[core] behavior change: stricter URL normalization

behavior change: stricter URL normalization

Prior behavior can be obtained by configuring lighttpd.conf with:
      server.http-parseopts = (“url-normalize” => “disable” )
although this is not recommended.

This behavior change was pre-announced with the releases of
  lighttpd 1.4.52 (2018.11.28)
  lighttpd 1.4.53 (2019.01.27)

The recommended settings are:
      server.http-parseopts = (
        "header-strict"            => "enable",
        "host-strict"              => "enable",
        "host-normalize"           => "enable",
        "url-normalize"            => "enable",
        "url-normalize-unreserved" => "enable",
        "url-normalize-required"   => "enable",
        "url-ctrls-reject"         => "enable",
        "url-path-2f-decode"       => "enable",
        "url-path-backslash-trans" => "enable",
        "url-path-dotseg-remove"   => "enable",
        "url-query-20-plus"        => "enable"
      )

The lighttpd defaults with this commit are slightly less strict:
      server.http-parseopts = (
        "header-strict"            => "enable",
        "host-strict"              => "enable",
        "host-normalize"           => "enable",
        "url-normalize"            => "enable",
        "url-normalize-unreserved" => "enable",
       #"url-normalize-required"   => "enable",
        "url-ctrls-reject"         => "enable",
        "url-path-2f-decode"       => "enable",
       #"url-path-backslash-trans" => "enable",
        "url-path-dotseg-remove"   => "enable",
       #"url-query-20-plus"        => "enable"
      )

src/server.c

@@ -289,15 +289,11 @@ static server *server_init(void) {
 	srv->srvconf.http_header_strict  = 1;
 	srv->srvconf.http_host_strict    = 1; /*(implies http_host_normalize)*/
 	srv->srvconf.http_host_normalize = 0;
-      #if 0
 	srv->srvconf.http_url_normalize = HTTP_PARSEOPT_URL_NORMALIZE
 					| HTTP_PARSEOPT_URL_NORMALIZE_UNRESERVED
 					| HTTP_PARSEOPT_URL_NORMALIZE_CTRLS_REJECT
-					| HTTP_PARSEOPT_URL_NORMALIZE_PATH_BACKSLASH_TRANS
 					| HTTP_PARSEOPT_URL_NORMALIZE_PATH_2F_DECODE
 					| HTTP_PARSEOPT_URL_NORMALIZE_PATH_DOTSEG_REMOVE;
-      #endif
-	srv->srvconf.http_url_normalize = 0; /* temporary; change in future */
 	srv->srvconf.high_precision_timestamps = 0;
 	srv->srvconf.max_request_field_size = 8192;
 	srv->srvconf.loadavg[0] = 0.0;

tests/core-request.t

@@ -54,7 +54,7 @@ $t->{REQUEST}  = ( <<EOF
 GET /index.html%00 HTTP/1.0
 EOF
  );
-$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 404 } ];
+$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 400 } ];
 ok($tf->handle_http($t) == 0, 'URL-encoding, %00');
 
 $t->{REQUEST}  = ( <<EOF

tests/mod-proxy.t

@@ -51,7 +51,7 @@ GET /rewrite/all/some+test%3axxx%20with%20space HTTP/1.0
 Host: www.example.org
 EOF
  );
-	$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 200, 'HTTP-Content' => '/some+test%3axxx%20with%20space' } ];
+	$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 200, 'HTTP-Content' => '/some+test%3Axxx%20with%20space' } ];
 	ok($tf_proxy->handle_http($t) == 0, 'rewrited urls work with encoded path');
 
 ok($tf_proxy->stop_proc == 0, "Stopping lighttpd proxy");