Glenn Strauss
002a4c524d
[core] array_get_int_ptr()
4 years ago
Glenn Strauss
66ff05db8f
[tests] t/test_array.c
(more tests should be added, but starting with something has benefits)
4 years ago
Glenn Strauss
810109cc34
[multiple] code reuse: using array_*() funcs
4 years ago
Glenn Strauss
2b40854ab9
[core] fix include_shell on inline shell commands ( fixes #2910 )
regression in lighttpd 1.4.50
x-ref:
"include_shell behavior change in 1.4.50"
https://redmine.lighttpd.net/issues/2910
4 years ago
Glenn Strauss
fc1ddbed33
[mod_sockproxy] add to build
(experimental)
4 years ago
Glenn Strauss
df4812ec2e
[mod_authn_pam] mod_auth PAM support ( fixes #688 )
x-ref:
"auth via pam"
https://redmine.lighttpd.net/issues/688
4 years ago
Glenn Strauss
5c2d52b4ac
[mod_flv_streaming] code simplifications
4 years ago
Glenn Strauss
ae9f354bae
[doc] lighttpd.service uses network-online.target
doc/systemd/lighttpd.service now uses After=network-online.target
instead of After=network.target, as recommended in
https://www.freedesktop.org/wiki/Software/systemd/NetworkTarget/
(thx janik)
4 years ago
Glenn Strauss
d61f33817c
[multiple] code reuse: employ array_match_*()
4 years ago
Glenn Strauss
863dff6191
[mod_skeleton] review and simplify
4 years ago
Glenn Strauss
e6741acd4e
[core] code reuse array_match_*() routines
4 years ago
Glenn Strauss
6b887f35e3
[mod_auth] send 401 for mismatch HTTP auth scheme ( fixes #2906 )
x-ref:
"Lighttpd responds with 400 not 401"
https://redmine.lighttpd.net/issues/2906
4 years ago
Glenn Strauss
4992c4de10
[mod_fastcgi,mod_scgi] error on oversized request ( fixes #2905 )
regression in lighttpd 1.4.49 and lighttpd 1.4.50
(thx slawomir.pryczek)
x-ref:
"oversized fcgi requests should fail gracefully"
https://redmine.lighttpd.net/issues/2905
4 years ago
Glenn Strauss
a458c2e731
[mod_proxy,mod_wstunnel] copy full plugin_config ( fixes #2903 )
x-ref:
"gw backend redesign"
https://redmine.lighttpd.net/issues/2903
4 years ago
Glenn Strauss
5045a9e833
[core] fastcgi.h link to Open Market License (OML) ( fixes #2901 )
x-ref:
"License terms of fastcgi.h"
https://redmine.lighttpd.net/issues/2901
4 years ago
Glenn Strauss
2eabe1636c
[mod_rewrite] fix url.rewrite-repeat and url.rewrite-if-not-file ( fixes #2908 )
regression in lighttpd 1.4.50
x-ref:
"mod_rewrite now throws error ENDLESS LOOP IN rewrite-rule DETECTED"
https://redmine.lighttpd.net/issues/2908
4 years ago
Glenn Strauss
eebc1b0eec
[mod_proxy] fix proxy.forwarded and proxy.replace-http-host ( fixes #2902 )
config settings were not being copied into proxy request context
x-ref:
"mod_proxy's “proxy.forwarded” option seems ignored when used with mod_auth."
https://redmine.lighttpd.net/issues/2902
4 years ago
Glenn Strauss
9725299587
[core] code reuse with http_response_body_clear()
code reuse with http_response_body_clear()
rename con->response.transfer_encoding to con->response.send_chunked
4 years ago
Glenn Strauss
3dd3cde902
[core] abstraction layer for HTTP header manip
http_header.[ch]
convert existing calls to manip request/response headers
convert existing calls to manip environment array (often header-related)
4 years ago
Glenn Strauss
c8159ee5f6
[core] http_request_parse_reqline() separate func
http_request_parse_reqline() separate func from http_request_parse()
600+ line http_request_parse() is now two routines with ~300 lines each
4 years ago
Glenn Strauss
28d6015b45
[core] simplify parsing hdr key whitespace then :
4 years ago
Glenn Strauss
a7c27c9f99
[core] code reuse with array_insert_key_value()
code reuse with array_insert_key_value() and related array manipulation
4 years ago
Glenn Strauss
a90526374f
[core] abstraction to insert/modify response hdrs
consistent use of abstraction to insert/modify response headers
4 years ago
Glenn Strauss
9d3cbaa74c
[core] parse header line strings before copying
4 years ago
Glenn Strauss
ad27206608
[core] redo HTTP header line folding
Replace separators between folded header lines in-place using spaces
and then process the single header line.
(Reverts change which replaces folding whitespace with single space)
Acknowledgement: Or Peles of VDOO reference: VD-0871, VD-0872, VD-0873
(thx Or Peles)
4 years ago
Stefan Bühler
e0260a411d
[buffer] fix duplicate assert and comment
this originates from ad3e93ea9
for no apparent reason
5 years ago
Stefan Bühler
3be0707839
[core] replace folding whitespace with a single space
- previously the leading whitespace from folded lines was kept
- also ignore lines without any data
5 years ago
Stefan Bühler
df8e4f9561
[core,security] process headers after combining folded headers
- this fixes various use-after-free scenarios (reported by Or Peles of
VDOO): when parse_single_header stores pointers to header values in
con->request, those pointers are not updated if the header value is
reallocated when folded header lines are appended.
- also remove trailing white-space from folded lines
5 years ago
Stefan Bühler
a2cc330fb4
[core] header parsing: use goto for error handling
- disable keep-alive for all failures
- default to 400 for status
5 years ago
Stefan Bühler
725d951247
[core] explicitly return 0 instead of constant result
5 years ago
Stefan Bühler
ed0054c2d3
[core] split parsing header line into separate function
5 years ago
Glenn Strauss
a9e131fa37
- next is 1.4.51
5 years ago
Glenn Strauss
a2114a1c9b
[doc] NEWS
5 years ago
Glenn Strauss
8c35064583
[core] extend server.http-parseopts
"header-strict" => "enable"
  restrict chars permitted in HTTP request headers
  (overrides server.http-parseopt-header-strict)
"host-strict" => "enable"
  restrict chars permitted in HTTP request Host header
  (overrides server.http-parseopt-host-strict)
"host-normalize" => "enable"
  normalize HTTP Host header
  (overrides server.http-parseopt-host-normalize)
5 years ago
Glenn Strauss
ebd9517639
[core] quell insignificant coverity warning
5 years ago
Glenn Strauss
c791877f13
[build] add missing file for test_burl
add missing file for test_burl for cmake and meson builds
5 years ago
Glenn Strauss
82dcb34c73
[core] workaround Coverity cov-build bug with gcc7
workaround Coverity cov-build bug with gcc 7
where Coverity does not support _Floatx typedefs
https://stackoverflow.com/questions/50434236/coverity-scan-fails-to-build-stdlib-h-with-gnu-source-defined
5 years ago
Glenn Strauss
c4d743bb4d
mod_sockproxy - socket forwarding
(experimental)
5 years ago
Glenn Strauss
7c8cc6f7c5
[core] option to propagate TCP FIN to backend host
(experimental support for mod_sockproxy)
"tcp-fin-propagate" = "enable" for each host in *.server backend defs
5 years ago
Glenn Strauss
bbf01a3a6c
[core] reset var if FAMMonitorDirectory() fails
do not read fam_dir->version if FAMMonitorDirectory() fails
5 years ago
Glenn Strauss
d161f53de0
[core] security: use-after-free invalid Range req
(thx Marcus Wengelin)
5 years ago
Glenn Strauss
1de1746925
[mod_rewrite] require rewrite result to begin '/'
5 years ago
Glenn Strauss
f832b71180
[mod_redirect,mod_rewrite] base64url encoding opt
Provide means to encode redirect and rewrite backreference substitutions
%{encb64u:...} encode to base64url characters (no-padding)
%{decb64u:...} decode from base64url characters
5 years ago
Glenn Strauss
5868b8ca12
[core] add missing includes to quiet compiler warn
add missing system includes to quiet compiler warnings on Mac OS X
5 years ago
Glenn Strauss
ba5026aa7a
[mod_redirect,mod_rewrite] support up to 19 match
support up to 19 regex saved matches ($1 - $9 and ${1} - ${19})
for use in replacement substitutions.
lighttpd config conditionals are still limited to 9 matches (%1 - %9)
5 years ago
Glenn Strauss
769289b954
[core] POLLRDHUP handling for transparent proxying
5 years ago
Glenn Strauss
77d31d8584
[mod_wstunnel] quiet 32-bit compiler warnings
5 years ago
Glenn Strauss
2105dae0f9
[mod_alias] security: potential path traversal with specific configs
Security: potential path traversal of a single directory above the alias
target with a specific mod_alias config where the alias which is matched
does not end in '/', but alias target filesystem path does end in '/'.
e.g. server.docroot = "/srv/www/host/HOSTNAME/docroot"
alias.url = ( "/img" => "/srv/www/hosts/HOSTNAME/images/" )
If a malicious URL "/img../" were passed, the request would be
for directory "/srv/www/hosts/HOSTNAME/images/../" which would resolve
to "/srv/www/hosts/HOSTNAME/". If mod_dirlisting were enabled, which
is not the default, this would result in listing the contents of the
directory above the alias. An attacker might also try to directly
access files anywhere under that path, which is one level above the
intended aliased path.
credit: Orange Tsai(@orange_8361) from DEVCORE
5 years ago
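
A configuration audit for the alias shape described in the mod_alias commit above, as an added example that is not lighttpd code and not part of the commit. The function names are hypothetical, the sample config is constructed, and `map_path` is a simplified model of plain prefix substitution assumed from the commit message, not the server's actual implementation.

```python
import posixpath
import re

# Constructed sample config (not from a real deployment); the first alias
# has the shape described in the commit message.
SAMPLE_CONF = '''
server.document-root = "/srv/www/hosts/HOSTNAME/docroot"
alias.url = ( "/img"  => "/srv/www/hosts/HOSTNAME/images/",
              "/css/" => "/srv/www/hosts/HOSTNAME/css/" )
alias.url += ( "/doc" => "/usr/share/doc" )
'''

ALIAS_BLOCK = re.compile(r'alias\.url\s*\+?=\s*\((.*?)\)', re.S)
PAIR = re.compile(r'"([^"]*)"\s*=>\s*"([^"]*)"')


def parse_aliases(conf):
    """Return [(url_prefix, fs_target), ...] from alias.url assignments."""
    pairs = []
    for block in ALIAS_BLOCK.finditer(conf):
        pairs.extend(PAIR.findall(block.group(1)))
    return pairs


def risky_aliases(pairs):
    """Aliases whose URL prefix lacks a trailing '/' while the target has one."""
    return [(u, t) for u, t in pairs
            if not u.endswith('/') and t.endswith('/')]


def map_path(url_path, prefix, target):
    """Model of plain prefix substitution (assumed pre-fix behaviour)."""
    if not url_path.startswith(prefix):
        return None
    return target + url_path[len(prefix):]


def escapes_target(url_path, prefix, target):
    """True if the mapped path normalizes to somewhere outside the target."""
    mapped = map_path(url_path, prefix, target)
    if mapped is None:
        return False
    root = posixpath.normpath(target)
    resolved = posixpath.normpath(mapped)
    return resolved != root and not resolved.startswith(root + '/')
```

Running `risky_aliases(parse_aliases(...))` over a deployed config lists the entries to rewrite so that the alias and its target either both end in '/' or both omit it.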
Glenn Strauss
eb429c9c19
[mod_fastcgi] fix memleak with FastCGI auth,resp ( fixes #2894 )
fix memleak in mod_fastcgi when FastCGI is used for both authentication
and response on the same request
(thx rschmid)
x-ref:
"Memory leak if two fcgi calls with one request (authentication and response)"
https://redmine.lighttpd.net/issues/2894
5 years ago
Glenn Strauss
f4f13745c8
[mod_redirect,mod_rewrite] fix segfault w/ invalid syntax ( fixes #2892 )
(thx nti)
x-ref:
"Segmentation fault with invalid lighttpd.conf syntax"
https://redmine.lighttpd.net/issues/2892
5 years ago