<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="generator" content="Docutils 0.3.0: http://docutils.sourceforge.net/" />
<title>GoAhead WebServer 2.1.8 Release Notes</title>
<link rel="stylesheet" href="default.css" type="text/css" />
</head>
<body>
<div class="document" id="goahead-webserver-2-1-8-release-notes">
<h1 class="title">GoAhead WebServer 2.1.8 Release Notes</h1>
<!-- NOTES: -->
<!-- This document is maintained using the reStructuredText markup system.  -->
<!-- You may download this from <http://docutils.sf.net>. Also note that running  -->
<!-- the docutils code requires that a version of Python version 2.1 or later -->
<!-- be installed on the machine. Since the GoAhead release procedure itself  -->
<!-- runs in Python, this should not be a problem. -->
<!--  -->
<!-- To add new entries to the release notes, follow the markup shown below  -->
<!-- (releases should be underlined with a row of '=' characters, each item -->
<!-- noted within a release should be underlined with '-' characters. -->
<div class="contents topic" id="contents">
<p class="topic-title"><a name="contents">Contents</a></p>
<ul class="simple">
<li><a class="reference" href="#id1" id="id2" name="id2">GoAhead WebServer 2.1.8 Release Notes</a><ul>
<li><a class="reference" href="#problems-with-unicode-build" id="id3" name="id3">Problems with Unicode build</a></li>
<li><a class="reference" href="#modified-for-windows-ce-net" id="id4" name="id4">Modified for Windows CE .NET</a></li>
<li><a class="reference" href="#bug-with-urls-like-asp" id="id5" name="id5">Bug with URLs like &quot;&lt;...&gt;.asp/&quot;</a></li>
</ul>
</li>
<li><a class="reference" href="#goahead-webserver-2-1-7-release-notes" id="id6" name="id6">GoAhead WebServer 2.1.7 Release Notes</a><ul>
<li><a class="reference" href="#added-support-for-the-mocana-ssl-toolkit" id="id7" name="id7">Added support for the Mocana SSL Toolkit</a></li>
<li><a class="reference" href="#changes-to-dbsearchstring" id="id8" name="id8">Changes to <tt class="literal"><span class="pre">dbSearchString()</span></tt></a></li>
<li><a class="reference" href="#use-memcpy-when-converting-to-from-unicode" id="id9" name="id9">Use <tt class="literal"><span class="pre">memcpy()</span></tt> when converting to/from Unicode</a></li>
<li><a class="reference" href="#bug-when-using-utf-8-encoded-text-inside-asp-ejscript-blocks" id="id10" name="id10">Bug when using UTF-8 encoded text inside ASP/Ejscript blocks</a></li>
<li><a class="reference" href="#wrong-error-code-on-invalid-password" id="id11" name="id11">Wrong error code on invalid password</a></li>
<li><a class="reference" href="#windows-ce-net" id="id12" name="id12">Windows CE .NET</a></li>
<li><a class="reference" href="#lynx-makefile" id="id13" name="id13">LYNX <tt class="literal"><span class="pre">Makefile</span></tt></a></li>
</ul>
</li>
<li><a class="reference" href="#goahead-webserver-2-1-6-release-notes" id="id14" name="id14">GoAhead WebServer 2.1.6 Release Notes</a><ul>
<li><a class="reference" href="#null-pointer-crash-in-webssafeurl" id="id15" name="id15"><tt class="literal"><span class="pre">NULL</span></tt> pointer crash in <tt class="literal"><span class="pre">websSafeUrl()</span></tt></a></li>
</ul>
</li>
<li><a class="reference" href="#goahead-webserver-2-1-5-release-notes" id="id16" name="id16">GoAhead WebServer 2.1.5 Release Notes</a><ul>
<li><a class="reference" href="#bopen-failure-mode" id="id17" name="id17"><tt class="literal"><span class="pre">bopen()</span></tt> failure mode</a></li>
<li><a class="reference" href="#windows-95-98-me-aux-denial-of-service" id="id18" name="id18">Windows 95/98/ME <tt class="literal"><span class="pre">AUX</span></tt> Denial of Service</a></li>
<li><a class="reference" href="#cross-site-scripting-exploit" id="id19" name="id19">404 Cross-site Scripting Exploit</a></li>
<li><a class="reference" href="#long-url-overflow-crash" id="id20" name="id20">Long URL Overflow Crash</a></li>
<li><a class="reference" href="#incorrect-error-code-in-security-c" id="id21" name="id21">Incorrect Error Code in <tt class="literal"><span class="pre">security.c</span></tt></a></li>
<li><a class="reference" href="#pragma-code-for-risc-architectures" id="id22" name="id22">Pragma Code for RISC Architectures</a></li>
</ul>
</li>
<li><a class="reference" href="#goahead-webserver-2-1-4-release-notes" id="id23" name="id23">GoAhead廬 WebServer 2.1.4 Release Notes</a><ul>
<li><a class="reference" href="#fixed-vulnerability-to-malicious-code-in-webs-c" id="id24" name="id24">Fixed vulnerability to malicious code in <tt class="literal"><span class="pre">webs.c</span></tt></a></li>
<li><a class="reference" href="#https-bug-in-security-handler" id="id25" name="id25">https:// bug in security handler</a></li>
<li><a class="reference" href="#fixed-vulnerability-to-malicious-code-in-sockgen-c" id="id26" name="id26">Fixed vulnerability to malicious code in sockGen.c</a></li>
</ul>
</li>
<li><a class="reference" href="#bug-fixes-for-version-2-1-3" id="id27" name="id27">Bug Fixes for Version 2.1.3</a><ul>
<li><a class="reference" href="#directory-traversal-exploit" id="id28" name="id28">Directory Traversal Exploit</a></li>
<li><a class="reference" href="#mime-type-for-external-javascript-files" id="id29" name="id29">MIME type for external JavaScript files</a></li>
<li><a class="reference" href="#bug-in-if-modified-since-parsing" id="id30" name="id30">Bug in If-Modified-Since parsing</a></li>
</ul>
</li>
<li><a class="reference" href="#bug-fixes-for-version-2-1-2" id="id31" name="id31">Bug Fixes for Version 2.1.2</a><ul>
<li><a class="reference" href="#ejscript-error-messages" id="id32" name="id32">Ejscript Error Messages</a></li>
<li><a class="reference" href="#security-handler-response-codes" id="id33" name="id33">Security Handler Response Codes</a></li>
<li><a class="reference" href="#security-handler-memory-leak" id="id34" name="id34">Security Handler Memory Leak</a></li>
<li><a class="reference" href="#ejscript-write-corruption" id="id35" name="id35">Ejscript Write Corruption</a></li>
<li><a class="reference" href="#error-in-dsnprintf-x-format" id="id36" name="id36">Error in dsnprintf(): &quot;%X&quot; format</a></li>
<li><a class="reference" href="#bug018565-re-fixed" id="id37" name="id37">BUG018565 Re-fixed</a></li>
<li><a class="reference" href="#potential-error-in-error" id="id38" name="id38">Potential Error in <tt class="literal"><span class="pre">error()</span></tt></a></li>
<li><a class="reference" href="#added-support-for-customized-access-control" id="id39" name="id39">Added Support For Customized Access Control</a></li>
<li><a class="reference" href="#memory-leak-in-websparserequest" id="id40" name="id40">Memory Leak in websParseRequest()</a></li>
</ul>
</li>
<li><a class="reference" href="#macintosh-os-x-support" id="id41" name="id41">Macintosh OS X Support</a></li>
<li><a class="reference" href="#bug-fixes-for-version-2-1-1" id="id42" name="id42">Bug Fixes for Version 2.1.1</a><ul>
<li><a class="reference" href="#intermittent-access-error-for-cgi-scripts-bug01937" id="id43" name="id43">Intermittent Access Error for CGI Scripts (BUG01937)</a></li>
<li><a class="reference" href="#cpu-utilization-hangs-at-100-on-a-socket-disconnect-bug01865" id="id44" name="id44">CPU Utilization Hangs at 100% on a Socket Disconnect (BUG01865)</a></li>
<li><a class="reference" href="#security-features-can-be-bypassed-by-adding-an-extra-slash-in-the-url-bug01518" id="id45" name="id45">Security Features can be Bypassed by Adding an Extra Slash in the URL (BUG01518)</a></li>
<li><a class="reference" href="#call-to-webssetvar-causes-a-crash-bug01938" id="id46" name="id46">Call to <tt class="literal"><span class="pre">websSetVar</span></tt> causes a crash (BUG01938)</a></li>
<li><a class="reference" href="#remove-stray-semicolon-in-emfdb-c-bug01820" id="id47" name="id47">Remove stray semicolon in <tt class="literal"><span class="pre">emfdb.c</span></tt> (BUG01820)</a></li>
</ul>
</li>
<li><a class="reference" href="#novell-netware-support" id="id48" name="id48">Novell Netware Support</a></li>
<li><a class="reference" href="#copyright-information" id="id49" name="id49">Copyright Information</a></li>
</ul>
</div>
<div class="section" id="id1">
<h1><a class="toc-backref" href="#id2" name="id1">GoAhead WebServer 2.1.8 Release Notes</a></h1>
<dl>
<dt>Release Date:</dt>
<dd>02 Dec 2003</dd>
</dl>
<div class="section" id="problems-with-unicode-build">
<h2><a class="toc-backref" href="#id3" name="problems-with-unicode-build">Problems with Unicode build</a></h2>
<dl>
<dt>Description:</dt>
<dd>Missing T() caused trouble in Unicode build.</dd>
<dt>Fix:</dt>
<dd>Added T() macros.</dd>
</dl>
</div>
<div class="section" id="modified-for-windows-ce-net">
<h2><a class="toc-backref" href="#id4" name="modified-for-windows-ce-net">Modified for Windows CE .NET</a></h2>
<dl>
<dt>Description:</dt>
<dd>Modified to work with Windows CE .NET and eMbedded Visual C++ 4.</dd>
</dl>
</div>
<div class="section" id="bug-with-urls-like-asp">
<h2><a class="toc-backref" href="#id5" name="bug-with-urls-like-asp">Bug with URLs like &quot;&lt;...&gt;.asp/&quot;</a></h2>
<dl>
<dt>Description:</dt>
<dd>URLs ending in &quot;.asp/&quot;, &quot;.asp\&quot;, &quot;.as%70&quot; and other variants made the
WebServer serve Ejscript source code.</dd>
<dt>Fix: </dt>
<dd>Added code to ignore these differences.</dd>
</dl>
</div>
</div>
<div class="section" id="goahead-webserver-2-1-7-release-notes">
<h1><a class="toc-backref" href="#id6" name="goahead-webserver-2-1-7-release-notes">GoAhead WebServer 2.1.7 Release Notes</a></h1>
<dl>
<dt>Release Date:</dt>
<dd>01 Oct 2003</dd>
</dl>
<div class="section" id="added-support-for-the-mocana-ssl-toolkit">
<h2><a class="toc-backref" href="#id7" name="added-support-for-the-mocana-ssl-toolkit">Added support for the Mocana SSL Toolkit</a></h2>
<dl>
<dt>Description:</dt>
<dd>Added support for Mocana Corporation's embedded SSL server</dd>
</dl>
</div>
<div class="section" id="changes-to-dbsearchstring">
<h2><a class="toc-backref" href="#id8" name="changes-to-dbsearchstring">Changes to <tt class="literal"><span class="pre">dbSearchString()</span></tt></a></h2>
<p>Description:</p>
<blockquote>
Pass <tt class="literal"><span class="pre">DB_CASE_INSENSITIVE</span></tt> as the &quot;flags&quot; argument to
dbSearchString() to force a case-insensitive search.</blockquote>
</div>
<div class="section" id="use-memcpy-when-converting-to-from-unicode">
<h2><a class="toc-backref" href="#id9" name="use-memcpy-when-converting-to-from-unicode">Use <tt class="literal"><span class="pre">memcpy()</span></tt> when converting to/from Unicode</a></h2>
<dl>
<dt>Description:</dt>
<dd>The functions <tt class="literal"><span class="pre">uniToAsc()</span></tt> and <tt class="literal"><span class="pre">ascToUni()</span></tt> were using the relatively
slow <tt class="literal"><span class="pre">strncpy()</span></tt> runtime library function.</dd>
<dt>Fix:</dt>
<dd>A new preprocessor macro <tt class="literal"><span class="pre">kUseMemcopy</span></tt> was added to <tt class="literal"><span class="pre">misc.c</span></tt>, and both
functions were recoded to use <tt class="literal"><span class="pre">memcpy()</span></tt> when that macro is defined.
Remove the definition to revert to the earlier code, using <tt class="literal"><span class="pre">strncpy()</span></tt>.</dd>
</dl>
</div>
<div class="section" id="bug-when-using-utf-8-encoded-text-inside-asp-ejscript-blocks">
<h2><a class="toc-backref" href="#id10" name="bug-when-using-utf-8-encoded-text-inside-asp-ejscript-blocks">Bug when using UTF-8 encoded text inside ASP/Ejscript blocks</a></h2>
<dl>
<dt>Description:</dt>
<dd>When reading ASP code containing UTF-8 encoded source text, any characters
encountered having a value &gt; 127 were treated as an error by the parser.</dd>
<dt>Fix:</dt>
<dd>The ring queue code in <tt class="literal"><span class="pre">ringq.c</span></tt> was modified so that it can correctly
handle any character it encounters by casting to unsigned char before
casting back to signed integer.</dd>
</dl>
</div>
<div class="section" id="wrong-error-code-on-invalid-password">
<h2><a class="toc-backref" href="#id11" name="wrong-error-code-on-invalid-password">Wrong error code on invalid password</a></h2>
<dl>
<dt>Description:</dt>
<dd>The WebServer was sending back an inappropriate error code when it received
an incorrect password.</dd>
<dt>Fix:</dt>
<dd>Changed error code returned from <tt class="literal"><span class="pre">405</span></tt> to <tt class="literal"><span class="pre">401</span></tt>. (Thanks to Jay
Chalfant).</dd>
</dl>
</div>
<div class="section" id="windows-ce-net">
<h2><a class="toc-backref" href="#id12" name="windows-ce-net">Windows CE .NET</a></h2>
<dl>
<dt>Description:</dt>
<dd>Removed &quot;compatibility functions&quot; that are directly supported in Windows
CE .NET.</dd>
</dl>
</div>
<div class="section" id="lynx-makefile">
<h2><a class="toc-backref" href="#id13" name="lynx-makefile">LYNX <tt class="literal"><span class="pre">Makefile</span></tt></a></h2>
<dl>
<dt>Description:</dt>
<dd>Corrected problem in LYNX Makefile that prevented OpenSSL from being linked
in correctly.</dd>
</dl>
</div>
</div>
<div class="section" id="goahead-webserver-2-1-6-release-notes">
<h1><a class="toc-backref" href="#id14" name="goahead-webserver-2-1-6-release-notes">GoAhead WebServer 2.1.6 Release Notes</a></h1>
<dl>
<dt>Release Date:</dt>
<dd>25 Mar 2003</dd>
</dl>
<div class="section" id="null-pointer-crash-in-webssafeurl">
<h2><a class="toc-backref" href="#id15" name="null-pointer-crash-in-webssafeurl"><tt class="literal"><span class="pre">NULL</span></tt> pointer crash in <tt class="literal"><span class="pre">websSafeUrl()</span></tt></a></h2>
<dl>
<dt>Description:</dt>
<dd>Passing a NULL pointer into the <tt class="literal"><span class="pre">websSafeUrl()</span></tt> function (as would happen
when the server is processing an invalid URL) crashes the server.</dd>
<dt>Fix:</dt>
<dd>Code modified to check for NULL pointer before performing any string
operations.</dd>
</dl>
</div>