path: root/tests
AgeCommit message (Collapse)AuthorFilesLines
2018-12-18[tests] more test config cleanupGlenn Strauss5-84/+6
2018-12-11[tests] update skip count in mod-fastcgi.tGlenn Strauss1-1/+1
2018-12-10[tests] some test config cleanupGlenn Strauss28-1230/+216
including limiting use of php in tests to mod-fastcgi.t
2018-12-10[tests] t/test_keyvalueGlenn Strauss7-171/+0
create t/test_keyvalue to replace sparse tests in tests/mod-redirect.t and tests/mod-rewrite.t remove tests/mod-redirect.t and tests/mod-rewrite.t
2018-12-03[mod_access] t/test_mod_accessGlenn Strauss5-54/+0
create t/test_mod_access to test mod_access basic logic remove tests/mod-access.t
2018-12-03[mod_evhost] t/test_mod_evhostGlenn Strauss4-117/+1
create t/test_mod_evhost to test mod_evhost basic logic remove tests/mod-evhost.t
2018-12-03[mod_simple_vhost] t/test_mod_simple_vhostGlenn Strauss6-73/+0
create t/test_mod_simple_vhost to test mod_simple_vhost basic logic remove tests/mod-simplevhost.t, which was not testing mod_simple_vhost
2018-09-23[core] http_status_append()Glenn Strauss1-4/+4
2018-08-12[core] security: use-after-free invalid Range reqGlenn Strauss1-1/+21
(thx Marcus Wengelin)
2018-08-05[tests] move src/test_*.c to src/t/Glenn Strauss1-1/+0
2018-08-05[tests] test_request unit testsGlenn Strauss6-497/+16
unit tests for request processing collect existing request processing tests from Perl tests/*.t (test_request.c runs *much* more quickly than Perl tests/*.t)
2018-08-05[core] buffer_append_string_encoded() uc hexGlenn Strauss1-2/+2
Use uc hex chars in buffer_append_string_encoded(), preferred in RFC3986 Preserve behavior using lc hex chars in buffer_append_string_c_escaped()
2018-01-13[core] fix POST with chunked request body (fixes #2854)Glenn Strauss1-1/+17
(thx the_jk) x-ref: "chunked transfer encoding in request body only works for tiny chunks"
2017-10-28[meson] new build systemStefan Bühler2-0/+58
Needed to extend lemon to take an output path parameter.
2017-04-06[mod_extforward] support Forwarded HTTP Extension (#2703)Glenn Strauss2-1/+11
enable with, e.g.: extforward.headers = ( "Forwarded" ) or extforward.headers = ( "Forwarded", "X-Forwarded-For" ) or extforward.headers = ( "Forwarded", "X-Forwarded-For", "Forwarded-For" ) The default remains: extforward.headers = ( "X-Forwarded-For", "Forwarded-For" ) Support for "Forwarded" is not enabled by default since intermediate proxies might not be aware of Forwarded, and might therefore pass spoofed Forwarded header received from client. extforward.params = ( # overwrite "Host" with Forwarded value #"host" => 1 # set REMOTE_USER with Forwarded value #"remote_user" => 1 ) Note: be cautious configuring trusted proxies if enabling these options since Forwarded header may be spoofed and passed along indescriminantly by proxies which do not handle Forwarded. To remove "Forwarded" from incoming requests, do not enable these options and instead use mod_setenv to clear the request header: setenv.set-request-header = ( "Forwarded" => "" ) Other proxy-related headers which admin might evaluate to keep or clear: setenv.set-request-header = ( "X-Forwarded-For" => "", "X-Forwarded-By" => "", "X-Forwarded-Server" => "", "X-Origin-IP" => "", "Via" => "", #... ) x-ref: "Forwarded HTTP Extension" "Forward authenticated user to proxied requests"
2017-03-19[tests] reduce time waiting for backends to startGlenn Strauss3-6/+10
reduce time spent waiting for backends to start tests check for active listening port before proceeding test runs now complete in about 2/3 the time
2017-03-19[core] consolidate dynamic handler response parseGlenn Strauss1-1/+1
- consolidate dynamic handler HTTP response parsing code - reduce string copies for CGI, FastCGI, SCGI, proxy response headers - let read() signal EOF or EAGAIN instead of ioctl FIONREAD 0-data-ready
2017-02-26[mod_cgi] cgi.local-redir = [enable|disable] (#2108, #2793)Glenn Strauss1-0/+1
new directive cgi.local-redir = [enable|disable] *disable* RFC3875 6.2.2 local-redir by default. (behavior change from when local-redir support added in lighttpd 1.4.40) The reason for this behavior change is that CGI local-redir support (RFC3875 6.2.2) is an optimization. Absence of support may result in additional latency in servicing a request due the additional round-trip to the client, but that was the prior behavior (before lighttpd 1.4.40) and is the behavior of web servers which do not support CGI local-redir. However, enabling CGI local-redir by default may result in broken links in the case where a user config (unaware of CGI local-redir behavior) returns HTML pages containing *relative* paths (not root-relative paths) which are relative to the location of the local-redir target document, and the local-redir target document is located at a different URL-path from the original CGI request. x-ref: RFC3875 CGI 1.1 specification section 6.2.2 Local Redirect Response "CGI local redirect not implemented correctly" "1.4.40 regression: broken redirect (using Location) between url.rewrite-once URLs"
2017-02-25[tests] correct skip count for mod-scgi.tGlenn Strauss1-1/+1
2017-01-31[tests] remove unused file depending on CGI.pmGlenn Strauss2-28/+0
lighttpd tests do not depend on remove *unused* file tests/docroot/www/404.fcgi which used CGI::Fast, which depends on
2017-01-31[mod_scgi] tests/mod-scgi.t unit testsGlenn Strauss6-1/+470
(copied from tests/mod-fastcgi.t fcgi-responder tests)
2017-01-31[core] support Expect: 100-continue with HTTP/1.1 (fixes #377, #1017, #1953, ↵Glenn Strauss1-2/+9
#2438) support Expect: 100-continue with HTTP/1.1 requests Ignore config option server.reject-expect-100-with-417; server.reject-expect-100-with-417 will be removed in a future release. x-ref: "Incorrect handling of the 100 (Continue) Status" "'Expect' header gives HTTP error 417" "Improve DAV support to be able to handle git as a client" "Change server.reject-expect-100-with-417 from flag to regular expression matching the URL"
2017-01-31[mod_secdownload] new directives modify hash path (fixes #646, fixes #1904)Glenn Strauss2-1/+16
secdownload.path-segments = <number> include only given number of path segments in hash digest calculation secdownload.hash-querystr = "enable" | "disable" include the query string in the hash digest calculation x-ref: "secdownload.path_elements support" "mod_secdownload option to include url GET parameters in md5"
2017-01-31[mod_setenv] directives to overwrite/remove hdrs (fixes #650, fixes #2295)Glenn Strauss2-1/+34
directives to set value, rather than append values to headers, env setenv.set-request-header setenv.set-response-header setenv.set-environment These directives take precedence over the setenv.add-* counterparts Set a blank value for request or response header to remove the header (blank value in environment will be set as the value; not removed) setenv.*-environment is now deferred to handle_request_env hook. setenv.*-response-header is now processed in handle_response_start hook. x-ref: "setenv.add-or-replace-response-header" "set-request-header or remove-request-header support for mod_setenv"
2017-01-10[tests] give time for periodic jobs to detect exitGlenn Strauss1-0/+2
give time for periodic jobs to detect backend exit
2017-01-10[tests] FCGI_Finish() final request before exitGlenn Strauss1-0/+2
2017-01-10[tests] update test skip count for !fcgi-responderGlenn Strauss1-1/+1
2017-01-10[mod_fastcgi] detect child exit, restart proactivelyGlenn Strauss2-13/+3
(instead of detecting upon a subsequent HTTP request) (for backends spawned by mod_fastcgi)
2017-01-09[mod_cgi] skip local-redir handling if to self (fixes #2779, #2108)Glenn Strauss1-1/+1
Loosen local redirect handling in mod_cgi to skip handling as local redirect if the Location matches con->uri.path, since if the request is intended to redirect back to the same CGI using the same request method, path info, and query string, the CGI would logically just return the final intended response. Loosening this handling avoids a problem with applications (potentially) accessible through multiple gateways, where the application is not aware of this specific handling of Location in the Common Gateway Interface (CGI/1.1), the application sends abs-path in the Location response header instead of absoluteURI, and the application expects the client to receive this Location response header instead of the server to process as a CGI local redirect. One example of such an application is LuCI, which sends Set-Cookie with Location: /abs-path (Note that this loose check for matching con->uri.path is not perfect and might not match if the CGI returned a path with a different case and the server is on a case-insensitive filesystem, or if the path returned by the CGI is rewritten elsewhere to a different con->uri.path before getting to mod_cgi.) RFC3875 CGI 1.1 specification section 6.2.2 Local Redirect Response x-ref: "CGI local-redir handling conflicts with LuCI redirect w/ Set-Cookie" "CGI local redirect not implemented correctly"
2016-12-22[tests] mark tests/docroot/www/*.pl scripts a+xGlenn Strauss5-0/+0
2016-12-19[mod_evhost] fix an incorrect error traceGlenn Strauss1-0/+0
2016-12-16[core] support Transfer-Encoding: chunked req body (fixes #2156)Glenn Strauss1-1/+116
support Transfer-Encoding: chunked request body in conjunction with = 0 dynamic handlers will still return 411 Length Required if = 1 or 2 (!= 0) since CGI-like env requires CONTENT_LENGTH be set (and mod_proxy currently sends HTTP/1.0 requests to backends, and Content-Length recommended for robust interaction with backend) x-ref: "request: support Chunked Transfer Coding for HTTP PUT"
2016-12-03comment out auth.backend.ldap.* in tests/*.confGlenn Strauss7-21/+21
(mod_authn_ldap is not loaded in these test confs, so mod_authn_ldap directives are not available)
2016-11-29load mod_auth & mod_authn_file in sample/test.confGlenn Strauss9-0/+9
2016-10-20[mod_evhost] mod-evhost.t tests (#1194)Glenn Strauss4-1/+117
(thx Daniel-Brandt) x-ref: "Partial matching in mod_evhost patterns"
2016-10-18[cmake] build fcgi-auth, fcgi-responder for testsGlenn Strauss1-0/+12
Aside: must have cmake enable building openssl for tests to pass due to tests/lighttpd.conf including config options requiring openssl algorithms in mod_secdownload.c: (secdownload.algorithm = "hmac-sha1") (secdownload.algorithm = "hmac-sha256") $ cmake -L . $ cmake -DWITH_OPENSSL:BOOL=ON . $ make -j 4 -k $ make test x-ref:
2016-09-23[autobuild] skip two new tests if no fcgi-authGlenn Strauss1-1/+1
2016-09-22[mod_auth] structured data, register auth schemesGlenn Strauss1-6/+6
- parse auth.* directives into structured data during config processing - register auth schemes (basic, digest, extern, ...) for extensibility - remove auth.debug directive
2016-09-19[mod_fastcgi] allow authorizer, responder for same path/ext (#321)Glenn Strauss1-4/+2
allow authorizer and responder to be configured for same path or ext x-ref: "mod_fastcgi authorizers cannot protect fastcgi responders"
2016-09-19[tests] test coverage for issues (#321, #322)Christoph Kreutzer4-14/+39
FastCGI Authorizer support with FastCGI Responders x-ref: "mod_fastcgi authorizers cannot protect fastcgi responders" x-ref: "FastCGI Authorizer support for Variable-name variable passing"
2016-08-20[core] better DragonFlyBSD support (fixes #2746)Glenn Strauss1-1/+1
(thx xenu) x-ref: "[PATCH] better DragonFlyBSD support; fix crash"
2016-08-06[core] check if client half-closed TCP if POLLHUP (#2743)Glenn Strauss1-0/+1
Check if client half-closed TCP connection if POLLHUP is received. This more robustly handles if client called shutdown(fd, SHUT_WR). This patch reverts commit:ab05eb7c which should now be handled properly. (Time will tell.) x-ref: "1.4.40/41 mod_proxy, mod_scgi may trigger POLLHUP on *BSD,Darwin"
2016-07-23revert 1.4.40 swap of REQUEST_URI, REDIRECT_URI (fixes #2738)Glenn Strauss1-3/+2
reverts part of commit:dbdab5db which swapped REQUEST_URI, REDIRECT_URI x-ref: "mediawiki redirect loop if REQUEST_URI not orig req in 1.4.40" Explanation: REQUEST_URI and REDIRECT_URI are not part of CGI standard environment. The reason for their existence is that PATH_INFO in CGI environment may be different from the path in the current request. The main reason for this potential difference is that the URI path is normalized to a path in the filesystem and tested against the filesystem to determine which part is SCRIPT_NAME and which part is PATH_INFO. In case-insensitive filesystems, the URI might be lowercased before testing against the filesystem, leading to loss of case-sensitive submission in any resulting PATH_INFO. Also, duplicated slashes "///" and directory references "/." and "/.." are removed, including prior path component in the case of "/..". This might be undesirable when the information after the SCRIPT_NAME is virtual information and there target script needs the virtual path preserved as-is. In that case, the target script can re-parse REQUEST_URI (or REDIRECT_URI, as appropriate) to obtain the unmodified information from the URI. con->request.uri is equivalent to con->request.orig_uri unless the request has been internally rewritten (e.g. by mod_rewrite, mod_magnet, others), in which case con->request.orig_uri is the request made by the client, and con->request.uri is the current URI being processed. Historical REQUEST_URI (environment variable) lighttpd inconsistencies - mod_cml set REQUEST_URI to con->request.orig_uri - mod_cgi set REQUEST_URI to con->request.orig_uri - mod_fastcgi set REQUEST_URI to con->request.orig_uri - mod_scgi set REQUEST_URI to con->request.orig_uri - mod_ssi set REQUEST_URI to current con->request.uri - mod_magnet set MAGNET_ENV_REQUEST_URI to current con->request.uri and MAGNET_ENV_REQUEST_ORIG_URI to con->request.orig_uri Historical REDIRECT_URI (environment variable) previously set only in mod_fastcgi and mod_scgi, and set to con->request.uri Since lighttpd 1.4.40 provides REDIRECT_URI with con->request.orig_uri, changes were made to REQUEST_URI for consistency, with the hope that there would be little impact to existing configurations since the request uri and original request uri are the same unless there has been an internal redirect. It turns out that various PHP frameworks use REQUEST_URI and require that it be the original URI requested by client. Therefore, this change is being reverted, and lighttpd will set REQUEST_URI to con->request.orig_uri in mod_cgi, mod_fastcgi, mod_scgi as was done in lighttpd 1.4.39 and earlier. Similarly, REDIRECT_URI also has the prior behavior in mod_fastcgi and mod_scgi, and added to mod_cgi. A future release of lighttpd might change mod_ssi to be consistent with the other modules in setting REQUEST_URI to con->request.orig_uri and to add REDIRECT_URI, when an internal redirect has occurred.
2016-07-16[mod_auth] fix Digest auth to be better than Basic (fixes #1844)Glenn Strauss1-21/+28
Make Digest authentication more compliant with RFC. Excerpt from Section 5.13: The bottom line is that any compliant implementation will be relatively weak by cryptographic standards, but any compliant implementation will be far superior to Basic Authentication. x-ref: "Serious security problem in Digest Authentication"
2016-07-14[mod_cgi] handle local redirect response (fixes #2108)Glenn Strauss2-1/+13
RFC3875 CGI 1.1 specification section 6.2.2 Local Redirect Response x-ref: "CGI local redirect not implemented correctly"
2016-07-14[tests] remove some tests duplicated in mod-cgi.tGlenn Strauss1-26/+2
2016-07-13[mod_access] new directive url.access-allow (fixes #1421)Glenn Strauss2-1/+22
url.access-allow is list of allowed url suffixes (e.g. file extensions) If url.access-allow has been set, then deny any URL that does not match the explicitly listed suffixes. (thx japc) x-ref: "access_allow directive for lighttpd"
2016-07-02[tests] remove dependency on CGI.pmGlenn Strauss3-28/+28 is no longer shipped as part of Perl core distribution (and is easily replaced)
2016-06-23[cygwin] fix mod_proxy and mod_fastcgi ioctl useGlenn Strauss1-0/+4
cygwin does not support ioctl on sockets, returning EOPTNOTSUPP (would be better if cygwin used Windows ioctlsocket() instead) Windows uses signed (socklen_t), so add some casts to quiet warnings Windows path handling is convoluted, so disable one tests in mod_fastcgi since trailing spaces are removed from URL for _WIN32 and __CYGWIN__ in response.c
2016-06-21[build] update EXTRA_DIST w/ new filesGlenn Strauss1-0/+2