"Fossies" - the Fresh Open Source Software Archive

Member "cgiwrap-4.1/htdocs/changes.html" (16 Jun 2008, 17142 Bytes) of package /linux/www/old/cgiwrap-4.1.tar.gz:

As a special service "Fossies" has tried to format the requested source page into HTML format using (guessed) HTML source code syntax highlighting (style: standard) with prefixed line numbers. Alternatively you can here view or download the uninterpreted source code file.

A hint: This file contains one or more very long lines, so maybe it is better readable using the pure text view mode that shows the contents as wrapped lines within the browser window.

    1 <TITLE>CGIWrap - Change Log</TITLE>
    2 <CENTER><H2>CGIWrap - Change Log</H2></CENTER>
    4 These are some of the changes that have occured in CGIWrap from version 
    5 to version.
    7 <HR>
    8 <P><H3>New in version 4.1:</H3><UL>
    9     <LI>Added support for specifying a character set to use for cgiwrap output to address a vulnerability in how IE handles documents without a charset specified. The vulnerability allowed cross site scripting when cgiwrap URLs were accessed from a JA version of IE. To specify the charset to use, provide the "--with-charset=X" option to configure when building cgiwrap. It will default to iso-8859-1 if not specifically set.
   10 </UL>
   12 <HR>
   13 <P><H3>New in version 4.0:</H3><UL>
   14     <LI>Bumped version number to 4.0 to deal with screwed up release numbering of earlier versions.
   15     <LI>Added --with-soft-rlimits-only option based on patch from jplinderman@sf.net
   16     <LI>Added --with-block-svn-paths and --with-block-cvs-paths options to prevent execution of files in those dirs.
   17     <LI>Added --with-eruby-interpreter option from BlackSun, Inc.
   18     <LI>Added support for setting SIGXCPU even when sigset unavailable - from BlackSun, Inc.
   19     <LI>Fixed some warnings.
   20     <LI>Added support for overriding DESTDIR to install in separate dir (for packaging), from debian/d3xter
   21 </UL>
   23 <P><H3>New in version 3.10:</H3><UL>
   24     <LI>Applied several patches from Javier Fernandez-Sanguino Pen~a <jfs@computer.org> for information release security. Removes additional output when quiet errors is enabled.
   25     <LI>Fixed setting of LD_LIBRARY_PATH when configured to do so.
   26     <LI>Fixed setting of ARGV for both regular and interpreted scripts when script is in a subdir. Clean up code
   27     related to this based on a patch from Jack <ms419@freezone.co.uk>.
   28     <LI>Updated autoconf helpers to much newer release
   29 </UL>
   31 <P><H3>New in version 3.9:</H3><UL>
   32     <LI>Fixed a minor typo preventing allow files from working
   33     <LI>Added support for +@netgroup syntax optionally in allow/deny files.
   34     <LI>Fixed problem with php-nonexec-only not working properly since exec check done too late.
   35     <LI>Applied Piotr's patch few support of newer PHP versions.
   36     <LI>Added support for ASP interpreter execution, similar to PHP support.
   37     <LI>Fix content of PATH_INFO when it should be / or undefined. Based on patch from Cliff Woolley.
   38 </UL>
   40 <P><H3>New in version 3.8:</H3><UL>
   41     <LI>Merged in special handling for PHP scripts by popular demand. This is based mostly on
   42 Piotr Klaban's php-cgiwrap patch, with minor changes.
   43     <LI>Added options for php support. --with-php-interpreter and --with-php-cgiwrap
   44     <LI>Rewrote the path translated support. Is it finally correct?
   45     <LI>Patch from san@cobalt.rmnet.it to use REDIRECT_URL if available for SCRIPT_NAME.
   46     <LI>Added support for access control files specific to each HTTP_HOST, useful for ISP's using Apache handlers to run
   47 cgi's that want to restrict which userids can run cgi's on certain vhosts. If enabled, the vhost access control files must exist.
   48     <LI>Added option to require that REDIRECT_URL be specified in environment. Can be used to require that cgiwrap be invoked via a handler/action or some other internal apache redirection/rewrite. Primarily of use when invoking cgi's for virtual hosts via Action/SetHandler.
   49     <LI>Modified san's REDIRECT_URL support to be --with-use-redirect-url instead of --with-check-redirect-url, since it's more a functional change, not a security check.
   50     <LI>Added a --with-quiet-errors option to allow significantly restricting the amount of
   51 internal information that an error message displays.
   52     <LI>Added ability to override the vhost that cgiwrap users via an optional CGIWRAP_AUTH_VHOST env var, which if present and feature enabled, will be used instead of HTTP_HOST. This is useful for
   53 when you have wildcard servernames in apache. Enable the --with-vhost-override option if you want this capabillity. Only applicable if vhost allow/deny dir is enabled.
   54     <LI>Added ability to only allow scripts run by a specific userid if the CGIWRAP_REQUIRE_USER env var is specified and the --with-env-require-user feature is enabled.
   55     <LI>Changed to autoconf 2.5 style templates and eliminated acconfig.h.
   56     <LI>Added option to enable the special PHP support only for non-executable files.
   57     <LI>Added modified patch by Gabriel Ambuehl to use SCRIPT_URL for SCRIPT_NAME generation.
   58 </UL>
   60 <P><H3>New in version 3.7.1:</H3><UL>
   61     <LI>Added --with-minimum-gid option to check minimum user GID and auxilliary groups. This is
   62         in response to complaints on BugTraq about suexec not checking auxgroups.
   63 </UL>
   65 <P><H3>New in version 3.7:</H3><UL>
   66     <LI>Encode user supplied output in error messages to fix cross-site
   67 scripting vulnerability reported by Hiromitsu Takagi.
   68     <LI>Minor warning cleanup
   69     <LI>Slight improvement to a couple diagnostic messages.
   70 </UL>
   72 <P><H3>New in version 3.6.5:</H3><UL>
   73     <LI>Fixed small problem with glibc2.1 and errno.h vs. sys/errno.h
   74     <LI>Added simple chroot support for expert installations.
   75     <LI>Applied fix for path translated, removed option for not enabling
   76     correct path_translated value.
   77     <LI>Added multiuser cgi script directory support.
   78     <LI>Added patch from Scott Sutherland for fixing parsing of auth files.
   79     <LI>Added patch from Christian Kruse for better symlink handling.
   80 </UL>
   82 <P><H3>New in version 3.6.4:</H3><UL>
   83     <LI>Changed license to GPL finally.
   84     <LI>Fixed netmask comparison
   85     <LI>Added anonymous CVS server info
   86     <LI>Updates from David Hollenberg for misc. error checking/handling and overflow protection.
   87     <LI>Added check for making sure cgiwrap is setuid and printing out a usable
   88 error message if not.
   89     <LI>Now prints out path to access control files if one or both are missing.
   90     <LI>Slight changes to aux groups code just in case setgroups() doesn't
   91 support a empty list.
   92     <LI>Added some extra info to server userid error message.
   93     <LI>Added some info to the FAQ.
   94 </UL>
   96 <P><H3>New in version 3.6.3:</H3><UL>
   97     <LI>Added support for checking if user has a valid shell, similar to 
   98 what ftpd does. The BSD licensed getusershell.o has been included for support
   99 where needed.
  100     <LI>Bug fix for SEGV condition when certain syntax is used for the request. 
  101 It did not appear exploitable, but would cause cgiwrap to core as root. Thanks
  102 to Michael Bryan (michael@blueneptune.com) for the fix.
  103 </UL>
  105 <P><H3>New in version 3.6.2:</H3><UL>
  106     <LI>Fixed the !logfd check. Thanks to Alexander Wolgast for pointing
  107 this out.
  108     <LI>Added support for reporting rusage/return code after executing
  109 script.
  110     <LI>Changed logging to use close-on-exec flag of file descriptor, so
  111 it can be left open for reporting rusage if enabled.
  112     <LI>Added support for reporting approximate elapsed execution 
  113 time of a cgi script.
  114 </UL>
  116 <P><H3>New in version 3.6.1:</H3><UL>
  117     <LI>Fixed the UserInFile routine. It broke cause I forgot to remove
  118 newlines.
  119 </UL>
  121 <P><H3>New in version 3.6:</H3><UL>
  122     <LI>Removed check for ./ in the path of the script. The check for 
  123 ../ is still there. There doesn't seem to be any need for this check as 
  124 it appears to be harmless. It is being removed to allow for users with 
  125 "./" in their home dir (for chrooting with wuftpd) to be able to use cgiwrap.
  126     <LI>Added code to optionally prevent script execution if the 
  127 script is group or world writable. I cannot make the check for world 
  128 writable forced on, since on my site using AFS, the permission bits 
  129 aren't used, and some scripts might be marked as world writable. Can't 
  130 break user scripts without a major hassle.
  131     <LI>Added code to optionally check if script file is a symbolic 
  132 link. Of course, the script dir itself could still be a symbolic link.
  133     <LI>Changed to GNU autoconf for configuration
  134     <LI>Makefile now supports 'install' target with --install-path is 
  135 specified with configure.
  136     <LI>Support added for setting PATH and TZ environment variables
  137 before executing script
  138     <LI>Support added for setting a bunch of different RLIMIT_ parameters
  139 before executing script, as well as allowing the administrator to set the
  140 limits with the --with-rlimit-*=value option to configure.
  141     <LI>Error messages are now more verbose and output in HTML if possible.
  142     <LI>Support for calling script using system() has been removed as it is
  143 not really needed for anything, and just slows things down.
  144     <LI>Fixed malloc() error check in GetUserDir routines
  145     <LI>Fixed race condition with permissions and opening of log file
  146     <LI>initgroups() and setgroups() support now enabled by default
  147     <LI>Eliminated buffer overrun in error message about chmod'ing 
  148 script. Thanks to Duncan Simpson (dps@io.stargate.co.uk)
  149     <LI>Added --with-minimum-uid option
  150     <LI>Fixed the subdirectory restrict option. (Thanks to Jeffery 
  151 Chow <j8g1@ugrad.cs.ubc.ca>) for pointing this out and for testing the fix.
  152     <LI>Added CondenseSlashes routine to eliminate doubled and 
  153 trailing slashes
  154     <LI>Added SafeMalloc routine to eliminate the need to check 
  155 malloc result throughout the code.
  156     <LI>Changed tardist target to touch all files and directories
  157 so that a consistent time stamp is reached. This should eliminate spurious
  158 calls to autoheader when building cgiwrap.
  159     <LI>Added in code to configure.in for the various information options
  160 such as local-site-url, local-contact-phone, etc.
  161     <LI>Added fcntl.h include, needed by open(). Problem reported by 
  162 Seth Chaiklin <seth@psy.au.dk>. Also fixed quoting in the configure.in related
  163 to log file.
  164     <LI>Finished splitting up logging functions and changes to use the 
  165 Context structure.
  166     <LI>Minor changes to the makefile, including telling it to use
  167 the CFLAGS, and improving the tardist target.
  168     <LI>Moved extra flag stuff for AFS into it's own section and only
  169 run it if needed for AFS support.
  170     <LI>Not sure why, but 3.6 works with AIX 4, 3.5 did not.
  171     <LI>Cleaned up Makefile, finished support for building in a 
  172 separate directory from the source, added a 'dep' target using depend.awk
  173 from mutt distribution.
  174     <LI>Fixed problem with CHECKHOST/CHECKHOSTS typos.
  175     <LI>Added support for using "*" with checkhost support to restrict
  176 ALL userids from being accessed from that host. (*@x.x.x.x/y.y.y.y)
  177     <LI>Made 'no way to change uids' a compile time error with #error
  178     <LI>Fixed bug with ALLOWFILE define in util.c.
  179 </UL>
  181 <P><H3>New in version 3.5:</H3><UL>
  182     <LI>Fixed strerror checking in Configure script and util.c for systems 
  183 without strerror, can now use strerror, sys_errlist, perror, or just errno.
  184     <LI>Major documentation overhaul, create all HTML based docs
  185     <LI>Added option (defaulting to yes) to correctly set the 
  186 PATH_TRANSLATED environment variable.
  187     <LI>Fixed bug with the configure script and the use_system 
  188 option. It would cause a preprocessor error if the system call was not 
  189 found.
  190     <LI>Cleaned up various things with the Configure script
  191     <LI>Changed file prompting to allow using ~ paths.
  193 </UL><P><H3>New in version 3.4:</H3><UL>
  194     <LI>Fixed typo "&" instead of "&&" in setgroups stuff
  195     <LI>Added cgiwrap.aliases option to rewrite home dirs of users.
  196     <LI>Moved entire cgiwrap source build tree to CVS, will make 
  197 tracking changes easier.
  198     <LI>CGIwrap now changes directories to the directory the script is located in before executing the script. Before, it always just changed
  199 to the main CGI directory. This behavior is only different if you
  200 were using scripts in subdirectories.
  201     <LI>Changed style of cgiwrap.allow, cgiwrap.deny files to be the same as
  202 cron's allow/deny files.
  204 </UL><P><H3>New in version 3.3:</H3><UL>
  205     <LI>Added support for attaching a label to syslog log messages.
  206     <LI>Added code to rewrite the PATH_TRANSLATED environment variable.
  208 </UL><P><H3>New in version 3.24:</H3><UL>
  209     <LI>Added support for logging to syslog.
  211 </UL><P><H3>New in version 3.23:</H3><UL>
  212     <LI>Setgroups was being used no matter what you said in configure - fixed
  213     <LI>Problem with undefined variables in Log call for subdirectories - fixed
  214     <LI>Removed declaration of sys_errlist, and errno in util.c, since I don't 
  215 think they were necessary. And they were causing problems on some 
  216 architectures.
  217     <LI>Added in user contributed host address checking code
  218     <LI>Upgraded to using dist-3.0 PL60 for building the Configure script.
  219     <LI>Separated initgroups() and setgroups() checks into two separate 
  220 defines, and improved documentation in configure script for these options.
  222 </UL><P><H3>New in version 3.22:</H3><UL>
  223     <LI>argv[0] is now automatically changed to the name of the script that is
  224 being executed
  226 </UL><P><H3>New in version 3.21:</H3><UL>
  227     <LI>Rlimit defines weren't set properly when rlimit not available - fixed
  228     <LI>The optimizer/debugger flag wasn't being used in the makefile -- fixed
  229     <LI>Defaults for checks (y/n) were not being set - fixed
  231 </UL><P><H3>New in version 3.2:</H3><UL>
  232     <LI>MAJOR code cleanup and simplification. The code should be ALOT 
  233 easier to read and understand.
  234     <LI>Fixed the problem in the Makefile on certain architectures with the 
  235 $(var) not being escaped properly. This should solve problems with Linux 
  236 machines and BSD machines that I know of.
  237     <LI>Changes way PATH_INFO is modified, CGIwrap will now correct SCRIPT_NAME 
  238 for ?user=USER&script=SCRIPT type requests as well as /user/script type 
  239 requests.
  240     <LI>Subdirectories are now supported for both types of requests
  241     <LI>Debugging output has been condensed and is a little easier to read.
  242     <LI>Documentation has been reworked, it should be a little easier to use.
  243     <LI>Fixed prototypes for all the functions in the cgiwrap source.
  244     <LI>Removed a few unnecessary routines
  245     <LI>Changed "mystrcpy" to be "strdup", and is compiled only if the current 
  246 architecture does not have strdup available in it's standard library.
  248 </UL><P><H3>New in version 3.11:</H3><UL>
  249     <LI>Fixed incorrectly indented # directives that were causing problems with
  250 some machines.
  252 </UL><P><H3>New in version 3.1:</H3><UL>
  253     <LI>Added CONF_ALLOWFILE and CONF_DENYFILE options.
  254     <LI>Added logging of REMOTE_USER and a status message to the log file
  255     <LI>Added an unsupported directory for user contributed scripts and add-ons
  256     <LI>Restructured logic for which 'set' method gets used.
  257     <LI>Removed option to not check if gid changed, it was an oversight that 
  258 this was left in. There isn't any case I know of that you wouldn't want 
  259 to check this.
  260     <LI>Moved id setting routines into util.c
  261     <LI>Added new source file for allow/deny code.
  262     <LI>Removed some error output that didn't make sense (system error 
  263 messages that were getting returned when I issued a regular cgiwrap error)
  264     <LI>Added a 'remake' target to the makefile which does a clean, then a 
  265 Configure -S, then a make all to rebuild he entire binary. This is useful 
  266 if you have multiple config.sh files (eg. you're building for several 
  267 setups from the same dir)
  269 </UL><P><H3>New in version 3.0:</H3><UL>
  270     <LI>Set up Configure scripts for CGIwrap
  271     <LI>Renamed many of the config options to make more consistent
  272     <LI>Rearranged directory structure of CGIwrap distribution
  273     <LI>Removed "CONF_SANITIZE" option, it is always on now.
  274     <LI>Removed "CONF_CHECK_UID" option, it is always on now.
  275     <LI>Removed "CONF_FORCE_DEBUG" option, and "CONF_DEBUG_BY_NAME" option, 
  276 cgiwrap automatically does debugging output by name now.
  277     <LI>Added info about setting up an access-controlled cgiwrap which allows
  278 users to control access to their scripts.
  279     <LI>Renamed DEBUG to CONF_DEBUG to solve a compile problem with some systems
  280 wanting to add -DDEBUG to CFLAGS.
  282 </UL><P><H3>New in version 2.7:</H3><UL>
  283     <LI>Added HTTPD_USER and CHECK_HTTPD_USER to verify that cgiwrap is being
  284 called by the server. This is for (access to scripts) security, it 
  285 doesn't affect system security any. 
  286     <LI>Added AFS PAG support
  288 </UL><P><H3>New in version 2.6:</H3><UL>
  289     <LI>Moved rlimit call into new subroutine SetLimits
  290     <LI>Changed exec call to an execv and passed argv to support argument passing
  291 This will only work correctly for scripts called with no other 
  292 arguments... Eg, must use "cgiwrap/user/script?" syntax
  294 </UL><P><H3>New in version 2.5:</H3><UL>
  295     <LI>Fixed problem with not correctly falling back from PATH_INFO
  296     <LI>Added SETUID_SETEUID option for setting UID's 
  297     <LI>Added checks to make sure effective ugid changed as well as real.
  299 </UL><P><H3>New in version 2.4:</H3><UL>
  300     <LI>Fixed incorrect exec call, added null at end.
  302 </UL><P><H3>New in version 2.3:</H3><UL>
  303     <LI>Fixed location of setgroups() call
  304     <LI>Added INSTALL file and fixed PROMO that was old.
  306 </UL><P><H3>New in version 2.2:</H3><UL>
  307     <LI>More debug outpt for environment variables
  308     <LI>Option to check exec bit on script and error msg if not set
  310 </UL><P><H3>New in version 2.1:</H3><UL>
  311     <LI>Fixed ~ bug                     
  312     <LI>Added PATH_INFO and SCRIPT_NAME rewrite code                
  313     <LI>Added SETGROUPS option to config
  314     <LI>Added RLIMIT option to config
  316 </UL><P><H3>New in version 2.0:</H3><UL>
  317     <LI>Added support for PATH_INFO specification of user/script     
  318     <LI>Added stderr redirection to stdout                           
  319     <LI>Added option for doing debugging output by cmd name          
  320     <LI>Added option to use exec or system calls                     
  322 </UL><P><H3>New in version 1.0:</H3><UL>
  323     <LI>Everything! This is the first public distribution.
  324 </UL>