diff options
Diffstat (limited to 'data/lighttpd/lighttpd-1.4.53/NEWS')
| -rw-r--r-- | data/lighttpd/lighttpd-1.4.53/NEWS | 2192 |
1 files changed, 2192 insertions, 0 deletions
diff --git a/data/lighttpd/lighttpd-1.4.53/NEWS b/data/lighttpd/lighttpd-1.4.53/NEWS new file mode 100644 index 000000000..d5eec9658 --- /dev/null +++ b/data/lighttpd/lighttpd-1.4.53/NEWS @@ -0,0 +1,2192 @@ + +==== +NEWS +==== + +- 1.4.53 - 2019-01-27 + * [mod_cml,mod_flv_streaming] fix NULL ptr deref + * [mod_simple_vhost] t/test_mod_simple_vhost + * [mod_evhost] split uri handler func for testing + * [mod_evhost] restructure for unit tests + * [mod_evhost] t/test_mod_evhost + * [mod_access] restructure for unit tests + * [mod_access] t/test_mod_access + * [tests] include first.h and NDEBUG early + * [core] use kill_signal for gw_proc_kill() + * [tests] t/test_keyvalue + * [tests] some test config cleanup + * [tests] update skip count in mod-fastcgi.t + * [multiple] reduce initial buffer sz if large POST (fixes #2922) + * [mod_fastcgi] fix NULL ptr deref from bugfix #2922 (fixes #2923) + * [tests] more test config cleanup + * [core] perf: incremental hash of pathname w/o copy + * [core] perf: reuse buffer to redirect to directory + * [core] do not free() reused buffer + * [core] use connected sock port in dir redirect + * [core] http_response_buffer_append_authority() + * [core] use con->server_name for dir redir + * [core] memeq compare rounded to 64, not next 1M + * [core] define MD5_DIGEST_LENGTH 16 + * [mod_auth] permit additional auth backends to load + * [core] send Connection: close if reqbody not read (fixes #2924) + * [core] cache rev DNS for localhost for dir redir + * [doc/conf] resolve some mime type conflicts from debian buster, regenerate mime.conf + * [core] move winsock init to network_init() + * [core] move /dev/stdin graceful restart handling + * [core] network_srv_sockets_append() shared code + * [core] systemd socket activation support + * [build] autotools: try mysqlclient.pc and mariadb.pc (fixes #2925) + * [mod_expire] look up expire fallback "" explicitly + * [multiple] calloc match ptr type (clang --analyze) + * [multiple] quiet clang --analyze where trivial + * [mod_webdav] compare COPY, MOVE Destination scheme + * [core] con->uri.scheme is maintained lowercase + * [mod_openssl] ALPN and acme-tls/1 (fixes #2931) + * [core] Fix recursive include_shell invocations + * [mod_openssl] ssl.privkey directive (optional) + +- 1.4.52 - 2018-11-28 + * [mysql] MySQL 8 deprecates my_bool + * [core] typo in trace + * [build] Fix unportable test(1) operator + * [core] perf: call connection_reset() fewer times + * [core] perf: array_reset_data_strings() + * [core] perf: buffer_free_ptr() __attribute__ cold + * [core] perf: one-element cache for host normalize + * [core] perf: buffer_copy_string_len() + * [core] perf: skip redundant prepare copy calls + * [core] perf: buffer_align_size() identity if align + * [core] perf: size write buffers for reuse + * [core] perf: prepend headers directly into write q + * [core] perf: copy small strings; better buf reuse + * [core] perf: copy small strings; extend last chunk + * [core] perf: specialized func for array sorting + * [core] perf: append response directly into write q + * [core] perf: better buf reuse reading from backend + * [core] chunk.c code reuse + * [multiple] perf: write headers to backend write cq + * [multiple] perf: power-2 alloc large headers + * [multiple] perf: use larger initial backend buffer + * [core] permit env vars to be set with blank value + * [mod_fastcgi] perf: reduce data copies + * [mod_fastcgi] perf: reduce data copies + * [core] perf: chunk.c chunk pool + * [multiple] perf: reuse large buffers w/ backend + * [multiple] better packing of struct chunk + * [core] perf: inline buffer_append_string_buffer() + * [core] slightly simpler flag append to string + * [mod_cgi] perf: reuse buffers for creating CGI env + * [mod_fastcgi,mod_scgi] perf: env accumulation + * [core] Don't call RAND_cleanup with OpenSSL 1.1.x + * [mod_openssl] move SSL_shutdown() to separate func + * [mod_openssl] SSL_read before second SSL_shutdown + * [mod_cgi] perf: use stat_cache for cgi handler + * [mod_openssl] prefer using TLS_server_method() + * [mod_webdav] return 403 if file should exist + * [core] perf: chunkqueue buffers already sized up + * [core] perf: simpler buffer_string_space() + * [multiple] dynamic handlers hint backend header sz + * [core] use chunk_buf_sz instead of hard-coded num + * [multiple] perf: simplify chunkqueue_get_memory() + * [mod_wstunnel] perf: reuse large buffers + * [mod_cgi] perf: cache getenv() results at start up + * [core] fix 301 -> 302 overwrite with Location (fixes #2918) + * [core] fix setting of headers previously reset (fixes #2919) + * [mod_webdav] quiet coverity false positive + * [core] server.compat-module-load = "disable" + * [core] server.chunkqueue-chunk-sz = 4096 + * [core] perf: simpler buffer_string_space() (fixed) + * [core] perf: faster HTTP pipelined requests + * [core] perf: simpler buffer_string_space() (tests) + * [mod_cgi] reset reused buffer on internal redir + * [core] clear chunk buffer upon release + * [mod_fastcgi] minor: copy packet without padding + * [mod_redirect,mod_rewrite] use server_name + * [mod_fastcgi] transfer chunks minus packet padding + * [core] separate func to reset FILE_CHUNK + * [core] perf: simple, quick buffer_clear() + * [core] perf: small improvement to encoding CGI var + * [core] perf: small improvement buffer_string_space + * [core] simpler physical path concatenation + * [mod_webdav] fix LOCK on incorrect URI path + * [mod_webdav] one fewer buffer copy for COPY,MOVE + * [core] perf: simplify buffer_move() + * [mod_cml] parse query string without modifying it + * [core] perf: buffer optimizations + * [mod_wstunnel] use buffer_string_length() + * [core] perf: inline buffer_copy_buffer() + * [core] cygwin helper func for getcwd + * [core] cygwin sample to run lighttpd under NSSM + * [core] limit con->uri.authority < 1024 octets + * [mod_webdav] separate func for each request method + * [core] reject decoded url-path without leading '/' + * [multiple] validate UTF-8 in url-decoded paths + * [mod_proxy] silence coverity false positive + * [core] fix typo + * [core] buffer_append_path_len() + * [core] quiet indexfile warning if mod not loaded + +- 1.4.51 - 2018-10-14 + * [core] split parsing header line into separate function + * [core] explicitly return 0 instead of constant result + * [core] header parsing: use goto for error handling + * [core,security] process headers after combining folded headers + * [core] replace folding whitespace with a single space + * [buffer] fix duplicate assert and comment + * [core] redo HTTP header line folding + * [core] parse header line strings before copying + * [core] abstraction to insert/modify response hdrs + * [core] code reuse with array_insert_key_value() + * [core] simplify parsing hdr key whitespace then : + * [core] http_request_parse_reqline() separate func + * [core] abstraction layer for HTTP header manip + * [core] code reuse with http_response_body_clear() + * [mod_proxy] fix proxy.forwarded and proxy.replace-http-host (fixes #2902) + * [mod_rewrite] fix url.rewrite-repeat and url.rewrite-if-not-file (fixes #2908) + * [core] fastcgi.h link to Open Market License (OML) (fixes #2901) + * [mod_proxy,mod_wstunnel] copy full plugin_config (fixes #2903) + * [mod_fastcgi,mod_scgi] error on oversized request (fixes #2905) + * [mod_auth] send 401 for mismatch HTTP auth scheme (fixes #2906) + * [core] code reuse array_match_*() routines + * [mod_skeleton] review and simplify + * [multiple] code reuse: employ array_match_*() + * [doc] lighttpd.service uses network-online.target + * [mod_flv_streaming] code simplifications + * [mod_authn_pam] mod_auth PAM support (fixes #688) + * [mod_sockproxy] add to build + * [core] fix include_shell on inline shell commands (fixes #2910) + * [multiple] code reuse: using array_*() funcs + * [tests] t/test_array.c + * [core] array_get_int_ptr() + * [core] more memory-efficient fn table for data_* + * [tests] #undef NDEBUG before assert.h in t/test_* + * [core] inline status_counter routines + * [core] log_failed_assert() __attribute__((cold)) + * [core] http_status_append() + * [core] http_method_append() + * [core] prefer buffer_append_string_len() + * [build] fix SCons build for mod_authn_pam + * [mod_userdir] security: skip username "." and ".." + * [mod_deflate] null-check to quiet coverity warning + * [core] quiet coverity false positive + * [multiple] quiet compiler warnings --without-pcre + * [mod_secdownload] support if HMAC() is a macro + * [TLS] sys-crypto.h abstraction + * [TLS] sys-crypto.h abstraction + * [build] put request.c in common src + * [meson] build fixes for libmariadb and libsasl2 + * [core] PATH_INFO calculation when basedir is "/" (fixes #2911) + * [core] better consistency in buffer_is_equal*() + * [core] fix missing param from prev commit + * [mod_openssl] no renegotiation in TLS 1.3 (fixes #2912) + * [core] reject Transfer-Encoding from proxy (#2913) + * [mod_auth] use SHA1_Init,Update,Final + * [mod_openssl] add support for wolfSSL + * [build] automake support for wolfSSL + * [build] SCons support for wolfSSL + * [build] meson support for wolfSSL + * [build] CMake support for wolfSSL + * [core] perf: buffer.c internal inlines + * [mod_openssl] wolfSSL does not support SSLv2 + * [core] perf: buffer_string_append_len() + * [core] permit server.error_handler to static file + +- 1.4.50 - 2018-08-13 + * [mod_extforward] allow explict IPs to be untrusted (#2860) + * [core] fix crash if 'host' empty in config (fixes #2876) + * [mod_magnet] fix regression in lighty.stat (fixes #2877) + * [core] minor code cleanup in gw_recv_response() + * [core] fix rare race condition from backends (fixes #2878) + * [mod_proxy] fix segfault in Set-Cookie reverse map (fixes #2879) + * [core] fdevent_accept_listenfd() nonblock cloexec + * [build] remove m4 AC_PATH_PROG for PKG_CONFIG + * [core] some header cleanup + * [mod_wstunnel] better Sec-WebSocket-Protocol parse + * [mod_magnet] code reuse + * [mod_magnet] reduce buffer copies + * [mod_fastcgi,mod_scgi] fastcgi.balance,scgi.balance (fixes #2882) + * [core] check if SOCK_NONBLOCK is ignored (fixes #2883) + * [core] buffer_append_string_encoded_hex_lc() + * [core] more efficient hex2int() + * [mod_secdownload] compare bin MAC instead of hex + * [core] li_tohex_lc() explicitly uses lc hex chars + * [core] buffer_append_uint_hex_lc() uses lc hex + * [core] buffer_append_string_encoded() uc hex + * [tests] reduce test_base64 brute force tests + * [tests] remove test_buffer output, except on error + * [core] check for continuation in server.tag + * [core] CONNECT must be handled before fs hooks + * [mod_redirect, mod_rewrite] code reuse (sharing) + * [core] data_config_pcre_compile,exec() + * [tests] test_request unit tests + * [core] http_kv.[ch] method, status, version str + * [core] remove unused get_http_status_body_name() + * [core] remove proc_open.[ch], reduce stdio.h use + * [tests] move src/test_*.c to src/t/ + * [core] server.http-parseopts URL normalization opt (fixes #1720) + * [core] inline some buffer.[ch] routines + * [core] remove some duplicative code in log.c + * [core] debug server.log-request-header-on-error + * [mod_redirect,mod_rewrite] short-circuit earlier + * [core] fix buffer_to_upper() + * [mod_cgi] handle CGI partial response header write + * [mod_redirect,mod_rewrite] pass request URI info + * [mod_redirect,mod_rewrite] encoding options (fixes #443, fixes #911) + * [mod_redirect,mod_rewrite] fix segfault w/ invalid syntax (fixes #2892) + * [mod_fastcgi] fix memleak with FastCGI auth,resp (fixes #2894) + * [mod_alias] security: potential path traversal with specific configs + * [mod_wstunnel] quiet 32-bit compiler warnings + * [core] POLLRDHUP handling for transparent proxying + * [mod_redirect,mod_rewrite] support up to 19 match + * [core] add missing includes to quiet compiler warn + * [mod_redirect,mod_rewrite] base64url encoding opt + * [mod_rewrite] require rewrite result to begin '/' + * [core] security: use-after-free invalid Range req + * [core] reset var if FAMMonitorDirectory() fails + * [core] option to propagate TCP FIN to backend host + * mod_sockproxy - socket forwarding + * [core] workaround Coverity cov-build bug with gcc7 + * [build] add missing file for test_burl + * [core] quell insignificant coverity warning + * [core] extend server.http-parseopts + * [mod_alias] security: path traversal in mod_alias (in some use cases) (fixes #2898) + * [core] security: use-after-free after invalid Range request (fixes #2899) + +- 1.4.49 - 2018-03-11 + * [core] adjust offset if response header blank line + * [mod_accesslog] %{canonical,local,remote}p (fixes #2840) + * [core] support POLLRDHUP, where available (#2743) + * [mod_proxy] basic support for HTTP CONNECT method (#2060) + * [mod_deflate] fix deflate of file > 2MB w/o mmap + * [core] fix segfault if tempdirs fill up (fixes #2843) + * [mod_compress,mod_deflate] try mmap MAP_PRIVATE + * [core] discard from socket using recv MSG_TRUNC + * [core] report to stderr if errorlog path ENOENT (fixes #2847) + * [core] fix base64 decode when char is unsigned (fixes #2848) + * [mod_authn_ldap] fix mem leak when ldap auth fails (fixes #2849) + * [core] warn if mod_indexfile after dynamic handler + * [core] do not reparse request if async cb + * [core] non-blocking write() to piped loggers + * [mod_openssl] minor code cleanup; reduce var scope + * [mod_openssl] elliptic curve auto selection (fixes #2833) + * [core] check for path-info forward down path + * [mod_authn_ldap] auth with ldap referrals (fixes #2846) + * [core] code cleanup: separate physical path sub + * [core] merge redirect/rewrite pattern substitution + * [core] fix POST with chunked request body (fixes #2854) + * [core] remove unused func + * [doc] minor update to *outdated* doc + * [mod_wstunnel] fix for frames larger than 64k (fixes #2858) + * [core] fix 32-bit compile POST w/ chunked request body (#2854) + * [core] add include sys/poll.h on Solaris (fixes #2859) + * [core] fix path-info calculation in git master (fixes #2861) + * [core] pass array_get_element_klen() const array * + * [core] increase stat_cache abstraction + * [core] open additional fds O_CLOEXEC + * [core] fix CONNECT w strict header parsing enabled + * [mod_extforward] CIDR support for trusted proxies (fixes #2860) + * [core] re-enable overloaded backends w/ multi wkrs + * [autoconf] reduce minimum automake version to 1.13 + * [mod_auth] constant time compare plain passwords + * [mod_auth] check that digest realm matches config + * [core] fix incorrect hash algorithm impl + +- 1.4.48 - 2017-11-11 + * [mod_webdav] fix crash if stat fails, not ENOENT + * [core] fix build --disable-ipv6 (fixes #2832) + * [scons] Merge branch 'personal/stbuehler/scons-cleanup' + * [autobuild] Merge branch 'personal/stbuehler/autobuild-cleanup' + * [meson] new build system + * [core] fix var.CWD (regression in 1.4.46) (fixes #2835) + * [core] fix implicit wildcard IPv4 and IPv6 listen + * [autobuild] remove obsolete warning about mmap use + * [core] isolate sock_addr manipulation + * [stat_cache] remove debug code littered in file + * [core] cleanup unused ifndef + * [core] cleanup: consolidate FAM code in stat_cache + * [core] consolidate backend network write handlers + * [autobuild] allow sendfile() in cross-compile (fixes #2836) + * [core] quiet pedantic cc warning for excess comma + * [core] isolate backend fdevent handler defs + * [mod_openssl] error if ssl.engine in wrong section (fixes #2837) + * [core] fix lighttpd -1 one-shot graceful shutdown + * [mod_cgi] quiet trace if mod_cgi sends SIGTERM (fixes #2838) + * [build] fix link of test_configfile.c + * [core] quiet coverity false positive + * [mod_openssl] more pedantic check of return values + * [mod_openssl] allow specifying server cert chain (fixes #2692) + * [mod_openssl] ssl.openssl.ssl-conf-cmd (fixes #2758) + * [doc] NEWS - fix improper format line breaks + * [mod_authn_ldap] replace use of deprecated funcs + * [mod_authn_sasl] SASL auth (new) (fixes #2275) + * [mod_openssl] quiet trace from TCP probes (#2784) + * [core] fix dup typedef compiler warning + * [scons] fix various python2/3 incompatibilities + * [doc] fix doc/config/conf.d/fastcgi.conf example + +- 1.4.47 - 2017-10-22 + * [mod_authn_gssapi] needs -lcom_err under Darwin + * [core] stricter validation of request-URI begin + * [core] fix 1.4.46 regression in config match (fixes #2830) + * [core] normalize config addrs for != match (#2830) + * [core] normalize config addrs for eq and ne (#2830) + * [doc] use https:// URLs to .lighttpd.net resources + * [core] fix 1.4.46 regression in Last-Modified + +- 1.4.46 - 2017-10-21 + * [TLS] mark code that uses -lcrypto but not -lssl + * remove redundant calls to end-of-request hooks + * [mod_mysql_vhost] remove dev debug code + * [core] con interface for read/write; isolate SSL + * [core] new plugin hooks to help isolate SSL + * [mod_openssl] new module (preliminary layout) + * [core] move network_open_file_chunk() to chunk.c + * [mod_openssl] move openssl code into mod_openssl + * [mod_openssl] move openssl config into mod_openssl + * [core] move connection_read_cq() to connections.c + * [mod_geoip] call from handle_request_env hook + * [build] only mod_openssl depends on -lssl + * [mod_auth] enable optional authz if extern authn (fixes #2481) + * [mod_openssl] allow ssl.verifyclient on url paths (fixes #2245) + * [core] do not emit req/response hdrs w/ blank val + * [mod_setenv] directives to overwrite/remove hdrs (fixes #650, fixes #2295) + * [mod_secdownload] new directives modify hash path (fixes #646, fixes #1904) + * [core] move con throttling to connections-glue.c + * [core] support Expect: 100-continue with HTTP/1.1 (fixes #377, #1017, #1953, #2438) + * [mod_openssl] use TLS SNI to set host-based certs + * [mod_ssi] send #exec cmd="..." output to temp file + * [mod_scgi] tests/mod-scgi.t unit tests + * [mod_auth] support LDAP groups for HTTP auth (fixes #1817) + * [core] use getaddrinfo,inet_pton vs gethostbyname (fixes #2783) + * [mod_auth] LDAP escape username in DN and filters + * mod_vhostdb* (dbi,mysql,pgsql,ldap) (fixes #485, fixes #1936, fixes #2297) + * [mod_auth] have LDAP template replace '?' + * apply debian/patches/spelling.patch + * [core] permit connection-level state in modules + * [TLS] include <openssl/opensslv.h> in rand.c + * [core] config match w/ arbitrary HTTP request hdrs (fixes #1556) + * [mod_flv_streaming] add end pos param (fixes #1887) + * [core] X-LIGHTTPD-KBytes-per-second from backends (fixes #954) + * [core] improve accuracy of bandwidth write limits + * [core] quicker graceful shutdown + * [tests] remove unused file depending on CGI.pm + * [doc] doc/initscripts.txt (fixes #2782) + * [core] check issetugid() early in main() + * [core] combine duplicated getrlimit, network_init + * [core] move interval timer near worker event loop + * [core] initialize globals at top of main() + * [core] graceful restart with SIGUSR1 (fixes #2785) + * [mod_authn_mysql] fix minor memleak at shutdown + * [mod_rrdtool] no error if loaded but no config + * [doc] SIGUSR1 doc and lighttpd-angel SIGUSR1 + * [mime.conf] add text/markdown to utf-8 list, regenerate mime.conf + * [mod_cgi] RFC3875 CGI local-redir strict adherence (#2108) + * [mod_cgi] do not send "Status" back to client + * [core] add label for 308 Permanent Redirect + * [mod_openssl] inherit ssl.* from global scope + * [core] handle if backend sends Transfer-Encoding (#2786) + * [core] use kqueue in level-triggered mode (fixes #2788) + * [mod_fastcgi,mod_scgi] backend spawn EINTR retry (#2788) + * [core] config opt to intercept dynamic handler err (fixes #974) + * [core] set default server_tag in server.c + * [core] include lighttpd vers in server started msg + * [core] move version.h logic into server.c + * [core] issue trace if max-fds too large (fixes #2789) + * [mod_fastcgi,mod_scgi] consistent waitpid handling (fixes #2791) + * [mod_cgi] fix CGI local-redir w/ url.rewrite-once (fixes #2793) + * [mod_scgi] fix unused_procs bidirectional-links + * [mod_scgi] fix potential repeated use of proc->id + * [mod_fastcgi,mod_scgi] consolidate backend process accounting (#2788) + * [mod_cgi] status 200 OK if no hdrs (deprecated) (#2786) + * [core] fix regex condition subst w/ mod_extforward (fixes #2794) + * [tests] correct skip count for mod-scgi.t + * [mod_vhostdb_ldap] fix inverted logic (coverity) + * [mod_cgi] cgi.local-redir = [enable|disable] (#2108, #2793) + * [core] $REQUEST_HEADER[...] subsumes other config (#1556) + * [mod_usertrack] usertrack.cookie-attrs config opt (fixes #2795) + * [core] default server.max-fds=4096 if unspecified (#2789) + * update .gitignore, add .gitattributes + * [core] reduce con allocation for small max_conns + * [config] more specific checks for array lists + * [mod_authn_gssapi] needs -lcom_err under cygwin + * [mod_cgi,fastcgi,scgi,proxy] fix streaming response (fixes #2796) + * [mod_auth] Digest nonce on system with time <=1978 + * [doc] simple-vhost.debug takes an integer value (fixes #2797) + * [core] fix crash if invalid config file (fixes #2798) + * [core] remove unused member con->in_joblist + * [mod_proxy] remove use of con->got_response + * [core] consolidate dynamic handler response parse + * [core] remove now-unused buffer_search_string_len + * [mod_cgi] eliminate warning when compiled -Os + * [mod_scgi] do not reconnect after connect succeeds + * [tests] reduce time waiting for backends to start + * [core] server.syslog-facility (fixes #2800) + * [core] server.syslog-facility (use -1 for unset) (#2800) + * [core] allow overriding prior config values (fixes #2799) + * [mod_proxy] set Content-Length, if available + * [mod_proxy] set X-Forwarded-Host (fixes #418) + * [core] remove redundant Content-Length digit check + * [core] remove some unused header includes + * [core] use con->dst_addr_buf instead of ip recalc + * [core] include "fdevent.h" where needed + * [core] make stat_cache private to stat_cache.c + * [core] collect ioctl FIONREAD code + * [core] include <netdb.h> where needed + * [core] report file path when mkstemp() fails (fixes #2802) + * [core] export http_request_host_policy() for reuse + * [mod_extforward] simplify header search + * [mod_extforward] consolidate ipstr_to_sockaddr() + * [mod_extforward] upd scheme after ipstr validated + * [mod_extforward] rearrange code; prep Forwarded + * [mod_extforward] support Forwarded HTTP Extension (#2703) + * [mod_proxy] support Forwarded HTTP Extension (fixes #2703) + * [core] inet_pton(), inet_ntop() on (sock_addr *) + * [core] save connection-level proto in con->proto + * [mod_extforward] support HAProxy "PROXY" protocol (fixes #2804) + * [mod_extforward] fix typos in Forwarded handling + * [core] fix stat_cache initialization error + * [core] perf: stat_cache_mimetype_by_ext() + * [core] inet_ntop_cache now 4-element cache + * [mod_openssl] free local_send_buffer at exit + * [core] extend mimetype search w/o leading '.' + * [core] no SOCK_CLOEXEC on Linux kernel < 2.6.27 + * [core] inline simple buffer is empty checks + * [core] buffer_substr_replace() + * [core] sys-strings.h abstraction for strings.h + * [mod_proxy] fix backslash escaping + * [core] omit default port from normalized host str + * [core] fix build issue without ipv6 support + * [core] permit strings and integers in config array + * [mod_accesslog] flag high precision ts for %T (fixes #2807) + * [core] permit strings,ints,arrays in config array + * [core] calloc plugin_config for consistent init + * [mod_proxy] simple host/url mapping in headers (fixes #152) + * [mod_uploadprogress] handle query str progress ID (fixes #2808) + * [mod_fastcgi] consolidate backend read code + * [mod_proxy,mod_scgi] fix truncated error trace + * [core] skip socket shutdown() if con->fd negative + * [core] act as transparent proxy after con Upgrade + * [core] remove redundant resets of fde_ndx + * [core] configparser: fix resource handling in error cases (fixes #2809) + * [core] fix crash for invalid syntax in config file (fixes #2810) + * [core] prep mod transitions to transparent proxy + * [mod_proxy] basic support for Upgrade: websocket (fixes #2811) + * [mod_extforward] compile on OSX + * [core] set server.max-keep-alive-requests = 100 (fixes #2205) + * [core] perf: skip redundant strlen() if len known + * [core] optional condition in config "else" clause (fixes #1268) + * [mod_cgi] basic support for Upgrade: websocket + * [core] buffer to disk streaming to slow backends + * [core] silence compiler warnings if !HAVE_FORK + * [build] -Werror if --enable-extra-warnings=error + * [build] autotools use AC_PROG_CC_STDC macro + * [mod_openssl] ssl.ca-crl-file for CRL (fixes #2319) + * [mod_openssl] ssl.ca-dn-file (fixes #2694) + * [mod_proxy] fix typo identified by coverity + * [mod_openssl] ignore client verification error if not enforced + * [mod_openssl] fix compile with openssl 1.1.0 + * [mod_extforward] quiet clang compiler warning + * [mod_dirlisting] sort "../" to top of names + * [mod_openssl] safer_X509_NAME_oneline() (fixes #2693) + * [core] allow earlier plugin init for SSL/TLS + * [mod_openssl] adjust use of ssl.ca-dn-file + * [core] fix compiler warnings on Mac OS X + * [core] server.socket-perms to set perms on unix (fixes #656) + * [core] get port from sock_addr if AF_INET,AF_INET6 + * [core] server.error_handler_404 X-Sendfile ENOENT (#2474) + * [core] consolidate fork()/execve() code (#1393) + * [core] mv log_error_{open,cycle.close} to server.c + * [core] rename fd_close_on_exec() + * [core] remove unused includes of stat_cache.h + * [core] add missing include of stdlib.h + * [core] reduce exposure of unistd.h, other includes + * [core] sock_addr_from_str_hints reusable name res + * [core] continue collecting use of netdb.h + * [core] continue collecting use of netdb.h + * [core] continue collecting use of netdb.h + * [core] fdevent_connect_status() shared code + * [core] add const to reduce .data segment size + * [mod_proxy] move data_fastcgi into mod_proxy.c + * [mod_proxy] store address family at config time + * [mod_fastcgi] slightly simplify counters + * [mod_fastcgi] consolidate connect() error handling + * [mod_fastcgi] set request_id in fcgi_create_env() + * [mod_fastcgi] move delayed connect() into switch() + * [mod_fastcgi,mod_scgi] consistent connect() error + * [mod_scgi] remove unused parse_response member + * [mod_fastcgi,mod_scgi] struct member consistency + * [mod_fastcgi,mod_scgi] parse bin_path at startup + * [mod_fastcgi,mod_scgi] use temp buffer for cgi_env + * [core] shared code for socket backends + * [core] spread load on socket backend procs + * [core] store sockaddr for socket backend procs + * [core] resolve DNS at startup for socket backends + * [core] adaptive spawning for socket backend procs (fixes #1162) + * quell compiler warnings for -Wimplicit-fallthrough + * [doc] update README + * [core] fdevent_cycle_logger() + * [core] reap lighttpd worker pids precisely + * [core] restart piped loggers if they exit (fixes #1393) + * [mod_webdav] PROPFIND getetag attr must match GET + * [core] consistent behavior w/ and w/o SA_SIGINFO + * [core] do not remove pid-file in test mode + * [core] add public domain SHA1() if no crypto + * [mod_wstunnel] websocket tunnel to other protocol + * [core] forward SIGHUP only to lighttpd workers + * [mod_dirlisting] treat README and HEADER as paths (fixes #2818) + * [core] set one-shot mode fd O_NONBLOCK, FD_CLOEXEC + * [core] remove fdevent fcntl_set hook + * [mod_extforward] typo in comment + * [mod_cgi] add missing #include + * [core] fix invalid sizeof() identified by coverity + * [core] add missing #include + * [core] base_decls.h to quiet compiler warnings + * [core] set socket perms after bind, before listen + * [core] warn if backend server config contains '_' + * [mod_extforward] PROXY proto and SSL_CLIENT_VERIFY + * [core] workaround for AIX mmap define + * [mod_accesslog] flush access logs every 4 seconds + * [mod_cgi] fix bug to properly exec interpreter + * [mod_fastcgi] fix return when streaming min buffer + * [core] attempt to quiet coverity false positives + * [core] attempt to quiet coverity false positives + * [core] attempt to quiet compiler warning in LEDE + * [core] SIGCHLD handle_waitpid hook for modules + * [mod_rrdtool] handle_trigger returns HANDLER_GO_ON + * [mod_openssl] ssl.read-ahead="disable" for stream + * [mod_cgi] add FDEVENT_IN upon CGI exit + * [mod_cgi] omit cgi_handle_fdevent after proc exit + * [mod_webdav] check HAVE_UUID for -luuid + * [core] adjust li_rand_pseudo* interfaces + * [mod_wstunnel] fix config parsing bug + * [core] fdevent setsockopt() helper functions + * [core] make strftime_cache_get() 16-element cache + * [core] disable Nagle if streaming to backend + * [core] fix triggered assert on HTTP chunked input (fixes #2822) + * [mod_wstunnel] fix NULL ptr deref + * [algo_sha1] fix compile break and warnings + * [lemon] fix gcc implicit-fallthrough warning + * [core] URI scheme is case-insensitive + * [network] do not append port to unix socket paths + * [unittests] consolidate base64 test code + * [core] use sun_path for addr string for AF_UNIX (fixes #2826) + * [core] cleaner code; remove goto from network.c + * [core] /dev/stdin listener for inetd wait yes + * [core] compare listen addrs after DNS resolution + * [core] inline chunkqueue_is_empty() + * [core] limit use of TCP_CORK + * [core] return from http_response_read if small rd + * [core] gateways might Upgrade con before body read + * [mod_wstunnel] set Sec-WebSocket-Protocol if bin + * [mod_wstunnel] remove invalid appended '\0' + * [core] quiet coverity warning + * [core] handle fds pending close after poll timeout (fixes #2827) + * [core] fix $REQUEST_HEADER[...] parsing in config (#1556) + * [mod_dirlisting] custom js date parse func (fixes #2823) + * [core] remove fd interest if create_env returns + * [mod_openssl] copy data for larger SSL packets + * [mod_openssl] remove erroneous SSL_set_shutdown() + * [core] permit LF to end lines if !header-strict + * [core] add back REQUEST_SCHEME for backends + * [core] remove fdevent_sched_run from fdevent_libev (#2827) + * [mod_openssl] ssl.read-ahead="disable" by default + * [core] adjust parser for valid variable expansion + * [cmake] handle WITH_WEBDAV_LOCKS option + * [cmake] fix attr header detection and linking + * [cmake] link mod_cml with memcached + * [core] reproducible build: hide __DATE__ __TIME__ (fixes #2828) + * [core] perf: more efficient fdevent_sched_run() + * [core] translate DNS to IP str for cond socket cmp + +- 1.4.45 - 2017-01-14 + * [mod_cgi] skip local-redir handling if to self (fixes #2779, #2108) + * [mod_webdav] fix crash when plugin_ctx cleaned up (fixes #2780) + * [mod_fastcgi] detect child exit, restart proactively + * [mod_scgi] detect child exit, restart proactively + * [TLS] ssl.read-ahead = "disable" for low mem (fixes #2778) + +- 1.4.44 - 2016-12-24 + * [mod_scgi] fix segfault (fixes #2762) + * [mod_authn_gssapi] fix memory leak + * [config] warn if mod_authn_ldap,mysql not listed + * [mod_magnet] fix magnet_cgi_set() set of env vars (fixes #2763) + * [mod_cgi] FreeBSD 9.3/MacOSX does not have pipe2() (fixes #2765) + * [mod_extforward] fix crash on invalid IP (fixes #2766) + * [mod_fastcgi] fix segfault if all backends down (fixes #2768) + * [mod_cgi] fix out of sockets error for POST to CGI (fixes #2771) + * [mod_auth] compile fix for Mac OS X XCode (fixes #2772) + * [mod_authn_gssapi] better resource cleanup + * [core] compile fix for Mac OS X 10.6 (old) (fixes #2773) + * fix race in dynamic handler configs (reentrancy) (fixes #2774) + * [mod_authn_mysql] close mysql_conn in cleanup + * [mod_webdav] compile fix when locking not enabled + * load mod_auth & mod_authn_file in sample/test.conf + * comment out auth.backend.ldap.* in tests/*.conf + * [mod_fastcgi,mod_scgi] warn if invalid "bin-path" + * RAND_pseudo_bytes() is deprecated in openssl 1.1.0 + * openssl 1.1.0 init and cleanup + * [mod_cgi] remove direct calls to network_backend* + * [build] build network_*.c into lighttpd executable + * suggest inclusion of mod_geoip... before mod_ssi. + * set systemd settings similar to lighttpd2 + * [doc] remove reference to Linux rt-signals + * [mod_authn_gssapi] fix missing error ret, coverity + * [core] rename li_rand() to li_rand_pseudo_bytes() + * remove #include "stream.h" where not used + * [mod_cml] include lua headers before base.h + * [core] combine duplicated connection reset code + * [mod_ssi] produce content in subrequest hook + * [core] remove srv->entropy[] + * [core] defer li_rand_init() until first use + * [core] permit connection-level state in modules + * [mod_dirlisting] render dirlisting as HTML (fixes #2767) + * [mod_proxy] replace HTTP Host sent to backend (fixes #2770) + * [mod_ssi] basic recursive SSI include virtual (fixes #536) + * [mod_ssi] implement, ignore <!--#comment ... --> + * [core] consolidate duplicated read-to-close code + * [core] fix segfault when parsing a bad config file + * [core] support Transfer-Encoding: chunked req body (fixes #2156) + * [autobuild] set NO_RDYNAMIC=yes for midipix + * [mod_proxy] proxy.balance = "sticky" option (fixes #2117) + * [mod_secdownload] warn if SHA used w/o SSL crypto + * [build] compile fixes for AIX + * [build] check for pipe2() at configure time + * [mod_evhost] fix an incorrect error trace + * [tests] mark tests/docroot/www/*.pl scripts a+x + * [mod_cgi] fall back to pipe() if pipe2() fails + * fix SCons fullstatic build with glibc pthreads + * [TLS] openssl 1.1.0 makes SSL_OP_NO_SSLv2 no-op + +- 1.4.43 - 2016-10-31 + * [autobuild] remove mod_authn_gssapi dep on resolv + * [mod_deflate] ignore '*' in deflate.mimetypes + * [autobuild] omit module stubs when missing deps + * [TLS] openssl 1.1.0 hides struct bignum_st + * [autobuild] move http_cgi_ssl_env() for Mac OS X (fixes #2757) + * [core] use paccept() on NetBSD (replace accept4()) + * [TLS] remote IP conditions are valid for TLS SNI (fixes #2272) + * [doc] lighttpd-angel.8 (fixes #2254) + * [cmake] build fcgi-auth, fcgi-responder for tests + * [mod_accesslog] %{ratio}n logs compression ratio (fixes #2133) + * [mod_deflate] skip deflate if loadavg too high (fixes #1505) + * [mod_expire] expire by mimetype (fixes #423) + * [mod_evhost] partial matching patterns (fixes #1194) + * build: use CC_FOR_BUILD for lemon when cross-compiling + * [mod_dirlisting] config header and readme files + * [config] warn if mod_authn_ldap,mysql not listed + * fix FastCGI, SCGI, proxy reconnect on failure + * [core] network_open_file_chunk() temp file opt + * [mod_rewrite] add more info in error log msg + * [core] fix fd leak when using libev (fixes #2761) + * [core] fix potential streaming tempfile corruption (fixes #2760) + * [mod_scgi] fix prefix matching to always match url + * [autobuild] adjust Makefile.am for FreeBSD + * [build] move some build scripts to scripts/ + * [autotools] fix configure.ac for opensuse 13.2 + +- 1.4.42 - 2016-10-16 + * [TLS] SSL_shutdown() only if handshake finished + * [mod_proxy,mod_scgi] shutdown remote only if local (#2743) + * [core] check if client half-closed TCP if POLLHUP (#2743) + * [core] enforce wait for POLLWR after EINPROGRESS (fixes #2744) + * [core] do not enter handler twice after read body + * [core] proxy,scgi omit shutdown() to backend (fixes #2743) + * [mod_dirlisting] dirlist does not handle POST + * [mod_dirlisting] js column sort for dirlist table (fixes #613, fixes #2315) + * [mod_auth] Digest auth fails after rewrite (fixes #2745) + * [mod_auth] refactor out auth backend code + * [mod_auth] extensible interface for auth backends + * [core] better DragonFlyBSD support (fixes #2746) + * [mod_auth] include base.h for USE_OPENSSL def + * [mod_auth] support CRYPT-MD5-NTLM algorithm (fixes #1743) + * [mod_auth] terminate salt for CRYPT-MD5-NTLM + * [core] fix crash if ready events on abandoned fd (fixes #2748) + * [mod_auth] http_auth_md5_hex2bin() + * [mod_auth] remove empty mod_auth.h + * [mod_auth] mod_authn_mysql.c MySQL auth backend (fixes #752, fixes #1845) + * [mod_cgi] permit CGI exec of unreadable files (fixes #2374) + * [mod_uploadprogress] add to default build + * [mod_geoip] add to default build (fixes #2705, fixes #2101, fixes #2092, fixes #2025, fixes #1962, fixes #1938) + * [mod_fastcgi] Authorizer support with Responder (fixes #321, fixes #322) + * [tests] test coverage for issues (#321, #322) + * dynamic handlers store debug flag in handler_ctx + * [mod_fastcgi] allow authorizer, responder for same path/ext (#321) + * backport mod_deflate to lighttpd 1.4 (fixes #1824, fixes #2753) + * [autobuild] test_configfile might need vector.c (fixes #2752) + * [mod_deflate] fix longjmp clobber compiler warning + * remove unused array type TYPE_COUNT data_count + * [mod_auth] structured data, register auth schemes + * [mod_auth] mod_authn_gssapi Kerberos auth backend (fixes #1899) + * [autobuild] skip two new tests if no fcgi-auth + * [SCons] define with_krb5 for SCons build + * [SCons] fix syntax error in SConstruct + * [SCons] define with_geoip for SCons build + * [CMake] fix clang -Wcast-align warnings in lemon.c + * remove excess initializers (fix compiler warnings) + * fix errors detected by Coverity Scan + * performance: use Linux extended syscalls and flags + * [mod_scgi] add uwsgi protocol support + * [mod_auth] refactor LDAP code into smaller funcs + * [mod_auth] HTTP Basic auth backends also do authz (#1817) + * [mod_auth] ldap filter subst user for multiple '$' (fixes #1508) + * [mod_auth] permit specifying ldap DN; skip search (fixes #1248) + * [autobuild] update module/feature report + * [cmake] build mod_authn_gssapi if WITH_KRB5 + * [mod_auth] fix printing of IP in error trace + * [mod_mysql_vhost] support multiple '?' replacement (fixes #2163) + * [core] make server.max-request-size scopeable (#1901) + * [core] server.max-request-field-size (fixes #2130) + * [core] optional condition in config "else" clause (fixes #1268) + * [core] restrict where config "else" clauses occur (#1268) + * silence warnings from clang ccc-analyzer + * consistent, shared code to create CGI env + * [TLS] replace env entries in https_add_ssl_entries + * [TLS] set SSL_CLIENT_M_SERIAL w/ client cert SN (fixes #2268) + * [TLS] set SSL_CLIENT_VERIFY w/ client cert (#1288, #2693) + * [TLS] set SSL_PROTOCOL, SSL_CIPHER* (fixes #2511) + * [core] rand.[ch] to use better RNGs when available + * [mod_cgi] fix pipe_cloexec() when no O_CLOEXEC + * ignore return value from fcntl() FD_CLOEXEC + * build w/o compiler warnings if no zlib or bz2lib + +- 1.4.41 - 2016-07-31 + * remove long-deprecated, non-functional config opts + * [config] inherit server.use-ipv6 and server.set-v6only (fixes #678) + * [mod_auth] fix Digest auth to be better than Basic (fixes #1844) + * [mod_ssi] fix #config sizefmt="bytes" + * [autobuild] move inet_pton detection later + * [core] #include <sys/filio.h> for FIONREAD (fixes #2726) + * [autobuild] clock_gettime() -lrt with glibc < 2.17 + * [security] do not emit HTTP_PROXY to CGI env + * [build_cmake] clock_gettime() -lrt w/ glibc < 2.17 (fixes #2737) + * [core] avoid spurious trace and error abort + * [core] stay in CON_STATE_CLOSE until done with req + * [core] $HTTP["remoteip"] must handle IPv6 w/o [] + * [mod_status] show keep-alive status w/ text output (fixes #2740) + * do not set REDIRECT_URI in mod_magnet, mod_rewrite (#2738) + * revert 1.4.40 swap of REQUEST_URI, REDIRECT_URI (fixes #2738) + * [core] permit IPv6 address scope identifier + * [TLS] better handling of SSL_ERROR_WANT_READ/WRITE + * [TLS] read all available records from SSL_read() + * [core] try AF_INET after AF_INET6 if use-ipv6 + * [core] set chunkqueue tempdirs at startup + * [security] ensure gid != 0 if server.username set (fixes #2725) + * [security] disable stat_cache if !follow-symlink (fixes #2724) + * [core] fix buffer_copy_string_hex() assert (fixes #2742) + * [security] encode quoting chars in HTML and XML + * [cmake] always define _GNU_SOURCE + * [cmake] enable warnings for GCC and Clang + * [cmake] set cmake_minimum_required to 2.8.2 + +- 1.4.40 - 2016-07-16 + * [mod_ssi] enhance support for ssi vars (thx fbrosson) + * add handling for lua 5.2 and 5.3 (fixes #2674) + * use libmemcached instead of deprecated libmemcache + * add force_assert for more allocation results + * [mod_cgi] use MAP_PRIVATE to mmap temporary file (fixes #2715) + * [core] do not send SIGHUP to process group unless server.max-workers is used (fixes #2711) + * [mod_cgi] edge case chdir "/" when docroot "/" (fixes #2460) + * [mod_cgi] issue trace and exit if execve() fails (closes #2302) + * [configparser] don't continue after parse error (fixes #2717) + * [core] never evaluate else branches until the previous branches are ready (fixes #2598) + * [core] fix conditional cache handling + * [core] improve conditional enabling (thx Gwenlliana, #2598) + * [mod_compress] case-insensitive content-codings (fixes #2645) + * [plugins] don't include dlfcn.h if not needed (fixes #2548) + * [mod_fastcgi] 404 for X-Sendfile file not found (fixes #2474) + * [mod_cgi] send 500 if CGI ends and there is no response (fixes #2542) + * [mod_cgi] consolidate CGI cleanup code + * [mod_cgi] simplify mod_cgi_handle_subrequest() + * [mod_cgi] kill CGI if fail to write request body + * [mod_proxy] use case-insensitive comparision to filter headers, send Connection: Close to backend (fixes #421) + * [mod_dirlisting] dir-listing.hide-dotfiles = "enabled" by default (fixes #1081) + * [mod_secdownload] fix buffer overflow in secdl_verify_mac (reported by Fortify Open Review Project) + * [mod_fastcgi,mod_scgi] fix leaking file-descriptor when backend spawning failed (reported by Fortify Open Review Project) + * [core] improve array API to prevent memory leaks + * [core] refactor array search; raise array size limit to SSIZE_MAX + * [core] fix memory leak in configparser_merge_data + * [core] provide array_extract_element and use it + * [core] configparser: error on duplicate keys in array merge (fixes #2685) + * [core] more careful parse of $SERVER["socket"] config str (prepare #2204) + * [core] accept $SERVER["socket"] without port, use server.port as fallback (fixes #2204) + * [mod_magnet] define lua_pushglobaltable (for lua5.1) and use it (fixes #2719) + * [ssl] support disabling ssl.verifyclient.activate in SNI callback (fixes #2531) + * restart (some) syscalls after SIGCHLD interrupted them; should fix LDAP problems (fixes #2464) + * [core] log remote address on request timeouts (fixes #652) + * [autobuild] use AC_CANONICAL_HOST instead of AC_CANONICAL_TARGET (fixes #1866) + * [core] fix request_start in keep-alive requests to mark time when received first byte (fixes #2412) + * [core] truncate pidfile on exit (fixes #2695) + * consistent inclusion of config.h at top of files (fixes #2073) + * [core] add generic vector implementation + * [core] replace array weakref with vector + * [base64] fix crash due to broken force_assert + * [unittests] add test_buffer and test_base64 unit tests + * [buffer] refactor buffer_path_simplify (fixes #2560) + * validate return values from strtol, strtoul (fixes #2564) + * [mod_ssi] Add SSI vars SCRIPT_{URI,URL} and REQUEST_SCHEME (fixes #2721) + * [config] warn if server.upload-dirs has non-existent dirs (fixes #2508) + * [mod_proxy] accept LF delimited headers, not just CRLF (fixes #2594) + * [core] wait for grandchild to be ready when daemonizing (fixes #2712, thx pasdVn) + * [core] respond 411 Length Required if request has Transfer-Encoding: chunked (fixes #631) + * [core] fixed the loading for default modules if they are specified explicitly + * [core] lighttpd -tt performs preflight startup checks (fixes #411) + * [stat] mimetype.xattr-name global config option (fixes #2631) + * [mod_webdav] allow Depth: Infinity lock on file (fixes #2296) + * [mod_status] use snprintf() instead of sprintf() + * pass buf size to li_tohex() + * use li_[iu]tostrn() instead of li_[iu]tostr() + * [stream] fstat() after open() to obtain file size + * [core] clean up srv before exiting for lighttpd -[vVh] + * [mod_fastcgi,mod_scgi] check for spawning on same unix socket (fixes #319) + * [mod_cgi] always set QUERY_STRING (fixes #1339) + * [mod_auth] send charset="UTF-8" in WWW-Authenticate (fixes #1468) + * [mod_magnet] rename var for clarity (fixes #1483) + * [mod_extforward] reset cond_cache for scheme (fixes #1499) + * [mod_webdav] readdir POSIX compat (fixes #1826) + * [mod_expire] reset caching response headers for error docs (fixes #1919) + * [mod_status] page refresh option (fixes #2170) + * [mod_status] table w/ count of con states (fixes #2427) + * [mod_dirlisting] class for dir <tr> (fixes #2304) + * [core] define __STDC_WANT_LIB_EXT1__ (fixes #2722) + * [core] setrlimit max-fds <= rlim_max for non-root (fixes #2723) + * [mod_ssi] config ssi.conditional-requests + * [mod_ssi] config ssi.exec (fixes #2051) + * [mod_redirect,mod_rewrite] short-circuit if blank replacement (fixes #2085) + * [mod_indexfile] save physical path to env (fixes #448, #892) + * [core] open fd when appending file to cq (fixes #2655) + * [config] server.listen-backlog option (fixes #1825, #2116) + * [core] retry tempdirs on partial write, ENOSPC (fixes #2588) + * [core] compile with upcoming openssl 1.1.0 release (fixes #2727) + * [core] improve dynamic handler control flow logic + * [core] defer reading request body until handle subrequest (fixes #2541) + * [core] always poll for client POLLHUP/POLLERR events (fixes #399) + * [mod_fastcgi,mod_scgi,mod_proxy] handlers can read response before sending req body (fixes #131, #2566) + * [mod_cgi] asynchronous send of request body to CGI + * [core] compile with upcoming openssl 1.1.0 release (fixes #2727) + * [core] set REDIRECT_STATUS to error_handler_saved_status (fixes #1828) + * [core] server.error-handler new directive for error pages (fixes #2702) + * [core] support IPv6 in $HTTP["remote-ip"] CIDR cond match (fixes #2706) + * [core] http_response_send_file() shared code (#2017) + * [mod_fastcgi] use http_response_xsendfile() (fixes #799, fixes #851, fixes #2017, fixes #2076) + * [mod_scgi] X-Sendfile feature (fixes #2253) + * [mod_cgi] X-Sendfile feature (fixes #2313) + * [mod_webdav] lseek,read if fs can not mmap (#2666, fixes #962) + * [mod_compress] use mmap and trap SIGBUS (#2666, fixes #1879) + * fallback to lseek()/read() if mmap() fails (#fixes 2666) + * [mod_auth] skip blank lines and comment lines (fixes #2327) + * [core] fallback to write if sendfile not supported (fixes #471, #987) + * [core] preserve PATH_INFO case on case-insensitive fs (fixes #406) + * [mod_ssi, mod_cml] set DOCUMENT_ROOT to basedir (fixes #2383) + * [core] cmd line opt to shutdown after idle time limit (fixes #2696) + * [core] lighttpd -1 handles single request on stdin socket (fixes #1584) + * [mod_fastcgi,mod_scgi] IPv6 support (fixes #2372) + * [mod_status] add JSON output option (fixed #2432) + * [mod_webdav] map COPY/MOVE Destination to aliases (fixes #1787) + * [mod_webdav] improve PROPFIND,PROPPATCH (#1818, #1953) + * [core] reset response headers, write_queue for error docs + * build with libressl + * static build instructions using SCons or make + * [mod_auth] preserve WWW-Authenticate for error docs (fixes #2730) + * check close() return code after writing to file + * adjustments for openssl 1.1.0 pre-release + * [config] support include file glob (fixes #1221) + * [mod_evasive] 302 redirect option if limit reached (fixes #2199) + * [build] enhancements for cross-compiling (fixes #2276) + * [mod_accesslog] report aborted con state with %X (fixes #1890) + * [mod_ssi] fix SSI statement parser + * [mod_ssi] include relative to alias,userdir (fixes #222) + * [mod_ssi] add PCRE_* options to constrain regex + * [mod_ssi] more flexible quoting (fixes #1768) + * [core] wrap IPv6 literal in "[]" in redirect URL + * [mod_ssi] fix parse of tag across buf boundary (fixes #2732) + * [mod_cgi,mod_scgi] X-Sendfile sets file_started (fixes #2733) + * [mod_fastcgi] no chunked response w/ X-Sendfile (fixes #2733) + * [config] opts for http header parsing strictness (fixes #551, fixes #1086, fixes #1184, fixes #2143, #2258, #2281, fixes #946, fixes #1330, fixes #602, #1016) + * [config] normalize IP strings in lighttpd.conf + * [build_cmake] use MODULE on Mac OS X (fixes #1761) + * [config] server.bsd-accept-filter option + * [mod_webdav] create file w/ LOCK request if ENOENT + * [core] buffer large responses to tempfiles (fixes #758, fixes #760, fixes #933, fixes #1387, #1283, fixes #2083) + * [core] stream response to client (#949) + * [TLS] release openssl buffers as used (fixes #1265, fixes #1283, #881) + * [config] config options to stream request/response (#949, #376) + * [core] option to stream request body to backend (fixes #376) + * [core] option to stream response body to client (fixes #949, #760, #1283, #1387) + * drain backend socket/pipe bufs upon FDEVENT_HUP + * remove excess calls to joblist_append() + * defer choosing "Transfer-Encoding: chunked" + * asynchronous, bidirectional streaming options + * fix errors detected by Coverity Scan + * [cygwin] fix mod_proxy and mod_fastcgi ioctl use + * [mod_webdav] remove excess SQL param to UNLOCK + * graceful shutdown without unnecessary 1 sec delay + * [core] disable Nagle algorithm (TCP_NODELAY) + * [core] add declarations to fdevent.h (#2373) + * [tests] remove dependency on CGI.pm + * [TLS] fix return value checks during cert init + * [core] fix server.max-request-size to be precise (fixes #2131) + * [mod_webdav] fix proppatch mem leak, other fixes (#fixes 1334, #fixes 2000) + * [autobuild] CMake check for struct tm tm_gmtoff (fixes #2014) + * [mod_uploadprogress] fix mem leak (#1858) + * [core] make server.max-request-size scopeable (fixes #1901) + * [mod_fastcgi,mod_scgi] check for spawning on same unix socket (#319) + * [mod_accesslog] %a %A %C %D %k %{}t %{}T (fixes #1145, fixes #1415, fixes #2081) + * [mod_access] new directive url.access-allow (fixes #1421) + * [core] fdevent_libev: update use of ev_timer + * [mod_cgi] handle local redirect response (fixes #2108) + +- 1.4.39 - 2016-01-02 + * [core] fix memset_s call (fixes #2698) + * [chunk] fix use after free / double free (fixes #2700) + +- 1.4.38 - 2015-12-05 + * [stat-cache] fix handling of collisions, might have returned wrong data (fixes #2669) + * [core] allocate at least 4k buffer for incoming data + * [core] fix search for header end if split across chunks (fixes #2670) + * [core] check configparserAlloc() result with force_assert + * [mod_auth] implement and use safe_memclear, using memset_s or explicit_bzero if available (thx loganaden) + * [core] don't buffer request bodies smaller than 64k on disk + * add force_assert for many allocations and function results + * [mod_secdownload] use a hopefully constant time comparison to check hash (fixes #2679) + * [config] check config option scope; warn if server option is given in conditional + * [core] revert increase of temp file size back to 1MB, provide a configure option "server.upload-temp-file-size" instead (fixes #2680) + * [core] add '~' to safe characters in ENCODING_REL_URI/ENCODING_REL_URI_PART encoding + * [core] encode path with ENCODING_REL_URI in redirect to directory (fixes #2661, thx gstrauss) + * [mod_secdownload] add required algorithm option; old behaviour available as "md5", new options "hmac-sha1" and "hmac-sha256" + * [mod_fastcgi/mod_scgi] zero sockaddr structs before use (fixes #2691, thx Kyle J. McKay) + * [network] add darwin-sendfile backend (fixes #2687, thx Kyle J. McKay) + * [core] show correct crypt support result (fixes #2690, thx Kyle J. McKay) + +- 1.4.37 - 2015-08-30 + * [mod_proxy] remove debug log line from error log (fixes #2659) + * [mod_dirlisting] fix dir-listing.set-footer not showing + * fix out-of-filedescriptors when uploading "large" files (fixes #2660, thx rmilecki) + * increase upload temporary chunk file size from 1MB to 16MB + * fix undefined integer shift + * rewrite network sendfile/mmap/writev/write backends + * fix some unchecked return value warnings + * [kqueue] fix kevent call + * [autoconf] define HAVE_CRYPT when crypt() is present + * [bsd xattr] fix compile break with BSD extended attributes in stat_cache + * [mod_cgi] rewrite mmap and generic (post body) send error handling + * [mmap] fix mmap alignment + * [plugins] when modules are linked statically still only load the modules given in the config + * [mmap] handle SIGBUS in network; those get triggered if the file gets smaller during reading + * fix some warnings found by coverity ("leak" in setup phase, not catching too long unix socket paths in mod_proxy) + +- 1.4.36 - 2015-07-26 + * use keep-alive timeout while waiting for HTTP headers; use always the read timeout while waiting for the HTTP body + * fix bad shift in conditional netmask ".../0" handling + * add more mime types and a script to generate mime.conf (fixes #2579) + * add support for (Free)BSD extended attributes + * [build] use fortify flags with "extra-warnings" + * [mod_dirlisting,mod_redirect,mod_rewrite] abort config parsing if pcre-compile fails or isn't available + * [ssl] disable SSL3.0 by default + * fixed typo in example config found by openSUSE user (boo# 907709) + * [network] fix compile break in calculation of sockaddr_un size if SUN_LEN is not defined (fixes #2609) + * [connections] fix bug in connection state handling + * print backtrace in assert logging with libunwind + * major refactoring of internal buffer/chunk handling + * [mod_auth] use crypt_r instead of crypt if available + * fix error message for T_CONFIG_ARRAY config values if an entry value is not a string + * fix segfaults in many plugins if they failed configuration + * escape all strings for logging (fixes #2646 log file injection, reported by Jaanus Kääp) + * fix hex escape in accesslog (fixes #2559) + * show extforward re-run warning only with debug.log-request-handling (fixes #2561) + * parse If-None-Match for ETag validation (fixes #2578) + * fix memory leak in mod_status when no counters are set (found by coverity) + * [mod_magnet] fix segfault when accessing not existing lighty.req_env[] entry (found by coverity) + * fix segfault when temp file for upload couldn't be created (found by coverity) + * mime.conf: add some new mime types, remove .dat, .sha1, .md5, update .vcf + * [mod_proxy] add unix domain socket support (fixes #2653) + * [configfile] fix reading uninitialized variable (found by Willian B.) + +- 1.4.35 - 2014-03-12 + * [network/ssl] fix build error if TLSEXT is disabled + * [mod_fastcgi] fix use after free (only triggered if fastcgi debug is active) + * [mod_rrdtool] fix invalid read (string not null terminated) + * [mod_dirlisting] fix memory leak if pcre fails + * [mod_fastcgi,mod_scgi] fix resource leaks on spawning backends + * [mod_magnet] fix memory leak + * add comments for switch fall throughs + * remove logical dead code + * [buffer] fix length check in buffer_is_equal_right_len + * fix resource leaks in error cases on config parsing and other initializations + * add force_assert() to enforce assertions as simple assert()s are disabled by -DNDEBUG (fixes #2546) + * [mod_cml_lua] fix null pointer dereference + * force assertion: setting FD_CLOEXEC must work (if available) + * [network] check return value of lseek() + * fix unchecked return values from stream_open/stat_cache_get_entry + * [mod_webdav] fix logic error in handling file creation error + * check length of unix domain socket filenames + * fix SQL injection / host name validation (thx Jann Horn) + +- 1.4.34 - 2014-01-20 + * [mod_auth] explicitly link ssl for SHA1 (fixes #2517) + * [mod_extforward] fix compilation without IPv6, (not) using undefined var (fixes #2515, thx mm) + * [ssl] fix SNI handling; only use key+cert from SNI specific config (fixes #2525, CVE-2013-4508) + * [doc] update ssl.cipher-list recommendation + * [stat-cache] FAM: fix use after free (CVE-2013-4560) + * [stat-cache] fix FAM cleanup/fdevent handling + * [core] check success of setuid,setgid,setgroups (CVE-2013-4559) + * [ssl] fix regression from CVE-2013-4508 (client-cert sessions were broken) + * maintain physical.basedir (the "acting" doc-root as prefix of physical.path) in more places + * [core] decode URL before rewrite, enabling it to work in $HTTP["url"] conditionals (fixes #2526) + * [auto* build] remove -no-undefined from linker flags, as we actually link modules with undefined symbols (fixes #2533) + * [mod_mysql_vhost] fix memory leak on config init (#2530) + * [mod_webdav] fix fd leak found with parfait (fixes #2530, thx kukackajiri) + +- 1.4.33 - 2013-09-27 + * mod_fastcgi: fix mix up of "mode" => "authorizer" in other fastcgi configs (fixes #2465, thx peex) + * fix handling of If-Modified-Since if If-None-Match is present (don't return 412 for date parsing errors); + follow current draft for HTTP/1.1, which tells us to ignore If-Modified-Since if we have matching etags. + * [mod_fastcgi,log] support multi line logging (fixes #2252) + * call ERR_clear_error only for ssl connections in CON_STATE_ERROR + * reject non ASCII characters in HTTP header names + * [mod_auth] use crypt() on encrypted password instead of extracting salt first (fixes #2483) + * [mod_auth] add htpasswd -s (SHA1) support if openssl is used (needs openssl for SHA1). This doesn't use any salt, md5 with salt is probably better. + * [mod_auth] fix base64_decode (#2484) + * fix some bugs found with canalyze (fixes #2484, thx Zhenbo Xu) + * fix undefined stuff found with clang + * [cmake] Use TARGET_LINK_LIBRARIES instead of LINK_FLAGS for library dependencies, also add -Wl,--as-needed to extra warnings (fixes #2448) + * [mod_auth] fix invalid read in digest qop=auth-int handling (fixes #2478) + * [auto* build] simplify autogen.sh, handle automake 1.13 test running (fixes #2490) + * [mod_userdir] add userdir.active option, "enabled" by default + * [core] return 501 Not Implemented in static file mode for all methods except GET/POST/HEAD/OPTIONS + * [core] recognize more http methods to forward to backends (fixes #2346) + * [ssl] use DH only if openssl supports it (fixes #2479) + * [network] use constants available at compile time for maximum number of chunks for writev instead of calling sysconf (fixes #2470) + * [ssl] Fix $HTTP["scheme"] conditional, could be "http" for ssl connections if the ssl $SERVER["socket"] conditional was nested (fixes #2501) + * [ssl] accept ssl renegotiations if they are not disabled (fixes #2491) + * [ssl] add option ssl.empty-fragments, defaulting to disabled (fixes #2492) + * [auth] put REMOTE_USER into cgi environment, making it accessible to lua via lighty.req_env (fixes #2495) + * [auth] new method "extern" to use already present REMOTE_USER (from magnet, ssl, ...) (fixes #2436) + * [core] remove requirement that default doc-root has to exist, there are reasonable scenarios not requiring static files at all + * [core] check whether server.chroot exists + * [mod_simple_vhost] fix cache; skip module if simple-vhost.server-root is empty (thx rm for reporting) + * [mod_accesslog] add accesslog.syslog-level option (fixes #2480) + * [core] allow files to be used as document-root (fixes #2475) + * [core] set signal handlers before forking child processes in modules/plugins_call_set_defaults (fixes #2502) + +- 1.4.32 - 2012-11-21 + * Code cleanup with clang/sparse (fixes #2437, thx kibi) + * Ignore EPIPE/ECONNRESET after SSL_shutdown + * Handle ENAMETOOLONG, return 404 Not Found (fixes #2396, thx dererkazo) + * configure.ac: remove old stuff, add some new to fix warnings in automake 1.12 (fixes #2419, thx blino) + * add PATCH method (fixes #2424) + * fix :port handling in $HTTP["host"] checks (fixes #2135. thx liming) + * network_server_init: fix double free and memleak on error (fixes #2440, thx kyprizel) + * detect "x-gzip"/"x-bzip2" as separate encodings, more strict encoding matching (fixes #2443) + * tests: make sure mod_proxy doesn't leave running processes (fixes #2435, thx kibi) + * mod_extforward: log address of untrusted proxy with debug.log-request-handling + * fix DoS in Connection header value split (reported by Jesse Sipprell, CVE-2012-5533) + * remove whitespace at end of header keys + +- 1.4.31 - 2012-05-31 + * [ssl] fix segfault in counting renegotiations for openssl versions without TLSEXT/SNI (thx carpii for reporting) + * Move fdevent subsystem includes to implementation files to reduce conflicts (fixes #2373) + * [mod_compress] fix handling if etags are disabled but cache-dir is set - may lead to double response + * disable mmap by default (fixes #2391) + * buffer_caseless_compare: always convert letters to lowercase to get transitive results, fixing array lookups (fixes #2405) + * Fix handling of empty header list entries in http_request_split_value, fixing invalid read in valgrind (fixes #2413) + * Fix access log escaping of " and \\ (fixes #1551) + * [mod_auth] Fix digest "md5-sess" implementation (Errata ID 1649, RFC 2617) (fixes #2410) + * [auth] Add "AUTH_TYPE" environment (for *cgi), remove fastcgi specific workaround, add fastcgi test case (fixes #889) + * [mod_*cgi,mod_accesslog] Fix splitting :port with ipv6 (fixes #2333, thx simoncpu) + * Detect multiple -f options: show error message instead of assert (fixes #2416) + * [mod_extforward] Support ipv6 addresses (fixes #1889) + * [mod_redirect] Support url.redirect-code option (fixes #2247) + * Fix --enable-mmap handling in configure.ac + +- 1.4.30 - 2011-12-18 + * Always use our 'own' md5 implementation, fixes linking issues on MacOS (fixes #2331) + * Limit amount of bytes we send in one go; fixes stalling in one connection and timeouts on slow systems. + * [ssl] fix build errors when Elliptic-Curve Diffie-Hellman is disabled + * Add static-file.disable-pathinfo option to prevent handling of urls like .../secret.php/image.jpg as static file + * Don't overwrite 401 (auth required) with 501 (unknown method) (fixes #2341) + * Fix mod_status bug: always showed "0/0" in the "Read" column for uploads (fixes #2351) + * [mod_auth] Fix signedness error in http_auth (fixes #2370, CVE-2011-4362) + * [ssl] count renegotiations to prevent client renegotiations + * [ssl] add option to honor server cipher order (fixes #2364, BEAST attack) + * [core] accept dots in ipv6 addresses in host header (fixes #2359) + * [ssl] fix ssl connection aborts if files are larger than the MAX_WRITE_LIMIT (256kb) + * [libev/cgi] fix waitpid ECHILD errors in cgi with libev (fixes #2324) + +- 1.4.29 - 2011-07-03 + * Fix mod_proxy waiting for response even if content-length is 0 (fixes #2259) + * Silence annoying "connection closed: poll() -> ERR" error.log message (fixes #2257) + * mod_cgi: make read buffer as big as incoming data block + * [build] Fix detection of libev (fixes #2300) + * ssl: Support for Diffie-Hellman and Elliptic-Curve Diffie-Hellman key exchange (fixes #2301) + add ssl.use-sslv3 (fixes #2246) + load all algorithms (fixes #2239) + * [ssl/md5] prefix our own md5 implementation with li_ so it doesn't conflict with the openssl one (fixes #2269) + * [ssl/build] some minor fixes; fix compile without ssl, cleanup ssl config buffers + * [proc,include_shell] log error if exec shell fails (fixes #2280) + * [*cgi] Use physical base dir (alias, userdir) as DOCUMENT_ROOT in cgi environments (fixes #2216) + * [doc] Move docs to outdated/ subdir and refer to wiki instead (fixes #2248) + * fdevent: add solaris eventports (fixes #2171) + +- 1.4.28 - 2010-08-22 + * Rename fdevent_event_add to _set to reflect what the function does. Fix some handlers. (fixes #2249) + * Fix buffer.h to include stdio.h as it is needer for SEGFAULT() (fixes #2250) + +- 1.4.27 - 2010-08-13 + * Fix handling return value of SSL_CTX_set_options (fixes #2157, thx mlcreech) + * Fix mod_proxy HUP handling (send final chunk, fix usage counter) + * mod_proxy: close connection on write error (fixes #2114) + * Check uri instead of physical path for directory redirect + * Fix detecting git repository (fixes #2173, thx ncopa) + * [mod_compress] Fix segfault when etags are disabled (fixes #2169) + * Reset uri.authority before TLS servername handling, reset all "keep-alive" data in connection_del (fixes #2125) + * Print double quotes properly when dumping config file (fixes #1806) + * Include IP addresses on error log on password failures (fixes #2191) + * Fix stalls while reading from ssl sockets (fixes #2197) + * Fix etag formatting on boxes with 32-bit longs + * Fix two compiler warnings + * mod_accesslog: fix %p for ipv6 sockets (fixes #2228, thx jo.henke) + * mod_fastcgi: Send 502 "Bad Gateway" if we couldn't open the file for X-Sendfile (fixes #2226) + * mod_staticfile: add debug output if we ignore a file with static-file.exclude-extensions (fixes #2215) + * mod_cgi: fix race condition leaving response not forwarded to client (fixes #2217) + * mod_accesslog: Fix var declarations mixed in source (fixes #2233) + * mod_status: Add version to status page (fixes #2219) + * mod_accesslog: optimize accesslog_append_escaped (fixes #2236, thx crypt) + * openssl: silence annoying error messages for errno==0 (fixes #2213) + * array.c: improve array_get_unused_element to check data type; fix mem leak if unused_element didn't find a matching entry (fixes #2145) + * add check to stop loading plugins twice + * cleanup fdevent code, removed linux-rtsig handler, replaced some fprintf calls + * only require FDEVENT_IN bit to be set for listening connections (fixes #2227) + * add libev fdevent handler: server.event-handler = "libev" + * mod_proxy: return response as soon as it is available (fixes #2196) + * don't overwrite global server.force-lowercase-filenames setting (fixes #2042) + * bind to IPV6-only if ipv6 address was specified (https://redmine.lighttpd.net/projects/lighttpd/wiki/IPv6-Config) + +- 1.4.26 - 2010-02-07 + * Fix request parser to handle packets with splitted \r\n\r\n (fixes #2105) + * Remove dependency on automake >= 1.11 with m4_ifdef check + * mod_accesslog: support %e (fixes #2113, thx presbrey) + * Fix mod_cgi cgi.execute-x-only option in global block + * mod_fastcgi: x-sendfile2 parse error debugging + * Fix mod_proxy dead host detection if connect() fails + * Fix fd leaks in mod_cgi (fds not closed on pipe/fork failures, found by Rodrigo, fixes #2158, #2159) + * Fix segfault with broken rewrite/redirect patterns (fixes #2140, found by crypt) + * Append to previous buffer in con read, fix DoS/OOM vulnerability (fixes #2147, found by liming, CVE-2010-0295) + * Fix HUP detection in close-state if event-backend doesn't support FDEVENT_HUP (like select or poll on FreeBSD) + +- 1.4.25 - 2009-11-21 + * mod_magnet: fix pairs() for normal tables and strings (fixes #1307) + * mod_magnet: add traceback for printing lua errors + * mod_rewrite: fix compile error if compiled without pcre + * disable warning "CLOSE-read" (fixes #2091) + * mod_rrdtool: fix creating file if it doesn't exist (#1788) + * reset tlsext_server_name in connection_reset - fixes random hostnames in the $HTTP["host"] conditional + * export some SSL_CLIENT_* vars for client cert validation (fixes #1288, thx presbrey) + * mod_fastcgi: fix mod_fastcgi packet parsing + * mod_fastcgi: Don't reconnect after connect() succeeded (fixes #2096) + * Fix configure.ac to allow autoreconf, also enables make V=0 + +- 1.4.24 - 2009-10-25 + * Add T_CONFIG_INT for bigger integers from the config (needed for #1966) + * Use unsigned int (and T_CONFIG_INT) for max_request_size + * Use unsigned int for secdownload.timeout (fixes #1966) + * Keep url/host values from connection to display information while keep-alive in mod_status (fixes #1202) + * Add server.breakagelog, a "special" stderr (fixes #1863) + * Fix config evaluation for debug.log-timeouts option (#1529) + * Add "cgi.execute-x-only" to mod_cgi, requires +x for cgi scripts (fixes #2013) + * Fix FD_SETSIZE comparision warnings + * Add "lua-5.1" to searched pkg-config names for lua + * Fix unused function webdav_lockdiscovery in mod_webdav + * cmake: Fix crypt lib check + * cmake: Add -export-dynamic to link flags, fixes build on FreeBSD + * Set FD_CLOEXEC for bound sockets before pipe-logger forks (fixes #2026) + * Reset ignored signals to SIG_DFL before exec() in fastcgi/scgi (fixes #2029) + * Show "no uri specified -> 400" error only when "debug.log-request-header-on-error" is enabled (fixes #2030) + * Fix hanging connection in mod_scgi (fixes #2024) + * Allow digits in hostnames in more places (fixes #1148) + * Use connection_reset instead of handle_request_done for cleanup callbacks + * Change mod_expire to append Cache-Control instead of overwriting it (fixes #1997) + * Allow all comparisons for $SERVER["socket"] - only bind for "==" + * Remove strptime failed message (fixes #2031) + * Fix issues found with clang analyzer + * Try to fix server.tag issue with localized svnversion + * Fix handling network-write return values (#2024) + * Use disable-time in fastcgi for all disables after errors, default is 1sec (fixes #2040) + * Remove adaptive spawning code from fastcgi (was disabled for a long time) + * Allow mod_mysql_vhost to use stored procedures (fixes #2011, thx Ben Brown) + * Fix ipv6 in mod_proxy (fixes #2043) + * Print errors from include_shell to stderr + * Set tm.tm_isdst = 0 before mktime() (fixes #2047) + * Use linux-epoll by default if available (fixes #2021, thx Olaf van der Spek) + * Print an error if you use too many captures in a regex pattern (fixes #2059) + * Combine Cache-Control header value in mod_expire to existing HTTP header if header already added by other modules (fixes #2068) + * Remember keep-alive-idle in separate variable (fixes #1988) + * Fix header inclusion order, always include "config.h" before any system header + * mod_webdav: Patch to skip login information for domain part of Destination field (fixes #1793) + * mod_webdav: Delete old properties before updating new for MOVE (fixes #1317) + * Read hostname from absolute uris in the request line (fixes #1937) + * mod_fastcgi: don't disable backend if disable-time is 0 (fixes #1825) + * mod_compress: match partial+full content-type (fixes #1552) + * mod_fastcgi: fix is_local detection, respawn backends if bin-path is set (fixes #897) + * Fix linger-on-close behaviour to avoid rare failure conditions (was r2636, fixes #657) + * mod_fastcgi: restart local procs immediately after they terminated, fix local procs handling + * Fix segfault on invalid config "duplicate else conditions" (fixes #2065) + * mod_usertrack: Use T_CONFIG_INT for max-age, solves range problem (#1455) + * mod_accesslog: configurable timestamp logging (fixes #1479) + * always define _GNU_SOURCE + * Add some iterators for mod_magnet (fixes #1307) + * Fix close_timeout_ts trigger (should finally fix lingering close) + * mod_rewrite: add url.rewrite-[repeat-]if-not-file to rewrite if file doesn't exist or is not a regular file (fixes #985, thx lucas aerbeydt) + * Add TLS servername indication (SNI) support (fixes #386, thx Peter Colberg <peter@colberg.org>) + * Add SSL Client Certificate verification (#1288) + * mod_fastcgi: Fix host->active_procs counter, return 503 if connect wasn't successful after 5 tries (fixes #1825) + * mod_accesslog: escape special characters (fixes #1551, thx icy) + * fix mod_webdav crash from #1793 (fixes #2084, thx hiroya) + * Don't print ssl error if client didn't support TLS SNI + * Fix linger close timeout handling, drop timeout to 5 seconds (fixes #2086) + * Fix broken return values from int to enum in mod_fastcgi + +- 1.4.23 - 2009-06-19 + * Added some extra warning options in cmake and fix the resulting warnings (unused/static functions) + * New lighttpd man page (moved it to section 8) (fixes #1875) + * Create rrd file for empty rrdfile in mod_rrdtool (#1788) + * Fix workaround for incorrect path info/scriptname if fastcgi prefix is "/" (fixes #729) + * Finally removed spawn-fcgi + * Allow xattr to overwrite mime type (fixes #1929) + * Remove link from errormsg about fastcgi apps (fixes #1942) + * Strip trailing dot from "Host:" header + * Remove the optional port info from SERVER_NAME (thx Mr_Bond) + * Fix mod_proxy RoundRobin (off by one problem if only one backend is up) + * Rename configure.in to configure.ac, with small cleanups (fixes #1932) + * Add proper SUID bit detection (fixes #416) + * Check for regular file in mod_cgi, so we don't try to start directories + * Include mmap.h from chunk.h to fix some problems with #define mmap mmap64 (fixes #1923) + * Add support for pipe logging for server.errorlog (fixes #296) + * Add revision number to package version for svn/git checkouts + * Use server.tag for SERVER_SOFTWARE if configured (fixes #357) + * Fix trailing zero char in REQUEST_URI after "strip-request-uri" in mod_fastcgi + * mod_magnet: Add env["request.remote-ip"] (fixes #1740) + * mod_magnet: Add env["request.path-info"] + * Change name/version separator back to "/" (affects every place where the version is printed) + * Fix bug with FastCGI request id overflow under high load; just use always id 1 as we don't use multiplexing. (thx jgray) + * Add some dirlisting enhancements (fixes #1458) + * Add option to enable TCP_DEFER_ACCEPT (fixes #1447) + * Limit amount of bytes read for one read-event (fixes #1070) + * Add evasive.silent option (fixes #1438) + * Make mod_extforward headers configurable (fixes #1545) + * Add '%_' pattern for complete hostname in mod_evhost (fixes #1737) + * Add IPv6 support to mod_proxy (fixes #1537) + * mod_ssi printenv: print cgi env, add environment vars to cgi env (fixes #1713) + * Fix error message if no auth backend was set + * Fix SERVER_NAME port stripping (fixes #1968) + * Fix x-sendfile 2gb limiting (fixes #1970) + * Fix mod_cgi environment keys mangling (fixes #1969) + * Fix workaround for incorrect path info/scriptname if scgi prefix is "/" (fixes #729) + * Fix max-age value in mod_expire for 'modification' (fixes #1978) + * Fix evasive.silent option (#1438) + * Fix mod-fastcgi counters + * Modify fastcgi error message + * Backup errno for later usage (reported by Guido Reina via mailinglist) + * Improve FastCGI performance (fixes #1999) + * Workaround broken operating systems: check for trailing '/' in filenames (fixes #1989) + * Allow using pcre with cross-compiling (pcre-config got fixed; fixes #1986) + * Add "lighty.req_env" table to mod_magnet for setting/getting environment values for cgi (fixes #1967, thx presbrey) + * Fix segfault in mod_expire after failed config parsing (fixes #1992) + * Add ssi.content-type option (default text/html, fixes #615) + * Add support for "real" entropy from /dev/[u]random (fixes #1977) + * Adding support for additional chars in LDAP usernames (fixes #1941) + * Ignore multiple "If-None-Match" headers (only use first one, fixes #753) + * Fix 100% cpu usage if time() < 0 (thx to gaspa and cate, fixes #1964) + * Allow max-keep-alive-requests to depend on conditional (fixes #1881) + * Make dependency on svnversion/git optional (for devel versionstamp, fixes #2009) + +- 1.4.22 - 2009-03-07 + * Fix wrong lua type for CACHE_MISS/CACHE_HIT in mod_cml (fixes #533) + * Fix default vhost in mod_simple_vhost (fixes #1905) + * Handle EINTR in mod_rrdtool (fixes #604) + * Fix rrd error after graceful restart (fixes #419) + * Fix EAGAIN handling for freebsd sendfile (fixes #1913, thx AnMaster for spotting the problem) + * Fix segfault in mod_scgi (fixes #1911) + * Treat EPIPE as connection-closed error in network_freebsd_sendfile.c (another fix from #1913) + * Fix useless redirection of stderr in mod_rrdtool, as it gets redirected to /dev/null later. (fixes #1922) + * Fix some problems with more strict compilers (#1923) + * Fix segfault if siginfo_t* is NULL in sigaction handler (fixes #1926) + +- 1.4.21 - 2009-02-16 + + * Fix base64 decoding in mod_auth (#1757, thx guido) + * Fix mod_cgi segfault when bound to unix domain socket (#653) + * Do not rely on ioctl FIONREAD (#673) + * Now really fix mod auth ldap (#1066) + * Fix leaving zombie process with include_shell (#1777) + * Removed debian/, openwrt/ and cygwin/; they weren't kept up-to-date, and we decided to remove dist. specific stuff + * Try to convert string options to shorts for numeric options in config file; allows to use env-vars for numeric options. (#1159, thx andrewb) + * Do not cache default vhost in mod_simple_vhost (#709) + * Trust pcre-config, do not check for pcre manually (#1769) + * Fix fastcgi authorization in subdirectories with check-local=disabled; don't split pathinfo for authorizer. (#963) + * Add possibility to disable methods in mod_compress (#1773) + * Fix duplicate connection keep-alive/transfer-encoding headers (#960) + * Fixed fix for round-robin in mod_proxy (forgot to increment the index) (#1715) + * Fix fastcgi-authorizer handling; Status: 200 is now accepted as the doc requests + * Compare address family in inet_ntop_cache + * Revert CVE-2008-4359 (#1720) fix "encoding+simplifying urls for rewrite/redirect": too many regressions. + * Use FD_CLOEXEC if possible (fixes #1821) + * Optimized buffer usage in mod_proxy (fixes #1850) + * Fix uninitialized value in time struct after strptime + * Do not pass Proxy-Connection: header from client to backend http server in mod_proxy (#1877) + * Fix wrong malloc sizes in mod_accesslog (probably nothing bad happened...) (fixes #1855, thx ycheng) + * Some small buffer.c fixes (closes #1837) + * Remove floating point math from server.c (fixes #1402) + * Disable SSLv2 by default + * Use/enforce sane max-connection values (fixes #1803) + * Allow mod_compress to return 304 (Not Modified); compress ignores the static-file.etags option.(fixes #1884) + * Add option to ignore the "Expect: 100-continue" header instead of returning 417 Expectation failed (closes #1017) + * Use modified etags in mod_compress (fixes #1800) + * Fix max-connection limit handling/100% cpu usage (fixes #1436) + * Fix error handling in freebsd-sendfile (fixes #1813) + * Silenced the annoying "request timed out" warning, enable with the "debug.log-timeouts" option (fixes #1529) + * Allow tabs in header values (fixes #1822) + * Added Language conditional (fixes #1119); patch by petar + * Fix wrong format strings (#1900, thx stepancheg) + +- 1.4.20 - 2008-09-30 + + * Fix mod_compress to compile with old gcc version (#1592) + * Fix mod_extforward to compile with old gcc version (#1591) + * Update documentation for #1587 + * Fix #285 again: read error after SSL_shutdown (thx marton.illes@balabit.com) and clear the error queue before some other calls (CVE-2008-1531) + * Fix mod_magnet: enable "request.method" and "request.protocol" in lighty.env (#1308) + * Fix segfault for appending matched parts if there was no regex matching (just give empty strings) (#1601) + * Use data_response_init in mod_fastcgi x-sendfile handling for response.headers, fix a small "memleak" (#1628) + * Don't send empty Server headers (#1620) + * Fix conditional interpretation of core options + * Enable escaping of % and $ in redirect/rewrite; only two cases changed their behaviour: "%%" => "%", "$$" => "$" + * Fix accesslog port (should be port from the connection, not the "server.port") (#1618) + * Fix mod_fastcgi prefix matching: match the prefix always against url, not the absolute filepath (regardless of check-local) + * Overwrite Content-Type header in mod_dirlisting instead of inserting (#1614), patch by Henrik Holst + * Handle EINTR in mod_cgi during write() (#1640) + * Allow all http status codes by default; disable body only for 204,205 and 304; generate error pages for 4xx and 5xx (#1639) + * Fix mod_magnet to set con->mode = p->id if it generates content, so returning 4xx/5xx doesn't append an error page + * Remove lighttpd.spec* from source, fixing all problems with it ;-) + * Do not rely on PATH_MAX (POSIX does not require it) (#580) + * Disable logging to access.log if filename is an empty string + * Implement a clean way to open /dev/null and use it to close stdin/out/err in the needed places (#624) + * merge spawn-fcgi changes from trunk (from @2191) + * let spawn-fcgi propagate exit code from spawned fcgi application + * close connection after redirect in trigger_b4_dl (thx icy) + * close connection in mod_magnet if returned status code + * fix bug with IPv6 in mod_evasive (#1579) + * fix scgi HTTP/1.* status parsing (#1638), found by met@uberstats.com + * [tests] fixed system, use foreground daemons and waitpid + * [tests] removed pidfile from test system + * [tests] fixed tests needing php running (if not running on port 1026, search php in env[PHP] or /usr/bin/php-cgi) + * fixed typo in mod_accesslog (#1699) + * replaced buffer_{append,copy}_string with the _len variant where possible (#1732) (thx crypt) + * case insensitive match for secdownload md5 token (#1710) + * Handle only HEAD, GET and POST in mod_dirlisting (same as in staticfile) (#1687) + * fixed mod_secdownload problem with unsigned time_t (#1688) + * handle EAGAIN and EINTR for freebsd sendfile (#1675) + * Use filedescriptor 0 for mod_scgi spawn socket, redirect STDERR to /dev/null (#1716) + * fixed round-robin balancing in mod_proxy (#1715) + * fixed EINTR handling for waitpid in mod_fastcgi + * mod_{fast,s}cgi: overwrite environment variables (#1722) + * inserted many con->mode checks; they should prevent two modules to handle the same request if they shouldn't (#631) + * fixed url encoding to encode more characters (#266) + * allow digits in [s]cgi env vars (#1712) + * fixed dropping last character of evhost pattern (#161) + * print helpful error message on conditionals in global block (#1550) + * decode url before matching in mod_rewrite (#1720) -- (reverted for 1.4.21) + * fixed conditional patching of ldap filter (#1564) + * Match headers case insensitive in response (removing of X-{Sendfile,LIGHTTPD-*}, catching Date/Server) [2281] + * fixed bug with case-insensitive filenames in mod_userdir (#1589), spotted by "anders1" (CVE-2008-4360) + * fixed format string bugs in mod_accesslog for SYSLOG + * replaced fprintf with log_error_write in fastcgi debug + * fixed mem leak in ssi expression parser (#1753), thx Take5k + * hide some ssl errors per default, enable them with debug.log-ssl-noise (#397) + * do not send content-encoding for 304 (#1754), thx yzlai + * fix segfault for stat_cache(fam) calls with relative path (without '/', can be triggered by x-sendfile) (#1750) + * fix splitting of auth-ldap filter + * workaround ldap connection leak if a ldap connection failed (restarting ldap) + * fix auth.backend.ldap.bind-dn/pw problems (only read from global context for temporary ldap reconnects, thx ruskie) + * fix memleak in request header parsing (#1774, thx qhy) (CVE-2008-4298) + * fix mod_rewrite memleak/endless loop detection (#1775, thx phy - again!) + * use decoded url for matching in mod_redirect (#1720) (CVE-2008-4359) -- (reverted for 1.4.21) + +- 1.4.19 - 2008-03-10 + + * added support for If-Range: <date> (#1346) + * added support for matching $HTTP["scheme"] in configs + * fixed initgroups() called after chroot (#1384) + * fixed case-sensitive check for Auth-Method (#1456) + * execute fcgi app without /bin/sh if used as argument to spawn-fcgi (#1428) + * fixed a bug that made /-prefixed extensions being handled also when + matching the end of the uri in fcgi,scgi and proxy modules (#1489) + * print error if X-LIGHTTPD-send-file cannot be done; reset header + Content-Length for send-file. Patches by Stefan Buehler + * prevent crash in certain php-fcgi configurations (#841) + * add IdleServers and Scoreboard directives in ?auto mode for mod_status (#1507) + * open log immediately after daemonizing, fixes SIGPIPEs on startup (#165) + * HTTPS env var should be "on" when using mod_extforward and the X-Forwarded-Proto header is set. (#1499) + * generate ETag and Last-Modified headers for mod_ssi based on newest modified include (#1491) + * support letterhomes in mod_userdir (#1473) + * support chained proxies in mod_extforward (#1528) + * fixed bogus "cgi died ?" if we kill the CGI process on shutdown + * fixed ECONNRESET handling in network-openssl + * fixed handling of EAGAIN in network-linux-sendfile (#657) + * reset conditional cache (#1164) + * create directories in mod_compress (was broken with alias/userdir) (#1027) + * fixed out of range access in fd array (#1562, #372) (CVE-2008-0983) + * mod_compress should check if the request is already handled, e.g. by fastcgi (#1565) + * remove broken workaround for buggy Opera version with ssl/chunked encoding (#285) + * generate etag/last-modified header for on-the-fly-compressed files (#1171) + * req-method OPTIONS: do not insert default response if request was denied, do not deny OPTIONS by default (#1324) + * fixed memory leak on windows (#1347) + * fixed building outside of the src dir (#1349) + * fixed including of stdint.h/inttypes.h in etag.c (#1413) + * do not add Accept-Ranges header if range-request is disabled (#1449) + * log the ip of failed auth tries in error.log (enhancement #1544) + * fixed RoundRobin in mod_proxy (#516) + * check for symlinks after successful pathinfo matching (#1574) + * fixed mod-proxy.t to run with a builddir outside of the src dir + * do not suppress content on "307 Temporary Redirect" (#1412) + * fixed Content-Length header if response body gets removed in connections.c (#1412, part 2) + * do not generate a "Content-Length: 0" header for HEAD requests, added test too + * remove compress cache file if compression or write failed (#1150) + * fixed body handling of status 300 requests + * spawn-fcgi: only try to connect to unix socket (not tcp) before spawning (#1575) + * fix sending source of cgi script instead of 500 error if fork fails (CVE-2008-1111) + * fix min-procs handling in mod_scgi.c, just set to max-procs (patch from #623) + * fix sending "408 - Timeout" instead of "410 - Gone" for timedout urls in mod_secdownload (#1440) + * workaround #1587: require userdir.path to be set to enable mod_userdir (empty string allowed) (CVE-2008-1270) + * make configure checks for --with-pcre, --with-zlib and --with-bzip2 failing if the headers aren't found + * fixed handling of waitpid() == EINTR mod_ssi on solaris + +- 1.4.18 - 2007-09-09 + + * fixed compile error on IRIX 6.5.x on prctl() (#1333) + * fixed forwarding a SIGINT and SIGHUP when using max-workers (#902) + * fixed FastCGI header overrun in mod_fastcgi (reported by mattias@secweb.se) + * fixed hanging redirects with keep-alive due to missing + "Content-Length: 0" headers + * fixed crashing when using undefined environment variables in the config + * fixed compilation of mod_mysql_vhost on irix (#1341) + +- 1.4.17 - 2007-08-29 + + * added dir-listing.set-footer in mod_dirlisting (#1277) + * added sending UID and PID for SIGTERM and SIGINT to the logs + * fixed hardcoded font-sizes in mod_dirlisting (#1267) + * fixed different ETag length on 32/64 platforms (#1279) + * fixed compression of files < 128 bytes by disabling compression (#1241) + * fixed mysql server reconnects (#518) + * fixed disabled keep-alive for dynamic content with HTTP/1.0 (#1166) + * fixed crash on mixed EOL sequences in mod_cgi + * fixed key compare (#1287) + * fixed invalid char in header values (#1286) + * fixed invalid "304 Not Modified" on broken timestamps + * fixed endless loop on shrinked files with sendfile() on BSD (#1289) + * fixed counter overrun in ?auto in mod_status (#909) + * fixed too aggresive caching of nested conditionals (#41) + * fixed possible overflow in unix-socket path checks on BSD (#713) + * fixed extra Content-Length header on 1xx, 204 and 304 (#1002) + * fixed handling of duplicate If-Modified-Since to return 304 + * fixed extracting status code from NPH scripts (#1125) + * fixed prctl() usage (#1310) + * removed config-check if passwd files exist (#1188) + * fixed crash when etags are disabled but the client sends one (#1322) + * fixed crash when freeing the config in mod_alias + * fixed server.error-handler-404 breakage from 1.4.16 (#1270) + * fixed entering 404-handler from dynamic content (#948) + * added more debug infos for FAM based stat-cache + * use more LSB like paths in the sample config (#1242) + +- 1.4.16 - 2007-07-25 + + * added static-file.etags, etag.use-inode, etag.use-mtime, etag.use-size + to customize the generation of ETags for static files. (#1209) + (patch by <Yusufg@gmail.com>) + * fixed typecast of NULL on execl() (#1235) + (patch by F. Denis) + * fixed circumventing url.access-deny by trailing slash (#1230) + * fixed crash on duplicate headers with trailing WS (#1232) + * fixed accepting more connections then requested (#1216) + * fixed mem-leak in mod_auth (reported by Stefan Esser) + * fixed crash with md5-sess and cnonce not set in mod_auth (reported by Stefan Esser) + * fixed missing check for base64 encoded string in mod_auth and Basic auth + (reported by Stefan Esser) + * fixed possible crash in Auth-Digest header parser on trailing WS in + mod_auth (reported by Stefan Esser) + * fixed check on stale errno values, which broke handling of broken fastcgi + applications. (#1245) + * fixed crash on 32bit archs when debug-msgs are printed in mod_scgi, mod_fastcgi + and mod_webdav (#1263) + +- 1.4.15 - 2007-04-13 + + * fixed broken Set-Cookie headers + +- 1.4.14 - 2007-04-13 + + * fix crash if gethostbyaddr() failed on redirect [1718] + * properly handle 206 responses generated by *cgi scripts. (#755) [1716] + * added HTTPS=on to the environment of cgi scripts (#861) [1684] + * fix handling of 303 (#1045) [1678] + * made the configure check for lua more portable [1677] + * added mod_extforward module [1665] + * references to the fam stat cache engine should be conditional (#1039) [1664] + * fix http 500 errors (colin.stephen/at/o2.com) #1041 [1663] + * prevent wrong pidfile unlinking on graceful restart (Chris Webb) [1656] + * ignore empty packets from STDERR stream. #998 + * fix a crash for files with an mtime of 0 reported by cubiq on irc [1519] + CVE-2007-1870 + * allow empty passwords with ldap (Jörg Sonnenberger) [1516] + * mod_scgi.c segfault fix #964 [1501] + * Added round-robin support to mod_fastcgi [1500] + * Handle DragonFlyBSD the same way as Freebsd (Jörg Sonnenberger) [1492,1676] + * added now and weeks support to mod_expire. #943 + * fix cpu hog in certain requests [1473] CVE-2007-1869 + * fix for handling hostnames with trailing dot [1406] + * fixed header-injection via server.tag (#1106) + * disabled caching of files without a content-type to solve the + aggressive caching of FF + * remove trailing white-spaces from HTTP-requests before parsing (#1098) + * fixed accesslog.use-syslog in a conditional and the caching of the + accesslog for files (fixes #1064) + * fixed various crashes at startup on broken accesslog.format strings (#1000) + * fixed handling of %% in accesslog.format + * fixed conditional dir-listing.exclude (#930) + * reduced default PATH_MAX to 255 (#826) + * ECONNABORTED is not known on cygwin (#863) + * fixed crash on url.redirect and url.rewrite if %0 is used in a global context + (#800) + * fixed possible crash in debug-message in mod_extforward + * fixed compilation of mod_extforward on glibc < 2.3.4 + * fixed include of empty in the configfiles (#1076) + * send SIGUSR1 to fastcgi children before SIGTERM. libfcgi wants SIGUSR1. (#737) + * fixed missing AUTH_TYPE entry in the fastcgi environment. (#889) + * fixed compilation in network_writev.c on MacOS X 10.3.9 (#903) + * added kill-signal as another setting for fastcgi backends. See the wiki for more. + +- 1.4.13 - 2006-10-09 + + * added initgroups in spawn-fcgi (#871) + * added apr1 support htpasswd in mod-auth (#870) + * added lighty.stat() to mod_magnet + * fixed segfault in splitted CRLF CRLF sequences + (introduced in 1.4.12) (#876) + * fixed compilation of LOCK support in mod-webdav + * fixed fragments in request-URLs (#869) + * fixed pkg-config check for lua5.1 on debian + * fixed Content-Length = 0 on HEAD requests without + a known Content-Length (#119) + * fixed mkdir() forcing 0700 (#884) + * fixed writev() on FreeBSD 4.x and older (#875) + * removed warning about a 404-error-handler + returned 404 + * backported and fixed the buildsystem changes for + webdav locks + * fixed plugin loading so we can finally load lua + extensions in mod_magnet scripts + * fixed large uploads if xattr is enabled + +- 1.4.12 - 2006-09-23 + + * added experimental LOCK support for webdav + * added Content-Range support for PUT in webdav + * added support for += on empty arrays in config-files + * added ssl.cipher-list and ssl.use-sslv2 + * added $HTTP["querystring"] conditional + * added mod_magnet as long-term replacement for mod_cml + * added work-around for a Opera Bug with SSL + Chunked-Encoding + * changed --print-config to print to stdout instead of stderr + * changed no longer use 0600 for new files with webdav. umask is + honored. Make sure you have set a proper umask. + * fixed upload hangs with SSL + * fixed connection drops with SSL (aka bad retry) + * fixed path traversal with \ on cygwin + * fixed mem-leak in mod_flv_streaming + * fixed required trailing newline in configfiles (#142) + * fixed quoting the autoconf files (#466) + * fixed empty Host: + $HTTP["host"] handling (#458) + * fixed handling of If-Modified-Since if ETag is not set + * fixed default-shell if SHELL is not set (#441) + * fixed appending and assigning of env.* vars + * fixed empty FCGI_STDERR packets + * fixed conditional server.allow-http-11 + * fixed handling of follow-symlink + lstat() + * fixed SIGHUP handling if max-workers is used + * fixed "Software caused connection abort" messages on FreeBSD + +- 1.4.11 - 2006-03-09 + + * added ability to specify which ip address spawn-fci listens on + (agkr/at/pobox.com) + * added mod_flv_streaming to streaming Flash Movies efficiently + * fixed handling of error codes returned by mod_dav_svn behing a + mod_proxy + * fixed error-messages in mod_auth and mod_fastcgi + * fixed re-enabling overloaded local fastcgi backends + * fixed handling of deleted files in linux-sendfile + * fixed compilation on BSD and MacOSX + * fixed $SERVER["socket"] on a already bound socket + * fixed local source retrieval on windows + (secunia) + * fixed hanging cgi if remote side is dieing while reading + from the pipe (sandy/at/meebo.com) + +- 1.4.10 - 2006-02-08 + + * added docs for mod_dirlisting + * added fastcgi.map-extensions to mod_fastcgi + * fixed load balancing for mod_fastcgi + * fixed extra newline for syslog() in mod_accesslog + * fixed user-track cookie for IE in mod_usertrack + * fixed crash in digest handling in mod_auth + * fixed handling of 301 response-bodies from a mod_proxy backend + * fixed loading of base modules if server.modules is not set + * fixed broken cgi if mod_scgi is loaded + +- 1.4.9 - 2006-01-14 + + * added server.core-files option (sandy <sandy/at/meebo.com>) + * added docs for mod_status + * added mod_evasive to limit the number of connections by IP (<w1zzard/at/techpowerup.com>) + * added the power-magnet to mod_cml + * added internal statistics to mod_fastcgi + * added server.statistics-url to get internal statistics from mod_status + * added support for conditional range-requests through If-Range + * added static building via scons + * fixed 100% cpu loops in mod_cgi ("sandy" <sjen/at/cs.stanford.edu>) + * fixed handling for secure-download.timeout (jamis/at/37signals.com) + * fixed IE bug in content-charset in the output of mod_dirlisting (sniper/at/php.net) + * fixed typos and language in the docs (ryan-2005/at/ryandesign.com) + * fixed assertion in mod_cgi on HEAD request is Content-Length (<sandy/at/meebo.com>) + * fixed handling if equal but duplicate If-Modified-Since request headers + * fixed endless loops in mod_fastcgi if backend is dead + * fixed Depth: 1 handling in PROPFIND requests on empty dirs + * fixed encoding of UTF8 encoded dirlistings (Jani Taskinen <sniper/at/iki.fi>) + * fixed initial bind to a unix-domain socket through server.bind + * fixed handling of lowercase filesystems + * fixed duplicate request headers cause by mod_setenv + +- 1.4.8 - 2005-11-23 + + * added auto-reconnect to ldap-server in mod_auth + (joerg/at/netbsd.org) + * changed auth.ldap-cafile to be optional + (joerg/at/netbsd.org) + * added strip_request_uri in mod_fastcgi + * added more X-* headers to mod_proxy + (Ben Grimm <bengrimm/at/gmail.com>) + * added 'debug' to simple-vhost to suppress the + (mod_simple_vhost.c.157) No such file or directory /servers/ww.lighttpd.net/pages/ + messages by default + * added support to let the server listen on UNIX-socket + * changed default stat-cache-engine to 'simple' + * removed debian/ dir from source package on request by packager + * fixed max-age timestamps in mod_expire + * fixed encoding the filenames in PROPFIND in mod_webdav + * fixed range request handling in network_writev + * fixed retry on connect error in mod_fastcgi + (Robert G. Jakabosky <bobby/at/alphatrade.com>) + * fixed possible crash in mod_webdav if sqlite3 support + is available but not use + * fixed fdvent-handler init if server.max-worker was used + (Siddharth Vijayakrishnan <mail/at/bluefireworks.net>) + * fixed missing cleanup in mysql_vhost + * fixed assert() in "connections.c:962: + connection_handle_read_state: Assertion 'c->mem->used' failed." + * fixed 64bit issue in md5 + * fixed crash in mod_status + * fixed duplicate headers in mod_proxy + * fixed Content-Length in HEAD request in mod_proxy + * fixed unsigned/signed comparisions + * fixed streaming in mod_cgi + * fixed possible overflow in password-salt handling + (reported on slashdot by james-web/at/and.org) + * fixed server-traffic-limit if connection limit is not set + +- 1.4.7 - 2005-11-02 + + * added FD_CLOEXEC to fds which are kept open for a longer time + * added smaller, moving mmaped windows to network_writev + * added madvise() to instruct the kernel the do proper read-ahead in network_writev + * added support for %I in mod_accesslog + * added better compat to Apache for ?auto in mod_status + * added support for userdirs without a entry in /etc/passwd in mod_userdir + (rob/at/inversepath.com) + * added startup-time selectable network-backend + * added location of upload-files to config as array + * added webdav.log-xml for logging xml-content in mod_webdav + * added Cache-Control: max-age to mod_expire + * workaround missing client-bug by assuming we received a close-notify on + non-keep-alive requests in SSL request + * disabled kerberos5 support by default to fix compilation on RHEL + * fixed order of library checks to fix compilation on Solaris 9 + * fixed open file-descriptors on read-error + * fixed crash if /var/tmp is not writable + +- 1.4.6 - 2005-10-09 + + * fixed compilation on MacOS X and cygwin + * fixed compressed output if caching was disabled (seen in IE and Opera) + * fixed range-request option + * fixed mysql-vhost module (was broken in 1.4.5) + * fixed false positive in the detection of case-insensitive FS + +- 1.4.5 - 2005-10-02 + + * added all DeltaV methods as known methods + * added buffer-to-disk of request content + * added warning for unused variables in conditionals + * added global index-generators to mod_indexfile + * fixed caching for remote-ip conditionals with keep-alive + * fixed redirects with content + * fixed infinite loop in exec-cmd in mod_ssi + * fixed segfault in config handling for mod_mysql_vhost + * fixed segfault on FIFOs/Sockets + * fixed possible crash on uninit memory if If-Modified-Since was too long + * fixed accounting of mem-chunks + * fixed starving of connections on high load + * fixed crc errors in mod_compress on 64bit platforms + * fixed handling of overlapping fastcgi packets (bug added in 1.4.4) + * fixed logic of conditionals if a header was not set + * fixed a segfault in mod_rewrite if %1 references were used + * fixed handling of empty request URIs in HTTP requests + +- 1.4.4 - 2005-09-16 + * added support for %V in mod_accesslog + * added a option for a FastCGI responser to send static files + * added md5 and blowfish hashes to htpasswd + * fixed METHOD in mod_accesslog of WebDAV methods + * fixed check for permission before files in sent + * fixed mod-proxy and content for non-POST requests + * fixed compilation of mod_cml on MacOS X + * fixed SSL errmsg after accept() + * fixed memleak in stat-cache + * fixed aborted connections if file was moved while in transfer + * fixed mem-usage for large FastCGI transfers + +- 1.4.3 - 2005-09-01 + + * added gracefull shutdown + * added server.max-connections + * fixed compilation on all BSD platforms + * fixed init of kqueue and /dev/poll after daemonize + * fixed segfault if select() is event-handler and more than FD_SETSIZE + fds are opened + * fixed compilation of mod_cml + * fixed bin-copy-env in mod_fastcgi + +- 1.4.2 - 2005-08-29 + + * fixed mimetype detection on uppercase extensions + * fixed memleak in stat-cache + * fixed infinite loop in mod_cgi + * fixed alignment crashes on sparc64 and alpha64 + * fixed test system for gentoo ebuild + * fixed infinite loop in SSL + * fixed range request for files > 2Gb + +- 1.4.1 - 2005-08-22 + + * added a complete Class 1 complient mod_webdav + * fixed ssl support (especially on OpenBSD) + * fixed response header in body problem in mod_cgi + * fixed numbers before body problem + * fixed compilation on Solaris and FreeBSD + * fixed conditional options in mod_dirlisting + * fixed segfault in mod_dirlisting for NFS directories + * fixed check for docroot in change-root environments + +- 1.4.0 - 2005-08-17 + + * added nested conditionals + * added remote-ip to $HTTP + * added support for stat-cache via FAM + * added a read-only WebDAV module + * fixed cleanup in mod_proxy and mod_fastcgi + * fixed handling of filenames on case-insensitive filesystems + +- 1.3.16 - 2005-07-31 + + * added Date: headers to dynamic HTTP/1.0 requests + * added support for OPTION * HTTP/1.1 + * added support for accesslog to syslog + * added support for PATH_INFO guessing if check-local is disabled in + mod_fastcgi + * added switch to disable range-requests + * added valid-user option for mod_auth (tigger at gentoo.org) + * added JavaScript based sorting to mod_status (erik) + * added selective TCP_CORK (Christian von Roques) + * break up endless loops with Status: 500 + * fixed endless loops in mod_rewrite + * mapped url.rewrite and url.rewrite-final to uri.rewrite-once + * fixed compilation for mod_trigger_b4_dl + * fixed 'can't reach host' in mod_proxy + * error-handler-404 defaults to Status: 200 and static files work now + +- 1.3.15 - 2005-07-15 + + * added mod_cml + * added mod_trigger_b4_dl + * added encoding to mod_dirlisting + * added ?auto to mod_status + * relaxed handling of characters in URIs even more + * fixed detection of sendfile() on Linux 2.4.x + * fixed comparision of buffers for short strings + * server.errorfile-prefix is now conditional + * fixed mod_rrdtool to close STDERR + +- 1.3.14 - 2005-06-15 + + * added SCGI support via mod_scgi + * added hash-based and round-robin load balancing to mod_proxy + * fixed range requests larger than 2Gb + * fixed compilation on Solaris + * fixed endless loops in mod_fastcgi, mod_cgi and mod_proxy + * fixed handling of URIs for '+' and characters > 127 + +- 1.3.13 - 2005-03-06 + + * added customizable directory listings + * fixed compile error on all BSD unixes + * fixed PATHINFO handling for FastCGI + * fixed handling of remote-close on FreeBSD and OpenSSL + +- 1.3.12 - 2005-03-02 + + * added ssl.ca-file + * added support for \n\n as terminator + * rewrote test-framework and added more tests + * fixed cgi.assign with empty handler + * fixed segfault in debug-code + * fixed mod_expire if modification-timestamps are used + * fixed segfault on duplication Host-headers + * fixed endless loop in mod_fastcgi + * fixed handling of dead fastcgi-processes + +- 1.3.11 - 2005-02-20 + + * added REMOTE_PORT and SERVER_ADDR to CGI-env + * relaxed handling of newlines before keep-alive requests + * relaxed uri-parser again + * fixed PHP_SELF for php + * fixed compilation on MacOS X + * fixed handling of EPIPE and ECONNRESET + * fixed crash in mod_auth if config-options are missing + * fixed handling of missing trailing / in mod_userdir + * fixed conditional secdownload.secret + * fixed REPORT ME error due to failed reconnects in mod_fastcgi + * fixed cmdline handling in mod_fastcgi + +- 1.3.10 - 2005-02-06 + + * added support for full commandline in spawn-fcgi + * fixed missing check for IP-address in mod_fastcgi + * fixed compile error with openssl in mod_fastcgi + * removed a debug-message from network-functions + +- 1.3.9 - 2005-02-06 + + * added a stricter URI parser + * added a check to the CGI spawner if the cgi-handler exists + * added documentation for SSL and mod_status + * added handling of startup environment to FastCGI + * improved performance in FastCGI in buildind the FastCGI header + * fixed min-procs and max-procs in FastCGI on PowerPC + * fixed crash in setenv.add-response-header + * fixed handling of nph-scripts in CGI + * fixed accidently sending out physical file in CGI on error + * fixed cygwin support + * fixed handling of missing files + * fixed HEAD requests for dynamic requests + +- 1.3.8 - 2005-01-30 + + * added traffic shaping by remote host and virtual server + * added auto-spawning of FastCGI process on demand + * added virtual host based on MySQL + * added mod_setenv to add envirnoment and http headers on the fly + * added support for syslog in mod_accesslog + * improved output of mod_status + * improved debug output in request handling + * fixed build problems on netbsd 1.4.x and 1.5.x + * fixed status.url configuration + * fixed handling of != and !~ in configutation + * fixed special cases in keep-alive handling + * fixed timeout handling in handling POST requests + * fixed mode AUTHORIZER in FastCGI + * fixed handling if internal redirects if no Host: is supplied + * fixed mod_alias + pathinfo + * fixed directory indexes and permissions + * enabled sending errorlog to syslog again + +- 1.3.7 - 2004-12-11 + + * added retries for a fastcgi connect if a php-childs + dies at startup + * update the debian directory + * added setgroups() to drop all group-privs + * added native port to windows via mingw32 + * added server.tag = '...' + * added support for ${...} in mod_ssi + * ported all plugins to conditional support + * fixed multipart handling in cgi + * fixed kqueue event-handler + * fixed wrap-around in mod_status + * fixed crash with SSL + FastCGI + * fixed detection of SSL headers + * fixed handling of dangling SSL_shutdown + * fixed detection of keep-alive of Firefox + +- 1.3.6 - 2004-11-03 + + * added spawn-fcgi to the distribution + * added support in fastcgi module to spawn fastcgi + processes itself + * fixed logfile cycling if external logging is used + * fixed connection handling in fastcgi if no chunk + encoding is used + * fixed internal redirects on directories if a query + string is supplied + * fixed cgi-module for POST request above 4k + * fixed mod_alias and follow-symlink + +- 1.3.5 - 2004-10-31 + + * added mod_alias + * added mod_userdir + * added the exec command to the SSI handler + * added a switch to disable follow-symlinks + * added a switch to disable IPv6 at compile-time + * fixed compilation on FreeBSD and NetBSD 1.3.x + * fixed segfault in pipelining + * fixed a segfault in writev() handler if LFS is used + +- 1.3.4 - 2004-10-24 + + * added limiter for open files + * added logging of user supplied data to accesslogs + * added build target for OpenWRT + * added plain backend support for auth-digest + * fixed handling the external accesslog processes + * fixed SERVER_NAME in CGI and FastCGI + +- 1.3.3 - 2004-10-16 + + * added support for NL terminators in CGI-scripts + * added support for conditionals in mod_auth, + mod_simple_vhost and mod_evhost + * added a error-handler for 404 codes + * fixed request counter in the rrdtool module + * fixed log-file cycling + * fixed seg-fault + +- 1.3.2 - 2004-09-30 + + * fixed file-cache + +- 1.3.1 - 2004-09-30 + + * fixed file-cache + * fixed parsing of IPv6 adresses + * fixed cgi for cygwin + * fixed test-suite for FreeBSD and IRIX + * fixed handling of shrinked files + * fixed handling of REQUEST_URI after rewrite + +- 1.3.0 - 2004-09-17 + + * added build for MacOS X and Cygwin + * added handling of more than one socket + * added config-conditions for User-Agent and Referer + * added final rewrite-rules + +- 1.2.8 - 2004-09-11 + + * added a cache for mimetypes + * added X-Forwarded-For for mod_proxy + * fixed handling of comments in If-Modified-Since + * fixed error handling in FastCGI code + * fixed expire plugin for second Expire header + +- 1.2.7 - 2004-09-04 + + * added mod_rrdtool for internal statistics + * added xattr support + * added user-controlable timeouts + * improved documentation for many plugins + * fixed POST requests for mod_proxy + * fixed rare hang with CGI + * fixed seg-fault if no configfile is specified + * fixed rare problem in FastCGI header generation + +- 1.2.6 - 2004-08-26 + + * added apache-like accesslog definition + * enabled timestamp cache again + * improved performance in the string compare functions + * fixed double-free in fastcgi handler + * fixed error-handling in cgi handler + +- 1.2.5 - 2004-08-10 + + * added skeleton for solaris 10 port-API + * added compression support even if no cachedir is set + * added conditional configoptions + * fixed compilation on OpenBSD + * fixed kqueue support + * fixed pipelining bug + * fixed parallel build (triggered by Gentoo) + * updated debian postinst + +- 1.2.4 - 2004-07-31 + + * added kqueue support + * added server-side includes (mod_ssi) + * fixed large post uploads in fastcgi + * fixed rt-signals handling of delayed events + +- 1.2.3 - 2004-07-10 + + * added a proxy module for Java and friends + * added support to pass accesslog through an external programm + * added mimetypes for text/css and text/javascript + * fixed index-files for FastCGI if webserver is in chroot + * fixed error messages of CGI process fails to exec() + * fixed detection of pcre on IRIX and FreeBSD + * fixed timestamps in Last-Modified checks + * fixed 64bit builds + * fixed mmap-caching of large files + * relaxed the HTTP parser on empty headerfields + +- 1.2.2 - 2004-06-15 + + * added support for unix domain sockets in FastCGI + * fixed mmap caching + * fixed compile-time check for linux sendfile() + * fixed check for pcre.h on Fedora Core 2 + +- 1.2.1 - 2004-05-30 + + * added experimental support for AIX send_file() + * added an mmap cache to the filehandle cache + * enabled FreeBSD sendfile support again + * added support for calling CGI binaries directly + * fixed pipelining for POST requests + * fixed some seg-faults if no configfile is used + +- 1.2.0 - 2004-05-17 + + * added conforming Expect: handling + * added a module for secure and fast downloading + * rewrote the event handling interface + * fixed array handling which might lead to 'missing header' + * fixed pipelining support + * fixed build of the localizer extension + * fixed cgi handling for headers which are flushed to often + * fixed compilation on Solaris 2.5 + +- 1.1.9 - 2004-04-29 + + * added AUTHORIZER mode to the FastCGI module + * added 'check-local' option to disable local stat() in the FastCGI module + * added prefix-notation for FastCGI module + * added 'mod_usertrack' + * improved CGI/FastCGI spec conformance + * more code cleanup + * fixed HTTP/1.1 chunk headers + * fixed POST handling + * fixed SSL network handler + * fixed writev() network handler + +- 1.1.8 - 2004-04-16 + + * code cleanup + * limiting the size of the request-body and the request-header + * minor speed improvements + * tightend the HTTP-Parser again + +- 1.1.7 - 2004-04-12 + + * added REMOTE_USER to the Server->FastCGI parameters + * added bzip2 compression + * improved the error-messages from the new configfile parser + * fixed accesslog writing for errornous requests + * fixed LFS (64bit filesizes) handling + * fixed Content-Length for HEAD requests + * fixed some memory leaks in the configfile parser + +- 1.1.6 - 2004-04-10 + + * tightend the HTTP-Parser + * rewrote the configfile parser (based on lemon) + * fixed openssl support + * fixed mmap+write support + * use localtime in accesslog if possible + +- 1.1.5 - 2004-04-07 + + * added ldap backend to the auth + * added a mod_expire + * added debian packaging structure + * merged redhat and suse spec-file + * fixed eventhandler for solaris + * fixed 64bit fileoffsets + * fixed permissions of the PID-file + +- 1.1.4 - 2004-04-04 + + * added server.pid-file + * added support for solaris /dev/poll and solaris sendfilev() + * added support for writev() + * added PATHINFO support (again) + * fixed CLF logfile writing + +- 1.1.3 - 2004-03-25 + + * set default event-handler to 'poll' + * fixed logcycling in chroot() + * fixed hostname detection + * added syslog() as fallback for error-logging + +- 1.1.2 - 2004-03-22 + + * added a "docroot" setting for fastcgi processes + * performance improvements + * improved configure script + * rewrote the fastcgi config parser + * added a rc-script for RedHat + * added epoll() support for Linux 2.6.x + +- 1.1.1 - 2004-03-15 + + * added localizer module + * performance improvements + * code cleanup + +- 1.1.0 - 2004-03-06 + + * changed some configuration keys for better readability + * moved the virtual-host code to mod_simple_vhost + * added enhanced virtual host plugin from Christian Kruse + * added two new auth-backends (htpasswd, htdigest) + * fixed and improved authentification + * stricter parsing of the Host: field + * added a warning for unused configuration keys + * improved FastCGI documentation + +- 1.0.3 - 2004-02-13 + + * a startup script has been added (LSB compliant) + * HEAD requests were submitting the content like a GET request + * the virtual directory listing got a face-lifting and fixes + * request-headers are now handled case-in-sensitive as required + by the standard. this fixes POST requests for w3m and some Proxies. + +- 1.0.2 - 2004-02-07 + + * rearrangement of the default configfile + * some updates in the documentation + * a entry in the error-log for a 404 + * stdout is no longer the default for the accesslog |