NetBSD/libexec/httpd/CHANGES

$NetBSD: CHANGES,v 1.53 2022/01/04 06:08:14 kim Exp $
changes in bozohttpd 20220104:
o remove obsolete .bzdirect handling.
changes in bozohttpd 20210824:
o new "-m tlsversion" option to set the minimum TLS version
available. partially from <sunil@nimmagadda.net>.
o extend the list of available ciphers to include most of the
openssl "HIGH" with some additional disables. retain the current
list of bad options. should deal with PR#51278.
changes in bozohttpd 20210504:
o don't assume host BUFSIZ is sufficient. a small BUFSIZ leads to
errors that always happen in the testsuite. switch all these buffers
to be 4KiB sized. reported by embr <git@liclac.eu>
changes in bozohttpd 20210403:
o fix a denial of service attack against initial request contents,
now bounded at 16KiB. reported by Justin Parrott in PR#56085
changes in bozohttpd 20210227:
o new support for content types: .tar.bz2, .tar.xz, .tar.lz,
.tar.zst, .tbz2, .txz, .tlz, .zipx, .xz, .zst, .sz, .lz, .lzma,
.lzo, .7z, .lzo, .cab, .dmg, .jar, and .rar. should fix
netbsd PR#56026:
MIME type of .tar.xz file on ny{cdn,ftp}.NetBSD.org is invalid
changes in bozohttpd 20210211:
o fix various NULL derefs from malformed headers. mostly from
<emily@ingalls.rocks>.
o fix memory leaks in library interface: add bozo_cleanup().
changes in bozohttpd 20201014:
o also set -D_GNU_SOURCE in Makefile.boot. from
hadrien.lacour@posteo.net.
o fix array size botch (assertion, not exploitable.) from
martin@netbsd.org.
o also match %2F as well as %2f. from leah@vuxu.org.
o many manual and help fixes. clean ups for higher lint levels,
consistency/style clean ups. various option fixes including made
-f imply -b. from <henrik@gulbra.net> for freebsd.
changes in bozohttpd 20200912:
o add .m4a and .m4v file extensions.
changes in bozohttpd 20200820:
o make this work on sun2 by reducing mmap window there.
o fix SSL shutdown sequence. from spz@netbsd.org.
o add readme support to directory indexing. from jmcneill@netbsd.org
o add blocklist(8) support. from jruoho@netbsd.org.
changes in bozohttpd 20190228:
o extend timeout facility to ssl and stop servers hanging forever
if the client never sends anything. reported by Steffen in netbsd
PR#50655.
o don't display special files in the directory index. they aren't
served, but links to them are generated.
o fix CGI '+' parameter handling, some error checking, and a double
free. from rajeev_v_pillai@yahoo.com
o more directory indexing clean up. from rajeev_v_pillai@yahoo.com
changes in bozohttpd 20181215:
o fix .htpasswd bypass for authenticated users. reported by JP,
from leot@netbsd.org
o avoid possible null dereference when receiving a big request that
times out. reported by maya@netbsd.org, from leot@netbsd.org
o fix handling of -T option, from leot@netbsd.org
o cleanups and portability improvements, from maya@netbsd.org
o change directory indexing to use html tables, from
rajeev_v_pillai@yahoo.com
changes in bozohttpd 20181125:
o fixes for option parsing introduced in bozohttpd 20181123
changes in bozohttpd 20181121:
o add url remap support via .bzremap file, from martin@netbsd.org
o handle redirections for any protocol, not just http:
o fix a denial of service attack against header contents, which
is now bounded at 16KiB. reported by JP
o reduce default timeouts, and add expanded timeouts to handle the
initial line, each header, and the total time spent
o add -T option to expose new timeout settings
o minor RFC fixes related to timeout handling
o fix special file (.htpasswd, .bz*) bypass. reported by JP
changes in bozohttpd 20170201:
o fix an infinite loop in cgi processing
o fixes and clean up for the testsuite
o no longer sends encoding header for compressed formats
changes in bozohttpd 20160517:
o add a bozo_get_version() function which returns the version number
changes in bozohttpd 20160415:
o add search-word support for CGI
o fix a security issue in CGI suffix handler support which would
allow remote code execution, from shm@netbsd.org
o -C option now supports CGI scripts only
changes in bozohttpd 20151028:
o add CGI support for ~user translation (-E switch)
o add redirects to ~user translation
o fix bugs around ~user translation
o add schema detection for absolute redirects
o fixed a few memory leaks
o bunch of minor tweaks
o removed -r support
o smarter redirects
changes in bozohttpd 20150320:
o fix redirection handling
o support transport stream (.ts) and video object (.vob) files
o directory listings show correct file sizes for large files
changes in bozohttpd 20140717:
o properly handle SSL errors
changes in bozohttpd 20140708:
o fixes for virtual host support, from rajeev_v_pillai@yahoo.com
o avoid printing double errors, from shm@netbsd.org
o fix a security issue in basic HTTP authentication which would allow
authentication to be bypassed, from shm@netbsd.org
changes in bozohttpd 20140201:
o support .svg files
o fix a core dump when requests time out
changes in bozohttpd 20140102:
o update a few content types
o add support for directly calling lua scripts to handle
processes, from mbalmer@netbsd.org
o properly escape generated HTML
o add authentication for redirections, from martin@netbsd.org
o handle chained ssl certificates, from elric@netbsd.org
o add basic support for gzipped files, from elric@netbsd.org
o properly escape generated URIs
changes in bozohttpd 20111118:
o add -P <pidfile> option, from jmmv@netbsd.org
o avoid crashes with http basic auth, from pooka@netbsd.org
o add support for REDIRECT_STATUS variable, from tls@netbsd.org
o support .mp4 files in the default map
o directory indexes with files with : are now displayed properly, from
reed@netbsd.org
o allow -I option to be useful in non-inetd mode as well
changes in bozohttpd 20100920:
o properly fully disable multi-file mode for now
o fix the -t and -U options when used without the -e option, broken since
the library-ification
o be explicit that logs go to the FTP facility in syslog
o use scandir() with alphasort() for sorted directory lists, from moof
o fix a serious error in vhost handling; "Host:.." would allow access to
the next level directory from the virtual root directory, from seanb
o fix some various non standard compile time errors, from rudolf
o fix dynamic CGI content maps, from rudolf
changes in bozohttpd 20100617:
o fix some compile issues
o fix SSL mode. from rtr
o fix some cgi-bin issues, as seen with cvsweb
o disable multi-file daemon mode for now, it breaks
o return 404's instead of 403's when chdir of ~user dirs fail
o remove "noreturn" attribute from bozo_http_error() that was
causing incorrect runtime behaviour
changes in bozohttpd 20100509:
o major rework and clean up of internal interfaces. move the main
program into main.c, the remaining parts are useable as a library.
add bindings for lua. by Alistair G. Crooks <agc@netbsd.org>
o fix http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=566325
changes in bozohttpd 20090522:
o avoid dying in daemon mode for some uncommon, but recoverable, errors
o close leaking file descriptors for CGI and daemon mode
o handle poll errors properly
o don't try to handle more than one request per process yet
o add subdirs for build "debug" and "small" versions
o clean up a bad merge / duplicate code
o make mmap() usage portable, fixes linux & ranges: support
o document the -f option
o daemon mode now serves 6 files per child
changes in bozohttpd 20090417:
o make bozohttpd internally more modular, preparing the way
to handle more than one request per process
o fix http-auth, set $REMOTE_USER not $REMOTEUSER. also fix
cgi-bin with cvsweb, from Holger Weiss <holger@CIS.FU-Berlin.DE>
o fix an uninitialised variable use in daemon mode
o fix ssl mode with newer OpenSSL
o mmap large files in manageable sizes so we can serve any size file
o refactor url processing to handle query strings correctly for CGI
from Sergey Katsev at Coyote Point
o add If-Modified-Since support, from Joerg Sonnenberger
<joerg@netbsd.org>
o many more manual fixes, from NetBSD
changes in bozohttpd 20080303:
o fix some cgi header processing, from <thelsdj@gmail.com>
o add simple Range: header processing, from <bad@bsd.de>
o man page fixes, from NetBSD
o clean up various parts, from NetBSD
changes in bozohttpd 20060710:
o prefix some function names with "bozo"
o align directory indexing <hr> markers
o clean up some code GCC4 grumbled about
changes in bozohttpd 20060517:
o don't allow "/.." or "../" files
o don't write ":80" into urls for the http port
o fix a fd leak when fork() fails
o make directory indexing mode not look so ugly
o build a text version of the manual page
o make "make clean" work properly
changes in bozohttpd 20050410:
o fix some off-by-one errors from <roland.illig@gmx.de>
o properly support nph- CGI
o make content maps case insensitive
o fix proto header merging to include the missing comma
o major source reorganisation; most features are in separate files now
o new -V flag that makes unknown virtualhosts use slashdir
from <rumble@ephemeral.org>
o HTTP/1.x protocol headers are now properly merged for CGI
changes in bozohttpd 20040808:
o CGI status is now properly handled (-a flag has been removed)
o CGI file upload support works
o %xy translations are no longer ever applied after the first '?',
ala RFC2396. from lukem
o daemon mode (-b) should no longer hang spinning forever if it
sees no children. from lukem
o new .bzabsredirect file support. from <martin@netbsd.org>
o return a 404 error if we see %00 or %2f (/)
o don't print 2 "200" headers for CGI
o support .torrent files
changes in bozohttpd 20040218:
o new .bzredirect file support for sane directory redirection
o new -Z option that enables SSL mode, from <rtr@eterna.com.au>
o the -C option has been changed to take two explicit options, rather
than a single option with a space separating the suffix and the
interpreter. ``-C ".foo /path/to/bar"'' should now be written
as ``-C .foo /path/to/bar''
o the -M option has been changed like -C and no longer requires or
supports a single argument with space-separated options
o with -a, still print the 200 OK. from <rtr@eterna.com.au>
o with -r, if a .bzdirect file appears in a directory, allow direct
access to this directory
changes in bozohttpd 20031005:
o fixes for basic authorisation. from <ecu@ipv42.net>
o always display file size in directory index mode
o add .xbel, .xml & .xsl -> text/xml mappings. from
<wiz@danbala.ifoer.tuwien.ac.at>
changes in bozohttpd 20030626:
o fix a recent core dump when given no input
o add new -r flag that ensures referrer is set to this host
o fix several compile time errors with -DNO_CGIBIN_SUPPORT
o fix some man page details. from lukem@wasabisystems.com
o re-add a missing memset(), fixing a core dump. from lukem
o support HTTP basic authorisation, disabled by default. from lukem
o print the port number in redirects and errors. from lukem
o only syslog the basename of the program. from lukem
o add __attribute__() format checking. from lukem
o fix cgibin SCRIPT_NAME to have a leading /. from zakj@nox.cx
o simplify some code in -C to avoid a core dump. from lukem
o add a .css -> css/text entry to the content_map[]. from zakj@nox.cx
changes in bozohttpd 20030409:
o -d without DEBUG enabled only prints one warning and continues
o one can now define the C macro SERVER_SOFTWARE when building to
change the Server: header and CGI variable of the same name
o add new -s flag to force logging output to stderr. from zakj@nox.cx
o add new -a flag for CGI bin that stops bozohttpd from outputting
any HTTP reply, the CGI program must output these. from zakj@nox.cx
o new REQUEST_URI and DATE_GMT environment variables for CGI. from
zakj@nox.cx
o add a "Makefile.boot" that should work with any make program
o build on linux again
o fix core dumps when using -C
changes in bozohttpd 20030313:
o deprecate -r flag; make this the default and silently ignore -r now
o add support for file extensions to call CGI programs (from lukem)
o add dynamic support to add new content map entries, allowing both
new file types and non /cgi-bin CGI programs to be run with the
new -C "suffix cgihandler" and -M "suffix type encoding encoding11"
options
o in -b mode, set the http date after accept() returns, not before we
call accept()
o in -b mode, bind all addresses found not just the first one
o unsupport old hostname API
o in -b mode, set the SO_REUSEADDR socket option (lukem)
o allow -x (index.html) mode to work with CGI handlers
changes in bozohttpd 20021106:
o add .bz2 support
o properly escape <, > and & in error messages, partly from
Nicolas Jombart <ecu@mariejeanne.net>
o new -H flag to hide .* files in directory index mode
o fix buffer reallocation when parsing a request, to avoid
overflowing the buffer with carriage returns (\r)
o do not decode "%XY"-style cgi-bin data beyond the "?"
changes in bozohttpd 5.15 (20020913):
o add .ogg support -> `application/x-ogg'
o fix CGI requests with "/" in the query part
changes in bozohttpd 5.14 (20020823):
o allow -X mode to work for "/"
o work on systems without MADV_SEQUENTIAL
o make a local cut-down copy of "queue.h" (fixes linux & solaris
support at the very least)
o portability fixes for pre-ipv6 socket api systems (eg, solaris 7)
o portability fixes for missing _PATH_DEFPATH, LOG_FTP and __progname
o better documentation on virtual host support
changes in bozohttpd 5.13 (20020804):
o support .mp3 files (type audio/mpeg)
o use stat() to find out if something is a directory, for -X mode
changes in bozohttpd 5.12 (20020803):
o constification
o fixes & enhancements for directory index mode (-X)
changes in bozohttpd 5.11 (20020730):
o more man page fixes from Thomas Klausner
<wiz@danbala.ifoer.tuwien.ac.at>
o de-K&R C-ification
o fix Date: header for daemon mode
o fix core dump when asking for /cgi-bin/ when CGI isn't configured
o use a valid Server: header
changes in bozohttpd 5.10 (20020710):
- add freebsd support
- fix a couple of header typos
- many cgi-bin fixes from lukem@netbsd.org
- add -T chrootdir and -U user, plus several minor other cleanups
with signals and return values. from xs@kittenz.org
- add -e that does not clear the environment for -T/-U
- fix a formatting error noticed by ISIHARA Takanori <ishit@oak.dti.ne.jp>
changes in bozohttpd 5.09 (20010922):
- add a daemon mode
- document how to use bozohttpd in netbsd inetd with more than 40
connections per minute and also with cgibin
- man page fixes from wiz@netbsd.org
changes in bozohttpd 5.08 (20010812):
- add directory index generation support (-X) from ad@netbsd.org
- add .pa as an alias for .pac
- make server software version configurable (RFC)
changes in bozohttpd 5.07 (20010610):
- add .png support
- new "-x index.html" flag to change default file
- new "-p public_html" flag to change default ~user directory
- fixes cgi-bin support and more from chuck@research.att.com
- add many new content-types, now support most common ones
changes in bozohttpd 5.06 (20000825):
- add IPv6 support from itojun@iijlab.net
- man page fixes from jlam@netbsd.org
changes in bozohttpd 5.05 (20000815):
- fix a virtual host bug, from kleink@netbsd.org
changes in bozohttpd 5.04 (20000427):
- fix virtual host support; URI takes precedence over Host:
changes in bozohttpd 5.03 (20000427):
- fix a bug with chdir()
changes in bozohttpd 5.02 (20000426):
- .pac support from simonb
changes in bozohttpd 5.01 (20000421):
- .swf support
- virtual hosting support