***** Revision 1.8.8 2004/10/05
- Update release to 1.8.8
    cvs diff -r1.11 -r1.12 makefile.vers
- Update Apache from (1.3.27, 1.1.26, 1.3.23) to (1.3.31, 1.3.29, 1.3.27)
    cvs diff -r1.10 -r1.11 makefile.vers
    cvs diff -r1.17 -r1.18 compil/Makefile
    cvs add doc/proxy_headers-1.3.31.diff
    cvs add doc/proxy_headers-1.3.29.diff
- Add "intel29" arch and remove $(sdiclient0)
    cvs diff -r1.19 -r1.20 Makefile
    cvs diff -r1.20 -r1.21 Makefile
    cvs diff -r1.21 -r1.22 Makefile
    cvs diff -r1.12 -r1.13 makefile.vers
    cvs diff -r1.62 -r1.63 tests/Makefile
    cvs diff -r1.34 -r1.35 src/Makefile
    cvs diff -r1.9 -r1.10 src/tools/Makefile
    cvs diff -r1.18 -r1.19 compil/Makefile
- Correct "Cache-Control" response header from "no-cache" to "no-store"
    cvs diff -r1.17 -r1.18 src/mod_securid.c
    cvs diff -r1.5 -r1.6 tests/logs/out.06-35.web.ref
- Auto-tests: avoid repeated messages for errors_log.*.ref
    cvs diff -r1.61 -r1.62 tests/Makefile
    cvs diff -r1.12 -r1.13 tests/logs/errors_log.vhost.ref
    cvs diff -r1.28 -r1.29 tests/logs/errors_log.web.ref

***** Revision 1.8.7 2004/01/05
- Correct "/priv/securid/..." path (priv_path) for (reverse only) proxy,
  when access is restricted with "" (and not ""):
  skip 'proxy:' *and then* 'scheme:', '://' & host part
  (was 'proxy:', 'scheme:', '://' & host part)
- Allow any custom "error" file(s) to use "%%"
- Avoid 2 gcc warnings

***** Revision 1.8.6 2003/07/01
- Cookie fix for some browsers (Lynx or Mozilla/7 for example):
  when "/priv/" needs to be authenticated with SecurID, then mod_securid
  will use:
    - /priv/securid/auth for securid-auth handler,
    - /priv/securid/check for securid-check handler,
  SecurID status is still available, using:
    - /priv/securid/status for securid-status handler.
  During authentication, "/priv/securid" is used for cookie path and then
  "/priv/" when authentication succeeded.
  Please also note that custom "error" file(s) have changed (using
  "ACTION=%s" and no more "ACTION=/securid-...").

***** Revision 1.8.5 2003/03/11
- Correct 'path=/' for webid2 cookie: this may not be always 'path=/', but
  'path=_private_uri_', where _private_uri_ is the that wanted to use the
  SecurID authentication.
  This may be important for cache server: suppose "/priv/" is the ; then the
  webid2 cookie only has to be sent for /priv/..., and not for example for
  "/..."; else the doc "/..." could be cached *with* the webid2 cookie and
  that's not what we want...
  A new directive, AuthSecurID_PathCookie, has also been added to control
  this 'path=...' for some special cases.
!! Please note that the user authentication cache (AuthSecurID_Cache) has
!! changed with this new release, and so you need to remove it before starting
!! your Web/Proxy/ReverseProxy server.

***** Revision 1.8.4 2003/02/17
- Add auto-focus on authentication forms
- Correct AuthSecurID_DomainCookie checks to allow more than 2 periods
  domains (thanks to Jon.Williams@xansa.com for this)

***** Revision 1.8.3 2002/10/02
- Correct "graceful restart" (kill -USR1).

***** Revision 1.8.2 2002/08/27
- Correct some "new pin" / "next code" problems on Solaris
  (ok for ACE/Server but failed for mod_securid).

***** Revision 1.8.1 2002/06/20
- Correct AuthSecurID_DomainCookie usage: domains must have at least 2
  (and not sometimes 3) periods.

***** Revision 1.8.0 2002/06/04
- Correct API (ACE/Lib) usage and solve several auth. problems:
    - auth. ok for ACE/Server but denied for mod_securid;
    - old "stability problem with the ACE Server";
    - warning messages about shared memory;

***** Revision 1.7 2001/12/14
- Better "Invalid From-Agent" & "Invalid User-Agent" error messages

***** Revision 1.6 2001/11/08
- 1.5.2.6 -> 1.6

***** Revision 1.5.2.6 2001/10/12
- Bug on AuthSecurID_MaxTTL: the directive's value was not correctly used
  (the value of AuthSecurID_TTL was used instead...)
  Thanks to Tim Thackaberry.
- Bug on AuthSecurID_Cache with "noreset": Revision 1.5.2.2 broke this...
  Thanks to Jari Ahonen.

***** Revision 1.5.2.5 2001/08/20
- Improvements for AuthSecurid_FromAgent:
    AuthSecurid_FromAgent [from:]key[/mask] ...

***** Revision 1.5.2.4 2001/07/26
- Referer bug when running in reverse-proxy mode: QUERY_STRING was
  cancelled. (thanks to Frank Scholz )

***** Revision 1.5.2.3 2001/07/01
- avoid warnings
- correct bug on for standard-proxy
- correct bug on
- check if connection to ACE is "dead"

***** Revision 1.5.2.2 2001/04/06
- cleanup on stop: remove cache & lock files.

***** Revision 1.5.2.1 2001/03/12
- "bug": mod_securid now works with mod_perl (no more core dump);
- minor changes for debug messages format;

***** Revision 1.5.2.0 2001/03/05
- perf: no more "LogLevel debug" messages if you do not use -DSECURID_DEBUG

***** Revision 1.5.1.9 2001/02/19
- stability problem with the ACE Server: add a Time To Live for ACE
  client/server communication (see AuthSecurID_AceTTL).

***** Revision 1.5.1.8 2001/02/16
- minor change: [error] msg => [warning] msg...

***** Revision 1.5.1.7 2001/02/16
- better "noreset" behaviour

***** Revision 1.5.1.6 2001/01/30
- Some minor changes for custom files
  (thanks to Jari Ahonen for .nl files).

***** Revision 1.5.1.5 2001/01/12
- Bug: doubling args in referer for standard-proxy
  (thanks to Jim Drash for this bug).

***** Revision 1.5.1.4 2000/12/21
- Better auto-configure for static module.
- Upgrade install doc (index.html).

***** Revision 1.5.1.3 2000/12/21
- Better "ACE init" [notice] messages.

***** Revision 1.5.1.2 2000/12/20
- Bug (and core dump) when using several virtual hosts with the same
  SecurID config as the main server.

***** Revision 1.5.1.1 2000/12/15
- Avoid passcodes to be stored in cache (db).

***** Revision 1.5.1.0 2000/12/15
- Better static module auto-config.

***** Revision 1.5 2000/12/05
- 1.4.2.12 -> 1.5

***** Revision 1.4.2.12 2000/12/03
- Cleanup: just a wrong debug message when we were authoritative
  (was saying we were not autho...);

***** Revision 1.4.2.11 2000/12/03
- Future: add multiple groups support;

***** Revision 1.4.2.10 2000/12/03
- Cleanup:
    - fixed memory leaks with gdbm;
    - fixed gdbm scan problem in auth_dos() & child_exit();
    - fixed some problems with strnxxx();
    - fixed some directives checks/limits;
    - fixed some "follow symlinks" problems
      (and add CustomSymLinks directive)

***** Revision 1.4.2.9 2000/11/21
- Future: auto check custom files
  (and no more core dump for bad formats...)

***** Revision 1.4.2.8 2000/11/15
- "Little" bug: body was not always completely discarded.

***** Revision 1.4.2.7 2000/11/01
- Change: AuthSecurID_CustomDir: default is now "null";
  So you have to use explicit "AuthSecurID_CustomDir ..." to enable
  custom files.

***** Revision 1.4.2.6 2000/10/31
- Change: AuthSecurID_Custom => AuthSecurID_CustomDir
- Add: AuthSecurID_CustomType to set Content-Type of custom files
- Enable:
    - `BrowserMatch "..." "AuthSecurID_CustomDir=..."'
    - `BrowserMatch "..." "AuthSecurID_CustomType=..."'

***** Revision 1.4.2.5 2000/10/31
- No more -DSECURID_MULTIPLE_VARACE: code is correct
  (if you use libaceclnt.a, not sdiclient.a that is buggy...).

***** Revision 1.4.2.4 2000/10/19
- Avoid some DoS: 3 new directives:
    - AuthSecurID_MaxCacheSize
    - AuthSecurID_MaxAuthGet
    - AuthSecurID_MaxAuthPost
- Better HTML error documents:
    - custom error file err.0 => err.0.0
    - new custom files err.0.1 .. err.0.4

***** Revision 1.4.2.3 2000/09/19
- More checks for directives values:
    - AuthSecurID_VarAce
    - AuthSecurID_DomainCookie

***** Revision 1.4.2.2 2000/09/18
- Solaris cleanup.

***** Revision 1.4.2.1 2000/09/17
- Better error messages.

***** Revision 1.4.2.0 2000/09/17
- Full VirtualHost support (but with an ACE limitation: see doc and
  AuthSecurID_VarAce directive).
- Better checks on /securid-check.
- "ACE init deferred" now really works.

***** Revision 1.4.1.9 2000/09/14
- Add AuthSecurID_HandleCookie & _WebidCookie directives:
  this allows customizing the `AceHandle' & `webid2' cookie names.
- Also change webid2 cookie separator so it is now isprint()able:
  this is still for some web servers that do not allow nonprintable chars
  in cookie (and they are right because a cookie value should be a
  "quoted-string", i.e. with %hh).

***** Revision 1.4.1.8 2000/09/13
- No more twice ACE init. This also corrects an ACE init bug when using
  some VirtualHost config.

***** Revision 1.4.1.7 2000/09/08
- Change the "webid2" cookie separator: as "binary" characters are not
  always supported on some web servers, separator is now the PILCROW SIGN
  8-bit character. Thanks to Doug Becker for this problem report.

***** Revision 1.4.1.6 2000/09/08
- Support for VirtualHost. Thanks to Doug Becker for this problem report.

***** Revision 1.4.1.5 2000/09/07
- Doc upgrade for AuthSecurID_Authoritative directive.

***** Revision 1.4.1.4 2000/09/04
- "Windows CE" support (!): prefix all form field names with "sd_":
    NAME=action   => NAME=sd_action
    NAME=username => NAME=sd_username
    NAME=passcode => NAME=sd_passcode
    NAME=referer  => NAME=sd_referer
  So all your custom files have to be changed...
  ("action" is a reserved keyword for Pocket Internet Explorer, that does
  not support " ..."; thanks to Martin Marshall for this information)

***** Revision 1.4.1.2 2000/09/03
- Better checks in /securid-check for "strange" data in body; this will
  solve some `core dump' (and perhaps some DoS).
  Thanks to Chris O'Regan for this problem.

***** Revision 1.4.1.1 2000/08/01
- Carefully reset errno to 0; this is for some bogus systems;
- Use a cache lock file (logs/securid_auth.lck); this is to avoid some
  file locking problems;

***** Revision 1.4 2000/07/09
- Stable version (1.3.2.29)

***** Revision 1.3.2.29 2000/07/09
- Bug correction for some very special referers...

***** Revision 1.3.2.28 2000/07/09
- Properly escape referer sent to the client; this is to avoid some
  potential Cross Site Scripting security problems.

***** Revision 1.3.2.27 2000/07/08
- User-Agent checking: add "AuthSecurID_UserAgent ";
- File locking: better error checks.

***** Revision 1.3.2.26 2000/07/05
- Now use "Expires: 0" instead of "Expires: _request_time_": this is a
  better choice that will prevent proxies from caching.
  So default for AuthSecurID_NoCache is now off.

***** Revision 1.3.2.25 2000/06/30
- ChangeLog corrupted...

***** Revision 1.3.2.24 2000/06/30
- Bug with IE, when this "browser" is talking in httpS and handling the
  URL with external program. mod_securid now adds:
    "Pragma: no-cache" for HTTP/1.0;
    "Cache-Control: no-cache" for HTTP/1.1;
  This makes IE happy...
- Also add SecurID_NoCache directive.

***** Revision 1.3.2.23 2000/06/15
- Apache/mod_securid may now start without ACE/Server running;
  init will then be done later...

***** Revision 1.3.2.22 2000/06/14
- cleanup code for Linux/Solaris

***** Revision 1.3.2.21 2000/06/14
- No more -DSECURID_DEBUG: use "LogLevel debug" (to debug),
  or "LogLevel error" (for normal use).

***** Revision 1.3.2.20 2000/06/13
- rename SecurID handler names:
    - /securid/auth/ => /securid-auth
    - /securid/check/ => /securid-check
- add SecurID status handler:
    - /securid-status[?logout]

***** Revision 1.3.2.19 2000/06/07
- "/server-info" messages updated.

***** Revision 1.3.2.18 2000/06/07
- Add "noreset" for AuthSecurID_Cache.

***** Revision 1.3.2.17 2000/06/06
- unused variable...

***** Revision 1.3.2.16 2000/06/06
- Simpler!
    - no more "Alias /securid/..." & "..." directives,
    - add "AuthSecurID_Custom" directive for custom directory,
    - add multi-language custom files.

***** Revision 1.3.2.15 2000/05/24
- Security update: now mod_securid takes care of User-Agent and Browser's
  IP address. Also add FromAgent directive.
- More error messages: see doc/index.html.

***** Revision 1.3.2.14 2000/05/19
- Add AuthSecurID_MaxTTL.

***** Revision 1.3.2.13 2000/05/19
- Add "always_after" / "if_not_used" in AuthSecurID_TTL directive.

***** Revision 1.3.2.12 2000/05/04
- Correct dbm bug when starting for the 1st time Apache/SecurID:
    - now chown (User) .dir *and* .pag files.
- Cleanup for ap_table_set(n) calls.
- Cleanup code (because of "#define const" in ACE sdi_defs.h!)

***** Revision 1.3.2.11 2000/04/01
- One more bug with multiple AuthType (see previous):
  mod_securid.check_auth() *and* check_access have to decline...

***** Revision 1.3.2.10 2000/04/01
- Bug with multiple AuthType (for ex., Basic & SecurID):
  now mod_securid declines if AuthType != SecurID...

***** Revision 1.3.2.9 2000/03/23
- Authoritative debug

***** Revision 1.3.2.8 2000/03/21
- Add DomainCookie & SecureCookie.

***** Revision 1.3.2.7 2000/03/18
- "proxy:" restrict bug (recursive auth. loop),
  (only "proxy:http://host/xxx" was working...).

***** Revision 1.3.2.6 2000/03/17
- Mod_securid now works fine for standard proxy.
  (It was already working fine for web and reverse proxy)

***** Revision 1.3.2.5 2000/03/10
- Prevent gdbm locking as we already do it.
- Rename USE_GDBM -> SECURID_USE_GDBM.
- No more C++ comments.

***** Revision 1.3.2.4 2000/03/09
- No more hardcoded "index.html"; use .

***** Revision 1.3.2.3 2000/02/29
- Add auto-refresh for NEW_PIN_{GENERATED,ACCEPTED}.

***** Revision 1.3.2.2 2000/02/29
- Chown auth cache file if root is starting apache.
- Some better error and debug messages.

***** Revision 1.3.2.1 2000/02/29
- SECURID_AUTH_FAILED_ => SECURID_FMT_CHECK_*
- Add SECURID_FMT_AUTH

***** Revision 1.3.2.0 2000/02/29
- 1.3.1.12 -> 1.3.2.0

***** Revision 1.3.1.12 2000/02/27
- New text for NEW_PIN sys/user

***** Revision 1.3.1.11 2000/02/26
- Bug: "delete error for AuthSecurID_Cache file (dbm err=0 ...)" message.
- Bug on referer when calling http://srv/cgi/toto?qsdfqsdf without any auth.

***** Revision 1.3.1.10 2000/02/26
- Log an error when action=... is unknown (not debug).
- Next_code bug (sd->username was cleared).
- New_pin bug (sd->system_pin was cleared).

***** Revision 1.3.1.9 2000/02/25
- Cleanup auth. cache in child_exit().

***** Revision 1.3.1.8 2000/02/25
- Better solution for "back button" problem.

***** Revision 1.3.1.7 2000/02/24
- Better debug & error messages.

***** Revision 1.3.1.6 2000/02/23
- \n were missing in some HTML.
- Next Tokencode: NEXT_CODE_OK means ACM_OK (and redirect).

***** Revision 1.3.1.5 2000/02/23
- Debug using cc -DSECURID_DEBUG.
- Could not use custom file ACM_NEW_PIN_GENERATED.

***** Revision 1.3.1.4 2000/02/22
- Core dump with a brand new browser that does not provide any handle...

***** Revision 1.3.1.3 2000/02/21
- Ok for Solaris & Linux

***** Revision 1.3.1.2 2000/02/21
- Full custom...

***** Revision 1.3.1.1 2000/02/18
- New PIN/CODE seems to be ok for Linux.

***** Revision 1.3.1.0 2000/02/14
- Add next code and new pin facilities

***** Revision 1.3.0.11 2000/02/08
- no debug...

***** Revision 1.3.0.10 2000/02/08
- Custom form and error responses.

***** Revision 1.3.0.9 2000/01/17
- no debug...

***** Revision 1.3.0.8 2000/01/17
- "back" button problem

***** Revision 1.3.0.7 2000/01/16
- Add "full" gdbm

***** Revision 1.3.0.6 2000/01/16
- bug (and core dump) around next_code

***** Revision 1.3.0.5 2000/01/13
- auto-config for VAR_ACE

***** Revision 1.3.0.4 2000/01/13
- english comments...

***** Revision 1.3.0.3 2000/01/12
- LIBS and CFLAGS under /var/ace
  (no more /home/pasty/compil/ace_simul...)
- No SECURID_DEBUG by default
- Use {auth,check}/index.html (faster...)

***** Revision 1.3.0.2 1999/12/15
- DEBUG off ...

***** Revision 1.3.0.1 1999/12/14
- ok (?)

***** Revision 1.3 1999/12/07
- still one DBM bug with solaris...

***** Revision 1.2 1999/12/06
- initial #2

***** Revision 1.1 1999/11/05
- initial