Commit Graph

2573 Commits

Author SHA1 Message Date
Glenn Strauss 4753064318 [mod_magnet] code reuse 2018-04-08 22:22:23 -04:00
Glenn Strauss 6fb023d664 [mod_wstunnel] better Sec-WebSocket-Protocol parse
Improve handling of Sec-WebSocket-Protocol: binary, base64 for RFC6455.
When client sends Sec-WebSocket-Protocol in request header, client
may expect Sec-WebSocket-Protocol response.  mod_wstunnel is basic
tunnel endpoint and supports "binary" and "text" modes for RFC6455,
conventionally requested by client browsers as "binary" or "base64"
2018-04-08 22:22:23 -04:00
Glenn Strauss 04d76e7afd [core] some header cleanup
provide standard types in first.h instead of base.h
provide lighttpd types in base_decls.h instead of settings.h
reduce headers exposed by headers for core data structures
  do not expose <pcre.h> or <stdlib.h> in headers
move stat_cache_entry to stat_cache.h
reduce use of "server.h" and "base.h" in headers
2018-04-08 22:22:23 -04:00
Glenn Strauss fefc82153a [build] remove m4 AC_PATH_PROG for PKG_CONFIG
2018-03-25 01:06:58 -04:00
Glenn Strauss d400f8aac5 [core] fdevent_accept_listenfd() nonblock cloexec
fdevent_accept_listenfd() now always returns fd O_NONBLOCK O_CLOEXEC
for consistency, rather than setting elsewhere in connection_accepted()

Handle older Linux 2.6 kernels which might have accept4() in glibc,
but return ENOSYS, as accept4() was not added until Linux kernel 2.6.28.
2018-03-25 00:59:48 -04:00
Glenn Strauss 26fb8d3ee6 [mod_proxy] fix segfault in Set-Cookie reverse map (fixes #2879)
fix segfault in reverse url-path mapping of Set-Cookie sent from backend
when proxy.header = ( "map-urlpath" => ( ... ) ) is used and there are
multiple Set-Cookie response headers with path= attributes which need to
be reverse mapped.

(thx ganto)

  "Segfault with proxy-header map-urlpath"
2018-03-22 00:25:06 -04:00
Glenn Strauss 210b57708e [core] fix rare race condition from backends (fixes #2878)
fix rare race condition from backends with

(thx abelbeck)

  "fastcgi and stream-response-body=2 hangs on last chunk"
2018-03-18 19:01:32 -04:00
Glenn Strauss 957916a90e [core] minor code cleanup in gw_recv_response() 2018-03-17 23:16:48 -04:00
Glenn Strauss 86f64a0288 [mod_magnet] fix regression in lighty.stat (fixes #2877)
fix regression in mod_magnet lighty.stat introduced in lighttpd 1.4.49
in commit commit:b1df38ab

  "lighty.stat failure"
2018-03-17 11:57:50 -04:00
Glenn Strauss e21906b3b4 [core] fix crash if 'host' empty in config (fixes #2876)
 "segfault with fastcgi app"
2018-03-15 23:21:37 -04:00
Glenn Strauss 78e25f0f50 [mod_extforward] allow explict IPs to be untrusted (#2860)
Allowing explicit IPs to be rejected might be useful in situations
where an internal network is to be allowed by CIDR mask, but there are
a small number of untrusted hosts on the network, e.g. hosts behind a
NAT to which some external ports are forwarded.

CIDR masks must be marked "trust", or else are ignored with a warning.

  "RFE: mod_extforward CIDR support"
2018-03-13 00:08:10 -04:00
Glenn Strauss ae54806dc2 - next is 1.4.50 2018-03-11 21:54:44 -04:00
Glenn Strauss d0d5d4267b [doc] NEWS 2018-03-11 20:23:32 -04:00
Glenn Strauss 758d24142b [core] fix incorrect hash algorithm impl
fix incorrect implementation of djb hash algorithm
2018-03-11 12:18:41 -04:00
Glenn Strauss 5a6e4df85c [mod_auth] check that digest realm matches config 2018-03-11 00:31:12 -05:00
Glenn Strauss 81b7e8e2fb [mod_auth] constant time compare plain passwords
(digests have same length)
2018-03-11 00:28:56 -05:00
Glenn Strauss 7265c72b6c [autoconf] reduce minimum automake version to 1.13
Although removal of AM_PROG_CC_C_O in f107bac8 requires automake 1.14
to provide the same functionality in AC_PROG_CC, any widely used,
modern compiler supports cc -c -o.  Reducing the minimum required
automake version avoids the current need for Centos 7 maintainers
to patch in order to build binary packages.
2018-03-07 00:35:55 -05:00
Glenn Strauss 4a674224ab [core] re-enable overloaded backends w/ multi wkrs
re-enable overloaded backends when server.max-worker is non-zero

(thx jens-maus)

  "mod_proxy not re-enabling proxy with 1.4.48" (multiple workers)
2018-03-04 14:36:09 -05:00
Glenn Strauss fc7edb3946 [mod_extforward] CIDR support for trusted proxies (fixes #2860)
  "RFE: mod_extforward CIDR support"
2018-03-04 07:16:16 -05:00
Glenn Strauss cd2b51cb1a [core] fix CONNECT w strict header parsing enabled
fix CONNECT with strict header parsing enabled (default)
(or set server.http-parseopt-header-strict = "disabled")

  "ssh over https tunnel"
2018-02-26 00:44:14 -05:00
Glenn Strauss bd32f67046 [core] open additional fds O_CLOEXEC 2018-02-03 13:45:14 -05:00
Glenn Strauss b1df38ab6a [core] increase stat_cache abstraction
reduce dependency on struct connection
routines for getting/caching content_type and etag separate from stat
2018-02-02 23:28:38 -05:00
Glenn Strauss 2496c1af4c [core] pass array_get_element_klen() const array * 2018-02-02 06:22:33 -05:00
Glenn Strauss 6a6d32698e [core] fix path-info calculation in git master (fixes #2861)
(thx ReimuHakurei)

  "Regression: PHP URLs return 404 from lighttpd when they contain PATH_INFO ending in a trailing slash."
2018-02-02 06:10:24 -05:00
Glenn Strauss 978a3f8dad [core] add include sys/poll.h on Solaris (fixes #2859)
  "fdevent_solaris_port.c header missing on Solaris 10"
2018-01-22 19:54:15 -05:00
Glenn Strauss 58a1793964 [core] fix 32-bit compile POST w/ chunked request body (#2854)
(thx the_jk)

  "chunked transfer encoding in request body only works for tiny chunks"
2018-01-19 22:35:17 -05:00
Glenn Strauss 30fe3684f6 [mod_wstunnel] fix for frames larger than 64k (fixes #2858)
(thx rschmid)

  "Wrong websocket frametype if frame is longer then UINT16_MAX"
2018-01-19 22:20:35 -05:00
Glenn Strauss 1c594f0629 [doc] minor update to *outdated* doc
  "unknown config-key: auth.debug (ignored)"

github: closes #89
2018-01-19 22:20:16 -05:00
Glenn Strauss e6564641d8 [core] remove unused func 2018-01-19 22:13:58 -05:00
Glenn Strauss dc1675ea32 [core] fix POST with chunked request body (fixes #2854)
(thx the_jk)

  "chunked transfer encoding in request body only works for tiny chunks"
2018-01-13 22:53:19 -05:00
Glenn Strauss cb371557e5 [core] merge redirect/rewrite pattern substitution
merge redirect/rewrite pattern substitution function (share code)
2018-01-10 01:39:05 -05:00
Glenn Strauss a5a2654bd4 [core] code cleanup: separate physical path sub
code cleanup: separate subroutine to check physical path
2018-01-08 01:06:40 -05:00
Glenn Strauss d5f37803dd [mod_authn_ldap] auth with ldap referrals (fixes #2846)
use ldap_set_rebind_proc() to provide auth when rebinding following
ldap referrals (instead of rebinding anonymously for ldap referrals)

  "LDAP authentication vs. AD: problems with referrals"
2018-01-07 12:50:30 -05:00
Glenn Strauss ec9e6abcb3 [core] check for path-info forward down path
check for path-info forward down path rather than back from end of path
2018-01-06 22:23:51 -05:00
Glenn Strauss 76b9b1fa46 [mod_openssl] elliptic curve auto selection (fixes #2833)
elliptic curve auto selection where available
openssl v1.0.2 - SSL_CTX_set_ecdh_auto()
openssl v1.1.0 - ECDH support always enabled

  "Using X25519 Key exchange"

  "SSL_CTX_set_ecdh_auto is undefined for newer openssl's"
  It has been removed from OpenSSL 1.1.0.
  Here is the relevant CHANGES entry:
  *) SSL_{CTX_}set_ecdh_auto() has been removed and ECDH is support is
     always enabled now.  If you want to disable the support you should
     exclude it using the list of supported ciphers. This also means
     that the "-no_ecdhe" option has been removed from s_server.
     [Kurt Roeckx]
2018-01-06 20:15:09 -05:00
Glenn Strauss f90ccdef51 [mod_openssl] minor code cleanup; reduce var scope
('git show -u -b -w <commit-sha>' to see minimal changes)
2018-01-06 19:05:26 -05:00
Glenn Strauss b9df146b3c [core] non-blocking write() to piped loggers
If pipe fills and would block, then discard remaining write.
Do not block lighttpd if the logger blocks, such as if disk fills up.
2018-01-02 21:01:41 -05:00
Glenn Strauss e8226c11cb [core] do not reparse request if async cb
do not reparse request if async callback, e.g. for mod_auth
2018-01-01 17:06:05 -05:00
Glenn Strauss b28f03b5a4 [core] warn if mod_indexfile after dynamic handler
mod_indexfile should be listed in server.modules
prior to dynamic handlers

2018-01-01 07:32:52 -05:00
Glenn Strauss 37f9b60d5e [mod_authn_ldap] fix mem leak when ldap auth fails (fixes #2849)
thx, codehero

  "Linux OOM kills lighttpd when using mod_authn_ldap"
2017-12-21 17:44:23 -05:00
Glenn Strauss d4083effab [core] fix base64 decode when char is unsigned (fixes #2848)
thx, codehero

  "buffer_append_base64_decode() broken on compilers where char is assumed unsigned"
2017-12-21 17:41:17 -05:00
Glenn Strauss 0c95ed370f [core] report to stderr if errorlog path ENOENT (fixes #2847)
  "handling permissions at startup"
2017-12-11 22:17:00 -05:00
Glenn Strauss 84b5064dc4 [core] discard from socket using recv MSG_TRUNC
discard from socket using recv MSG_TRUNC on Linux TCP SOCK_STREAM socket

Currently, lighttpd supports only TCP SOCK_STREAM.  If UDP SOCK_DGRAM
were to be supported in the future, then socket type will need to be
stored so that MSG_TRUNC is used appropriately for the desired effect.

To find out socket type on arbitrary socket fd:
  getsockopt(..., SOL_SOCKET, SO_TYPE, ...)
but better to store it with each listening socket.
2017-12-11 21:35:31 -05:00
Glenn Strauss e4ed2ed4ae [mod_compress,mod_deflate] try mmap MAP_PRIVATE
try mmap MAP_PRIVATE if mmap MAP_SHARED fails with errno == EINVAL
Some file systems such as jffs2 and btrfs might not support MAP_SHARED
2017-12-09 20:22:29 -05:00
Glenn Strauss bed3779617 [core] fix segfault if tempdirs fill up (fixes #2843)
(thx wolfram)

  "lighttpd segfault if /var/tmp is full"
2017-11-26 17:03:07 -05:00
Glenn Strauss d3b0eb8264 [mod_deflate] fix deflate of file > 2MB w/o mmap
fix deflate of file > 2MB when lighttpd is built without mmap support
2017-11-26 12:40:34 -05:00
Glenn Strauss 3770df2387 [mod_proxy] basic support for HTTP CONNECT method (#2060)
For security reasons, this supports only specific, pre-configured
target backends and not arbitrary CONNECT targets.

  "ssh over https tunnel"
2017-11-25 19:01:16 -05:00
Glenn Strauss d5d0258362 [core] support POLLRDHUP, where available (#2743)
  "mod_cgi, lighty not killing CGI if connection in the other end is closed"
  "1.4.40/41 mod_proxy, mod_scgi may trigger POLLHUP on *BSD,Darwin"
2017-11-19 12:01:09 -05:00
Glenn Strauss 9f02df2d39 [mod_accesslog] %{canonical,local,remote}p (fixes #2840)
  "accesslog.format remote_port"
2017-11-17 22:19:40 -05:00
Glenn Strauss e7f5e24aeb [core] adjust offset if response header blank line
When backend returns an invalid response header which is exactly a
blank line (\n or \r\n), adjust the offset so as not to discard the
first character following, which is probably intended to be the
beginning of the response body.
2017-11-15 06:36:58 -05:00