pkgsrc-Users archive


lighttpd 1.4.53 released



Dear package maintainers:

lighttpd 1.4.53 has been released!
  https://www.lighttpd.net/
  https://www.lighttpd.net/2019/1/27/1.4.53/

Please package and ship it!

NOTE:
There is an upcoming behavior change scheduled for the next release,
first announced with lighttpd 1.4.52.  Please see below and reach out
to me if you would like assistance changing the default lighttpd.conf
in the distro.

Please let me know if you have any questions or issues.  Thank you!

Cheers, Glenn


Important changes
-----------------

  * TLS-ALPN-01, systemd socket activation
  * bug fixes

Future scheduled behavior change (Q1 2019)
------------------------------------------

Beginning in Q1 2019, lighttpd defaults are scheduled to change to perform limited URL normalization on HTTP requests.

Since lighttpd 1.4.50, this URL normalization is available with server.http-parseopts <https://redmine.lighttpd.net/projects/lighttpd/wiki/Server_http-parseoptsDetails>. The lighttpd default will become server.http-parseopts = ("url-normalize-unreserved" => "enable", "url-path-2f-decode" => "enable") unless server.http-parseopts is explicitly set in the lighttpd config. Enabling URL normalization by default will provide more consistent behavior for mod_redirect and mod_rewrite, which match against the (url-encoded) URL request. However, decoding %2F by default, while generally desirable for consistency, is potentially a breaking change for those encoding URLs in the url-path and relying on the literal '/' as a delimiter. For those uses, "url-path-2f-decode" => "disable" will need to be explicitly set in the lighttpd config.

https://redmine.lighttpd.net/projects/lighttpd/wiki/Server_http-parseoptsDetails

The recommended settings for server.http-parseopts are the following, unless specific use requires looser settings:

      server.http-parseopts = (
        "header-strict"            => "enable",
        "host-strict"              => "enable",
        "host-normalize"           => "enable",
        "url-normalize"            => "enable",
        "url-normalize-unreserved" => "enable",
        "url-normalize-required"   => "enable",
        "url-ctrls-reject"         => "enable",
        "url-path-2f-decode"       => "enable",
        "url-path-dotseg-remove"   => "enable",
        "url-query-20-plus"        => "enable"
      )
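
Added example, not part of the original announcement and not lighttpd code: a simplified Python model of "url-normalize-unreserved" and "url-path-2f-decode" applied to the url-path only, showing why a pattern matched against the encoded URL becomes consistent after normalization and how decoding %2F changes '/'-delimited segments. The rewrite pattern, function names and sample URLs are constructed for illustration.

```python
import re

# RFC 3986 unreserved characters: ALPHA / DIGIT / "-" / "." / "_" / "~"
UNRESERVED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")
PCT = re.compile(r"%([0-9A-Fa-f]{2})")

def normalize(url, unreserved=True, path_2f_decode=True):
    """Simplified model (assumption): only the url-path is touched, the query is left as-is."""
    path, sep, query = url.partition("?")

    def repl(m):
        ch = chr(int(m.group(1), 16))
        if unreserved and ch in UNRESERVED:
            return ch            # e.g. %64 -> d
        if path_2f_decode and ch == "/":
            return "/"           # %2F -> literal path delimiter
        return m.group(0)        # every other escape stays encoded

    return PCT.sub(repl, path) + sep + query

# Hypothetical pattern in the style of a mod_rewrite / mod_redirect rule.
REWRITE_RULE = re.compile(r"^/docs/(.*)$")

def rule_matches(url, **opts):
    """Does the rule match the URL as seen after the given normalization?"""
    return bool(REWRITE_RULE.match(normalize(url, **opts)))

def path_segments(url, **opts):
    """Split the normalized url-path on '/', as an application behind the server might."""
    return normalize(url, **opts).partition("?")[0].strip("/").split("/")

# Constructed sample requests.
ENCODED_ALIAS = "/%64ocs/index.html"                      # same resource as /docs/index.html
EMBEDDED_URL = "/fetch/http:%2F%2Fexample.org%2Fa/meta"   # a URL carried inside one segment

if __name__ == "__main__":
    off = dict(unreserved=False, path_2f_decode=False)
    print("rule matches, no normalization:", rule_matches(ENCODED_ALIAS, **off))
    print("rule matches, normalized      :", rule_matches(ENCODED_ALIAS))
    print("segments, 2f-decode disabled  :", path_segments(EMBEDDED_URL, path_2f_decode=False))
    print("segments, 2f-decode enabled   :", path_segments(EMBEDDED_URL))
```

The second sample is the case the announcement flags as potentially breaking: with %2F decoded, the embedded URL no longer occupies a single path segment.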

