[core] $HTTP["remoteip"] must handle IPv6 w/o [] (existing behavior)
This was inadvertently broken in lighttpd 1.4.40 when IP address
normalization was added.
In $HTTP["remoteip"], IPv6 is now accepted with or without '[]'.
http_request_host_normalize() expects IPv6 with '[]', and config
processing at runtime expects COMP_HTTP_REMOTE_IP compared without '[]',
so '[]' is stripped (internally) after normalization
Do not switch to CON_STATE_ERROR upon idle timeout if already in
CON_STATE_CLOSE. Changing to CON_STATE_ERROR might keep resetting
con->close_timeout_ts if repeated calls to shutdown() succeed.
clock_gettime() needs -lrt with glibc < 2.17,
and possibly other platforms
This commit contains fixes for CMake and SCONS
See also commit:4d920466 which updated configure.ac for same
x-ref:
"1.4.40 compiling issues on Debian Wheezy"
https://redmine.lighttpd.net/issues/2737
Strip bogus "Proxy" header before creating subprocess environment.
(mod_cgi, mod_fastcgi, mod_scgi, mod_ssi, mod_proxy)
Do not emit HTTP_PROXY to subprocess environment.
Some executables use HTTP_PROXY to configure outgoing proxy.
This is not a lighttpd security issue per se, but this change to
lighttpd adds a layer of defense to protect backend processes which
might be vulnerable due to blindly using this untrusted environment
variable. The HTTP_PROXY environment variable should not be trusted
by a program running in a CGI-like environment.
Mitigation in lighttpd <= 1.4.40 is to reject requests w/ Proxy header:
* Create "/path/to/deny-proxy.lua", read-only to lighttpd, with content:
if (lighty.request["Proxy"] == nil) then return 0 else return 403 end
* Modify lighttpd.conf to load mod_magnet and run lua code
server.modules += ( "mod_magnet" )
magnet.attract-raw-url-to = ( "/path/to/deny-proxy.lua" )
References:
https://www.kb.cert.org/vuls/id/797896
CGI web servers assign Proxy header values from client requests to
internal HTTP_PROXY environment variables
https://httpoxy.org/
httpoxy: A CGI application vulnerability
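The following is an added example, not lighttpd's own code, showing the header-to-environment mapping this commit hardens: a naive RFC 3875 conversion that lets a client's "Proxy" header become HTTP_PROXY, beside the hardened form that strips it (and never inherits HTTP_PROXY from the server's own environment), plus the status-code check mirroring the deny-proxy.lua mitigation. The sample headers are constructed for the example.

```python
"""Build a CGI subprocess environment from request headers while
stripping the client-supplied "Proxy" header (httpoxy defence)."""

# Constructed sample request (not from the page): headers as received,
# including a hostile "Proxy" header and a repeated "Accept" header.
SAMPLE_HEADERS = [
    ("Host", "example.test"),
    ("Proxy", "http://proxy.invalid:8080"),
    ("Accept", "text/html"),
    ("Accept", "application/json"),
    ("Content-Length", "0"),
]

# Per RFC 3875, Content-Type and Content-Length become CONTENT_TYPE /
# CONTENT_LENGTH rather than HTTP_* meta-variables.
_UNPREFIXED = {"content-type", "content-length"}


def _meta_name(name):
    """Map an HTTP header name to its CGI meta-variable name."""
    key = name.upper().replace("-", "_")
    return key if name.lower() in _UNPREFIXED else "HTTP_" + key


def naive_cgi_env(headers):
    """Unsafe: the client's "Proxy" header lands in HTTP_PROXY (httpoxy)."""
    env = {}
    for name, value in headers:
        key = _meta_name(name)
        env[key] = env[key] + ", " + value if key in env else value
    return env


def hardened_cgi_env(headers, inherited=None):
    """Safe: drop "Proxy" before conversion and never inherit HTTP_PROXY."""
    env = {k: v for k, v in (inherited or {}).items() if k != "HTTP_PROXY"}
    for name, value in headers:
        if name.lower() == "proxy":
            continue  # a request header must never become HTTP_PROXY
        key = _meta_name(name)
        env[key] = env[key] + ", " + value if key in env else value
    return env


def deny_proxy_status(headers):
    """Python equivalent of deny-proxy.lua: 403 if Proxy present, else 0."""
    return 403 if any(n.lower() == "proxy" for n, _ in headers) else 0


if __name__ == "__main__":
    print(naive_cgi_env(SAMPLE_HEADERS).get("HTTP_PROXY"))     # leaks URL
    print(hardened_cgi_env(SAMPLE_HEADERS).get("HTTP_PROXY"))  # None
```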
Make Digest authentication more compliant with RFC.
Excerpt from https://www.rfc-editor.org/rfc/rfc7616.txt Section 5.13:
The bottom line is that any compliant implementation will be
relatively weak by cryptographic standards, but any compliant
implementation will be far superior to Basic Authentication.
x-ref:
"Serious security problem in Digest Authentication"
https://redmine.lighttpd.net/issues/1844
inherit server.use-ipv6 and server.set-v6only from global scope
into $SERVER["socket"] blocks
(This potential behavior change was announced with lighttpd 1.4.40)
x-ref:
"$SERVER["socket"] to bind to IPv6 by default"
https://redmine.lighttpd.net/issues/678
url.access-allow is list of allowed url suffixes (e.g. file extensions)
If url.access-allow has been set, then deny any URL that does not match
the explicitly listed suffixes.
(thx japc)
x-ref:
"access_allow directive for lighttpd"
https://redmine.lighttpd.net/issues/1421
error out if duplicated unix socket path and different bin-path is
used by lighttpd to start the backend. This is an error.
Updates commits 97556d99 and b67ff2aa
x-ref:
"Should warn if two FastCGI servers point to same socket file"
https://redmine.lighttpd.net/issues/319
silently use same 'host' if unix socket path is duplicated
(instead of erroring out). Updates commit 97556d99
(It is possible for use of += in config to result in duplicated
fastcgi.server and scgi.server entries)
x-ref:
"Should warn if two FastCGI servers point to same socket file"
https://redmine.lighttpd.net/issues/319
fix memory leak
reduce code redundancy
convert code to use newer buffer.h APIs
proper cleanup if upload cancelled or client disconnected
change "starting" message to "not in progress" if upload not in progress
openssl interfaces typically return 1 to indicate success,
with varying return values to indicate failure
(sometimes 0, sometimes 'not 1')
(thx mackyle)
do not expose server info if server_tag is configured by admin
default con->conf.server_tag is still PACKAGE_DESC, though
admin can configure server.tag otherwise.
(these changes reduce recompilation and relinking when switching
branches in source control)
cygwin does not support ioctl on sockets, returning EOPNOTSUPP
(would be better if cygwin used Windows ioctlsocket() instead)
Windows uses signed (socklen_t), so add some casts to quiet warnings
Windows path handling is convoluted, so disable one test in mod_fastcgi
since trailing spaces are removed from URL for _WIN32 and __CYGWIN__ in
response.c