forked from hoytech/antiweb
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathCHANGELOG
294 lines (257 loc) · 12.7 KB
/
CHANGELOG
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
4.0BETA19
* Bugfix: Launch script's -reopen-log-files switch invoked a non-existent
function and was therefore broken. Thanks to primus for discovering this.
* Bugfix: Antiweb incorrectly sent a 403 forbidden response when serving an
index file from a directory that wasn't world readable. Only a directory
listing from such a directory should be forbidden. Thanks to primus for
the bug report and the initial patch.
4.0BETA18 Aug 10, 2010
* Port: SBCL support.
* Security: Fixed Denial Of Service bug where a request to an AWP file
could cause the worker to exit, interrupting connections being handled
by that worker process.
* Security: Fail-safe checks to ensure we don't apply CGI or regular
file code to a non-regular file. There is other code that prevents this,
but these checks are in case that code changes or is manipulated by
extensions.
* Change: Current directory path segments like /./ are no longer allowed.
4.0BETA17 Jul 17, 2010
* Bugfix: Don't print error message when closing a connection to an
attached antiweb process with control-D.
* Bugfix: Don't mask/mangle error message output if compiling or
loading a bundled dependency fails during build.
* Bugfix: If the hub process didn't daemonise cleanly, print out a
warning containing the exit status code.
* Bugfix: Work around ClozureCL's broken detsetf implementation which
was breaking the BerkeleyDB support. This work-around can be removed
when/if ClozureCL issue #436 is resolved.
* Change: When launching the hub in -nodaemon mode, the logger process
is also not daemonised.
* Feature: More debugging output in -nodaemon mode.
* Feature: Antiweb now supports user/group setups where the UIDs
and GIDs differ.
* Feature: There is now a script in packager/make-debian-package.pl
that creates .deb packages for easy antiweb deployment. It must be
run from a cloned antiweb git repo.
* Feature: More information on current antiweb installation are
included in -version output.
* Feature: Include Daniel Lowe's local-time library in the bundled/
software collection.
* Feature: Include Hans Hübner's yason library in the bundled/
software collection.
* Feature: New :html compile-time templating functionality for
AWP pages.
* Feature: In addition to the nil block, the AWP handler macros also
now wrap an :aw-handler block around the handlers so handlers can
either (return) or (return-from :aw-handler). This is useful if you
wish to return from inside a loop or other such form that installs
its own nil block.
4.0BETA16 Jan 17, 2010
* Bugfix: Prevent CMUCL from printing annoying Reloaded library
"libantiweb32.so" message on start-up.
* Feature: antiweb launch script shows usage() when given common
help style arguments like -h or --help.
* Feature: New antiweb launch script command -version which prints the
installed version of antiweb. If an option is passed to -version,
it will also connect to a worker or hub and determine the antiweb
version that process is actually running.
* Feature: awp-form-validation macro for back-end validation of AJAX
forms embedded into AWP pages.
* Feature: Improved output of syslog entries when a worker dies
because of an AWP error.
* Feature: :awp-failure-reaction xconf option to handlers in worker
conf files. This setting controls what happens when an unhandled
exception is raised during a request to an AWP file. Permitted
values are :die, :ignore-and-log-to-syslog, and
:ignore-and-log-to-syslog+browser.
* Change: The default value for :awp-failure-reaction used to be
the equivalent of :die. Now it is :ignore-and-log-to-syslog.
* Change: The config file rollback features have been removed. They
were making fine grained error handling more complicated.
* Change: The hub no longer tries to start multiple times if it
can't start initially.
* Change: New macro post-unwind-handler-bind. It is used the same
way as handler-bind, except that the stack will be unwound before
the handlers are executed. This means you cannot restart from
inside the body, but it also guarantees that unwind-protect forms
inside the body will be executed even if the handler terminates
the process. Handler-bind forms in antiweb.lisp that simply call
fatal were changed to reduce the chances of orphaning BDB locks.
4.0BETA15 Sep 12, 2009
* Bugfix: Don't allow already registered worker connection to
register another worker connection.
* Bugfix: Uses volatile sig_atomic_t for variables set inside
signal handlers (currently just time_for_a_reaping).
* Bugfix: Improved confusing log message when a worker requires a
worker cache but none is present.
* Bugfix: Support closures in install-hub-rewrite-host.
* Bugfix: SO_REUSEADDR wasn't being set properly so sometimes the
hub wouldn't restart until you waited for sockets to timeout.
* Change: Logging is now done by a separate logger process
which is connected to the hub. This is so that the hub process
never has to do blocking disk I/O. Furthermore, a compromised
hub process can no longer access previously created log files
because it is now chroot()ed to an empty directory.
* Change: git is now used for version control, not CVS.
* Feature: New warning flags variable for controlling warning
flags passed to gcc when compiling libantiweb.c.
4.0BETA14 Jun 14, 2009
* Bugfix: Sometimes a "Connection: close" header wouldn't be
sent when closing an HTTP connection.
* Bugfix: When the http dispatch function encounters an error
and there are no rollbacks installed, unwind the stack before
calling fatal.
* Bugfix: Worked around CMUCL "double install" annoyance by
modifying system::*global-table* before the image is saved.
* Feature: Major BerkeleyDB enhancements. DBs can now be
concurrently accessed from multiple Antiweb processes.
* Feature: New hub.conf xconf: install-hub-rewrite-host.
This option allows you to install a function in the hub
which routes requests to arbitrary virtual hosts.
* Feature: New worker.conf handler option :handle-all-hosts.
This causes the given handler to handle all virtual hosts
sent to it, even if they were not specified in :hosts.
* Feature: New function aw-fork-and-exec which is a simple
way to run external processes independent of the CGI system.
Zombies are reaped just like with CGI processes.
* Feature: Antiweb version is now displayed in -stats.
* Feature: Passwords are now hashed with 1000 iterations of SHA-1
in order to slow down offline password cracking in the event
that an Antiweb password database is stolen. This change makes
the current Antiweb incompatible with old password databases.
* Change: aw-128-bit-session-id renamed to aw-n-bit-session-id
and now returns lower-case IDs.
4.0BETA13 Feb 21, 2009
* Feature: Naked CGI scripts:
http://hoytech.com/antiweb/manual.awp/worker.html#NAKED-CGI
* Bugfix: In awp.lisp use valign=middle, not valign=center.
* Bugfix: Rare race condition that could cause workers to
fail an assertion and exit. Could only reproduce on FreeBSD.
* Bugfix: Send a 403 Forbidden if a directory in the HTML root
isn't readable instead of terminating worker.
4.0BETA12 Jan 13, 2009
* Feature: Optional Etag hashing for hiding inode information
in Etag headers.
* Feature: :accept-x-real-ip option added for handlers in
worker conf. This is so that reverse proxied connections
from a trusted IP can set an X-Real-IP header which will
contain the client's IP for logging purposes.
* Feature: :x-real-ip parameter for get and post handlers
in AWP pages.
* Docs: FAQ entry describing Etag hashing:
http://hoytech.com/antiweb/manual.awp/faq.html#ETAG-HASH
* Docs: Example nginx SSL reverse proxy configuration file:
http://hoytech.com/antiweb/manual.awp/faq.html#SSL-PROXY
4.0BETA11 Dec 30, 2008
* Port: ClozureCL support.
* Bugfix: ClozureCL sometimes wouldn't display statistics
because it didn't like us passing a "N/A" string to the
~1$ format arg in the stats function.
* Bugfix: The libantiweb shared library is now always compiled
as position independent code (gcc -fPIC).
* Feature: Added aw-bits variable. It is 32 on ILP32 machines
and 64 on LP64 machines (AW supports nothing else).
* Feature: Prints out architecture info detected during build.
* Feature: libantiweb.so is now installed as either
libantiweb32.so or libantiweb64.so, allowing both 32 and
64 bit Antiweb systems to be installed simultaneously.
* Feature: Lisp executable configuration variables added.
Now you can use lisp systems with custom executable names.
* Docs: Updated install docs about new libantiweb file names
and ClozureCL support.
* Docs: Documented local.lisp build configuration feature.
See faq.html#LOCAL-CONFIG.
* Docs: Updated faq.html#MULTIPLE-LISPS. Yes, you can run
some 32 bit processes and some 64 bit processes in the
same Antiweb system.
* Docs: Changed hyperspec links to lispworks.com because
lisp.org's are gone.
4.0BETA10 Dec 20, 2008
* Bug fix: If directory listings were enabled, requests for
CGI files using PATH_INFO would return 404.
* Bug fix: Now handles EINTR errors from open().
* Bug fix: No longer bother checking for EINTR errors
from close(). See the comment in the my_close() function
for details.
* Bug fix: Now handles errors like ECONNABORTED from accept().
* Bug fix: Now handles ECONNRESET from shutdown().
* Bug fix: Fixed rare "perfect storm" bug related to handling
EINTR signals wrong in the event loop.
* Feature: aw-bin-dir and aw-lib-dir are now variables
instead of constants so they can be overridden in
local.lisp.
* Feature: aw-mkdir-dash-p lisp wrapper for aw_mkdir_dash_p.
* Feature: Minor header file tweaks for FreeBSD support.
* Docs: Added instructions for the CMUCL "double install"
procedure to the manual. See install.html.
4.0BETA9 Nov 25, 2008
* Bug fix: jsmin.lisp used :overwrite where it should have
used :supersede which could cause corrupted javascript
files to be sent if :jsmin was enabled.
* Bug fix: When using jsmin.lisp, malformed javascript code
(unclosed comments and such) would throw an error and
terminate AW. Malformed javascript files are now sent
un-minified.
* Bug fix: When transfering a connection over a unix socket,
certain buffer sizes would cause an assertion to fail and
AW to terminate.
* Feature: Incorporated improved #>-reader into
bundled/lol.lisp from Martin Dirichs.
* Feature: Javascript code included in the :js-main fields
of AWP files is now minified.
* Feature: There is now a :cssmin option that is similar to
:jsmin. It uses Cal Henderson's CSS minification algorithm.
When :cssmin is enabled, CSS files in your HTML root are
minified, gzip compressed, and stored in the cache. :css
fields of AWP files are always minified.
* Feature: The antiweb Perl launch script now accepts the
option -eval. This option requires an argument. The
argument will be treated as a lisp expression and will
be evaluated by an antiweb lisp image. Once complete,
the lisp image will (quit).
4.0BETA8 Oct 27, 2008
* EAGAIN is always handled and logged.
* with-bdb-checkout API changes:
* Default is now :read-only t (use :write-out t)
* with-bdb-checkout is now a progn form
* :cached is gone
* bdb-get-all serialises keys now
* Added bdb-iterate and bdb-collect
* Can't use symbols in bdb keys now
* with-bdb-transaction no longer auto-checkpoints
* Added MIME type for .deb
* There is now an aw-extra-cflags parameter that can be
setq in local.lisp
* AWP cleaned up. See awp-reserved-options variable for
all the xconf options.
* $ip now holds client's IP in :rewrite phase
* ip can be used in get-handler and post-handler
* Added jsmin.lisp by Ury Marshak to bundled/
* Added :jsmin for automatic javascript minification
* axslogs now include referer and user-agent
4.0BETA7 Sep 29, 2008
* Uses either the kqueue() or epoll() stateful event APIs
in level-triggered mode
* 10,000 inactive keepalive connections consume about 3M
of userspace memory
* Connection sockets are transferred between processes with
sendmsg() for privilege-separated vhosts and SMP support
* Files are mmap()ed to avoid copying file data to userspace
* Vectored IO (aka scatter-gather IO) used everywhere
* Vhosts can be chroot()ed into separate roots
* Compromised vhosts can't intercept log messages created
by other vhosts or steal connections destined to other vhosts
* Every Antiweb process is separately exec()ed (not fork()ed) so
each has its own unique memory randomisation offsets
* Write direction of socket is shutdown() when closing connection
(required for HTTP/1.1 persistent connections)
* Native IPv6 support
* Conditional CGI/1.1 compliance
* CGI processes can be restricted with rlimits
* Directory listings
* Entity tags
* Gzipped encoded content is cached to the filesystem and then
served as static content
* Apache-like regexp-based rewrite module
* Memcached-like memory cache module
* Integrated BerkeleyDB support