Diffstat (limited to 'ChangeLog')
-rw-r--r-- ChangeLog 478
1 files changed, 478 insertions, 0 deletions
diff --git a/ChangeLog b/ChangeLog
index 905110cb..a1a80e70 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,15 +1,493 @@
1January 2024
2 add missing lock, do not call 'close(-1)' on very rare error path.
3 use correct HTTP header (content type, not content encoding) for mime type
4 in examples.
5 fix memory leak on error path. -CG
6 MHD_OPTION_CONNECTION_MEMORY_{LIMIT,INCREMENT}: added ignore of zero value.
7 test_upgrade{,_large}{,_tls}: unified code, removed workarounds, added new
8 test.
9 digest_auth_example_adv: added new advanced example for the new Digest
10 Auth API use.
11 Fixed compiler warnings in configure, lib, examples, tests.
12 test_digestauth2: supported old libcurl versions.
13 Fixed tests with GnuTLS in non-default path.
14 configure: sorted messages in final config summary.
15 Fixed non-debug build without HTTPS.
16 configure: removed old workaround for Solaris.
17 test_upgrade: adapted for macOS. -EG
18
19December 2023
20 "Upgraded" TLS connections: fixed data pumping in various edge conditions.
21 'bootstrap': fixes and simplifications.
22 Digest Auth: added default timeout and max nc values, added daemon options
23 for default nonce timeout and max nc values, added testing, implemented
24 setting DAuth defaults by configure parameters. -EG
25
26November 2023
27 Updated HTTP methods, headers and reason phrases.
28 Renamed one new basic auth function, improved doxy.
29 digest auth: updated header, slightly modified multi-value processing. -EG
30 websocket_threaded_example: fix websocket url string. -Evgeniy Gavrilenko
31 configure: warn if building without threads. -EG
32 configure: added detection of FD_SETSIZE value and ability to override it.
33 internal.h: added macros for polling mode detection.
34 Added use of configure-detected system default FD_SETSIZE value.
35 internal.h: added macros for internal threads modes detection.
36 Added MHD_OPTION_APP_FD_SETSIZE and MHD_FEATURE_FLEXIBLE_FD_SETSIZE.
37 daemon.c: moved processing and checking of app-provided listen socket.
38 MHD_start_daemon(): mark listen as UNIX based on available information.
39 MHD_start_daemon(): added stricter checks for bind() and listen() return
40 values.
41 MHD_start_daemon(): added check for epoll FD to fit fd_set for external
42 polling mode.
43 Implemented and documented MHD_OPTION_LISTEN_SOCKET followed by
44 MHD_INVALID_SOCKET.
45 Fixed ignored daemon port when MHD_OPTION_LISTEN_SOCKET or
46 MHD_OPTION_SOCK_ADDR are used as documented.
47 MHD_start_daemon(): further improved UNIX / IP socket detection.
48 Implemented new option MHD_OPTION_SOCK_ADDR_LEN.
49 MHD_start_daemon(): added check for app-provided socket to fit fd_set.
50 MHD_start_daemon(): fixed leaked listen socket when daemon start failed.
51 MHD_add_connection(): added more checks for correct members of sockaddr.
52 Timeout handling added detection of more conditions to process the data
53 without waiting.
54 MHD_quiesce_daemon(): fixed return value if already quiesced.
55 MHD_start_daemon(): reject INTERNAL_POLLING_THREAD if threads are disabled.
56 test_daemon: fixed to not skip the test if failed.
57 test_digestauth2: fixed order of the initial checks.
58 Improved daemon shutdown handling in external polling mode.
59 Unified and simplified fd_set filling.
60 Added new daemon flag MHD_USE_NO_THREAD_SAFETY and testing.
61 Officially support zero for MHD_OPTION_THREAD_POOL_SIZE.
62 test_upgrade: used sized send and receive, removed VLA, other improvements.
63 test_upgrade: implemented proper timeout detection and handling. -EG
64
65September 2023
66 fix #7928: correct tutorial direntry.
67 proper fix for #7757. -CG
68 W32 VS projects: added perf_replies.
69 W32 VS projects: added .editorconfig.
70 perf_replies improvements for W32.
71 mhd_threads: muted compiler warning on W32.
72 mhd_threads: fixed check for error when starting a new thread on W32.
73 Renamed 'pid' -> 'tid' when used for threads.
74 mhd_str: fixed possible compiler and run-time sanitizers warnings.
75 Muted and fixed some compiler warnings.
76 W32 VS project: corrected compiler settings.
77 W32 VS: really muted run-time false warnings about data truncation.
78 examples/sessions.c: fixes.
79 Fixed missing <errno.h> includes.
80 Refactored threads support to handle platforms without "invalid" ID value.
81 Fixed MHD_CONNECTION_INFO_DAEMON: return master daemon. -EG
82 check rvalues from pthread_mutex_, MHD_add_response_header,
83 MHD_post_process in examples.
84 Theoretical use-after-free in test on error path. -CG
85 Do no use internal magic number if it is used by the remote client.
86 Refactoring: store "request target" original length.
87 Detect error earlier if request HTTP version is bad.
88 Added calculation of request headers total size.
89 Rewritten handling of exhaustion of memory pool when receiving.
90 tests: fixed compiler warnings, copy-paste error, added error reporting.
91 test_long_header: re-use the same port for all checks.
92 Control acceptance of LF as CRLF in chunked encoding in the same way as
93 in headers parsing.
94 Improved compatibility with old compilers.
95 Fixed more compiler warnings. -EG
96
1Sun Sep 3 12:23:18 AM CEST 2023 97Sun Sep 3 12:23:18 AM CEST 2023
2 Prevent queueing of responses if connection is not currently in the 98 Prevent queueing of responses if connection is not currently in the
3 access handler callback (which was always not allowed per API spec, 99 access handler callback (which was always not allowed per API spec,
4 but is now met with an appropriate error response). Fixes #7757. -CG 100 but is now met with an appropriate error response). Fixes #7757. -CG
5 101
102August 2023
103 Improved CPU cores detection in perf_replies. -EG
104
105July 2023
106 Added new tool perf_replies with automatic detection of number of available
107 CPU on system and for the program. -EG
108
109June 2023
110 Bump version numbers as v0.9.77 was released on parallel branch.
111 Added test for MHD_get_version{,_bin} function and related macros.
112 base64 decoding: added more compact code version.
113 Refactoring: check whether memory pool block is resizeable.
114 Re-implemented parsing of the request line from scratch with strict
115 conformance with RFC 9110 and 9112 requirements.
116 Re-implemented parsing of the request headers and footers from scratch with
117 strict conformance with RFC 9110 and 9112 requirements.
118 Fuzzing tests: almost completely re-implemented. The new version is unified
119 and much easier to maintain.
120 Added new tests for folded headers.
121 Corrected HTTP error responses for clients.
122 connection: fixed pipelined requests processing.
123 Added checks for correct values specified for connection memory limits.
124 process new connection: fixed missing mutex unlock in error handling path.
125 W32 VS Projects: fixed code parsing by GUI.
126 Focused all read-buffer grows in a single point, related improvements. -EG
127
128May 2023
129 Improved portability of boostrap (and autogen.sh)
130 Muted more compiler warnings in configure.
131 Tests: updated to support new libcurl APIs and fixed deprecation
132 warnings with new versions (the old versions are supported still).
133 Tests: minor and cosmetic fixes and improvements.
134 Tests: compiler warnings fixes.
135 configure: bump gettext version.
136 Tests: fixed build with C89 compilers.
137 Tests: fixed tests on Darwin 22.x (Ventura).
138 Tests: redesigned one tests group to avoid stress-testing of the OS.
139 configure: improved portability for exotic platforms.
140 examples: removed non-portable functions, added some checking,
141 fixed compiler warnings, fixed erroneously commented out code.
142 configure: fixed detection of __FUNCTION__ magic macro.
143 Unified function name magic macros usage in code.
144 W32 VS projects: supported ARM and ARM64.
145 Fixed compiler warning on x32.
146 Some minor fixes for W32 VS compilation. -EG
147
148
149April 2023
150 Implemented and used new function MHD_pool_deallocate().
151 Updated libtool fixes.
152 Removed some autotools files from git.
153 Added autoconf patches and fixes.
154 {md5,sha256}_ext.c: fixed processing of initialisation error with NULL
155 handler. -EG
156
157March 2023
158 Upgraded TLS: fixed inefficient communication.
159 Upgraded TLS: use more available memory for pumping the data. -EG
160
6Web 29 Mar 2023 20:56:00 CEST 161Web 29 Mar 2023 20:56:00 CEST
7 Bumped version as the hotfix was released based on the separate branch. -EG 162 Bumped version as the hotfix was released based on the separate branch. -EG
8 163
164March 2023
165 configure: reordered checks for compiler flags.
166 configure: fixed checks for tsearch() and related changes.
167 Makefile: fixed build with 'make' without nested vars support.
168 configure: fixed compiler warnings.
169 libcurl.m4: patched to fix compiler warning.
170 configure: internal fixes, compiler warning fixes, cosmetics, better
171 POSIX compatibility, fixed compatibility with old autoconf.
172 Upgraded TLS: warn if emergency buffer is used. -EG
173
9Sun Feb 26 05:49:30 PM CET 2023 174Sun Feb 26 05:49:30 PM CET 2023
10 Fix potential DoS vector in MHD_PostProcessor discovered 175 Fix potential DoS vector in MHD_PostProcessor discovered
11 by Gynvael Coldwind and Dejan Alvadzijevic (CVE-2023-27371). -CG 176 by Gynvael Coldwind and Dejan Alvadzijevic (CVE-2023-27371). -CG
12 177
178February 2023
179 epoll: immediately notice when other side closes the socket, instead of
180 waiting for timeout. -CG
181
182December 2022
183 Refactored cookies parsing.
184 Always close connection after reply if both Content-Length and chucked are
185 used. This is specified by RFC.
186 Added new daemon option MHD_OPTION_CLIENT_DISCIPLINE_LV with more detailed
187 control of accepted/rejected non-standard requests.
188 Added new M4 helper macro.
189 configure: used better detection of some functions when cross-compiling.
190 configure: try to detect whether eventfd is enabled.
191 Compiler warning fixes.
192 Improved reported strings in tests. -EG
193
194November 2022
195 connection: refuse requests with unsupported Transfer-Encoding.
196 connection: reject or log requests with both chunked encoding and
197 Content-Length.
198 tests: fixed checking response headers as null-terminated string.
199 Some tests fixes.
200 configure: check fixes.
201 Refactored user-poison: minimized scope of non-sanitized code.
202 digestauth: avoided malloc() repeating by using the new function.
203 MHD_get_version_bin(): added new function.
204 test_parse_cookies: rewritten. -EG
205
206October 2022
207 Reworked HTTPS tests. Removed hardcoded TLS version and ciphers, updated
208 self-signed certificate.
209 Fixed delayed call of connection notification callback in
210 thread-per-connection mode.
211 Fixed delayed new connection notification in thread-per-connection mode.
212 Minor internal code improvements.
213 Added handling of "DEBUG" preprocessor macro as an alias of "_DEBUG".
214 TLS initialisation: re-implemented. New implementation trying to use
215 "libmicrohttpd" system-wide GnuTLS configuration by default with fallbacks
216 to generic system-wide GnuTLS configuration and default GnuTLS
217 configuration.
218 New daemon option to use addition to default configuration instead of
219 specifying full configuration string.
220 Added relevant tests for GnuTLS initialization.
221 Added reporting of failed part of GnuTLS configuration string.
222 Added MHD_FEATURE_DEBUG_BUILD value.
223 Implemented internal protection from some wild data hypothetically reported
224 by accept4().
225 Internal refactoring.
226 Prevented sending "100 continue" if request has no body or if any part of
227 request data has been received.
228 Reworked handling of situation when app just partially processed the data:
229 if any data was processed then zero timeout if used for polling sockets,
230 if no data was processed then callback in not called until the new data
231 arrived.
232 Fixed handling of various errors conditions detected in requests.
233 Added test with Content-Length broken value in request.
234 test_head: added check for excess data in reply
235 Improved epoll connection handling.
236 Fuzzing tests: fixed CPPFLAGS.
237 configure: do not pass AM_TESTS_ENVIRONMENT directly.
238 configure: added summary message about heavy and fuzzing tests
239 test-suite: marked some tests as "very heavy" tests
240 configure: improved check for asserts. -EG
241
242September 2022
243 Added testing of userdigest and userhash calculations.
244 Implemented SHA-512/256 from scratch.
245 Digest Auth: implemented SHA-512/256 support, added
246 MHD_FEATURE_DIGEST_AUTH_SHA512_256 and relevant tests.
247 Made all algorithms (MD5, SHA-256, SHA-512/256) optional with ability
248 to remove by configure parameter.
249 Digest Auth: internal refactoring and improvements.
250 configure: minor improvements.
251 Fixed initialisation of very old GnuTLS versions.
252 Replace public domain MD5 implementation with the new implementation
253 written from scratch.
254 MD5, SHA-256, SHA-512/256: various code improvements, special versions for
255 compact code.
256 Digest Auth: changed internal algorithm for re-use of nonce-nc slot.
257 Digest Auth: used weak pseudo-random generators to avoid slot clashes.
258 Implemented optional ability to use GnuTLS functions for MD5 and SHA-256
259 calculations.
260 Fixed harmless unwanted extra data processing resulting in triggering of
261 the assert.
262 Added testing of HEAD requests.
263 Minor internal changes.
264 Fixed compiler warnings for compact code version.
265 Muted compiler warnings with clang.
266 Configure: more workarounds for clang on W32 with incorrect headers.
267 Removed long-unused "gauger" from tests.
268 Fixed compiler warnings in test.
269 test_add_conn: added reasonable limits. -EG
270
271August 2022
272 Added testing of userhash parameter parsing.
273 Added testing of the auth type headers in one request.
274 Warn in log if random data has not been initialised.
275 Digest Auth: improved response header in RFC2069 mode.
276 Added more string processing internal functions.
277 Digest Auth: added new option MHD_OPTION_DIGEST_AUTH_NONCE_BIND_TYPE to
278 control nonces generation.
279 Increased testing for Digest Auth.
280 Digest Auth: do not use reproducible nonces generation by default.
281 Minor correction for auth headers processing.
282 Digest Auth: internal refactoring.
283 Digest Auth: added algorithm value to username info (required for userhash
284 values).
285 Digest Auth: added new public functions for userhash and userdigest
286 calculations. -EG
287
288July 2022
289 Digest Auth: internal optimisations and refactoring, digest_auth_check
290 almost completely rewritten.
291 Digest Auth: removed use of VLA.
292 Digest Auth: added support for username in extended notation and test
293 for extended notation.
294 Digest Auth: implemented userhash support and tests for extended notation.
295 MHD_add_response_entry(): refactoring
296 Digest Auth: implemented DAuth response function
297 MHD_queue_auth_required_response3() from scratch. Removed old
298 implementations, old functions converted to wrappers for the new function.
299 Digest Auth: added new group of tests.
300 Digest Auth: added related MHD_FEATURES_* values.
301 Digest Auth: added detection of the algorithm used by the client and
302 use specified algorithm if allowed by application.
303 Configure: cosmetics and reports improvements, control static and shared
304 enablement by --enable-build-type=.
305 Added new daemon option MHD_OPTION_DIGEST_AUTH_RANDOM_COPY and tests.
306 Digest Auth: implemented support for old RFC 2069 (if allowed by app) and
307 tests for RFC 2069.
308 Internal refactoring: moved all request-related connection struct members
309 to dedicated struct. The same for reply-related struct members.
310 Implemented support for both Basic and Digest headers in the same
311 request. -EG
312
313June 2022
314 Fixed compiler warnings in main code and examples.
315 Added error checking in examples.
316 Added test for parsing auth headers.
317 Improved parsing of auth headers.
318 Added more internal functions for quoted string processing.
319 Added test for quoting string processing.
320 Digest Auth: internal optimisations.
321 Basic Auth: fixed handling of realms with slashes and/or double quotes.
322 Digest Auth: fixed use of possible maximum client nonce length as maximum
323 server nonce length. Reduced size of internal arrays.
324 Basic Auth: new function MHD_queue_basic_auth_fail_response3() with support
325 for RFC 7617.
326 Basic Auth: added new function MHD_basic_auth_get_username_password3() with
327 more details about username and password. Technically allow binary zero in
328 username and in password.
329 Fixed data races when closing upgraded connection.
330 Replaced public domain Base64 decoder with the new implementation written
331 from scratch. The new implementation has very precise checks for the input
332 data.
333 Added new test for Base64 decoding.
334 Updated examples to use new Basic Auth functions.
335 Fixed and improved postprocessor tests.
336 Ported test to non-VLA compilers.
337 Added configure parameter --enable-compact-code.
338 Removed duplication of "Connection: upgrade" header. Patch by Alexander
339 Irion.
340 Configure: removed some unneeded compiler flags.
341 Digest Auth: improved RFC match (qop value caseless match), check
342 parameters length validity before checking the values validity, correctly
343 compare URLs with binary zeros, check URL arguments only in the same order
344 as specified in DAuth header.
345 Added internal functions for percent-decoding and tests for
346 percent-decoding.
347 Added internal function for hex to bin decoding, tests for hex<->bin
348 decoding.
349 Digest Auth: added new function MHD_digest_auth_get_request_info3() and
350 MHD_digest_auth_get_username3() with detailed information about DAuth
351 request. -EG
352 Fixed memory leaks in tests.
353 Fixed wrong array size for Digest Auth. -CG
354
355May 2022
356 Improved public doxy.
357 Digest Auth: fixed missing mark on 'nc' value as 'used'.
358 Digest Auth: added internal checks for unrealistically high values.
359 Digest Auth: added check for correct values from application.
360 Digest Auth: nonce timestamps changed to milliseconds to lower conflict
361 probability.
362 Digest Auth: implemented management nonce-nc map array slots so old
363 entries are removed safely while trying to avoid to remove the new entries.
364 configure: added 'debugger' build type.
365 Added more tests for cookies parsing.
366 Digest Auth: use nonce-nc map arrays with locks in master daemon only
367 so works can re-use the nonces and nc information.
368 MHD_set_connection_option(): reduced scope for the lock.
369 Fixed leak of mutexes when daemon creation failed and when closing daemon
370 with thread pool.
371 Digest Auth: fixed stale nonce result value ambiguity.
372 Digest Auth: added special check for fabricated nonces.
373 Added new functions MHD_digest_auth_check3() and
374 MHD_digest_auth_check_digest3() with detailed result of the checks.
375 Added return NULL MHD_CONNECTION_INFO_CLIENT_ADDRESS when information is
376 not available.
377 Improved internal handling of non-IP connections (UNIX sockets or pipes)
378 when processing the client address.
379 Fixed compiler warnings.
380 Increased testing of cookies parsing.
381 Completely re-written cookies parsing. The new code follow RFC 6265.
382 Made cookies parsing functionality optional, can be disabled by configure.
383 Configure: added more warning flags.
384 Configure: internal improvements.
385 Globally changed '#if HAVE_SOMETHING' to '#ifdef HAVE_SOMETHING'.
386 Enabled more compiler warnings in W32 projects.
387 Fixed MHD functionality with blocking sockets. Patch by Kolja Nowak.
388 Moved some macros and declaration to new specialised headers: basicauth.h
389 and digestauth.h.
390 Added new function to process quoted strings.
391 Digest Auth: reworking support for multiple digest algorithms.
392 Response processing: better handle unrealistic but broken situation.
393 Basic and Digest Auth: completely reworked headers parsing, unified code.
394 Added new autoconf macros.
395 Configure: added more workarounds for clang.
396 Fixed possible use of uninitialised variable.
397 Added new test for Basic Auth.
398 Some code readability improvements. -EG
399
400April 2022
401 Added autoconf macro for checking compiler parameter/flag.
402 Improved -fvisibility compiler flag support detection in configure.
403 Fixed compiler warnings.
404 Moved fixed libtool-specific flags to Makefile from configure.
405 Configure: added reporting of final compiler/linker flags.
406 Fixed ignored user linker flags when building library binary.
407 Improved makefiles dependency specification.
408 Implemented --enable-build-type=TYPE configure parameters for ready-to-use
409 configuration sets (defaults).
410 Separated internal types for request headers and response headers.
411 Fixed many unneeded drops of 'const' qualifier, converted some pointers
412 to 'const'.
413 Added use of _MHD_EXTERN with all external function definitions.
414 Refactored response creation functions.
415 Added new function MHD_create_response_from_buffer_static() to avoid
416 unwanted dropping of 'const' when application is using static strings.
417 Added new API function MHD_create_response_from_buffer_copy().
418 Public doxy improvments.
419 Improved handling of TLS backends for libcurl when testing HTTPS.
420 Updated TLS certificates for tests and examples. New certificates
421 were generated with SAN fields to match actual requirements.
422 Fixed old style function definitions in examples.
423 Tuned compiler warning flags.
424 Fixed many preprocessor macros (removed space before bracket).
425 Fixed printf() format specifications in examples.
426 Removed non-literal strings for printf in examples.
427 Improved portability of examples.
428 Fixed unaligned access via sockaddr_in pointers.
429 Fixed unaligned access in MHD_get_connection_info() and
430 MHD_get_daemon_info().
431 Compiler warning fixes.
432 Changed: any negative number returned by response data generation
433 callback function is treated as an error.
434 Fixed setting custom connection timeout value for thread-per-connection
435 mode.
436 Fixed short (lees then one second) busy-waiting when connection is about
437 to expire by switching to milliseconds accuracy instead of seconds.
438 Added new functions MHD_get_timeout64(), MHD_get_timeout64s(),
439 MHD_get_timeout_i().
440 Added some checks for possible value trim due to width conversion.
441 Digest Auth: continuation of refactoring, optimisations.
442 Digest Auth: do not use nonces provided by the client if they were not
443 generated previously by MHD. -EG
444
445March 2022
446 Added internal check for suitability of used response.
447 Improved doxy.
448 Improved handling of application-provide "Content-Length" header.
449 Internally separated "Icy" flag from the response code.
450 Fixed Address Sanitizer unpoison of memory when memory pool is destroyed.
451 Improved log messages.
452 Added more checks for "Upgrade" handling.
453 Better internally separated response type handling:
454 headers only without
455 body-specific headers, body-specific headers without body
456 (Content-Length/Transfer-Encoding),
457 all headers with body.
458 Blocked MHD_SIZE_UNKNOWN value for buffer-based responses.
459 Significantly improved doxy for MHD_queue_response().
460 Added new function MHD_create_response_empty()
461 Fixed compiler flags for UBsan in configure.
462 Added new option for "--enable-sanitizers=" parameter.
463 Improved autoconf macros. -EG
464
465January 2022
466 Tuned automake options.
467 Fixed compiler warning in examples.
468 Fixed use of initialised variable in tests.
469 Removed unused autotools files.
470 .gitignore: cleanup and update.
471 Autotools: always let user override build flags.
472 Moved 'po' files to separate directory.
473 Fixed missing include file in docs.
474 Fixed 'make distcheck'.
475 Fixed use on GNU/kFreeBSD.
476 Fixed HTTP/1.1 or 1.0 selection in tests.
477 Other tests improvements and fixes.
478 Digest Auth: changed "md5" / "sha-256" to "MD5" / "SHA-256" to better
479 match RFC (while clients should use caseless matching).
480 Initial digest auth refactoring, reject invalid input.
481 Global rename of callback parameter 'con_cls' -> 'req_cls'.
482 Digest auth tests improvements and fixes.
483 Added test for parallel digest auth requests.
484 Minor autoconf macros fixes. -EG
485
486December 2021
487 configure: fixed unwanted output on Fedora.
488 configure: clarified licence message.
489 Doxy corrections and improvments. -EG
490
13Sun 26 Dec 2021 20:30:00 MSK 491Sun 26 Dec 2021 20:30:00 MSK
14 Releasing GNU libmicrohttpd 0.9.75 -EG 492 Releasing GNU libmicrohttpd 0.9.75 -EG
15 493
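Review bot: Several added entries carry spelling errors that obscure what was changed and should be corrected before this lands: "boostrap" in the May 2023 block, "chucked" in the December 2022 entry about Content-Length, "lees then one second" in April 2022, "Do no use internal magic number" in September 2023, and "improvments" in both April 2022 and December 2021. "Fixed use of initialised variable in tests" under January 2022 reads as though "uninitialised" was meant; please confirm. The added blocks also leave two separate "March 2023" headings on either side of the existing 29 Mar 2023 entry, which could be merged or given a short note explaining the split. Finally, entries that change how untrusted input is handled, such as "Digest Auth: do not use nonces provided by the client if they were not generated previously by MHD" and "connection: reject or log requests with both chunked encoding and Content-Length", sit unmarked among build and test items, while the existing CVE-2023-27371 entry is easy to spot; a consistent marker on such entries would let packagers and auditors find the behaviour changes that matter for hardening.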