Changes in 1.7:
** This document changes from "since" to "in" starting with this
new version of HTTPi, covering changes from 1.6.2 to 1.7.
new:
* New Security Model now mandatory
* PATH_INFO support, based on code by Rob Sayers and Denis Fortin
enhanced:
* Additional security and sanity checks during installation
fixes:
* Repairs taintperl bug introduced in 1.6.2 (will pass perl -T again)
* Redirects now properly aware of port number (except Generic)
Changes since 1.6.1:
fixes:
* clean up after testing for socket constants (thanks Mark Olesen)
* don't load the whole POSIX namespace (thanks Mark Olesen)
* log errors better if preparsing fails. This requires using a stub
function for the New Security Model to support installations that
disable it. ** IN 1.7, THE NEW SECURITY MODEL WILL BE MANDATORY
AND THE STUB WILL BE TAKEN OUT! YOU ARE WARNED **
* assert proper signals in child processes
* internal code refactoring
enhanced:
* xsl => text/xml (thanks Mark Olesen)
* Perl expressions accepted to certain configure responses
(thanks Mark Olesen)
* custom-config.pl for packages using HTTPi as a front end
(thanks Mark Olesen)
Changes since 1.6:
fixes:
* filesystems where // != / now should work (MachTen, others)
* New Security Model did not always drop all groups
* &nsecmodel should be called before setting HTTP 200
Changes since 1.5.2:
new:
* SSL is now supported using stunnel (http://www.stunnel.org/)
and your crypto libraries with configure.stunnel
** EXPERIMENTAL ONLY! **
* Mac OS X launchd is now supported with configure.launchd
* If-Modified-Since exact-prefix support (returns 304)
* compatibility verified against Perl 5.10
enhanced:
* additional explicit header support (thanks Robert Brown)
and MIME types
* additional STATIOS load tracking statistics and clarified prompts
* progress indicator on process list for transfers
fixes:
* Makefile executables and logic cleaned up (but NOT for installation)
* file extension filtering for filesystems with weird execute bits
(thanks Al Guintu)
* STATIOS requests bug out if they are the very first after startup
* meta tags added to prevent status page indexing
* transcript files are locked to HTTPi flavour to eliminate confusion
Changes since 1.5.1:
fixes:
* leftover compatibility fixes to configure.*
* looser timeouts for better tolerance of slower clients
enhanced:
* dmg img MIME types
* tweaks to STATIOS for future changes
Changes since 1.5:
fixes:
* potential socket-binding bug in Demonic and newer Perls
* directory sorts and bugs with browsed
Changes since 1.4:
new:
* &hterror, &hterror301 and &hterror404 are in the new userfunc.in
to allow you to make changes and carry these into new versions.
also use userfunc.in for all yer new global library funs
instead of sticking them in httpi.in.
* absolver bullet-proof(?) DNS handling
* New Security Model now default
enhanced:
* logging option for IP and hostname together for anti-spoofing
* preprocessor enhancements
fixes:
* POSIX-based signals handling (new process model) for new Perls
under Demonic (and fixes to code to make it more compatible)
this adds &defaultsignals and &alarmsignals, and replaces the
"hotfix" for 1.4.
* old $SIG-based method still there if you don't have POSIX.pm, or
if you use 5.6.x or earlier
* less laggy under load
* tested under 5.00503 through 5.8.6
* corrected/expanded content type list
* tools/phproxy and tools/browsed compatibility tweaks
removed:
* asynch logging, never achieved its potential anyway
Changes since 1.3.2:
new:
* change log now divided into new stuff, enhancements, and fixes
* New Security Model enables granular and more secure
document access by matching uids to documents
* primitive bandwidth throttling facility
* logging now can be asynchronous (requires fork support)
* cookies now handled
enhanced:
* include facility for pre-parsed files
* process string now displays request on those systems allowing it
* sock_to_host now caches DNS reverse lookups ... much faster
* more content types
* hooks within HTTPi for handlers and proxies (see tools/phproxy/)
fixes:
* tested "guaranteed" with 5.8.* and 5.6.*
* subtle bug in /setr?e?uid/ logic fixed
* installation as root no longer fails taint checking in 5.6.1 and up
(thanks Nick Brown)
* logging bug where $variables == 0 (smacks self on head)
* one less sockcons.c warning with gcc
* port binding bug on multi-homed Demonic fixed
* several erroneous content types fixed
* better handling of systems without a working setruid() (AIX4, ...)
* somewhat more resistant of stupid clients not parsing paths right
* startup failure with missing virtual files fixed (properly issues
non-fatal warning now)
* incorrect transcript filenames now properly error out
Changes since 1.3.1:
* possible security exploit allowing HTTPi to escape its mount
point defeated. thanks to Denis Fortin.
* improved? performance logic with weird proxy activity
Changes since 1.3:
* possible security exploit with malformed URLs containing shell
metacharacters. changed URL-dependent open() statements to sysopen()
to defeat this
* additional content types mp3 lnk mpg mpeg
Changes since 1.2.2:
**** WE'VE MOVED! Look for us at http://httpi.floodgap.com/ ****
* virtual files allow overriding/non-interactive content caching
(Demonic only) based on uservar.in::%virtual_files hash
* major MIME types now maintained in httpi.in -- only overrides
and additional types go in the uservar.in::%content_types
hash. still compatible with 1.2.x-style uservar.in files
tho'.
* added wml wbmp wbm js mov jar MIME types to httpi.in
* bug with HTTP/0.9 undefined methods closed (more for completeness
than any practical reason)
* sock_to_host() should reference DEF_AF_INET, not hardcoded 2 ...
* ... and because of this, configure.* must now ask for this constant
(except Demonic, which grabs it anyway) -- fortunately, I
think it's 2 on just about every architecture
* compiler is now the primary source for socket constants in
configure.demonic -- problems with Socket.pm on some
[misconfigured??] architectures (SunOS 5.5.1?)
* configure.inetd reports wrong architecture but builds okay (fixed)
* fix to sockcons.c for better compilation (SunOS for one)
* Range: header support added (thanks Henry Ptasinski)
* tweaks to the makefile which no one uses
* last remnants of old /1.1 kludge stripped from configure.demonic
Changes since 1.2.1:
* fixed possible exploit that might allow HTTPi to inadvertently
access files outside its mountpoint (thanks Marcus
Kreutzberger)
Changes since 1.2:
* fixed bug with bad port redirects where port wasn't 80
(thanks Aaron Spangler)
* fixed bug with null Host: header when virtual hosting was
disabled (thanks Glauber Ribeiro)
Changes since 1.0b2:
* HTTP/1.1 KeepAlive now removed: Connections all non-persistent.
Never worked right anyway :-) also aids speed and spec
compliancy (thanks Marc Slemko)
* Linux inetd kills HTTPi under conditions of slow links and
big files. Timeout kludge added. Other OSes may also
need this (inetd version only, thanks Bill Benedetto)
* user-modifiable hashes, restriction matrix, etc. now in outside
files to aid upgrading
* and speaking of upgrading: new UPGRADING file, some changes to
preprocessor to facilitate nested includes
* couple extra MIME types
* saves memory: file serves now in a read loop rather than a big
slurp-up when it can
* fixed: URL-escaped requests now work (thanks Marc Slemko)
* understands Expect header
* proper handling of methods other than GET, HEAD and POST
* proper handling of 1.1 requests w/o Host: header
Changes since first 1.0:
* fixed configure-time bug that caused syntax errors if preparsing
not turned on. duh. (thanks Fergus Gallagher)
* better socket handling for Demonic
Changes since 0.99:
* logging. one final change: user, since it's not through identd,
should be in the second -. so, fixed. that's it! that's all the
changes I'm going to make to that! finito!
* fixed: bug in HTTPerl and POST executables where a runtime over
10sec causes premature termination. no real damage but
inexplicable behaviour was quite annoying (very subtle bug)
* first preparsing support for inline Perl. ewwww icky gross inline
perl ptui spit. you specify the extensions, you cover the
damage your users do with the server's UID (and don't say you
weren't warned). also adds &output and &flush methods, and
.shtm?l? MIME types
* fixed: perl ./configure didn't work. oops
* added lzh lha pdf fdf MIME types
* mild methods tweak to how hostname/IP info is stored. now cached
if the restriction matrix already looked that info up
* transcript files are now version tagged to stop upgrade snarls
Changes since 0.7:
* logging ... didn't change. phew, for once :-)
* user file system allows http://foo/~bar/, getpwnam() check added
* don't be running no root-owned executables now ;-) it didn't run
them before either but the error was very cryptic
(thanks Bill Benedetto)
* HTTP authentication through restriction matrix
* better HTTP/0.9 support, especially for 301 responses
* IP-less virtual hosting (new global %nameredir)
* configure.xinetd no longer depends on /etc/services
* configure.inetd patched for really anal inetd systems (like HP/UX)
(thanks Bill Benedetto)
* 404 and 301 responses now handled by dedicated subroutines
* authentication check now precedes file existence check for allowing
modules to be protected
* new global $raddress now contains resolved filesystem address
* alarm() no longer required but really really really recommended
(this to help porting HTTPi to non-Unixy things)
* statios statistics module (demonic only)
* hostname lookups may be turned off for speed (sheesh, 150% boost
in Demonic mode)
* some extra MIME types
* new utilities: crapword, browsed (see instructions)
Changes since 0.4:
* IP-based virtual hosting (xinetd and demonic only)
* argh!!!! I *still* can't get logging right!!! fixed to once and
for all obey CERN spec
* new daemonized version (configure.demonic)
* subtle bug where sock_to_host returns nil could corrupt logs. fixed.
* configure.inetd now NIS aware (thanks Bill Benedetto)
* tons (too many) new environment variables for executables a la CGI
1.1 specification
* now aware of its host name, always a good thing :-)
* checks for alarm() and fork() availability in your Perl
* incomplete configures left null transcripts. fixed.
* error conditions in conquests.pl would sometimes give spurious
"conquests.pl not found" errors. fixed.
* HTTPerl allows same interpreter instance to be reused for speed
* version string now reflects OS type and configure type
* HEAD now correctly logs actual data transferred
* HTTP/1.1 requests in non-1.1 mode come back as HTTP/1.0 (RFC
compliancy issue)
Changes since 0.1:
* new environment variables: HTTP_REFERER, HTTP_USER_AGENT
* REMOTE_ADDR and REMOTE_HOST no longer equivalent, in line with CGI
spec
* fixed CERN date bug
* your choice of logging: with referer/useragent, with referer, or
neither
* user agent now acquired in this version
* restriction matrix security
* generic configure script for non-inetd systems
* xinetd configure script for xinetd systems
* common config questions and subroutines moved to conquests.pl
and consubs.pl, respectively
* sock_to_host internal function hardcoded to use STDIN filehandle
* new globals $httpua, %restrictions