o add search-word support for CGI
o fix a security issue in CGI suffix handler support which would
allow remote code execution, from shm@netbsd.org
o -C option now supports CGI scripts only
- don't call getpwuid(0) if we don't need to, or fail if it fails,
and remove the 'username' member of bozohttpd_t since it is not
used outside of bozo_setup().
- bozostrdup() gains a request parameter, and uses it to determine
what sort of error handling is required
- bozo_strdup() dies
- size_arrays() reduced slightly, pushing error handling into the caller
- convert to size_t for some array indices
- bozo_set_pref() and bozo_init_prefs() gain httpd parameters
- apply a bunch of manual CSE to vastly reduce the number of times the
string "request->hr_httpd" appears.
- CGI parse_header() takes a request not httpd now
XXX: lua glue updated to call bozo_init_prefs() with httpd parameter,
but I'm only guessing here.
* add redirects to ~user translation
* fix bugs around ~user translation
* add schema detection for absolute redirects
* fixed a few memory leaks
* bunch of minor tweaks
* removed -r support
* smarter redirects
OK mrg@
virtual server support - in daemonized mode mixed virtual and "main"
server usage would alter the virtual hostname depending on order of
requests.
To fix, move the effective virtual hostname into the request structure
and leave the httpd server description static.
CGI variable to "200". This approximates the Apache behavior which is
required by phpcgi in PHP 5.3 (and by some compilations of older PHP
versions).
I have a revolutionary idea. Perhaps instead of imposing bizarre
requirements on other programs in the name of "security", the PHP
developers should make their own code compile with oh, I don't know,
maybe -Wuninitialized. That might have an effect on the security of
systems using PHP rather than on the "security" of such systems...
...excuse me, got to go now, I think my airquotes just wore out.
1) Fix an issue where because of the reordering of transform_request
and process_cgi, the cgi-script name was being cut off
by one character (transform_request for some reason
cuts off the leading '/' for the file name as part of its
processing). As an 'easy' fix, simply re-add the '/' to the
front of the filename, which means that we don't have to
mess with the logic that sometimes adds +1 and sometimes doesn't.
2) Work around ridiculous bug in PHP reported by lukem in 2004,
but stubbornly never fixed by the PHP maintainers:
Change the SCRIPT_NAME and SCRIPT_FILENAME variables
to contain the file name only, not the query if one exists.
Having the query in SCRIPT_FILENAME causes php-cgi to not
work, as per the bug information here:
http://bugs.php.net/bug.php?id=28227
3) Fix a memory leak because URL wasn't being freed.
CGI handling, including bin/40355. There are two main changes here:
1) call process_cgi() after transform_request(), not before. Now it is
possible to have a default cgi handler catch a request for a path that
was produced by transformation, e.g. by index generation -- so now the
index can be "generated" by a CGI if that is what the user desires.
2) More clearly distinguish "file" from "query" portions of the request
URL, so we do not feed ?-suffixed "arguments" to plain files, fail to
match filename extensions due to ?-suffixes, etc.
After this change, there are only two cases which use the "query"
portion of the request (the portion after the ?):
a) A redirect issued by HTTPD will redirect to the new file, but
with the same query string.
b) process_cgi() will, of course, continue to use the query string.
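
The file/query separation described in the commit message above, together with the re-added leading '/' from the earlier note, sketched as an added example (not code from bozohttpd or from these commits). The names split_request and has_suffix, the buffer size and the request target are assumptions made for illustration.

```c
/* Added illustration; every name here is hypothetical, not bozohttpd's own. */
#include <stdio.h>
#include <string.h>

/*
 * Split a request target at the first '?'.  The file portion is copied into
 * file[] with a leading '/' (re-added if missing); *query points at the text
 * after the '?' inside target, or is NULL.  Returns -1 if file[] is too small.
 */
static int
split_request(const char *target, char *file, size_t filesz, const char **query)
{
	const char *q = strchr(target, '?');
	size_t flen = q ? (size_t)(q - target) : strlen(target);
	size_t slash = (target[0] != '/');

	if (flen + slash + 1 > filesz)
		return -1;	/* refuse rather than truncate a path */
	file[0] = '/';		/* overwritten below when slash == 0 */
	memcpy(file + slash, target, flen);
	file[flen + slash] = '\0';
	*query = q ? q + 1 : NULL;
	return 0;
}

/* Match a CGI handler suffix against the file portion only. */
static int
has_suffix(const char *file, const char *suffix)
{
	size_t fl = strlen(file), sl = strlen(suffix);

	return fl >= sl && strcmp(file + fl - sl, suffix) == 0;
}

int
main(void)
{
	const char *target = "cgi-bin/test.php?page=notes.txt";	/* constructed */
	const char *query;
	char file[64];

	if (split_request(target, file, sizeof(file), &query) != 0)
		return 1;
	printf("SCRIPT_NAME=%s\nQUERY_STRING=%s\n", file, query ? query : "");
	printf(".php on file: %d, .txt on file: %d, .txt on raw target: %d\n",
	    has_suffix(file, ".php"), has_suffix(file, ".txt"),
	    has_suffix(target, ".txt"));
	return 0;
}
```

Matching the suffix on the raw target picks up ".txt" from the query, which is the mismatch the commit removes by matching on the file portion alone.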
- remove unused write_str var
+ move header parsing to new function separation of parsing vs processing
+ alter some variable names to avoid confusion between header value and
header name (caused breakage with previous rev)
(i.e. free(): warning: modified (chunk-) pointer))
+ don't leak memory for ptr actually returned from strdup()
+ don't strdup() if we don't have to
+ don't break without free() if we did strdup()
+ as well as freeing h_value also free the header.