* Disabled all methods of HTTP fallback when HTTPS is enabled. This
is enforced on server side so that even modified client code (JS)
can not redirect client from HTTPS to HTTP, like it was possible
before (issue #355).
* Current solution unfortunately also disables automatic upgrade from
HTTP to HTTPS (when available), since all non-SSL connections are
droped immediately.
* Protection against large HTTP requests was fixed by adding some null
pointer checks. Too large HTTP requests are now correctly handled by
returning error code and closing connection.
* Added prefixes to all log messages. Prefix should describe source of
message, like "config", "http", "ssl", "server", etc... This should
give users more info to figure out what went wrong or what is going
on. Prefixes also make automatic processing easier.
* Usage is not displayed by default when given command line options are
incorrect. This way it is easier to notice actual error.
* In case that this SSL feature is abused it is possible to overload the
server. Other web servers disable this feature by default, but users
are able to change it with configuration. This is not possible with
shellinabox as this feature is not needed.
* Solution was implemented similary as in Lighttpd web server.
* Improved user input checking and error handling for code from #320.
* Added some guards for unlinking socket file in server init and destroy
functions.
* Added peer name handling for AF_UNIX type connections in HTTP handling
code.
* Added more checks for return values and null pointers.
* Removed some dead code and unused variables.
* Fixed handling of calls to exec() family functions. If this functions
fail we need to cleanup resources.
* Recogniton of HTTP header field 'X-Real-IP' was added. Value
is used in LOGIN service with peer name as remote host identifier.
This was we are able to see real IP in login related log files
such as /var/log/auth.log, etc...
* Real IP, peer name and URL are also passed to launched service
as environment variables (SHELLINABOX_PEERNAME, SHELLINABOX_REALIP
and SHELLINABOX_URL). This can be used by custom user service shell
scripts or programs.
* Real IP can also be passed to custom user service as command line
parameter ${realip}.
Instead of making the browser sniffing more complicated, it's probably
better to use code that works for all current browsers. As such, this
swaps to use gzip compression encoding instead of deflate and drops the
IE browser sniffing code. This means shellinabox works in IE11 and
should work in every version of IE since IE7. From this commit, IE6 is
no longer supported. Thanks @lfourquaux.
was not really interested in them. This could result in inefficient I/O
behavior and most noticably it broke the ability to interrupt long running
output with CTRL-C.
git-svn-id: https://shellinabox.googlecode.com/svn/trunk@238 0da03de8-d603-11dd-86c2-0f8696b7b6f9
processed buffers. I believe, this could only be triggered by clients that
enabled HTTP pipelining. That might explain why we haven't seen bug reports
any earlier.
git-svn-id: https://shellinabox.googlecode.com/svn/trunk@216 0da03de8-d603-11dd-86c2-0f8696b7b6f9
Fixed some compiler warnings when compiling with -Wextra
Thanks to Jan Jaeger's excellent bug report, made some changes
that should make it easier to build ShellInABox for OpenWRT.
git-svn-id: https://shellinabox.googlecode.com/svn/trunk@202 0da03de8-d603-11dd-86c2-0f8696b7b6f9
problems dealing with "inherit" styles. This prevented proper switching
between color and monochrome.
Implemented a work-around.
git-svn-id: https://shellinabox.googlecode.com/svn/trunk@172 0da03de8-d603-11dd-86c2-0f8696b7b6f9
to manipulate headers more easily. We now add "Connection: close" in more cases
where we force a closing of the connection.
git-svn-id: https://shellinabox.googlecode.com/svn/trunk@171 0da03de8-d603-11dd-86c2-0f8696b7b6f9
Some more tweaks for IE6 support. Overall, IE6 is still pretty
broken. Not sure if we can do much about this.
git-svn-id: https://shellinabox.googlecode.com/svn/trunk@166 0da03de8-d603-11dd-86c2-0f8696b7b6f9
- A couple of changes to avoid false error messages in valgrind.
- Fixed a bug that could potentially lead to a double-free()
git-svn-id: https://shellinabox.googlecode.com/svn/trunk@114 0da03de8-d603-11dd-86c2-0f8696b7b6f9
ill-advised choice, as this particular compiler options has a tendency to
generate a lot of false positives.
git-svn-id: https://shellinabox.googlecode.com/svn/trunk@62 0da03de8-d603-11dd-86c2-0f8696b7b6f9
In particular, work around a problem with gcc complaining about NULL format
strings. And added additional system header files that might be required on
some platforms.
This should fix some of the problems reported when compiling on BSD-style
systems. But we are still using SysV style session management code. This
probably needs to be rewritten before ShellInABox can be run on BSD-style
system.
In particular, we rely on grantpt(), we use the utmpx API, and we access
/dev/urandom.
git-svn-id: https://shellinabox.googlecode.com/svn/trunk@55 0da03de8-d603-11dd-86c2-0f8696b7b6f9
first release of ShellInABox that supports an AJAX interface
instead of the original Java applet.
git-svn-id: https://shellinabox.googlecode.com/svn/trunk@2 0da03de8-d603-11dd-86c2-0f8696b7b6f9
