$NetBSD: CHANGES,v 1.25.4.4 2021/03/27 13:38:51 martin Exp $

changes in bozohttpd 20210227:
  o new support for content types: .tar.bz2, .tar.xz, .tar.lz, .tar.zst,
    .tbz2, .txz, .tlz, .zipx, .xz, .zst, .sz, .lz, .lzma, .lzo, .7z,
    .lzo, .cab, .dmg, .jar, and .rar. should fix netbsd PR#56026:
    MIME type of .tar.xz file on ny{cdn,ftp}.NetBSD.org is invalid

changes in bozohttpd 20210211:
  o fix various NULL derefs from malformed headers. mostly from .
  o fix memory leaks in library interface: add bozo_cleanup().

changes in bozohttpd 20201014:
  o also set -D_GNU_SOURCE in Makefile.boot. from
    hadrien.lacour@posteo.net.
  o fix array size botch (assertion, not exploitable.) from
    martin@netbsd.org.
  o also match %2F as well as %2f. from leah@vuxu.org.
  o many manual and help fixes. clean ups for higher lint levels,
    consistency/style clean ups. various option fixes including
    made -f imply -b. from for freebsd.

changes in bozohttpd 20200912:
  o add .m4a and .m4v file extensions.

changes in bozohttpd 20200820:
  o make this work on sun2 by reducing mmap window there.
  o fix SSL shutdown sequence. from spz@netbsd.org.
  o add readme support to directory indexing. from jmcneill@netbsd.org
  o add blocklist(8) support. from jruoho@netbsd.org.

changes in bozohttpd 20190228:
  o extend timeout facility to ssl and stop servers hanging forever
    if the client never sends anything. reported by Steffen in netbsd
    PR#50655.
  o don't display special files in the directory index. they aren't
    served, but links to them are generated.
  o fix CGI '+' parameter handling, some error checking, and a double
    free. from rajeev_v_pillai@yahoo.com
  o more directory indexing clean up. from rajeev_v_pillai@yahoo.com

changes in bozohttpd 20181215:
  o fix .htpasswd bypass for authenticated users. reported by JP,
    from leot@netbsd.org
  o avoid possible null dereference when receiving a big request that
    timeout.
    reported by maya@netbsd.org, from leot@netbsd.org
  o fix handling of -T option, from leot@netbsd.org
  o cleanups and portability improvements, from maya@netbsd.org
  o change directory indexing to use html tables, from
    rajeev_v_pillai@yahoo.com

changes in bozohttpd 20181125:
  o fixes for option parsing introduced in bozohttpd 20181123

changes in bozohttpd 20181121:
  o add url remap support via .bzremap file, from martin@netbsd.org
  o handle redirections for any protocol, not just http:
  o fix a denial of service attack against header contents, which
    is now bounded at 16KiB. reported by JP
  o reduce default timeouts, and add expand timeouts to handle the
    initial line, each header, and the total time spent
  o add -T option to expose new timeout settings
  o minor RFC fixes related to timeout handling
  o fix special file (.htpasswd, .bz*) bypass. reported by JP

changes in bozohttpd 20170201:
  o fix an infinite loop in cgi processing
  o fixes and clean up for the testsuite
  o no longer sends encoding header for compressed formats

changes in bozohttpd 20160517:
  o add a bozo_get_version() function which returns the version number

changes in bozohttpd 20160415:
  o add search-word support for CGI
  o fix a security issue in CGI suffix handler support which would
    allow remote code execution, from shm@netbsd.org
  o -C option supports now CGI scripts only

changes in bozohttpd 20151028:
  o add CGI support for ~user translation (-E switch)
  o add redirects to ~user translation
  o fix bugs around ~user translation
  o add schema detection for absolute redirects
  o fixed few memory leaks
  o bunch of minor tweaks
  o removed -r support
  o smarter redirects

changes in bozohttpd 20150320:
  o fix redirection handling
  o support transport stream (.ts) and video object (.vob) files
  o directory listings show correct file sizes for large files

changes in bozohttpd 20140717:
  o properly handle SSL errors

changes in bozohttpd 20140708:
  o fixes for virtual host support, from rajeev_v_pillai@yahoo.com
  o avoid printing
    double errors, from shm@netbsd.org
  o fix a security issue in basic HTTP authentication which would
    allow authentication to be bypassed, from shm@netbsd.org

changes in bozohttpd 20140201:
  o support .svg files
  o fix a core dump when requests timeout

changes in bozohttpd 20140102:
  o update a few content types
  o add support for directly calling lua scripts to handle processes,
    from mbalmer@netbsd.org
  o properly escape generated HTML
  o add authentication for redirections, from martin@netbsd.org
  o handle chained ssl certifications, from elric@netbsd.org
  o add basic support for gzipped files, from elric@netbsd.org
  o properly escape generated URIs

changes in bozohttpd 20111118:
  o add -P option, from jmmv@netbsd.org
  o avoid crashes with http basic auth, from pooka@netbsd.org
  o add support for REDIRECT_STATUS variable, from tls@netbsd.org
  o support .mp4 files in the default map
  o directory indexes with files with : are now displayed properly,
    from reed@netbsd.org
  o allow -I option to be useful in non-inetd mode as well

changes in bozohttpd 20100920:
  o properly fully disable multi-file mode for now
  o fix the -t and -U options when used without the -e option, broken
    since the library-ifcation
  o be explicit that logs go to the FTP facility in syslog
  o use scandir() with alphasort() for sorted directory lists, from moof
  o fix a serious error in vhost handling; "Host:.." would allow
    access to the next level directory from the virtual root directory,
    from seanb
  o fix some various non standard compile time errors, from rudolf
  o fix dynamic CGI content maps, from rudolf

changes in bozohttpd 20100617:
  o fix some compile issues
  o fix SSL mode.
    from rtr
  o fix some cgi-bin issues, as seen with cvsweb
  o disable multi-file daemon mode for now, it breaks
  o return 404's instead of 403's when chdir of ~user dirs fail
  o remove "noreturn" attribute from bozo_http_error() that was
    causing incorrect runtime behaviour

changes in bozohttpd 20100509:
  o major rework and clean up of internal interfaces. move the main
    program into main.c, the remaining parts are useable as library
    add bindings for lua. by Alistair G. Crooks
  o fix http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=566325

changes in bozohttpd 20090522:
  o avoid dying in daemon mode for some uncommon, but recoverable,
    errors
  o close leaking file descriptors for CGI and daemon mode
  o handle poll errors properly
  o don't try to handle more than one request per process yet
  o add subdirs for build "debug" and "small" versions
  o clean up a bad merge / duplicate code
  o make mmap() usage portable, fixes linux & ranges: support
  o document the -f option
  o daemon mode now serves 6 files per child

changes in bozohttpd 20090417:
  o make bozohttpd internally more modular, preparing the way to
    handle more than one request per process
  o fix http-auth, set $REMOTE_USER not $REMOTEUSER. also fix cgi-bin
    with cvsweb, from Holger Weiss
  o fix an uninitialised variable use in daemon mode
  o fix ssl mode with newer OpenSSL
  o mmap large files in manageable sizes so we can serve any size file
  o refactor url processing to handle query strings correctly for CGI
    from Sergey Katsev at Coyote Point
  o add If-Modified-Since support, from Joerg Sonnenberger
  o many more manual fixes, from NetBSD

changes in bozohttpd 20080303:
  o fix some cgi header processing, from
  o add simple Range: header processing, from
  o man page fixes, from NetBSD
  o clean up various parts, from NetBSD

changes in bozohttpd 20060710:
  o prefix some function names with "bozo"
  o align directory indexing
    markers
  o clean up some code GCC4 grumbled about

changes in bozohttpd 20060517:
  o don't allow "/.." or "../" files
  o don't write ":80" into urls for the http port
  o fix a fd leak when fork() fails
  o make directory indexing mode not look so ugly
  o build a text version of the manual page
  o make "make clean" work properly

changes in bozohttpd 20050410:
  o fix some off-by-one errors from
  o properly support nph- CGI
  o make content maps case insensitive
  o fix proto header merging to include the missing comma
  o major source reorganisation; most features are in separate files
    now
  o new -V flag that makes unknown virtualhosts use slashdir from
  o HTTP/1.x protocol headers are now properly merged for CGI

changes in bozohttpd 20040808:
  o CGI status is now properly handled (-a flag has been removed)
  o CGI file upload support works
  o %xy translations are no longer ever applied after the first '?',
    ala RFC2396. from lukem
  o daemon mode (-b) should no longer hang spinning forever if it
    sees no children. from lukem
  o new .bzabsredirect file support. from
  o return a 404 error if we see %00 or %2f (/)
  o don't print 2 "200" headers for CGI
  o support .torrent files

changes in bozohttpd 20040218:
  o new .bzredirect file support for sane directory redirection
  o new -Z option that enables SSL mode, from
  o the -C option has been changed to take two explicit options,
    rather than a single option with a space separating the suffix
    and the interpreter. ``-C ".foo /path/to/bar"'' should now be
    written as ``-C .foo /path/to/bar''
  o the -M option has been changed like -C and no longer requires
    or supports a single argument with space-separated options
  o with -a, still print the 200 OK. from
  o with -r, if a .bzdirect file appears in a directory, allow direct
    access to this directory

changes in bozohttpd 20031005:
  o fixes for basic authorisation. from
  o always display file size in directory index mode
  o add .xbel, .xml & .xsl -> text/xml mappings.
    from

changes in bozohttpd 20030626:
  o fix a recent core dump when given no input
  o add new -r flag that ensures referrer is set to this host
  o fix several compile time errors with -DNO_CGIBIN_SUPPORT
  o fix some man page details. from lukem@wasabisystems.com
  o re-add a missing memset(), fixing a core dump. from lukem
  o support HTTP basic authorisation, disabled by default. from lukem
  o print the port number in redirects and errors. from lukem
  o only syslog the basename of the program. from lukem
  o add __attribute__() format checking. from lukem
  o fix cgibin SCRIPT_NAME to have a leading /. from zakj@nox.cx
  o simplify some code in -C to avoid a core dump. from lukem
  o add a .css -> css/text entry to the content_map[]. from
    zakj@nox.cx

changes in bozohttpd 20030409:
  o -d without DEBUG enabled only prints one warning and continues
  o one can now define the C macro SERVER_SOFTWARE when building to
    change the Server: header and CGI variable of the same name
  o add new -s flag to force logging output to stderr. from
    zakj@nox.cx
  o add new -a flag for CGI bin that stops bozohttpd from outputting
    any HTTP reply, the CGI program must output these. from
    zakj@nox.cx
  o new REQUEST_URI and DATE_GMT environment variables for CGI.
    from zakj@nox.cx
  o add a "Makefile.boot" that should work with any make program
  o build on linux again
  o fix core dumps when using -C

changes in bozohttpd 20030313:
  o deprecate -r flag; make this the default and silently ignore -r
    now
  o add support for file extensions to call CGI programs (from lukem)
  o add dynamic support to add new content map entries, allowing both
    new file types and non /cgi-bin CGI programs to be run with the
    new -C "suffix cgihandler" and -M "suffix type encoding encoding11"
    options
  o in -b mode, set the http date after accept() returns, not before
    we call accept()
  o in -b mode, bind all addresses found not just the first one
  o unsupport old hostname API
  o in -b mode, set the SO_REUSEADDR socket option (lukem)
  o allow -x (index.html) mode to work with CGI handlers

changes in bozohttpd 20021106:
  o add .bz2 support
  o properly escape <, > and & in error messages, partly from
    Nicolas Jombart
  o new -H flag to hide .* files in directory index mode
  o fix buffer reallocation when parsing a request, to avoid
    overflowing the buffer with carriage returns (\r)
  o do not decode "%XY"-style cgi-bin data beyond the "?"

changes in bozohttpd 5.15 (20020913):
  o add .ogg support -> `application/x-ogg'
  o fix CGI requests with "/" in the query part

changes in bozohttpd 5.14 (20020823):
  o allow -X mode to work for "/"
  o work on systems without MADV_SEQUENTIAL
  o make a local cut-down copy of "queue.h" (fixes linux & solaris
    support at the very least)
  o portability fixes for pre-ipv6 socket api systems (eg, solaris 7)
  o portability fixes for missing _PATH_DEFPATH, LOG_FTP and
    __progname
  o better documentation on virtual host support

changes in bozohttpd 5.13 (20020804):
  o support .mp3 files (type audio/mpeg)
  o use stat() to find out if something is a directory, for -X mode

changes in bozohttpd 5.12 (20020803):
  o constification
  o fixes & enhancements for directory index mode (-X)

changes in bozohttpd 5.11 (20020730):
  o more man page fixes from Thomas Klausner
  o de-K&R C-ification
  o fix Date: header for daemon mode
  o fix core dump when asking for /cgi-bin/ when CGI isn't configured
  o use a valid Server: header

changes in bozohttpd 5.10 (20020710):
  - add freebsd support
  - fix a couple of header typos
  - many cgi-bin fixes from lukem@netbsd.org
  - add -T chrootdir and -U user, plus several minor other cleanups
    with signals and return values.
    from xs@kittenz.org
  - add -e that does not clear the environment for -T/-U
  - fix a formatting error noticed by ISIHARA Takanori

changes in bozohttpd 5.09 (20010922):
  - add a daemon mode
  - document how to use bozohttpd in netbsd inetd with more than 40
    connections per minute and also with cgibin
  - man page fixes from wiz@netbsd.org

changes in bozohttpd 5.08 (20010812):
  - add directory index generation support (-X) from ad@netbsd.org
  - add .pa as an alias for .pac
  - make server software version configurable (RFC)

changes in bozohttpd 5.07 (20010610):
  - add .png support
  - new "-x index.html" flag to change default file
  - new "-p public_html" flag to change default ~user directory
  - fixes cgi-bin support and more from chuck@research.att.com
  - add many new content-types, now support most common ones

changes in bozohttpd 5.06 (20000825):
  - add IPv6 support from itojun@iijlab.net
  - man page fixes from jlam@netbsd.org

changes in bozohttpd 5.05 (20000815):
  - fix a virtual host bug, from kleink@netbsd.org

changes in bozohttpd 5.04 (20000427):
  - fix virtual host support; URI takes precedence over Host:

changes in bozohttpd 5.03 (20000427):
  - fix a bug with chdir()

changes in bozohttpd 5.02 (20000426):
  - .pac support from simonb

changes in bozohttpd 5.01 (20000421):
  - .swf support
  - virtual hosting support