0.1 - Original sh-httpd by grendel@vip.net.pl http://jester.vip.net.pl:8081/ 0.2 - Charles Steinkuehler Initial CGI support Support for npf- and 'standard' CGI scripts CGI Status and Location response headers unparsed No POST support 0.3 - Charles Steinkuehler General cleanup Fixed some CGI stuff Improper handling of SCRIPT_ALIAS without extra path info Added command line argument support Status, Location, and Content-type headers are now parsed. All other headers are passed through to the client. Added protection against 'directory walking' outside DOCROOT Restricted characters allowed in URL's and CGI command line args Full text still passed to CGI in QUERY_STRING 'Fancy' error pages access based on client IP addresses Connection is immediately closed, and no data is read or sent if the remote IP does not match one of the prefixes in CLIENT_ADDRS. Leaving CLIENT_ADDRS unset allows world access Add CGI timeout & kill CGI processes when aborting If the CGI script does not complete within TIMEOUT seconds, it is sent a termination signal (SIGTERM -15). If it hangs around for more than 5 seconds after that, it is send an unblockable kill signal (SIGKILL -9). Temporary files to store the CGI output are removed, and a 500 'Internal Server Error' response is sent to the client. mime-type file(s) now supported 0.4 - Charles Steinkuehler General Cleanup All indents use tabs Use $param instead of ${param} where possible Last-modified header added Not generated for CGI scripts HEAD method supported Bug Fixes REMOTE_ADDR check failed if the entire address was specified Directories were returned as a file (instead of error message) if URL pointing to directory matched SCRIPT_ALIAS TODO: POST method I'm not really worried about this, as support for 'post' would only make folks try to use this as a configuration gateway, for LRP, and I really don't think it's secure enough for that.