I was in the process of trying to upgrade to apache-1.3.31 today. You should know we use the DSO mod_frontpage built from the FreeBSD ports system, which is based on the original "improved mod_frontpage" and further improved to support FP2002 as well as security fixes. When doing the intial authentication from Frontpage, when using 1.3.29 (which works flawlessly) you see this in the access log: 216.127.136.116 - - [27/May/2004:14:25:01 -0400] "GET /_vti_inf.html HTTP/1.1" 200 1754 216.127.136.116 - - [27/May/2004:14:25:01 - 0400] "POST /_vti_bin/shtml.exe/_vti_rpc HTTP/1.1" 200 240 216.127.136.116 - - [27/May/2004:14:25:01 - 0400] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.1" 401 480 216.127.136.116 - spagma [27/May/2004:14:25:05 - 0400] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.1" 200 2481 When using apache 1.3.31, I get this: 16.127.136.116 - - [27/May/2004:14:00:00 -0400] "OPTIONS / HTTP/1.1" 200 - 216.127.136.116 - - [27/May/2004:14:00:00 -0400] "GET /_vti_inf.html HTTP/1.1" 200 1754 216.127.136.116 - - [27/May/2004:14:00:00 - 0400] "POST /_vti_bin/shtml.exe/_vti_rpc HTTP/1.1" 200 240 216.127.136.116 - - [27/May/2004:14:00:00 - 0400] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.1" 401 480 216.127.136.116 - - [27/May/2004:14:00:00 -0400] "method=open+service%3a4%2e0% 2e2%2e4715&service%5fname=%2f" 501 - And in the error log: [Thu May 27 13:32:06 2004] [error] [client 216.127.136.116] Invalid method in request method=open+service%3a4%2e0%2e2%2e4715&service%5fname=%2 Not being an expert on the apache code, I would assume this has something to do with the fact that the frontpage auth packets have a <CRLF><CRLF> in the middle of the header, and thus apache is seeing the rest of the header as a new request. I'm assuming you guys were addressing a potential security issue, or whatnot. All I know is the DSO works on 1.3.29 and not 1.3.31, and since I like your software so much I thought I'd pass it along, so hopefully it can be addressed in a later build. Thanks!
Can you try backing out these 1.3.31 patches individually to see if one of these resulted in the breakage? http://cvs.apache.org/viewcvs.cgi/apache-1.3/src/main/http_protocol.c?r1=1.332&r2=1.333 http://cvs.apache.org/viewcvs.cgi/apache-1.3/src/main/http_request.c?r1=1.173&r2=1.174
Hey! Alright, we solved that one quick. The second patch you mention is indeed the problem: http://cvs.apache.org/viewcvs.cgi/apache-1.3/src/main/http_request.c? r1=1.173&r2=1.174 Backing out just that one restores full functionality. Thanks!
Thanks for trying so quickly! I'll point this out on the developer's mailing list for discussion. (I have no idea the meaning of all this ;) ) Now I find other discussion of this at http://www.rtr.com/fp2002disc/_disc2/00000a71.htm
Is this being researched to evaluate whether making this patch change would be a security risk? We are also experiencing this problem.
From reading the thread on the developers list, you should not be concerned with backing out this patch. It appears very likely a 1.3.32 will soon be released without this patch, as apparently it is breaking other functionality as well.
For completeness, users experiencing this problems should apply this patch: http://cvs.apache.org/viewcvs.cgi/apache-1.3/src/main/http_request.c?r1=1.174&r2=1.175 which will be included in the next 1.3 release.
*** Bug 29237 has been marked as a duplicate of this bug. ***
*** Bug 31638 has been marked as a duplicate of this bug. ***
(In reply to comment #6) > For completeness, users experiencing this problems should apply this patch: > > http://cvs.apache.org/viewcvs.cgi/apache-1.3/src/main/http_request.c?r1=1.174&r2=1.175 > > which will be included in the next 1.3 release. Seems this patch is still needed in 1.3.33. Apache 1.3.33 still breaks the mod_frontpage.
(In reply to comment #9) > > Seems this patch is still needed in 1.3.33. Apache 1.3.33 still breaks the > mod_frontpage. And still there in 1.3.34. Why doesn't this patch get included?
Apache HTTP Server 1.3.x is not supported anymore and no bugs will be fixed in the old codebase (cf. <http://mail-archives.apache.org/mod_mbox/httpd-announce/201002.mbox/%3C20100203000334.GA19021@infiltrator.stdlib.net%3E>). Since this bug seems to affect only 1.3.x, I'm closing it as WONTFIX. If this bug still affects you in a recent version (version 2.2.x or the upcoming version 2.4), please open a new bug. Thank you for reporting the bug.