[APACHE DOCUMENTATION]

Known Bugs in Apache

The most up-to-date resource for bug tracking and information is the Apache bug database. All existing bugs will be noted there. Below is a synopsis of significant outstanding bugs at release time.

See Also: Compatibility notes


Version 1.2

  1. users have reported problems with many connections stuck in the FIN_WAIT_2 state due to server timeouts. This is an issue with the OS TCP stack, as some OS never timeout from this state. An example patch for BSDI is available here.
  2. hard_timeout() for request reads uses incorrect logic, and ends up waiting for an initial request read for the default "timeout" number of seconds, 1200, yet only the "KeepAliveTimeout" number of seconds on keepalive connections.
  3. mod_info output is not displaying current configuration as it should.
  4. Invalid commands in .htaccess files may cause segmentation faults.

Version 1.1.1

  1. Hostnames such as "123.hotwired.com" are valid, yet find_allowdeny does not properly handle them. This should be put on Known Bugs. Be careful when fixing this because just removing the isalpha() check creates a security hole, consider the DNS map "1.1.1.1.in-addr.arpa IN PTR 2.2.2." if the user has a config line "allow from 2.2.2" it will allow 1.1.1.1 in (unless -DMAXIMUM_DNS). -- which is bad because it breaks people who understand double reverse lookup and are trying to avoid it by using only ip addresses on allow/deny statements. - reported by Dean Gaudet, fixed in 1.2.

Version 1.1.0

  1. mod_auth_msql misbehaviors. Grab a newer version from the modules distribution directory. -fixed in 1.1
  2. Hanging on Netscape 2.0-3.0b4 on MSWindows (3.1 and 95) - we investigated pretty seriously, and as best we can tell this is a Netscape bug, and was fixed in 3.0b5. Please read our lab report.

Version 1.1b2 (beta)

  1. SunOS has trouble compiling mod_status.c . It'll be fixed before 1.1 is released.
  2. CGI which spawn background processes may fail to return immediately. No fix exists yet.
  3. mod_dir appears to have problems when the DocumentRoot has a trailing slash.

Version 1.1b1 (beta)

  1. The logfile can sometimes contain only part of a host address. This occurs if the Cookie module is compiled in and enabled.

Version 0.8.16 (beta)

  1. (Feature) You cannot use relative pathnames for the -f or -d flags to httpd.

  2. .asis files cannot be used for content-negotiation.

Version 0.8.13 (beta)

  1. AddDescription doesn't seem to work (a fix is imminent)

Version 0.8.11 (beta)

  1. http_main.c function accept_mutex_init() horrible bug, lock_fname should be defined larger, e.g.
    char lock_fname[30];

    Ooops.

  2. There's a bug with NeXT. Restarting the server causes an infinite loop. A fix has been provided by a user and should be included in a future update.

Version 0.8.10 (beta)

  1. Server side includes which include CGI output can have unbareable delays on some platforms. We're looking into a fix.

  2. NCSA 1.3 and beyond allow wildcards in <Directory> tags; e.g. <Directory /home/*/public_html> - Apache doesn't (yet), but we have a patch coming real soon now

  3. Buggy scripts can cause server misbehavior on Solaris at least.

  4. Some of the default directives in srm.conf-dist are outdated

  5. Descriptions of args to AddIcon and AddAlt are wrong in command table.

  6. DirectoryIndex sometimes gets spuriously reset to the default value.

  7. ErrorDocument is a little shakey, " Some text %s doesn't agree with the documentation.

  8. All Aliases are checked before any ScriptAliases --- the fully compatible behavior would be to check both in one pass, in the order in which they occur in srm.conf.

Version 0.8.8 (beta)

  1. There's a known compilation problem with NeXT. Knock out the 2nd argument to setjmp when your compiler complains.

  2. exec cgi="" produces reasonable malformed header responses when used to invoke non-CGI scripts.
    The NCSA code ignores the missing header. (bad idea)
    Solution: write CGI to the CGI spec or use exec cmd="" instead.

    We might add virtual support to exec cmd to make up for this difference.

  3. A scoreboard file for process management is currently created in /tmp. We now find this to be a bad idea, and have plans to move it into the /logs directory along with other files created by Apache.

    If you have any /tmp cleaning scritps (e.g. from crontab), you should have them ignore the scoreboard file, which is named /tmp/htstatus.XXXXXXX. If the scoreboard file is damaged, Apache can become very confused (a SIGHUP repairs the damage). Furthermore, not having a /tmp at all can cause disastrous results, as there's no error checking yet.

  4. Putting authorization information (like AuthName and AuthType) into a <Directory> directive without a "requires" field in the <Limit> directive can result in a core dump.

  5. AddIcon is broken. The fix is to change
    { "AddIcon", add_icon, BY_TYPE, DIR_CMD_PERMS, ITERATE2,
    to
    { "AddIcon", add_icon, BY_PATH, DIR_CMD_PERMS, ITERATE2,

    in mod_dir.c

  6. Under IRIX, the "Group" directive in httpd.conf needs to be a valid group name (i.e. "nogroup") not the numeric group ID. The distribution httpd.conf, and earlier ones, had the default Group be "#-1", which was causing silent exits at startup.

  7. Server push as regular CGI's don't work - actually, any normal CGI script that outputs additional attributes to the Content-type line (separated by a semicolon) gets that extra information chopped off, which means that the line Content-type: multipart/x-mixed-replace; boundary=ThisRandomString gets munged to just Content-type: multipart/x-mixed-replace, which means it doesn't know what the boundary is, and fails. You can get around this until 0.8.9 by making the CGI script a "No Parsed Header" script by prefixing the name of the script with a "nph-", but then you have to be responsible for correct HTTP headers. If the server-push animation is a constant, unchanging stream that terminates at some point, you could also put that stream into a whole file and use the .asis file extension functionality.

  8. ErrorDocument is a little shakey, " Some text %s doesn't agree with the documentation.


Version 0.6.4

  1. As with NCSA 1.3 (and 1.4 ?), some HEAD requests on directories without an index.html fail to be logged... harmless.
  2. Typo in Virtual Host #defines (accidentally defined #VIRUAL_HOST"). 0.6.4b fixes this.

Version 0.6.2 (first beta)

  1. Apache error_log might show httpd: caught SIGBUS, dumping core after a successful redirect. We hope to fix this in 0.6.3

  2. If you see a lot of messages such as,

    access to /something: failed for foo.bar.com, reason: no multi in this directory
    in your error log, don't panic !. It means "File not found", and we will fix it sooner or later.

  3. WARNING: Apache logs all URLs redirected from and to. This isn't bug, it's deliberate, but you should be aware of it. It's a recognition of the fact that the Common Log File format doesn't have any place to log the real object that was returned for the internally redirected request. This will be changed soon.

  4. BSDI problems: One of the test machines (Hyperreal) has noticed "flocks" of child processes sucking up large amounts of resources when moderately hit (on a Pentium 90 running 1.1 serving ~2 hits/second). Killing and restarting the daemon helps this disappear - it's being investigated, it might be a kernel bug, but then every server developer likes to say that. Let us know how well it works for you if you are using BSDI and have a high number of hits.


Index Home