(thx dinoex)
fix removal of server.pid-file when testing config with lighttpd -tt
(regression in lighttpd 1.4.60, 1.4.61)
x-ref:
"Test the configuration file while lighttpd is running."
https://redmine.lighttpd.net/issues/3115
warn if known dynamic modules listed before mod_auth in server.modules
e.g. mod_auth must be listed before mod_fastcgi in server.modules
for fastcgi.server = ( "mode" => "authorizer" ) to work properly
(thx ThomasDevoogdt)
close backend socket fds more quickly by polling with zero timeout when
there are pending fds scheduled to be closed after the next poll.
x-ref:
"Slow request handling in Lighttpd 1.4.60"
https://redmine.lighttpd.net/boards/2/topics/10063
buffer_append_strftime() requires a non-NULL const string for format
buffer_append_string_encoded() and buffer_append_string_c_escaped()
both will handle encoding a 0-length string. Since a 0-length string
is not expected, do not special-case it. C type buffer_encoding_t
expects a constant value to be passed, so encoding map is not NULL.
connection_handle_write_state() call to subrequest handler might set
r->resp_body_finished, but we need to check if r->write_queue is empty
before changing state from CON_STATE_WRITE to CON_STATE_RESPONSE_END
(If r->write_queue was already empty when the subrequest handler marked
resp_body_finished, connection_state_machine_h2() could miss changing
the request state to CON_STATE_RESPONSE_END)
x-ref:
"HTTP/2 requests sometimes take very long (missing last chunk)"
https://redmine.lighttpd.net/issues/3111
"Slow request handling in Lighttpd 1.4.60"
https://redmine.lighttpd.net/boards/2/topics/10063
crypt() static output buffer is cleared upon next call to crypt(),
but clear output buffer anyway since next call to crypt() might be
much later. Only clear crypt() output if length >= 13, since if
there is an error in crypt(), 'man crypt' warns:
"Some implementations of crypt, upon error, return an invalid hash that
is stored in a read-only location or only initialized once, which means
that it is only safe to erase the buffer pointed to by the crypt return
value if an error did not occur."
use pwritev(), where available, with chunkqueue_steal_with_tempfiles()
The initial write to tempfiles (when response initially grows too
large in memory) can be multiple MEM_CHUNKs, so attempt to use
single pwritev() syscall
return 411 Length Required if mod_proxy configured to force HTTP/1.0
to backend and configured to stream request body, and client request
has a request body but did not provide Content-Length.
allow debug.log-state-handling to be enabled in config conditions,
even though the connection and request may already have begun
(and therefore not logging state changes which already occurred)
(also, minor additional structure cleanups made in the vicinity)
Existing behavior: strict header parsing, strict host parsing, and
basic url normalization are enabled by default in lighttpd, and
protect against h2 request tunnelling attempts using invalid chars
in headers.
Keeping strict parsing settings enabled is strongly recommended.
If any are explicitly disabled in lighttpd.conf, then this patch takes
steps to thwart h2 request tunnelling.
x-ref:
"HTTP/2: The Sequel is Always Worse"
https://portswigger.net/research/http2
Existing behavior: mod_proxy *does not* forward Upgrade header
unless explicitly enabled in lighttpd.conf (default: not enabled)
(proxy.header += ("upgrade" => "enable"))
mod_cgi previously used to forward Upgrade request header, but would
remove Upgrade response header if cgi.upgrade was not explicitly enabled
(cgi.upgrade = "enable")
This patch thwarts h2c smuggling when lighttpd.conf has also been
explicitly configured to pass "Upgrade" request header
x-ref:
"h2c Smuggling: Request Smuggling Via HTTP/2 Cleartext (h2c)"
https://labs.bishopfox.com/tech-blog/h2c-smuggling-request-smuggling-via-http/2-cleartext-h2c
make ck_memeq_const_time() more generically reusable
remove implementation requirements that strings be '\0' terminated,
or at least have an initialized byte following each string (s[len])
x-ref:
https://redmine.lighttpd.net/issues/3112
"mod_auth cache password doesn't match"
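The property the ck_memeq_const_time() change above requires, shown as an added example (my own code, not lighttpd's implementation): a constant-time comparison that reads only the given lengths, so neither input needs a '\0' terminator or an initialized byte at s[len]. The names memeq_const_time and memeq_const_time_selftest are assumed here, not lighttpd's.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not lighttpd's own ck_memeq_const_time(): constant-time
 * equality of two byte ranges that need not be '\0'-terminated.
 * Only a[0..alen) and b[0..blen) are read, so a caller may pass a slice of a
 * larger buffer whose byte at s[len] is unrelated or uninitialized.
 * Work is proportional to the shorter length (lengths are not treated as
 * secret); the position of the first mismatching byte never changes the
 * running time because differences are OR-accumulated, not branched on. */
int memeq_const_time(const void *a, size_t alen, const void *b, size_t blen)
{
    const unsigned char *pa = (const unsigned char *)a;
    const unsigned char *pb = (const unsigned char *)b;
    size_t n = alen < blen ? alen : blen;
    size_t diff = alen ^ blen;            /* nonzero iff lengths differ */
    for (size_t i = 0; i < n; ++i)
        diff |= (size_t)(pa[i] ^ pb[i]);  /* no early return on mismatch */
    return diff == 0;
}

/* Constructed check: the stored credential is a 6-byte slice of a buffer
 * whose following bytes are arbitrary and carry no terminator. Returns a
 * bitmask of which cases behaved as expected (7 == all three). */
int memeq_const_time_selftest(void)
{
    const unsigned char buf[] = { 's','e','c','r','e','t', 0xff, 0xff };
    int ok = 0;
    if (memeq_const_time(buf, 6, "secret", 6))   ok |= 1; /* equal slice  */
    if (!memeq_const_time(buf, 6, "secreT", 6))  ok |= 2; /* content diff */
    if (!memeq_const_time(buf, 6, "secret!", 7)) ok |= 4; /* length diff  */
    return ok;
}

int main(void)
{
    printf("selftest: %d (7 = all cases pass)\n", memeq_const_time_selftest());
    return 0;
}
```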