Commit Graph

55 Commits

Author SHA1 Message Date
Glenn Strauss 779c133c16 [security] do not emit HTTP_PROXY to CGI env
Strip bogus "Proxy" header before creating subprocess environment.
(mod_cgi, mod_fastcgi, mod_scgi, mod_ssi, mod_proxy)

Do not emit HTTP_PROXY to subprocess environment.
Some executables use HTTP_PROXY to configure outgoing proxy.

This is not a lighttpd security issue per se, but this change to
lighttpd adds a layer of defense to protect backend processes which
might be vulnerable due to blindly using this untrusted environment
variable.  The HTTP_PROXY environment variable should not be trusted
by a program running in a CGI-like environment.

Mitigation in lighttpd <= 1.4.40 is to reject requests w/ Proxy header:

* Create "/path/to/deny-proxy.lua", read-only to lighttpd, with content:
  if (lighty.request["Proxy"] == nil) then return 0 else return 403 end
* Modify lighttpd.conf to load mod_magnet and run lua code
    server.modules += ( "mod_magnet" )
    magnet.attract-raw-url-to = ( "/path/to/deny-proxy.lua" )

CGI web servers assign Proxy header values from client requests to
internal HTTP_PROXY environment variables
httpoxy: A CGI application vulnerability
2016-07-19 01:22:33 -04:00
Glenn Strauss 393dfd8cb9 [mod_ssi] fix #config sizefmt="bytes" 2016-07-17 14:54:03 -04:00
Glenn Strauss a714f4f720 fix gcc 6.1.1 compiler warn misleading-indentation 2016-07-12 20:19:32 -04:00
Glenn Strauss 69ec5728f9 use con->conf.server_tag in modules
do not expose server info; server_tag is configured by admin

default con->conf.server_tag is still PACKAGE_DESC, though
admin can configure server.tag otherwise.

(these changes reduce recompilation and relinking when switching
 branches in source control)
2016-06-25 18:52:06 -04:00
Glenn Strauss fde843f63e [mod_ssi] fix parse of tag across buf boundary (fixes #2732)
thx fbrosson

  "char copied to wrong place in SSI output"
2016-05-17 15:33:27 -04:00
Glenn Strauss a5fcfee6fc [mod_ssi] more flexible quoting (fixes #1768)
allow double-quotes, single-quotes or no quote on SSI param values

remove use of PCRE from mod_ssi

fix misspelling of 'unknow' to be 'unknown'

  "mod_ssi doesn't accept single quotes"
2016-05-14 05:50:37 -04:00
Glenn Strauss abfb9d9e2d [mod_ssi] add PCRE_* options to constrain regex 2016-05-14 01:17:52 -04:00
Glenn Strauss ede4d17913 [mod_ssi] include relative to alias,userdir (fixes #222)
adjust paths relative to changes made by mod_alias and mod_userdir

Note: this still works only for direct file inclusion.
lighttpd mod_ssi does not perform an "internal subrequest" for the
virtual path, so things like virtual include of CGI are not supported

  "ssi virtual include uses wrong path"
2016-05-14 01:17:52 -04:00
Glenn Strauss df146a7724 [mod_ssi] fix SSI statement parser
bug introduced in 8e3c6bf7 when statement parser was replaced
2016-05-14 01:17:52 -04:00
Glenn Strauss a0a7b9fbf5 [mod_ssi, mod_cml] set DOCUMENT_ROOT to basedir (fixes #2383)
fixes inconsistency w/ mod_fastcgi, mod_scgi, mod_cgi change in adc97e5b

  "mod_alias: use alias directory as doc-root too"
  "mod_userdir doesn't set environment variable DOCUMENT_ROOT"
2016-05-02 14:31:36 -04:00
Glenn Strauss 8e3c6bf754 fallback to lseek()/read() if mmap() fails (fixes #2666)
e.g. when mmap() is used on lighttpd-controlled temporary files
used for POST request body (mod_cgi) and PUT file upload (mod_webdav)

replace use of stream_open() on potentially untrusted files
(protect against SIGBUS if a file is modified while map is read)
Note: stream.[ch] may be removed in a future release
For now, stream.[ch] will read entire file into memory if mmap fails
and so it should only be used on trusted files, e.g. config files.

http_auth basic and digest files are typically small and so buffered
stdio fopen(), fgets(), fclose() will likely be approximately as fast
as mmap.

mod_dirlisting header and readme files are typically small and so
open(), read(), close() will typically be approximately as fast as mmap

mod_ssi will likely be much faster, now buffering SSI page construction
rather than a potentially huge number of file open() calls, one for each
tiny chunk of text between SSI directives.

mod_webdav COPY and MOVE may be slower due to removal of mmap, but are
now more resilient to partial writes.

  "handle filesystems without mmap() support"
  "WebDAV upload-> mmap failed: operation not permitted"
  "Lighttpd 1.4.20 Crash (SIGBUS in mod_compress)"
  "Crash SIGBUS"

github: closes #57
2016-04-28 13:13:36 -04:00
Glenn Strauss 5492063f35 [core] set REDIRECT_STATUS to error_handler_saved_status (fixes #1828)
set REDIRECT_STATUS to con->error_handler_saved_status in dynamic
handlers for PHP compiled with --force-redirect.  Set to "200"
if (0 == con->error_handler_saved_status)
(mod_cgi, mod_fastcgi, mod_scgi, mod_ssi)

FYI: setting REDIRECT_STATUS in con->environment allows access and
manipulation by mod_magnet.

  "REDIRECT_STATUS == 200 on 404 redirect"

github: closes #35
2016-04-25 01:00:06 -04:00
Glenn Strauss fa3a36ffd4 [mod_ssi] config ssi.exec (fixes #2051)
(thx benbrown)

  "mod_ssi Add configuration item to disable SSI exec."
2016-04-14 08:59:07 -04:00
fbrosson 6982b1930e [mod_ssi] config ssi.conditional-requests
A new SSI directive, "ssi.conditional-requests", allows informing
lighttpd which SSI pages should be considered cacheable and which
should not. In particular, the "ETag" & "Last-Modified" headers will
only be sent for those SSI pages for which the directive is enabled.

Long description:
"ETag" and "Last-Modified" headers were being sent for all SSI pages,
regardless of whether they were cacheable or not. And yet, there was
no cache validation at all for any SSI page.
This commit fixes these two minor issues by adding a new directive,
"ssi.conditional-requests", which allows specifying which SSI pages
are cacheable and which are not, and by adding cache validation to
those SSI pages which are cacheable. And since sending ETags for
non-cacheable documents is not appropriate, they are no longer
computed nor sent for those SSI pages which are not cacheable.
Regarding the "Last-Modified" header for non-cacheable documents,
the standards allow either sending the current date and time for
that header or simply skipping it. The approach chosen is to not send
it for non-cacheable SSI pages. "ETag" and "Last-Modified" headers
are therefore only sent for an SSI page if ssi.conditional-requests
is enabled for that page.

The ssi.conditional-requests directive can be enabled or disabled
globally and/or in any context. It is disabled by default.

An index.shtml which only includes deterministic SSI commands such as:
<!--#echo var="LAST_MODIFIED"-->
is a trivial example of a dynamic SSI page that is cacheable.
2016-04-14 12:35:10 +00:00
Glenn Strauss 47f3dbebe4 use li_[iu]tostrn() instead of li_[iu]tostr()
From: Glenn Strauss <>

git-svn-id: svn:// 152afb58-edef-0310-8abb-c4023f1b3aa9
2016-04-01 17:38:26 +00:00
fbrosson a579e7ffc0 [mod_ssi] Add SSI vars SCRIPT_{URI,URL} and REQUEST_SCHEME (fixes #2721)
This is a proposal to add to lighttpd the famous SSI variables
SCRIPT_URI and SCRIPT_URL (known to Apache users), as well as a bonus
ENV variable called REQUEST_SCHEME.

SCRIPT_URI and SCRIPT_URL will be available as SSI variables from
within documents handled by mod_ssi.
They can be used like any other SSI var with the "#echo var" command:
<!--#echo var="SCRIPT_URI"-->
<!--#echo var="SCRIPT_URL"-->
Webmasters willing to display links to the W3C Validator will be able
to use:
<a href="<!--#echo var="SCRIPT_URI"-->">…</a>
instead of the generic link
which does not work on some (most?) browsers which do not send
referers when the link itself resides in a document sent through

REQUEST_SCHEME will be available both as an environment variable. It
is defined as "http" or "https", depending on the scheme of the
connection. It is safe to use this name as it does not conflict with
any existing variable on Apache or Nginx. This is slightly different
from the HTTPS var which is often added by webadmins on their server's
configuration. EDIT: Some Apache modules also define REQUEST_SCHEME
with the same possible values as this proposal.

From: fbrosson <>

git-svn-id: svn:// 152afb58-edef-0310-8abb-c4023f1b3aa9
2016-03-26 11:14:21 +00:00
Glenn Strauss 8abd06a7ff consistent inclusion of config.h at top of files (fixes #2073)
From: Glenn Strauss <>

git-svn-id: svn:// 152afb58-edef-0310-8abb-c4023f1b3aa9
2016-03-19 15:14:35 +00:00
fbrosson d8e028e069 [mod_ssi] enhance support for ssi vars
Try ssi_vars if ssi_cgi_env does not have a matching var name.
Allow var names to also include digits after the initial letter or underscore.

From: fbrosson <>

git-svn-id: svn:// 152afb58-edef-0310-8abb-c4023f1b3aa9
2016-01-03 14:48:07 +00:00
Stefan Bühler c512345fa2 [config] check config option scope; warn if server option is given in conditional
From: Stefan Bühler <>

git-svn-id: svn:// 152afb58-edef-0310-8abb-c4023f1b3aa9
2015-11-07 12:51:11 +00:00
Stefan Bühler 33cebeb0f7 fix segfaults in many plugins if they failed configuration
From: Stefan Bühler <>

git-svn-id: svn:// 152afb58-edef-0310-8abb-c4023f1b3aa9
2015-05-14 09:38:33 +00:00
Stefan Bühler ad3e93ea96 Use buffer API to read and modify "used" member
- a lot of code tried to handle manually adding terminating zeroes and
  keeping track of the correct "used" count.
  Replaced all "external" usages with simple wrapper functions:
  * buffer_string_is_empty (used <= 1), buffer_is_empty (used == 0);
    prefer buffer_string_is_empty
  * buffer_string_set_length
  * buffer_string_length
  * CONST_BUF_LEN() macro
- removed "static" buffer hacks (buffers pointing to constant/stack
  memory instead of malloc()ed data)
- buffer_append_strftime(): refactor buffer+strftime uses
- li_tohex(): no need for a buffer for binary-to-hex conversion:
  the output data length is easy to predict
- remove "-Winline" from extra warnings: the "inline" keyword just
  suppresses the warning about unused but defined (static) functions;
  don't care whether it actually gets inlined or not.

From: Stefan Bühler <>

git-svn-id: svn:// 152afb58-edef-0310-8abb-c4023f1b3aa9
2015-02-08 19:10:44 +00:00
Stefan Bühler 4365bdbebe Remove buffer_prepare_copy() and buffer_prepare_append()
* removed almost all usages of buffer as "memory" (without terminating
* refactored cgi variable name encoding

From: Stefan Bühler <>

git-svn-id: svn:// 152afb58-edef-0310-8abb-c4023f1b3aa9
2015-02-08 19:10:39 +00:00
Stefan Bühler 1be163b44a Remove chunkqueue_get_{append,prepend}* API
Although those were "easy" to use, they violated the abstraction:
  content of the chunkqueue should only be modified via the API.
  Replace with chunkqueue_get_memory() and chunkqueue_use_memory() for
  functions that read data from network (reusing large buffers),
  chunkqueue_steal_with_tempfiles() to store request bodies on disk
  Modules that were generating content and need a buffer maintain the
  buffer manually (have to be careful to free the buffer on errors, as
  it isn't part of the chunkqueue yet).

From: Stefan Bühler <>

git-svn-id: svn:// 152afb58-edef-0310-8abb-c4023f1b3aa9
2015-02-08 19:10:36 +00:00
Stefan Bühler 6afad87d2e fix buffer, chunk and http_chunk API
* remove unused structs and functions
    (buffer_array, read_buffer)
  * change return type from int to void for many functions,
    as the return value (indicating error/success) was never checked,
    and the function would only fail on programming errors and not on
    invalid input; changed functions to use force_assert instead of
    returning an error.
  * all "len" parameters now are the real size of the memory to be read.
    the length of strings is given always without the terminating 0.
  * the "buffer" struct still counts the terminating 0 in ->used,
    provide buffer_string_length() to get the length of a string in a
    unset config "strings" have used == 0, which is used in some places
    to distinguish unset values from "" (empty string) values.
  * most buffer usages should now use it as string container.
  * optimise some buffer copying by "moving" data to other buffers
  * use (u)intmax_t for generic int-to-string functions
  * remove unused enum values: UNUSED_CHUNK, ENCODING_UNSET
  * converted BUFFER_APPEND_SLASH to inline function (no macro feature
  * refactor: create chunkqueue_steal: moving (partial) chunks into another
  * http_chunk: added separate function to terminate chunked body instead of
    magic handling in http_chunk_append_mem().
    http_chunk_append_* now handle empty chunks, and never terminate the
    chunked body.

From: Stefan Bühler <>

git-svn-id: svn:// 152afb58-edef-0310-8abb-c4023f1b3aa9
2015-02-08 12:37:10 +00:00
Stefan Bühler 57c661c191 fix unchecked return values from stream_open/stat_cache_get_entry
From: Stefan Bühler <>

git-svn-id: svn:// 152afb58-edef-0310-8abb-c4023f1b3aa9
2014-02-16 13:08:34 +00:00
Stefan Bühler 6f208cfde1 fix/silence bugs reported by ccc-analyzer (clang)
These should all be non-critical:
 * memory leaks on startup in error cases (which lead to
   immediate shutdowns anyway)
 * http_auth/ldap: passing uninitialized "ret" to ldap_err2string
 * sizeof(T) not matching the target pointer in malloc/calloc calls;
   those cases were either:
   * T being the wrong pointer type - shouldn't matter as long as all
     pointers have same size
   * T being larger than the type needed
 * mod_accesslog: direct use after free in cleanup (server shutdown);
   could crash before "clean" shutdown
 * some false positives (mod_compress, mod_expire)
 * assert(srv->config_context->used > 0); - this is always the case,
   as there is always a global config block

From: Stefan Bühler <>

git-svn-id: svn:// 152afb58-edef-0310-8abb-c4023f1b3aa9
2013-11-13 11:43:26 +00:00
Stefan Bühler 559b198f86 [auth] put REMOTE_USER into cgi environment, making it accessible to lua via lighty.req_env (fixes #2495)
From: Stefan Bühler <>

git-svn-id: svn:// 152afb58-edef-0310-8abb-c4023f1b3aa9
2013-08-30 13:14:52 +00:00
Stefan Bühler 22e8b456a9 Fix header inclusion order, always include "config.h" before any system header
git-svn-id: svn:// 152afb58-edef-0310-8abb-c4023f1b3aa9
2009-10-11 14:31:42 +00:00
Stefan Bühler 4df22f2a32 Fix issues found with clang analyzer
git-svn-id: svn:// 152afb58-edef-0310-8abb-c4023f1b3aa9
2009-07-21 20:35:27 +00:00
Stefan Bühler bcc65ae59f Add ssi.content-type option (default text/html, fixes #615)
git-svn-id: svn:// 152afb58-edef-0310-8abb-c4023f1b3aa9
2009-06-10 14:50:42 +00:00
Stefan Bühler 4de9dc077a mod_ssi printenv: print cgi env, add environment vars to cgi env (fixes #1713)
git-svn-id: svn:// 152afb58-edef-0310-8abb-c4023f1b3aa9
2009-04-27 09:28:45 +00:00
Stefan Bühler 638ee6cad9 Add revision number to package version for svn/git checkouts
git-svn-id: svn:// 152afb58-edef-0310-8abb-c4023f1b3aa9
2009-04-10 17:35:19 +00:00
Stefan Bühler 63f785a2f8 Added some extra warning options in cmake and fix the resulting warnings (unused/static functions)
git-svn-id: svn:// 152afb58-edef-0310-8abb-c4023f1b3aa9
2009-03-07 21:05:37 +00:00
Stefan Bühler ad12e4c5b2 Insert many con->mode checks; they should prevent two modules to handle the same request if they shouldn't (#631)
git-svn-id: svn:// 152afb58-edef-0310-8abb-c4023f1b3aa9
2008-08-01 16:13:34 +00:00
Stefan Bühler 52861d77df Replace buffer_{append,copy}_string with the _len variant where possible (#1732, thx crypt)

git-svn-id: svn:// 152afb58-edef-0310-8abb-c4023f1b3aa9
2008-07-30 19:38:32 +00:00
Jan Kneschke 7bb555991c fixed handling of waitpid() == EINTR in mod_ssi on Solaris
git-svn-id: svn:// 152afb58-edef-0310-8abb-c4023f1b3aa9
2008-03-10 19:20:27 +00:00
Elan Ruusamäe 15b126c73e - cosmetic
git-svn-id: svn:// 152afb58-edef-0310-8abb-c4023f1b3aa9
2008-01-18 09:23:32 +00:00
Elan Ruusamäe 3078b31568 - generate ETag and Last-Modified headers for mod_ssi based on newest modified include (#1491)
git-svn-id: svn:// 152afb58-edef-0310-8abb-c4023f1b3aa9
2008-01-18 09:21:07 +00:00
Jan Kneschke 51826fc05c renamed ltostr() to LI_ltostr() to fix compile on HP/UX (fixes #465)
git-svn-id: svn:// 152afb58-edef-0310-8abb-c4023f1b3aa9
2007-08-18 12:25:52 +00:00
Jan Kneschke 768a0d0eab fixed type-cast for NULL in execl() (fixes #1235), fix provided by Frank

git-svn-id: svn:// 152afb58-edef-0310-8abb-c4023f1b3aa9
2007-06-15 15:04:56 +00:00
Marcus Rückert 8cd1471cb3 - white space cleanup part 2 this time 1.4 ;)
I hope it helps with merging stuff back to 1.5

git-svn-id: svn:// 152afb58-edef-0310-8abb-c4023f1b3aa9
2006-10-04 13:26:23 +00:00
Jan Kneschke 1311a6137f added comment on waitpid() + -HUP
git-svn-id: svn:// 152afb58-edef-0310-8abb-c4023f1b3aa9
2006-09-10 22:01:26 +00:00
Jan Kneschke a743ad8063 fixed handling of subdirs in ssi (fixes #462), patch by robe
git-svn-id: svn:// 152afb58-edef-0310-8abb-c4023f1b3aa9
2006-03-04 15:12:17 +00:00
Jan Kneschke e84aba5c24 fixed missing sys/filio.h on solaris (fixes #332)
git-svn-id: svn:// 152afb58-edef-0310-8abb-c4023f1b3aa9
2005-10-18 10:38:11 +00:00
Jan Kneschke f5ca9798df only get a buffer if we really need it (fixed #280)
git-svn-id: svn:// 152afb58-edef-0310-8abb-c4023f1b3aa9
2005-09-21 16:41:23 +00:00
Jan Kneschke 35d3c10d81 on SEGFAULT tell where we were
git-svn-id: svn:// 152afb58-edef-0310-8abb-c4023f1b3aa9
2005-08-21 23:09:43 +00:00
Jan Kneschke bac9212c8f fixed possible uninit variables if the config-parser fails (merged [183])
git-svn-id: svn:// 152afb58-edef-0310-8abb-c4023f1b3aa9
2005-08-16 13:07:46 +00:00
Jan Kneschke f926c361f9 ..physical_path is gone and has been replaced by subrequest_start
git-svn-id: svn:// 152afb58-edef-0310-8abb-c4023f1b3aa9
2005-08-15 09:46:23 +00:00
Jan Kneschke cd4c324ff2 allow numbers in header-keys
git-svn-id: svn:// 152afb58-edef-0310-8abb-c4023f1b3aa9
2005-08-08 16:32:17 +00:00
Jan Kneschke c8408d015c removed setup_connection (merged [295])
git-svn-id: svn:// 152afb58-edef-0310-8abb-c4023f1b3aa9
2005-08-08 10:27:07 +00:00