Guess what: this is our 100th release!
A bug fix for the bug fix, and a couple other bug fixes, including one security fix for PHP sites. We think all users should upgrade after giving it a whirl in their test environments. Please note some changes in this patch:
max_idle_conns_per_hostoption has been removed (both Caddyfile and JSON). This may be a breaking change for a few of you, but it only breaks configs that relied on a bug. Instead of silently failing, you will get an error if you continue using the property. For Caddyfile, we basically renamed the property to
keepalive_idle_conns_per_host. In JSON, we simply removed the property, and you should instead set
keep_alive/max_idle_conns_per_hostif you weren't already. Previously, the Caddyfile subdirective set both MaxConnsPerHost and MaxIdleConnsPerHost, which was confusing; and the JSON properties overwrote each other, so one was removed. Issue #4201.
🛡️Security patch in the FastCGI transport that now sanitizes paths against directory traversal outside the site root. PR #4207. 🐛Fix canonicalization redirects in
file_server. v2.4.2 introduced a bugfix (#4179) for these redirects when used inside
handle_path(i.e. rewriting the path by stripping a prefix), but caused a regression for many other use cases. This release includes a proper fix for all known, tested cases. Basically: these redirects are not issued if the filename of a path was rewritten internally. Issue #4205.
9d4ed3a caddyhttp: Refactor and export SanitizedPathJoin for use in fastcgi (#4207)
e8ae80a fileserver: Don't persist parsed template (fix #4202)
fbd6560 fileserver: Only redirect if filename not rewritten (fix #4205)
32c284b reverseproxy: Adjust test related to #4201
7c68809 reverseproxy: Fix overwriting of max_idle_conns_per_host (closes #4201)