1.4.41

July 31, 2016

Important changes

  • security fixes
  • fix bugs introduced in 1.4.40

Highlights

  • security fixes
    • security: encode quoting chars in HTML and XML
    • security: ensure gid != 0 if server.username is set, but not server.groupname
    • security: disable stat_cache if server.follow-symlink = "disable"
    • security: httpoxy defense: do not emit HTTP_PROXY to CGI env
  • fix bugs introduced in 1.4.40 (sorry)
    • bug: lighttpd 1.4.40 might leave client sockets in TIME_WAIT (FIN_WAIT_2)
    • bug: lighttpd 1.4.40 times out on TLS requests with POST data
    • bug: lighttpd 1.4.40 reversed REQUEST_URI/REDIRECT_URI (now reverted)
    • bug: lighttpd 1.4.40 rejects IPv6 addrs in $HTTP["remoteip"]
    • bug: lighttpd 1.4.40 rejects IPv6 addrs in $SERVER["socket"] scope identifier
    • bug: lighttpd 1.4.40 segfault in mod_accesslog if %T in custom format
    • bug: lighttpd 1.4.40 might trigger assert when converting to hex string
  • behavior changes
    • new: use TMPDIR if server.upload-dirs is not defined, "/var/tmp" if neither
    • new: inherit server.use-ipv6 and server.set-v6only from global scope
    • reverted REQUEST_URI/REDIRECT_URI to match behavior in lighttpd <= 1.4.39
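The httpoxy item above is worth seeing in code. The following is an added example, not lighttpd source: it builds a CGI environment from request headers the way RFC 3875 prescribes (HTTP_ prefix, upper-case, hyphen to underscore, repeated headers joined with ", ") and applies the 1.4.41 defense of never exporting a client-supplied Proxy header as HTTP_PROXY, since HTTP client libraries inside the CGI child would read that variable as an outbound proxy setting. The function and variable names, the BLOCKED_CGI_VARS set and the sample request are all constructed for illustration.

```python
"""Added example (not lighttpd code): RFC 3875 header-to-environment
mapping with the httpoxy defense applied, plus a detection helper that
flags an environment which would leak HTTP_PROXY to a CGI child."""

from typing import Dict, Iterable, Tuple

# CGI variables that must never be exported to the child. lighttpd 1.4.41
# drops HTTP_PROXY; the set and its name are this example's own.
BLOCKED_CGI_VARS = frozenset({"HTTP_PROXY"})


def header_to_cgi_name(name: str) -> str:
    """'X-Forwarded-For' -> 'HTTP_X_FORWARDED_FOR' (RFC 3875, section 4.1.18)."""
    return "HTTP_" + name.strip().upper().replace("-", "_")


def build_cgi_env(headers: Iterable[Tuple[str, str]],
                  drop_proxy: bool = True) -> Dict[str, str]:
    """Map request headers to HTTP_* variables.

    drop_proxy=False reproduces the pre-1.4.41 behaviour (HTTP_PROXY is
    exported); drop_proxy=True is the hardened behaviour of this release.
    """
    env: Dict[str, str] = {}
    for name, value in headers:
        var = header_to_cgi_name(name)
        if drop_proxy and var in BLOCKED_CGI_VARS:
            continue
        # RFC 3875 allows repeated headers to be combined with ", ".
        env[var] = (env[var] + ", " + value) if var in env else value
    return env


def find_proxy_leak(env: Dict[str, str]) -> bool:
    """Detection helper: True if this environment would carry HTTP_PROXY."""
    return "HTTP_PROXY" in env


# Constructed sample request: a client sends a Proxy header alongside
# ordinary headers, including one that repeats.
SAMPLE_HEADERS = [
    ("Host", "www.example.com"),
    ("User-Agent", "curl/7.49"),
    ("Proxy", "http://proxy.example:8080"),
    ("Accept", "text/html"),
    ("Accept", "application/xml"),
]

if __name__ == "__main__":
    before = build_cgi_env(SAMPLE_HEADERS, drop_proxy=False)
    after = build_cgi_env(SAMPLE_HEADERS)
    print("pre-1.4.41 env leaks HTTP_PROXY:", find_proxy_leak(before))
    print("1.4.41 env leaks HTTP_PROXY:   ", find_proxy_leak(after))
    for k, v in sorted(after.items()):
        print(f"{k}={v}")
```

The same mapping rule is why the Proxy header is special: no other standard request header collides with an environment variable that client libraries interpret, so dropping HTTP_PROXY is sufficient and costs nothing, since there is no legitimate HTTP request header named Proxy.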

Future scheduled behavior changes in lighttpd 1.4.42

  • mod_ssi will set REQUEST_URI to original, client-requested URI
    to match behavior of mod_cgi, mod_fastcgi, mod_scgi, mod_cml

Changes from 1.4.40

  • remove long-deprecated, non-functional config opts
  • [config] inherit server.use-ipv6 and server.set-v6only (fixes #678)
  • [mod_auth] fix Digest auth to be better than Basic (fixes #1844)
  • [mod_ssi] fix #config sizefmt="bytes"
  • [autobuild] move inet_pton detection later
  • [core] #include <sys/filio.h> for FIONREAD (fixes #2726)
  • [autobuild] clock_gettime() -lrt with glibc < 2.17
  • [security] do not emit HTTP_PROXY to CGI env
  • [build_cmake] clock_gettime() -lrt w/ glibc < 2.17 (fixes #2737)
  • [core] avoid spurious trace and error abort
  • [core] stay in CON_STATE_CLOSE until done with req
  • [core] $HTTP["remoteip"] must handle IPv6 w/o []
  • [mod_status] show keep-alive status w/ text output (fixes #2740)
  • do not set REDIRECT_URI in mod_magnet, mod_rewrite (#2738)
  • revert 1.4.40 swap of REQUEST_URI, REDIRECT_URI (fixes #2738)
  • [core] permit IPv6 address scope identifier
  • [TLS] better handling of SSL_ERROR_WANT_READ/WRITE
  • [TLS] read all available records from SSL_read()
  • [core] try AF_INET after AF_INET6 if use-ipv6
  • [core] set chunkqueue tempdirs at startup
  • [security] ensure gid != 0 if server.username set (fixes #2725)
  • [security] disable stat_cache if !follow-symlink (fixes #2724)
  • [core] fix buffer_copy_string_hex() assert (fixes #2742)
  • [security] encode quoting chars in HTML and XML
  • [cmake] always define _GNU_SOURCE
  • [cmake] enable warnings for GCC and Clang
  • [cmake] set cmake_minimum_required to 2.8.2