httpd-dev mailing list archives

From (Robert S. Thau)
Subject Re: lights, cameras, action
Date Wed, 08 Mar 1995 18:58:21 GMT
OK, folks, here's the list.  My proposal for a first-cut Apache is to
take *all* the bug-fixes and performance enhancements as a body, and
leave any functional enhancements for later.  If there's some
completely non-controversial and simple functional enhancement which
would buy us a lot, perhaps we should consider it.  However, many of
the items on the functional enhancements list will take some
discussion to decide if we want them, and in what form, and I don't
think those discussions should be allowed to hold up the project.

Besides, the bug-fixes are work enough by themselves.

NB this list only includes stuff for which code is *already* available
in some form; that's why items like content negotiation aren't on it,
even though a lot of people want to see them happen.  Perhaps I should
add a fourth category, Wn), for these Wish-list items....

Without further ado, The List:

Bug fixes:  (most available in multiple versions)

B1) The stack-scribbling security hole.  Note that there are two
    patches for this:

  B1a) The CIAC/CERT patch, and
  B1b) The official NCSA patch.

    The CERT patch makes the server processes substantially
    larger; the NCSA patch doesn't, but a lot of us don't trust it.
    The best thing may be a compromise which includes the CIAC/CERT
    patch, but allows the server to be compiled without it via
    something like -DINSECURE.

B2) Don't set SO_LINGER on client sockets.  (On many systems, this
    leads to processes which can't be killed because they're already
    trying to die, but can't close their last file descriptor (the
    socket either), so they just sit around taking up swap space).

    I don't know of anyone who's made this available separately as
    a formal patch; this is just *deleting* two lines from httpd.c.

B3) Server always pauses 3 seconds for scripts which send a redirect,
    then gratuitously kills the process (which is probably dead anyway
    at that point).  Again, the fix is to dike out a line of code
    (first pointed out by Eric Hagberg).

B4) <!--#config timefmt --> server-side include doesn't always take.
    Nicolas supplied a patch for this.

B5) XBITHACK not honored on <!--#include-->ed files [Andrew Wilson]

B6) access log files should be written with O_APPEND.
    Roy Fielding has code for this.

B7) when access control is "Limit"ed with "Order allow,deny", the
    server allows by default, making any Allow directives which may be
    present redundant.

    rst has a patch for this.

B8) httpd can't handle numeric User specs in httpd.conf unless that
    uid appears in the passwd file.  If multiple usernames have the
    same uid, it sometimes sets group permissions with the wrong one.

    Patches for this are integrated with drtr's version of the
    initgroups() fix (P1 below).

Performance enhancements:  (most available in multiple versions)

P1) Don't do initgroups() once per connection.  (But do redo it after
    rereading the config files).

    Patch available from drtr.

P2) Don't do kernel read()s of one character, when reading MIME
    headers from clients, or script CGI headers.

    drtr and rst have their own versions; drtr's handles POST, but
    looks like it might have somewhat more overhead in the simple GET

P3) Don't do open_locale() and tzset() once per connection.  (These
    routines are called from C library time conversion code).

    rst has a patch for this.

P4) Shared-memory name server cache.

    rst has something like this, though its portability can't be
    guaranteed.  (There are things which claim to be Unix which don't
    support shared memory in any form).

Functional enhancements:  (Note that many of these are still in the
process of being packaged up for submittal):

E1) DBM-based user databases for HTTP authentication. [Brian]


E3) *.doit scripts (allows *any* URL to invoke a script, whether it
    ends in a magic *.cgi suffix or not). [rst]

E4) Extended UserDir --- if server sees "UserDir /foo/bar/%u/zot",
    then /~user gets translated to /foo/bar/user/zot. [rst & downstairs]

E5) Logging User-agent and Referer, at least on errors. [Roy Fielding?]

E6) Load throttling --- reject incoming connections if load is too
    high. [Robert Evans]

E7) Send Last-modified header for server-side-included docs if
    group XBIT is set. [Rob Hartill, by way of Andrew Wilson]

E8) Custom error messages [Webmaster at Cardiff, by way of Rob Hartill]

E9) CGI-based content negotiation [Hartill] [NOTE: controversial]

E10) Referer and User-agent logging.  This exists in several variants;
     there are patches on the Net which put these in separate files
     (which is awkward to cross-reference, and also would have more
     overhead than adding fields to the access_log).  Also, Roy has
     code to log these variables on separate lines after the error;
     somehow, I think there may be quibbles of taste about formatting
     here (some people might prefer to have everything on one line).
