./net/libupnp, Portable Universal Plug and Play (UPnP) SDK

[ CVSweb ] [ Homepage ] [ RSS ] [ Required by ] [ Add to tracker ]


Branch: CURRENT, Version: 1.14.7, Package name: libupnp-1.14.7, Maintainer: pkgsrc-users

The portable SDK for UPnP* Devices (libupnp) provides developers with an
API and open source code for building control points, devices, and bridges
that are compliant with Version 1.0 of the Universal Plug and Play Device
Architecture Specification and support several operating systems like
Linux, *BSD, Solaris and others.

UPnP is an architecture that enables discovery, event notification, and
control of devices on a network, independent of operating system,
programming language, or physical network connection. UPnP is based on
common Internet standards and specifications such as TCP/IP, HTTP, and XML.


Required to build:
[pkgtools/cwrappers]

Package options: inet6

Master sites:

Filesize: 663 KB

Version history: (Expand)


CVS history: (Expand)


   2021-10-26 13:07:15 by Nia Alarie | Files touched by this commit (958)
Log message:
net: Replace RMD160 checksums with BLAKE2s checksums

All checksums have been double-checked against existing RMD160 and
SHA512 hashes

Not committed (merge conflicts...):

net/radsecproxy/distinfo

The following distfiles could not be fetched (fetched conditionally?):

./net/citrix_ica/distinfo citrix_ica-10.6.115659/en.linuxx86.tar.gz
./net/djbdns/distinfo dnscache-1.05-multiple-ip.patch
./net/djbdns/distinfo djbdns-1.05-test28.diff.xz
./net/djbdns/distinfo djbdns-1.05-ignoreip2.patch
./net/djbdns/distinfo djbdns-1.05-multiip.diff
./net/djbdns/distinfo djbdns-cachestats.patch
   2021-10-07 16:43:07 by Nia Alarie | Files touched by this commit (962)
Log message:
net: Remove SHA1 hashes for distfiles
   2021-06-04 20:56:40 by Adam Ciarcinski | Files touched by this commit (4) | Package updated
Log message:
libupnp: updated to 1.14.7

Version 1.14.7
Fixes broken windows build.

Version 1.14.6
Fix for a DNS Rebind exploit. A special thanks for the collaboration
of the following people:
- Alaric Senat
- Fabrice Fontaine
- Gabriel Corona
- Ian Whyman
- Jean-Francois Dockes
- Marvin Scholz
- Werner Mahr

When upnp uses ixml to parse SOAP messages which contains too many node,
services are unavailable.

Version 1.14.5
Avoid potential memory leak in http_SendMessage()

Get rid of alloca()'s.

Non-recursive version of ixmlNode_free() avoids stack overflow attack.
Fixes CVE-2021-28302.

Version 1.14.4
Add more missing CMake infrastructure to the tarball.

Version 1.14.3
Add CMake infrastructure to the tarball.

Fix for gena leak.

Version 1.14.2
upnpapi.c: Fix crash in UpnpGetIfInfo

Per getifaddrs documentation, the ifa_addr field of an ifaddrs structure
can be null. In a real world example, an entry may be provided for the
non-existent hardware address of a tunnel device. This behavior was
observed with the netlink based getifaddrs implementation in glibc.

Handle interfaces without address

I got a crash on gerbera startup because at least one interface did not have \ 
`ifa_addr` set.

The reason is quite simple: they are the physical interfaces which are part of \ 
my channel
```
2: eth1: <BROADCAST,MULTICAST,SLAVE,UP,LOWER_UP> mtu 1500 qdisc fq_codel \ 
master bond0 state UP group default qlen 1000
    link/ether xx:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff
3: eth0: <BROADCAST,MULTICAST,SLAVE,UP,LOWER_UP> mtu 1500 qdisc fq_codel \ 
master bond0 state UP group default qlen 1000
    link/ether xx:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff
4: bond0: <BROADCAST,MULTICAST,MASTER,UP,LOWER_UP> mtu 1500 qdisc noqueue \ 
state UP group default qlen 1000
    link/ether xx:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff
```

CMake:
- Fix tests for all occasions. (Hopefully)
- Set right so-version and don't yell commands.
- Reverted libname-change till decided

Fix IPv6 GENA subscription

Use LOCAL_PORT_V6_ULA_GUA or LOCAL_PORT_V6 depending on the IPv6 address

samples: allow the user to specify the control point interface

This is useful to test UPnP on specific interface (e.g. IPv6-only).
This was already possible on the device sample.

upnp/src/api/upnpapi.c: don't set gIF_IPV4 if there is no IPv4

Don't set gIF_IPV4 if no IPv4 is found to keep the default value of '\0'
otherwise SSDP will try to register IPv4 multicast with address 0.0.0.0
which will result in a runtime failure

Version 1.14.1
CMake Github Actions, including windows build.

upnpapi.c: assume that getifaddrs is available

Assume that getifaddrs is available even if it is not POSIX-compliant,
this will simplify the code and, as a side effect, this allow pupnp to
work on an interface that does not have an IPv4 address.

CMake support.

Fixes the inclusion of alloca.h in WIN32.

Remove the now unused file ClientSubscription.c.

Remove port >= 49152 restriction.

Version 1.14.0
Reworked the miniserver code to deal with SO_REUSEADDR

Factored the common socket code and test for EADDRINUSE returning from
listen() when SO_REUSEADDR is turned on.

Removed template classes.

The files generated through template classes had some drawbacks:

1 - You could not read the code.
2 - You could not step through the code with a debugger.
3 - Doxygen was unable to document it.

This patch removes the templates and creates an auto generator for these
boilerplate generated code in the same spirit of the templates, but
solves the above problems.

Still, dealing with documentation still needs some work, but should be
much easier now.

upnpapi.c: retrieve gIF_IPV4_NETMASK with BSD

BSD is using getifaddrs, update the code to retrieve the IPv4 netmask
(used in the CallStranger fix)

Signed-off-by: Fabrice Fontaine fontaine.fabrice@gmail.com

Drop UpnpInit

This function is deprecated since a long time moreover it is vulnerable
to CallStranger a.k.a. CVE-2020-12695 and can't be fixed without
breaking the API as HostIP only allows the user to pass an IP address
and not a netmask.

If we want to discover the netmask from the HostIP provided in UPnPInit,
we'll have to loop through all the available interfaces to find the
interface with the given IP address to finally retrieve the netmask.
This is a lot of work/modification for a deprecated function. Moreover,
in the end UPnPInit will be like a "deprecated" (i.e. IPv4-only) version
of UPnPInit2.

So it is time to remove this deprecated function.

As a result, also remove getlocalhostname and DEFAULT_INTERFACE which
are not needed anymore and replace UpnpInit by UpnpInit2 in comments.

Signed-off-by: Fabrice Fontaine fontaine.fabrice@gmail.com

Partial fix for CallStranger on IPv4

This is a partial fix for CallStranger a.k.a. CVE-2020-12695

Check that DeliveryURLs are in the expected network segment as requested
by the new UPnP UDA:
https://openconnectivity.org/upnp-specs/UPnP-arch-DeviceArchitecture-v2.0-20200417.pdf.

Here is an extract of the new requirement:

The subscription request containing a delivery URL not on the same
network segment as the fully qualified event subscription URL shall not
be accepted. For private networks this means that the delivery URL
provided will adhere to the following IP ranges:

. 10.0.0.0 - 10.255.255.255 (10/8 prefix)
. 172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
. 192.168.0.0 - 192.168.255.255 (192.168/16 prefix)

In the context of pupnp, this means that the IPv4 netmask is now
retrieved when using UPnPInit2. Then, each DeliveryURL is checked
against the device's IPv4 address and netmask. If one of them are not
compliant, the whole subscription is rejected.

This first commit should be enhanced / updated to:

. remove UPnPInit (it is deprecated for a long time) or update it so
. the user can also pass the netmask
. fix IPv6
. fix Windows code
. retrieve the netmask in the BSD code of UPnPInit2

Signed-off-by: Fabrice Fontaine fontaine.fabrice@gmail.com

NULL pointer dereference in FindServiceControlURLPath

Version 1.12.1
setsockopt(IP_MULTICAST_IF) fails on 64-bit CPUs

Do not use usleep when using newer POSIX C source.

usleep is deprecated and is optionally unavailable with uClibc-ng.

Add Os/UserAgent information to UpnpActionRequest and UpnpFileInfo

Add CtrlPtIPAddr to UpnpFileInfo class

List: Add extern C for C++ users

Version 1.12.0
    Reduce spurious HTTP 416 errors due to ill-defined bytes header

    I (re)discovered this behavior trying to use the Gerbera media server
    with Chromecast (built in to my Vizio P55-F1 TV).  Chromecast specifies
    "bytes:0-" with no end range, which caused pupnp to return
    RANGE_NOT_SATISFIABLE.  Jin, the author of MediaTomb, of which Gerbera
    is a continuation, fixed this in 2007 in MediaTomb's fork of pupnp, see
    gerbera@ccd7994d45 "made sure that range requests specified as
    "bytes=0-" do not trigger...", but never passed the fix \ 
upstream.  When
    restarted as Gerbera, pupnp was removed from the local tree in favor of
    using the upstream version, and the patch was lost which lead to me
    rediscovering it recently.

    This is Jin's original patch applied to pupnp 1.8.  This teaches pupnp to
    ignore the bytes header if it matches "0-" and return HTTP_OK.

When building v1.8.6 (on GNU/Linux) with --disable-device, pupnp doesn't build:
/bin/bash ../libtool  --tag=CC   --mode=compile gcc -DHAVE_CONFIG_H -I. -I.. \ 
-I../upnp/inc  -I./inc -I../ixml/inc  -DNDEBUG -I./src/inc -I./src/threadutil \ 
-I/foo/contrib/x86_64-linux-gnu/include -fPIC  -pthread  \ 
-I/foo/contrib/x86_64-linux-gnu/include -DNDEBUG=1 -O3  -DUPNP_STATIC_LIB -Os \ 
-Wall -c -o src/genlib/util/libupnp_la-util.lo `test -f 'src/genlib/util/util.c' \ 
|| echo './'`src/genlib/util/util.c
In file included from src/genlib/miniserver/miniserver.c:58:0:
./src/inc/upnpapi.h:208:2: error: unknown type name 'service_info'
service_info **serv_info
^~~~~~~~~~~~

This patch fixes compilation for the --disable-device case.

GitHub PRs:
* Remove unused files
* UpnpEnableWebserver: Error correctly when web server compiled-out
* CI: Remove .travis.yml
* Remove TRUE/FALSE defines and BOOL typedef
* CI: Add address sanitizer and leak sanitizer enabled test run
* Add list test
* Add -Wextra and -Wpedantic to get more warnings
* More warning fixes
* Doxygen changes
* Remove unused headers
* Remove IN, OUT and INOUT defines
* Remove unused defines in uri.h
* Use stdbool.h instead of BOOL typedef and defines
* Various compiler warning fixes
* configure.ac: Fix Windows detection
* configure.ac: Enable silent rules
* LinkedList: Simplify _WIN32 check
* Remove checks of __OSX__ define
* Add Github Actions based CI

Github PR * Add forgotten Windows dll export qualifiers

Github PR * Remove and replace the list.h file

Github PRs:
* Overhaul list.h to fix various issues
* Use rand_s in get_random_info on Windows
* Do not redeclare timezone struct if already defined in Mingw
* Fix interface filtering for Windows
- The mentioned fix is not only needed for MSVC, but when
cross-compiling for Windows with mingw-w64 too.
* config.h: Remove DEBUG_TARGET
- The DEBUG_TARGET is no longer used, it was previously used in
upnpdebug.c to disable logging to a file, which now is done
by just not calling UpnpSetLogFileNames.
* Check for -lpthread too
- Updates pthread m4 check from upstream

Version 1.10.1
Fix format string for ExtraHeaders

Version 1.10.0
Fix sed command for upnp patch in configure.ac

Proper allocation for an array of structs and a check for an unlikely
overflow when calling the SIOCGIFCONF ioctl().

It still bugs me the stack requirements of getlocalhostname() and
UpnpGetIfInfo().

Version 1.8.6
Fix format string for ExtraHeaders

Version 1.8.5
Fixed a wrong ifdef in ssdp_device.c that was causing problems with
ipv6.
   2020-03-20 21:46:40 by Joerg Sonnenberger | Files touched by this commit (3)
Log message:
Don't redefine standard identifiers. Bump revision.
   2020-01-26 06:26:29 by Roland Illig | Files touched by this commit (189)
Log message:
all: migrate some SourceForge homepage URLs back from https to http

https://mail-index.netbsd.org/pkgsrc-changes/2020/01/18/msg205146.html

In the above commit, the homepage URLs were migrated from http to https,
assuming that SourceForge would use the same host names for both http and
https connections. This assumption was wrong. Their documentation at
https://sourceforge.net/p/forge/documentation/Custom%20VHOSTs/ states
that the https URLs use the domain sourceforge.io instead.

To make the homepages from the above commit reachable again, pkglint has
been extended to check for reachable homepages. This check is only
enabled when the --network command line option is given.

Each of the homepages that referred to https://$project.sourceforge.net
before was migrated to https://$project.sourceforge.io (27), and if that
was not reachable, to the fallback URL http://$project.sourceforge.net
(163).
   2020-01-19 00:36:14 by Roland Illig | Files touched by this commit (3046)
Log message:
all: migrate several HOMEPAGEs to https

pkglint --only "https instead of http" -r -F

With manual adjustments afterwards since pkglint 19.4.4 fixed a few
indentations in unrelated lines.

This mainly affects projects hosted at SourceForce, as well as
freedesktop.org, CTAN and GNU.
   2019-09-02 14:58:54 by Nia Alarie | Files touched by this commit (4) | Package updated
Log message:
libupnp: Update to 1.8.4.

*******************************************************************************
Version 1.8.4
*******************************************************************************

2017-11-17 Marcelo Jimenez <mroberto(at)users.sourceforge.net>

	GitHub #57 - 1.8.3 broke ABI without changing SONAME
	Opened by jcowgill

	This change in 1.8.3 broke the ABI and therefore the SONAME should have
	been changed (ie: age reset to 0):

	EXPORT_SPEC int UpnpAddVirtualDir(
	        /*! [in] The name of the new directory mapping to add. */
	-       const char *dirName);
	+       const char *dirName,
	+       /*! [in] The cookie to associated with this virtual directory */
	+       const void *cookie,
	+       /*! [out] The cookie previously associated, if mapping is already present */
	+       const void **oldcookie);

	If only the cookie argument was added, you could probably get away with
	this because all that would happen is that a garbage value is passed
	around without being used. With the addition of oldcookie, any old
	programs will not initialise this value and will probably segfault when
	libupnp tries to write to it.

*******************************************************************************
Version 1.8.3
*******************************************************************************

2017-09-07 Dave Overton <david(at)insomniavisions.com>

	Add userdata/cookie to virtualDir callbacks

	As with the main Device APIs (UpnpRegisterRootDevice etc), it is useful
	to have a userdata/cookie pointer returned with each callback.

	This patch allows one cookie per registered path which enables a variety
	of functionality in client apps.

2017-09-03 Uwe Kleine-König <uwe@kleine-koenig.org>

	Fix large file system support

	libupnp uses large file support (if available). If a program linking to
	libupnp does not however it creates mismatches in callframes. See
	Issue #51 for the results.

	This simplifies LFS support by using AC_SYS_LARGEFILE_SENSITIVE instead of
	manually defining _LARGE_FILE_SOURCE and _FILE_OFFSET_BITS (which is
	useless on architectures where the size of off_t is fixed).

	Furthermore additional logic is introduced to catch a library user without
	64 bit wide off_t on such a platform.

	upnp.h also makes use of off_t, but as this file includes FileInfo.h, the
	latter is the single right place for this check.

	This fixes #52 which is a generalized variant of #51.

2017-08-19 Uwe Kleine-König <uwe@kleine-koenig.org>

	configure.ac: Drop copying of include files

	The comment suggests this is for windows compilation. It should be easily
	possible to add the source directory as an include path to the windows
	compiler, too, so drop this. (Otherwise this should better be done using
	AC_CONFIG_COMMANDS.)

2017-09-03 Uwe Kleine-König <uwe@kleine-koenig.org>

	Let source code use autoconfig.h not the public upnpconfig.h

	The former is the one supposed to be used for internal code. upnpconfig.h is only
	for public stuff.

2017-08-19 Uwe Kleine-König <uwe@kleine-koenig.org>

	configure.ac: Fix typo s/optionnal/optional/

2017-08-08 Marcelo Jimenez <mroberto(at)users.sourceforge.net>

	Fix broken samples when configured with --disable-ipv6.

*******************************************************************************
Version 1.8.2
*******************************************************************************

2017-07-24 Michael Osipov

	Initialize in_addr and in6_addr to avoid garbage output if never written

	If any of the address families isn't available in UpnpGetIfInfo(),
	especially IPv6, always init both structs with zero to avoid garbage
	output with inet_ntop() to gIF_IPV4 and gIF_IPV6.

	See v00d00/gerbera#112 (https://github.com/v00d00/gerbera/issues/112)
	for consequences: bind for IPv6 will fail.

2013-10-28 Vladimir Fedoseev <va-dos(at)users.sourceforge.net>

	Attached patch allows to register multiple clients from single app.

2014-11-14 Philippe <philippe44ca(at)users.sourceforge.net>

	Hi - I recently compiled libupnp on C++ Builder XE7 and had to do a few
	changes to make it work. In thase this helps, I've generated a small
	patch file.

2015-04-30 Hugo Beauzée-Luyssen <chouquette(at)users.sourceforge.net>

	When building using a strict mode (-std=c++11 instead of -std=gnu++11,
	for instance), the WIN32 macro isn't defined. The attached patch fixes
	it by using _WIN32 instead.

2015-02-06 Jean-Francois Dockes <jf@dockes.org>

	Queue events on their subscription object instead of adding them to the
	thread pool immediately.

	Events destined for a non-responding control point would flood the
	thread pool and prevent correct dispatching to other clients, sometimes
	to the point of disabling the device. Events are now queued without
	allocating thread resources and properly discarded when a client is not
	accepting them.

2015-02-03 Jean-Francois Dockes <jf@dockes.org>

	genaInitNotify()/genaInitNotifyExt() and
	genaNotifyAll()/genaNotifyAllExt() are relatively complicated methods
	which only differ by the format of an input parameter. This update
	extracts the common code for easier maintenance, esp. relating to the
	queueing modifications to follow.

*******************************************************************************
Version 1.8.1
*******************************************************************************

2017-04-26 Marcelo Jimenez <mroberto(at)users.sourceforge.net>

	Fix some compiler warning messages on md5.c

2017-03-07 Fabrice Fontaine <fontaine.fabrice(at)gmail.com>

	Enable IPv6 by default

2017-03-07 Fabrice Fontaine <fontaine.fabrice(at)gmail.com>

	Move threadutil source code to libupnp

	With this patch, threadutil library is removed as the only public
	header that has been kept in 1.8.x is ithread.h which is mainly a
	wrapper to pthread with inline functions.
	threadutil source code will now be a part of libupnp library.

*******************************************************************************
Version 1.8.0
*******************************************************************************

2014-01-15 Peng <howtofly(at)gmail.com>

	Fix memory leaks.

2013-04-27 Thijs Schreijer <thijs(at)thijsschreijer.nl>

	Renamed SCRIPTSUPPORT to IXML_HAVE_SCRIPTSUPPORT for consistency. Also
	updated autoconfig and automake files, so it also works on non-windows.
	Option is enabled by default, because it adds an element to the node
	structure. Not using an available field is better than accidentally
	using an unavailable field.

2012-07-11 Thijs Schreijer <thijs(at)thijsschreijer.nl>

	Changed param to const UpnpAcceptSubscriptionExt() for consistency

2012-06-07 Thijs Schreijer <thijs(at)thijsschreijer.nl>

	updated ixmlDocument_createAttributeEx() and ixmlDocument_createAttribute()
	to use parameter DOMString instead of char * (same but now consistent)

2012-05-06 Thijs Schreijer <thijs(at)thijsschreijer.nl>

	Added script support (directive SCRIPTSUPPORT) for better support of
	garbage collected script languages. The node element gets a custom tag
	through ixmlNode_setCTag() and ixmlNode_getCTag(). And a callback upon
	releasing the node resources can be set using ixmlSetBeforeFree()
	See updated readme for usage.

2012-03-24 Fabrice Fontaine <fabrice.fontaine(at)orange.com>

	SF Bug Tracker id 3510595 - UpnpDownloadXmlDoc : can't get the file

	Submitted: Marco Virgulti ( mvirg83 ) - 2012-03-23 10:08:08 PDT

	There is a problem, perhaps, during downloading a document by
	UpnpDownloadXmlDoc. During debugging i've found that in an not exported
	api (unfortunately i forgot the code line...) where it is setted a
	local variable "int timeout" to -1 then passed directly to another
	function for sending data through tcp socket. I patched this setting it
	to 0 (there is an IF section that exits if timeout < 0). It is normal
	behavior or it is a bug?

2012-03-08 Fabrice Fontaine <fabrice.fontaine(at)orange-ftgroup.com>

	Check for NULL pointer in TemplateSource.h

	calloc can return NULL so check for NULL pointer in CLASS##_new and
	CLASS##_dup.

2012-03-08 Fabrice Fontaine <fabrice.fontaine(at)orange-ftgroup.com>

	Replace strcpy with strncpy in get_hoststr

	Replace strcpy with strncpy to avoid buffer overflow.

2012-03-08 Fabrice Fontaine <fabrice.fontaine(at)orange-ftgroup.com>

	Memory leak fix in handle_query_variable

	variable was never freed.

2011-02-07 Chandra Penke <chandrapenke(at)mcntech.com>

	Add HTTPS support using OpenSSL. HTTPS support is optional and can
	be enabled by passing the --enable-open-ssl argument to the
	configure script.

	The following methods are introduced to the public API:
	UpnpInitOpenSslContext

	When enabled, HTTPS can be used by using "https://" instead of
	"http://" when passing URLs to the HTTP Client API.

2011-02-07 Chandra Penke <chandrapenke(at)mcntech.com>

	Refactor HTTP Client API to be more generic.

	The following features are added:

	- Support for persistent HTTP connections (reusing HTTP
	  connections). Tthis is still a work in progress and relies on
	  applications to interpret the 'Connection' header
	  appropriately.

	- Support for specifying request headers when making
	  requests. Useful for interacting with web services that require
	  custom headers.

	- Support for retrieving response headers (this is a API only
	  change, some more work needs to be done to implement the actual
	  functionality. Specifically copy_msg_headers in httpreadwrite.c
	  needs to be implemented)

	- Common API for all HTTP methods.

	- Support for PUT, and DELETE methods.

	The following methods are introduced to the public HTTP Client API

	UpnpOpenHttpConnection, UpnpCloseHttpConnection, UpnpMakeHttpRequest,
	UpnpWriteHttpRequest, UpnpEndHttpRequest, UpnpGetHttpResponse,
	UpnpReadHttpResponse.

	Removed a lot of duplicate code in httpreadwrite.c

2011-01-17 Chandra Penke <chandrapenke(at)mcntech.com>

	Include upnpconfig.h in FileInfo.h to automatically include large
	file macros

2011-01-17 Chandra Penke <chandrapenke(at)mcntech.com>

	Fix for warnings Apple systems related to macros defined in list.h.

	In list.h, in apple systems, undefine the macros prior to defining them.

2011-01-16 Marcelo Jimenez <mroberto(at)users.sourceforge.net>

	Fix for UpnpFileInfo_get_LastModified() in http_MakeMessage().

	UpnpFileInfo_get_LastModified() returns time_t, and http_MakeMessage()
	takes a "time_t *". Thanks to Chandra Penke for pointing the bug.

2010-11-22 Marcelo Jimenez <mroberto(at)users.sourceforge.net>

	Template object for ssdp_ResultData.

2010-11-10 Fabrice Fontaine <fabrice.fontaine(at)orange-ftgroup.com>

	Support for "polling" select in sock_read_write.

	Currently, in sock_read_write function, if the timeout is 0, pupnp
	realizes a "blocking" select (with an infinite timeout). With this
	patch, if timeout is set to 0, pupnp will realize a "polling" select
	and returns immediately if it can not read or write on the socket. This
	is very useful for GENA notifications when pupnp is trying to send
	events to a disconnected Control Point. "Blocking" select can now be
	done by putting a negative timeout value.

2010-09-18 Chandra Penke <chandrapenke(at)mcntech.com>

	This is a minor build fix. The new Template*.h files added in the latest
	code need to be exported. Patch against the latest sources is attached.

2010-08-22 Marcelo Jimenez <mroberto(at)users.sourceforge.net>
	* upnp/src/api/Discovery.c: Fix a serious bug and memory leak in
	UpnpDiscovery_strcpy_DeviceType(). Thanks to David Blanchet for the
	patch.

2010-04-25 Marcelo Jimenez <mroberto(at)users.sourceforge.net>
	Separation of the ClientSubscription object.

2010-04-24 Marcelo Jimenez <mroberto(at)users.sourceforge.net>
	Protect the object destructors agains null pointers on deletion, which
	should be something valid.

2010-03-27 Marcelo Jimenez <mroberto(at)users.sourceforge.net>
	SF Patch Tracker [ 2987390 ] upnp_debug vs. ixml_debug
	Thanks for the load of updates, I'm still assimilating them ! Could I make
	a suggestion though? The addition of printNodes(IXML_Node) to upnpdebug a
	dds a new dependency on ixml.h for anything using upnpdebug.h. I'm making
	quite a bit of use of upnpdebug in porting things to version 1.8.0, and I'd
	prefer it if printNodes could be added to ixmldebug.h instead. I'm attach
	ing a patch, what do you think ?

	Nick

2010-03-27 Marcelo Jimenez <mroberto(at)users.sourceforge.net>
	* Forward port of svn revision 505:
	SF Patch Tracker [ 2836704 ] Patch for Solaris10 compilation and usage.
	Submitted By: zephyrus ( zephyrus00jp )

2010-03-20 Marcelo Jimenez <mroberto(at)users.sourceforge.net>
	* SF Patch Tracker [ 2969188 ] 1.8.0: patch for FreeBSD compilation
	Submitted By: Nick Leverton (leveret)
	Fix the order of header inclusion for FreeBSD.

2010-03-20 Marcelo Jimenez <mroberto(at)users.sourceforge.net>
	* Forward port of svn revision 502:
	SF Patch Tracker [ 2836704 ] Search for nested serviceList (not
	stopping at the first lis
	Submitted By: zephyrus ( zephyrus00jp )

	Internet Gateway Device description contains nested serviceList (rootdevice
	-> servicelist, subdevice
	and subdevice has the lower-level serviceList, etc..)

	Unfrotunately, the sample code sample_util.c used by tv_device sample,
	etc.
	has a code that looks for only the first top-level serviceList.
	This results in the failure to read all the services of an IGD xml
	description.

	Attached patch modifies this behavior and looks for the service by
	visiting all the serviceList in xml document in turn.

	With the modified patch (ad additional modification), I could
	simulate an IGD device and created a modified control program for that.

	Patch against 1.6.6

	TIA.

2010-03-20 Marcelo Jimenez <mroberto(at)users.sourceforge.net>
	* SF Patch Tracker [ 2973319 ] Problem in commit 499
	Submitted By: Nick Leverton (leveret)
	Afraid that this doesn't compile, it seems retval should be retVal in two
	places.

2010-03-16 Marcelo Jimenez <mroberto(at)users.sourceforge.net>
	* Fix for the ithread_mutex_unlock() logic in UpnpInit().
	Thanks for Nicholas Kraft.

2010-03-15 Marcelo Jimenez <mroberto(at)users.sourceforge.net>
	* SF Patch Tracker [ 2962606 ] Autorenewal errors: invalid SID,
	too-short renewal interval
	Submitted By: Nick Leverton (leveret)

	Auto-renewals send an invalid SID due to a missing UpnpString_get_String
	call. They also send a renewal interval of 0 instead of copying it from
	the original subscription.

2010-03-15 Marcelo Jimenez <mroberto(at)users.sourceforge.net>
	* SF Patch Tracker [ 2964685 ] patch for avoiding inet_ntoa (1.8.0)
	Submitted By: Nick Leverton (leveret)

	Seems like SF's tracker won't let me add a patch to someone else's issue ?!
	This refers to https://sourceforge.net/support/tracker.php?aid=2724578

	The calls to inet_ntoa are in getlocalhostname(), which is called from
	UpnpInit when it is returning the bound IP address.
	UpnpInit/getlocalhostname hasn't been updated to IPv6, I presume this is
	deliberate so that it doesn't start returning IPv6 addresses and
	overwriting the caller's IPv4-sized allocation.

	The attached patch just updates getlocalhostname to use inet_ntop instead
	of inet_ntoa, and also documents the fact that UpnpInit is IPv4 only whilst
	UpnpInnit2 is both IPv4 and IPv6.

	A fuller solution might be to change UpnpInit to use some variant on
	UpnpGetIfInfo. UpnpInit could still be left as IPv4 only if desired -
	perhaps UpnpGetIfInfo could take an option for the desired address family.
	getlocalhostname and its own copy of the interface scanning code would then
	be redundant. I don't have IPv6 capability here though so I'm reluctant to
	change the IPv6 code, as I have no way to test it.

2010-03-15 Marcelo Jimenez <mroberto(at)users.sourceforge.net>
	* SF Patch Tracker [ 2724578 ] patch for avoiding memory leaks when
	add devices

	each time a device been added, UpnpInit() is called, on exit, UpnpFinish()
	is called, but the memories allocated by ThreadPoolInit() may lost because
	there's no code to call ThreadPoolShutdown() to release the memories. And
	inet_ntoa() is not thread safe, so in my patch, I substitute inet_ntoa()
	with inet_ntop().

2010-03-14 Marcelo Jimenez <mroberto(at)users.sourceforge.net>
	* SF Patch Tracker [ 2964687 ] Add new string based accessors to upnp
	object API

	As per email to pupnp-devel, this is the patch to add the _strget_
	accessors for string-like objects in the interface.

	Will add a further patch shortly to udpate the sample programs.

2008-06-27 Marcelo Jimenez <mroberto(at)users.sourceforge.net>
	* Nicholas Kraft's patch to fix some IPv6 copy/paste issues. He
	reported to be getting infinite loops with the svn code.

2008-06-13 Marcelo Jimenez <mroberto(at)users.sourceforge.net>
	* SF Bug Tracker [ 1984541 ]
	ixmlDocumenttoString does not render the namespace tag.
	Submitted By: Beliveau - belivo

	Undoing the patch that fixed this problem. In fact, there was no
	problem and the patch was wrong.

2008-06-11 Marcelo Jimenez <mroberto(at)users.sourceforge.net>
	* Ingo Hofmann's patch for "Content-Type in Subscription responses".
	Adds charset="utf-8" attribute to the CONTENT-TYPE header line.

	Hi,

	I have found an inconsistency regarding the text/xml content-type
	returned by libupnp. It looks like only subscription responses send
	"text/xml" where all other messages contain "text/xml; \ 
charset="utf-8"".
	Since I'm working on an DLNA device the latter behaviour is mandatory.
	I changed the according lines in gena_device.c (see attached patch).
	I'm not sure if it would be ok for other device to have the charset
	field but it would help me a lot :)

	Best regards,
	Ingo

2008-06-04 Marcelo Jimenez <mroberto(at)users.sourceforge.net>
	* SF Bug Tracker [ 1984541 ]
	ixmlDocumenttoString does not render the namespace tag.
	Submitted By: Beliveau - belivo

	The problem occurs when converting a xml document using
	ixmlDocumenttoString containing a namespace tag created with
	ixmlDocument_createElementNS. The namespace tag doesn't get rendered.

	example: The following code fragment prints:

	<?xml version="1.0"?>
	<root></root>

	instead of:
	<?xml version="1.0"?>
	<root xmlns="urn:schemas-upnp-org:device-1-0"></root>

	Code:

	#include <stdlib.h>
	#include <upnp/ixml.h>

	int main()
	{
		IXML_Document* wDoc = ixmlDocument_createDocument();
		IXML_Element* wRoot = ixmlDocument_createElementNS(wDoc,
			"urn:schemas-upnp-org:device-1-0", "root");
		ixmlNode_appendChild((IXML_Node *)wDoc,(IXML_Node *)wRoot);
		DOMString wString = ixmlDocumenttoString(wDoc);
		printf(wString);
		free(wString);
		ixmlDocument_free(wDoc);

		return 0;
	}

	The problem was in the printing routine, not in the library data
	structure.

2008-05-31 Marcelo Jimenez <mroberto(at)users.sourceforge.net>
	* Charles Nepveu's suggestion of not allocating a thread for
	MiniServer when it is not compiled.

2008-05-24 Marcelo Jimenez <mroberto(at)users.sourceforge.net>
	* Ported Peter Hartley's patch to compile with mingw.

2008-05-24 Marcelo Jimenez <mroberto(at)users.sourceforge.net>
	* Added some debug capability to ixml.

2008-05-02 Marcelo Jimenez <mroberto(at)users.sourceforge.net>
	* Merged Charles Nepveu's IPv6 work. libupnp now is IPv6 enabled.

2008-02-06 Marcelo Jimenez <mroberto(at)users.sourceforge.net>
	* Breaking API so that we now hide internal data structures.

2008-02-06 Marcelo Jimenez <mroberto(at)users.sourceforge.net>
	* Rewrote Peter Hartley's patch to include a new extra header field in
	FileInfo.

*******************************************************************************
Version 1.6.22
*******************************************************************************

2017-07-07 James Cowgill <james410(at)cowgill.org.uk>

	Replace MD5 impmplementation with public-domain version

	Currently the RSA MD5 implementation is used. Unfortunately the license
	has some potential issues:
	* The license does not explicitly allow distributing derivative works.
	This was the original argument used in
	[Debian #459516](https://bugs.debian.org/459516).
	* The license contains an advertising clause similar to the BSD 4-clause
	license. This is incompatible with the GPL and if it were enforced,
	would require RSA to be mentioned by pretty much everyone who uses pupnp.

	The simple solution is to replace it with a public domain
	implementation. I've taken OpenBSDs implementation and tweaked it
	slightly for use by pupnp by:
	- Adjusting the includes.
	- Removing the __bounded__ attributes which are specific to OpenBSD.
	- Using the standard integer types from stdint.h.
	- Using memset instead of explicit_bzero.

2016-12-16 Peter Pramberger <peterpramb(at)users.sf.net>

	ixml/test/test_document.c is missing the string.h include, therefore
	the compiler complains about an implicit declaration.

*******************************************************************************
Version 1.6.21
*******************************************************************************

2016-12-16 Gabriel Burca <gburca(at)github>

	If the error or info log files can not be created, use stderr and
	stdout instead.

2016-12-08 Uwe Kleine-König <uwe(at)kleine-koenig.org>

	Fix out-of-bound access in create_url_list() (CVE-2016-8863)

	If there is an invalid URL in URLS->buf after a valid one, uri_parse is
	called with out pointing after the allocated memory. As uri_parse writes
	to *out before returning an error the loop in create_url_list must be
	stopped early to prevent an out-of-bound access

	Bug: https://sourceforge.net/p/pupnp/bugs/133/
	Bug-CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8863
	Bug-Debian: https://bugs.debian.org/842093
	Bug-Redhat: https://bugzilla.redhat.com/show_bug.cgi?id=1388771

2016-11-30 Uwe Kleine-König <uwe(at)kleine-koenig.org>

	miniserver: fix binding to ipv6 link-local addresses

	Linux requires to have sin6_scope_id hold the interface id when binding to
	link-local addresses. This is already in use in other parts of upnp, so
	portability shouldn't be in the way here. Without this bind(2) fails with
	errno=EINVAL (although ipv6(7) from manpages 4.08 specifies ENODEV in this
	case).

	Fixes: https://bugs.debian.org/813249

2016-09-15 Mathew Garret <(at)mjg59 (twitter)>

	SF Bug Tracker #132 CVE-2016-6255: write files via POST

	Submitted by: Balint Reczey in 2016-08-02

	From Debian's BTS https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=831857 :
	From: Salvatore Bonaccorso carnil@debian.org
	To: Debian Bug Tracking System submit@bugs.debian.org
	Subject: libupnp: write files via POST
	Date: Wed, 20 Jul 2016 11:03:34 +0200
	Source: libupnp
	Version: 1:1.6.17-1
	Severity: grave
	Tags: security upstream
	Justification: user security hole
	Hi
	See http://www.openwall.com/lists/oss-security/2016/07/18/13 and
	https://twitter.com/mjg59/status/755062278513319936 .
	Proposed fix:
	https://github.com/mjg59/pupnp-code/commit/be0a01bdb83395d9f3a5ea09c1308a4f1a972cbd
	Regards,
	Salvatore

	From Mathew Garret's commit: Don't allow unhandled POSTs to write to the \ 
filesystem by default

*******************************************************************************
Version 1.6.20
*******************************************************************************

2016-02-22 Jean-Francois Dockes <medoc(at)users.sf.net>

	SF Bugs #131, Creator: Jean-Francois Dockes

	I know it sounds crazy that nobody ever saw this, but the CONTENT-LENGTH
	value in GENA NOTIFY messages is too small by one.

	It appears that most current control points don't notice the extra
	character (an LF, which is validly there but not included in
	Content-Length), probably because their protocol handler is reasonably
	lenient, and because the missing body LF does not prevent parsing the
	XML. But there is a least one anal CP (Linn Kazoo) which barfs, because
	it reads all data until connection close and the size mismatch triggers
	a bug.

	"Proof":
	In gena_device.c:217 (notify_send_and_recv())

	ret_code = http_SendMessage(&info, &timeout,
	    "bbb",
	    start_msg.buf, start_msg.length,
	    propertySet, strlen(propertySet),
	    CRLF, strlen(CRLF));

	start_msg has all the headers, including the empty line.
	Content-length should be strlen(propertySet) + strlen(CRLF) (2)
	In gena_device.c:433 (AllocGenaHeaders())

	rc = snprintf(headers, headers_size, "%s%s%"PRIzu"%s%s%s",
	    HEADER_LINE_1,
	    HEADER_LINE_2A,
	    strlen(propertySet) + 1,
	    HEADER_LINE_2B,
	    HEADER_LINE_3,
	    HEADER_LINE_4);

	HEADER_LINE_2A is "CONTENT-LENGTH: ".
	The following value should be strlen(propertySet) + 2

2016-01-07 Marcelo Roberto Jimenez <mroberto(at)users.sourceforge.net>

	Fix for a reported integer overflow

2016-01-07 Jean-Francois Dockes <medoc(at)users.sf.net>
2016-01-07 Nick Leverton <nick(at)leverton.org>
	SF Patches #60, Creator: Jean-Francois Dockes

	When libupnp is configured with --enable-ipv6 but ipv6 is not available
	on the system (for example because the ipv6 code is not loaded in a Linux
	kernel as is the case by default on Raspbian), the ipv6 socket creation
	call will fail in miniserver.c and the library init will fail, even if
	the ipv4 initialisation would have succeeded.

	Let a library configured with --enable-ipv6 initialize in ipv4-only
	mode if ipv6 is not available instead of failing. This can happen
	if no ipv6 code is configured or loaded in the kernel.

	Don't fail if IPv6 is unavailable.
	We might be an IPv6 enabled distro build running on an IPv4-only custom kernel.

2016-01-07 Nick Leverton <nick(at)leverton.org>

	SF Bug Tracker #128, Creator: Nick Leverton
	redefining strndup causes "error: expected identifier or '(' before \ 
'__extension__'"

	Fix redefinition of strnlen and strndup
	These are available when HAVE_STRNDUP and HAVE_STRNLEN are defined, but
	libupnp provides an extern prototype anyway.  Recent versions of glibc
	define this prototype differently, causing the following compile error:

	src/api/UpnpString.c:47:15: error: expected identifier or '(' before  \ 
'__extension__'
		extern char *strndup(__const char *__string, size_t __n);

2016-01-07 Nick Leverton <nick(at)leverton.org>

	SF Bug Tracker #129, Creator: Nick Leverton
	shutdown() on UDP sockets logs ENOTCONN message.
	https://sourceforge.net/p/pupnp/bugs/129/

	Fix ENOTCONN "Error in shutdown: Transport endpoint is not connected"

	When logging is enabled, ssdpserver logs bursts of
	"Error in shutdown: Transport endpoint is not connected"
	This is because shutdown() is not supported for UDP sockets and under
	recent UNIX specifications it returns ENOTCONN if used.

2016-01-07 Nick Leverton <nick(at)leverton.org>

	SF Bug Tracker #127, Creator: Klaus Fischer
	Miniserver uses INADDR_ANY instead of HostIP
	https://sourceforge.net/p/pupnp/bugs/127/

	The internal miniserver.c uses INADDR_ANY instead of the HostIP/IfName
	provided when initializing libupnp. But, this HostIP/IfName gets used
	for the UDP socket when multicasting SSDP messages.  Because of this,
	miniserver may end up sending from different IP address than ssdpserver.
	This patch causes miniserver to use the already known interface address.

2016-01-07 Marcelo Roberto Jimenez <mroberto(at)users.sourceforge.net>

	SF Bug Tracker #130, Creator: Shaddy Baddah
	infinite loop in UpnpGetIfInfo() under WIN32

	Original code makes no sense. This patch should fix it.

2015-02-04 Shaun Marko <semarko@users.sf.net>

	Bug tracker #124 Build fails with --enable-debug

	Build environment
	Fedora 21
	X86-64
	* gcc 4.9.2

	How to repeat
	$ ./configure --enable debug
	$ make
	libtool: compile: gcc -DHAVE_CONFIG_H -I. -I.. -I../upnp/inc -I./inc \ 
-I../threadutil/inc
	-I../ixml/inc -I./src/inc -pthread -g -O2 -Wall -MT src/api/libupnp_la-UpnpString.lo
	-MD -MP -MF src/api/.deps/libupnp_la-UpnpString.Tpo -c src/api/UpnpString.c
	-fPIC -DPIC -o src/api .libs/libupnp_la-UpnpString.o src/api/UpnpString.c:47:16:
	error: expected identifier or '(' before 'extension'
	extern char *strndup(const char *string, size_t __n);
	^
	Makefile:1016: recipe for target 'src/api/libupnp_la-UpnpString.lo' failed

	Reason for failure
	Build enables -O2 optimization flags which causes the inclusion of a
	macro implementation of strndup from include/bits/string2.h.

	Workarounds
	Disable optimization when configuring or making:
	$ configure CFLAGS='-g -pthread -O0' --enable-debug
	$ make
	or
	$ configure --enable-debug
	$ make CFLAGS='-g -pthread -O0' Define NO_STRING_INLINES
	$ export CFLAGS="-DNO_STRING_INLINES -O2"
	$ ./configure --enagble-debug
	$ make

	Fix
	* Don't declare strndup in src/api/UpnpString.c if it exists

2015-02-01 Jean-Francois Dockes <medoc@users.sf.net>

	Out-of-tree builds seem to be currently broken, because ixml and
	threadutil files need an include path to include UpnpGlobal.h, and
	configure tries to copy files into a directory which it does not create.
	The patch fixes both issues.

2014-01-03 Peng <howtofly(at)gmail.com>

	rewrite soap_device.c

	1) separate HTTP handling from SOAP handling
	2) remove repeated validity check, each check is performed exactly once
	3) fix HTTP status code per UPnP spec, SOAP spec and RFC 2774
   2015-11-04 01:35:47 by Alistair G. Crooks | Files touched by this commit (748)
Log message:
Add SHA512 digests for distfiles for net category

Problems found with existing digests:
	Package haproxy distfile haproxy-1.5.14.tar.gz
	159f5beb8fdc6b8059ae51b53dc935d91c0fb51f [recorded]
	da39a3ee5e6b4b0d3255bfef95601890afd80709 [calculated]

Problems found locating distfiles:
	Package bsddip: missing distfile bsddip-1.02.tar.Z
	Package citrix_ica: missing distfile citrix_ica-10.6.115659/en.linuxx86.tar.gz
	Package djbdns: missing distfile djbdns-1.05-test25.diff.bz2
	Package djbdns: missing distfile djbdns-cachestats.patch
	Package djbdns: missing distfile 0002-dnscache-cache-soa-records.patch
	Package gated: missing distfile gated-3-5-11.tar.gz
	Package owncloudclient: missing distfile owncloudclient-2.0.2.tar.xz
	Package poink: missing distfile poink-1.6.tar.gz
	Package ra-rtsp-proxy: missing distfile rtspd-src-1.0.0.0.tar.gz
	Package ucspi-ssl: missing distfile ucspi-ssl-0.70-ucspitls-0.1.patch
	Package waste: missing distfile waste-source.tar.gz

Otherwise, existing SHA1 digests verified and found to be the same on
the machine holding the existing distfiles (morden).  All existing
SHA1 digests retained for now as an audit trail.