Update documentation

Update multiple documentation files.

Minor source change: add #ifdef for MacOS clock defines.
bel2125 3 years ago
parent
commit
990f86e063
8 changed files with 64 additions and 160 deletions
  1. 2 2
      README.md
  2. 3 3
      SECURITY.md
  3. 13 1
      docs/Contribution.md
  4. 0 144
      docs/Interface_Changes_1.10.md
  5. 4 2
      docs/README.md
  6. 31 6
      examples/README.md
  7. 6 1
      fuzztest/README.txt
  8. 5 1
      src/civetweb.c

+ 2 - 2
README.md

@@ -6,9 +6,9 @@
 [![License](https://img.shields.io/badge/license-MIT-blue.svg)](https://opensource.org/licenses/MIT)
 [![GitHub contributors](https://img.shields.io/github/contributors/civetweb/civetweb.svg)](https://github.com/civetweb/civetweb/blob/master/CREDITS.md)
 
-Continuous integration for Linux and macOS ([Travis CI](https://travis-ci.org/civetweb/civetweb)):
+Continuous integration for Linux and macOS ([Travis CI](https://app.travis-ci.com/github/civetweb/civetweb)):
 
-[![Travis Build Status](https://travis-ci.org/civetweb/civetweb.svg?branch=master)](https://travis-ci.org/civetweb/civetweb)
+[![Travis Build Status](https://api.travis-ci.com/civetweb/civetweb.svg?branch=master)](https://app.travis-ci.com/github/civetweb/civetweb)
 
 Continuous integration for Windows ([AppVeyor](https://ci.appveyor.com/project/civetweb/civetweb)):
 

+ 3 - 3
SECURITY.md

@@ -7,7 +7,7 @@ All development branches may be in an intermediate, untested state.
 
 For released versions, additional tests are performed, including manual tests, static source code analysis and fuzz testing.
 
-Defects will be fixed in the current head version. 
+Defects will be fixed in the current head version.
 Selected, critical defects are fixed in the latest release as well.
 
 ## Reporting a Vulnerability
@@ -15,6 +15,6 @@ Selected, critical defects are fixed in the latest release as well.
 Please send vulnerability reports by email to bel2125 at gmail com.
 Vulnerability with low severity can be sent directly by email.
 
-For high severity vulnerabilities, you can get a private key to encrypt your detailed description on vulnerabilities you want to report. 
+For high severity vulnerabilities, you can get an individual gpg key to encrypt your detailed description of vulnerabilities you want to report.
 
-If you do not get any response within ten days, your email might have got lost (e.g., deleted as spam) - in this case, please open a GitHub issue.
+If you do not get any response within on week, your email might have been lost (e.g., deleted as false positive by a spam filter). In this case, please open a GitHub issue.
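Review bot: The last added line has a typo, "within on week" should read "within one week". In the added line on high severity reports, "gpg" is normally written "GPG", and the text says a reporter "can get an individual gpg key" without saying how to ask for one; one sentence telling reporters to request the key by email first, without vulnerability details, would close that gap.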

+ 13 - 1
docs/Contribution.md

@@ -7,7 +7,7 @@ Contributions to CivetWeb are welcome, provided all contributions carry the MIT
 - If you know how to fix the issue, please create a pull request on GitHub. Please take care your modifications pass the continuous integration checks. These checks are performed automatically when you create a pull request, but it may take some hours until all tests are completed. Please provide a description for every pull request (see below).
 - Alternatively, you can post a patch or describe the required modifications in a GitHub issue. However, a pull request would be preferred.
 
-- Improving documentation, tests and examples are welcome.
+- Improvments to documentation, tests and examples are welcome as well.
 
 - Contributor names are listed in [CREDITS.md](https://github.com/civetweb/civetweb/blob/master/CREDITS.md), unless you explicitly state you don't want your name to be listed there. This file is occasionally updated, adding new contributors, using author names from git commits and GitHub comments.
 
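Review bot: Typo in the added bullet: "Improvments" should be "Improvements".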
@@ -23,6 +23,18 @@ Contributions to CivetWeb are welcome, provided all contributions carry the MIT
 - In case you think you found a security issue that should be evaluated and fixed before public disclosure, feel free to write an email.  Although CivetWeb is a fork from Mongoose from 2013, the code bases are different now, so security vulnerabilities of Mongoose usually do not affect CivetWeb. See also [SECURITY.md](https://github.com/civetweb/civetweb/blob/master/SECURITY.md).
 
 
+
+Closing Issues
+---
+
+Feel free to create a GitHub issue also for questions, discussions or support requests.
+When your question is anwered, please close your issue again - so I know your request is handled.
+In some cases I will have to query you for additional information.
+If there is no acticity for a question/discussion/support issue for some weeks, I will close this issues.
+Issues created for bugs or enhancement requests will not be closed only because some time has passed.
+
+
+
 Why does a pull request need a description?
 ---
 
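Review bot: The new "Closing Issues" section has three slips: "anwered" should be "answered", "acticity" should be "activity", and "I will close this issues" should be "I will close the issue". "For some weeks" is also vague for a rule that leads to issues being closed; a concrete number of weeks would let reporters know what to expect.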

+ 0 - 144
docs/Interface_Changes_1.10.md

@@ -1,144 +0,0 @@
-# Interface changes
-
-## Proposed interface changes for future versions
-
-Interface changes from 1.10 to 1.11 and/or later versions -
-see also [this GitHub issue](https://github.com/civetweb/civetweb/issues/544).
-
-
-### Server interface
-
-#### S1: mg\_start / mg\_init\_library
-
-Calling mg\_init\_library is recommended before calling mg\_start.
-
-**Compatibility considerations:**
-Initially, mg\_init\_library will be called implicitly if it has 
-not been called before mg\_start.
-If mg\_init\_library was not called, mg\_stop may leave memory leaks.
-
-**Required Actions:**
-Call mg\_init\_library manually to avoid a small memory leak when
-closing the server.
-
-
-#### S2: mg\_websocket\_write functions
-
-Calling mg\_lock\_connection is no longer called implicitly
-in mg\_websocket\_write functions. 
-If you use websocket write functions them from two threads,
-you must call mg\_lock\_connection explicitly, just like for any
-other connection.
-
-This is an API harmonization issue.
-
-**Compatibility considerations:**
-If a websocket connection was used in only one thread, there is
-no incompatibility. If a websocket connection was used in multiple
-threads, the user has to add the mg\_lock\_connection before and
-the mg\_unlock\_connection after the websocket write call.
-
-**Required Actions:**
-Call mg\_lock\_connection and mg\_unlock\_connection manually
-when using mg\_websocket\_write.
-
-
-#### S3: open\_file member of mg\_callbacks
-
-Memory mapped files are a relic from before `mg_set_request_handler`
-was introduced in CivetWeb 1.4 (September 2013).
-Is "file in memory" still a useful feature or dead code? See this
-[discussion](https://groups.google.com/forum/#!topic/civetweb/h9HT4CmeYqI).
-Since it is not widely used, and a burden in maintenance, the
-"file in memory" should be completely removed, including removing
-the open\_file member of mg\_callbacks.
-
-
-**Compatibility considerations:**
-Removing "file in memory" will require code using open\_file to be changed.
-A possible replacement by mg\_set\_request\_handler is sketched in
-[this comment](https://github.com/civetweb/civetweb/issues/440#issuecomment-290531238).
-
-**Required Actions:**
-Modify code using open\_file by using request handlers.
-
-
-#### S4: Support multiple hostnames and SNI
-
-TLS [Server Name Identification (SNI)](https://en.wikipedia.org/wiki/Server_Name_Indication)
-allows to host different domains with different X.509 certificates
-on the same physical server (same IP+port). In order to support this,
-some configurations (like authentication\_domain, ssl\_certificate, 
-document\_root and may others) need to be specified multiple times - 
-once for each domain hosted 
-(see [535](https://github.com/civetweb/civetweb/issues/535)).
-
-The current configuration model does not account for SNI, so it needs
-to be extended to support configuration of multiple instances.
-
-**Compatibility considerations:**
-To be defined as soon as possible solutions are evaluated.
-
-
-#### S5: IPv6 support for access\_control\_list and throttle
-
-The current configuration for access\_control\_list and throttle only
-works for IPv4 addresses. If server and client support 
-[IPv6](https://en.wikipedia.org/wiki/IPv6_address) as well,
-there is no way to add a client to the throttle or access list.
-The current configuration syntax isn't really comfortable for IPv4
-either.
-Combined with hosting multiple domains (and SNI), different domains
-may have different block/throttle configurations as well - this has
-to be considered in a new configuration as well.
-
-**Compatibility considerations:**
-To be defined as soon as possible solutions are evaluated.
-
-
-### Client interface
-
-#### C1: mg\_init\_library
-
-Calling mg\_init\_library is required before calling any client
-function. In particular, the TLS initialization must be done
-before using mg\_connect\_client\_secure.
-
-**Compatibility considerations:**
-Some parts of the client interface did not work, if mg\_start
-was not called before. Now it works after calling
-mg\_init\_library - this is not an incompatibility.
-
-
-#### C2: mg\_connect\_client (family)
-
-mg\_connect\_client needs several new parameters (options).
-
-Details are to be defined.
-
-mg\_connect\_client and mg\_download should return a different kind of
-mg_connection than used in server callbacks. At least, there should
-be a function mg\_get\_response\_info, instead of using 
-mg\_get\_request\_info, and getting the HTTP response code from the
-server by looking into the uri member of struct mg\_request\_info.
-
-
-### General interfaces
-
-#### G1: `size_t` in all interface
-
-Having `size_t` in interfaces while building for 32 and 64 bit
-complicates maintenance in an unnecessary way 
-(see [498](https://github.com/civetweb/civetweb/issues/498)).
-
-Replace all data sizes by 64 bit integers.
-
-
-#### G2: Pattern definition
-
-The current definition of pattern matching is problematic
-(see [499](https://github.com/civetweb/civetweb/issues/499)).
-
-Find and implement a new definition.
-
-
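Review bot: Deleting the whole file also drops the "Required Actions" text for S2 (callers that write to a websocket from two threads must call mg_lock_connection and mg_unlock_connection themselves) and the C1 requirement to call mg_init_library before mg_connect_client_secure. Please confirm both points are covered in the API documentation or the release notes, and that no other document still links to docs/Interface_Changes_1.10.md, before removing it.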

+ 4 - 2
docs/README.md

@@ -8,8 +8,8 @@ CivetWeb uses an [MIT license](https://github.com/civetweb/civetweb/blob/master/
 
 It can also be used by end users as a stand-alone web server. It is available as single executable, no installation is required.
 
-The current stable version is 1.14 - [release notes](https://github.com/civetweb/civetweb/blob/master/RELEASE_NOTES.md)
-Version 1.15 is under construction.
+To find the latest stable release, visit [https://github.com/civetweb/civetweb/releases](https://github.com/civetweb/civetweb/releases).
+A list of selected changes can be found in the [release notes](https://github.com/civetweb/civetweb/blob/master/RELEASE_NOTES.md).
 
 End users can download CivetWeb at SourceForge
 [https://sourceforge.net/projects/civetweb/](https://sourceforge.net/projects/civetweb/)
@@ -29,6 +29,8 @@ Recent questions and discussions use [GitHub issues](https://github.com/civetweb
 Source releases can be found on GitHub
 [https://github.com/civetweb/civetweb/releases](https://github.com/civetweb/civetweb/releases)
 
+A security policy can be found in [SECURITY.md](https://github.com/civetweb/civetweb/blob/master/SECURITY.md).
+
 CivetWeb is free of charge, however, donations for maintenance are welcome:
 [![Donate](https://www.paypalobjects.com/en_US/i/btn/btn_donateCC_LG.gif)](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=88ZLXZ6U77GJU)
 

+ 31 - 6
examples/README.md

@@ -2,15 +2,40 @@
 Examples
 =====
 
-Two examples show how to embed civetweb into a C ([embedded_c](https://github.com/civetweb/civetweb/tree/master/examples/embedded_c)) or a C++ ([embedded_cpp](https://github.com/civetweb/civetweb/tree/master/examples/embedded_cpp)) application.
-The C++ wrapper only offers a subset of the full C API, thus the C example is more complete than the C++ example. These examples were not designed with security in mind, but to show how the API can be used in principle. For more information, see the [documentation](https://github.com/civetweb/civetweb/tree/master/docs). Some examples can also be found in the [test](https://github.com/civetweb/civetweb/tree/master/test) folder (but they are less documented and adapted to the needs of the test framework).
+The ([embedded_c](https://github.com/civetweb/civetweb/tree/master/examples/embedded_c)) example shows
+how to embed civetweb into a C or C++ application.
 
-In addition, there is one example how to configure a HTTPS server, to comply with modern security standards ([https](https://github.com/civetweb/civetweb/tree/master/examples/https)). It does not hold any source, but only a configuration file and some documentation how to use it.
+The ([embedded_cpp](https://github.com/civetweb/civetweb/tree/master/examples/embedded_cpp)) example
+demonstrates embedding in a C++ application. It uses the C++ wrapper of the full C interface `civetweb.h`.
+The C++ wrapper only offers a limited subset of the full C API.
+Thus, the C example is more complete than the C++ example.
 
-The [multidomain](https://github.com/civetweb/civetweb/tree/master/examples/multidomain) example demonstrates how to host multiple domains with different HTTPS certificates. It uses the standalone server (civetweb.c + main.c) and existing certificates.
+These examples were not designed with security in mind, but to show how the API can be used in principle.
+For more information, see the [documentation](https://github.com/civetweb/civetweb/tree/master/docs).
+Some examples can also be found in the [test](https://github.com/civetweb/civetweb/tree/master/test) folder,
+but they are less documented and adapted to some special needs of the test frameworks.
 
-The [ws_client](https://github.com/civetweb/civetweb/tree/master/examples/ws_client) example shows how to use the websocket client interface to communicate with an (external) websocket server. It uses the "echo demo" of [websocket.org](http://websocket.org/echo.html), and only works if this server is reachable.
+The ([https](https://github.com/civetweb/civetweb/tree/master/examples/https)) example shows how to configure
+a HTTPS server with improved security settings.
+It does not hold any source, but only a configuration file and some documentation how to use it.
+
+The [multidomain](https://github.com/civetweb/civetweb/tree/master/examples/multidomain) example demonstrates 
+how to host multiple domains with different HTTPS certificates. 
+It uses the standalone server (civetweb.c + main.c) and existing certificates.
+
+The [ws_client](https://github.com/civetweb/civetweb/tree/master/examples/ws_client) example shows 
+how to use the websocket client interface to communicate with an (external) websocket server. 
+It uses the "echo demo" of [websocket.org](http://websocket.org/echo.html) and will work only if this server is reachable.
 
 All examples are subject to the MIT license (unless noted otherwise) - they come without warranty of any kind.
 
-Note that the examples are only meant as a demonstration how to use CivetWeb.  The example codes are omitting some error checking and input validation for better readability of the source.  They are not as actively maintained and continuously developed as main source of the project (include/civetweb.h, src/civetweb.c, src/*.inl).  Example codes undergo less quality management than the main source files of this project.  Examples are not checked and updated with every new version.  There are no repeated security assessment for the example codes, settings are not updated on a regular basis.  Contributions to examples code are welcome, under the same conditions as contributions to the main source code ([Contribution.md](https://github.com/civetweb/civetweb/blob/master/Contribution.md)).
+Note that the examples are only meant as a demonstration how to use CivetWeb.
+The example codes are omitting some error checking and input validation for better readability of the source.
+They are not as actively maintained and continuously developed as main source of the project 
+(include/civetweb.h, src/civetweb.c, src/*.inl).  
+Example codes undergo less quality management than the main source files of this project.
+Examples are not checked and updated with every new version.
+There are no repeated security assessment for the example codes, settings are not updated on a regular basis.
+
+Contributions to examples code are welcome, under the same conditions as contributions to the 
+main source code ([Contribution.md](https://github.com/civetweb/civetweb/blob/master/Contribution.md)).
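Review bot: The link in the last added line points to blob/master/Contribution.md, while this commit edits the file as docs/Contribution.md, so the target looks wrong (the removed line carried the same URL). Smaller points: the embedded_c, embedded_cpp and https links are wrapped in parentheses while multidomain and ws_client are not; several added lines end in trailing spaces, and the two after "src/*.inl)." force a Markdown line break; "There are no repeated security assessment" should read "assessments".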

+ 6 - 1
fuzztest/README.txt

@@ -24,7 +24,12 @@ Open issues:
  * Need "sudo" for container? (ASAN seems to needs it on WSL test)
  * let "make" create "civetweb_fuzz#" instead of "mv"
  * useful initial corpus and directory
- * Planned additional fuzz test: 
+ * Planned additional fuzz test:
   * vary HTTP2 request for HTTP2 server (in HTTP2 feature branch)
   * use internal function to bypass socket (bottleneck)
  * where to put fuzz corpus?
+
+Note:
+This test first starts a server, then launches an attack to this local server.
+If you run this test on a system with endpoint protection software or some web traffic inspector installed,
+this protection software may detect thousands of alarms during this test.
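Review bot: In the added note, "may detect thousands of alarms" should be "may raise thousands of alarms", and "launches an attack to this local server" reads better as "against this local server". Since the open-issues list above already mentions a container, the note could also recommend running the test in an isolated machine or container so the alerts do not land in a monitored production console.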

+ 5 - 1
src/civetweb.c

@@ -362,8 +362,12 @@ __cyg_profile_func_exit(void *this_fn, void *call_site)
 #endif
 #endif
 
+#ifndef CLOCK_MONOTONIC
 #define CLOCK_MONOTONIC (1)
+#endif
+#ifndef CLOCK_REALTIME
 #define CLOCK_REALTIME (2)
+#endif
 
 #include <mach/clock.h>
 #include <mach/mach.h>
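Review bot: Please confirm that the macOS clock code following these defines uses the names CLOCK_MONOTONIC and CLOCK_REALTIME rather than the literals 1 and 2, because with the new #ifndef guards the values come from the system headers whenever they define them, and the fallbacks (1) and (2) apply only otherwise. A short comment on the guarded block saying why the guards are needed would also help the next reader.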
@@ -10596,7 +10600,7 @@ parse_http_request(char *buf, int len, struct mg_request_info *ri)
 	    NULL;
 	ri->num_headers = 0;
 
-	/* RFC says that all initial whitespaces should be ingored */
+	/* RFC says that all initial whitespaces should be ignored */
 	/* This included all leading \r and \n (isspace) */
 	/* See table: http://www.cplusplus.com/reference/cctype/ */
 	while ((len > 0) && isspace((unsigned char)*buf)) {