httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Marc Slemko <ma...@znep.com>
Subject Re: Agenda for 1.2b7
Date Sat, 01 Feb 1997 20:23:37 GMT
1.2b7 status as of Sat Feb  1 13:22:59 MST 1997

  * Committed since 1.2b6:
	* FIN_WAIT_2 page to documentation
	* mod_info corruption bug
	* mod_rewrite sizeof() bug
	* allow keepalive on 304 responses
	* full headers on 2xx or 3xx status
	* fix extra CRLF -> buffers not flushed problem
	* output all HTTP/1.1 header fields on responses
	* mod_info bug fix for if sizeof(char) != 1, not that that can
	  happen.

  * Some mirrors are out-of-date, Brian will investigate

Agenda for 1.2b7-dev
====================

Patches ready for testing, voting:

  * Using the directive "RLimitCPU 10" core dumps
	Status: Ed posted patch.  +1 Marc

  * Ralf's mod_rewrite updates
	Status: patch posted and reposted, Roy +1, Marc +1 (only after 
	my comments addressed; need to review changes)

  * update bug report page to not have email form
	Status: +1 Roy, Dean, Marc (but some changes suggested)

  * http_monitor doesn't understand scoreboard format (PR#134)
	Status: Paul Sutton posted patch 9 Jul(!); probably needs a 
	repost and some +1s.  Jim, Marc +1 once we see patch.  Should
	it just be removed?
	Update: patch reposted



Should be done before 1.2b7:

  * some better suexec docs would be really nice, detailing some of the
    security risks and compromises discussed
	Status: I think Randy said something about doing it at one point,
		but no one can write what  I think should be there better
		than me, if I ever have time.

  * suexec free()s memory while it is still needed. (PR#142)

  * identitycheck and hostnamelookups not allowed in .htaccess but
    documentation says they are.  Update the documentation or perhaps
    make them work as documented.

  * mod_include is slow.  Ed posted a patch to remove feof and
    ferror from GET_CHAR.  Can we do more?

  * redirect of index file causes SEGV [Marc]
	Status: have a way to stop the core dump, but that doesn't make
	it work properly.

  * In your security tips, you use the invalid
    directive <Directory>.  It used to be (correctly)
    <Directory />.  But I would suggest that it isn't
    paranoid enough, anyway, as PUT shouldn't be
    allowed for arbitrary directories. [Nick Maclaren <nmm1@cus.cam.ac.uk>]

  * Hitachi HI-UX/WE2 port patches [Nick Maclaren <nmm1@cus.cam.ac.uk>]
	Status: Jim looking at them

  * 64-bit issues; general cleanup, ap_snprintf("%d", (int)-1) giving
    wrong behavior on Alpha boxes.

  * Randy says "seems that the processes on a Unixware machine are
    eventually all dying off. Mind you, I have not seen this, but
    that is what is being reported.  Sounds like perhaps the server is not 
    respawning new children after MaxRequestsPerChild has been reached."

  * mod_proxy returns incorrect results when given a 'Location:'
    redirect (PR#137)

  * http_request.c: directory_walk() misses some <Directory ...> directives
    (PR#131).  I'm not sure the way things are done is really incorrect, 
    but should be looked at.

  * user and server get confused over what should be a virtual host
	and what is the main server, resulting in access to something
	other than the name defined in the virtualhost directive (but
	with the same IP address) failing.  
		Status: should be looked at, may not be a nice way to fix 
			since it is likely not technically a bug.

  * Improvements in chunked performance by reducing buffer count sent
       Status: no patch; Dean may do

  * conflicting definitions for is_proxy_available
	status: marc posted patch, on hold until see about latest
	version?


  * Satisfy Any can be changed if .htaccess exists
        If you give Satisfy Any in access.conf for a particular directory,
        and have a .htaccess in that directory, Satisfy mode reverts
        to Satisfy All even if the .htaccess has _no_ authentication
        directives.

  * error compiling on NeXT:
	In file included from http_main.c:108:
	/NextDeveloper/Headers/bsd/netinet/tcp.h:57: duplicate member `th_off'
	/NextDeveloper/Headers/bsd/netinet/tcp.h:58: duplicate member `th_x2'

	Status: unknown

  * suexec sets environ to local variable, possibly to overwrite
    memory by too many environ variables

	status: Randy looking into it; perhaps calloc array

  * infinite loop in mod_imap due to parsing bug
		status: Marc found problem, wants input on which way to solve

  * Marc says Apache won't compile with HAVE_SNPRINTF defined as things
    are now because not everything includes conf.h.
       Status: Fix it when we have a platform which has snprintf.  Jim
	will look at; perhaps just include conf.h everywhere

  * warnings in regex
       Status: Roy would like to see this fixed since it makes Apache
               a mess on Solaris when using -Wall.  Roy will make patch.

  * warning on SunOS4, http_log.c:164, pointer from int without cast
       Status: Marc analyzed

  * core dump if an error in .htaccess & subrequest
       Status: no patch yet
       Info: <lampa@fee.vutbr.cz> reports that if sub_req_lookup_uri() is
             called, then per_dir_config in subrequest is not initialized
             until directory_walk is done. If any error is encountered during
             this time, log_reason() will core dump, since it calls
             get_remote_host() with r->per_dir_config. 
       Solution: Initialize per_dir_config in set_sub_req_protocol()
             (see initialization of regular request in read_request()!).

  * Solaris 2.6 apparently has a getwd() or getcwd() prototype, see PR#89
       Status: easy to fix, but will require testing by 2.6beta person

  * suexec setuid() before directory checks for nfs mounted filesystems, PR#70
       Status: no patch yet

  * MAXPATHLEN undefined in suexec on some systems
	Status: randy looking into it(?)

  * new header_parse API hook is called too often
       Status: RobH posted patch, had second thoughts.  He
       suggests that mod_browser be optimised by detecting if it has been
       called already and returning early if it has.

  * lingering_close generates the following error message
      shutdown: Transport endpoint is not connected - lingering_close
    using 1.2b6 (only a few a day).  I think this is what 
    happens when a client disconnects during transmission, which
    is a normal condition for web servers.  I suggest not logging
    an error if errno == ENOTCONN.
      Marc says that this may not be "normal", it may be if the client
    sends a RST to terminate the connection (as per recent discussion on
    end2end-interest) and it gets here before we get to that point in
    lingering_close.
       Status: no patch, waiting to see if it it improves debugging.

  * accept errors EPROTO and ECONNABORTED should not be logged
       Status: no patch, ditto above, but will require ifdefs

  * directory redirect returns 302 not 301, see PR 77
       Status: easy to fix, but will require testing

  * SO_DEBUG in proxy_ftp.c may not be portable, see PR 116, 104
       Status: Chuck says it is a leftover, will fix

  * bugs in mod_negotiation (serious)
       Status: reported by lampa@fee.vutbr.cz on Jan 6 to apache-bugs.
               It is a very good, detailed report with patches.

  * 3 seconds delay in CGI execution on SunOS 4.x, see PR 122
       Status: no patch.
       Info: Pages containing script output show up with a delay of 3
             seconds (there was no such delay in Apache 1.1.1). 
             [rindfuss@medea.wz-berlin.de] tracked the problem down to
             source file alloc.c, function free_proc_chain. This function
             contains a conditional call to sleep(3), which causes the delay.

       for (p = procs; p; p = p->next) {
          if (p->kill_how == kill_after_timeout) {
            /* Subprocess may be dead already.  Only need the timeout if not. */
            if (kill (p->pid, SIGTERM) != -1)  
              need_timeout = 1;
          } else if (p->kill_how == kill_always) {
            kill (p->pid, SIGKILL);
          }
        }
 
        /* Sleep only if we have to... */
  
        if (need_timeout) sleep (3);

        [RobH: So CGI included as SSI hangs around for longer and needs
               to be SIGTERM'ed.  Why?]

        [Roy: note also that a call to sleep will blow-out any other timeout]



Planning/design items:

    * Should we change the default timeout of 1200?
	Status: discussion ongoing, +1 concept Jim, Randy, Marc

    * do we want a half-hearted attempt at fixing logfile opening security
      holes?  
	Status: Jim & Randy say no  How about check to be sure directory
		is owned by the user that started httpd and not group
		or world writable?

    * should the bug report page be in CVS?  Should it be in the htdocs
      tree or a seperate place?  Should it be distributed with Apache?
      The same holds for everything on the Apache web site.  Marc would
      like to see it all in CVS, but not necessarily distributed
      with Apache.

    * should perhaps start to think about exactly how we want to 
      handle contrib patches/programs in 1.2.  Directory on the web site?  
      Include in distribution?


Contrib stuff / future:

    * Chris Adams <cadams@ro.com> patch to mod_log_config to add %m
      and %c.

    * "Large groups cause authentication errors" on FreeBSD
      [salari@cs.ubc.ca]; problem looks to be MAX_STRING_LEN buffer
      in groups_for_user.  

  * mod_log_config patch for conditional logging
	Status: contrib, not in server


Mime
View raw message