Commits on Aug 10, 2011
  1. ENH: avoid defining/undefining system_content_types

    - simply merge in the hash values directly. This is more efficient,
      especially if we assume that there are fewer user-defined types than
      system types
    Mark Olesen committed Aug 10, 2011
Commits on Aug 8, 2011
  1. ENH: provide a minimal safe PATH (/usr/bin:/bin) for CGI scripts

    - older HTTPi passed through existing PATH - potentially dangerous
    - newer HTTPi set PATH to be empty - interferes with using standard
      tools like cut/awk/etc
    - compromise: provide a minimal safe PATH
    Mark Olesen committed Aug 7, 2011
Commits on Aug 7, 2011
  1. ENH: provide interprompt alias for compatibility

    - the sub interprompt was removed by ac485f7, but people might
      expect it to continue to exist.
    Mark Olesen committed Aug 7, 2011
Commits on Jun 21, 2011
  1. BUG: incorrect handling of PATH_INFO for border cases

    New behaviour is consistent with Apache.
    Mark Olesen committed Jun 21, 2011
Commits on Jun 7, 2011
  1. STYLE: reduce scope of some variables

    Mark Olesen committed Jun 7, 2011
  2. ENH: combine interprompt into prompt

    - logs the expanded variables
    Mark Olesen committed Jun 7, 2011
  3. STYLE: replace @answers array with $DEFAULT as array ref

    Mark Olesen committed Jun 7, 2011
  4. BUG: odd replacement trashes PATH

        PATH=".:/usr/bin:foo" perl configure.demonic
    Mark Olesen committed Jun 7, 2011
  5. BUG: aggressive detainting trashes PATH

        PATH=".:/usr/bin" perl configure.demonic
    Mark Olesen committed Jun 7, 2011
Commits on Mar 2, 2010
  1. Release 1.7

    * New Security Model now mandatory
    * PATH_INFO support, based on code by Rob Sayers and Denis Fortin
    * Additional security and sanity checks during installation
    * Repairs taintperl bug introduced in 1.6.2 (will pass perl -T again)
    * Redirects now properly aware of port number (except Generic)
    Cameron Kaiser committed with Mark Olesen Mar 2, 2010
Commits on Nov 29, 2009
  1. Release 1.6.2

    Changes since 1.6.1:
    * clean up after testing for socket constants (thanks Mark Olesen)
    * don't load the whole POSIX namespace (thanks Mark Olesen)
    * log errors better if preparsing fails. This requires using a stub
      function for the New Security Model to support installations that
    * assert proper signals in child processes
    * internal code refactoring
    * xsl => text/xml (thanks Mark Olesen)
    * Perl expressions accepted to certain configure responses
      (thanks Mark Olesen)
    * for packages using HTTPi as a front end
      (thanks Mark Olesen)
    Cameron Kaiser committed Nov 5, 2009
  2. Release 1.6.2

    * filesystems where // != / now should work (MachTen, others)
    * New Security Model did not always drop all groups
    * &nsecmodel should be called before setting HTTP 200
    Cameron Kaiser committed Mar 16, 2009
  3. Release 1.6

    Changes since 1.5.2:
    * SSL is now supported using stunnel (
      and your crypto libraries with configure.stunnel
    * Mac OS X launchd is now supported with configure.launchd
    * If-Modified-Since exact-prefix support (returns 304)
    * compatibility verified against Perl 5.10
    * additional explicit header support (thanks Robert Brown)
      and MIME types
    * additional STATIOS load tracking statistics and clarified prompts
    * progress indicator on process list for transfers
    * Makefile executables and logic cleaned up (but NOT for installation)
    * file extension filtering for filesystems with weird execute bits
      (thanks Al Guintu)
    * STATIOS requests bug out if they are the very first after startup
    * meta tags added to prevent status page indexing
    * transcript files are locked to HTTPi flavour to eliminate confusion
    Cameron Kaiser committed May 5, 2008
  4. Release 1.5.2

    Changes since 1.5.1:
    * leftover compatibility fixes to configure.*
    * looser timeouts for better tolerance of slower clients
    * dmg img MIME types
    * tweaks to STATIOS for future changes in 1.6
    Cameron Kaiser committed May 16, 2007
  5. Release 1.5.1

    Changes since 1.5:
    * potential socket-binding bug in Demonic and newer Perls
    * directory sorts and bugs with browsed
    Cameron Kaiser committed Nov 21, 2006
  6. Release 1.5

    Changes since 1.4:
    * &hterror, &hterror301 and &hterror404 are in the new
      to allow you to make changes and carry these into new versions.
      also use for all yer new global library funs
      instead of sticking them in
    * absolver bullet-proof(?) DNS handling
    * New Security Model now default
    * logging option for IP and hostname together for anti-spoofing
    * preprocessor enhancements
    * POSIX-based signals handling (new process model) for new Perls
      under Demonic (and fixes to code to make it more compatible)
      this adds &defaultsignals and &alarmsignals, and replaces the
      "hotfix" for 1.4.
    * old $SIG-based method still there if you don't have, or
      if you use 5.6.x or earlier
    * less laggy under load
    * tested under 5.00503 through 5.8.6
    * corrected/expanded content type list
    * tools/phproxy and tools/browsed compatibility tweaks
    * asynch logging, never achieved its potential anyway
    Cameron Kaiser committed Apr 12, 2006
  7. Release 1.4

    Changes since 1.3.2:
    * change log now divided into new stuff, enhancements, and fixes
    * New Security Model enables granular and more secure
      document access by matching uids to documents
    * primitive bandwidth throttling facility
    * logging now can be asynchronous (requires fork support)
    * cookies now handled
    * include facility for pre-parsed files
    * process string now displays request on those systems allowing it
    * sock_to_host now caches DNS reverse lookups ... much faster
    * more content types
    * hooks within HTTPi for handlers and proxies (see tools/phproxy/)
    * tested "guaranteed" with 5.8.* and 5.6.*
    * subtle bug in /setr?e?uid/ logic fixed
    * installation as root no longer fails taint checking in 5.6.1 and up
      (thanks Nick Brown)
    * logging bug where $variables == 0 (smacks self on head)
    * one less sockcons.c warning with gcc
    * port binding bug on multi-homed Demonic fixed
    * several erroneous content types fixed
    * better handling of systems without a working setruid() (AIX4, ...)
    * somewhat more resistant of stupid clients not parsing paths right
    * startup failure with missing virtual files fixed (properly issues
      non-fatal warning now)
    * incorrect transcript filenames now properly error out
    Cameron Kaiser committed Nov 13, 2003
  8. Release 1.3.2

    Changes since 1.3.1:
    * possible security exploit allowing HTTPi to escape its mount
      point defeated. thanks to Denis Fortin.
    * improved? performance logic with weird proxy activity
    Changes since 1.3:
    * possible security exploit with malformed URLs containing shell
      metacharacters. changed URL-dependent open() statements to sysopen()
      to defeat this
    * additional content types mp3 lnk mpg mpeg
    Changes since 1.2.2:
    **** WE'VE MOVED! Look for us at ****
    * virtual files allow overriding/non-interactive content caching
      (Demonic only) based on hash
    * major MIME types now maintained in -- only overrides
      and additional types go in the
      hash. still compatible with 1.2.x-style files
    * added wml wbmp wbm js mov jar MIME types to
    * bug with HTTP/0.9 undefined methods closed (more for completeness
      than any practical reason)
    * sock_to_host() should reference DEF_AF_INET, not hardcoded 2 ...
    * ... and because of this, configure.* must now ask for this constant
      (except Demonic, which grabs it anyway) -- fortunately, I
      think it's 2 on just about every architecture
    * compiler is now the primary source for socket constants in
      configure.demonic -- problems with on some
      [misconfigured??] architectures (SunOS 5.5.1?)
    * configure.inetd reports wrong architecture but builds okay (fixed)
    * fix to sockcons.c for better compilation (SunOS for one)
    * Range: header support added (thanks Henry Ptasinski)
    * tweaks to the makefile which no one uses
    * last remnants of old /1.1 kludge stripped from configure.demonic
    Cameron Kaiser committed Oct 7, 2001
  9. Release 1.2.2

    Changes since 1.2.1:
    * fixed possible exploit that might allow HTTPi to inadvertently
      access files outside its mountpoint (thanks Marcus Kreutzberger)
    Changes since 1.2:
    * fixed bug with bad port redirects (where port wasn't 80) --
      thanks Aaron Spangler
    * fixed bug with null Host: header when virtual hosting was
      disabled (thanks Glauber Ribeiro)
    Changes since 1.0b2:
    * HTTP/1.1 KeepAlive now removed: Connections all non-persistent.
      Never worked right anyway :-) also aids speed and spec
      compliancy (thanks Marc Slemko)
    * Linux inetd kills HTTPi under conditions of slow links and
      big files. Timeout kludge added. Other OSes may also
      need this (inetd version only, thanks Bill Benedetto)
    * user-modifiable hashes, restriction matrix, etc. now in outside
      files to aid upgrading
    * and speaking of upgrading: new UPGRADING file, some changes to
      preprocessor to facilitate nested includes
    * couple extra MIME types
    * saves memory: file serves now in a read loop rather than a big
      slurp-up when it can
    * fixed: URL-escaped requests now work (thanks Marc Slemko)
    * understands Expect header
    * proper handling of methods other than GET, HEAD and POST
    * proper handling of 1.1 requests w/o Host: header
    Cameron Kaiser committed May 15, 2000
  10. Release 1.0b2

    Changes since first 1.0:
    * fixed configure-time bug that caused syntax errors if preparsing
      not turned on. duh. thanks Fergus Gallagher.
    * better socket handling for Demonic
    Changes since 0.99:
    * logging. one final change: user, since it's not through identd,
      should be in the second -. so, fixed. that's it! that's all the
      changes I'm going to make to that! finito!
    * fixed: bug in HTTPerl and POST executables where a runtime over
      10sec causes premature termination. no real damage but
      inexplicable behaviour was quite annoying (very subtle bug)
    * first preparsing support for inline Perl. ewwww icky gross inline
      perl ptui spit. you specify the extensions, you cover the
      damage your users do with the server's UID (and don't say you
      weren't warned). also adds &output and &flush methods, and
      .shtm?l? MIME types
    * fixed: perl ./configure didn't work. oops
    * added lzh lha pdf fdf MIME types
    * mild methods tweak to how hostname/IP info is stored. now cached
      if the restriction matrix already looked that info up
    * transcript files are now version tagged to stop upgrade snarls
    Cameron Kaiser committed Oct 28, 1999
  11. Release httpi-0.99

    Changes since 0.7:
    * logging ... didn't change. phew, for once :-)
    * user file system allows http://foo/~bar/, getpwnam() check added
    * don't be running no root-owned executables now ;-) it didn't run
      them before either but the error was very cryptic
    * HTTP authentication through restriction matrix
    * better HTTP/0.9 support, especially for 301 responses
    * IP-less virtual hosting (new global %nameredir)
    * configure.xinetd no longer depends on /etc/services
    * configure.inetd patched for really anal inetd systems (like HP/UX)
    * 404 and 301 responses now handled by dedicated subroutines
    * authentication check now precedes file existence check for allowing
      modules to be protected
    * new global $raddress now contains resolved filesystem address
    * alarm() no longer required but really really really recommended
      (this to help porting HTTPi to non-Unixy things)
    * statios statistics module (demonic only)
    * hostname lookups may be turned off for speed (sheesh, 150% boost
      in Demonic mode)
    * some extra MIME types
    * new utilities: crapword, browsed (see instructions)
    Cameron Kaiser committed Jun 17, 1999
  12. Release httpi-0.7

    Changes since 0.4:
    * argh!!!! I *still* can't get logging right!!! fixed to once and
      for all obey CERN spec
    * new daemonized version (configure.demonic)
    * subtle bug where sock_to_host returns nil could corrupt logs. fixed.
    * configure.inetd now NIS aware
    * tons (too many) new environment variables for executables a la CGI
      1.1 specification
    * now aware of its host name, always a good thing :-)
    * checks for alarm() and fork() availability in your Perl
    * incomplete configures left null transcripts. fixed.
    * error conditions in would sometimes give spurious
      " not found" errors. fixed.
    * HTTPerl allows same interpreter instance to be reused for speed
    * HTTPerl-compatible noodle
    * version string now reflects OS type and configure type
    * HEAD now correctly logs actual data transferred
    * HTTP/1.1 requests in non-1.1 mode come back as HTTP/1.0 (RFC
    	compliancy issue)
    Cameron Kaiser committed Mar 18, 1999
  13. Release httpi-0.4

    Changes since 0.1:
    * new environment variables: HTTP_REFERER, HTTP_USER_AGENT
    * REMOTE_ADDR and REMOTE_HOST no longer equivalent, in line with CGI spec
    * fixed CERN date bug
    * your choice of logging: with referer/useragent, with referer, or neither
    * user agent now acquired in this version
    * restriction matrix security
    * generic configure script for non-inetd systems
    * xinetd configure script for xinetd systems
    * common config questions and subroutines moved to
      and, respectively
    * sock_to_host internal function hardcoded to use STDIN filehandle
    * new globals $httpua, %restrictions
    Cameron Kaiser committed Jan 5, 1999
  14. Initial commit - httpi-0.1

    Cameron Kaiser committed Nov 17, 1998