2016-02-23 23:18 UTC+0100 Przemyslaw Czerpak (druzus/at/poczta.onet.pl)
Edit and function keys pressed with CTRL, ALT or SHIFT modifiers generated wrong key sequences.
* Workaround for random "Session closed" issues related to /bin/login
closing and reopening our pty during initialization. This happens only
on some systems like Fedora for example. Now we allow that our pty is
closed by ignoring POLLHUP on first read. Delay is also needed so that
login process has some time to reopen pty.
* Note that the issue may occur anyway but with this workaround we reduce
the chances.
* Disabled all methods of HTTP fallback when HTTPS is enabled. This
is enforced on server side so that even modified client code (JS)
can not redirect client from HTTPS to HTTP, like it was possible
before (issue #355).
* Current solution unfortunately also disables automatic upgrade from
HTTP to HTTPS (when available), since all non-SSL connections are
dropped immediately.
* Added limited support for middle click pasting. For most browsers
and operating systems middle click pasting works only for content
selected in current shellinabox window.
* Added new CSS class for handling reverse video with default terminal
colors. For colors given with value 0-255 background and foreground
values are just switched.
* New CSS classes were also added to Black On White and White On Black
color themes.
* Use stdout for usage and version information. Patch taken from
issue #344.
* Removed automatic usage display when command line parsing fails.
* Added version information in debug output.
* Session key is returned in first HTTP response if CGI mode is used.
Header field is named 'X-ShellInABox-Session'. This can be used by
some special applications that need unique token.
* Added signal handling in PAM session process. Now SIGHUP signals are
forwarded to child process, which is the actual service. Launcher process
uses this type of signals to terminate service on http connection
timeout.
* Protection against large HTTP requests was fixed by adding some null
pointer checks. Too large HTTP requests are now correctly handled by
returning error code and closing connection.
* Added prefixes to all log messages. Prefix should describe source of
message, like "config", "http", "ssl", "server", etc... This should
give users more info to figure out what went wrong or what is going
on. Prefixes also make automatic processing easier.
* Usage is not displayed by default when given command line options are
incorrect. This way it is easier to notice actual error.
* Messages with "fatal" or "error" log level are now also passed to
syslogd service with help of vsyslog() function.
* On systems that use syslog service, these messages will be available
in default system log files like /var/log/syslog or /var/log/messages.
* In case that this SSL feature is abused it is possible to overload the
server. Other web servers disable this feature by default, but users
are able to change it with configuration. This is not possible with
shellinabox as this feature is not needed.
* Solution was implemented similarly as in Lighttpd web server.
* Support for PFS is enabled with help of cipher suites that use ECDHE
key exchange. OpenSSL added support for elliptic curve operations (EC)
in version 0.9.8. Note that there are also some library distributions
which don't support EC operations.
* Added precompiler guards for builds with OpenSSL older than 0.9.8 and
builds with '--enable-runtime-loading' configure script option.
* Cleaned up some SSL related code.
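
The SIGHUP forwarding described in the PAM session entry above, sketched as an added example (not shellinabox source code): a session process relays SIGHUP to the child that runs the service. All function and variable names are hypothetical, and the child is a stand-in that only waits for signals.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical names; a sketch of the pattern, not shellinabox source. */
static volatile sig_atomic_t service_pid = -1;

/* Runs in the session process: relay the signal to the service.
 * kill() is async-signal-safe; errno is kept for the interrupted code. */
static void forward_signal(int signo) {
  int saved = errno;
  if (service_pid > 0) kill((pid_t)service_pid, signo);
  errno = saved;
}

/* Forks a stand-in service, raises one SIGHUP in the session process and
 * returns the signal that ended the service (0 = exit, -1 = error). */
int run_session_and_hangup(void) {
  struct sigaction sa, old;
  sigset_t hup;
  int status;
  pid_t pid, r;
  sa.sa_handler = forward_signal;
  sa.sa_flags = SA_RESTART;
  sigemptyset(&sa.sa_mask);
  sigemptyset(&hup);
  sigaddset(&hup, SIGHUP);
  /* Block SIGHUP across fork(): a hangup stays pending until each side
   * has its final disposition, so none is lost during setup. */
  if (sigprocmask(SIG_BLOCK, &hup, NULL) < 0) return -1;
  if (sigaction(SIGHUP, &sa, &old) < 0) return -1;
  if ((pid = fork()) == 0) {
    signal(SIGHUP, SIG_DFL); /* service must not inherit the relay */
    sigprocmask(SIG_UNBLOCK, &hup, NULL);
    for (;;) pause();
  }
  if (pid > 0) service_pid = pid;
  sigprocmask(SIG_UNBLOCK, &hup, NULL);
  if (pid < 0) { sigaction(SIGHUP, &old, NULL); return -1; }
  raise(SIGHUP); /* stands in for the launcher's timeout signal */
  do r = waitpid(pid, &status, 0); while (r < 0 && errno == EINTR);
  service_pid = -1;
  sigaction(SIGHUP, &old, NULL);
  if (r != pid) return -1;
  return WIFSIGNALED(status) ? WTERMSIG(status) : 0;
}

int main(void) { return run_session_and_hangup() == SIGHUP ? 0 : 1; }
```

Without the relay handler, a SIGHUP sent only to the session process would end that process and leave the service running with no parent to reap it.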