There was discussion this week on the development list about allowing
encoded slash characters in URIs.
Traditionally, Apache has rejected any requests which include a
URI-encoded slash character, %2F, since otherwise these
may be passed through to CGI scripts (via the PATH_INFO
environment variable) in their un-escaped form. This is done to
prevent possible security vulnerabilities in CGI scripts which don't
perform sanity checking on input variables.
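As an added illustration (not code from Apache or from Apache Week), the Python sketch below models the traditional %2F rejection and the kind of PATH_INFO sanity check a CGI script would need if such requests were passed through un-escaped. The script path, function names and sample requests are constructed for this example.

```python
import re
from urllib.parse import unquote

SCRIPT = "/cgi-bin/show.cgi"                        # constructed script location
ENCODED_SLASH = re.compile(r"%2f", re.IGNORECASE)   # matches %2F or %2f

def server_accepts(raw_path):
    """Traditional behaviour: refuse any request path containing %2F."""
    return ENCODED_SLASH.search(raw_path) is None

def path_info(raw_path, script=SCRIPT):
    """PATH_INFO in un-escaped form, as the CGI script would receive it."""
    if not raw_path.startswith(script + "/"):
        raise ValueError("request does not carry PATH_INFO for this script")
    return unquote(raw_path[len(script):])

def script_sanity_check(raw_path, script=SCRIPT):
    """Return the PATH_INFO segments, or raise ValueError when un-escaping
    changed the path structure or left an empty or relative segment."""
    raw_segments = raw_path[len(script):].split("/")[1:]
    segments = path_info(raw_path, script).split("/")[1:]
    if len(segments) != len(raw_segments):
        raise ValueError("encoded slash added path segments")
    if any(seg in ("", ".", "..") for seg in segments):
        raise ValueError("empty or relative segment")
    return segments

def evaluate(raw_path):
    """Return (accepted by server, accepted by the script's own check)."""
    try:
        script_sanity_check(raw_path)
        script_ok = True
    except ValueError:
        script_ok = False
    return server_accepts(raw_path), script_ok

if __name__ == "__main__":
    # Constructed sample requests: one plain, two carrying encoded slashes.
    for sample in (SCRIPT + "/reports/2002",
                   SCRIPT + "/reports%2F2002",
                   SCRIPT + "/reports%2f..%2fprivate"):
        print(sample, "->", path_info(sample), evaluate(sample))
```

The second sample shows the core problem: the request line has one path segment after the script name, but the un-escaped PATH_INFO has two.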
Ken Coar is working on a
patch to add a configuration directive which conditionally enables
processing of requests to URIs which include encoded slash
In other news, an improved download page has been
deployed which allows users to easily choose and download the Apache
source releases from a particular mirror site. After considerable
debate and voting, the proposals to begin branching the Apache 2.0
tree for separate "stable" and "development" series look set to be
It's only a couple of weeks until ApacheCon, which is being held
in Las Vegas, USA from the 19th-21st November 2002, with
an optional day of tutorials available on November 18th. The last
ApacheCon was over 18 months ago, and the conference program is
full of new and interesting talks.
Apache Week will be on hand as always to report on the event, and for
the all-you-can-eat hotel buffets.
Find out more at the conference web site, or
read our account of ApacheCon
2001 Santa Clara.
GovExec.com reports on the Red Hat-sponsored open source security
summit in the story
"cybersecurity officials praise 'open source' software". During
a presentation at the summit, Marcus Sachs,
a director of the White House cyber-security office, talked briefly about
the Apache web server.
"...nearly one-third of all government Web sites use Apache, the leading
open-source server software. The number of military Web sites using
it is 22 percent, second to Microsoft's server software, but military
use of Apache is growing rapidly"
In this section we highlight some of the articles on the web that are of
interest to Apache users.
"Apache 2: Improvements Are Obvious, But Upgrade Choices Aren't"
revisits the benefits of using Apache 2.0 over Apache 1.3 and
unravels the mystery of the slow adoption rate of Apache 2.0. If you
are having difficulty deciding whether to upgrade or not, this article
may bring you a little closer to your decision.
O'Reilly Mac DevCenter shows you how to
build your very own Apache web server with mod_perl
on Mac OS X. It lists the reasons for replacing the default Apache
that comes with Mac OS X with a self-built version and then provides
a step-by-step guide on configuring, compiling, installing, and testing
mod_perl and Apache.
"mod_rewrite: A Beginner's Guide to URL Rewriting"
uses a few simple but practical examples to explain the basics of using
mod_rewrite. It demonstrates how to enable
mod_rewrite in your Apache web server, and set
RewriteMap directives to accomplish tasks
such as ensuring that your URLs are user-friendly, and disallowing
links to your images from external websites.
In the August 2002 issue of Linux Magazine, the article entitled
"Long Processes Through CGI"
offers a solution for running long tasks without users getting bored
or Apache dropping the connection. It walks you through a sample Perl
script which forks a process to execute the long task and redirects the
client to a new URL which points to the results of the task. If the results
are incomplete, a meta-refresh tag is added as a header to ask the client
to poll the same URL after a predefined number of seconds.
Apache Week is a weekly publication, but over the last few
months we've missed out the occasional issue. We've done
this when there is little or no news as feedback from readers
has shown that this is preferable to us sending out a tiny
issue with no content. With ApacheCon and many staff
holidays we expect to miss out a few more issues in the coming
months. However, should there be important
announcements, security notifications, or new releases, we will
be sure to cover them.