* Better support for multiple source generators.
* Update method used to check for modification dates of source and thumbnail
images. Thanks Ben Roberts.
* Better thumbnail_high_resolution handling, including the ability to switch on
and off explicitly with a ``HIGH_RESOLUTION`` thumbnail option.
* Added configuration option to specify the infix used for high resolution
image handling.
* Optional postprocessor for image optimization. Thanks Jacob Rief!
* More remote storages optimization
* Thumbnail dimensions can now optionally be cached. Thanks David Novakovic.
* New ``zoom`` option to generate a thumbnail of a source image with a
percentage clipped off each side.
* New ``background`` source processor that can add a border color to ensure
scaled images fit within the exact dimensions given.
Fixture loading issues fixed
A regression in 0.8.3 meant that fixtures referring to models outside of the app they were in, and some other references to custom user models, were broken. This should now be fixed.
While here,
* move dependency on wget to TOOLS,
* simplify configuration file handling
dillo-3.0.4 [April 09, 2014]
+- OPTGROUP and INS elements.
- Some HTML5 elements, etc.
- Added show_ui_tooltip preference (BUG#1140).
Patches: corvid
+- Make embedding into other applications more reliable (BUG#1127).
- Add search from address bar.
- Share CSS user agent stylesheet between pages.
Patches: Johannes Hofmann
+- Better scaling (down) of images, even with consideration of gamma
correction.
- Fixed (possibly security) problem of FltkImgBuf caused by integer overflow
(BUG#1129).
- Some linebreaking fixes, and optimization for non-justified text, including
new preference stretchability_factor.
- Added white_bg_replacement preference.
- Implemented background images (except 'background-attachment'), added
load_background_images preference, as well as a new entry in the tools menu.
Patches: Sebastian Geerken
+- Fix a set of bugs reported by Oulu Univ. Secure Programming Group
(HTML parsing, URL resolution, GIF processing, etc.)
- Improved/fixed handling of HEAD, TITLE, TEXTAREA and form inputs.
- Made show_url dillorc option work again (BUG#1128)
Patches: Jorge Arellano Cid
+- Fix compiling on Hurd.
Patch: Pino Toscano
+- Avoid Dpid children becoming zombies.
Patch: Jorge Arellano, J. Gaffney
+- HTML5 WBR element.
- Fix compiling on IRIX with MIPSpro compiler.
Patches: corvid, Sebastian Geerken
Upstream changes:
0.12 2014-04-07 22:42:12 Europe/Amsterdam
[ ENHANCEMENTS ]
* GH#518: Bump jQuery to 1.10.2 (Grzegorz Rożniecki).
* GH#535: Support OPTIONS and PATCH requests in Server::Standalone.
(Russell Jenkins)
* GH#553: Dancer2 CLI: specify directory to write app skeleton
(Jean Stebens)
* GH#543: Additional HTTP Methods for Ajax plugin (Jean Stebens).
[ DOCUMENTATION ]
* RT#91428: POD encoding set to UTF-8 in main .pm (Gregor Herrmann).
* GH#517: Miscellaneous documentation fixes (Cesare Gargano).
* GH#518: "Getting started" demo page fixes (Grzegorz Rożniecki).
* GH#522: s/PerlHandler/PerlResponseHandler/ in Apache2 sample configuration
(Grzegorz Rożniecki)
* GH#521: Remove duplicated POD and clean up list details (Shlomi Fish)
* GH#526: Cleanup POD formatting and code snippets in manual.
(Grzegorz Rożniecki)
[ BUG FIXES ]
* GH#528,529: Force PSGI server in dispatch scripts for CGI or fcgi
deployments (Erik Smit, Alberto Simões)
* GH#550,GH#551: Update all headers in Handler::File
(Sawyer X, Stefan @racke Hornburg)
* GH#540: Fix hook execution when default scalar was used in hook code.
(baynes, Russell Jenkins)
* GH#552: Rework test suite to use Plack::Test
(Sawyer X, Stefan @racke Hornburg)
* GH#560: Return value of hooks do not alter response content.
(Jean Stebens)
* Fix CVE-2014-0050 and CVE-2013-4590,
Changelog:
Tomcat 7.0.53 (violetagg)
Catalina
add Make it easier for applications embedding and/or extending Tomcat to modify the javaseClassLoader attribute of the WebappClassLoader. (markt)
fix Improve the robustness of web application undeployment based on some code analysis triggered by the report for 54315. (markt)
fix 56219: Improve merging process for web.xml files to take account of the elements and attributes supported by the Servlet version of the merged file. (markt)
fix 56190: The response should be closed (i.e. no further output is permitted) when a call to AsyncContext.complete() takes effect. (markt)
fix 56236: Enable Tomcat to work with alternative Servlet and JSP API JARs that package the XML schemas in such a way as to require a dependency on the JSP API before enabling validation for web.xml. Tomcat has no such dependency. (markt)
fix 56246: Fix NullPointerException in MemoryRealm when authenticating an unknown user. (markt)
fix 56248: Allow the deployer to update an existing WAR file without undeploying the existing application if the update flag is set. This allows any existing custom context.xml for the application to be retained. To update an application and remove any existing context.xml simply undeploy the old version of the application before deploying the new version. (markt)
fix Redefine the globalXsltFile initialisation parameter of the DefaultServlet as relative to CATALINA_BASE/conf or CATALINA_HOME/conf. Prevent user supplied XSLTs used by the DefaultServlet from defining external entities. (markt)
add Add a work around for validating XML documents (often TLDs) that use just the file name to refer to the JavaEE schema on which they are based. (markt)
fix 56293: Cache resources loaded by the class loader from /META-INF/services/ for better performance for repeated look ups. (markt)
Coyote
fix 53119: Make sure the NIO AJP output buffer is cleared on any error to prevent any possible overflow if it is written to again before the connection is closed. This extends the original fix for the APR/native output buffer to the NIO connector. (kkolinko)
fix 56172: Avoid possible request corruption when using the AJP NIO connector and a request is sent using more than one AJP message. Patch provided by Amund Elstad. (markt)
fix 56213: Reduce garbage collection when the NIO connector is under heavy load. (markt)
fix Improve processing of chunk size from chunked headers. Avoid overflow and use a bit shift instead of a multiplication as it is marginally faster. (markt/kkolinko)
fix Fix possible overflow when parsing long values from a byte array. (markt)
Jasper
fix 54475: Add Java 8 support to SMAP generation for JSPs. Patch by Robbie Gibson. (markt)
fix 55483: Improve handling of overloaded methods and constructors in expression language implementation. (markt)
fix 56208: Restore the validateXml option to Jasper that was previously renamed validateTld. Both options are now supported. validateXml controls the validation of web.xml files when Jasper parses them and validateTld controls the validation of *.tld files when Jasper parses them. (markt)
fix 56223: Throw an IllegalStateException if a call is made to ServletContext.setInitParameter() after the ServletContext has been initialized. (markt)
fix 56265: Do not escape values of dynamic tag attributes containing EL expressions. (kkolinko)
fix Make the default compiler source and target versions for JSPs Java 6 since Tomcat 7 requires Java 6 as a minimum. (markt)
update 56283: Update to the Eclipse JDT Compiler P20140317-1600 which adds support for Java 8 syntax to JSPs. Add support for value "1.8" for the compilerSourceVM and compilerTargetVM options. (markt)
WebSocket
fix Avoid a possible deadlock when one thread is shutting down a connection while another thread is trying to write to it. (markt)
fix Call onError if an exception is thrown calling onClose when closing a session. (remm)
Web applications
code In the documentation: add support for several documentation tags from Tomcat 8. Such as <version-major/>. (kkolinko)
add 56093: Add the SSL Valve to the documentation web application. (markt)
fix 56217: Improve readability by using left alignment for the table cell containing the request information on the Manager application status page. (markt)
fix Fixed java.lang.NegativeArraySizeException when using "Expire sessions" command in the manager web application on a context where the session timeout is disabled. (kfujino)
fix Add support for LAST_ACCESS_AT_START system property to Manager web application. (kfujino)
fix Add definition of org.apache.catalina.ant.FindLeaksTask. (kfujino)
fix 56273: If the Manager web application does not perform an operation because the web application is already being serviced, report an error rather than reporting success. (markt)
fix 56304: Add a note to the documentation about not using WebSocket with BIO HTTP in production. (markt)
Other
fix 56143: Improve service.bat so that it can be launched from a non-UAC console. This includes using a single call to tomcat7.exe to install the Windows service rather than three calls, and using command line arguments instead of environment variables to pass the settings. (markt/kkolinko)
fix Fix regression in 7.0.52: when using service.bat install to install the service the values for --StdOutput, --StdError options were passed as blank instead of "auto". (kkolinko)
fix Align options between service.bat and exe Windows installer. For service.bat the changes are in --Classpath, --DisplayName, --StartPath, --StopPath. For exe installer the changes are in --JvmMs, --JvmMx options, which are now 128 Mb and 256 Mb respectively instead of being empty. Explicitly specify --LogPath path when uninstalling Windows service, avoiding default value for that option. (kkolinko)
code Simplify Windows *.bat files: remove %OS% checks, as java 6 does not run on ancient non-NT operating systems. (kkolinko)
fix 56137: Explicitly use the BIO connector in the SSL example in server.xml so it doesn't break if APR is enabled. (markt)
fix 56139: Avoid a web application class loader leak in some unit tests when running on Windows. (markt)
fix Correct build script to avoid building JARs with empty packages. (markt)
add Allow to limit JUnit test run to a number of selected test case methods. (kkolinko)
fix 56189: Remove used file cpappend.bat from the distribution. (markt)
Tomcat 7.0.52 (violetagg) released 2014-02-17
Catalina
fix Generate a valid root element for the effective web.xml for a web application for all supported versions of web.xml. (markt)
Coyote
code Pull up SocketWrapper to AbstractProcessor. (markt)
fix In some circumstances asynchronous requests could time out too soon. (markt)
Tomcat 7.0.51 (violetagg) not released
Catalina
fix 55287: ServletContainerInitializer defined in the container may not be found. (markt/jboynes)
fix 55855: Provide a per Context option (containerSciFilter) to exclude container SCIs. (markt)
fix 55937: When deploying applications, treat a context path of /ROOT as equivalent to /. (markt)
fix 55943: Improve the implementation of the class loader check that prevents web applications from trying to override J2SE implementation classes. As part of this fix, refactor the way a null parent class loader is handled which enables a number of null checks and object creation calls to be removed. (markt)
fix 55958: Differentiate between foo.war the WAR file and foo.war the directory. (markt)
fix 55960: Improve the single sign on (SSO) unit tests. Patch provided by Brian Burch. (markt)
fix 55974: Retain order when reporting errors and warnings while parsing XML configuration files. (markt)
fix 56013: Fix issue with SPNEGO authentication when using IBM JREs. IBM JREs only understand the option of infinite lifetime for Kerberos credentials. Based on a patch provided by Arunav Sanyal. (markt)
fix 56016: When loading resources for XML schema validation, take account of the possibility that servlet-api.jar and jsp-api.jar may not be loaded by the same class loader. Patch by Juan Carlos Estibariz. (markt)
fix 56025: When creating a WebSocket connection, always call ServerEndpointConfig.Configurator.getNegotiatedSubprotocol() and always create the EndPoint instance after calling ServerEndpointConfig.Configurator.modifyHandshake(). (markt)
fix 56032: Ensure that the WebSocket connection is closed after an IO error or an interrupt while sending a WebSocket message. (markt)
fix 56042: If a request in async mode has an error but has already been dispatched don't generate an error page in the ErrorReportValve so the dispatch target can handle it. (markt)
fix Add missing javax.annotation.sql.* classes to annotations-api.jar. (markt)
fix The type of logger attribute of Context MBean should be not org.apache.commons.logging.Log but org.apache.juli.logging.Log. (kfujino)
fix 56082: Fix a concurrency bug in JULI's LogManager implementation. (markt)
fix 56096: When the attribute rmiBindAddress of the JMX Remote Lifecycle Listener is specified its value will be used when constructing the address of a JMX API connector server. Patch is provided by Jim Talbut. (violetagg)
fix When environment entry with one and the same name is defined in the web deployment descriptor and with annotation then the one specified in the web deployment descriptor is with priority. (violetagg)
fix Change default value of xmlBlockExternal attribute of Context. It is true now. (kkolinko)
Coyote
fix Avoid possible NPE if a content type is specified without a character set. (markt)
fix 55956: Make the forwarded remote IP address available to the Connectors via a request attribute. (markt)
fix 55976: Fix sendfile support for the HTTP NIO connector. (markt)
fix 55996: Ensure Async requests timeout correctly when using the NIO HTTP connector. (markt)
add 56021: Make it possible to use the Windows-MY key store with the BIO and NIO connectors for SSL configuration. It requires a keystoreFile="" keystoreType="Windows-My" to be set on the connector. Based on a patch provided by Asanka. (markt)
Jasper
fix Correct a regression in the XML refactoring that meant that errors in TLD files were swallowed. (markt)
fix 55671: Correct typo in the log message for a wrong value of genStringAsCharArray init-param of JspServlet. This parameter had a different name in Tomcat 6. (kkolinko)
fix 55973: Fix processing of XML schemas when validation is enabled in Jasper. (kkolinko)
fix 56010: Don't throw an IllegalArgumentException when JspFactory.getPageContext is used with JspWriter.DEFAULT_BUFFER. Based on a patch by Eugene Chung. (markt)
fix 56012: When using the extends attribute of the page directive do not import the super class if it is in an unnamed package as imports from unnamed packages are now explicitly illegal. (markt)
fix 56029: A regression in the fix for 55198 meant that when EL containing a ternary expression was used in an attribute a compilation error would occur for some expressions. (markt)
fix Correct several errors in jspxml Schema and DTD. (kkolinko)
fix Change default value of the blockExternal attribute of JspC task. The default value is true. Add support for -no-blockExternal switch when JspC is run as a standalone application. (kkolinko)
Cluster
code Simplify the code of o.a.c.ha.tcp.SimpleTcpCluster.createManager(String). Remove unnecessary class cast. (kfujino)
WebSocket
fix Do not return an empty string for the Sec-WebSocket-Protocol HTTP header when no sub-protocol has been requested or no sub-protocol could be agreed as RFC6455 requires that no Sec-WebSocket-Protocol header is returned in this case. (markt)
Web applications
fix Add index.xhtml to the welcome files list for the examples web application. (kkolinko)
fix Clarify that the connectionTimeout may also be used as the read timeout when reading a request body (if any) in the documentation web application. (markt)
fix Clarify the behaviour of the maxConnections attribute for a connector in the documentation web application. (markt)
fix 55888: Update the documentation web application to make it clearer that a Container may define no more than one Realm. (markt)
fix 55956: Where available, displayed the forwarded remote IP address available on the status page of the Manager web application. (markt)
fix Correct links to the Tomcat mailing lists in the ROOT web application. (kkolinko)
fix In Manager web application improve handling of file upload errors. Display a message instead of error 500 page. Simplify parts handling code, as it is known that Tomcat takes care of them when recycling a request. (kkolinko)
Extras
fix 55166, 56045: Copy the XML schemas used for validation that are packaged in jsp-api.jar to servlet-api.jar so that an embedded Tomcat instance can start without Jasper being available. This also enables validation to work without Jasper being available. (markt/kkolinko)
fix 56039: Enable the JmxRemoteLifecycleListener to work over SSL. Patch by esengstrom. (markt)
Other
fix 55743: Enable the stop script to work when the shutdown port is disabled and a PID file is defined. This is only available on platforms that use catalina.sh. (markt)
fix 55986: When forcing Tomcat to stop via kill -9 $CATALINA_PID, the catalina.sh script could incorrectly report that Tomcat had not yet completely stopped when it had. Based on a patch by jess. (markt)
fix Package correct license and notice files with embedded JARs. (markt)
code Remove svn keywords (such as $Id) from source files and documentation. (kkolinko)
fix Fix CVE-2014-0050, a denial of service with a malicious, malformed Content-Type header and multipart request processing. Fixed by merging latest code (r1565163) from Commons FileUpload. (markt)
fix 56115: Expose the httpusecaches property of Ant's get task as some users may need to change the default. Based on a suggestion by Anthony. (markt)
Tomcat 7.0.50 (violetagg) released 2014-01-08
Catalina
fix Handle the case where a context.xml file is added to a web application deployed from a directory. Previously the file was ignored until Tomcat was restarted. Now (assuming automatic deployment is enabled) it will trigger a redeploy of the web application. (markt)
fix Fix string comparison in HostConfig.setContextClass(). (kkolinko)
code Streamline handling of WebSocket messages when no handler is configured for the message currently being received. (markt)
fix Handle the case where a WebSocket annotation configures a message size limit larger than the default permitted by Tomcat. (markt)
fix 55855: This is a partial fix that bypasses the relatively expensive check for a WebSocket upgrade request if no WebSocket endpoints have been registered. (markt)
fix 55905: Prevent a NPE when web.xml references a taglib file that does not exist. Provide better error message. (violetagg)
Coyote
fix When using the BIO connector with an internal executor, do not display a warning that the executor has not shutdown as the default configuration for BIO connectors is not to wait. This is because threads in keep-alive connections cannot be interrupted and therefore the warning was nearly always displayed. (markt)
Jasper
fix JspC uses servlet context initialization parameters to pass configuration so ensure that the servlet context used supports initialization parameters. (markt)
Cluster
fix In AbstractReplicatedMap#finalize, remove rpcChannel from channel Listener of group channel before sending MapMessage.MSG_STOP message. This prevents that the node that sent the MapMessage.MSG_STOP by normal shutdown is added to member map again by ping at heartbeat thread in the node that received the MapMessage.MSG_STOP. (kfujino)
fix Add time stamp to GET_ALL_SESSIONS message. (kfujino)
Web applications
fix Fix the sample configuration of StaticMembershipInterceptor in order to prevent warning log. uniqueId must be 16 bytes. (kfujino)
Extras
update Update dependencies that are used to build tomcat-juli extras component. Apache Avalon Framework is updated to version 4.1.5, Apache Log4J to version 1.2.17. (rjung)
Tomcat 7.0.49 (violetagg) not released
Catalina
fix Correct a regression in the new XML local resolver that triggered false failures when XML validation was configured. (markt)
fix Prevent a NPE when destroying HTTP upgrade handler for WebSocket connections. (violetagg)
Tomcat 7.0.48 (violetagg) not released
Catalina
add 51294: Add support for unpacking WARs located outside of the Host's appBase in to the appBase. (markt)
fix 55656: Configure the Digester to use the server class loader when parsing server.xml rather than the class loader that loaded StandardServer. Patch provided by Roberto Benedetti. (markt)
fix 55664: Correctly handle JSR 356 WebSocket Encoder, Decoder and MessageHandler implementations that use a generic type such as Encoder.Text<List<String>>. Includes a test case by Niki Dokovski. (markt)
fix Correctly handle WebSocket Encoders, Decoders and MessageHandlers that use arrays of generic types. (markt)
fix 55681: Ensure that the WebSocket session is made available to MessageHandler method calls. (markt)
fix Updated servlet spec version and documentation section-number reported when JAR files are rejected for containing a trigger class (e.g. javax.servlet.Servlet). (schultz)
add Modify the WebSocket handshake process so that the user properties Map exposed by the ServerEndpointConfig during the call to Configurator.modifyHandshake() is unique to the connection rather than shared by all connections associated with the Endpoint. This allows for easier configuration of per connection properties from within modifyHandshake(). (markt)
fix 55684: Log a warning but continue if the memory leak detection code is unable to access all threads to check for possible memory leaks when a web application is stopped. (markt)
fix Define the web-fragment.xml in tomcat7-websocket.jar as a Servlet 3.0 web fragment rather than as a Servlet 3.1 web fragment. (markt)
fix 55715: Add a per web application executor to the WebSocket implementation and use it for calling SendHandler.onResult() when there is a chance that the current thread also initiated the write. (markt)
fix Prevent file descriptors leak and ensure that files are closed when configuring the web application. (violetagg)
fix Fixed the name of the provider-configuration file located in tomcat7-websocket.jar!/META-INF/services that exposes information for javax.websocket.server.ServerEndpointConfig$Configurator implementation. (violetagg)
fix 55760: Remove the unnecessary setting of the javax.security.auth.useSubjectCredsOnly system property in the SpnegoAuthenticator as in addition to it being unnecessary, it causes problems with using SPNEGO with IBM JDKs. Patch provided by Arunav Sanyal. (markt)
fix 55772: Ensure that the request and response are recycled after an error during asynchronous processing. Includes a test case based on code contributed by Todd West. (markt)
fix 55778: Add an option to the JNDI Realm to control the QOP used for the connection to the LDAP server after authentication when using SPNEGO with delegated credentials. This value is used to set the javax.security.sasl.qop environment property for the LDAP connection. (markt)
fix 55798: Log an error if the MemoryUserDatabase is unable to find the specified user database file. (markt)
fix 55799: Correctly enforce the restriction in JSR356 that no more than one data message may be sent to a remote WebSocket endpoint at a time. (markt)
fix When Catalina parses TLD files, always use a namespace aware parser to be consistent with how Jasper parses TLD files. The tldNamespaceAware attribute of the Context is now ignored. (markt)
fix Deprecate the tldNamespaceAware Context attribute as TLDs are always parsed with a namespace aware parser. (markt)
fix Correct a logic error that meant that unpackWARs was ignored and the WAR was always expanded if a WAR failed to deploy. (markt)
add Add support for defining copyXML on a per Context basis. (markt)
fix Define the expected behaviour of the automatic deployment and align the implementation to that definition. (markt)
add When running under a security manager, change the default value of the Host's deployXML attribute to false. (markt)
add If a Host is configured with a value of false for deployXML, a web application has an embedded descriptor at META-INF/context.xml and no explicit descriptor has been defined for this application, do not allow the application to start. The reason for this is that the embedded descriptor may contain configuration necessary for secure operation such as a RemoteAddrValve. (markt)
fix Prevent an NPE in the WebSocket ServerContainer when processing an HTTP session end event. (markt)
add 55801: Add the ability to set a custom SSLContext to use for client wss connections. Patch provided by Maciej Lypik. (markt)
fix 55804: If the GSSCredential for the cached Principal expires when using SPNEGO authentication, force a re-authentication. (markt)
add 55811: If the main web.xml contains an empty absolute-ordering element and validation of web.xml is not enabled, skip parsing any web-fragment.xml files as the result is never used. (markt)
fix 55839: Extend support for digest prefixes {MD5}, {SHA} and {SSHA} to all Realms rather than just the JNDIRealm. (markt)
fix 55842: Ensure that if a larger than default response buffer is configured that the full buffer is used when a Servlet outputs via a Writer. (markt)
fix 55851: Further fixes to enable SPNEGO authentication to work with IBM JDKs. Based on a patch by Arunav Sanyal. (markt)
add Fix CVE-2013-4590: Add an option to the Context to control the blocking of XML external entities when parsing XML configuration files and enable this blocking by default when a security manager is used. The block is implemented via a custom resolver to enable the logging of any blocked entities. (markt)
Coyote
code Implement a number of small refactorings to the APR/native handler for upgraded HTTP connections. (markt)
fix Fix an issue with upgraded HTTP connections over HTTPS (e.g. secure WebSocket) when using the APR/native connector that resulted in the unexpected closure of the connection. (markt)
fix Ensure that the application class loader is used when calling the ReadListener and WriteListener methods when using non-blocking IO. A side effect of not doing this was that JNDI was not available when processing WebSocket events. (markt)
add Make the time that the internal executor (if used) waits for request processing threads to terminate before continuing with the connector stop process configurable. (markt)
fix 55749: Improve the error message when SSLEngine is disabled in the AprLifecycleListener and SSL is configured for an APR/native connector. (markt)
add If a request that includes an Expect: 100-continue header receives anything other than a 2xx response, close the connection. This protects against misbehaving clients that may not send the request body in that case and send the next request instead. (markt)
fix Improve the parsing of trailing headers in HTTP requests. (markt)
Jasper
fix 55735: Fix a regression caused by the fix to 55198. When processing JSP documents, attributes in XML elements that are template content should have their text xml-escaped, but output of EL expressions in them should not be escaped. (markt)
fix 55807: The JSP compiler used a last modified time of -1 for TLDs in JARs expanded in to WEB-INF/classes (IDEs often do this expansion) when creating the dependency list for JSPs that used that TLD. This meant JSPs using that TLD were recompiled on every access. (markt)
Cluster
add Add log message that initialization of AbstractReplicatedMap has been completed. (kfujino)
fix The logger of AbstractReplicatedMap should be non-static in order to enable logging of each application. Side-effects of this change is to throw RuntimeException in MapMessage#getKey() and getValue() instead of Null return and error log. (kfujino)
code Simplify the code of DeltaManager#startInternal(). Reduce unnecessary nesting for acquisition of cluster instance. (kfujino)
fix Remove unnecessary attributes of stateTransferCreateSendTime and receiverQueue from cluster manager template. These attributes should not be defined as a template. (kfujino)
fix Fix MBean attribute definition of stateTransfered. The method name is not isStateTransfered() but getStateTransfered(). (kfujino)
fix Correct stop failure log of cluster. Failure cause is not only Valve. (kfujino)
fix Remove unnecessary sleep when sending session blocks on session sync phase. (kfujino)
fix Expose stateTimestampDrop of org.apache.catalina.ha.session.DeltaManager via JMX. (kfujino)
fix When the ping timed out, make sure that memberDisappeared method is not called by specifying the members that have already been removed. (kfujino)
add Add log message of session relocation when member disappeared. (kfujino)
fix If ping message fails, prevent wrong timeout detection of normal member that is no failure members. (kfujino)
Web applications
add Add some documentation on the SSL configuration options for WebSocket clients. (markt)
add Add to cluster document a description of notifyLifecycleListenerOnFailure and heartbeatBackgroundEnabled. (kfujino)
fix Update the documentation with information for WebSocket 1.0 specification and javadoc. (violetagg)
fix 55703: Clarify the role of the singleton attribute for JNDI resource factories. (markt)
fix 55746: Add documentation on the allRolesMode to the CombinedRealm and LockOutRealm. Patch by Cédric Couralet. (markt)
add Expand the information on web applications that ship as part of Tomcat in the security how-to section of the documentation web application. (markt)
fix Expand the description of the WebSocket buffers in the documentation web application to clarify their purpose. (markt)
add Correct the documentation for Cluster manager. (kfujino)
add Add information on how to configure integrated Windows authentication when Tomcat is running on a non-Windows host. (markt)
Extras
update Update commons-logging to version 1.1.3. (rjung)
Other
add 52323: Add support for the Cobertura code coverage tool when running the unit tests. Based on a patch by mhasko. (markt/kkolinko)
update Update sample Eclipse IDE project. Explicitly use a Java 6 SE JDK. Exclude JSR356 WebSocket classes from build path, as they cannot be compiled with Java 6. (kkolinko)
update Update the Eclipse compiler to 4.3.1. (kkolinko/markt)
* In main(), when parsing form input fails, the CGI script exits without
producing any output whatsoever. Wouldn't it be better to actually
emit an error status, instead of expecting the server to do something
sane with a script that produces no output?
* In mpRead(), a check is done to insure the requested length is not
greater than the amount of data still available, and to adjust it
if necessary. However, this check is currently done _after_ reading
data from the putback buffer, in which process len is decremented by
the amount of putback data read, but mpp->offset is not correspondingly
incremented (this happens later). As a result, the check uses too
small a value for len, and so fails to stop reading soon enough if
the requested length is greater than what is available _and_ there
was any data in the putback buffer.
The fix is to move the check to the beginning of mpRead().
* Further, if a read request is satisfied _entirely_ from the putback
buffer, mpp->offset is not updated at all, resulting in a similar
problem. The solution is to update mpp->offset in the "else if (got)"
case.
* In cgiParsePostMultipartInput(), if the Content-Disposition of a part
is not "form-data", afterNextBoundary() is not called before beginning
to process the next part. As a result, parsing of the next part headers
begins with the body of the unwanted part. It is necessary in this case
to call afterNextBoundary() before continuing with the next cycle.
* In handling out-of-memory conditions in afterNextBoundary(), *outP is
set to '\0'. While this is technically legal ('\0' is "an integral
constant expression with the value 0"), it looks funny.
* In cgiCookieString(), a change was introduced in v2.02 which purports
to prevent an overrun in cases where cgiCookie is exactly equal to
the requested cookie name. In fact, the problem can also occur if
the requested name occurs with no values at the end of cgiCookie.
Further, the change from v2.02 does not fix the problem, because it
compares the _pointers_ p and n to NULL, which they will never equal,
rather than comparing the pointers they point at to NUL.
* Also in cgiCookieString(), there is a comment suggesting that the main
loop never terminates except with a return. This is not the case.
For example, it will terminate if the requested cookie is not found
and the cgiCookie string ends in a semicolon.
* Why did days[] (formerly daysOfWeek[]) and months[] become non-static?
This pollutes the namespace of programs using CGIC.
* In cgiReadEnvironment(), when reading in the contents of an uploaded
file, it is possible that a temporary file is successfully created
but then cannot be opened. In this case, no attempt is made to remove
the temporary file.
* Further, when a form entry does _not_ include an uploaded file,
e->tfileName is set to malloc'd but uninitialized memory. It should
be set to an empty string, by setting e->tfileName[0] to zero after
the 1-byte buffer is allocated.
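The cgiCookieString() items above come down to one rule: every step through the cookie string has to test the character under the pointer against NUL, not the pointer against NULL. The following is an added example, not CGIC's code; `cookie_lookup()`, its return codes and the sample cookie strings are hypothetical names and constructed inputs chosen for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical return codes for this illustration (not CGIC's). */
enum { COOKIE_FOUND = 0, COOKIE_NOT_FOUND = 1, COOKIE_TRUNCATED = 2 };

/* Skip blanks; stops at the terminating NUL because NUL is not a blank. */
static const char *skip_ws(const char *p)
{
    while (*p == ' ' || *p == '\t')
        p++;
    return p;
}

/*
 * Look up `name` in a Cookie header value such as "a=1; sid=abc".
 * Copies the value into out[0..outlen-1], always NUL-terminated.
 * A name that appears without "=value" is reported as found with an
 * empty value, including when it is the last thing in the string.
 */
int cookie_lookup(const char *cookies, const char *name,
                  char *out, size_t outlen)
{
    const char *p = cookies;
    size_t nlen;

    if (out == NULL || outlen == 0)
        return COOKIE_NOT_FOUND;
    out[0] = '\0';
    if (cookies == NULL || name == NULL || name[0] == '\0')
        return COOKIE_NOT_FOUND;
    nlen = strlen(name);

    while (*p != '\0') {
        const char *key, *key_end, *val, *val_end;
        size_t vlen;

        p = skip_ws(p);
        key = p;
        /* The key ends at '=', ';' or NUL. Testing `p == NULL` here
         * would never fire: p always points into the string, it is
         * *p that becomes NUL at the end. */
        while (*p != '\0' && *p != '=' && *p != ';')
            p++;
        key_end = p;

        if (*p == '=') {
            p++;                       /* safe: we just saw '=' */
            val = p;
            while (*p != '\0' && *p != ';')
                p++;
            val_end = p;
        } else {
            val = val_end = p;         /* name with no value */
        }

        if ((size_t)(key_end - key) == nlen &&
            memcmp(key, name, nlen) == 0) {
            vlen = (size_t)(val_end - val);
            if (vlen >= outlen) {
                memcpy(out, val, outlen - 1);
                out[outlen - 1] = '\0';
                return COOKIE_TRUNCATED;
            }
            memcpy(out, val, vlen);
            out[vlen] = '\0';
            return COOKIE_FOUND;
        }

        /* Step over the separator only if one is really there, so a
         * string ending in ';' or in a bare name ends the loop. */
        if (*p == ';')
            p++;
    }
    /* Reached when the name is absent, e.g. for "a=1;". */
    return COOKIE_NOT_FOUND;
}
```

The loop falls through to the final return whenever the name is absent, which is the exit path the report points out for a cookie string ending in a semicolon.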
Version 3.2.9 (2014-04-07)
--------------------------
### Fixed
Fixed a critical vulnerability of the install tool (see #6855).
### Fixed
Filter disabled groups in the registration module in the front end (see #6757).
### Fixed
Work around a bug in SimplePie with the "skip items" option (see #6107).
### Fixed
Fix the Swipe "continuous" option if there are exactly two slides (see #6812).
### Fixed
Apply `addslashes()` to strings in the `Config` class (see #6808).
### Fixed
Do not empty all fallback fields in sorting mode 4 (see #6498).
### Fixed
Do not allow template names to be longer than the DB fields (see #6819).
### Fixed
Correctly set the start time of a multi-day event (see #6802).
### Fixed
Correctly handle OR queries in the listing module (see #6344).
### Fixed
Use a monospaced font for the plain text newsletter preview (see #6790).
### Fixed
Adjust the `vScrollTo()` offset if the paste hint is visible (see #6478).
Upstream changes:
4.91 2014-03-29
- Added daemonize method to Mojo::Server.
- Added ensure_pid_file method to Mojo::Server::Prefork.
- Removed deprecated secret method from Mojolicious.
- Improved performance of Mojolicious::Plugin::EPRenderer and
Mojolicious::Plugin::EPLRenderer.
- Improved Mojo::Reactor::Poll portability with POLLPRI support.
4.90 2014-03-16
- Removed deprecated to_rel method from Mojo::URL.
- Updated IO::Socket::SSL requirement to 1.84 due to breaking changes in
IO::Socket::SSL.
- Improved documentation browser with more accessible links and readable
inline code.
- Fixed textarea and title parsing bugs in Mojo::DOM::HTML.
4.89 2014-03-13
- Added support for template variants.
- Improved built-in templates with unobtrusive menu bar.
- Fixed bug in Mojo::DOM::HTML where non-self-closing elements were not
handled correctly.
- Fixed bug in Mojo::DOM::HTML where <image> was not treated as an alias for
<img>.
4.88 2014-03-09
- Added build_controller method to Mojolicious.
- Added match method to Mojolicious::Routes.
- Improved Mojo::Server::Daemon to handle setuid/setgid errors more
gracefully.
- Improved Mojo::Server::Prefork to handle lock file errors more gracefully.
- Improved exception page to show better context information for templates.
- Fixed comment on last line bug in Mojo::Template.
4.87 2014-03-04
- Improved Mojo::ByteStream to allow more method chaining.
- Fixed RFC 7159 support in Mojo::JSON.
- Fixed RFC 7159 compliance bugs in Mojo::Transaction::WebSocket and
Test::Mojo.
- Fixed Unicode bugs in Test::Mojo.
4.86 2014-03-03
- Improved Mojo::IOLoop::Delay to allow more method chaining.
- Improved WebSocket and long poll performance.
4.85 2014-02-26
- Added next_tick method to Mojo::IOLoop and Mojo::Reactor.
- Added host_port and path_query methods to Mojo::URL.
- Added is_handshake method to Mojo::Message::Request.
- Improved Mojo::Reactor::EV responsiveness.
- Fixed IDNA support for CONNECT requests.
- Fixed "0" value bug in Mojo::Message::Request.
4.84 2014-02-22
- Added remaining attribute to Mojo::IOLoop::Delay.
- Added data and pass methods to Mojo::IOLoop::Delay.
- Improved Mojo::Exception context detection to better line up with user
expectations.
Version 0.9.5
-------------
Released 2014/03/21
- ``csrf_token`` for all template types `#112`_.
- Make FileRequired a subclass of InputRequired `#108`_.
Version 0.2.10
--------------
Released on March 9th, 2014
- Generalized `request_loader` introduced; ability to log users in via
customized callback over request.
- Fixes request context dependency by explicitly checking `has_request_context`.
- Fixes remember me issues since lazy user loading changes.
WTForms-reCaptcha is a convenient field for WTForms that transparently handles
reCaptcha display and validation via corresponding widget and validator classes.
Fixed in 7.36.0 - March 26 2014
Release contains security-related bug fixes
Changes:
ntlm: Added support for NTLMv2
tool: Added support for URL specific options
openssl: add ALPN support
gtls: add ALPN support
nss: add ALPN and NPN support
added CURLOPT_EXPECT_100_TIMEOUT_MS
tool: add --no-alpn and --no-npn
added CURLOPT_SSL_ENABLE_NPN and CURLOPT_SSL_ENABLE_ALPN
winssl: enable TLSv1.1 and TLSv1.2 by default
winssl: TLSv1.2 disables certificate signatures using MD5 hash
winssl: enable hostname verification of IP address using SAN or CN
darwinssl: Don't omit CN verification when an IP address is used
http2: build with current nghttp2 version
polarssl: dropped support for PolarSSL < 1.3.0
openssl: info message with SSL version used
Bugfixes:
SECURITY ADVISORY: wrong re-use of connections
SECURITY ADVISORY: IP address wildcard certificate validation
SECURITY ADVISORY: not verifying certs for TLS to IP address / Darwinssl
SECURITY ADVISORY: not verifying certs for TLS to IP address / Winssl
nss: allow to use ECC ciphers if NSS implements them
netrc: Fixed a memory leak in an OOM condition
ftp: fixed a memory leak on wildcard error path
pipeline: Fixed a NULL pointer dereference on OOM
nss: prefer highest available TLS version
100-continue: fix timeout condition
ssh: Fixed a NULL pointer dereference on OOM condition
formpost: use semicolon in multipart/mixed
--help: add missing --tlsv1.x options
formdata: Fixed memory leak on OOM condition
ConnectionExists: reusing possible HTTP+NTLM connections better
mingw32: fix compilation
chunked decoder: track overflows correctly
curl_easy_setopt.3: add CURL_HTTP_VERSION_2_0
dict: fix memory leak in OOM exit path
valgrind: added suppression on optimized code
curl: output protocol headers using binary mode
tool: Added URL index to password prompt for multiple operations
ConnectionExists: re-use non-NTLM connections better
axtls: call ssl_read repeatedly
multi: make MAXCONNECTS default 4 x number of easy handles function
configure: Fix the --disable-crypto-auth option
multi: ignore SIGPIPE internally
curl.1: update the description of --tlsv1
SFTP: skip reading the dir when NOBODY=1
easy: Fixed a memory leak on OOM condition
tool: Fixed incorrect return code when setting HTTP request fails
configure: Tiny fix to honor POSIX
tool: Do not output libcurl source for the information only parameters
Rework Open Watcom make files to use standard Wmake features
x509asn: moved out Curl_verifyhost from NSS builds
configure: call it GSS-API
hostcheck: Curl_cert_hostcheck is not used by NSS builds
multi_runsingle: move timestamp into INIT
remote_port: allow connect to port 0
parse_remote_port: error out on illegal port numbers better
ssh: Pass errors from libssh2_sftp_read up the stack
docs: remove documentation on setting up krb4 support
polarssl: build fixes to work with PolarSSL 1.3.x
polarssl: fix possible handshake timeout issue in multi
nss: allow to enable/disable cipher-suites better
ssh: prevent a logic error that could result in an infinite loop
http2: free resources on disconnect
polarssl: avoid extra newlines in debug messages
rtsp: parse "Session:" header properly
trynextip: don't store 'ai' on failed connects
Curl_cert_hostcheck: strip trailing dots in host name and wildcard
* Change enigmail build mechanism
Changelog:
2.25:
SeaMonkey-specific changes
Newsgroup names can now be entered using autocompletion.
See the changes page for a more complete overview.
Mozilla platform changes
The Gamepad API has been finalized and enabled (learn more).
VP9 video decoding has been implemented.
Support for Opus in WebM was added.
Volume control for HTML5 audio/video has been added.
Mac OS X Notification Center support has been added for web notifications.
Support for spdy/2 has been removed.
Support for multi-line flexbox in layout has been added.
Support for the MathML 2.0 mathvariant attribute has been added.
Background thread hang reporting has been added.
<input type=color> has been implemented and enabled.
Fixed several stability issues.
Fixed in SeaMonkey 2.25
MFSA 2014-32 Out-of-bounds write through TypedArrayObject after neutering
MFSA 2014-31 Out-of-bounds read/write through neutering ArrayBuffer objects
MFSA 2014-30 Use-after-free in TypeObject
MFSA 2014-29 Privilege escalation using WebIDL-implemented APIs
MFSA 2014-28 SVG filters information disclosure through feDisplacementMap
MFSA 2014-27 Memory corruption in Cairo during PDF font rendering
MFSA 2014-26 Information disclosure through polygon rendering in MathML
MFSA 2014-23 Content Security Policy for data: documents not preserved by session restore
MFSA 2014-22 WebGL content injection from one domain to rendering in another
MFSA 2014-20 onbeforeunload and Javascript navigation DOS
MFSA 2014-19 Spoofing attack on WebRTC permission prompt
MFSA 2014-18 crypto.generateCRMFRequest does not validate type of key
MFSA 2014-17 Out of bounds read during WAV file decoding
MFSA 2014-16 Files extracted during updates are not always read only
MFSA 2014-15 Miscellaneous memory safety hazards (rv:28.0 / rv:24.4)
2.24:
SeaMonkey-specific changes
The DoNotTrack and Prompt on Sanitize preferences are now kept in sync.
A pref (mailnews.p7m_external) has been added to allow users to choose an alternate application/pkcs7-mime handling.
Support for Atom Threading Extensions (RFC 4685) has been added.
Migrating profiles from Thunderbird supports the new signons file format now (support for the old format has been dropped).
Autocomplete drop-downs (e.g. used on the Location Bar and Open Location dialog) now show favicons for their entries.
The account name is now displayed in the status bar for all messages when checking mail.
IMAP alert messages now show the server of the corresponding mail account.
Newsgroup names are now searched for all search strings combined (AND-search) on the subscribe dialog.
See the changes page for a more complete overview.
Mozilla platform changes
Removed support for importing logins from the legacy signons.txt format, including the Base64 conversion (bug 717490).
Enabled support for TLS 1.2 (RFC 5246) by default (bug 861266).
Added support for the SPDY 3.1 protocol.
Added ability to reset style sheets using all:unset.
Added support for scrolled fieldsets (overflow property support, bug 261037).
Implemented allow-popups directive for iframe sandbox, enabling increased security (bug 766282).
Unprefixed CSS cursor keywords -moz-grab and -moz-grabbing (bug 880672).
Added support for ES6 generators in SpiderMonkey (blog post).
Implemented support for mathematical function Math.hypot() in ES6 (bug 896264).
Added dashed line support on Canvas (bug 768067).
Fixed Azure/Skia content rendering on Linux (bug 740200).
Fixed several stability issues.
Fixed in SeaMonkey 2.24
MFSA 2014-13 Inconsistent JavaScript handling of access to Window objects
MFSA 2014-12 NSS ticket handling issues
MFSA 2014-11 Crash when using web workers with asm.js
MFSA 2014-09 Cross-origin information leak through web workers
MFSA 2014-08 Use-after-free with imgRequestProxy and image processing
MFSA 2014-07 XSLT stylesheets treated as styles in Content Security Policy
MFSA 2014-05 Information disclosure with *FromPoint on iframes
MFSA 2014-04 Incorrect use of discarded images by RasterImage
MFSA 2014-03 UI selection timeout missing on download prompts
MFSA 2014-02 Clone protected content with XBL scopes
MFSA 2014-01 Miscellaneous memory safety hazards (rv:27.0 / rv:24.3)
Changelog
=========
Since 2.5.1-rc
----------------
bugfix: can't view object link in notification when an email does not have a subject.
Since 2.5.1-beta
----------------
bugfix: cannot add milestones in templates
bugfix: when adding template, after adding milestone cannot select it when adding a task
Since 2.5.0.6
----------------
bugfix: Template view broken by single quote in property name.
bugfix: when edit a template if have milestones you can't see tasks.
bugfix: don't show members that cannot be used in member selector.
Since 2.5.0.5
----------------
bugfix: Tasks grouping by dimension fixed.
Since 2.5.0.4
----------------
performance: Issue when loading persons dim.
bugfix: Imap folders are not saved when editing an email account.
bugfix: Cannot unclassify mails from classify form.
bugfix: Emessage not shown when inputting dates with incorrect format.
bugfix: Add start date to task view.
bugfix: Get tasks by range query does not include logged user's timezone.
bugfix: In task complete edition form, assigned to are not displayed correctly.
bugfix: Issue in include myself in document notifications.
bugfix: Set db charset when reconnecting in abstract db adapter.
Since 2.5.0.3
----------------
bugfix: Add attachments column in queued_emails in upgrade scripts.
bugfix: Set db charset when reconnecting in abstract db adapter.
Since 2.5.0.2
----------------
bugfix: Render member selectors with preloaded member info.
bugfix: Order by name doesn't work on object list.
bugfix: People widget only display users.
Since 2.5.0.1
----------------
bugfix: on mysql 5.6 have_innodb variable is deprecated
Since 2.5
----------------
feature: Allow to configure dashboard widget position and order for each user.
feature: Allow to configure default dashboard widget position and order for all users.
feature: Comments dashboard widget.
feature: Email dashboard widget.
feature: choose to filter calendar widget or not.
feature: choose the user to filter the tasks widget.
bugfix: when add a timeslot by clock on tasks update the percent complete.
bugfix: if a file doesn't have revision when classify create one.
bugfix: several minor fixes of undefined variables, missing langs, etc.
bugfix: when disabling or reactivating users from company view, users list is not reloaded.
bugfix: member selector displayed wrong data
bugfix: on task add/edit view, assignee combo displayed wrong data
bugfix: subscribers and invited people were not shown correctly
bugfix: encoding when receiving emails
bugfix: when editing a classified timeslot, its context was not shown
bugfix: in file upload, the name is not changed if a new name is entered
bugfix: missing langs and sql changes for email user config options
Since 2.5-rc
----------------
bugfix: general search form submitted by enter key doesn't work in Google Chrome
bugfix: links are now saved as such when using WYSIWYG
bugfix: primary-breadcrumb show exact context
bugfix: mysql transaction problem when sending emails without using a cronjob
bugfix: when making a new installation, users were not shown by default
Since 2.5-beta
----------------
bugfix: if a file doesn't have a revision, when classifying an email create one.
bugfix: when adding a timeslot by clock on tasks, task progress bar was not updated correctly.
bugfix: fixed custom reports using boolean conditions in false.
bugfix: problems with paging on the overview list.
bugfix: on activity widget, when clicking on a member, change dimension.
* Applied patch #9 (Crash when more than one authplugin are selected)
by Frederic Bourgeois
* Added feature to allow Facebook mock ajax (request #6) by Jason Spiro
* Added contrib dir
* Added a new html & css validated html template in contrib (request #3).
By Chris Peschke
* Converted iso-8859 message files to utf-8 (bug #86). Suggested
by Fred Ulisses Maranhao
* Fixed Error reading Content-Length (bug #84). By Carlos Soto
* Fixed compilation error on BSD due to lack of string.h when using
memcpy() (bug #75). By Alexander Hornung
* Fixed exceptioniplist case sensitivity (bug #11). By Mark J Hewitt
* Fixed accept-encoding support for new tokens (bug #13). By userquin
* Applied patch 3438750 (GCC 4.4 and 4.6 compatibility) by Mathieu PARENT
* Applied patch 3438749 (French translation update) by Mathieu PARENT
* Applied patch 3418297 (Set proxy timeout in dansguardian.conf)
by Frederic Bourgeois
* Applied patch 3419088 (login/password in URL is dropped) by Mathieu PARENT
* Applied patch 3419089 ("Expect" header should be dropped) by Mathieu PARENT
* Applied patch 3438751 (Fix queue handling in OptionContainer)
by Mathieu PARENT
* Applied patch 3515167 (Fix digest identification) by Frederic Bourgeois
* Fixed GCC warnings
* LFS review in String.cpp (requires different arch review yet)
Previous release notes seem to be lost - the build structure changed, and:
Both the main configuration file and the filter group configuration
file(s) have changed since the last stable release. If you try
to re-use the configuration from an existing copy of 2.8.0.6 or
earlier, the daemon will not start. On the other hand, list
files (phrase lists, domain lists, etc.) have not changed format,
and should largely "just work". There have been improvements to
the default list files, though, so again it is recommended that
you start from the new version and re-do any customisations.
*) SECURITY: CVE-2014-0098 (cve.mitre.org)
Clean up cookie logging with fewer redundant string parsing passes.
Log only cookies with a value assignment. Prevents segfaults when
logging truncated cookies.
*) SECURITY: CVE-2013-6438 (cve.mitre.org)
mod_dav: Keep track of length of cdata properly when removing
leading spaces. Eliminates a potential denial of service from
specifically crafted DAV WRITE requests
*) core: draft-ietf-httpbis-p1-messaging-23 corrections regarding
TE/CL conflicts.
*) mod_proxy_http: Core dumped under high load. PR 50335.
*) proxy_util: NULL terminate the right buffer in 'send_http_connect'.
*) mod_proxy: Remove (never documented) <Proxy ~ wildcard-url> syntax which
is equivalent to <ProxyMatch wildcard-url>.
*) mod_ldap: Fix a potential memory leak or corruption.
*) mod_ssl: Do not perform SNI / Host header comparison in case of a
forward proxy request.
*) mod_rewrite: Add mod_rewrite.h to the headers installed on Windows.
* Update MESSAGE to use nginx and php-fpm.
I cannot enable with apache24 (yet).
Changelog:
Version 6.0.2 March 3rd 2014
Several security fixes
Improved trash bin performance for deleting lots of files
Mobile interface improvements
Fix key problems in encryption mode in rare situations
Smaller LDAP improvements
Fix the keep-alive ping for non standard php session lifetimes
Cleanup storage table when deleting an entry
Fix compatibility with xsendfile mode
Fix file size calculation in encryption mode
Fix image previews in trash bin
Fix public upload with enabled encryption
Added APC enabled check
Correctly localise date in notification emails
Improve compatibility with some CIFS servers
Fix shared files and Gallery
Several Contacts compatibility improvements
Several Documents improvements
A lot of smaller bug fixes
Changelog:
Fixed in Firefox ESR 24.4
MFSA 2014-32 Out-of-bounds write through TypedArrayObject after neutering
MFSA 2014-31 Out-of-bounds read/write through neutering ArrayBuffer objects
MFSA 2014-30 Use-after-free in TypeObject
MFSA 2014-29 Privilege escalation using WebIDL-implemented APIs
MFSA 2014-28 SVG filters information disclosure through feDisplacementMap
MFSA 2014-27 Memory corruption in Cairo during PDF font rendering
MFSA 2014-26 Information disclosure through polygon rendering in MathML
MFSA 2014-17 Out of bounds read during WAV file decoding
MFSA 2014-16 Files extracted during updates are not always read only
MFSA 2014-15 Miscellaneous memory safety hazards (rv:28.0 / rv:24.4)
Changelog:
NEW: VP9 video decoding implemented
NEW: Mac OS X: Notification Center support for web notifications
NEW: Horizontal HTML5 audio/video volume control
NEW: Support for Opus in WebM
CHANGED: Now that spdy/3 is implemented support for spdy/2 has been removed and servers without spdy/3 will negotiate to http/1 without any penalty
DEVELOPER: Support for MathML 2.0 'mathvariant' attribute
DEVELOPER: Background thread hang reporting
DEVELOPER: Support for multi-line flexbox in layout
FIXED: Various security fixes
Fixed in Firefox 28
MFSA 2014-32 Out-of-bounds write through TypedArrayObject after neutering
MFSA 2014-31 Out-of-bounds read/write through neutering ArrayBuffer objects
MFSA 2014-30 Use-after-free in TypeObject
MFSA 2014-29 Privilege escalation using WebIDL-implemented APIs
MFSA 2014-28 SVG filters information disclosure through feDisplacementMap
MFSA 2014-27 Memory corruption in Cairo during PDF font rendering
MFSA 2014-26 Information disclosure through polygon rendering in MathML
MFSA 2014-25 Firefox OS DeviceStorageFile object vulnerable to relative path escape
MFSA 2014-24 Android Crash Reporter open to manipulation
MFSA 2014-23 Content Security Policy for data: documents not preserved by session restore
MFSA 2014-22 WebGL content injection from one domain to rendering in another
MFSA 2014-21 Local file access via Open Link in new tab
MFSA 2014-20 onbeforeunload and Javascript navigation DOS
MFSA 2014-19 Spoofing attack on WebRTC permission prompt
MFSA 2014-18 crypto.generateCRMFRequest does not validate type of key
MFSA 2014-17 Out of bounds read during WAV file decoding
MFSA 2014-16 Files extracted during updates are not always read only
MFSA 2014-15 Miscellaneous memory safety hazards (rv:28.0 / rv:24.4)
Approved by: wiz@
Upstream changes:
2.5.5
Highlights
MDL-43733 - Auto-saved responses are used when a quiz attempt is submitted automatically
MDL-27414 - Random short answer matching question type now works again (with thanks to Jean-Michel Védrine)
Functional changes
MDL-40821 - Language menu in Clean shows language used
API changes
MDL-43882 - "Time spent waiting for the database" value added to performance info
UI changes
MDL-44425 - Skydrive, Box.net and Google Docs are renamed OneDrive, Box and Google Drive respectively to reflect these remote service name changes.
Security issues
MSA-14-0004 Incorrect filtering in Quiz
MSA-14-0005 Access issue in Feedback activity
MSA-14-0006 Capability issue in Chat
MSA-14-0007 Access issue in Wiki
MSA-14-0008 Cross site scripting potential in Flowplayer
MSA-14-0009 Identity information leak in Forum and Quiz
MSA-14-0010 Identity information leak in Alfresco Repository
MSA-14-0011 Cross site request forgery potential in IMS enrolments
MSA-14-0012 Access issue in Badges
Fixes and improvements
MDL-40705 - Long course names are truncated in navigation menu
MDL-40205 - Long block titles are truncated in Clean
MDL-42882 - Performance improvement to missing root directory upgrade step
MDL-40849 - Assignment marking guide screen fixed in Clean
MDL-44217 - The link colour in Bootstrapbase (and Clean) is now WCAG compliant
MDL-44029 - Quiz user overrides no longer deleted by group event handler
MDL-44018 - Variant field of question_attempts is backed up by Moodle backup
MDL-43941 - Activity show/hide toggle fixed in hidden and orphaned sections
MDL-43306 - Backup no longer introduces duplicate gradeitem sortorders when restoring
2.5.4
Highlights
MDL-41819 - Able to edit a larger number of grades in the grader report
Functional changes
MDL-42504 - Quiz auto-save detects that the connection to the server has been lost and warns students
API changes
MDL-40741 - Behat tests adapted to Clean theme
MDL-42942 - Environmental information shown at the beginning of every Behat run
Security issues
MSA-14-0001 Config passwords visibility issue
MSA-14-0002 Group constraints lacking in "login as"
MSA-14-0003 Cross-site request forgery vulnerability in profile fields
Fixes and improvements
MDL-34182 - Invalid JSON no longer output on filepicker when repository plugins output invalid content
MDL-43367 - get_child_contexts() returns correct contexts when context path missing
MDL-42913 - Group cache works as expected
MDL-40003 - Assignment submission comments are restored
MDL-42085 - Default enrolment duration is now applied when manually enrolling a user
*) Security: a heap memory buffer overflow might occur in a worker
process while handling a specially crafted request by
ngx_http_spdy_module, potentially resulting in arbitrary code
execution (CVE-2014-0133).
Thanks to Lucas Molas, researcher at Programa STIC, Fundación Dr.
Manuel Sadosky, Buenos Aires, Argentina.
*) Feature: the "proxy_protocol" parameters of the "listen" and
"real_ip_header" directives, the $proxy_protocol_addr variable.
*) Bugfix: in the "fastcgi_next_upstream" directive.
Thanks to Lucas Molas.
*) Security: a heap memory buffer overflow might occur in a worker
process while handling a specially crafted request by
ngx_http_spdy_module, potentially resulting in arbitrary code
execution (CVE-2014-0133).
Thanks to Lucas Molas, researcher at Programa STIC, Fundación Dr.
Manuel Sadosky, Buenos Aires, Argentina.
*) Bugfix: in the "fastcgi_next_upstream" directive.
Thanks to Lucas Molas.
*) mod_ssl: Work around a bug in some older versions of OpenSSL that
would cause a crash in SSL_get_certificate for servers where the
certificate hadn't been sent.
*) mod_lua: Add a fixups hook that checks if the original request is intended
for LuaMapHandler. This fixes a bug where FallbackResource invalidates the
LuaMapHandler directive in certain cases by changing the URI before the map
handler code executes
Changes 2.4.8:
*) SECURITY: CVE-2014-0098 (cve.mitre.org)
Clean up cookie logging with fewer redundant string parsing passes.
Log only cookies with a value assignment. Prevents segfaults when
logging truncated cookies.
*) SECURITY: CVE-2013-6438 (cve.mitre.org)
mod_dav: Keep track of length of cdata properly when removing
leading spaces. Eliminates a potential denial of service from
specifically crafted DAV WRITE requests
*) core: Support named groups and backreferences within the LocationMatch,
DirectoryMatch, FilesMatch and ProxyMatch directives. (Requires
non-ancient PCRE library)
*) core: draft-ietf-httpbis-p1-messaging-23 corrections regarding
TE/CL conflicts.
*) mod_dir: Add DirectoryCheckHandler to allow a 2.2-like behavior, skipping
execution when a handler is already set.
*) mod_ssl: Do not perform SNI / Host header comparison in case of a
forward proxy request.
*) mod_ssl: Remove the hardcoded algorithm-type dependency for the
SSLCertificateFile and SSLCertificateKeyFile directives, to enable
future algorithm agility, and deprecate the SSLCertificateChainFile
directive (obsoleted by SSLCertificateFile).
*) mod_rewrite: Add RewriteOptions InheritDown, InheritDownBefore,
and IgnoreInherit to allow RewriteRules to be pushed from parent scopes
to child scopes without explicitly configuring each child scope.
*) prefork: Fix long delays when doing a graceful restart.
*) FreeBSD: Disable IPv4-mapped listening sockets by default for versions
5+ instead of just for FreeBSD 5.
*) mod_proxy_wstunnel: Avoid busy loop on client errors, drop message
IDs 02445, 02446, and 02448 to TRACE1 from DEBUG.
*) mod_remoteip: Correct the trusted proxy match test.
*) mod_proxy_fcgi: Fix error message when an unexpected protocol version
number is received from the application.
*) mod_remoteip: Use the correct IP addresses to populate the proxy_ips field.
*) mod_lua: Update r:setcookie() to accept a table of options and add domain,
path and httponly to the list of options available to set.
*) mod_lua: Fix r:setcookie() to add, rather than replace,
the Set-Cookie header.
*) mod_lua: Allow for database results to be returned as a hash with
row-name/value pairs instead of just row-number/value.
*) mod_rewrite: Add %{CONN_REMOTE_ADDR} as the non-useragent counterpart to
%{REMOTE_ADDR}.
*) WinNT MPM: If ap_run_pre_connection() fails or sets c->aborted, don't
save the socket for reuse by the next worker as if it were an
APR_SO_DISCONNECTED socket. Restores 2.2 behavior.
*) mod_dir: Don't search for a DirectoryIndex or DirectorySlash on a URL
that was just rewritten by mod_rewrite.
*) mod_session: When we have a session we were unable to decode,
behave as if there was no session at all.
*) mod_session: Fix problems interpreting the SessionInclude and
SessionExclude configuration.
*) mod_authn_core: Allow <AuthnProviderAlias>'es to be seen from auth
stanzas under virtual hosts.
*) mod_proxy_fcgi: Use apr_socket_timeout_get instead of hard-coded
30 seconds timeout.
*) mod_proxy: Added support for unix domain sockets as the
backend server endpoint
*) build: only search for modules (config*.m4) in known subdirectories, see
build/config-stubs.
*) mod_cache_disk: Fix potential hangs on Windows when using mod_cache_disk.
*) mod_ssl: Add support for OpenSSL configuration commands by introducing
the SSLOpenSSLConfCmd directive.
*) mod_proxy: Remove (never documented) <Proxy ~ wildcard-url> syntax which
is equivalent to <ProxyMatch wildcard-url>.
*) mod_authz_user, mod_authz_host, mod_authz_groupfile, mod_authz_dbm,
mod_authz_dbd, mod_authnz_ldap: Support the expression parser within the
require directives.
*) mod_proxy_http: Core dumped under high load.
*) mod_socache_shmcb.c: Remove arbitrary restriction on shared memory size
previously limited to 64MB.
*) mod_lua: Use binary copy when dealing with uploads through r:parsebody()
to prevent truncating files.
== 1.6.2 Doc Brown
* No longer replace response's body on HEAD request. Ensuring body.close will be called.
* Remove `---ssl-verify` option as EventMachine doesn't verify the certificate.
* Fix env['rack.peer_cert'] to return SSL certificate.
== 1.6.1 Death Proof
* Regression: Default logger to STDOUT when using outside of CLI.
* Regression: Downgrade Rack required version back to 1.0 to work w/ prior Rails versions.
== 1.6.0 Greek Yogurt
* Accept absolute URL in request line, eg.: 'GET http://site.com/he/lo HTTP/1.1'.
* HEAD request no longer return a body in the response.
* No longer stop EventMachine's reactor loop unless it was started by Thin.
* Make request env keys upcasing locale-agnostic.
* Use Ruby's `Logger` for logging. [Akshay Moghe].
The logger can now be set using `Thin::Logging.logger=`.
Tracing of request is handled by a second logger, `Thin::Logging.trace_logger=`.
* Add --threadpool-size option to configure EM's thread pool size (default: 20).
* Pipelining is no longer supported.
=== raindrops 0.13.0 several minor fixes and improvements / 2014-02-18 20:59 UTC
Most notably, this release is necessary for Ruby 2.2 (dev).
Thanks to Koichi Sasada for the bug report!
Eric Wong (5):
Rakefile: remove raa_update task
last_data_recv: do not assume Unicorn includes all constants
raindrops.gemspec: add wrongdoc dev dependency
linux_inet_diag: fix Ruby 2.2 (dev) build
license: use LGPLv2.1 or later (was LGPL (2.1|3.0)-only)
Hleb Valoshka (1):
Remove Scope IDs from IPv6 addresses.
=== 2.8.1 / 2014-03-06
* 1 bug fixes:
* Run puma-wild with proper deps for prune_bundler
* 2 doc changes:
* Described the configuration file finding behavior added in 2.8.0 and how to disable it.
* Start the deployment doc
* 6 PRs merged:
* Merge pull request #471 from arthurnn/fix_test
* Merge pull request #485 from joneslee85/patch-9
* Merge pull request #486 from joshwlewis/patch-1
* Merge pull request #490 from tobinibot/patch-1
* Merge pull request #491 from brianknight10/clarify-no-config
=== 2.8.0 / 2014-02-28
* 8 minor features:
* Add ability to autoload a config file. Fixes#438
* Add ability to detect and terminate hung workers. Fixes#333
* Add booted_workers to stats response
* Add config to customize the default error message
* Add prune_bundler option
* Add worker indexes, expose them via on_worker_boot. Fixes #440
* Add pretty process name
* Show the ruby version in use
* 7 bug fixes:
* Added 408 status on timeout.
* Be more hostile with sockets that write block. Fixes #449
* Expect at_exit to exclusively remove the pidfile. Fixes #444
* Expose latency and listen backlog via bind query. Fixes #370
* JRuby raises IOError if the socket is there. Fixes #377
* Process requests fairly. Fixes #406
* Rescue SystemCallError as well. Fixes #425
* 4 doc changes:
* Add 2.1.0 to the matrix
* Add Code Climate badge to README
* Create signals.md
* Set the license to BSD. Fixes #432
* 14 PRs merged:
* Merge pull request #428 from alexeyfrank/capistrano_default_hooks
* Merge pull request #429 from namusyaka/revert-const_defined
* Merge pull request #431 from mrb/master
* Merge pull request #433 from alepore/process-name
* Merge pull request #437 from ibrahima/master
* Merge pull request #446 from sudara/master
* Merge pull request #451 from pwiebe/status_408
* Merge pull request #453 from joevandyk/patch-1
* Merge pull request #470 from arthurnn/fix_458
* Merge pull request #472 from rubencaro/master
* Merge pull request #480 from jjb/docs-on-running-test-suite
* Merge pull request #481 from schneems/master
* Merge pull request #482 from prathamesh-sonpatki/signals-doc-cleanup
* Merge pull request #483 from YotpoLtd/master
=== 2.7.1 / 2013-12-05
* 1 bug fix:
* Keep STDOUT/STDERR the right mode. Fixes #422
=== 2.7.0 / 2013-12-03
* 1 minor feature:
* Adding TTIN and TTOU to increment/decrement workers
* N bug fixes:
* Always use our Process.daemon because it's not busted
* Add capistrano restart failback to start.
* Change position of `cd` so that rvm gemset is loaded
* Clarify some platform specifics
* Do not close the pipe sockets when retrying
* Fix String#byteslice for Ruby 1.9.1, 1.9.2
* Fix compatibility with 1.8.7.
* Handle IOError closed stream in IO.select
* Increase the max URI path length to 2048 chars from 1024 chars
* Upstart jungle use config/puma.rb instead
0.12.0 (February 9th 2014)
FIX #1578 Fix Latvian translations (@graudeejs)
FIX #1576 incorrect nl.yml translations (@fevers)
FIX #1564 do not reload apps with disabled or absent :reload flag (@ujifgc)
FIX #1571 Allow for url generation to accept stringified keys (@jsmpereira)
NEW #1570 add custom index option for form_for abstract form helper (@graudeejs)
FIX #1567 Add :app option to the component generator (@namusyaka)
FIX #1563 Fix behavior of content_tag when used with content that is not a string (@tyabe)
NEW #1422 allow options Hash in protect_from_csrf (@ujifgc)
0.12.0.rc3 (January 20th 2014)
FIX resolve_template should respect :views option (@ujifgc)
FIX #1547 Rename `showexceptions.rb` to `show_exceptions.rb` (@namusyaka)
NEW #1551 Introduce #default method to set application options (@ujifgc)
FIX #1553 Chinese time translations (@gokure)
FIX #1556 German translations (@Signum)
FIX #1555 Fix a problem with the before/after filters (@namusyaka)
FIX #1550 Shove LOADING/RELOADING to devel log level
FIX #1445 Drop `PADRINO_ENV` in favour of `RACK_ENV` for further compatibility (@dariocravero)
0.12.0.rc2 (January 5th 2014)
FIX development dependency for padrino-gen (@namusyaka)
FIX #1520 Skip loading models for sequel migration tasks (@ujifgc)
FIX #1493 make admin aware of uri_root (@ujifgc)
NEW #854 allow -a master to rename admin path (@ujifgc)
FIX Get tests passing again on rubinius (@ujifgc)
FIX #1545 Don't raise on protect_from_csrf without sessions (@skade)
FIX #1546 Silence deprecation warnings for File.exists? (@fj)
REMOVE #1516 support for TestSpec component from generator (@ujifgc)
0.12.0.rc1 (December 31st 2013)
FIX #1421 Prevent double-escaped HTML in simple_format (@inkstak)
NEW #1424 Adds task generator for creating new task files (@namusyaka)
FIX #1423 Adds MIT license to gemspec (@ujifgc)
FIX #1121 Modify the encoding of crypted_password (@namusyaka)
NEW #1432 Rewritten Code Reloading (@ujifgc)
FIX #1428 logger constants to match stdlib (@spariev)
FIX #775 track I18n locale files properly (@ujifgc)
FIX #1434 additional fixes for slim templates (@minad)
FIX #1431 incorrect behavior when using content_tag with block (@namusyaka)
FIX #1435 broken slim templates (@namusyaka)
FIX AS4.1 constantize behavior compatibility (@ujifgc)
NEW #1436 support rails-style attribute hash of select options (@ujifgc)
NEW support disabled_options key for select_tag (@ujifgc)
FIX no longer monkeypatch colors onto string (@ujifgc, @nesquena)
FIX #1442 use `=` instead of `-` in slim and haml templating
NEW #1441 cleanup template handling logic (@ujifgc, @namusyaka)
FIX Cleanup file loading logic (@ujifgc)
FIX #1443 Don't step over :session_id setting on admin apps (@dariocravero)
NEW Modified `padrino start` to take an extra `--options` (`-O`) parameter (@dariocravero)
NEW #1018 Replaces Padrino::Cache::Store with Moneta (@minad)
NEW #1455 Steak generator written for acceptance tests (@eturk, @namusyaka)
FIX Better error generation for forms (@ujifgc)
FIX html_safe in labeled group (@ujifgc)
NEW #1452 Allow padrino start to take handler specific options
FIX #1462 cache content_type (@ujifgc)
FIX #1466 Change accepts to empty array to fix latest sinatra
FIX #1457 Major helpers cleanup (@ujifgc)
NEW #1405 Params is now converted to `HashWithIndifferentAccess` (@Ortuna)
FIX #1391 Skip path_traversal protection (@namusyaka)
NEW #1471 allow configuring codes of cascade apps (@ujifgc)
NEW #1477 Add :as option to form_for helper (@graudeejs)
FIX #1481 incorrect namespace of #named_routes (@namusyaka)
FIX Disambiguate the behavior of `url` (@namusyaka)
FIX #1461 Allow to render template with layout that using other template engine (@namusyaka)
NEW #767 introduces App.view_path and App.layout_path (@ujifgc)
FIX #1488 plugin generator url path to github (@bolshakov)
FIX #915 use app.root when mounting if available (@ujifgc)
FIX Allow to use extension with layout method. (@namusyaka)
NEW #1414 drop ruby 18mode, liberate ActiveSupport
NEW #711 Verify render with block now works as expected (@ujifgc)
NEW #1504 allow partial with block (@ujifgc)
FIX #1507 patch jruby utf-8 method naming (@ujifgc)
FIX #1505 Remove charset from json mimetype, fix sinatra edge (@namusyaka)
FIX #1513 Extracting logic to methods to improve readability (@scudelletti)
FIX #1517 correctly set a name of mounted application (@ujifgc)
NEW #1518 Add :flush option to content_for (@namusyaka)
FIX #1523 Add Rakefile tasks to the component generator (@tyabe)
FIX #1526 options on ActiveRecord version 3 (@tyabe)
NEW #1528 Allow asset_folders to be configured in settings
FIX #1529 double escaping of link urls (@ujifgc)
FIX #1532 allow asset_path with no kind (@ujifgc)
FIX #1535 rebase string urls to uri_root (@ujifgc)
NEW #1539 Enable :except option to :protect_from_csrf (@namusyaka)
FIX #1540 generator should abort if constant name already exists (@namusyaka)
NEW #922 resolve templates relative to controller name (@ujifgc)
NEW #1541 Reimplement authenticity token logic (@namusyaka)
=== 2.9.4 / 2014-02-10
* Bug fixes
* Improve proxy escaping from 2.9.2. Pull request #59 by Mislav Marohnić.
=== 2.9.3 / 2014-02-06
* Bug fixes
* Fix breakage in 2.9.2 for users without proxies. Pull request #56 by
Yoshihiro TAKAHARA (merged), #57 by ChuckLin, #58 by Kenny Meyer.
=== 2.9.2 / 2014-02-05
* Bug fixes
* Special characters in proxy passwords are now handled correctly. Issue
#48 by Mislav Marohnić. Pull request #54 by Juha Kajava
=== 2.9.1 / 2014-01-22
* Bug fixes
* Added license to gemspec. Issue #47 by Benjamin Fleischer
* Set Net::HTTP#keep_alive_timeout when supported by ruby. Pull request #53
by Dylan Thacker-Smith.
* The backtrace is preserved for errors in #reset to help with debugging.
Issue #41 by Andrew Cholakian.
3.2.15 (7 March 2014)
* Support &.foo when the parent selector has a newline followed by a comma.
3.2.14 (24 January 2014)
* Don't crash when parsing a directive with no name in the indented syntax.
* Clean up file paths when importing to avoid errors for overlong path names.
* Parse calls to functions named true, false, and null as function calls.
* Don't move CSS @imports to the top of the file unless it's necessary.
3.2.13 (19 December 2013)
* Numbers returned by user-defined functions now trigger division, just like
numbers stored in variables.
* Support importing files in paths with open brackets.
* Fix sass-convert's handling of rules with empty bodies when converting from
CSS.
* Fix CSS imports using url() with a quoted string and media queries.
3.2.12 (4 October 2013)
* Add a couple missing requires, fixing some load errors, especially when
using the command-line interface.
* Tune up some heuristics for eliminating redundant generated selectors. This
will prevent some selector elimination in cases where multi-layered @extend
is being used and where it seems intuitively like selectors shouldn't be
eliminated.
3.2.11 (27 September 2013)
* Fix @extend's semantics with respect to pseudo-elements. They are no longer
treated identically to pseudo-classes.
* A more understandable error is now provided when the -E option is passed to
the Sass command line in ruby 1.8
* Fixed a bug in the output of lists containing unary plus or minus operations
during sass <=> scss conversion.
* Avoid the IE7 content: counter bug with content: counters as well.
* Fix some thread-safety issues.
*) Security: memory corruption might occur in a worker process on 32-bit
platforms while handling a specially crafted request by
ngx_http_spdy_module, potentially resulting in arbitrary code
execution (CVE-2014-0088); the bug had appeared in 1.5.10.
Thanks to Lucas Molas, researcher at Programa STIC, Fundación Dr.
Manuel Sadosky, Buenos Aires, Argentina.
*) Feature: the $ssl_session_reused variable.
*) Bugfix: the "client_max_body_size" directive might not work when
reading a request body using chunked transfer encoding; the bug had
appeared in 1.3.9.
Thanks to Lucas Molas.
*) Bugfix: a segmentation fault might occur in a worker process when
proxying WebSocket connections.
*) Bugfix: a segmentation fault might occur in a worker process if the
ngx_http_spdy_module was used on 32-bit platforms; the bug had
appeared in 1.5.10.
*) Bugfix: the $upstream_status variable might contain wrong data if the
"proxy_cache_use_stale" or "proxy_cache_revalidate" directives were
used.
Thanks to Piotr Sikora.
*) Bugfix: a segmentation fault might occur in a worker process if
errors with code 400 were redirected to a named location using the
"error_page" directive.
*) Bugfix: nginx/Windows could not be built with Visual Studio 2013.
Changes with nginx 1.5.10 04 Feb 2014
*) Feature: the ngx_http_spdy_module now uses SPDY 3.1 protocol.
Thanks to Automattic and MaxCDN for sponsoring this work.
*) Feature: the ngx_http_mp4_module now skips tracks too short for a
seek requested.
*) Bugfix: a segmentation fault might occur in a worker process if the
$ssl_session_id variable was used in logs; the bug had appeared in
1.5.9.
*) Bugfix: the $date_local and $date_gmt variables used wrong format
outside of the ngx_http_ssi_filter_module.
*) Bugfix: client connections might be immediately closed if deferred
accept was used; the bug had appeared in 1.3.15.
*) Bugfix: alerts "getsockopt(TCP_FASTOPEN) ... failed" appeared in logs
during binary upgrade on Linux; the bug had appeared in 1.5.8.
Thanks to Piotr Sikora.
Changes with nginx 1.5.9 22 Jan 2014
*) Change: now nginx expects escaped URIs in "X-Accel-Redirect" headers.
*) Feature: the "ssl_buffer_size" directive.
*) Feature: the "limit_rate" directive can now be used to rate limit
responses sent in SPDY connections.
*) Feature: the "spdy_chunk_size" directive.
*) Feature: the "ssl_session_tickets" directive.
Thanks to Dirkjan Bussink.
*) Bugfix: the $ssl_session_id variable contained full session
serialized instead of just a session id.
Thanks to Ivan Ristić.
*) Bugfix: nginx incorrectly handled escaped "?" character in the
"include" SSI command.
*) Bugfix: the ngx_http_dav_module did not unescape destination URI of
the COPY and MOVE methods.
*) Bugfix: resolver did not understand domain names with a trailing dot.
Thanks to Yichun Zhang.
*) Bugfix: alerts "zero size buf in output" might appear in logs while
proxying; the bug had appeared in 1.3.9.
*) Bugfix: a segmentation fault might occur in a worker process if the
ngx_http_spdy_module was used.
*) Bugfix: proxied WebSocket connections might hang right after
handshake if the select, poll, or /dev/poll methods were used.
*) Bugfix: the "xclient" directive of the mail proxy module incorrectly
handled IPv6 client addresses.
Changes with nginx 1.5.8 17 Dec 2013
*) Feature: IPv6 support in resolver.
*) Feature: the "listen" directive supports the "fastopen" parameter.
Thanks to Mathew Rodley.
*) Feature: SSL support in the ngx_http_uwsgi_module.
Thanks to Roberto De Ioris.
*) Feature: vim syntax highlighting scripts were added to contrib.
Thanks to Evan Miller.
*) Bugfix: a timeout might occur while reading client request body in an
SSL connection using chunked transfer encoding.
*) Bugfix: the "master_process" directive did not work correctly in
nginx/Windows.
*) Bugfix: the "setfib" parameter of the "listen" directive might not
work.
*) Bugfix: in the ngx_http_spdy_module.
Version 3.2.8 (2014-03-12)
--------------------------
### Fixed
Add the "href" values for active breadcrumb menus to the template (see #6796).
### Fixed
The file/page tree widget did not work properly in "edit multiple" mode (#6788).
### Fixed
Preserve the referer ID when clicking the "switch to edit" button (see #6127).
### Fixed
Encode e-mail addresses in the "explanation" form field (see #6771).
### Fixed
Use a placeholder image if no thumbnail can be created (see #6754).
### Fixed
Pass additional arguments to the "replaceInsertTags" hook (see #6672).
### Fixed
Correctly initialize the `Session` class (see #6747).
### Fixed
Do not use `Input::setGet()` in the event modules (see #6733).
### Fixed
Correctly shorten the CSS `background` property (see #6709).
### Fixed
Do not use `UNION SELECT` when searching for parent pages (see #6704).
### Fixed
Disable `zlib.output_compression` when sending files to the browser (see #6717).
### Fixed
Consider the event time in the event list module (see #6719).
### Fixed
Make the newsletter recipient address available in the template (see #5782).
### Fixed
Correctly handle Unicode characters in `Validator::isGooglePlusId` (see #6707).
### Fixed
Fixed the arguments of two `CalendarEventsModel` methods (see #6781).
### Fixed
Pass the "tableless" flag to the "form_message" template (see #6772).
### Fixed
Update the `swipe.js` script so the "continuous" option works (see #6762).
### Fixed
Improve the `Search::removeEntry()` method (see #6785).
### Fixed
Correctly set the cookie path in the front mode in debug mode (see #6723).
### Fixed
Point to `Frontend::addToUrl()` in front end templates (see #6736).
### Fixed
Do not stop the cron job execution after the first interval.
2014-03-09 (2.8.8rel.2)
* correct errata in test-files which cause broken links in break-out directory
in lynx.isc.org server -TD
* amend change from 2.8.8pre.2, to ensure that MinGW libraries already
declaring 'sleep()' will build -TD
* drop unused save/compress rules from makefile.in, because fixing umask for
these is pointless -TD
* modify makefile.in to establish sane umask value in the "install-doc" rule
(report by Rajeev V Pillai) -TD
* build-fix for NetBSD, whose curses library provides use_default_colors(),
but the package turns off the keymap feature (patch by Thomas Klausner).
The underlying issue seems to be a race; if the spawned git log
command finishes before trac kills it, the os.kill() throws an
exception which is not caught. Simply catch and ignore the exception.
I sent the patch to trac-devel@.
* Avoid assertions on Range requests that trigger Squid-generated errors.
* Protect MemBlob::append() against raw-space writes
* Copyright: Relicense helpers by Treehouse Networks Ltd.
* Portability: define CMSG related structures individually
* Fix helper ID number assignment
* Fixed stalled concurrent rock store reads by ensuring their ID uniqueness.
* Bug 3186, Bug 3628: Digest authentication always sending stale=false for nonce
* dynamic_cert_mem_cache_size option related fixes
* Fix umask default on crash report generated email
* Fix pthread library detection on FreeBSD 10
* Bug 4029: intercepted HTTPS requests bypass caching checks
* Bug 4026: SSL and adaptation_access does not handle aborted connections
* Bug 4001: remove use of strsep()
* Move compat/unsafe.h protections from libcompat to source maintenance
* Bug 3969: user credentials cache lookup for Digest authentication broken
* Various fixes to configure for FreeBSD 10
* Regression Bug 3769: client_netmask not evaluated since Comm redesign
*) Bugfix: the "client_max_body_size" directive might not work when
reading a request body using chunked transfer encoding; the bug had
appeared in 1.3.9.
Thanks to Lucas Molas.
*) Bugfix: a segmentation fault might occur in a worker process when
proxying WebSocket connections.
This release fixes a security issue that was introduced with the 0.7.0 release. This issue affected the source-highlighting feature and could only be exploited if the suPHP_PHPPath option was set. In this case, local users who could create or edit .htaccess files could possibly execute arbitrary code with the privileges of the user the webserver was running as.
Changes with mod_fcgid 2.3.9
*) Revert fix for PR 53693, added in 2.3.8 but undocumented. Fix
issues with a minor optimization added in 2.3.8. [Jeff Trawick]
Changes with mod_fcgid 2.3.8
*) SECURITY: CVE-2013-4365 (cve.mitre.org)
Fix possible heap buffer overwrite. Reported and solved by:
[Robert Matthews <rob tigertech.com>]
*) Add experimental cmake-based build system for Windows. [Jeff Trawick]
*) Correctly parse quotation and escaped spaces in FcgidWrapper and the
AAA Authenticator/Authorizer/Access directives' command line argument,
as currently documented. PR 51194 [William Rowe]
*) Honor quoted FcgidCmdOptions arguments (notably for InitialEnv
assignments). PR 51657 [William Rowe]
*) Conform script response parsing with mod_cgid and ensure no response
body is sent when ap_meets_conditions() determines that request
conditions are met. [Chris Darroch]
*) Improve logging in access control hook functions. [Chris Darroch]
*) Avoid making internal sub-requests and processing Location headers
when in FCGI_AUTHORIZER mode, as the auth hook functions already
treat Location headers returned by scripts as an error since
redirections are not meaningful in this mode. [Chris Darroch]
Version 0.6.7
-----------------
Released on February 16, 2014
- Expose app instance in a command commands (manage.app). #83
- Show full help for submanagers if called without arguments. #85
- Fix ShowUrls command conflict. #88
0.9 (2014-02-20)
This release is compatible with webassets 0.9.
flask-assets now supports Python 3, and drops support for Python 2.5.
- Support for Flask-S3 (Erik Taubeneck).
- Support latest Flask-Script (Chris Hacken).
* Use the reference for the mime type to get the format
Fixes: CVE-2014-0082
* Escape format, negative_format and units options of number helpers
Fixes: CVE-2014-0081
*) Bugfix: the $ssl_session_id variable contained full session
serialized instead of just a session id.
Thanks to Ivan Ristić.
*) Bugfix: client connections might be immediately closed if deferred
accept was used; the bug had appeared in 1.3.15.
*) Bugfix: alerts "zero size buf in output" might appear in logs while
proxying; the bug had appeared in 1.3.9.
*) Bugfix: a segmentation fault might occur in a worker process if the
ngx_http_spdy_module was used.
*) Bugfix: proxied WebSocket connections might hang right after
handshake if the select, poll, or /dev/poll methods were used.
*) Bugfix: a timeout might occur while reading client request body in an
SSL connection using chunked transfer encoding.
*) Bugfix: memory leak in nginx/Windows.
Bugfixes
* fixed python3 support on older compilers/libc
* allow starting in spooler-only mode
* fixed cache bitmap support and added test suite (credits: Danila Shtan)
* fixed ftime log var
* added async remote signal management
* fixed end-for and end-if
* fixed loop in internal-routing response chain
* fixed pypy execute_source usage
* logpipe: Don't setsid() twice (credits: INADA Naoki)
New features and improvements
CGI plugin
The plugin has been improved to support streaming.
In addition to this, the long-awaited async support is finally ready. Now you can
have CGI concurrency without spawning a gazillion expensive threads/processes.
Check: Running CGI scripts on uWSGI
PSGI loading improvements
The PSGI loader now tries to use the Plack::Util::load_psgi() function instead of
a simple eval. This addresses various inconsistencies in the environment (like the
double parsing/compilation/execution of psgi scripts).
If the Plack module is not available, a simple do-based code is used (very
similar to load_psgi).
* Added useragent config setting. Closes: #737121
Thanks, Tuomas Jormola
* po: Add html_lang_code and html_lang_dir template variables
for the language code and direction of text.
Thanks, Mesar Hameed
* Allow up to 8 levels of nested directives, rather than previous 3
in directive infinite loop guard.
* git diffurl: Do not escape / in paths to changed files, in order to
interoperate with cgit (gitweb works either way)
Thanks, intrigeri.
* git: Explicitly push master branch, as will be needed by git 2.0's
change to push.default=matching by default.
Thanks, smcv
* Deal with nasty issue with gettext clobbering $@ while printing
error message containing it.
Thanks, smcv
* Cleanup of the openid login widget, including replacing of hotlinked
images from openid providers with embedded, freely licensed artwork.
Thanks, smcv
* Improve templates testing.
Thanks, smcv
* python proxy: Avoid utf-8 related crash.
Thanks, Antoine Beaupré
* Special thanks to Simon McVittie for being the patchmeister for this
release.
Add LICENSE
Upstream changes:
2012-10-25 Mattias Holmlund
Version 1.1
Unlink temporary cachefiles if we fail to give them a proper name
Resolves https://rt.cpan.org/Ticket/Display.html?id=60065
Handle multiple simultaneous cache cleanups
Hopefully resolves https://rt.cpan.org/Public/Bug/Display.html?id=77015
Handle caching of zero-size documents
Resolves https://rt.cpan.org/Public/Bug/Display.html?id=76785
Populate $response->message with the default message for the code
Patch from Graham Barr
Ensure response has access to request when fetching from cache
Patch from Graham Barr.
Handle undefined content from servers.
Add LICENSE
Add missing BUILD_DEPENDS for regress test
Upstream changes:
0.23 2013/11/03
* Added REAL_SERVERS check to t/proxy-with-https.t
- Thanks to Gregor Herrmann, Debian Perl Group, for the patch
0.22 2013/09/12
* Added repository cpan metadata to Makefile.PL
- Thanks to David Steinbrunner for the patch
0.21 2013/08/29
* Updated Changes file to meet CPAN::Changes::Spec
* Fixed unparseable date for version 0.02
0.20 2013/07/18
* Updates Changes file to meet CPAN::Changes::Spec
* Changed and standardized date formats
* Changed name from CHANGES to Changes
* Added author/release test to check this going forward
0.19 2013/07/17
* Added ssl_options support
* Increased Net::HTTPS::NB requirement to 0.13
- Thanks to Heikki Vatiainen for the patch
0.18 2013/05/27
* Fixed typo in POD
- Added THANKS for Florian (fschlich)
0.17 2013/04/20
* Added local_addr and local_port support
* Standardised test names
* Added THANKS for github user c00ler-
0.16 2013/04/04
* Fixed CPAN Testers bug in bad-hosts.t
0.15 2013/04/04
* Two bug fixes provided by Josef Toman:
* Fixed header handling to use header_field_names()
* Replaced _make_url_absolute with URI::new_abs()
0.14 2013/04/01
* More diagnostics in bad-hosts.t on failure
0.13 2013/03/29
* Fixed t/real-servers.t to work whether or not Net::HTTPS::NB is available
0.12 2013/03/29
* New logic for making https requests through a proxy
* Made tests run ok in parallel by using different ports per test
* Set explicit SSL_verify_mode in real-servers.t
* Minor update to code comment about is_proxy mode
0.11 2012/11/13
* Use high ports to prevent test failure when 8080 is already used
* Travis config
0.10 2012/03/08
* added support for https requests - thanks Naveed Massjouni
Upstream changes:
0.16 Sat Aug 10 17:52:00 GMT 2013
- Added link to repository (D. Steinbrunner)
0.15 Mon Oct 1 19:14:05 GMT 2012
- Fix bugs in :contains("string") (Aaron Crane)
Add missing DEPENDS
Upstream changes:
1.00 2013-12-16
- TT template files changed - update them if you use a local copy.
Template file 'label_tag' renamed to 'label_element' - old file can
be deleted. 'field' file changed. New 'errors' file.
- TT no longer listed as a prerequisite. If you use the TT files,
you must add 'Template' to your own app's prereqs.
- Element::reCAPTCHA and Constraint::reCAPTCHA moved out to separate
distribution.
- HTML::FormFu::MultiForm moved out to separate distribution.
- auto_container_class(), auto_label_class(), auto_comment_class(),
auto_container_error_class(), auto_container_per_error_class(),
auto_error_class() no longer have default values.
See "RESTORING LEGACY HTML CLASSES" in HTML::FormFu docs to restore
previous behaviour.
- auto_label_class() no longer adds class to container.
auto_label_class() now adds class to label tag.
new auto_container_label_class() adds class to container.
See "RESTORING LEGACY HTML CLASSES" in HTML::FormFu docs to restore
previous behaviour.
- auto_comment_class() no longer adds class to both container and comment.
auto_comment_class() now only adds class to comment tag.
new auto_container_comment_class() adds class to container.
See "RESTORING LEGACY HTML CLASSES" in HTML::FormFu docs to restore
previous behaviour.
- Bug fix: param_value() form method now matches documented behaviour -
returns undef when field has errors. (Reported by Hailin Hu).
- New Element::Email and Element::URL HTML5 input fields.
- Role::Element::Input has new datalist_options(), datalist_values(),
datalist_id() and auto_datalist_id() methods to support HTML5 datalists.
auto_datalist_id() is an inherited accessor which can be set on the
Form, MultiForm, or Block.
- Form and Elements have new title() attribute short-cut.
- Constraint::Regex has new anchored() accessor.
- New Input attribute accessors: placeholder(), pattern(), autocomplete().
- New Input boolean attribute accessors: autofocus(), multiple(), required().
- New Field inherited accessors: auto_container_per_error_class(),
auto_error_container_class(), auto_error_container_per_error_class(),
error_tag(), error_container_tag
- Constraints have new experimental method fetch_error_message().
- All field elements have new method error_filename().
- default_args() now supports 'Block', 'Field', 'Input' pseudo-elements,
'|' alternatives, and '+' and '-' ancestor modifiers.
- New Czech (cs) I18N translation by Jan Grmela.
- mk_inherited_accessors() now also creates a *_no_inherit() method.
- Experimental new roles() form method.
- form methods start(), end() now respect render_method - no longer
force use of tt templates.
- Bug fix: del_attribute() on empty attribute no longer sets the attribute.
- All attribute accessors generated with mk_attrs() now have *_loc variants.
- Tests now always require Test::Aggregate::Nested.
Re-enable aggregate tests on Win32.
Don't run all tests twice under both aggregate and t/ (doh!)
User-visible changes:
- Client-side bugfixes:
* use CryptoAPI to validate intermediary certificates on Windows (r1564623)
* fix automatic relocate for wcs not at repository root (r1541638 et al)
* diff: fix when target is a drive root on Windows (r1541635)
* wc: improve performance when used with SQLite 3.8 (r1542765)
* copy: fix some scenarios that broke the working copy (r1560690)
* move: fix errors when moving files between an external and the parent
working copy (r1551524, r1551579)
* log: resolve performance regression in certain scenarios (r1553101 et al)
* merge: decrease work to detect differences between 3 files (r1548486)
* checkout: don't require flush support for symlinks on Windows (r1547774)
* commit: don't change file permissions inappropriately (issue 4440)
* commit: fix assertion due to invalid pool lifetime (r1553376 et al)
* version: don't cut off the distribution version on Linux (r1544878 et al)
* flush stdout before exiting to avoid information being lost (r1499470)
* status: fix missing sentinel value on warning codes (r1543145)
* update/switch: improve some WC db queries that may return incorrect
results depending on how SQLite is built (r1567109)
- Server-side bugfixes:
* reduce memory usage during checkout and export (r1564215)
* fsfs: create rep-cache.db with proper permissions (issue 3437)
* mod_dav_svn: prevent crashes with SVNListParentPath on (CVE-2014-0032)
* mod_dav_svn: fix SVNAllowBulkUpdates directive merging (r1548105)
* mod_dav_svn: include requested property changes in reports (r1557522)
* svnserve: correct default cache size in help text (r1563110)
* svnadmin dump: reduce size of dump files with '--deltas' (r1554978)
* resolve integer underflow that resulted in infinite loops (r1567985)
Developer-visible changes:
- General:
* fix occasional failure of check_tests.py 12 (r1496127 et al)
* fix failure with SQLite 3.8.1-3.8.3 when built with
SQLITE_ENABLE_STAT3/4 due to bug in SQLite (r1567286, r1567392)
* specify SQLite defaults that can be changed when SQLite is built
to avoid unexpected behavior with Subversion (r1567064)
- API changes:
* numerous documentation fixes
* svn_client_commit_item3_dup() fix pool lifetime issues (r1550803)
* ra_serf: properly ask multiple certificate validation providers for
acceptance of certificate failures (r1535532)
* release internal fs objects when closing commit editor (r1555499)
* svn_client_proplist4() don't call the callback multiple times for
the same path in order to deliver inherited properties (r1549858 et al)
- Bindings:
* javahl: make test suite run without installing on OS X (r1535115)
* swig: fix building out of tarball on OS X (r1555654)
* swig-pl: fix with --enable-sqlite-compatibility-version (r1559009)
* swig: fix building bindings on OS X when APR has the -no-cpp-precomp
flag in the apr-config --cppflags output. (r1535610)
* swig: fix building from tarball with an out-of-tree build (r1543187)
Change option name fcgi to fastcgi
Upstream changes:
1.54 Jan 19, 2014
[ DISTRIBUTION ]
- Remake with gnutar
1.53 Jan 18, 2014
[ DISTRIBUTION ]
- Attempt to fix corrupted tar
1.52 Oct 9, 2013
[ BUG FIXES ]
- Ignore 'Software caused connection abort' errors. RT #49031. Submitted
by Morten Bjoernsvik.
- Sort hash keys to deal with Perl 5.18+ hash randomization. RT
#88708. Submitted by Zefram.
- Fix 'and' precedence with explicit parens. RT #87050. Submitted by
Alex Vandiver.
- Escape each part of substitution, not their
concatenation. github.com/jonswar/perl-HTML-Mason/pull/1. Submitted
by Ricardo Signes.
[ ENHANCEMENTS ]
- Add use_warnings flag, similar to
use_strict. github.com/jonswar/perl-HTML-Mason/pull/4. Submitted by
Aevar Bjarmason.
1.51 May 8, 2013
[ DISTRIBUTION ]
- Fix hardcoded version
[DOCS]
- Add HTML::Mason::FAQ, from old masonhq.com website
Changes to GoAccess 0.7.1 - Monday, February 17, 2014
* Added ability to get real OS names using --real-os. (Android, Windows, Mac)
* Added ability to log debug messages to a file.
* Added ability to parse tab-separated log format strings.
* Added ability to support terminals without colors.
* Added ability to turn off color output by using --no-color flag.
* Added command line option to append HTTP method to request.
* Added command line option to append HTTP protocol to request.
* Added long options to command-line.
* Added missing Win 9x 4.90 (Windows Me) user-agent.
* Added missing Windows RT user-agent.
* Ensure mouse click does not reset expanded module if it is the same.
* Fixed Amazon CloudFront tab-separated log format.
* Fixed "FreeBSD style" ncursesw built into system.
* Fixed HTML report issue where data cell would not wrap.
* Fixed issue when isatty() could not find a valid file descriptor.
* Fixed SymbianOS user-agent and retrieve its version.
Upstream changes:
4.83 2014-02-19
- Improved Mojo::JSON to handle encoding errors more gracefully.
- Fixed line numbers in Mojo::JSON error messages.
4.82 2014-02-19
- Added decode_json and encode_json functions to Mojo::JSON.
- Added data attribute to Mojo::JSON::Pointer.
- Fixed bug in "user_agent_online.t".
- Fixed small decoding bug in Mojo::JSON.
Upstream changes:
0.043 2014-02-20 20:40:23-05:00 America/New_York
[FIXED]
- Does not send absolute request URI when tunneling SSL via proxy
- Fixes regression in setting host name to verify SSL
- Protects tests from https_proxy and all_proxy when doing mock testing
0.042 2014-02-18 11:23:17EST-0500 America/New_York
[ADDED]
- If IO::Socket::IP 0.25+ is installed, HTTP::Tiny will use it for
transparent IPv4 or IPv6 support.
0.041 2014-02-17 13:07:54-05:00 America/New_York
[no code change, only an amended Changes file]
[INCOMPATIBLE CHANGES (from 0.039)]
- The 'proxy' attribute no longer takes precedence over the
'http_proxy' environment variable. With the addition of http_proxy
and https_proxy attributes (and corresponding environment variable
defaults), the legacy 'proxy' attribute now maps to the
all_proxy/ALL_PROXY environment variable and only takes effect when
other proxy attributes are not defined.
[ADDED (since 0.039)]
- Added 'keep_alive' attribute for single-server persistent connections
(Clinton Gormley)
- Added support for Basic authorization with proxies
- Added support for https proxies via CONNECT
[FIXED (since 0.039)]
- Requests are made with one less write for lower latency (Martin
Evans)
0.040 2014-02-17 13:02:47-05:00 America/New_York
[INCOMPATIBLE CHANGES]
- The 'proxy' attribute no longer takes precedence over the
'http_proxy' environment variable. With the addition of http_proxy
and https_proxy attributes (and corresponding environment variable
defaults), the legacy 'proxy' attribute now maps to the
all_proxy/ALL_PROXY environment variable and only takes effect when
other proxy attributes are not defined.
[ADDED]
- Added support for Basic authorization with proxies
- Added support for https proxies via CONNECT
URIs that contain other URIs. The basic format is:
{prefix}:{uri}
Some examples:
* `jdbc:oracle:scott/tiger@//myhost:1521/myservicename`
* `db:postgres://db.example.com/template1`
* Some syscall definitions in JavaScript are fixed.
Thank you, tho@.
Changelog:
FIXED
27.0.1 - Fixed stability issues with Greasemonkey and other JS that used ClearTimeoutOrInterval
FIXED
27.0.1 - JS math correctness issue (bug 941381)
2014-02-14 (2.8.8rel.1)
2014-02-14 (2.8.8pre.5)
* change quoting for fixup to help_files.sed in 2.8.8dev.17 to work around
bug in cygwin's make/sed programs -TD
* change quality value for application/xhtml+xml mime type added for Debian
#184482, to ensure that it is offered as one of Lynx's internal types on
an "Accept:" line sent to the server (Debian #725178) -TD
* trim unexpected query-parameters from file: URIs when checking for their
presentation and compression types. Not all browsers do this, etc. -TD
* modify forms-submit to trim query-parameters from the action URI if it
happens to be a file-URL. IE and some other browsers do this. The RFCs
do not mention this since forms are an HTTP feature (Debian #738121) -TD
* reviewed command-line options which were not provided in lynx.cfg; added
others which could be useful for dumps (i.e., force_html, hiddenlinks,
listonly, list_inline, localhost, short_url, with_backspaces) -TD:
* add dont_wrap_pre to lynx.cfg (request by GV) -TD
* use idn_free() rather than ordinary free (patch by GV)
* build-fix when alt-bindings are disabled (patch by GV)
* correct sense of --disable-alt-bindings option in configure script (prompted
by report by GV) -TD
2014-02-04 (2.8.8pre.4)
* modify the LOCALE_CHARSET feature to provide a default value for the
ASSUMED_CHARSET feature aka "display-charset" (Debian #737416) -TD
* fix two bugs in print-to-file from 2.8.8dev.10 changes -TD
+ suggested filename suffix for text/html was ".html" rather than ".txt"
+ using ^U to clear the filename to print to did not cancel the prompt
(report by Klaus-Peter Wegge)
* disable EXP_JAPANESEUTF8_SUPPORT if the system has no iconv support -TD
* modify makefiles to perform the src/chrtrans rules from the top-level rather
than via the src-level, solving the issue of "makefile races" -TD
* reviewed minor fixes from OpenBSD CVS for these issues:
- fix makefile races [espie]
- read/write result checking fixes to avoid unsigned comparisons vs -1 [krw]
However, the former is not an improvement; kept only the latter -TD
2014-01-11 (2.8.8pre.3)
* apply analogous changes to tidytls.c interface -TD
* apply openssl patch from openSUSE package for Lynx to modify the SSL options
to omit the SSLv2 and compression features (report by BJP) -TD
* add check for alternate package "libssl" also used with Fedora20 -TD
* fix a check in configure-script for openssl subdirectory in includes. It
happened to work in most cases due to a spurious blank in the pkg-config
file; this was removed recently, e.g., for Fedora20 -TD
* fill-in some dangling links in test-files -TD
* build-fix for --disable-prettysrc (reported by Don Hsi-Yun Yang aka
"omoikane") -TD
* review/improve html helpfiles -TD
* ensure that $(sysconfdir) exists in makefile as dependency of install-help
rule -TD
* update config.guess (2014-01-01), config.sub (2014-01-01)
2013-12-17 (2.8.8pre.2)
* change makefile.msc and lynx-slang.iss to use dll for slang -TD
* change URL for HELPFILE in lynx.cfg, etc., to omit version-specifics -TD
* update example of options menu shown in user-guide -TD
* restore ^Z maxscreen-toggle for Windows, omitted in 2.8.8dev.17 cleanup -TD
* typographical fixes for manpage (Bjarni I. Gislason, Debian #732236).
* allow fallback sleep() function to be used for MinGW -GV
* remove special case in configure.in which added "-lcompat" to $LIBS
for OpenBSD, MirBSD and EkkoBSD (Christian Weisgerber, Thorsten Glaser).
* build-fix for --disable-forms-options -TD
* omit request for admin-access in NullSoft installer, since lynx could be
installed in user's directory -TD
* change Windows default for LYNX_LSS_FILE to not use a directory-path -TD
2013-11-28 (2.8.8pre.1)
2013-11-28 (2.8.8dev.17)
* revise/update counts in README.metrics, using a script replacing a manual
procedure -TD
* amend check for magic header bytes from 2.8.8dev.3 for "deflate" to limit it
to the 3-bit block header described in RFC-1951 -TD
* install the sample-files in the dpkg test-script -TD
* add configure option --with-cfg-path and environment variables LYNX_CFG_PATH
to provide search-list capability for the ".cfg" and ".lss" files -TD
* modify configuration of COLOR_STYLE value in lynx.cfg, allowing multiple
filenames to be specified and providing those as choices in the O'ptions
menu (Debian #404893) -TD
* updates for lynx_help_main.html -TD
* update URLs in about_lynx.html -TD
* add internal URL "LYNXEDITMAP:", which is (like "LYNXKEYMAP:") generated,
making that the primary page for field-editing help -TD
* improve DOSPATH-related logic in HomeEnv(), making this work properly with
Windows Vista and 7. The feature is needed to read Lynx's bookmarks file
from the user's "Personal" shell-folder (report by Manuel Nunez) -TD
* modify samples/*.bat to work when running in a directory whose pathname
contains spaces -TD
* reduce required privileges for installing in lynx.iss -TD
* improve sed expression appended to help_files.sed to fix a case for the
edit-helpfiles which left a ".gz.gz" suffix for compressed filename URLs,
overlooked since 2.8.1pre.3 -TD
* modify logic in lkcstring_to_lkc() to allow named keys, e.g., from curses,
to be used consistently in a KEYMAP directive -TD
* add version-info to LYIcon.rc -TD
* add symbols in Keysym_Strings[] and table in setup_vtXXX_keymap() for
function keys 2-12, to improve keymap-configurability -TD
* change extra-key #define's in LYStrings.h to enum -TD
* cleanup pre-2.7 debris from LYStrings.c and LYStrings.h -TD
* modify tables for key-bindings and edit-bindings to allow them to be reloaded
to their initial values -TD
* add check in get_connection() for ftp-connections to ensure that a password
from a URL is non-empty -TD
* add samples/oldlynx.bat to demonstrate how to use non-color-style -TD
* add NSIS script, to allow building Windows installer via cross-compiling -TD
* fixes to configure script and makefiles to work with empty $prefix, e.g.,
as used in MSYS -TD
* improve configure check for sleep() for cross-compiling to MinGW -TD
* modify configure check for inet_addr() for cross-compiling to MinGW -TD
* add configure check for Win32 flavor of PDCurses when cross-compiling to
MinGW using the "--with-screen=pdcurses" option -TD
* improve color-style simulation of old color scheme by coloring input fields
with color #5 -TD
* correct search logic to match links which are wrapped on the right margin.
Previous fixes to highlight arbitrarily long links overlooked this case
(Debian #546264) -TD
* modify the INFO page, normally bound to "=", to show decoded strings for
URLs, e.g., which use %xy hexadecimal encoding. The decoded strings are
shown on the line following the encoded URLs if the strings are different.
Also if display-charset is UTF-8, modify -dump "References" URLs to show
the corresponding decoded strings for consistency with the text which is
already in UTF-8. Other URLs such as that shown in the status area are
shown in encoded form per previous discussion which recommended doing this
to address phishing attempts (Debian #398274) -TD
* simplify file-URLs shown in reference list of -dump by trimming unnecessary
"localhost", e.g.,
file://localhost/XXX
becomes
file:///XXX
(Debian #334787) -TD
* extend the "Bad HTML" warning feature to -dump option when the -stderr
option is also set (Debian #398304) -TD
* add -list_inline option, which modifies -dump output to put links inline with
the text rather than in a list at the end of the dump (Debian #584080) -TD
* add clarification in manpage regarding -force_html option versus -dump or
-crawl (Debian #254603, Debian #295273) -TD
* improve manpage descriptions of -reload, -get_data and -post_data (Debian
#350853) -TD
* modify manpage synopsis to make it clearer that Lynx accepts more than one
path and/or URL on the command-line. The paragraph explaining this was
added in 2.8.6dev.5 (Debian #350853) -TD
* update COPYHEADER, clarifying license issues -TD
* minor change to Content-Length logic from 2.8.8dev.13 to work with Amazon's
cookies (Debian #720541) -TD
* improve warning message for GNUTLS_CERT_SIGNER_NOT_FOUND (Debian #695653) -TD
* ignore non-fatal return codes from gnutls_handshake introduced by SNI change
in 2.8.8dev.15 (Debian #724812, patch by Hans Wurst).
* updates for configure macros -TD
+ CF_ACVERSION_CHECK, fix from byacc for "newer" autoconf.
+ CF_ADD_LIB_AFTER, fix from xterm for problem with -Wl,xxx options
+ CF_CURSES_LIBS, modify to allow external script to set $cf_term_lib and/or
$cf_curs_lib
+ CF_INTEL_COMPILER, $host_os needs AC_CANONICAL_HOST
+ CF_MIXEDCASE_FILENAMES, add msys / msysdll to known host/platform types
+ CF_RPATH_HACK, use sort and uniq rather than sort -u, to work with HPUX
11.11, etc.
+ CF_TRY_PKG_CONFIG, set variables for consistent usage of this macro
+ CF_XOPEN_SOURCE, add msys / msysdll to known host/platform types
+ CF_X_ATHENA, trim extra X libraries after updating lists, to work with ld
--as-needed option which in effect uses only the first mention of the
library. If that does not follow everything that depends on the library,
ld will silently fail to resolve symbols.
* update config.guess (2013-06-10), config.sub (2013-09-05)
2013-07-29 (2.8.8dev.16)
* build-fix for setmode() definition on Cygwin -TD
* modify HTUtils.h to work around header conflict with Cygwin w32api and
openssl 1.0.1e (prompted by report/patch by Supriyo Biswas) -TD
* protect redefined errno values for Windows port from redefinition warnings
when using MinGW build, since the WSAxxx values are what the configuration
actually uses -TD
* modify <address> tag to treat it like <p> when used within a list -TD
* update fi.po from
http://translationproject.org/latest/lynx
* add on/off toggles to options menu for the color-style and default-colors
features, to help deal with packages which enable default colors without
adjusting the color-style settings to avoid having yellow text on a white
background (report by Stephen Isard) -TD
* add -default-colors command-line option to allow toggling the state of the
DEFAULT_COLORS setting from lynx.cfg -TD
* improve discussion of -dump and -force_html in manpage (Ubuntu #1112568) -TD
* cleanup quoting and use of ASCII "-" versus hyphen in manpage -TD
* add checks for zero-length strings in a few places to prevent infinite loop
when the focus moves to a text-field which is past the right margin due to
improper placement for the nested-tables configuration (report by Rajeev V
Pillai) -TD
* update doctype for html documentation to 4.01 strict -TD
* correct handling of backslash in TrimCommand() function introduced in
2.8.6dev.4, used to process the commands for "test=" in mime-types -TD
* correct 2.8.3dev.13 check for permissible place to split UTF-8 encoded text,
reported by Coverity -TD
* make DONT_TRACK_INTERNAL_LINKS logic configurable via lynx.cfg as
TRACK_INTERNAL_LINKS; the configure script now sets the default value -TD
* fix most issues found by clang 3.2 analyze -TD
* fix most issues found by Coverity scan -TD
2012-11-18 (2.8.8dev.15)
* corrected position of highlighting from search/whereis function when using
multibyte characters (Debian #673385) -TD
* modify default case for HTLoadGopher() to use the file's suffix to obtain
a MIME mapping rather than always storing unknown types to disk (suggested by
Dario Niederman) -TD
* modify ^X-e handling to not limit the result to the form field's length
(report by Keith Bowes) -TD
* modify the Inno Setup files to show lynx's version numbers. Development
and prerelease versions are indicated in the numeric-only versions by
prefixing a "10" or "20" -TD
* ask for filesize when downloading via ftp, to use this in the read-progress
ETA -TD
* fix special case when -dont_wrap_pre option is used, to restore space between
words which was lost when inserting a soft newline used to splice together
segments of a long line (Ubuntu #806749) -TD
* provide more readable ETA message as an option (prompted by patch by Joerg
Hahn) -TD
* add GNUTLS call to enable SNI (Server Name Indication) extension (Ubuntu
#732177) -TD
* correct typo for -bibhost option in manpage (Redhat #854574) -TD
* revise nsl-fork logic for passing addrinfo and hostent data back to eliminate
fixed limit on the number of records to return -TD
* correct problem with loop logic in fill_addrinfo() exposed by multiple
addresses from
http://fbcdn-sphotos-d-a.akamaihd.net
(report/analysis by TG) -TD
* updates for configure script macros (TD):
+ add 3rd parameter to AC_DEFINE's to allow autoheader to run
+ remove unused macros
* update nl.po from
http://translationproject.org/latest/lynx
* improve checking of certificates in the gnutls_certificate_verify_peers2()
by handling special case where self-signed certificates should be reported
(patch by Jamie Strandboge).
* update config.guess (2012-09-25), config.sub (2012-08-18)
2012-08-22 (2.8.8dev.14)
* reset anchor's actual-length calculation at the end of pumpData() to handle
scenario where this is used for internal data movement, i.e., for
decompressing files (report by Owen Leibman, Debian #681214) -TD
* drop two files overlooked in previous commit (TD):
lynx.rsp and WWW/Library/Implementation/HTFWriter.c
2012-08-15 (2.8.8dev.13)
* make nsl-fork work for the DNS lookup using getaddrinfo, i.e., for IPv6
configurations (report by FLWM) -TD
* add U+0218, U+0219, U+021a, and U+021b to 0x53, 0x73, 0x54, and 0x74,
respectively, for Romanian s/t with cedilla in def7_uni.tbl (Ralph Babel)
* modify handling of "set" in -cmd_script option to try both cfg-file and
rc-file settings (prompted by discussion with Andrew Watts) -TD
* update configure script to add --datarootdir option, which changes the
default for man-page from /usr/lib to /usr/share -TD
* modify configure check for sizeof(time_t), sizeof(off_t) to help recover if
it is run in a deficient environment such as busybox -TD
* limit downloaded files by Content-Length if any, to match behavior of IE,
Firefox and some other browsers; this is not addressed in RFC 2616 (Debian
#681214) -TD
For more information, see "Content-Length in the Real World" by Eric Law:
http://blogs.msdn.com/b/ieinternals/archive/2011/03/09/browsers-accommodate-incorrect-http-content-length-and-sites-depressingly-depend-on-it.aspx
* fix an unbounded loop in restrictions_fun() which could cause a core dump
(Debian #616107) -TD
* add LDFLAGS to top-level makefile.in, for consistency with other recursive
options (suggested by Naomasa Maruyama) -TD
* modify makefile.in and src/makefile.in to pass make-flags, e.g., "-n" for
POSIX make -TD
* updated configure macros (TD):
+ add check for clang warning options
+ check for tinfo library, which may be present
+ omit -Wpointer-arith check for pre-3.0 gcc
+ add check for 'make' programs ${MAKEFLAGS} versus ${MFLAGS}, for recursive
operation.
* updated list for "$(TABLES)" in src/makefile.in so that parallel builds work
properly (patch by Diego Elio Petteno)
* remove extra "$(LDFLAGS)" from src/makefile.in when linking lynx (patch by
Josef Sontgen)
* correct formatting of large file-sizes in directory listing (Debian
#666213) -TD
* improve checking of certificates in the gnutls_certificate_verify_peers2()
(report by Martin Georgiev) -TD
* update de.po eo.po sv.po vi.po from
http://translationproject.org/latest/lynx
* use PDCurses "wide" variation in makefile.msc -TD
* modified quoting for parameter values passed to blat mailer to ensure that
it handles embedded blanks (report by pfourier) -TD
* fix regression introduced by changes for Debian #603648 -TD
* modify makew32.bat and makefile.bcb to use GnuWin32 packages to simplify
builds with Borland 5.51 C++ compiler (prompted by discussion with
pfourier) -TD
* add configure check for windres needed for mingw build if cross-compiling -TD
2012-02-22 (2.8.8dev.12)
* treat charsets ISO-8859-8-E and ISO-8859-8-I as aliases of ISO-8859-8
(Owen Leibman)
* amend the dev.10 change to HTLoadDocument(), which broke caching of forms,
to limit it to just the case where the user has pressed ^R, etc (report by
TG) -TD
2012-02-19 (2.8.8dev.11)
* correct help-message for -html5_charset option -Kihara Hideto
* correct a typo in strtol change from dev.10 which caused hexadecimal numeric
entities to be misrendered -TG
* update eo.po, et.po and tr.po from
http://translationproject.org/latest/lynx
* correct dll name for bzip2 in lynx.iss package script -TD
2012-02-12 (2.8.8dev.10)
* updated po/lynx.pot; there are a few new messages -TD
* add "submit" and "reset" commands (Debian #603645) -TD
* add "pwd" command, to show current working directory in the statusline -TD
* modify check in HText_endForm() when a form contains only a single input
field, to allow a return in any text-like field other than textarea to cause
the form to be submitted (Debian #603648) -TD
* add bzlib to win32 makefile.msc -TD
* define WIN32_LEAN_AND_MEAN in makefile.msc to accommodate naming conflict
in recent Win32 SDKs, which otherwise include winsock.h in windows.h -TD
* fixes for the dev.9 Win32 feature to toggle between normal/fullscreen,
by checking the actual screensize after maximizing the display -TD
* use ASCII apostrophe for 7-bit approximation to U+02bd as well -TD
* use ASCII apostrophe 0x27 for 7-bit approximation to Unicode apostrophe
U+02bc (suggested by Ralph Babel)
* update LYLeaks.c / LYLeaks.h to include the bstring allocation, copy and free
functions -TD
* several fixes for the -find-leaks option, e.g., include LYLeaks.h in a few
modules, modify the StrAllocVsprintf function to update the bookkeeping,
etc -TD
* move call to LYCanWriteFile into LYValidateOutput, to make prompts for
download, print and upload more alike -TD
* correct an old bug in send_file_to_file(), used when printing a page to a
file, which prevented its check for appending to an existing file -TD
* modify LYValidateFilename to use LYTildeExpand -TD
* modify LYConvertToURL to use LYTildeExpand for Unix, and further modify
LYTildeExpand to lookup given user's home directory, thereby making commands
such as "g ~root/tmp" work as expected -TD
* replaced most LYgetStr calls with LYgetBString, except for LYMail.c and
LYNews.c since those do use LYgetStr's limits as it was designed. Other
calls generally did not need those limits -TD
* modify finish_ExtEditForm to eliminate wrapping when an edited line is longer
than MAX_LINE. The user is still offered the choice of wrapping to the
displayed size of a TEXTAREA, but if declined, the TEXTAREA's content will
not be wrapped -TD
* modify LYgetstr, making it call revised function LYgetBString which handles
bstring's, and allows editing fields which can grow without fixed buffer
limits. In particular, forms all use the same calls, which means that
their result is no longer limited by MAX_LINE -TD
* extend ^X-e editing of textarea's to include single-line fields -TD
* modify comparison for splitting lines to allow for long preformatted lines,
e.g., using &nbsp;'s to not wrap when the line-wrap mode is disabled -TD
* modify cfg2html.pl to handle options which contain a digit, e.g.,
HTML5_CHARSETS whose default value was not marked properly -TD
* modify HTLoadDocument() to not retain a cached document if user is explicitly
doing a refresh. This fixes the case for a #fragment url, which was
otherwise treated as the same as the address without the #fragment -TD
* clarify version of GPL used in README (request by Paul Menzel) -TD
* modify HTLoad() to discard charset information before reloading a document,
in case the server changes the content-type information between loads
(report by Stanislav Brabec) -TD
* use tidy to indent html documentation -TD
* provide a way to substitute parameters in URLs for jumpfiles (adapted from
patch by Mark Skilbeck) -TD
* ensure that button/input tags have a value for display, in case the tag is
improperly terminated (report by Aki Helin) -TD
* work around glibc bug in sscanf in SGML_character() using strtol() (report by
Aki Helin) -TD
* add check for charset attribute on meta element -Kihara Hideto
* eliminate ON/OFF macros, using TRUE/FALSE both to work around breakage from
zlib 1.2.5.1 changes as well as because they were unnecessary (GenToo
#383113) -Nikos Chantziaras, TD
* updated several configure script macros (TD):
CF_ANSI_CC_CHECK, CF_CURSES_LIBS, CF_LD_RPATH_OPT, CF_NETLIBS,
CF_XOPEN_SOURCE, CF_X_ATHENA_LIBS
2011-06-12 (2.8.8dev.9)
* modify cfg2html to add ".url" directive for referencing RFC's etc -TD
* document blat/blatj usage in lynx.cfg -TD
* add/use WriteStreamTitle(), to provide doctype for cookie-jar page, used to
help validate the page -TD
* improve readability of cookie-jar page by showing the unescaped cookie
values, other minor formatting changes -TD
* modify cookie domain-matching to accommodate RFC 6265, which states that a
leading dot on a domain attribute should be discarded (report by Sebastien
Hinderer) -TD
* integrate most of the changes from patch in 2.8.6rel.4 package at
http://en.sourceforge.jp/project/lynx-win32-pata -TH, TD
+ provide toggle between normal/fullscreen
+ ifdef'd changes for FEP.
+ correct a message translation in ja.po
+ modify Xsystem.c to not use MinGW's system() call.
+ add three items to lynx.cfg
conv_jisx0201kana
message_language
wait_viewer_termination
+ replace ifdef's for CONV_JISX0201KANA_JISX0208KANA with configuration
variable conv_jisx0201kana
+ modify makefile.bcb and lynx.rsp to use openssl and intl libraries.
+ add feature ifdef'd with USE_PROGRAM_DIR which adds fallback definitions
for pathnames to use the directory of lynx.exe
+ add check for unsafe filenames in DOS/Windows, e.g., those that correspond
to a device.
* update command-line syntax for the blat mailer, to work with blat 2.6.2 -TD
* change default in makelynx.bat to assume blat rather than blatj, because
the latter does not provide a way to authenticate user/password on a mail
server -TD
* change #define's for addrlist-page and alt-bindings to reflect their
non-experimental status -TD
* change default for --enable-addrlist-page configure option to enabled -TD
* modify blat/blatj configuration so that support for both is compiled-in
for DOSPATH configurations. Add "-altblat" option to select blat vs blatj.
Define USE_ALT_BLAT_MAILER to specify which is the default (prompted by
report by LarryL) -TD
* correct an interaction between LYCloseOutput() and LYRemoveTemp() as used in
send_file_to_mail(), to allow a temporary file to be closed and used by
external program before removing it -TD
* modify lkcstring_to_lkc() to accept hex/octal values, allowing those in the
KEYMAP configuration as suggested by the commented lines in lynx.cfg (report
by Richie Wood) -TD
* build-fix for DEC C 5.x with _DECC_V4_SOURCE defined, i.e., missing
declaration of "off_t" (report/analysis by Rod Reiger) -TD
* build-fixes for Alpha VMS V8.3 with C V7.1-015, based on lynx 2.8.7
development snapshot (report/analysis by Scott Harrod) -TD
* improve scripts/tbl2html.pl, to handle translation of octal escapes in the
approximation comments -TD
* amend implementation of "readonly" attribute from 2.8.7dev.10 to distinguish
it from "disabled" (report by David Paschal) -TD
* amend change to cookie prefix matching from Debian #460108. The discussion
overlooked this definition from RFC 2109:
Path Defaults to the path of the request URL that generated the
Set-Cookie response, up to, but not including, the
right-most /.
In that context, lynx was correct to extract the default "path" attribute
of
http://jukebox/cgi-bin/disorder
as
/cgi-bin
rather than
/cgi-bin/disorder
as asserted in the report. However, lynx warned unnecessarily (according to
the bug report) about the given path attribute. Deciding whether to suppress
this warning is under control of the user via the lynx.cfg setting
COOKIE_QUERY_INVALID_DOMAINS since 2.8.2dev.16 (report by Owen Leibman) -TD
* add eo.po (Esperanto) from
http://translationproject.org/latest/lynx
* modify format of ADVANCED_COOKIE_CONFIRMATION message in nl.po per guideline
to allow localized single-letter responses to prompt (report by Jurgen
Gaeremy) -TD
* add configure check for <bsd/random.h>, used in Debian package -TD
* modify src/tidy_tls.c to use gnutls_priority_set_direct() in preference to
various access functions, to eliminate deprecation warnings (report by
Andreas Metzler) -TD
* updated several configure script macros (TD):
CF_CURSES_CPPFLAGS, CF_CURSES_FUNCS, CF_CURSES_HEADER, CF_CURSES_LIBS,
CF_CURSES_TERM_H, CF_DISABLE_RPATH_HACK, CF_PDCURSES_X11, CF_PKG_CONFIG,
CF_RPATH_HACK, CF_STRUCT_TERMIOS, CF_XOPEN_CURSES, CF_XOPEN_SOURCE,
CF_X_ATHENA_LIBS
* update config.guess (2011-01-01), config.sub (2011-04-01)
2011-01-10 (2.8.8dev.8)
* correct sense of menu-name parameter in add_item_to_list() from dev.7
changes (report by Larry Hart) -TD
* remove duplicate copy of CF_TRY_PKG_CONFIG added to aclocal.m4 in 2.8.8dev.4,
which caused autoconf-2.13 to emit weird error messages about undefined
symbols (report by TG) -TD
2010-12-11 (2.8.8dev.7)
* add PERSONAL_MAIL_NAME to options menu and .lynxrc (Debian #603647) -TD
* remind user how to cancel message (Debian #292787) -TD
* add HTML5_CHARSETS feature, which allows the user to choose whether to
interpret pages without an explicit charset according to the HTML5
"compatibility" feature (Debian #604466, Debian #514897) -TD
* add EXTERNAL_MENU feature to lynx.cfg, which allows the user to customize the
menu-entry shown, e.g., to suppress the display of the URL
(Debian #603646) -TD
* cleanup URLs in lynx documentation -DK
* add check in getfile() when handling a "mailto:" url, to prevent it when the
user has requested a dump (Debian #563308) -TD
* improve configure check for IDNA library, which may depend upon intllib,
e.g., building with mingw on cygwin -DK
* modify autoconf macros which look for X libraries, e.g., for PDCurses, to
accommodate ongoing changes in xorg package scripts -TD
* reorganize autoconf macro CF_WITH_CURSES_DIR, to make it usable for both
curses and ncurses -TD
* several changes to autoconf macros to lessen use of legacy shell feature
"${name-value}" in favor of "${name:-value}", since the former is broken in
recent versions of bash -TD
* apply overlooked patch from pre-2.8.5, makes RMDIR_PATH configurable
(report/patch by Frank Heckenbach).
* correct one of the places where link-number is formatted, for form input
anchors. This was broken in dev.6 by the -unique_urls changes (report by
DK) -TD
* undo a cleanup change to link-types from dev.6 which broke some uses of
input-anchors (report by FLWM) -TD
* minor formatting improvements to sources using cindent 2.0-20101107 -TD
* restore \r to \n conversion in HTML_put_character(), broken in gcc warning
cleanup (report by FLWM) -TD
* fix a double-free in make_argv() (report by FLWM) -TD
* add a memset in RestoreSession(), fixes uninitialized memory reference for
the VLINK section -PBM
* update config.guess (2010-09-24), config.sub (2010-09-11)
2010-10-04 (2.8.8dev.6)
* amend change for Debian #514897 to exclude XML documents (Debian #592883) -TD
* use HTParsePort() in a few places, e.g., HTFinger.c, to allow for IPv6
addresses with colons (Debian #587330) -TD
* modify option -dump so it is parsed in the first pass, using that to suppress
requirement for lss file if lynx is used only to dump output -TD
* add option -unique-urls (Debian #586762) -TD
* fix most gcc type-conversion warnings -TD
* add configure check for ctags/etags programs, needed for some BSD ports -TD
* add configure --with-textdomain option to allow overriding the "lynx"
NLS textdomain, to help ensure that Lynx's build-script does not conflict
with alternative packages -TD
* use AC_ARG_PROGRAM in configure script, to support --program-suffix, etc.,
to help with packaging -TD
* add Debian build script, for testing (adapted from lynx-cur package) -TD
* add RPM build script, for testing -TD
2010-08-25 (2.8.8dev.5)
* modify convert_to_idna() to check for malformed urls (Debian #594300 reports
this as CVE-2010-2810) -TD
* correct typo in po/makefile.inn from removal of mkdirs.sh in dev.4 (Debian
#592078) -TD
* correct a sign-extension error in UpdateBoundary(), used for MIME boundary
computation, broken in dev.4 compiler-warning fixes -TD
2010-06-21 (2.8.8dev.4)
* check for SSL error when reading response from "GET". This incidentally
exposes a longstanding bug in GNUTLS:
https://savannah.gnu.org/support/index.php?106987
(google the message "A TLS packet with unexpected length was received")
which prevents connection to
https://www.mynortonaccount.com/amsweb/default.do
(report by Ignac Vucko) -TD
* fix ifdef/define's in LYMain.c to show GNUTLS version in user-agent when
built with tidy_tls.c -TD
* improve format of X509_NAME_oneline() in tidy_tls.c, making it compatible
with the OpenSSL function so that no post-processing is needed -TD
* correct typo in configure --enable-gnutls-compat option, which sometimes made
it enabled as a side-effect of setting --with-gnutls -TD
* add configure option --enable-wais, for test-compiles with freeWAIS -TD
* fixes to build with VMS -Christoph J Gartmann
+ created [.src]multinet_ucx.opt with a single line
multinet_root:[multinet.library]ucx$ipc/LIBRARY
+ modified build.com to have an additional option "Multinet with
UCX emulation"
+ modified libmake.com for the same reason
+ modified [.www.library.implementation]www_tcp.h for the same reason
+ provide definition of IS_CJK_TTY for HTWAIS.c by adding include of
LYStrings.h
* fix typo in user's guide -PBM
* drop mkdirs.sh and MKINSTALLDIRS symbol from makefiles, using "mkdir -p" -TD
* limit parsed URIs with new config parameter MAX_URI_SIZE, default 8192
(RedHat #605286, forwarded by Vincent Danen). For arbitrarily long URIs,
alloca() could run out of stack space -TD
* several changes to configure script, from ongoing work on xterm, etc -TD
+ workaround for broken ".pc" file for X Toolkit, which omits the ICE
library.
+ modify CF_NCURSES_CONFIG to use CF_CURSES_HEADER to pick out the particular
flavor of ncurses.h, e.g., <ncursesw/curses.h>
+ add parameter to CF_CURSES_HEADER to allow looking for specific
subdirectory ncurses/ncursesw/etc
+ restructured CF_X_ATHENA to use pkg-config, if available.
+ use CF_ADD_LIB/CF_ADD_LIBS
+ CF_GNUTLS eliminates duplicate libraries when configuring with pkg-config
+ modified several macros to quote params of ifelse()
+ CF_AR_FLAGS allows $ARFLAGS to override the choice of ar-flags, in
particular check if a given choice is part of the current $ARFLAGS
+ workaround CF_XOPEN_CURSES for (temporary) problem with ncurses headers,
which did not account for the fact that _XOPEN_SOURCE_EXTENDED may be
defined in a system header.
* remove redundant updates for CFLAGS and LIBS in configure script which are
now done in CF_FIND_LINKAGE macro -TD
* fix a problem with configure script which broke "--with-gnutls=/usr" (report
by Atsuhito Kohda) -TD
* resolve warnings from "clang --analyze", tested with Fedora 12 and clang
2.6-0.5.pre1.fc12, 2.7-1.fc12 -TD
* further improvements to print_wwwfile_to_fd() -TD
+ corrected length used for radio/checkboxes.
+ fill in wrapped fields.
2010-04-25 (2.8.8dev.3)
* modify print_wwwfile_to_fd() to add field values to the printed form (Debian
#574940) -TD
* add check for magic (header bytes) before trying to decompress, since zlib
does not provide this check (Redhat #503921) -TD
* add workaround in CF_SSL configure macro for broken openssl pkg-config script
on Redhat, CentOS -TD
* add configure option --disable-rpath-hack -TD
* allow IPv6 addresses without "http://" prefix (Redhat #425879, patch by Kamil
Dudka)
* build-fixes for OpenSolaris aka Solaris 11 -TD
* add/use CF_RPATH_HACK, for constructing rpath references to libraries in
nonstandard locations -TD
* improve configure macros CF_CURSES_TERM_H and CF_FIND_LINKAGE -TD
* add synopsis entries for -get_data and -post_data options to lynx.man
(report by Dallas E. Legan II) -TD
* fix a possible conflict between CF_HEADER_PATH and CF_LIBRARY_PATH by setting
their respective target variables, not appending -TD
* improve configure macro CF_XOPEN_SOURCE by removing rather than undefining
preexisting symbols as they are added to the definitions -TD
* add configure check for -lnetwork, from tin -TD
* when renaming/copying a bookmark file, e.g., to delete a bookmark, modify
its permissions for compatibility with IsOurFile() (Redhat #486070) -TD
* fix most gcc writable-strings warnings -TD
* update config.guess (2009-12-30), config.sub (2009-12-31)
2009-11-25 (2.8.8dev.2)
* modify trimming of URI in LYSetCookie() to eliminate trimming of final leaf
(Debian #460108) -TD
* document the various xxx_PATH settings in lynx.cfg -TD
* modify cfg2html.pl to improve formatting of cattoc.html -TD
* split-up top-level makefile install-html rule to allow generating the
htmlized cfg without doing an install -TD
* suppress positioning for editor when using it to edit files via dired -TD
* modify samples/lynx-demo.cfg to suppress external file-utilities, since the
intent is to make the installer work standalone, but allow extension -TD
* add traces for builtin dired operations -TD
* modify built-in "touch" for dired to use binary mode when opening file -TD
* remove check from 2.8.5dev.11 which prevents user from moving a directory in
dired unless the external program "mv" is provided -TD
* regularize use of isEmpty(), non_empty() -BL
* match built-in "positionable" editor names more liberally -BL
* promote some experimental options to normal, tidy up related EXP_xxx vs
USE_xxx symbols -TD
EXP_ASCII_CTYPES is now USE_ASCII_CTYPES
EXP_JUSTIFY_ELTS is now USE_JUSTIFY_ELTS
EXP_CHARSET_CHOICE is now USE_CHARSET_CHOICE
The scrollbar, progressbar, sessions and session-cache options are now
enabled by default.
* modify scanning in HTRules.c to only trim comments where '#' is either at
the beginning of a line, or follows whitespace (patch by Kihara Hideto).
* correct a place where LYStrExtent2 was used where byte-count is needed
(patch by Bake Timmons).
* modify LYExecv() in LYLocal.c to allow win32 applications to use this
function -TD
* modify ok_stat() in LYLocal.c to retry with "." appended when the path syntax
indicates that it is probably a directory name -TD
* fix an old typo in configure macro CF_CHECK_FUNCDECL -TD
* change library dependency for gnutls from crypt to gcrypt, originally in
2.8.5dev.15 (Debian #555579) -TD
* update de.po from
http://translationproject.org/latest/lynx
* fix some tidy- and linklint-warnings in help-files -TD
* amend change from 2.8.7dev.14 to not use clrscr() function in stop_curses()
if using PDCurses, since clrscr() is not in the win32 api -TD
* modify configure script to check if linkage for bzlib and zlib succeeded,
before defining symbol which makes the compiler use these libraries -TD
* update lynx_help_main.html to point to "release/lynx2-8-7" documentation -TD
2009-08-28 (2.8.8dev.1)
* add <sys/types.h> include in socklen_t configure check (from OpenBSD CVS)
* eliminate UCPutUtf8ToBuffer() - redundant -TD
* use memset's to simplify some initialization in HTML.c, extending a change
made in 2.8.7dev.10 (prompted by issue in OpenBSD) -TD
* add optional support for IDNA using GNU libidn (Debian #352596) -TD
* ignore LEFT-TO-RIGHT-MARK (U+200E) in HTML files (Debian #408835) -TD
* correct check for return-value from gnutls_certificate_verify_peers2(), which
in conjunction with unclean internals of gnutls caused some sites to
be treated as if they were version-1 X.509 CAs (Debian #231609,
Ubuntu 293708) -TD
* revise dired-mode's modify_tagged() function, correcting and extending the
source-paths to validate against the target path. Before, lynx's current
working directory was used to validate against target path, i.e., when moving
all tagged files to a new location. Lynx's check to ensure that
source/target paths are distinct prevented users from moving tagged files to
the current directory (report by Jasper) -TD
* change compiled-in default for SYSLOG_REQUESTED_URLS to false (prompted by
Debian #537907) -TD
* adjust ifdef in change_sug_filename() so that paths containing square
brackets are trimmed on VMS only (report by Gaute Strokkenes) -TD
* amend change to ifdef in LYMain.c (from 2.8.7dev.14), since it prevents build
on NetBSD, whose libintl.h does not include locale.h (report by Thomas
Klausner) -TD
* modify configure macro CF_GCC_ATTRIBUTES to make it more self-contained -TD
* improve configure check for _XOPEN_SOURCE for HPUX 11 to ensure mbstate_t is
declared -TD
* update config.guess (2009-08-19), config.sub (2009-08-19)
*) mod_dav: dav_resource->uri treated as unencoded. This was an
unnecessary ABI change introduced in 2.2.25.
*) mod_dav: Do not validate locks against parent collection of COPY
source URI.
*) mod_ssl: Check SNI hostname against Host header case-insensitively.
*) mod_ssl: enable support for ECC keys and ECDH ciphers. Tested against
OpenSSL 1.0.0b3.
*) mod_ssl: Change default for SSLCompression to off, as compression
causes security issues in most setups. (The so-called "CRIME" attack).
*) mod_ssl: Fix compilation error when OpenSSL does not contain
support for SSLv2. Problem was introduced in 2.2.25.
*) mod_dav: Fix double encoding of URIs in XML and Location header (caused
by unintentional ABI change in 2.2.25).
* Support for Python 3.3
* Simpler, faster and up-to-date with latest Python code for creating/maintaining interpreter and thread state.
* A much faster WSGI implementation (start_response now implemented in C)
(http://uwsgi-docs.readthedocs.org/en/latest/Changelog-2.0.1.html?highlight=changelog)
Bugfixes and improvements
* due to a wrong prototype declaration, building uWSGI without SSL resulted in
a compilation bug. The issue has been fixed.
* a race condition preventing usage of a massive number of threads in the PyPy
plugin has been fixed
* check for heartbeat status only if heartbeat subsystem has been enabled
* improved heartbeat code to support various corner cases
* improved psgi.input to support offset in read()
* fixed (and simplified) perl stacktrace usage
* fixed sni secured subscription
* CGI plugin does not require anymore that Status header is the first one
(Andjelko Horvat)
* fixed CPython mule_msg_get timeout parsing
* allows embedding of config files via absolute paths
* fixed symcall rpc
* fixed a memory leak in CPython spooler api (xiaost)
* The -no-orphans hardening has been brought back (currently Linux-only)
* improved dotsplit router mode to reduce DOS risk
* sub-Emperor are now loyal by default
* fixed non-shared ruby 1.8.7 support
* fixed harakiri CPython tracebacker
* request vars are now correctly exposed by the stats server
* support log-master for logfile-chown
* improved legion reload
* fixed tuntap netmask
* fixed busyness plugin without metrics subsystem
New features
* uWSGI 2.0 is an LTS branch, so do not expect too many new features. 2.0.1 is
the first maintenance release, so you still get a bunch of them (mainly
features not complete in 2.0)
* Perl native Spooler support
* -alarm-backlog
* -close-on-exec2
* simple notifications subsystem
* pid namespace for daemons (Linux only)
* Resubscriptions
* filesystem monitor api
* support for yajl 1.0
* for-readline
* %i and %j magic vars
* -inject-before and -inject-after
* -http-server-name-as-http-host
* better Emperor's Ragnarok (shutdown procedure)
* PyPy paste support
htmlcxx is a simple non-validating CSS1 and HTML parser for C++.
Although there are several other HTML parsers available, htmlcxx
has some characteristics that make it unique:
* STL like navigation of DOM tree, using the excellent tree.hh library
from Kasper Peeters
* It is possible to reproduce exactly, character by character, the
original document from the parse tree
* Bundled css parser
* Optional parsing of attributes
* C++ code that looks like C++ (not so true anymore)
* Offsets of tags/elements in the original document are stored in
the nodes of the DOM tree
The parsing policies of htmlcxx were created trying to mimic Mozilla
Firefox behavior. So you should expect parse trees similar to those
created by Firefox. However, differently from Firefox, htmlcxx does
not insert non-existent stuff in your html. Therefore, serializing
the DOM tree gives exactly the same bytes contained in the original
HTML document.
Upstream changes:
4.81 2014-02-15
- Added direct array access for child nodes to Mojo::DOM.
- Improved Mojolicious::Routes::Pattern to normalize more route variations.
- Improved routes command to show which routes are using certain features
with flags.
4.80 2014-02-13
- Merged Mojo::DOM::Node into Mojo::DOM.
- Added next_sibling and previous_sibling methods to Mojo::DOM.
- Added last method to Mojo::Collection.
- Improved many methods in Mojo::DOM to work with all node types.
- Improved Mojo::DOM::HTML to handle slashes between attributes more
gracefully.
- Fixed list parsing bug in Mojo::DOM::HTML.
4.79 2014-02-11
- Improved not found page to show request information and the exact path
used for route matching.
4.78 2014-02-08
- Deprecated Mojo::Util::get_line.
- Fixed ";" handling in Mojo::Parameters to be compliant with the HTML
Living Standard.
- Fixed case sensitivity bug in Mojolicious::Types.
4.77 2014-02-06
- Deprecated Mojo::DOM::text_after and Mojo::DOM::text_before in favor of
Mojo::DOM::contents.
- Deprecated Mojo::DOM::content_xml and Mojo::DOM::replace_content in favor
of Mojo::DOM::content.
- Deprecated Mojo::DOM::to_xml in favor of Mojo::DOM::to_string.
- Added wrap_content method to Mojo::DOM.
- Added tablify function to Mojo::Util.
- Improved wrap method in Mojo::DOM to allow wrapping of the root node.
Version 3.2.7 (2014-02-13)
--------------------------
### Fixed
Fix another weakness in the `Input` class and further harden the `deserialize()`
function. Thanks to Martin Auswöger for his input.
Version 2.11.16 (2014-02-13)
----------------------------
### Fixed
Fix another weakness in the `Input` class and further harden the `deserialize()`
function. Thanks to Martin Auswöger for his input.
Changes:
Addressed 31 bugs in 3.8, including various fixes and improvements for the new
dashboard design and new themes admin screen.
More info at http://codex.wordpress.org/Version_3.8.1
- Django 1.6 compatibility
- Using bulk_create to speed up revision creation.
- Including docs in source distribution
- Spanish translation
- Fixing edge-case bugs in revision middleware
* A couple of issues with Django 1.6 have been fixed (including bad error handling and a loaddata incompatibility)
* Migrations now import datetime from a special South module which provides the correct tz-aware or tz-naive version.
* A couple of issues fixed, including double-indexing errors, and correct persistence of non-unique indexes across ALTERs.
* The new localflavor fields are automatically accepted by the introspector.
Prevented the base geometry object of a prepared geometry from being garbage collected, which could lead to crashing Django.
Fixed a crash when executing the changepassword command when the user object representation contained non-ASCII characters.
The collectstatic command will raise an error rather than default to using the current working directory if STATIC_ROOT is not set. Combined with the --clear option, the previous behavior could wipe anything below the current working directory.
Fixed mail encoding on Python 3.3.3+.
Fixed an issue where when settings.DATABASES['default']['AUTOCOMMIT'] = False, the connection wasn’t in autocommit mode but Django pretended it was.
Fixed a regression in multiple-table inheritance exclude() queries.
Added missing items to django.utils.timezone.__all__.
Fixed a field misalignment issue with select_related() and model inheritance.
Fixed join promotion for negated AND conditions.
Oracle database introspection now works with boolean and float fields.
Fixed an issue where lazy objects weren’t actually marked as safe when passed through mark_safe() and could end up being double-escaped.
Upstream changes:
0.039 2013-11-27 19:48:29 America/New_York
[FIXED]
- Temporary file created during mirror() is now opened with O_EXCL
for added security
Changelog:
NEW
You can now run more than one service at a time with Firefox SocialAPI, allowing you to receive notifications, chat and more from multiple integrated services
CHANGED
Enabled TLS 1.1 (RFC 4346) and TLS 1.2 (RFC 5246) by default
CHANGED
Added support for SPDY 3.1 protocol
DEVELOPER
Ability to reset style sheets using 'all:unset'
DEVELOPER
You can now choose to deobfuscate javascript in the debugger (see 762761)
DEVELOPER
Added support for scrolled fieldsets (see 261037)
DEVELOPER
Implemented allow-popups directive for iframe sandbox, enabling increased security (see 766282)
DEVELOPER
CSS cursor keywords -moz-grab and -moz-grabbing have been unprefixed (see 880672)
DEVELOPER
Added support for ES6 generators in SpiderMonkey (see blog post)
DEVELOPER
Implemented support for mathematical function Math.hypot() in ES6 (see 896264)
HTML5
Dashed line support on Canvas (see 768067)
FIXED
Get Azure/Skia content rendering working on Linux (see 740200)
FIXED
27.0: Security fixes can be found here
Fixed in Firefox 27
MFSA 2014-13 Inconsistent JavaScript handling of access to Window objects
MFSA 2014-12 NSS ticket handling issues
MFSA 2014-11 Crash when using web workers with asm.js
MFSA 2014-10 Firefox default start page UI content invokable by script
MFSA 2014-09 Cross-origin information leak through web workers
MFSA 2014-08 Use-after-free with imgRequestProxy and image processing
MFSA 2014-07 XSLT stylesheets treated as styles in Content Security Policy
MFSA 2014-06 Profile path leaks to Android system log
MFSA 2014-05 Information disclosure with *FromPoint on iframes
MFSA 2014-04 Incorrect use of discarded images by RasterImage
MFSA 2014-03 UI selection timeout missing on download prompts
MFSA 2014-02 Clone protected content with XBL scopes
MFSA 2014-01 Miscellaneous memory safety hazards (rv:27.0 / rv:24.3)
it will concat to next line "SPECIAL_PERMS", then it results in creating unwanted
directory and lets "pinger" install into wrong directory, and permission is not
set correctly.
Bump PKGREVISION.
0.620 (12.18.2013) - John Siracusa <siracusa@gmail.com>
* Eliminate a perl 5.19 "precedence issue with control flow operator"
warning.
0.619 (07.24.2013) - John Siracusa <siracusa@gmail.com>
* Fixed incorrect return statements (RT 87253) (Patch by Reini Urban)
This engine is designed to run as a standalone Catalyst server,
without requiring the use of another web server. Its goals are
high-performance, HTTP/1.1 compliance, and robustness. It is also
suitable for use as a faster development server with support for
automatic restarting.
This module parses HTTP headers using a C++ state machine. (Hence
this being an XS module.) The goal is to be fast, not necessarily
to do everything you could ever want.
Headers are not static, you can parse them, munge them, or even
build them using this module. See the SYNOPSIS for more information
on how to use this module.
0.1505 2013-06-10
* Fix RT#82944 - test fails on perl >= 5.17.3
* Return undef if there isn't a user. This will cause an exception
but a more helpful exception (probably from DBIC) than the inability
to call a method in this code.
0.1504 2012-10-05
* Make use_userdata_from_session use inflate_result since this is
already-stored data, not a "new" object being created
Upstream changelog:
Tomcat 6.0.39 (markt)
Catalina
fix 55166: Fix regression that broke XML validation when
running on some Java 5 JVMs. (kkolinko)
Coyote
fix Make the HTTP NIO connector tolerant of whitespace
in the individual values used for the ciphers attribute.
(markt)
fix Remove dependency introduced on the jsp-api.jar as
part of the XML validation changes introduced in 6.0.38.
(markt)
Jasper
fix Correct several errors in jspxml Schema and DTD. (kkolinko)
Cluster
code Remove an empty TestTwoPhaseCommit test from Tribes. (kkolinko)
Web applications
fix Fix broken link in Jasper How-To documentation. (markt)
fix Align index.html and index.jsp in ROOT web application.
Correct links to specifications and to the Tomcat mailing
lists. (kkolinko)
fix Remove second copy of RUNNING.txt from the full-docs
distribution. Some unpacking utilities can't handle
multiple copies of a file with the same name in a directory.
(kkolinko)
Other
update Update sample Eclipse IDE project: use JUnit 4 library
and prefer a Java 5 JDK when several JDKs are configured.
Cleanup the Ant build files. (kkolinko)
fix Correct Maven dependencies for individual JAR files. (markt)
Tomcat 6.0.38 (markt) not released
Catalina
fix Ensure that when Tomcat's anti-resource locking features
are used that the temporary copy of the web application
and not the original is removed when the web application
stops. (markt/kkolinko)
fix 55019: Fix a potential exception when accessing JSPs
while running under a SecurityManager. (jfclere)
fix 55052: Make JULI's LogManager additionally look for
logging properties without prefixes if the property
cannot be found with a prefix. (kkolinko)
fix 55266: Ensure that the session ID is parsed from the
request before any redirect as the session ID may need
to be encoded as part of the redirect URL. (markt)
fix 55404: Log warnings about using security roles in web.xml
as warnings. (markt)
fix 55268: Added optional --service-start-wait-time
command-line option to change service start wait time
from default of 10 seconds. (schultz)
fix Correctly associate the default resource bundle with
the English locale so that requests that specify an
Accept-Language of English ahead of French, Spanish or
Japanese get the English messages they asked for. (markt)
fix Add missing JavaEE 5 XML schema definitions. (markt)
fix When Catalina parses TLD files, always use a namespace
aware parser to be consistent with how Jasper parses
TLD files. The tldNamespaceAware attribute of the Context
is now ignored. (markt)
fix As per section SRV.14.4.3 of the Servlet 2.5 specification,
a namespace aware, validating parser will be used when
processing *.tld and web.xml files if the system property
org.apache.catalina.STRICT_SERVLET_COMPLIANCE is set
to true. (markt)
fix Ensure that session IDs are not parsed from URLs for
Contexts where disableURLRewriting is true. (markt)
add Add an option to the Context to control the blocking of
XML external entities when parsing XML configuration
files and enable this blocking by default when a security
manager is used. The block is implemented via a custom
resolver to enable the logging of any blocked entities.
(markt)
fix 56016: When loading resources for XML schema validation,
take account of the possibility that servlet-api.jar and
jsp-api.jar may not be loaded by the same class loader.
Patch by Juan Carlos Estibariz. (markt)
Coyote
fix 52811: Fix parsing of Content-Type header in
HttpServletResponse.setContentType(). Introduces a new
HTTP header parser that follows RFC2616. (markt)
fix 54691: Add configuration attribute "sslEnabledProtocols"
to HTTP connector and document it. (Internally this
attribute has been already implemented but not documented,
under names "protocols" and "sslProtocols". Those names
of this attribute are now deprecated). (schultz)
fix 54947: Fix the HTTP NIO connector that incorrectly
rejected a request if the CRLF terminating the request
line was split across multiple packets.
Patch by Konstantin Preißer. (markt)
fix 55228: Allow web applications to set a HTTP Date header.
(markt)
fix Better adherence to RFC2616 for content-length headers.
(markt)
fix Add support for limiting the size of chunk extensions
when using chunked encoding. (markt)
fix 55749: Improve the error message when SSLEngine is
disabled in the AprLifecycleListener and SSL is
configured for an APR/native connector. (markt)
fix Avoid possible NPE if a content type is specified without
a character set. (markt)
Jasper
fix 55198: Ensure attribute values in tagx files that include
EL and quoted XML characters are correctly quoted in
the output. (markt)
fix 55671: Consistently use the configuration option name
genStringAsCharArray rather than a mixture of
genStrAsCharArray and genStringAsCharArray but retain
support for genStrAsCharArray as an initialisation
parameter for the JSP servlet to retain backwards
compatibility with existing configurations. (markt)
fix 55691: Fix javax.el.ArrayELResolver to correctly handle
the case where the base object is an array of primitives.
(markt)
fix 55973: Fix processing of XML schemas when validation
is enabled in Jasper. (kkolinko)
Web applications
add Add documentation for
o.a.c.tribes.group.interceptors.TcpFailureDetector. (kfujino)
add Complete the documentation for MessageDispatch15Interceptor.
(kfujino)
add Add to cluster document a description of
notifyLifecycleListenerOnFailure and
heartbeatBackgroundEnabled. (kfujino)
fix 55746: Add documentation on the allRolesMode to the
CombinedRealm and LockOutRealm. Patch by Cédric Couralet.
(markt)
fix Fix the sample configuration of StaticMembershipInterceptor
in order to prevent warning log. uniqueId must be 16 bytes.
(kfujino)
fix 55119: Avoid CVE-2013-1571 when generating Javadoc. (markt)
Other
update Update Maven Central location used to download
dependencies at build time to be repo.maven.apache.org.
(kkolinko)
fix 55663: Minor correction to the wording of the NOTICE files
to align them with the requirements for NOTICE files.
(violetagg)
fix Add @since markers to the common annotations classes and
fix a few specification compliance issues. (markt)
update Update to Eclipse JDT Compiler 4.3.1. (markt)
update Update the Apache Jakarta JSTL implementation used by
the examples web application to 1.1.2. (markt)
0.31 2013-09-09 16:30:00
- Updated docs to reflect config key change from 'static' to
'Plugin::Static::Simple' (RT#77709)
- Migrated repository from subversion to git
- Fixed MIME::Types 2.xx compatibility by removing call to an
undocumented method
- Bumped the MIME::Types requirement to 2.03 to ensure its
improvements make it into Catalyst environments
0.30 2012-05-04 17:05:00
- Add Cache-Control:public header
- Optionally provide Expires header
- Change configuration key to 'Plugin::Static::Simple' by default.
The old 'static' key is still supported, but issues a warning.
pkgsrc changes: distfile now apparently in 'gtar' format, not standard. annoying
0.33 Mon Jan 13 2014
- Fix config loading so that if passed a directory including
a . in the file name, then loading it as a directory works
(would have previously tried to force a specific filename
and failed)
- More comprehensive tests
This module implements a very simple parser for cookies used in
HTTP applications. We've found CGI::Simple::Cookie and CGI::Cookie
rather slow according to the profiling results for our OpenResty
project, hence the rewrite in C.
WARNING: This module is obsolete; please use CGI::Cookie::XS instead.
This module implements a very simple parser for cookies used in
HTTP applications. We've found CGI::Simple::Cookie and CGI::Cookie
rather slow according to the profiling results for our OpenResty
project, hence the rewrite in C.
Special effort has been made to ensure this module works in the
same way as the latest CGI::Cookie (i.e., the pure Perl implementation).
If you find it doesn't, please let us know.
Revision history for Perl extension Catalyst::Plugin::Session
0.39 2013-10-16
- Fixed a bug when "expiry_threshold" is non-zero, where changes to the
session were not saved.
0.38 2013-09-18
- New feature: "expiry_threshold" which allows you more control over when
this plugin checks and updates the expiration date for the session.
This is useful when you have high traffic and need to reduce the number
of session expiration hits (like if you are using a database for sessions
and your db is getting pounded).
Key pkgsrc change - move p5-Class-Data-Inheritable from BUILD_DEPENDS to
DEPENDS, as is needed at runtime (previous p5-Catalyst-Runtime package would
fail to run on non build machine due to this)
5.90053 - 2013-12-21
- Reverted a change in the previous release that moved the setup_log phase
to after setup_config. This change was made to allow people to use
configuration that is late loaded (such as via the ConfigLoader Plugin)
to setup the plugin. However it also broke the ability to use the log
during plugin setup (ie, it breaks lots of plugins). Reverting the
change. See Catalyst::Delta for workarounds.
5.90052 - 2013-12-18
- Fixed first block of startup debug messages missing when using a custom
logger that gets set at runtime, for example by overriding finalize_config
- Give a more descriptive error message when trying to load middleware that
does not exist.
- Change the way we initialize plugins to fix a bug where when using the
popular ConfigLoader plugin, configs merged are not available for setting
up middleware and data handlers (and probably other things as well).
NOTE: This change might cause issues if you had code that was relying on the
broken behavior. For example external configuration that was being loaded too
late to have effect might now take effect. Please test your code carefully and
be aware of this possible issue </NOTE>.
- You may now also call 'setup_middleware' as a package method if you think
that loading middleware via configuration is a weird or broken idea.
- Various POD formatting fixed.
- Improved some documentation about what type of filehandles that ->body can
accept and issues that might arise.
5.90051 - 2013-11-06
- Be more skeptical of the existence of $request->env to fix a regression
introduced in Catalyst::Action::REST by the previous release
5.90050 - 2013-11-05
- Previously public predicates on the following attributes are now considered
private and their method names have been changed to follow Perl convention
for internal methods:
-- Catalyst::Request->has_io_fh ==> _has_io_fh
-- Catalyst::Request->has_env ==> _has_env
-- Catalyst::Response->has_write_fh ==> _has_write_fh
These are breaking changes but these methods were never documented and serve
no use for external code. If you are using thing, you need to make the noted
change (but please consider finding another way to do what you are trying to
do). t0m++ for code review of Hamburg branch.
5.90049_006 - 2013-11-04
- Fixed case where test could fail when Starman was partly installed (n0body++)
- Fixed missing date information in previous release
5.90049_005 - 2013-10-31
- NEW FEATURE: New Controller action attribute 'Consumes', which allows you
to specify the content type of the incoming request. This makes it easier
to create actions that only handle certain content type POST or PUT, such
as actions that only handle JSON or actions that only understand classic
HTML forms.
- NEW FEATURE: Request->body_data is now also populated from classic HTML
Forms using CGI::Struct to support nested data. For non nested data you
should use the classic ->body_parameters method.
- Removed PSGI $env keys that are added on the 'plack.request.*' namespace
since after discussion it was clear those keys are not part of the public
API. Keys removed: 'plack.request.query', 'plack.request.body',
'plack.request.merged' and 'plack.request.http.body'. Altered some test
cases to reflect this change.
5.90049_004 - 2013-10-18
- JSON Data handler looks for both JSON::MaybeXS and JSON, and uses
whichever is first (preferring to find JSON::MaybeXS). This should
improve compatibility as you likely already have one installed.
- Fixed a warning in the server script (bokutin++)
- We now populate various Plack $env keys in order to play nice with
downstream middleware or plack apps (and to reduce processing if
those keys already exist). Keys added:
- plack.request.query
- plack.request.body
- plack.request.merged
- plack.request.http.body
(NOTE: REMOVED IN 5.90049_005)
- If incoming input (from a POST or PUT) is not buffered, create the
buffer and set the correct psgi env keys to note this for downstream
psgi apps / middleware. This should solve some issues where Catalyst
sucks up the body input but it's not buffered so downstream apps can't
read it (for example FCGI does not buffer). We now also try to make
sure the body content input is reset to the start of the filehandle
so that we are polite to downstream middleware /apps.
- NEW FEATURE: Catalyst::Response can now pull response from a PSGI
specification response. This makes it easier to host external Plack
applications under Catalyst. See Catalyst::Response->from_psgi_response
- NEW FEATURE: New configuration option 'use_hash_multivalue_in_request'
will populate $request methods 'parameters', 'body_parameters' and
'query_parameters' with an instance of Hash::MultiValue instead of a
HashRef. This is used by Plack and is intended to reduce the need to
write defensive logic since you are never sure if an incoming parameter
is a scalar or arrayref.
- NEW FEATURE: We now experimentally support Net::Async::HTTP::Server
and IO-Async based event loops. Examples will follow.
5.90049_003 - 2013-09-20
- Documented the new body_data method added in the previous release
- Merged from master many important bugfixes and forward compatibility
updates, including:
- Use modern preferred method for Moose metaclass access and many other
small changes to how we use Moose for better forward compat (ether++)
- Killed some evil use of $@ (ether++)
- spelling fixes and documentation updates (ether++), (gerda++)
- use Test::Fatal over Test::Exception (ether++)
- Misc. test case fixes to modernize code (ether++)
- Added a first pass cpanfile, to try and make it easier to bootstrap
a development setup (ether++)
5.90049_002 - 2013-08-20
- Fixed loading middleware from project directory
- Fixed some pointless warnings when middleware class lacked VERSION
- NEW FEATURE: Declare global 'data_handlers' for parsing HTTP POST/PUT
alternative content, and created default JSON handler. Yes, now Catalyst
handles JSON request content out of the box! More docs eventually but
for now see the DATA HANDLERS section in Catalyst.pm (or review the test
case t/data_handler.t)
5.90049_001 - 2013-07-26
- Declare PSGI compliant Middleware as part of your Catalyst Application via
a new configuration key, "psgi_middleware".
- Increased lowest allowed module version for Module::Pluggable to be 4.7 (up
from 3.4) to solve the fact this is no longer bundled with Perl in v5.18.
Provide Regex DispatchType for Catalyst (deprecated)
Regex dispatch types have been deprecated and removed from Catalyst
core. It is recommended that you use Chained methods or other techniques
instead. As part of the refactoring, the dispatch priority of Regex
vs Regexp vs LocalRegex vs LocalRegexp may have changed. Priority
is now influenced by when the dispatch type is first seen in your
application.
This module allows transforming CGI GET/POST data into intricate
data structures. It is reminiscent of PHP's building arrays from
form data, but with a Perl twist.
Upstream changes:
4.76 2014-02-04
- Added wrap method to Mojo::DOM.
- Updated IO::Socket::IP requirement to 0.20 for certain bug fixes.
- Improved Mojo::DOM::HTML to generate better HTML.
4.75 2014-02-02
- Fixed and readded support for permessage-deflate WebSocket compression.
(Mikey, sri)
4.74 2014-02-02
- Added all_contents method to Mojo::DOM.
- Removed support for permessage-deflate WebSocket compression, since there
have been too many problems with Chrome.