In this issue
Bugs reported in 1.1.1:
Core dump in directory module on Solaris in empty directory
Permission checking when running sub-program does not check
user's other groups
If Apache fails to fork children at startup it immediately
tries again, pushing up the load
ErrorLog | does not work
Domain names on allow and deny lines are case-sensitive
Report of CGIs occasionally failing with 'premature end of
.cgi extension is mapped to CGI magic type in mime.types,
which should only happen if .cgi is to be treated as a CGI
extension in the document tree (and should really be
handled by AddHandler).
The following items are under development and may be included
in the next release of Apache. See our Apache 1.2
Sneak Preview for other new features in the next release.
Blocking User Agents
The 'deny from' directive can be used to block particular
user agents. This could be used to stop robots which are
continually requesting resources, based on the 'user agent'
text they send.
Configuration guesses OS
The configuration process now guesses the type of operating
system, so this does not need to be configured manually. The
only things that need configuring before compilation are the
choice of modules and any additional options needed (e.g. dbm
Error Messages Available to ErrorDocument Scripts
When an ErrorDocument is configured to call a script when an
error occurs, the script does not know the cause of the
error. An update to the code will pass the error message as
readable text in an environment variable to the script.
Turning off Keepalives for Netscape 2.*
Netscape Navigator version 2 had some bugs in its
implementation of 'keepalives'. Apache will now automatically
disable keepalives if the user-agent of a request indicates
it comes from this program. It uses the new
BrowserMatch directive to set a special environment
variable if the user-agent string starts with "Mozilla/2".
With this update, the hack where Apache did a flush after
sending the headers is removed. This was a work-around to
make keepalives work with Navigator 2, but it also caused a
delay on connection.
Since last week's article on extra modules for Apache, we've
come across a few more.
mod_disallow_id module can be used to prevent access to
files owned by specified users or in certain groups. This
could be used, for example, to prevent all access to
mod_log_peruser logs requests for a particular user's
pages to a log file in the user's directory.
Both these modules are listed here,
along with an enhanced mod_cgi based on the suCGI package
(although most of this functionality will be built into the
next Apache release).
The next version of Apache will be 1.2. This will include a
lot of new features, as previewed in our Apache
1.2 article (from issue 29). It will also fix most of the
outstanding bugs identified in 1.1.1. In this issue we
summarise these bugs, sorting them by affected function.
There are quite a few bugs listed here, but most will not
have a serious effect on most setups. Many are restricted to
specific operating systems, or to particular configurations
and modules. It should be remembered that Apache 1.1.1 is a
stable release and most users are unlikely to come across
For each bug we have tried to identify its current status in
the latest development version of Apache. If the bug is
followed by the word FIXED then the bug has been fixed and
tested. If the status is VERIFIED then the bug exists but has
not yet been fixed (although in many cases a fix will be in
progress or undergoing initial testing). If neither word is
present, then the bug has not been verified or fixed. We have
tried to ensure that only real bugs are listed here, but the
Apache group receives quite a few bug reports, many of which
relate to incorrectly configured systems or which are caused
by the operating system or other software.
These bugs affect the operation of the core server, or are
related to low-level networking or operating system
DNS Failure causes core dump
Apache can core dump if it cannot obtain the local hostname
from the ServerName directive or from the DNS. FIXED.
High Load Problems
At startup Apache forks the initial children. If it fails
to fork (perhaps because of resource limitations), it
immediately tries again, which can make the load situation
A race condition can cause occasional hung processes on
very high load systems. VERIFIED.
Memory allocation failure causes core dump
The memory allocation return value is not checked which
could cause core dumps. FIXED.
ErrorDocument redirect fails, displays filename.
Docs claim %s in ErrorDocument string prints reason for
error - no code to implement this. VERIFIED
ErrorDocument displays " in string message. FIXED
When a sub-program is about to be run, Apache checks for
correct permissions, but it does not account for other
groups that the current user might be in.
Scoreboard sometimes out of date (shows PID of children
that have died) FIXED
Domains Starting with Numbers
Hostnames starting with a number (e.g. 123.domain.com)
are incorrectly treated as IP addresses. VERIFIED.
Domain name capitalisation
Domain names on allow and deny lines are not compared
Apache is not setting Expires header on 304 responses
Doesn't support HTTP continuation headers FIXED
Netscape Navigator 2 has bugs in its keepalive support,
so Apache should turn off keepalives when accessed from
Navigator 2. FIXED.
The proxy module has been extensively modified since
1.1.1 to correct a large number of problems and
NULL requests logged
Report of request "NULL" being logged in access log
Reports of access_log missing some hits (possibly
related to keepalives)
ErrorLog | does not work. VERIFIED.
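The two allow/deny matching bugs listed above (hostnames starting with a number, and domain name capitalisation) can be modelled in a few lines of C. This is an added example, not Apache source: the function names, the `fixed` switch and the sample client are constructed here, and the stricter checks are one way to correct the behaviour, not necessarily the change made for 1.2.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Behaviour as reported for 1.1.1: an operand with a leading digit is an IP. */
static int is_ip_naive(const char *s) { return isdigit((unsigned char)s[0]) != 0; }

/* Stricter test: an IP (or IP prefix such as "10.1") is digits and dots only. */
static int is_ip_strict(const char *s) {
    if (*s == '\0') return 0;
    for (; *s; s++)
        if (!isdigit((unsigned char)*s) && *s != '.') return 0;
    return 1;
}

/* Case-insensitive comparison with a strcmp-style result (0 means equal). */
static int cmp_nocase(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 1;
    return *a != *b;
}

/* Is host inside domain? Only whole labels match, so "example.com"
   does not cover "badexample.com". */
static int in_domain(const char *domain, const char *host,
                     int (*cmp)(const char *, const char *)) {
    size_t dl = strlen(domain), hl = strlen(host);
    if (dl == 0 || hl < dl || cmp(domain, host + (hl - dl)) != 0) return 0;
    return hl == dl || domain[0] == '.' || host[hl - dl - 1] == '.';
}

/* Match one allow/deny operand against a client; fixed=0 models the bugs. */
static int rule_matches(const char *operand, const char *ip, const char *host, int fixed) {
    if (fixed ? is_ip_strict(operand) : is_ip_naive(operand)) {
        size_t n = strlen(operand);   /* IP prefix must end on a dot boundary */
        return strncmp(operand, ip, n) == 0 &&
               (ip[n] == '\0' || ip[n] == '.' || operand[n - 1] == '.');
    }
    return in_domain(operand, host, fixed ? cmp_nocase : strcmp);
}

int main(void) {
    /* Constructed client: documentation address and example hostnames. */
    printf("%d %d\n", rule_matches("123.domain.com", "192.0.2.7", "123.domain.com", 0),
                      rule_matches("123.domain.com", "192.0.2.7", "123.domain.com", 1));
    printf("%d %d\n", rule_matches(".Example.COM", "192.0.2.7", "host.example.com", 0),
                      rule_matches(".Example.COM", "192.0.2.7", "host.example.com", 1));
    return 0;
}
```

With `fixed=0` both rules silently fail to match the client they name, so a deny line written that way would not take effect.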
Other Module Bugs
Long URLs (>100 chars) can cause buffer
overflows (possible core dump) VERIFIED
Can give wrong start-up time on some systems
Core dumps on a few systems (OSF, SCO)
Wraps bytes total at 4.2GB FIXED
Transfer bytes per second figures wrong FIXED
Language negotiation doesn't work for cgi scripts
without extensions, which are in a valid
Charset negotiation is not implemented. VERIFIED.
Language negotiation doesn't match languages
against sub-languages, i.e. it treats en and en-US
as completely different languages. FIXED.
Directory Index Module
Core dump on Solaris 2 with empty directories
Truncating file size in listing (e.g. 1.8Mb is
displayed as 1Mb) FIXED
UserDir cannot handle certain configurations, such
as http://10.1.2.3/~* VERIFIED
Possible mod_include bug causing core dumps if SSI
include fails due to incorrect .htaccess directive
Current working directory can change while
OS Specific Bugs
These bugs are related to specific operating systems.
A/UX: Linger close fails on A/UX FIXED
AIX: Compile warning for SERVICE_UNAVAILABLE
Apollo Domain: Some compilation errors on Apollo
Digital Unix/OSF: V4.0 requires -lm because the
frexp() function has been removed from libc.so.
Incompatible pointer type warning.
IRIX: IRIX kernel fails to notify Apache of dead
Linux: File descriptor bug causing SEGV in
includes module. FIXED.
NeXTSTEP: support/logresolve.c does not compile
because of strdup
OS/2: Simplified code for OS/2 FIXED. OS/2
filesystem is case-independent, can cause URLs to fail
to match protection limitations
QNX: Missing prototypes for QNX FIXED.
SCO: Dumps core in status module with a Floating
exception when compiled with -DSTATUS on SCO ODT 3.0
SGI: Compile warning in http_bprintf FIXED
Ultrix: Compile error in http_main.c
UnixWare: Configuration updated for UnixWare
Example URLs for status and info
Example URLs for status and info pages (/status and
/info) can intercept other URLs (e.g. anything in a
directory called /info or /information). FIXED.
ScriptAlias and PATH_INFO problem
Bug in the SCRIPT_NAME passed to CGI where the
ScriptAlias directory included some PATH_INFO. FIXED
Host: header can override IP virtual hosts to give
access to other vhosts' information. VERIFIED.
IP-based Virtual hosts on main IP address but different
ports not working. VERIFIED.
Directives with on/off arguments
Directives that take an argument that is either "on"
or "off" in fact accepted any argument. FIXED.
Default configuration mime types can conflict with
Default mime.types contains content-types for gz and Z
extensions, but should be given as encodings with
Apache accepts non-numeric Port number. FIXED.
Spelling of authoritative (as authorative) wrong in
auth_anon and auth_msql FIXED.
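The /status and /info interception described in this list comes down to how a location prefix is compared with the request URI. The C sketch below is an added example, not Apache source: the location table, the `route` helper and the sample URIs are constructed, and segment-aware matching is shown as one mitigation, not as the fix the Apache group applied.

```c
#include <stdio.h>
#include <string.h>

/* Constructed location table mirroring the example URLs named above. */
struct location { const char *prefix; const char *handler; };
static const struct location LOCATIONS[] = {
    { "/status", "server-status" },
    { "/info",   "server-info"   },
};

/* Plain string-prefix test: "/info" also captures "/information/...". */
static int prefix_match(const char *loc, const char *uri) {
    return strncmp(loc, uri, strlen(loc)) == 0;
}

/* Segment-aware test: the prefix must end at '/', '?' or the end of the URI. */
static int segment_match(const char *loc, const char *uri) {
    size_t n = strlen(loc);
    while (n > 1 && loc[n - 1] == '/') n--;   /* ignore a trailing slash */
    if (strncmp(loc, uri, n) != 0) return 0;
    return uri[n] == '\0' || uri[n] == '/' || uri[n] == '?';
}

/* Return the handler that claims the URI, or "default" for normal content. */
static const char *route(const char *uri, int (*match)(const char *, const char *)) {
    for (size_t i = 0; i < sizeof LOCATIONS / sizeof LOCATIONS[0]; i++)
        if (match(LOCATIONS[i].prefix, uri)) return LOCATIONS[i].handler;
    return "default";
}

int main(void) {
    /* Constructed request URIs. */
    const char *uris[] = { "/info", "/information/index.html",
                           "/info/readme.html", "/statusboard.html" };
    for (size_t i = 0; i < sizeof uris / sizeof uris[0]; i++)
        printf("%-26s prefix=%-14s segment=%s\n", uris[i],
               route(uris[i], prefix_match), route(uris[i], segment_match));
    return 0;
}
```

Segment-aware matching releases /information and /statusboard.html, but a real directory named /info is still claimed by the handler, so the location name itself also has to be distinctive.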
Finally, a few bug reports cannot be verified or
discounted. That is, they may or may not exist, but
cannot be reliably reproduced. While they may be Apache
bugs, they could also be bugs in the operating system, or
problems related to particular load conditions or
configurations. Any further information about these
possible bugs should be reported on the apache-bugs email
address or Web page.
CGIs intermittently fail with 'premature end of file
error' on site with 100 vhosts. Occurs even with low
Server will not respond after a few days of running.
Instead of the 5 processes typically running, there is
only one. Server accepts the requests, but never
responds. This site makes heavy use of CGIs (>50% of
Some hits are not logged in the access_log, or logged