Makefile 1.30-1.31
Makefile.boot 1.7-1.9
auth-bozo.c 1.25-1.26
bozohttpd.8 1.80-1.87
bozohttpd.c 1.114-1.123,1.125-1.128
bozohttpd.h 1.61-1.68
cgi-bozo.c 1.49-1.53
content-bozo.c 1.17-1.20
daemon-bozo.c 1-.22
dir-index-bozo.c 1.33-1.34
main.c 1.23-1.27
printenv.lua 1.4-1.5
ssl-bozo.c 1.27-1.29
libbozohttpd/libbozohttpd.3 1.5-1.6
small/Makefile 1.4
testsuite/Makefile 1.14
testsuite/t16.in 1.1
testsuite/t16.out 1.1
testsuite/t17.in 1.1
testsuite/t17.out 1.1
testsuite/t18.in 1.1
testsuite/t18.out 1.1
Update to bozohttpd 20210227.

changes in bozohttpd 20210227:
o new support for content types: .tar.bz2, .tar.xz, .tar.lz,
  .tar.zst, .tbz2, .txz, .tlz, .zipx, .xz, .zst, .sz, .lz, .lzma,
  .lzo, .7z, .lzo, .cab, .dmg, .jar, and .rar. should fix
  netbsd PR#56026:
  MIME type of .tar.xz file on ny{cdn,ftp}.NetBSD.org is invalid

changes in bozohttpd 20210211:
o fix various NULL derefs from malformed headers. mostly from
  <emily@ingalls.rocks>.
o fix memory leaks in library interface: add bozo_cleanup().

changes in bozohttpd 20201014:
o also set -D_GNU_SOURCE in Makefile.boot. from
  hadrien.lacour@posteo.net.
o fix array size botch (assertion, not exploitable.) from
  martin@netbsd.org.
o also match %2F as well as %2f. from leah@vuxu.org.
o many manual and help fixes. clean ups for higher lint levels,
  consistency/style clean ups. various option fixes including made
  -f imply -b. from <henrik@gulbra.net> for freebsd.

changes in bozohttpd 20200912:
o add .m4a and .m4v file extensions.

changes in bozohttpd 20200820:
o make this work on sun2 by reducing mmap window there.
o fix SSL shutdown sequence. from spz@netbsd.org.
o add readme support to directory indexing. from jmcneill@netbsd.org
o add blocklist(8) support. from jruoho@netbsd.org.

libexec/httpd/CHANGES 1.31-1.40
libexec/httpd/Makefile 1.28
libexec/httpd/auth-bozo.c 1.23-1.24
libexec/httpd/bozohttpd.8 1.75-1.79
libexec/httpd/bozohttpd.c 1.100-1.113
libexec/httpd/bozohttpd.h 1.58-1.60
libexec/httpd/cgi-bozo.c 1.46-1.48
libexec/httpd/daemon-bozo.c 1.20-1.21
libexec/httpd/dir-index-bozo.c 1.29-1.32
libexec/httpd/ssl-bozo.c 1.26
libexec/httpd/testsuite/Makefile 1.12-1.13
libexec/httpd/testsuite/t11.out 1.2
libexec/httpd/testsuite/test-bigfile 1.6
libexec/httpd/testsuite/test-simple 1.6
Don't display special files in the directory index. They aren't
served, but links to them are generated.
---
All from "Rajeev V. Pillai" <rajeev_v_pillai@yahoo.com>:
- use html tables for directory index.
- don't include "index.html" in html headers
- additional escaping of names
- re-add top/bottom borders
- adds an aquamarine table header
- Zebra-stripes table rows using CSS instead of code
- fix CGI '+' param and error handling.
- remove unused parameter to daemon_poll_err().
- avoid sign extension in % handling
fix a few problems pointed out by clang static analyzer:
- bozostrnsep() may return with "in = NULL", so check for it.
- nul terminating in bozo_escape_rfc3986() can be simpler
- don't use uninitialized variables in check_remap()
- don't use re-used freed data in check_virtual().
- fix bozoprefs->size setting when increasing the size (new total was
being added to the prior total.)
however, bozostrdup() may reference request->hr_file.
---
Add ssl specific timeout value (30s). If SSL_accept() doesn't
work within this timeout value, ssl setup now fails.
---
Fix handling of bozo_set_timeout() timeouts (and `-T' option parsing)
---
Avoid .htpasswd exposure to authenticated users when .htpasswd is
in the slashdir too.
---
Avoid possible NULL dereference when sending a big request that times out.
---
Use strings.h for strcasecmp (on linux)
---
Account for cgihandler being set when counting the number of CGI environment
headers we are about to set. Avoids an assertion failure (and overrunning
the array) later.
Originally, MKCRYPTO was introduced because the United States
classified cryptography as a munition and restricted its export. The
export controls were substantially relaxed fifteen years ago, and are
essentially irrelevant for software with published source code.
In the intervening time, nobody bothered to remove the option after
its motivation -- the US export restriction -- was eliminated. I'm
not aware of any other operating system that has a similar option; I
expect it is mainly out of apathy for churn that we still have it.
Today, cryptography is an essential part of modern computing -- you
can't use the internet responsibly without cryptography.
The position of the TNF board of directors is that TNF makes no
representation that MKCRYPTO=no satisfies any country's cryptography
regulations.
My personal position is that the availability of cryptography is a
basic human right; that any local laws restricting it to a privileged
few are fundamentally immoral; and that it is wrong for developers to
spend effort crippling cryptography to work around such laws.
As proposed on tech-crypto, tech-security, and tech-userlevel to no
objections:
https://mail-index.netbsd.org/tech-crypto/2017/05/06/msg000719.html
https://mail-index.netbsd.org/tech-security/2017/05/06/msg000928.html
https://mail-index.netbsd.org/tech-userlevel/2017/05/06/msg010547.html
P.S. Reviewing all the uses of MKCRYPTO in src revealed a lot of
*bad* crypto that was conditional on it, e.g. DES in telnet... That
should probably be removed too, but on the grounds that it is bad,
not on the grounds that it is (nominally) crypto.
free it. Allocating from the stack does not return null, and freeing it
will have unpredictable results. use malloc instead.
- now we are using malloc remove -Wno-stack-protector kludge
This prevents it from embedding a timestamp in the output. We pass
"-n" unconditionally, not conditional on MKREPRO, because many other
invocations of gzip already passed the -n flag unconditionally.
outside */dist/* subdirectories.
When USE_PIGZGZIP=yes, bsd.own.mk sets TOOL_GZIP=${TOOL_PIGZ},
so there's no need to test USE_PIGZGZIP in these Makefiles.