Errata

"Malcom" should read "Malcolm".

It says "-e $r->finfo" when it should say "-e $file".

And, a few lines later it says "unless (-r _)" when it should say "unless -r $file".

ucfirst(...) should probably ucfirst(lc(...)) if you're really "tidying them
up" and "canonicalizing" them as the text claims.

"rarely seen >&= notation"

Really, the "&=" is the rarely seen part, ">" is just an ordinary
open-for-output marker.

The line

} continue {

has no effect and should be deleted.

$r-.set_last_modified;

should read

$r->set_last_modified;

The third line,

my $rc = $r-> meets_conditions

should read

my $rc = $r->meets_conditions;

"unless" should read "if".

return OK unless $r->header_only;

should read

return OK if $r->header_only;

This is similar to the change you made for the 6/99 printing on page 146.

Where the script parses param('action') in the CASE: statement, the line that reads:

/^view/i and do { view_guestbook(1); last CASE; };

the parameter of '1' causes an error under the 'use strict' pragma:

[error] Can't use string ("1") as a symbol ref while "strict refs" in use
at /path/to/guestbook_lean.pl line 109.

OK for what you're doing there, but change it only slightly (as readers are
likely to do) and there's a security hole like one that affected PGP. If you
keep "bit boundaries" outside the hash then you can change the "protected"
information. Roughly, PGP concatenated the bits of n and e and "protected"
them. But the "number of bits in n" was kept outside. An attacker could
construct a key by moving the boundary (one bit less/more for n; one bit
more/less for e) and they'd hash the same. Security is always difficult to
explain but it might be worth at least telling readers to include "boundaries"
or "counts" before concatenation and hashing.

I haven't read through this in great detail but key reuse or IV (of the crypto
kind, not the perl kind :-) reuse can totally remove any crypto protection
when non-crypto kinds (like most readers) try to roll their own
chaining/streaming crypto.

France has now legalised crypto, if I recall.

"peak" should read "peek".

At least add PostgreSQL and Informix to the initial list :-)

MySQL licence change

split(':', ...) should read split(/:/, ...) (and similarly anywhere else).

The use of split and join causes trailing slashes in URIs to be silently
dropped. This can cause extra internal redirects in the case where the URI
refers to a directory, with the dubious side-effect of causing the browser to
effectively lose the session information.

I have found that the equivalent of adding

$new_uri .= '/' if substr($r->uri, -1, 1) eq '/';

before the

$r->uri( $new_uri );

line solves this problem.

Delete "(hits)" and append it to the previous (comment) line.

regexp should allow "-" in domain name (and arguably should disallow "_" in
domain name since w matches underscore but it's an illegal character in
domains which well-run places now enforce).

Actually, the salt is mainly to make it much less likely that two people who
pick the same password on a non-shadowed system will end up with the same
crypted password (and hence can use their own password to log into the other's
account).

The TransHandler is supposed to return BAD_REQUEST if the uri does not have a
'/' as the first character, or if there is a '*' anywhere in it.

The code given is:

if ($uri !~ m:^/: or index($uri, '*')) {

however, index returns -1 if there is no '*', not zero (0). Therefore
the code should be:

if ($uri !~ m:^/: or (index($uri, '*') >= 0)) {

This line:

$r->log->error("Invalid URI in request ", $r->the_request);

should be

$r->log_error("Invalid URI in request ", $r->the_request);

(This is in the 03/1999 printing, I have not seen it listed in errata for
later versions either...)

sends the HTTP headers itself before running a subrequest.

However, on p. 468, the documentation for the run() method says in part:

When you invoke the subrequest's response handler in
this way, it will do everything a response handler is
supposed to, including sending the HTTP headers and the
document body. ... If you are invoking the subrequest
uri() method from within your own content handler, you
must not set the HTTP headers and document body
yourself ...

These seem to contradict each other. From testing, however, it seems as though
the example on p. 128 is correct and the documentation on p. 468 isn't.

I believe

r->allowed = M_GET | M_HEAD;

should be

r->allowed = (1 << M_GET) | (1 << M_HEAD);

The first line reads:

int length;

where it should read

int clength;

as the variable clength holds the request (C)ontent (Length).

The request_rec description on page 515 states that "long length" holds the
outgoing Content-length. It should be "long clength."

The description states "This is a version of ap_pstrdup(), but it only
allocates and copies n bytes." According to the source (and common sense) it
actually allocates n+1 bytes, copies n bytes and NUL-terminates the new string.

I suggest that "int rc" should be initialed as DECLINED or otherelse. Because
"if(ap_should_client_bolck(r))" maybe return 'false', it results in return
uninitialized "rc".

In the example for the ap_satisfies function, you have:

" if (!(r->satisfies == SATISFY_ANY && ap_some_auth_required(r))) "

However, in the declaration for the request_rec, I cannot find a "satisfies" member.
Don't you instead mean:

" if (!(ap_satisfies(r)==SATISFY_ANY && ap_some_auth_required(r))) "

The WIN32 version returns back to the caller, but

r->filename and
r->args

have been overwritten with values for the ap_call_exec function. In UNIX,
this is not a problem because the code exits after the exec. But in Windows,
the exec returns and code continues with these bogus values.

Do s/.makepl_args.mod_perl/.makepl_args.mod_perl/

(??)