Commits on Aug 22, 2016
  1. @ofavre @vinoski

    Fix #283: FastCGI protocol error for empty HTTP body requests

    In my setup I receive the following 500 error when POSTing an empty
    request to any PHP script.
    
      CGI failure: {"recv from application server failed",closed}
    
    My investigations showed that the FCGI_STDIN <<>> frame was sent twice
    and the FastCGI server closes the connection right away, (most of the
    time) before having time to answer.
    
    The FastCGI protocol describes the end of a stream as an empty record
    for that stream. What Yaws does is it basically closes the stream
    twice. Moreover, a stream is described as zero or more non-empty
    records, followed by an empty record.
    
    http://www.mit.edu/~yandros/doc/specs/fcgi-spec.html#S3.3
    
      "A stream record is part of a stream, i.e. a series of zero or more
      non-empty records (length != 0) of the stream type, followed by an
      empty record (length == 0) of the stream type."
    
    http://www.nongnu.org/fastcgi/#id2854157
    
      "Furthermore, it will forward any POST data it receives from the
      client to the application via the STDIN stream. Once all data have
      been forwarded, an empty STDIN packet is sent to close the stream."
    
    Though the specification is not as precise as an RFC, sending two
    empty records is not in the spirit of the spec.
    
    Add special handling for empty body requests to
    yaws_cgi:fcgi_pass_through_client_data/1.
    ofavre committed with vinoski Aug 22, 2016
Commits on Jul 25, 2016
  1. Security flaw http://httpoxy.org/ fixed

    A security flaw with HTTP_PROXY fixed. When we now construct the
    cgi env variables, we just skip the Proxy header.
    Reported by dominic@varspool.com
    Klacke Wikstrom committed Jul 25, 2016
Commits on Jul 10, 2016
  1. @vinoski
  2. @vinoski

    Fix typos in shopcart.erl

    vinoski committed Jul 10, 2016
Commits on Jul 8, 2016
  1. @cmeiklejohn @capflam

    randome/random.

    cmeiklejohn committed with capflam Jul 8, 2016
Commits on Jul 2, 2016
  1. @vinoski

    Fix #274: remove doc ref to is_default

    The is_default feature was removed a long long time ago but was still
    mentioned in yaws.tex, so remove it. Replace it with a reference to
    pick_first_virthost_on_nomatch.
    vinoski committed Jul 2, 2016
  2. Merge pull request #272 from klacke/etnt/sconf_gconf_set_functions

    Adding set functions for the sconf and gconf records
    committed on GitHub Jul 2, 2016
Commits on Jul 1, 2016
  1. @capflam @capflam

    Do not decode request path in logs

    Log files are opened in raw mode, so UTF-8 characters (>255) cannot be
    written. Their bytewise representation should be used instead. But, there is no
    good reason to decode paths. Some analyzing tools could be ascii oriented and
    this requires an extra encoding to get the original request.
    
    So now, no decoding is done on the request path in access and auth logs.
    capflam committed with capflam Jun 1, 2016
  2. @capflam @capflam

    Fix the UTF-8 handling for directories and files in yaws_ls

    This patch fixes the commit 8c0773f. See
    8c0773f for details.
    capflam committed with capflam Jun 1, 2016
Commits on Jun 30, 2016
  1. Preparing for rel 2.0.3

    Klacke committed Jun 30, 2016
  2. @capflam @capflam

    Manage modules/functions deprecated in Erlang/OTP 19.0

    'crypto:rand_bytes/1' and the 'random' module have been deprecated in Erlang/OTP
    19.0. Instead, we must use, respectively, 'crypto:strong_rand_bytes' and the
    'rand' module.
    
    Fix #277
    capflam committed with capflam Jun 30, 2016
Commits on Jun 19, 2016
  1. @vinoski

    Remove unneeded binding in yaws_websocket:send/2 call

    In yaws_api.erl, websocket_send was calling yaws_websocket:send/2 with
    a second argument of #ws_frame{}=Frame instead of just Frame.
    vinoski committed Jun 19, 2016
Commits on Jun 9, 2016
  1. Merge pull request #275 from dvaergiller/soap_srv_handle_request_concurrent

    Soap srv handle request concurrent
    committed Jun 9, 2016
Commits on Jun 7, 2016
  1. @dvaergiller @dvaergiller

    Make yaws_soap_srv handle requests in parallel

    This change makes the yaws_soap_srv:handler/4 function call the
    request/5 function directly, instead of having the gen_server do
    that. This avoids blocking the gen_server when handling requests and
    should provide much better parallelism.
    
    The gen_server now only manages WSDL models. The handler function will
    call the gen_server in order to retrieve the model. The rest should now
    be executed in the regular Yaws workers.
    dvaergiller committed with dvaergiller May 10, 2016
Commits on May 18, 2016
  1. Adding set functions for the sconf and gconf records

    Torbjorn Tornkvist committed May 18, 2016
Commits on May 12, 2016
  1. @capflam

    Fix an infinite loop when a client sends a request on "." or "./some-path"

    When a client sends a request on "." or "./some-path", Yaws will loop
    infinitely. This is reproducible by using a catch-all appmod (on "/").
    
    The loop can occur in "yaws_server:is_revproxy/3",
    "yaws_server:is_redirect_map/2" or "yaws_server:filter_auths/2", depending on
    the configuration. In these functions there is a check on the path to return
    when it is equal to "/". We must do the same when the path is ".".
    
    This patch fixes #271.
    capflam committed May 12, 2016
  2. Merge pull request #268 from matthiasl/ml_auth_in_ets

    Move username/password tuples from server state to an ETS table
    committed May 12, 2016
Commits on May 7, 2016
  1. @vinoski

    Add yaws_api:websocket_send for ws_state records

    Yaws documentation has been instructing users to call
    yaws_api:websocket_send with a ws_state record as the first argument,
    but there was no clause of that function supporting this. Add two new
    clauses of yaws_api:websocket_send to fix this problem. Change
    basic_echo_callback_extended example to call yaws_api:websocket_send
    instead of yaws_websockets:send.
    vinoski committed May 7, 2016
Commits on May 6, 2016
  1. @vinoski
Commits on May 5, 2016
  1. @vinoski

    Merge pull request #269 from leoliu/master

    Don't crash on unknown query string in yaws_ls:parse_query/1
    vinoski committed May 5, 2016
  2. @leoliu

    Don't crash on unknown query string in yaws_ls:parse_query/1

    and also make it case-insensitive.
    leoliu committed May 5, 2016
Commits on May 2, 2016
  1. @capflam @capflam

    Fix json parsing for UTF-8 strings

    Surrogate pairs were not handled during the string decoding and triggered an
    exception when encountered. This bug was reported in the issue #264.
    
    Some improvements have been made to sanitize error handling. And unit tests
    about json parsing have been added (tests have been retrieved from jiffy and
    jansson erlang projects).
    capflam committed with capflam Apr 27, 2016
Commits on Apr 29, 2016
  1. @leoliu @vinoski
Commits on Apr 28, 2016
  1. Password can contain colon fixed.

    Issue reported in #267
    Klacke Wikstrom committed Apr 28, 2016
Commits on Apr 27, 2016
  1. Merge pull request #266 from matthiasl/ml_docfixes

    Ml docfixes
    committed Apr 27, 2016
  2. Fix incomplete and outdated documentation of .yaws_auth

    Previously, the yaws documentation recommended storing username/password
    pairs in .yaws_auth, in the docroot. This is a bad idea because it can
    result in exposing plaintext username/password via editor backup files.
    
    Previously, the yaws documentation was missing documentation for the
    realm, pam, authmod, file, allow, deny and order directives in .yaws_auth.
    Matthias Lang committed Apr 27, 2016
  3. Move username/password tuples from server state to an ETS table

    Previously, basic authentication in YAWS stored {Username, Password}
    tuples as a list in the server state. By default, a crash in YAWS
    generates a crash dump which is served over HTTP, thus remotely
    exposing all passwords and usernames in plaintext.
    
    This patch moves the {Username, Password} to an ETS table so that
    sensitive information is kept on the server rather than leaked.
    Matthias Lang committed Apr 20, 2016
Commits on Apr 22, 2016
  1. @leoliu @vinoski
Commits on Apr 13, 2016
  1. @capflam

    Use id to build the command line in the windows startup script

    This fixes a warning about an unused variable.
    capflam committed Apr 5, 2016
  2. @capflam

    Do not use erlang:now/0 anymore in Yaws applications

    erlang:now/1 was deprecated in Erlang/OTP 18.0. We rely on yaws:get_time_tuple/0
    instead.
    capflam committed Apr 5, 2016
  3. @capflam
  4. @capflam

    Move Erlang compatibility checks from the configure to a module

    Now, the new module yaws_dynopts does all tests on the Erlang/OTP release that
    were done before in the configure. So it is possible to compile Yaws with an
    Erlang/OTP release and run it with another, all features should be dynamically
    detected.
    
    Because these checks can be expensive, when Yaws is started, we generate and
    compile a static version of yaws_dynopts.
    capflam committed Apr 1, 2016
  5. @capflam
  6. @capflam

    Remove doc about deprecated values for the SSL option 'verify'

    In the old SSL implementation, 0, 1 and 2 were the possible values for the 'verify'
    option. For the new one, only verify_peer and verify_none are officially
    supported and documented. Old values are still supported for backward
    compatibility, but not documented.
    
    We do the same in Yaws. Old values are translated into new ones. So if their
    support is removed from the SSL application in a future Erlang/OTP release, Yaws
    will still work. Documentation has been updated to remove info about the old
    values.
    capflam committed Mar 31, 2016