Browse Source

[core] behavior change: stricter URL normalization

behavior change: stricter URL normalization

Prior behavior can be obtained by configuring lighttpd.conf with:
      server.http-parseopts = (“url-normalize” => “disable” )
although this is not recommended.

This behavior change was pre-announced with the releases of
  lighttpd 1.4.52 (2018.11.28)
  lighttpd 1.4.53 (2019.01.27)

The recommended settings are:
      server.http-parseopts = (
        "header-strict"            => "enable",
        "host-strict"              => "enable",
        "host-normalize"           => "enable",
        "url-normalize"            => "enable",
        "url-normalize-unreserved" => "enable",
        "url-normalize-required"   => "enable",
        "url-ctrls-reject"         => "enable",
        "url-path-2f-decode"       => "enable",
        "url-path-backslash-trans" => "enable",
        "url-path-dotseg-remove"   => "enable",
        "url-query-20-plus"        => "enable"
      )

The lighttpd defaults with this commit are slightly less strict:
      server.http-parseopts = (
        "header-strict"            => "enable",
        "host-strict"              => "enable",
        "host-normalize"           => "enable",
        "url-normalize"            => "enable",
        "url-normalize-unreserved" => "enable",
       #"url-normalize-required"   => "enable",
        "url-ctrls-reject"         => "enable",
        "url-path-2f-decode"       => "enable",
       #"url-path-backslash-trans" => "enable",
        "url-path-dotseg-remove"   => "enable",
       #"url-query-20-plus"        => "enable"
      )
personal/stbuehler/ci-build
Glenn Strauss 2 years ago
parent
commit
1cf68f79eb
  1. 4
      src/server.c
  2. 2
      tests/core-request.t
  3. 2
      tests/mod-proxy.t

4
src/server.c

@ -289,15 +289,11 @@ static server *server_init(void) {
srv->srvconf.http_header_strict = 1;
srv->srvconf.http_host_strict = 1; /*(implies http_host_normalize)*/
srv->srvconf.http_host_normalize = 0;
#if 0
srv->srvconf.http_url_normalize = HTTP_PARSEOPT_URL_NORMALIZE
| HTTP_PARSEOPT_URL_NORMALIZE_UNRESERVED
| HTTP_PARSEOPT_URL_NORMALIZE_CTRLS_REJECT
| HTTP_PARSEOPT_URL_NORMALIZE_PATH_BACKSLASH_TRANS
| HTTP_PARSEOPT_URL_NORMALIZE_PATH_2F_DECODE
| HTTP_PARSEOPT_URL_NORMALIZE_PATH_DOTSEG_REMOVE;
#endif
srv->srvconf.http_url_normalize = 0; /* temporary; change in future */
srv->srvconf.high_precision_timestamps = 0;
srv->srvconf.max_request_field_size = 8192;
srv->srvconf.loadavg[0] = 0.0;

2
tests/core-request.t

@ -54,7 +54,7 @@ $t->{REQUEST} = ( <<EOF
GET /index.html%00 HTTP/1.0
EOF
);
$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 404 } ];
$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 400 } ];
ok($tf->handle_http($t) == 0, 'URL-encoding, %00');
$t->{REQUEST} = ( <<EOF

2
tests/mod-proxy.t

@ -51,7 +51,7 @@ GET /rewrite/all/some+test%3axxx%20with%20space HTTP/1.0
Host: www.example.org
EOF
);
$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 200, 'HTTP-Content' => '/some+test%3axxx%20with%20space' } ];
$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 200, 'HTTP-Content' => '/some+test%3Axxx%20with%20space' } ];
ok($tf_proxy->handle_http($t) == 0, 'rewrited urls work with encoded path');
ok($tf_proxy->stop_proc == 0, "Stopping lighttpd proxy");

Loading…
Cancel
Save