lighttpd
/
lighttpd1.4
2
0
Fork 0
Code Issues Releases Wiki Activity
3,272 Commits 9 Branches 87 Tags 16 MiB
Commit Graph

7 Commits

Author SHA1 Message Date
Glenn Strauss c18f442a63 [multiple] add summaries to top of some modules 2020-07-08 22:51:31 -04:00
Glenn Strauss 9cdfb48466 [core] preserve %2b and %2B in query string (fixes #2999) 
normalize %2b or %2B in query string to %2B (uppercase hex),
and not to '+'

(thx int-e)

x-ref:
  "url-normalize-required expands %2B in query strings"
  https://redmine.lighttpd.net/issues/2999
 2020-01-26 00:41:05 -05:00
Glenn Strauss e757978497 [core] remove repeated slashes in http-parseopts 
remove repeated slashes in server.http-parseopts
with url-path-dotseg-remove, including leading "//"

(prior to this patch, leading "//" was skipped)
 2019-04-15 23:53:22 -04:00
Glenn Strauss 32120d5b8b [core] fix abort in http-parseopts (fixes #2945) 
fix abort in server.http-parseopts with url-path-2f-decode enabled

(thx stze)

x-ref:
  "Security - SIGABRT during GET request handling with url-path-2f-decode enabled"
  https://redmine.lighttpd.net/issues/2945
 2019-04-10 11:36:28 -04:00
Glenn Strauss f832b71180 [mod_redirect,mod_rewrite] base64url encoding opt 
Provide means to encode redirect and rewrite backreference substitutions

  %{encb64u:...} encode to base64url characters (no-padding)
  %{decb64u:...} decode from base64url characters
 2018-08-12 14:43:22 -04:00
Glenn Strauss 255269d799 [mod_redirect,mod_rewrite] encoding options (fixes #443, fixes #911) 
Provide means to encode redirect and rewrite backreference substitutions
  In addition to $1 and %1, the following modifiers are now supported,
  followed by the number for the backreference, e.g. ${esc:1}

  ${noesc:...}  no escaping
  ${esc:...}    escape all non-alphanumeric - . _ ~ incl double-escape %
  ${escape:...} escape all non-alphanumeric - . _ ~ incl double-escape %
  ${escnde:...} escape all non-alphanumeric - . _ ~  but no double-esc %
  ${tolower:...}
  ${toupper:...}

  %{noesc:...}
  %{esc:...}
  %{escape:...}
  %{escnde:...}
  %{tolower:...}
  %{toupper:...}

Provide means to substitute URI parts without needing a regex match
  (and can be preceded by encoding modifier,
     e.g. ${tolower:url.authority})

  ${url.scheme}
  ${url.authority}
  ${url.port}
  ${url.path}
  ${url.query}

  ${qsa}        appends query string, if not empty

x-ref:
  "[PATCH] mod_redirect: Add support for url-encoding backreferences, map %%n->%n, $$n->$n"
  https://redmine.lighttpd.net/issues/443
  "Need for URL encoding in mod_redirect and possibly mod_rewrite"
  https://redmine.lighttpd.net/issues/911
 2018-08-12 14:43:22 -04:00
Glenn Strauss 3eb7902e10 [core] server.http-parseopts URL normalization opt (fixes #1720) 
server.http-parseopts = ( ... ) URL normalization options

Note: *not applied* to CONNECT method

Note: In a future release, URL normalization likely enabled by default
  (normalize URL, reject control chars, remove . and .. path segments)
  To prepare for this change, lighttpd.conf configurations should
  explicitly select desired behavior by enabling or disabling:
    server.http-parseopts = ( "url-normalize" => "enable", ... )
    server.http-parseopts = ( "url-normalize" => "disable" )

x-ref:
  "lighttpd ... compares URIs to patterns in the (1) url.redirect and (2) url.rewrite configuration settings before performing URL decoding, which might allow remote attackers to bypass intended access restrictions, and obtain sensitive information or possibly modify data."
  https://www.cvedetails.com/cve/CVE-2008-4359/
  "Rewrite/redirect rules and URL encoding"
  https://redmine.lighttpd.net/issues/1720
 2018-08-12 14:43:22 -04:00