CHANGES revision 1.33
$NetBSD: CHANGES,v 1.33 2018/12/18 23:11:40 mrg Exp $

changes in bozohttpd 20181215:
        o avoid .htpasswd exposure to authenticated users.  reported by JP,
          from leot@netbsd.org
        o avoid possible null dereference when receiving a big request that
          times out.  reported by maya@netbsd.org, from leot@netbsd.org
        o fix handling of -T option, from leot@netbsd.org
        o cleanups and portability improvements, from maya@netbsd.org
        o change directory indexing to use html tables, from
          rajeev_v_pillai@yahoo.com

changes in bozohttpd 20181125:
        o fixes for option parsing introduced in bozohttpd 20181123

changes in bozohttpd 20181121:
        o add url remap support via .bzremap file, from martin@netbsd.org
        o handle redirections for any protocol, not just http:
        o fix a denial of service attack against header contents, which
          is now bounded at 16KiB.  reported by JP
        o reduce default timeouts, and add expand timeouts to handle the
          initial line, each header, and the total time spent
        o add -T option to expose new timeout settings
        o minor RFC fixes related to timeout handling
        o fix special file (.htpasswd, .bz*) bypass.  reported by JP

changes in bozohttpd 20170201:
        o fix an infinite loop in cgi processing
        o fixes and clean up for the testsuite
        o no longer sends encoding header for compressed formats

changes in bozohttpd 20160517:
        o add a bozo_get_version() function which returns the version number

changes in bozohttpd 20160415:
        o add search-word support for CGI
        o fix a security issue in CGI suffix handler support which would
          allow remote code execution, from shm@netbsd.org
        o -C option now supports CGI scripts only

changes in bozohttpd 20151028:
        o add CGI support for ~user translation (-E switch)
        o add redirects to ~user translation
        o fix bugs around ~user translation
        o add schema detection for absolute redirects
        o fixed a few memory leaks
        o bunch of minor tweaks
        o removed -r support
        o smarter redirects

changes in bozohttpd 20150320:
        o fix redirection handling
        o support transport stream (.ts) and video object (.vob) files
        o directory listings show correct file sizes for large files

changes in bozohttpd 20140717:
        o properly handle SSL errors

changes in bozohttpd 20140708:
        o fixes for virtual host support, from rajeev_v_pillai@yahoo.com
        o avoid printing double errors, from shm@netbsd.org
        o fix a security issue in basic HTTP authentication which would allow
          authentication to be bypassed, from shm@netbsd.org

changes in bozohttpd 20140201:
        o support .svg files
        o fix a core dump when requests time out

changes in bozohttpd 20140102:
        o update a few content types
        o add support for directly calling lua scripts to handle
          processes, from mbalmer@netbsd.org
        o properly escape generated HTML
        o add authentication for redirections, from martin@netbsd.org
        o handle chained ssl certifications, from elric@netbsd.org
        o add basic support for gzipped files, from elric@netbsd.org
        o properly escape generated URIs

changes in bozohttpd 20111118:
        o add -P <pidfile> option, from jmmv@netbsd.org
        o avoid crashes with http basic auth, from pooka@netbsd.org
        o add support for REDIRECT_STATUS variable, from tls@netbsd.org
        o support .mp4 files in the default map
        o directory indexes with files with : are now displayed properly, from
          reed@netbsd.org
        o allow -I option to be useful in non-inetd mode as well

changes in bozohttpd 20100920:
        o properly fully disable multi-file mode for now
        o fix the -t and -U options when used without the -e option, broken since
          the library-ifcation
        o be explicit that logs go to the FTP facility in syslog
        o use scandir() with alphasort() for sorted directory lists, from moof
        o fix a serious error in vhost handling; "Host:.." would allow access to
          the next level directory from the virtual root directory, from seanb
        o fix some various non standard compile time errors, from rudolf
        o fix dynamic CGI content maps, from rudolf

changes in bozohttpd 20100617:
        o fix some compile issues
        o fix SSL mode.  from rtr
        o fix some cgi-bin issues, as seen with cvsweb
        o disable multi-file daemon mode for now, it breaks
        o return 404's instead of 403's when chdir of ~user dirs fail
        o remove "noreturn" attribute from bozo_http_error() that was
          causing incorrect runtime behaviour

changes in bozohttpd 20100509:
        o major rework and clean up of internal interfaces.  move the main
          program into main.c, the remaining parts are useable as library
          add bindings for lua.  by Alistair G. Crooks <agc@netbsd.org>
        o fix http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=566325

changes in bozohttpd 20090522:
        o avoid dying in daemon mode for some uncommon, but recoverable, errors
        o close leaking file descriptors for CGI and daemon mode
        o handle poll errors properly
        o don't try to handle more than one request per process yet
        o add subdirs for build "debug" and "small" versions
        o clean up a bad merge / duplicate code
        o make mmap() usage portable, fixes linux & ranges: support
        o document the -f option
        o daemon mode now serves 6 files per child

changes in bozohttpd 20090417:
        o make bozohttpd internally more modular, preparing the way
          to handle more than one request per process
        o fix http-auth, set $REMOTE_USER not $REMOTEUSER.  also fix
          cgi-bin with cvsweb, from Holger Weiss <holger@CIS.FU-Berlin.DE>
        o fix an uninitialised variable use in daemon mode
        o fix ssl mode with newer OpenSSL
        o mmap large files in manageable sizes so we can serve any size file
        o refactor url processing to handle query strings correctly for CGI
          from Sergey Katsev at Coyote Point
        o add If-Modified-Since support, from Joerg Sonnenberger
          <joerg@netbsd.org>
        o many more manual fixes, from NetBSD

changes in bozohttpd 20080303:
        o fix some cgi header processing, from <thelsdj@gmail.com>
        o add simple Range: header processing, from <bad@bsd.de>
        o man page fixes, from NetBSD
        o clean up various parts, from NetBSD

changes in bozohttpd 20060710:
        o prefix some function names with "bozo"
        o align directory indexing <hr> markers
        o clean up some code GCC4 grumbled about

changes in bozohttpd 20060517:
        o don't allow "/.." or "../" files
        o don't write ":80" into urls for the http port
        o fix a fd leak when fork() fails
        o make directory indexing mode not look so ugly
        o build a text version of the manual page
        o make "make clean" work properly

changes in bozohttpd 20050410:
        o fix some off-by-one errors from <roland.illig@gmx.de>
        o properly support nph- CGI
        o make content maps case insensitive
        o fix proto header merging to include the missing comma
        o major source reorganisation; most features are in separate files now
        o new -V flag that makes unknown virtualhosts use slashdir
          from <rumble@ephemeral.org>
        o HTTP/1.x protocol headers are now properly merged for CGI

changes in bozohttpd 20040808:
        o CGI status is now properly handled (-a flag has been removed)
        o CGI file upload support works
        o %xy translations are no longer ever applied after the first '?',
          ala RFC2396.  from lukem
        o daemon mode (-b) should no longer hang spinning forever if it
          sees no children.  from lukem
        o new .bzabsredirect file support.  from <martin@netbsd.org>
        o return a 404 error if we see %00 or %2f (/)
        o don't print 2 "200" headers for CGI
        o support .torrent files

changes in bozohttpd 20040218:
        o new .bzredirect file support for sane directory redirection
        o new -Z option that enables SSL mode, from <rtr@eterna.com.au>
        o the -C option has been changed to take two explicit options, rather
          than a single option with a space separating the suffix and the
          interpreter.  ``-C ".foo /path/to/bar"'' should now be written
          as ``-C .foo /path/to/bar''
        o the -M option has been changed like -C and no longer requires or
          supports a single argument with space-separated options
        o with -a, still print the 200 OK.  from <rtr@eterna.com.au>
        o with -r, if a .bzdirect file appears in a directory, allow direct
          access to this directory

changes in bozohttpd 20031005:
        o fixes for basic authorisation.  from <ecu@ipv42.net>
        o always display file size in directory index mode
        o add .xbel, .xml & .xsl -> text/xml mappings.  from
          <wiz@danbala.ifoer.tuwien.ac.at>

changes in bozohttpd 20030626:
        o fix a recent core dump when given no input
        o add new -r flag that ensures referrer is set to this host
        o fix several compile time errors with -DNO_CGIBIN_SUPPORT
        o fix some man page details.  from lukem@wasabisystems.com
        o re-add a missing memset(), fixing a core dump.  from lukem
        o support HTTP basic authorisation, disabled by default.  from lukem
        o print the port number in redirects and errors.  from lukem
        o only syslog the basename of the program.  from lukem
        o add __attribute__() format checking.  from lukem
        o fix cgibin SCRIPT_NAME to have a leading /.  from zakj@nox.cx
        o simplify some code in -C to avoid a core dump.  from lukem
        o add a .css -> css/text entry to the content_map[].  from zakj@nox.cx

changes in bozohttpd 20030409:
        o -d without DEBUG enabled only prints one warning and continues
        o one can now define the C macro SERVER_SOFTWARE when building to
          change the Server: header and CGI variable of the same name
        o add new -s flag to force logging output to stderr.  from zakj@nox.cx
        o add new -a flag for CGI bin that stops bozohttpd from outputting
          any HTTP reply, the CGI program must output these.  from zakj@nox.cx
        o new REQUEST_URI and DATE_GMT environment variables for CGI.  from
          zakj@nox.cx
        o add a "Makefile.boot" that should work with any make program
        o build on linux again
        o fix core dumps when using -C

changes in bozohttpd 20030313:
        o deprecate -r flag; make this the default and silently ignore -r now
        o add support for file extensions to call CGI programs (from lukem)
        o add dynamic support to add new content map entries, allowing both
          new file types and non /cgi-bin CGI programs to be run with the
          new -C "suffix cgihandler" and -M "suffix type encoding encoding11"
          options
        o in -b mode, set the http date after accept() returns, not before we
          call accept()
        o in -b mode, bind all addresses found not just the first one
        o unsupport old hostname API
        o in -b mode, set the SO_REUSEADDR socket option (lukem)
        o allow -x (index.html) mode to work with CGI handlers

changes in bozohttpd 20021106:
        o add .bz2 support
        o properly escape <, > and & in error messages, partly from
          Nicolas Jombart <ecu@mariejeanne.net>
        o new -H flag to hide .* files in directory index mode
        o fix buffer reallocation when parsing a request, to avoid
          overflowing the buffer with carriage returns (\r)
        o do not decode "%XY"-style cgi-bin data beyond the "?"

changes in bozohttpd 5.15 (20020913):
        o add .ogg support -> `application/x-ogg'
        o fix CGI requests with "/" in the query part

changes in bozohttpd 5.14 (20020823):
        o allow -X mode to work for "/"
        o work on systems without MADV_SEQUENTIAL
        o make a local cut-down copy of "queue.h" (fixes linux & solaris
          support at the very least)
        o portability fixes for pre-ipv6 socket api systems (eg, solaris 7)
        o portability fixes for missing _PATH_DEFPATH, LOG_FTP and __progname
        o better documentation on virtual host support

changes in bozohttpd 5.13 (20020804):
        o support .mp3 files (type audio/mpeg)
        o use stat() to find out if something is a directory, for -X mode

changes in bozohttpd 5.12 (20020803):
        o constification
        o fixes & enhancements for directory index mode (-X)

changes in bozohttpd 5.11 (20020730):
        o more man page fixes from Thomas Klausner
          <wiz@danbala.ifoer.tuwien.ac.at>
        o de-K&R C-ification
        o fix Date: header for daemon mode
        o fix core dump when asking for /cgi-bin/ when CGI isn't configured
        o use a valid Server: header

changes in bozohttpd 5.10 (20020710):
        - add freebsd support
        - fix a couple of header typos
        - many cgi-bin fixes from lukem@netbsd.org
        - add -T chrootdir and -U user, plus several minor other cleanups
          with signals and return values.  from xs@kittenz.org
        - add -e that does not clear the environment for -T/-U
        - fix a formatting error noticed by ISIHARA Takanori <ishit@oak.dti.ne.jp>

changes in bozohttpd 5.09 (20010922):
        - add a daemon mode
        - document how to use bozohttpd in netbsd inetd with more than 40
          connections per minute and also with cgibin
        - man page fixes from wiz@netbsd.org

changes in bozohttpd 5.08 (20010812):
        - add directory index generation support (-X) from ad@netbsd.org
        - add .pa as an alias for .pac
        - make server software version configurable (RFC)

changes in bozohttpd 5.07 (20010610):
        - add .png support
        - new "-x index.html" flag to change default file
        - new "-p public_html" flag to change default ~user directory
        - fixes cgi-bin support and more from chuck@research.att.com
        - add many new content-types, now support most common ones

changes in bozohttpd 5.06 (20000825):
        - add IPv6 support from itojun@iijlab.net
        - man page fixes from jlam@netbsd.org

changes in bozohttpd 5.05 (20000815):
        - fix a virtual host bug, from kleink@netbsd.org

changes in bozohttpd 5.04 (20000427):
        - fix virtual host support; URI takes precedence over Host:

changes in bozohttpd 5.03 (20000427):
        - fix a bug with chdir()

changes in bozohttpd 5.02 (20000426):
        - .pac support from simonb

changes in bozohttpd 5.01 (20000421):
        - .swf support
        - virtual hosting support