(occurred 3 years ago on experimental branch, and now ported forward)
robustness and performance improvements, including atomic updates on
individual files (e.g. for PUT, COPY, MOVE)
exclusive locks are fully supported
shared locks are partly supported
x-ref:
"add RFC-compliant LOCK support to mod_webdav"
https://redmine.lighttpd.net/issues/1818
fdevent_open_cloexec() opens files O_BINARY for consistency,
and with O_NONBLOCK, so that the server will not block if the
target file to open is a fifo.
reduce code duplication in list resizing
realloc() of NULL ptr has behavior similar to malloc()
Note that if initial size == 0, then code used to adjust size
must be += x to ensure the size is non-zero for reallocation.
(Multiplying 0 * x, e.g. power-2 resizing, will result in 0.)
validate UTF-8 in url-decoded paths obtained elsewhere than from request
(burl_normalize(), if enabled with server.http-parseopts, checks url for
overlong encodings of ASCII chars in the HTTP request-line)
buffer_simplify_path() no longer prepends '/' if '/' is missing.
Callers must check for leading '/' depending on use, such as in
concatenation with others paths, or direct use accessing filesystem
Note: lighttpd 1.4.50 provides the server.http-parseopts directive.
Recommended settings unless specific use requires looser settings:
server.http-parseopts = (
"header-strict" => "enable",
"host-strict" => "enable",
"host-normalize" => "enable",
"url-normalize" => "enable",
"url-normalize-unreserved" => "enable",
"url-normalize-required" => "enable",
"url-ctrls-reject" => "enable",
"url-path-2f-decode" => "enable",
"url-path-dotseg-remove" => "enable",
"url-query-20-plus" => "enable"
)
x-ref:
https://digi.ninja/blog/lighttpd_rewrite_bypass.php
As noted in the link above, mod_access should be preferred instead
of mod_rewrite for access controls to URLs.
quickly clear buffer instead of buffer_string_set_length(b, 0) or
buffer_reset(b). Avoids free() of large buffers about to be reused,
or buffers that are module-scoped, persistent, and reused.
(buffer_reset() should still be used with buffers in connection *con
when the data in the buffers is supplied by external, untrusted source)
provide standard types in first.h instead of base.h
provide lighttpd types in base_decls.h instead of settings.h
reduce headers exposed by headers for core data structures
do not expose <pcre.h> or <stdlib.h> in headers
move stat_cache_entry to stat_cache.h
reduce use of "server.h" and "base.h" in headers
fix crash in mod_webdav_subrequest_handler_huge()
when stat_cache_get_entry() returns HANDLER_ERROR
but errno is not ENOENT
x-ref:
"fix crash in mod_webdav_subrequest_handler_huge()"
https://github.com/lighttpd/lighttpd1.4/pull/86
github: closes #86
check HAVE_UUID for -luuid in order to detect more pedantic cases,
e.g. when -luuid is not installed under Cygwin, even if devel headers
are present (<uuid/uuid.h>)
PROPFIND getetag attr must match Etag response header from GET request
For consistency, make similar change in mod_ssi.
(thx ethoms)
x-ref:
"mod_webdav: Etag in response differs between PROPFIND and GET"
https://redmine.lighttpd.net/boards/3/topics/7473
silence compiler warnings if HAVE_FORK is not set
However, if HAVE_FORK is not set, then -Werror was probably passed to
./configure, which is currently a mistake. lighttpd can successfully
compiles src/ with -Werror on many platforms, but ./configure tests
should not be run with -Werror. [gstrauss]
github: closes #81
x-ref:
"Fix warnings"
https://github.com/lighttpd/lighttpd1.4/pull/81
shared code to get mimetype string via longest extension match
(attempts to match file basename, then longest ext, then "")
Note: this is a behavior change from simple suffix match
if there are 16 or more entries in mimetypes.assign
Set server.stream-request-body = 1 or server.stream-request-body = 2
to have lighttpd connect to backend (CGI, FastCGI, SCGI, proxy)
immediately after parsing request headers, and to stream request body
as it arrives.
default: buffer entire request body before connecting to backend,
in order to avoid tying up (limited) backend resources which are often
implemented using libraries which wait for entire request body before
proceeding.
x-ref:
"Reimplement upload (POST) handling to match apache/zeus/thttpd/boa functionality"
https://redmine.lighttpd.net/issues/376
fix "allprop" propfind request to report all 'live' properties
add "supportedlock" 'live' property, if ./configure --with-webdav-locks
report collections (directory) paths with trailing slash ('/') on path
redirect operations on collections without trailing slash ('/') to URI
with trailing slash ('/')
fix PROPPATCH to work properly and eliminate PROPPATCH memory leak
fix property update after MOVE
move CREATE TABLE statements *before* any prepare statements to avoid
invalidating the prepare statements when the tables are first created
**thx Uranus Zhou for the explanation:
https://zohead.com/archives/lighty-sqlite-err/?lang=en
x-ref:
"Improve DAV support to be able to handle git as a client"
https://redmine.lighttpd.net/issues/1953
"add RFC-compliant LOCK support to mod_webdav" (still not compliant)
https://redmine.lighttpd.net/issues/1818
Note: this has not been tested whether or not mod_webdav works with git
The (highly) recommended method to support git via HTTP is to use
git-http-backend via CGI. gitolite and gitosis provide other good
alternative ways to access git.
This patch does result in more WebDAV 'Litmus' tests passing, even
though mod_webdav still pretends to implement "If" conditional locking,
granting locks to all requestors and not strictly enforcing locks.
attempt to remap COPY/MOVE Destination to aliased physical paths
by finding common URI prefix between request URI and Destination
and finding how that part of the request URI was mapped to a
physical path.
This will work if the aliased physical path is above the webdav root.
It is not a good idea to remap physical paths within a webdav root.
Note: webdav paths and webdav properties are managed by mod_webdav,
so do not modify paths externally or else undefined behavior
or corruption may occur
x-ref:
"Bug in mod_webdav when using aliases and MOVE command"
https://redmine.lighttpd.net/issues/1787
fallback to lseek()/read() if mmap() fails (#fixes 2666)
e.g. when mmap() is used on lighttpd-controlled temporary files
used POST request body (mod_cgi) and PUT file upload (mod_webdav)
replace use of stream_open() on potentially untrusted files
(protect against SIGBUS if a file is modified while map is read)
Note: stream.[ch] may be removed in a future release
For now, stream.[ch] will read entire file into memory if mmap fails
and so it should only be used on trusted files, e.g. config files.
http_auth basic and digest files are typically small and so buffered
stdio fopen(), fgets(), fclose() will likely be approximately as fast
as mmap.
mod_dirlisting header and readme files are typically small and so
open(), read(), close() will typically be approximately as fast as mmap
mod_ssi will likely be much faster, now buffering SSI page construction
rather than a potentially huge number of file open() calls, one for each
tiny chunk of text between SSI directives.
mod_webdav COPY and MOVE may be slower due to removal of mmap, but are
now more resilient to partial writes.
x-ref:
"handle filesystems without mmap() support"
https://redmine.lighttpd.net/issues/2666
"WebDAV upload-> mmap failed: operation not permitted"
https://redmine.lighttpd.net/issues/962
"Lighttpd 1.4.20 Crash (SIGBUS in mod_compress)"
https://redmine.lighttpd.net/issues/1879
"Crash SIGBUS"
https://redmine.lighttpd.net/issues/2391
github: closes #57
For uploaded files or other request body, fall back to
lseek(),read() if filesystem does not support mmap()
(mmap(), if supported, is utilized regardless of --enable-mmap
since request body is either in memory or stored in temporary
files controlled by lighttpd)
x-ref:
"WebDAV upload-> mmap failed: operation not permitted"
https://redmine.lighttpd.net/issues/962
"handle filesystems without mmap() support"
https://redmine.lighttpd.net/issues/2666
github: closes #55
read request body in dynamic handlers supporting request body
(mod_cgi, mod_fastcgi, mod_proxy, mod_scgi, mod_webdav)
(In the future, each dynamic handler might choose whether or not to
buffer request body or to stream request body to backend as request
body is received.)
modify mod_webdav to mark request in handle_physical hook, and move
the main logic to handle_subrequest hook, where the main logic is
for other dynamic handlers.
(still not supporting Depth: Infinity on directories)
patch by mstorsjo submitted as part of feature request #1953
From: Glenn Strauss <gstrauss@gluelogic.com>
git-svn-id: svn://svn.lighttpd.net/lighttpd/branches/lighttpd-1.4.x@3133 152afb58-edef-0310-8abb-c4023f1b3aa9
Mohammed Sadiq