Boa Webserver

Do You Feel the Need for Speed?
Larry Doolittle and Jon Nelson
23 Feb 2005 - Version 0.94.14rc21 released!
The gzip tarball (199,950 bytes) is here and the detached signature for the tarball is here.
The bzip2 tarball (165,622 bytes) is here and the detached signature for the tarball is here.
Version 0.94.14rc21 can be considered a cleanup release, in preparation for the final (really!) 0.94.14 copy. If no problems are found, expect that final release in a week or two. The code now passes modern GCC on 32-bit and 64-bit architectures with no warnings, even with the warning level turned insanely high (see GCC_FLAGS in src/Makefile.in).

The relevant additions to the changelog are:

 * shift from GNU Autoconf 2.58 to GNU Autoconf 2.59
 * increase warning level in GCC_FLAGS another notch
 * skip superfluous unsigned qualifier for char in get_alias_hash_value
 * skip check for error in umask(), since it doesn't happen
 * reorder read_config_files() and create_common_env()
 * drop incorrect preprocessor usage in TIMEZONE macro
 * make bloody sure default_type is set
 * correct error message in index_dir for .gz files
 * make mmap_cache 64-bit clean
 * try to deal with signed file offsets when using sendfile()
 * clean up signed/unsigned char issues in read_header()
 * use socklen_t where appropriate in request.c
 * call range_pool_empty() in response to SIGHUP
 * add more const qualifiers
 * eliminate signed/unsigned comparison warnings: change ka_timeout to signed
 * spelling fixes
 * miscellaneous whitespace changes
 * update Copyright dates
 * drop webindex.pl
        
10 June 2004 - Version 0.94.14rc20 released!
The gzip tarball (200,395 bytes) is here and the detached signature for the tarball is here.
The bzip2 tarball (166,433 bytes) is here and the detached signature for the tarball is here.
Version 0.94.14rc20 fixes an additional multi-range response bug found on June 8th, and a host of other small improvements. A potential invalid memory access has also been fixed. Lastly, the rpm spec files and support files have been made at least partially SuSE-aware. Many of the changes pertain to increasing use of splint.

The relevant additions to the changelog are:

 * fix potential NULL-pointer dereference in hash_insert, introduced
   in 0.94.14rc16.
 * try to make SuSE-ready:
   rpm/{boa.init, boa.init-redhat, boa.init-suse, boa.spec}
 * use S_ISREG combined with access(2) rather than
   using the statbuf stuff to determine if a cgi is accessible
 * optionally #define EXIT_FAILURE and EXIT_SUCCESS, and use them
   everywhere.
 * mark a few variables and functions 'static'
 * use %u instead of %d when printing an unsigned int
 * mmap returns void * not char *
 * change access_node->type to an enum
 * make boa.h #include 'config.h' *first*
 * use -1 instead of ULONG_MAX (that way, if the datatype ever changes,
   we always get its maximum)
 * fix bug in multiple non-contiguous range requests for files that
   use sendfile(2)
 * reduce some noise if a request in a keepalive chain is shut down
   without having read a single byte.
 * fix potential memory access bug in hashing
 * update config.sub and config.guess to the latest available
 * use CHANGES not ChangeLog
        
29 March 2004 - Version 0.94.14rc19 released!
The gzip tarball (198,058 bytes) is here and the detached signature for the tarball is here.
The bzip2 tarball (164,400 bytes) is here and the detached signature for the tarball is here.
Version 0.94.14rc19 fixes some multi-range responses, and adds a few otherwise minor detail changes and feature improvements. Most of the items below are general code readability improvements or refactoring. The only bugfixes in this release pertain to multi-part range responses, and one very small bug (Boa was being a bit too pedantic) regarding blank header values in headers; Boa now accepts the empty header value silently.

The relevant additions to the changelog are:

 * change many instances of log_error_mesg + send_r_error to boa_perror
 * set timezone right away at program startup
 * add new_clean_pathname from now-defunct 0.95 branch
   (unused via #if 0)
 * change common_cgi_env to be dynamically sized, using realloc.
 * add new keyword, CGIEnv, which takes 2 parameters and adds them as
   the key and value of another common environment variable for CGI.
   This item requires the previous change.
 * split modified_since into 2 routines:
   date_to_tm, which parses various date formats into a 'struct tm', and
   modified_since, which then just compares the struct tm to the
    items from a statbuf.
 * remove fake status codes R_413 and R_415, and manually set
   R_REQUEST_URI_TOO_LONG to 414 and R_INVALID_RANGE to 416
 * move CRLF macro definition to defines.h
 * use CRLF macro everywhere
 * don't print content-length in print_partial_content_continue
 * remove extra CRLF in print_partial_content_done
 * *do* print content-length in 206 response's "primary" headers IFF there
   is only 1 range.
 * move CRLF in 206 *after* to the print_partial_content_continue
 * in 503, remove \r from the human-readable message.
 * #define and use CRLF macro, fix some tabs/spaces issues
 * in date_to_tm, use 70 not 50 as the cutoff date (makes sense, 1970)
 * adapt some code from Squid to return -1 in date_to_tm on invalid dates
   (seconds > 59, etc...)
 * implement ConcealServerIdentity
 * treat headers with blank content as non-error but do not parse them
        
08 December 2003 - Version 0.94.14rc18 released!
The gzip tarball (195,950 bytes) is here and the detached signature for the tarball is here.
The bzip2 tarball (162,657 bytes) is here and the detached signature for the tarball is here.
This is 0.94.14rc18. This is a cleanup release, and is the result of continuing efforts to clean and improve the code. It is likely that the most important change is the last, pertaining to multipart range responses. I got the order of some responses wrong.

The relevant additions to the changelog are:

 * add log_error_mesg_fatal, which does log_error_mesg and then exits
 * fix malloc thinko in buffer code
 * use ULONG_MAX instead of -1 to describe unbounded ranges
 * log '-' instead of req->logline if req->logline is undefined
 * remove some superfluous send_r_error statements.
 * fix a logic inversion regarding QUIET_DISCONNECT
 * move rate limit code very slightly, and force http version of 1.0
 * move req->ka_count decrement out of sanitize_request
 * /always/ issue log_access in free_request
 * use BOA_FD_CLR to clear file descriptors out of the FD_SETs that
   they might be in.
 * disable keepalive when response status is 0 or >= 500
 * update a comment regarding the 100 Continue response
 * use BOA_READ and BOA_WRITE macros in select.c
 * backport (but leave it commented out) USE_SETRLIMIT stuff for cgi's
 * backport DEBUG debugging and logging code
   disable with --disable-verbose (worth about 4K of binary size)
 * split out usage and parsing commandline tasks into their own functions
   (usage and parse_commandline)
 * in poll.c, don't just check for BOA_READ, but handle all "error"
   conditions first, then check for /any/ revent.
 * force response code to 400 when client closes connection before request
   is fully read.
 * use code 408 to indicate timed-out response
 * use isalnum instead of isalpha to verify hostname as per Alan's
   suggestion
 * fix 2 copy-and-paste error messages in mmap_cache.c (error message
   was wrong)
 * add and use TIMED_OUT state for requests that time out.
 * reset signals (in child process) after forking for CGI
 * fix multipart range responses
          
24 March 2003 - Updates to uClinux info
Corrected the location of uClinux.
11 March 2003 - Version 0.94.14rc17 released!
The gzip tarball (172,209 bytes) is here and the detached signature for the tarball is here.
The bzip2 tarball (145,438 bytes) is here and the detached signature for the tarball is here.
This is 0.94.14rc17. This is a cleanup release, and is the result of continuing efforts to clean and improve the code.

The relevant additions to the changelog are:

 * #define QUIET_DISCONNECT to silence read and write errors to client
 * when range requests are determined to be invalid, use log_error_doc
 * make log messages when URI contains invalid characters or doesn't
   start with a '/' less scary
 * if creating a temporary file, or setting it to close-on-exec fails,
   send_r_error
 * if key or value for an http header is invalid, log it.
 * be more strict with range parsing
 * handle 0-byte sendfile attempt better
          
22 February 2003 - Version 0.94.14rc16 released!
The gzip tarball (171,296 bytes) is here and the detached signature for the tarball is here.
The bzip2 tarball (144,827 bytes) is here and the detached signature for the tarball is here.
This is 0.94.14rc16. This is a cleanup release. An extensive effort was made to generally improve the code.

The relevant additions to the changelog are:

 * be more stringent about verifying that all of the proper variables got
   allocated in create_common_env
 * when unable to add an environment to the CGI space, note what the key
   and values are to the error log.
 * use log_error_doc instead of log_error_time in some places
 * make sure to _exit if strdup fails in create_argv
 * DO NOT accept control characters in the http header stream
 * DO NOT accept control characters in the decoded URI
 * warn when the hash function is sent a NULL or empty value
 * warn when find_alias is sent a uri_len of 0.
 * clean up and fix some of the path construction code paths
 * add log_error_doc in some places
 * when checking for a user home dir, if the full URI is "/~" then
   log it and send back a bad request response
 * mild clean up of req_write_escape_html
 * refactor code so all hash functions start with hash
 * check for and complain about empty or NULL keys and values
   in the various hash functions
 * change the maximum number of environment variables to 100 from 50
          
18 February 2003 - Version 0.94.14rc15 released!
The gzip tarball (170,118 bytes) is here and the detached signature for the tarball is here.
The bzip2 tarball (143,735 bytes) is here and the detached signature for the tarball is here.
This is 0.94.14rc15. This is a very important release. A segmentation fault problem was discovered that could be triggered from the network, causing a Denial of Service. We do not think this is normally exploitable outside of a DoS. There are a few minor fixes and improvements as well, but all users of the 0.94.14rc series should upgrade to 0.94.14rc15 as soon as possible.

The relevant additions to the changelog are:

 * fix a potential NULL-pointer dereference when generating
   CGI environment variables *and* we are extremely low on memory
 * when unable to set new sockets to non-block or close-on-exec, don't
   just warn, also close it down and place on the free list.
 * use log_error_doc in some places instead of log_error_time
 * clean up logline parsing.  This fixes a potential sigseg!
 * fix use of ACCEPT_ON #define in process_option_line
          
17 February 2003 - Problem Solved
Thanks again to one of our users, we think we've tracked down the problem, and it affects all versions of Boa starting with 0.94.14rc4. (four, not fourteen). The problem is a potential *huge* memcpy and overwriting of memory. We don't know if the problem is exploitable for other than DoS. All 0.94.14 release candidates have been pulled.
13 February 2003 - Problem with 0.94.14*
An unknown problem with 0.94.14* was just reported by one of our users. Until the nature of the problem can be determined, it is recommended that everyone continue using 0.94.13.
7 February 2003 - Version 0.94.14rc14 released!
The gzip tarball (169,464 bytes) is here and the detached signature for the tarball is here.
The bzip2 tarball (143,343 bytes) is here and the detached signature for the tarball is here.
This is 0.94.14rc14. This is a minor cleanup of rc13.

The relevant additions to the changelog are:

 * fix more spelling errors (LRD) and remove use of const int
 * better sa_family_t detection on *BSD (Peter Pentchev)

Also, if anybody can provide us with documentation on how sendfile on Solaris works, that would be cool.
Another note: I (JDN) spent quite a bit of time cleaning up the documentation, which I had turned into DocBook XML. You can find the alternate form of the documentation in html form here. Note that the documentation is now covered under the GFDL. No determination has been made as to whether the texinfo docs will continue to be maintained, the DocBook XML will replace it, or some other course of action will occur. We'd be interested in your comments.
23 January 2003 - Version 0.94.14rc13 released!
The gzip tarball (169,280 bytes) is here and the detached signature for the tarball is here.
The bzip2 tarball (142,929 bytes) is here and the detached signature for the tarball is here.
This is 0.94.14rc13. This release improves select and poll somewhat, and helps to avoid out-of-file errors as well. It also fixes the __func__ support introduced with rc12.

The relevant additions to the changelog are:

 * force select and poll to always be included in dependency stuff
 * fix use of HAVE_FUNC
 * if FD_SETSIZE is undefined, set MAX_FD to OPEN_MAX instead of
   arbitrarily setting it to 2048.
 * improve the poll code slightly
 * give Boa more breathing room WRT MaxConnections and total current
   connections -- currently simply set at 20.
 * forcibly clear the server_s from the block_read_fdset when it won't
   be checked.

22 January 2003 - Version 0.94.14rc12 released!
The gzip tarball (168,737 bytes) is here and the detached signature for the tarball is here.
The bzip2 tarball (142,721 bytes) is here and the detached signature for the tarball is here.
This is 0.94.14rc12. This is pretty much a minor clean up release -- a new directive, 'DefaultCharset' has been added, boa.texi has been updated to include some missing directives, and some otherwise fairly minor changes have been made.

The relevant additions to the changelog are:

 * check for and use __func__, a C99 construct that is used
   in the DIE and WARN macros to also describe the name of the current
   function.
 * fix a very minor IPv6 issue, and include netdb.h in compat.h so that
   NI_MAXHOST is defined for IPv6
 * when we can't mmap a file, fall back to IOSHUFFLE.  If we couldn't
   mmap the file due to an error in mmap or madvise, report the error,
   otherwise it is safe to assume we simply ran out of hash table space.
 * The following 2 changes borrowed from Hydra (which is itself
   based on Boa):
   * Some optimizations in HTTP header parsing.
   * Added DefaultCharset configuration directive. The default
     character set given, will be appended to all text mime types.
 * update boa.texi with some missing configuration directives

14 January 2003 - Version 0.94.14rc11 released!
The gzip tarball (166,649 bytes) is here and the detached signature for the tarball is here.
The bzip2 tarball (141,368 bytes) is here and the detached signature for the tarball is here.
This is 0.94.14rc11 - 'HEAD' method is back, and the annoying "connection timed out bug" is also fixed. Also, a *huge* (54KB) patch went in to change many signed ints to unsigned ints, add the "const" and "static" keywords where appropriate, and make otherwise very few changes.

The relevant additions to the changelog are:

 * fix 'HEAD' requests (bug introduced in rc6)
 * *huge* patch to try to eliminate shadow variables, use unsigned ints
   instead of signed ints, and "const" where appropriate.

10 January 2003 - Version 0.94.14rc10 released!
The gzip tarball (166,403 bytes) is here and the detached signature for the tarball is here.
The bzip2 tarball (140,923 bytes) is here and the detached signature for the tarball is here.
This is 0.94.14rc10 - A few bugs found and squished, and some other improvements.

The relevant additions to the changelog are:

 * change to using PF_ prefix instead of AF_ prefix (PF_ is POSIX?)
 * fix copying too-much-memory (read-side, write-side was OK) in
   ascii_sockaddr.  Also optimize slightly (note, may actually be a wee
   slower due to strlen check -- is there a way around this?)
 * fix a few shadow variable problems and improve select and poll loops
 * check for and use madvise (may or may not help)
 * update depends (the cause of SIGSEGs when ./configure was re-run to
   switch from select to poll, *without* running make clean)
 * always remove select.o and poll.o (and access.o) because these are
   the usual conditional files.
 * if we aren't using IPv6, define BOA_NI_MAXHOST to 20. 1025 is
   far too huge for a single IPv4 IP address in dotted-quad notation.
 * move access_init to earlier in the config reading
 * allow a MAX_FILE_MMAP value of 0 to mean "always mmap"

1 January 2003 - Version 0.94.14rc9 released!
The gzip tarball (166,655 bytes) is here and the detached signature for the tarball is here.
The bzip2 tarball (140,212 bytes) is here and the detached signature for the tarball is here.
This is 0.94.14rc9 - a few changes to the configure system, completely rewritten loops for select and poll, and much better support for ranges in requests. A few bugs fixed.

The relevant additions to the changelog are:

 * fix reversed argument passing in add_mime_type
 * disable-gunzip support
 * capitalization changes, etc.. to configure.in
 * use slightly newer AC_DEFINE 3-argument style in configure.in
 * add new member of struct, bytes_written, and use it to more accurately
   report the number of bytes actually written to the socket.
 * When sendfile(2) reports ECONNRESET treat it like EPIPE, which is to
   say silently shut it down and don't be noisy about logging it.
 * wrap sa_family_t typedef in
   #ifdef DONT_HAVE_SA_FAMILY_T
   to deal with non-POSIX (1g) systems (Cygwin?)
 * add req->bytes_written member variable, and use it instead of filepos
 * apply Peter Korsgaard's "configure --help" patch
 * apply Peter Korsgaard's "configure --disable-gunzip" patch
 * use newer 3-argument AC_DEFINE
 * update config.sub and config.guess
 * clean up and update configure.in somewhat
 * don't close stderr in terminal signal handlers
 * free range pool and server_name in (final) sigterm handler
 * refactor select and poll loops

13 December 2002 - Version 0.94.14rc8 released!
The gzip tarball (163,202 bytes) is here and the detached signature for the tarball is here.
The bzip2 tarball (137,559 bytes) is here and the detached signature for the tarball is here.
This is 0.94.14rc8 - one more range related fix, Linux only when using sendfile, and file was > 100K, and range *started* after 0 bytes. Also a few *BSD fixes, basic access by sunsite.dk (note, it's disabled by default, would someone else please look through it?), and finally a few fixes: one for a backwards ordering in the add_mime_type function, and a fix for the check-for-broken-setuid check in boa.c -- root *is* a legal user. This release also includes some sprintf removals -- I think it won't be long before boa starts using a string library of some kind, probably something in-house, possibly patterned after a djb-like string handling mechanism, or perhaps the string mechanism used by GNUTLS.
24 November 2002 - Version 0.94.14rc7 released!
The gzip tarball (160,521 bytes) is here and the detached signature for the tarball is here.
The bzip2 tarball (135,601 bytes) is here and the detached signature for the tarball is here.
This is 0.94.14rc7 - several 'range'-related bug fixes, including an inadvertent memory overwrite resulting in eventual corruption -- introduced in rc4 or rc5. Please give this a thorough testing, as this includes "range" (resume) support.
23 November 2002 - Version 0.94.14rc6 released!
The gzip tarball (160,493 bytes) is here and the detached signature for the tarball is here.
The bzip2 tarball (135,736 bytes) is here and the detached signature for the tarball is here.
This is 0.94.14rc6 - changes include fixes to Range support, support for Range with large files on non-Linux platforms, and some Range-related bugfixes. Please give this a thorough testing, as this includes "range" (resume) support.
22 November 2002
Try not to use 0.94.14rc5 for now, jnelson found some annoying bugs in it. Fixes are forthcoming.
20 November 2002 - Version 0.94.14rc5 released!
The gzip tarball (160,276 bytes) is here and the detached signature for the tarball is here.
The bzip2 tarball (135,480 bytes) is here and the detached signature for the tarball is here.
This is 0.94.14rc5 - changes include:
 * update specfile (thanks to Supreet Sethi via SourceForge)
 * support optional config file name argument
 * tentatively support Ranges
Please give this a thorough testing, as this includes "range" (resume) support. (At least, for all platforms, and for files > 100K, on Linux).
29 October 2002 - Version 0.94.14rc4 released!
The gzip tarball (157,830 bytes) is here and the detached signature for the tarball is here.
The bzip2 tarball (133,834 bytes) is here and the detached signature for the tarball is here.
This is 0.94.14rc4 - changes include:
 * add conditional support for http/1.1
 * replace many #defines with enumerations
Note - no range support is included quite yet, but it's very close. It's very likely that the next version will support range and multipart/range.
26 October 2002 - Version 0.94.14rc3 released!
The gzip tarball (154,366 bytes) is here and the detached signature for the tarball is here.
The bzip2 tarball (131,369 bytes) is here and the detached signature for the tarball is here.
This is 0.94.14rc3 - changes include a fix to aliasing introduced in 0.94.14rc2, and some small backports from 0.95 to aid debugging. The backported code makes no run-time changes unless you edit the source file.
26 October 2002 - Version 0.94.14rc2 released!
The gzip tarball (154,054 bytes) is here and the detached signature for the tarball is here.
The bzip2 tarball (131,050 bytes) is here and the detached signature for the tarball is here.
This is 0.94.14rc2 - the only change is a revised configuration parsing system which no longer relies on lex or yacc -- there are simply too many incompatible versions out there. I also ran the source through 'indent' again.
20 October 2002 - Version 0.94.14rc1 released!
The gzip tarball (154,709 bytes) is here and the detached signature for the tarball is here.
The bzip2 tarball (133,006 bytes) is here and the detached signature for the tarball is here.
Boa 0.94.14 incorporates many features that have been waiting for quite some time, not the least of which is a stab at name-based virtualhosting, sendfile support (on Linux), much better cross-platform compilation, better heavy-load performance, poll(2) support, many tweaks and a good dose of fine-tuning. The default behavior for Boa has not changed substantially, so most people should have a completely seamless upgrade, but the new functionality is there for people to use. Note one bonus is now being able to use Boa with supervise from daemontools or freedt.
The ChangeLog entries for 0.94.14rc1 are as follows:
** Changes from 0.94.13 to 0.94.14
 * SUBSTANTIALLY UPDATE AUTOCONF SYSTEM
   - all of the autoconf stuff is now located in the top level
     directory, and creates the appropriate Makefiles for building
     the system and documentation.
 * add [optional, Linux-only] check for sendfile system call
 * add new state, IOSHUFFLE, which utilizes sendfile (or
   emulates it using the request's buffer, otherwise)
 * make the default socket size 32K.  The client_stream_size stays constant
   at 8K, and the new 'buffer' size is 4K
   Note also that the new code uses the "default" socket buffer size
   it obtains with the first accept()ed socket.
 * use setjmp, instead of sigsetjmp (we don't mess with the signal mask
   so why bother!  it's one less syscall)
 * explicitly set pending_requests to 0 in select.c when sigterm_flag has
   been set, and also when the server socket is *not* set despite checking
   for it.
 * make default behavior be to leave stderr alone, but tie it
   to cgilog otherwise
 * add initial vhost_root support
 * remove support for normalize_path
 * use --disable-sendfile to disable sendfile support
   sendfile support for files > 100K is default, now.
   It's significantly faster and easier than the alternative
 * add "Host" header support to CGI environment
 * umask ~0770 before exec
 * backport hash.c from 0.95 and use fnv1a hash (see CREDITS)
 * don't set stderr close-on-exec
 * make some minor but very useful optimizations in the read/write
   loop for CGIs
 * make some adjustments for Solaris and other platforms
 * add yyerror function definition to boa_lexer.l
 * tie stdout to the access_log, unless there is no access_log,
   in which case tie it to /dev/null
 * use sensible defaults for umask (077) and (027 for CGI)
 * add and document new parameters (CGILog and CGIumask)
 * vast improvements to the cgi-test.cgi program, by Jon Nelson
   and Landon Curt Noll.
 * next 3 items by Don Mahurin (patches modified somewhat):
 * pidfile patch
 * default mime_types patch
 * NCSA environment variables wrapped in
   #ifdef USE_NCSA_CGI_ENV
 * fix some escaping issues with the directory indexer
   (Ulf Harnhammar)
 * backport poll support from 0.95
October 4-5 2002 - Developer's Conference 2002!
Larry and one of his sons stayed at Jon's house October 4-5, 2002. While the reasons were unrelated to Boa development, and in fact Larry and Jon spent only a few hours discussing Boa, computers, and the Free World, it seemed appropriate to refer to the event as a Developer's Conference. Here is a picture of Larry and Jon at Jon's house. (Left to right: Jon, Larry). Please forgive my really bad digital camera.
30 July 2002 - Version 0.94.13 released!
The tarball (122,066 bytes) is here and the detached signature for the tarball is here.
Boa 0.94.13 is primarily a "clean up" release, which means that most of the changes made are to improve the overall quality of the code, without introducing many new features. There are some bug fixes, and some new features, but the overall changes have been to do a better job of checking the results of system calls and memory allocations.
The ChangeLog entries for 0.94.13 are as follows:
** Changes from 0.94.12 to 0.94.13
 * Change many instances of log_error_mesg + exit to DIE macro
 * Change all instances of log_error_mesg (without exit) to WARN macro
 * do a much better job of checking return values from malloc and
   especially strdup.
 * check results of calling umask and getrlimit
 * server_s is no longer a global int
 * check results of fork via switch instead of if (fork())
 * check for getopt.h and include it if found
 * remove unused #defines, and add WARN macro, and replace
   many calls to log_error_mesg(..) with WARN macro
 * fix bug in get_commonlog_time where time_offset calculation was
   the opposite of what it should be ('-' and '+' were swapped)
 * fix compatibility bug with old and newer versions of flex/yacc
 * add check for AC_FUNC_MMAP to configure.in
 * fix really lame thinko in normalize_path, which would prepend the
   results of earlier calls to results from later calls
 * Add MaxConnections, a configuration directive which allows the
   user to specify the maximum number of connections that Boa will
   accept concurrently.
 * add SERVER_ADDR and REQUEST_URI to environment of CGI
 * handle SIGBUS during writes of data that has been memory mapped
 * minor optimization in select.c that prevents DEAD requests from
   being added to the block set
 * fix bug in CGI environment script_name - closes sf.net bug #576725
 * make 'status' variable local to requests.c, not local to every file
   by forgetting to declare 'extern' in globals.h :-|
 * make getsockname non-fatal, and do it every time because we may
   need it for the CGI
 * some minor refactoring optimizations in hash.c

4 May 2002 - Version 0.94.12 released!
The tarball (118,118 bytes) is here and the detached signature for the tarball is here.
The only difference between 0.94.12rc8 and 0.94.12 is the version in defines.h
5 Apr 2002 - Version 0.94.12rc8 released.
The tarball (118,136 bytes) is here and the detached signature for the tarball is here.
There is only 1 difference between 0.94.12rc7 and 0.94.12rc8 - a debugging statement has been removed.
3 Apr 2002 - Version 0.94.12rc7 released.
The tarball (118,144 bytes) is here and the detached signature for the tarball is here.
There is only 1 difference between 0.94.12rc6 and 0.94.12rc7, and it has to do with making sure alias matching is very consistent. When matching a URL to an alias, Boa will match the entire 'virtual' part of the alias. Additionally, if the 'real' part of the alias does not end in '/', the first character after the matched part of the URL must be either '/' or '\0', allowing '/foo' to match both '/foo' and '/foo/' but not '/foobar'.
The ChangeLog entries since 0.94.12rc6 are as follows:
 * adapted fix for alias expansion from Brieuc Jeunhomme
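The alias rule described for 0.94.12rc7, written out as an added example (this is not Boa's own code; the struct, function names, and sample paths are hypothetical). It contrasts a prefix-only match, which would map '/foobar' onto a sibling of the aliased directory, with the boundary-checked match.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical alias record; field names are illustrative, not Boa's. */
struct alias_rule {
    const char *virtual_part; /* URL prefix, e.g. "/foo" */
    const char *real_part;    /* filesystem target, e.g. "/srv/www/foo" */
};

/* Prefix-only test: the behaviour the boundary rule is meant to exclude. */
static int alias_matches_prefix_only(const struct alias_rule *a, const char *url)
{
    return strncmp(url, a->virtual_part, strlen(a->virtual_part)) == 0;
}

/*
 * Rule as stated in the release note: the whole virtual part must match,
 * and if the real part does not end in '/', the character following the
 * matched part of the URL must be '/' or '\0'.
 */
static int alias_matches(const struct alias_rule *a, const char *url)
{
    size_t vlen = strlen(a->virtual_part);
    size_t rlen = strlen(a->real_part);

    if (vlen == 0 || strncmp(url, a->virtual_part, vlen) != 0)
        return 0;
    if (rlen > 0 && a->real_part[rlen - 1] == '/')
        return 1;
    return url[vlen] == '/' || url[vlen] == '\0';
}

/*
 * Build the translated path in out. Returns 0 on success, -1 when the
 * alias does not apply or the result would not fit in the buffer.
 */
static int alias_translate(const struct alias_rule *a, const char *url,
                           char *out, size_t outlen)
{
    int n;

    if (!alias_matches(a, url))
        return -1;
    n = snprintf(out, outlen, "%s%s", a->real_part,
                 url + strlen(a->virtual_part));
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    /* Constructed sample rule and URLs. */
    const struct alias_rule rule = { "/foo", "/srv/www/foo" };
    const char *urls[] = { "/foo", "/foo/", "/foo/index.html",
                           "/foobar", "/foobar/page.html" };
    char path[256];
    size_t i;

    for (i = 0; i < sizeof urls / sizeof urls[0]; i++) {
        int ok = alias_translate(&rule, urls[i], path, sizeof path) == 0;
        printf("%-20s prefix-only=%d boundary=%d -> %s\n", urls[i],
               alias_matches_prefix_only(&rule, urls[i]),
               alias_matches(&rule, urls[i]), ok ? path : "(no alias)");
    }
    return 0;
}
```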
24 Mar 2002 - Version 0.94.12rc6 released.
The tarball (117,848 bytes) is here and the detached signature for the tarball is here.
There are only a few differences between 0.94.12rc6 and 0.94.12rc5:
The ChangeLog entries since 0.94.12rc5 are as follows:
 * add send_r_bad_gateway and use it
 * tie stderr to either cgi_log_fd or devnullfd - either way
   make sure stderr is a valid filehandle before cgi execution
 * cgi_env is no longer allocated, it's part of the struct now
 * fix bug in CgiPath logic
 * when unable to allocate memory for an environment variable, log it
 * add clear_common_env, which de-allocates the cgi_common_env stuff
   [NEVER USE THIS outside of a terminal signal handler!]
 * don't be so wasteful of memory in normalize_path
22 Mar 2002 - Version 0.94.12rc5 released.
The tarball (117,007 bytes) is here and the detached signature for the tarball is here.
There are only a few differences between 0.94.12rc5 and 0.94.12rc4:
The ChangeLog entries since 0.94.12rc4 are as follows:
 * add function boa_atoi, which wraps atoi, but does not
   accept negative values. Additionally, it checks to make sure
   the converted value and the original value are the same, avoiding
   issues like "124.3" -> "123" and "123abc" -> "123".
   Either a value is an int or it isn't - no middle ground.
 * use boa_atoi to convert content-length from client.
 * add new #define - SINGLE_POST_LIMIT_DEFAULT, which defines
   (in bytes) the *default* single_post_limit.
 * single_post_limit is now in bytes.
 * when adding aliases, only "normalize" paths that start
   with "./" - this is a departure from previous behavior
 * add "?" to the list of characters that it is safe to leave unescaped
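A strict integer parse in the spirit of the boa_atoi entry above, applied to a Content-Length value, as an added example (not Boa's code; `strict_atoi`, `check_content_length`, the result enum, and the 4096-byte limit are hypothetical). It uses strtol rather than atoi, because atoi has undefined behaviour on out-of-range input, and keeps the round-trip comparison the changelog describes.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Returns the parsed value, or -1 unless s is exactly the decimal form of
 * a non-negative int. "Exactly" is enforced by rendering the value back
 * to text and comparing it with the input, so trailing junk, fractions,
 * signs, leading zeros and whitespace are all rejected.
 */
static int strict_atoi(const char *s)
{
    char back[32];
    char *end;
    long v;

    if (s == NULL || *s == '\0')
        return -1;
    errno = 0;
    v = strtol(s, &end, 10);
    if (errno == ERANGE || v < 0 || v > INT_MAX)
        return -1;
    snprintf(back, sizeof back, "%ld", v);
    if (strcmp(back, s) != 0)
        return -1;
    return (int)v;
}

enum cl_result { CL_OK, CL_INVALID, CL_TOO_LARGE };

/*
 * Validate a client-supplied Content-Length against a per-request limit
 * in bytes. How the server responds to each result is outside this
 * example.
 */
static enum cl_result check_content_length(const char *value, int limit_bytes,
                                           int *out_len)
{
    int n = strict_atoi(value);

    if (n < 0)
        return CL_INVALID;
    if (n > limit_bytes)
        return CL_TOO_LARGE;
    *out_len = n;
    return CL_OK;
}

int main(void)
{
    /* Constructed sample header values and a constructed 4096-byte limit. */
    const char *values[] = { "1024", "0", "-1", "124.3", "123abc",
                             " 12", "007", "8192", "99999999999999999999" };
    static const char *names[] = { "ok", "invalid", "too large" };
    size_t i;

    for (i = 0; i < sizeof values / sizeof values[0]; i++) {
        int len = 0;
        enum cl_result r = check_content_length(values[i], 4096, &len);
        printf("Content-Length: %-22s -> %s\n", values[i], names[r]);
    }
    return 0;
}
```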
16 Mar 2002 - Version 0.94.12rc4 released.
The tarball (116,297 bytes) is here and the detached signature for the tarball is here.
There are only two differences between 0.94.12rc3 and 0.94.12rc4 - a bug is fixed in POST, and a config file variable is introduced. Both are detailed below.
The ChangeLog entries since 0.94.12rc3 are as follows:
 * fix POST bug where a content-length < 0 would cause Boa to
   consume its full share of CPU until killed
   Bug report by Landon Curt Noll
 * add CGIPath configuration variable
   based upon a patch by Landon Curt Noll
02 Mar 2002 - Version 0.94.12rc3 released.
The tarball (116,134 bytes) is here and the detached signature for the tarball is here.
Most of the updates to 0.94.12rc2 are fairly minor, and primarily help compilation on Solaris. Also, some signal handlers were improved, and the select loop is now in select.c, helping abstraction. Additionally, unless ORIGINAL_BEHAVIOR is #defined, Boa will now poll the server socket once per active connection until there are no more waiting requests. This should have two effects - a **very** slightly greater latency (if it is measured at all), but a **much** more consistent latency. Finally, Boa now tells clients that it is too busy, although in practical terms, this is not very likely to happen, due to various factors.
The ChangeLog entries since 0.94.12rc2 are as follows:
 * try to make NOBLOCK handling in compat.h compatible with Solaris
 * make sure to update current_time before calling signal handlers
 * alter primary loop to make sure that select gets called even
   when there are requests that are not blocking, and call fdset_update
   and process_requests (when appropriate) after signal handlers but
   before select to make sure that blocked requests are still handled
   by select after a sighup. (Thanks to Karl Olsen)
 * pull select loop into select.c
 * poll server socket once per active connection
 * add send_r_service_unavailable and use it when appropriate
 * state uptime in seconds at normal program termination
 * include sys/fcntl.h if it is found by configure
17 Feb 2002 - Version 0.94.12rc2 released.
The updates to 0.94.12rc1 are fairly minor, but do fix one important bug regarding hashing (same bugfix as 0.94.11.1). The ChangeLog entries since 0.94.12rc1 are as follows:
 * add some new hash routines, and use djb2 (a variant on a
   hash algorithm popularized by Dan J. Bernstein)
 * a side-effect of the new hash routines is a bugfix,
   involving negative return values from hash routines.
   This has been fixed.
 * add a routine, show_hash_stats, which is called with other
   statistical output via sigalarm
 * remove some duplicate prototypes from config.c
 * make simple_itoa take an unsigned int
The tarball (115,050 bytes) is here and the detached signature for the tarball is here.
16 Feb 2002 - Version 0.94.11.1 released.
This is a maintenance release of 0.94.11 until 0.94.12 is finished. It only changes 2 things: Makefile.in had a buglet where index_dir.o would not get removed on 'make clean', and the hashing algorithm used could return negative numbers resulting in a segfault. Both of these are fixed here, and *no* other changes have been made.
The tarball (118,600 bytes) is here and the detached signature for the tarball is here.
11 Feb 2002 - Version 0.94.12rc1 released.
This is technically 0.94.12pre4 but I don't think anything major will change between now and release. This version also removes email addresses from the ChangeLog and moves them to a CREDITS file. The CREDITS file will not be available in plaintext on the website, and can only be found in the tarball (or package). This is done to avoid SPAM.
The detached signature for the tarball is here.
The tarball (114,275 bytes) is here.
30 Jan 2002 - Version 0.94.12pre4 is being prepared.
It's not quite ready yet, but it's close. It fixes a minor bug introduced into 0.94.12, and makes CGI environment handling much better (all memory allocations are checked, etc...). There are a few other non code-related changes like email address changes, and updated Copyrights, etc...
20 Jan 2002 - Version 0.94.12pre3 has been released!
View the ChangeLog

Versions 0.94.12pre2 and 0.94.12pre1 had some minor bugs (and one show-stopper, regarding CGI) that 0.94.11 did not have. The changes between 0.94.12pre2 and 0.94.12pre3 include an updated .depend file, elimination of the lame MAINTAINER stuff in the Makefile, using fcntl + GET_FL to get a file descriptor's flags *before* setting or unsetting the fd's bits, making sure we call FD_ZERO on restart, and a few other minor improvements.
The reason for the pre-releases is that there are quite a few changes in this release, and while most are geared towards better platform compatibility (specifically, *BSD and Solaris), there are a few minor bugfixes as well.
11 Jan 2002 - Version 0.94.12pre2 released!
15 Dec 2001 - Version 0.94.12pre1 released!
05 Nov 2001 - Version 0.94.11 released!
Get it here: boa-0.94.11.tar.gz (117,110 bytes)
Signature here