-
Notifications
You must be signed in to change notification settings - Fork 27
/
ChangeLog
68 lines (57 loc) · 3.55 KB
/
ChangeLog
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
# See http://github.com/bmuller/mod_auth_openid for a full ChangeLog history.
# Some issue references are from an old Trac installation. New bugs can be found
# at http://github.com/bmuller/mod_auth_openid/issues and are prefixed with a #
Version 0.8
Added support for Apache 2.4
Fixed issue with str_replace causing segfault on empty string
Fixed issue preventing valid authentication when session cookie wasn't being used
Version 0.7
Fixed issue #13 - issue with handling POST data
Fixed issue #10 - curl_unescape deprecated / libcurl doesn't unescape '+' as a space
Fixed "configure: error: conditional "DEBUG" was never defined." message when running autogen.sh.
Single OP mode
Set HttpOnly on session-scoped cookies too
Can now validate AX attrs by regex
Added AuthOpenIDSecureCookie directive to limit session cookie retrieval to HTTPS connections
Implemented AuthOpenIDAXUsername and AuthOpenIDSecureCookie
Described functionality of AuthOpenIDSingleIdP, AuthOpenIDAXRequire, AuthOpenIDAXUsername, AuthOpenIDSecureCookie
Fixed security vulnerability - sqlite DB should not be world readable
Version 0.6
Now a true authorization module (using ap_hook_check_user_id) (issue 79)
Because now using propper hook, REMOTE_USER now accessible to mod_rewrite (issue #2)
Now using integrated apache logging rather than logging directly to apache log with printing to stderr
Fixed error that caused openid_identifier to leak into return_to, causes cancel messages to fail (issue 92)
Fixed problem with module not always recognizing when locked URL was using https (issue 83)
Version 0.5
Added support for HTML form submission (POSTs) per the 2.0 spec (issue 52)
Created AuthOpenIDCookiePath option (issue 76)
Nonce is now more secure (issue 77)
Version 0.4
Fixed bug involving custom auth cookie names (issue 27)
No longer clearing attribute exchange parameters (issue 34) - see wiki page for attribute exchange
Added ability to specify external program for authorization (issues 8, 35, and 17)
Fixed bug that left openid params in referrer param after custom login page redirect (issue 28).
Fixed bug that resulted in referrer param not having http/s being set correctly (issue 26).
Fixed bug that resulted in auth error when too many requests were hitting Session DB (issue 36).
Fixed bug that set REMOTE_USER to normalized id rather than claimed id (issue 37).
Version 0.3
Added support for OpenID 2.0 spec - using new libopkele
Removed support for BDB - now SQLite only
Fixed security issue with sessions potentially being valid for too long (issue 16)
Changed get param from openid.identity to openid_identifier (per 2.0 spec - issue 14)
Version 0.2.1
302 Redirect issue fixed - nasty, reason for 0.2.1 release (issue 6)
AuthOpenIDEnabled now allowed in .htaccess files (issue 9)
Fixed links on default login page (issue 12)
Version 0.2
openid.ax and openid.sreg parameters are no longer cleansed from URL (issue 1)
Added AuthOpenIDServerName configuration option (issue 3)
Removed dependency on libpcre++ (libpcre still required)
Added a modauthopenid.referrer parameter that is passed on to login pages (issue 4)
Updated code to work with libopkele version 3 API
Version 0.1
Changed license to less restrictive MIT license to avoid legal nasties in the future.
Added sqlite support as an alternative to bdb.
Added AuthOpenIDCookieLifespan option.
Fixed bug where REMOTE_USER CGI environment variable was not being set correctly when ID was delegated.
Fixed bug where REMOTE_USER CGI environment variable was not being set if the session cookie wasn't enabled.