Mailing List Archive

[ANNOUNCE] libapreq2-2.07 Released
libapreq2-2.07 Released

The Apache Software Foundation and The Apache HTTP Server Project
are pleased to announce the 2.07 release of libapreq2. This
Announcement notes significant changes introduced by this release.

libapreq2-2.07 is released under the Apache License
version 2.0. It is now available through the ASF mirrors

and has entered the CPAN as

file: $CPAN/authors/id/J/JO/JOESUF/libapreq2-2.07.tar.gz
size: 787249 bytes
md5: 6f2e5e4a14e8b190dead0fe91fc13080

libapreq2 is an APR-based shared library used for parsing HTTP cookies,
query-strings and POST data. This package provides

1) version 2.5.7 of the libapreq2 library,

2) mod_apreq2, a filter module necessary for using libapreq2
within the Apache HTTP Server,

3) the Apache2::Request, Apache2::Cookie, and Apache2::Upload
perl modules for using libapreq2 with mod_perl2.

This release contains an important security bugfix which impacts all
previous developer releases of libapreq2. The Common Vulnerabilities
and Exposures project assigned the name CVE-2006-0042 to this issue.


Changes with libapreq2-2.07 (released February 12, 2006)

- C API [joes]
SECURITY: CVE-2006-0042 (
Eliminate potential quadratic behavior in apreq_parse_headers() and

- Perl API [Philip M. Gollucci]
Fix Apache2::Cookie->cookies() to comply with its documentation

- C API [Philip M. Gollucci]
Use the APREQ_DEFAULT_READ_LIMIT constant for the read_limit

- C API [Ville Skyttä, Dirk Nehring]
Add explicit cast in apreq_escape()/apreq_util.h to keep
C++ compilers happy.

- C API [joes]
Protect against arbitrary recursion depth in apreq_parse_multipart()
by adding a reasonable compile-time MAX_LEVEL limit.

- C API [joes]
Clean up end-of-file parsing for apreq_parse_multipart(),
conforming to rfc-2046 § 5.1.1.

- Perl API [joes]
Move APR::Request::Param::Table and APR::Request::Cookie::Table
packages to APR::Request module.

- Perl XS [Steve Hay]
Fix compile problems on Win32 without PERL_IMPLICIT_SYS
related to link being an unresolved symbol.

- Perl API [joes]
APR::Request::Cookie::thaw() isn't a class method.

- C API [joes]
Fix off-by-one bug in the continuation-lines portion of the
header parser.

- Perl API [joes]
Move APR::Request::upload to APR::Request, where it belongs.

- Perl XS [Nikolay Ananiev]
Use MP_STATIC declarations to allow Cygwin builds.

- Perl API [joes]
encode()/decode() were busted with zero-length args. This caused
Apache2::Cookie::new() to segfault on cookie value of "".

- C API [joes]
Add apreq_charset_divine() and eliminate charset offset from return
value of apreq_decode(v).

- C API [joes]
Improve the cp1252-charset heuristics for apreq_decode(v).

- C API [Ralph Mattes]
Add explicit casts for apreq_param_charset_* to keep c++ compilers happy.

To unsubscribe, e-mail:
For additional commands, e-mail: