1.2b10 (BETA) 7 Oct. 1999
- Fixed a serious security hole in CGI mode. Because Apache passes
anything after the first '?' to the CGI script as command-line
arguments, embpexec.pl could be tricked into offline mode, where
it returned any file that is readable by the httpd! So if you are
using CGI mode, I strongly recommend updating to 1.2b10.
You must now use embpcgi.pl instead of embpexec.pl in CGI mode.
Spotted by Jason Holt.
- Added EMBPERL_ALLOW. If the file doesn't match EMBPERL_ALLOW, Embperl
will return forbidden. This is primarily another security
feature, because depending on the way you use Embperl in CGI mode,
it will not honour all Apache access restrictions. With
EMBPERL_ALLOW, you can now force it to serve only certain
files. Suggested by Jason Holt.
- Fixed a problem that occurred with magic SVs (tied scalars)
as source for the Execute function. Spotted by Todd Eigenschink.
- Embperl now works with Apache::Session 0.17, 1.02 and 1.04
(1.03 is erroneous)
- Fixed a SIGSEGV that occurs when the req_rec parameter of the
Execute function gets an Apache::Request object instead of an
Apache object, which occurred due to the different ways the
Apache internal request_rec is stored inside the object.
Spotted by Francis J. Lacoste.
- Fixed a SIGSEGV that occurred when outputting to a scalar and
optReturnError is set. Spotted by Francis J. Lacoste.
- Added a ; after the BEGIN block in startup.pl, the absence of which
seems to have caused a syntax error in some situations. Spotted by Oyvind Gjerstad.
- exit now works the same in offline, mod_perl and CGI mode: it
ends the execution of the page, but not the program itself.
- exit inside a sub will now really exit the page. (but exit inside
a file called via Execute will only exit this file, not the whole
request) Spotted by Cliff Rayman.
- Added new hash %http_headers_out which can be used to set arbitrary
HTTP headers under mod_perl _and_ in CGI mode. The "Location" header will
automatically set the status to 301.
- Setting HTTP headers and <META HTTP-EQUIV=..> now also works
in CGI mode.
- Session Handling now also works in CGI mode (needs
Apache::Session >= 1.04)
- ACTION attribute of Formtag is now URL en/decoded. Spotted by
Hartmut Palm.
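
The CGI-mode fix and the EMBPERL_ALLOW entry at the top of this list, sketched in Perl as an added illustration; this is not code from embpcgi.pl or any Embperl source. The helper name resolve_cgi_file, the use of PATH_TRANSLATED as the request target, and the sample paths and pattern are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper (not Embperl source): decide which file a CGI
# wrapper may serve. $argv is accepted only to show that it is never
# consulted: in CGI mode it can be filled from the request's query string.
sub resolve_cgi_file {
    my ($env, $argv) = @_;

    # Assumption: the server-resolved target arrives in PATH_TRANSLATED.
    my $file = $env->{PATH_TRANSLATED};
    return (404, undef) unless defined $file && length $file;

    # EMBPERL_ALLOW is treated as a regular expression the path must match.
    my $allow = $env->{EMBPERL_ALLOW};
    if (defined $allow && length $allow) {
        my $re = eval { qr/$allow/ };
        return (500, undef) unless $re;            # broken pattern: fail closed
        return (403, undef) unless $file =~ $re;   # not allowed: forbidden
    }
    return (200, $file);
}

# Constructed sample requests; every path and the pattern are made up.
my $allow = '\.epl$';
my @cases = (
    [ 'normal page',
      { PATH_TRANSLATED => '/var/www/site/index.epl', EMBPERL_ALLOW => $allow },
      [] ],
    [ 'arguments ignored',
      { PATH_TRANSLATED => '/var/www/site/index.epl', EMBPERL_ALLOW => $allow },
      [ '/path/outside/docroot' ] ],
    [ 'outside EMBPERL_ALLOW',
      { PATH_TRANSLATED => '/var/www/site/notes.txt', EMBPERL_ALLOW => $allow },
      [] ],
    [ 'no target at all',
      { EMBPERL_ALLOW => $allow },
      [ '/path/outside/docroot' ] ],
);

for my $case (@cases) {
    my ($label, $env, $argv) = @$case;
    my ($status, $file) = resolve_cgi_file($env, $argv);
    printf "%-22s -> %d %s\n", $label, $status, defined $file ? $file : '-';
}
```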