Forum OpenACS Development: ANNOUNCE: NaviServer 4.99.12 available

I am pleased to announce the availability of NaviServer 4.99.12 (see [1] and [2]). NaviServer 4.99.12 was tested with OpenACS 5.9.0. See below for the changes between NaviServer 4.99.11 and 4.99.12.

all the best
-gustaf neumann
[1] https://sourceforge.net/projects/naviserver/
[2] https://bitbucket.org/naviserver/naviserver/

=======================================
NaviServer 4.99.12, released 2016-08-21
=======================================

 195 files changed, 20265 insertions(+), 13421 deletions(-)

New Features:
  * OpenSSL support integrated with NaviServer core
    - ns_http can handle now http and https urls
    - Added backward_compatibility stub for ns_ssl
    - Added configure switch --with-openssl?=path?

  * Improved crypto support (through OpenSSL)
    New commands:
      - ns_hmac
      - ns_md (generalization of ns_md5 and ns_sha1,
        but supports by default 14 different digest algorithms)
      - ns_hotp (one-time passwords as defined in RFC 4226)
      - ns_totp (time-based one-time passwords as defined in RFC 6238)

    StartTLS support (contributed by Constantin Șerban-Rădoi)
     - "ns_sendmail" is now able to connect to servers via StartTLS
        (requires the Tcl "tls" package, since ns_sendmail is
        implemented in Tcl)
      - Client and server support for StartTLS in the nssmtpd module.

  * New Command "ns_rlimit" to get/set various resource limits from
    the operating system. A typical use case for this command is to
    query or set e.g. the core size via the NaviServer startup file or
    to change it at runtime in a syntax independent from the naming
    and conventions in the various startup scripts (e.g. upstart,
    systemd, ...). This is e.g. useful when a core dump should be
    created from the running state (e.g. in combination with the
    "ns_crash" command).
  
  * Improvements for "ns_connchan":
     - Supports now client functionality via
          ns_connchan open ...
       (works for http:// and https:// URLs)
     - New subcommand "ns_connchan exists /channel/"
     - Added runtime switchable debug severity "Debug(connchan)"

Bug Fixes:
  * Fix ns_set management of headers (which was broken since the
    introduction of the leftover management when requests are
    pipelined in 4.99.11). The problem was that the "static" ns_set for headers
    was freed too early in the pipelined case.

  * Fix for a serious bug in cookie management which could lead to false
    positives in ns_getcookie:

      - Previous versions of NaviServer searched the "Cookie" and
	"Set-Cookie" header files for a string "NAME=" and returned
	the value provided after this string, when found.

      - However, the "Cookie" and "Set-Cookie" header fields have
        contents in a different syntax (see
        https://tools.ietf.org/html/rfc6265 section 4.1.1 vs. 4.2.1),
        such as e.g.

          Cookie: cookie1="value1"; cookie2="value2"; style=null; ...
          Set-Cookie: cookie1="new-value"; Expires=Fri, 01-Jan-2035 01:00:00 GMT; Path=/; HttpOnly

      - Therefore, searching in the "Cookie" header field e.g. for a
        cookie named "tyle" led to a success as well as a search in
        "Set-Cookie" for e.g. a cookie named "Expires".

  * Improved handling of erroneous requests (some were treated as
    HTTP/0.9 requests before, leading to strange behavior/error
    messages).

  * Fix potential memory leak for "ns_mutex eval"

  * Long-standing bug when exiting "make test" should be fixed by now.
    The problem was that the Tcl exit handler was kicking in when
    the end-of-file was reached, interfering with the NaviServer
    shutdown steps.

  * Improved portability for *BSD systems and recent Windows
    build environments (e.g. Visual Studio 2015)
	

Documentation improvements:
  * New man pages for ns_hmac, ns_md, ns_hotp, ns_totp
  * Various man pages updated/improved
  * Improved sample config files
  

C API Changes:

  *  Introduction of Ns_ReturnCode: use an enumeration type instead of
     preprocessor based constants + int. The change revealed several
     places, where NS_OK/NS_ERROR and TCL_OK/TCL_ERROR were intermixed.

  * New functions

    - Ns_GetBinaryString() to obtain from a Tcl_Obj the binary
      representation if available, otherwise the string representation.
      
    - Ns_SetRecreate() which is a combination of a create and a move
      operation, but avoiding malloc operations on all keys/values.

    - Ns_DStringAppendTime() to ease uniform printing of
      Ns_Time structs into DStrings

    - Ns_SubcmdObjv(): New infrastructure support for commands with
      subcommands: instead of long switch statements with nested
      structures with often many returns, one can now register
      Tcl_ObjCmdProcs for subcommands in an Ns_SubCmdSpec structure.
      
    - New argv checkers Ns_ObjvUShort() and ObjvQueue()
    

Configuration Changes:
    - added configure switch --with-openssl?=path?


Code Changes:
  * Improved naming of Mutexes: many more mutexes are named now.
  
  * Code cleanup:
    - Modernized argv parsing by using Ns_ParseObjv() for
      many functions.
    - Introduced enumeration types Ns_ReturnCode
      and NsWriterStreamState
    - New macro INTCHAR to pass "char" values to library
      functions requiring "int" to avoid code smells
    - Use "unsigned short" consistently for port numbers
    - Use boolean types on more occasions
    - Use more often typedef-ed function definitions
    - Reduced number of multiple returns per function
    - Removed all calls to deprecated Tcl API Function
      Tcl_AppendElement()
    - Reduced calls to Tcl_AppendResult() and use explicit
      Tcl_Objs instead for results
    - Generation of error messages made more consistent
    - Removed useless calls to Ns_DStringFree() after Tcl_DStringResult()
    - Replaced deprecated atoll() by strtoll()
    - Reduced variable scopes
    - Added more const declarations
    - Don't use boolean values as arguments of comparison operators
    - Many large functions split into smaller units

  * Made testing more robust when IPv6 is available, but
    turned off in the kernel
    
  * NaviServer driver:
    - Added (clientInitProc, protocol and default port) to info record
    - Bumped driver version to 4
    
  * Ignore less soft error conditions, but report in the error.log
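
The ns_getcookie false positive described under "Bug Fixes", as an added C example (not NaviServer's code): a substring search for "NAME=" next to a lookup that splits the field value into pairs and compares the whole name. The function names and sample values are assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample field values, modelled on the release notes. */
static const char COOKIE[] = "cookie1=\"value1\"; cookie2=\"value2\"; style=null";
static const char SET_COOKIE[] =
    "cookie1=\"new-value\"; Expires=Fri, 01-Jan-2035 01:00:00 GMT; Path=/; HttpOnly";

static int copy_value(const char *v, size_t len, char *out, size_t n) {
    if (len >= n) len = n - 1;           /* truncate instead of overflowing */
    memcpy(out, v, len);
    out[len] = '\0';
    return 1;
}

/* Behaviour described for earlier versions: first "NAME=" anywhere wins. */
static int naive_find(const char *hdr, const char *name, char *out, size_t n) {
    char key[64];
    snprintf(key, sizeof key, "%s=", name);
    const char *p = strstr(hdr, key);
    if (p == NULL) return 0;
    p += strlen(key);
    return copy_value(p, strcspn(p, ";"), out, n);
}

/* Pair-aware lookup: split on ';' and require the name to fill the whole
 * left-hand side. With first_only (Set-Cookie) only the leading pair is a
 * cookie; later pairs such as Expires or Path are attributes (RFC 6265). */
static int strict_find(const char *hdr, const char *name, int first_only,
                       char *out, size_t n) {
    size_t nlen = strlen(name);
    for (const char *p = hdr; *p != '\0'; ) {
        while (*p == ' ' || *p == ';') p++;
        size_t seg = strcspn(p, ";");
        if (seg > nlen && strncmp(p, name, nlen) == 0 && p[nlen] == '=')
            return copy_value(p + nlen + 1, seg - nlen - 1, out, n);
        if (first_only) break;
        p += seg;
    }
    return 0;
}

int main(void) {
    char v[64];
    printf("naive  tyle:    %d\n", naive_find(COOKIE, "tyle", v, sizeof v));
    printf("strict tyle:    %d\n", strict_find(COOKIE, "tyle", 0, v, sizeof v));
    printf("naive  Expires: %d\n", naive_find(SET_COOKIE, "Expires", v, sizeof v));
    printf("strict Expires: %d\n", strict_find(SET_COOKIE, "Expires", 1, v, sizeof v));
    return 0;
}
```
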
Posted by Michael Aram on
It is a real pleasure to see that NaviServer is actively developed!

Should the statement "Fix ns_set management of headers (which was broken since the introduction of the leftover management when requests are pipelined in 4.99.11). The problem was that the "static" ns_set for headers was freed too early in the pipelined case." be read as "Users of NaviServer 4.99.11 should update asap to 4.99.12", or is the bug mainly affecting niche cases?
Posted by Gustaf Neumann on
It is rather the latter. Most major browsers have pipelining deactivated by default. On OpenACS.org there are per day 10-100 pipelined requests out of 50k requests, and these requests are typically for embedded resources, where the "static" ns_sets are not used (on sites with AOLserver or earlier versions of NaviServer the pipelined requests are ignored).

But other sites might have different requirements, and well-maintained sites should strive for the newest release.

All the best from Greece.
-gn