CppCMS is a free high performance web development framework.
It uses modern C++ and a design borrowing heavily from frameworks
like Django or Java Servlets to handle very high load levels while
minimizing CPU and memory use.
- SECURITY: CVE-2013-1862 (cve.mitre.org)
mod_rewrite: Ensure that client data written to the RewriteLog is
escaped to prevent terminal escape sequences from entering the
log file. [Eric Covener, Jeff Trawick, Joe Orton]
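As an added illustration of the mitigation described in that mod_rewrite item (not Apache's own code, and the function names are assumptions), the C routine below escapes untrusted client data before it is placed on a log line, turning control bytes such as ESC and CR into `\xHH` so a terminal or log viewer that later displays the file does not interpret them as escape sequences.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Escape one byte of untrusted client data for a log line.
 * Printable ASCII (0x20..0x7e) passes through, except '\\', which is
 * doubled so the escaped output stays unambiguous; everything else
 * (control bytes such as ESC 0x1b, DEL, bytes >= 0x80) becomes \xHH.
 * Returns the number of bytes written (1, 2 or 4), or 0 if no room. */
static size_t escape_byte(unsigned char c, char *out, size_t room)
{
    static const char hex[] = "0123456789abcdef";
    if (c == '\\') {
        if (room < 2) return 0;
        out[0] = '\\'; out[1] = '\\';
        return 2;
    }
    if (c >= 0x20 && c <= 0x7e) {
        if (room < 1) return 0;
        out[0] = (char)c;
        return 1;
    }
    if (room < 4) return 0;
    out[0] = '\\'; out[1] = 'x';
    out[2] = hex[c >> 4]; out[3] = hex[c & 0x0f];
    return 4;
}

/* Escape the NUL-terminated string `in` into `out` (capacity outlen,
 * always NUL-terminated). Returns the length of the escaped string, or
 * -1 if it does not fit: the caller should treat that as an error
 * rather than log a silently truncated line. */
int escape_for_log(const char *in, char *out, size_t outlen)
{
    size_t used = 0;
    if (outlen == 0) return -1;
    for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
        size_t n = escape_byte(*p, out + used, outlen - 1 - used);
        if (n == 0) { out[0] = '\0'; return -1; }
        used += n;
    }
    out[used] = '\0';
    return (int)used;
}

int main(void)
{
    /* Constructed sample: a request path carrying an ANSI clear-screen
     * sequence (ESC [ 2 J) followed by a CR, the kind of input the fix
     * neutralises before it reaches the RewriteLog. */
    const char *raw = "/index.html\x1b[2J\r";
    char buf[128];
    int n = escape_for_log(raw, buf, sizeof buf);
    printf("%d: %s\n", n, buf);   /* 22: /index.html\x1b[2J\x0d */
    return n < 0;
}
```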
- core: Limit ap_pregsub() to 64MB and add ap_pregsub_ex() for longer
strings. The default limit for ap_pregsub() can be adjusted at compile
time by defining AP_PREGSUB_MAXLEN. [Stefan Fritsch, Jeff Trawick]
- core: Support the SINGLE_LISTEN_UNSERIALIZED_ACCEPT optimization
on Linux kernel versions 3.x and above. Bug#55121. [Bradley Heilbrun
<apache heilbrun.org>]
- mod_setenvif: Log error on substitution overflow.
[Stefan Fritsch]
- mod_ssl/proxy: enable the SNI extension for backend TLS connections
[Kaspar Brand]
- mod_proxy: Use the same hostname for SNI as for the HTTP request when
forwarding to SSL backends. Bug#53134.
[Michael Weiser <michael weiser.dinsnail.net>, Ruediger Pluem]
- mod_ssl: Lower the "FIPS mode weak keys disabled" and "FIPS not selected"
messages emitted in the error log to debug level. [William Rowe]
- mod_ssl: Catch missing, mismatched or encrypted client cert/key pairs
with SSLProxyMachineCertificateFile/Path directives. Bug#52212, Bug#54698.
[Keith Burdis <keith burdis.org>, Joe Orton, Kaspar Brand]
- mod_proxy_balancer: Added balancer parameter failontimeout to allow server
admin to configure an IO timeout as an error in the balancer.
[Daniel Ruggeri]
- mod_authnz_ldap: Allow using exec: calls to obtain LDAP bind
password. [Daniel Ruggeri]
- htdigest: Fix buffer overflow when reading digest password file
with very long lines. Bug#54893. [Rainer Jung]
- mod_dav: Fix a segfault triggered by sending a MERGE request against a URI
handled by mod_dav_svn with the source href (sent as part of the request body
as XML) pointing to a URI that is not configured for DAV. [Ben Reser
<ben reser.org>]
- mod_dav: Ensure URI is correctly uriencoded on return. Bug#54611
[Timothy Wood <tjw omnigroup.com>]
- mod_dav: Make sure that when we prepare an If URL for Etag comparison,
we compare unencoded paths. Bug#53910 [Timothy Wood <tjw omnigroup.com>]
- mod_dav: Fix: sending an If or If-Match header with an invalid ETag did not
result in a 412 Precondition Failed for a COPY operation. Bug#54610
[Timothy Wood <tjw omnigroup.com>]
- mod_dav: Fix a segfault when a PROPPATCH attempts to remove a non-existent
dead property on a resource for which there is no dead property in the same
namespace. Bug#52559 [Diego Santa Cruz
<diego.santaCruz spinetix.com>]
- mod_dav: Do not fail PROPPATCH when prop namespace is not known.
Bug#52559 [Diego Santa Cruz <diego.santaCruz spinetix.com>]
- mod_dav: Do not segfault on PROPFIND with a zero length DBM.
Bug#52559 [Diego Santa Cruz <diego.santaCruz spinetix.com>]
are replaced with .include "../../devel/readline/buildlink3.mk", and
USE_GNU_READLINE are removed,
* .include "../../devel/readline/buildlink3.mk" without USE_GNU_READLINE
are replaced with .include "../../mk/readline.buildlink3.mk".
Upstream changes:
0.27 02/26/2013
- Remove more HTTP::Headers assumptions
0.26 02/26/2013
- Add parent dependency
0.25 11/10/2012
- Fix problem with META.yml
0.24 11/10/2012
- Skip CONNECT test on Windows
0.23 11/05/2012
- Fix test failures from newer HTTP::Headers
0.22
- Filter out Status header since it's forbidden in PSGI spec (miyagawa)
0.21
- Bump version to fix some CPAN issues.
0.20
- Fix auto guessing of RewriteLocation.
Upstream changes:
1.0028 2013-06-15 01:42:52 PDT
[IMPROVEMENTS]
- Skip cgi related tests for Win32 (chorny) #413
- Skip tests that could potentially write empty bytes, which could cause
issues on some servers on local sockets with HTTP::Tiny
- Skip tests that require HTTP::Cookies, if not available #414
1.0027 2013-06-13 21:30:12 PDT
[IMPROVEMENTS]
- Not a dev release, including XS free version of Plack::Test*
- Fix cgibin tests that often fail on Win32 #375
1.0026 2013-06-12 23:00:21 PDT
[INCOMPATIBLE CHANGES]
- use HTTP::Tiny in Plack::Test::Suite and Plack::Test::Server rather than skipping it.
1.0025 2013-06-12 13:08:58 PDT
[INCOMPATIBLE CHANGES]
- No XS! Eliminates the dependency on LWP::UserAgent by making it completely optional for
testing. If you run Plack::Test with the Server implementation or run Plack::Test::Suite
(for PSGI handlers) without LWP installed, the tests will automatically be skipped.
This removes the eventual sub-dependency on HTML::Parser, which is the only XS dependency
in Plack. #408
[IMPROVEMENTS]
- Fixed the warning in OO usage of Plack::Builder (doy) #407
- Shotgun loader now dies if used in Win32 since it leaks memory #320, #400
- Suppress warnings for Test::TCP (kazeburo) #406
- $res->to_app shortcut (ether) #409
* Protect against buffer overrun in DNS query generation
* SourceFormat Enforcement
* Bug 3297: Fix openSSL related build failures
* Fix build on FreeBSD 9.x platform with clang
* Update enigmail to 1.5.2.
Changelog:
SeaMonkey-specific changes
Mark -> As Read now checks the state of all selected messages instead of only the first one's.
Notifications for mixed content blocker have been implemented.
A new 3rd-party cookie restriction to visited websites option has been added to the Cookies pref pane.
The context menu Search option is now available for textareas and input fields.
Website storage mechanisms are now available in the Data Manager (localStorage, indexedDB, etc.).
"Open Containing Folder" is now already available during download.
See the changes page for minor changes.
Mozilla platform changes
asm.js optimizations (OdinMonkey) have been enabled for major performance improvements.
Improved WebGL rendering performance through asynchronous canvas updates.
Plain text files displayed within the browser will now word-wrap.
For user security, the Components object is no longer accessible from web content.
Improved memory usage and display time when rendering images.
The Pointer Lock API can now be used outside of fullscreen.
CSS3 Flexbox has been implemented and enabled by default.
The new Web Notifications API has been implemented.
Added clipboardData API for JavaScript access to a user's clipboard.
Support for new HTML5 <data> and <time> elements has been added.
Fixed several stability issues.
* Deal with git behavior change in 1.7.2 and newer that broke support
for commits with an empty commit message.
* Pass --no-edit when used with git 1.7.8 and newer.
o properly escape generated HTML
o add authentication for redirections, from martin@netbsd.org
o handle chained ssl certifications, from elric@netbsd.org
o add basic support for gzipped files, from elric@netbsd.org
o properly escape generated URIs
* blogspam: Fix encoding issue in RPC::XML call.
Thanks, Changaco
* comments: The formats allowed to be used in comments can be configured
using comments_allowformats.
Thanks, Michal Sojka
* calendar: When there are multiple pages for a given day, they're
displayed in a popup on mouseover.
Thanks, Louis
* osm: Remove trailing slash from KML maps icon.
* page.tmpl: omit searchform, trails, sidebar and most metadata in CGI
(smcv)
* openid: Automatically upgrade openid_realm to https when
accessed via https.
* The ip() pagespec can now contain glob characters to match eg, a subnet
full of spammers.
* Fix crash that could occur when a needsbuild hook returned a file
that does not exist.
* Fix python proxy to not crash when fed unicode data in getstate
and setstate.
Thanks, chrysn
* Fix committing attachments when using svn.
[SECURITY]
- CR escaping for Set-Cookie and P3P headers was improved. There was potential
for newline injection in these headers.
(Thanks to anazawa, https://github.com/markstos/CGI.pm/pull/23)
[INTERNALS]
- Changed how the deprecated endform function was defined for compatibility
with the development version of Perl.
- Fix failures in t/tmpdir.t when run as root
(https://github.com/markstos/CGI.pm/issues/22, RT#80659)
- Made it possible to force a sorted order for things like hash
attributes so that tests are not dependent on a particular hash
ordering. This will be required in modern perls which will
change the ordering per process. (Yves, RT#80659)
- formatting of CGI::Carp documentation was improved. Thanks to benkasminbullock.
- un-TODO some tests in t/tmpdir.t that were passing in most cases.
More on this:
https://github.com/markstos/CGI.pm/issues/19#cc73dc9807
* Mock http responses to avoid unnecessary network requests -- Randy Stauner
* Fix for RT#55591: Incorrect default value for 'codes_to_determinate'
from yibe via github.
- Makefile.PL updated
- removed TLS test for now, some cpan testers reporting issues with
the configuration, seems pointless given the Makefile
- removed some of the tests that seem to fail on congested machines
(eg: cpantesters).
- [SREZIC] added mirror support:
https://rt.cpan.org/Ticket/Display.html?id=44569
Version 0.8.4
-------------
Released 2013/3/28
- Recaptcha Validator now returns provided message (issue #66)
- Minor doc fixes
- Fixed issue with tests barking because of nose/multiprocessing issue.
Version 0.10.1
--------------
(bugfix release, released on June 14th 2013)
- Fixed an issue where ``|tojson`` was not quoting single quotes which
made the filter not work properly in HTML attributes. Now it's
possible to use that filter in single quoted attributes. This should
make using that filter with angular.js easier.
- Added support for byte strings back to the session system. This broke
compatibility with the common case of people putting binary data for
token verification into the session.
- Fixed an issue where registering the same method twice for the same endpoint
would trigger an exception incorrectly.
Version 0.10
------------
Released on June 13th 2013, codename Limoncello.
- Changed default cookie serialization format from pickle to JSON to
limit the impact an attacker can do if the secret key leaks. See
:ref:`upgrading-to-010` for more information.
- Added ``template_test`` methods in addition to the already existing
``template_filter`` method family.
- Added ``template_global`` methods in addition to the already existing
``template_filter`` method family.
- Set the content-length header for x-sendfile.
- ``tojson`` filter now does not escape script blocks in HTML5 parsers.
- ``tojson`` used in templates is now marked safe by default. This is
possible because of the changed escaping behavior.
- Flask will now raise an error if you attempt to register a new function
on an already used endpoint.
- Added wrapper module around simplejson and added default serialization
of datetime objects. This allows much easier customization of how
JSON is handled by Flask or any Flask extension.
- Removed deprecated internal ``flask.session`` module alias. Use
``flask.sessions`` instead to get the session module. This is not to
be confused with ``flask.session`` the session proxy.
- Templates can now be rendered without request context. The behavior is
slightly different as the ``request``, ``session`` and ``g`` objects
will not be available and blueprint's context processors are not
called.
- The config object is now available to the template as a real global and
not through a context processor which makes it available even in imported
templates by default.
- Added an option to generate non-ascii encoded JSON which should result
in fewer bytes being transmitted over the network. It's disabled by
default to not cause confusion with existing libraries that might expect
``flask.json.dumps`` to return bytestrings by default.
- ``flask.g`` is now stored on the app context instead of the request
context.
- ``flask.g`` now gained a ``get()`` method for not erroring out on non
existing items.
- ``flask.g`` now can be used with the ``in`` operator to see what's defined
and it now is iterable and will yield all attributes stored.
- ``flask.Flask.request_globals_class`` got renamed to
``flask.Flask.app_ctx_globals_class`` which is a better name to what it
does since 0.10.
- `request`, `session` and `g` are now also added as proxies to the template
context which makes them available in imported templates. One has to be
very careful with those though because usage outside of macros might
cause caching.
- Flask will no longer invoke the wrong error handlers if a proxy
exception is passed through.
- Added a workaround for chrome's cookies in localhost not working
as intended with domain names.
- Changed logic for picking defaults for cookie values from sessions
to work better with Google Chrome.
- Added `message_flashed` signal that simplifies flashing testing.
- Added support for copying of request contexts for better working with
greenlets.
- Removed custom JSON HTTP exception subclasses. If you were relying on them
you can reintroduce them again yourself trivially. Using them however is
strongly discouraged as the interface was flawed.
- Python requirements changed: requiring Python 2.6 or 2.7 now to prepare
for Python 3.3 port.
- Changed how the teardown system is informed about exceptions. This is now
more reliable in case something handles an exception halfway through
the error handling process.
- Request context preservation in debug mode now keeps the exception
information around which means that teardown handlers are able to
distinguish error from success cases.
- Added the ``JSONIFY_PRETTYPRINT_REGULAR`` configuration variable.
- Flask now orders JSON keys by default to not trash HTTP caches due to
different hash seeds between different workers.
- Added `appcontext_pushed` and `appcontext_popped` signals.
- The builtin run method now takes the ``SERVER_NAME`` into account when
picking the default port to run on.
- Added `flask.request.get_json()` as a replacement for the old
`flask.request.json` property.
Version 0.9.1
-------------
(bugfix release, released on June 14th 2013)
- Fixed an issue with integers no longer being accepted in certain
parts of the routing system or URL quoting functions.
- Fixed an issue with `url_quote` not producing the right escape
codes for single digit codepoints.
- Fixed an issue with :class:`~werkzeug.wsgi.SharedDataMiddleware` not
reading the path correctly and breaking on etag generation in some
cases.
- Properly handle `Expect: 100-continue` in the development server
to resolve issues with curl.
- Automatically exhaust the input stream on request close. This should
fix issues where not touching request files results in a timeout.
- Fixed exhausting of streams not doing anything if a non-limited
stream was passed into the multipart parser.
- Raised the buffer sizes for the multipart parser.
Version 0.9
-----------
Released on June 13th 2013, codename Planierraupe.
- Added support for :meth:`~werkzeug.wsgi.LimitedStream.tell`
on the limited stream.
- :class:`~werkzeug.datastructures.ETags` now is nonzero if it
contains at least one etag of any kind, including weak ones.
- Added a workaround for a bug in the stdlib for SSL servers.
- Improved SSL interface of the devserver so that it can generate
certificates easily and load them from files.
- Refactored test client to invoke the open method on the class
for redirects. This makes subclassing more powerful.
- :func:`werkzeug.wsgi.make_chunk_iter` and
:func:`werkzeug.wsgi.make_line_iter` now support processing of
iterators and streams.
- URL generation by the routing system now no longer quotes
``+``.
- URL fixing now no longer quotes certain reserved characters.
- The :func:`werkzeug.security.generate_password_hash` and
check functions now support any of the hashlib algorithms.
- `wsgi.get_current_url` is now ascii safe for browsers sending
non-ascii data in query strings.
- improved parsing behavior for :func:`werkzeug.http.parse_options_header`
- added more operators to local proxies.
- added a hook to override the default converter in the routing
system.
- The description field of HTTP exceptions is now always escaped.
Use markup objects to disable that.
- Added number of proxy argument to the proxy fix to make it more
secure out of the box on common proxy setups. It will by default
no longer trust the x-forwarded-for header as much as it did
before.
- Added support for fragment handling in URI/IRI functions.
- Added custom class support for :func:`werkzeug.http.parse_dict_header`.
- Renamed `LighttpdCGIRootFix` to `CGIRootFix`.
- Always treat `+` as safe when fixing URLs as people love misusing them.
- Added support to profiling into directories in the contrib profiler.
- The escape function now by default escapes quotes.
- Changed repr of exceptions to be less magical.
- Simplified exception interface to no longer require environments
to be passed to receive the response object.
- Added sentinel argument to IterIO objects.
- Added pbkdf2 support for the security module.
- Added a plain request type that disables all form parsing to only
leave the stream behind.
- Removed support for deprecated `fix_headers`.
- Removed support for deprecated `header_list`.
- Removed support for deprecated parameter for `iter_encoded`.
- Removed support for deprecated non-silent usage of the limited
stream object.
- Removed support for previous dummy `writable` parameter on
the cached property.
- Added support for explicitly closing request objects to close
associated resources.
- Conditional request handling or access to the data property on responses no
longer ignores direct passthrough mode.
- Removed werkzeug.templates and werkzeug.contrib.kickstart.
- Changed host lookup logic for forwarded hosts to allow lists of
hosts in which case only the first one is picked up.
- Added `wsgi.get_query_string`, `wsgi.get_path_info` and
`wsgi.get_script_name` and made the `wsgi.pop_path_info` and
`wsgi.peek_path_info` functions perform unicode decoding. This
was necessary to avoid having to expose the WSGI encoding dance
on Python 3.
- Added `content_encoding` and `content_md5` to the request object's
common request descriptor mixin.
- added `options` and `trace` to the test client.
- Overhauled the utilization of the input stream to be easier to use
and better to extend. The detection of content payload on the input
side is now more compliant with HTTP by detecting off the content
type header instead of the request method. This also now means that
the stream property on the request class is always available instead
of just when the parsing fails.
- Added support for using :class:`werkzeug.wrappers.BaseResponse` in a with
statement.
- Changed `get_app_iter` to fetch the response early so that it does not
fail when wrapping a response iterable. This makes filtering easier.
- Introduced `get_data` and `set_data` methods for responses.
- Introduced `get_data` for requests.
- Soft deprecated the `data` descriptors for request and response objects.
- Added `as_bytes` operations to some of the headers to simplify working
with things like cookies.
- Made the debugger paste tracebacks into github's gist service as
private pastes.
Version 0.8.4
-------------
(bugfix release, release date to be announced)
- Added a favicon to the debugger which fixes problem with
state changes being triggered through a request to
/favicon.ico in Google Chrome. This should fix some
problems with Flask and other frameworks that use
context local objects on a stack with context preservation
on errors.
- Fixed an issue with scrolling up in the debugger.
- Fixed an issue with debuggers running on a different URL
than the URL root.
- Fixed a problem with proxies not forwarding some rarely
used special methods properly.
- Added a workaround to prevent the XSS protection from Chrome
breaking the debugger.
- Skip redis tests if redis is not running.
- Fixed a typo in the multipart parser that caused content-type
to not be picked up properly.
Changelog:
Add support for time to first byte in the AccessLogValve. Patch provided by Jeremy Boynes.
Correct a regression introduced in 7.0.39 (refactoring of base 64 encoding and decoding) that broke the JNDI Realm when userPassword was set and passwords were hashed with MD5 or SHA1.
Ensure that the build process produces Javadoc that is not vulnerable to CVE-2013-1571. Based on a patch by Uwe Schindler.
Upstream changes:
2.5.1
Highlights
MDL-39824 - Simplification of themes
MDL-38434 - Functional tests added for the Chat activity
MDL-39723 - Two unnecessary course queries were removed from most pages
Functional changes
MDL-39790 - My Latest badges block appears on the course page
API changes
MDL-40137 - Correct naming of functions in theme/clean/lib.php
Security issues
A number of security related issues were resolved. Details of these issues will be released after a period of approximately one week to allow system administrators to safely update to the latest version.
Fixes and improvements
MDL-39778 - Course deletion now functions with badges.
MDL-40120 - Issue when recent PostgreSQL versions retrieve the number of records from course table fixed.
MDL-39697 - Bootstrap layouts now have 'Maintenance' layout and related options.
MDL-40065 - Bootstrap Theme only sends content to "side-pre" if necessary.
MDL-40088 - Can now edit course settings if course is in a hidden category.
MDL-39979 - Teachers no longer see errors when Show Activity Reports is set to yes.
MDL-39363 - SCORM pass/fail status is set for a grade of 0.
MDL-39227 - SCORM navigation panel is no longer hidden when a Bootstrap theme is active.
MDL-39177 - Overwriting files always observes the "alias" attribute.
MDL-33719 - When overwriting a copy of a file with an alias/shortcut of a file, the file thumbnail is refreshed.
MDL-40142 - No JavaScript error is caused by the navigation block in relation to course categories.
MDL-40289 - Badges capabilities now have correct risks, levels and archetypes. Note for sites which are upgrading from 2.5: See the section 'Upgrading from Moodle 2.5 to 2.5.1' in Upgrading for details of how to correctly set badge permissions for each role archetype.
enables you to integrate WebDAV server capabilities to your application.
A fully working example on how to use the library is included. You can find a
server in the DAVServer package. This server is fully functional and can even
be run as daemon.
There is no dedicated change log but version 2.10 was introduced to
pkgsrc 2.5 years ago. The current capability is described by
http://docs.adacore.com/aws-docs/aws.html
This is roughly equivalent to Adacore release 2013 of aws.
The "gnutls" option was added as an alternative to ssl.
Upstream changes:
4.17 2013-07-04
- Updated jQuery to version 2.0.3.
- Improved Mojo::IOLoop::Server to use Perfect Forward Secrecy for TLS.
- Fixed Mojo::Transaction::WebSocket to generate RFC 6455 compliant
Sec-WebSocket-Key headers. (josh)
- Fixed bug where not all uppercase methods were hidden from the router.
4.16 2013-06-19
- Improved Perl 5.10.x and 5.12.x compatibility. (trinitum)
4.15 2013-06-18
- Added around_action hook.
- Improved ojo to make the current controller object available to actions
as $_. (jberger, sri)
- Fixed a few error reporting bugs in Mojo::IOLoop::Client and
Mojo::IOLoop::Server.
- Fixed small emit_chain bug in Mojolicious::Plugins.
REPLACE_PYTHON in two files. From ChangeLog.txt:
## 2012-06-26 0.37
* Fixed datestr issue on Windows -- #155
* Fixed Python 2.4 compatibility issues (tx fredludlow)
* Fixed error in utils.safewrite (tx shuge) -- #95
* Allow use of web.data() with app.request() -- #105
* Fixed an issue with session initialization (tx beardedprojamz) -- #109
* Allow custom message on 400 Bad Request (tx patryk) -- #121
* Made djangoerror work on GAE. -- #80
* Handle malformatted data in the urls. -- #117
* Made it easier to stop the dev server -- #100, #122
* Added support for customizing cookie_path in session (tx larsga) -- #89
* Added exception for "415 Unsupported Media" (tx JirkaChadima) -- #145
* Added GroupedDropdown to support `<optgroup>` tag (tx jzellman) -- #152
* Fixed failure in embedded interpreter - #87
* Optimized web.cookies (tx benhoyt) - #148