- - - - - - - - - - high priority - - - - - - - - - -

Why is the client's IP address showing up in paths?

Add option to syslog to a named pipe, for use in chroot trees.

Fetches with numeric IP addresses and no Host: header are screwing up the
vhost code?
143.90.193.229 - - [06/Apr/2000:09:21:34 -0700] "GET /209.133.38.22/software/thttpd/ HTTP/1.0" 200 12093 "http://www.dbphotography.demon.co.uk/index.html" "Mozilla/1.22 (compatible; MSIE 2.0; Windows 95)"
143.90.193.229 - - [06/Apr/2000:09:21:37 -0700] "GET /143.90.193.229/software/thttpd/anvil_thttpd.gif HTTP/1.0" 403 - "http://www.acme.com/software/thttpd/" "Mozilla/1.22 (compatible; MSIE 2.0; Windows 95)"

Have directory indexing skip files that start with dot?  Except ..?
In libhttpd.c:
+               if (*(de->d_name) == '.' && *(de->d_name+1) != '.')
+                   continue;
                namlen = NAMLEN(de);

Add comment on INDEX_NAMES that it should be simple filenames only.

The error page generated for non-local referers should include the
original URL as an active link.

Does the initgroups() call work?  Or does it need to be moved to
before the chroot()?

Make open in mmc.c use O_NONBLOCK flag, to prevent DOS attack via
a named pipe?

Sites that clog with lots of TCP connections in CLOSING (not CLOSE_WAIT).
Related to throttling, and timers?

On A SIGUSR1, thttpd sometimes gives 'fdwatch - Bad file descriptor'
instead of the usual exit message.  Looks like we have to do any
closes in the main loop, and only set flags in the signal routines.
And once we got a CPU-bound loop.

Switch all signal handling to use sigaction.

- - - - - - - - - - later - - - - - - - - - -

Document how symlinks interact with .htpasswd - authorization is checked
on the result of the symlink, and not the origin.

SIGHUP log re-opening doesn't work if you started as root.

Change redirect to put the Refresh command in the HTTP headers, instead of
a META tag.

Add TCP_NODELAY, but after CGIs get spawned.

Add stat cache?  1 minute expiry?

Ifdef the un-close-on-exec CGI thing for Linux only.

Try using shutdown(2) in lingering close.

Check whether phf can still syslog from within chroot (probably not).

Can we remove the "if ( errno == EINTR )" check on the select()?

Add keep-alives, via a new state in thttpd.c.

- - - - - - - - - - someday - - - - - - - - - -

The special world-permissions checking is probably bogus.  For one
thing, it doesn't handle restrictive permissions on parent directories
properly.  It should probably just go away.

redirect should interpret a path with a trailing / as /index.html

ssi should change $cwd to the source document's location.

Allow .throttle files in individual directories.

Log-digesting scripts.

Config web page.
    Common errors:
	Not realizing that -c overrides CGI_PATTERN instead of augmenting it.
	Using a directory name for the -c pattern.

- - - - - - - - - - 3.x - - - - - - - - - -

Tasklets re-write.

- - - - - - - - - - general - - - - - - - - - -

Release process:
  - update version number in version.h README INSTALL and
    contrib/redhat-rpm/thttpd.spec
  - do a tdiff and update the local installation
  - do an rcstreeinfo, and check in all files
  - make tar
  - mv it to web
  - update version number in web/thttpd.html
  - update ~acmeweb/updates.html
  - mail announcement to thttpd-announce