list all the forms
it is available as, in an HTML document with links. The user
can then decide which (if any) of the forms they would like
to see.