Important changes
security fixes
fix bugs introduced in 1.4.40
Downloads
Highlights
security fixes
security: encode quoting chars in HTML and XML
security: ensure gid != 0 if server.username is set, but not server.groupname
security: disable stat_cache if server.follow-symlink = "disable"
security: httpoxy defense: do not emit HTTP_PROXY to CGI env
fix bugs introduced in 1.4.40 (sorry)
bug: lighttpd 1.4.40 might leave client sockets in TIME WAIT (FIN2_WAIT)
bug: lighttpd 1.4.40 times out on TLS requests with POST data
bug: lighttpd 1.4.40 reversed REQUEST_URI/REDIRECT_URI (now reverted)
bug: lighttpd 1.4.40 rejects IPv6 addrs in $HTTP["remoteip"]
bug: lighttpd 1.4.40 rejects IPv6 addrs in $SERVER["socket"] scope identifier
bug: lighttpd 1.4.40 segfault in mod_accesslog if %T in custom format
bug: lighttpd 1.4.40 might trigger assert when converting to hex string
behavior changes
new: use TMPDIR if server.upload-dirs is not defined, "/var/tmp" if neither
new: inherit server.use-ipv6 and server.set-v6only from global scope
reverted REQUEST_URI/REDIRECT_URI to match behavior in lighttpd <= 1.4.39
Future scheduled behavior changes in lighttpd 1.4.42
mod_ssi will set REQUEST_URI to original, client-requested URI
to match behavior of mod_cgi, mod_fastcgi, mod_scgi, mod_cml
Changes from 1.4.40
remove long-deprecated, non-functional config opts
[config] inherit server.use-ipv6 and server.set-v6only (fixes #678)
[mod_auth] fix Digest auth to be better than Basic (fixes #1844)
[mod_ssi] fix #config sizefmt="bytes"
[autobuild] move inet_pton detection later
[core] #include <sys/filio.h> for FIONREAD (fixes #2726)
[autobuild] clock_gettime() -lrt with glibc < 2.17
[security] do not emit HTTP_PROXY to CGI env
[build_cmake] clock_gettime() -lrt w/ glibc < 2.17 (fixes #2737)
[core] avoid spurious trace and error abort
[core] stay in CON_STATE_CLOSE until done with req
[core] $HTTP["remoteip"] must handle IPv6 w/o []
[mod_status] show keep-alive status w/ text output (fixes #2740)
do not set REDIRECT_URI in mod_magnet, mod_rewrite (#2738)
revert 1.4.40 swap of REQUEST_URI, REDIRECT_URI (fixes #2738)
[core] permit IPv6 address scope identifier
[TLS] better handling of SSL_ERROR_WANT_READ/WRITE
[TLS] read all available records from SSL_read()
[core] try AF_INET after AF_INET6 if use-ipv6
[core] set chunkqueue tempdirs at startup
[security] ensure gid != 0 if server.username set (fixes #2725)
[security] disable stat_cache if !follow-symlink (fixes #2724)
[core] fix buffer_copy_string_hex() assert (fixes #2742)
[security] encode quoting chars in HTML and XML
[cmake] always define _GNU_SOURCE
[cmake] enable warnings for GCC and Clang
[cmake] set cmake_minimum_required to 2.8.2
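The httpoxy defense listed above ("do not emit HTTP_PROXY to CGI env"), as an added example that is not lighttpd's own code: a CGI environment builder that maps request headers to HTTP_* variables and drops a client-supplied Proxy header. The struct hdr type, the function names and the sample request are assumptions constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed header type for this example; not lighttpd's data structure. */
struct hdr { const char *name; const char *value; };

/* CGI (RFC 3875) naming: "HTTP_" + header name, upper-cased, '-' -> '_'.
 * Returns 0 on success, -1 if the result does not fit in out. */
static int cgi_env_name(const char *hdr, char *out, size_t outsz)
{
    size_t len = strlen(hdr);
    if (len + 6 > outsz) return -1;            /* "HTTP_" + name + NUL */
    memcpy(out, "HTTP_", 5);
    for (size_t i = 0; i < len; i++)
        out[5 + i] = hdr[i] == '-' ? '_' : (char)toupper((unsigned char)hdr[i]);
    out[5 + len] = '\0';
    return 0;
}

/* Write "NAME=value" entries for the CGI child; returns how many were written.
 * The check runs on the converted name, so "Proxy", "proxy" and "PROXY" are
 * all dropped: HTTP clients used by CGI programs may read HTTP_PROXY as
 * their outbound proxy setting. */
static size_t build_cgi_env(const struct hdr *h, size_t n,
                            char env[][256], size_t max)
{
    char name[64];
    size_t count = 0;
    for (size_t i = 0; i < n && count < max; i++) {
        if (cgi_env_name(h[i].name, name, sizeof(name)) != 0) continue;
        if (strcmp(name, "HTTP_PROXY") == 0) continue;   /* httpoxy defense */
        int w = snprintf(env[count], 256, "%s=%s", name, h[i].value);
        if (w > 0 && w < 256) count++;         /* skip entries that would truncate */
    }
    return count;
}

/* Constructed sample request headers. */
static const struct hdr sample[] = {
    { "Host", "www.example.test" },
    { "Proxy", "http://198.51.100.7:8080" },
    { "pRoXy", "http://198.51.100.7:8080" },
    { "User-Agent", "example-client/1.0" },
};
static char env_out[8][256];
int main(void) {
    size_t n = build_cgi_env(sample, sizeof(sample) / sizeof(sample[0]), env_out, 8);
    for (size_t i = 0; i < n; i++) puts(env_out[i]);
    return 0;
}
```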
Posted by gstrauss