aboutsummaryrefslogtreecommitdiff
path: root/NEWS
blob: d56f582441a1abcb47d0a31680442f31e29d2f21 (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
Thu 01 Feb 2024 15:00:00 CET
Released GNU libmicrohttpd 1.0.0.

    This is the first non-bugfix release since version 0.9.75 and the first
    ever stable release of GNU libmicrohttpd. It is a huge with new features
    and fixes.

    The major changes:
    * Rewritten parsing of clients' requests, fully aligned with current
      RFCs (9110 and 9112) requirements. Added detailed control of strict
      or lenient specification enforcement. Application may choose between
      more compatible mode or more strict and secure mode.
    * Reworked Digest Auth, greater enhanced support for current RFC 7617
      features. MHD currently is the only known server-side implementation
      with support for SHA-512/256, userhash and username in extended
      notation. At the same time the very old RFC2069 is supported, as
      well as MD5 and SHA-256.
    * Improved functionality in multi-threading environment, especially with
      external sockets polling modes.
    * Reworked Basic Auth, adding new convenient API functions.
    * Re-implemented GnuTLS initialisation. Now supported
      libmicrohttpd-specific system-wide configuration, as well as generic
      GnuTLS system-wide configuration. Application may adjust settings based
      on system configuration instead of specifying its own full
      configuration.
    * Tons of other new functionality and various fixes. For detailed changes
      see the ChangeLog or Git commit logs.


    Since last non-bugfix release there are 1062 commits added with
    67007 lines insertions and 26616 deletions.

    -- Evgeny Grin (Karlson2k)

Sun 28 May 2023 18:00:00 MSK
Released GNU libmicrohttpd 0.9.77.

    This is mostly a bugfix release.
    This version created by taking patches from the current development
    branch and back-porting them on top of version 0.9.76.
    The most notable changes are: some improvements for Digest and Basic
    authorizations, fixed efficiency for TLS upgraded connections, fixed
    processing of folded headers in requests, fixed functionality with 
    blocking sockets, improved and fixed internal test-suite.

    The more detailed list of the important changes:

    API changes:
    + Added new function MHD_get_version_bin().

    Improvements and enhancements:
    * Digest Auth: changed algorithm identifiers in server generated
      headers from "md5" / "sha-256" to "MD5" / "SHA-256" to better match
      RFC (while clients should use caseless matching).
    * Improved Base64 decoding by new implementation with robust input
      data validation checks.
    * Improved configure for cross-compiling, for better compatibility
      with POSIX and for better compatibility with the latest compiler
      versions.
    * New internal tests: for Base64 decoding, Basic Auth and folded
      headers.
    * Supported new libcurl API in tests to mute deprecation warnings.
    * Supported ARM and ARM64 for VC compilers.

    Functionality changes:
    * any negative number returned by response data generation callback
      function is treated as an error. Previously negative values except
      predefined error codes could produce undefined behaviour.
    * Added handling of "DEBUG" preprocessor macro as an alias of "_DEBUG".

    Fixes:
    # Fixed functionality with blocking sockets.
    # Fixed very inefficient data pumping for upgraded TLS connections.
    # Fixed processing of folded headers in the requests.
    # Fixed data races when closing upgraded connection.
    # Removed duplication of "Connection: upgrade" header.
    # Digest auth: fixed thread sync to avoid "stale hash" results.
    # Fixed harmless unwanted extra data processing resulting in triggering
      of the assert.
    # Fixed tests for LTO.
    # Removed removed non-portable functions in examples.
    # Fixed delayed call of connection notification callback in
      thread-per-connection mode.
    # Fixed Address Sanitizer unpoison of memory when memory pool is
      destroyed. This fixed periodic ASAN error when used for a long time
      with the sanitizer.
    # Fixed compiler warnings in library code, examples, tests and configure
      checks.
    # New TLS certificates for test-suite: all with SAN fields and SHA-256
      hash.
    # Tests: fixed tests on Darwin 22.x (Ventura).
    # Tests: redesigned one tests group to avoid stress-testing of the OS.

    -- Evgeny Grin (Karlson2k)

Sun 26 Feb 2023 17:49:30 CET
Released GNU libmicrohttpd 0.9.76 hotfix. -CG

    This is a hotfix release.
    This only change since previous release is fixed potential DoS vector
    in MHD_PostProcessor discovered by Gynvael Coldwind and Dejan
    Alvadzijevic (CVE-2023-27371).
    While the researchers have not been able to exploit this attack vector
    when libmicrohttpd is compiled with the standard GNU C library, it is
    recommended that you update MHD as soon as possible if your
    applications are using (optional) MHD_PostProcessor functionality.

    -- Evgeny Grin (Karlson2k)

Sun 26 Dec 2021 20:30:00 MSK
Released GNU libmicrohttpd 0.9.75 -EG

    This is a correction release.
    The main improvement is the implementation of workaround for some
    OSes (like OpenBSD 7) where "monotonic" clock may jump back. Now
    MHD is able to automatically detect such situation and recover if
    the jump is small. This workaround is needed with increased
    accuracy of connection timeout introduced in previous version, as
    with lower accuracy (v0.9.73 and before) these jumpbacks were
    unnoticeable.
    Other changes: fixed some compiler, Makefile, and configure
    warnings on specific platforms; one test further improved.

    -- Evgeny Grin (Karlson2k)


Sun 19 Dec 2021 18:30:00 MSK
Released GNU libmicrohttpd 0.9.74

    This release brings a lot of fixes and improvements, and
    important new features.
    The most significant addition is the new experimental
    implementation of WebSockets contributed by David Gausmann. This
    implementation is not fully tested yet so currently it is disabled
    by default.
    Other changes include a lot of improvements and clarifications
    in doxy comments in microhttpd.h header file, improved compliance
    with the RFC HTTP specifications, the new implementation of reply
    header forming, the new implementation of request chunked encoding
    parsing, new automatic error replies, internal optimisations, and
    many important fixes, including fixes for long-standing bugs.

    More detailed list of notable changes:

    API changes:
    + Added new function MHD_get_reason_phrase_len_for().
    + Added MHD_CONNECTION_INFO_HTTP_STATUS type of information
      queried by MHD_get_connection_info().
    + Added new response flag MHD_RF_SEND_KEEP_ALIVE_HEADER to force
      sending of "keep-alive" header even if not required by RFC.
    + Added new response creation function
      MHD_create_response_from_buffer_with_free_callback_cls() with
      custom cleanup callback.
    + Added new response flag MHD_RF_HTTP_1_0_COMPATIBLE_STRICT with
      the same functionality as existing MHD_RF_HTTP_VERSION_1_0_ONLY
      flag. The old flag will be deprecated.
    + Added new response flag MHD_RF_HTTP_1_0_SERVER with the same
      functionality as existing MHD_RF_HTTP_VERSION_1_0_RESPONSE flag.
      The old flag will be deprecated.

    New features:
    + Added experimental WebSockets extension with separate header.
      Disabled by default as it is not fully tested yet.
    + Added '--enable-sanitizers[=address,undefined,leak,user-poison]'
      configure parameter (instead of '--enable-sanitizer'),
      implemented custom memory poisoning for memory pools.

    Improvements and enhancements:
    * Doxy function descriptions was corrected, clarified, extended,
      and improved. Now it should be much easier to learn MHD just by
      reading the headers.
    * Completely rewritten reply header forming. New implementation is
      more robust, simpler maintainable and expandable, and better
      follows RFC HTTP specifications.
    * Performance improvements: now HTTP version and request method are
      decoded one time only (previously MHD used string comparison many
      times during processing the data).
    * Rewritten request chunked payload decoding. The new
      implementation better conforms to the HTTP RFC, detects format
      problems earlier, replies to the clients with description of
      detected problems, handles untypical (but syntactically correct)
      values properly.
    * Added special replies for wrong/unsupported HTTP versions in
      requests, broken HTTP chunked encoding in requests,
    * As required by HTTP RFC, added automatic error replies if client
      used broken chunked encoding, too large chunk size, too large
      payload size, or broken Content-Length header.
    * Optimized connection's memory pool handling.
    * Changed timeout precision from one second to one millisecond.
    * Added some checks for incorrect user data, reporting problems in
      MHD log.
    * Improved performance of hash calculations functions by using
      compiler built-ins (if available).
    * Implemented SHA-1 calculations (required for WebSockets).
    * Added universal MSVC project that works with any (sufficiently
      new) version of MSVC.
    * Developed simple HTTP client to test MHD under very special
      conditions.
    * Implemented 45 new tests.
    * Improved existing tests to test more aspects of MHD.
    * Added check for correct results of system and libcurl functions.
    * Response headers are checked during forming of responses.
    * HTTPS tests were improved.
    * Added rebuild on W32 of all required files if files are missing.
    * Many internal optimisations and improvements.

    Functionality changes:
    * Keep-alive header is omitted by default for HTTP/1.1 connections.
      Use of header can be enforced by response flag.
    * Chunked encoding is used for HTTP/1.1 non-keep-alive connections
      for responses with unknown size. Previously MHD used "indication
      of the end of the response by closing connection" in such cases,
      however it is not correct for HTTP/1.1 connections as per HTTP
      RFC.
    * As required by HTTP RFC, use HTTP/1.1 version instead of HTTP/1.0
      in reply headers when client is HTTP/1.0 . HTTP/1.0 version can
      be enforced by response flag.
    * User response headers are used in replies in the same order as
      was added by application.
    * Allowed tab characters in response header values.
    * All custom "Connection:" response headers are automatically
      combined into single "Connection:" header.
    * "keep-alive" token silently dropped from custom "Connection:"
      response header. "Keep-alive" cannot be enforced and used
      automatically if possible.
    * Allow tab character in custom response header value.
    * Disallow space character in custom response header value.
    * Do not allow responses with 1xx codes for HTTP/1.0 requests.
    * Detected and reported incorrect "Upgrade" responses.
    * W32 targets are changed to Vista+ by default. XP is supported
      still.

    Fixes:
    # Fixed short busy-waiting (up to one second) when connection is
      going to be expired and closed.
    # Fixed handling of errors during start of new connection, fixed
      inability to accept new connections in thread-per-connection mode
      due to the missing decrement of number of daemon's connections if
      start of new thread is failed.
    # Fixed incorrect parsing of LFLF, LFCR, CRCR, and bare CR as
      single linefeed in request header and request chunked payload.
      Now only CRLF or bare LF are recognized as linefeed.
    # Fixed response chunked encoding handling. Now it works properly
      with non-keep-alive connection, with fixed size replies (if
      chunked was enforced by header), and in other situations.
    # Other fixes for chunked replies.
    # Fixed handling of custom connection timeout in thread-per-
      connection mode.
    # Fixed wrongly used MHD_REQUEST_TERMINATED_COMPLETED_OK code for
      application notification when MHD_REQUEST_TERMINATED_WITH_ERROR
      code must be used.
    # Fixed code MHD_REQUEST_TERMINATED_READ_ERROR not reported (code
      MHD_REQUEST_TERMINATED_WITH_ERROR was incorrectly used instead).
    # Fixed handling of request chunked encoding with untypical
      formatting.
    # Fixed processing of last part of hex-encoded values under
      certain conditions.
    # Fixed value returned for MHD_CONNECTION_INFO_REQUEST_HEADER_SIZE.
    # Fixed returned value for MHD_FEATURE_AUTOSUPPRESS_SIGPIPE on W32,
      now it is MHD_YES as W32 does not need SIGPIPE suppression.
    # Fixed portability of bitwise NOT for enums values.
    # Fixed SHA-256 and MD5 calculations with unaligned data.
    # Fixed incorrect caseless matching for HTTP version.
    # Fixed incorrect caseless matching for request method.
    # Fixed compatibility with old GnuTLS versions.
    # Fixed compiler warnings on 32-bits platforms.
    # Fixed blocking sockets setting in tests and examples for W32.
    # Fixed examples to really use libmagic if present.
    # HTTPS tests were fixed.
    # Fixed libcurl test with case-insensitive match for HTTP methods,
      method names must use case-sensitive match.
    # Fixed tests compatibility with old libcurl versions.
    # Fixed build on W32 with llvm-dlltool (this tool is too 
      oversimplified)

    -- Evgeny Grin (Karlson2k)


Sun 25 Apr 2021 14:00:00 MSK
Released GNU libmicrohttpd 0.9.73

    This release brings new features, improvements, and a few fixes.
    The most important addition is the new function for vector-backed
    responses, based on the patch contributed by NASA engineers.
    Other changes include compatibility with autoconf 2.70+, improved
    testsuite compatibility with CI systems, fixed and improved MSVC
    builds, and implementation of ALPN support.

    More detailed list of notable changes:

    API changes:
    + Added new function MHD_create_response_from_iovec(), based on the
      patch provided by Lawrence Sebald and Damon N. Earp from NASA.
    + Added MHD_OPTION_SIGPIPE_HANDLED_BY_APP daemon option.
    + Added new function MHD_run_wait().
    + Added MHD_OPTION_TLS_NO_ALPN to disable usage of ALPN even if
      it is supported by TLS library.

    New features:
    + Added '--enable-heavy-tests' configure parameter (disabled by
      default).
    + Implemented support for ALPN.

    Improvements and enhancements:
    * Return timeout of zero also for connections awaiting cleanup.
    * Compatibility with autoconf >=2.70, used new autoconf features.
    * Warn user when custom logger option is not the first option.
    * Added information to the header about minimal MHD version when
      particular symbols were introduced.
    * Updated test certificates to be compatible with modern browsers.
    * Added on-fly detection of UNIX domain sockets and pipes, MHD does
      not try to use TCP/IP-specific socket options on them.
    * Report more detailed error description in the MHD log for send
      and receive errors.
    * Enabled bind port autodetection for MSVC builds.

    Fixes:
    # Fix PostProcessor to always properly stop iteration when
      application callback tells it to do so.
    # Fixed MD5 digest authorization broken when compiled without
      variable length arrays support (notably with MSVC).
    # Fixed detection of type of send errors on W32.

    -- Evgeny Grin (Karlson2k)


Mon 28 Dec 2020 21:36:00 MSK
Released GNU libmicrohttpd 0.9.72

    This release is mostly a bugfix release, with greatly improved
    compatibility with various OSes/kernels, including FreeBSD, Windows,
    OpenBSD, NetBSD, Darwin (macOS), Solaris. Performance is improved,
    especially with HTTPS connections and stay-alive HTTP connections.

    Notable changes since version 0.9.71:

    API changes:
    + New function MHD_create_response_from_pipe()

    Improvements and enhancements:
    * Fully rewritten code for buffering/pushing from kernel network buffers
      for compatibility with various OSes. Reduced number of additional
      sys-calls, network is better utilized, responses are delivered faster.
    * Restored optimal sendfile() usage on FreeBSD.
    * MHD now takes care about SIGPIPE handling by blocking it in internal
      threads and avoiding functions (like sendfile()) that could generate
      SIGPIPE when blocking of this signal is not possible.

    Fixes:
    # Fixed crash in PostProcessor.
    # Fixed several resources leaks in corner cases.
    # Improved thread sync, thread safety and fixed one use-after-free under
      special conditions during stopping of daemon.
    # Updated HTTP status codes, header names and methods from the
      registries.
    # Fixed functioning without listen socket and with internal threads.
    # Fixed streaming of chunked responses for both HTTP and HTTPS.
    # Various compatibility fixes.

    -- Evgeny Grin (Karlson2k)


Tue Jan  9 20:52:48 MST 2007
	Project posted.