java-libhttpd - A Java HTTP Server Library
Copyright (c) 2002-2007  Reliable Bits, Rick Blommers
-----------------------------------------------------------------------

V1.03.000 (2007-07-23)
======================

- 145: (2007-07-20) It should be possible to add a mimetype to the mimetype detector (rblommers)
- 144: (2007-05-05) It should be possible to use a different class loader for HttpHandlers. (rblommers)
- 128: (2007-04-25) [misc] Add session hits to session object (rblommers)
- 131: (2007-04-23) [misc] Use dateFormatter in HttpUtils (rblommers)
- 127: [misc] Add method setSettings to HttpServer (rblommers)
- 136: (2007-01-02) Add a listener that is called just before the headers are
   sent, allow header ajust. example: set caching headers for images. (rblommers)
- 125: (2007-01-02) Support HEAD requests. Only headers are outputted to the
    client. HttpHandler data is written to /dev/null. (rblommers)
- 140: (2007-01-02) Make the HttpRequest and HttpResponse objects accessible
    via the ServerThread object. (rblommers)
- 129: (2007-01-02) Added Session getter to HttpSessionManager: getSessions() (rblommers)
- 122: (2007-01-02) When accessing JAR resources sizes should also be sent.
   (This is difficult, because we use Classpath resources! and I don't know
   of any method of retrieving the sizes of a single resource, without reading
   the complete stream).(rblommers)
- 137: (2006-11-28) IE7 isn't using persistent connections with the webserver.
   IE doesn't sent the "Keep-Alive" header. Only the "Connection: Keep-Alive"
   header. The webserver only used the Keep-Alive header. Now it useses the
   Connection header. (rblommers)
- 134: (2006-11-21) Added support for HttpHandler routes. It is possible to define
   routes the way it is done in Ruby on Rails. See API docs in package
   com.blommersit.httpd.routes for more info. You can add routes via the
   HttpServer.getServerSettings().getRoutes(); (rblommers)
- (2006-11-20) Added a method for setting GET and POST variables in HttpRequest
   At the moment there's no Setter for modifying an array GET or POST
- 138: (2006-11-20) Added a write method to directly write a File or Stream to
   the HttpResponse stream. ( HttpResponse: writeFile and writeStream). (rblommers)
- 130: (2006-11-14) Added list support for Get, Post and Cookie parameters to
   HttpRequst. For example: getPostSize() and getPost(name,idx,def). (rblommers)
- 133: (2006-11-14) Posting a multi-part form didn't fill the rawPostString
   data. Which actually was correct, but now a rawPostStr is synthesized. (rblommers)
- 132: (2006-11-14) If a file isn't found a 404 is given, mozilla keeps
   waiting until timout, fixed this by closing the connection on a 404. (rblommers)
- 123: (2006-11-14) File / Resource request handler should be much faster! It
   was extremely inefficient!! (rblommers)
- 120: (2006-11-13) Support (basic) Persistent Connections to drasticly improve
   performance. At the moment this only works for file resources!! (rblommers)
- 121: (2006-11-13) When retrieving file resources like images etc.. sizes
   should be sent. This is required for persistent connections! Currently this
   only works for file resources. At the moment JAR file resources cannot be
   done because I cannot retrieve the size of a resource before sending.  (rblommers)
- 115: (2006-11-13) Added better Logging / Debugging Support. This can be done
   easily by adding a HttpServerLogListener (accessible via settings, via
   LogListenerManager). (rblommers)
- 118: (2006-11-13) Alias redirection doesn't stop the processing of the
   request, which usually results in an attempt to change the header to 404. (rblommers)
- 119: (2006-11-13) Alias redirection's flush causes an exception when flushing
   the output buffer. No exception should be reported. (rblommers)
- 117: (2006-11-13) Exceptions in handleHttpRequest should be printed to the
   console and be logged. At the moment these are silently being catched! (rblommers)
- 116: (2006-11-13) Add methods for retrieving the HttpResponse HTTP result code (rblommers)
- 114: (2006-11-13) Added methods for changing the default settings (rblommers)

======================
V1.02.000 (2004-09-27)
======================
- (Gennadiy from Ukraine) Found an error in the HttpServerThread. The wrong
  accessfilter rule was used. THANKS!
- (Gennadiy from Ukraine) When checking for a HttpHandler interface the
  webserver didn't inspect the parent's interfaces. Gennadidy fixed this.


======================
V1.01.000 (2003-09-01)
======================
- Fixed a memory leak, in HttpSessionManager.java.  Replaced
  'sessions.remove(session)' by 'iterator.remove()'
  Without this, the memory would never be cleaned up!
  Contributed by Gabriel Klein. THANKS!
- Included (very basic) file upload support. The initial
  fileupload support was contributed by Herbert Poul. THANKS!
  The webserver is sort of protected by a maximum number of
  bytes that can be uploaded.
- Fixed a bug with HttpResponse.java. The expires value of the cookies wasn't
  returned correctly in all java implementations. I used an incorrect
  date formatter, (c.toString()... Ooops ;) ). In some java implementations this
  returned the object info: expires=java.util.GregorianCalendar[time=1062341617864,
  areFiel...,ZONE_OFFSET=0,DST_OFFSET=0];
  Contributed by Herbert Poul. THANKS!
- Added version information to the library. When building the
  application with JBuilder (and the plugin build.num) the
  version info is updated automaticly
- Gabriel Klein mentioned that you can use the ".." trick to get out of the base
  dir when reading a file.  Example c:/persoweb/wwwpub/../../secretDir.
  There is perhaps others tricks that can be used (like unicode encoding of /)
  Rick: After some brainstorming found a very simple solution for this problem,
  using the following trick: (HttpServerThread.java)
    // build absolute path (without) '. and '..'  and check if the user can access the directory
    // Prevent '..' and unicode tricks
    // SINCE v1.01
    file = file.getCanonicalFile();
    File root = (new File( this.server.getSettings().getFileDocumentRoot() )).getCanonicalFile();
    String sFile = file.getPath();
    String sRoot = root.getPath();
    // NOT SAFE??
    if(!sFile.startsWith(sRoot) )
    {
      //System.out.println("Denied Request: " + sFile );
      return false;
    }
  NOTE: There's still a security problem in the package access, I will fix
  this the next release...
- Gabriel Klein: You can use my CryptUtils class if you want to generate better
  pseudo-random cookies in your public String generateNewSessionId()
  function. (JDK 1.4 only...).


======================
V1.00.000 (2002-12-02)
======================
- Initial release of the library