| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
Reported by joerg@.
|
|
|
|
|
|
|
|
|
|
|
|
This is for PR #34808.
No ChangeLog found. Changes include: add ogg mime type, lowercase
some HTML, make it more portable, get directory details using dirent
instead of running "ls".
|
|
change:
This release introduces a changed internal item lookup handling that
changes linear list searches to two step hash map lookups. While this
might improve performance it also can introduce new instabilities.
|
|
|
|
|
|
nspluginwrapper is an Open Source compatibility plugin for Netscape
4 (NPAPI) plugins. It separates the execution environment of the
plugin from the browser, allowing a plugin compiled for one ABI to
be used in a browser compiled for another.
For example the linux 32bit Adobe Flash plugin can be used in a
native Firefox under Linux/x86_64, NetBSD and FreeBSD platforms.
To install the Linux flash player into a native Firefox browser:
- Also install multimedia/ns-flash and multimedia/libflashsupport
- Run "nspluginwrapper -i /usr/pkg/lib/netscape/plugins/libflashplayer.so"
- Run Firefox
This is working at least under NetBSD/i386 4.0_BETA with native and modular
x11.
|
|
Version 7.16.1 [requires libcurl-7.16.1 or better]
--------------
* Added constants for all libcurl (error) return codes. They
are named the same as the macro constants in curl.h but prefixed
with E_ instead of CURLE. Return codes for the multi API are
prefixed with M_ instead of CURLM.
* Added CURLOPT_FTP_SSL_CCC, CURLOPT_SSH_PUBLIC_KEYFILE,
CURLOPT_SSH_PRIVATE_KEYFILE, CURLOPT_SSH_AUTH_TYPES.
* Removed CLOSEPOLICY and friends since this option is now
deprecated in libcurl.
* Set the _use_datetime attribute on the CURLTransport class
to unbreak xmlrpc_curl.py on Python 2.5.
Version 7.16.0 [no public release]
--------------
* Added CURLOPT_SSL_SESSIONID_CACHE.
* Removed SOURCE_* options since they are no longer
supported by libcurl.
Version 7.15.5.1
----------------
* Added test for basic ftp usage (tests/test_ftp.py).
* Fix broken ssl mutex lock function when using
GNU TLS (Debian bug #380156, fix by Bastian Kleineidam)
Version 7.15.5
--------------
* Added CURLOPT_FTP_ALTERNATIVE_TO_USER,
CURLOPT_MAX_SEND_SPEED_LARGE,
and CURLOPT_MAX_RECV_SPEED_LARGE.
Version 7.15.4.2
----------------
* Use SSL locking callbacks, fixes random
crashes for multithreaded SSL connections
(patch by Jayne <corvine at gmail.com>).
Version 7.15.4.1
----------------
* Fixed compilation problem with C compilers
not allowing declarations in the middle of
code blocks (patch by
K.S.Sreeram <sreeram at tachyontech.net>).
* Fixed bug in curl_multi_fdset wrapping,
max_fd < 0 is not an error (patch by
K.S.Sreeram <sreeram at tachyontech.net>).
Version 7.15.4
--------------
* Added support for libcurl shares, patch from
Victor Lascurain <bittor at eleka.net>. See the
file tests/test_share.py for example usage.
* Added support for CURLINFO_FTP_ENTRY_PATH.
Version 7.15.2
--------------
* Added CURLOPT_CONNECT_ONLY, CURLINFO_LASTSOCKET,
CURLOPT_LOCALPORT and CURLOPT_LOCALPORTRANGE.
Version 7.15.1
--------------
2006-01-31 Kjetil Jacobsen <kjetilja>
* Fixed memory leak for getinfo calls that return a
list as result. Patch by Paul Pacheco.
Version 7.15.0
--------------
2005-10-18 Kjetil Jacobsen <kjetilja>
* Added CURLOPT_FTP_SKIP_PASV_IP.
Version 7.14.1
--------------
2005-09-05 Kjetil Jacobsen <kjetilja>
* Added CURLOPT_IGNORE_CONTENT_LENGTH, CURLOPT_COOKIELIST as
COOKIELIST and CURLINFO_COOKIELIST as INFO_COOKIELIST.
Version 7.14.0
--------------
2005-05-18 Kjetil Jacobsen <kjetilja>
* Added missing information returned from the info() method
in the high-level interface.
* Added the FORM_FILENAME option to the CURLFORM API
with HTTPPOST.
Version 7.13.2
--------------
2005-03-30 Kjetil Jacobsen <kjetilja>
* Unbreak tests/test_gtk.py and require pygtk >= 2.0.
2005-03-15 Kjetil Jacobsen <kjetilja>
* Cleaned up several of the examples.
2005-03-11 Kjetil Jacobsen <kjetilja>
* WARNING: multi.select() now requires the previously optional
timeout parameter. Updated the tests and examples to reflect
this change. If the timeout is not set, select could block
infinitely and cause problems for the internal timeout handling
in the multi stack. The problem was identified by
<unknownsoldier93 at yahoo.com>.
Version 7.13.1
--------------
2005-03-04 Kjetil Jacobsen <kjetilja>
* Use METH_NOARGS where appropriate.
2005-03-03 Kjetil Jacobsen <kjetilja>
* Added support for CURLFORM API with HTTPPOST: Supports a
a tuple with pairs of options and values instead of just
supporting string contents. See tests/test_post2.py
for example usage. Options are FORM_CONTENTS, FORM_FILE and
FORM_CONTENTTYPE, corresponding to the CURLFORM_* options,
and values are strings.
2005-02-13 Markus F.X.J. Oberhumer <mfx>
* Read callbacks (pycurl.READFUNCTION) can now return
pycurl.READFUNC_ABORT to immediately abort the current transfer.
* The INFILESIZE, MAXFILESIZE, POSTFIELDSIZE and RESUME_FROM
options now automatically use the largefile version to handle
files > 2GB.
* Added missing pycurl.PORT constant.
Version 7.13.0
--------------
2005-02-10 Kjetil Jacobsen <kjetilja>
* Added file_upload.py to examples, shows how to upload
a file.
* Added CURLOPT_IOCTLFUNCTION/DATA.
* Added options from libcurl 7.13.0: FTP_ACCOUNT, SOURCE_URL,
SOURCE_QUOTE.
* Obsoleted options: SOURCE_HOST, SOURCE_PATH, SOURCE_PORT,
PASV_HOST.
Version 7.12.3
--------------
2004-12-22 Markus F.X.J. Oberhumer <mfx>
* Added CURLINFO_NUM_CONNECTS and CURLINFO_SSL_ENGINES.
* Added some other missing constants.
* Updated pycurl.version_info() to return a 12-tuple
instead of a 9-tuple.
Version 7.12.2
--------------
2004-10-15 Kjetil Jacobsen <kjetilja>
* Added CURLOPT_FTPSSLAUTH (and CURLFTPAUTH_*).
* Added CURLINFO_OS_ERRNO.
2004-08-17 Kjetil Jacobsen <kjetilja>
* Use LONG_LONG instead of PY_LONG_LONG to make pycurl compile
on Python versions < 2.3 (fix from Domenico Andreoli
<cavok at libero.it>).
|
|
|
|
|
|
gitweb provides an easy to use and full-fledged web interface to
your Git repositories. It allows users to browse the contents of
all served projects, including the ability to inspect individual
files and their history for any of the available branches.
|
|
hotfix's content without chaging its name.
- Correct MASTER_SITES.
|
|
in README.txt.
|
|
|
|
equivalent functionality in recent versions of tomcat and the JSP standard.
Mark them as BROKEN= to see if anyone is using them. They will go away soon.
|
|
go away -- I have real doubts that a version 1.1 jdk and the accompanying
swing are any use to anyone, but am not sure the newer stuff we have
supports all ports which are supported by lang/jdk.
|
|
http://www.zope.org/Products/Zope/Hotfix-2007-03-20/
Bump PKGREVISION.
|
|
version:
* Security update: MFSA 2007-11 (FTP PASV port-scanning) has been fixed.
* Website Compatibility: Fixed various web compatibility regressions.
For more info, see http://www.mozilla.com/en-US/firefox/2.0.0.3/releasenotes/
|
|
* Security update: MFSA 2007-11 (FTP PASV port-scanning) has been fixed.
* Website Compatibility: Fixed various web compatibility regressions.
For more info, see http://www.mozilla.com/en-US/firefox/releases/1.5.0.11.html
|
|
- default it to off
|
|
|
|
This fixes a DoS security problem.
http://www.squid-cache.org/Advisories/SQUID-2007_1.txt
Changes to squid-2.6.STABLE12 (Mar 20 2007)
- Assertion error on TRACE
|
|
|
|
------
v3.1.4
------
[jan] SECURITY: Correctly quote file names in cleanup script for temporary
files.
[jan] Fix RPC authentication on CGI SAPIs.
[jan] Detect unencrypted PGP messages.
----------
v3.1.4-RC1
----------
[jan] SECURITY: Fix an XSS vulnerability in the language selection.
[jan] Complete Cyrus virtual domain support in cyrsql driver (Vilius Sumskas
<vilius@lnk.lt>, Request #4967).
[jan] Add option whether to strip domains from usernames in the account block
(Request #4955).
[jan] Fix email lists not being validated under certain conditions (Bug #4834).
[cjh] Add a REST-ful preferences interface.
[cjh] Faster DataTree-to-SQL History migration script
(josh@endries.org, Request #4732).
[cjh] Improved automatic webroot detection (Ben Klang, Request #4126).
[cjh] Rewrite and fix the OCI8 SessionHandler (Bug #3452).
[cjh] Allow signup hooks to override the user_name and password fields
(thomas@gelf.net, Request #2904).
[cjh] Fix creation of mailbox quotas by the Auth_cyrus driver
(pascal@vmfacility.fr, Bug #4678).
[cjh] Add "Save and Finish" to the share edit window (webmgr@muskingum.edu,
Request #4307).
[cjh] Let mailto: and anchor (#) links through Horde::externalUrl (Bug #3079).
[cjh] Add smbclient version of the SMB Auth class (larry@wimble.biz,
Request #4338).
[cjh] Remove problematic "data descriptor" segment from generated ZIP files
(reitsma@denison.edu, Bug #4670).
[cjh] Strip accesskeys from menu tooltips when only showing icons (Bug #4667).
[jan] Fix saving files in the root directory of an SQL VFS backend (Bug #4652,
Ben Klang <ben@alkaloid.net>).
[jan] Fix displaying all maintenance tasks to be confirmed at once (Bug #4377).
[cjh] Fix return format of DataTree_null::getByAttributes()
(thomas.jarosch@intra2net.com, Bug #4651).
[jan] Support departments in vCard's ORG properties (martin@matuska.org,
Request #4285).
[cjh] Rename Auth_sasl backend to Auth_peclsasl to avoid conflicts with PEAR's
Auth_SASL (Bug #4547).
[cjh] Implement handling of vTimezones in iCalendar data
(Carl Thompson <lists-horde@carlthompson.net>, Bug #4399).
[cjh] keybindings.js now works with Safari/KHTML.
[jan] Avoid recursive folder creation when sharing Kolab folders
(michael.sheldon@credativ.de, Bug #4325).
[jan] Add Kolab specific account block driver to support special Kolab users
(mzizka@hotmail.com, Request: #4119).
[mms] Only dim below the last signature line of input text in the dimsignature
Text_Filter driver.
|
|
Changes to squid-2.6.STABLE11 (Mar 17 2007)
- Bug #1915: assertion failed: client_side.c:4055: "buf != NULL ||
!conn->body.request"
- Handle garbage helper responses better in concurrent protocol format
- Fix kqueue when overflowing the changes queue
- Make sure the child worker process commits suicide if it could
not start up
- Don't log short responses at debug level 1
- Fix bswap16 & bwsap32 error on NetBSD
- Fix collapsed_forwarding for non-GET requests
|
|
Changes:
* Depend on Action Pack 1.13.3
|
|
Changes:
* Apply [5709] to stable.
* session_enabled? works with session :off.
* Performance: patch cgi/session to require digest/md5 once rather than per
#cre ate_new_id.
|
|
4.20 - Monday, December 4, 2006
* INTERNAL: No Changes since 4.20_1. Declaring stable.
4.20_1 - Friday, November 24, 2006
* FIX: -ip_match now works even when it's not the last import item. (RT#21779)
* FIX: In the PostgreSQL driver, a race condition is when storing is now worked around. (Mark Stosberg)
* FIX: Added important clarification and example to MySQL driver docs that the session column
needs to be defined as a primary key to avoid duplicate sessions. (Justin Simoni, Mark Stosberg)
* FIX: The default serializer now works correctly with certain data structures. (RT#?) (Matt LeBlanc)
* FIX: A documentation bug in find() was fixed (Matt LeBlanc)
* FIX: Documented how to declare a database handle to be used on demand, which was introduced
in 4.04. (Mark Stosberg)
* FIX: Connections made with SQLite now disconnect only when appropriate, instead of always.
This addresses a symptom seen as "attempt to prepare on inactive database handle"
(Jaldhar Vyas, Sherzod, Mark Stosberg)
* FIX: Args to the constructor for CGI::Session and the drivers are now always shallow
copied rather than used directly, to prevent modification.
(RT#21952, Franck Porcher, Sherzod, Mark Stosberg)
* FIX: The documentation for expire($param, $time) was made more explicit
(pjf, Mark Stosberg)
* NEW: Added recommended use of flush() to the Synopsis (Michael Renner, RT#22333)
* NEW: Added links to Japanese translations of the documentation (Makio Tsukamoto)
http://digit.que.ne.jp/work/index.cgi?Perldoc/ja
* INTERNAL: Update test to workaround YAML versions less than 0.58. (Matt LeBlanc)
* INTERNAL: param() code was refactored for clarity (Mark Stosberg, Ali ISIK, RT#21782)
* INTERNAL: new() and load() were refactored (Ali Isik)
* INTERNAL: renamed some environment variables used for testing (Ron Savage)
* INTERNAL: Multi key-value syntax of param() now always returns number of keys
successfully processed, 0 if no key/values were processed.
4.14 - Sunday, June 11, 2006
* NEW: The find() command now has better documentation. (Ron Savage, Matt LeBlanc)
* FIX: find() no longer changes the access or modified times (RT#18442) (Matt LeBlanc)
* FIX: param() called with two parameters now returns the value set, if any (RT#18912) (Matt LeBlanc)
* FIX: driver, serializer, and id generator names are now untainted (RT#18873) (Matt LeBlanc)
* INTERNAL: automatic flushing has been documented to be unreliable, although
it was recommended in the past. Automatic flushing can be affected adversely
in persistent environments and in some cases by third party software. There are
also some cases in which flushing happened automatically in 3.x, but quit working
with 4.x. See these tickets for details.
http://rt.cpan.org/Ticket/Display.html?id=17541
http://rt.cpan.org/Ticket/Display.html?id=17299
4.13 - Wednesday, April 12, 2006
* FIX: Applied patch to fix cookie method (RT#18493,Nobuaki ITO)
* FIX: Berkeley DB 1.x exhibits a bug when used in conjunction with O_NOFOLLOW. Because of this,
we've removed it from the db_file driver. It will still attempt to stop symlinks but the
open itself has dropped the flag. (Matt LeBlanc)
* FIX: json and yaml db_file tests now check for the presence of DB_File. (Matt LeBlanc)
4.12 - Friday, April 7, 2006
* SECURITY: Fix possible SQL injection attack. (RT#18578, DMUEY)
4.11 - Friday, March 31, 2006
* FIX: Since 4.10, using name() as a class method was broken. This has
been fixed, and regression tests for both uses have been added. (Matt LeBlanc)
4.10 - Tuesday, March 28, 2006
* SECURITY: Hopefully this settles all of the problems with symlinks. Both the file
and db_file drivers now use O_NOFOLLOW with open when the file should exist and
O_EXCL|O_CREAT when creating the file. Tests added for symlinks. (Matt LeBlanc)
* SECURITY: sqlite driver no longer attempts to use /tmp/sessions.sqlt when no
Handle or DataSource is specified. This was a mistake from a security standpoint
as anyone on the machine would then be able to create and therefore insert data
into your sessions. (Matt LeBlanc)
* NEW: name is now an instance method (RT#17979) (Matt LeBlanc)
4.09 - Friday, March 16th, 2006
* SECURITY: Applying security patch from: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=356555 (Julien Danjou)
4.08 - Thursday, March 15th, 2006
* FIX: DESTROY was sometimes wiping out exception handling. RT#18183, Matt LeBlanc.
* SECURITY: Resolve some issues in: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=356555
- db_file and file now check for symlinks either explicitly or by using O_EXCL on sysopen
- file creation umask defaults to 660
* NEW: db_file and file drivers now accepts a UMask option. (Matt LeBlanc)
* INTERNAL: test suite clean up (Tyler MacDonald)
|
|
VERSION 3.0301
This is a bugfix release to repair these main items:
- optgroups bugfix for complex arrays
- removal of HTML::Entities support due to utf8 issues
- new es_ES Messages module with better translations
- a patch from Mark Hedges to enable plugin modules for mailresults()
The rest of the features remain the same as below.
VERSION 3.03
Subclassable Fields
Each field is now rendered by its own class, named for the field type.
For example, text fields are rendered by
"CGI::FormBuilder::Field::text". This allows you to create custom field
types and plugging them in by creating your own
"CGI::FormBuilder::Field::whatever_you_want" module. Thanks to Peter
Eichman for his contributions to this scheme.
Messages Localization
All messages are now handled in a similar way to field types: They are
delegated to "CGI::FormBuilder::Messages::locale" where "locale" is the
appropriate string such as "en_US" or "da_DK". A number of localizations
are included as part of the standard distribution.
There are two ways to use these messages: Either the 'auto' messages
mode or by specifying a specific locale:
my $form = CGI::FormBuilder->new(messages => 'auto'); # check client
my $form = CGI::FormBuilder->new(messages => ':da_DK'); # specified
You can create your own messages by copying "_example.pm" and modifying
it for your language. When using messages in this way, the HTTP Charset
is changed to "utf-8".
Select optgroup support
By using the "field()" option "optgroups", you can now cause select
fields to automatically generate optgroup tags:
$form->field(name => 'browser', options => \@opt, optgroups => 1);
See the documentation on "optgroups" for more details.
Data::FormValidator Support
Thanks to another great patch from Peter Eichman, "Data::FormValidator"
is supported as a validation option to "new()", just by passing it in as
an object. See the documentation on "validate" for more information.
Option sorting by LABELNAME or LABELNUM
You can now sort options by "LABELNAME" or "LABELNUM", similar to the
value-based sorting of "NAME" and "NUM". See the documentation for more
details.
XHTML Compliance
Generated code now validates against <http://validator.w3.org>. This
includes stuff like lowercase "get" and "post" methods, lowercase
"onchange" and "onsubmit" actions, and so on.
|
|
Version 3.27
1. Applied patch from Steve Taylor that allows checkbox_groups to be
disabled with a new -disabled=> option.
Version 3.26
1. Fixed alternate stylesheet behavior so that it is insensitive to order of declarations.
2. Patch from John Binns to allow users to provide a callback to CGI::Carp.
3. Added "~" as an unreserved character in escape().
4. Patch from Chris Fedde to prevent HTTP_HOST from inhibiting SERVER_PORT in url() generation.
5. Fixed outdated documentation (and behavior) of -language in start_html -script option.
6. Fixed bug in seconds calculation in CGI::Util::expire_calc.
Version 3.25
1. Fixed the link to the Netscape frames page.
2. Added ability to specify an alternate stylesheet.
3. Add support for XForms POST submssion both as application/xml or as multipart/related
Version 3.24
1. In startform(), if request_uri() returns undef, then falls back
to self_url(). This should rarely happen except when run outside of
the CGI environment.
2. image button alignment options were mistakenly being capitalized, causing xhtml validation to fail.
Version 3.23
1. Typo in upload() persisted, now fixed for real. Thanks to
Emanuele Zeppieri for correct patch and regression test.
Version 3.22
1. Typo in upload() function broke uploads. Now fixed (CPAN bug 21126).
Version 3.21
1. Don't try to read data at all when POST > $POST_MAX.
2. Fixed bug that caused $cgi->param('name',undef,'value') to unset param('name') entirely.
3. Fixed bug in which upload() sometimes returns empty. (CPAN bug #12694).
4. Incorporated patch from BURAK@cpan.org to support HTTPcookies (CPAN bug 21019).
|
|
|
|
or the www/seamonkey/gecko-*.mk - Brian de Alwis
|
|
Changes since 1.0.6:
Bluefish 1.0.7 (05 November 2006)
---------------------------------
- Updated translations: French, Japanese.
- Adds datarootdir to all Makefile.in to avoid warnings with autoconf 2.60
- Fixes application/bluefish-project MIME type icon name
- Fixes Tcl highlighting
- Fixes a bug when trying to save a file with a new install and a file has
never been opened or a project is not open. Closes bug #360401.
- Fix a bug where Bluefish would crash when deleting multiple bookmarks.
- Fix a bookmark memory leak
- Fix a bug where the editor tab was incorrectly displayed when moving a
document to another window.
- README: more complete README
|
|
Trac-0.10.3.1-ja-1 (Mar 12, 2007)
* Merge trac-0.10.3.1
* Translate Messages into Japanese.
* trac/attachment.py
* trac/versioncontrol/web_ui/browser.py
* Fixes unified diff download error.
* trac/versioncontrol/web_ui/changeset.py
* Update to current statement.
* README.trac-ja
Trac 0.10.3.1 (March 8, 2007)
http://svn.edgewall.org/repos/trac/tags/trac-0.10.3.1
Trac 0.10.3.1 is a security release:
* Always send "Content-Disposition: attachment" headers where potentially
unsafe (user provided) content is available for download. This behaviour
can be altered using the "render_unsafe_content" option in the
"attachment" and "browser" sections of trac.ini.
* Fixed XSS vulnerability in "download wiki page as text" in combination with
Microsoft IE. Reported by Yoshinori Oota, Business Architects Inc.
|
|
changes:
-minor cleanup and bugfixes
-minor UI improvements
-translation updates
|
|
change (keeping BUILDLINK_ABI_DEPENDS bump).
|
|
|
|
Based on package provided by David Rankin in PR 33249.
This is Kwiki plugin to allow Apache to use Kwiki via ModPerl (1 or 2).
|
|
* Fix buffer under-read in URI parser (Laszlo Boszormenyi, CVE-2007-0157)
* Fix regression in handling of "attempt" argument passed to auth callbacks;
ensure the value only increments for each invocation of the callback
* Fix handling of "nextnonce" parameter in Digest authentication
Changes 0.26.2:
* Fix error reported for LOCK responses lacking a Lock-Token header.
* Use Libs.private in neon.pc for newer versions of pkg-config.
* Build fix for platforms without libintl.h.
* Build fixes for MinGW.
* Build fix for h_errno detection on HP-UX 10.
* Win32: enable debugging; build fixes with some SDKs.
Changes 0.26.1:
* Build fixes for Win32 (D.J. Heap) and OS X.
* Add Simplified Chinese translation
Changes in release 0.26.0:
* Added internationalization support:
* Added support for GnuTLS
* Changes and additions to URI support:
* Changed results callbacks for ne_lock_discover, PROPFIND interfaces:
* Added functions which give control over authentication protocol use:
* Added ne_unhook_* functions to remove hooks
* Added ne_set_session_flags()/ne_get_session_flags() functions:
* Added ne_set_request_flags()/ne_get_request_flags() functions:
* Change ne_md5.h interface to make struct ne_md5_ctx opaque:
* Fixed ne_get_range(), added ne_get_range64()
* Removed NE_FREE() macro from ne_alloc.h
* Added ne_strcasecmp(), ne_strncasecmp(), ne_tolower() functions
* Changed ne_sock_init()/ne_sock_exit() such that ne_sock_exit()
* Added "--enable-threadsafe-ssl=posix" configure flag, to enable
* The manual is now licensed under the GPL rather than the GFDL
|
|
libraries. no PKGREVISION bump as the module is not built by default.
needed for upcoming new php-oracle package.
|
|
|
|
Packaged by David Rankin and provided in PR 33248.
Kwiki plugin to archive pages using CVS.
(This package includes the http://www.kwiki.org/?PatchKwikiArchiveCvs patches
to make Kwiki::Archives::Cvs work with Kwiki::Revision.)
|
|
Trac 0.10.3.1 (March 8, 2007)
http://svn.edgewall.org/repos/trac/tags/trac-0.10.3.1
Trac 0.10.3.1 is a security release:
* Always send "Content-Disposition: attachment" headers where potentially
unsafe (user provided) content is available for download. This behaviour
can be altered using the "render_unsafe_content" option in the
"attachment" and "browser" sections of trac.ini.
* Fixed XSS vulnerability in "download wiki page as text" in combination with
Microsoft IE. Reported by Yoshinori Oota, Business Architects Inc.
|
|
1.22 Fri Mar 2 00:05:57 CST 2007
[INTERNALS]
Added new tests.
Added Perl::Critic changes and a perlcriticrc file.
1.21_04 Sat Oct 7 21:35:42 CDT 2006
[FIXES]
* $mech->content( type => 'text' ) was not freeing memory. Thanks to
Cat Okita for finding it.
[INTERNALS]
* Made the order of parms to $mech->content() not relevant.
1.21_03 Sat Oct 7 01:21:46 CDT 2006
[THINGS THAT MAY BREAK YOUR CODE]
* The methods $mech->form() and $mech->follow() have been removed.
They've been deprecated since 1.10, which was released in Feb 2005.
[ENHANCEMENTS]
* I'm trying to nail down what seems to be a memory leak on long-running
Mech programs. I'm stringifying URI::URL objects wherever I can.
[INTERNALS]
* No longer uses UNIVERSAL.
1.21_02 Wed Oct 4 13:14:30 CDT 2006
[ENHANCEMENTS THAT MAY BREAK YOUR CODE]
* The $mech->stack_depth() setting had no way to say "don't cache any
pages at all". How silly!
Now, if you set $mech->stack_depth(0), no history of pages will be kept.
In the past, it would mean "Keep all pages." This means that if you want
to set it to keep all pages, set it to some ridiculously large number.
[DOCUMENTATION]
* The docs previously refered to Compress::Gzip instead of Compress::Zlib.
1.21_01 Mon Sep 18 17:18:43 CDT 2006
[ENHANCEMENTS]
* If Compress::Zlib is installed, gzipped content is now
accepted and transparently decoded. No additional syntax needed!
This should save time and bandwidth in a number of cases.
(Mark Stosberg)
* Added a put() method. It also calls a subfunction called
_SUPER_put that will be removed once LWP::UserAgent supports put().
|
|
"gettext" versions (e.g. under NetBSD-i386 3.1_STABLE).
|
|
New features (some are compile-time options):
* INFO and Options pages are laid out properly for multibyte locales,
accounting for character widths.
* change configure option default for --enable-justify-elts to true.
Change default for JUSTIFY to "false".
* add PREFERRED_ENCODING to lynx.cfg, along with an options-menu
selection for this, to set "Accept-Encoding:" string
* add PREFERRED_MEDIA_TYPES to lynx.cfg, corresponding to the option for
HTFilterPresentations(). A minimal set of media types is used by
default, though the old behavior can be selected
* add -nonumbers option, which modifies the output of -dump to suppress
the link-numbering
* add -listonly option, which modifies the output of -dump to show only
the list of links
* add -syslog-urls option and lynx.cfg settings (SYSLOG_TEXT,
SYSLOG_REQUESTED_URLS) to allow syslog'ing of URLs to be optional.
This cannot be set from the options menu
* the -version option shows the version of ncurses, curses, etc., from
runtime data when available.
* add -notitle option to suppress title line and following blank line to
maximize screen use for small displays
* add -nomargins option to suppress left/right margins to maximize
screen use for small displays
* add NO_MARGINS and NO_TITLE to lynx.cfg
* add NESTED_TABLES setting to lynx.cfg to allow site override of the
built-in default
* add DEFAULT_COLORS item to lynx.cfg to allow disabling the default
colors feature at runtime, allowing better matching of old color
scheme via a script
* add -stderr option to write error messages when doing a -dump -or
-source. Normally these are written to the status line but that does
not exist when dumping to standard output
* add configure --enable-largefile / --disable-largefile options.
* add --enable-widec configure option to allow building lynx without
wide character support using ncursesw, to accommodate users with older
releases of ncurses
Other enhancements:
* improve SSL support:
* updated README.sslcerts
* update CF_GNUTLS macro to look for -lgnutls-openssl as well as
the older -lgnutls-extra library
* modify HTLoadHTTP() to interpret leading asterisks in common name
fields as wildcards
* suppress OpenSSL URL from version message if it happens to be
built using GNU TLS (or other libraries which happen to define
symbols to pretend they are OpenSSL).
* improve HTML interpretation:
* fix function, which was checking for the absence only of some
nonstandard encodings (8bit, 7bit, binary) rather than for the
presence of the encodings as specified in RFC 2068 (gzip,
compress, etc). This makes lynx able to view a site which puts
the charset as the Content-Type
* add "deflate" to the encoding types which lynx implements. This
consists of several parts
* adapted logic from w3m's inflate.c to construct an internal
"deflate" decompressor. Tested this with
http://carsten.codimi.de/gzip.yaws/
* add "deflate" to the options menu.
* modify logic that builds "Accept-Encoding" value to omit
encodings which have no external decompressor associated.
The effect of this change is to allow lynx to behave as it
did before adding the (possibly incomplete) "inflate"
support.
* add INFLATE_PATH to lynx.cfg, to optionally specify an
external program which can be used to decompress deflated
files. For testing, a shell script using w3m's utility,
e.g., /usr/lib/w3m/inflate, sufficed. NOTE: As currently
implemented, lynx requires the external decompression
programs to be specified even if it can decompress using
library calls.
* use ".zz" for suffix of downloaded (but not inflated)
deflated files, mapped to application/deflate and
application/x-deflate.
* modify source-view toggle to keep the current anchor visible.
Toggling source view may change the line number on which the
anchor is found, requiring some adjustment. This feature is
implemented only for source cached pages
* fixes to source-view of ftp:// and file:// URLs, i.e., eliminate
redundant PRE's, add DOCTYPE and meta tags
* correct parsing of embedded URLs which have parameters but no
path, e.g., base
http://wj55.org/Minutes.php
and embedded
?date_meeting=2004-08-31
* add presentation type for application/xml and text/xml mime types
as per
http://www.w3.org/TR/xhtml-media-types/
http://www.w3.org/TR/2002/NOTE-xhtml-media-types-20020801
which states that they may be used, though application/xhtml+xml
is the preferred media type
* add presentation type for application/xhtml+xml mime type as per
RFC 3236
* add presentation for text/css, to allow browsing ".css" files
* force a newline in HTML_end_element() after a </pre>, which
causes lines containing only whitespace before the </pre> to
display a new line, rather than putting that whitespace before
text that follows the </pre>
* following a link consisting of a "#" fragment will move the
cursor to the link containing the target rather than simply
ensuring that it is visible
* improvements to character sets and display:
* new message files for localization: rw.po, vi.po
* updated message files for localization: cs.po, da.po, de.po,
et.po, fr.po, hu.po, nl.po, pt_BR.po, sv.po, tr.po
* use puts() rather than printf() in some messages to avoid chance
of "%" in the translation
* modify HTConfirmCookie() to ensure the translator's note is
copied into the lynx.pot file, by adding a gettext("Y/N/A/V")
call after the comment
* improve layout of options-menu and info-page for multibyte
character sets by computing the extent of the labels. This works
only for wide-character curses.
* add ISO-8859-13 and ISO-8859-14 chrtrans tables, revise
ISO-8859-10 based on
http://czyborra.com/charsets/iso8859.html
Change display name for ISO-8859-10 to indicate the region
* improve checking if the current character set does not match the
character set inferred from the locale. This reduces the number
of cases where line-drawing in the options menu does not work
* improve recovery when a charset is found that cannot be
translated. Before this change, the charset was not stripped from
the format string, e.g.,
text/html; charset=big5
and since there would be no match for the format, lynx would
offer to simply download the page (if interactive), or refuse to
format (for dumps). Although the content of the page is unusable,
the user can still navigate the page using the links which may be
there
* modify logic for locale_charset configuration variable so it is
not modified simply by saving the .lynxrc while in running in a
non-locale configuration. That does not alter the display charset
used by lynx
* improve workaround for line-drawing characters with
font-switching by checking if the loaded font has line-drawing
characters in the same positions as the terminal description,
rather than simply ignoring line-drawing when the codeset differs
* workaround for codepage support on OS/2 by changing the effect of
unctrl(). Add/use new preferred function use_legacy_coding() to
ncurses which provides the same effect with the wide-character
ncursesw
* improve def7_uni.tbl substitutions for the symbols beginning at
U+2600
* add experimental option --enable-japanese-utf8 for using libiconv
for Japanese and UTF-8
* improvements to color-style:
* change configure script --enable-color-style so it is enabled by
default
* add COLOR_STYLE setting to lynx.cfg
* change default initialization of color-style code when no lss
file is given to simulate the non-color-style code. There are
some visual differences, e.g., links that contain a mixture of
styles will display with mixed colors, but overall the visual
effect matches the non-color-style code well enough to change the
default configuration. If an empty string is given for the lss
filename, this is treated as an empty style file, and lynx will
not use its built-in default color style. To make the behavior
easier to diagnose, lynx will now exit with an error if it cannot
find the lss file.
* improve interaction with user:
* highlight the target and pause for 20 milliseconds when selecting
a link with the mouse
* modify behavior when user attempts to toggle a radiobutton off,
to make the message that one radio button must be selected only
in novice mode
* modify column limits, allowing text to be written to the last
column on the screen. This allows users to view text which is
formatted for 80 columns without the last character of each line
wrapping to the next line
* prompt user, displaying the command that would be executed, to
confirm that it should be. This makes it easier to notice when a
local program would be run by activating a lynxcgi link. This is
not done in advanced mode, since the URL is already visible in
the status line
* modify HTSaveAndExecute() to check first for result from
HTFileSuffix() before choosing between BIN_SUFFIX and
HTML_SUFFIX. This allows the PDF viewer on OS X to get the proper
suffix (.pdf) rather than .bin
* add check for failure to write to disk, e.g., on disk full, and
report error condition via HTAlert()
* modify suggested_filename() to strip bzip2's ".bz2" suffixes as
well as ".zz" suffixes
* modify INFO-page to list the rendered size in bytes if the
Content-Length is not available
* print the contents of image maps, if any, at the end of a dump
* command-line options that toggle or set a boolean now accept
"true" and "false" strings.
* improve interaction with other programs:
* strip special characters such as '%' from parameters passed to
external programs for EXTERNAL mechanism on Windows platform.
This is ifdef'd with WIN_EX
* improve cookie support:
* modify HTConfirmCookie() and statusline() to allow cookie prompt
message in Japanese to not be truncated when using wide-curses
* make the maximum number of cookies configurable in lynx.cfg,
added MAX_COOKIES_DOMAIN, MAX_COOKIES_GLOBAL and
MAX_COOKIES_BUFFER
* improvements to debug/traces:
* use symbol USE_VERTRACE in HTUtils.h to allow makefiles that do
not use the configure script to turn on the equivalent --enable
vertrace feature
* improvements to scripting/logging:
* make "lynx -version" work in the absence of ".cfg" or ".lss"
files
* modify print_wwwfile_to_fd() and print_crawl_to_fd() to ensure
that no trailing blanks are written in a -dump, etc.
* correct parsing of "key 0xNN" lines in command-scripts, had
omitted a "!" to invert a check
* modify initialization so that
cat options.txt | lynx -
will allow interactive use
* other improvements:
* modify logic for -dump so it can dump all pages listed on the
command line
* lynx accepts multiple URLs on the command line; all are added to
G)oto history. Documented this in manpage
* add (ifdef'd with EXP_HTTP_HEADERS) code to display the full text
of the HTTP headers in the INFO page.
* modify treatment of symbolic links for ftp-URLs to show the link
target, as with the local directory editor
* correct sort-order of local directory listing, using the target
of a symbolic link to determine whether it is grouped with files
or directories
* modified mailcap command and testcommand substitutions to provide
for running the testcommand's after program initialization
* read user's ".newsauth" file for news-server authentication
information
* escape "From " when it appears in a page which is mailed, to
avoid confusing mail clients
* add "Anonymous FTP Password" to Options menu, to allow user to
override use of personal email address as the anonymous ftp
password
New/improved sample files:
* add script samples/oldlynx, which gives the non-color-style scheme
using an executable built for color-style
* add scripts/tbl2html.pl, which can be used to generate test pages for
the charsets from src/chrtrans/*.tbl
* add test/special_urls.html
* modify ".lss" files to work equally well on terminals setup with white
text on black background, or the reverse. This also required fixing a
few places in LYsubwindow() and curses_w_style() to make window
backgrounds use the colors given in the ".lss" default- and
normal-colors lines
* make ".lss" example files somewhat readable by modifying parser to
remove blanks from the color description lines and modifying the
example files to use this feature
New ports:
* none
(it seems to run everywhere, but there are a few possibilities)
Improvements to existing ports:
* UNIX:
* improve configure script macro CF_XOPEN_SOURCE, ensuring that
_POSIX_C_SOURCE is defined with a value.
* revise configure script check whether _POSIX_C_SOURCE should be
defined, taking into account the _POSIX_SOURCE definition
* Linux:
* add codepage 857 (DOSTurkish), since console-tools package
provides a suitable font
* update Linux console font support to use console-tools package.
The configure script checks for consolechars and setfont programs
(must find at least one). The corresponding SETFONT_PATH can be
set in lynx.cfg to provide a choice between the two
* modify configure script to check for Intel compiler 8.0 (and
9.0).
* some others [stripped]
Improvements for maintainability and testing:
* remove macros such as ARGS1, NOPARM which supported K&R compilers
* make ANSI C required, drop support for K&R C.
* add scripts/indent.sh, use this to reindent C source files
* add tags rules to makefile.in's
* modify makefile.in to ensure that scripts are prefixed with $(SHELL),
in case packager has stripped executable permissions from scripts,
e.g., by using CVS
* modify configure script and makefiles to allow cross-compiling
* add --with-system-type option to configure script to simplify testing
the case-statements involving $host_os
* change configure script to put the ".cfg" and ".lss" files by default
in the --sysconfdir, e.g., $prefix/etc, and the help-files in lynx_doc
and lynx_help directories under --datadir, e.g.,
$prefix/share/lynx_doc, $prefix/share/lynx_doc. To obtain the old
behavior, use configure --sysconfdir=/usr/local/lib
--datadir=/usr/local/lib
* add configure options --with-cfg-file and --with-lss-file to allow one
to specify the names and paths of the default configuration and
color-style files
* filter out obsolete URLs from the customizations saved during install
of lynx.cfg
* rename test/iso8859-1.html and test/iso88592.html to
test/iso-8859-1.html and test/isoi-8859-2.html, corresponding to the
proper MIME names to simplify test-scripts
* update test/iso8859-1.html (minor fixes) from
http://www.ramsch.org/martin/uni/fmi-hp/iso8859-1.html
* applied lynx's changes to updated files from ftp.unicode.org to take
advantage of less restrictive copyright
As well as security-related changes:
* eliminate fixed-size buffers in HTrjis() and related functions to
avoid potential buffer overflow in nntp pages
* eliminate fixed-size buffers in LYExpandHostForURL() to guard against
buffer overflow resulting from too-long domain prefix/suffix data from
lynx.cfg
* reduce TRST_MAXROWSPAN and TRST_MAXCOLSPAN to 200, which is more
plausible than 10000 by 1000.
* limit TEXTAREA columns to the screen width, and rows to 3 times the
screen height.
And finally:
* A lot of bug fixes
* A lot of documentation changes.
* A lot of dead code removed
|
