2023-01-13 Richard Frith-Macdonald  <rfm@gnu.org>

        * GNUmakefile: bump version to 1.6.0 for release

2022-11-03 Richard Frith-Macdonald  <rfm@gnu.org>

	* WebServer.h:
	* WebServer.m:
	Set max age for strict transport security to 1 year by default.

2022-11-03 Richard Frith-Macdonald  <rfm@gnu.org>

	* WebServer.h:
	* WebServer.m:
	If -block: is called with a negative argument, it now uses the value
	returned by -blockOnAuthenticationFailure.

2022-11-01 Richard Frith-Macdonald  <rfm@gnu.org>

	* WebServer.h:
	* Internal.h:
	* WebServer.m:
	* WebServerConnection.m:
	Implement a lockout mechanism to help deal with DoS attacks.
	The -[WebServerResponse block:] method can be used to block subsequent
	requests from an IP address for a period of time.
	The -[WebServer setBlockOnAuthenticationFailure:] method controls
	automatic blocking after a failed authentication attempt (default 1
	second).

2022-10-18 Richard Frith-Macdonald  <rfm@gnu.org>

	* WebServerConnection.m:
	Catch the possible case where we are configured to be behind a trusted
	proxy but we are not getting the headers the proxy should provide to
	let us know who sent the request.

2022-09-22 Richard Frith-Macdonald  <rfm@gnu.org>

	* Internal.h:
	* WebServer.m:
	* WebServerConnection.m:
	Fix errors in code to count connectons by host in the case where the
	server is running behind a proxy.

2022-07-08 Richard Frith-Macdonald  <rfm@gnu.org>

	* WebServer.h:
	* WebServer.m:
	* WebServerConnection.m:
	Make the default number of idle connections per thread be unlimited
	and made the -description method report the number of idle connectios
	in total.

2022-07-07 Richard Frith-Macdonald  <rfm@gnu.org>

	* WebServer.h:
	* WebServer.m:
	Provide [-threadPool] accessor for the thread pool used by the web
	server instance.

2022-03-09 Richard Frith-Macdonald  <rfm@gnu.org>

	* WebServerConnection.m: Return 400 error if the request starts with
	a 0x16 byte ... that's not part of th method name and is probably the
	start of a TLS session header for handshake with the remote end trying
	to use HTTPS when the server is confgured to use HTTP.

2022-02-17 Richard Frith-Macdonald  <rfm@gnu.org>

	* Internal.h:
	* WebServer.h:
	* WebServer.m:
	* WebServerConnection.m:
	Changes when running behind a trusted proxy (if the WebServer instance
	is configured with Proxy=YES in the Secure dictionary, or has had the
	-setSecureProxy: called to say it is behind a proxy).
	Alter the behavior of the maximum connections per host limit so that
	we use the host information from the headers rather than the TCP/IP
	address of the connection.
	Similarly, if the host address from the headers is listed in the
	WebServerQuiet configuration, refrain from logging the connection. 

2021-09-15 Richard Frith-Macdonald  <rfm@gnu.org>

	* WebServer.m:
	* WebServerConnection.m:
	Fix a couple of uninitialised variables and fix error in setting
	strict transport security information.

2021-08-03 Richard Frith-Macdonald  <rfm@gnu.org>

	* WebServer.h:
	* WebServerConnection.m:
	On receipt of a method which is not permitted, respond with a 405
	method not allowed code rather than a 501 (and provide an Allow
	header).

2016-06-12 Richard Frith-Macdonald  <rfm@gnu.org>

	* GNUmakefile: Version 1.5.6 bugfix release

2020-06-12 Richard Frith-Macdonald  <rfm@gnu.org>

	* WebServer.m:
	* WebServerConnection.m:
	Fix counting of connections per host in case where we cannot get the
	address of the remote host from the socket (use the name 'unknown').

2020-01-27 Richard Frith-Macdonald  <rfm@gnu.org>

	* Internal.h:
	* WebServer.h:
	* WebServer.m:
	* WebServerConnection.m:
	Fix logging of remote IP address (of last request including proxied
	information if possible).

2019-05-17 Richard Frith-Macdonald  <rfm@gnu.org>

	* WebServer.m: generate a log when we remove untrusted certificate
	header information.

2019-05-09 Richard Frith-Macdonald  <rfm@gnu.org>

	* Internal.h:
	* WebServer.m:
	* WebServerConnection.m:
	* WebServerHeader.m:
	Fix bug adding the same header twice to an incoming request.

2019-01-11 Richard Frith-Macdonald  <rfm@gnu.org>

	* WebServer.h: Add -address method for WebServerRequest
	* WebServerConnection.m: Add -address for WebServerRequest

2019-01-08 Richard Frith-Macdonald  <rfm@gnu.org>

	* WebServer.m:
	* WebServerConnection.m:
	Ensure that x-cert-issuer and x-cert-owner headers passed in the
	incoming request are removed unless the process is configured to
	know that it is using a trusted proxy.  This prevents spoofing of
	client certificate information.  When configured to use a secure
	proxy, headers provided by the proxy take precedence and the values
	from the TLS session between the proxy and the server are provides
	in additional headers.

2018-08-24 Richard Frith-Macdonald  <rfm@gnu.org>

	* WebServer.h:
	* WebServerConnection.m:
	x-cert-issuer and x-cert-owner headers are set to provide the
	distinguished names of the issuer and owenr/subject of any client
	certificate used by an incoming request.

2017-04-19 Richard Frith-Macdonald  <rfm@gnu.org>

	* WebServerConnection.m:
	Fix counter of keepalive per thread so we always decrement the
	count when removing a connection from list of keepalives.
	Fixes a bug where connection keepalive would stop working after
	a while and all connections would be closed after one request.

2017-04-19 Richard Frith-Macdonald  <rfm@gnu.org>

	New WebServerFrameOptions user default (DENY if not set) to sert a
	default X-Frame-Options header value for use by all responses.

2016-10-28  Wolfgang Lux  <wolfgang.lux@gmail.com>

	* WebServerBundles.m (-dealloc): Unregister from notification
	center.

2016-05-19 Richard Frith-Macdonald  <rfm@gnu.org>

	* GNUmakefile: Version 1.5.5 bugfix release

2016-05-05 Richard Frith-Macdonald  <rfm@gnu.org>

	* WebServerConnection.m:
	* WebServer.m:
	* Internal.h:
	Check to prevent a response being completed more than once.

2016-01-20 Niels Grewe <niels.grew@halbordnung.de>

	* WebServerHeader.m: Fix the x-count-* headers. The WSHType
	was never assigned to the instance variable, so -value
	would always return nil. Also re-arrange things to not 
	depend on the presence of the GSMimeHeader ivars, ensuring
	compatibility with the (pure) non-fragile ABI.

2016-01-15 Niels Grewe <niels.grew@halbordnung.de>

	* WebServer.h: Ensure that the header can be used from ARC
	  code.

2016-01-14 Niels Grewe <niels.grew@halbordnung.de>

	* GNUmakefile: Build correctly with the ng and gnugc
	runtime library variants

2015-09-19 Richard Frith-Macdonald  <rfm@gnu.org>

	* GNUmakefile: Version 1.5.4 bugfix release

2015-08-19 Richard Frith-Macdonald  <rfm@gnu.org>

	* WebServerConnection.m: Don't delete close down connections just
	because the per-thread count is exceeded ... we have a contract
	with the client to keep those connections open.

2015-08-18 Richard Frith-Macdonald  <rfm@gnu.org>

	* WebServerConnection.m: Don't delete content-encoding header
	which may have been set by the application.

2014-10-02 Sergei Golovin

	* WebServer.m: Fix memory management error ... failure to retain
	the thread used for the main I/O ... was resulting in double
	release of the thread when the WebServer instance was destroyed.

2014-08-04 Richard Frith-Macdonald  <rfm@gnu.org>

	* WebServer.m: Run the main run loop and wait for connections to
	shut down when shutting down the server.
	* GNUmakefile: bump subminor version
	Version 1.5.3:

2014-07-15 Richard Frith-Macdonald  <rfm@gnu.org>

	* WebServerConnection.m: Fix minor error logging raw data ... we now
	use backslash escapes to avoid problems wioth embedded nul characters.
	* GNUmakefile: bump subminor version
	Version 1.5.2:

2014-05-08 Richard Frith-Macdonald  <rfm@gnu.org>

	* GNUmakefile: bump subminor version
	Version 1.5.1: adds minor accessor methods

2014-04-27 Richard Frith-Macdonald  <rfm@gnu.org>

	* WebServer.h:
	* WebServer.m:
	Add accessor method -delegate.

2014-04-05 Richard Frith-Macdonald  <rfm@gnu.org>

	* WebServer.h:
	* WebServer.m:
	Add accessor methods -address and -port.

2014-03-17 Richard Frith-Macdonald  <rfm@gnu.org>

	* WebServer.m: fix for bug 41887 ("T.Somequare" <thumb_@mcn.ne.jp>)
	Also, make 1.5.0 release

2014-02-24 Richard Frith-Macdonald  <rfm@gnu.org>

	* WebServerConnection.m:
	* WebServer.h:
	* WebServer.m:
	* Internal.h:
	Added -setFooldHeaders: methods to turn off header folding either
	for a single response or for all connections established after the
	setting change.
	This is an improvement (bug#41643) to allow the WebServer code to
	be used to respond to clients which don't support folded lines as
	they should.
	NB. No longer fold headers by default ... more libraries support
	long headers than support folding.

2013-06-30 Sebastian Reitenbach <sebastia@l00-bugdead-prods.de>

	* WebServer.h: fix some typos in comments

2013-06-27 Richard Frith-Macdonald  <rfm@gnu.org>

	* WebServerConnection.m: Fix subtle bug handling connections kept
        alive when the remote end sent an extra CRLF at the end of the
        preceding request.

2013-01-26 Richard Frith-Macdonald  <rfm@gnu.org>

        * WebServer.m: Allow for the fact that a json document is a string
	* WebServerConnection.m: 64bit system integer printout fix.
        * GNUmakefile: bump version pending new release.

2012-10-31 Richard Frith-Macdonald  <rfm@gnu.org>

	* Internal.h:
	* WebServer.h:
	* WebServer.m:
	* WebServerConnection.m:
        Attempt to add support for streaming data to a client as an alternative
        to writing it all in one go.

2012-10-30 Richard Frith-Macdonald  <rfm@gnu.org>

	* Internal.h:
	* WebServer.h:
	* WebServer.m:
	* WebServerBundles.h:
	* WebServerBundles.m:
	* WebServerConnection.m:
	* WebServerField.m:
	* WebServerForm.m:
	* WebServerHeader.m:
	* WebServerTable.m:
	* testWebServer.m:
        Change to use WebServerRequest and WebServerResponse instances
        rather than GSMimeDocument ... so we can carry more information
        than a mime doucment.
        Add support for incremental handling of incoming requests, allowing
        the application to handle partially read requests (once the entre
        header has been read).

2012-10-25 Richard Frith-Macdonald  <rfm@gnu.org>

        * Source/WebServer.m: Improve error logging for the case when a
        response is to be handled but we can't find its connection.

2012-10-19 Richard Frith-Macdonald  <rfm@gnu.org>

	* GNUmakefile: Version 1.4.8 minor bugfix release
	* WebServerConnection.m: Fix error in 'quiet' host logic when
        refusing access due to unkown/not-allowed client host.

2012-07-18 Richard Frith-Macdonald  <rfm@gnu.org>

	* WebServerConnection.m: When logging the data read/written, allow
        for text truncation due to nul byts, and log an NSData object
        (hexadecimal representation) after the native text representation.

2012-01-17 Richard Frith-Macdonald  <rfm@gnu.org>

	* WebServer.m: Fix bug with access control ... need to do it before
	main processing if we didn't do it in the pre-process stage.

2011-12-20 Richard Frith-Macdonald  <rfm@gnu.org>

	* GNUmakefile: Version 1.4.7 minor release
	* WebServer.m: Escape a few more characters when generating
	URL encoded forms.  In particular the '/'.

2011-12-13 Richard Frith-Macdonald  <rfm@gnu.org>

	* GNUmakefile: Version 1.4.6 minor release
	* WebServerConnection.m: Fix excess space in -description

2011-12-13 Richard Frith-Macdonald  <rfm@gnu.org>

	* WebServerConnection.m:
	* WebServer.h:
	* WebServer.m:
	* Internal.h:
	Add new -setLogRawIO: option to log I/O on connections.

2011-09-23 Richard Frith-Macdonald  <rfm@gnu.org>

	* GNUmakefile: Version 1.4.5 minor release

2011-09-12 Richard Frith-Macdonald  <rfm@gnu.org>

	* Extend API to set listening address.

2011-09-09 Richard Frith-Macdonald  <rfm@gnu.org>

	* GNUmakefile: Version 1.4.4 bugfix release

2011-08-26 Richard Frith-Macdonald  <rfm@gnu.org>

	* WebServerConnection.m:
	Fix bug updating keepalive counts to avoid possible hang in loop
	removing old connections.

2011-08-06 Richard Frith-Macdonald  <rfm@gnu.org>

	* WebServer.h:
	* WebServer.m:
	* Internal.h:
	Changes to support initialisation of a WebServer instance to operate
	in a thread other than the main one.  Not really tested though.
	eg. svr = [[WebServer alloc] initForThread: [NSThread currentThread]]

2011-08-06 Richard Frith-Macdonald  <rfm@gnu.org>

	* WebServer.m:
	* WebServerConnection.m:
	Change to only start processing new request when write of preceeding
	request has completed, to prevent attempts to have two reads at a
	time.

2011-08-04 Richard Frith-Macdonald  <rfm@gnu.org>

	* GNUmakefile: Version 1.4.3 bugfix release
	* WebServer.m: Close listener immediately when we are done with it.

2011-08-04 Richard Frith-Macdonald  <rfm@gnu.org>

	* GNUmakefile: Version 1.4.2 bugfix release

2011-07-16 Richard Frith-Macdonald  <rfm@gnu.org>

	* WebServerConnection.m:
	* WebServer.h:
	* WebServer.m:
	* Internal.h:
	Implement maximum number of connections in a keepalive state.

2011-07-15 Richard Frith-Macdonald  <rfm@gnu.org>

	* WebServerConnection.m:
	* WebServer.m:
	Improve/strengthen checking for connection close.

2011-07-12 Richard Frith-Macdonald  <rfm@gnu.org>

	* WebServerConnection.m: Take advantage of base changes to avoid
	potential stack overflow when processing lots of slow SSL handshakes.

2011-07-09 Richard Frith-Macdonald  <rfm@gnu.org>

	* WebServerConnection.m: Fix possible null pointer reference if
	connection times out while waiting for ssl handshake.

2011-07-08 Richard Frith-Macdonald  <rfm@gnu.org>

	* WebServerConnection.m: Check for errors on write ... if a write
	fails, end the connection immediately.  Modify code to ensure that
	threads won't attept to read/write a handle which has been removed
	from the connection.

2011-05-04 Richard Frith-Macdonald  <rfm@gnu.org>

	* GNUmakefile: Increment subminor version for 1.4.1 bugfix release.

2011-05-04 Richard Frith-Macdonald  <rfm@gnu.org>

	* WebServerConnection.m:
	* WebServer.h:
	* WebServer.m:
	* Internal.h:
	Add code to make shutdown faster by immediately terminating any
	connection which is not already responding to or processing a request.
	Add method to return an array of connections ... so an app can count
	how many connections still exist, and wait until shutdown is done.
	Fix retain cycle between server and header objects, so an instance
	can be deallocated as long as it has been shut down properly.
	Fix bug with connection timeouts when running single-threaded.
	Add tiny optimisation for audit logging suggested by <thumb_@mcn.ne.jp>

2011-05-04 Richard Frith-Macdonald  <rfm@gnu.org>

	* Internal.h: new ivar for connection to count requests.
	* WebServerConnection.m: remove redundant audit log and generate
	connection end report only in verbose mode or if there have been
	no requests.
	* WebServer.m: cope with case where there is no audit logging to do.

2011-04-01 Richard Frith-Macdonald  <rfm@gnu.org>

	Version 1.4.0:

2011-03-08 Richard Frith-Macdonald  <rfm@gnu.org>

	* Internal.h:
	* WebServerConnection.m:
	* WebServer.m:
	* WebServer.h:
	* GNUmakefile:
	Add -setPermittedMethods: configuration option.
	Bump version number ready for next release.

2011-01-12 Richard Frith-Macdonald  <rfm@gnu.org>

	* WebServerHTML.h:
	* WebServerForm.m:
	* WebServerField.m:
	* WebServerTable.m:
	Fixup instance variables, designated initialiser, and make sure all
	items have a name.

2011-01-11 Richard Frith-Macdonald  <rfm@gnu.org>

	Consolidated WebServerForm.h and WebServerTable.h into a single file
	WebServerHTML.h and fixed minor documentation errors.

2010-12-03 Richard Frith-Macdonald  <rfm@gnu.org>

	* WebServerConnection.m:
	Check to see if the app asked the connection to close.

2010-12-02 Richard Frith-Macdonald  <rfm@gnu.org>

	* WebServer.h:
	* WebServer.m:
	New method ([-closeConnnectionAfter:]) to allow a connection closure
	to be forced ... eg when sending a redirect to a different site.

2010-11-28 Richard Frith-Macdonald  <rfm@gnu.org>

	* WebServer.h:
	* WebServer.m:
	Add convenience method to match an IP address of a remote host against
	a pattern containing multiple addresses and masks.

2010-09-30 Richard Frith-Macdonald  <rfm@gnu.org>

	* WebServerConnection.m:
	* WebServer.h:
	* WebServer.m:
	* Internal.h:
	Alterations for scalibilty.

2010-09-28 Richard Frith-Macdonald  <rfm@gnu.org>

	* WebServer.m: fix bug setting extra info for a request

2010-09-27 Richard Frith-Macdonald  <rfm@gnu.org>

	* WebServerConnection.m:
	* WebServer.h:
	* WebServer.m:
	* Internal.h:
	iAdd support for a pool of IO threads.

2010-09-26 Richard Frith-Macdonald  <rfm@gnu.org>

	* WebServerConnection.m:
	* GNUmakefile:
	* WebServer.h:
	* WebServer.m:
	* Internal.h:
	* WebServerHeader.m:
	Minor optimisation and restructuring to avoid unnecessary creation of
	some special headers.

2010-09-23 Richard Frith-Macdonald  <rfm@gnu.org>

	* webserver/WebServerConnection.m
	* webserver/WebServer.m
	* webserver/Internal.h
	Cleanup a little, fix bugs in thread code.

2010-09-23 Richard Frith-Macdonald  <rfm@gnu.org>

	* Internal.h:
	* WebServer.h:
	* WebServer.m:
	* WebServerConnection.m:
	* GNUmakefile:
	Initial work on restructuring to support multiple threads.

2010-09-17 Richard Frith-Macdonald  <rfm@gnu.org>

	* WebServer.m: Modify response handling to deal with changes to
	GSMimeDocument equality testing ... we must treat each response
	as unique.

2010-04-07 Richard Frith-Macdonald  <rfm@gnu.org>

	* WebServer.m: Fix descriptor leak caused by 11th march change.

2010-03-13 Richard Frith-Macdonald  <rfm@gnu.org>

	* WebServer.m: Avoid hang if client sends excess data at end of
	request (bug in handling clients streaming multiple requests
	without waiting for responses).

2010-03-11 Richard Frith-Macdonald  <rfm@gnu.org>

	* WebServer.m: Close handle immediately on end of connection to
	avoid running out of descriptors if hit by huge numbers of
	simultaneous requests.

2009-12-09 Richard Frith-Macdonald  <rfm@gnu.org>

	* WebServer.m: Workaround for denial of service issues with HTTPS.
	An attacker could connect in and stop responding during the SSL
	handshake.  Because the handshake in gnustep-base has a 30 second
	timeout, this could have two nasty conserquences.
	Firstly the minor issue, if the connection idle timer was short
	enough (and the default is 30 seconds) the connection could time
	out before the handshaker completes.
	The major issue is that the code was not starting a new background
	accept until after the ssl handshake ... so the server would not
	be able to handle any new connections while the handshake was
	taking place.
	The solution is simply to schedule the next accept before performing
	the handshake for the current connection.

2009-09-24 Richard Frith-Macdonald  <rfm@gnu.org>

	* WebServer.m: Add convenience methods to build the base URL of the
	current request ... the URL that was used to connect to the server.

2009-09-16 Richard Frith-Macdonald  <rfm@gnu.org>

	* WebServer.m: Add convenience methods to build new URLs with query
	string information and to redirect to a new URL.

2009-09-16 Richard Frith-Macdonald  <rfm@gnu.org>

	* WebServer.m: Attempt to handle client sending more than one request
	at a time (ie sending a second request before we have sent the reponse
	to the first one).
	* WebServerForms.m: Fix bug setting prefill value for menu.
	Support field size and multiple select.

2009-09-08 Richard Frith-Macdonald  <rfm@gnu.org>

	* WebServer.h:
	* WebServerForms.m:
	* GNUmakefile:
	Add new classes for form handling.

2009-09-01 Richard Frith-Macdonald  <rfm@gnu.org>

	* WebServer.h: Add ivars and new class methods.  Document new
	pseudo-headers providing connection/host information.
	* WebServer.m: Add new class methods, cache class pointers for
	minor optimisation.
	* GNUmakefile: Bump version number.

2008-04-23 Richard Frith-Macdonald  <rfm@gnu.org>

        * WebServer.m: Add ReverseHostLookup user default.

2008-03-13 Richard Frith-Macdonald  <rfm@gnu.org>

        * WebServer.m: Close down in an orderly way if a nil port is set.

2007-09-24 Richard Frith-Macdonald  <rfm@gnu.org>

        * WebServer.m: On receipt of an unparsable request, send a 400
	response.
		
2007-09-14 Richard Frith-Macdonald  <rfm@gnu.org>

	Update to LGPL3

2007-07-21 Richard Frith-Macdonald  <rfm@gnu.org>

	* WebServer.m: When responding with a 503 status due to too many
	incoming connections, set the Retry-After header to 120 (two minutes).

2007-05-25 Richard Frith-Macdonald  <rfm@gnu.org>

	* WebServer.m:
	Add support for the unofficial old-style (http-1.0) implementation of
	keep-alive.  Also add fix for buggy browsers/libraries which
	illegally add a CR-LF after POSTed data.

2007-03-07 Richard Frith-Macdonald  <rfm@gnu.org>

	* WebServer.m:
	Force content-length header to be set even if our delegate doesn't
	supply one and provides zero length data.

2006-11-29 Richard Frith-Macdonald  <rfm@gnu.org>

	* WebServer.h:
	* WebServer.m:
	New audit method to redirect audit logs if required.
	Log audit info to stdout for each request.

2006-06-04 Richard Frith-Macdonald  <rfm@gnu.org>

	* WebServer.h:
	* WebServer.m:
	Add thread support and support for very old clients sending simple
	http0.9 requests.

2006-03-02 Richard Frith-Macdonald  <rfm@gnu.org>

	* WebServerBundles.m: Add missing method.
	* WebServer.h:
	* WebServer.m:
	Change use of term 'session' to 'connection' throughout, for clarity
	as connection is the term generally used for the concept in the http
	world
	* GNUmakefile: Bump version to 1.1 because of API changes.

2005-10-27 Richard Frith-Macdonald  <rfm@gnu.org>

	New WebServer library (1.0) ... extracted from SQLClient library.
