2008-06-18  Oyvind Harboe

        * src/jim-aio.c (JimAioHandlerCommand): GCC 4.3.1 pointed out a
        buffer overrun.

2008-06-17  Anthony Tonizzo

        Jumbo patch containing many individual patches from a number of
        different contributors on different days. The ChangeLog entries for
        all these individual patches are:

2007-12-02  Anthony Tonizzo

        * src/socket.c src/httpd.c: Corrected a bug in
        cyg_httpd_write_chunked(): Now the CRLF that terminates a chunk is
        added by the function and not expected to be there already in the
        data supplied by the user.
        Modified the function cyg_httpd_end_chunked() so that the flag
        CYG_HTTPD_MODE_TRANSFER_CHUNKED is always cleared after it
        terminates.
        The cyg_httpd_process_request() now loops as many times as the
        number of full requests received.
        Renamed header_end to request_end to better reflect its real use,
        and the fact that the former name was misleading for POST requests
        (Danny Sade).
        Changed the function that collects a request: Now the remaining
        part of an incomplete request is copied back to the beginning of
        the buffer. This avoids that multiple split headers might creep
        towards the end of the buffer.

2007-11-28  Rene' Nielsen and Anthony Tonizzo

        * doc/athttpd.sgml: Included Digest (MD5) authentication as fully
        supported.
        * cdl/httpd.cdl: Updated the cdl to reflect the fact that MD5
        authentication is now a fully tested feature, at least on some
        clients (Thanks to Tad for testing this!)
        * src/httpd.c: Added the initialization of the global variable
        cyg_httpd_md5_response. This corrects a security hole that could
        allow unauthenticated browsers to access pages that require
        authentication. This required a minor change (switch of variables
        used) in the authentication code.
        Added code to avoid a buffer overflow during the parsing of headers
        for authenticated pages.
        Clear the CYG_HTTPD_MODE_SEND_HEADER_ONLY at the beginning of any
        request.
        * src/auth.c: Removed dead code and made static a bunch of
        functions and variables.
        * src/auth.h: The AUTH_STORAGE_BUFFER_LENGTH value is now split
        into two numbers, one that gives the maximum length of the login
        phrase and one for the password.
        * src/socket.c: Added a NULL terminator after each header packet
        that is received. Now the strstr() is guaranteed to find a
        terminated string.

2007-11-27  Tad Artis

        * src/auth.c: Modified the cyg_httpd_digest_data() and
        cyg_httpd_digest_skip() functions to support IE7. A careful read of
        the augmented BNF in RFC2616 indicates that spaces within the
        elements of the authentication header are optional. The original
        atHTTPD code incorrectly relied on a space after the comma.
        Moved the authentication check inside cyg_httpd_process_method() so
        that each request, regardless of the type, will have to go through
        authentication.

2007-11-26  Tad Artis and Anthony Tonizzo

        * src/forms.c: Checked for a null terminator inside
        cyg_httpd_store_form_variable, so that we do not scan past the end
        of the packet.
        Check the form variables for both length and content, to avoid
        false positives.
        Modified cyg_httpd_from_hex() to return -1 in case of error.
        * src/httpd.c: Corrected the strings sent back by the server to
        challenge the client to an MD5 authentication. Adds a couple of
        commas to separate the items in the string.
        * src/http.h:
        * src/socket.h: Corrected a number of indexes where
        CYGNUM_FILEIO_NFILE was used instead of the correct
        CYGPKG_NET_MAXSOCKETS.

2008-03-04  Danny Sade

        * src/socket.c: put NULL at the end of inbuff on each iteration,
        preventing strstr from looking at old data beyond inbuffer_len

2007-11-12  Oyvind Harboe
2007-11-12  Jonathan Larmour

        * doc/athttpd.sgml: added an example of a tcl script.
        * src/http.c, forms.c: serve cgi requests before file system
        requests, that way it isn't possible to download the actual cgi/.o
        script and cgi works even if the http root directory is above the
        cgi directory.
        * src/http.c: if only tcl cgi is enabled, cgi requests are now
        forwarded to tcl
        * include/jim.h: include file order fix; now compiles again.
        * doc/athttpd.sgml: Fixed typos in doc. Return value from handler
        is not used, recommend returning 0 in doc.

2006-12-03  Anthony Tonizzo

        * cdl/httpd.cdl: Corrected a CDL error in the requirements of
        CYGOPT_NET_ATHTTPD_USE_FS

2006-11-27  Jonathan Larmour

        * cdl/httpd.cdl: Improve CDL dependencies.

2006-11-08  Anthony Tonizzo

        * doc/athttpd.sgml: Updated to describe latest changes and
        corrected minor typos.
        * src/http.c: Check for "Content-Type" header. This is needed if we
        want to support parsing form variables in POST requests.
        * src/jim.c: Updated with latest release from Jim CVS.
        * src/cgi.c: streamlined cyg_httpd_exec_cgi_tcl(), now uses the
        'source' command of tcl to execute a tcl script.
        * src/forms.c: Modified cyg_handle_method_POST so that the
        variables in the payload are scanned only if the request has a
        Content-Type of 'application/x-www-form-urlencoded'
        * src/jim-aio.c: Added to package. Now tcl has IO functions to
        access a file system.
        * include/httpd.h: Added a new mode, CYG_HTTPD_MODE_FORM_DATA which
        is set when a POST request has a Content-Type of
        'application/x-www-form-urlencoded'

2006-10-16  Lars Povlsen and Anthony Tonizzo

        * cdl/httpd.cdl: add CYGOPT_NET_ATHTTPD_CLOSE_CHUNKED_CONNECTIONS.
        Default is set to CLOSE, so it is backward compatible with previous
        versions of the browser.
        * src/socket.c: cyg_httpd_process_request() uses a loop to collect
        at least one full frame (until a header terminator is found),
        cyg_httpd_start_chunked() only close if configured to do so.
        * src/httpd.c: Overhaul of cyg_httpd_send_error to avoid the use of
        inbuffer as temporary storage (conflicts with pipelined frames),
        removed the option to send a page after calling a C language
        handler
        * include/httpd.h: Added a new mode, CYG_HTTPD_MODE_NO_CACHE

2006-10-12  Lars Povlsen and Anthony Tonizzo

        * cdl/httpd.cdl: add CYGNUM_ATHTTPD_SERVER_MAX_POST to limit
        POST'ed data
        * include/http.h: Added header_end, post_data fields to httpstate,
        Added "302 Found" for POST handler redirect
        (CYG_HTTPD_STATUS_MOVED_TEMPORARILY)
        * src/forms.c: Fixed variable decoding, fixed large POST processing
        * src/http.c: Fixed some debug outputs, cleanup after POST
        processing, overhaul of the pipelined requests code which can now
        handle multiple requests per frame.
        * src/socket.c: Removed assert for socket write failure,
        Accumulating receiving of requests (Browsers (Firefox) may pass
        partial headers in separate fragments). Fixed some diagnostics
        output.

2006-07-19  Anthony Tonizzo and Sergei Gavrikov

        * cdl/httpd.cdl:
        * doc/athttpd.sgml: Corrected some typos and rectified some
        omissions.
        * include/jim.h: Added an inline to Jim_InitExtension()
        * src/cgi.c: used malloc() instead of cyg_ldr_malloc();
        * src/forms.c: Added a #define to be able to use the TCL scripting
        without OBJLOADER
        * src/http.c:
        * src/socket.c: Lots of typos stamped out, and some better comments
        too.

2006-07-19  Anthony Tonizzo

        * src/socket.c: Corrected a typo that generated an assertion.
        Modified slightly the source of cyg_httpd_write and
        cyg_httpd_writev to make the code more consistent as to when
        assertions are thrown.

2006-07-19  Sergei Gavrikov

        * doc/athttpd.sgml: jade doesn't allow underscores in id
        attributes, so fix.

2006-07-18  Jonathan Larmour

        * cdl/httpd.cdl: Add -D __ECOS in compiler flags.
        Change include_dir to cyg/athttpd.
        Rename all CDL options from *_HTTPD_* to *_ATHTTPD_*.
        * All files: Rename cyg/httpd include directory to cyg/athttpd.
        Rename all CDL options from *_HTTPD_* to *_ATHTTPD_*.
        * doc/athttpd.sgml: Document MD5 algorithm licensing.
        * src/socket.c: Remove unused SNTP include.

2006-06-13  Anthony Tonizzo

        * cdl/httpd.cdl:
        * doc/athttpd.sgml:
        * doc/mime_types.txt:
        * include/auth.h:
        * include/cgi.h:
        * include/digcalc.h:
        * include/forms.h:
        * include/global.h:
        * include/handler.h:
        * include/http.h:
        * include/jim.h:
        * include/md5.h:
        * include/socket.h:
        * src/auth.c:
        * src/cgi.c:
        * src/forms.c:
        * src/handler.c:
        * src/http.c:
        * src/jim.c:
        * src/md5c.c:
        * src/socket.c:
        Created ATHTTPD package.

//===========================================================================
//####ECOSGPLCOPYRIGHTBEGIN####
// -------------------------------------------
// This file is part of eCos, the Embedded Configurable Operating System.
// Copyright (C) 2005, 2006 eCosCentric Ltd.
//
// eCos is free software; you can redistribute it and/or modify it under
// the terms of the GNU General Public License as published by the Free
// Software Foundation; either version 2 or (at your option) any later version.
//
// eCos is distributed in the hope that it will be useful, but WITHOUT ANY
// WARRANTY; without even the implied warranty of MERCHANTABILITY or
// FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
// for more details.
//
// You should have received a copy of the GNU General Public License along
// with eCos; if not, write to the Free Software Foundation, Inc.,
// 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA.
//
// As a special exception, if other files instantiate templates or use macros
// or inline functions from this file, or you compile this file and link it
// with other works to produce a work based on this file, this file does not
// by itself cause the resulting work to be covered by the GNU General Public
// License. However the source code for this file must still be made available
// in accordance with section (3) of the GNU General Public License.
//
// This exception does not invalidate any other reasons why a work based on
// this file might be covered by the GNU General Public License.
//
// -------------------------------------------
//####ECOSGPLCOPYRIGHTEND####
//===========================================================================