Apache Week
Issue 269, 2nd November 2001

Copyright 2020 Red Hat, Inc

Under development

Two denial of service attacks were found in the Apache 2.0 code this week, both concerned with memory usage when the client sends large requests. The first was that the server did not respect the maximum header field length, and would consume memory indefinitely while reading a single header line. A fix for this was quickly checked in. The second problem remains unconfirmed: using an httpd.conf from an old installation of 2.0 with the current code can cause a GET request with a large body to leak memory. Neither of these problems is known to affect Apache 1.3.
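To illustrate the first problem's fix, here is an added example (not code from Apache or from this newsletter) of reading request header lines so that the bound is enforced on the line under construction, not only on completed lines. The 8190-byte default, the names and the constructed requests are assumptions.

```python
import io

# Assumed bound, matching Apache's LimitRequestFieldSize default of 8190
# bytes; the value is illustrative and not taken from the newsletter.
DEFAULT_LIMIT = 8190


class HeaderTooLarge(Exception):
    """Raised when a single header line exceeds the configured limit."""


def read_header_lines(stream, max_field_size=DEFAULT_LIMIT, chunk=1024):
    """Read header lines from a byte stream up to the terminating blank line.

    The partial line is checked after every chunk, so memory for one line
    never exceeds max_field_size + chunk, however long the client keeps
    sending bytes without a newline.  The request line is treated with the
    same bound here for brevity (Apache limits it separately).
    """
    lines = []
    buf = b""
    while True:
        data = stream.read(chunk)
        if not data:
            raise ValueError("connection closed before end of headers")
        buf += data
        while b"\n" in buf:
            line, buf = buf.split(b"\n", 1)
            line = line.rstrip(b"\r")
            if len(line) > max_field_size:
                raise HeaderTooLarge(len(line))
            if line == b"":          # blank line ends the header block
                return lines
            lines.append(line)
        # No newline yet: the unfinished line must also respect the limit,
        # otherwise a client can grow it without bound.
        if len(buf) > max_field_size:
            raise HeaderTooLarge(len(buf))


def parse_request(raw, max_field_size=DEFAULT_LIMIT):
    """Return (status, header_lines): 200 on success, 400 on an oversized line."""
    try:
        lines = read_header_lines(io.BytesIO(raw), max_field_size)
    except HeaderTooLarge:
        return 400, []
    return 200, lines
```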

The 2.0 tree was tagged for a 2.0.27 release, and the live server at apache.org was updated to this code from the CVS snapshot it was running previously. The snapshot had been live for a week without any significant problems. The group indicated that after the 2.0.27 code had been running for three days, a public release would be made (barring any problems).

A decision was taken recently to move the SSL configuration directives out of the default httpd.conf (as in an Apache 1.3/mod_ssl installation) into a separate file, ssl.conf, to simplify administration of the plethora of directives for this module. This file has now been populated with the default configuration from mod_ssl 2.8.

Featured articles

In this section we highlight some of the articles on the web that are of interest to Apache users.

This week, we deviate from our usual topic to bring you some food for thought with "The Open Dielectric" from ASF board member Ken Coar. What has this got to do with Apache, you may ask. As Apache is one of the major open-source software projects, Ken's musings apply to the Apache community of developers and users as well. Would you agree with him that the virtual environment appears to be almost completely insulated from the acts and consequences in the physical world?

At WebTechniques.com, Jim Jagielski has a few tips for those who provide web-hosting services in "Customer Number One". He looks at two ways of giving every customer on a shared Apache server the performance and quality guarantees of a dedicated server, as if he or she were the only customer. The first uses mod_throttle to control various parameters, such as the number of requests or the total bandwidth used, on a per-server, virtual-host, location, directory or user basis. The second uses suExec to run each customer's CGI scripts under that customer's own user and group ID. He also discusses the pros and cons of running multiple instances of Apache simultaneously.

PHP provides a great assortment of functions ranging from Apache-specific functions to database functions. In "A Basic Introduction to PHP Images", Jon Perry examines how we can use the image functions to load existing images as templates, create images and transparency in images, and implement tiling in PHP. The source code used in the examples is available for download.

"Save Your Site from Spambots" teaches you how to use mod_rewrite to redirect "spambots" (software packages that crawl the Web harvesting e-mail addresses and adding them to bulk e-mail lists) to a specific page that has "special" messages just for them. Since this method uses the content of the User-Agent: HTTP header to identify the spambots, it won't stop spambots that masquerade as ordinary browsers from scraping e-mail addresses from your web site. Other solutions are presented as well, and the one recommended is "spamtraps": special addresses used solely for catching spammers. The author concludes that the best way to combat unwanted bulk e-mail is to report spam immediately to the ISP from which it originates, as many times as it takes until the ISP takes the necessary action.

Is there a lack of innovation in open source development? In Russell Pavlicek's opinion, the answer is no, and he justifies this view in "The Open Source".

This issue brought to you by: Mark J Cox, Joe Orton, Min Min Tsan