Upgrading NCSA HTTPd

HTTPd 1.5.2a

Maintenance Release

Only enable keep alive from CGI scripts with content lengths and if keep alive is enabled on the server
Delete preceding white space on CGI headers
Fix HTTP/1.1 protocal bug (if agent requested HTTP/1.1, server responded with HTTP, now responds with HTTP/1.0 which is spec)
Added SERVER_ROOT CGI var
Should escape # character in directory indexing
Add MaxRequestsPerChild support, so that errors in state can be swept under the carpet

HTTPd 1.5.2

Changed getline rfc822 line wrap to check for validity of the next bits before attempting to see them
Changed imagemap.c so relative URLs actually work
Don't core dump on a method only request
reset errno to 0 in send_fp so we break out of loop
somewhere we stopped killing cgi scripts on SIGALRM and SIGPIPE, fixed
changed group handling support to support multiple groups again
reset content_length before scanning cgi headers, not after, which allows scripts (such as Adobe's byteserver.pl) which set the content-length to work correctly
don't free env var in replace (it uses allocate now)
Only look for path_info if its part of the requested URL (as opposed to keep looking until you hit a real directory)
Make make_dirstr() in util.c return / instead of null if n = 1
Added FCGI support from Openmarket
Added support for Linux 2.0
Added support for SCO OpenServer 5

HTTPd 1.5.1

New Features
- Imagemaps can now take relative paths (relative to map file)
- Imagemaps can now use either NCSA or CERN configuration
- Redirects in .htaccess files work without requiring the file to exist
- Redirects in .htaccess files can now take regular expressions
- Redirects no longer require a full URL, the server will construct a local URL if a URL Path is given
- LIMIT directive now understand referer allow/deny directives to restrict access by the Referer: header (ie, where the browser comes from)
- Added OnDeny command for Limit directive which allows a redirect on failure (especially useful for denying by referer)
- Added CONTENT_MD5 header support from patches by Martin Hamilton (martin@net.lut.ac.uk)
- Added hack to allow SSI of CGI, at a great expense of speed (CGI_SSI_HACK)
- Added string allocating mechanism for speed
Bug Fixes
- A couple logging functions didn't check reqInfo->remote_name for a NULL
- change getuid to geteuid in httpd.c so that effectively root people can start the server and have it change uids
- Server doesn't keep creating more structures in the event of KeepAlive
- Added bounds checking for security structures
- Fixed Order mutual-failure
- Attempting to make the server thread safe
- First attempt at allowing ErrorDocument 401s as html files (still broken)
- Fixed string searching for user in group
- Close csd (socket) on exec of CGI scripts so that client doesn't hang waiting for the scripts (and their children) to finish
- made a single interface for most output functions to make it easier to go to different output functions (SSL is a good example)
- remove path_args/path_alias junk, and put it in reqInfo structure
- Made getline() code re-entrant (now has its own sock_buf struct)
- Got that memory leak

HTTPd 1.5c

Maintenance release

add newline character to list of characters to strip from shell cmds to prevent security hole
in_ip patch is broken, revert to the old way
Clean up possible memory leak in status_line code from CGI scripts
Fix possible SIGSEGV condition in send_fd_timed_out()
Fixed Mutual-Failure
If you don't have a require or allow line in the .htaccess LIMIT section, it wouldn't work (ie, just deny), now fixed
change getuid to geteuid in httpd.c so that effectively root people can start the server and have it change uids
Fix group checking
Couple of off by one errors in the DBM support (server and support files)
HP/Apollo Domain/OS support updated
SCO ODT and SCO SVR3 support updated
Typo in LOCALHACK
No error message for NO_CONTENT default imagemap
clean up after directory indexing (memory leak)
Typo/Thinko for http_access.c which makes order deny/allow not work as documented

HTTPd 1.5

Primary Focus on Security

Multiple Directory Indexes
Redirects from .htaccess files
RedirectPermanent
MD5 authentication
Kerberos v4 authentication
Kerberos v5 authentication
HTTP 1.0 KeepAlive
DBM .htpasswd/.htgroup files
Enhanced Access Control
Multihome/Virtual Interface support
Multiple RefererIgnore
Fixed problems with -HUP restart on some systems

HTTPd 1.4.2

Maintenance Release

Few more bug fixes:
- minor access bug
- Patch to avoid cfg_getline loop on user error
- fix AddType application/x-httpd-cgi cgi in .htaccess files
- Don't log 2 transactions on errors handled via ErrorDocument
- Don't add DOCUMENT_ROOT environment variable twice
- Fix inetd support in set_group_privs()
Support for AIX 4.1.x and HP/Apollo DomainOS

HTTPd 1.4.1

Maintenance Release

The few bug fixes, most notably:
- If you set StartServers/MaxServers to 0, httpd might crash
- Hopefully, the Content-type with 302 scripts problem
- segmentation faults on local redirects
- Really changed to REDIRECT_ on ErrorDocument env vars
Removed PEM/PGP hooks so as to comply with ITAR (International Trade in Arms Regulations), at the recommendation of the NSA (these hooks will be available on an export-controlled ftp server, to be set up soon)
Added SECURE_LOG define to close possible security hole of leaving the logfiles open for the CGI scripts

HTTPd 1.4

The primary focus of release 1.4 of the NCSA HTTPd server is to improve performance.

Changes from HTTPd 1.3R

Two new configuration directives have been added: StartServers, MaxServers
Previously, the HTTPd server forked with each new request To reduce this overhead the NCSA HTTPd was modified to support a hunt group. A pool of servers (of size _StartServers_) is created initially. As the load increase additional servers are started as needed to the configured maximum (_MaxServers_). These servers remain in the server pool. If additional requests are received, new servers are forked which answer the request, and die in a similar fashion to previous standalone versions of the code. If you don't want to have a pool of servers at all, you can set up StartServers and MaxServers to 0. In this way, HTTPd's behavior will be similar to previous versions of the code in standalone form. For more Information
Introduced a new mail script: /cgi-bin/mail
Associated file: /cgi-bin/mail.list
This PERL script uses the sendmail binary and an authorized list of recipients to generate an email form for the users on your Web server. It should fulfill the mail needs of Web users everywhere currently asking about custom email scripts and mailto: for sending form results: If called directly, it will output a blank form to fill in, and sends the values to itself for mailing. If referenced in the ACTION line of a form, it will forward the FORM INPUT to the named recipient.
Configuration documentation is provided at the top of the script. Official documentation will be available soon.
Previously each forked child made initialization calls to retrieve information available to the parent. This information is now retrieved by the parent processed once and passed to all child processes.
Additional performance and memory management improvements internal to the server have been made.
Several string copies have been modified to prevent buffer overflows. This addresses the problem reported in CERT Advisory CA-95:04. The CERN suggestion of increasing the buffer size was not implemented because we took a different approach. We do not recommend blindly increasing the buffer sizes because this can cause excessive swapping and performance degredation.

The NCSA HTTPd 1.4 supports modifiable error messages for the following errors using a new server resource map directive, ErrorDocument.

Modifiable error messages
REDIRECT	302
BAD_REQUEST	400
AUTH_REQUIRED	401
FORBIDDEN	403
NOT_FOUND	404
SERVER_ERROR	500
NOT_IMPLEMENTED	501

Two new logs are supported, an agent log and a referral log. The agent log lists the identity of the requesting client. The referral log lists the URL containing the link to the requested document.
Three new configuration directives have been added: AgentLog, RefererLog, and RefererIgnore.

HTTPd 1.3R

Fixed the vulnerablity described in Cert Advisory CA-95:04. For more information, please read the description.

HTTPd 1.3

HTTPd 1.3 is a maintenance release designed to fix some of the bugs which were introduced in HTTPd 1.2.

Changes from HTTPd 1.2

Now compiles cleanly under A/UX and Solaris.
Directory indexing bugs repaired, new options to suppress last modified, size, and description columns (thanks Tanmoy.)
Wildcard based access control should work this time.
Fixed core dump related to recursive parsed document include.
Fixed bug by which HTTPd would not follow a symbolic link it should have.
Fixed file typing (no longer case sensitive like in 1.2.)
Parent directory escaped in indexes.
IdentityCheck should work again.
LAST_MODIFIED and #flastmod are now local zone.
Time related functions work with NeXT now.
Fixed spelling error in 500 error page.
Server will log proper timeout message for non-DNS hosts.
Added x-bit hack for people to use the x-bit of an HTML file to determine if it is parsed or not.
Added compile defines so people can customize the amount of DNS the server performs (for speed).

HTTPd 1.2

HTTPd 1.2 makes some significant changes over HTTPd 1.1. These changes make its "look and feel" a bit different than 1.1.

New features

The CGI interface is now revised to version 1.1. See the changes that were made.
A new logfile format was agreed upon which should simplify the lives of the authors of logfile analyzers. Quickly, the format is:
```
host rfc931 authuser [DD/Mon/YYYY:hh:mm:ss [+/-]HHMM] "request" status bytes
```
Host = hostname
rfc931 = RFC931 user name if IdentityCheck active, - if not.
authuser = HTTP/1.0 authenticated user, - if none.
DD/Mon/YYY:hh:mm:ss [+/-]HHMM: Local time of the request with timezone offset from GMT at end.
"request" = the request as sent by the client
status = the HTTP/1.0 status code from this transaction
bytes = the count of the bytes sent in this transaction, not including the header. If not applicable, this will be a - character.
CGI scripts are now allowed anywhere. See this tutorial on the new setup (and how it relates to the old setup), and how to disable this feature in places you don't want it.
The server side includes interface has been completely rewritten. See this tutorial to learn how to convert your old INC SRV documents, and to learn how to take advantage of the new features.
There is a new access control option to disable symbolic links only if the owner of the pointer is not the same as the owner of that which is pointed to. This means your users can have symbolic links to things they own, but not to dangerous things like /etc.
A new access control method called mutual-failure has been added. This method is a bit unorthodox, but allows you to allow hosts from one domain while excluding certain hosts (such as public access machines) from that domain.
Wildcard expressions are now allowed in various areas of server configuration, to allow patterns to be specified. This is most useful in the Directory directive.
Directory indexing has been revamped. It looks much different, and I've written a short tutorial on how to set it up.
Access Control Files now allow the indexing directives as well as the DefaultType directive.
require user now allows quotes for PGP usernames with spaces.
Server now explicitly kills CGI scripts when the client aborts.
Server now verifies the DNS hostname it gets from the IP number to prevent PTR spoofs.
Support for 304 and If-modified-since.

Bug fixes

All of the known bugs in 1.1 have now been fixed. Now it's time to find the ones I introduce with 1.2.

Fixed problem running scripts in ServerMode inetd under IRIX.
Fixed bad port problem under OSF/1.
Inserted missing return statement for the IdentityCheck directive.
Fixed problem whereby errors would stop being logged after a restart.
Fixed 256 character limitation on CGI URLs.

HTTPd 1.1

HTTPd 1.1 should plug right in if you already have httpd 1.0.

Introduced experimental PEM/PGP based encrypted user authentication. See this overview to read about trying it out.
Improved directory indexing. See the new directives in srm.conf to use it.
Cleaned up error output and fixed horrible output when server-side include error occurred
Fixed slight bug in buffering code
Directory indexing for user-supported directories fixed
Retrieval of user supported directory with no trailing slash issues redirect again
Now supports RFC931 identd for logging purposes. See the IdentityCheck directive.
stderr for scripts and server side includes now sent to error_log
Fixed bug in NCSA POST script code which would cause Location: to be ignored for local files
Removed misfeature wherein Location: url's were being escaped by the server
Args to INC SRVURL escaped to avoid unpleasant surprises
Location: /cgi-bin/foo?arg now works
HEAD only for CGI scripts now ignores body put out by stupid scripts

HTTPd 1.0

HTTPd 1.0 is fairly similar to HTTPd 1.0a5.

Changes which directly require configuration changes

CGI script interface introduced
ScriptAlias now used for CGI scripts only, access your NCSA scripts with OldScriptAlias
Fixed AddType directive
The NCSA scripts are no longer included, CGI replacements are now included

Other changes

NCSA POST scripts now have REMOTE_HOST set
Added AddEncoding directive to srm.conf and .htaccess
error_log now logs all failed accesses and the reason for failure
Time headers are now RFC822 compliant
You can now alias or disable user-supported directories
Added a require directive to allow you to allow any valid user
I/O is now buffered into chunks for speed
Redirect no longer supported from .htaccess files.
Added -v and -f command line flags

HTTPd 1.0a5

Fixed horrible bug in 1.0a4

HTTPd 1.0a4

Introduced user authentication (Basic scheme)
Multiple script directories now supported
Fixed bug in http_request.c related to clients not sending a method
Fixed bug in http_request.c which caused DirectoryIndex to be ignored and index.html to be used anyway
Added overrule for mime types in srm.conf and access config. so the user doesn't have to edit mime.types
Requests for directories which do not come with a trailing slash and will return a prewritten index are now redirected to the same URL with a trailing slash
The HEAD method is now supported
Fixed a getline call which was hardcoded to 1024 instead of HUGE_STRING_LEN
Fixed problem in which a user could GET /~user/../../../ and gain access outside of DocumentRoot
httpd.conf split into two files: a server configuration and a document configuration file
Introduced Redirect directive which allows you to redirect clients to documents' new locations
Introduced htpasswd program for managing user authentication
Fixed problems in http_access.c where certain .htaccess files were ignored and some symlinks were being followed when they shouldn't have
Distribution now places config files as foo.conf-dist instead of foo.conf so it doesn't write over your old files
Config files now case insensitive
MIME header scans are now case insensitive per the RFC
Added server config. diretive Timeout to control the timeouts when listening to or writing to a client
Script execution now uses execl() instead of system() to eliminiate extra tmp files and to allow system() from scripts.
New document config. directive DefaultType for type of files which cannot be typed from filename
Script arguments now not touched: Added support program to decode them for shell scripts
Added support for the post method of accessing forms
Added support for "extra path" in script name
Fixed so that an un-executable script now returns FORBIDDEN instead of blank page
Spaces in content type returned from scripts no longer included, so include files now work from imagerect script.
Thanks to Arjan de Vet, script execution no longer uses system() or popen(), reducing chroot requirements as well as allowing scripts to use system().
Added DefaultType directive to define what type a document with an unknown or missing extension should be
Added Timeout directive to allow servers to choose the length of time a client is given to send a request and to recieve the data.
Added preliminary support for POST scripts, or more importantly, support for scripts which interpret the new form submission methods.
Scripts now do all of their own URL decoding, which can be done either with provided C code, or with the support program unescape
Scripts may now have extra path information after the script name, so allowing filters
Improved Imagerect Script
Allowed non-URL location returns from script to allow access control, user authentication, and typing (great idea, Ari).
Returning content-length and last-modified headers

HTTPd 1.0a3

.htaccess files now affect subdirectories
Added option FollowSymLinks for security
Fixed MAJOR bug in init_mime function
Enhanced Makefile and httpd.h for people compiling httpd themselves
Added env. vars DOCUMENT_ROOT and SERVER_NAME for scripts

HTTPd 1.0a2

Introduced support for HTTP/1.0 3xx redirection from server scripts
Introduced per-directory access by host and options control
Added flags for BSD 4.2 compatibility (no killpg and no setsid)
Enhanced documentation
Introduced support for server restart through SIGHUP
Fixed bug which caused system not to return port when HTTPd is done
Fixed bug which caused server to go into infinite spin with GET /htbin
Bug in directory indexing repaired (thanks to neal@ctd.comsat.com).
Added timeout while sending data to client so as to alleviate zombie servers laying around when the client drops.

HTTPd 1.0a1

Introduced server scripts
Server scripts for a variety of UNIX commands like archie added
Server-side forms handling scripts added
Image rectangling scripts added
Introduced more extensible configuration file format
Server now replies to HTTP/1.0 clients in HTTP/1.0 format
Introduced MIME data type determination on the fly
Improved logging of client access as well as server errors
Major internal reworking
Added timeout for clients that disconnect
Added server include files

HTTPd 0.5

Introduced standalone support
Final release for gopher support and experimental group annotation support
No reported outstanding bugs

HTTPd 0.4beta

Introduced experimental group annotation support
Introduced access logging
Introduced HTTP/1.0 tolerance
Handling of full hostnames added
Bug fixed with index.html not being recognized without a trailing slash
Fixed bug with extraneous character being added to the end of the data stream
Fixed bug handling directory URL's with trailing slashes
Made a little more friendly to Ultrix's brain death

HTTPd 0.3beta

Introduced drop-in gopher support
Fixed security hole
Not being able to find the config file does not send back a path

HTTPd 0.2beta

Two security holes fixed
Double slashes in index of root fixed
Not being able to find error files no longer hangs the server

Return to Overview

NCSA HTTPd Development Team / httpd@ncsa.uiuc.edu / Last Modified 08-01-95