December 05, 2015

We should have released sooner (due to #2670) - let’s hope we got it right this time :)

Important changes

  • mod_secdownload now requires an algorithm option to be set
  • fix a header parse bug (#2670)
  • sendfile support for darwin (just select “sendfile” as backend)


Changes from 1.4.37

  • [stat-cache] fix handling of collisions, might have returned wrong data (fixes #2669)
  • [core] allocate at least 4k buffer for incoming data
  • [core] fix search for header end if split across chunks (fixes #2670)
  • [core] check configparserAlloc() result with force_assert
  • [mod_auth] implement and use safe_memclear, using memset_s or explicit_bzero if available (thx loganaden)
  • [core] don’t buffer request bodies smaller than 64k on disk
  • add force_assert for many allocations and function results
  • [mod_secdownload] use a hopefully constant time comparison to check hash (fixes #2679)
  • [config] check config option scope; warn if server option is given in conditional
  • [core] revert increase of temp file size back to 1MB, provide a configure option “server.upload-temp-file-size” instead (fixes #2680)
  • [core] add ‘~’ to safe characters in ENCODING_REL_URI/ENCODING_REL_URI_PART encoding
  • [core] encode path with ENCODING_REL_URI in redirect to directory (fixes #2661, thx gstrauss)
  • [mod_secdownload] add required algorithm option; old behaviour available as “md5”, new options “hmac-sha1” and “hmac-sha256”
  • [mod_fastcgi/mod_scgi] zero sockaddr structs before use (fixes #2691, thx Kyle J. McKay)
  • [network] add darwin-sendfile backend (fixes #2687, thx Kyle J. McKay)
  • [core] show correct crypt support result (fixes #2690, thx Kyle J. McKay)
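
The [mod_secdownload] constant-time comparison item above (#2679), shown as an added example that is not lighttpd's own code: an early-exit byte comparison stops at the first mismatch, so its running time depends on how much of a guessed hash is correct, while the constant-time form always examines every byte. The function names and the sample values are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Early-exit comparison, instrumented: returns how many bytes were examined
 * before the loop stopped. The count tracks the position of the first
 * mismatch, which is what a timing observer can measure. */
static size_t leaky_compare_steps(const unsigned char *a,
                                  const unsigned char *b, size_t len) {
    size_t i;
    for (i = 0; i < len; i++) {
        if (a[i] != b[i]) return i + 1;
    }
    return len;
}

/* Constant-time comparison: always reads all len bytes and ORs the
 * differences together, so the work done does not depend on the data. */
static int ct_equal(const unsigned char *a, const unsigned char *b, size_t len) {
    volatile unsigned char diff = 0; /* volatile discourages early-out optimisation */
    size_t i;
    for (i = 0; i < len; i++) diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Hypothetical token check: `expected` is the hash the server computed,
 * `presented` is taken from the request. The length of the hash is public,
 * so rejecting on a length mismatch first reveals nothing secret. */
static int token_matches(const char *expected, const char *presented) {
    size_t n = strlen(expected);
    if (strlen(presented) != n) return 0;
    return ct_equal((const unsigned char *)expected,
                    (const unsigned char *)presented, n);
}

int main(void) {
    /* Constructed sample values, not real hashes. */
    const char *expected = "a1b2c3d4e5f60718";
    const char *early = "x1b2c3d4e5f60718"; /* wrong in first byte */
    const char *late  = "a1b2c3d4e5f6071x"; /* wrong in last byte */
    printf("early-exit steps: %zu vs %zu\n",
           leaky_compare_steps((const unsigned char *)expected, (const unsigned char *)early, 16),
           leaky_compare_steps((const unsigned char *)expected, (const unsigned char *)late, 16));
    printf("ct match: %d %d %d\n", token_matches(expected, expected),
           token_matches(expected, early), token_matches(expected, late));
    return 0;
}
```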