Created attachment 208749 [details] www/wt3 v3.4.1 to v3.4.2 patch file Release 3.4.2 (October 30, 2019) This release fixes the following issues: wthttp security issues: Wt internally used an SSL-Client-Certificates header to send client certificates to child processes when using dedicated process mode. It was however always accepted even when Wt was not behind a reverse proxy, and sent to child processes as-is. wthttp now correctly disregards it when not received from a reverse proxy. The header was also renamed to X-Wt-Ssl-Client-Certificates to clarify that it is a non-standard internal Wt header. When using dedicated session processes with wthttp, the parent process would trust X-Forwarded-Proto and X-Forwarded-Port even when Wt was not configured to be behind a reverse proxy. These are now discarded. issue #7292: OAuthService now correctly uses refresh_token instead of refreshToken Http::Client fixes: fixed issue #7272: support @ character in the path of a URL fixed 204 No Content response code behavior (would hang before, waiting for content) (issue #7273) More informative error and exception messages: QueryModel's "geometry inconsistent with database" exception now contains row and cache start and size information WebSession's "not serving this" info message contains more context so it's less confusing Documentation fix: The release notes for Wt 3.3.8 incorrectly referred to allowed-hosts, while this property is actually named allowed-origins
Build info is available at https://gitlab.com/swills/freebsd-ports/pipelines/92956222
A commit references this bug: Author: dmgk Date: Fri Nov 1 19:00:47 UTC 2019 New revision: 516261 URL: https://svnweb.freebsd.org/changeset/ports/516261 Log: www/wt3: Update to 3.4.2 Changes: https://webtoolkit.eu/wt/wt3/doc/reference/html/Releasenotes.html PR: 241629 Submitted by: Mohammad S. Babaei <info@babaei.net> (maintainer) Approved by: tz (mentor, implicit) Changes: head/www/wt3/Makefile head/www/wt3/distinfo head/www/wt3/pkg-plist
Committed, thanks!