Date: Thu, 1 May 1997 15:22:53 -0700 (PDT)
From: Dean Gaudet
To: new-httpd@apache.org
Subject: [STATUS] Thu May 1 15:22:06 PDT 1997
Message-ID:

1.2b11 status as of Thu May 1 15:22:06 PDT 1997

  * Committed since 1.2b10:
    * ErrorDocument CGI responding to error from another CGI fixed
    * PR#512: signal redefinition problem on QNX

Agenda for 1.2b11-dev
====================

Patches available:

  * Ken's [PATCH] PR#501: mod_status doesn't escape printed URLs
    [Dean would like to see us write a general "escape ascii text"
    function so that it could be used by mod_status, mod_info, mod_dir,
    etc. rather than fix this one bug at a time.]
  * Petr's [PATCH] mod_dir HTTP_NOT_ACCEPTABLE fixup
    <199704301848.UAA13894@boco.fee.vutbr.cz>
    Status: Petr +1, Dean +1
    Roy notes that a general solution is required as this one does
    not handle all cases.
  * Roy's [PATCH] CGIWrap Problems
    <9704301533.aa28802@paris.ics.uci.edu>
    Status: Roy +1

No patches yet, showstoppers:

  * PR#502: keepalive not timing out on IRIX 5.3
  * PR#503: rewrite worked with 1.2b{6,7,8} but fail with 1.2b10
    Note that it's not related to the Configuration.tmpl rearrangement,
    I asked the user to verify that.

Documentation Changes that should make 1.2:

  * some better suexec docs would be really nice, detailing some of the
    security risks and compromises discussed
    Status: I think Randy said something about doing it at one point.
    Randy says he thinks Jason is perhaps doing them.
    [And Roy says: either somebody needs to document how it works
    (I don't know), or I'll go through and remove the documentation
    about how "good" it is to use it.]
    New Status: not really worth holding 1.2 on
  * Document problems with mismatch on FD_SETSIZE=1024?
  * Deal with Martin Kraemer's documentation notes:
    <199704081013.MAA02907@deejai.mch.sni.de>
    <199704081045.MAA02997@deejai.mch.sni.de>

Post 1.2:

  * Various minor tweaks to port to different platforms:
    PR#383, PR#388, PR#399, PR#333, PR#327, PR#445, PR#511
  * Fix mod_negotiation to follow latest TCN draft
  * Doug MacEachern's [PATCH] merge dbm auth configs
    Status: The question is, should we be merging auth configs?
    Ken says not by default and not unless it's configurable.
  * redo lingering_close to check for old sockets to close out before
    accept() in child.
    Status: doesn't look to be overly clean to do in the current
    framework. Will not have time to do implementation for this beta
    in any case. If it turns out to be a big issue, could go in
    later. (1.2.1?)
  * Marc wants to have a check to be sure log directory(ies) isn't
    writable by anyone except the user starting the server. The posting
    in bugtraq only highlights the problem. Needs override. See NCSA
    code for sample implem.
    Status: Marc busy writing
  * error compiling on NeXT:
      In file included from http_main.c:108:
      /NextDeveloper/Headers/bsd/netinet/tcp.h:57: duplicate member `th_off'
      /NextDeveloper/Headers/bsd/netinet/tcp.h:58: duplicate member `th_x2'
    Status: got a login in a NeXT OpenStep 4.x machine to test, looks
    like an interaction between gcc and the header files. It is trying
    to include definitions for both big and little endian platforms,
    and that no work.
  * Type map can't find appropriate document for language on Solaris
    2.x. (I can't gistify this one; full details in message ID .)
    Reporter has provided tar.gz file of config info.
    (no PR#, 1.2b7, 24/2/1997, )
    Status: Dean might have fixed this one (the table overlay bug)
    [Dean has mailed the submitter to ask them to test 1.2b8 or b9]
  * SONY NEWS port.
    See both: Jim working on a patch, but not until after 1.2b8

Should be added to the bugdb:

  * [BUG]: "mod_dld problem: variable in httpd_config.c counted wrong" on
    Irix and Dirk says he's got something to fix it that needs some work.
  * crates [sic] zombies on FreeBSDLinux (see for the details; I'm not
    going to try to decode 'em) Reporter says hackers have told it the
    cause lies in an error in the loop structure in alloc.c's
    fork()/signal()/wait() handling
    (no PR#, 1.1.1/1.2.something (?), 23/2/1997, )
    - Marc said it *might* be related to the kindercide issue
  * "Large groups cause authentication errors" on FreeBSD
    [salari@cs.ubc.ca]; problem looks to be MAX_STRING_LEN buffer in
    groups_for_user.
  * Solaris "accept: Too many levels of remote in path" [marc]
  * [BUG?] /cgi-bin/foo/bar%2fbaz
    unescape_url in util.c is forbidding %2f in PATH_INFO. The problem
    is that we use the %2f check to avoid security problems with stupid
    scripts. Roy thinks the best solution would be to decode all %2f's
    before doing any processing on the path, and thus reduce %2f.. to
    /.. before doing the path checks. This makes it impossible to have
    a filename containing slash, but no big deal.

Contrib stuff / future:

  * Start digital signing the distributions.
  * Chris Adams patch to mod_log_config to add %m and %c.
  * mod_log_config patch for conditional logging
    Status: contrib, not in server
  * Jim has patch for time taken to handle a request in status module
  * Ed has an updated patch for limiting connections per IP
  * mod_include could use boyer-moore searching for
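
Added example, not part of the original message and not Apache's code: the ordering proposed in the %2f item above (decode the escapes first, then run the path checks), next to the opposite order, in which an encoded slash hides a ".." segment from the check. The function names are hypothetical, and the ".." segment test stands in for whatever path checks the server applies.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not util.c's unescape_url): decode %XX escapes in
 * place; returns -1 on a malformed escape or an encoded NUL, else 0. */
static int decode_in_place(char *s)
{
    char *out = s;
    for (; *s; s++) {
        if (*s != '%') { *out++ = *s; continue; }
        if (!isxdigit((unsigned char)s[1]) || !isxdigit((unsigned char)s[2]))
            return -1;
        char hex[3] = { s[1], s[2], '\0' };
        char c = (char)strtol(hex, NULL, 16);
        if (c == '\0')
            return -1;
        *out++ = c;
        s += 2;
    }
    *out = '\0';
    return 0;
}

/* Stand-in path check: 1 if any '/'-delimited segment is exactly "..". */
static int has_dotdot_segment(const char *p)
{
    for (;;) {
        size_t len = strcspn(p, "/");
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return 1;
        if (p[len] == '\0')
            return 0;
        p += len + 1;
    }
}

/* Proposed order: decode first, so "%2f.." is already "/.." when checked. */
int decode_then_check(char *path)
{
    return (decode_in_place(path) == 0 && !has_dotdot_segment(path)) ? 0 : -1;
}

/* Opposite order, for contrast: the check runs before "%2f" becomes "/". */
int check_then_decode(char *path)
{
    return has_dotdot_segment(path) ? -1 : decode_in_place(path);
}
```

Both functions return 0 when the path is accepted (leaving the decoded path in the buffer) and -1 when it is rejected.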