ChangeLog - metacpan.org

Changes in 1.7:

	** This document changes from "since" to "in" starting with this
		new version of HTTPi, covering changes from 1.6.2 to 1.7.

	new:
	* New Security Model now mandatory
	* PATH_INFO support, based on code by Rob Sayers and Denis Fortin
	enhanced:
	* Additional security and sanity checks during installation
	fixes:
	* Repairs taintperl bug introduced in 1.6.2 (will pass perl -T again)
	* Redirects now properly aware of port number (except Generic)

Changes since 1.6.1:

	fixes:
	* clean up after testing for socket constants (thanks Mark Olesen)
	* don't load the whole POSIX namespace (thanks Mark Olesen)
	* log errors better if preparsing fails. This requires using a stub
	  function for the New Security Model to support installations that
	  disable it. ** IN 1.7, THE NEW SECURITY MODEL WILL BE MANDATORY
	  AND THE STUB WILL BE TAKEN OUT! YOU ARE WARNED **
	* assert proper signals in child processes
	* internal code refactoring
	enhanced:
	* xsl => text/xml (thanks Mark Olesen)
	* Perl expressions accepted to certain configure responses
		(thanks Mark Olesen)
	* custom-config.pl for packages using HTTPi as a front end
		(thanks Mark Olesen)

Changes since 1.6:

	fixes:
	* filesystems where // != / now should work (MachTen, others)
	* New Security Model did not always drop all groups
	* &nsecmodel should be called before setting HTTP 200

Changes since 1.5.2:

	new:
	* SSL is now supported using stunnel (http://www.stunnel.org/)
		and your crypto libraries with configure.stunnel
		** EXPERIMENTAL ONLY! **
	* Mac OS X launchd is now supported with configure.launchd
	* If-Modified-Since exact-prefix support (returns 304)
	* compatibility verified against Perl 5.10
	enhanced:
	* additional explicit header support (thanks Robert Brown)
		and MIME types
	* additional STATIOS load tracking statistics and clarified prompts
	* progress indicator on process list for transfers
	fixes:
	* Makefile executables and logic cleaned up (but NOT for installation)
	* file extension filtering for filesystems with weird execute bits
		(thanks Al Guintu)
	* STATIOS requests bug out if they are the very first after startup
	* meta tags added to prevent status page indexing
	* transcript files are locked to HTTPi flavour to eliminate confusion

Changes since 1.5.1:

	fixes:
	* leftover compatibility fixes to configure.*
	* looser timeouts for better tolerance of slower clients
	enhanced:
	* dmg img MIME types
	* tweaks to STATIOS for future changes

Changes since 1.5:

	fixes:
	* potential socket-binding bug in Demonic and newer Perls
	* directory sorts and bugs with browsed

Changes since 1.4:

	new:
	* &hterror, &hterror301 and &hterror404 are in the new userfunc.in
		to allow you to make changes and carry these into new versions.
		also use userfunc.in for all yer new global library funs
		instead of sticking them in httpi.in.
	* absolver bullet-proof(?) DNS handling
	* New Security Model now default
	enhanced:
	* logging option for IP and hostname together for anti-spoofing
	* preprocessor enhancements
	fixes:
	* POSIX-based signals handling (new process model) for new Perls
		under Demonic (and fixes to code to make it more compatible)
		this adds &defaultsignals and &alarmsignals, and replaces the
		"hotfix" for 1.4.
	* old $SIG-based method still there if you don't have POSIX.pm, or
		if you use 5.6.x or earlier
	* less laggy under load
	* tested under 5.00503 through 5.8.6
	* corrected/expanded content type list
	* tools/phproxy and tools/browsed compatibility tweaks
	removed:
	* asynch logging, never achieved its potential anyway

Changes since 1.3.2:

	new:
	* change log now divided into new stuff, enhancements, and fixes
	* New Security Model enables granular and more secure
		document access by matching uids to documents
	* primitive bandwidth throttling facility
	* logging now can be asynchronous (requires fork support)
	* cookies now handled
	enhanced:
	* include facility for pre-parsed files
	* process string now displays request on those systems allowing it
	* sock_to_host now caches DNS reverse lookups ... much faster
	* more content types
	* hooks within HTTPi for handlers and proxies (see tools/phproxy/)
	fixes:
	* tested "guaranteed" with 5.8.* and 5.6.*
	* subtle bug in /setr?e?uid/ logic fixed
	* installation as root no longer fails taint checking in 5.6.1 and up
		(thanks Nick Brown)
	* logging bug where $variables == 0 (smacks self on head)
	* one less sockcons.c warning with gcc
	* port binding bug on multi-homed Demonic fixed
	* several erroneous content types fixed
	* better handling of systems without a working setruid() (AIX4, ...)
	* somewhat more resistant of stupid clients not parsing paths right
	* startup failure with missing virtual files fixed (properly issues
		non-fatal warning now)
	* incorrect transcript filenames now properly error out

Changes since 1.3.1:

	* possible security exploit allowing HTTPi to escape its mount
	  point defeated. thanks to Denis Fortin.
	* improved? performance logic with weird proxy activity

Changes since 1.3:

	* possible security exploit with malformed URLs containing shell
	  metacharacters. changed URL-dependent open() statements to sysopen()
	  to defeat this
	* additional content types mp3 lnk mpg mpeg

Changes since 1.2.2:

	**** WE'VE MOVED! Look for us at http://httpi.floodgap.com/ ****

	* virtual files allow overriding/non-interactive content caching
		(Demonic only) based on uservar.in::%virtual_files hash
	* major MIME types now maintained in httpi.in -- only overrides
		and additional types go in the uservar.in::%content_types
		hash. still compatible with 1.2.x-style uservar.in files
		tho'.
	* added wml wbmp wbm js mov jar MIME types to httpi.in
	* bug with HTTP/0.9 undefined methods closed (more for completeness
		than any practical reason)
	* sock_to_host() should reference DEF_AF_INET, not hardcoded 2 ...
	* ... and because of this, configure.* must now ask for this constant
		(except Demonic, which grabs it anyway) -- fortunately, I
		think it's 2 on just about every architecture
	* compiler is now the primary source for socket constants in
		configure.demonic -- problems with Socket.pm on some
		[misconfigured??] architectures (SunOS 5.5.1?)
	* configure.inetd reports wrong architecture but builds okay (fixed)
	* fix to sockcons.c for better compilation (SunOS for one)
	* Range: header support added (thanks Henry Ptasinski)
	* tweaks to the makefile which no one uses
	* last remnants of old /1.1 kludge stripped from configure.demonic

Changes since 1.2.1:

	* fixed possible exploit that might allow HTTPi to inadvertently
		access files outside its mountpoint (thanks Marcus
		Kreutzberger)

Changes since 1.2:

	* fixed bug with bad port redirects where port wasn't 80
		(thanks Aaron Spangler)
	* fixed bug with null Host: header when virtual hosting was
		disabled (thanks Glauber Ribeiro)

Changes since 1.0b2:

	* HTTP/1.1 KeepAlive now removed: Connections all non-persistent.
		Never worked right anyway :-) also aids speed and spec
		compliancy (thanks Marc Slemko)
	* Linux inetd kills HTTPi under conditions of slow links and
		big files. Timeout kludge added. Other OSes may also
		need this (inetd version only, thanks Bill Benedetto)
	* user-modifiable hashes, restriction matrix, etc. now in outside
		files to aid upgrading
	* and speaking of upgrading: new UPGRADING file, some changes to
		preprocessor to facilitate nested includes
	* couple extra MIME types
	* saves memory: file serves now in a read loop rather than a big
		slurp-up when it can
	* fixed: URL-escaped requests now work (thanks Marc Slemko)
	* understands Expect header
	* proper handling of methods other than GET, HEAD and POST
	* proper handling of 1.1 requests w/o Host: header

Changes since first 1.0:

	* fixed configure-time bug that caused syntax errors if preparsing
		not turned on. duh. (thanks Fergus Gallagher)
	* better socket handling for Demonic
	
Changes since 0.99:

	* logging. one final change: user, since it's not through identd,
		should be in the second -. so, fixed. that's it! that's all the
		changes I'm going to make to that! finito!
	* fixed: bug in HTTPerl and POST executables where a runtime over
		10sec causes premature termination. no real damage but
		inexplicable behaviour was quite annoying (very subtle bug)
	* first preparsing support for inline Perl. ewwww icky gross inline
		perl ptui spit. you specify the extensions, you cover the
		damage your users do with the server's UID (and don't say you
		weren't warned). also adds &output and &flush methods, and
		.shtm?l? MIME types
	* fixed: perl ./configure didn't work. oops
	* added lzh lha pdf fdf MIME types
	* mild methods tweak to how hostname/IP info is stored. now cached
		if the restriction matrix already looked that info up
	* transcript files are now version tagged to stop upgrade snarls

Changes since 0.7:

	* logging ... didn't change. phew, for once :-)
	* user file system allows http://foo/~bar/, getpwnam() check added
	* don't be running no root-owned executables now ;-) it didn't run
		them before either but the error was very cryptic
		(thanks Bill Benedetto)
	* HTTP authentication through restriction matrix
	* better HTTP/0.9 support, especially for 301 responses
	* IP-less virtual hosting (new global %nameredir)
	* configure.xinetd no longer depends on /etc/services
	* configure.inetd patched for really anal inetd systems (like HP/UX)
		(thanks Bill Benedetto)
	* 404 and 301 responses now handled by dedicated subroutines
	* authentication check now precedes file existence check for allowing
		modules to be protected
	* new global $raddress now contains resolved filesystem address
	* alarm() no longer required but really really really recommended
		(this to help porting HTTPi to non-Unixy things)
	* statios statistics module (demonic only)
	* hostname lookups may be turned off for speed (sheesh, 150% boost
		in Demonic mode)
	* some extra MIME types
	* new utilities: crapword, browsed (see instructions)

Changes since 0.4:

	* IP-based virtual hosting (xinetd and demonic only)
	* argh!!!! I *still* can't get logging right!!! fixed to once and
		for all obey CERN spec
	* new daemonized version (configure.demonic)
	* subtle bug where sock_to_host returns nil could corrupt logs. fixed.
	* configure.inetd now NIS aware (thanks Bill Benedetto)
	* tons (too many) new environment variables for executables a la CGI
		1.1 specification
	* now aware of its host name, always a good thing :-)
	* checks for alarm() and fork() availability in your Perl
	* incomplete configures left null transcripts. fixed.
	* error conditions in conquests.pl would sometimes give spurious
		"conquests.pl not found" errors. fixed.
	* HTTPerl allows same interpreter instance to be reused for speed
	* version string now reflects OS type and configure type
	* HEAD now correctly logs actual data transferred
	* HTTP/1.1 requests in non-1.1 mode come back as HTTP/1.0 (RFC
		compliancy issue)

Changes since 0.1:

	* new environment variables: HTTP_REFERER, HTTP_USER_AGENT
	* REMOTE_ADDR and REMOTE_HOST no longer equivalent, in line with CGI
		spec
	* fixed CERN date bug
	* your choice of logging: with referer/useragent, with referer, or
		neither
	* user agent now acquired in this version
	* restriction matrix security
	* generic configure script for non-inetd systems
	* xinetd configure script for xinetd systems
	* common config questions and subroutines moved to conquests.pl
		and consubs.pl, respectively
	* sock_to_host internal function hardcoded to use STDIN filehandle
	* new globals $httpua, %restrictions
	Global
`s`	Focus search bar
`?`	Bring up this help dialog
	GitHub
`g` `p`	Go to pull requests
`g` `i`	go to github issues (only if github is preferred repository)
	POD
`g` `a`	Go to author
`g` `c`	Go to changes
`g` `i`	Go to issues
`g` `d`	Go to dist
`g` `r`	Go to repository/SCM
`g` `s`	Go to source
`g` `b`	Go to file browse
	Search terms
module: (e.g. module:Plugin)
distribution: (e.g. distribution:Dancer auth)
author: (e.g. author:SONGMU Redis)
version: (e.g. version:1.00)