lighttpd 1.4.54 HTTP server released with URL normalization enabled

Release 1.4.54 of the lightweight HTTP server lighttpd has been published. The new version introduces 149 changes, the highlights being URL normalization enabled by default, a rework of mod_webdav, and some performance optimization work.

As of lighttpd 1.4.54, the server's behavior related to URL normalization when processing HTTP requests has changed. Strict checking of values in the Host header is now enabled, as are normalization of URLs transmitted in headers and blocking of URLs with unescaped control characters. Normalization includes automatic conversion of '\' to '/', '%2F' to '/' and '%20' to '+', resolution and removal of the '.' and '..' directory segments in file paths, and decoding of the escaped characters '-', '.', '_' and '~'.
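The steps listed above can be modelled in a few lines to see what path a rule or log filter ends up comparing against. This is an added illustration, not lighttpd's code: the function names, the order of the steps and the sample targets are assumptions, and '%20' is rewritten only in the query string because the option name "url-query-20-plus" suggests that scope.

```python
import re

LISTED = "-._~"  # escaped characters the article says are decoded

class RejectedURL(ValueError):
    """The model refuses this request target."""

def decode_listed(s):
    # Decode %XX only when it encodes one of the four listed characters.
    def repl(m):
        ch = chr(int(m.group(1), 16))
        return ch if ch in LISTED else m.group(0)
    return re.sub(r"%([0-9A-Fa-f]{2})", repl, s)

def remove_dot_segments(path):
    # Resolve "." and ".." without ever climbing above the root.
    segs = path.split("/")[1:]
    out = []
    for i, seg in enumerate(segs):
        if seg in (".", ".."):
            if seg == ".." and out:
                out.pop()
            if i == len(segs) - 1:
                out.append("")  # keep the trailing slash
        else:
            out.append(seg)
    return "/" + "/".join(out)

def normalize(target):
    # Assumes an origin-form target that starts with "/".
    if re.search(r"[\x00-\x1f\x7f]", target):
        raise RejectedURL("unescaped control character")
    path, sep, query = target.partition("?")
    path = path.replace("\\", "/")            # '\'   -> '/'
    path = re.sub(r"%2[Ff]", "/", path)       # '%2F' -> '/'
    path = remove_dot_segments(decode_listed(path))
    query = decode_listed(query).replace("%20", "+")  # '%20' -> '+'
    return path + sep + query

if __name__ == "__main__":
    # Constructed sample targets, not taken from the article.
    for t in ["/static\\img/%2e%2e/conf%2Fapp%7Ev1?q=a%20b", "/docs/./a%2Fb"]:
        print(t, "->", normalize(t))
```

Different spellings of one resource collapse to a single string, which is the form that path-based access rules and log searches should be written against.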

If desired, URL processing behavior can be changed in the settings: the options "header-strict", "host-strict", "host-normalize", "url-normalize", "url-normalize-unreserved", "url-normalize-required", "url-ctrls-reject", "url-path-2f-decode", "url-path-dotseg-remove" and "url-query-20-plus" are now set to "enable".

Other changes include a complete redesign of the mod_webdav module, which made it possible to achieve full compatibility with the specifications and to improve performance and reliability. One of the backward-incompatible changes in mod_webdav is the blocking of incomplete PUT requests. Support for the SHA-256 algorithm for hashing authentication parameters (HTTP Auth Digest) has been added to mod_auth.
A new module, mod_maxminddb, has been proposed in place of mod_geoip (mod_geoip is now deprecated).

Source: opennet.ru
