httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From (Robert S. Thau)
Subject Revised patch list
Date Wed, 01 Mar 1995 09:56:46 GMT
Here's a revision of yesterday's patch list, including everything I saw
brought up on the list, and a few others I'd forgotten:

Bug fixes:  (most available in multiple versions)

 *) The stack-scribbling security hole.  Note that there are two
    patches for this -- the CIAC/CERT patch, and the official NCSA
    patch.  The CERT patch makes the server processes substantially
    larger; the NCSA patch doesn't, but a lot of us don't trust it.

 *) Don't set SO_LINGER on client sockets.  (On many systems, this
    leads to processes which can't be killed because they're already
    trying to die, but can't close their last file descriptor (the
    socket either), so they just sit around taking up swap space).

 *) Server always pauses 3 seconds for scripts which send a redirect,
    then gratuitously kills the process (which is probably dead anyway
    at that point).

 *) <!--#config timefmt --> server-side include doesn't always take.

 *) XBITHACK not honored on <!--#include-->ed files [Andrew Wilson]

 *) log files should be written with O_APPEND.

 *) when access control is "Limit"ed with "Order allow,deny", the
    server allows by default, making any Allow directives which may be
    present redundant.

 *) httpd can't handle numeric User specs in httpd.conf unless that
    uid appears in the passwd file.  If multiple usernames have the
    same uid, it sometimes sets group permissions with the wrong one.
    (Integrated with drtr's version of the initgroups() fix).

Performance enhancements:  (most available in multiple versions)

 *) Don't do initgroups() once per connection.  (But do redo it after
    rereading the config files).

 *) Don't do kernel read()s of one character, when reading MIME
    headers from clients, or script CGI headers.

 *) Don't do open_locale() and tzset() once per connection.  (These
    routines are called from C library time conversion code).

 *) Shared-memory name server cache.  [I have this, though it's less
    portable than it could be].

Functional enhancements:  (Note that many of these are still in the
process of being packaged up for submittal):

 *) DBM-based user databases for HTTP authentication. [Brian]


 *) *.doit scripts (allows *any* URL to invoke a script, whether it
    ends in a magic *.cgi suffix or not). [rst]

 *) Extended UserDir --- if server sees "UserDir /foo/bar/%u/zot",
    then /~user gets translated to /foo/bar/user/zot. [rst & downstairs]

 *) Logging User-agent and Referer, at least on errors. [Roy Fielding?]

 *) Load throttling --- reject incoming connections if load is too
    high. [Robert Evans]

 *) Send Last-modified header for server-side-included docs if
    group XBIT is set. [Rob Hartill, by way of Andrew Wilson]

 *) Custom error messages [Webmaster at Cardiff, by way of Rob Hartill]

 *) CGI-based content negotiation [Hartill] [NOTE: controversial]

 *) Referer and User-agent logging. [The Net].  [NOTE: do we really
    want separate log files for this?  The overhead of writing log
    files actually adds up, in my profiles...]

View raw message