Commits on Jul 25, 2016
  1. Security flaw http://httpoxy.org/ fixed

    A security flaw with HTTP_PROXY fixed. When we now construct the
    cgi env variables, we just skip the Proxy header.
    Reported by dominic@varspool.com
    Klacke Wikstrom committed Jul 25, 2016
Commits on Jul 10, 2016
  1. @vinoski
  2. @vinoski

    Fix typos in shopcart.erl

    vinoski committed Jul 10, 2016
Commits on Jul 8, 2016
  1. @cmeiklejohn @capflam

    randome/random.

    cmeiklejohn committed with capflam Jul 8, 2016
Commits on Jul 2, 2016
  1. @vinoski

    Fix #274: remove doc ref to is_default

    The is_default feature was removed a long long time ago but was still
    mentioned in yaws.tex, so remove it. Replace it with a reference to
    pick_first_virthost_on_nomatch.
    vinoski committed Jul 2, 2016
  2. Merge pull request #272 from klacke/etnt/sconf_gconf_set_functions

    Adding set functions for the sconf and gconf records
    committed on GitHub Jul 2, 2016
Commits on Jul 1, 2016
  1. @capflam @capflam

    Do not decode request path in logs

    Log files are opened in raw mode, so UTF-8 characters (>255) cannot be
    written. Their bytewise representation should be used instead. But, there is no
    good reason to decode paths. Some analyzing tools could be ASCII-oriented and
    this requires an extra encoding to get the original request.
    
    So now, no decoding is done on the request path in access and auth logs.
    capflam committed with capflam Jun 1, 2016
  2. @capflam @capflam

    Fix the UTF-8 handling for directories and files in yaws_ls

    This patch fixes the commit 8c0773f. See
    8c0773f for details.
    capflam committed with capflam Jun 1, 2016
Commits on Jun 30, 2016
  1. Preparing for rel 2.0.3

    Klacke committed Jun 30, 2016
  2. @capflam @capflam

    Manage modules/functions deprecated in Erlang/OTP 19.0

    'crypto:rand_bytes/1' and the 'random' module have been deprecated in Erlang/OTP
    19.0. Instead, we must use, respectively, 'crypto:strong_rand_bytes' and the
    'rand' module.
    
    Fix #277
    capflam committed with capflam Jun 30, 2016
Commits on Jun 19, 2016
  1. @vinoski

    Remove unneeded binding in yaws_websocket:send/2 call

    In yaws_api.erl, websocket_send was calling yaws_websocket:send/2 with
    a second argument of #ws_frame{}=Frame instead of just Frame.
    vinoski committed Jun 18, 2016
Commits on Jun 9, 2016
  1. Merge pull request #275 from dvaergiller/soap_srv_handle_request_concurrent

    Soap srv handle request concurrent
    committed Jun 9, 2016
Commits on Jun 7, 2016
  1. @dvaergiller @dvaergiller

    Make yaws_soap_srv handle requests in parallel

    This change makes the yaws_soap_srv:handler/4 function call the
    request/5 function directly, instead of having the gen_server do
    that. This avoids blocking the gen_server when handling requests and
    should provide much better parallelism.
    
    The gen_server now only manages WSDL models. The handler function will
    call the gen_server in order to retrieve the model. The rest should now
    be executed in the regular Yaws workers.
    dvaergiller committed with dvaergiller May 10, 2016
Commits on May 18, 2016
  1. Adding set functions for the sconf and gconf records

    Torbjorn Tornkvist committed May 18, 2016
Commits on May 12, 2016
  1. @capflam

    Fix an infinite loop when a client sends a request on "." or "./some-path"

    When a client sends a request on "." or "./some-path", Yaws will loop
    infinitely. This is reproducible by using a catch-all appmod (on "/").
    
    The loop can occur in "yaws_server:is_revproxy/3",
    "yaws_server:is_redirect_map/2" or "yaws_server:filter_auths/2", depending on
    the configuration. In these functions there is a check on the path to return
    when it is equal to "/". We must do the same when the path is ".".
    
    This patch fixes #271.
    capflam committed May 12, 2016
  2. Merge pull request #268 from matthiasl/ml_auth_in_ets

    Move username/password tuples from server state to an ETS table
    committed May 12, 2016
Commits on May 7, 2016
  1. @vinoski

    Add yaws_api:websocket_send for ws_state records

    Yaws documentation has been instructing users to call
    yaws_api:websocket_send with a ws_state record as the first argument,
    but there was no clause of that function supporting this. Add two new
    clauses of yaws_api:websocket_send to fix this problem. Change
    basic_echo_callback_extended example to call yaws_api:websocket_send
    instead of yaws_websockets:send.
    vinoski committed May 7, 2016
Commits on May 6, 2016
  1. @vinoski
Commits on May 5, 2016
  1. @vinoski

    Merge pull request #269 from leoliu/master

    Don't crash on unknown query string in yaws_ls:parse_query/1
    vinoski committed May 5, 2016
  2. @leoliu

    Don't crash on unknown query string in yaws_ls:parse_query/1

    and also make it case-insensitive.
    leoliu committed May 5, 2016
Commits on May 2, 2016
  1. @capflam @capflam

    Fix json parsing for UTF-8 strings

    Surrogate pairs were not handled during the string decoding and triggered an
    exception when encountered. This bug was reported in the issue #264.
    
    Some improvements have been made to sanitize error handling. And unit tests
    about json parsing have been added (tests have been retrieved from jiffy and
    jansson erlang projects).
    capflam committed with capflam Apr 27, 2016
Commits on Apr 29, 2016
  1. @leoliu @vinoski
Commits on Apr 28, 2016
  1. Password can contain colon fixed.

    Issue reported in #267
    Klacke Wikstrom committed Apr 28, 2016
Commits on Apr 27, 2016
  1. Merge pull request #266 from matthiasl/ml_docfixes

    Ml docfixes
    committed Apr 27, 2016
  2. Fix incomplete and outdated documentation of .yaws_auth

    Previously, the yaws documentation recommended storing username/password
    pairs in .yaws_auth, in the docroot. This is a bad idea because it can
    result in exposing plaintext username/password via editor backup files.
    
    Previously, the yaws documentation was missing documentation for the
    realm, pam, authmod, file, allow, deny and order directives in .yaws_auth.
    Matthias Lang committed Apr 27, 2016
  3. Move username/password tuples from server state to an ETS table

    Previously, basic authentication in YAWS stored {Username, Password}
    tuples as a list in the server state. By default, a crash in YAWS
    generates a crash dump which is served over HTTP, thus remotely
    exposing all passwords and usernames in plaintext.
    
    This patch moves the {Username, Password} to an ETS table so that
    sensitive information is kept on the server rather than leaked.
    Matthias Lang committed Apr 20, 2016
Commits on Apr 22, 2016
  1. @leoliu @vinoski
Commits on Apr 13, 2016
  1. @capflam

    Use id to build the command line in the windows startup script

    This fixes a warning about an unused variable.
    capflam committed Apr 5, 2016
  2. @capflam

    Do not use erlang:now/0 anymore in Yaws applications

    erlang:now/1 was deprecated in Erlang/OTP 18.0. We rely on yaws:get_time_tuple/0
    instead.
    capflam committed Apr 5, 2016
  3. @capflam
  4. @capflam

    Move Erlang compatibility checks from the configure to a module

    Now, the new module yaws_dynopts does all tests on the Erlang/OTP release that
    were done before in the configure. So it is possible to compile Yaws with an
    Erlang/OTP release and run it with another, all features should be dynamically
    detected.
    
    Because these checks can be expensive, when Yaws is started, we generate and
    compile a static version of yaws_dynopts.
    capflam committed Apr 1, 2016
  5. @capflam
  6. @capflam

    Remove doc about deprecated values for the SSL option 'verify'

    In the old SSL implementation, 0, 1 and 2 were the possible values for the 'verify'
    option. For the new one, only verify_peer and verify_none are officially
    supported and documented. Old values are still supported for backward
    compatibility, but not documented.
    
    We do the same in Yaws. Old values are translated into new ones. So if their
    support is removed from the SSL application in a future Erlang/OTP release, Yaws
    will still work. Documentation has been updated to remove info about the old
    values.
    capflam committed Mar 31, 2016
  7. @capflam

    Remove very old use_old_ssl directive

    This directive was added to use old SSL implementation. It was removed in
    Erlang/OTP R15. So, because Yaws works with releases upper to R14B02, this
    option is only supported with Erlang/OTP R14B02, R14B03 and R14B04. For all
    other supported releases, Yaws will fail if use_old_ssl is set to true.
    
    To be honest, if you use SSL in Yaws, you'd better upgrade your Erlang/OTP
    release. The new SSL implementation is far better than the old one and many bugs
    are fixed in recent releases.
    capflam committed Mar 31, 2016