release.htm

一个典型的用于嵌入式Linux环境的Webserver

</div>
<div class="section" id="goahead-webserver-2-1-5-release-notes">
<h1><a class="toc-backref" href="#id16" name="goahead-webserver-2-1-5-release-notes">GoAhead WebServer 2.1.5 Release Notes</a></h1>
<dl>
<dt>Release Date:</dt>
<dd>19 Mar 2003</dd>
</dl>
<div class="section" id="bopen-failure-mode">
<h2><a class="toc-backref" href="#id17" name="bopen-failure-mode"><tt class="literal"><span class="pre">bopen()</span></tt> failure mode</a></h2>
<dl>
<dt>Description:</dt>
<dd>New failure behavior for <tt class="literal"><span class="pre">bopen()</span></tt> (see <tt class="literal"><span class="pre">balloc.c</span></tt>)</dd>
<dt>Fix:</dt>
<dd>Changed failure behavior of the bopen() function (suggested by Simon
Byholm).  If the malloc() request fails, we reset the bopenCount
variable, and thus allow the client code to reattempt the open with
a smaller memory request.</dd>
</dl>
</div>
<div class="section" id="windows-95-98-me-aux-denial-of-service">
<h2><a class="toc-backref" href="#id18" name="windows-95-98-me-aux-denial-of-service">Windows 95/98/ME <tt class="literal"><span class="pre">AUX</span></tt> Denial of Service</a></h2>
<dl>
<dt>Description:</dt>
<dd><p class="first">When running on Windows 95/98/ME, URLs requested with path components
matching a set of reserved DOS device names caused the WebServer to crash.</p>
<p>The names that cause the crash are:</p>
<pre class="last literal-block">
aux
con
nul
clock$
config$
</pre>
</dd>
<dt>Fix:</dt>
<dd><p class="first">Code added to the <tt class="literal"><span class="pre">websValidateUrl()</span></tt> function to check the contents of
the parsed URL against the list of prohibited names. If any of those names
are present in the parsed URL, the URL is rejected as invalid.</p>
<p>The code that checks for these prohibited pathname components checks for
them in the form of either:</p>
<pre class="literal-block">
http://&lt;&lt;server address&gt;&gt;/aux
</pre>
<p>or:</p>
<pre class="literal-block">
http://&lt;&lt;server address&gt;&gt;/aux:
</pre>
<p class="last">where any non-alphanumeric character following one of the prohibited names
will cause the URL request to be rejected.</p>
</dd>
</dl>
</div>
<div class="section" id="cross-site-scripting-exploit">
<h2><a class="toc-backref" href="#id19" name="cross-site-scripting-exploit">404 Cross-site Scripting Exploit</a></h2>
<dl>
<dt>Description:</dt>
<dd>Malicious users could request an invalid URL containing embedded JavaScript
code that would be executed in the user's browser.</dd>
<dt>Fix:</dt>
<dd>404 (and other error messages) returned by the WebServer no longer display
the invalid URL.</dd>
</dl>
</div>
<div class="section" id="long-url-overflow-crash">
<h2><a class="toc-backref" href="#id20" name="long-url-overflow-crash">Long URL Overflow Crash</a></h2>
<dl>
<dt>Description:</dt>
<dd>URLs containing more than 64 levels of path components caused the WebServer
to crash, entering a buffer overflow condition.</dd>
<dt>Fix:</dt>
<dd>The WebServer now keeps track of the depth as it validates the URL. URLs
that are too long are now rejected with an error message.</dd>
</dl>
</div>
<div class="section" id="incorrect-error-code-in-security-c">
<h2><a class="toc-backref" href="#id21" name="incorrect-error-code-in-security-c">Incorrect Error Code in <tt class="literal"><span class="pre">security.c</span></tt></a></h2>
<dl>
<dt>Description:</dt>
<dd>Pages assigned an access level of <tt class="literal"><span class="pre">AM_NONE</span></tt> should return an error code
of 404 instead of 400 when an attempt it made to access them.</dd>
<dt>Fix:</dt>
<dd>Error code corrected.</dd>
</dl>
</div>
<div class="section" id="pragma-code-for-risc-architectures">
<h2><a class="toc-backref" href="#id22" name="pragma-code-for-risc-architectures">Pragma Code for RISC Architectures</a></h2>
<dl>
<dt>Description:</dt>
<dd>A pragma was not set correctly when compiling for SPARC machines.</dd>
<dt>Fix:</dt>
<dd><p class="first">Code added to <tt class="literal"><span class="pre">uemf.h</span></tt>:</p>
<pre class="last literal-block">
#ifdef sparc
# define __NO_PACK
#endif /* sparc */
</pre>
</dd>
</dl>
</div>
</div>
<div class="section" id="goahead-webserver-2-1-4-release-notes">
<h1><a class="toc-backref" href="#id23" name="goahead-webserver-2-1-4-release-notes">GoAhead庐 WebServer 2.1.4 Release Notes</a></h1>
<dl>
<dt>Release Date:</dt>
<dd>17 Oct 2002</dd>
</dl>
<div class="section" id="fixed-vulnerability-to-malicious-code-in-webs-c">
<h2><a class="toc-backref" href="#id24" name="fixed-vulnerability-to-malicious-code-in-webs-c">Fixed vulnerability to malicious code in <tt class="literal"><span class="pre">webs.c</span></tt></a></h2>
<dl>
<dt>Summary:</dt>
<dd>There were two vulnerabilities in <tt class="literal"><span class="pre">webs.c</span></tt>. Sending a POST message
with a content-length but no data resulted in an attempt to perform
a <tt class="literal"><span class="pre">strlen()</span></tt> on a NULL pointer (thanks to Richard Cullen). Also,
sending an HTTP POST message with a Content-Length header indicating
that the length of the posted data was less than zero would crash
the server (thanks to Auriemma Luigi).</dd>
<dt>Fix:</dt>
<dd>Code errors corrected.</dd>
</dl>
</div>
<div class="section" id="https-bug-in-security-handler">
<h2><a class="toc-backref" href="#id25" name="https-bug-in-security-handler"><a class="reference" href="https://">https://</a> bug in security handler</a></h2>
<dl>
<dt>Summary:</dt>
<dd>The <tt class="literal"><span class="pre">websSecurityHandler()</span></tt> function was performing a logical
OR: (<tt class="literal"><span class="pre">flags</span> <span class="pre">|</span> <span class="pre">WEBS_SECURE</span></tt>) instead of a logical AND (<tt class="literal"><span class="pre">flags</span> <span class="pre">&amp;</span>
<span class="pre">WEBS_SECURE</span></tt>), leading to incorrect results (thanks to &quot;Dhanwa T&quot;).</dd>
<dt>Fix:</dt>
<dd>Code errors corrected.</dd>
</dl>
</div>
<div class="section" id="fixed-vulnerability-to-malicious-code-in-sockgen-c">
<h2><a class="toc-backref" href="#id26" name="fixed-vulnerability-to-malicious-code-in-sockgen-c">Fixed vulnerability to malicious code in sockGen.c</a></h2>
<dl>
<dt>Summary:</dt>
<dd>At line 613 of <tt class="literal"><span class="pre">sockGen.c</span></tt>, the return value of the function
<tt class="literal"><span class="pre">socketInputBuffered()</span></tt> was being discarded, leading to incorrect
behavior in some cases. (Thanks to Richard Cullen)</dd>
<dt>Fix:</dt>
<dd>Code errors corrected.</dd>
</dl>
</div>
</div>
<div class="section" id="bug-fixes-for-version-2-1-3">
<h1><a class="toc-backref" href="#id27" name="bug-fixes-for-version-2-1-3">Bug Fixes for Version 2.1.3</a></h1>
<div class="section" id="directory-traversal-exploit">
<h2><a class="toc-backref" href="#id28" name="directory-traversal-exploit">Directory Traversal Exploit</a></h2>
<dl>
<dt>Summary:</dt>
<dd>Several sources have reported that requesting an URL with URL-encoded
backslashes (%5C) allow accessing files located outside the server's
designated web root. This should only have been possible on Windows, as
URL-encoded forward slashes (%2F) were already being handled correctly.</dd>
<dt>Fix:</dt>
<dd>Modified <tt class="literal"><span class="pre">default.c</span></tt> so that any backslash characters created as
part of decoding the URL string are converted (in place) to forward
slashes. The pre-existing directory-traversal detection code then
rejects the bad URL as expected.</dd>
</dl>
</div>
<div class="section" id="mime-type-for-external-javascript-files">
<h2><a class="toc-backref" href="#id29" name="mime-type-for-external-javascript-files">MIME type for external JavaScript files</a></h2>
<dl>
<dt>Summary:</dt>
<dd>The WebServer would not serve external JavaScript files (<tt class="literal"><span class="pre">*.js</span></tt>)
correctly.</dd>
<dt>Fix:</dt>
<dd>modified <tt class="literal"><span class="pre">mime.c</span></tt> to associate <tt class="literal"><span class="pre">.js</span></tt> files with the MIME
type <tt class="literal"><span class="pre">application/x-javascript</span></tt>.</dd>
</dl>
</div>
<div class="section" id="bug-in-if-modified-since-parsing">
<h2><a class="toc-backref" href="#id30" name="bug-in-if-modified-since-parsing">Bug in If-Modified-Since parsing</a></h2>
<dl>
<dt>Summary:</dt>
<dd>There was an off-by-one error when converting from Gregorian date to
time_t.</dd>
<dt>Fix:</dt>
<dd>modified function <tt class="literal"><span class="pre">dateToTimet</span></tt> in file <tt class="literal"><span class="pre">webs.c</span></tt>.  The <tt class="literal"><span class="pre">month</span></tt>
parameter is numbered from  0 (Jan == 0), but <tt class="literal"><span class="pre">FixedFromGregorian()</span></tt>
takes months numbered from 1 (January == 1). We need to add 1 to
the month before calling FixedFromGregorian.</dd>
</dl>
</div>
</div>
<div class="section" id="bug-fixes-for-version-2-1-2">
<h1><a class="toc-backref" href="#id31" name="bug-fixes-for-version-2-1-2">Bug Fixes for Version 2.1.2</a></h1>
<div class="section" id="ejscript-error-messages">
<h2><a class="toc-backref" href="#id32" name="ejscript-error-messages">Ejscript Error Messages</a></h2>
<p>Summary:</p>
<blockquote>
Changed ejEval() function so it displays in the browser the error string that is 
reported by the Ejscript interpreter (old code discarded it completely).</blockquote>
<dl>
<dt>Fix:</dt>
<dd>modified <tt class="literal"><span class="pre">websuemf.c</span></tt></dd>
</dl>
</div>
<div class="section" id="security-handler-response-codes">
<h2><a class="toc-backref" href="#id33" name="security-handler-response-codes">Security Handler Response Codes</a></h2>
<dl>
<dt>Summary:</dt>
<dd>Several places in the <tt class="literal"><span class="pre">websSecurityHandler()</span></tt> function were
returning error code 200 (success) instead of the correct 400-level error code.</dd>
<dt>Fix:</dt>
<dd>Corrected error codes in <tt class="literal"><span class="pre">security.c</span></tt></dd>
</dl>
</div>
<div class="section" id="security-handler-memory-leak">
<h2><a class="toc-backref" href="#id34" name="security-handler-memory-leak">Security Handler Memory Leak</a></h2>
<dl>
<dt>Summary:</dt>
<dd>In <tt class="literal"><span class="pre">websSecurityHandler()</span></tt>, if the WebServer was compiled with